3 :manmanual: Maintenance Commands
4 :mansource: cryptsetup {release-version}
5 :man-linkstyle: pass:[blue R < >]
11 cryptsetup-token - manage LUKS2 tokens
15 *cryptsetup _token_ <add|remove|import|export|unassign> [<options>] <device>*
19 Action _add_ creates a new keyring token to enable auto-activation of the
20 device. For the auto-activation, the passphrase must be stored in
21 keyring with the specified description. Usually, the passphrase should
22 be stored in _user_ or _user-session_ keyring. The _token_ command is
23 supported only for LUKS2.
25 For adding new keyring token, option --key-description is mandatory.
26 Also, new token is assigned to key slot specified with --key-slot option
27 or to all active key slots in the case --key-slot option is omitted.
29 To remove existing token, specify the token ID which should be removed
30 with --token-id option.
32 *WARNING:* The action _token remove_ removes any token type, not just
33 _keyring_ type from token slot specified by --token-id option.
35 Action _import_ can store arbitrary valid token json in LUKS2 header. It
36 may be passed via standard input or via file passed in --json-file
37 option. If you specify --key-slot then successfully imported token is
38 also assigned to the key slot.
40 Action _export_ writes requested token JSON to a file passed with
41 --json-file or to standard output.
43 Action _unassign_ removes token binding to specified keyslot. Both token
44 and keyslot must be specified by --token-id and --key-slot parameters.
46 If --token-id is used with action _add_ or action _import_ and a token
47 with that ID already exists, option --token-replace can be used to
48 replace the existing token.
50 *<options>* can be [--header, --token-id, --key-slot, --key-description,
51 --disable-external-tokens, --disable-locks, --disable-keyring,
52 --json-file, --token-replace, --unbound].
54 include::man/common_options.adoc[]
55 include::man/common_footer.adoc[]
projects / platform / upstream / cryptsetup.git / blob