Your company here — click to reach over 10,000 unique daily visitors

cryptsetup-ssh - Man Page

manage LUKS2 SSH token


cryptsetup-ssh <action> [<options>] <action args>


Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server.

This plugin currently allows only adding a token to an existing key slot. See cryptsetup(8) for instructions on how to remove, import or export the token.

Add operation

add <options> <device>

Adds the SSH token to <device>.

The specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device. Provided credentials will be used by cryptsetup to get the password when opening the device using the token.

Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.



Show debug messages


Show debug messages including JSON metadata

--help,  -?

Show help


Keyslot to assign the token to. If not specified, the token will be assigned to the first key slot matching provided passphrase.


Path to the SSH key for connecting to the remote server.


Path to the key file on the remote server.


IP address/URL of the remote server for this token.


Username used for the remote server.

--verbose,  -v

Shows more detailed error messages

--version,  -V

Print program version


The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.


The cryptsetup-ssh tool is written by Vojtech Trefny.

Reporting Bugs

Report bugs at cryptsetup mailing list or in Issues project section.

Please attach output of the failed command with --debug option added.

See Also

Cryptsetup FAQ

cryptsetup(8), integritysetup(8) and veritysetup(8)


Part of cryptsetup project.


2024-06-17 cryptsetup-ssh 2.7.3 Maintenance Commands