cryptsetup-ssh - Man Page

manage LUKS2 SSH token


cryptsetup-ssh <action> [<options>] <action args>


Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server.

This plugin currently allows only adding a token to an existing key slot. See cryptsetup(8) for instructions on how to remove, import or export the token.

Add operation

add <options> <device>

Adds the SSH token to <device>.

The specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device. Provided credentials will be used by cryptsetup to get the password when opening the device using the token.

Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.



Keyslot to assign the token to. If not specified, the token will be assigned to the first key slot matching provided passphrase.


Path to the SSH key for connecting to the remote server.


Path to the key file on the remote server.


IP address/URL of the remote server for this token.


Username used for the remote server.


Show debug messages


Show debug messages including JSON metadata

--verbose,  -v

Shows more detailed error messages

--help,  -?

Show help

--version,  -V

Print program version


The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.


The cryptsetup-ssh tool is written by Vojtech Trefny.

Reporting Bugs

Report bugs at cryptsetup mailing list or in Issues project section.

Please attach output of the failed command with --debug option added.

See Also

Cryptsetup FAQ

cryptsetup(8), integritysetup(8) and veritysetup(8)


Part of cryptsetup project.


2023-07-19 cryptsetup-ssh 2.6.1 Maintenance Commands