From 2cdf496c20c16096522f706d61f1de4e04a84e9a Mon Sep 17 00:00:00 2001
From: Jeff Moe
Date: Thu, 3 Oct 2019 15:28:12 -0600
Subject: [PATCH] Cryptsetup new drive
---
source/resources/apps/cryptsetup/ADD-DRIVE.md | 30 +++++++++++++++++++
source/resources/apps/cryptsetup/README.md | 2 ++
2 files changed, 32 insertions(+)
create mode 100644 source/resources/apps/cryptsetup/ADD-DRIVE.md
diff --git a/source/resources/apps/cryptsetup/ADD-DRIVE.md b/source/resources/apps/cryptsetup/ADD-DRIVE.md
new file mode 100644
index 0000000..db8d57d
--- /dev/null
+++ b/source/resources/apps/cryptsetup/ADD-DRIVE.md
@@ -0,0 +1,30 @@
+# HOWTO add encrypted drive to an existing system.
+
+exit 0
+
+# XXX Change device names as appropriate
+fdisk /dev/nvme1n1
+# Make gpt partition
+# Make linux parition full disk size
+
+# --hash, --cipher --key-size, --key-slot --label
+cryptsetup luksFormat /dev/nvme1n1p1
+# or like:
+cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat /dev/nvme1n1p1
+
+# "devel: (arbitrary name) is named now:
+cryptsetup luksOpen /dev/nvme1n1p1 devel
+# Format drive:
+mkfs.ext4 /dev/mapper/devel
+
+# Add to /etc/crypttab:
+devel UUID=00000000-0000-0000-0000-000000000000 none luks
+
+# Add to /etc/fstab:
+# Note this UUID is not the same as the UUID in the crypttab
+UUID=00000000-0000-0000-0000-000000000000 /srv/devel ext4 defaults 0 2
+
+# To change password:
+cryptsetup -y luksAddKey /dev/nvme1n1p1
+cryptsetup luksRemoveKey /dev/nvme1n1p1
+
diff --git a/source/resources/apps/cryptsetup/README.md b/source/resources/apps/cryptsetup/README.md
index 0612145..a869540 100644
--- a/source/resources/apps/cryptsetup/README.md
+++ b/source/resources/apps/cryptsetup/README.md
@@ -1,3 +1,5 @@
+# This is how to set up decrypting a remote encrypted partition at boot.
+
 apt install dropbear-initramfs /etc/dropbear-initramfs/config
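Review bot: The password-change steps at the end of ADD-DRIVE.md go straight from `cryptsetup -y luksAddKey /dev/nvme1n1p1` to `cryptsetup luksRemoveKey /dev/nvme1n1p1` without checking that the new passphrase opens the volume, so a misremembered new key can leave the drive with no usable passphrase. I would add `cryptsetup luksOpen --test-passphrase /dev/nvme1n1p1` between the two commands, under a comment such as `# Verify the new passphrase before removing the old one`. The HOWTO also never takes a header backup; a line like `cryptsetup luksHeaderBackup /dev/nvme1n1p1 --header-backup-file <path>` after the luksFormat step would help, with a comment that a backup made before a key change still unlocks with the old passphrase and has to be stored or destroyed accordingly. Separately, the crypttab and fstab comments should say where each UUID comes from (presumably `blkid /dev/nvme1n1p1` for crypttab and `blkid /dev/mapper/devel` for fstab), since both placeholders are the same all-zero value.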