diff --git a/bundles/dm-crypt/items.py b/bundles/dm-crypt/items.py
new file mode 100644
index 0000000..ed87137
--- /dev/null
+++ b/bundles/dm-crypt/items.py
@@ -0,0 +1,26 @@
+for dev, attrs in node.metadata.get('dm-crypt/encrypted-devices', {}).items():
+ actions['dm-crypt_format_' + dev] = {
+ 'cascade_skip': False,
+ 'command': f'cryptsetup --batch-mode luksFormat --cipher aes-xts-plain64 --key-size 512 {dev}',
+ 'comment': 'Careful: This destroys the current contents of that device. Afterwards, it will be encrypted using dm-crypt.',
+ 'data_stdin': attrs['passphrase'],
+ 'unless': f'blkid -t TYPE=crypto_LUKS {dev}',
+ 'needs': {
+ 'pkg_apt:cryptsetup',
+ },
+ }
+ actions['dm-crypt_open_' + attrs['dm-name']] = {
+ 'cascade_skip': False,
+ 'command': 'cryptsetup --batch-mode luksOpen {dev} {dm_name}'.format(
+ dev=dev,
+ dm_name=attrs['dm-name'],
+ ),
+ 'comment': 'Unlocks the device and makes it available as /dev/mapper/{}'.format(attrs['dm-name']),
+ 'data_stdin': attrs['passphrase'],
+ 'needs': {
+ f'action:dm-crypt_format_{dev}',
+ 'pkg_apt:cryptsetup',
+ },
+ 'unless': 'test -e /dev/mapper/{}'.format(attrs['dm-name']),
+ }
+
diff --git a/bundles/dm-crypt/metadata.py b/bundles/dm-crypt/metadata.py
new file mode 100644
index 0000000..ad68261
--- /dev/null
+++ b/bundles/dm-crypt/metadata.py
@@ -0,0 +1,7 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'cryptsetup': {},
+ },
+ },
+}
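Review bot: In bundles/dm-crypt/items.py, `dev` and `attrs['dm-name']` are interpolated unquoted into the `command` and `unless` strings of both actions, so a metadata value containing whitespace or shell metacharacters would change what is executed on the node with the privileges cryptsetup needs (assuming these strings are handed to a shell there). Wrapping each interpolation in `shlex.quote` closes that, e.g. `'unless': f'blkid -t TYPE=crypto_LUKS {quote(dev)}',` with `from shlex import quote` at the top of the file, and likewise for the luksFormat, luksOpen and `test -e` strings. Separately, the format guard only asks whether the device is already LUKS, so a mistyped device path that holds other data is formatted without a prompt because of `--batch-mode`; a comment next to that `unless` such as `# only safeguard before luksFormat: anything that is not already LUKS gets wiped` would make this visible to whoever edits the metadata.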