+ # 3 is device which simply holds a key for the 4's,
+ # so we can unlock multi-device btrfs fs with 1 manually entered passphrase.
+ #
+ # Background: It's of course possible modify the initramfs to
+ # put the input from a passphrase prompt into a variable and use
+ # it to unlock multiple devices, but that would require figuring
+ # more things out.
+ #
+ for luks_dev in ${dev}3; do
+ yes YES | cryptsetup luksFormat $luks_dev $luks_dir/host-$HOSTNAME \
+ -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+ yes "$lukspw" | \
+ cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \
+ $luks_dev || [[ $? == 141 ]]
+ # background: Keyfile and password are treated just
+ # like 2 ways to input a passphrase, so we don't actually need to have
+ # different contents of keyfile and passphrase, but it makes some
+ # security sense to a really big randomly generated passphrase
+ # as much as possible, so we have both.
+ #
+ # This would remove the keyfile.
+ # yes 'test' | cryptsetup luksRemoveKey /dev/... \
+ # /key/file || [[ $? == 141 ]]
+
+ cryptsetup luksOpen $luks_dev crypt_dev_${luks_dev##/dev/} \
+ --key-file $luks_dir/host-$HOSTNAME
+ done