cryptsetup-token - Linux


cryptsetup-token is a tool for managing LUKS2 or LUKS1 token passphrases in the kernel’s token keyring.


cryptsetup-token [options] --load-token --token-source=<source> [device]
cryptsetup-token [options] --export-token --token=<token>
cryptsetup-token [options] --insert-token --token=<token>\
  --token-source=<source> [device]
cryptsetup-token [options] --withdraw-token --token=<token>
cryptsetup-token [options] --release-token --token=<token>


Set maximum token cache size. Default: 8192

Enable token cache hash integrity check. Default: false

Use strong token cache hash digest as in LUKS1. Default: false

List all currently inserted tokens.

Allow discarded tokens to be used again.

Display token string as base64.

Run without making any changes.

Display help information.

Run self-test to profile performance of cache.

Suppress non-error messages.

Specify one or more specific tags used to identify tokens.

Display version information.


Load a token into the kernel’s token keyring:

cryptsetup-token --load-token --token-source=/dev/sr0

Export a token from the kernel’s token keyring:

cryptsetup-token --export-token --token=87258e68-886f-492f-86c2-ba23581ce22c

Insert a token into a LUKS device:

cryptsetup-token --insert-token --token=87258e68-886f-492f-86c2-ba23581ce22c \
  --token-source=/dev/sr0 /dev/mapper/crypt

Withdraw a token from the kernel’s token keyring:

cryptsetup-token --withdraw-token --token=87258e68-886f-492f-86c2-ba23581ce22c

Release a token from a LUKS device:

cryptsetup-token --release-token --token=87258e68-886f-492f-86c2-ba23581ce22c \

Common Issues

Q: I cannot load the token, I get a "Could not find token string" error.
A: Ensure the token source is correct and that the token is inserted correctly.

Q: I cannot insert the token into my device, I get a "Bad token" error.
A: Ensure the token is valid and that it is authorized for use with the device.


cryptsetup-token can be used in combination with other LUKS tools to manage encrypted devices. For example, it can be used with cryptsetup luksAddToken to add a token to a device, or with cryptsetup luksRemoveToken to remove a token from a device.

Related Commands

  • cryptsetup
  • luksAddToken
  • luksRemoveToken