diff --git a/.codeql-config.yml b/.codeql-config.yml
new file mode 100644
index 0000000..1311657
--- /dev/null
+++ b/.codeql-config.yml
@@ -0,0 +1,31 @@
+name: "Cryptsetup CodeQL config"
+
+query-filters:
+- exclude:
+     id: cpp/fixme-comment
+- exclude:
+     id: cpp/empty-block
+- exclude:
+     id: cpp/poorly-documented-function
+- exclude:
+     id: cpp/loop-variable-changed
+- exclude:
+     id: cpp/empty-if
+- exclude:
+     id: cpp/long-switch
+- exclude:
+     id: cpp/complex-condition
+- exclude:
+     id: cpp/commented-out-code
+
+# These produce many false positives
+- exclude:
+     id: cpp/uninitialized-local
+- exclude:
+     id: cpp/path-injection
+- exclude:
+     id: cpp/missing-check-scanf
+
+# CodeQL should understand coverity [toctou] comments
+- exclude:
+     id: cpp/toctou-race-condition
diff --git a/.gitignore b/.gitignore
index 3b59b1b..537c3a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 po/*gmo
 *~
-#Makefile
+Makefile
 Makefile.in
 Makefile.in.in
 *.lo
@@ -17,6 +17,7 @@ ABOUT-NLS
 aclocal.m4
 autom4te.cache/
 compile
+compile_commands.json
 config.guess
 config.h
 config.h.in
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3153145..c5c3f26 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,23 +1,23 @@
 stages:
   - test
+  - test-opal
 
-.dump_kernel_log:
+.fail_if_coredump_generated:
   after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo journalctl > /mnt/artifacts/journalctl.log
     - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
 
 include:
   - local: .gitlab/ci/debian.yml
   - local: .gitlab/ci/fedora.yml
-  - local: .gitlab/ci/rhel.yml
+  - local: .gitlab/ci/fedora-opal.yml
   - local: .gitlab/ci/centos.yml
-  - local: .gitlab/ci/annocheck.yml
+#  - local: .gitlab/ci/annocheck.yml
   - local: .gitlab/ci/csmock.yml
   - local: .gitlab/ci/gitlab-shared-docker.yml
   - local: .gitlab/ci/compilation-various-disables.yml
   - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml
   - local: .gitlab/ci/compilation-clang.gitlab-ci.yml
+  - local: .gitlab/ci/compilation-spellcheck.yml
   - local: .gitlab/ci/alpinelinux.yml
-  - local: .gitlab/ci/ubuntu-32bit.yml
+  - local: .gitlab/ci/debian-i686.yml
   - local: .gitlab/ci/cifuzz.yml
diff --git a/.gitlab/ci/alpinelinux.yml b/.gitlab/ci/alpinelinux.yml
index 81bd6cb..5c9f587 100644
--- a/.gitlab/ci/alpinelinux.yml
+++ b/.gitlab/ci/alpinelinux.yml
@@ -1,14 +1,16 @@
 .alpinelinux-dependencies:
-  after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo cp /var/log/messages /mnt/artifacts/
-    - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
+  variables:
+    DISTRO: cryptsetup-alpine-edge
+  extends:
+    - .fail_if_coredump_generated
   before_script:
     - >
       sudo apk add
-      lvm2-dev openssl1.1-compat-dev popt-dev util-linux-dev json-c-dev
-      argon2-dev device-mapper which sharutils gettext gettext-dev automake
+      lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev
+      argon2-dev device-mapper which sharutils gettext-dev argp-standalone automake
       autoconf libtool build-base keyutils tar jq expect git asciidoctor
+    # Be sure we have updated basic tools and system
+    - sudo apk upgrade gcc binutils build-base musl
     - ./autogen.sh
     - ./configure --prefix=/usr --libdir=/lib --sbindir=/sbin --disable-static --enable-libargon2 --with-crypto_backend=openssl --disable-external-tokens --disable-ssh-token --enable-asciidoc
 
@@ -17,7 +19,7 @@ test-main-commit-job-alpinelinux:
     - .alpinelinux-dependencies
   tags:
     - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
   stage: test
   interruptible: true
   variables:
@@ -38,7 +40,7 @@ test-mergerq-job-alpinelinux:
     - .alpinelinux-dependencies
   tags:
     - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
   stage: test
   interruptible: true
   variables:
diff --git a/.gitlab/ci/annocheck.yml b/.gitlab/ci/annocheck.yml
index 5b3a715..8d12dfb 100644
--- a/.gitlab/ci/annocheck.yml
+++ b/.gitlab/ci/annocheck.yml
@@ -1,19 +1,18 @@
 test-main-commit-job-annocheck:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   tags:
     - libvirt
-    - rhel9-annocheck
+    - cryptsetup-rhel-9
   stage: test
   interruptible: true
   allow_failure: true
   variables:
+    DISTRO: cryptsetup-rhel-9
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
   script:
-    - /opt/build-rpm-script.sh > /dev/null 2>&1
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el9
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el8
+    - sudo /opt/run-annocheck.sh
diff --git a/.gitlab/ci/build_srpm b/.gitlab/ci/build_srpm
new file mode 100755
index 0000000..240276c
--- /dev/null
+++ b/.gitlab/ci/build_srpm
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+SAVED_PWD=$(pwd)
+GIT_DIR="$SAVED_PWD/upstream_git"
+SPEC="$GIT_DIR/misc/fedora/cryptsetup.spec"
+
+rm -fr $GIT_DIR
+
+git clone -q --depth 1 https://gitlab.com/cryptsetup/cryptsetup.git $GIT_DIR
+cd $GIT_DIR
+
+GIT_COMMIT=$(git rev-parse --short=8 HEAD)
+[ -z "$GIT_COMMIT" ] && exit 1
+
+sed -i "s/^AC_INIT.*/AC_INIT([cryptsetup],[$GIT_COMMIT])/" $GIT_DIR/configure.ac
+sed -i "s/^Version:.*/Version: $GIT_COMMIT/" $SPEC
+sed -i "s/%{version_no_tilde}/$GIT_COMMIT/" $SPEC
+sed -i "2i %global source_date_epoch_from_changelog 0" $SPEC
+sed -i "3i %define _unpackaged_files_terminate_build 0" $SPEC
+
+./autogen.sh
+./configure
+make -j dist
+
+rpmbuild --define "_sourcedir $GIT_DIR" --define "_srcrpmdir $SAVED_PWD" -bs $SPEC
+
+cd $SAVED_PWD
+rm -fr $GIT_DIR
+
+exit 0
diff --git a/.gitlab/ci/centos.yml b/.gitlab/ci/centos.yml
index 6f5559c..310aa15 100644
--- a/.gitlab/ci/centos.yml
+++ b/.gitlab/ci/centos.yml
@@ -1,14 +1,16 @@
 .centos-openssl-backend:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
+    - sudo dnf clean all
     - >
       sudo dnf -y -q  install
       autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
       libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool
       libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd
       pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper
-      expect gettext git jq keyutils openssl-devel openssl gem
+      expect gettext git jq keyutils openssl-devel openssl gem swtpm swtpm-tools
+      tpm2-tools
     - sudo gem install asciidoctor
     - sudo -E git clean -xdf
     - ./autogen.sh
@@ -21,11 +23,13 @@ test-main-commit-centos-stream9:
     - .centos-openssl-backend
   tags:
     - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-centos-stream-9
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
       when: never
@@ -42,11 +46,59 @@ test-mergerq-centos-stream9:
     - .centos-openssl-backend
   tags:
     - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-centos-stream-9
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-main-commit-centos-stream10:
+  extends:
+    - .centos-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-centos-stream-10
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-centos-stream-10
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-mergerq-centos-stream10:
+  extends:
+    - .centos-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-centos-stream-10
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-centos-stream-10
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
       when: never
diff --git a/.gitlab/ci/cibuild-setup-ubuntu.sh b/.gitlab/ci/cibuild-setup-ubuntu.sh
index 07b0990..12649d4 100755
--- a/.gitlab/ci/cibuild-setup-ubuntu.sh
+++ b/.gitlab/ci/cibuild-setup-ubuntu.sh
@@ -5,17 +5,20 @@ set -ex
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
-	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
-	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	libjson-c-dev libssh-dev libblkid-dev tar libargon2-dev libpwquality-dev
+	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
+	sshpass asciidoctor
 )
 
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 
-grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
-sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
-cat /etc/apt/sources.list~ >> /etc/apt/sources.list
+sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
+
+# use this on older Ubuntu
+# grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
+# sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
+# cat /etc/apt/sources.list~ >> /etc/apt/sources.list
 
 apt-get -y update --fix-missing
 DEBIAN_FRONTEND=noninteractive apt-get -yq install software-properties-common wget lsb-release
@@ -28,7 +31,7 @@ if [[ $COMPILER == "gcc" ]]; then
 	PACKAGES+=(gcc-$COMPILER_VERSION)
 elif [[ $COMPILER == "clang" ]]; then
 	wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-	add-apt-repository "deb http://apt.llvm.org/${RELEASE}/   llvm-toolchain-${RELEASE}-${COMPILER_VERSION} main"
+	add-apt-repository -n "deb http://apt.llvm.org/${RELEASE}/   llvm-toolchain-${RELEASE}-${COMPILER_VERSION} main"
 
 	# scan-build
 	PACKAGES+=(clang-tools-$COMPILER_VERSION clang-$COMPILER_VERSION lldb-$COMPILER_VERSION lld-$COMPILER_VERSION clangd-$COMPILER_VERSION)
@@ -37,14 +40,8 @@ else
 	exit 1
 fi
 
-apt-get -y update --fix-missing
+#apt-get -y update --fix-missing
+(r=3;while ! apt-get -y update --fix-missing ; do ((--r))||exit;sleep 5;echo "Retrying";done)
+
 DEBIAN_FRONTEND=noninteractive apt-get -yq install "${PACKAGES[@]}"
 apt-get -y build-dep cryptsetup
-
-echo "====================== VERSIONS ==================="
-if [[ $COMPILER == "clang" ]]; then
-	echo "Using scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
-fi
-
-${COMPILER}-$COMPILER_VERSION -v
-echo "====================== END VERSIONS ==================="
diff --git a/.gitlab/ci/cifuzz.yml b/.gitlab/ci/cifuzz.yml
index 063b912..add288c 100644
--- a/.gitlab/ci/cifuzz.yml
+++ b/.gitlab/ci/cifuzz.yml
@@ -1,46 +1,25 @@
 cifuzz:
-  variables:
-    OSS_FUZZ_PROJECT_NAME: cryptsetup
-    CFL_PLATFORM: gitlab
-    CIFUZZ_DEBUG: "True"
-    FUZZ_SECONDS: 300 # 5 minutes per fuzzer
-    ARCHITECTURE: "x86_64"
-    DRY_RUN: "False"
-    LOW_DISK_SPACE: "True"
-    BAD_BUILD_CHECK: "True"
-    LANGUAGE: "c"
-    DOCKER_HOST: "tcp://docker:2375"
-    DOCKER_IN_DOCKER: "true"
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
-  image:
-    name: gcr.io/oss-fuzz-base/cifuzz-base
-    entrypoint: [""]
-  services:
-    - docker:dind
-
+  image: ubuntu:noble
+  tags:
+    - gitlab-org-docker
   stage: test
-  parallel:
-    matrix:
-      - SANITIZER: [address, undefined, memory]
+  interruptible: true
   rules:
-    # Default code change.
-    # - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    #   variables:
-    #     MODE: "code-change"
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $BUILD_AND_RUN_FUZZERS != null
   before_script:
-    # Get gitlab's container id.
-    - export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset`
+    - apt-get -y update
+    - >
+      apt-get -y install -y -qq git clang make autoconf automake autopoint
+      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
+      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
+      flex bison cmake ninja-build
+  parallel:
+    matrix:
+      # memory does not work for now
+      - SANITIZER: [address, undefined]
   script:
-    # Will build and run the fuzzers.
-    # We use a hack to override CI_JOB_ID, because otherwise a bad path is used
-    # in GitLab CI environment
-    - CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py"
-  artifacts:
-    # Upload artifacts when a crash makes the job fail.
-    when: always
-    paths:
-      - artifacts/
+    - cd tests/fuzz
+    - ./oss-fuzz-build.sh
+    - ls -l out
diff --git a/.gitlab/ci/clang-Wall b/.gitlab/ci/clang-Wall
index d09e154..52c2dad 100755
--- a/.gitlab/ci/clang-Wall
+++ b/.gitlab/ci/clang-Wall
@@ -25,10 +25,9 @@ EXTRA="\
  -Wswitch \
  -Wmissing-format-attribute \
  -Winit-self \
- -Wdeclaration-after-statement \
  -Wold-style-definition \
  -Wno-missing-field-initializers \
- -Wno-unused-parameter \
+ -Wunused-parameter \
  -Wno-long-long"
 
 exec $CLANG $PEDANTIC $CONVERSION \
diff --git a/.gitlab/ci/compilation-clang.gitlab-ci.yml b/.gitlab/ci/compilation-clang.gitlab-ci.yml
index 6f5cd42..734348b 100644
--- a/.gitlab/ci/compilation-clang.gitlab-ci.yml
+++ b/.gitlab/ci/compilation-clang.gitlab-ci.yml
@@ -3,25 +3,86 @@ test-clang-compilation:
     - .gitlab-shared-clang
   script:
     - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
+    - $CC --version
     - ./configure
     - make -j
     - make -j check-programs
 
-test-clang-Wall-script:
+test-clang-Wall-script-ubuntu:
   extends:
     - .gitlab-shared-clang
   script:
     - export CFLAGS="-g -O0"
     - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
+    - ./autogen.sh
+    - $CC --version
     - ./configure
     - make -j CFLAGS="-g -O0 -Werror"
     - make -j CFLAGS="-g -O0 -Werror" check-programs
 
-test-scan-build:
+test-clang-Wall-script-alpine:
+  extends:
+    - .gitlab-shared-clang-alpine
+  allow_failure: true
+  script:
+    - export CFLAGS="-g -O0"
+    - export CC="$CI_PROJECT_DIR/.gitlab/ci/clang-Wall"
+    - ./autogen.sh
+    - $CC --version
+    - ./configure
+    - make -j CFLAGS="-g -O0 -Werror"
+    - make -j CFLAGS="-g -O0 -Werror" check-programs
+
+test-scan-build-ubuntu:
   extends:
     - .gitlab-shared-clang
   script:
+    - ./autogen.sh
+    - echo "scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
+    - make clean
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
+
+test-scan-build-alpine:
+  extends:
+    - .gitlab-shared-clang-alpine
+  allow_failure: true
+  script:
+    - ./autogen.sh
+    - echo "scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0"
     - make clean
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
+
+test-scan-build-backends:
+  extends:
+    - .gitlab-shared-clang
+  parallel:
+    matrix:
+      - BACKENDS: [
+          "openssl",
+          "gcrypt",
+          "nss",
+          "kernel",
+          "nettle",
+          "mbedtls"
+      ]
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+      changes:
+        - lib/crypto_backend/*
+  script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev libmbedtls-dev
+    - ./autogen.sh
+    - echo "Configuring with crypto backend $BACKENDS"
+    - echo "scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" --with-crypto_backend=$BACKENDS
+    - make clean
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
+    - ./tests/vectors-test
diff --git a/.gitlab/ci/compilation-gcc.gitlab-ci.yml b/.gitlab/ci/compilation-gcc.gitlab-ci.yml
index 00fae36..482c817 100644
--- a/.gitlab/ci/compilation-gcc.gitlab-ci.yml
+++ b/.gitlab/ci/compilation-gcc.gitlab-ci.yml
@@ -3,25 +3,83 @@ test-gcc-compilation:
     - .gitlab-shared-gcc
   script:
     - export CFLAGS="-Wall -Werror"
+    - ./autogen.sh
+    - $CC --version
     - ./configure
     - make -j
     - make -j check-programs
 
-test-gcc-Wall-script:
+test-gcc-Wall-script-ubuntu:
   extends:
     - .gitlab-shared-gcc
   script:
     - export CFLAGS="-g -O0"
     - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
+    - ./autogen.sh
+    - $CC --version
     - ./configure
     - make -j CFLAGS="-g -O0 -Werror"
     - make -j CFLAGS="-g -O0 -Werror" check-programs
 
-test-gcc-fanalyzer:
+test-gcc-Wall-script-alpine:
   extends:
-    - .gitlab-shared-gcc
+    - .gitlab-shared-gcc-alpine
+  allow_failure: true
   script:
-    - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
+    - export CFLAGS="-g -O0"
+    - export CC="$CI_PROJECT_DIR/.gitlab/ci/gcc-Wall"
+    - ./autogen.sh
+    - $CC --version
     - ./configure
+    - make -j CFLAGS="-g -O0 -Werror"
+    - make -j CFLAGS="-g -O0 -Werror" check-programs
+
+test-gcc-fanalyzer-ubuntu:
+  extends:
+    - .gitlab-shared-gcc
+  script:
+    - ./autogen.sh
+    - $CC --version
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64
+    - make -j
+    - make -j check-programs
+
+test-gcc-fanalyzer-alpine:
+  extends:
+    - .gitlab-shared-gcc-alpine
+  allow_failure: true
+  script:
+    - ./autogen.sh
+    - $CC --version
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events -Wno-analyzer-fd-leak" --host=x86_64
+    - make -j
+    - make -j check-programs
+
+test-gcc-fanalyzer-backends:
+  extends:
+    - .gitlab-shared-gcc
+  parallel:
+    matrix:
+      - BACKENDS: [
+          "openssl",
+          "gcrypt",
+          "nss",
+          "kernel",
+          "nettle",
+          "mbedtls"
+      ]
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+      changes:
+        - lib/crypto_backend/*
+  script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev libmbedtls-dev
+    - ./autogen.sh
+    - $CC --version
+    - echo "Configuring with crypto backend $BACKENDS"
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64 --with-crypto_backend=$BACKENDS
     - make -j
     - make -j check-programs
+    - ./tests/vectors-test
diff --git a/.gitlab/ci/compilation-spellcheck.yml b/.gitlab/ci/compilation-spellcheck.yml
new file mode 100644
index 0000000..d53a197
--- /dev/null
+++ b/.gitlab/ci/compilation-spellcheck.yml
@@ -0,0 +1,20 @@
+test-run-spellcheck:
+  image: ubuntu:noble
+  tags:
+    - gitlab-org-docker
+  stage: test
+  interruptible: true
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  artifacts:
+    name: "spellcheck-$CI_COMMIT_REF_NAME"
+    paths:
+      - _spellcheck
+  before_script:
+    - apt-get -y update --fix-missing
+    - apt-get -y install git lintian codespell
+  script:
+    - echo "Running spellcheck"
+    - .gitlab/ci/spellcheck
diff --git a/.gitlab/ci/compilation-various-disables.yml b/.gitlab/ci/compilation-various-disables.yml
index 1414f9e..00ceae3 100644
--- a/.gitlab/ci/compilation-various-disables.yml
+++ b/.gitlab/ci/compilation-various-disables.yml
@@ -4,18 +4,30 @@ test-gcc-disable-compiles:
   parallel:
     matrix:
       - DISABLE_FLAGS: [
-          "--disable-keyring",
-          "--disable-external-tokens --disable-ssh-token",
-          "--disable-luks2-reencryption",
-          "--disable-cryptsetup --disable-veritysetup --disable-integritysetup",
-          "--disable-kernel_crypto",
-          "--disable-selinux",
-          "--disable-udev",
-          "--disable-internal-argon2",
-          "--disable-blkid"
+          "keyring",
+          "external-tokens ssh-token",
+          "luks2-reencryption",
+          "cryptsetup veritysetup integritysetup",
+          "kernel_crypto",
+          "udev",
+          "internal-argon2",
+          "blkid",
+          "hw-opal"
       ]
+  artifacts:
+    name: "meson-build-logs-$CI_COMMIT_REF_NAME"
+    paths:
+      - meson_builddir/meson-logs
   script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install meson ninja-build
     - export CFLAGS="-Wall -Werror"
-    - ./configure $DISABLE_FLAGS
+    - ./autogen.sh
+    - echo "Configuring with --disable-$DISABLE_FLAGS"
+    - ./configure $(for i in $DISABLE_FLAGS; do echo "--disable-$i"; done)
     - make -j
     - make -j check-programs
+    - git checkout -f && git clean -xdf
+    - meson -v
+    - echo "Configuring with -D$DISABLE_FLAGS=false"
+    - meson setup meson_builddir $(for i in $DISABLE_FLAGS; do [ "$i" == "internal-argon2" ] && echo "-Dargon-implementation=internal" || echo "-D$i=false"; done)
+    - ninja -C meson_builddir
diff --git a/.gitlab/ci/csmock.yml b/.gitlab/ci/csmock.yml
index 72b53ed..ada2d0c 100644
--- a/.gitlab/ci/csmock.yml
+++ b/.gitlab/ci/csmock.yml
@@ -1,17 +1,36 @@
+.dnf-csmock:
+  variables:
+    DISTRO: cryptsetup-fedora-rawhide
+    DISK_SIZE: 20
+  extends:
+    - .fail_if_coredump_generated
+  before_script:
+    - >
+      sudo dnf -y -q install
+      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
+      libblkid-devel libpwquality-devel libselinux-devel
+      libssh-devel libtool libuuid-devel make popt-devel
+      libsepol-devel.x86_64 pkgconfig tar uuid-devel git
+      openssl-devel asciidoctor meson ninja-build
+      rpm-build csmock
+
 test-commit-job-csmock:
   extends:
-    - .dump_kernel_log
+    - .dnf-csmock
   tags:
     - libvirt
-    - rhel7-csmock
+    - cryptsetup-fedora-rawhide
   stage: test
   interruptible: true
   allow_failure: true
-  variables:
-    RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/ || $CI_PIPELINE_SOURCE == "merge_request_event"
   script:
-    - /opt/csmock-run-script.sh
+    - .gitlab/ci/build_srpm
+    - .gitlab/ci/run_csmock
+  artifacts:
+    when: always
+    paths:
+      - cryptsetup-csmock-results.tar.xz
diff --git a/.gitlab/ci/ubuntu-32bit.yml b/.gitlab/ci/debian-i686.yml
similarity index 81%
rename from .gitlab/ci/ubuntu-32bit.yml
rename to .gitlab/ci/debian-i686.yml
index f51c059..09db9e0 100644
--- a/.gitlab/ci/ubuntu-32bit.yml
+++ b/.gitlab/ci/debian-i686.yml
@@ -1,12 +1,13 @@
-test-mergerq-job-ubuntu-32bit:
+test-mergerq-job-debian-i686:
   extends:
     - .debian-prep
   tags:
     - libvirt
-    - ubuntu-bionic-32bit
+    - cryptsetup-debian-12i686
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12i686
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
@@ -19,15 +20,16 @@ test-mergerq-job-ubuntu-32bit:
     - make -j -C tests check-programs
     - sudo -E make check
 
-test-main-commit-job-ubuntu-32bit:
+test-main-commit-job-debian-i686:
   extends:
     - .debian-prep
   tags:
     - libvirt
-    - ubuntu-bionic-32bit
+    - cryptsetup-debian-12i686
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12i686
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
diff --git a/.gitlab/ci/debian.yml b/.gitlab/ci/debian.yml
index fad9d97..0cb4480 100644
--- a/.gitlab/ci/debian.yml
+++ b/.gitlab/ci/debian.yml
@@ -1,17 +1,16 @@
 .debian-prep:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
-    - >
-      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
-      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
-      gperf libcap-dev tpm2-tss-engine-dev libmount-dev swtpm-tools
+    - sudo apt-get -y update
     - >
       sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
       pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
       libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
-      tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect
-      keyutils netcat passwd openssh-client sshpass asciidoctor
+      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
+      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
+      swtpm meson ninja-build python3-jinja2 gperf libcap-dev libtss2-dev
+      libmount-dev swtpm-tools tpm2-tools
     - sudo apt-get -y build-dep cryptsetup
     - sudo -E git clean -xdf
     - ./autogen.sh
@@ -22,11 +21,13 @@ test-mergerq-job-debian:
     - .debian-prep
   tags:
     - libvirt
-    - debian11
+    - cryptsetup-debian-unstable
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-unstable
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
@@ -41,11 +42,55 @@ test-main-commit-job-debian:
     - .debian-prep
   tags:
     - libvirt
-    - debian11
+    - cryptsetup-debian-unstable
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-unstable
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-mergerq-job-debian12:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-main-commit-job-debian12:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-debian-12
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
@@ -54,3 +99,92 @@ test-main-commit-job-debian:
     - make -j
     - make -j -C tests check-programs
     - sudo -E make check
+
+# meson tests
+test-mergerq-job-debian-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-unstable
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-unstable
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-main-commit-job-debian-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-unstable
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-unstable
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-mergerq-job-debian12-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-main-commit-job-debian12-meson:
+  extends:
+    - .debian-prep
+  tags:
+    - libvirt
+    - cryptsetup-debian-12
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-debian-12
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
diff --git a/.gitlab/ci/fedora-opal.yml b/.gitlab/ci/fedora-opal.yml
new file mode 100644
index 0000000..d7072bf
--- /dev/null
+++ b/.gitlab/ci/fedora-opal.yml
@@ -0,0 +1,145 @@
+.opal-template-fedora:
+  extends:
+    - .dnf-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-fedora-rawhide
+  stage: test-opal
+  interruptible: false
+  variables:
+    OPAL2_DEV: "/dev/nvme0n1"
+    OPAL2_PSID_FILE: "/home/gitlab-runner/psid.txt"
+    VOLATILE: 1
+  script:
+    - sudo dnf install -y -q nvme-cli
+    - sudo nvme list
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check TESTS="00modules-test compat-test-opal"
+
+# Samsung SSD 980 500GB (on tiber machine)
+test-commit-rawhide-samsung980:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  resource_group: samsung980-on-tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a809"
+
+test-mergerq-rawhide-samsung980:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  resource_group: samsung980-on-tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a809"
+
+# WD PC SN740 SDDQNQD-512G-1014 (on tiber machine)
+# Disabled on 2025-03-20, seems broken
+#test-commit-rawhide-sn740:
+#  rules:
+#    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#      when: never
+#    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+#  extends:
+#    - .opal-template-fedora
+#  tags:
+#    - tiber
+#  resource_group: sn740-on-tiber
+#  interruptible: false
+#  variables:
+#    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+#    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+#
+#test-mergerq-rawhide-sn740:
+#  rules:
+#    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#      when: never
+#    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+#  extends:
+#    - .opal-template-fedora
+#  tags:
+#    - tiber
+#  resource_group: sn740-on-tiber
+#  interruptible: false
+#  variables:
+#    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+#    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+# Samsung SSD 980 PRO 1TB (on trantor machine)
+test-commit-rawhide-samsung980pro:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - trantor
+  resource_group: samsung980pro-on-trantor
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
+
+test-mergerq-rawhide-samsung980pro:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - trantor
+  resource_group: samsung980pro-on-trantor
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
+
+# # UMIS RPETJ256MGE2MDQ (on tiber machine)
+# test-commit-rawhide-umis:
+#   rules:
+#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#       when: never
+#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+#   extends:
+#     - .opal-template-fedora
+#   tags:
+#     - tiber
+#   resource_group: umis-on-tiber
+#   stage: test
+#   interruptible: false
+#   variables:
+#     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
+#     PCI_PASSTHROUGH_DEVICE_ID: "6302"
+#
+# test-mergerq-rawhide-umis:
+#   rules:
+#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+#       when: never
+#     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+#   extends:
+#     - .opal-template-fedora
+#   tags:
+#     - tiber
+#   resource_group: umis-on-tiber
+#   stage: test
+#   interruptible: false
+#   variables:
+#     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
+#     PCI_PASSTHROUGH_DEVICE_ID: "6302"
diff --git a/.gitlab/ci/fedora.yml b/.gitlab/ci/fedora.yml
index 7fd9c7e..cbd1e13 100644
--- a/.gitlab/ci/fedora.yml
+++ b/.gitlab/ci/fedora.yml
@@ -1,20 +1,19 @@
 .dnf-openssl-backend:
-  extends:
-    - .dump_kernel_log
-  before_script:
-    - >
-      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
-      sudo dnf -y -q install
-      swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel
-      libmount-devel swtpm-tools
-    - >
-      sudo dnf -y -q install
+  variables:
+    DISTRO: cryptsetup-fedora-rawhide
+    PKGS: >-
       autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
       libargon2-devel libblkid-devel libpwquality-devel libselinux-devel
       libssh-devel libtool libuuid-devel make popt-devel
       libsepol-devel.x86_64 netcat openssh-clients passwd pkgconfig sharutils
       sshpass tar uuid-devel vim-common device-mapper expect gettext git jq
-      keyutils openssl-devel openssl asciidoctor
+      keyutils openssl-devel openssl asciidoctor swtpm meson ninja-build
+      python3-jinja2 gperf libcap-devel tpm2-tss-devel libmount-devel swtpm-tools
+  extends:
+    - .fail_if_coredump_generated
+  before_script:
+    - sudo dnf clean all
+    - (r=3;while ! sudo dnf -y -q install $PKGS ; do ((--r))||exit;sleep 5;echo "Retrying";done)
     - sudo -E git clean -xdf
     - ./autogen.sh
     - ./configure --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl --enable-asciidoc
@@ -24,12 +23,14 @@ test-main-commit-job-rawhide:
     - .dnf-openssl-backend
   tags:
     - libvirt
-    - fedora-rawhide
+    - cryptsetup-fedora-rawhide
   stage: test
   interruptible: true
   allow_failure: true
   variables:
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+    RUN_SYSTEMD_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
@@ -44,12 +45,14 @@ test-mergerq-job-rawhide:
     - .dnf-openssl-backend
   tags:
     - libvirt
-    - fedora-rawhide
+    - cryptsetup-fedora-rawhide
   stage: test
   interruptible: true
   allow_failure: true
   variables:
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+    RUN_SYSTEMD_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
diff --git a/.gitlab/ci/gcc-Wall b/.gitlab/ci/gcc-Wall
index 6669504..bc78705 100755
--- a/.gitlab/ci/gcc-Wall
+++ b/.gitlab/ci/gcc-Wall
@@ -31,12 +31,13 @@ EXTRA="-Wextra \
  -Wunsafe-loop-optimizations \
  -Wold-style-definition \
  -Wno-missing-field-initializers \
- -Wno-unused-parameter \
+ -Wunused-parameter \
  -Wno-long-long \
  -Wmaybe-uninitialized \
  -Wvla \
  -Wformat-overflow \
- -Wformat-truncation"
+ -Wformat-truncation \
+ -Wstringop-overread"
 
 exec $GCC $PEDANTIC $CONVERSION \
 	-Wall $Wuninitialized \
diff --git a/.gitlab/ci/gitlab-shared-docker.yml b/.gitlab/ci/gitlab-shared-docker.yml
index 1edacc8..59659e8 100644
--- a/.gitlab/ci/gitlab-shared-docker.yml
+++ b/.gitlab/ci/gitlab-shared-docker.yml
@@ -1,5 +1,6 @@
-.gitlab-shared-docker:
-  image: ubuntu:focal
+# Ubuntu
+.gitlab-shared-docker-ubuntu:
+  image: ubuntu:noble
   tags:
     - gitlab-org-docker
   stage: test
@@ -12,20 +13,49 @@
     - .gitlab/ci/cibuild-setup-ubuntu.sh
     - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
     - export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
-    - ./autogen.sh
+
+# Alpine
+.gitlab-shared-docker-alpine:
+  image: alpine:latest
+  tags:
+    - gitlab-org-docker
+  stage: test
+  interruptible: true
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  before_script:
+    - apk add bash build-base clang clang-analyzer argp-standalone lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev device-mapper gettext-dev libssh-dev automake autoconf libtool tar asciidoctor
+    - export CC="${COMPILER}${COMPILER_VERSION:+-$COMPILER_VERSION}"
+    - export CXX="${COMPILER}++${COMPILER_VERSION:+-$COMPILER_VERSION}"
 
 .gitlab-shared-gcc:
   extends:
-    - .gitlab-shared-docker
+    - .gitlab-shared-docker-ubuntu
   variables:
     COMPILER: "gcc"
-    COMPILER_VERSION: "11"
-    RUN_SSH_PLUGIN_TEST: "1"
+    COMPILER_VERSION: "14"
+    CC: "gcc-14"
 
 .gitlab-shared-clang:
   extends:
-    - .gitlab-shared-docker
+    - .gitlab-shared-docker-ubuntu
+  variables:
+    COMPILER: "clang"
+    COMPILER_VERSION: "20"
+    CC: "clang-20"
+
+.gitlab-shared-gcc-alpine:
+  extends:
+    - .gitlab-shared-docker-alpine
+  variables:
+    COMPILER: "gcc"
+    CC: "gcc"
+
+.gitlab-shared-clang-alpine:
+  extends:
+    - .gitlab-shared-docker-alpine
   variables:
     COMPILER: "clang"
-    COMPILER_VERSION: "13"
-    RUN_SSH_PLUGIN_TEST: "1"
+    CC: "clang"
diff --git a/.gitlab/ci/rhel.yml b/.gitlab/ci/rhel.yml
deleted file mode 100644
index f71533c..0000000
--- a/.gitlab/ci/rhel.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-.rhel-openssl-backend:
-  extends:
-    - .dump_kernel_log
-  before_script:
-    - >
-      sudo yum -y -q  install
-      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
-      libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool
-      libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd
-      pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper
-      expect gettext git jq keyutils openssl-devel openssl gem > /dev/null 2>&1
-    - sudo gem install asciidoctor
-    - sudo -E git clean -xdf
-    - ./autogen.sh
-    - ./configure --enable-fips --enable-pwquality --with-crypto_backend=openssl --enable-asciidoc
-
-# non-FIPS jobs
-
-test-main-commit-rhel8:
-  extends:
-    - .rhel-openssl-backend
-  tags:
-    - libvirt
-    - rhel8
-  stage: test
-  interruptible: true
-  variables:
-    RUN_SSH_PLUGIN_TEST: "1"
-  rules:
-    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
-      when: never
-    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
-  script:
-    - make -j
-    - make -j -C tests check-programs
-    - sudo -E make check
-
-test-main-commit-rhel9:
-  extends:
-    - .rhel-openssl-backend
-  tags:
-    - libvirt
-    - rhel9
-  stage: test
-  interruptible: true
-  variables:
-    RUN_SSH_PLUGIN_TEST: "1"
-  rules:
-    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
-      when: never
-    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
-  script:
-    - make -j
-    - make -j -C tests check-programs
-    - sudo -E make check
-
-# FIPS jobs
-
-test-main-commit-rhel8-fips:
-  extends:
-    - .rhel-openssl-backend
-  tags:
-    - libvirt
-    - rhel8-fips
-  stage: test
-  interruptible: true
-  variables:
-    RUN_SSH_PLUGIN_TEST: "1"
-  rules:
-    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
-      when: never
-    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
-  script:
-    - fips-mode-setup --check || exit 1
-    - make -j
-    - make -j -C tests check-programs
-    - sudo -E make check
-
-test-main-commit-rhel9-fips:
-  extends:
-    - .rhel-openssl-backend
-  tags:
-    - libvirt
-    - rhel9-fips
-  stage: test
-  interruptible: true
-  allow_failure: true
-  variables:
-    RUN_SSH_PLUGIN_TEST: "1"
-  rules:
-    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
-      when: never
-    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
-  script:
-    - fips-mode-setup --check || exit 1
-    - make -j
-    - make -j -C tests check-programs
-    - sudo -E make check
diff --git a/.gitlab/ci/run_csmock b/.gitlab/ci/run_csmock
new file mode 100755
index 0000000..707e0ff
--- /dev/null
+++ b/.gitlab/ci/run_csmock
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+CSMOCK="sudo /usr/bin/csmock"
+CSMOCK_TOOLS="gcc,clang,cppcheck,shellcheck"
+CSMOCK_TXZ="cryptsetup-csmock-results.tar.xz"
+CSMOCK_ERR="cryptsetup-csmock-results/scan-results.err"
+
+$CSMOCK cryptsetup-*.src.rpm \
+       --keep-going --force \
+       --cswrap-timeout 300 \
+       --skip-patches \
+       --tools $CSMOCK_TOOLS \
+       --output $CSMOCK_TXZ \
+       --gcc-analyze \
+       --cppcheck-add-flag=--check-level=exhaustive \
+       || { echo "csmock command failed"; exit 2; }
+
+tar xJf $CSMOCK_TXZ $CSMOCK_ERR --strip-components 1 \
+       && test -s $CSMOCK_ERR \
+       && { echo "csmock discovered important errors"; echo 3; }
+
+exit 0
diff --git a/.gitlab/ci/spellcheck b/.gitlab/ci/spellcheck
new file mode 100755
index 0000000..6a92f62
--- /dev/null
+++ b/.gitlab/ci/spellcheck
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+DIR="_spellcheck"
+
+[ ! -d $DIR ] && mkdir $DIR
+
+echo "[SPELLINTIAN]"
+git ls-tree -rz --name-only HEAD | grep -Evz -e '\.(pdf|xz)$' -e ^po/ | \
+    xargs -r0 spellintian | \
+    grep -v "(duplicate word)" | \
+    grep -v "docs/" | tee $DIR/spell1.txt
+
+echo "[CODESPELL]"
+git ls-tree -rz --name-only HEAD | grep -Evz -e '\.(pdf|xz)$' -e ^po/ | \
+    xargs -r0 codespell | \
+    grep -v "EXPCT" | \
+    grep -v "params, prams" | \
+    grep -v "pad, padded" | \
+    grep -v "CIPHER, CHIP" | \
+    grep -v "gost" | \
+    grep -v "userA" | \
+    grep -v "re-use" | \
+    grep -v "fo ==" | \
+    grep -v "docs/" | tee $DIR/spell2.txt
+
+
+[ -s $DIR/spell1.txt ] && exit 1
+[ -s $DIR/spell2.txt ] && exit 2
+
+exit 0
diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md
index f8837aa..88ad54b 100644
--- a/.gitlab/issue_templates/Bug.md
+++ b/.gitlab/issue_templates/Bug.md
@@ -9,7 +9,10 @@
 
 ### Debug log
 <!-- Paste a debug log of the failing command (add --debug option) between the markers below (to keep raw debug format).-->
+<!-- We need a lot of information from the debug log; without it, we cannot process your report. -->
+<!-- Debug log does not contain any private information. Do not paste private data; we'll ask you for more information if needed. -->
 ```
 Output with --debug option:
 
 ```
+<!-- NOTE: WITHOUT DEBUG LOG, THE BUG REPORT WILL BE CLOSED. ALSO, PLEASE DO NOT TRY TO REMOVE PARTS OF THE DEBUG LOG! -->
diff --git a/.lgtm.yml b/.lgtm.yml
deleted file mode 100644
index 64d9cc8..0000000
--- a/.lgtm.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-queries:
-  - exclude: cpp/fixme-comment
-  - exclude: cpp/empty-block
-# symver attribute detection cannot be used, disable it for lgtm
-extraction:
-  cpp:
-    configure:
-      command:
-      - "./autogen.sh"
-      - "./configure --enable-external-tokens --enable-ssh-token"
-      - "echo \"#undef HAVE_ATTRIBUTE_SYMVER\" >> config.h"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 01bea7c..e929b6e 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -119,7 +119,7 @@ libtool --mode=execute gdb --args ./cryptsetup --debug $@
 This will ensure that a properly compiled libcryptsetup file is used.
 
 ### Coding style
-Cryptsetup uses [Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html) for libcryptsetup and tools (where applicable) with some additional notes:
+Cryptsetup uses [Linux kernel coding style](https://cdn.kernel.org/doc/html/latest/process/coding-style.html) for libcryptsetup and tools (where applicable) with some additional notes:
 - Use tabulators for indentation; the line should not exceed 100 characters with an 8-character tabulator. Otherwise, use a tab of any length. :-).
 - The minimal C standard required is C99.
 - The ``goto`` use is allowed only for error path (``goto out`` for common code path, ``goto err`` for specific error code path).
@@ -127,7 +127,8 @@ Cryptsetup uses [Linux kernel coding style](https://www.kernel.org/doc/html/late
 - Use an elaborative description in the patch header.
 - No need to use sign-off-by lines.
 - Use name prefixes (``crypt_``, ``LUKS2_`` and similar).
-- Avoid extensive preprocessor use (specifically ``#ifdef`` sections).
+- Avoid extensive preprocessor use (specifically conditional ``#if`` or ``#ifdef`` sections).
+- To check detected configuration options stored in config.h, always use ``#if SOMETHING`` (do NOT use ``#ifdef``).
 - Use output only through ``log_err, log_std, log_verbose, log_dbg`` macros.
   The ``log_dbg`` is always in English; the others should be wrapped in the ``_()`` macro for translation.
 - Use ``assert()`` but only for simple invariants and variables (avoid calling functions).
diff --git a/FAQ.md b/FAQ.md
index 4441ff5..21e806f 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -38,7 +38,7 @@
   LUKS1 and LUKS2.
  
   The LUKS1 on-disk format specification is at  
-  https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf  
+  https://cdn.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf  
   The LUKS2 on-disk format specification is at  
   https://gitlab.com/cryptsetup/LUKS2-docs
 
@@ -705,9 +705,12 @@
   this.  The only legitimate reason I can think of is if you want to have
   two LUKS devices with the same volume key.  Even then, I think it would
   be preferable to just use key-slots with the same passphrase, or to use
-  plain dm-crypt instead.  If you really have a good reason, please tell
-  me.  If I am convinced, I will add how to do this here.
+  plain dm-crypt instead.
 
+  Use the --volume-key-file option, like this:
+```
+    cryptsetup luksFormat --volume-key-file keyfile /dev/loop0
+```
 
   * **2.12 What are the security requirements for a key read from file?**
 
@@ -1923,10 +1926,6 @@
   Hence, LUKS has no kill option because it would do much more harm than
   good.
 
-  Still, if you have a good use-case (i.e.  non-abstract real-world
-  situation) where a Nuke-Option would actually be beneficial, please let
-  me know.
-
 
  * **5.22 Does cryptsetup open network connections to websites, etc. ?**
 
@@ -2680,8 +2679,7 @@ can be converted to the raw volume key for example via:
 
   Note that at the time this FAQ item was written, 1.5.4 was the latest
   1.5.x version and it has the flaw, i.e.  works with the old Whirlpool
-  version.  Possibly later 1.5.x versions will work as well.  If not,
-  please let me know.
+  version.  Possibly later 1.5.x versions will work as well.
 
   The only two ways to access older LUKS containers created with Whirlpool
   are to either decrypt with an old gcrypt version that has the flaw or to
@@ -2797,8 +2795,7 @@ can be converted to the raw volume key for example via:
   03) Creating your own initrd
 
   The two examples below should give you most of what is needed.  This is
-  tested with LUKS1 and should work with LUKS2 as well.  If not, please
-  let me know.
+  tested with LUKS1 and should work with LUKS2 as well.
 
