cryptsetup-token - Linux
Overview
cryptsetup-token is a tool for managing LUKS2 or LUKS1 token passphrases in the kernel’s token keyring.
Syntax
cryptsetup-token [options] --load-token --token-source=<source> [device]
cryptsetup-token [options] --export-token --token=<token>
cryptsetup-token [options] --insert-token --token=<token> \
    --token-source=<source> [device]
cryptsetup-token [options] --withdraw-token --token=<token>
cryptsetup-token [options] --release-token --token=<token>
Options/Flags
--token-cache-size=
Set maximum token cache size. Default: 8192
--token-cache-hash
Enable token cache hash integrity check. Default: false
--token-cache-strong-hash
Use strong token cache hash digest as in LUKS1. Default: false
--all
List all currently inserted tokens.
--allow-discards
Allow discarded tokens to be used again.
--display-token
Display token string as base64.
--dry-run
Run without making any changes.
--help
Display help information.
--profile-cache
Run self-test to profile performance of cache.
--quiet
Suppress non-error messages.
--tag=
Specify one or more specific tags used to identify tokens.
--version
Display version information.
Examples
Load a token into the kernel’s token keyring:
cryptsetup-token --load-token --token-source=/dev/sr0
Export a token from the kernel’s token keyring:
cryptsetup-token --export-token --token=87258e68-886f-492f-86c2-ba23581ce22c
Insert a token into a LUKS device:
cryptsetup-token --insert-token --token=87258e68-886f-492f-86c2-ba23581ce22c \
--token-source=/dev/sr0 /dev/mapper/crypt
Withdraw a token from the kernel’s token keyring:
cryptsetup-token --withdraw-token --token=87258e68-886f-492f-86c2-ba23581ce22c
Release a token from a LUKS device:
cryptsetup-token --release-token --token=87258e68-886f-492f-86c2-ba23581ce22c \
/dev/mapper/crypt
Common Issues
Q: I cannot load the token, I get a "Could not find token string" error.
A: Ensure the token source is correct and that the token is inserted correctly.
Q: I cannot insert the token into my device, I get a "Bad token" error.
A: Ensure the token is valid and that it is authorized for use with the device.
Integration
cryptsetup-token can be used in combination with other LUKS tools to manage encrypted devices. For example, it can be used with cryptsetup luksAddToken to add a token to a device, or with cryptsetup luksRemoveToken to remove a token from a device.
Related Commands
cryptsetup
luksAddToken
luksRemoveToken