Privacy Tools Guide

Disk Encryption Comparison: LUKS vs BitLocker

Both LUKS (Linux Unified Key Setup) and BitLocker protect data at rest by encrypting the entire disk volume. A stolen laptop with either enabled reveals nothing without the key. But they differ significantly in how they manage keys, what trust they place in hardware, and what happens when you need to recover data.

Table of Contents

Architecture Overview

LUKS stores an encrypted master key in a header on the disk, protected by one or more key slots. Each key slot holds a copy of the master key, encrypted with a different passphrase, key file, or TPM-bound key. The cipher and parameters are stored in the header.

BitLocker uses the Windows CryptoAPI and stores the Volume Master Key (VMK) protected by one or more key protectors: TPM, TPM+PIN, password, USB startup key, or recovery key. The Full Volume Encryption Key (FVEK) is encrypted by the VMK.

Encryption Algorithms

LUKS2

# Create a LUKS2 volume with AES-256-XTS (default and recommended)
sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha256 /dev/sdb1

# Verify the parameters used
sudo cryptsetup luksDump /dev/sdb1 | grep -E "Cipher|Key|Hash"
# Cipher name:    aes-xts-plain64
# Cipher key:     512 bits
# Hash spec:      sha256

LUKS2 supports:

BitLocker

BitLocker uses AES-128 by default, upgradable to AES-256:

# Check current BitLocker settings
Get-BitLockerVolume -MountPoint "C:"

# Enable BitLocker with AES-256-XTS (Windows 10 1511+)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector

# Or via Group Policy:
# Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption
# → Set: Choose drive encryption method and cipher strength → AES-256-XTS

TPM Integration

BitLocker + TPM

BitLocker’s default mode seals the VMK to the TPM. The disk decrypts automatically at boot as long as the measured boot state (PCR values) matches — meaning the bootloader and UEFI configuration have not changed. This is transparent to users but provides no protection against someone with physical access who can boot into Windows normally (e.g., if someone steals a logged-in machine that is not locked).

TPM+PIN mode requires both the TPM measurement match and a PIN — this is the correct mode for laptops:

# Enable BitLocker with TPM+PIN
$SecurePin = Read-Host -AsSecureString "Enter BitLocker PIN"
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $SecurePin

LUKS + TPM (systemd-cryptenroll)

LUKS2 on modern Linux can use the TPM similarly:

# Enroll the TPM as a LUKS key protector
# --tpm2-pcrs=7 measures secure boot state
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda2

# For TPM+PIN equivalent (requires PIN input at boot):
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --tpm2-with-pin=yes /dev/sda2

# List enrolled keys
sudo cryptsetup luksDump /dev/sda2 | grep -A3 "Tokens"

Key Management and Key Slots

LUKS Key Slots

LUKS2 supports up to 32 key slots. Each slot can hold a different passphrase, key file, or hardware token binding.

# Add a second passphrase (backup key slot)
sudo cryptsetup luksAddKey /dev/sda2

# Add a key file as a key slot
dd if=/dev/urandom of=/root/luks-keyfile bs=512 count=1
chmod 400 /root/luks-keyfile
sudo cryptsetup luksAddKey /dev/sda2 /root/luks-keyfile

# List key slots
sudo cryptsetup luksDump /dev/sda2 | grep "Keyslot"

# Remove a key slot (e.g., if a passphrase is compromised)
sudo cryptsetup luksKillSlot /dev/sda2 1

BitLocker Recovery Keys

# Get the recovery key (save this to a safe place)
(Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | Select-Object -ExpandProperty RecoveryPassword

# Back up recovery key to Azure AD / Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId

# Add an additional recovery password
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

Performance

The performance difference is small on modern hardware with AES-NI instruction support (present in nearly all CPUs since 2012).

# LUKS: benchmark ciphers on your hardware
sudo cryptsetup benchmark

# Typical output on a modern system:
# Algorithm       Key  Encryption  Decryption
# aes-cbc         128b  1612.5 MiB/s  5893.7 MiB/s
# aes-cbc         256b  1166.8 MiB/s  4450.2 MiB/s
# aes-xts         256b  1604.6 MiB/s  1588.3 MiB/s
# aes-xts         512b  1175.3 MiB/s  1162.9 MiB/s

# Check if your CPU has AES-NI
grep -m1 aes /proc/cpuinfo

On NVMe SSDs, encryption overhead with AES-NI is under 5% for most workloads. Without AES-NI (rare now), ChaCha20 is faster.

Header Backup and Recovery

LUKS headers are at risk: a corrupted or overwritten header means the data is gone even if you have the passphrase.

# Back up the LUKS header — store in a safe, separate location
sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file luks-header-backup.bin
gpg -c luks-header-backup.bin   # encrypt the backup before storing

# Restore a header if needed
sudo cryptsetup luksHeaderRestore /dev/sda2 --header-backup-file luks-header-backup.bin

BitLocker does not expose a raw header, but the recovery key serves the equivalent purpose.

