diff --git a/homepage/knowledge/cryptography.html b/homepage/knowledge/cryptography.html
index 2384a84..1e35964 100644
--- a/homepage/knowledge/cryptography.html
+++ b/homepage/knowledge/cryptography.html
@@ -16,11 +16,37 @@
 <SCRIPT SRC="/js/sheets.js"  TYPE="application/javascript"></SCRIPT>
 <SCRIPT TYPE="application/javascript">window.onload = window.initializesheets;</SCRIPT>
 <H1>cryptography</H1>
-<H3>updated 2021-10-14</H3>
+<H3>updated 2021-11-09</H3>
 <HR ALIGN="left" SIZE="1" WIDTH="25%" />
 <P><B>
 This information is not authoritative, nor from a place of deep knowledge.
 </B></P>
+<H2 ID="luks_partitioning">LUKS partitioning</H2>
+<H3>Sources</H3>
+<UL>
+	<LI><A HREF="https://www.cyberciti.biz/security/how-to-backup-and-restore-luks-header-on-linux/">How to backup and restore LUKS header on Linux</A></LI>
+	<LI><A HREF="https://devconnected.com/how-to-encrypt-partition-on-linux/">How To Encrypt Partition on Linux</A></LI>
+	<LI><A HREF="https://unixfuntime.wordpress.com/2012/08/20/luks-passphrases-changing-adding-removing/">LUKS passphrases: Changing, adding, removing</A></LI>
+</UL>
+<P>
+To format a partition for LUKS, use <CODE>lsblk</CODE> to determine the physical block device location for that partition and run <CODE>cryptsetup luksFormat [<I>partition</I>]</CODE>.
+The passphrase used can be changed or removed after creation.
+</P>
+<P>
+To open a LUKS partition, use <CODE>cryptsetup luksOpen [<I>partition</I>] [<I>name</I>]</CODE>.
+This <I>name</I> is the name the <I>decrypted block device</I> location will take in <CODE>/dev/mapper/</CODE>.
+Before the decrypted block device has a filesystem it'll just be cleared space - use <CODE>mkfs.[<I>filesystem</I>] /dev/mapper/[<I>name</I>]</CODE>.
+</P>
+<P>
+To mount an opened LUKS partition, use <CODE>mount(8)</CODE> as normal, just with the decrypted block device location.
+</P>
+<P>
+To close an open LUKS partition, <CODE>umount(8)</CODE> it if it's open and <CODE>cryptsetup luksClose [<I>name</I>]</CODE>.
+</P>
+<P>
+To make the LUKS partition openable via keyfile, first make a keyfile (<CODE>dd if=/dev/urandom of=/root/keyfile bs=1024 count=4</CODE> seems to work), and optionally make it readable by root only (<CODE>chmod 0400 [<I>keyfile</I>]</CODE>).
+Then add the keyfile to the partition's LUKS header with <CODE>cryptsetup luksAddKey [<I>physical partition block device</I>] [<I>keyfile</I>]</CODE>.
+</P>
 <H2>SSH keys</H2>
 <H3>Sources</H3>
 <UL>
diff --git a/homepage/knowledge/postmarketos.html b/homepage/knowledge/postmarketos.html
index fb0d2a3..66c7f32 100644
--- a/homepage/knowledge/postmarketos.html
+++ b/homepage/knowledge/postmarketos.html
@@ -22,47 +22,22 @@
 postmarketOS is based on Alpine Linux and this site's <A HREF="/knowledge/alpine">knowledge article for Alpine</A> applies to postmarketOS as well.
