

encryption

harddisks usbkeys

dm-crypt & luks

# Create a LUKS volume on a disk or USB key, format it with ext4 and fill its free space.
# "device_name" and "crypt_name" are placeholders for the real block device and mapping name.

#crypt device
# luksFormat writes a new LUKS header: whatever is on /dev/"device_name" becomes unreadable.
# -y asks for the passphrase twice; -c selects the cipher and -s the key size in bits.
# NOTE(review): aes-cbc-essiv:sha256 is a legacy choice; current cryptsetup releases
# default to aes-xts-plain64, so prefer the default on new volumes unless an old
# system has to open this device.
cryptsetup -y -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/"device_name"
 
#open device
# Maps the decrypted view of the device to /dev/mapper/"crypt_name" after the passphrase is entered.
cryptsetup luksOpen /dev/"device_name" "crypt_name"
 
#make filesystem
mkfs.ext4 /dev/mapper/"crypt_name"
 
#mount and fill with random data (fast way)
# Filling the free space keeps used and unused areas of the disk indistinguishable.
# Writing through the mounted filesystem only reaches blocks a file can occupy;
# filesystem metadata and root-reserved blocks are not overwritten. Overwriting
# /dev/mapper/"crypt_name" before mkfs covers the whole device instead.
# NOTE(review): randfs is not a standard utility; presumably it writes random data
# to the given file until the filesystem is full. Confirm, and delete
# /mnt/random.file afterwards so the space can be used.
mount /dev/mapper/"crypt_name" /mnt/
randfs /mnt/random.file
 
#umount and close crypt
# luksClose removes the mapping, so the plaintext view is no longer available.
umount /mnt/
cryptsetup luksClose "crypt_name"

/etc/crypttab

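At boot, the first entry prompts for a passphrase; the second reads its key from a keyfile under /mnt/keys/. The keyfile is only as well protected as the place it is stored, which is why /mnt/keys is itself an encrypted loop-aes container (set up below).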

# Two example entries; in a real file each entry has its own target name and source device.
# Entry 1: key file "none" means the passphrase is asked for interactively.
# Entry 2: the key is read from a file under /mnt/keys/; keep that file readable by root only.
# NOTE(review): crypttab(5) documents cipher= as ignored for LUKS devices, because the
# LUKS header already records the cipher. Confirm for your release.
# <target name>	<source device>	<key file> <options>
"crypt_name" /dev/"device_name" none luks,cipher=aes-cbc-essiv:sha256
"crypt_name" /dev/"device_name" /mnt/keys/"crypt_name".key luks,cipher=aes-cbc-essiv:sha256

loop-aes with 100MB file

# Build a small encrypted container file that will hold the keyfiles.

#create file crypt.aes 100MB
# 2 KiB x 50000 blocks = 102,400,000 bytes; pre-filling with random data means
# unused areas of the container do not stand out from encrypted ones.
dd if=/dev/urandom of=./crypt.aes bs=2k count=50000
 
#setup loop, you will be prompted for passphrase
# NOTE(review): -e needs a losetup with loop encryption support (loop-AES patched);
# stock util-linux builds may not accept it. Confirm on the target system.
# This passphrase protects every keyfile stored in the container.
losetup -e aes /dev/loop0 ./crypt.aes
 
#make FS
mkfs.ext3 /dev/loop0
 
#release loop
losetup -d /dev/loop0
 
#make node
# /mnt/keys is the mount point used for the container in /etc/fstab.
mkdir /mnt/keys

/etc/fstab

# Mount entry for the keyfile container.
# The container was created as ./crypt.aes; this entry expects it at /crypt.aes,
# so create it in / or adjust the path.
# noauto: not mounted by "mount -a"; it is mounted on request (see CRYPTDISKS_MOUNT).
# NOTE(review): encryption=aes is presumably handled by a loop-AES patched mount,
# which asks for the container passphrase. Confirm on the target system.
/crypt.aes /mnt/keys       ext3    noauto,encryption=aes   0       0

the keys

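# Generate a 256-byte random keyfile and enrol it as an additional LUKS key.
# The file is written to /mnt/keys/"crypt_name".key, the path the /etc/crypttab
# entry reads at boot, so the keyfile container must be mounted on /mnt/keys first.
# umask 077 in a subshell: the keyfile is never readable by group or others.
( umask 077; head -c 256 /dev/random > /mnt/keys/"crypt_name".key )
# luksAddKey (capital K) is the documented action name. cryptsetup asks for an
# existing passphrase before it adds the keyfile to a free key slot.
cryptsetup luksAddKey /dev/"device_name" /mnt/keys/"crypt_name".key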

settings

/etc/default/cryptdisks

# Defaults read by the cryptdisks boot script.

# Run cryptdisks at startup?
CRYPTDISKS_ENABLE=Yes
 
# Mountpoints to mount before starting cryptsetup. This is useful for
# keyfiles on removable media. Separate mountpoints with spaces.
# Here it is the keyfile container from /etc/fstab: anyone who can mount it
# can read every keyfile inside, so its passphrase guards all keyfile-unlocked volumes.
CRYPTDISKS_MOUNT="/mnt/keys"
 
# Default check script, see /lib/cryptsetup/checks/
# Takes effect if the 'check' option is set in crypttab without a value.
CRYPTDISKS_CHECK=vol_id
 
# Default precheck script (the location is missing on the page; presumably the
# same /lib/cryptsetup/checks/ directory. Confirm).
# Takes effect if the 'precheck' option is set in crypttab without a value.
# Empty here: no default precheck script is set.
CRYPTDISKS_PRECHECK=
 
# Default timeout in seconds for the password prompt.
# Takes effect if the 'timeout' option is set in crypttab without a value.
CRYPTDISKS_TIMEOUT=180
Last modified: le 2009/01/05 15:44