@v6ak
Last active March 1, 2023 19:20
Encrypting swap and largetmp with a random key; see https://groups.google.com/forum/#!topic/qubes-users/X0BBZ-kfix0 for the context
$ sudo /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
$ sudo systemctl daemon-reload
$ sudo systemctl restart cryptsetup.target

dom0-largetmp /dev/<PV name>/<encrypted largetmp LV name> /dev/random plain,cipher=aes-cbc-essiv:sha256
dom0-swap /dev/<PV name>/<encrypted swap LV name> /dev/random swap,cipher=aes-cbc-essiv:sha256

/dev/mapper/dom0-largetmp /largetmp ext4 defaults,barrier=0,delalloc,noatime,nodiratime,norecovery,noacl,nouser_xattr,noauto_da_alloc,noinit_itable 0 0
# It seems that the kernel of Qubes 3.2 complains about the options data=writeback and commit=36000.
/dev/mapper/dom0-swap swap swap defaults 0 0

[Unit]
# Optional tweak for startup time. If you use it, you should remove the tmp option from crypttab; if you leave the tmp option in crypttab, you will gain no startup performance.
Description=Filesystem for largetmp
DefaultDependencies=no
Requires=cryptsetup.target
After=cryptsetup.target
Before=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/mkfs.ext4 /dev/mapper/dom0-largetmp -m 0 -E lazy_itable_init=1 -E lazy_journal_init=1 -O sparse_super -O ^has_journal
[Install]
RequiredBy=local-fs.target
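
A pre-flight check for the crypttab and fstab lines above, as an added example that is not part of the gist: it flags random-keyed entries that do not force plain mode, notes plain-only volumes that depend on a boot-time mkfs, and verifies that each mapping has an fstab line. The function name `check_crypttab`, the `vg0` device paths and the `scratch` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): lint random-keyed crypttab entries.
# check_crypttab CRYPTTAB FSTAB -> prints findings, returns 1 on any FAIL.
check_crypttab() {
    cc_fail=0
    while read -r cc_name cc_dev cc_key cc_opts cc_rest; do
        case $cc_name in ''|\#*) continue ;; esac
        # Only entries keyed from a random device are of interest here.
        case $cc_key in /dev/random|/dev/urandom) ;; *) continue ;; esac
        case ",$cc_opts," in
            *,swap,*|*,tmp,*|*,tmp=*)
                ;;  # crypttab(5): swap and tmp imply plain and format the volume
            *,plain,*)
                # Plain mode is forced, but nothing formats the volume:
                # a boot-time mkfs (the gist's oneshot unit) has to do it.
                echo "NOTE $cc_name: plain only, needs mkfs before mount" ;;
            *)
                # A throwaway key with no explicit plain/swap/tmp option.
                echo "FAIL $cc_name: random key without plain/swap/tmp"
                cc_fail=1 ;;
        esac
        # The mapping is unused unless fstab refers to /dev/mapper/<name>.
        if ! awk -v d="/dev/mapper/$cc_name" \
                '$1 == d { f = 1 } END { exit !f }' "$2"; then
            echo "FAIL $cc_name: no fstab entry for /dev/mapper/$cc_name"
            cc_fail=1
        fi
    done < "$1"
    [ "$cc_fail" -eq 0 ]
}

# Constructed sample input: the gist's entries with made-up VG/LV names,
# plus one deliberately incomplete "scratch" entry.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
dom0-largetmp /dev/vg0/largetmp-enc /dev/random plain,cipher=aes-cbc-essiv:sha256
dom0-swap /dev/vg0/swap-enc /dev/random swap,cipher=aes-cbc-essiv:sha256
scratch /dev/vg0/scratch /dev/urandom cipher=aes-cbc-essiv:sha256
EOF
cat > "$demo/fstab" <<'EOF'
/dev/mapper/dom0-largetmp /largetmp ext4 defaults,noatime 0 0
/dev/mapper/dom0-swap swap swap defaults 0 0
EOF
check_crypttab "$demo/crypttab" "$demo/fstab" || echo "crypttab needs attention"
```

Run it against copies of the real `/etc/crypttab` and `/etc/fstab` before restarting `cryptsetup.target`.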