table of contents
CRYPTSETUP-TOKEN(8) | Maintenance Commands | CRYPTSETUP-TOKEN(8) |
NAME¶
cryptsetup-token - manage LUKS2 tokens
SYNOPSIS¶
cryptsetup token <add|remove|import|export|unassign> [<options>] <device>
DESCRIPTION¶
Action add creates a new keyring token to enable auto-activation of the device. For the auto-activation, the passphrase must be stored in keyring with the specified description. Usually, the passphrase should be stored in user or user-session keyring. The token command is supported only for LUKS2.
For adding new keyring token, option --key-description is mandatory. Also, new token is assigned to key slot specified with --key-slot option or to all active key slots in the case --key-slot option is omitted.
To remove existing token, specify the token ID which should be removed with --token-id option.
WARNING: The action token remove removes any token type, not just keyring type from token slot specified by --token-id option.
Action import can store arbitrary valid token json in LUKS2 header. It may be passed via standard input or via file passed in --json-file option. If you specify --key-slot then successfully imported token is also assigned to the key slot.
Action export writes requested token JSON to a file passed with --json-file or to standard output.
Action unassign removes token binding to specified keyslot. Both token and keyslot must be specified by --token-id and --key-slot parameters.
If --token-id is used with action add or action import and a token with that ID already exists, option --token-replace can be used to replace the existing token.
<options> can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, --json-file, --token-replace, --unbound].
OPTIONS¶
--json-file
--token-replace
--key-slot, -S <0-N>
The maximum number of key slots depends on the LUKS version. LUKS1 can have up to 8 key slots. LUKS2 can have up to 32 key slots based on key slot area size and key size, but a valid key slot ID can always be between 0 and 31 for LUKS2.
--header <device or file storing the LUKS header>
For commands that change the LUKS header (e.g. luksAddKey), specify the device or file with the LUKS header directly as the LUKS device.
--disable-external-tokens
--disable-locks
WARNING: Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used).
--disable-keyring
--key-description <text>
--token-id
--unbound
--batch-mode, -q
If the --verify-passphrase option is not specified, this option also switches off the passphrase verification.
--debug or --debug-json
If --debug-json is used, additional LUKS2 JSON data structures are printed.
--version, -V
--usage
--help, -?
Report bugs at cryptsetup mailing list <cryptsetup@lists.linux.dev> or in Issues project section <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.
Please attach output of the failed command with --debug option added.
SEE ALSO¶
Cryptsetup FAQ <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>
CRYPTSETUP¶
Part of cryptsetup project <https://gitlab.com/cryptsetup/cryptsetup/>.
2023-06-30 | cryptsetup 2.6.0 |