   Here is a really minimal example.  It does nothing but set up some
   things and then drop to an interactive shell.  It is perfect to try out
diff --git a/Makefile.am b/Makefile.am
index 1be9ed7..688cb77 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-EXTRA_DIST = README.md SECURITY.md COPYING.LGPL CONTRIBUTING.md FAQ.md docs misc autogen.sh
+EXTRA_DIST = README.md SECURITY.md README.licensing CONTRIBUTING.md FAQ.md docs misc autogen.sh
 EXTRA_DIST += meson_options.txt \
 	meson.build \
 	lib/crypto_backend/argon2/meson.build \
@@ -9,6 +9,7 @@ EXTRA_DIST += meson_options.txt \
 	scripts/meson.build \
 	src/meson.build \
 	tests/meson.build \
+	tests/fuzz/meson.build \
 	tokens/meson.build \
 	tokens/ssh/meson.build
 
@@ -24,8 +25,7 @@ AM_CPPFLAGS = \
         -DLIBDIR=\""$(libdir)"\"                \
         -DPREFIX=\""$(prefix)"\"                \
         -DSYSCONFDIR=\""$(sysconfdir)"\"        \
-        -DVERSION=\""$(VERSION)"\"              \
-        -DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\"
+        -DVERSION=\""$(VERSION)"\"
 AM_CFLAGS = -Wall
 AM_CXXFLAGS = -Wall
 AM_LDFLAGS =
diff --git a/README.licensing b/README.licensing
new file mode 100644
index 0000000..c20b52a
--- /dev/null
+++ b/README.licensing
@@ -0,0 +1,20 @@
+The cryptsetup project does not use the same license for all of the code and documentation.
+
+There is code and documentation under:
+
+   * GPL-2.0-or-later   - GNU General Public License version 2, or any later version
+
+   * LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
+   * LGPL-2.1-or-later  - GNU Lesser General Public License 2.1 or any later version,
+                          (with cryptsetup-OpenSSL-exception where applicable)
+
+   * Apache-2.0         - Apache License 2.0
+
+   * CC-BY-SA-4.0       - Creative Commons Attribution Share Alike 4.0 International
+
+   * Public Domain
+
+Please, check the source code for more details.
+
+The ./COPYING file (GPL-2.0-or-later) is the default license for code without
+an explicitly defined license.
diff --git a/README.md b/README.md
index 7fc88a3..7b57c17 100644
--- a/README.md
+++ b/README.md
@@ -30,28 +30,22 @@ which enables users to transport or migrate data seamlessly.
   * The latest version of the
   [LUKS2 format specification](https://gitlab.com/cryptsetup/LUKS2-docs).
   * The latest version of the
-  [LUKS1 format specification](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
+  [LUKS1 format specification](https://cdn.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
   * [Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
   * [Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
 
 Download
 --------
 Release notes and tarballs are available at
-[kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
+[kernel.org](https://cdn.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup release version is 2.7.5**
-  * [cryptsetup-2.7.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.xz)
-  * Signature [cryptsetup-2.7.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.sign)
+**The latest stable cryptsetup release version is 2.8.2**
+  * [cryptsetup-2.8.2.tar.xz](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-2.8.2.tar.xz)
+  * Signature [cryptsetup-2.8.2.tar.sign](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-2.8.2.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.7.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes).
+  * [Cryptsetup 2.8.2 Release Notes](https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.2-ReleaseNotes).
 
-Previous versions
- * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
- * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
+[Previous versions](https://cdn.kernel.org/pub/linux/utils/cryptsetup)
 
 Source and API documentation
 ----------------------------
@@ -76,8 +70,7 @@ Below are the packages needed to build for certain Linux distributions:
 
 **For Fedora**:
 ```
-git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel
-libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar
+git gcc make autoconf automake gettext-devel pkgconfig openssl-devel popt-devel device-mapper-devel libuuid-devel json-c-devel libblkid-devel findutils libtool libssh-devel tar rubygem-asciidoctor
 
 Optionally: libargon2-devel libpwquality-devel
 ```
@@ -88,14 +81,13 @@ sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openss
 
 **For Debian and Ubuntu**:
 ```
-git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
-libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar
+git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar asciidoctor
 
 Optionally: libargon2-0-dev libpwquality-dev
 ```
 To run the internal testsuite (make check) you also need to install
 ```
-sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
+sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client sshpass
 ```
 
 Note that the list may change as Linux distributions evolve.
diff --git a/configure.ac b/configure.ac
index e2e73db..4ceece7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,9 +1,9 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.7.5])
+AC_INIT([cryptsetup],[2.8.2])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=22:0:10
+LIBCRYPTSETUP_VERSION_INFO=23:0:11
 
 AM_SILENT_RULES([yes])
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
@@ -399,6 +399,23 @@ AC_DEFUN([CONFIGURE_NETTLE], [
 	NO_FIPS([])
 ])
 
+AC_DEFUN([CONFIGURE_MBEDTLS], [
+	AC_CHECK_HEADERS(mbedtls/version.h,,
+		[AC_MSG_ERROR([You need mbedTLS cryptographic library.])])
+
+	saved_LIBS=$LIBS
+	AC_CHECK_LIB(mbedcrypto, mbedtls_md_init,,
+		[AC_MSG_ERROR([You need mbedTLS cryptographic library.])])
+	AC_CHECK_FUNCS(mbedtls_pkcs5_pbkdf2_hmac_ext)
+	CRYPTO_LIBS=$LIBS
+	LIBS=$saved_LIBS
+
+	CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
+	use_internal_pbkdf2=0
+	use_internal_argon2=1
+	NO_FIPS([])
+])
+
 dnl ==========================================================================
 saved_LIBS=$LIBS
 
@@ -481,7 +498,7 @@ fi
 
 dnl Crypto backend configuration.
 AC_ARG_WITH([crypto_backend],
-	AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle) [openssl]]),
+	AS_HELP_STRING([--with-crypto_backend=BACKEND], [crypto backend (gcrypt/openssl/nss/kernel/nettle/mbedtls) [openssl]]),
 	[], [with_crypto_backend=openssl])
 
 dnl Kernel crypto API backend needed for benchmark and tcrypt
@@ -501,6 +518,7 @@ case $with_crypto_backend in
 	nss)     CONFIGURE_NSS([]) ;;
 	kernel)  CONFIGURE_KERNEL([]) ;;
 	nettle)  CONFIGURE_NETTLE([]) ;;
+	mbedtls) CONFIGURE_MBEDTLS([]) ;;
 	*) AC_MSG_ERROR([Unknown crypto backend.]) ;;
 esac
 AM_CONDITIONAL(CRYPTO_BACKEND_GCRYPT,  test "$with_crypto_backend" = "gcrypt")
@@ -508,6 +526,7 @@ AM_CONDITIONAL(CRYPTO_BACKEND_OPENSSL, test "$with_crypto_backend" = "openssl")
 AM_CONDITIONAL(CRYPTO_BACKEND_NSS,     test "$with_crypto_backend" = "nss")
 AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL,  test "$with_crypto_backend" = "kernel")
 AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE,  test "$with_crypto_backend" = "nettle")
+AM_CONDITIONAL(CRYPTO_BACKEND_MBEDTLS, test "$with_crypto_backend" = "mbedtls")
 
 AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1)
 AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2])
@@ -661,8 +680,36 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 ])
 CFLAGS=$saved_CFLAGS
 
+dnl Force compiler to use zero_call_used_regs("used") to check for the function attribute support.
+dnl Otherwise the compiler may falsely advertise it with __has_attribute operator, even though
+dnl it does not implement it on some archs.
+AC_MSG_CHECKING([for zero_call_used_regs(user)])
+saved_CFLAGS=$CFLAGS
+CFLAGS="-O0 -Werror"
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+	void _test_function(void);
+	__attribute__((zero_call_used_regs("used"))) void _test_function(void) {
+		volatile int *i; volatile int j = 0; if (j) *i = 0;
+	}
+]],
+[[ _test_function() ]]
+)],[
+	AC_DEFINE([HAVE_ATTRIBUTE_ZEROCALLUSEDREGS], 1, [Define to 1 to use __attribute__((zero_call_used_regs("used")))])
+	AC_MSG_RESULT([yes])
+], [
+	AC_MSG_RESULT([no])
+])
+CFLAGS=$saved_CFLAGS
+
 AC_MSG_CHECKING([for systemd tmpfiles config directory])
-PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
+if test "x$prefix" != "xNONE"; then
+	saved_PKG_CONFIG=$PKG_CONFIG
+	PKG_CONFIG="$PKG_CONFIG --define-variable=prefix='${prefix}'"
+	PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
+	PKG_CONFIG=$saved_PKG_CONFIG
+else
+	PKG_CHECK_VAR([systemd_tmpfilesdir], [systemd], [tmpfilesdir], [], [systemd_tmpfilesdir=no])
+fi
 AC_MSG_RESULT([$systemd_tmpfilesdir])
 
 AC_SUBST([DEVMAPPER_LIBS])
@@ -776,8 +823,9 @@ CS_NUM_WITH([verity-hash-block], [hash block size for verity mode], [4096])
 CS_NUM_WITH([verity-salt-size],  [salt size for verity mode], [32])
 CS_NUM_WITH([verity-fec-roots],  [parity bytes for verity FEC], [2])
 
-CS_STR_WITH([tmpfilesdir], [override default path to directory with systemd temporary files], [])
-test -z "$with_tmpfilesdir" && with_tmpfilesdir=$systemd_tmpfilesdir
+AC_ARG_WITH([tmpfilesdir],
+	AS_HELP_STRING([--with-tmpfilesdir=DIR], [override default path to directory with systemd temporary files]),
+	[], [with_tmpfilesdir=$systemd_tmpfilesdir])
 test "x$with_tmpfilesdir" = "xno" || {
 	CS_ABSPATH([${with_tmpfilesdir}],[with-tmpfilesdir])
 	DEFAULT_TMPFILESDIR=$with_tmpfilesdir
@@ -796,7 +844,9 @@ test -z "$with_luks2_lock_dir_perms" && with_luks2_lock_dir_perms=0700
 DEFAULT_LUKS2_LOCK_DIR_PERMS=$with_luks2_lock_dir_perms
 AC_SUBST(DEFAULT_LUKS2_LOCK_DIR_PERMS)
 
-CS_STR_WITH([luks2-external-tokens-path], [path to directory with LUKSv2 external token handlers (plugins)], [LIBDIR/cryptsetup])
+AC_ARG_WITH([luks2-external-tokens-path],
+	AS_HELP_STRING([--with-luks2-external-tokens-path=DIR], [path to directory with LUKSv2 external token handlers (plugins)]),
+	[], [with_luks2_external_tokens_path=""])
 if test -n "$with_luks2_external_tokens_path"; then
 	CS_ABSPATH([${with_luks2_external_tokens_path}],[with-luks2-external-tokens-path])
 	EXTERNAL_LUKS2_TOKENS_PATH=$with_luks2_external_tokens_path
@@ -804,6 +854,17 @@ else
 	EXTERNAL_LUKS2_TOKENS_PATH="\${libdir}/cryptsetup"
 fi
 AC_SUBST(EXTERNAL_LUKS2_TOKENS_PATH)
+dnl We need to define expanded EXTERNAL_LUKS2_TOKENS_PATH, but some other code can depend on prefix=NONE.
+dnl Pretend you do not see this hack :-)
+saved_prefix=$prefix
+saved_exec_prefix=$exec_prefix
+test "x$prefix" = "xNONE" && prefix="$ac_default_prefix"
+test "x$exec_prefix" = "xNONE" && exec_prefix="$prefix"
+expanded_EXTERNAL_LUKS2_TOKENS_PATH=$(eval echo "$EXTERNAL_LUKS2_TOKENS_PATH")
+expanded_EXTERNAL_LUKS2_TOKENS_PATH=$(eval echo "$expanded_EXTERNAL_LUKS2_TOKENS_PATH")
+AC_DEFINE_UNQUOTED([EXTERNAL_LUKS2_TOKENS_PATH], ["$expanded_EXTERNAL_LUKS2_TOKENS_PATH"], [path to directory with LUKSv2 external token handlers (plugins)])
+prefix=$saved_prefix
+exec_prefix=$saved_exec_prefix
 
 dnl Override default LUKS format version (for cryptsetup or cryptsetup-reencrypt format actions only).
 AC_ARG_WITH([default_luks_format],
diff --git a/debian/.gitattributes b/debian/.gitattributes
deleted file mode 100644
index 592f8c4..0000000
--- a/debian/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-/changelog merge=dpkg-mergechangelogs
diff --git a/debian/README.Debian b/debian/README.Debian
index 99633bf..d8e28bc 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -277,7 +277,7 @@ manage the keyslots for both original and backup device independently.
 
 
 10. Changing the boot order of cryptdisks init scripts
------------------------------------------------------
+------------------------------------------------------
 
  In order to support non-standard setups, it might be necessary to change the
 order of init scripts in the boot process. Cryptsetup already installs two
diff --git a/debian/README.gnupg b/debian/README.gnupg
index 837d151..5aa26d8 100644
--- a/debian/README.gnupg
+++ b/debian/README.gnupg
@@ -10,7 +10,7 @@ The following example assumes that you store the encrypted keyfile in
 First, you'll have to create the encrypted keyfile:
 
     dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \
-            --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \
+            --no-default-keyring --keyring /dev/null \
             --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg
 
 Next the LUKS device needs to be formated with the key. For that, the
diff --git a/debian/README.initramfs b/debian/README.initramfs
index d85ae9c..1afbc90 100644
--- a/debian/README.initramfs
+++ b/debian/README.initramfs
@@ -247,13 +247,13 @@ this limitation:
 
 [#671037]: https://bugs.debian.org/671037
 
-12. Storing keyfiles directly in the initrd
--------------------------------------------
+12. Storing keyfiles directly in the initramfs
+----------------------------------------------
 
 Normally devices using a keyfile are ignored (with a loud warning), and
-the key file itself is not included in the initrd, because the initramfs
+the key file itself is not included in the initramfs, because the initramfs
 image typically lives on an unencrypted `/boot` partition. However in
-some cases it is desirable to include the key file in the initrd; for
+some cases it is desirable to include the key file in the initramfs; for
 instance recent versions of GRUB support booting from encrypted block
 devices, allowing an encrypted `/boot` partition.
 
@@ -262,7 +262,7 @@ of the environment variable KEYFILE_PATTERN (interpreted as a shell
 pattern) will be included in the initramfs image. For instance if
 `/etc/crypttab` lists two key files `/etc/keys/{root,swap}.key`, you can
 add the following to `/etc/cryptsetup-initramfs/conf-hook` to add them to
-the initrd.
+the initramfs.
 
     KEYFILE_PATTERN="/etc/keys/*.key"
 
@@ -273,6 +273,17 @@ following to `/etc/initramfs-tools/initramfs.conf`.
 
     UMASK=0077
 
+13. The stages in the initramfs at which dm-crypt devices are mapped
+--------------------------------------------------------------------
+
+The devices necessary for the root filesystem, /usr, any resume swap device and
+any device with the `initramfs`-option in `crypttab` are first tried to be
+mapped (that is: "opened" or "decrypted") in `initramfs-tools`'s `local-top`-
+phase.
+Any which couldn't be mapped there are retried in the `local-block`-phase.
+
+This may be subject to change.
+
  -- David Härdeman <david@hardeman.nu>
 
  -- Jonas Meurer <mejo@debian.org>  Thu, 01 Nov 2012 13:44:31 +0100
diff --git a/debian/changelog b/debian/changelog
index f9a68ae..f7d3489 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,20 +1,108 @@
-cryptsetup (2:2.7.5-1deepin2.3) unstable; urgency=medium
- 
-  * add Chinese localization to cryptroot
- 
- -- Liang Bo <liangbo@uniontech.com>  Thu, 26 Apr 2025 16:40:22 +0800
-
-cryptsetup (2:2.7.5-1deepin2.2) unstable; urgency=medium
- 
-  * skip ERROR on usr-overlay device when updating initramfs
- 
- -- Liang Bo <liangbo@uniontech.com>  Mon, 28 Apr 2024 16:00:51 +0800
-
-cryptsetup (2:2.7.5-1deepin2.1) unstable; urgency=medium
- 
-  * revert to 2:2.7.5-1
- 
- -- Liang Bo <liangbo@uniontech.com>  Tue, 01 Apr 2024 14:52:13 +0800
+cryptsetup (2:2.8.2-1) unstable; urgency=medium
+
+  * New upstream bugfix release.
+  * d/t/cryptdisks: Add calls to `udevadm settle`.
+  * d/control: Remove `Rules-Requires-Root: no`.
+  * d/watch: Port to Version 5.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 18 Dec 2025 22:04:25 +0100
+
+cryptsetup (2:2.8.1-2) unstable; urgency=medium
+
+  * Exclude `reencryption-compat-test` from Makefile.localtest.
+    (Closes: #1122539)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 11 Dec 2025 23:29:35 +0100
+
+cryptsetup (2:2.8.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * DEP-8: Don't skip TPM trusted upstream tests.  This adds `Depends:
+    swtpm, swtpm-tools, tpm2-tools` to the upstream testsuite autopkgtest.
+  * DEP-8: Don't skip upstream's systemd plugin tests.  This adds `Depends:
+    systemd-cryptsetup` to the upstream testsuite autopkgtest.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 19 Aug 2025 13:38:37 +0200
+
+cryptsetup (2:2.8.0-3) unstable; urgency=medium
+
+  [ Nuri KÜÇÜKLER ]
+  * Add Turkish debconf templates translation.
+
+  [ Luca Boccassi ]
+  * DEP-8: Remove 80-systemd-osc-context.sh bash profile drop-in from
+    cryptroot-* test images in order to fix compatibility with systemd v258.
+    (Closes: #1110818)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 13 Aug 2025 13:38:32 +0200
+
+cryptsetup (2:2.8.0-2) unstable; urgency=medium
+
+  * Upload to unstable.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Sat, 09 Aug 2025 22:21:31 +0200
+
+cryptsetup (2:2.8.0-1) experimental; urgency=medium
+
+  * New upstream release.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 24 Jun 2025 11:40:36 +0200
+
+cryptsetup (2:2.8.0~rc1-1) experimental; urgency=low
+
+  * New upstream release candidate.
+  * Drop d/patches/* applied upstream.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 16 Jun 2025 15:44:19 +0200
+
+cryptsetup (2:2.8.0~rc0-1) experimental; urgency=low
+
+  * New upstream release candidate 2.8.0, with support for inline mode (use HW
+    sectors with additional hardware metadata space).
+  * DEP-8: Add Depends: e2fsprogs.
+  * d/libcryptsetup12.symbols: Add new symbols.
+  * Adjust d/copyright.
+  * DEP-8: Build libcrypto_backend.la and crypto-check before running the
+    upstream test suite.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 12 Jun 2025 19:00:45 +0200
+
+cryptsetup (2:2.7.5-2) unstable; urgency=medium
+
+  [ Christoph Anton Mitterer ]
+  * d/README.Debian: Minor improvements.
+  * d/README.Debian: Document when during the initramfs devices are mapped.
+  * d/README.Debian: Change initrd to initramfs.
+
+  [ Stephen Gildea ]
+  * initramfs hook: Improve the "Source mismatch" error message when
+    /etc/crypttab gives a source device that does not match the current
+    source.
+
+  [ Guilhem Moulin ]
+  * DEP-8: No longer mark cryptroot-* as flaky and only run them on amd64, see
+    https://bugs.debian.org/1073052#50.
+  * Fix d/t/initramfs-hook and d/t/initramfs-hook-legacy with initramfs-tools
+    ≥0.146. (Closes: #1099818)
+  * cryptsetup-suspend-wrapper, DEP-8: Don't hardcode unmkinitramfs destdir.
+  * d/t/cryptroot-*: Pass --bitmap=internal to mdadm(8).
+  * decrypt_gnupg: Drop obsolete option --secret-keyring. (Closes: #1099760)
+  * initramfs hook: Add vmx_crypto module. (Closes: #1087271)
+  * d/copyright: Replace FSF's old postal address with an URL.
+  * Update Standards-Version to 4.7.2 (no changes necessary).
+  * Boot script: Fix prereq() logic between directories. (Closes: #1081552)
+
+  [ Carles Pina i Estany ]
+  * Added po-debconf Catalan translation. (Closes: #1101115)
+
+  [ Vladimir Petko ]
+  * Fix cryptroot-* autopkgtests on Ubuntu. (Closes: #1031198)
+
+  [ Nicolas Melot ]
+  * initramfs: Process crypttab entries with the 'initramfs' option first and
+    preserve their order. (Closes: #1055024)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Sun, 04 May 2025 21:55:13 +0200
 
 cryptsetup (2:2.7.5-1) unstable; urgency=medium
 
diff --git a/debian/control b/debian/control
index 69372a4..16663f2 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,6 @@ Priority: optional
 Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net>
 Uploaders: Jonas Meurer <jonas@freesources.org>,
            Guilhem Moulin <guilhem@debian.org>
-Rules-Requires-Root: no
 Build-Depends: asciidoctor <!nodoc>,
                autoconf,
                automake (>= 1:1.12),
@@ -24,13 +23,14 @@ Build-Depends: asciidoctor <!nodoc>,
                libssh-dev,
                libssl-dev (>> 3.2~),
                libtool,
+               openssl-provider-legacy <!nocheck>,
                pkgconf,
                po-debconf,
                procps <!nocheck>,
                uuid-dev,
                xsltproc <!nodoc>,
                xxd <!nocheck>
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
 Homepage: https://gitlab.com/cryptsetup/cryptsetup
 Vcs-Browser: https://salsa.debian.org/cryptsetup-team/cryptsetup
 Vcs-Git: https://salsa.debian.org/cryptsetup-team/cryptsetup.git -b debian/latest
diff --git a/debian/copyright b/debian/copyright
index 2334d87..963374a 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -6,8 +6,8 @@ Upstream-Name: cryptsetup
 Files: *
 Copyright: © 2004      Christophe Saout <christophe@saout.de>
            © 2004-2008 Clemens Fruhwirth <clemens@endorphin.org>
-           © 2008-2023 Red Hat, Inc.
-           © 2008-2023 Milan Broz <gmazyland@gmail.com>
+           © 2008-2025 Red Hat, Inc.
+           © 2008-2025 Milan Broz <gmazyland@gmail.com>
 License: GPL-2+ with OpenSSL exception
 
 Files: debian/*
@@ -15,7 +15,7 @@ Copyright: © 2004-2005 Wesley W. Terpstra <terpstra@debian.org>
            © 2005-2006 Michael Gebetsroither <michael.geb@gmx.at>
            © 2006-2008 David Härdeman <david@hardeman.nu>
            © 2005-2015 Jonas Meurer <jonas@freesources.org>
-           © 2016-2023 Guilhem Moulin <guilhem@debian.org>
+           © 2016-2025 Guilhem Moulin <guilhem@debian.org>
 License: GPL-2+
 
 Files: debian/scripts/suspend/cryptsetup-suspend.c
@@ -57,37 +57,37 @@ Copyright: © 2005-2015 Jonas Meurer <jonas@freesources.org>
 License: GPL-2+
 
 Files: debian/tests/*
-Copyright: © 2021-2022 Guilhem Moulin <guilhem@debian.org>
+Copyright: © 2021-2025 Guilhem Moulin <guilhem@debian.org>
 License: GPL-3+
 
-Files: docs/examples/* tests/all-symbols-test.c
-Copyright: © 2011-2023 Red Hat, Inc.
+Files: docs/examples/* tests/all-symbols-test.c tests/crypto-check.c
+Copyright: © 2011-2025 Red Hat, Inc.
 License: LGPL-2.1+
 
 Files: lib/bitlk/*
-Copyright: © 2019-2023 Red Hat, Inc.
-           © 2019-2023 Milan Broz <gmazyland@gmail.com>
-           © 2019-2023 Vojtech Trefny
+Copyright: © 2019-2025 Red Hat, Inc.
+           © 2019-2025 Milan Broz <gmazyland@gmail.com>
+           © 2019-2025 Vojtech Trefny
 License: LGPL-2.1+
 
 Files: tokens/ssh/*
-Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
-           © 2020-2023 Vojtech Trefny
+Copyright: © 2016-2025 Milan Broz <gmazyland@gmail.com>
+           © 2020-2025 Vojtech Trefny
 License: LGPL-2.1+
 
 Files: tokens/ssh/cryptsetup-ssh.c
-Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com>
-           © 2021-2023 Vojtech Trefny
+Copyright: © 2016-2025 Milan Broz <gmazyland@gmail.com>
+           © 2021-2025 Vojtech Trefny
 License: GPL-2+
 
-Files: lib/crypto_backend/* lib/integrity/* lib/loopaes/* lib/tcrypt/* lib/verity/*
-Copyright: © 2009-2023 Red Hat, Inc.
-           © 2010-2023 Milan Broz <gmazyland@gmail.com>
+Files: lib/crypto_backend/* lib/integrity/* lib/loopaes/* lib/luks2/hw_opal/* lib/tcrypt/* lib/utils_storage_wrappers.* lib/verity/*
+Copyright: © 2009-2025 Red Hat, Inc.
+           © 2010-2025 Milan Broz <gmazyland@gmail.com>
 License: LGPL-2.1+
 
 Files: lib/crypto_backend/base64.c
 Copyright: © 2010 Lennart Poettering
-           © 2021-2023 Milan Broz <gmazyland@gmail.com>
+           © 2021-2025 Milan Broz <gmazyland@gmail.com>
 License: LGPL-2.1+
 
 Files: lib/crypto_backend/utf8.c
@@ -98,8 +98,8 @@ Copyright: © 2010 Lennart Poettering
 License: GPL-2+
 
 Files: lib/crypto_backend/crypto_openssl.c
-Copyright: © 2009-2023 Red Hat, Inc.
-           © 2010-2023 Milan Broz <gmazyland@gmail.com>
+Copyright: © 2009-2025 Red Hat, Inc.
+           © 2010-2025 Milan Broz <gmazyland@gmail.com>
 License: LGPL-2.1+ with OpenSSL exception
 
 Files: lib/fvault2/fvault2.c lib/fvault2/fvault2.h
@@ -107,8 +107,8 @@ Copyright: © 2021-2022 Pavel Tobias
 License: LGPL-2.1+ with OpenSSL exception
 
 Files: lib/keyslot_context.c lib/keyslot_context.h
-Copyright: © 2022-2023 Red Hat, Inc.
-           © 2022-2023 Ondrej Kozina <okozina@redhat.com>
+Copyright: © 2022-2025 Red Hat, Inc.
+           © 2022-2025 Ondrej Kozina <okozina@redhat.com>
 License: GPL-2+
 
 Files: lib/crypto_backend/argon2/*
@@ -122,6 +122,14 @@ Files: lib/crypto_backend/argon2/encoding.c
 Copyright: © 2015 Thomas Pornin <pornin@bolet.org>
 License: CC0 or Apache-2.0
 
+Files: tests/fuzz/FuzzerInterface.h
+Copyright: © LLVM Project
+License: Apache-2.0
+
+Files: tests/fuzz/json_proto_converter.cc tests/fuzz/json_proto_converter.h
+Copyright: © 2020 Google, Inc.
+License: Apache-2.0
+
 Files: lib/crypto_backend/crc32.c
 Copyright: © 1986 Gary S. Brown
 License: public-domain
@@ -139,7 +147,7 @@ License: public-domain
  what you wish.
 
 Files: misc/luks-header-from-active
-Copyright: © 2011-2024 Milan Broz <gmazyland@gmail.com>
+Copyright: © 2011-2025 Milan Broz <gmazyland@gmail.com>
 License: LGPL-2.1+
 
 Files: FAQ.md
@@ -158,10 +166,8 @@ License: GPL-2+
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  .
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- 02110-1301 USA.
+ You should have received a copy of the GNU General Public License along
+ with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
  On Debian systems, the complete text of the GNU General Public
  License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
@@ -177,10 +183,8 @@ License: GPL-2+ with OpenSSL exception
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  .
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- 02110-1301 USA.
+ You should have received a copy of the GNU General Public License along
+ with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
  On Debian systems, the complete text of the GNU General Public
  License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
@@ -208,9 +212,8 @@ License: GPL-3+
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  .
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software Foundation,
- Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ You should have received a copy of the GNU General Public License along
+ with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
  On Debian systems, the complete text of the GNU General Public License
  version 3 can be found in `/usr/share/common-licenses/GPL-3`.
@@ -226,10 +229,8 @@ License: LGPL-2.1+
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.
  .
- You should have received a copy of the GNU Lesser General Public
- License along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- 02110-1301 USA.
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
  On Debian systems, the complete text of the GNU Lesser General Public
  License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
@@ -245,10 +246,8 @@ License: LGPL-2.1+ with OpenSSL exception
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.
  .
- You should have received a copy of the GNU Lesser General Public
- License along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- 02110-1301 USA.
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
  On Debian systems, the complete text of the GNU Lesser General Public
  License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
diff --git a/debian/functions b/debian/functions
index 3845b9a..63ecf5d 100644
--- a/debian/functions
+++ b/debian/functions
@@ -162,7 +162,6 @@ crypttab_validate_option() {
         submit-from-crypt-cpus) OPTION="submit_from_crypt_cpus";;
         no-read-workqueue) OPTION="no_read_workqueue";;
         no-write-workqueue) OPTION="no_write_workqueue";;
-        tpm2-device) OPTION="tpm2_device";;
     esac
 
     case "$o" in
@@ -248,7 +247,6 @@ crypttab_validate_option() {
         submit-from-crypt-cpus) ;;
         no-read-workqueue) ;;
         no-write-workqueue) ;;
-        tpm2-device) ;;
         x-initrd.attach)
             unset -v OPTION ;; # ignored, cf. #1072058
         *)
@@ -597,11 +595,9 @@ _resolve_device() {
         MAJ="$maj"
         MIN="$min"
         return 0
+    else
+        cryptsetup_message "ERROR: Couldn't resolve device $spec"
     fi
-    case $spec in
-        overlay|usr-overlay) ;;
-        *) cryptsetup_message "ERROR: Couldn't resolve device $spec";;
-    esac
     return 1
 }
 
diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot
index a667354..ca759bd 100644
--- a/debian/initramfs/hooks/cryptroot
+++ b/debian/initramfs/hooks/cryptroot
@@ -51,10 +51,11 @@ crypttab_find_and_print_entry() {
 #   crypttab_parse_options().
 #   Return 0 on success, 1 on error.
 crypttab_print_entry() {
-    local DEV MAJ MIN uuid keyfile
+    local DEV MAJ MIN name_uses uuid keyfile
     if _resolve_device "$CRYPTTAB_SOURCE"; then
-        if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
-            cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
+        name_uses="$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" || name_uses="N/A"
+        if [ "$name_uses" != "$MAJ:$MIN" ]; then
+            cryptsetup_message "ERROR: Source mismatch: $CRYPTTAB_NAME uses $name_uses, but $CRYPTTAB_SOURCE is $MAJ:$MIN"
         elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \
                 [ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \
                 [ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \
@@ -177,6 +178,9 @@ generate_initrd_crypttab() {
     true >"$DESTDIR/cryptroot/targets"
 
     {
+        # add crypttab entries with the 'initramfs' option set
+        crypttab_foreach_entry crypttab_print_initramfs_entry
+
         if devnos="$(get_mnt_devno /)"; then
             usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
         else
@@ -190,9 +194,6 @@ generate_initrd_crypttab() {
         if devnos="$(get_mnt_devno /usr)"; then
             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
         fi
-
-        # add crypttab entries with the 'initramfs' option set
-        crypttab_foreach_entry crypttab_print_initramfs_entry
     } 3>"$DESTDIR/cryptroot/crypttab"
     rm -f "$DESTDIR/cryptroot/targets"
 }
@@ -351,10 +352,6 @@ copy_exec /sbin/dmsetup
 
 [ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass
 
-copy_exec /bin/gettext
-mkdir -p $DESTDIR/usr/share/locale/zh_CN/LC_MESSAGES/
-cp /usr/share/locale/zh_CN/LC_MESSAGES/cryptroot.mo $DESTDIR/usr/share/locale/zh_CN/LC_MESSAGES/
-
 # We need sed. Either via busybox or as standalone binary.
 if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then
     copy_exec /bin/sed
@@ -380,7 +377,7 @@ if [ "$MODULES" = most ]; then
 else
     if [ "$MODULES" != "dep" ]; then
         # with large initramfs, we always add a basic subset of modules
-        add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
+        add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts vmx_crypto
     fi
     add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
 fi
diff --git a/debian/initramfs/po/Makefile b/debian/initramfs/po/Makefile
deleted file mode 100644
index c5fce87..0000000
--- a/debian/initramfs/po/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-XGETTEXT = xgettext
-MSGFMT = msgfmt
-MSGMERGE = msgmerge
-
-LOCALEDIR = /usr/share/locale
-
-.SUFFIXES: .po .mo .pot
-
-%.mo: %.po
-	$(MSGFMT) -o $@ $<
-
-PO = $(wildcard *.po)
-LANG = $(basename $(PO))
-MO = $(addsuffix .mo,$(LANG))
-SOURCES = ../scripts/local-top/cryptroot
-
-all: update $(MO)
-update: cryptroot.pot
-	-@for po in $(PO); do \
-	echo -n "Updating $$po"; \
-	$(MSGMERGE) -U $$po cryptroot.pot; \
-	done;
-
-cryptroot.pot: $(SOURCES)
-	$(XGETTEXT) -c -L Shell --keyword=get_loc_str \
-	-o $@ $(SOURCES)
-
-install: all
-	for i in $(MO) ; do \
-	  t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\
-	  install -d $$t ;\
-	  install -m 644 $$i $$t/cryptroot.mo ;\
-	done
-
-clean:
-	$(RM) $(MO) *~
-
-.PHONY: update
diff --git a/debian/initramfs/po/cryptroot.pot b/debian/initramfs/po/cryptroot.pot
deleted file mode 100644
index ae5338e..0000000
--- a/debian/initramfs/po/cryptroot.pot
+++ /dev/null
@@ -1,42 +0,0 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
-#
-#, fuzzy
-msgid ""
-msgstr ""
-"Project-Id-Version: PACKAGE VERSION\n"
-"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-03 14:13+0800\n"
-"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
-"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
-"Language-Team: LANGUAGE <LL@li.org>\n"
-"Language: \n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=CHARSET\n"
-"Content-Transfer-Encoding: 8bit\n"
-
-#: ../scripts/local-top/cryptroot:186
-msgid "Failed to unlock automatically, please check TPM or input recovery key."
-msgstr ""
-
-#: ../scripts/local-top/cryptroot:188
-msgid "Wrong password! You have %s input chances more."
-msgstr ""
-
-#: ../scripts/local-top/cryptroot:191
-msgid "Wrong recovery key! You have %s input chances more"
-msgstr ""
-
-#: ../scripts/local-top/cryptroot:194
-msgid "Wrong password! You have %s input chances more"
-msgstr ""
-
-#: ../scripts/local-top/cryptroot:225
-msgid "Unlocking successfully!"
-msgstr ""
-
-#: ../scripts/local-top/cryptroot:230
-msgid "Please reboot!"
-msgstr ""
diff --git a/debian/initramfs/po/zh_CN.po b/debian/initramfs/po/zh_CN.po
deleted file mode 100644
index dcd2357..0000000
--- a/debian/initramfs/po/zh_CN.po
+++ /dev/null
@@ -1,43 +0,0 @@
-# Chinese translations for PACKAGE package
-# PACKAGE 软件包的简体中文翻译.
-# Copyright (C) 2024 THE PACKAGE'S COPYRIGHT HOLDER
-# This file is distributed under the same license as the PACKAGE package.
-#  <liangbo@uniontech.com>, 2024.
-#
-msgid ""
-msgstr ""
-"Project-Id-Version: \n"
-"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-03 14:13+0800\n"
-"PO-Revision-Date: 2024-01-03 14:19+0800\n"
-"Last-Translator: liangbo@uniontech.com\n"
-"Language-Team: Chinese (simplified)\n"
-"Language: zh_CN\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Poedit 2.2.1\n"
-
-#: ../scripts/local-top/cryptroot:186
-msgid "Failed to unlock automatically, please check TPM or input recovery key."
-msgstr "自动解密失败,请检查TPM硬件或输入恢复密钥解密."
-
-#: ../scripts/local-top/cryptroot:188
-msgid "Wrong password! You have %s input chances more."
-msgstr "密码错误,您还可以输入%s次."
-
-#: ../scripts/local-top/cryptroot:191
-msgid "Wrong recovery key! You have %s input chances more"
-msgstr "恢复密钥错误,您还可以输入%s次"
-
-#: ../scripts/local-top/cryptroot:194
-msgid "Wrong password! You have %s input chances more"
-msgstr "密码错误,您还可以输入%s次"
-
-#: ../scripts/local-top/cryptroot:225
-msgid "Unlocking successfully!"
-msgstr "解锁成功！"
-
-#: ../scripts/local-top/cryptroot:230
-msgid "Please reboot!"
-msgstr "多次输入错误，请重启系统后再尝试"
diff --git a/debian/initramfs/scripts/local-top/cryptroot b/debian/initramfs/scripts/local-top/cryptroot
index c8318b1..cf32118 100644
--- a/debian/initramfs/scripts/local-top/cryptroot
+++ b/debian/initramfs/scripts/local-top/cryptroot
@@ -5,16 +5,17 @@ PREREQ="cryptroot-prepare"
 #
 # Standard initramfs preamble
 #
-prereqs()
-{
-	# Make sure that cryptroot is run last in local-top
-	local req
-	for req in "${0%/*}"/*; do
-		script="${req##*/}"
-		if [ "$script" != "${0##*/}" ]; then
-			printf '%s\n' "$script"
-		fi
-	done
+prereqs() {
+    # Make sure that cryptroot is run last in local-top
+    local req script="${0##*/}" dir
+    dir="$DESTDIR/scripts/${CRYPTROOT_STAGE-local-top}"
+    for req in "$dir"/*; do
+        test -x "$req" || continue
+        req="${req##*/}"
+        if [ "$req" != "$script" ]; then
+            printf '%s\n' "$req"
+        fi
+    done
 }
 
 case $1 in
@@ -29,19 +30,6 @@ esac
 [ -f /lib/cryptsetup/functions ] || return 0
 . /lib/cryptsetup/functions
 
-if [ -f /etc/default/locale ]; then
-	. /etc/default/locale
-fi
-if [ -z $LANG ]; then
-    if [ -n "$locales" ]; then
-        LANG=$locales
-        LANGUAGE=${locales%.*}
-    fi
-fi
-export LANG
-export LANGUAGE
-
-alias get_loc_str='gettext "cryptroot"'
 
 # wait_for_source()
 #   Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE
@@ -161,7 +149,7 @@ setup_mapping() {
         fi
     fi
 
-    local count=0 maxtries="${CRYPTTAB_OPTION_tries:-10}" recovery_tries=5 fstype vg rv
+    local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
     while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
         if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
             # unlock via keyfile
@@ -174,29 +162,8 @@ setup_mapping() {
         count=$(( $count + 1 ))
 
         if [ $rv -ne 0 ]; then
-            left_count=$(( $maxtries - $count))
-            if [ -f "/tmp/crypt_mode" ]; then
-                if [ $left_count -ge $recovery_tries ]; then
-                    left_count=$(($left_count - $recovery_tries))
-                    crypt_mode=$(cat /tmp/crypt_mode)
-                    if [ "$crypt_mode" = "tpm" ]; then
-                        count=5
-                        # make askpass accept recovery key
-                        echo "$CRYPTTAB_NAME 6" > /tmp/crypt-tries.cache
-                        pattern=$(get_loc_str "Failed to unlock automatically, please check TPM or input recovery key.")
-                    else
-                        pattern=$(get_loc_str "Wrong password! You have %s input chances more.")
-                    fi
-                else
-                    pattern=$(get_loc_str "Wrong recovery key! You have %s input chances more")
-                fi
-            else
-                pattern=$(get_loc_str "Wrong password! You have %s input chances more")
-            fi
-            wrong_pass_tip=$(printf $pattern $left_count)
-            plymouth message --text="$wrong_pass_tip"
-            sleep 2
-            plymouth message --text=""
+            cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?"
+            sleep 1
             continue
         elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then
             cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping"
@@ -214,15 +181,12 @@ setup_mapping() {
             fi
         fi
 
-        plymouth message --text="$(get_loc_str "Unlocking successfully!")"
+        cryptsetup_message "$CRYPTTAB_NAME: set up successfully"
         wait_for_udev 10
         return 0
     done
 
