diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 7626e762..e43f0278 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -250,6 +250,25 @@ in
 cargo.persist.byStore.plaintext = [ ".cargo" ];
+ # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
+ cryptsetup.sandbox.method = "landlock";
+ cryptsetup.sandbox.wrapperType = "wrappedDerivation";
+ cryptsetup.sandbox.extraPaths = [
+ "/dev/mapper"
+ "/dev/random"
+ "/dev/urandom"
+ "/run" #< it needs the whole directory, at least if using landlock
+ "/proc"
+ "/sys/dev/block"
+ "/sys/devices"
+ ];
+ cryptsetup.sandbox.capabilities = [ "sys_admin" ];
+ cryptsetup.sandbox.autodetectCliPaths = "existing";
+
+ ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
+ ddrescue.sandbox.wrapperType = "wrappedDerivation";
+ ddrescue.sandbox.autodetectCliPaths = "existingFileOrParent";
+
 # auth token, preferences
 delfin.sandbox.method = "bwrap";
 delfin.sandbox.wrapperType = "wrappedDerivation";
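Review bot: `cryptsetup.sandbox.capabilities = [ "sys_admin" ]` together with whole-directory access to `/run`, `/proc` and `/sys/devices` makes this sandbox considerably weaker than the `landlock` method name suggests, and nothing in the hunk records that. Landlock scopes filesystem access, so it does not bound the non-filesystem privileges that CAP_SYS_ADMIN carries, and `/run` commonly holds service sockets and runtime secrets on the host. I would add a comment above the capabilities line such as `# sys_admin: presumably needed for device-mapper ioctls; landlock does not confine it, so this wrapper is path-scoping only`, and extend the `/run` comment to name the subpath cryptsetup actually uses (likely its LUKS2 lock directory, to be confirmed) so the grant can be narrowed later. The `ddrescue` entry is marked untested; its TODO could also say what to verify, e.g. that `existingFileOrParent` still covers the source device and the map file for the whole of a recovery run.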