LUKS Is Not A Checkbox


LUKS is not a checkbox. It is the final boundary.
When the system sleeps, nothing else protects what is inside.
Access control ends. Permissions end. The running state ends.
Only encryption remains.

A disk without LUKS is an exposed nerve.
A disk with LUKS becomes a sealed chamber that answers only to you.

This operation explains how to extend a Debian system with a new encrypted volume.

Not automated. Not silent. It must ask for your passphrase at boot.
Intent over convenience. Control over comfort.

Objective

  1. Add a new disk to Debian.
  2. Prepare it with a clean partition table.
  3. Build an LVM stack.
  4. Create a LUKS-encrypted logical volume.
  5. Integrate it into the boot ritual via crypttab and fstab.
  6. The system must pause and wait for you.
  7. No unattended mounts. No silent assumptions.

Operation

1. Detect the New Disk

Confirm the disk identifier.

lsblk -o NAME,SIZE,TYPE,MODEL
dmesg | tail

Assume the new device is /dev/sdb.

2. Create a Clean Partition Table

Use fdisk to create a single partition for LVM.

sudo fdisk /dev/sdb
 #  g               (create GPT table)
 #  n               (new partition)
 #  default values  (use whole disk)
 #  t               (change type)
 #  lvm             (Linux LVM alias; on an older fdisk without aliases, enter the
 #                   GUID E6D6D379-F507-44C2-A23C-238F2A3DF928 instead. 8e is the
 #                   MBR type code and is not accepted on a GPT table)
 #  w               (write)

Verify:

lsblk /dev/sdb

3. Build the LVM Structure

Initialize the physical volume:

sudo pvcreate /dev/sdb1

Extend or create a volume group:

sudo vgcreate vgdata /dev/sdb1
 #  or: sudo vgextend vgdata /dev/sdb1

Create a logical volume:

sudo lvcreate -n lvsecure -L 100G vgdata

4. Initialize LUKS on the Logical Volume

Encrypt the LV:

sudo cryptsetup luksFormat /dev/vgdata/lvsecure

Open it:

sudo cryptsetup open /dev/vgdata/lvsecure securedata

A mapping appears at:

/dev/mapper/securedata

5. Create the Filesystem

Format the encrypted block device:

sudo mkfs.ext4 /dev/mapper/securedata

Create a mount point:

sudo mkdir -p /secure/data

Mount it for testing:

sudo mount /dev/mapper/securedata /secure/data

6. Integrate Into Boot Ritual (crypttab)

Get the LUKS UUID:

sudo cryptsetup luksUUID /dev/vgdata/lvsecure

Add entry to /etc/crypttab, pasting the UUID printed above after UUID=:

securedata UUID= none luks

With none in the key-file field, the system has no key to read and must ask for the passphrase at boot.
This is intentional.

Update initramfs so the system knows about the encrypted volume:

sudo update-initramfs -u

7. Define the Mount Contract (fstab)

Obtain the filesystem UUID:

sudo blkid /dev/mapper/securedata

Add entry to /etc/fstab, pasting the filesystem UUID reported by blkid after UUID=:

UUID=  /secure/data  ext4  defaults  0  2

Verify configuration:

sudo systemctl daemon-reload
sudo mount -a

If nothing complains, the contract is valid.

8. Reboot Verification

Reboot and confirm:

  1. The boot process pauses.
  2. The system requests the LUKS passphrase for securedata.
  3. After entry, the filesystem mounts as defined.

If the system continues without prompting, something is broken.

Failure Modes

Wrong UUID in crypttab

System boots but mapping never appears.

Missing initramfs update

System ignores crypttab entries.

Incorrect fstab order or missing mountpoint

Boot drops into emergency mode.

LVM inside LUKS vs. LUKS inside LVM

This article uses LUKS on LVM.
Reversing the order changes boot behavior and recovery workflows.

Weak passphrase discipline

LUKS is as strong as the phrase that guards it.
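Added example, not from the original article: a POSIX sh script that builds the crypttab and fstab lines from steps 6 and 7 and then audits them for the failure modes listed above (missing or malformed crypttab UUID, missing fstab entry, missing mount point, initramfs older than crypttab). It reuses the article's names (securedata, /secure/data, /dev/vgdata/lvsecure). The CRYPTTAB and FSTAB variables, the --audit flag, the file name luks-contract.sh and every function name are my own assumptions, added so the static checks can run against copies of the files without root; only audit_live touches the real system.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Builds and audits the crypttab/fstab contract for a LUKS-on-LVM volume.
# Assumption: CRYPTTAB/FSTAB may point at copies of the real files so the
# static checks run without root. Names follow the article.
set -eu

CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"
FSTAB="${FSTAB:-/etc/fstab}"

# A UUID as printed by cryptsetup luksUUID or blkid: 8-4-4-4-12 hex groups.
uuid_ok() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab line: mapping name, LUKS header UUID, "none" = prompt at boot.
crypttab_entry() {
    uuid_ok "$2" || { echo "bad LUKS UUID: $2" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab line: filesystem UUID (blkid on the mapper device) and mount point.
fstab_entry() {
    uuid_ok "$1" || { echo "bad filesystem UUID: $1" >&2; return 1; }
    printf 'UUID=%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# UUID recorded in a crypttab file for a mapping name (empty if absent).
crypttab_uuid_for() {
    awk -v name="$1" '$1 == name && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$2"
}

# Mount point recorded in an fstab file for a filesystem UUID (empty if absent).
fstab_mount_for() {
    awk -v src="UUID=$1" '$1 == src { print $2; exit }' "$2"
}

# Static audit against the failure modes above. Prints one line per problem
# and returns the number of problems found (0 = the contract looks valid).
audit_contract() {
    name="$1"; fs_uuid="$2"; mountpoint="$3"; problems=0
    luks_uuid="$(crypttab_uuid_for "$name" "$CRYPTTAB")"
    if [ -z "$luks_uuid" ]; then
        echo "crypttab: no entry for $name (mapping will never appear)"
        problems=$((problems + 1))
    elif ! uuid_ok "$luks_uuid"; then
        echo "crypttab: malformed UUID for $name: $luks_uuid"
        problems=$((problems + 1))
    fi
    found="$(fstab_mount_for "$fs_uuid" "$FSTAB")"
    if [ "$found" != "$mountpoint" ]; then
        echo "fstab: expected $mountpoint for UUID=$fs_uuid, found '${found:-nothing}'"
        problems=$((problems + 1))
    fi
    if [ ! -d "$mountpoint" ]; then
        echo "mount point missing: $mountpoint (boot would drop to emergency mode)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Live audit (root, on the real system): the crypttab UUID must match the LUKS
# header, and the running kernel's initramfs must be newer than crypttab.
audit_live() {
    lv="$1"; name="$2"
    recorded="$(crypttab_uuid_for "$name" "$CRYPTTAB")"
    actual="$(cryptsetup luksUUID "$lv")"
    [ "$recorded" = "$actual" ] || echo "crypttab UUID $recorded != header UUID $actual"
    initrd="/boot/initrd.img-$(uname -r)"
    [ "$initrd" -nt "$CRYPTTAB" ] || echo "$initrd is older than $CRYPTTAB: run update-initramfs -u"
}

# Usage: sudo sh luks-contract.sh --audit <filesystem-uuid-from-blkid>
if [ "${1:-}" = "--audit" ]; then
    audit_contract securedata "${2:?filesystem UUID required}" /secure/data \
        || echo "static audit: $? problem(s)"
    audit_live /dev/vgdata/lvsecure securedata
fi
```

Run the static audit before rebooting (step 8): a clean exit means both files name the volume consistently and the mount point exists; each printed line maps to one of the failure modes above. The initramfs timestamp check is a proxy for a forgotten update-initramfs -u, not proof that the rebuilt image contains what boot needs, so the reboot check in step 8 still stands.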

Final Whisper

Security at rest is not decoration.
It is the last guarantee when everything else fails.
Privileges dissolve. Sessions expire. Firewalls sleep.
Only the encrypted block remains unbroken.

A machine that auto-mounts without asking you is not your machine.
A machine that pauses and waits for your intent is your machine.

LUKS is not a checkbox.
It is the boundary between possession and loss.

[ Fear the Silence. Fear the Switch ]