-    plymouth message --text="$(get_loc_str "Please reboot!")"
-    while true; do
-        sleep 100
-    done
+    cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
     exit 1
 }
 
diff --git a/debian/libcryptsetup12.symbols b/debian/libcryptsetup12.symbols
index 5b30b7f..76548c9 100644
--- a/debian/libcryptsetup12.symbols
+++ b/debian/libcryptsetup12.symbols
@@ -5,6 +5,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
  CRYPTSETUP_2.5@CRYPTSETUP_2.5 2:2.5
  CRYPTSETUP_2.6@CRYPTSETUP_2.6 2:2.6
  CRYPTSETUP_2.7@CRYPTSETUP_2.7 2:2.7
+ CRYPTSETUP_2.8@CRYPTSETUP_2.8 2:2.8
  crypt_activate_by_keyfile@CRYPTSETUP_2.0 2:1.4
  crypt_activate_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
  crypt_activate_by_keyring@CRYPTSETUP_2.0 2:2.0
@@ -25,6 +26,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
  crypt_dump_json@CRYPTSETUP_2.4 2:2.4
  crypt_format@CRYPTSETUP_2.0 2:1.4
  crypt_format@CRYPTSETUP_2.4 2:2.4
+ crypt_format_inline@CRYPTSETUP_2.8 2:2.8
  crypt_format_luks2_opal@CRYPTSETUP_2.7 2:2.7
  crypt_free@CRYPTSETUP_2.0 2:1.4
  crypt_get_active_device@CRYPTSETUP_2.0 2:1.4
@@ -43,6 +45,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
  crypt_get_label@CRYPTSETUP_2.5 2:2.5
  crypt_get_metadata_device_name@CRYPTSETUP_2.0 2:2.1
  crypt_get_metadata_size@CRYPTSETUP_2.0 2:2.1
+ crypt_get_old_volume_key_size@CRYPTSETUP_2.8 2:2.8
  crypt_get_pbkdf_default@CRYPTSETUP_2.0 2:2.0.3
  crypt_get_pbkdf_type@CRYPTSETUP_2.0 2:2.0
  crypt_get_pbkdf_type_params@CRYPTSETUP_2.0 2:2.1
@@ -74,12 +77,19 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
  crypt_keyslot_context_get_error@CRYPTSETUP_2.6 2:2.6
  crypt_keyslot_context_get_type@CRYPTSETUP_2.6 2:2.6
  crypt_keyslot_context_init_by_keyfile@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_keyfile@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_init_by_keyring@CRYPTSETUP_2.7 2:2.7
+ crypt_keyslot_context_init_by_keyring@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_init_by_passphrase@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_passphrase@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_init_by_signed_key@CRYPTSETUP_2.7 2:2.7
+ crypt_keyslot_context_init_by_signed_key@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_init_by_token@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_token@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_init_by_vk_in_keyring@CRYPTSETUP_2.7 2:2.7
+ crypt_keyslot_context_init_by_vk_in_keyring@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_init_by_volume_key@CRYPTSETUP_2.6 2:2.6
+ crypt_keyslot_context_init_by_volume_key@CRYPTSETUP_2.8 2:2.8
  crypt_keyslot_context_set_pin@CRYPTSETUP_2.6 2:2.6
  crypt_keyslot_destroy@CRYPTSETUP_2.0 2:1.4
  crypt_keyslot_get_encryption@CRYPTSETUP_2.0 2:2.1
@@ -99,6 +109,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
  crypt_persistent_flags_set@CRYPTSETUP_2.0 2:2.0
  crypt_reencrypt@CRYPTSETUP_2.0 2:2.2
  crypt_reencrypt_init_by_keyring@CRYPTSETUP_2.0 2:2.2
+ crypt_reencrypt_init_by_keyslot_context@CRYPTSETUP_2.8 2:2.8
  crypt_reencrypt_init_by_passphrase@CRYPTSETUP_2.0 2:2.2
  crypt_reencrypt_run@CRYPTSETUP_2.4 2:2.4
  crypt_reencrypt_status@CRYPTSETUP_2.0 2:2.2
@@ -113,6 +124,7 @@ libcryptsetup.so.12 libcryptsetup12 #MINVER#
  crypt_resume_by_volume_key@CRYPTSETUP_2.0 2:2.3
  crypt_safe_alloc@CRYPTSETUP_2.0 2:2.3
  crypt_safe_free@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_memcpy@CRYPTSETUP_2.8 2:2.8
  crypt_safe_memzero@CRYPTSETUP_2.0 2:2.3
  crypt_safe_realloc@CRYPTSETUP_2.0 2:2.3
  crypt_set_compatibility@CRYPTSETUP_2.0 2:2.3
diff --git a/debian/patches/Exclude-reencryption-compat-test-from-Makefile.localtest.patch b/debian/patches/Exclude-reencryption-compat-test-from-Makefile.localtest.patch
new file mode 100644
index 0000000..cab0e91
--- /dev/null
+++ b/debian/patches/Exclude-reencryption-compat-test-from-Makefile.localtest.patch
@@ -0,0 +1,49 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Thu, 11 Dec 2025 23:23:36 +0100
+Subject: Exclude `reencryption-compat-test` from Makefile.localtest
+
+On Debian unstable (linux 6.17.11+deb14-amd64, udev 259~rc3-1) the test
+appears to fail with
+
+    $ sudo make -f Makefile.localtest -j tests CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y
+    […]
+    [reencryption-compat-test]
+    [1] Reencryption
+    [2] Reencryption with data shift
+    [3] Reencryption with keyfile
+    [4] Encryption of not yet encrypted device
+    [5] Reencryption using specific keyslot
+    [6] Reencryption using all active keyslots
+    [7] Reencryption of block devices with different block size
+    [512 sector]Cannot use scsi_debug module (in use or compiled-in), test skipped.
+    make: *** [Makefile.localtest:56: tests] Error 1
+
+or (linux 6.17.9+deb14-amd64, udev 259~rc2-1)
+
+    […]
+    [reencryption-compat-test]
+    [1] Reencryption
+    [2] Reencryption with data shift
+    [3] Reencryption with keyfile
+    [4] Encryption of not yet encrypted device
+    [5] Reencryption using specific keyslot
+    losetup: reenc-data: failed to set up loop device: Device or resource busy
+
+Bug-Debian: https://bugs.debian.org/1122539
+---
+ tests/Makefile.localtest | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
+index 89ce2c3..22d0d7e 100644
+--- a/tests/Makefile.localtest
++++ b/tests/Makefile.localtest
+@@ -7,7 +7,7 @@ CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYR
+ 	-DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
+ CFLAGS=-O2 -g -Wall -D_GNU_SOURCE
+ LDLIBS=-lcryptsetup -ldevmapper
+-TESTS=$(wildcard *-test *-test2) api-test api-test-2 all-symbols-test unit-utils-crypt-test
++TESTS=$(filter-out reencryption-compat-test,$(wildcard *-test *-test2)) api-test api-test-2 all-symbols-test unit-utils-crypt-test
+ TESTS_UTILS=differ unit-utils-io unit-wipe
+ 
+ ifneq ($(RUN_SSH_PLUGIN_TEST),)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..0d4147c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+Exclude-reencryption-compat-test-from-Makefile.localtest.patch
diff --git a/debian/po/ca.po b/debian/po/ca.po
new file mode 100644
index 0000000..161e458
--- /dev/null
+++ b/debian/po/ca.po
@@ -0,0 +1,54 @@
+# Catalan translation of cryptsetup's debconf messages
+# Copyright © 2024 Free Software Foundation, Inc.
+# This file is distributed under the same license as the cryptsetup package.
+# poc senderi <pocsenderi@protonmail.com>, 2024.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2024-12-07 16:56+0100\n"
+"Language: ca\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Last-Translator: poc senderi <pocsenderi@protonmail.com>\n"
+"Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
+"X-Generator: Poedit 2.4.2\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "Voleu continuar amb l'eliminació del «cryptsetup»?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Aquest sistema té dispositius «dm-crypt» desbloquejats: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock the "
+"devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Si aquests dispositius es gestionen amb el «cryptsetup», és possible que no "
+"pugueu bloquejar els dispositius després de l'eliminació del paquet, tot i "
+"que es poden utilitzar altres eines per a gestionar dispositius «dm-crypt». "
+"Qualsevol apagada o reinici del sistema bloquejarà els dispositius."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"No trieu aquesta opció si voleu bloquejar els dispositius «dm-crypt» abans de "
+"l'eliminació del paquet."
diff --git a/debian/po/tr.po b/debian/po/tr.po
new file mode 100644
index 0000000..0d2fa98
--- /dev/null
+++ b/debian/po/tr.po
@@ -0,0 +1,57 @@
+# Turkish debconf translation of cryptsetup package.
+# Copyright (C) 2025 Debian Turkish L10n Team
+# This file is distributed under the same license as the cryptsetup package.
+# Translator:
+# Nuri KÜÇÜKLER <nurikucukler@yahoo.com>, 2025.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup\n"
+"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n"
+"POT-Creation-Date: 2018-06-18 01:42+0200\n"
+"PO-Revision-Date: 2025-07-09 17:25+0300\n"
+"Last-Translator: Nuri KÜÇÜKLER <nurikucukler@yahoo.com>\n"
+"Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian."
+"org>\n"
+"Language: tr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+"X-Generator: Poedit 3.2.2\n"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "Continue with cryptsetup removal?"
+msgstr "cryptsetup paketinin kaldırılmasına devam edilsin mi?"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid "This system has unlocked dm-crypt devices: ${cryptmap}"
+msgstr "Bu sistemde kilidi açılmış dm-crypt aygıtları var: ${cryptmap}"
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"If these devices are managed with cryptsetup, you might be unable to lock "
+"the devices after the package removal, though other tools can be used for "
+"managing dm-crypt devices. Any system shutdown or reboot will lock the "
+"devices."
+msgstr ""
+"Bu aygıtlar cryptsetup ile yönetiliyorsa, paket kaldırıldıktan sonra "
+"bunları yeniden kilitleyemeyebilirsiniz. Ancak dm-crypt aygıtlarını "
+"yönetmek için başka araçlar da mevcuttur. Sistem kapatılır ya da yeniden "
+"başlatılırsa, aygıtlar kilitlenecektir."
+
+#. Type: boolean
+#. Description
+#: ../cryptsetup.templates:1001
+msgid ""
+"Do not choose this option if you want to lock the dm-crypt devices before "
+"package removal."
+msgstr ""
+"Paket kaldırılmadan önce dm-crypt aygıtlarını kilitlemek için bu seçeneği "
+"tercih etmeyin."
diff --git a/debian/rules b/debian/rules
index 7727646..6c32fa1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -51,7 +51,6 @@ endif
 
 	# generate gettext po files (for luksformat)
 	$(MAKE) -C debian/scripts/po all luksformat.pot
-	$(MAKE) -C debian/initramfs/po all cryptroot.pot
 
 execute_before_dh_auto_test:
 	# tests/fake_token_path.so is built without global $(CFLAGS)
@@ -60,7 +59,6 @@ execute_before_dh_auto_test:
 execute_after_dh_auto_install:
 	# install gettext po files (for luksformat)
 	$(MAKE) -C debian/scripts/po DESTDIR=$(CURDIR)/debian/cryptsetup-bin install
-	$(MAKE) -C debian/initramfs/po DESTDIR=$(CURDIR)/debian/cryptsetup-initramfs install
 
 execute_after_dh_install:
 	# install apport files when building on Ubuntu
@@ -76,7 +74,6 @@ override_dh_installinit:
 
 execute_after_dh_auto_clean:
 	$(MAKE) -C debian/scripts/po update clean
-	$(MAKE) -C debian/initramfs/po update clean
 	if [ -f $(CURDIR)/debian/cryptsetup-initramfs.preinst.in ]; then \
 		mv -fT $(CURDIR)/debian/cryptsetup-initramfs.preinst.in $(CURDIR)/debian/cryptsetup-initramfs.preinst; \
 	fi
diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg
index 18ab575..5b0a1d9 100644
--- a/debian/scripts/decrypt_gnupg
+++ b/debian/scripts/decrypt_gnupg
@@ -5,7 +5,7 @@ decrypt_gpg () {
 	if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \
 		/usr/bin/gpg -q --batch --no-options  \
 		--no-random-seed-file --no-default-keyring \
-		--keyring /dev/null --secret-keyring /dev/null \
+		--keyring /dev/null \
 		--trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then
 		return 1
 	fi
diff --git a/debian/scripts/suspend/cryptsetup-suspend-wrapper b/debian/scripts/suspend/cryptsetup-suspend-wrapper
index 953196c..0c60ebc 100644
--- a/debian/scripts/suspend/cryptsetup-suspend-wrapper
+++ b/debian/scripts/suspend/cryptsetup-suspend-wrapper
@@ -102,14 +102,18 @@ mount_initramfs() {
         new="y"
     fi
 
-    # unmkinitramfs(8) extracts microcode into folders "early*" and the actual initramfs into "main"
-    if [ -f "$INITRAMFS_MNT/sbin/cryptsetup" ]; then
-        INITRAMFS_DIR="$INITRAMFS_MNT"
-    elif [ -f "$INITRAMFS_MNT/main/sbin/cryptsetup" ]; then
-        INITRAMFS_DIR="$INITRAMFS_MNT/main"
-    else
-        log_error "Directory $INITRAMFS_MNT has unpected content" >&2
-        exit 1
+    INITRAMFS_DIR="$INITRAMFS_MNT"
+    if [ ! -f "$INITRAMFS_DIR/sbin/cryptsetup" ]; then
+        # unmkinitramfs(8) extracts microcode and actual initramfs into different folders
+        for p in "$INITRAMFS_MNT"/*/sbin/cryptsetup; do
+            if [ -f "$p" ] && [ -d "${p%"/sbin/cryptsetup"}/usr" ]; then
+                INITRAMFS_DIR="${p%"/sbin/cryptsetup"}"
+            fi
+        done
+        if [ ! -f "$INITRAMFS_DIR/sbin/cryptsetup" ]; then
+            log_error "Directory $INITRAMFS_MNT has unpected content" >&2
+            exit 1
+        fi
     fi
 
     if [ "$new" = "y" ]; then
diff --git a/debian/tests/control b/debian/tests/control
index 9fedc5f..0168594 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,12 +1,20 @@
 # Run the installed binaries and libraries through the full upstream test suite.
 Features: test-name=upstream-testsuite
-Test-Command: make -C ./tests -f Makefile.localtest -j tests CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y
+Test-Command:
+ dh_update_autotools_config &&
+ dh_autoreconf &&
+ make -f debian/rules override_dh_auto_configure DEB_BUILD_OPTIONS="nocheck nodoc" DEB_BUILD_PROFILES="noudeb" &&
+ make libcrypto_backend.la &&
+ cd ./tests &&
+ gcc -I ../lib -c ./crypto-check.c &&
+ gcc -o ./crypto-check ./crypto-check.o ../.libs/libcrypto_backend.a -lcrypto &&
+ make -f Makefile.localtest -j tests CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y
+    RUN_KEYRING_TRUSTED_TEST=y
+    RUN_SYSTEMD_PLUGIN_TEST=y
 Depends: cryptsetup-bin,
 # to compile tests/*.c
-  gcc,
   libcryptsetup-dev,
-  libdevmapper-dev,
-#
+  @builddeps@,
 # for hexdump(1)
   bsdextrautils,
 # for dmsetup(8)
@@ -25,6 +33,12 @@ Depends: cryptsetup-bin,
   procps,
 # for uuencode(1)
   sharutils,
+# for swtpm(8) and swtpm_ioctl(8)
+  swtpm,
+  swtpm-tools,
+  tpm2-tools,
+# for systemd-cryptenroll(1)
+  systemd-cryptsetup,
 # for xxd(1)
   xxd
 #
@@ -66,6 +80,7 @@ Tests: cryptroot-lvm, cryptroot-legacy
 # cryptsetup is not listed since we only install it in the VM.
 Depends: cryptsetup-bin,
          dosfstools [arm64 armhf],
+         e2fsprogs,
          fdisk,
          genext2fs,
          initramfs-tools-core,
@@ -83,6 +98,7 @@ Architecture: amd64
 Tests: cryptroot-md
 Depends: cryptsetup-bin,
          dosfstools [arm64 armhf],
+         e2fsprogs,
          fdisk,
          genext2fs,
          initramfs-tools-core,
@@ -100,6 +116,7 @@ Tests: cryptroot-nested
 Depends: btrfs-progs,
          cryptsetup-bin,
          dosfstools [arm64 armhf],
+         e2fsprogs,
          fdisk,
          genext2fs,
          initramfs-tools-core,
@@ -116,6 +133,7 @@ Architecture: amd64
 Tests: cryptroot-sysvinit
 Depends: cryptsetup-bin,
          dosfstools [arm64 armhf],
+         e2fsprogs,
          fdisk,
          genext2fs,
          initramfs-tools-core,
diff --git a/debian/tests/cryptdisks b/debian/tests/cryptdisks
index b8c6bcc..4276536 100755
--- a/debian/tests/cryptdisks
+++ b/debian/tests/cryptdisks
@@ -197,9 +197,11 @@ EOF
 
 # having an existing file system before the offset has no effect (cf. #994056)
 dmsetup create hidden --table "0 $offset linear $CRYPT_DEV 0"
+udevadm settle
 mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden
 u="$(blkid -p -s UUID -o value /dev/mapper/hidden)"
 dd if=/dev/mapper/hidden of="$TMPDIR/hidden.img" bs=512
+udevadm settle
 dmsetup remove hidden
 u2="$(blkid -p -s UUID -o value -- "$CRYPT_DEV")"
 test "$u" = "$u2"
@@ -593,8 +595,10 @@ cat >/etc/crypttab <<-EOF
 EOF
 
 dmsetup create hidden --table "0 4096 linear $CRYPT_DEV $offset"
+udevadm settle
 mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden
 u="$(blkid -p -s UUID -o value /dev/mapper/hidden)"
+udevadm settle
 dmsetup remove hidden
 u2="$(blkid -p -O$((offset*512)) -s UUID -o value -- "$CRYPT_DEV")"
 test "$u" = "$u2"
diff --git a/debian/tests/cryptroot-lvm.d/mock b/debian/tests/cryptroot-lvm.d/mock
index f57e42f..f777763 100755
--- a/debian/tests/cryptroot-lvm.d/mock
+++ b/debian/tests/cryptroot-lvm.d/mock
@@ -36,8 +36,13 @@ else {
     expect($SERIAL => qr/(?:^|\s)?PM: suspend exit\r\n/m);
     unlock_disk("topsecret");
 
-    # consume PS1 to make sure we're at a shell prompt
-    expect($CONSOLE => qr/\A $PS1 \z/aamsx);
+    # suspend() leaves clutter in the console due to the retries
+    # that prevents test from succeeding.
+    consume($CONSOLE);
+
+    # ensure that shell is available
+    shell(q{echo ready}, rv => 0);
+
     my $out = shell(q{dmsetup info -c --noheadings -omangled_name,suspended --separator ' '});
     die if grep !/[:[:blank:]]Active$/i, split(/\r?\n/, $out);
 
diff --git a/debian/tests/cryptroot-md.d/setup b/debian/tests/cryptroot-md.d/setup
index a8f49ed..ad633c8 100644
--- a/debian/tests/cryptroot-md.d/setup
+++ b/debian/tests/cryptroot-md.d/setup
@@ -55,9 +55,9 @@ for d in vda3 vda4 vdb3 vdb4; do
     udevadm settle
 done
 
-mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 /dev/vda2 /dev/vdb2
+mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 --bitmap=internal /dev/vda2 /dev/vdb2
 mdadm --create /dev/md1 --metadata=default --level=0 --raid-devices=2 /dev/mapper/vda3_crypt /dev/mapper/vdb3_crypt
-mdadm --create /dev/md2 --metadata=default --level=1 --raid-devices=2 /dev/mapper/vda4_crypt /dev/mapper/vdb4_crypt
+mdadm --create /dev/md2 --metadata=default --level=1 --raid-devices=2 --bitmap=internal /dev/mapper/vda4_crypt /dev/mapper/vdb4_crypt
 udevadm settle
 
 lvm pvcreate /dev/md2
diff --git a/debian/tests/cryptroot-nested.d/config b/debian/tests/cryptroot-nested.d/config
index 995200c..fcfba32 100644
--- a/debian/tests/cryptroot-nested.d/config
+++ b/debian/tests/cryptroot-nested.d/config
@@ -1,6 +1,13 @@
 PKGS_EXTRA+=( btrfs-progs lvm2 mdadm )
 PKGS_EXTRA+=( cryptsetup-initramfs )
 
+# "$DISTRIBUTOR_ID" is defined in ../utils/cryptroot-common
+# Workaround for LP1831747 https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1831747
+# Add implicit dependency of cryptsetup-initramfs
+if [ "$DISTRIBUTOR_ID" = "ubuntu" ]; then
+    PKGS_EXTRA+=( e2fsprogs )
+fi
+
 # /dev/mapper/testvg-lv1_crypt and /dev/vdc are both 1G and used in RAID1 mode
 DRIVE_SIZES=( "1G" "264M" "1G" "512M" )
 
diff --git a/debian/tests/cryptroot-nested.d/setup b/debian/tests/cryptroot-nested.d/setup
index b08da17..1b3aa7d 100644
--- a/debian/tests/cryptroot-nested.d/setup
+++ b/debian/tests/cryptroot-nested.d/setup
@@ -60,7 +60,7 @@ cryptsetup luksOpen --key-file=/keyfile --allow-discards \
     -- "/dev/testvg/lv1" "testvg-lv1_crypt"
 udevadm settle
 
-mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 \
+mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 --bitmap=internal \
     /dev/mapper/testvg-lv1_crypt /dev/vdc
 udevadm settle
 
diff --git a/debian/tests/cryptroot-sysvinit.d/config b/debian/tests/cryptroot-sysvinit.d/config
index f6b7392..1d41c24 100644
--- a/debian/tests/cryptroot-sysvinit.d/config
+++ b/debian/tests/cryptroot-sysvinit.d/config
@@ -1,5 +1,10 @@
 PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
 PKGS_EXTRA+=( cryptsetup-initramfs cryptsetup )
-PKG_INIT="sysvinit-core"
-
+# "$DISTRIBUTOR_ID" is defined in ../utils/cryptroot-common
+case "$DISTRIBUTOR_ID" in
+    debian) PKG_INIT="sysvinit-core";;
+    ubuntu) PKG_INIT="systemd-sysv";;
+    *) echo "ERROR: Unknown distributor ID '$DISTRIBUTOR_ID', can't determine default init package" >&2;
+       exit 1;;
+esac
 # vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-sysvinit.d/mock b/debian/tests/cryptroot-sysvinit.d/mock
index b729022..ff9b05b 100755
--- a/debian/tests/cryptroot-sysvinit.d/mock
+++ b/debian/tests/cryptroot-sysvinit.d/mock
@@ -22,7 +22,8 @@ die unless $out =~ m#\Avda5\s.*\r?\n^`-vda5_crypt\s+crypt\s+/\s*\r?\n\z#m;
 # make sure only vda5 is processed at initramfs stage
 # XXX unmkinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954
 shell(q{unmkinitramfs /boot/initrd.img-`uname -r` /tmp/initramfs});
-shell(q{grep -E '^vd\S+_crypt\s' </tmp/initramfs/cryptroot/crypttab >/tmp/out});
+shell(q{find /tmp/initramfs -path "*/cryptroot/crypttab" -type f -print0 >/tmp/paths});
+shell(q{xargs -r0a/tmp/paths grep -Eh '^vd\S+_crypt\s' >/tmp/out});
 shell(q{grep -E  '^vda5_crypt\s' </tmp/out}, rv => 0);
 shell(q{grep -Ev '^vda5_crypt\s' </tmp/out}, rv => 1);
 
diff --git a/debian/tests/utils/cryptroot-common b/debian/tests/utils/cryptroot-common
index 6617670..4146a84 100755
--- a/debian/tests/utils/cryptroot-common
+++ b/debian/tests/utils/cryptroot-common
@@ -81,6 +81,7 @@ load_os_release() {
 }
 case "${DISTRIBUTOR_ID:="$(load_os_release && printf "%s" "${ID,,[A-Z]}")"}" in
     debian) APT_REPO_ORIGIN="Debian"; APT_REPO_URI="http://deb.debian.org/debian";;
+    ubuntu) APT_REPO_ORIGIN="Ubuntu"; APT_REPO_URI="http://archive.ubuntu.com/ubuntu";;
     # suitable values for derivative can be added here
     *) echo "ERROR: Unknown distributor ID '$DISTRIBUTOR_ID', can't extract APT origin" >&2;
        exit 1;;
@@ -164,6 +165,12 @@ case "$BOOT" in
     efi) PKG_BOOTLOADER="grub-efi";;
     *) echo "ERROR unknown boot method '$BOOT'" >&2; exit 1;;
 esac
+
+if [ "$DISTRIBUTOR_ID" = "ubuntu" ]; then
+    echo "Overriding kernel arch to generic"
+    KERNEL_ARCH="generic"
+fi
+
 PKG_KERNEL="linux-image-$KERNEL_ARCH"
 PKG_INIT="systemd-sysv" # default pid1
 MERGED_USR="" # use default layout for the target version
@@ -302,6 +309,12 @@ setup_apt() {
         esac >"$TEMPDIR/apt/sources.list"
     fi
 
+    # ubuntu CI populates sources.list.d with PPA source, append them to the list
+    if [ "$DISTRIBUTOR_ID" = "ubuntu" ] && [ -d /etc/apt/sources.list.d ]; then
+        echo "Append contents of /etc/apt/sources.list.d to $TEMPDIR/apt/sources.list"
+        find /etc/apt/sources.list.d -type f -name "*.list" -execdir cat {} + >> "$TEMPDIR/apt/sources.list"
+    fi
+
     local apt_repo
     for apt_repo in "${EXTRA_REPOS[@]}"; do
         printf "%s\\n" "$apt_repo" >>"$TEMPDIR/apt/sources.list"
diff --git a/debian/tests/utils/init b/debian/tests/utils/init
index 331cd6f..94f3b41 100755
--- a/debian/tests/utils/init
+++ b/debian/tests/utils/init
@@ -245,6 +245,13 @@ if [ -f /init.postinst ]; then
     rm -f "$ROOT/init.postinst"
 fi
 
+# These break 'expect' so remove it from the image under test
+if [ -f "$ROOT/usr/lib/tmpfiles.d/20-systemd-osc-context.conf" ]; then
+    rm -f "$ROOT/etc/profile.d/80-systemd-osc-context.sh"
+    mkdir -p "$ROOT/etc/tmpfiles.d"
+    ln -s /dev/null "$ROOT/etc/tmpfiles.d/20-systemd-osc-context.conf"
+fi
+
 # allow service startup again
 mv "$ROOT/sbin/start-stop-daemon.REAL" "$ROOT/sbin/start-stop-daemon"
 rm "$ROOT/usr/sbin/policy-rc.d"
diff --git a/debian/tests/utils/initramfs-hook.common b/debian/tests/utils/initramfs-hook.common
index 863d08d..4332a13 100644
--- a/debian/tests/utils/initramfs-hook.common
+++ b/debian/tests/utils/initramfs-hook.common
@@ -41,22 +41,36 @@ cat >"$TMPDIR/initramfs-tools/initramfs.conf" <<-EOF
 EOF
 
 INITRD_IMG="$TMPDIR/initrd.img"
-INITRD_DIR="$TMPDIR/initrd"
+UNMKINITRAMFS_DESTDIR="$TMPDIR/initrd"
+unset INITRD_DIR
 cleanup_initrd_dir() {
     local d
-    for d in dev proc sys; do
-        mountpoint -q "$INITRD_DIR/$d" && umount "$INITRD_DIR/$d" || true
-    done
-    rm -rf --one-file-system -- "$INITRD_DIR"
+    if [ -n "${INITRD_DIR+x}" ] && [ -d "$INITRD_DIR" ]; then
+        for d in dev proc sys; do
+            mountpoint -q "$INITRD_DIR/$d" && umount "$INITRD_DIR/$d" || true
+        done
+        rm -rf --one-file-system -- "$INITRD_DIR"
+    fi
+    rm -rf --one-file-system -- "$UNMKINITRAMFS_DESTDIR"
+    unset INITRD_DIR
 }
 trap cleanup_initrd_dir EXIT INT TERM
 
 mkinitramfs() {
-    local d
+    local d p
     command mkinitramfs -d "$TMPDIR/initramfs-tools" -o "$INITRD_IMG"
     # `mkinitramfs -k` would be better but we can't set $DESTDIR in advance
     cleanup_initrd_dir
-    command unmkinitramfs "$INITRD_IMG" "$INITRD_DIR"
+    command unmkinitramfs "$INITRD_IMG" "$UNMKINITRAMFS_DESTDIR"
+    if [ -f "$UNMKINITRAMFS_DESTDIR/sbin/cryptsetup" ]; then
+        INITRD_DIR="$UNMKINITRAMFS_DESTDIR"
+    else
+        for p in "$UNMKINITRAMFS_DESTDIR"/*/sbin/cryptsetup; do
+            if [ -f "$p" ] && [ -d "${p%"/sbin/cryptsetup"}/usr" ]; then
+                INITRD_DIR="${p%"/sbin/cryptsetup"}"
+            fi
+        done
+    fi
     for d in dev proc sys; do
         mkdir -p "$INITRD_DIR/$d"
         mount --bind "/$d" "$INITRD_DIR/$d"
diff --git a/debian/tests/utils/mock.pm b/debian/tests/utils/mock.pm
index 4db861d..36f44d2 100644
--- a/debian/tests/utils/mock.pm
+++ b/debian/tests/utils/mock.pm
@@ -98,6 +98,26 @@ sub expect(;$$) {
     #print STDERR "INFO done reading\n";
 }
 
+sub consume($) {
+    my $chan = shift;
+    my $buffer = defined $chan ? \$BUFFER{$chan} : undef;
+    if (! defined $buffer) {
+        return;
+    }
+
+    while(unpack("b*", $RBITS) != 0) {
+        my $rout = $RBITS;
+        if (select($rout, undef, undef, 1) == -1) {
+            return;
+        }
+        read_data($rout);
+        if (length($$buffer) == 0) {
+            return;
+        }
+        $$buffer = "";
+    }
+}
+
 sub write_data($$%) {
     my $chan = shift;
     my $data = shift;
@@ -168,11 +188,13 @@ BEGIN {
         hibernate
         poweroff
         expect
+        consume
     /;
 }
 
 *expect     = \&CryptrootTest::Utils::expect;
 *write_data = \&CryptrootTest::Utils::write_data;
+*consume = \&CryptrootTest::Utils::consume;
 
 sub unlock_disk($) {
     my $passphrase = shift;
@@ -231,7 +253,9 @@ sub shell($%) {
 sub suspend() {
     @QMP::EVENTS = (); # flush the event queue
 
-    write_data($CONSOLE => q{systemctl suspend});
+    # there is a race condition that causes suspend to fail.
+    # retry until success. Note, this may leave clutter in the console
+    write_data($CONSOLE => q{until systemctl suspend; do sleep 1; done});
     # while the command is asynchronous the system might suspend before
     # we have a chance to read the next $PS1
 
diff --git a/debian/watch b/debian/watch
index dabcd8b..13d9675 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,6 +1,7 @@
-version=4
-options="mode=git,pgpmode=gittag, \
-         uversionmangle=s/-(alpha|beta|rc)(\d*)$/~$1$2/, \
-         compression=gzip" \
-  https://gitlab.com/cryptsetup/cryptsetup.git \
-  refs/tags/v?@ANY_VERSION@
+Version: 5
+Mode: git
+Pgp-Mode: gittag
+Uversion-Mangle: s/-(alpha|beta|rc)(\d*)$/~$1$2/
+Compression: gzip
+Source: https://gitlab.com/cryptsetup/cryptsetup.git
+Matching-Pattern: refs/tags/@ANY_VERSION@
diff --git a/docs/examples/crypt_log_usage.c b/docs/examples/crypt_log_usage.c
index 05e3c97..de8d45c 100644
--- a/docs/examples/crypt_log_usage.c
+++ b/docs/examples/crypt_log_usage.c
@@ -2,7 +2,7 @@
 /*
  * libcryptsetup API log example
  *
- * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <stdio.h>
diff --git a/docs/examples/crypt_luks_usage.c b/docs/examples/crypt_luks_usage.c
index 002b744..784d368 100644
--- a/docs/examples/crypt_luks_usage.c
+++ b/docs/examples/crypt_luks_usage.c
@@ -2,7 +2,7 @@
 /*
  *  libcryptsetup API - using LUKS device example
  *
- * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <stdio.h>
diff --git a/docs/licenses/COPYING.Apache-2.0 b/docs/licenses/COPYING.Apache-2.0
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/docs/licenses/COPYING.Apache-2.0
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/docs/licenses/COPYING.CC-BY-SA-4.0 b/docs/licenses/COPYING.CC-BY-SA-4.0
new file mode 100644
index 0000000..2d58298
--- /dev/null
+++ b/docs/licenses/COPYING.CC-BY-SA-4.0
@@ -0,0 +1,428 @@
+Attribution-ShareAlike 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+    wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More considerations
+     for the public:
+    wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-ShareAlike 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-ShareAlike 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  l. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  m. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+     including for purposes of Section 3(b); and
+
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
+
diff --git a/docs/licenses/COPYING.GPL-2.0-or-later-WITH-cryptsetup-OpenSSL-exception b/docs/licenses/COPYING.GPL-2.0-or-later-WITH-cryptsetup-OpenSSL-exception
new file mode 100644
index 0000000..86289a1
--- /dev/null
+++ b/docs/licenses/COPYING.GPL-2.0-or-later-WITH-cryptsetup-OpenSSL-exception
@@ -0,0 +1,354 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
+
+-----
+In addition, as a special exception, the copyright holders give
+permission to link the code of portions of this program with the
+OpenSSL library under certain conditions as described in each
+individual source file, and distribute linked combinations
+including the two.
+
+You must obey the GNU General Public License in all respects
+for all of the code used other than OpenSSL.  If you modify
+file(s) with this exception, you may extend this exception to your
+version of the file(s), but you are not obligated to do so.  If you
+do not wish to do so, delete this exception statement from your
+version.  If you delete this exception statement from all source
+files in the program, then also delete it here.
diff --git a/COPYING.LGPL b/docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception
similarity index 100%
rename from COPYING.LGPL
rename to docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception
diff --git a/docs/on-disk-format-luks2.pdf b/docs/on-disk-format-luks2.pdf
index eb7eaa6..6a9df01 100644
Binary files a/docs/on-disk-format-luks2.pdf and b/docs/on-disk-format-luks2.pdf differ
diff --git a/docs/v2.8.0-ReleaseNotes b/docs/v2.8.0-ReleaseNotes
new file mode 100644
index 0000000..f08909e
--- /dev/null
+++ b/docs/v2.8.0-ReleaseNotes
@@ -0,0 +1,328 @@
+Cryptsetup 2.8.0 Release Notes
+==============================
+Stable release with new features and bug fixes
+
+All users of cryptsetup 2.7 must upgrade to this version.
+
+Changes since version 2.7.5
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Introduce support for inline mode (use HW sectors with additional hardware metadata space).
+
+  Some enterprise NVMe drives allow formatting sector size with additional metadata space,
+  for example, sector size 4096 bytes + 64 bytes for metadata.
+  We hope common firmware will soon support such features in more recent models.
+
+  If this metadata space is available (not internally used by a data integrity profile),
+  it removes the need to use the dm-integrity layer for sector metadata allocation.
+  This means that the performance bottleneck caused by the dm-integrity journal is eliminated.
+
+  Note: such drive must be reformatted with an external nvme tool.
+  You can check for support (reported as LBA format) by running the command
+    "nvme id-ns -H <nvme device>" and then you can reformat to the selected profile
+  (with complete data loss) with "nvme format -l <lbaf>.
+  This way, you can also reformat NVMe drive to 4096-byte sectors,which is strongly recommended
+  for encryption performance.
+
+  The required device mapper for inline mode was introduced in Linux kernel version 6.11.
+
+  The inline mode can be used with the new --integrity-inline option.
+
+  For integritysetup, the kernel dm-integrity layer is still used, but it directly maps metadata
+  to the hardware (eliminating the journal).
+  For cryptsetup, the dm-integrity layer is eliminated, and only the dm-crypt kernel driver is used.
+  The libcryptsetup exports a new crypt_format_inline API call.
+
+  Examples (underlying device must provide inline HW metadata space):
+
+  Use integritysetup format with inline mode with default CRC32 checksums:
+
+   # integritysetup format --sector-size 4096 --integrity-inline <device> [--no-wipe]
+   # integritysetup open <device> test
+   # integritysetup status test
+     /dev/mapper/test is active.
+       type:    INTEGRITY
+       tag size: 4 [bytes]
+       integrity: crc32c
+       device: <device>
+       sector size:  4096 [bytes]
+       ...
+       inline mode
+       journal: not active
+
+  Use LUKS2 with authenticated encryption (here with AEGIS AEAD cipher):
+
+   # cryptsetup luksFormat --integrity-inline --integrity aead --sector-size 4096 \
+                -c aegis128-random --key-size 128 <device> [--integrity-no-wipe]
+   # cryptsetup open <device> test
+   # cryptsetup luksDump <device>
+     ...
+     Requirements:   inline-hw-tags
+
+  After format, the inline mode is used automatically, and no special options are needed.
+  Please check the manual pages for more details about used options.
+
+  Note that the LUKS2 authenticated encryption is still an experimental feature.
+  The inline mode only improves performance by removing the dm-integrity layer.
+
+* Finalize use of keyslot context API.
+
+  Keyslot context is a generic abstraction over keyslot manipulation.
+  It extends many exiting commands by additional functions like tokens in activation, resume,
+  reencryption and similar commands without introducing new specific API functions.
+
+* Make all keyslot context types fully self-contained.
+
+  In the previous version, the caller is responsible for releasing of some allocated memory.
+  In this version, all memory is allocated internally. The existing keyslot context API function
+  provides backward compatibility through versioned symbols.
+
+* Add --key-description and --new-key-description cryptsetup options.
+
+  These can be used for the specification of the keyring with passphrase retrieval in the open,
+  resize, luksResume, luksFormat, luksAddKey and luksDump.
+
+* Support more precise keyslot selection in reencryption initialization.
+
+  Reencryption must update stored keys in keyslots, so it needs to unlock all keyslots first.
+
+  When no specific keyslot is selected by the --key-slot option, all active keyslots are updated.
+
+  Users may narrow down the selection of keyslots by specifying either --token-id, --token-type
+  or --token-only option. Only keyslots associated with the specific token (--token-id) or
+  a specific type (--token-type) or any token (--token-only) will be updated.
+  All other keyslots will be erased after reencryption is finished.
+
+  During reencryption, there are two volume keys (old and new).
+  For very specific use cases, reencryption can also be initialized by providing
+  volume keys directly by --volume-key-file, --new-volume-key-file, --volume-key-keyring
+  or --new-volume-key-keyring options. These options allow reencryption of the device with
+  no active keyslots (these can be added later).
+  If the --force-no-keyslots option is specified, all active keyslots will be erased after
+  the reencryption operation is finished.
+
+* Allow reencryption to resume using token and volume keys.
+
+  The reencryption can be resumed using tokens (similar to initialization described above).
+  For very specific use cases, reencryption can be resumed by providing volume keys.
+
+* Cryptsetup repair command now tries to check LUKS keyslot areas for corruption.
+
+  A keyslot binary area contains an encrypted volume key diffused to a larger area by
+  the anti-forensic splitter. If this area is corrupted, the keyslot can no longer be unlocked,
+  even with the correct password.
+
+  Active keyslot area should look like random data, so some specific corruption can be detected
+  by randomness analysis.
+
+  Cryptsetup repair command now tries to analyze the area expecting a uniform distribution
+  of bytes in 4096-byte blocks. If a problem is detected, it tries to localize corruption
+  in a smaller block (using the expected bit count).
+  Both tests are based on the Chi-squared statistical test.
+
+  This analysis can replace the external keyslot check program and usually is more sensitive.
+  However, it cannot detect all corruptions and can produce false positives.
+
+  Please use it as a hint when your password is no longer accepted, and you suspect
+  header corruption. This is the example output of the analysis:
+
+  # cryptsetup repair <device>
+    Keyslot 2 binary data could be corrupted.
+      Suspected offset: 0x88000
+    You can use hexdump -v -C -n 128 -s <offset_0xXXXX> <device> to inspect the data.
+
+  The test does not modify the header. A keyslot corruption cannot be repaired.
+  You have to use a backup header.
+
+* Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
+
+  If the keyfile size is not explicitly set, it uses only first 32 bytes.
+  All Opal2 manufacturers seem to use PSID of this length.
+
+* Opal2: Avoid the Erase method and use Secure Erase for locking range.
+
+  The Erase method is defined for Single-user mode (SUM) and works on SUM-enabled locking ranges.
+  As we do not use SUM yet, this always fails and falls back to Secure erase anyway.
+
+* Opal2: Fix some error description (in debug only).
+
+  Some Opal error messages were incorrect.
+  Cryptsetup now use all codes according to TCG specifications.
+
+* Opal2: Do not allow deferred deactivation.
+
+  The self-encrypting drive must be locked immediately; deferred deactivation is not supported.
+
+* Allow --reduce-device-size and --device-size combination for reencryption (encrypt) action.
+
+  For some very specific cases, this can be used to encrypt only part of the device together
+  with allocation a new space for the LUKS header.
+
+* Fix the userspace storage backend to support kernel "capi:" cipher specification format.
+
+  This avoids unnecessary fallback to the device-mapper instead of the userspace crypto library
+  in luksFormat. The "capi:" is Linux kernel cryptographic format.
+  For example, capi:xts(aes)-plain64 is equivalent of aes-xts-plain64.
+
+* Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher specification is used.
+
+  LUKS1 never officially supported this cipher specification format.
+  Such devices cannot be converted to LUKS1 (while existing devices can still be activated).
+
+* Explicitly disallow kernel "capi:" cipher specification format for LUKS2 keyslot encryption.
+
+  This specification is intended to be used for data encryption, not for keyslots.
+
+* Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
+
+  LUKS1 does not support unbound keyslots. Such devices cannot be converted.
+
+* cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification.
+
+  Double key size as there are two keys the same way as for dm-crypt format.
+
+* Remove keyslot warning about possible failure due to low memory.
+
+  This check was intended to warn users about possible out-of-memory situations
+  but produced many false positives.
+
+* Do not limit Argon2 KDF memory cost on systems with more than 4GB of available memory.
+
+  The memory cost is intended to be limited only in low-memory situations (like virtual machines
+  without swap), not on systems with plenty of RAM.
+
+* Properly report out of memory error for cryptographic backends implementing Argon2.
+
+* Avoid KDF2 memory cost overflow on 32-bit platforms.
+
+* Do not use page size as a fallback for device block size.
+
+  This check produced wrong values if used on platforms with larger page sizes (64kB)
+  and specific underlying storage (like ZFS).
+
+* veritysetup: Check hash device size in advance.
+
+  If hashes are stored in a file image, allocate the size in advance.
+  For a block device, check if hashes (Merkle tree) fits the device.
+
+* Print a better error message for unsupported LUKS2 AEAD device resize.
+
+* Optimize LUKS2 metadata writes.
+
+  LUKS2 supports several JSON area length configurations. Do not write full metadata
+  (including padding), as it may generate noticeable overhead with LUKS2.
+
+* veritysetup: support --error-as-corruption option.
+
+  The panic/restart_on_error options were introduced in Linux kernel 6.12 and process errors
+  (like media read error) the same way as data corruption.
+  Use this flag in combination with --panic-on-corruption or --restart-on-corruption.
+
+* Report all sizes in status and dump command output in the correct units.
+
+  Since the support of --sector-size option, the meaning of "sectors" became ambiguous as it
+  usually means 512-byte sectors (device-mapper unit). Confusion occurs when the sector size
+  is 4096 bytes while units used for display are 512-byte sectors.
+
+  All status commands in tools now display units explicitly to avoid confusion.
+
+  For example:
+  # cryptsetup status test
+    ...
+    sector size:  4096 [bytes]
+    offset:  32768 [512-byte units] (134217728 [bytes])
+    size:    7501443760 [512-byte units] (30725913640960 [bytes])
+
+  If you parse the output of status commands, please check your scripts to ensure they work
+  with the new output properly.
+
+* Add --integrity-key-size option to cryptsetup.
+
+  This option can be used to set up non-standard integrity key size (e.g. for HMAC).
+  It adds a new (optional) JSON "key_size" attribute in the segment.integrity JSON object
+  (see updated LUKS2 specification). If not set, the code uses selected hash length size.
+
+* Support trusted & encrypted keyrings for plain devices.
+
+* Support plain format resize with a keyring key.
+
+  If a plain dm-crypt device references the keyring, cryptsetup now allows resizing.
+  The user must ensure that the key in the keyring is unchanged since activation.
+  Otherwise, reloading the key can cause data corruption after an unexpected key change.
+
+* TCRYPT: Clear mapping of system-encrypted partitions.
+
+  TrueCrypt/VeraCrypt supports full system encryption (only a partition table is not encrypted)
+  or system partition encryption (only a system partition is encrypted).
+  The metadata header then contains the offset and size of the encrypted area.
+  Cryptsetup needs to know the specific partition offset to calculate encryption parameters.
+
+  To properly map a partition, the user must specify a real partition device so cryptsetup
+  can calculate this offset. As the partition can be an image in a file, cryptsetup now tries
+  to determine proper parameters and use device size stored in VeraCrypt metadata.
+
+  Please see the manual page description (TCRYPT section) for a detailed description.
+
+* TCRYPT: Print all information from the decrypted metadata header in the tcryptDump command.
+
+  Print also volume sizes (if present) and flags.
+
+* Always lock the volume key structure in memory.
+
+  Some memory for safe allocation was not allocated from locked (unswappable) memory.
+  Older cryptsetup locked all memory. Selective locking was introduced in version 2.6.0.
+
+* Do not run direct-io read check on block devices.
+
+  Block devices always support direct-io.
+  This check produced unnecessary error with locked Opal2 devices.
+
+* Fix a possible segfault in deferred deactivation.
+
+  Thanks Clément Guérin for the report.
+
+* Exclude cipher allocation time from the cryptsetup benchmark.
+
+* Add Mbed-TLS optional crypto backend.
+
+  Mbed-TLS is a tiny TLS implementation designed for embedded environments.
+  The backend can be enabled with the --with-crypto_backend=mbedtls configure option.
+
+* Fix the wrong preprocessor use of #ifdef for config.h processed by Meson.
+
+  Cryptsetup supports Autoconf and, optionally, Meson configuration.
+  Part of the code wrongly used #ifdef instead of #if conditional sections.
+  This caused problems with Meson-generated config.h.
+
+* Reorganize license files.
+
+  The license text files are now in docs/licenses.
+  The COPYING file in the root directory is the default license.
+
+Libcryptsetup API extensions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup API is backward compatible with all existing symbols.
+
+Due to the self-contained memory allocation, these symbols have the new version
+ crypt_keyslot_context_init_by_passphrase;
+ crypt_keyslot_context_init_by_keyfile;
+ crypt_keyslot_context_init_by_token;
+ crypt_keyslot_context_init_by_volume_key;
+ crypt_keyslot_context_init_by_signed_key;
+ crypt_keyslot_context_init_by_keyring;
+ crypt_keyslot_context_init_by_vk_in_keyring;
+
+New symbols:
+ crypt_format_inline
+ crypt_get_old_volume_key_size
+ crypt_reencrypt_init_by_keyslot_context
+ crypt_safe_memcpy
+
+New defines:
+ CRYPT_ACTIVATE_HIGH_PRIORITY
+ CRYPT_ACTIVATE_ERROR_AS_CORRUPTION
+ CRYPT_ACTIVATE_INLINE_MODE
+ CRYPT_REENCRYPT_CREATE_NEW_DIGEST
+
+New requirement flag:
+ CRYPT_REQUIREMENT_INLINE_HW_TAGS
diff --git a/docs/v2.8.1-ReleaseNotes b/docs/v2.8.1-ReleaseNotes
new file mode 100644
index 0000000..92f2e96
--- /dev/null
+++ b/docs/v2.8.1-ReleaseNotes
@@ -0,0 +1,40 @@
+Cryptsetup 2.8.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.8.0 must upgrade to this version.
+
+Changes since version 2.8.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that use chained ciphers.
+
+* Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8 characters in the passphrase.
+
+* Do not allow activation of the LUKS2 device if the used keyslot is not encrypted (it uses a null cipher).
+
+  Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
+  Null cipher is sometimes used to create an empty container for later reencryption.
+  Only an empty passphrase can activate such a container (the same as in LUKS1).
+
+* Do not silently decrease PBKDF parallel cost (threads) if set by an option.
+  The maximum parallel cost is limited to 4 threads.
+
+* Fixes to configuration and installation scripts.
+
+  Meson and autoconf tools now properly support --prefix option for temporary directory installation.
+  Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
+  Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
+  Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
+
+* Major update to manual pages.
+
+  Try to explain the PBKDF hardcoded limits.
+  Add a better explanation for automatic integrity tag recalculation.
+  Mention crypt/verity/integritytab.
+  Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
+  Clarify that some commands do not wipe data and unify OPAL reset wording.
+  Clarify the --label option.
+  There are also many other grammar and stylistic fixes to unify the man-page style.
+
+* Fixes for false-positive and annoying (optional) warnings added in recent compilers.
diff --git a/docs/v2.8.2-ReleaseNotes b/docs/v2.8.2-ReleaseNotes
new file mode 100644
index 0000000..bc78cd8
--- /dev/null
+++ b/docs/v2.8.2-ReleaseNotes
@@ -0,0 +1,58 @@
+Cryptsetup 2.8.2 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.8.x must upgrade to this version.
+
+Changes since version 2.8.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix cryptsetup LUKS2 status for HW inline integrity device.
+  Cryptsetup status did not print the inline flag if the underlying device with
+  HW integrity tags was used.
+
+* Fix LUKS2 format with detached header and data device with HW integrity tags.
+
+* Fix PBKDF serialization flag during device activation.
+  The --serialize-memory-hard-pbkdf and CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF API flag
+  is now properly supported again. This option is an optional workaround for situations where
+  multiple devices are activated in parallel (e.g., systemd crypttab activation).
+
+* BITLK: Add support for opening devices with Clear Key in BitLocker compatible mode.
+  BitLocker devices that are not yet encrypted can contain a Clear Key that is not protected
+  by a password. Cryptsetup can now map such devices and allow the user to access data on them.
+  Note that while such a device is detected as BitLocker, it must be treated as an unencrypted
+  device. Cryptsetup still does not allow mapping of partially encrypted BitLocker devices
+  (those in the middle of the encryption process).
+
+* BITLK: Harden metadata check by properly validating BitLocker metadata.
+  BitLocker metadata store checksums and authentication tags to detect random or malicious
+  manipulation. BITLK code now properly validates these and uses a backup metadata block
+  if validation fails. Previously, only the first metadata block was used.
+
+* Fix documentation to explicitly mention units for various API functions and in help messages.
+  Note that due to compatibility reasons, cryptsetup arguments use key sizes in bits while
+  integritysetup uses bytes.
+
+* Fix handling of too-long labels and subsystem fields.
+  LUKS2 labels are stored in the binary header area, which has a limited size.
+  Cryptsetup no longer silently truncates too-long labels; it prints an error instead.
+
+* Optimize reencryption to not repeatedly test access to the device.
+
+* Allow to use PHMAC (protected HMAC) with integritysetup and cryptsetup.
+  PHMAC is used by S390 mainframes. Support was added in Linux kernel 6.17. Configuration requires
+  steps using s390-tools; once that's done, it can be handled as a common LUKS2 or integrity device.
+
+* Opal2 SED: Fix misleading error messages during the self-encrypting drives format.
+  Cryptsetup misinterpreted some error codes when the kernel interface was not available
+  or the system call failed.
+
+* Opal2 SED: Ensure the system tries to rescan the device after the PSID reset.
+  Udev should now receive change events, allowing rescan of partition table after PSID reset.
+
+* Fix typos in volume-key-file help and integritysetup man page.
+
+* Fix detection of supported compiler attributes on PPC64 architecture.
+
+* Fix const compilation warnings with new gcc and glibc headers.
diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
index 686b42c..5f1762a 100644
--- a/lib/bitlk/bitlk.c
+++ b/lib/bitlk/bitlk.c
@@ -2,9 +2,9 @@
 /*
  * BITLK (BitLocker-compatible) volume handling
  *
- * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2024 Milan Broz
- * Copyright (C) 2019-2024 Vojtech Trefny
+ * Copyright (C) 2019-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2025 Milan Broz
+ * Copyright (C) 2019-2025 Vojtech Trefny
  */
 
