CRYPTSETUP-TOKEN(8)          Maintenance Commands          CRYPTSETUP-TOKEN(8)

NAME
       cryptsetup-token - manage LUKS2 tokens

SYNOPSIS
       cryptsetup token <add|remove|import|export> [<options>] <device>

DESCRIPTION
       Action add creates a new keyring token to enable auto-activation of the
       device. For auto-activation, the passphrase must be stored in the
       keyring with the specified description. Usually, the passphrase should
       be stored in the user or user-session keyring. The token command is
       supported only for LUKS2.

       To add a new keyring token, the --key-description option is mandatory.
       The new token is assigned to the key slot specified with the --key-slot
       option, or to all active key slots if --key-slot is omitted.

       To remove an existing token, specify the ID of the token to remove with
       the --token-id option.

       WARNING: The action token remove removes any token type, not just the
       keyring type, from the token slot specified by the --token-id option.

       Action import can store arbitrary valid token JSON in the LUKS2 header.
       It may be passed via standard input or via a file passed in the
       --json-file option. If you specify --key-slot, the successfully
       imported token is also assigned to the key slot.

       Action export writes requested token JSON to a file passed with
       --json-file or to standard output.

       If --token-id is used with action add or action import and a token with
       that ID already exists, option --token-replace can be used to replace
       the existing token.

       <options> can be [--header, --token-id, --key-slot, --key-description,
       --disable-external-tokens, --disable-locks, --disable-keyring,
       --json-file, --token-replace].

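An added example, not part of cryptsetup or of this manual page: a Python pre-check for token JSON before it is passed to `cryptsetup token import --json-file`, or for auditing the output of `cryptsetup token export`. The field names `type`, `keyslots` and `key_description` follow the LUKS2 on-disk token format; `check_token`, its `active_keyslots` parameter and the sample tokens are constructed for illustration.

```python
import json

MAX_LUKS2_KEYSLOT = 31  # per the manual: valid LUKS2 key slot IDs are 0..31

def check_token(raw, active_keyslots=None):
    """Return a list of problems in one token JSON document; empty means OK.

    active_keyslots: optional set of int slot IDs known to be in use
    (hypothetical input, e.g. collected from the header beforehand).
    """
    try:
        tok = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(tok, dict):
        return ["token must be a JSON object"]
    problems = []
    ttype = tok.get("type")
    if not isinstance(ttype, str) or not ttype:
        problems.append("missing or non-string 'type'")
    slots = tok.get("keyslots")
    if not isinstance(slots, list):
        problems.append("missing 'keyslots' array")
        slots = []
    for s in slots:
        # Slot references are short decimal strings; isascii() rejects digits
        # such as "\u00b2" that isdigit() accepts but int() cannot parse.
        if not (isinstance(s, str) and s.isascii() and s.isdigit()
                and len(s) <= 2 and int(s) <= MAX_LUKS2_KEYSLOT):
            problems.append(f"keyslot {s!r} is not a string ID in 0..31")
        elif active_keyslots is not None and int(s) not in active_keyslots:
            problems.append(f"keyslot {s} is not active in this header")
    if ttype == "luks2-keyring":
        # A keyring token is only usable with a keyring key description.
        desc = tok.get("key_description")
        if not isinstance(desc, str) or not desc:
            problems.append("keyring token without 'key_description'")
    return problems

# Constructed sample tokens (not taken from a real header).
GOOD = '{"type":"luks2-keyring","keyslots":["0","1"],"key_description":"disk:root"}'
BAD_SLOTS = '{"type":"luks2-keyring","keyslots":[0,"32"],"key_description":"x"}'
NO_DESC = '{"type":"luks2-keyring","keyslots":[]}'
CUSTOM = '{"type":"example-hw","keyslots":["3"]}'

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("BAD_SLOTS", BAD_SLOTS),
                      ("NO_DESC", NO_DESC), ("CUSTOM", CUSTOM)]:
        print(name, check_token(raw, active_keyslots={0, 1}) or "ok")
```
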
OPTIONS
       --json-file
           Read token JSON from a file or write token to it. --json-file=-
           reads JSON from standard input or writes it to standard output
           respectively.

       --token-replace
           Replace an existing token when adding or importing a token with the
           --token-id option.

       --key-slot, -S <0-N>
           For LUKS operations that add key material, this option allows you
           to specify which key slot is selected for the new key.

           The maximum number of key slots depends on the LUKS version. LUKS1
           can have up to 8 key slots. LUKS2 can have up to 32 key slots based
           on key slot area size and key size, but a valid key slot ID can
           always be between 0 and 31 for LUKS2.

       --header <device or file storing the LUKS header>
           Use a detached (separated) metadata device or file where the LUKS
           header is stored. This option allows one to store ciphertext and
           LUKS header on different devices.

           For commands that change the LUKS header (e.g. luksAddKey), specify
           the device or file with the LUKS header directly as the LUKS
           device.

       --disable-external-tokens
           Disable loading of plugins for external LUKS2 tokens.

       --disable-locks
           Disable lock protection for metadata on disk. This option is valid
           only for LUKS2 and ignored for other formats.

           WARNING: Do not use this option unless you run cryptsetup in a
           restricted environment where locking is impossible to perform
           (where /run directory cannot be used).

       --disable-keyring
           Do not load volume key in kernel keyring and store it directly in
           the dm-crypt target instead. This option is supported only for the
           LUKS2 type.

       --key-description <text>
           Set key description in keyring for use with token command.

       --token-id
           Specify what token to use. If omitted, all available tokens will be
           checked before proceeding further with passphrase prompt.

       --batch-mode, -q
           Suppresses all confirmation questions. Use with care!

           If the --verify-passphrase option is not specified, this option
           also switches off the passphrase verification.

       --debug or --debug-json
           Run in debug mode with full diagnostic logs. Debug output lines are
           always prefixed by #.

           If --debug-json is used, additional LUKS2 JSON data structures are
           printed.

       --version, -V
           Show the program version.

       --usage
           Show short option help.

       --help, -?
           Show help text and default parameters.

REPORTING BUGS
       Report bugs to the cryptsetup mailing list <cryptsetup@lists.linux.dev>
       or in the Issues project section
       <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.

       Please attach the output of the failed command with the --debug option
       added.

SEE ALSO
       Cryptsetup FAQ
       <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>

       cryptsetup(8), integritysetup(8) and veritysetup(8)

CRYPTSETUP
       Part of cryptsetup project <https://gitlab.com/cryptsetup/cryptsetup/>.

cryptsetup 2.5.0                  2022-07-28               CRYPTSETUP-TOKEN(8)