diff --git a/homepage/knowledge/postmarketos.html b/homepage/knowledge/postmarketos.html
index 57ff5bd..0a6a267 100644
--- a/homepage/knowledge/postmarketos.html
+++ b/homepage/knowledge/postmarketos.html
@@ -16,11 +16,51 @@
 <SCRIPT SRC="/js/sheets.js"  TYPE="application/javascript"></SCRIPT>
 <SCRIPT TYPE="application/javascript">window.onload = window.initializesheets;</SCRIPT>
 <H1>postmarketOS</H1>
-<H3>updated 2021-10-27</H3>
+<H3>updated 2021-11-09</H3>
 <HR ALIGN="left" SIZE="1" WIDTH="25%" />
 <P>
 postmarketOS is based on Alpine Linux and this site's <A HREF="/knowledge/alpine">knowledge article for Alpine</A> applies to postmarketOS as well.
 </P>
+<H2>Encrypted SD card with LUKS</H2>
+<H3>Other resources</H3>
+<UL>
+	<LI><A HREF="https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile/">Automatically Unlock LUKS Encrypted Drives With A Keyfile</A></LI>
+	<LI><A HREF="https://wiki.gentoo.org/wiki/Dm-crypt">Dm-crypt</A> (Gentoo Wiki)</LI>
+	<LI><A HREF="https://www.cyberciti.biz/security/how-to-backup-and-restore-luks-header-on-linux/">How to backup and restore LUKS header on Linux</A></LI>
+	<LI><A HREF="https://wiki.alpinelinux.org/wiki/LVM_on_LUKS">LVM on LUKS</A> (Alpine Wiki)</LI>
+	<LI><A HREF="https://devconnected.com/how-to-encrypt-partition-on-linux/">How To Encrypt Partition on Linux</A></LI>
+<BR />
+<P>
+I bought a <A HREF="https://www.amazon.com/gp/product/B09B1JFY24/">SAMSUNG EVO Select 128GB New Generation</A> card (apologies for the Amazon link, it isn't an associate link though), wiped it, and put one partition on it that spanned the whole drive.
+</P>
+<P>
+To format a partition for LUKS, use <CODE>lsblk</CODE> to determine the block device location for that partition and run <CODE>cryptsetup luksFormat [<I>partition</I>]</CODE>.
+The passphrase used can be changed or removed after creation.
+</P>
+<P>
+To open a LUKS partition, use <CODE>cryptsetup luksOpen [<I>partition</I>] [<I>name</I>]</CODE>.
+This <I>name</I> is the name the decrypted block device location will take in <CODE>/dev/mapper/</CODE>.
+Before the decrypted block device has a filesystem it'll just be cleared space.
+Use <CODE>mkfs.ext4 /dev/mapper/[<I>name</I>]</CODE> to create an ext4 filesystem on the decrypted volume.
+</P>
+<P>
+To mount an opened LUKS partition, use <CODE>mount(8)</CODE> as normal, just with the block device location <CODE>/dev/mapper/[<I>name</I>]</CODE>.
+</P>
+<P>
+To close an open LUKS partition, <CODE>umount(8)</CODE> it if it's open and <CODE>cryptsetup luksClose [<I>name</I>]</CODE>.
+</P>
+<P>
+To make the LUKS partition openable via keyfile, first make a keyfile (<CODE>dd if=/dev/urandom of=/root/keyfile bs=1024 count=4</CODE> seems to work), and optionally make it readable by root only (<CODE>chmod 0400 [<I>keyfile</I>]</CODE>).
+Then add the keyfile to the partition's LUKS header with <CODE>cryptsetup luksAddKey [<I>physical partition block device</I>] [<I>keyfile</I>]</CODE>.
+<I>Physical partition block device</I> refers to the same <I>partition</I> openable with <CODE>cryptsetup luksOpen</CODE>, but is called such here to disambiguate from the <I>decrypted</I> block device (at <CODE>/dev/mapper/</CODE>).
+</P>
+<P>
+To have the SD card auto-mount at boot, add an <CODE>fstab(5)</CODE> line for the <I>decrypted</I> block device.
+In <CODE>blkid(8)</CODE>'s output, this will be the line that starts with <CODE>/dev/mapper/[<I>name</I>]</CODE>.
+Then, <CODE>rc-update add dmcrypt boot</CODE> and add an entry in <CODE>/etc/conf.d/dmcrypt</CODE> to automatically luksOpen the volume.
+<CODE>dm-crypt</CODE> will need the UUID of the <I>physical</I> block device; in <CODE>blkid(8)</CODE> this will be the line that starts with <CODE>/dev/mmcblk</CODE> or <CODE>/dev/sd[<I>X</I>]</CODE>.
+</P>
+
 <H2>Random MAC address generation on Wifi</H2>
 <P>
 By default, postmarketOS will generate a random software MAC address when connecting to a new WLAN network.