 #include <errno.h>
@@ -111,6 +111,7 @@ struct bitlk_superblock {
 struct bitlk_fve_metadata {
 	/* FVE metadata block header */
 	uint8_t signature[8];
+	/* size of this block (in 16-byte units) */
 	uint16_t fve_size;
 	uint16_t fve_version;
 	uint16_t curr_state;
@@ -132,6 +133,32 @@ struct bitlk_fve_metadata {
 	uint64_t creation_time;
 } __attribute__ ((packed));
 
+struct bitlk_validation_hash {
+	uint16_t size;
+	uint16_t role;
+	uint16_t type;
+	uint16_t flags;
+	/* likely a hash type code, anything other than 0x2005 isn't supported */
+	uint16_t hash_type;
+	uint16_t unknown1;
+	/* SHA-256 */
+	uint8_t hash[32];
+} __attribute__ ((packed));
+
+struct bitlk_fve_metadata_validation {
+	/* FVE metadata validation block header */
+	uint16_t validation_size;
+	uint16_t validation_version;
+	uint32_t fve_crc32;
+	/* this is a single nested structure's header defined here for simplicity */
+	uint16_t nested_struct_size;
+	uint16_t nested_struct_role;
+	uint16_t nested_struct_type;
+	uint16_t nested_struct_flags;
+	/* datum containing a similar nested structure (encrypted using VMK) with hash (SHA256) */
+	uint8_t nested_struct_data[BITLK_VALIDATION_VMK_DATA_SIZE];
+} __attribute__ ((packed));
+
 struct bitlk_entry_header_block {
 	uint64_t offset;
 	uint64_t size;
@@ -237,10 +264,11 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 	bool supported = false;
 	int r = 0;
 
-	/* only passphrase or recovery passphrase vmks are supported (can be used to activate) */
+	/* only passphrase, recovery passphrase, startup key and clearkey vmks are supported (can be used to activate) */
 	supported = (*vmk)->protection == BITLK_PROTECTION_PASSPHRASE ||
 		    (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE ||
-		    (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY;
+		    (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY ||
+		    (*vmk)->protection == BITLK_PROTECTION_CLEAR_KEY;
 
 	while ((end - start) >= (ssize_t)(sizeof(key_entry_size) + sizeof(key_entry_type) + sizeof(key_entry_value))) {
 		/* size of this entry */
@@ -297,17 +325,13 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 			crypt_volume_key_add_next(&((*vmk)->vk), vk);
 		/* clear key for a partially decrypted volume */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
-			/* We currently don't want to support opening a partially decrypted
-			 * device so we don't need to store this key.
-			 *
-			 * key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
-			 * key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
-			 * vk = crypt_alloc_volume_key(key_size, key);
-			 * if (vk == NULL)
-			 * 	return -ENOMEM;
-			 * crypt_volume_key_add_next(&((*vmk)->vk), vk);
-			 */
-			log_dbg(cd, "Skipping clear key metadata entry.");
+			/* For clearkey protection, we need to store this key */
+			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
+			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
+			vk = crypt_alloc_volume_key(key_size, key);
+			if (vk == NULL)
+				return -ENOMEM;
+			crypt_volume_key_add_next(&((*vmk)->vk), vk);
 		/* unknown timestamps in recovery protected VMK */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
 			;
@@ -361,6 +385,54 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 	return 0;
 }
 
+static bool check_fve_metadata(struct bitlk_fve_metadata *fve)
+{
+	if (memcmp(fve->signature, BITLK_SIGNATURE, sizeof(fve->signature)) || le16_to_cpu(fve->fve_version) != 2 ||
+		(fve->fve_size << 4) > BITLK_FVE_METADATA_SIZE)
+		return false;
+
+	return true;
+}
+
+static bool check_fve_metadata_validation(struct bitlk_fve_metadata_validation *validation)
+{
+	/* only check if there is room for CRC-32, the actual size must be larger */
+	if (le16_to_cpu(validation->validation_size) < 8 || le16_to_cpu(validation->validation_version > 2))
+		return false;
+
+	return true;
+}
+
+static bool parse_fve_metadata_validation(struct bitlk_metadata *params, struct bitlk_fve_metadata_validation *validation)
+{
+	/* extra checks for a nested structure (MAC) and BITLK FVE metadata */
+
+	if (le16_to_cpu(validation->validation_size) < sizeof(struct bitlk_fve_metadata_validation))
+		return false;
+
+	if (le16_to_cpu(validation->nested_struct_size != BITLK_VALIDATION_VMK_HEADER_SIZE + BITLK_VALIDATION_VMK_DATA_SIZE) ||
+		le16_to_cpu(validation->nested_struct_role) != 0 ||
+		le16_to_cpu(validation->nested_struct_type) != 5)
+		return false;
+
+	/* nonce */
+	memcpy(params->validation->nonce,
+		validation->nested_struct_data,
+		BITLK_NONCE_SIZE);
+
+	/* MAC tag */
+	memcpy(params->validation->mac_tag,
+		validation->nested_struct_data + BITLK_NONCE_SIZE,
+		BITLK_VMK_MAC_TAG_SIZE);
+
+	/* AES-CCM encrypted datum with SHA256 hash */
+	memcpy(params->validation->enc_datum,
+		validation->nested_struct_data + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE,
+		BITLK_VALIDATION_VMK_DATA_SIZE - BITLK_NONCE_SIZE - BITLK_VMK_MAC_TAG_SIZE);
+
+	return true;
+}
+
 void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek)
 {
 	if (!fvek)
@@ -375,10 +447,8 @@ void BITLK_bitlk_vmk_free(struct bitlk_vmk *vmk)
 	struct bitlk_vmk *vmk_next = NULL;
 
 	while (vmk) {
-		if (vmk->guid)
-			free(vmk->guid);
-		if (vmk->name)
-			free(vmk->name);
+		free(vmk->guid);
+		free(vmk->name);
 		crypt_free_volume_key(vmk->vk);
 		vmk_next = vmk->next;
 		free(vmk);
@@ -392,8 +462,8 @@ void BITLK_bitlk_metadata_free(struct bitlk_metadata *metadata)
 		return;
 
 	free(metadata->guid);
-	if (metadata->description)
-		free(metadata->description);
+	free(metadata->description);
+	free(metadata->validation);
 	BITLK_bitlk_vmk_free(metadata->vmks);
 	BITLK_bitlk_fvek_free(metadata->fvek);
 }
@@ -405,20 +475,25 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	struct bitlk_signature sig = {};
 	struct bitlk_superblock sb = {};
 	struct bitlk_fve_metadata fve = {};
+	struct bitlk_fve_metadata_validation validation = {};
 	struct bitlk_entry_vmk entry_vmk = {};
 	uint8_t *fve_entries = NULL;
+	uint8_t *fve_validated_block = NULL;
 	size_t fve_entries_size = 0;
 	uint32_t fve_metadata_size = 0;
+	uint32_t fve_size_real = 0;
 	int fve_offset = 0;
 	char guid_buf[UUID_STR_LEN] = {0};
 	uint16_t entry_size = 0;
 	uint16_t entry_type = 0;
 	int i = 0;
 	int r = 0;
+	int valid_fve_metadata_idx = -1;
 	int start = 0;
 	size_t key_size = 0;
 	const char *key = NULL;
 	char *description = NULL;
+	struct crypt_hash *hash;
 
 	struct bitlk_vmk *vmk = NULL;
 	struct bitlk_vmk *vmk_p = params->vmks;
@@ -493,15 +568,80 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	for (i = 0; i < 3; i++)
 		params->metadata_offset[i] = le64_to_cpu(sb.fve_offset[i]);
 
-	log_dbg(cd, "Reading BITLK FVE metadata of size %zu on device %s, offset %" PRIu64 ".",
-		sizeof(fve), device_path(device), params->metadata_offset[0]);
+	fve_validated_block = malloc(BITLK_FVE_METADATA_SIZE);
+	if (fve_validated_block == NULL) {
+		r = -ENOMEM;
+		goto out;
+	}
 
-	/* read FVE metadata from the first metadata area */
-	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
-		device_alignment(device), &fve, sizeof(fve), params->metadata_offset[0]) != sizeof(fve) ||
-		memcmp(fve.signature, BITLK_SIGNATURE, sizeof(fve.signature)) ||
-		le16_to_cpu(fve.fve_version) != 2) {
-		log_err(cd, _("Failed to read BITLK FVE metadata from %s."), device_path(device));
+	for (i = 0; i < 3; i++) {
+		/* iterate over FVE metadata copies and pick the valid one */
+		log_dbg(cd, "Reading BITLK FVE metadata copy #%d of size %zu on device %s, offset %" PRIu64 ".",
+			i, sizeof(fve), device_path(device), params->metadata_offset[i]);
+
+		if (read_lseek_blockwise(devfd, device_block_size(cd, device),
+			device_alignment(device), &fve, sizeof(fve), params->metadata_offset[i]) != sizeof(fve) ||
+			!check_fve_metadata(&fve) ||
+			(fve_size_real = le16_to_cpu(fve.fve_size) << 4, read_lseek_blockwise(devfd, device_block_size(cd, device),
+			device_alignment(device), &validation, sizeof(validation), params->metadata_offset[i] + fve_size_real) != sizeof(validation)) ||
+			!check_fve_metadata_validation(&validation) ||
+			/* double-fetch is here, but we aren't validating MAC */
+			read_lseek_blockwise(devfd, device_block_size(cd, device), device_alignment(device), fve_validated_block, fve_size_real,
+			params->metadata_offset[i]) != fve_size_real ||
+			(crypt_crc32(~0, fve_validated_block, fve_size_real) ^ ~0) != le32_to_cpu(validation.fve_crc32)) {
+			/* found an invalid FVE metadata copy, log and skip */
+			log_dbg(cd, _("Failed to read or validate BITLK FVE metadata copy #%d from %s."), i, device_path(device));
+		} else {
+			/* found a valid FVE metadata copy, use it */
+			valid_fve_metadata_idx = i;
+			break;
+		}
+	}
+
+	if (valid_fve_metadata_idx < 0) {
+		/* all FVE metadata copies are invalid, fail */
+		log_err(cd, _("Failed to read and validate BITLK FVE metadata from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	/* check that a valid FVE metadata block is in its expected location */
+	if (params->metadata_offset[valid_fve_metadata_idx] != le64_to_cpu(fve.fve_offset[valid_fve_metadata_idx])) {
+		log_err(cd, _("Failed to validate the location of BITLK FVE metadata from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	/* update offsets from a valid FVE metadata copy */
+	for (i = 0; i < 3; i++)
+		params->metadata_offset[i] = le64_to_cpu(fve.fve_offset[i]);
+
+	/* check that the FVE metadata hasn't changed between reads, because we are preparing for the MAC check */
+	if (memcmp(&fve, fve_validated_block, sizeof(fve)) != 0) {
+		log_err(cd, _("BITLK FVE metadata changed between reads from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	crypt_backend_memzero(&params->sha256_fve, 32);
+	if (crypt_hash_init(&hash, "sha256")) {
+		log_err(cd, _("Failed to hash BITLK FVE metadata read from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+	crypt_hash_write(hash, (const char *)fve_validated_block, fve_size_real);
+	crypt_hash_final(hash, (char *)&params->sha256_fve, 32);
+	crypt_hash_destroy(hash);
+
+	/* do some extended checks against FVE metadata, but not including MAC verification */
+	params->validation = malloc(sizeof(struct bitlk_validation));
+	if (!params->validation) {
+		r = -ENOMEM;
+		goto out;
+	}
+
+	if (!parse_fve_metadata_validation(params, &validation)) {
+		log_err(cd, _("Failed to parse BITLK FVE validation metadata from %s."), device_path(device));
 		r = -EINVAL;
 		goto out;
 	}
@@ -586,17 +726,18 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 	}
 	memset(fve_entries, 0, fve_entries_size);
 
-	log_dbg(cd, "Reading BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
-		fve_entries_size, device_path(device), params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
+	log_dbg(cd, "Getting BITLK FVE metadata entries of size %zu on device %s, offset %" PRIu64 ".",
+		fve_entries_size, device_path(device), params->metadata_offset[valid_fve_metadata_idx] + BITLK_FVE_METADATA_HEADERS_LEN);
 
-	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
-		device_alignment(device), fve_entries, fve_entries_size,
-		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != (ssize_t)fve_entries_size) {
-		log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
+	if (BITLK_FVE_METADATA_HEADERS_LEN + fve_entries_size > fve_size_real) {
+		log_err(cd, _("Failed to check BITLK metadata entries previously read from %s."), device_path(device));
 		r = -EINVAL;
 		goto out;
 	}
 
+	/* fetch these entries from validated buffer to avoid double-fetch */
+	memcpy(fve_entries, fve_validated_block + BITLK_FVE_METADATA_HEADERS_LEN, fve_entries_size);
+
 	while ((fve_entries_size - start) >= (sizeof(entry_size) + sizeof(entry_type))) {
 
 		/* size of this entry */
@@ -717,10 +858,10 @@ int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
 
 		start += entry_size;
 	}
-
 out:
-	if (fve_entries)
-		free(fve_entries);
+	free(fve_entries);
+	free(fve_validated_block);
+
 	return r;
 }
 
@@ -742,7 +883,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 	log_std(cd, "Description:  \t%s\n", params->description);
 	log_std(cd, "Cipher name:  \t%s\n", params->cipher);
 	log_std(cd, "Cipher mode:  \t%s\n", params->cipher_mode);
-	log_std(cd, "Cipher key:   \t%u bits\n", params->key_size);
+	log_std(cd, "Cipher key:   \t%u [bits]\n", params->key_size);
 
 	log_std(cd, "\n");
 
@@ -761,15 +902,15 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta
 
 		vk_p = vmk_p->vk;
 		while (vk_p) {
-			log_std(cd, "\tKey data size:\t%zu [bytes]\n", vk_p->keylength);
-			vk_p = vk_p->next;
+			log_std(cd, "\tKey data size:\t%zu [bytes]\n", crypt_volume_key_length(vk_p));
+			vk_p = crypt_volume_key_next(vk_p);
 		}
 		vmk_p = vmk_p->next;
 		next_id++;
 	}
 
 	log_std(cd, " %d: FVEK\n", next_id);
-	log_std(cd, "\tKey data size:\t%zu [bytes]\n", params->fvek->vk->keylength);
+	log_std(cd, "\tKey data size:\t%zu [bytes]\n", crypt_volume_key_length(params->fvek->vk));
 
 	log_std(cd, "\n");
 
@@ -987,9 +1128,13 @@ static int bitlk_kdf(const char *password,
 	struct crypt_hash *hd = NULL;
 	int len = 0;
 	char16_t *utf16Password = NULL;
+	size_t utf16Len = 0;
 	int i = 0;
 	int r = 0;
 
+	if (!password)
+		return -EINVAL;
+
 	memcpy(kdf.salt, salt, 16);
 
 	r = crypt_hash_init(&hd, BITLK_KDF_HASH);
@@ -1012,7 +1157,8 @@ static int bitlk_kdf(const char *password,
 		if (r < 0)
 			goto out;
 
-		crypt_hash_write(hd, (char*)utf16Password, passwordLen * 2);
+		utf16Len = crypt_char16_strlen(utf16Password);
+		crypt_hash_write(hd, (char*)utf16Password, utf16Len * 2);
 		r = crypt_hash_final(hd, kdf.initial_sha256, len);
 		if (r < 0)
 			goto out;
@@ -1058,11 +1204,14 @@ static int decrypt_key(struct crypt_device *cd,
 	int r;
 	uint16_t key_size = 0;
 
-	outbuf = crypt_safe_alloc(enc_key->keylength);
+	outbuf = crypt_safe_alloc(crypt_volume_key_length(enc_key));
 	if (!outbuf)
 		return -ENOMEM;
 
-	r = crypt_bitlk_decrypt_key(key->key, key->keylength, enc_key->key, outbuf, enc_key->keylength,
+	r = crypt_bitlk_decrypt_key(crypt_volume_key_get_key(key),
+				crypt_volume_key_length(key),
+				crypt_volume_key_get_key(enc_key), outbuf,
+				crypt_volume_key_length(enc_key),
 				(const char*)iv, iv_size, (const char*)tag, tag_size);
 	if (r < 0) {
 		if (r == -ENOTSUP)
@@ -1073,9 +1222,10 @@ static int decrypt_key(struct crypt_device *cd,
 	/* key_data has it's size as part of the metadata */
 	memcpy(&key_size, outbuf, 2);
 	key_size = le16_to_cpu(key_size);
-	if (enc_key->keylength != key_size) {
+	if (crypt_volume_key_length(enc_key) != key_size) {
 		log_err(cd, _("Unexpected key data size."));
-		log_dbg(cd, "Expected key data size: %zu, got %" PRIu16 "", enc_key->keylength, key_size);
+		log_dbg(cd, "Expected key data size: %zu, got %" PRIu16 "",
+			    crypt_volume_key_length(enc_key), key_size);
 
 		r = -EINVAL;
 		goto out;
@@ -1085,7 +1235,7 @@ static int decrypt_key(struct crypt_device *cd,
 		crypt_get_volume_key_size(cd) == 32) {
 		/* 128bit AES-CBC with Elephant -- key size is 256 bit (2 keys) but key data is 512 bits,
 		   data: 16B CBC key, 16B empty, 16B elephant key, 16B empty */
-		memcpy(outbuf + 16 + BITLK_OPEN_KEY_METADATA_LEN,
+		crypt_safe_memcpy(outbuf + 16 + BITLK_OPEN_KEY_METADATA_LEN,
 			outbuf + 2 * 16 + BITLK_OPEN_KEY_METADATA_LEN, 16);
 		key_size = 32 + BITLK_OPEN_KEY_METADATA_LEN;
 	}
@@ -1099,6 +1249,41 @@ static int decrypt_key(struct crypt_device *cd,
 	return r;
 }
 
+static int get_clear_key(struct crypt_device *cd, const struct bitlk_vmk *vmk, struct volume_key **vmk_dec_key)
+{
+	struct volume_key *nested_key = vmk->vk;
+
+	if (!nested_key) {
+		log_dbg(cd, "Clearkey VMK structure incomplete - missing nested key");
+		return -ENOTSUP;
+	}
+
+	struct volume_key *encrypted_vmk = crypt_volume_key_next(nested_key);
+
+	if (!encrypted_vmk) {
+		log_dbg(cd, "Clearkey VMK structure incomplete - missing encrypted VMK");
+		return -ENOTSUP;
+	}
+
+	/**
+	 *  For clearkey protection, we need to decrypt the encrypted VMK using the nested key
+	 *  and return the decrypted VMK as vmk_dec_key
+	 */
+	struct volume_key *decrypted_vmk = NULL;
+	int r = decrypt_key(cd, &decrypted_vmk, encrypted_vmk, nested_key,
+			vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
+			vmk->nonce, BITLK_NONCE_SIZE, false);
+
+	if (r == 0 && decrypted_vmk) {
+		log_dbg(cd, "Successfully decrypted VMK using nested key");
+		*vmk_dec_key = decrypted_vmk;
+		return 0;
+	} else {
+		log_dbg(cd, "Failed to decrypt VMK using nested key (error: %d)", r);
+		return r;
+	}
+}
+
 int BITLK_get_volume_key(struct crypt_device *cd,
 			 const char *password,
 			 size_t passwordLen,
@@ -1109,10 +1294,12 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 	struct volume_key *open_vmk_key = NULL;
 	struct volume_key *vmk_dec_key = NULL;
 	struct volume_key *recovery_key = NULL;
+	struct bitlk_validation_hash dec_hash = {};
 	const struct bitlk_vmk *next_vmk = NULL;
 
 	next_vmk = params->vmks;
 	while (next_vmk) {
+		bool is_decrypted = false;
 		if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
 			r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
 			if (r) {
@@ -1134,7 +1321,8 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 				continue;
 			}
 			log_dbg(cd, "Trying to use given password as a recovery key.");
-			r = bitlk_kdf(recovery_key->key, recovery_key->keylength,
+			r = bitlk_kdf(crypt_volume_key_get_key(recovery_key),
+				      crypt_volume_key_length(recovery_key),
 				      true, next_vmk->salt, &vmk_dec_key);
 			crypt_free_volume_key(recovery_key);
 			if (r)
@@ -1146,8 +1334,18 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 				continue;
 			}
 			log_dbg(cd, "Trying to use external key found in provided password.");
+		} else if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
+			r = get_clear_key(cd, next_vmk, &vmk_dec_key);
+			if (r) {
+				/* something wrong happened, but we still want to check other key slots */
+				next_vmk = next_vmk->next;
+				continue;
+			}
+			is_decrypted = true;
+			open_vmk_key = vmk_dec_key;
+			log_dbg(cd, "Extracted VMK using clearkey.");
 		} else {
-			/* only passphrase, recovery passphrase and startup key VMKs supported right now */
+			/* only passphrase, recovery passphrase, startup key and clearkey VMKs supported right now */
 			log_dbg(cd, "Skipping %s", get_vmk_protection_string(next_vmk->protection));
 			next_vmk = next_vmk->next;
 			if (r == 0)
@@ -1156,19 +1354,51 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 			continue;
 		}
 
-		log_dbg(cd, "Trying to decrypt %s.", get_vmk_protection_string(next_vmk->protection));
-		r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
-				next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
-				next_vmk->nonce, BITLK_NONCE_SIZE, false);
+		if (!is_decrypted) {
+			r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
+					next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
+					next_vmk->nonce, BITLK_NONCE_SIZE, false);
+
+			crypt_free_volume_key(vmk_dec_key);
+		}
 		if (r < 0) {
 			log_dbg(cd, "Failed to decrypt VMK using provided passphrase.");
-			crypt_free_volume_key(vmk_dec_key);
+
 			if (r == -ENOTSUP)
 				return r;
 			next_vmk = next_vmk->next;
 			continue;
 		}
-		crypt_free_volume_key(vmk_dec_key);
+
+		log_dbg(cd, "Trying to decrypt validation metadata using VMK.");
+		r = crypt_bitlk_decrypt_key(crypt_volume_key_get_key(open_vmk_key),
+			crypt_volume_key_length(open_vmk_key),
+			(const char*)params->validation->enc_datum,
+			(char *)&dec_hash,
+			BITLK_VALIDATION_VMK_DATA_SIZE - BITLK_NONCE_SIZE - BITLK_VMK_MAC_TAG_SIZE,
+			(const char*)params->validation->nonce, BITLK_NONCE_SIZE,
+			(const char*)params->validation->mac_tag, BITLK_VMK_MAC_TAG_SIZE);
+		if (r < 0) {
+			log_dbg(cd, "Failed to decrypt validation metadata using VMK.");
+			crypt_free_volume_key(open_vmk_key);
+			if (r == -ENOTSUP)
+				return r;
+			break;
+		}
+
+		/* now, do the MAC validation */
+		if (le16_to_cpu(dec_hash.role) != 0 ||le16_to_cpu(dec_hash.type) != 1 ||
+			(le16_to_cpu(dec_hash.hash_type) != 0x2005)) {
+			log_dbg(cd, "Failed to parse decrypted validation metadata.");
+			crypt_free_volume_key(open_vmk_key);
+			return -ENOTSUP;
+		}
+
+		if (memcmp(dec_hash.hash, params->sha256_fve, sizeof(dec_hash.hash)) != 0) {
+			log_dbg(cd, "Failed MAC validation of BITLK FVE metadata.");
+			crypt_free_volume_key(open_vmk_key);
+			return -EINVAL;
+		}
 
 		r = decrypt_key(cd, open_fvek_key, params->fvek->vk, open_vmk_key,
 				params->fvek->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
@@ -1197,8 +1427,6 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 static int _activate_check(struct crypt_device *cd,
 		           const struct bitlk_metadata *params)
 {
-	const struct bitlk_vmk *next_vmk = NULL;
-
 	if (!params->state) {
 		log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
 		return -ENOTSUP;
@@ -1209,15 +1437,6 @@ static int _activate_check(struct crypt_device *cd,
 		return -ENOTSUP;
 	}
 
-	next_vmk = params->vmks;
-	while (next_vmk) {
-		if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
-			log_err(cd, _("Activation of partially decrypted BITLK device is not supported."));
-			return -ENOTSUP;
-		}
-		next_vmk = next_vmk->next;
-	}
-
 	return 0;
 }
 
@@ -1241,7 +1460,7 @@ static int _activate(struct crypt_device *cd,
 	uint64_t next_start = 0;
 	uint64_t next_end = 0;
 	uint64_t last_segment = 0;
-	uint32_t dmt_flags = 0;
+	uint64_t dmt_flags = 0;
 
 	r = _activate_check(cd, params);
 	if (r)
@@ -1365,7 +1584,7 @@ static int _activate(struct crypt_device *cd,
 						crypt_get_cipher_spec(cd),
 						segments[i].iv_offset,
 						segments[i].iv_offset,
-						NULL, 0,
+						NULL, 0, 0,
 						params->sector_size);
 		if (r)
 			goto out;
@@ -1401,54 +1620,17 @@ static int _activate(struct crypt_device *cd,
 	return r;
 }
 
-int BITLK_activate_by_passphrase(struct crypt_device *cd,
-				 const char *name,
-				 const char *password,
-				 size_t passwordLen,
-				 const struct bitlk_metadata *params,
-				 uint32_t flags)
-{
-	int r = 0;
-	struct volume_key *open_fvek_key = NULL;
-
-	r = _activate_check(cd, params);
-	if (r)
-		return r;
-
-	r = BITLK_get_volume_key(cd, password, passwordLen, params, &open_fvek_key);
-	if (r < 0)
-		goto out;
-
-	/* Password verify only */
-	if (!name)
-		goto out;
-
-	r = _activate(cd, name, open_fvek_key, params, flags);
-out:
-	crypt_free_volume_key(open_fvek_key);
-	return r;
-}
-
 int BITLK_activate_by_volume_key(struct crypt_device *cd,
 				 const char *name,
-				 const char *volume_key,
-				 size_t volume_key_size,
+				 struct volume_key *vk,
 				 const struct bitlk_metadata *params,
 				 uint32_t flags)
 {
-	int r = 0;
-	struct volume_key *open_fvek_key = NULL;
+	int r;
 
 	r = _activate_check(cd, params);
 	if (r)
 		return r;
 
-	open_fvek_key = crypt_alloc_volume_key(volume_key_size, volume_key);
-	if (!open_fvek_key)
-		return -ENOMEM;
-
-	r = _activate(cd, name, open_fvek_key, params, flags);
-
-	crypt_free_volume_key(open_fvek_key);
-	return r;
+	return _activate(cd, name, vk, params, flags);
 }
diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h
index f175683..dde32bf 100644
--- a/lib/bitlk/bitlk.h
+++ b/lib/bitlk/bitlk.h
@@ -2,9 +2,9 @@
 /*
  * BITLK (BitLocker-compatible) header definition
  *
- * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2019-2024 Milan Broz
- * Copyright (C) 2019-2024 Vojtech Trefny
+ * Copyright (C) 2019-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2025 Milan Broz
+ * Copyright (C) 2019-2025 Vojtech Trefny
  */
 
 #ifndef _CRYPTSETUP_BITLK_H
@@ -21,6 +21,8 @@ struct volume_key;
 #define BITLK_NONCE_SIZE 12
 #define BITLK_SALT_SIZE 16
 #define BITLK_VMK_MAC_TAG_SIZE 16
+#define BITLK_VALIDATION_VMK_HEADER_SIZE 8
+#define BITLK_VALIDATION_VMK_DATA_SIZE 72
 
 #define BITLK_STATE_NORMAL 0x0004
 
@@ -85,6 +87,13 @@ struct bitlk_fvek {
 	struct volume_key *vk;
 };
 
+struct bitlk_validation {
+	uint8_t mac_tag[BITLK_VMK_MAC_TAG_SIZE];
+	uint8_t nonce[BITLK_NONCE_SIZE];
+	/* technically, this is not "VMK", but some sources call it this way */
+	uint8_t enc_datum[BITLK_VALIDATION_VMK_DATA_SIZE];
+};
+
 struct bitlk_metadata {
 	uint16_t sector_size;
 	uint64_t volume_size;
@@ -101,8 +110,10 @@ struct bitlk_metadata {
 	uint32_t metadata_version;
 	uint64_t volume_header_offset;
 	uint64_t volume_header_size;
+	const char *sha256_fve[32];
 	struct bitlk_vmk *vmks;
 	struct bitlk_fvek *fvek;
+	struct bitlk_validation *validation;
 };
 
 int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params);
@@ -115,17 +126,9 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 			 const struct bitlk_metadata *params,
 			 struct volume_key **open_fvek_key);
 
-int BITLK_activate_by_passphrase(struct crypt_device *cd,
-				 const char *name,
-				 const char *password,
-				 size_t passwordLen,
-				 const struct bitlk_metadata *params,
-				 uint32_t flags);
-
 int BITLK_activate_by_volume_key(struct crypt_device *cd,
 				 const char *name,
-				 const char *volume_key,
-				 size_t volume_key_size,
+				 struct volume_key *vk,
 				 const struct bitlk_metadata *params,
 				 uint32_t flags);
 
diff --git a/lib/bitops.h b/lib/bitops.h
index a991687..1ef9718 100644
--- a/lib/bitops.h
+++ b/lib/bitops.h
@@ -10,13 +10,13 @@
 #include <stdint.h>
 #include <sys/param.h>
 
-#if defined(HAVE_BYTESWAP_H)
+#if HAVE_BYTESWAP_H
 # include <byteswap.h>
 #endif
 
-#if defined(HAVE_ENDIAN_H)
+#if HAVE_ENDIAN_H
 #  include <endian.h>
-#elif defined(HAVE_SYS_ENDIAN_H)	/* BSDs have them here */
+#elif HAVE_SYS_ENDIAN_H /* BSDs have them here */
 #  include <sys/endian.h>
 #endif
 
diff --git a/lib/crypt_plain.c b/lib/crypt_plain.c
index 3886d29..21e008e 100644
--- a/lib/crypt_plain.c
+++ b/lib/crypt_plain.c
@@ -3,8 +3,8 @@
  * cryptsetup plain device helper functions
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #include <string.h>
@@ -92,7 +92,7 @@ int crypt_plain_hash(struct crypt_device *cd,
 			log_dbg(cd, "Too short plain passphrase.");
 			return -EINVAL;
 		}
-		memcpy(key, passphrase, hash_size);
+		crypt_safe_memcpy(key, passphrase, hash_size);
 		r = 0;
 	} else
 		r = hash(hash_name_buf, hash_size, key, passphrase_size, passphrase);
diff --git a/lib/crypto_backend/Makemodule.am b/lib/crypto_backend/Makemodule.am
index 7507763..a983637 100644
--- a/lib/crypto_backend/Makemodule.am
+++ b/lib/crypto_backend/Makemodule.am
@@ -13,7 +13,8 @@ libcrypto_backend_la_SOURCES = \
 	lib/crypto_backend/utf8.c \
 	lib/crypto_backend/argon2_generic.c \
 	lib/crypto_backend/cipher_generic.c \
-	lib/crypto_backend/cipher_check.c
+	lib/crypto_backend/cipher_check.c \
+	lib/crypto_backend/memutils.c
 
 if CRYPTO_BACKEND_GCRYPT
 libcrypto_backend_la_SOURCES += lib/crypto_backend/crypto_gcrypt.c
@@ -30,6 +31,9 @@ endif
 if CRYPTO_BACKEND_NETTLE
 libcrypto_backend_la_SOURCES += lib/crypto_backend/crypto_nettle.c
 endif
+if CRYPTO_BACKEND_MBEDTLS
+libcrypto_backend_la_SOURCES += lib/crypto_backend/crypto_mbedtls.c
+endif
 
 if CRYPTO_INTERNAL_PBKDF2
 libcrypto_backend_la_SOURCES += lib/crypto_backend/pbkdf2_generic.c
diff --git a/lib/crypto_backend/argon2/blake2/blake2b.c b/lib/crypto_backend/argon2/blake2/blake2b.c
index d8f69e8..66b2df6 100644
--- a/lib/crypto_backend/argon2/blake2/blake2b.c
+++ b/lib/crypto_backend/argon2/blake2/blake2b.c
@@ -360,7 +360,7 @@ int blake2b_long(void *pout, size_t outlen, const void *in, size_t inlen) {
         TRY(blake2b_final(&blake_state, out, outlen));
     } else {
         uint32_t toproduce;
-        uint8_t out_buffer[BLAKE2B_OUTBYTES];
+        uint8_t out_buffer[BLAKE2B_OUTBYTES] = {0};
         uint8_t in_buffer[BLAKE2B_OUTBYTES];
         TRY(blake2b_init(&blake_state, BLAKE2B_OUTBYTES));
         TRY(blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes)));
diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
index f128d84..1f74a44 100644
--- a/lib/crypto_backend/argon2/core.c
+++ b/lib/crypto_backend/argon2/core.c
@@ -128,7 +128,7 @@ void secure_wipe_memory(void *v, size_t n) {
 void secure_wipe_memory(void *v, size_t n) {
     memset_s(v, n, 0, n);
 }
-#elif defined(HAVE_EXPLICIT_BZERO)
+#elif HAVE_EXPLICIT_BZERO
 void secure_wipe_memory(void *v, size_t n) {
     explicit_bzero(v, n);
 }
@@ -356,12 +356,9 @@ static int fill_memory_blocks_mt(argon2_instance_t *instance) {
     }
 
 fail:
-    if (thread != NULL) {
-        free(thread);
-    }
-    if (thr_data != NULL) {
-        free(thr_data);
-    }
+    free(thread);
+    free(thr_data);
+
     return rc;
 }
 
diff --git a/lib/crypto_backend/argon2/encoding.c b/lib/crypto_backend/argon2/encoding.c
index a717263..4020977 100644
--- a/lib/crypto_backend/argon2/encoding.c
+++ b/lib/crypto_backend/argon2/encoding.c
@@ -83,7 +83,7 @@
 static int b64_byte_to_char(unsigned x) {
     return (LT(x, 26) & (x + 'A')) |
            (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) |
-           (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') |
+           (GE(x, 52) & LT(x, 62) & (x - (52 - '0'))) | (EQ(x, 62) & '+') |
            (EQ(x, 63) & '/');
 }
 
diff --git a/lib/crypto_backend/argon2_generic.c b/lib/crypto_backend/argon2_generic.c
index e69799e..d50bb9b 100644
--- a/lib/crypto_backend/argon2_generic.c
+++ b/lib/crypto_backend/argon2_generic.c
@@ -2,8 +2,8 @@
 /*
  * Argon2 PBKDF2 library wrapper
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Milan Broz
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Milan Broz
  */
 
 #include <errno.h>
diff --git a/lib/crypto_backend/base64.c b/lib/crypto_backend/base64.c
index e196f6b..d9733a0 100644
--- a/lib/crypto_backend/base64.c
+++ b/lib/crypto_backend/base64.c
@@ -5,7 +5,7 @@
  * Copyright (C) 2010 Lennart Poettering
  *
  * cryptsetup related changes
- * Copyright (C) 2021-2024 Milan Broz
+ * Copyright (C) 2021-2025 Milan Broz
  */
 
 #include <errno.h>
@@ -19,7 +19,7 @@
 /* https://tools.ietf.org/html/rfc4648#section-4 */
 static char base64char(int x)
 {
-	static const char table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	static const char table[65] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 				      "abcdefghijklmnopqrstuvwxyz"
 				      "0123456789+/";
 	return table[x & 63];
diff --git a/lib/crypto_backend/cipher_check.c b/lib/crypto_backend/cipher_check.c
index 524ffe3..d8c7a60 100644
--- a/lib/crypto_backend/cipher_check.c
+++ b/lib/crypto_backend/cipher_check.c
@@ -2,8 +2,8 @@
 /*
  * Cipher performance check
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2024 Milan Broz
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Milan Broz
  */
 
 #include <errno.h>
@@ -42,43 +42,36 @@ static int time_ms(struct timespec *start, struct timespec *end, double *ms)
 	return 0;
 }
 
-static int cipher_perf_one(const char *name, const char *mode, char *buffer, size_t buffer_size,
-			  const char *key, size_t key_size, const char *iv, size_t iv_size, int enc)
+static int cipher_perf_one(struct crypt_cipher_kernel *cipher, char *buffer, size_t buffer_size,
+			   const char *iv, size_t iv_size, int enc)
 {
-	struct crypt_cipher_kernel cipher;
 	size_t done = 0, block = CIPHER_BLOCK_BYTES;
 	int r;
 
 	if (buffer_size < block)
 		block = buffer_size;
 
-	r = crypt_cipher_init_kernel(&cipher, name, mode, key, key_size);
-	if (r < 0)
-		return r;
-
 	while (done < buffer_size) {
 		if ((done + block) > buffer_size)
 			block = buffer_size - done;
 
 		if (enc)
-			r = crypt_cipher_encrypt_kernel(&cipher, &buffer[done], &buffer[done],
+			r = crypt_cipher_encrypt_kernel(cipher, &buffer[done], &buffer[done],
 						 block, iv, iv_size);
 		else
-			r = crypt_cipher_decrypt_kernel(&cipher, &buffer[done], &buffer[done],
+			r = crypt_cipher_decrypt_kernel(cipher, &buffer[done], &buffer[done],
 						 block, iv, iv_size);
 		if (r < 0)
-			break;
+			return r;
 
 		done += block;
 	}
 
-	crypt_cipher_destroy_kernel(&cipher);
-
-	return r;
+	return 0;
 }
-static int cipher_measure(const char *name, const char *mode, char *buffer, size_t buffer_size,
-			  const char *key, size_t key_size, const char *iv, size_t iv_size,
-			  int encrypt, double *ms)
+
+static int cipher_measure(struct crypt_cipher_kernel *cipher, char *buffer, size_t buffer_size,
+			  const char *iv, size_t iv_size, int encrypt, double *ms)
 {
 	struct timespec start, end;
 	int r;
@@ -90,7 +83,7 @@ static int cipher_measure(const char *name, const char *mode, char *buffer, size
 	if (clock_gettime(CLOCK_MONOTONIC_RAW, &start) < 0)
 		return -EINVAL;
 
-	r = cipher_perf_one(name, mode, buffer, buffer_size, key, key_size, iv, iv_size, encrypt);
+	r = cipher_perf_one(cipher, buffer, buffer_size, iv, iv_size, encrypt);
 	if (r < 0)
 		return r;
 
