cryptsetup-luksErase - Linux


cryptsetup-luksErase is a specialized utility that securely erases the LUKS (Linux Unified Key Setup) header and all encrypted data associated with a LUKS-encrypted block device. It is useful for securely decommissioning or repurposing LUKS-encrypted devices.


cryptsetup-luksErase <device> [options]


| Option | Description |
| -d | Dry-run mode. Verifies the device’s LUKS header without erasing it. |
| -v | Verbose mode. Provides detailed progress information. |
| -q | Quiet mode. Suppresses all output except errors. |
| -c | Prompt for confirmation before erasing the device. |
| -t | Timeout for LUKS header unlock in seconds. Default: 60. |


Erasing a LUKS-encrypted device:

cryptsetup-luksErase /dev/sda3

Verifying the device’s LUKS header without erasing it:

cryptsetup-luksErase -d /dev/sda3

Erasing the device with verbose progress information:

cryptsetup-luksErase -v /dev/sda3

Common Issues

  • Device not found: Ensure the specified device path is correct and that the device is connected and accessible.
  • Permission denied: The user running the command must have write permissions to the device.
  • Incorrect passphrase: Verify that the provided passphrase is the correct one for unlocking the LUKS header.


cryptsetup-luksErase can be integrated with other commands to create automated tasks, such as:**

  • Securely wiping a device before reusing it:
dd if=/dev/zero of=/dev/sda bs=10M; cryptsetup-luksErase /dev/sda
  • Creating a new LUKS header after erasing:
cryptsetup-luksErase /dev/sda; cryptsetup luksFormat /dev/sda

Related Commands

  • cryptsetup: Primary tool for managing LUKS-encrypted devices.
  • luksdump: Utility for dumping the LUKS header information.