Ah yes, the PDF. I forgot about that doc too.

Based on the LUKS2 spec and your examples I am importing/exporting token data but finding it non-intuitive and inconsistent. I have two keyslots for device /dev/sdb2 and I'm trying to assign the tokens to keyslot 1. I can assign to all keyslots or to keyslot 0 but NOT keyslot 1. Here is the short output. Debug doesn't give me any useful information but I'll post some for the last two commands.

$ echo '{ "type" : "blah" , "keyslots" : [], "foo" : "bar" }' | ./cryptsetup token import /dev/sdb2 --key-slot 1
Failed to assign token 0 to keyslot 1.

$ echo '{ "type" : "blah" , "keyslots" : [ ], "foo" : "bar" }' | ./cryptsetup token import /dev/sdb2 --key-slot 1
Failed to assign token 0 to keyslot 1.

$ echo '{ "type" : "blah" , "keyslots" : [1], "foo" : "bar" }' | ./cryptsetup token import /dev/sdb2
Failed to import token from file.

$ echo '{ "type" : "blah" , "keyslots" : [1], "foo" : "bar" }' | ./cryptsetup token import /dev/sdb2 --key-slot 1
Failed to import token from file.

$ echo '{ "type" : "blah" , "keyslots" : [], "foo" : "bar" }' | ./cryptsetup token import /dev/sdb2 --key-slot 0
$ echo '{ "type" : "blah" , "keyslots" : [], "foo0" : "bar0" }' | ./cryptsetup token import /dev/sdb2 --key-slot 0
$ echo '{ "type" : "blah" , "keyslots" : [], "all" : "all" }' | ./cryptsetup token import /dev/sdb2
$ echo '{ "type" : "blah" , "keyslots" : [], "all" : "1" }' | ./cryptsetup token import /dev/sdb2
$ echo '{ "type" : "blah" , "keyslots" : [], "all" : "2" }' | ./cryptsetup token import /dev/sdb2
$ echo '{ "type" : "blah" , "keyslots" : [], "all" : "3" }' | ./cryptsetup token import /dev/sdb2

$ cryptsetup luksDump /dev/sdb2 --debug-json
...
"tokens":{
  "0":{
    "type":"blah",
    "keyslots":[
      "0"
    ],
    "foo":"bar"
  },
  "1":{
    "type":"blah",
    "keyslots":[
      "0"
    ],
    "foo0":"bar0"
  },
  "2":{
    "type":"blah",
    "keyslots":[
    ],
    "all":"all"
  },
},
...

$ echo '{ "type" : "blah" , "keyslots" : [], "key1" : "does not work" }' | ./cryptsetup token import /dev/sdb2 --key-slot 1 --debug
# cryptsetup 2.4.0-rc1 processing "/home/jt/local/cryptsetup/cryptsetup.jt/.libs/cryptsetup token import /dev/sdb2 --key-slot 1 --debug"
# Running command token.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdb2.
# Trying to open and read device /dev/sdb2 with direct-io.
# Initialising device-mapper backend library.
# Trying to load LUKS2 crypt type from device /dev/sdb2.
# Crypto backend (OpenSSL 1.1.1j 16 Feb 2021) initialized in cryptsetup library version 2.4.0-rc1.
# Detected kernel Linux 5.11.0-25-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdb2.
# Opening lock resource file /run/cryptsetup/L_8:18
# Verifying lock handle for /dev/sdb2.
# Device /dev/sdb2 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdb2
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:57e4caf994053134277ddb302b8d729fb8818d14bcf6eeecefb05cdffec8407f (on-disk)
# Checksum:57e4caf994053134277ddb302b8d729fb8818d14bcf6eeecefb05cdffec8407f (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdb2
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:c3b853e230c1cc786bc6b95cb40650b89b6060bba018d39beb89a26d43eb8af2 (on-disk)
# Checksum:c3b853e230c1cc786bc6b95cb40650b89b6060bba018d39beb89a26d43eb8af2 (in-memory)
# Device size 1907359744, offset 16777216.
# Device /dev/sdb2 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# STDIN descriptor JSON read requested.
# Updating JSON for token -1.
# Trying to load /usr/lib/cryptsetup/libcryptsetup-token-blah.so.
# /usr/lib/cryptsetup/libcryptsetup-token-blah.so: cannot open shared object file: No such file or directory
# Device size 1907359744, offset 16777216.
# Acquiring write lock for device /dev/sdb2.
# Opening lock resource file /run/cryptsetup/L_8:18
# Verifying lock handle for /dev/sdb2.
# Device /dev/sdb2 WRITE lock taken.
# Checking context sequence id matches value stored on disk.
# Reusing open ro fd on device /dev/sdb2
# Trying to write LUKS2 header (16384 bytes) at offset 0.
# Opening locked device /dev/sdb2
# Veryfing locked device handle (bdev)
# Checksum:d5b36f9571c82d4ea76e086e1e16934c2ef99b953d171f6ffbf3ae3e7c47bba3 (in-memory)
# Trying to write LUKS2 header (16384 bytes) at offset 16384.
# Reusing open rw fd on device /dev/sdb2
# Checksum:75aa1286798a9d47acbdf6cf7b67c3b6a3e7af748624bdca64ad222d7e954e4f (in-memory)
# Device /dev/sdb2 WRITE lock released.
# Keyslot 1 assigned to token 6.
# Keyslots section "" is missing "1" (object) specification.
Failed to assign token 6 to keyslot 1.
# Updating JSON for token 6.
# Device size 1907359744, offset 16777216.
# Acquiring write lock for device /dev/sdb2.
# Opening lock resource file /run/cryptsetup/L_8:18
# Verifying lock handle for /dev/sdb2.
# Device /dev/sdb2 WRITE lock taken.
# Checking context sequence id matches value stored on disk.
# Reusing open ro fd on device /dev/sdb2
# Trying to write LUKS2 header (16384 bytes) at offset 0.
# Reusing open rw fd on device /dev/sdb2
# Checksum:29f1ecbb169f48d69be0ae5b2c8a3cfc42d8d25bf0853dcd3119eb27faa6a568 (in-memory)
# Trying to write LUKS2 header (16384 bytes) at offset 16384.
# Reusing open rw fd on device /dev/sdb2
# Checksum:b20770ce7233f9d53f39f863d160f4f511088f860e30502c03a48574da981212 (in-memory)
# Device /dev/sdb2 WRITE lock released.
# Releasing crypt device /dev/sdb2 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdb2.
# Closing read write fd for /dev/sdb2.
Command failed with code -1 (wrong or missing parameters).

$ echo '{ "type" : "blah" , "keyslots" : [1], "key1" : "does not work" }' | ./cryptsetup token import /dev/sdb2 --key-slot 1 --debug
# cryptsetup 2.4.0-rc1 processing "/home/jt/local/cryptsetup/cryptsetup.jt/.libs/cryptsetup token import /dev/sdb2 --key-slot 1 --debug"
# Running command token.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/sdb2.
# Trying to open and read device /dev/sdb2 with direct-io.
# Initialising device-mapper backend library.
# Trying to load LUKS2 crypt type from device /dev/sdb2.
# Crypto backend (OpenSSL 1.1.1j 16 Feb 2021) initialized in cryptsetup library version 2.4.0-rc1.
# Detected kernel Linux 5.11.0-25-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/sdb2.
# Opening lock resource file /run/cryptsetup/L_8:18
# Verifying lock handle for /dev/sdb2.
# Device /dev/sdb2 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/sdb2
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:29f1ecbb169f48d69be0ae5b2c8a3cfc42d8d25bf0853dcd3119eb27faa6a568 (on-disk)
# Checksum:29f1ecbb169f48d69be0ae5b2c8a3cfc42d8d25bf0853dcd3119eb27faa6a568 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/sdb2
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:b20770ce7233f9d53f39f863d160f4f511088f860e30502c03a48574da981212 (on-disk)
# Checksum:b20770ce7233f9d53f39f863d160f4f511088f860e30502c03a48574da981212 (in-memory)
# Device size 1907359744, offset 16777216.
# Device /dev/sdb2 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# STDIN descriptor JSON read requested.
# Updating JSON for token -1.
# Illegal value type in keyslots array at index 0.
Failed to import token from file.
# Releasing crypt device /dev/sdb2 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/sdb2.
Command failed with code -1 (wrong or missing parameters).

--
JT
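
Added example, not part of the original post and not cryptsetup code: a pre-import check for token JSON that reports the two conditions named in the debug output above, a non-string entry in the "keyslots" array (the luksDump output stores references as strings such as "0") and a reference to a keyslot that has no object in the header's keyslots section. The function name check_token and the sample header are assumptions made for this illustration.

```python
import json

# Constructed sample of a header's "keyslots" object (not read from the
# device in the post): slots "0" and "2" exist, slot "1" does not.
SAMPLE_HEADER_KEYSLOTS = {"0": {"type": "luks2"}, "2": {"type": "luks2"}}


def check_token(token_json, header_keyslots, assign_to=None):
    """Return a list of problems found in a token JSON before import.

    header_keyslots: the "keyslots" object from the LUKS2 header metadata.
    assign_to: keyslot number that would be given as --key-slot, or None.
    """
    try:
        token = json.loads(token_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(token, dict):
        return ["token must be a JSON object"]

    problems = []
    if not isinstance(token.get("type"), str):
        problems.append('"type" must be a string')

    slots = token.get("keyslots")
    if not isinstance(slots, list):
        problems.append('"keyslots" must be an array')
        slots = []

    refs = []
    for i, ref in enumerate(slots):
        if isinstance(ref, str):
            refs.append(ref)
        else:  # e.g. the bare integer in "keyslots" : [1]
            problems.append(
                f"keyslots[{i}] is {type(ref).__name__}, expected a string")

    if assign_to is not None:
        refs.append(str(assign_to))
    for ref in refs:
        if ref not in header_keyslots:
            problems.append(
                f'keyslot "{ref}" is not in the header keyslots section')
    return problems


if __name__ == "__main__":
    sample = '{ "type" : "blah" , "keyslots" : [1], "foo" : "bar" }'
    print(check_token(sample, SAMPLE_HEADER_KEYSLOTS))
```

The real keyslots object for a device can be taken from the "keyslots" section of the `cryptsetup luksDump --debug-json` output and passed in place of the sample.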