@@ -118,15 +111,20 @@ int crypt_cipher_perf_kernel(const char *name, const char *mode, char *buffer, s
 			     const char *key, size_t key_size, const char *iv, size_t iv_size,
 			     double *encryption_mbs, double *decryption_mbs)
 {
+	struct crypt_cipher_kernel cipher;
 	double ms_enc, ms_dec, ms;
 	int r, repeat_enc, repeat_dec;
 
+	r = crypt_cipher_init_kernel(&cipher, name, mode, key, key_size);
+	if (r < 0)
+		return r;
+
 	ms_enc = 0.0;
 	repeat_enc = 1;
 	while (ms_enc < 1000.0) {
-		r = cipher_measure(name, mode, buffer, buffer_size, key, key_size, iv, iv_size, 1, &ms);
+		r = cipher_measure(&cipher, buffer, buffer_size, iv, iv_size, 1, &ms);
 		if (r < 0)
-			return r;
+			goto out;
 		ms_enc += ms;
 		repeat_enc++;
 	}
@@ -134,9 +132,9 @@ int crypt_cipher_perf_kernel(const char *name, const char *mode, char *buffer, s
 	ms_dec = 0.0;
 	repeat_dec = 1;
 	while (ms_dec < 1000.0) {
-		r = cipher_measure(name, mode, buffer, buffer_size, key, key_size, iv, iv_size, 0, &ms);
+		r = cipher_measure(&cipher, buffer, buffer_size, iv, iv_size, 0, &ms);
 		if (r < 0)
-			return r;
+			goto out;
 		ms_dec += ms;
 		repeat_dec++;
 	}
@@ -144,5 +142,8 @@ int crypt_cipher_perf_kernel(const char *name, const char *mode, char *buffer, s
 	*encryption_mbs = speed_mbs(buffer_size * repeat_enc, ms_enc);
 	*decryption_mbs = speed_mbs(buffer_size * repeat_dec, ms_dec);
 
-	return  0;
+	r = 0;
+out:
+	crypt_cipher_destroy_kernel(&cipher);
+	return r;
 }
diff --git a/lib/crypto_backend/cipher_generic.c b/lib/crypto_backend/cipher_generic.c
index 41774a2..be7e4a0 100644
--- a/lib/crypto_backend/cipher_generic.c
+++ b/lib/crypto_backend/cipher_generic.c
@@ -2,8 +2,8 @@
 /*
  * Linux kernel cipher generic utilities
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2024 Milan Broz
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Milan Broz
  */
 
 #include <errno.h>
diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h
index 6a5db9b..9c37cf1 100644
--- a/lib/crypto_backend/crypto_backend.h
+++ b/lib/crypto_backend/crypto_backend.h
@@ -2,8 +2,8 @@
 /*
  * crypto backend implementation
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #ifndef _CRYPTO_BACKEND_H
@@ -14,13 +14,17 @@
 #include <stdbool.h>
 #include <stddef.h>
 #include <string.h>
-#ifdef HAVE_UCHAR_H
+#if HAVE_UCHAR_H
 #include <uchar.h>
 #else
 #define char32_t uint32_t
 #define char16_t uint16_t
 #endif
 
+# ifdef __cplusplus
+extern "C" {
+# endif
+
 struct crypt_hash;
 struct crypt_hmac;
 struct crypt_cipher;
@@ -89,6 +93,7 @@ int crypt_base64_decode(char **out, size_t *out_length, const char *in, size_t i
 /* UTF8/16 */
 int crypt_utf16_to_utf8(char **out, const char16_t *s, size_t length /* bytes! */);
 int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length);
+size_t crypt_char16_strlen(const char16_t *s);
 
 /* Block ciphers */
 int crypt_cipher_ivsize(const char *name, const char *mode);
@@ -132,15 +137,10 @@ int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
 			    const char *tag, size_t tag_length);
 
 /* Memzero helper (memset on stack can be optimized out) */
-static inline void crypt_backend_memzero(void *s, size_t n)
-{
-#ifdef HAVE_EXPLICIT_BZERO
-	explicit_bzero(s, n);
-#else
-	volatile uint8_t *p = (volatile uint8_t *)s;
-	while(n--) *p++ = 0;
-#endif
-}
+void crypt_backend_memzero(void *s, size_t n);
+
+/* Memcpy helper to avoid spilling sensitive data through additional registers */
+void *crypt_backend_memcpy(void *dst, const void *src, size_t n);
 
 /* Memcmp helper (memcmp in constant time) */
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
@@ -148,4 +148,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
 /* crypto backend running in FIPS mode */
 bool crypt_fips_mode(void);
 
+# ifdef __cplusplus
+}
+# endif
+
 #endif /* _CRYPTO_BACKEND_H */
diff --git a/lib/crypto_backend/crypto_backend_internal.h b/lib/crypto_backend/crypto_backend_internal.h
index 9f01968..5326094 100644
--- a/lib/crypto_backend/crypto_backend_internal.h
+++ b/lib/crypto_backend/crypto_backend_internal.h
@@ -2,8 +2,8 @@
 /*
  * crypto backend implementation
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #ifndef _CRYPTO_BACKEND_INTERNAL_H
@@ -47,17 +47,6 @@ int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
 				   const char *tag, size_t tag_length);
 
 /* Internal implementation for constant time memory comparison */
-static inline int crypt_internal_memeq(const void *m1, const void *m2, size_t n)
-{
-	const unsigned char *_m1 = (const unsigned char *) m1;
-	const unsigned char *_m2 = (const unsigned char *) m2;
-	unsigned char result = 0;
-	size_t i;
-
-	for (i = 0; i < n; i++)
-		result |= _m1[i] ^ _m2[i];
-
-	return result;
-}
+int crypt_internal_memeq(const void *m1, const void *m2, size_t n);
 
 #endif /* _CRYPTO_BACKEND_INTERNAL_H */
diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c
index 7019798..72918eb 100644
--- a/lib/crypto_backend/crypto_cipher_kernel.c
+++ b/lib/crypto_backend/crypto_cipher_kernel.c
@@ -2,8 +2,8 @@
 /*
  * Linux kernel userspace API crypto backend implementation (skcipher)
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include <stdlib.h>
@@ -14,7 +14,7 @@
 #include <sys/stat.h>
 #include "crypto_backend_internal.h"
 
-#ifdef ENABLE_AF_ALG
+#if ENABLE_AF_ALG
 
 #include <linux/if_alg.h>
 
@@ -40,6 +40,8 @@ static int _crypt_cipher_init(struct crypt_cipher_kernel *ctx,
 			      const void *key, size_t key_length,
 			      size_t tag_length, struct sockaddr_alg *sa)
 {
+	void *optval = NULL;
+
 	if (!ctx)
 		return -EINVAL;
 
@@ -60,7 +62,7 @@ static int _crypt_cipher_init(struct crypt_cipher_kernel *ctx,
 		return -EINVAL;
 	}
 
-	if (tag_length && setsockopt(ctx->tfmfd, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL, tag_length) < 0) {
+	if (tag_length && setsockopt(ctx->tfmfd, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, &optval, tag_length) < 0) {
 		crypt_cipher_destroy_kernel(ctx);
 		return -EINVAL;
 	}
@@ -97,6 +99,20 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 	return _crypt_cipher_init(ctx, key, key_length, 0, &sa);
 }
 
+/* musl has broken CMSG_NXTHDR macro in system headers */
+static inline struct cmsghdr *_CMSG_NXTHDR(struct msghdr* mhdr, struct cmsghdr* cmsg)
+{
+#if !defined(__GLIBC__) && defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wcast-align"
+#pragma clang diagnostic ignored "-Wsign-compare"
+	return CMSG_NXTHDR(mhdr, cmsg);
+#pragma clang diagnostic pop
+#else
+	return CMSG_NXTHDR(mhdr, cmsg);
+#endif
+}
+
 /* The in/out should be aligned to page boundary */
 /* coverity[ -taint_source : arg-3 ] */
 static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
@@ -144,7 +160,7 @@ static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
 
 	/* Set IV */
 	if (iv) {
-		header = CMSG_NXTHDR(&msg, header);
+		header = _CMSG_NXTHDR(&msg, header);
 		if (!header)
 			return -EINVAL;
 
@@ -153,7 +169,7 @@ static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
 		header->cmsg_len = iv_msg_size;
 		alg_iv = (void*)CMSG_DATA(header);
 		alg_iv->ivlen = iv_length;
-		memcpy(alg_iv->iv, iv, iv_length);
+		crypt_backend_memcpy(alg_iv->iv, iv, iv_length);
 	}
 
 	len = sendmsg(ctx->opfd, &msg, 0);
@@ -200,8 +216,8 @@ int crypt_cipher_check_kernel(const char *name, const char *mode,
 			      const char *integrity, size_t key_length)
 {
 	struct crypt_cipher_kernel c;
-	char mode_name[64], tmp_salg_name[180], *real_mode = NULL, *cipher_iv = NULL, *key;
-	const char *salg_type;
+	char mode_name[64], tmp_salg_name[180], *cipher_iv = NULL, *key;
+	const char *salg_type, *real_mode;
 	bool aead;
 	int r;
 	struct sockaddr_alg sa = {
@@ -209,6 +225,7 @@ int crypt_cipher_check_kernel(const char *name, const char *mode,
 	};
 
 	aead = integrity && strcmp(integrity, "none");
+	real_mode = NULL;
 
 	/* Remove IV if present */
 	if (mode) {
@@ -229,14 +246,22 @@ int crypt_cipher_check_kernel(const char *name, const char *mode,
 	memset(tmp_salg_name, 0, sizeof(tmp_salg_name));
 
 	/* FIXME: this is duplicating a part of devmapper backend */
-	if (aead && !strcmp(integrity, "poly1305"))
-		r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "rfc7539(%s,%s)", name, integrity);
-	else if (!real_mode)
-		r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s", name);
-	else if (aead && !strcmp(real_mode, "ccm"))
-		r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "rfc4309(%s(%s))", real_mode, name);
-	else
-		r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s(%s)", real_mode, name);
+	if (aead) {
+		/* In AEAD, mode parameter can be just IV like "random" */
+		if (!strcmp(integrity, "poly1305"))
+			r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "rfc7539(%s,%s)", name, integrity);
+		else if (!real_mode)
+			r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s", name);
+		else if (!strcmp(real_mode, "ccm"))
+			r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "rfc4309(%s(%s))", real_mode, name);
+		else
+			r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s(%s)", real_mode, name);
+	} else {
+		if (!mode)
+			r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s", name);
+		else
+			r = snprintf(tmp_salg_name, sizeof(tmp_salg_name), "%s(%s)", real_mode ?: mode_name, name);
+	}
 
 	if (r < 0 || (size_t)r >= sizeof(tmp_salg_name))
 		return -EINVAL;
diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
index d188e02..a50cb45 100644
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -2,8 +2,8 @@
 /*
  * GCRYPT crypto backend implementation
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -249,7 +249,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 	if (!hash)
 		return -EINVAL;
 
-	memcpy(buffer, hash, length);
+	crypt_backend_memcpy(buffer, hash, length);
 	crypt_hash_restart(ctx);
 
 	return 0;
@@ -323,7 +323,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 	if (!hash)
 		return -EINVAL;
 
-	memcpy(buffer, hash, length);
+	crypt_backend_memcpy(buffer, hash, length);
 	crypt_hmac_restart(ctx);
 
 	return 0;
@@ -451,6 +451,7 @@ static int gcrypt_argon2(const char *type,
 		.dispatch_job = gcrypt_dispatch_job,
 		.wait_all_jobs = gcrypt_wait_all_jobs
 	};
+	gpg_error_t err;
 
 	if (!strcmp(type, "argon2i"))
 		atype = GCRY_KDF_ARGON2I;
@@ -464,12 +465,11 @@ static int gcrypt_argon2(const char *type,
 	param[2] = memory;
 	param[3] = parallel;
 
-	if (gcry_kdf_open(&hd, GCRY_KDF_ARGON2, atype, param, 4,
+	err = gcry_kdf_open(&hd, GCRY_KDF_ARGON2, atype, param, 4,
 			password, password_length, salt, salt_length,
-			NULL, 0, NULL, 0)) {
-		free(threads.jobs_ctx);
-		return -EINVAL;
-	}
+			NULL, 0, NULL, 0);
+	if (err)
+		return ((err & GPG_ERR_CODE_MASK) == GPG_ERR_ENOMEM) ? -ENOMEM : -EINVAL;
 
 	if (parallel == 1) {
 		/* Do not use threads here */
diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c
index 719dcb3..8b96e9e 100644
--- a/lib/crypto_backend/crypto_kernel.c
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -2,8 +2,8 @@
 /*
  * Linux kernel userspace API crypto backend implementation
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #include <stdlib.h>
diff --git a/lib/crypto_backend/crypto_mbedtls.c b/lib/crypto_backend/crypto_mbedtls.c
new file mode 100644
index 0000000..09d7e16
--- /dev/null
+++ b/lib/crypto_backend/crypto_mbedtls.c
@@ -0,0 +1,535 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * Mbed TLS crypto backend implementation
+ *
+ * Copyright (C) 2024-2025 Yiyuan Zhong
+ */
+
+#include "crypto_backend.h"
+
+#include <errno.h>
+#include <stdlib.h>
+
+#include <mbedtls/ccm.h>
+#include <mbedtls/constant_time.h>
+#include <mbedtls/cipher.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/md.h>
+#include <mbedtls/pkcs5.h>
+#include <mbedtls/version.h>
+
+#include "crypto_backend_internal.h"
+
+struct crypt_hash {
+	const mbedtls_md_info_t *info;
+	mbedtls_md_context_t md;
+};
+
+struct crypt_hmac {
+	const mbedtls_md_info_t *info;
+	mbedtls_md_context_t md;
+};
+
+struct crypt_cipher {
+	const mbedtls_cipher_info_t *info;
+	mbedtls_cipher_context_t enc;
+	mbedtls_cipher_context_t dec;
+	int ecb;
+};
+
+static bool g_initialized = false;
+static char g_backend_version[32];
+static mbedtls_entropy_context g_entropy;
+static mbedtls_ctr_drbg_context g_ctr_drbg;
+
+static const mbedtls_md_info_t *crypt_get_hash(const char *name)
+{
+	static const struct hash_alg {
+		const char *name;
+		mbedtls_md_type_t type;
+	} kHash[] = {
+		{"sha1",      MBEDTLS_MD_SHA1     },
+		{"sha224",    MBEDTLS_MD_SHA224   },
+		{"sha256",    MBEDTLS_MD_SHA256   },
+		{"sha384",    MBEDTLS_MD_SHA384   },
+		{"sha512",    MBEDTLS_MD_SHA512   },
+		{"ripemd160", MBEDTLS_MD_RIPEMD160},
+		{NULL,        0,                  }
+	};
+
+	size_t i = 0;
+
+	while (name && kHash[i].name) {
+		if (strcmp(kHash[i].name, name) == 0)
+			return mbedtls_md_info_from_type(kHash[i].type);
+		i++;
+	}
+
+	return NULL;
+}
+
+int crypt_backend_init(bool fips)
+{
+	int ret;
+
+	if (g_initialized)
+		return 0;
+
+	if (fips)
+		return -ENOTSUP;
+
+	mbedtls_version_get_string_full(g_backend_version);
+
+	mbedtls_entropy_init(&g_entropy);
+	mbedtls_ctr_drbg_init(&g_ctr_drbg);
+
+	ret = mbedtls_ctr_drbg_seed(
+		&g_ctr_drbg, mbedtls_entropy_func,
+		&g_entropy, NULL, MBEDTLS_CTR_DRBG_ENTROPY_LEN);
+
+	if (ret)
+		return -EINVAL;
+
+	g_initialized = true;
+	return 0;
+}
+
+void crypt_backend_destroy(void)
+{
+	if (!g_initialized)
+		return;
+
+	mbedtls_ctr_drbg_free(&g_ctr_drbg);
+	mbedtls_entropy_free(&g_entropy);
+	g_initialized = false;
+}
+
+uint32_t crypt_backend_flags(void)
+{
+	return 0;
+}
+
+const char *crypt_backend_version(void)
+{
+	return g_backend_version;
+}
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
+
+int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
+{
+	return mbedtls_ct_memcmp(m1, m2, n);
+}
+
+/* HASH */
+int crypt_hash_size(const char *name)
+{
+	const mbedtls_md_info_t *info;
+	info = crypt_get_hash(name);
+	return info ? mbedtls_md_get_size(info) : -ENOENT;
+}
+
+int crypt_hash_init(struct crypt_hash **ctx, const char *name)
+{
+	struct crypt_hash *h;
+
+	h = malloc(sizeof(*h));
+	if (!h)
+		return -ENOMEM;
+
+	h->info = crypt_get_hash(name);
+	if (!h->info) {
+		free(h);
+		return -ENOENT;
+	}
+
+	mbedtls_md_init(&h->md);
+
+	if (mbedtls_md_setup(&h->md, h->info, 0)) {
+		mbedtls_md_free(&h->md);
+		free(h);
+		return -EINVAL;
+	}
+
+	if (mbedtls_md_starts(&h->md)) {
+		mbedtls_md_free(&h->md);
+		free(h);
+		return -EINVAL;
+	}
+
+	*ctx = h;
+	return 0;
+}
+
+int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
+{
+	if (mbedtls_md_update(&ctx->md, (const unsigned char *)buffer, length))
+		return -EINVAL;
+
+	return 0;
+}
+
+int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
+{
+	unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+
+	if (length > mbedtls_md_get_size(ctx->info))
+		return -EINVAL;
+
+	if (mbedtls_md_finish(&ctx->md, tmp))
+		return -EINVAL;
+
+	crypt_backend_memcpy(buffer, tmp, length);
+	crypt_backend_memzero(tmp, sizeof(tmp));
+
+	if (mbedtls_md_starts(&ctx->md))
+		return -EINVAL;
+
+	return 0;
+}
+
+void crypt_hash_destroy(struct crypt_hash *ctx)
+{
+	mbedtls_md_free(&ctx->md);
+	crypt_backend_memzero(ctx, sizeof(*ctx));
+	free(ctx);
+}
+
+/* HMAC */
+int crypt_hmac_size(const char *name)
+{
+	return crypt_hash_size(name);
+}
+
+int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
+		    const void *key, size_t key_length)
+{
+	struct crypt_hmac *h;
+
+	h = malloc(sizeof(*h));
+	if (!h)
+		return -ENOMEM;
+
+	h->info = crypt_get_hash(name);
+	if (!h->info) {
+		free(h);
+		return -ENOENT;
+	}
+
+	mbedtls_md_init(&h->md);
+
+	if (mbedtls_md_setup(&h->md, h->info, 1)) {
+		mbedtls_md_free(&h->md);
+		free(h);
+		return -EINVAL;
+	}
+
+	if (mbedtls_md_hmac_starts(&h->md, key, key_length)) {
+		mbedtls_md_free(&h->md);
+		free(h);
+		return -EINVAL;
+	}
+
+	*ctx = h;
+	return 0;
+}
+
+int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
+{
+	if (mbedtls_md_hmac_update(&ctx->md, (const unsigned char *)buffer, length))
+		return -EINVAL;
+
+	return 0;
+}
+
+int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
+{
+	unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+
+	if (length > mbedtls_md_get_size(ctx->info))
+		return -EINVAL;
+
+	if (mbedtls_md_hmac_finish(&ctx->md, tmp))
+		return -EINVAL;
+
+	crypt_backend_memcpy(buffer, tmp, length);
+	crypt_backend_memzero(tmp, sizeof(tmp));
+
+	if (mbedtls_md_hmac_reset(&ctx->md))
+		return -EINVAL;
+
+	return 0;
+}
+
+void crypt_hmac_destroy(struct crypt_hmac *ctx)
+{
+	mbedtls_md_free(&ctx->md);
+	crypt_backend_memzero(ctx, sizeof(*ctx));
+	free(ctx);
+}
+
+/* RNG */
+int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
+{
+	if (fips)
+		return -ENOTSUP;
+
+	/* Allow skipping reseeding for non-cryptographic strong random numbers */
+	if (quality == CRYPT_RND_NORMAL || quality == CRYPT_RND_SALT)
+		mbedtls_ctr_drbg_set_prediction_resistance(&g_ctr_drbg, MBEDTLS_CTR_DRBG_PR_OFF);
+	else
+		mbedtls_ctr_drbg_set_prediction_resistance(&g_ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON);
+
+	if (mbedtls_ctr_drbg_random(&g_ctr_drbg, (unsigned char *)buffer, length))
+		return -EINVAL;
+
+	return 0;
+}
+
+/* CIPHER */
+int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+		      const char *mode, const void *key, size_t key_length)
+{
+	static const struct {
+		const char *name;
+		mbedtls_cipher_id_t id;
+	} kCipher[] = {
+		{ "aes",      MBEDTLS_CIPHER_ID_AES      },
+		{ "aria",     MBEDTLS_CIPHER_ID_ARIA     },
+		{ "camellia", MBEDTLS_CIPHER_ID_CAMELLIA },
+		{ NULL,       0                          }
+	};
+
+	static const struct {
+		const char *name;
+		mbedtls_cipher_mode_t mode;
+	} kMode[] = {
+		{ "ecb", MBEDTLS_MODE_ECB },
+		{ "cbc", MBEDTLS_MODE_CBC },
+		{ "cfb", MBEDTLS_MODE_CFB },
+		{ "ofb", MBEDTLS_MODE_OFB },
+		{ "ctr", MBEDTLS_MODE_CTR },
+		{ "xts", MBEDTLS_MODE_XTS },
+		{ NULL,  0                }
+	};
+
+	mbedtls_cipher_id_t cid = MBEDTLS_CIPHER_ID_NONE;
+	mbedtls_cipher_mode_t cmode = MBEDTLS_MODE_NONE;
+	struct crypt_cipher *h;
+	size_t i;
+	int bits;
+
+	for (i = 0; kCipher[i].name; i++) {
+		if (strcmp(kCipher[i].name, name) == 0) {
+			cid = kCipher[i].id;
+			break;
+		}
+	}
+
+	for (i = 0; kMode[i].name; i++) {
+		if (strcmp(kMode[i].name, mode) == 0) {
+			cmode = kMode[i].mode;
+			break;
+		}
+	}
+
+	if (cid == MBEDTLS_CIPHER_ID_NONE || cmode == MBEDTLS_MODE_NONE)
+		return -ENOENT;
+
+	h = malloc(sizeof(*h));
+	if (!h)
+		return -ENOMEM;
+
+	bits = key_length * 8;
+	h->info = mbedtls_cipher_info_from_values(cid, bits, cmode);
+	if (!h->info) {
+		free(h);
+		return -ENOENT;
+	}
+
+	mbedtls_cipher_init(&h->enc);
+	mbedtls_cipher_init(&h->dec);
+	if (mbedtls_cipher_setup(&h->enc, h->info)                     ||
+	    mbedtls_cipher_setup(&h->dec, h->info)                     ||
+	    mbedtls_cipher_setkey(&h->enc, key, bits, MBEDTLS_ENCRYPT) ||
+	    mbedtls_cipher_setkey(&h->dec, key, bits, MBEDTLS_DECRYPT)) {
+
+		mbedtls_cipher_free(&h->dec);
+		mbedtls_cipher_free(&h->enc);
+		free(h);
+		return -EINVAL;
+	}
+
+	if (cmode == MBEDTLS_MODE_CBC) {
+		if (mbedtls_cipher_set_padding_mode(&h->enc, MBEDTLS_PADDING_NONE) ||
+		    mbedtls_cipher_set_padding_mode(&h->dec, MBEDTLS_PADDING_NONE)) {
+
+			mbedtls_cipher_free(&h->dec);
+			mbedtls_cipher_free(&h->enc);
+			free(h);
+			return -EINVAL;
+		}
+	}
+
+	h->ecb = cmode == MBEDTLS_MODE_ECB;
+	*ctx = h;
+	return 0;
+}
+
+void crypt_cipher_destroy(struct crypt_cipher *ctx)
+{
+	mbedtls_cipher_free(&ctx->dec);
+	mbedtls_cipher_free(&ctx->enc);
+	free(ctx);
+}
+
+static int crypt_cipher_crypt(
+	mbedtls_cipher_context_t *ctx,
+	const char *in, char *out, size_t length,
+	const char *iv, size_t iv_length,
+	int ecb)
+{
+	const unsigned char *input;
+	unsigned char *output;
+	size_t outlen;
+	size_t block;
+	size_t len;
+
+	if (ecb) /* ECB requires exactly block length input */
+		block = mbedtls_cipher_get_block_size(ctx);
+	else
+		block = length;
+
+	input = (const unsigned char *)in;
+	output = (unsigned char *)out;
+
+	if (mbedtls_cipher_set_iv(ctx, (const unsigned char *)iv, iv_length))
+		return -EINVAL;
+
+	if (mbedtls_cipher_reset(ctx))
+		return -EINVAL;
+
+	while (length) {
+		len = length < block ? length : block;
+		if (mbedtls_cipher_update(ctx, input, len, output, &outlen))
+			return -EINVAL;
+
+		output += outlen;
+		length -= len;
+		input += len;
+	}
+
+	if (mbedtls_cipher_finish(ctx, output, &outlen))
+		return -EINVAL;
+
+	return 0;
+}
+
+int crypt_cipher_encrypt(struct crypt_cipher *ctx,
+                         const char *in, char *out, size_t length,
+                         const char *iv, size_t iv_length)
+{
+	return crypt_cipher_crypt(&ctx->enc, in, out, length, iv, iv_length, ctx->ecb);
+}
+
+int crypt_cipher_decrypt(struct crypt_cipher *ctx,
+                         const char *in, char *out, size_t length,
+                         const char *iv, size_t iv_length)
+{
+	return crypt_cipher_crypt(&ctx->dec, in, out, length, iv, iv_length, ctx->ecb);
+}
+
+bool crypt_cipher_kernel_only(struct crypt_cipher *ctx __attribute__((unused)))
+{
+	return false;
+}
+
+int crypt_pbkdf(const char *kdf, const char *hash,
+                const char *password, size_t password_length,
+                const char *salt, size_t salt_length,
+                char *key, size_t key_length,
+                uint32_t iterations, uint32_t memory, uint32_t parallel)
+{
+	const mbedtls_md_info_t *info;
+#if !HAVE_MBEDTLS_PKCS5_PBKDF2_HMAC_EXT
+	mbedtls_md_context_t md;
+#endif
+
+	if (!kdf)
+		return -EINVAL;
+
+	if (strcmp(kdf, "pbkdf2") == 0) {
+		info = crypt_get_hash(hash);
+		if (!info)
+			return -EINVAL;
+
+#if HAVE_MBEDTLS_PKCS5_PBKDF2_HMAC_EXT
+		if (mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_get_type(info),
+						  (const unsigned char *)password, password_length,
+						  (const unsigned char *)salt, salt_length,
+						  iterations, key_length, (unsigned char *)key)) {
+
+			return -EINVAL;
+		}
+#else
+		mbedtls_md_init(&md);
+		if (mbedtls_md_setup(&md, info, 1))
+			return -EINVAL;
+
+		if (mbedtls_pkcs5_pbkdf2_hmac(&md,
+					      (const unsigned char *)password, password_length,
+					      (const unsigned char *)salt, salt_length,
+					      iterations, key_length, (unsigned char *)key)) {
+
+			mbedtls_md_free(&md);
+			return -EINVAL;
+		}
+
+		mbedtls_md_free(&md);
+#endif
+		return 0;
+
+	} else if (strncmp(kdf, "argon2", 6) == 0) {
+		return argon2(kdf, password, password_length, salt, salt_length,
+			      key, key_length, iterations, memory, parallel);
+	}
+
+	return -EINVAL;
+}
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+                            const char *in, char *out, size_t length,
+                            const char *iv, size_t iv_length,
+                            const char *tag, size_t tag_length)
+{
+	const unsigned char *tagptr;
+	const unsigned char *input;
+	const unsigned char *ivptr;
+	mbedtls_ccm_context ctx;
+	unsigned char *output;
+
+	tagptr = (const unsigned char *)tag;
+	ivptr = (const unsigned char *)iv;
+	input = (const unsigned char *)in;
+	output = (unsigned char *)out;
+	mbedtls_ccm_init(&ctx);
+
+	if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key, key_length * 8)) {
+		mbedtls_ccm_free(&ctx);
+		return -EINVAL;
+	}
+
+	if (mbedtls_ccm_auth_decrypt(&ctx, length, ivptr, iv_length, NULL, 0,
+				     input, output, tagptr, tag_length)) {
+
+		mbedtls_ccm_free(&ctx);
+		return -EINVAL;
+	}
+
+	mbedtls_ccm_free(&ctx);
+	return 0;
+}
diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c
index 4c91271..3ce239a 100644
--- a/lib/crypto_backend/crypto_nettle.c
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -2,8 +2,8 @@
 /*
  * Nettle crypto backend implementation
  *
- * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2024 Milan Broz
+ * Copyright (C) 2011-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2025 Milan Broz
  */
 
 #include <stdlib.h>
@@ -298,7 +298,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 		return -ENOMEM;
 	}
 
-	memcpy(h->key, key, key_length);
+	crypt_backend_memcpy(h->key, key, key_length);
 	h->key_length = key_length;
 
 	h->hash->init(&h->nettle_ctx);
diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c
index 19b2202..bbf6533 100644
--- a/lib/crypto_backend/crypto_nss.c
+++ b/lib/crypto_backend/crypto_nss.c
@@ -2,8 +2,8 @@
 /*
  * NSS crypto backend implementation
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -164,7 +164,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 	if (PK11_DigestFinal(ctx->md, tmp, &tmp_len, length) != SECSuccess)
 		return -EINVAL;
 
-	memcpy(buffer, tmp, length);
+	crypt_backend_memcpy(buffer, tmp, length);
 	crypt_backend_memzero(tmp, sizeof(tmp));
 
 	if (tmp_len < length)
@@ -264,7 +264,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 	if (PK11_DigestFinal(ctx->md, tmp, &tmp_len, length) != SECSuccess)
 		return -EINVAL;
 
-	memcpy(buffer, tmp, length);
+	crypt_backend_memcpy(buffer, tmp, length);
 	crypt_backend_memzero(tmp, sizeof(tmp));
 
 	if (tmp_len < length)
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
index 60e43ca..762cd71 100644
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -2,8 +2,8 @@
 /*
  * OPENSSL crypto backend implementation
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2024 Milan Broz
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -19,6 +19,7 @@
 #include <openssl/provider.h>
 #include <openssl/kdf.h>
 #include <openssl/core_names.h>
+#include <openssl/err.h>
 static OSSL_PROVIDER *ossl_legacy = NULL;
 static OSSL_PROVIDER *ossl_default = NULL;
 static OSSL_LIB_CTX  *ossl_ctx = NULL;
@@ -381,7 +382,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 	if (EVP_DigestFinal_ex(ctx->md, tmp, &tmp_len) != 1)
 		return -EINVAL;
 
-	memcpy(buffer, tmp, length);
+	crypt_backend_memcpy(buffer, tmp, length);
 	crypt_backend_memzero(tmp, sizeof(tmp));
 
 	if (tmp_len < length)
@@ -510,7 +511,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 
 	HMAC_Final(ctx->md, tmp, &tmp_len);
 #endif
-	memcpy(buffer, tmp, length);
+	crypt_backend_memcpy(buffer, tmp, length);
 	crypt_backend_memzero(tmp, sizeof(tmp));
 
 	if (tmp_len < length)
@@ -638,6 +639,10 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
 	EVP_KDF_CTX_free(ctx);
 	EVP_KDF_free(argon2);
 
+	/* Memory allocation is common issue with memory-hard Argon2 */
+	if (r == 0 && ERR_GET_REASON(ERR_get_error()) == ERR_R_MALLOC_FAILURE)
+		return -ENOMEM;
+
 	/* _derive() returns 0 or negative value on error, 1 on success */
 	return r == 1 ? 0 : -EINVAL;
 #else
diff --git a/lib/crypto_backend/crypto_storage.c b/lib/crypto_backend/crypto_storage.c
index 0eed502..edd4db7 100644
--- a/lib/crypto_backend/crypto_storage.c
+++ b/lib/crypto_backend/crypto_storage.c
@@ -3,16 +3,19 @@
  * Generic wrapper for storage encryption modes and Initial Vectors
  * (reimplementation of some functions from Linux dm-crypt kernel)
  *
- * Copyright (C) 2014-2024 Milan Broz
+ * Copyright (C) 2014-2025 Milan Broz
  */
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <strings.h>
 #include "bitops.h"
 #include "crypto_backend.h"
 
-#define SECTOR_SHIFT	9
+#define SECTOR_SHIFT       9
+#define MAX_CAPI_LEN      64
+#define MAX_CAPI_LEN_STR "63"
 
 /*
  * Internal IV helper
@@ -74,7 +77,7 @@ static int crypt_sector_iv_init(struct crypt_sector_iv *ctx,
 		ctx->type = IV_PLAIN;
 	} else if (!strncasecmp(iv_name, "essiv:", 6)) {
 		struct crypt_hash *h = NULL;
-		char *hash_name = strchr(iv_name, ':');
+		const char *hash_name = strchr(iv_name, ':');
 		int hash_size;
 		char tmp[256];
 
@@ -212,36 +215,49 @@ int crypt_storage_init(struct crypt_storage **ctx,
 		       bool large_iv)
 {
 	struct crypt_storage *s;
-	char mode_name[64];
+	char cipher_name[MAX_CAPI_LEN], mode_name[MAX_CAPI_LEN], mode_tmp[MAX_CAPI_LEN];
 	char *cipher_iv = NULL;
-	int r = -EIO;
+	int r;
 
 	if (sector_size < (1 << SECTOR_SHIFT) ||
 	    sector_size > (1 << (SECTOR_SHIFT + 3)) ||
 	    sector_size & (sector_size - 1))
 		return -EINVAL;
 
-	s = malloc(sizeof(*s));
-	if (!s)
-		return -ENOMEM;
-	memset(s, 0, sizeof(*s));
+	/* Convert from capi mode */
+	if (!strncmp(cipher, "capi:", 5)) {
+		r = sscanf(cipher, "capi:%" MAX_CAPI_LEN_STR "[^(](%" MAX_CAPI_LEN_STR "[^)])", mode_tmp, cipher_name);
+		if (r != 2)
+			return -EINVAL;
+		r = snprintf(mode_name, sizeof(mode_name), "%s-%s", mode_tmp, cipher_mode);
+		if (r < 0 || (size_t)r >= sizeof(mode_name))
+			return -EINVAL;
+	} else {
+		strncpy(cipher_name, cipher, sizeof(cipher_name));
+		cipher_name[sizeof(cipher_name) - 1] = 0;
+		strncpy(mode_name, cipher_mode, sizeof(mode_name));
+		mode_name[sizeof(mode_name) - 1] = 0;
+	}
 
 	/* Remove IV if present */
-	strncpy(mode_name, cipher_mode, sizeof(mode_name));
-	mode_name[sizeof(mode_name) - 1] = 0;
 	cipher_iv = strchr(mode_name, '-');
 	if (cipher_iv) {
 		*cipher_iv = '\0';
 		cipher_iv++;
 	}
 
-	r = crypt_cipher_init(&s->cipher, cipher, mode_name, key, key_length);
+	s = malloc(sizeof(*s));
+	if (!s)
+		return -ENOMEM;
+	memset(s, 0, sizeof(*s));
+
+	r = crypt_cipher_init(&s->cipher, cipher_name, mode_name, key, key_length);
 	if (r) {
 		crypt_storage_destroy(s);
 		return r;
 	}
 
-	r = crypt_sector_iv_init(&s->cipher_iv, cipher, mode_name, cipher_iv, key, key_length, sector_size);
+	r = crypt_sector_iv_init(&s->cipher_iv, cipher_name, mode_name, cipher_iv, key, key_length, sector_size);
 	if (r) {
 		crypt_storage_destroy(s);
 		return r;
diff --git a/lib/crypto_backend/memutils.c b/lib/crypto_backend/memutils.c
new file mode 100644
index 0000000..a041b3e
--- /dev/null
+++ b/lib/crypto_backend/memutils.c
@@ -0,0 +1,61 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * Safe memory utilities
+ *
+ * Copyright (C) 2024-2025 Milan Broz
+ */
+
+#include "crypto_backend_internal.h"
+
+#define ATTR_NOINLINE __attribute__ ((noinline))
+#define ATTR_ZERO_REGS
+#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS
+#    undef ATTR_ZERO_REGS
+#    define ATTR_ZERO_REGS __attribute__ ((zero_call_used_regs("used")))
+#endif
+
+/* Workaround for https://github.com/google/sanitizers/issues/1507 */
+#if defined __has_feature
+# if __has_feature (memory_sanitizer)
+#   undef HAVE_EXPLICIT_BZERO
+# endif
+#endif
+
+/* Memzero helper (memset on stack can be optimized out) */
+ATTR_NOINLINE ATTR_ZERO_REGS
+void crypt_backend_memzero(void *s, size_t n)
+{
+#if HAVE_EXPLICIT_BZERO
+	explicit_bzero(s, n);
+#else
+	volatile uint8_t *p = (volatile uint8_t *)s;
+	while(n--) *p++ = 0;
+#endif
+}
+
+/* Memcpy helper to avoid spilling sensitive data through additional registers */
+ATTR_NOINLINE ATTR_ZERO_REGS
+void *crypt_backend_memcpy(void *dst, const void *src, size_t n)
+{
+	volatile uint8_t *d = (volatile uint8_t *)dst;
+	const volatile uint8_t *s = (const volatile uint8_t *)src;
+
+	while(n--) *d++ = *s++;
+
+	return dst;
+}
+
+/* Internal implementation for constant time memory comparison */
+ATTR_NOINLINE ATTR_ZERO_REGS
+int crypt_internal_memeq(const void *m1, const void *m2, size_t n)
+{
+	const unsigned char *_m1 = (const unsigned char *) m1;
+	const unsigned char *_m2 = (const unsigned char *) m2;
+	unsigned char result = 0;
+	size_t i;
+
+	for (i = 0; i < n; i++)
+		result |= _m1[i] ^ _m2[i];
+
+	return result;
+}
diff --git a/lib/crypto_backend/meson.build b/lib/crypto_backend/meson.build
index d6c31fd..43cf40e 100644
--- a/lib/crypto_backend/meson.build
+++ b/lib/crypto_backend/meson.build
@@ -11,6 +11,7 @@ libcrypto_backend_link_with = []
 libcrypto_backend_sources = files(
     'argon2_generic.c',
     'base64.c',
+    'memutils.c',
     'cipher_check.c',
     'cipher_generic.c',
     'crc32.c',
diff --git a/lib/crypto_backend/pbkdf2_generic.c b/lib/crypto_backend/pbkdf2_generic.c
index cebaea4..e5e5a9c 100644
--- a/lib/crypto_backend/pbkdf2_generic.c
+++ b/lib/crypto_backend/pbkdf2_generic.c
@@ -5,8 +5,8 @@
  * Copyright (C) 2004 Free Software Foundation
  *
  * cryptsetup related changes
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include <errno.h>
diff --git a/lib/crypto_backend/pbkdf_check.c b/lib/crypto_backend/pbkdf_check.c
index d5e1257..5eb21f3 100644
--- a/lib/crypto_backend/pbkdf_check.c
+++ b/lib/crypto_backend/pbkdf_check.c
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * PBKDF performance check
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  * Copyright (C) 2016-2020 Ondrej Mosnacek
  */
 
@@ -300,6 +300,7 @@ static int crypt_argon2_check(const char *kdf, const char *password,
 	} while (ms < ms_atleast || ms > ms_atmost);
 out:
 	if (key) {
+		/* Key can be derived from a real provided password */
 		crypt_backend_memzero(key, key_length);
 		free(key);
 	}
@@ -381,6 +382,7 @@ static int crypt_pbkdf_check(const char *kdf, const char *hash,
 	}
 out:
 	if (key) {
+		/* Key can be derived from a real provided password */
 		crypt_backend_memzero(key, key_length);
 		free(key);
 	}
@@ -406,6 +408,9 @@ int crypt_pbkdf_perf(const char *kdf, const char *hash,
 	if (r < 0)
 		return r;
 
+	if (parallel_threads > pbkdf_limits.max_parallel)
+		return -EINVAL;
+
 	min_memory = pbkdf_limits.min_bench_memory;
 	if (min_memory > max_memory_kb)
 		min_memory = max_memory_kb;
diff --git a/lib/crypto_backend/utf8.c b/lib/crypto_backend/utf8.c
index 07a45eb..c68d1b7 100644
--- a/lib/crypto_backend/utf8.c
+++ b/lib/crypto_backend/utf8.c
@@ -5,7 +5,7 @@
  * Copyright (C) 2010 Lennart Poettering
  *
  * cryptsetup related changes
- * Copyright (C) 2021-2024 Vojtech Trefny
+ * Copyright (C) 2021-2025 Vojtech Trefny
 
  * Parts of the original systemd implementation are based on the GLIB utf8
  * validation functions.
@@ -274,3 +274,20 @@ int crypt_utf8_to_utf16(char16_t **out, const char *s, size_t length)
 	*p = 0;
 	return 0;
 }
+
+/**
+ * crypt_char16_strlen()
+ * @s: string to get length of
+ *
+ * Returns: number of 16-bit words in the string
+ */
+size_t crypt_char16_strlen(const char16_t *s) {
+	size_t n = 0;
+
+	assert(s);
+
+	while (*s != 0)
+		n++, s++;
+
+	return n;
+}
diff --git a/lib/fvault2/fvault2.c b/lib/fvault2/fvault2.c
index f55f2c4..59f4570 100644
--- a/lib/fvault2/fvault2.c
+++ b/lib/fvault2/fvault2.c
@@ -513,6 +513,7 @@ static int _read_volume_header(
 	int r = 0;
 	struct device *dev = crypt_metadata_device(cd);
 	struct volume_header *vol_header = NULL;
+	void *enc_key = NULL;
 
 	assert(sizeof(*vol_header) == FVAULT2_VOL_HEADER_SIZE);
 
@@ -557,8 +558,8 @@ static int _read_volume_header(
 		goto out;
 	}
 
-	*enc_md_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL);
-	if (*enc_md_key == NULL) {
+	enc_key = crypt_safe_alloc(FVAULT2_XTS_KEY_SIZE);
+	if (!enc_key) {
 		r = -ENOMEM;
 		goto out;
 	}
@@ -566,9 +567,15 @@ static int _read_volume_header(
 	*block_size = le32_to_cpu(vol_header->block_size);
 	*disklbl_blkoff = le64_to_cpu(vol_header->disklbl_blkoff);
 	uuid_unparse(vol_header->ph_vol_uuid, ph_vol_uuid);
-	memcpy((*enc_md_key)->key, vol_header->key_data, FVAULT2_AES_KEY_SIZE);
-	memcpy((*enc_md_key)->key + FVAULT2_AES_KEY_SIZE,
+	crypt_safe_memcpy(enc_key, vol_header->key_data, FVAULT2_AES_KEY_SIZE);
+	crypt_safe_memcpy((char *)enc_key + FVAULT2_AES_KEY_SIZE,
 		vol_header->ph_vol_uuid, FVAULT2_AES_KEY_SIZE);
+
+	*enc_md_key = crypt_alloc_volume_key_by_safe_alloc(&enc_key);
+	if (*enc_md_key == NULL) {
+		crypt_safe_free(enc_key);
+		r = -ENOMEM;
+	}
 out:
 	free(vol_header);
 	return r;
@@ -704,7 +711,7 @@ static int _read_encrypted_metadata(
 		goto out;
 	}
 
