systemd-cryptenroll

Enroll new password

$ systemd-cryptenroll --password [/dev/luks_device]

$ systemd-cryptenroll --recovery-key [/dev/luks_device]

$ systemd-cryptenroll --pkcs11-token-uri [list|auto|uri] [/dev/luks_device]

$ systemd-cryptenroll --fido2-device [list|auto|/path/to/hidraw] [/dev/luks_device]

$ systemd-cryptenroll --fido2-device auto --fido2-with-user-verification yes [/dev/luks_device]

$ systemd-cryptenroll --tpm2-device auto --tpm2-with-pin yes [/dev/luks_device]

$ systemd-cryptenroll --wipe-slot [empty|password|fido2|pkcs11|tpm2|recovery|all] [/dev/luks_device]

systemd-cryptenroll [OPTIONS] [DEVICE]

systemd-cryptenroll manages enrollment of unlock methods for LUKS2 encrypted volumes. It supports five types: passwords, recovery keys, PKCS#11 tokens (smartcards like YubiKeys), FIDO2 tokens (with hmac-secret extension), and TPM2 security chips.
The tool stores token metadata in LUKS2's JSON token area, enabling automatic unlocking during boot when configured with `/etc/crypttab` or the initramfs.

--password

Enroll a new password

Enroll a randomly generated recovery passphrase

List or enroll PKCS#11 token (smartcard)

List or enroll FIDO2 device

Require biometric verification for FIDO2

Enroll TPM2 security chip

Require additional PIN with TPM2

Unlock using FIDO2 device (to enroll another method)

Remove enrolled methods (password, fido2, pkcs11, tpm2, recovery, all, empty)

Works only with LUKS2 volumes, not LUKS1. Requires an existing unlock method to enroll new ones. TPM2 enrollments can be bound to specific PCR states, which may break if software is updated. Multiple FIDO2 tokens may require multiple PIN prompts.

systemd-cryptenroll was added to systemd to provide a unified interface for modern hardware-based disk encryption unlocking. It complements cryptsetup and integrates with systemd's boot process for seamless encrypted root filesystem support.

cryptsetup(8), systemd-cryptsetup(8)