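# Imported here because the file's import block is not visible from this
# section; shlex.quote is the stdlib shell-escaping helper.
from shlex import quote

# For every device listed under the 'dm-crypt/encrypted-devices' metadata key,
# register two actions: one that LUKS-formats the device and one that opens it
# under the configured device-mapper name.
for dev, attrs in node.metadata.get('dm-crypt/encrypted-devices', {}).items():
    dm_name = attrs['dm-name']
    passphrase = attrs['passphrase']

    # Device path and mapper name are spliced into shell command strings, one
    # of which wipes a block device. Quote them so that whitespace or shell
    # metacharacters in metadata cannot alter the command that runs. For plain
    # paths such as /dev/sdb1 quote() returns the value unchanged.
    quoted_dev = quote(dev)
    quoted_dm_name = quote(dm_name)
    quoted_mapper_path = quote(f'/dev/mapper/{dm_name}')

    actions['dm-crypt_format_' + dev] = {
        'cascade_skip': False,
        'command': (
            'cryptsetup --batch-mode luksFormat '
            f'--cipher aes-xts-plain64 --key-size 512 {quoted_dev}'
        ),
        'comment': 'Careful: This destroys the current contents of that device. Afterwards, it will be encrypted using dm-crypt.',
        # The passphrase is handed over via 'data_stdin' instead of being put
        # into the command string, which keeps it out of the command line.
        # NOTE(review): when cryptsetup reads a passphrase from stdin without
        # --key-file it stops at the first newline -- confirm that metadata
        # passphrases never contain one.
        # NOTE(review): presumably the passphrase is stored encrypted in the
        # repository and only decrypted into metadata -- confirm.
        'data_stdin': passphrase,
        # Skip formatting when blkid already reports a LUKS header. This guard
        # only recognises LUKS: a device holding any other data is NOT
        # protected, and --batch-mode suppresses cryptsetup's confirmation
        # prompt, so a wrong device path in metadata is wiped silently.
        'unless': f'blkid -t TYPE=crypto_LUKS {quoted_dev}',
        'needs': {
            'pkg_apt:cryptsetup',
        },
    }
    actions['dm-crypt_open_' + dm_name] = {
        'cascade_skip': False,
        'command': f'cryptsetup --batch-mode luksOpen {quoted_dev} {quoted_dm_name}',
        'comment': 'Unlocks the device and makes it available as /dev/mapper/{}'.format(dm_name),
        'data_stdin': passphrase,
        'needs': {
            # Opening depends on the format action declared above for this device.
            f'action:dm-crypt_format_{dev}',
            'pkg_apt:cryptsetup',
        },
        # Nothing to do once the mapper node exists.
        'unless': f'test -e {quoted_mapper_path}',
    }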