-	r = crypt_cipher_init(&cipher, "aes", "xts", key->key, FVAULT2_XTS_KEY_SIZE);
+	r = crypt_cipher_init(&cipher, "aes", "xts", crypt_volume_key_get_key(key), FVAULT2_XTS_KEY_SIZE);
 	if (r < 0)
 		goto out;
 
@@ -835,8 +842,7 @@ static int _activate(
 	r = dm_crypt_target_set(&dm_dev.segment, 0, dm_dev.size,
 		crypt_data_device(cd), vol_key, cipher,
 		crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
-		crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd),
-		crypt_get_sector_size(cd));
+		NULL, 0, 0, crypt_get_sector_size(cd));
 
 	if (!r)
 		r = dm_create_device(cd, name, CRYPT_FVAULT2, &dm_dev);
@@ -893,15 +899,14 @@ int FVAULT2_get_volume_key(
 	const char *passphrase,
 	size_t passphrase_len,
 	const struct fvault2_params *params,
-	struct volume_key **vol_key)
+	struct volume_key **r_vol_key)
 {
 	int r = 0;
 	uint8_t family_uuid_bin[FVAULT2_UUID_BIN_SIZE];
-	struct volume_key *passphrase_key = NULL;
-	struct volume_key *kek = NULL;
 	struct crypt_hash *hash = NULL;
+	void *passphrase_key = NULL, *kek = NULL, *vol_key= NULL;
 
-	*vol_key = NULL;
+	*r_vol_key = NULL;
 
 	if (uuid_parse(params->family_uuid, family_uuid_bin) < 0) {
 		log_dbg(cd, "Could not parse logical volume family UUID: %s.",
@@ -910,61 +915,62 @@ int FVAULT2_get_volume_key(
 		goto out;
 	}
 
-	passphrase_key = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL);
+	passphrase_key = crypt_safe_alloc(FVAULT2_AES_KEY_SIZE);
 	if (passphrase_key == NULL) {
 		r = -ENOMEM;
 		goto out;
 	}
 
 	r = crypt_pbkdf("pbkdf2", "sha256", passphrase, passphrase_len,
-		params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, passphrase_key->key,
+		params->pbkdf2_salt, FVAULT2_PBKDF2_SALT_SIZE, passphrase_key,
 		FVAULT2_AES_KEY_SIZE, params->pbkdf2_iters, 0, 0);
 	if (r < 0)
 		goto out;
 
-	kek = crypt_alloc_volume_key(FVAULT2_AES_KEY_SIZE, NULL);
+	kek = crypt_safe_alloc(FVAULT2_AES_KEY_SIZE);
 	if (kek == NULL) {
 		r = -ENOMEM;
 		goto out;
 	}
 
-	r = _unwrap_key(passphrase_key->key, FVAULT2_AES_KEY_SIZE, params->wrapped_kek,
-			FVAULT2_WRAPPED_KEY_SIZE, kek->key, FVAULT2_AES_KEY_SIZE);
+	r = _unwrap_key(passphrase_key, FVAULT2_AES_KEY_SIZE, params->wrapped_kek,
+			FVAULT2_WRAPPED_KEY_SIZE, kek, FVAULT2_AES_KEY_SIZE);
 	if (r < 0)
 		goto out;
 
-	*vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, NULL);
-	if (*vol_key == NULL) {
+	vol_key = crypt_safe_alloc(FVAULT2_XTS_KEY_SIZE);
+	if (vol_key == NULL) {
 		r = -ENOMEM;
 		goto out;
 	}
 
-	r = _unwrap_key(kek->key, FVAULT2_AES_KEY_SIZE, params->wrapped_vk,
-		FVAULT2_WRAPPED_KEY_SIZE, (*vol_key)->key, FVAULT2_AES_KEY_SIZE);
+	r = _unwrap_key(kek, FVAULT2_AES_KEY_SIZE, params->wrapped_vk,
+		FVAULT2_WRAPPED_KEY_SIZE, vol_key, FVAULT2_AES_KEY_SIZE);
 	if (r < 0)
 		goto out;
 
 	r = crypt_hash_init(&hash, "sha256");
 	if (r < 0)
 		goto out;
-	r = crypt_hash_write(hash, (*vol_key)->key, FVAULT2_AES_KEY_SIZE);
+	r = crypt_hash_write(hash, vol_key, FVAULT2_AES_KEY_SIZE);
 	if (r < 0)
 		goto out;
 	r = crypt_hash_write(hash, (char *)family_uuid_bin,
 		FVAULT2_UUID_BIN_SIZE);
 	if (r < 0)
 		goto out;
-	r = crypt_hash_final(hash, (*vol_key)->key + FVAULT2_AES_KEY_SIZE,
+	r = crypt_hash_final(hash, (char *)vol_key + FVAULT2_AES_KEY_SIZE,
 		FVAULT2_AES_KEY_SIZE);
 	if (r < 0)
 		goto out;
+
+	*r_vol_key = crypt_alloc_volume_key_by_safe_alloc(&vol_key);
+	if (!*r_vol_key)
+		r = -ENOMEM;
 out:
-	crypt_free_volume_key(passphrase_key);
-	crypt_free_volume_key(kek);
-	if (r < 0) {
-		crypt_free_volume_key(*vol_key);
-		*vol_key = NULL;
-	}
+	crypt_safe_free(passphrase_key);
+	crypt_safe_free(kek);
+	crypt_safe_free(vol_key);
 	if (hash != NULL)
 		crypt_hash_destroy(hash);
 	return r;
@@ -997,48 +1003,19 @@ int FVAULT2_dump(
 	return 0;
 }
 
-int FVAULT2_activate_by_passphrase(
+int FVAULT2_activate_by_volume_key(
 	struct crypt_device *cd,
 	const char *name,
-	const char *passphrase,
-	size_t passphrase_len,
+	struct volume_key *vk,
 	const struct fvault2_params *params,
 	uint32_t flags)
 {
-	int r;
-	struct volume_key *vol_key = NULL;
-
-	r = FVAULT2_get_volume_key(cd, passphrase, passphrase_len, params, &vol_key);
-	if (r < 0)
-		return r;
+	assert(crypt_volume_key_length(vk) == FVAULT2_XTS_KEY_SIZE);
 
-	if (name)
-	    r = _activate(cd, name, vol_key, params, flags);
-
-	crypt_free_volume_key(vol_key);
-	return r;
+	return _activate(cd, name, vk, params, flags);
 }
 
-int FVAULT2_activate_by_volume_key(
-	struct crypt_device *cd,
-	const char *name,
-	const char *key,
-	size_t key_size,
-	const struct fvault2_params *params,
-	uint32_t flags)
+size_t FVAULT2_volume_key_size(void)
 {
-	int r = 0;
-	struct volume_key *vol_key = NULL;
-
-	if (key_size != FVAULT2_XTS_KEY_SIZE)
-		return -EINVAL;
-
-	vol_key = crypt_alloc_volume_key(FVAULT2_XTS_KEY_SIZE, key);
-	if (vol_key == NULL)
-		return -ENOMEM;
-
-	r = _activate(cd, name, vol_key, params, flags);
-
-	crypt_free_volume_key(vol_key);
-	return r;
+	return FVAULT2_XTS_KEY_SIZE;
 }
diff --git a/lib/fvault2/fvault2.h b/lib/fvault2/fvault2.h
index 8a03280..ad6ad5e 100644
--- a/lib/fvault2/fvault2.h
+++ b/lib/fvault2/fvault2.h
@@ -41,27 +41,20 @@ int FVAULT2_get_volume_key(
 	const char *passphrase,
 	size_t passphrase_len,
 	const struct fvault2_params *params,
-	struct volume_key **vol_key);
+	struct volume_key **r_vol_key);
 
 int FVAULT2_dump(
 	struct crypt_device *cd,
 	struct device *device,
 	const struct fvault2_params *params);
 
-int FVAULT2_activate_by_passphrase(
-	struct crypt_device *cd,
-	const char *name,
-	const char *passphrase,
-	size_t passphrase_len,
-	const struct fvault2_params *params,
-	uint32_t flags);
-
 int FVAULT2_activate_by_volume_key(
 	struct crypt_device *cd,
 	const char *name,
-	const char *key,
-	size_t key_size,
+	struct volume_key *vk,
 	const struct fvault2_params *params,
 	uint32_t flags);
 
+size_t FVAULT2_volume_key_size(void);
+
 #endif
diff --git a/lib/integrity/integrity.c b/lib/integrity/integrity.c
index 37d0737..a10050d 100644
--- a/lib/integrity/integrity.c
+++ b/lib/integrity/integrity.c
@@ -2,7 +2,7 @@
 /*
  * Integrity volume handling
  *
- * Copyright (C) 2016-2024 Milan Broz
+ * Copyright (C) 2016-2025 Milan Broz
  */
 
 #include <errno.h>
@@ -31,16 +31,22 @@ static int INTEGRITY_read_superblock(struct crypt_device *cd,
 {
 	int devfd, r;
 
+	log_dbg(cd, "Reading kernel dm-integrity metadata on %s.", device_path(device));
+
 	devfd = device_open(cd, device, O_RDONLY);
 	if(devfd < 0)
 		return -EINVAL;
 
 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
-	    device_alignment(device), sb, sizeof(*sb), offset) != sizeof(*sb) ||
-	    memcmp(sb->magic, SB_MAGIC, sizeof(sb->magic))) {
+	    device_alignment(device), sb, sizeof(*sb), offset) != sizeof(*sb)) {
+		log_dbg(cd, "Cannot read kernel dm-integrity metadata on %s.", device_path(device));
+		return -EINVAL;
+	}
+
+	if (memcmp(sb->magic, SB_MAGIC, sizeof(sb->magic))) {
 		log_dbg(cd, "No kernel dm-integrity metadata detected on %s.", device_path(device));
 		r = -EINVAL;
-	} else if (sb->version < SB_VERSION_1 || sb->version > SB_VERSION_5) {
+	} else if (sb->version < SB_VERSION_1 || sb->version > SB_VERSION_6) {
 		log_err(cd, _("Incompatible kernel dm-integrity metadata (version %u) detected on %s."),
 			sb->version, device_path(device));
 		r = -EINVAL;
@@ -67,8 +73,10 @@ int INTEGRITY_read_sb(struct crypt_device *cd,
 	if (r)
 		return r;
 
-	params->sector_size = SECTOR_SIZE << sb.log2_sectors_per_block;
-	params->tag_size = sb.integrity_tag_size;
+	if (params) {
+		params->sector_size = SECTOR_SIZE << sb.log2_sectors_per_block;
+		params->tag_size = sb.integrity_tag_size;
+	}
 
 	if (flags)
 		*flags = sb.flags;
@@ -79,28 +87,32 @@ int INTEGRITY_read_sb(struct crypt_device *cd,
 int INTEGRITY_dump(struct crypt_device *cd, struct device *device, uint64_t offset)
 {
 	struct superblock sb;
+	uint64_t sector_size;
 	int r;
 
 	r = INTEGRITY_read_superblock(cd, device, offset, &sb);
 	if (r)
 		return r;
 
-	log_std(cd, "Info for integrity device %s.\n", device_path(device));
-	log_std(cd, "superblock_version %d\n", (unsigned)sb.version);
-	log_std(cd, "log2_interleave_sectors %d\n", sb.log2_interleave_sectors);
-	log_std(cd, "integrity_tag_size %u\n", sb.integrity_tag_size);
-	log_std(cd, "journal_sections %u\n", sb.journal_sections);
-	log_std(cd, "provided_data_sectors %" PRIu64 "\n", sb.provided_data_sectors);
-	log_std(cd, "sector_size %u\n", SECTOR_SIZE << sb.log2_sectors_per_block);
+	sector_size = (uint64_t)SECTOR_SIZE << sb.log2_sectors_per_block;
+	log_std(cd, "INTEGRITY header information for %s.\n", device_path(device));
+	log_std(cd, "version: %d\n", (unsigned)sb.version);
+	log_std(cd, "tag size: %u [bytes]\n", sb.integrity_tag_size);
+	log_std(cd, "sector size: %" PRIu64 " [bytes]\n", sector_size);
+	log_std(cd, "data size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n",
+		sb.provided_data_sectors, sb.provided_data_sectors * SECTOR_SIZE);
 	if (sb.version >= SB_VERSION_2 && (sb.flags & SB_FLAG_RECALCULATING))
-		log_std(cd, "recalc_sector %" PRIu64 "\n", sb.recalc_sector);
-	log_std(cd, "log2_blocks_per_bitmap %u\n", sb.log2_blocks_per_bitmap_bit);
-	log_std(cd, "flags %s%s%s%s%s\n",
+		log_std(cd, "recalculate sector: %" PRIu64 "\n", sb.recalc_sector);
+	log_std(cd, "journal sections: %u\n", sb.journal_sections);
+	log_std(cd, "log2 interleave sectors: %d\n", sb.log2_interleave_sectors);
+	log_std(cd, "log2 blocks per bitmap: %u\n", sb.log2_blocks_per_bitmap_bit);
+	log_std(cd, "flags: %s%s%s%s%s%s\n",
 		sb.flags & SB_FLAG_HAVE_JOURNAL_MAC ? "have_journal_mac " : "",
 		sb.flags & SB_FLAG_RECALCULATING ? "recalculating " : "",
 		sb.flags & SB_FLAG_DIRTY_BITMAP ? "dirty_bitmap " : "",
 		sb.flags & SB_FLAG_FIXED_PADDING ? "fix_padding " : "",
-		sb.flags & SB_FLAG_FIXED_HMAC ? "fix_hmac " : "");
+		sb.flags & SB_FLAG_FIXED_HMAC ? "fix_hmac " : "",
+		sb.flags & SB_FLAG_INLINE ? "inline " : "");
 
 	return 0;
 }
@@ -120,26 +132,42 @@ int INTEGRITY_data_sectors(struct crypt_device *cd,
 	return 0;
 }
 
-int INTEGRITY_key_size(const char *integrity)
+int INTEGRITY_key_size(const char *integrity, int required_key_size)
 {
+	int ks = 0;
+
+	if (!integrity && required_key_size)
+		return -EINVAL;
+
 	if (!integrity)
 		return 0;
 
 	//FIXME: use crypto backend hash size
 	if (!strcmp(integrity, "aead"))
-		return 0;
+		ks = 0;
 	else if (!strcmp(integrity, "hmac(sha1)"))
-		return 20;
+		ks = required_key_size ?: 20;
 	else if (!strcmp(integrity, "hmac(sha256)"))
-		return 32;
+		ks = required_key_size ?: 32;
 	else if (!strcmp(integrity, "hmac(sha512)"))
-		return 64;
+		ks = required_key_size ?: 64;
+	else if (!strcmp(integrity, "phmac(sha1)"))
+		ks = required_key_size ?: -EINVAL;
+	else if (!strcmp(integrity, "phmac(sha256)"))
+		ks = required_key_size ?: -EINVAL;
+	else if (!strcmp(integrity, "phmac(sha512)"))
+		ks = required_key_size ?: -EINVAL;
 	else if (!strcmp(integrity, "poly1305"))
-		return 0;
+		ks = 0;
 	else if (!strcmp(integrity, "none"))
-		return 0;
+		ks = 0;
+	else
+		return -EINVAL;
 
-	return -EINVAL;
+	if (required_key_size && ks != required_key_size)
+		return -EINVAL;
+
+	return ks;
 }
 
 /* Return hash or hmac(hash) size, if known */
@@ -158,6 +186,8 @@ int INTEGRITY_hash_tag_size(const char *integrity)
 		return 8;
 
 	r = sscanf(integrity, "hmac(%" MAX_CIPHER_LEN_STR "[^)]s", hash);
+	if (r != 1)
+		r = sscanf(integrity, "phmac(%" MAX_CIPHER_LEN_STR "[^)]s", hash);
 	if (r == 1)
 		r = crypt_hash_size(hash);
 	else
@@ -200,6 +230,12 @@ int INTEGRITY_tag_size(const char *integrity,
 		auth_tag_size = 32;
 	else if (!strcmp(integrity, "hmac(sha512)"))
 		auth_tag_size = 64;
+	else if (!strcmp(integrity, "phmac(sha1)"))
+		auth_tag_size = 20;
+	else if (!strcmp(integrity, "phmac(sha256)"))
+		auth_tag_size = 32;
+	else if (!strcmp(integrity, "phmac(sha512)"))
+		auth_tag_size = 64;
 	else if (!strcmp(integrity, "poly1305")) {
 		if (iv_tag_size)
 			iv_tag_size = 12;
@@ -230,6 +266,9 @@ int INTEGRITY_create_dmd_device(struct crypt_device *cd,
 	if (sb_flags & SB_FLAG_RECALCULATING)
 		dmd->flags |= CRYPT_ACTIVATE_RECALCULATE;
 
+	if (sb_flags & SB_FLAG_INLINE)
+		dmd->flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
+
 	r = INTEGRITY_data_sectors(cd, INTEGRITY_metadata_device(cd),
 				   crypt_get_data_offset(cd) * SECTOR_SIZE, &dmd->size);
 	if (r < 0)
@@ -249,14 +288,15 @@ int INTEGRITY_activate_dmd_device(struct crypt_device *cd,
 		       uint32_t sb_flags)
 {
 	int r;
-	uint32_t dmi_flags;
+	uint64_t dmi_flags;
 	struct dm_target *tgt = &dmd->segment;
 
 	if (!single_segment(dmd) || tgt->type != DM_INTEGRITY)
 		return -EINVAL;
 
-	log_dbg(cd, "Trying to activate INTEGRITY device on top of %s, using name %s, tag size %d, provided sectors %" PRIu64".",
-		device_path(tgt->data_device), name, tgt->u.integrity.tag_size, dmd->size);
+	log_dbg(cd, "Trying to activate INTEGRITY device on top of %s, using name %s, tag size %d%s, provided sectors %" PRIu64".",
+		device_path(tgt->data_device), name, tgt->u.integrity.tag_size,
+		(sb_flags & SB_FLAG_INLINE) ? " (inline)" :"", dmd->size);
 
 	r = create_or_reload_device(cd, name, type, dmd);
 
@@ -280,6 +320,12 @@ int INTEGRITY_activate_dmd_device(struct crypt_device *cd,
 		return -ENOTSUP;
 	}
 
+	if (r < 0 && (sb_flags & SB_FLAG_INLINE) && !dm_flags(cd, DM_INTEGRITY, &dmi_flags) &&
+	    !(dmi_flags & DM_INTEGRITY_INLINE_MODE_SUPPORTED)) {
+		log_err(cd, _("Kernel does not support dm-integrity inline mode."));
+		return -ENOTSUP;
+	}
+
 	return r;
 }
 
@@ -372,11 +418,14 @@ static int _create_reduced_device(struct crypt_device *cd,
 
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
+		     struct volume_key *integrity_key,
 		     struct volume_key *journal_crypt_key,
 		     struct volume_key *journal_mac_key,
-		     uint64_t backing_device_sectors)
+		     uint64_t backing_device_sectors,
+		     uint32_t *sb_flags,
+		     bool integrity_inline)
 {
-	uint32_t dmi_flags;
+	uint64_t dmi_flags;
 	char reduced_device_name[70], tmp_name[64], tmp_uuid[40];
 	struct crypt_dm_active_device dmdi = {
 		.size = 8,
@@ -387,7 +436,6 @@ int INTEGRITY_format(struct crypt_device *cd,
 	uuid_t tmp_uuid_bin;
 	uint64_t data_offset_sectors;
 	struct device *p_metadata_device, *p_data_device, *reduced_device = NULL;
-	struct volume_key *vk = NULL;
 
 	uuid_generate(tmp_uuid_bin);
 	uuid_unparse(tmp_uuid_bin, tmp_uuid);
@@ -422,19 +470,18 @@ int INTEGRITY_format(struct crypt_device *cd,
 		p_data_device = crypt_data_device(cd);
 	}
 
-	/* There is no data area, we can actually use fake zeroed key */
-	if (params && params->integrity_key_size)
-		vk = crypt_alloc_volume_key(params->integrity_key_size, NULL);
+	if (integrity_inline)
+		dmdi.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
 
 	r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, p_metadata_device,
 			p_data_device, crypt_get_integrity_tag_size(cd),
-			data_offset_sectors, crypt_get_sector_size(cd), vk,
+			data_offset_sectors, crypt_get_sector_size(cd), integrity_key,
 			journal_crypt_key, journal_mac_key, params);
 	if (r < 0)
 		goto err;
 
-	log_dbg(cd, "Trying to format INTEGRITY device on top of %s, tmp name %s, tag size %d.",
-		device_path(tgt->data_device), tmp_name, tgt->u.integrity.tag_size);
+	log_dbg(cd, "Trying to format INTEGRITY device on top of %s, tmp name %s, tag size %d%s.",
+		device_path(tgt->data_device), tmp_name, tgt->u.integrity.tag_size, integrity_inline ? " (inline)" : "");
 
 	r = device_block_adjust(cd, tgt->data_device, DEV_EXCL, tgt->u.integrity.offset, NULL, NULL);
 	if (r < 0 && (dm_flags(cd, DM_INTEGRITY, &dmi_flags) || !(dmi_flags & DM_INTEGRITY_SUPPORTED))) {
@@ -455,9 +502,14 @@ int INTEGRITY_format(struct crypt_device *cd,
 		goto err;
 
 	r = dm_remove_device(cd, tmp_name, CRYPT_DEACTIVATE_FORCE);
+	if (r)
+		goto err;
+
+	/* reload sb_flags from superblock (important for SB_FLAG_INLINE) */
+	if (sb_flags)
+		r = INTEGRITY_read_sb(cd, NULL, sb_flags);
 err:
 	dm_targets_free(cd, &dmdi);
-	crypt_free_volume_key(vk);
 	if (reduced_device) {
 		dm_remove_device(cd, reduced_device_name, CRYPT_DEACTIVATE_FORCE);
 		device_free(cd, reduced_device);
diff --git a/lib/integrity/integrity.h b/lib/integrity/integrity.h
index 049a299..ff1293f 100644
--- a/lib/integrity/integrity.h
+++ b/lib/integrity/integrity.h
@@ -2,13 +2,14 @@
 /*
  * Integrity header definition
  *
- * Copyright (C) 2016-2024 Milan Broz
+ * Copyright (C) 2016-2025 Milan Broz
  */
 
 #ifndef _CRYPTSETUP_INTEGRITY_H
 #define _CRYPTSETUP_INTEGRITY_H
 
 #include <stdint.h>
+#include <stdbool.h>
 
 struct crypt_device;
 struct device;
@@ -23,12 +24,14 @@ struct crypt_dm_active_device;
 #define SB_VERSION_3	3
 #define SB_VERSION_4	4
 #define SB_VERSION_5	5
+#define SB_VERSION_6	6
 
 #define SB_FLAG_HAVE_JOURNAL_MAC	(1 << 0)
 #define SB_FLAG_RECALCULATING		(1 << 1) /* V2 only */
 #define SB_FLAG_DIRTY_BITMAP		(1 << 2) /* V3 only */
 #define SB_FLAG_FIXED_PADDING		(1 << 3) /* V4 only */
 #define SB_FLAG_FIXED_HMAC		(1 << 4) /* V5 only */
+#define SB_FLAG_INLINE			(1 << 5) /* V6 only */
 
 struct superblock {
 	uint8_t magic[8];
@@ -40,8 +43,10 @@ struct superblock {
 	uint32_t flags;
 	uint8_t log2_sectors_per_block;
 	uint8_t log2_blocks_per_bitmap_bit; /* V3 only */
-	uint8_t pad[2];
+	uint8_t pad[2]; /* (padding) */
 	uint64_t recalc_sector; /* V2 only */
+	uint8_t pad2[8]; /* (padding) */
+	uint8_t salt[16]; /* for fixed hmac, V5 only */
 } __attribute__ ((packed));
 
 int INTEGRITY_read_sb(struct crypt_device *cd,
@@ -53,7 +58,7 @@ int INTEGRITY_dump(struct crypt_device *cd, struct device *device, uint64_t offs
 int INTEGRITY_data_sectors(struct crypt_device *cd,
 			   struct device *device, uint64_t offset,
 			   uint64_t *data_sectors);
-int INTEGRITY_key_size(const char *integrity);
+int INTEGRITY_key_size(const char *integrity, int required_key_size);
 int INTEGRITY_tag_size(const char *integrity,
 		       const char *cipher,
 		       const char *cipher_mode);
@@ -61,9 +66,12 @@ int INTEGRITY_hash_tag_size(const char *integrity);
 
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
+		     struct volume_key *integrity_key,
 		     struct volume_key *journal_crypt_key,
 		     struct volume_key *journal_mac_key,
-		     uint64_t backing_device_sectors);
+		     uint64_t backing_device_sectors,
+		     uint32_t *sb_flags,
+		     bool integrity_inline);
 
 int INTEGRITY_activate(struct crypt_device *cd,
 		       const char *name,
diff --git a/lib/internal.h b/lib/internal.h
index 765bf15..56efa46 100644
--- a/lib/internal.h
+++ b/lib/internal.h
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef INTERNAL_H
@@ -48,24 +48,36 @@
 
 struct crypt_device;
 struct luks2_reencrypt;
+struct volume_key;
 
-struct volume_key {
-	int id;
-	size_t keylength;
-	const char *key_description;
-	struct volume_key *next;
-	char key[];
-};
+typedef enum {
+	KEY_QUALITY_KEY = 0,
+	KEY_QUALITY_NORMAL,
+	KEY_QUALITY_EMPTY
+} key_quality_info;
 
 struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key);
-struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength);
+struct volume_key *crypt_alloc_volume_key_by_safe_alloc(void **safe_alloc);
+struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength,
+					     key_quality_info quality);
 void crypt_free_volume_key(struct volume_key *vk);
-int crypt_volume_key_set_description(struct volume_key *key, const char *key_description);
+const char *crypt_volume_key_get_key(const struct volume_key *vk);
+size_t crypt_volume_key_length(const struct volume_key *vk);
+int crypt_volume_key_set_description(struct volume_key *key,
+				     const char *key_description, key_type_t keyring_key_type);
+int crypt_volume_key_set_description_by_name(struct volume_key *vk, const char *key_name);
+key_type_t crypt_volume_key_kernel_key_type(const struct volume_key *vk);
+const char *crypt_volume_key_description(const struct volume_key *vk);
 void crypt_volume_key_set_id(struct volume_key *vk, int id);
 int crypt_volume_key_get_id(const struct volume_key *vk);
 void crypt_volume_key_add_next(struct volume_key **vks, struct volume_key *vk);
 struct volume_key *crypt_volume_key_next(struct volume_key *vk);
 struct volume_key *crypt_volume_key_by_id(struct volume_key *vk, int id);
+void crypt_volume_key_pass_safe_alloc(struct volume_key *vk, void **safe_alloc);
+bool crypt_volume_key_is_set(const struct volume_key *vk);
+bool crypt_volume_key_upload_kernel_key(struct volume_key *vk);
+void crypt_volume_key_drop_uploaded_kernel_key(struct crypt_device *cd, struct volume_key *vk);
+void crypt_volume_key_drop_kernel_key(struct crypt_device *cd, struct volume_key *vk);
 
 struct crypt_pbkdf_type *crypt_get_pbkdf(struct crypt_device *cd);
 int init_pbkdf_type(struct crypt_device *cd,
@@ -86,7 +98,6 @@ int device_alloc_no_check(struct device **device, const char *path);
 void device_close(struct crypt_device *cd, struct device *device);
 void device_free(struct crypt_device *cd, struct device *device);
 const char *device_path(const struct device *device);
-const char *device_dm_name(const struct device *device);
 const char *device_block_path(const struct device *device);
 void device_topology_alignment(struct crypt_device *cd,
 			       struct device *device,
@@ -104,6 +115,7 @@ int device_is_identical(struct device *device1, struct device *device2);
 int device_is_rotational(struct device *device);
 int device_is_dax(struct device *device);
 int device_is_zoned(struct device *device);
+int device_is_nop_dif(struct device *device, uint32_t *tag_size);
 size_t device_alignment(struct device *device);
 int device_direct_io(const struct device *device);
 int device_fallocate(struct device *device, uint64_t size);
@@ -155,6 +167,7 @@ char *crypt_lookup_dev(const char *dev_id);
 int crypt_dev_is_rotational(int major, int minor);
 int crypt_dev_is_dax(int major, int minor);
 int crypt_dev_is_zoned(int major, int minor);
+int crypt_dev_is_nop_dif(int major, int minor, uint32_t *tag_size);
 int crypt_dev_is_partition(const char *dev_path);
 char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size);
 int crypt_dev_get_partition_number(const char *dev_path);
@@ -162,8 +175,6 @@ char *crypt_get_base_device(const char *dev_path);
 uint64_t crypt_dev_partition_offset(const char *dev_path);
 int lookup_by_disk_id(const char *dm_uuid);
 int lookup_by_sysfs_uuid_field(const char *dm_uuid);
-int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid);
-int crypt_uuid_type_cmp(const char *dm_uuid, const char *type);
 
 size_t crypt_getpagesize(void);
 unsigned crypt_cpusonline(void);
@@ -217,7 +228,7 @@ int crypt_wipe_device(struct crypt_device *cd,
 
 /* Internal integrity helpers */
 const char *crypt_get_integrity(struct crypt_device *cd);
-int crypt_get_integrity_key_size(struct crypt_device *cd);
+int crypt_get_integrity_key_size(struct crypt_device *cd, bool dm_compat);
 int crypt_get_integrity_tag_size(struct crypt_device *cd);
 
 int crypt_key_in_keyring(struct crypt_device *cd);
@@ -231,9 +242,18 @@ int crypt_keyring_get_key_by_name(struct crypt_device *cd,
 		const char *key_description,
 		char **key,
 		size_t *key_size);
+
+int crypt_keyring_get_keysize_by_name(struct crypt_device *cd,
+		const char *key_description,
+		size_t *r_key_size);
+
 int crypt_use_keyring_for_vk(struct crypt_device *cd);
-void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype);
-void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks);
+void crypt_unlink_key_from_thread_keyring(struct crypt_device *cd,
+		key_serial_t key_id);
+void crypt_unlink_key_by_description_from_thread_keyring(struct crypt_device *cd,
+		const char *key_description,
+		key_type_t ktype);
+void crypt_drop_uploaded_keyring_key(struct crypt_device *cd, struct volume_key *vks);
 
 static inline uint64_t compact_version(uint16_t major, uint16_t minor, uint16_t patch, uint16_t release)
 {
@@ -266,4 +286,6 @@ static inline bool uint64_mult_overflow(uint64_t *u, uint64_t b, size_t size)
 #define KEY_EXTERNAL_VERIFICATION -1
 #define KEY_VERIFIED 0
 
+size_t crypt_safe_alloc_size(const void *data);
+
 #endif /* INTERNAL_H */
diff --git a/lib/keyslot_context.c b/lib/keyslot_context.c
index 5d8852f..1b13782 100644
--- a/lib/keyslot_context.c
+++ b/lib/keyslot_context.c
@@ -2,12 +2,14 @@
 /*
  * LUKS - Linux Unified Key Setup, keyslot unlock helpers
  *
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2022-2024 Ondrej Kozina
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Ondrej Kozina
  */
 
 #include <errno.h>
 
+#include "bitlk/bitlk.h"
+#include "fvault2/fvault2.h"
 #include "luks1/luks.h"
 #include "luks2/luks2.h"
 #include "keyslot_context.h"
@@ -58,6 +60,44 @@ static int get_luks2_volume_key_by_passphrase(struct crypt_device *cd,
 	return get_luks2_key_by_passphrase(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
 }
 
+static int get_bitlk_volume_key_by_passphrase(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct bitlk_metadata *params,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(params);
+	assert(r_vk);
+
+	r = BITLK_get_volume_key(cd, kc->u.p.passphrase, kc->u.p.passphrase_size, params, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_fvault2_volume_key_by_passphrase(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct fvault2_params *params,
+	struct volume_key **r_vk)
+{
+	int r;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(params);
+	assert(r_vk);
+
+	r = FVAULT2_get_volume_key(cd, kc->u.p.passphrase, kc->u.p.passphrase_size, params, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
 static int get_passphrase_by_passphrase(struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
 	const char **r_passphrase,
@@ -160,6 +200,56 @@ static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd,
 	return r;
 }
 
+static int get_bitlk_volume_key_by_keyfile(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct bitlk_metadata *params,
+	struct volume_key **r_vk)
+{
+	int r;
+	const char *passphrase;
+	size_t passphrase_size;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
+	assert(params);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
+	if (r < 0)
+		return r;
+
+	r = BITLK_get_volume_key(cd, passphrase, passphrase_size, params, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
+static int get_fvault2_volume_key_by_keyfile(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct fvault2_params *params,
+	struct volume_key **r_vk)
+{
+	int r;
+	const char *passphrase;
+	size_t passphrase_size;
+
+	assert(cd);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
+	assert(params);
+	assert(r_vk);
+
+	r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
+	if (r < 0)
+		return r;
+
+	r = FVAULT2_get_volume_key(cd, passphrase, passphrase_size, params, r_vk);
+	if (r < 0)
+		kc->error = r;
+
+	return r;
+}
+
 static int get_key_by_key(struct crypt_device *cd __attribute__((unused)),
 	struct crypt_keyslot_context *kc,
 	int keyslot __attribute__((unused)),
@@ -198,6 +288,22 @@ static int get_generic_volume_key_by_key(struct crypt_device *cd,
 	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
 }
 
+static int get_bitlk_volume_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct bitlk_metadata *params __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
+static int get_fvault2_volume_key_by_key(struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct fvault2_params *params __attribute__((unused)),
+	struct volume_key **r_vk)
+{
+	return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
+}
+
 static int get_generic_signed_key_by_key(struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
 	struct volume_key **r_vk,
@@ -354,7 +460,7 @@ static int get_luks2_key_by_keyring(struct crypt_device *cd,
 	if (r < 0)
 		kc->error = r;
 
-	return 0;
+	return r;
 }
 
 static int get_luks2_volume_key_by_keyring(struct crypt_device *cd,
@@ -373,7 +479,7 @@ static int get_luks1_volume_key_by_keyring(struct crypt_device *cd,
 	int r;
 
 	assert(cd);
-	assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
 	assert(r_vk);
 
 	r = get_passphrase_by_keyring(cd, kc, CONST_CAST(const char **) &kc->i_passphrase,
@@ -414,9 +520,9 @@ static int get_key_by_vk_in_keyring(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	*r_vk = crypt_alloc_volume_key(key_size, key);
-	crypt_safe_free(key);
+	*r_vk = crypt_alloc_volume_key_by_safe_alloc((void **)&key);
 	if (!*r_vk) {
+		crypt_safe_free(key);
 		kc->error = -ENOMEM;
 		return kc->error;
 	}
@@ -432,16 +538,41 @@ static int get_volume_key_by_vk_in_keyring(struct crypt_device *cd,
 	return get_key_by_vk_in_keyring(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
 }
 
-static void unlock_method_init_internal(struct crypt_keyslot_context *kc)
+static void crypt_keyslot_context_init_common(struct crypt_keyslot_context *kc)
 {
 	assert(kc);
 
+	kc->version = KC_VERSION_BASIC;
 	kc->error = 0;
 	kc->i_passphrase = NULL;
 	kc->i_passphrase_size = 0;
 }
 
-void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
+static void keyring_context_free(struct crypt_keyslot_context *kc)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYRING);
+
+	free(kc->u.kr.i_key_description);
+}
+
+static int keyring_get_key_size(struct crypt_device *cd, struct crypt_keyslot_context *kc, size_t *r_key_size)
+{
+	int r;
+
+	assert(kc && kc->type == CRYPT_KC_TYPE_VK_KEYRING);
+	assert(r_key_size);
+
+	if (!kc->u.vk_kr.i_key_size) {
+		r = crypt_keyring_get_keysize_by_name(cd, kc->u.vk_kr.key_description, &kc->u.vk_kr.i_key_size);
+		if (r < 0)
+			return r;
+	}
+
+	*r_key_size = kc->u.vk_kr.i_key_size;
+	return 0;
+}
+
+void crypt_keyslot_context_init_by_keyring_internal(struct crypt_keyslot_context *kc,
 	const char *key_description)
 {
 	assert(kc);
@@ -450,18 +581,32 @@ void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
 	kc->u.kr.key_description = key_description;
 
 	kc->get_luks2_key = get_luks2_key_by_keyring;
-	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyring;
 	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyring;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyring;
 	kc->get_passphrase = get_passphrase_by_keyring;
-	kc->get_plain_volume_key = NULL;
-	kc->get_bitlk_volume_key = NULL;
-	kc->get_fvault2_volume_key = NULL;
-	kc->get_verity_volume_key = NULL;
-	kc->get_integrity_volume_key = NULL;
-	unlock_method_init_internal(kc);
+	kc->context_free = keyring_context_free;
+	crypt_keyslot_context_init_common(kc);
+}
+
+static void key_context_free(struct crypt_keyslot_context *kc)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEY);
+
+	crypt_free_volume_key(kc->u.k.i_vk);
 }
 
-void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
+static int key_get_key_size(struct crypt_device *cd __attribute__((unused)),
+			       struct crypt_keyslot_context *kc,
+			       size_t *r_key_size)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEY);
+	assert(r_key_size);
+
+	*r_key_size = kc->u.k.volume_key_size;
+	return 0;
+}
+
+void crypt_keyslot_context_init_by_key_internal(struct crypt_keyslot_context *kc,
 	const char *volume_key,
 	size_t volume_key_size)
 {
@@ -470,19 +615,29 @@ void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
 	kc->type = CRYPT_KC_TYPE_KEY;
 	kc->u.k.volume_key = volume_key;
 	kc->u.k.volume_key_size = volume_key_size;
+
 	kc->get_luks2_key = get_key_by_key;
-	kc->get_luks2_volume_key = get_volume_key_by_key;
 	kc->get_luks1_volume_key = get_volume_key_by_key;
-	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
+	kc->get_luks2_volume_key = get_volume_key_by_key;
 	kc->get_plain_volume_key = get_generic_volume_key_by_key;
-	kc->get_bitlk_volume_key = get_generic_volume_key_by_key;
-	kc->get_fvault2_volume_key = get_generic_volume_key_by_key;
+	kc->get_bitlk_volume_key = get_bitlk_volume_key_by_key;
+	kc->get_fvault2_volume_key = get_fvault2_volume_key_by_key;
 	kc->get_verity_volume_key = get_generic_signed_key_by_key;
 	kc->get_integrity_volume_key = get_generic_volume_key_by_key;
-	unlock_method_init_internal(kc);
+	kc->get_key_size = key_get_key_size;
+	kc->context_free = key_context_free;
+	crypt_keyslot_context_init_common(kc);
 }
 
-void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc,
+static void signed_key_context_free(struct crypt_keyslot_context *kc)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_SIGNED_KEY);
+
+	crypt_free_volume_key(kc->u.ks.i_vk);
+	crypt_free_volume_key(kc->u.ks.i_vk_sig);
+}
+
+void crypt_keyslot_context_init_by_signed_key_internal(struct crypt_keyslot_context *kc,
 	const char *volume_key,
 	size_t volume_key_size,
 	const char *signature,
@@ -495,19 +650,13 @@ void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_conte
 	kc->u.ks.volume_key_size = volume_key_size;
 	kc->u.ks.signature = signature;
 	kc->u.ks.signature_size = signature_size;
-	kc->get_luks2_key = NULL;
-	kc->get_luks2_volume_key = NULL;
-	kc->get_luks1_volume_key = NULL;
-	kc->get_passphrase = NULL;
-	kc->get_plain_volume_key = NULL;
-	kc->get_bitlk_volume_key = NULL;
-	kc->get_fvault2_volume_key = NULL;
+
 	kc->get_verity_volume_key = get_generic_signed_key_by_key;
-	kc->get_integrity_volume_key = NULL;
-	unlock_method_init_internal(kc);
+	kc->context_free = signed_key_context_free;
+	crypt_keyslot_context_init_common(kc);
 }
 
-void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_passphrase_internal(struct crypt_keyslot_context *kc,
 	const char *passphrase,
 	size_t passphrase_size)
 {
@@ -516,19 +665,24 @@ void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_conte
 	kc->type = CRYPT_KC_TYPE_PASSPHRASE;
 	kc->u.p.passphrase = passphrase;
 	kc->u.p.passphrase_size = passphrase_size;
+
 	kc->get_luks2_key = get_luks2_key_by_passphrase;
-	kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase;
 	kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase;
+	kc->get_bitlk_volume_key = get_bitlk_volume_key_by_passphrase;
+	kc->get_fvault2_volume_key = get_fvault2_volume_key_by_passphrase;
 	kc->get_passphrase = get_passphrase_by_passphrase;
-	kc->get_plain_volume_key = NULL;
-	kc->get_bitlk_volume_key = NULL;
-	kc->get_fvault2_volume_key = NULL;
-	kc->get_verity_volume_key = NULL;
-	kc->get_integrity_volume_key = NULL;
-	unlock_method_init_internal(kc);
+	crypt_keyslot_context_init_common(kc);
+}
+
+static void keyfile_context_free(struct crypt_keyslot_context *kc)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
+
+	free(kc->u.kf.i_keyfile);
 }
 
-void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_keyfile_internal(struct crypt_keyslot_context *kc,
 	const char *keyfile,
 	size_t keyfile_size,
 	uint64_t keyfile_offset)
@@ -537,21 +691,28 @@ void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context
 
 	kc->type = CRYPT_KC_TYPE_KEYFILE;
 	kc->u.kf.keyfile = keyfile;
-	kc->u.kf.keyfile_size = keyfile_size;
 	kc->u.kf.keyfile_offset = keyfile_offset;
+	kc->u.kf.keyfile_size = keyfile_size;
+
 	kc->get_luks2_key = get_luks2_key_by_keyfile;
-	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile;
 	kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile;
+	kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile;
+	kc->get_bitlk_volume_key = get_bitlk_volume_key_by_keyfile;
+	kc->get_fvault2_volume_key = get_fvault2_volume_key_by_keyfile;
 	kc->get_passphrase = get_passphrase_by_keyfile;
-	kc->get_plain_volume_key = NULL;
-	kc->get_bitlk_volume_key = NULL;
-	kc->get_fvault2_volume_key = NULL;
-	kc->get_verity_volume_key = NULL;
-	kc->get_integrity_volume_key = NULL;
-	unlock_method_init_internal(kc);
+	kc->context_free = keyfile_context_free;
+	crypt_keyslot_context_init_common(kc);
 }
 
-void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
+static void token_context_free(struct crypt_keyslot_context *kc)
+{
+	assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
+
+	free(kc->u.t.i_type);
+	crypt_safe_free(kc->u.t.i_pin);
+}
+
+void crypt_keyslot_context_init_by_token_internal(struct crypt_keyslot_context *kc,
 	int token,
 	const char *type,
 	const char *pin,
@@ -566,47 +727,30 @@ void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *k
 	kc->u.t.pin = pin;
 	kc->u.t.pin_size = pin_size;
 	kc->u.t.usrptr = usrptr;
+
 	kc->get_luks2_key = get_luks2_key_by_token;
 	kc->get_luks2_volume_key = get_luks2_volume_key_by_token;
-	kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */
 	kc->get_passphrase = get_passphrase_by_token;
-	kc->get_plain_volume_key = NULL;
-	kc->get_bitlk_volume_key = NULL;
-	kc->get_fvault2_volume_key = NULL;
-	kc->get_verity_volume_key = NULL;
-	kc->get_integrity_volume_key = NULL;
-	unlock_method_init_internal(kc);
+	kc->context_free = token_context_free;
+	crypt_keyslot_context_init_common(kc);
 }
 