Side-by-Side Summary

Feature LUKS2 BitLocker
OS Linux Windows (Pro/Enterprise)
Algorithm AES-256-XTS (configurable) AES-128-XTS (AES-256 with policy)
KDF Argon2id (LUKS2) PBKDF2
TPM support Yes (systemd-cryptenroll) Native
TPM+PIN Yes Yes
Key slots Up to 32 Multiple protectors
Open source Yes No
Recovery Passphrase / key file Recovery password / recovery key
Header backup Manual N/A (recovery key serves this)

Practical Setup Walkthrough: LUKS on Ubuntu

For Linux users, setting up LUKS2 from scratch on a new partition:

# 1. Identify your device (BE CAREFUL - verify with lsblk)
lsblk
# Output: sdb is your new drive

# 2. Create partition if needed (or use existing partition)
sudo parted /dev/sdb mklabel gpt
sudo parted /dev/sdb mkpart primary 0% 100%
lsblk /dev/sdb

# 3. Format with LUKS2
sudo cryptsetup luksFormat --type luks2 \
  --cipher aes-xts-plain64 \
  --key-size 512 \
  --hash sha512 \
  --pbkdf pbkdf2 \
  --pbkdf-force-iterations 100000 \
  /dev/sdb1

# 4. Enter passphrase twice (use 20+ characters, avoid dictionary words)
# Example: "Tr0pical$UnderWater#2026@SecurePass"

# 5. Open the encrypted volume
sudo cryptsetup luksOpen /dev/sdb1 my_secure_drive

# 6. Create filesystem
sudo mkfs.ext4 -L SecureDrive /dev/mapper/my_secure_drive

# 7. Mount
mkdir ~/secure_drive
sudo mount /dev/mapper/my_secure_drive ~/secure_drive
sudo chown $USER:$USER ~/secure_drive

# 8. Verify
lsblk
df -h | grep secure_drive

For persistent mounting across reboots, edit /etc/crypttab:

# /etc/crypttab
my_secure_drive /dev/sdb1 none luks,discard

# Then add to /etc/fstab:
# /dev/mapper/my_secure_drive /home/user/secure_drive ext4 defaults 0 2

# On reboot, systemd will prompt for passphrase before mounting

BitLocker on Windows: Full Setup

For Windows 10/11 Pro, Enterprise, or Education:

# 1. Check BitLocker status
Get-BitLockerVolume -MountPoint "C:"

# 2. Enable BitLocker with TPM+PIN (most secure)
$SecurePin = Read-Host -AsSecureString "Enter 6-20 digit PIN"
Enable-BitLocker -MountPoint "C:" `
  -EncryptionMethod XtsAes256 `
  -TpmAndPinProtector `
  -Pin $SecurePin `
  -SkipHardwareTest

# 3. Save recovery key to secure location
(Get-BitLockerVolume -MountPoint "C:").KeyProtector | `
  Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | `
  Select-Object -ExpandProperty RecoveryPassword > C:\Backup\BitLocker-RecoveryKey.txt

# 4. Back up to OneDrive or AD
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId

# 5. Monitor encryption progress
Get-BitLockerVolume -MountPoint "C:" | Select-Object -Property VolumeStatus, EncryptionPercentage

Real-World Disaster Recovery Scenarios

Scenario 1: Forgotten LUKS Passphrase

If you have a backup key slot:

# Boot from USB with your Linux distribution
# Mount the encrypted drive
sudo cryptsetup luksOpen /dev/sdb1 recovery_attempt

# If that fails with wrong password, try secondary key slot
# List available slots
sudo cryptsetup luksDump /dev/sdb1 | grep Keyslot

# The data is still encrypted and locked — there's no backdoor
# You must either:
# 1. Use a secondary passphrase if you set one up
# 2. Use the header backup (if you made one)
# 3. Accept the data is lost

# Prevention: Always set up multiple key slots

Scenario 2: BitLocker Disabled, But Forgot PIN

If you can still boot Windows:

# Suspend BitLocker temporarily (no encryption, PIN not required)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1

# Reboot and immediately change PIN
Enable-BitLocker -MountPoint "C:" `
  -EncryptionMethod XtsAes256 `
  -TpmAndPinProtector `
  -Pin $NewSecurePin

# Or recover with recovery key
Unlock-BitLocker -MountPoint "C:" -RecoveryPassword "Your-Recovery-Key-Here"

When to Use LUKS vs BitLocker

Scenario Best Choice Why
Linux-only system LUKS Native, open-source, no licensing
Windows corporate environment BitLocker Hardware integration, Group Policy management
Multi-OS (dual-boot) LUKS on shared partition Works on all systems
Maximum security paranoia LUKS2 with Argon2id More resistant to GPU attacks
Ease of setup BitLocker Automated, TPM integration
Cross-platform portability LUKS Linux, macOS with FUSE, partial Windows support
Server environments LUKS Minimal overhead, automation-friendly
Consumer laptops BitLocker Transparent after initial setup

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides