cryptsetup-token - Linux


Overview

cryptsetup-token is a tool for managing LUKS2 or LUKS1 token passphrases in the kernel’s token keyring.

Syntax

cryptsetup-token [options] --load-token --token-source=<source> [device]
cryptsetup-token [options] --export-token --token=<token>
cryptsetup-token [options] --insert-token --token=<token> \
  --token-source=<source> [device]
cryptsetup-token [options] --withdraw-token --token=<token>
cryptsetup-token [options] --release-token --token=<token>

Options/Flags

--token-cache-size=
Set maximum token cache size. Default: 8192

--token-cache-hash
Enable token cache hash integrity check. Default: false

--token-cache-strong-hash
Use strong token cache hash digest as in LUKS1. Default: false

--all
List all currently inserted tokens.

--allow-discards
Allow discarded tokens to be used again.

--display-token
Display token string as base64.

--dry-run
Run without making any changes.

--help
Display help information.

--profile-cache
Run a self-test to profile cache performance.

--quiet
Suppress non-error messages.

--tag=[,,…]
Specify one or more tags used to identify tokens.

--version
Display version information.

Examples

Load a token into the kernel’s token keyring:

cryptsetup-token --load-token --token-source=/dev/sr0

Export a token from the kernel’s token keyring:

cryptsetup-token --export-token --token=87258e68-886f-492f-86c2-ba23581ce22c

Insert a token into a LUKS device:

cryptsetup-token --insert-token --token=87258e68-886f-492f-86c2-ba23581ce22c \
  --token-source=/dev/sr0 /dev/mapper/crypt

Withdraw a token from the kernel’s token keyring:

cryptsetup-token --withdraw-token --token=87258e68-886f-492f-86c2-ba23581ce22c

Release a token from a LUKS device:

cryptsetup-token --release-token --token=87258e68-886f-492f-86c2-ba23581ce22c \
  /dev/mapper/crypt

Common Issues

Q: I cannot load the token, I get a "Could not find token string" error.
A: Ensure the token source is correct and that the token is inserted correctly.

Q: I cannot insert the token into my device, I get a "Bad token" error.
A: Ensure the token is valid and that it is authorized for use with the device.

Integration

cryptsetup-token can be used in combination with other LUKS tools to manage encrypted devices. For example, it can be used with cryptsetup luksAddToken to add a token to a device, or with cryptsetup luksRemoveToken to remove a token from a device.

Related Commands

  • cryptsetup
  • luksAddToken
  • luksRemoveToken