-void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc,
-	const char *key_description)
+static void vk_in_keyring_context_free(struct crypt_keyslot_context *kc)
 {
-	assert(kc);
-
-	kc->type = CRYPT_KC_TYPE_VK_KEYRING;
-	kc->u.vk_kr.key_description = key_description;
+	assert(kc && kc->type == CRYPT_KC_TYPE_VK_KEYRING);
 
-	kc->get_luks2_key = get_key_by_vk_in_keyring;
-	kc->get_luks2_volume_key = get_volume_key_by_vk_in_keyring;
-	kc->get_luks1_volume_key = NULL;
-	kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
-	kc->get_plain_volume_key = NULL;
-	kc->get_bitlk_volume_key = NULL;
-	kc->get_fvault2_volume_key = NULL;
-	kc->get_verity_volume_key = NULL;
-	kc->get_integrity_volume_key = NULL;
-	unlock_method_init_internal(kc);
+	free(kc->u.vk_kr.i_key_description);
 }
 
-
 void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc)
 {
 	if (!kc)
 		return;
 
+	if (kc->context_free)
+		kc->context_free(kc);
+
 	crypt_safe_free(kc->i_passphrase);
-	kc->i_passphrase = NULL;
-	kc->i_passphrase_size = 0;
 }
 
 void crypt_keyslot_context_free(struct crypt_keyslot_context *kc)
@@ -615,157 +759,443 @@ void crypt_keyslot_context_free(struct crypt_keyslot_context *kc)
 	free(kc);
 }
 
-int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd __attribute__((unused)),
-	const char *passphrase,
+static int _crypt_keyslot_context_init_by_passphrase(const char *passphrase,
 	size_t passphrase_size,
-	struct crypt_keyslot_context **kc)
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
 {
 	struct crypt_keyslot_context *tmp;
+	char *i_passphrase = NULL;
 
 	if (!kc || !passphrase)
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_passphrase_init_internal(tmp, passphrase, passphrase_size);
+	if (self_contained) {
+		if (passphrase_size) {
+			i_passphrase = crypt_safe_alloc(passphrase_size);
+			if (!i_passphrase) {
+				free(tmp);
+				return -ENOMEM;
+			}
+			crypt_safe_memcpy(i_passphrase, passphrase, passphrase_size);
+			passphrase = i_passphrase;
+		} else
+			/*
+			 * some crypto backend libraries expect a pointer even though
+			 * passed passphrase size is set to zero.
+			 */
+			passphrase = "";
+	}
+
+	crypt_keyslot_context_init_by_passphrase_internal(tmp, passphrase, passphrase_size);
+
+	if (self_contained) {
+		tmp->i_passphrase = i_passphrase;
+		tmp->i_passphrase_size = passphrase_size;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
 
 	*kc = tmp;
 
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd __attribute__((unused)),
-	const char *keyfile,
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_passphrase, 2, 8,
+	/* crypt_keyslot_context_init_by_passphrase parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *passphrase,
+	size_t passphrase_size,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_passphrase(passphrase, passphrase_size, kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_passphrase, 2, 6,
+	/* crypt_keyslot_context_init_by_passphrase parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *passphrase,
+	size_t passphrase_size,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_passphrase(passphrase, passphrase_size, kc, false);
+}
+
+static int _crypt_keyslot_context_init_by_keyfile(const char *keyfile,
 	size_t keyfile_size,
 	uint64_t keyfile_offset,
-	struct crypt_keyslot_context **kc)
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
 {
+	char *i_keyfile;
 	struct crypt_keyslot_context *tmp;
 
 	if (!kc || !keyfile)
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_keyfile_init_internal(tmp, keyfile, keyfile_size, keyfile_offset);
+	if (self_contained) {
+		i_keyfile = strdup(keyfile);
+		if (!i_keyfile) {
+			free(tmp);
+			return -ENOMEM;
+		}
+		keyfile = i_keyfile;
+	}
+
+	crypt_keyslot_context_init_by_keyfile_internal(tmp, keyfile, keyfile_size, keyfile_offset);
+
+	if (self_contained) {
+		tmp->u.kf.i_keyfile = i_keyfile;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
 
 	*kc = tmp;
 
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_token(struct crypt_device *cd __attribute__((unused)),
-	int token,
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_keyfile, 2, 8,
+	/* crypt_keyslot_context_init_by_keyfile parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *keyfile,
+	size_t keyfile_size,
+	uint64_t keyfile_offset,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_keyfile(keyfile, keyfile_size, keyfile_offset, kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_keyfile, 2, 6,
+	/* crypt_keyslot_context_init_by_keyfile parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *keyfile,
+	size_t keyfile_size,
+	uint64_t keyfile_offset,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_keyfile(keyfile, keyfile_size, keyfile_offset, kc, false);
+}
+
+static int _crypt_keyslot_context_init_by_token(int token,
 	const char *type,
 	const char *pin, size_t pin_size,
 	void *usrptr,
-	struct crypt_keyslot_context **kc)
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
 {
+	char *i_type = NULL, *i_pin = NULL;
 	struct crypt_keyslot_context *tmp;
 
-	if (!kc || (token < 0 && token != CRYPT_ANY_TOKEN))
+	if (!kc || (token < 0 && token != CRYPT_ANY_TOKEN) ||
+	    (pin && !pin_size))
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_token_init_internal(tmp, token, type, pin, pin_size, usrptr);
+	if (self_contained && type) {
+		if (!(i_type = strdup(type)))
+			goto err;
+		type = i_type;
+	}
+
+	if (self_contained && pin) {
+		if (!(i_pin = crypt_safe_alloc(pin_size)))
+			goto err;
+		crypt_safe_memcpy(i_pin, pin, pin_size);
+		pin = i_pin;
+	}
+
+	crypt_keyslot_context_init_by_token_internal(tmp, token, type, pin, pin_size, usrptr);
+
+	if (self_contained) {
+		tmp->u.t.i_pin = i_pin;
+		tmp->u.t.i_type = i_type;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
 
 	*kc = tmp;
 
 	return 0;
+err:
+	crypt_safe_free(i_pin);
+	free(i_type);
+	free(tmp);
+
+	return -ENOMEM;
 }
 
-int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd __attribute__((unused)),
-	const char *volume_key,
-	size_t volume_key_size,
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_token, 2, 8,
+	/* crypt_keyslot_context_init_by_token parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	int token,
+	const char *type,
+	const char *pin, size_t pin_size,
+	void *usrptr,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_token(token, type, pin, pin_size, usrptr, kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_token, 2, 6,
+	/* crypt_keyslot_context_init_by_token parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	int token,
+	const char *type,
+	const char *pin, size_t pin_size,
+	void *usrptr,
 	struct crypt_keyslot_context **kc)
 {
+	return _crypt_keyslot_context_init_by_token(token, type, pin, pin_size, usrptr, kc, false);
+}
+
+static int _crypt_keyslot_context_init_by_volume_key(const char *volume_key,
+	size_t volume_key_size,
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
+{
+	struct volume_key *i_vk = NULL;
 	struct crypt_keyslot_context *tmp;
 
 	if (!kc)
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_key_init_internal(tmp, volume_key, volume_key_size);
+	if (self_contained && volume_key) {
+		if (!(i_vk = crypt_alloc_volume_key(volume_key_size, volume_key))) {
+			free(tmp);
+			return -ENOMEM;
+		}
+		volume_key = crypt_volume_key_get_key(i_vk);
+	}
+
+	crypt_keyslot_context_init_by_key_internal(tmp, volume_key, volume_key_size);
+
+	if (self_contained) {
+		tmp->u.k.i_vk = i_vk;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
 
 	*kc = tmp;
 
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd __attribute__((unused)),
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_volume_key, 2, 8,
+	/* crypt_keyslot_context_init_by_volume_key parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *volume_key,
+	size_t volume_key_size,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_volume_key(volume_key, volume_key_size, kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_volume_key, 2, 6,
+	/* crypt_keyslot_context_init_by_volume_key parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
 	const char *volume_key,
+	size_t volume_key_size,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_volume_key(volume_key, volume_key_size, kc, false);
+}
+
+static int _crypt_keyslot_context_init_by_signed_key(const char *volume_key,
 	size_t volume_key_size,
 	const char *signature,
 	size_t signature_size,
-	struct crypt_keyslot_context **kc)
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
 {
+	struct volume_key *i_vk = NULL, *i_vk_sig = NULL;
 	struct crypt_keyslot_context *tmp;
 
 	if (!kc)
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_signed_key_init_internal(tmp, volume_key, volume_key_size,
+	if (self_contained && volume_key) {
+		if (!(i_vk = crypt_alloc_volume_key(volume_key_size, volume_key)))
+			goto err;
+		volume_key = crypt_volume_key_get_key(i_vk);
+	}
+
+	if (self_contained && signature) {
+		if (!(i_vk_sig = crypt_alloc_volume_key(signature_size, signature)))
+			goto err;
+		signature = crypt_volume_key_get_key(i_vk_sig);
+	}
+
+	crypt_keyslot_context_init_by_signed_key_internal(tmp, volume_key, volume_key_size,
 		signature, signature_size);
 
+	if (self_contained) {
+		tmp->u.ks.i_vk = i_vk;
+		tmp->u.ks.i_vk_sig = i_vk_sig;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
+
 	*kc = tmp;
 
 	return 0;
+err:
+	crypt_free_volume_key(i_vk);
+	crypt_free_volume_key(i_vk_sig);
+	free(tmp);
+
+	return -ENOMEM;
 }
 
-int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd __attribute__((unused)),
-	const char *key_description,
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_signed_key, 2, 8,
+	/* crypt_keyslot_context_init_by_signed_key parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_signed_key(volume_key, volume_key_size, signature, signature_size,  kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_signed_key, 2, 7,
+	/* crypt_keyslot_context_init_by_signed_key parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
 	struct crypt_keyslot_context **kc)
 {
+	return _crypt_keyslot_context_init_by_signed_key(volume_key, volume_key_size, signature, signature_size,  kc, false);
+}
+
+static int _crypt_keyslot_context_init_by_keyring(const char *key_description,
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
+{
+	char *i_key_description;
 	struct crypt_keyslot_context *tmp;
 
-	if (!kc)
+	if (!kc || !key_description)
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_keyring_internal(tmp, key_description);
+	if (self_contained) {
+		if (!(i_key_description = strdup(key_description))) {
+			free(tmp);
+			return -ENOMEM;
+		}
+		key_description = i_key_description;
+	}
+
+	crypt_keyslot_context_init_by_keyring_internal(tmp, key_description);
+
+	if (self_contained) {
+		tmp->u.kr.i_key_description = i_key_description;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
 
 	*kc = tmp;
 
 	return 0;
 }
 
-int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd __attribute__((unused)),
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_keyring, 2, 8,
+	/* crypt_keyslot_context_init_by_keyring parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_keyring(key_description, kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_keyring, 2, 7,
+	/* crypt_keyslot_context_init_by_keyring parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
 	const char *key_description,
 	struct crypt_keyslot_context **kc)
 {
+	return _crypt_keyslot_context_init_by_keyring(key_description, kc, false);
+}
+
+static int _crypt_keyslot_context_init_by_vk_in_keyring(const char *key_description,
+	struct crypt_keyslot_context **kc,
+	bool self_contained)
+{
+	char *i_key_description;
 	struct crypt_keyslot_context *tmp;
 
-	if (!kc)
+	if (!kc || !key_description)
 		return -EINVAL;
 
-	tmp = malloc(sizeof(*tmp));
+	tmp = crypt_zalloc(sizeof(*tmp));
 	if (!tmp)
 		return -ENOMEM;
 
-	crypt_keyslot_unlock_by_vk_in_keyring_internal(tmp, key_description);
+	if (self_contained) {
+		if (!(i_key_description = strdup(key_description))) {
+			free(tmp);
+			return -ENOMEM;
+		}
+		key_description = i_key_description;
+	}
+
+	tmp->type = CRYPT_KC_TYPE_VK_KEYRING;
+	tmp->u.vk_kr.key_description = key_description;
+
+	tmp->get_luks2_key = get_key_by_vk_in_keyring;
+	tmp->get_luks2_volume_key = get_volume_key_by_vk_in_keyring;
+	tmp->get_key_size = keyring_get_key_size;
+	tmp->context_free = vk_in_keyring_context_free;
+	crypt_keyslot_context_init_common(tmp);
+
+	if (self_contained) {
+		tmp->u.vk_kr.i_key_description = i_key_description;
+		tmp->version = KC_VERSION_SELF_CONTAINED;
+	}
 
 	*kc = tmp;
 
 	return 0;
 }
 
+CRYPT_SYMBOL_EXPORT_NEW(int, crypt_keyslot_context_init_by_vk_in_keyring, 2, 8,
+	/* crypt_keyslot_context_init_by_vk_in_keyring parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_vk_in_keyring(key_description, kc, true);
+}
+
+CRYPT_SYMBOL_EXPORT_OLD(int, crypt_keyslot_context_init_by_vk_in_keyring, 2, 7,
+	/* crypt_keyslot_context_init_by_vk_in_keyring parameters follows */
+	struct crypt_device *cd __attribute__((unused)),
+	const char *key_description,
+	struct crypt_keyslot_context **kc)
+{
+	return _crypt_keyslot_context_init_by_vk_in_keyring(key_description, kc, false);
+}
+
 int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc)
 {
 	return kc ? kc->error : -EINVAL;
@@ -775,10 +1205,21 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd __attribute__((unused)
 	const char *pin, size_t pin_size,
 	struct crypt_keyslot_context *kc)
 {
+	char *i_pin = NULL;
+
 	if (!kc || kc->type != CRYPT_KC_TYPE_TOKEN)
 		return -EINVAL;
 
-	kc->u.t.pin = pin;
+	if (kc->version >= KC_VERSION_SELF_CONTAINED && pin) {
+		if (!(i_pin = crypt_safe_alloc(pin_size)))
+			return -ENOMEM;
+		crypt_safe_memcpy(i_pin, pin, pin_size);
+	}
+
+	crypt_safe_free(kc->u.t.i_pin);
+	kc->u.t.i_pin = i_pin;
+
+	kc->u.t.pin = i_pin ?: pin;
 	kc->u.t.pin_size = pin_size;
 	kc->error = 0;
 
diff --git a/lib/keyslot_context.h b/lib/keyslot_context.h
index a7f834a..a2e42b2 100644
--- a/lib/keyslot_context.h
+++ b/lib/keyslot_context.h
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup, keyslot unlock helpers
  *
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2022-2024 Ondrej Kozina
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Ondrej Kozina
  */
 
 #ifndef KEYSLOT_CONTEXT_H
@@ -14,6 +14,9 @@
 
 #include "internal.h"
 
+struct bitlk_metadata;
+struct fvault2_params;
+
 typedef int (*keyslot_context_get_key) (
 	struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
@@ -32,6 +35,19 @@ typedef int (*keyslot_context_get_generic_volume_key) (
 	struct crypt_keyslot_context *kc,
 	struct volume_key **r_vk);
 
+typedef int (*keyslot_context_get_bitlk_volume_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct bitlk_metadata *params,
+	struct volume_key **r_vk);
+
+typedef int (*keyslot_context_get_fvault2_volume_key) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	const struct fvault2_params *params,
+	struct volume_key **r_vk);
+
+
 typedef int (*keyslot_context_get_generic_signed_key) (
 	struct crypt_device *cd,
 	struct crypt_keyslot_context *kc,
@@ -44,10 +60,28 @@ typedef int (*keyslot_context_get_passphrase) (
 	const char **r_passphrase,
 	size_t *r_passphrase_size);
 
+typedef void (*keyslot_context_free) (
+	struct crypt_keyslot_context *kc);
+
+typedef int (*keyslot_context_get_key_size) (
+	struct crypt_device *cd,
+	struct crypt_keyslot_context *kc,
+	size_t *r_key_size);
+
+#define KC_VERSION_BASIC          UINT8_C(1)
+#define KC_VERSION_SELF_CONTAINED UINT8_C(2)
+
 /* crypt_keyslot_context */
 struct crypt_keyslot_context {
 	int type;
 
+	/* versions:
+	 * v1: All passed pointers (e.g.: type, passphrase, keyfile,...) must
+	 *     be valid after ctx initialization.
+	 * v2: Fully self-contained
+	 */
+	uint8_t version;
+
 	union {
 	struct {
 		const char *passphrase;
@@ -55,31 +89,40 @@ struct crypt_keyslot_context {
 	} p;
 	struct {
 		const char *keyfile;
+		char *i_keyfile;
 		uint64_t keyfile_offset;
 		size_t keyfile_size;
 	} kf;
 	struct {
 		int id;
 		const char *type;
+		char *i_type;
 		const char *pin;
+		char *i_pin;
 		size_t pin_size;
 		void *usrptr;
 	} t;
 	struct {
 		const char *volume_key;
 		size_t volume_key_size;
+		struct volume_key *i_vk;
 	} k;
 	struct {
 		const char *volume_key;
 		size_t volume_key_size;
+		struct volume_key *i_vk;
 		const char *signature;
 		size_t signature_size;
+		struct volume_key *i_vk_sig;
 	} ks;
 	struct {
 		const char *key_description;
+		char *i_key_description;
 	} kr;
 	struct {
 		const char *key_description;
+		char *i_key_description;
+		size_t i_key_size;
 	} vk_kr;
 	} u;
 
@@ -92,45 +135,44 @@ struct crypt_keyslot_context {
 	keyslot_context_get_volume_key		get_luks1_volume_key;
 	keyslot_context_get_volume_key		get_luks2_volume_key;
 	keyslot_context_get_generic_volume_key	get_plain_volume_key;
-	keyslot_context_get_generic_volume_key	get_bitlk_volume_key;
-	keyslot_context_get_generic_volume_key	get_fvault2_volume_key;
+	keyslot_context_get_bitlk_volume_key	get_bitlk_volume_key;
+	keyslot_context_get_fvault2_volume_key	get_fvault2_volume_key;
 	keyslot_context_get_generic_signed_key	get_verity_volume_key;
 	keyslot_context_get_generic_volume_key	get_integrity_volume_key;
 	keyslot_context_get_passphrase		get_passphrase;
+	keyslot_context_get_key_size		get_key_size;
+	keyslot_context_free			context_free;
 };
 
 void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *method);
 
-void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_key_internal(struct crypt_keyslot_context *kc,
 	const char *volume_key,
 	size_t volume_key_size);
 
-void crypt_keyslot_unlock_by_signed_key_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_signed_key_internal(struct crypt_keyslot_context *kc,
 	const char *volume_key,
 	size_t volume_key_size,
 	const char *signature,
 	size_t signature_size);
 
-void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_passphrase_internal(struct crypt_keyslot_context *kc,
 	const char *passphrase,
 	size_t passphrase_size);
 
-void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_keyfile_internal(struct crypt_keyslot_context *kc,
 	const char *keyfile,
 	size_t keyfile_size,
 	uint64_t keyfile_offset);
 
-void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_token_internal(struct crypt_keyslot_context *kc,
 	int token,
 	const char *type,
 	const char *pin,
 	size_t pin_size,
 	void *usrptr);
 
-void crypt_keyslot_unlock_by_keyring_internal(struct crypt_keyslot_context *kc,
-	const char *key_description);
-
-void crypt_keyslot_unlock_by_vk_in_keyring_internal(struct crypt_keyslot_context *kc,
+void crypt_keyslot_context_init_by_keyring_internal(struct crypt_keyslot_context *kc,
 	const char *key_description);
 
 const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc);
diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index afc2a8d..e645b18 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 /**
@@ -74,13 +74,13 @@ int crypt_init_data_device(struct crypt_device **cd,
  * and, optionally, from separate metadata (header) device
  * and check if provided device exists.
  *
- * @return @e 0 on success or negative errno value otherwise.
- *
  * @param cd returns crypt device handle for active device
  * @param name name of active crypt device
  * @param header_device optional device containing on-disk header
  * 	  (@e NULL if it the same as underlying device on there is no on-disk header)
  *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
  * @post In case @e device points to active LUKS device but header load fails,
  * context device type is set to @e NULL and @e 0 is returned as if it were successful.
  * Context with @e NULL device type can only be deactivated by crypt_deactivate
@@ -137,7 +137,7 @@ void crypt_set_confirm_callback(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param device path to device
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  */
 int crypt_set_data_device(struct crypt_device *cd, const char *device);
 
@@ -145,13 +145,13 @@ int crypt_set_data_device(struct crypt_device *cd, const char *device);
  * Set data device offset in 512-byte sectors.
  * Used for LUKS.
  * This function is replacement for data alignment fields in LUKS param struct.
- * If set to 0 (default), old behaviour is preserved.
+ * If set to @e 0 (default), old behaviour is preserved.
  * This value is reset on @link crypt_load @endlink.
  *
  * @param cd crypt device handle
  * @param data_offset data offset in bytes
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Data offset must be aligned to multiple of 8 (alignment to 4096-byte sectors)
  * and must be big enough to accommodate the whole LUKS header with all keyslots.
@@ -232,7 +232,6 @@ void crypt_logf(struct crypt_device *cd, int level, const char *format, ...);
  *
  * @param cd crypt device handle
  * @param rng_type kernel random number generator to use
- *
  */
 void crypt_set_rng_type(struct crypt_device *cd, int rng_type);
 
@@ -240,8 +239,8 @@ void crypt_set_rng_type(struct crypt_device *cd, int rng_type);
  * Get which RNG (random number generator) is used for generating long term key.
  *
  * @param cd crypt device handle
- * @return RNG type on success or negative errno value otherwise.
  *
+ * @return RNG type on success or negative errno value otherwise.
  */
 int crypt_get_rng_type(struct crypt_device *cd);
 
@@ -252,7 +251,7 @@ struct crypt_pbkdf_type {
 	const char *type;         /**< PBKDF algorithm  */
 	const char *hash;         /**< Hash algorithm */
 	uint32_t time_ms;         /**< Requested time cost [milliseconds] */
-	uint32_t iterations;      /**< Iterations, 0 or benchmarked value. */
+	uint32_t iterations;      /**< Iterations, @e 0 or benchmarked value. */
 	uint32_t max_memory_kb;   /**< Requested or benchmarked  memory cost [kilobytes] */
 	uint32_t parallel_threads;/**< Requested parallel cost [threads] */
 	uint32_t flags;           /**< CRYPT_PBKDF* flags */
@@ -277,7 +276,7 @@ struct crypt_pbkdf_type {
  * @param cd crypt device handle
  * @param pbkdf PBKDF parameters
  *
- * @return 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note For LUKS1, only PBKDF2 is supported, other settings will be rejected.
  * @note For non-LUKS context types the call succeeds, but PBKDF is not used.
@@ -290,8 +289,7 @@ int crypt_set_pbkdf_type(struct crypt_device *cd,
  *
  * @param pbkdf_type type of PBKDF
  *
- * @return struct on success or NULL value otherwise.
- *
+ * @return struct on success or @e NULL value otherwise.
  */
 const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_type);
 
@@ -301,8 +299,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ
  *
  * @param type type of device (see @link crypt-type @endlink)
  *
- * @return struct on success or NULL value otherwise.
- *
+ * @return struct on success or @e NULL value otherwise.
  */
 const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type);
 
@@ -312,8 +309,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_default(const char *type);
  *
  * @param cd crypt device handle
  *
- * @return struct on success or NULL value otherwise.
- *
+ * @return struct on success or @e NULL value otherwise.
  */
 const struct crypt_pbkdf_type *crypt_get_pbkdf_type(struct crypt_device *cd);
 
@@ -335,9 +331,9 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m
  * \b Deprecated, only for backward compatibility. Memory with keys are locked automatically.
  *
  * @param cd crypt device handle, can be @e NULL
- * @param lock 0 to unlock otherwise lock memory
+ * @param lock @e 0 to unlock otherwise lock memory
  *
- * @returns Value indicating whether the memory is locked (function can be called multiple times).
+ * @return Value indicating whether the memory is locked (function can be called multiple times).
  *
  * @note Only root can do this.
  * @note It locks/unlocks all process memory, not only crypt context.
@@ -348,9 +344,9 @@ int crypt_memory_lock(struct crypt_device *cd, int lock) __attribute__((deprecat
  * Set global lock protection for on-disk metadata (file-based locking).
  *
  * @param cd crypt device handle, can be @e NULL
- * @param enable 0 to disable locking otherwise enable it (default)
+ * @param enable @e 0 to disable locking otherwise enable it (default)
  *
- * @returns @e 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Locking applied only for some metadata formats (LUKS2).
  * @note The switch is global on the library level.
@@ -366,7 +362,7 @@ int crypt_metadata_locking(struct crypt_device *cd, int enable);
  * @param metadata_size size in bytes of JSON area + 4k binary header
  * @param keyslots_size size in bytes of binary keyslots area
  *
- * @returns @e 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note The metadata area is stored twice and both copies contain 4k binary header.
  * Only 16,32,64,128,256,512,1024,2048 and 4096 kB value is allowed (see LUKS2 specification).
@@ -384,7 +380,7 @@ int crypt_set_metadata_size(struct crypt_device *cd,
  * @param metadata_size size in bytes of JSON area + 4k binary header
  * @param keyslots_size size in bytes of binary keyslots area
  *
- * @returns @e 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  */
 int crypt_get_metadata_size(struct crypt_device *cd,
 	uint64_t *metadata_size,
@@ -426,6 +422,7 @@ int crypt_get_metadata_size(struct crypt_device *cd,
  * Get device type
  *
  * @param cd crypt device handle
+ *
  * @return string according to device type or @e NULL if not known.
  */
 const char *crypt_get_type(struct crypt_device *cd);
@@ -454,14 +451,14 @@ const char *crypt_get_default_type(void);
  * Get HW encryption type
  *
  * @return HW encryption type (see @link crypt-hw-encryption-types @endlink)
- *         or negative errno otherwise.
+ *         or negative errno value otherwise.
  */
 int crypt_get_hw_encryption_type(struct crypt_device *cd);
 
 /**
  * Get HW encryption (like OPAL) key size (in bytes)
  *
- * @return key size or 0 if no HW encryption is used.
+ * @return key size or @e 0 if no HW encryption is used.
  */
 int crypt_get_hw_encryption_key_size(struct crypt_device *cd);
 
@@ -499,7 +496,6 @@ struct crypt_params_luks1 {
  * Structure used as parameter for loop-AES device type.
  *
  * @see crypt_format
- *
  */
 struct crypt_params_loopaes {
 	const char *hash; /**< key hash function */
@@ -512,7 +508,6 @@ struct crypt_params_loopaes {
  * Structure used as parameter for dm-verity device type.
  *
  * @see crypt_format, crypt_load
- *
  */
 struct crypt_params_verity {
 	const char *hash_name;     /**< hash function */
@@ -545,7 +540,6 @@ struct crypt_params_verity {
  * Structure used as parameter for TCRYPT device type.
  *
  * @see crypt_load
- *
  */
 struct crypt_params_tcrypt {
 	const char *passphrase;    /**< passphrase to unlock header (input only) */
@@ -593,8 +587,8 @@ struct crypt_params_integrity {
 	uint32_t tag_size;                   /**< tag size per-sector in bytes */
 	uint32_t sector_size;                /**< sector size in bytes */
 	uint32_t buffer_sectors;             /**< number of sectors in one buffer */
-	const char *integrity;               /**< integrity algorithm, NULL for LUKS2 */
-	uint32_t integrity_key_size;         /**< integrity key size in bytes, info only, 0 for LUKS2 */
+	const char *integrity;               /**< integrity algorithm, @e NULL for LUKS2 */
+	uint32_t integrity_key_size;         /**< integrity key size in bytes, info only */
 
 	const char *journal_integrity;       /**< journal integrity algorithm */
 	const char *journal_integrity_key;   /**< journal integrity key, only for crypt_load */
@@ -612,7 +606,6 @@ struct crypt_params_integrity {
  *
  * @note during crypt_format @e data_device attribute determines
  * 	 if the LUKS2 header is separated from encrypted payload device
- *
  */
 struct crypt_params_luks2 {
 	const struct crypt_pbkdf_type *pbkdf; /**< PBKDF (and hash) parameters or @e NULL*/
@@ -620,7 +613,7 @@ struct crypt_params_luks2 {
 	const struct crypt_params_integrity *integrity_params; /**< Data integrity parameters or @e NULL*/
 	size_t data_alignment;   /**< data area alignment in 512B sectors, data offset is multiple of this */
 	const char *data_device; /**< detached encrypted data device or @e NULL */
-	uint32_t sector_size;    /**< encryption sector size, 0 triggers auto-detection for optimal encryption sector size */
+	uint32_t sector_size;    /**< encryption sector size, @e 0 triggers auto-detection for optimal encryption sector size */
 	const char *label;       /**< header label or @e NULL*/
 	const char *subsystem;   /**< header subsystem label or @e NULL*/
 };
@@ -629,7 +622,6 @@ struct crypt_params_luks2 {
  * Structure used as parameter for OPAL (HW encrypted) device type.
  *
  * @see crypt_format_luks2_opal
- *
  */
 struct crypt_params_hw_opal {
 	const char *admin_key;   /**< admin key */
@@ -659,7 +651,7 @@ struct crypt_params_hw_opal {
  * @param volume_key_size size of volume key in bytes.
  * @param params crypt type specific parameters (see @link crypt-type @endlink)
  *
- * @returns @e 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Note that crypt_format does not create LUKS keyslot (any version). To create keyslot
  *	 call any crypt_keyslot_add_* function.
@@ -681,15 +673,15 @@ int crypt_format(struct crypt_device *cd,
  * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
  *
  * @param cd crypt device handle
- * @param cipher for SW encryption (e.g. "aes") or NULL for HW encryption only
- * @param cipher_mode including IV specification (e.g. "xts-plain") or NULL for HW encryption only
+ * @param cipher for SW encryption (e.g. "aes") or @e NULL for HW encryption only
+ * @param cipher_mode including IV specification (e.g. "xts-plain") or @e NULL for HW encryption only
  * @param uuid requested UUID or @e NULL if it should be generated
  * @param volume_keys pre-generated volume keys or @e NULL if it should be generated (only for LUKS2 SW encryption)
  * @param volume_keys_size size of volume keys in bytes (only for SW encryption).
  * @param params LUKS2 crypt type specific parameters (see @link crypt-type @endlink)
  * @param opal_params OPAL specific parameters
  *
- * @returns @e 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Note that crypt_format_luks2_opal does not create LUKS keyslot.
  *       To create keyslot call any crypt_keyslot_add_* function.
@@ -703,6 +695,35 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 	struct crypt_params_luks2 *params,
 	struct crypt_params_hw_opal *opal_params);
 
+/**
+ * Create (format) new integrity-protected device using integrity inline mode (HW sector tags).
+ * This can be used for @e INTEGRITY and @e LUKS2 with integrity protection
+ *
+ * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
+ *
+ * @param cd crypt device handle
+ * @param type type of device (optional params struct must be of this type)
+ * @param cipher (e.g. "aes") or @e NULL for @e INTEGRITY
+ * @param cipher_mode including IV specification (e.g. "xts-plain") or @e NULL for @e INTEGRITY
+ * @param uuid requested UUID or @e NULL if it should be generated
+ * @param volume_key pre-generated integrity/volume key (if needed) or @e NULL
+ * @param volume_key_size size of volume/integrity key in bytes.
+ * @param params crypt type specific parameters (see @link crypt-type @endlink)
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note Journal parameters must be set to zero in integrity part of @e params.
+ * 	Only tag_size, sector_size, buffer_sectors, integrity options should be set.
+ */
+int crypt_format_inline(struct crypt_device *cd,
+	const char *type,
+	const char *cipher,
+	const char *cipher_mode,
+	const char *uuid,
+	const char *volume_key,
+	size_t volume_key_size,
+	void *params);
+
 /**
  * Set format compatibility flags.
  *
@@ -716,7 +737,7 @@ void crypt_set_compatibility(struct crypt_device *cd, uint32_t flags);
  *
  * @param cd crypt device handle
  *
- * @returns compatibility flags
+ * @return compatibility flags
  */
 uint32_t crypt_get_compatibility(struct crypt_device *cd);
 
@@ -734,7 +755,7 @@ uint32_t crypt_get_compatibility(struct crypt_device *cd);
  * @param type type of device (optional params struct must be of this type)
  * @param params crypt type specific parameters (see @link crypt-type @endlink)
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Currently, only LUKS1->LUKS2 and LUKS2->LUKS1 conversions are supported.
  *	 Not all LUKS2 devices may be converted back to LUKS1. To make such a conversion
@@ -755,7 +776,7 @@ int crypt_convert(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param uuid requested UUID or @e NULL if it should be generated
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Currently, only LUKS device type are supported
  */
@@ -769,7 +790,7 @@ int crypt_set_uuid(struct crypt_device *cd,
  * @param label requested label or @e NULL
  * @param subsystem requested subsystem label or @e NULL
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Currently, only LUKS2 device type is supported
  */
@@ -803,10 +824,10 @@ const char *crypt_get_subsystem(struct crypt_device *cd);
  * dm-crypt target.
  *
  * @param cd crypt device handle, can be @e NULL
- * @param enable 0 to disable loading of volume keys via kernel keyring
+ * @param enable @e 0 to disable loading of volume keys via kernel keyring
  * 	  (classical method) otherwise enable it (default)
  *
- * @returns @e 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Currently loading of volume keys via kernel keyring is supported
  * 	 (and enabled by default) only for LUKS2 devices.
@@ -821,14 +842,13 @@ int crypt_volume_key_keyring(struct crypt_device *cd, int enable);
  * @param requested_type @link crypt-type @endlink or @e NULL for all known
  * @param params crypt type specific parameters (see @link crypt-type @endlink)
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @post In case LUKS header is read successfully but payload device is too small
  * error is returned and device type in context is set to @e NULL
  *
  * @note Note that load works only for device types with on-disk metadata.
  * @note Function does not print visible error message if metadata is not present.
- *
  */
 int crypt_load(struct crypt_device *cd,
 	const char *requested_type,
@@ -841,7 +861,7 @@ int crypt_load(struct crypt_device *cd,
  * @param requested_type @link crypt-type @endlink or @e NULL for all known
  * @param params crypt type specific parameters (see @link crypt-type @endlink)
  *
- * @returns 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note For LUKS2 device crypt_repair bypass blkid checks and
  * 	 perform auto-recovery even though there're third party device
@@ -880,10 +900,9 @@ int crypt_resize(struct crypt_device *cd,
  * @param cd crypt device handle, can be @e NULL
  * @param name name of device to suspend
  *
- * @return 0 on success or negative errno value otherwise.
+ * @return @e 0 on success or negative errno value otherwise.
  *
  * @note Only LUKS device type is supported
- *
  */
 int crypt_suspend(struct crypt_device *cd,
 	const char *name);
@@ -898,7 +917,7 @@ int crypt_suspend(struct crypt_device *cd,
  * @param passphrase passphrase used to unlock volume key
  * @param passphrase_size size of @e passphrase (binary data)
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  *
  * @note Only LUKS device type is supported
  */
@@ -915,10 +934,10 @@ int crypt_resume_by_passphrase(struct crypt_device *cd,
  * @param name name of device to resume
  * @param keyslot requested keyslot or CRYPT_ANY_SLOT
  * @param keyfile key file used to unlock volume key
- * @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
+ * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
  * @param keyfile_offset number of bytes to skip at start of keyfile
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  */
 int crypt_resume_by_keyfile_device_offset(struct crypt_device *cd,
 	const char *name,
@@ -951,7 +970,7 @@ int crypt_resume_by_keyfile(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param name name of device to resume
  * @param volume_key provided volume key
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  *
  * @return @e 0 on success or negative errno value otherwise.
  */
@@ -969,7 +988,7 @@ int crypt_resume_by_volume_key(struct crypt_device *cd,
  * @param pin_size size of @e pin
  * @param usrptr provided identification in callback
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  *
  * @note EPERM errno means token provided passphrase successfully, but
  *       passphrase did not unlock any keyslot associated with the token.
@@ -978,7 +997,7 @@ int crypt_resume_by_volume_key(struct crypt_device *cd,
  *       eligible to resume LUKS2 device.
  *
  * @note ENOANO errno means that token is PIN protected and was either missing
- *       (NULL) or wrong.
+ *       (@e NULL) or wrong.
  *
  * @note Negative EAGAIN errno means token handler requires additional hardware
  *       not present in the system to unlock keyslot.
@@ -1007,7 +1026,7 @@ int crypt_resume_by_token_pin(struct crypt_device *cd,
  * @param kc keyslot context providing volume key or passphrase.
  *
  * @return unlocked key slot number for passphrase-based unlock, zero for other
- *         unlock methods (e.g. volume key context) or negative errno on error.
+ *         unlock methods (e.g. volume key context) or negative errno value on error.
  */
 int crypt_resume_by_keyslot_context(struct crypt_device *cd,
 			       const char *name,
@@ -1036,7 +1055,7 @@ int crypt_resume_by_keyslot_context(struct crypt_device *cd,
  * @param new_passphrase passphrase for new keyslot
  * @param new_passphrase_size size of @e new_passphrase (binary data)
  *
- * @return allocated key slot number or negative errno otherwise.
+ * @return allocated key slot number or negative errno value otherwise.
  */
 int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
 	int keyslot,
@@ -1058,7 +1077,7 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
  * @param new_passphrase passphrase for new keyslot
  * @param new_passphrase_size size of @e new_passphrase (binary data)
  *
- * @return allocated key slot number or negative errno otherwise.
+ * @return allocated key slot number or negative errno value otherwise.
  */
 int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
 	int keyslot_old,
@@ -1082,7 +1101,7 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
  * @param new_keyfile_size number of bytes to read from @e new_keyfile, @e 0 is unlimited
  * @param new_keyfile_offset number of bytes to skip at start of new_keyfile
  *
- * @return allocated key slot number or negative errno otherwise.
+ * @return allocated key slot number or negative errno value otherwise.
  */
 int crypt_keyslot_add_by_keyfile_device_offset(struct crypt_device *cd,
 	int keyslot,
@@ -1123,11 +1142,11 @@ int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param keyslot requested keyslot or CRYPT_ANY_SLOT
  * @param volume_key provided volume key or @e NULL if used after crypt_format
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  * @param passphrase passphrase for new keyslot
  * @param passphrase_size size of passphrase
  *
- * @return allocated key slot number or negative errno otherwise.
+ * @return allocated key slot number or negative errno value otherwise.
  */
 int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
 	int keyslot,
@@ -1153,12 +1172,12 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param keyslot requested keyslot or CRYPT_ANY_SLOT
  * @param volume_key provided volume key or @e NULL (see note below)
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  * @param passphrase passphrase for new keyslot
  * @param passphrase_size size of passphrase
  * @param flags key flags to set
  *
- * @return allocated key slot number or negative errno otherwise.
+ * @return allocated key slot number or negative errno value otherwise.
  *
  * @note in case volume_key is @e NULL following first matching rule will apply:
  * @li if cd is device handle used in crypt_format() by current process, the volume
@@ -1203,7 +1222,11 @@ void crypt_keyslot_context_free(struct crypt_keyslot_context *kc);
  * @param passphrase_size size of passphrase
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_PASSPHRASE
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
+ *
+ * @note The original buffer containing passphrase passed in parameters does
+ * 	 not have to be valid after context initialization. The context
+ * 	 contains copy of the original before freed with @link crypt_keyslot_context_free @endlink.
  */
 int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
 	const char *passphrase,
@@ -1220,7 +1243,7 @@ int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
  * @param keyfile_offset number of bytes to skip at start of keyfile
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYFILE
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
  */
 int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
 	const char *keyfile,
@@ -1240,7 +1263,7 @@ int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
  * @param usrptr provided identification in callback
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_TOKEN
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
  */
 int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
 	int token,
@@ -1256,10 +1279,10 @@ int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
  *
  * @param volume_key provided volume key or @e NULL if used after crypt_format
  *        or with CRYPT_VOLUME_KEY_NO_SEGMENT flag
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEY
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
  */
 int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
 	const char *volume_key,
@@ -1272,12 +1295,12 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
  * @param cd crypt device handle initialized to device context
  *
  * @param volume_key provided volume key
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  * @param signature buffer with signature for the key
- * @param signature_size bsize of signature buffer
+ * @param signature_size size of signature buffer
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
  *
  * @note currently supported only with VERITY devices.
  */
@@ -1297,7 +1320,7 @@ int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd,
  *        for passphrase in
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
  */
 int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd,
 	const char *key_description,
@@ -1313,7 +1336,7 @@ int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd,
  *        or a text representation in the form "%<key_type>:<key_name>"
  * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
  *
- * @return zero on success or negative errno otherwise.
+ * @return zero on success or negative errno value otherwise.
  */
 int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd,
 	const char *key_description,
@@ -1343,7 +1366,7 @@ int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc);
  * @param pin_size size of @e pin
  * @param kc LUKS2 keyslot context (only @link CRYPT_KC_TYPE_TOKEN @endlink is allowed)
  *
- * @return zero on success or negative errno otherwise
+ * @return zero on success or negative errno value otherwise
  */
 int crypt_keyslot_context_set_pin(struct crypt_device *cd,
 	const char *pin, size_t pin_size,
@@ -1379,7 +1402,7 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd,
  *
  * @param kc keyslot context
  *
- * @return crypt keyslot context type id (see @link crypt-keyslot-context-types @endlink) or negative errno otherwise.
+ * @return crypt keyslot context type id (see @link crypt-keyslot-context-types @endlink) or negative errno value otherwise.
  */
 int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc);
 /** @} */
@@ -1398,7 +1421,7 @@ int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc);
  * @param new_kc keyslot context providing passphrase for new keyslot.
  * @param flags key flags to set
  *
- * @return allocated key slot number or negative errno otherwise.
+ * @return allocated key slot number or negative errno value otherwise.
  *
  * @note new_kc can not be @e CRYPT_KC_TYPE_KEY type keyslot context.
  *
@@ -1504,6 +1527,12 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
 #define CRYPT_ACTIVATE_RECALCULATE_RESET (UINT32_C(1) << 26)
 /** dm-verity: try to use tasklets */
 #define CRYPT_ACTIVATE_TASKLETS (UINT32_C(1) << 27)
+/** dm-crypt: use high-priority workqueues */
+#define CRYPT_ACTIVATE_HIGH_PRIORITY (UINT32_C(1) << 28)
+/** dm-verity: also restart/panic on error, use with RESTART_ON_CORRUPTION or PANIC_ON_CORRUPTION */
+#define CRYPT_ACTIVATE_ERROR_AS_CORRUPTION (UINT32_C(1) << 29)
+/** dm-integrity: inline mode for compatible hardware profile */
+#define CRYPT_ACTIVATE_INLINE_MODE (UINT32_C(1) << 30)
 
 /**
  * Active device runtime attributes
@@ -1523,7 +1552,6 @@ struct crypt_active_device {
  * @param cad preallocated active device attributes to fill
  *
  * @return @e 0 on success or negative errno value otherwise
- *
  */
 int crypt_get_active_device(struct crypt_device *cd,
 	const char *name,
@@ -1536,7 +1564,6 @@ int crypt_get_active_device(struct crypt_device *cd,
  * @param name name of active device
  *
  * @return number of integrity failures or @e 0 otherwise
- *
  */
 uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd,
 	const char *name);
@@ -1557,6 +1584,8 @@ uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd,
 #define CRYPT_REQUIREMENT_ONLINE_REENCRYPT	(UINT32_C(1) << 1)
 /** Device configured with OPAL support */
 #define CRYPT_REQUIREMENT_OPAL			(UINT32_C(1) << 2)
+/** Device configured with inline HW tags */
+#define CRYPT_REQUIREMENT_INLINE_HW_TAGS	(UINT32_C(1) << 3)
 /** unknown requirement in header (output only) */
 #define CRYPT_REQUIREMENT_UNKNOWN		(UINT32_C(1) << 31)
 
