What does cryptsetup luksAddKey --new-key-description do?

What does cryptsetup luksAddKey --new-key-description do?

[Borden]

I can't seem to figure this out through the usual means. `man cryptsetup-luksAddKey` says:

--new-key-description text : Set the key description in the keyring that will be used for new passphrase retrieval.

... which I assume is the kernel's keyring. Passing --new-key-description="Value" yields:
# Verifying key from keyslot 0, digest 0.
# Requesting key Value (user type)
# keyring_request_key_id failed with errno 126.
Failed to read passphrase from keyring.
# Rolling back in-memory LUKS2 json metadata.
# Releasing crypt device /home/me/dev.img context.
# Releasing device-mapper backend.
# Closing read only fd for /home/me/dev.img.
Command failed with code -1 (wrong or missing parameters).

luksAddKey works fine without --new-key-description. I'm trying to understand what this parameter does and how it should work. I'd also like to ask that the manpage be updated to explain this parameter a little more thoroughly. I'm not sure how I am supposed to know what I'm doing wrong with the documentation. AI said it should work, so there must be a problem with my bash or cryptsetup installation. Something's obviously missing.

Re: What does cryptsetup luksAddKey --new-key-description do?

[Ondrej Kozina]

Hi,

On 13/06/2026 03:32, Borden wrote:
> I can't seem to figure this out through the usual means. `man cryptsetup-luksAddKey` says:
> 
> --new-key-description text : Set the key description in the keyring that will be used for new passphrase retrieval.
> 
> ... which I assume is the kernel's keyring. Passing --new-key-description="Value" yields:
> # Verifying key from keyslot 0, digest 0.
> # Requesting key Value (user type)
> # keyring_request_key_id failed with errno 126.
> Failed to read passphrase from keyring.
> # Rolling back in-memory LUKS2 json metadata.
> # Releasing crypt device /home/me/dev.img context.
> # Releasing device-mapper backend.
> # Closing read only fd for /home/me/dev.img.
> Command failed with code -1 (wrong or missing parameters).
> 
> luksAddKey works fine without --new-key-description. I'm trying to understand what this parameter does and how it should work. I'd also like to ask that the manpage be updated to explain this parameter a little more thoroughly. I'm not sure how I am supposed to know what I'm doing wrong with the documentation. AI said it should work, so there must be a problem with my bash or cryptsetup installation. Something's obviously missing.
> 

It reads a passphrase for a new keyslot from a kernel keyring key with 
the description provided as --new-key-desription value argument.

I'll improve the man pages description to make it clear. Feel free to 
open new issue on https://gitlab.com/cryptsetup/cryptsetup

With regards
O.

Re: What does cryptsetup luksAddKey --new-key-description do?

[Borden]

Jun 15, 2026, 05:33 by okozina@redhat.com:

> It reads a passphrase for a new keyslot from a kernel keyring key with the description provided as --new-key-desription value argument.
>
> I'll improve the man pages description to make it clear. Feel free to open new issue on > https://gitlab.com/cryptsetup/cryptsetup
>
Thank you. It was unclear that description refers specifically to the kernel keyring. I thought it might have been a LUKS label or something.

As long as this shows up in search results so you don't have to be bothered about this again, I'm happy.