cryptsetup-token - manage LUKS2 tokens
Action add creates a new keyring token to enable auto-activation of the device. For the auto-activation, the passphrase must be stored in the keyring with the specified description. Usually, the passphrase should be stored in the user or user-session keyring. The token command is supported only for LUKS2.
For adding a new keyring token, the option --key-description is mandatory. Also, a new token is assigned to the keyslot specified with --key-slot option or to all active keyslots if the --key-slot option is omitted.
To remove an existing token, specify the token ID that should be removed with --token-id option.
WARNING: The action token remove removes any token type, not just keyring type from token slot specified by --token-id option.
Action import can store an arbitrary valid JSON data in the LUKS2 token. It may be passed via standard input or a file passed in --json-file option. If you specify --key-slot, a successfully imported token is also assigned to the keyslot.
Action export writes requested token JSON to a file passed with --json-file or to standard output.
Action unassign removes token binding to specified keyslot. Both token and keyslot must be specified by --token-id and --key-slot parameters.
If --token-id is used with action add or action import and a token with that ID already exists, option --token-replace can replace the existing token.
<options> can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, --json-file, --token-replace, --unbound, --external tokens-path].