 </P>
 <H2>Encrypted SD card with LUKS</H2>
-<H3>Other resources</H3>
+<H3>Sources</H3>
 <UL>
 	<LI><A HREF="https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile/">Automatically Unlock LUKS Encrypted Drives With A Keyfile</A></LI>
 	<LI><A HREF="https://wiki.gentoo.org/wiki/Dm-crypt">Dm-crypt</A> (Gentoo Wiki)</LI>
-	<LI><A HREF="https://www.cyberciti.biz/security/how-to-backup-and-restore-luks-header-on-linux/">How to backup and restore LUKS header on Linux</A></LI>
 	<LI><A HREF="https://wiki.alpinelinux.org/wiki/LVM_on_LUKS">LVM on LUKS</A> (Alpine Wiki)</LI>
-	<LI><A HREF="https://devconnected.com/how-to-encrypt-partition-on-linux/">How To Encrypt Partition on Linux</A></LI>
 </UL>
 <P>
 I bought a <A HREF="https://www.amazon.com/gp/product/B09B1JFY24/">SAMSUNG EVO Select 128GB New Generation</A> card (apologies for the Amazon link, it isn't an associate link though), wiped it, and put one partition on it that spanned the whole drive.
+See <A HREF="/knowledge/cryptography#luks_partitioning">cryptography#LUKS partitioning</A> for how to make a LUKS partition.
 </P>
 <P>
-To format a partition for LUKS, use <CODE>lsblk</CODE> to determine the block device location for that partition and run <CODE>cryptsetup luksFormat [<I>partition</I>]</CODE>.
-The passphrase used can be changed or removed after creation.
-</P>
-<P>
-To open a LUKS partition, use <CODE>cryptsetup luksOpen [<I>partition</I>] [<I>name</I>]</CODE>.
-This <I>name</I> is the name the decrypted block device location will take in <CODE>/dev/mapper/</CODE>.
-Before the decrypted block device has a filesystem it'll just be cleared space.
-Use <CODE>mkfs.ext4 /dev/mapper/[<I>name</I>]</CODE> to create an ext4 filesystem on the decrypted volume.
-</P>
-<P>
-To mount an opened LUKS partition, use <CODE>mount(8)</CODE> as normal, just with the block device location <CODE>/dev/mapper/[<I>name</I>]</CODE>.
-</P>
-<P>
-To close an open LUKS partition, <CODE>umount(8)</CODE> it if it's open and <CODE>cryptsetup luksClose [<I>name</I>]</CODE>.
-</P>
-<P>
-To make the LUKS partition openable via keyfile, first make a keyfile (<CODE>dd if=/dev/urandom of=/root/keyfile bs=1024 count=4</CODE> seems to work), and optionally make it readable by root only (<CODE>chmod 0400 [<I>keyfile</I>]</CODE>).
-Then add the keyfile to the partition's LUKS header with <CODE>cryptsetup luksAddKey [<I>physical partition block device</I>] [<I>keyfile</I>]</CODE>.
-<I>Physical partition block device</I> refers to the same <I>partition</I> openable with <CODE>cryptsetup luksOpen</CODE>, but is called such here to disambiguate from the <I>decrypted</I> block device (at <CODE>/dev/mapper/</CODE>).
-</P>
-<P>
-To have the SD card auto-mount at boot, add an <CODE>fstab(5)</CODE> line for the <I>decrypted</I> block device.
-In <CODE>blkid(8)</CODE>'s output, this will be the line that starts with <CODE>/dev/mapper/[<I>name</I>]</CODE>.
+To have the SD card auto-mount at boot, add an <CODE>fstab(5)</CODE> line for the decrypted block device.
+The <CODE>localmount</CODE> OpenRC service will also have to be enabled for the system to read <CODE>fstab(5)</CODE> - <CODE>rc-update add localmount</CODE>.
 Then, <CODE>rc-update add dmcrypt boot</CODE> and add an entry in <CODE>/etc/conf.d/dmcrypt</CODE> to automatically luksOpen the volume.
 <CODE>dm-crypt</CODE> will need the UUID of the <I>physical</I> block device; in <CODE>blkid(8)</CODE> this will be the line that starts with <CODE>/dev/mmcblk</CODE> or <CODE>/dev/sd[<I>X</I>]</CODE>.
 </P>
-<P>
-The <CODE>localmount</CODE> OpenRC service will also have to be enabled for the system to read <CODE>fstab(5)</CODE>.
-</P>
 
 <H2>Random MAC address generation on Wifi</H2>
 <P>