= cryptsetup-token(8)
:doctype: manpage
:manmanual: Maintenance Commands
:mansource: cryptsetup {release-version}
:man-linkstyle: pass:[blue R < >]
:COMMON_OPTIONS:
:ACTION_TOKEN:

== Name

cryptsetup-token - manage LUKS2 tokens

== SYNOPSIS

*cryptsetup _token_ <add|remove|import|export|unassign> [<options>] <device>*

== DESCRIPTION

Action _add_ creates a new keyring token to enable auto-activation of the device.
For the auto-activation, the passphrase must be stored in the keyring with the specified description.
Usually, the passphrase should be stored in the _user_ or _user-session_ keyring.
The _token_ command is supported only for LUKS2.

For adding a new keyring token, the option --key-description is mandatory.
Also, a new token is assigned to the keyslot specified with --key-slot option or to all active keyslots if the --key-slot option is omitted.

To remove an existing token, specify the token ID that should be removed with --token-id option.

*WARNING:* The action _token remove_ removes any token type, not just _keyring_ type from token slot specified by --token-id option.

Action _import_ can store an arbitrary valid JSON data in the LUKS2 token.
It may be passed via standard input or a file passed in --json-file option.
If you specify --key-slot, a successfully imported token is also assigned to the keyslot.

Action _export_ writes requested token JSON to a file passed with --json-file or to standard output.

Action _unassign_ removes token binding to specified keyslot.
Both token and keyslot must be specified by --token-id and --key-slot parameters.

If --token-id is used with action _add_ or action _import_ and a token with that ID already exists, option --token-replace can replace the existing token.

*<options>* can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, --json-file, --token-replace, --unbound, --external tokens-path].

include::man/common_options.adoc[]
include::man/common_footer.adoc[]