- yes YES | cryptsetup luksFormat /dev/$crypt $luks_dir/host-$HOSTNAME \
- -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
- yes "$lukspw" cryptsetup luksAddKey --key-file \
- $luks_dir/host-$HOSTNAME /dev/$crypt || [[ $? == 141 ]]
- # this would remove the keyfile. we will do that manually later.
- # yes 'test' | cryptsetup luksRemoveKey /dev/... \
- # /key/file || [[ $? == 141 ]]
- cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt --key-file \
- $luks_dir/host-$HOSTNAME
- parted ${devs[0]} set 1 boot on
- mkfs.btrfs -f /dev/mapper/crypt_dev_$crypt
- mount /dev/mapper/crypt_dev_$crypt /mnt
- create_subvols
+ luks_dev=$dev$rootn
+ yes YES | cryptsetup luksFormat $luks_dev $luks_dir/host-$HOSTNAME \
+ -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+ yes "$lukspw" | \
+ cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \
+ $luks_dev || [[ $? == 141 ]]
+ # background: Keyfile and password are treated just
+ # like 2 ways to input a passphrase, so we don't actually need to have
+ # different contents of keyfile and passphrase, but it makes some
+ # security sense to a really big randomly generated passphrase
+ # as much as possible, so we have both.
+ #
+ # This would remove the keyfile.
+ # yes 'test' | cryptsetup luksRemoveKey /dev/... \
+ # /key/file || [[ $? == 141 ]]
+
+ cryptsetup luksOpen $luks_dev crypt_dev_${luks_dev##/dev/} \
+ --key-file $luks_dir/host-$HOSTNAME
+ done
+ bpart ${crypt_devs[@]/%/$rootn}
+ bpart ${devs[@]/%/$bootn}