= cryptsetup-ssh(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup-ssh {release-version}
:man-linkstyle: pass:[blue R < >]

== NAME

cryptsetup-ssh - manage LUKS2 SSH token

== SYNOPSIS

*cryptsetup-ssh <action> [<options>] <action args>*

== DESCRIPTION

Experimental cryptsetup plugin for unlocking LUKS2 devices with a token connected to an SSH server.

This plugin currently allows only adding a token to an existing keyslot.
See *cryptsetup*(8) for instructions on how to remove, import or export the token.

=== Add operation

*add <options> <device>*

Adds the SSH token to *<device>*.

The specified SSH server must contain a key file on the specified path with a passphrase for an existing keyslot on the device.
Provided credentials will be used by cryptsetup to get the password when opening the device using the token.

Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.

== OPTIONS

*--debug*::
Show debug messages

*--debug-json*::
Show debug messages including JSON metadata

*--help*, *-?*::
Show help

*--key-slot* _number_::
Keyslot to assign the token to.
If not specified, the token will be assigned to the first keyslot matching the provided passphrase.

*--ssh-keypath* _string_::
Path to the SSH key for connecting to the remote server.

*--ssh-path* _string_::
Path to the key file on the remote server.

*--ssh-server* _string_::
IP address/URL of the remote server for this token.

*--ssh-user* _string_::
The username used for the remote server.

*--verbose*, *-v*::
Shows more detailed error messages

*--version*, *-V*::
Print program version

== NOTES

The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.

== AUTHORS

The cryptsetup-ssh tool is written by Vojtech Trefny.

include::man/common_footer.adoc[]