@@ -1579,9 +1608,11 @@ typedef enum {
  *
  * @note Valid only for LUKS2.
  *
- * @note Not all activation flags can be stored. Only ALLOW_DISCARD,
- * 	 SAME_CPU_CRYPT, SUBMIT_FROM_CRYPT_CPU and NO_JOURNAL can be
- * 	 stored persistently.
+ * @note Not all activation flags can be stored. Only CRYPT_ACTIVATE_ALLOW_DISCARDS,
+ *       CRYPT_ACTIVATE_SAME_CPU_CRYPT, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS,
+ *       CRYPT_ACTIVATE_NO_JOURNAL, CRYPT_ACTIVATE_NO_READ_WORKQUEUE,
+ *       CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE and CRYPT_ACTIVATE_HIGH_PRIORITY
+ *       can be stored persistently.
  *
  * @note Only requirements flags recognised by current library may be set.
  *	 CRYPT_REQUIREMENT_UNKNOWN is illegal (output only) in set operation.
@@ -1633,7 +1664,7 @@ int crypt_persistent_flags_get(struct crypt_device *cd,
  * @param flags activation flags
  *
  * @return unlocked key slot number for passphrase-based unlock, zero for other
- *         unlock methods (e.g. volume key context) or negative errno on error.
+ *         unlock methods (e.g. volume key context) or negative errno value on error.
  */
 int crypt_activate_by_keyslot_context(struct crypt_device *cd,
 	const char *name,
@@ -1653,7 +1684,7 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
  * @param passphrase_size size of @e passphrase
  * @param flags activation flags
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  */
 int crypt_activate_by_passphrase(struct crypt_device *cd,
 	const char *name,
@@ -1669,11 +1700,11 @@ int crypt_activate_by_passphrase(struct crypt_device *cd,
  * @param name name of device to create, if @e NULL only check keyfile
  * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
  * @param keyfile key file used to unlock volume key
- * @param keyfile_size number of bytes to read from keyfile, 0 is unlimited
+ * @param keyfile_size number of bytes to read from keyfile, @e 0 is unlimited
  * @param keyfile_offset number of bytes to skip at start of keyfile
  * @param flags activation flags
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  */
 int crypt_activate_by_keyfile_device_offset(struct crypt_device *cd,
 	const char *name,
@@ -1710,7 +1741,7 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param name name of device to create, if @e NULL only check volume key
  * @param volume_key provided volume key (or @e NULL to use internal)
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  * @param flags activation flags
  *
  * @return @e 0 on success or negative errno value otherwise.
@@ -1721,7 +1752,7 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
  * @note For VERITY the volume key means root hash required for activation.
  * 	 Because kernel dm-verity is always read only, you have to provide
  * 	 CRYPT_ACTIVATE_READONLY flag always.
- * @note For TCRYPT the volume key should be always NULL
+ * @note For TCRYPT the volume key should be always @e NULL
  * 	 the key from decrypted header is used instead.
  * @note For BITLK the name cannot be @e NULL checking volume key is not
  * 	 supported for BITLK, the device will be activated even if the
@@ -1739,9 +1770,9 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
  * @param cd crypt device handle
  * @param name name of device to create
  * @param volume_key provided volume key
- * @param volume_key_size size of volume_key
+ * @param volume_key_size size of volume_key in bytes
  * @param signature buffer with signature for the key
- * @param signature_size bsize of signature buffer
+ * @param signature_size size of signature buffer
  * @param flags activation flags
  *
  * @return @e 0 on success or negative errno value otherwise.
@@ -1797,7 +1828,6 @@ int crypt_activate_by_keyring(struct crypt_device *cd,
  * @param flags deactivation flags
  *
  * @return @e 0 on success or negative errno value otherwise.
- *
  */
 int crypt_deactivate_by_name(struct crypt_device *cd,
 	const char *name,
@@ -1822,11 +1852,11 @@ int crypt_deactivate(struct crypt_device *cd, const char *name);
  * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
  * @param volume_key buffer for volume key
  * @param volume_key_size on input, size of buffer @e volume_key,
- *        on output size of @e volume_key
+ *        on output size of @e volume_key in bytes
  * @param passphrase passphrase used to unlock volume key
  * @param passphrase_size size of @e passphrase
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  *
  * @note For TCRYPT cipher chain is the volume key concatenated
  * 	 for all ciphers in chain.
@@ -1849,17 +1879,17 @@ int crypt_volume_key_get(struct crypt_device *cd,
  * @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
  * @param volume_key buffer for volume key
  * @param volume_key_size on input, size of buffer @e volume_key,
- *        on output size of @e volume_key
+ *        on output size of @e volume_key in bytes
  * @param kc keyslot context used to unlock volume key
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  *
  * @note See @link crypt-keyslot-context-types @endlink for info on keyslot
  * 	 context initialization.
  * @note For TCRYPT cipher chain is the volume key concatenated
- * 	 for all ciphers in chain (kc may be NULL).
+ * 	 for all ciphers in chain (kc may be @e NULL).
  * @note For VERITY the volume key means root hash used for activation
- * 	 (kc may be NULL).
+ * 	 (kc may be @e NULL).
  * @note For LUKS devices, if kc is @e NULL and volume key is cached in
  * 	 device context it returns the volume key generated in preceding
  * 	 @link crypt_format @endlink call.
@@ -1882,7 +1912,7 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
  *
  * @param cd crypt device handle
  * @param volume_key provided volume key
- * @param volume_key_size size of @e volume_key
+ * @param volume_key_size size of @e volume_key in bytes
  *
  * @return @e 0 on success or negative errno value otherwise.
  *
@@ -1918,7 +1948,6 @@ typedef enum {
  * @param name crypt device name
  *
  * @return value defined by crypt_status_info.
- *
  */
 crypt_status_info crypt_status(struct crypt_device *cd, const char *name);
 
@@ -1935,7 +1964,7 @@ int crypt_dump(struct crypt_device *cd);
  * Dump JSON-formatted information about LUKS2 device
  *
  * @param cd crypt device handle (only LUKS2 format supported)
- * @param json buffer with JSON, if NULL use log callback for output
+ * @param json buffer with JSON, if @e NULL use log callback for output
  * @param flags dump flags (reserved)
  *
  * @return @e 0 on success or negative errno value otherwise.
@@ -1948,7 +1977,6 @@ int crypt_dump_json(struct crypt_device *cd, const char **json, uint32_t flags);
  * @param cd crypt device handle
  *
  * @return used cipher, e.g. "aes" or @e NULL otherwise
- *
  */
 const char *crypt_get_cipher(struct crypt_device *cd);
 
@@ -1958,7 +1986,6 @@ const char *crypt_get_cipher(struct crypt_device *cd);
  * @param cd crypt device handle
  *
  * @return used cipher mode e.g. "xts-plain" or @e otherwise
- *
  */
 const char *crypt_get_cipher_mode(struct crypt_device *cd);
 
@@ -1968,7 +1995,6 @@ const char *crypt_get_cipher_mode(struct crypt_device *cd);
  * @param cd crypt device handle
  *
  * @return device UUID or @e NULL if not set
- *
  */
 const char *crypt_get_uuid(struct crypt_device *cd);
 
@@ -1978,7 +2004,6 @@ const char *crypt_get_uuid(struct crypt_device *cd);
  * @param cd crypt device handle
  *
  * @return path to underlying device name
- *
  */
 const char *crypt_get_device_name(struct crypt_device *cd);
 
@@ -1988,7 +2013,6 @@ const char *crypt_get_device_name(struct crypt_device *cd);
  * @param cd crypt device handle
  *
  * @return path to underlying device name
- *
  */
 const char *crypt_get_metadata_device_name(struct crypt_device *cd);
 
@@ -1998,7 +2022,6 @@ const char *crypt_get_metadata_device_name(struct crypt_device *cd);
  * @param cd crypt device handle
  *
  * @return device offset in sectors
- *
  */
 uint64_t crypt_get_data_offset(struct crypt_device *cd);
 
@@ -2008,7 +2031,6 @@ uint64_t crypt_get_data_offset(struct crypt_device *cd);
  * @param cd crypt device handle
  *
  * @return IV offset
- *
  */
 uint64_t crypt_get_iv_offset(struct crypt_device *cd);
 
@@ -2024,13 +2046,25 @@ uint64_t crypt_get_iv_offset(struct crypt_device *cd);
  */
 int crypt_get_volume_key_size(struct crypt_device *cd);
 
+/**
+ * Get size (in bytes) of old volume key for LUKS2 device in reencryption.
+ *
+ * @param cd crypt LUKS2 device handle
+ *
+ * @return old volume key size when device is in reencryption state
+ *
+ * @note For LUKS2, this function can be used only if there is at least
+ *       one keyslot assigned to old data segment. Also with reencryption
+ *       mode 'encrypt' there's no old volume key.
+ */
+int crypt_get_old_volume_key_size(struct crypt_device *cd);
+
 /**
  * Get size (in bytes) of encryption sector for crypt device.
  *
  * @param cd crypt device handle
  *
  * @return sector size
- *
  */
 int crypt_get_sector_size(struct crypt_device *cd);
 
@@ -2056,7 +2090,6 @@ int crypt_header_is_detached(struct crypt_device *cd);
  * @param vp verity device info
  *
  * @e 0 on success or negative errno value otherwise.
- *
  */
 int crypt_get_verity_info(struct crypt_device *cd,
 	struct crypt_params_verity *vp);
@@ -2068,7 +2101,6 @@ int crypt_get_verity_info(struct crypt_device *cd,
  * @param ip verity device info
  *
  * @e 0 on success or negative errno value otherwise.
- *
  */
 int crypt_get_integrity_info(struct crypt_device *cd,
 	struct crypt_params_integrity *ip);
@@ -2116,7 +2148,7 @@ int crypt_benchmark(struct crypt_device *cd,
  * @param password_size size of password
  * @param salt salt for benchmark
  * @param salt_size size of salt
- * @param volume_key_size output volume key size
+ * @param volume_key_size output volume key size in bytes
  * @param progress callback function
  * @param usrptr provided identification in callback
  *
@@ -2158,7 +2190,6 @@ typedef enum {
  * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
  *
  * @return value defined by crypt_keyslot_info
- *
  */
 crypt_keyslot_info crypt_keyslot_status(struct crypt_device *cd, int keyslot);
 
@@ -2198,7 +2229,7 @@ int crypt_keyslot_set_priority(struct crypt_device *cd, int keyslot, crypt_keysl
  *
  * @param type crypt device type
  *
- * @return slot count or negative errno otherwise if device
+ * @return slot count or negative errno value otherwise if device
  * doesn't not support keyslots.
  */
 int crypt_keyslot_max(const char *type);
@@ -2212,7 +2243,6 @@ int crypt_keyslot_max(const char *type);
  * @param length length of keyslot area (in bytes)
  *
  * @return @e 0 on success or negative errno value otherwise.
- *
  */
 int crypt_keyslot_area(struct crypt_device *cd,
 	int keyslot,
@@ -2269,7 +2299,7 @@ int crypt_keyslot_get_pbkdf(struct crypt_device *cd, int keyslot, struct crypt_p
  * @return @e 0 on success or negative errno value otherwise.
  *
  * @note To reset to default keyslot encryption (the same as for data)
- *       set cipher to NULL and key size to 0.
+ *       set cipher to @e NULL and key size to 0.
  */
 int crypt_keyslot_set_encryption(struct crypt_device *cd,
 	const char *cipher,
@@ -2297,7 +2327,6 @@ const char *crypt_get_dir(void);
  * @param backup_file file to backup header to
  *
  * @return @e 0 on success or negative errno value otherwise.
- *
  */
 int crypt_header_backup(struct crypt_device *cd,
 	const char *requested_type,
@@ -2336,7 +2365,6 @@ int crypt_header_restore(struct crypt_device *cd,
  * Set the debug level for library
  *
  * @param level debug level
- *
  */
 void crypt_set_debug_level(int level);
 /** @} */
@@ -2353,8 +2381,8 @@ void crypt_set_debug_level(int level);
  * @param cd crypt device handle
  * @param keyfile keyfile to read
  * @param key buffer for key
- * @param key_size_read size of read key
- * @param keyfile_offset key offset in keyfile
+ * @param key_size_read size of read key in bytes
+ * @param keyfile_offset key offset in bytes in keyfile
  * @param key_size exact key length to read from file or 0
  * @param flags keyfile read flags
  *
@@ -2481,7 +2509,7 @@ int crypt_wipe_hw_opal(struct crypt_device *cd,
  *
  * @param type crypt device type
  *
- * @return token count or negative errno otherwise if device
+ * @return token count or negative errno value otherwise if device
  * doesn't not support tokens.
  *
  * @note Real number of supported tokens for a particular device depends
@@ -2499,7 +2527,7 @@ int crypt_token_max(const char *type);
  * @param token token id
  * @param json buffer with JSON
  *
- * @return allocated token id or negative errno otherwise.
+ * @return allocated token id or negative errno value otherwise.
  */
 int crypt_token_json_get(struct crypt_device *cd,
 	int token,
@@ -2512,7 +2540,7 @@ int crypt_token_json_get(struct crypt_device *cd,
  * @param token token id or @e CRYPT_ANY_TOKEN to allocate new one
  * @param json buffer with JSON or @e NULL to remove token
  *
- * @return allocated token id or negative errno otherwise.
+ * @return allocated token id or negative errno value otherwise.
  *
  * @note The buffer must be in proper JSON format and must contain at least
  *       string "type" with slot type and an array of string names "keyslots".
@@ -2542,7 +2570,7 @@ typedef enum {
  * @param type pointer for returned type string
  *
  * @return token status info. For any returned status (besides CRYPT_TOKEN_INVALID
- * 	   and CRYPT_TOKEN_INACTIVE) and if type parameter is not NULL it will
+ * 	   and CRYPT_TOKEN_INACTIVE) and if type parameter is not @e NULL it will
  * 	   contain address of type string.
  *
  * @note if required, create a copy of string referenced in *type before calling next
@@ -2554,7 +2582,6 @@ crypt_token_info crypt_token_status(struct crypt_device *cd, int token, const ch
  * LUKS2 keyring token parameters.
  *
  * @see crypt_token_builtin_set
- *
  */
 struct crypt_token_params_luks2_keyring {
 	const char *key_description; /**< Reference in keyring */
@@ -2567,8 +2594,7 @@ struct crypt_token_params_luks2_keyring {
  * @param token token id or @e CRYPT_ANY_TOKEN to allocate new one
  * @param params luks2 keyring token params
  *
- * @return allocated token id or negative errno otherwise.
- *
+ * @return allocated token id or negative errno value otherwise.
  */
 int crypt_token_luks2_keyring_set(struct crypt_device *cd,
 	int token,
@@ -2581,7 +2607,7 @@ int crypt_token_luks2_keyring_set(struct crypt_device *cd,
  * @param token existing luks2 keyring token id
  * @param params returned luks2 keyring token params
  *
- * @return allocated token id or negative errno otherwise.
+ * @return allocated token id or negative errno value otherwise.
  *
  * @note do not call free() on params members. Members are valid only
  * 	 until next libcryptsetup function is called.
@@ -2595,11 +2621,11 @@ int crypt_token_luks2_keyring_get(struct crypt_device *cd,
  * (There can be more keyslots assigned to one token id.)
  *
  * @param cd crypt device handle
- * @param token token id
+ * @param token specific token id
  * @param keyslot keyslot to be assigned to token (CRYPT_ANY SLOT
  * 	  assigns all active keyslots to token)
  *
- * @return allocated token id or negative errno otherwise.
+ * @return requested token id to be assigned or negative errno value otherwise.
  */
 int crypt_token_assign_keyslot(struct crypt_device *cd,
 	int token,
@@ -2610,11 +2636,11 @@ int crypt_token_assign_keyslot(struct crypt_device *cd,
  * (There can be more keyslots assigned to one token id.)
  *
  * @param cd crypt device handle
- * @param token token id
+ * @param token specific token id
  * @param keyslot keyslot to be unassigned from token (CRYPT_ANY SLOT
  * 	  unassigns all active keyslots from token)
  *
- * @return allocated token id or negative errno otherwise.
+ * @return requested token id to be unassigned or negative errno value otherwise.
  */
 int crypt_token_unassign_keyslot(struct crypt_device *cd,
 	int token,
@@ -2627,9 +2653,9 @@ int crypt_token_unassign_keyslot(struct crypt_device *cd,
  * @param token token id
  * @param keyslot keyslot
  *
- * @return 0 on success (token exists and is assigned to the keyslot),
+ * @return @e 0 on success (token exists and is assigned to the keyslot),
  *	   -ENOENT if token is not assigned to a keyslot (token, keyslot
- *	   or both may be inactive) or other negative errno otherwise.
+ *	   or both may be inactive) or other negative errno value otherwise.
  */
 int crypt_token_is_assigned(struct crypt_device *cd,
 	int token,
@@ -2647,8 +2673,8 @@ int crypt_token_is_assigned(struct crypt_device *cd,
  * @param buffer_len length of the buffer
  * @param usrptr user data in @link crypt_activate_by_token @endlink
  *
- * @return 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
- *         negative errno otherwise.
+ * @return @e 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
+ *         negative errno value otherwise.
  *
  * @note Negative ENOANO errno means that token is PIN protected and caller should
  *       use @link crypt_activate_by_token_pin @endlink with PIN provided.
@@ -2677,8 +2703,8 @@ typedef int (*crypt_token_open_func) (
  * @param buffer_len length of the buffer
  * @param usrptr user data in @link crypt_activate_by_token @endlink
  *
- * @return 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
- *         negative errno otherwise.
+ * @return @e 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
+ *         negative errno value otherwise.
  *
  * @note Negative ENOANO errno means that token is PIN protected and PIN was
  *       missing or wrong.
@@ -2738,7 +2764,6 @@ typedef void (*crypt_token_dump_func) (struct crypt_device *cd, const char *json
  *
  * @note The returned string is advised to contain only version.
  *	 For example '1.0.0' or 'v1.2.3.4'.
- *
  */
 typedef const char * (*crypt_token_version_func) (void);
 
@@ -2811,7 +2836,7 @@ void crypt_token_external_disable(void);
  * @param usrptr provided identification in callback
  * @param flags activation flags
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  *
  * @note EPERM errno means token provided passphrase successfully, but
  *       passphrase did not unlock any keyslot associated with the token.
@@ -2828,7 +2853,7 @@ void crypt_token_external_disable(void);
  * @note with @e token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop
  *       to unlock device using any available token. It may happen that various token handlers
  *       return different error codes. At the end loop returns error codes in the following
- *       order (from the most significant to the least) any negative errno except those
+ *       order (from the most significant to the least) any negative errno value except those
  *       listed below, non negative token id (success), -ENOANO, -EAGAIN, -EPERM, -ENOENT.
  */
 int crypt_activate_by_token(struct crypt_device *cd,
@@ -2849,7 +2874,7 @@ int crypt_activate_by_token(struct crypt_device *cd,
  * @param usrptr provided identification in callback
  * @param flags activation flags
  *
- * @return unlocked key slot number or negative errno otherwise.
+ * @return unlocked key slot number or negative errno value otherwise.
  *
  * @note EPERM errno means token provided passphrase successfully, but
  *       passphrase did not unlock any keyslot associated with the token.
@@ -2858,7 +2883,7 @@ int crypt_activate_by_token(struct crypt_device *cd,
  *       eligible to unlock device.
  *
  * @note ENOANO errno means that token is PIN protected and was either missing
- *       (NULL) or wrong.
+ *       (@e NULL) or wrong.
  *
  * @note Negative EAGAIN errno means token handler requires additional hardware
  *       not present in the system.
@@ -2866,7 +2891,7 @@ int crypt_activate_by_token(struct crypt_device *cd,
  * @note with @e token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop
  *       to unlock device using any available token. It may happen that various token handlers
  *       return different error codes. At the end loop returns error codes in the following
- *       order (from the most significant to the least) any negative errno except those
+ *       order (from the most significant to the least) any negative errno value except those
  *       listed below, non negative token id (success), -ENOANO, -EAGAIN, -EPERM, -ENOENT.
  */
 int crypt_activate_by_token_pin(struct crypt_device *cd,
@@ -2899,6 +2924,12 @@ int crypt_activate_by_token_pin(struct crypt_device *cd,
 #define CRYPT_REENCRYPT_RECOVERY           (UINT32_C(1) << 3)
 /** Reencryption requires metadata protection. (in/out) */
 #define CRYPT_REENCRYPT_REPAIR_NEEDED      (UINT32_C(1) << 4)
+/**
+ *  Calculate new (future) volume key digest directly during
+ *  reencryption initialization. The keyslot context for new
+ *  volume key must be CRYPT_KC_TYPE_KEY or
+ *  CRYPT_KC_TYPE_VK_KEYRING. (in) */
+#define CRYPT_REENCRYPT_CREATE_NEW_DIGEST  (UINT32_C(1) << 5)
 
 /**
  * Reencryption direction
@@ -2955,7 +2986,7 @@ struct crypt_params_reencrypt {
  * @param cipher_mode cipher mode and IV (e.g. "xts-plain64")
  * @param params reencryption parameters @link crypt_params_reencrypt @endlink.
  *
- * @return reencryption key slot number or negative errno otherwise.
+ * @return reencryption key slot number or negative errno value otherwise.
  */
 int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *name,
@@ -2984,7 +3015,7 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
  * @param cipher_mode cipher mode and IV (e.g. "xts-plain64")
  * @param params reencryption parameters @link crypt_params_reencrypt @endlink.
  *
- * @return reencryption key slot number or negative errno otherwise.
+ * @return reencryption key slot number or negative errno value otherwise.
  */
 int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
 	const char *name,
@@ -2995,6 +3026,71 @@ int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
 	const char *cipher_mode,
 	const struct crypt_params_reencrypt *params);
 
+/**
+ *
+ * Initialize or reload LUKS2 reencryption operation using keyslot contexts.
+ *
+ * The function can initialize reencryption on-disk metadata or reload reencryption
+ * context from on-disk LUSK2 metadata to resume interrupted operation.
+ *
+ * If the device is not in reencryption state (@link crypt_reencrypt_status @endlink
+ * returns @link CRYPT_REENCRYPT_NONE @endlink) the function initializes on-disk
+ * metadata to include all necessary reencryption segments and new encryption
+ * parameters (cipher, cipher mode, encryption sector size) according to the
+ * provided parameters.
+ *
+ * If on-disk metadata already describes reencryption operation
+ * (@link crypt_reencrypt_status @endlink returns @link CRYPT_REENCRYPT_CLEAN @endlink),
+ * it loads these parameters and internally initializes reencryption context. It also verifies
+ * if the device is eligible to resume reencryption operation. Some reencryption parameters
+ * (@link crypt_params_reencrypt @endlink) may be modified depending on the original values in
+ * the initialization call. When resuming the operation, all parameters may be omitted except
+ * @e cd, @e name (offline/online),@e kc_old and @e kc_new.
+ *
+ * If on-disk metadata describes reencryption operation requiring recovery
+ * (@link crypt_reencrypt_status @endlink returns @link CRYPT_REENCRYPT_CRASH @endlink),
+ * it can be recovered by adding @link CRYPT_REENCRYPT_RECOVERY @endlink flag in @link
+ * crypt_params_reencrypt @endlink parameter.
+ *
+ * @param cd crypt device handle
+ * @param name name of the active device or @e NULL for offline reencryption
+ * @param kc_old keyslot context providing access to volume key in keyslot id @e keyslot_old.
+ * @param kc_new keyslot context providing access to volume key in keyslot id @e keyslot_new.
+ * @param keyslot_old keyslot id containing current volume key for the device or CRYPT_ANY_SLOT
+ * @param keyslot_new keyslot id containing (unbound) future volume key in encryption or reencryption
+ *        operation. It must be set in the initialization call except when initializing the decrypt
+ *        operation. In reencryption operation it may contain also the current volume key in case the
+ *        volume key change is not requested.
+ * @param cipher new cipher specification (e.g. "aes") or @e NULL in decryption. Relevant only
+ * 	  during metadata initialization.
+ * @param cipher_mode cipher mode and IV (e.g. "xts-plain64") or @e NULL in decryption.
+ * 	  Relevant only during metadata initialization.
+ * @param params reencryption parameters @link crypt_params_reencrypt @endlink.
+ *
+ * @return reencryption key slot number or negative errno value otherwise.
+ *
+ * @note Only after successful reencryption initialization you may run the operation with
+ * 	 @link crypt_reencrypt_run @endlink.
+ *
+ * @note During @link CRYPT_REENCRYPT_REENCRYPT @endlink operation it is highly recommended
+ * 	 to use same keyslot context (same passphrase, token, keyfile, etc) in both @e kc_old
+ * 	 and @e kc_new parameters for at least one keyslot containing future volume key and one
+ * 	 keyslot containing current volume key. If the same keyslot context can not be used
+ * 	 to unlock any current or any future volume key it would be impossible to perform reencryption
+ * 	 crash recovery during device activation for example after system reboot. Any keyslot
+ * 	 passphrase may be changed in-before initializing reencryption operation via @link
+ * 	 crypt_keyslot_change_by_passphrase @endlink.
+ */
+int crypt_reencrypt_init_by_keyslot_context(struct crypt_device *cd,
+	const char *name,
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new,
+	int keyslot_old,
+	int keyslot_new,
+	const char *cipher,
+	const char *cipher_mode,
+	const struct crypt_params_reencrypt *params);
+
 /**
  * Legacy data reencryption function.
  *
@@ -3089,6 +3185,15 @@ void *crypt_safe_realloc(void *data, size_t size);
  */
 void crypt_safe_memzero(void *data, size_t size);
 
+/**
+ * Memcpy helper to avoid spilling sensitive data through additional registers
+ *
+ * @param dst pointer to memory to be written
+ * @param src pointer to memory to be copied
+ * @param size size of memory in bytes
+ */
+void *crypt_safe_memcpy(void *dst, const void *src, size_t size);
+
 /** @} */
 
 /**
@@ -3107,7 +3212,7 @@ void crypt_safe_memzero(void *data, size_t size);
  *
  * The @e old_key_description argument is required only for
  * devices that are in re-encryption and have two volume keys at the same time
- * (old and new). You can set the @e old_key_description to NULL,
+ * (old and new). You can set the @e old_key_description to @e NULL,
  * but if you supply number of keys less than required, the function will
  * return -ESRCH.  In that case you need to call the function again and set
  * the missing key description. When supplying just one key description, make
diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym
index 89d6468..3a54431 100644
--- a/lib/libcryptsetup.sym
+++ b/lib/libcryptsetup.sym
@@ -180,3 +180,18 @@ CRYPTSETUP_2.7 {
 		crypt_set_keyring_to_link;
 		crypt_wipe_hw_opal;
 } CRYPTSETUP_2.6;
+
+CRYPTSETUP_2.8 {
+	global:
+		crypt_safe_memcpy;
+		crypt_keyslot_context_init_by_passphrase;
+		crypt_keyslot_context_init_by_keyfile;
+		crypt_keyslot_context_init_by_token;
+		crypt_keyslot_context_init_by_volume_key;
+		crypt_keyslot_context_init_by_signed_key;
+		crypt_keyslot_context_init_by_keyring;
+		crypt_keyslot_context_init_by_vk_in_keyring;
+		crypt_reencrypt_init_by_keyslot_context;
+		crypt_get_old_volume_key_size;
+		crypt_format_inline;
+} CRYPTSETUP_2.7;
diff --git a/lib/libcryptsetup_macros.h b/lib/libcryptsetup_macros.h
index 00af58c..657c48f 100644
--- a/lib/libcryptsetup_macros.h
+++ b/lib/libcryptsetup_macros.h
@@ -2,8 +2,8 @@
 /*
  * Definitions of common constant and generic macros of libcryptsetup
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef _LIBCRYPTSETUP_MACROS_H
@@ -49,9 +49,17 @@
 #define DEFAULT_MEM_ALIGNMENT	4096
 
 #define DM_UUID_LEN		129
+#define DM_NAME_LEN		128
 #define DM_BY_ID_PREFIX		"dm-uuid-"
 #define DM_BY_ID_PREFIX_LEN	8
 #define DM_UUID_PREFIX		"CRYPT-"
 #define DM_UUID_PREFIX_LEN	6
 
+#define OPAL_PSID_LEN		32
+
+/* LUKS AF stripes, never set to any other value than 4000 */
+#ifndef LUKS_STRIPES
+# define LUKS_STRIPES 4000
+#endif
+
 #endif /* _LIBCRYPTSETUP_MACROS_H */
diff --git a/lib/libcryptsetup_symver.h b/lib/libcryptsetup_symver.h
index 62d3018..6d18ab5 100644
--- a/lib/libcryptsetup_symver.h
+++ b/lib/libcryptsetup_symver.h
@@ -2,7 +2,7 @@
 /*
  * Helpers for defining versioned symbols
  *
- * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2021-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef _LIBCRYPTSETUP_SYMVER_H
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index d7eadc8..743efb9 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -15,7 +15,7 @@
 #include <libdevmapper.h>
 #include <uuid/uuid.h>
 #include <sys/stat.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
 #include "internal.h"
@@ -36,7 +36,7 @@ static bool _dm_integrity_checked = false;
 static bool _dm_zero_checked = false;
 
 static int _quiet_log = 0;
-static uint32_t _dm_flags = 0;
+static uint64_t _dm_flags = 0;
 
 static struct crypt_device *_context = NULL;
 static int _dm_use_count = 0;
@@ -61,7 +61,7 @@ static int _dm_udev_wait(uint32_t cookie) { return 0; };
 
 static int _dm_use_udev(void)
 {
-#ifdef USE_UDEV /* cannot be enabled if devmapper is too old */
+#if USE_UDEV /* cannot be enabled if devmapper is too old */
 	return dm_udev_get_sync_support();
 #else
 	return 0;
@@ -157,6 +157,12 @@ static void _dm_set_crypt_compat(struct crypt_device *cd,
 	if (_dm_satisfies_version(1, 22, 0, crypt_maj, crypt_min, crypt_patch))
 		_dm_flags |= DM_CRYPT_NO_WORKQUEUE_SUPPORTED;
 
+	if (_dm_satisfies_version(1, 26, 0, crypt_maj, crypt_min, crypt_patch))
+		_dm_flags |= DM_CRYPT_HIGH_PRIORITY_SUPPORTED;
+
+	if (_dm_satisfies_version(1, 28, 0, crypt_maj, crypt_min, crypt_patch))
+		_dm_flags |= DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED;
+
 	_dm_crypt_checked = true;
 }
 
@@ -194,6 +200,10 @@ static void _dm_set_verity_compat(struct crypt_device *cd,
 	if (_dm_satisfies_version(1, 9, 0, verity_maj, verity_min, verity_patch))
 		_dm_flags |= DM_VERITY_TASKLETS_SUPPORTED;
 
+	/* There is actually no correct version set, just use the last available */
+	if (_dm_satisfies_version(1, 10, 0, verity_maj, verity_min, verity_patch))
+		_dm_flags |= DM_VERITY_ERROR_AS_CORRUPTION_SUPPORTED;
+
 	_dm_verity_checked = true;
 }
 
@@ -228,6 +238,9 @@ static void _dm_set_integrity_compat(struct crypt_device *cd,
 	if (_dm_satisfies_version(1, 8, 0, integrity_maj, integrity_min, integrity_patch))
 		_dm_flags |= DM_INTEGRITY_RESET_RECALC_SUPPORTED;
 
+	if (_dm_satisfies_version(1, 12, 0, integrity_maj, integrity_min, integrity_patch))
+		_dm_flags |= DM_INTEGRITY_INLINE_MODE_SUPPORTED;
+
 	_dm_integrity_checked = true;
 }
 
@@ -358,7 +371,7 @@ static int _dm_check_versions(struct crypt_device *cd, dm_target_type target_typ
 	return r;
 }
 
-int dm_flags(struct crypt_device *cd, dm_target_type target, uint32_t *flags)
+int dm_flags(struct crypt_device *cd, dm_target_type target, uint64_t *flags)
 {
 	_dm_check_versions(cd, target);
 	*flags = _dm_flags;
@@ -537,6 +550,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
 	int r, max_size, null_cipher = 0, num_options = 0, keystr_len = 0;
 	char *params = NULL, *hexkey = NULL;
 	char sector_feature[32], features[512], integrity_dm[256], cipher_dm[256];
+	char int_ksize_feature[32];
 
 	if (!tgt)
 		return NULL;
@@ -558,22 +572,29 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
 		num_options++;
 	if (flags & CRYPT_ACTIVATE_IV_LARGE_SECTORS)
 		num_options++;
+	if (flags & CRYPT_ACTIVATE_HIGH_PRIORITY)
+		num_options++;
 	if (tgt->u.crypt.integrity)
 		num_options++;
 	if (tgt->u.crypt.sector_size != SECTOR_SIZE)
 		num_options++;
+	if (tgt->u.crypt.integrity && tgt->u.crypt.integrity_key_size)
+		num_options++;
 
-	if (num_options) { /* MAX length  int32 + 15 + 15 + 23 + 18 + 19 + 17 + 13 + int32 + integrity_str */
-		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s%s%s", num_options,
+	if (num_options) { /* MAX length  int32 + 15 + 15 + 23 + 18 + 19 + 17 + 14 + 13 + int32 + integrity_str + 21 + int32 */
+		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s%s%s%s%s", num_options,
 		(flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? " allow_discards" : "",
 		(flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? " same_cpu_crypt" : "",
 		(flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? " submit_from_crypt_cpus" : "",
 		(flags & CRYPT_ACTIVATE_NO_READ_WORKQUEUE) ? " no_read_workqueue" : "",
 		(flags & CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) ? " no_write_workqueue" : "",
 		(flags & CRYPT_ACTIVATE_IV_LARGE_SECTORS) ? " iv_large_sectors" : "",
+		(flags & CRYPT_ACTIVATE_HIGH_PRIORITY) ? " high_priority" : "",
 		(tgt->u.crypt.sector_size != SECTOR_SIZE) ?
 			_uf(sector_feature, sizeof(sector_feature), "sector_size", tgt->u.crypt.sector_size) : "",
-		integrity_dm);
+		integrity_dm,
+		(tgt->u.crypt.integrity && tgt->u.crypt.integrity_key_size) ?
+			_uf(int_ksize_feature, sizeof(int_ksize_feature), "integrity_key_size", tgt->u.crypt.integrity_key_size) : "");
 		if (r < 0 || (size_t)r >= sizeof(features))
 			goto out;
 	} else
@@ -582,19 +603,26 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
 	if (crypt_is_cipher_null(cipher_dm))
 		null_cipher = 1;
 
-	if (null_cipher)
+	if (null_cipher || crypt_volume_key_length(tgt->u.crypt.vk) == 0)
 		hexkey = crypt_bytes_to_hex(0, NULL);
 	else if (flags & CRYPT_ACTIVATE_KEYRING_KEY) {
-		keystr_len = strlen(tgt->u.crypt.vk->key_description) + int_log10(tgt->u.crypt.vk->keylength) + 10;
+		if (!crypt_volume_key_description(tgt->u.crypt.vk) ||
+		    crypt_volume_key_kernel_key_type(tgt->u.crypt.vk) == INVALID_KEY)
+			goto out;
+		keystr_len = strlen(crypt_volume_key_description(tgt->u.crypt.vk)) +
+			int_log10(crypt_volume_key_length(tgt->u.crypt.vk)) +
+			24 /* type and separators */;
 		hexkey = crypt_safe_alloc(keystr_len);
 		if (!hexkey)
 			goto out;
-		r = snprintf(hexkey, keystr_len, ":%zu:logon:%s", tgt->u.crypt.vk->keylength,
-			     tgt->u.crypt.vk->key_description);
+		r = snprintf(hexkey, keystr_len, ":%zu:%s:%s", crypt_volume_key_length(tgt->u.crypt.vk),
+			     key_type_name(crypt_volume_key_kernel_key_type(tgt->u.crypt.vk)),
+			     crypt_volume_key_description(tgt->u.crypt.vk));
 		if (r < 0 || r >= keystr_len)
 			goto out;
 	} else
-		hexkey = crypt_bytes_to_hex(tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key);
+		hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.crypt.vk),
+					    crypt_volume_key_get_key(tgt->u.crypt.vk));
 
 	if (!hexkey)
 		goto out;
@@ -646,6 +674,8 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags)
 		num_options++;
 	if (flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION)
 		num_options++;
+	if (flags & CRYPT_ACTIVATE_ERROR_AS_CORRUPTION)
+		num_options++;
 	if (flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS)
 		num_options++;
 	if (flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE)
@@ -683,10 +713,12 @@ static char *get_dm_verity_params(const struct dm_target *tgt, uint32_t flags)
 		*verity_verify_args = '\0';
 
 	if (num_options) {  /* MAX length int32 + 18 + 22 + 20 + 19 + 19 + 22 */
-		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s", num_options,
+		r = snprintf(features, sizeof(features), " %d%s%s%s%s%s%s%s", num_options,
 		(flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "",
 		(flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? " restart_on_corruption" : "",
 		(flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? " panic_on_corruption" : "",
+		(flags & CRYPT_ACTIVATE_ERROR_AS_CORRUPTION) ? ((flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ?
+			" panic_on_error" : " restart_on_error") : "",
 		(flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? " ignore_zero_blocks" : "",
 		(flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? " check_at_most_once" : "",
 		(flags & CRYPT_ACTIVATE_TASKLETS) ? " try_verify_in_tasklet" : "");
@@ -742,13 +774,13 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags
 	if (!tgt)
 		return NULL;
 
-	max_integrity = (tgt->u.integrity.integrity && tgt->u.integrity.vk ? tgt->u.integrity.vk->keylength * 2 : 0) +
+	max_integrity = (tgt->u.integrity.integrity && tgt->u.integrity.vk ? crypt_volume_key_length(tgt->u.integrity.vk) * 2 : 0) +
 		(tgt->u.integrity.integrity ? strlen(tgt->u.integrity.integrity) : 0) + 32;
 	max_journal_integrity = (tgt->u.integrity.journal_integrity && tgt->u.integrity.journal_integrity_key ?
-		tgt->u.integrity.journal_integrity_key->keylength * 2 : 0) +
+		crypt_volume_key_length(tgt->u.integrity.journal_integrity_key) * 2 : 0) +
 		(tgt->u.integrity.journal_integrity ? strlen(tgt->u.integrity.journal_integrity) : 0) + 32;
 	max_journal_crypt = (tgt->u.integrity.journal_crypt && tgt->u.integrity.journal_crypt_key ?
-		tgt->u.integrity.journal_crypt_key->keylength * 2 : 0) +
+		crypt_volume_key_length(tgt->u.integrity.journal_crypt_key) * 2 : 0) +
 		(tgt->u.integrity.journal_crypt ? strlen(tgt->u.integrity.journal_crypt) : 0) + 32;
 	max_size = strlen(device_block_path(tgt->data_device)) +
 		(tgt->u.integrity.meta_device ? strlen(device_block_path(tgt->u.integrity.meta_device)) : 0) +
@@ -766,7 +798,8 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags
 		num_options++;
 
 		if (tgt->u.integrity.vk) {
-			hexkey = crypt_bytes_to_hex(tgt->u.integrity.vk->keylength, tgt->u.integrity.vk->key);
+			hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.integrity.vk),
+						    crypt_volume_key_get_key(tgt->u.integrity.vk));
 			if (!hexkey)
 				goto out;
 		} else
@@ -783,8 +816,8 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags
 		num_options++;
 
 		if (tgt->u.integrity.journal_integrity_key) {
-			hexkey = crypt_bytes_to_hex( tgt->u.integrity.journal_integrity_key->keylength,
-				tgt->u.integrity.journal_integrity_key->key);
+			hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.integrity.journal_integrity_key),
+				crypt_volume_key_get_key(tgt->u.integrity.journal_integrity_key));
 			if (!hexkey)
 				goto out;
 		} else
@@ -801,8 +834,8 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags
 		num_options++;
 
 		if (tgt->u.integrity.journal_crypt_key) {
-			hexkey = crypt_bytes_to_hex(tgt->u.integrity.journal_crypt_key->keylength,
-				tgt->u.integrity.journal_crypt_key->key);
+			hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.integrity.journal_crypt_key),
+						    crypt_volume_key_get_key(tgt->u.integrity.journal_crypt_key));
 			if (!hexkey)
 				goto out;
 		} else
@@ -873,7 +906,9 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags
 	if (r < 0 || r >= max_size)
 		goto out;
 
-	if (flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP)
+	if (flags & CRYPT_ACTIVATE_INLINE_MODE)
+		mode = 'I';
+	else if (flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP)
 		mode = 'B';
 	else if (flags & CRYPT_ACTIVATE_RECOVERY)
 		mode = 'R';
@@ -967,7 +1002,7 @@ static int _dm_remove(const char *name, int udev_wait, int deferred)
 	return r;
 }
 
-static int _dm_simple(int task, const char *name, uint32_t dmflags)
+static int _dm_simple(int task, const char *name, uint64_t dmflags)
 {
 	int r = 0;
 	struct dm_task *dmt;
@@ -992,7 +1027,7 @@ static int _dm_simple(int task, const char *name, uint32_t dmflags)
 	return r;
 }
 
-static int _dm_resume_device(const char *name, uint32_t flags);
+static int _dm_resume_device(const char *name, uint64_t dmflags);
 
 static int _error_device(const char *name, size_t size)
 {
@@ -1078,7 +1113,7 @@ int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags)
 	int retries = (flags & CRYPT_DEACTIVATE_FORCE) ? RETRY_COUNT : 1;
 	int deferred = (flags & CRYPT_DEACTIVATE_DEFERRED) ? 1 : 0;
 	int error_target = 0;
-	uint32_t dmt_flags;
+	uint64_t dmt_flags;
 
 	if (!name)
 		return -EINVAL;
@@ -1428,7 +1463,7 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
 	return r;
 }
 
-static int _dm_resume_device(const char *name, uint32_t dmflags)
+static int _dm_resume_device(const char *name, uint64_t dmflags)
 {
 	struct dm_task *dmt;
 	int r = -EINVAL;
@@ -1610,7 +1645,7 @@ int dm_targets_allocate(struct dm_target *first, unsigned count)
 	return 0;
 }
 
-static int check_retry(struct crypt_device *cd, uint32_t *dmd_flags, uint32_t dmt_flags)
+static int check_retry(struct crypt_device *cd, uint32_t *dmd_flags, uint64_t dmt_flags)
 {
 	int ret = 0;
 
@@ -1646,6 +1681,14 @@ static int check_retry(struct crypt_device *cd, uint32_t *dmd_flags, uint32_t dm
 		ret = 1;
 	}
 
+	/* Drop high-priority workqueue options if not supported */
+	if ((*dmd_flags & CRYPT_ACTIVATE_HIGH_PRIORITY) &&
+	    !(dmt_flags & DM_CRYPT_HIGH_PRIORITY_SUPPORTED)) {
+		log_dbg(cd, "dm-crypt does not support high-priority option");
+		*dmd_flags = *dmd_flags & ~CRYPT_ACTIVATE_HIGH_PRIORITY;
+		ret = 1;
+	}
+
 	return ret;
 }
 
@@ -1653,7 +1696,7 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 		     const char *type,
 		     struct crypt_dm_active_device *dmd)
 {
-	uint32_t dmt_flags = 0;
+	uint64_t dmt_flags = 0;
 	int r = -EINVAL;
 
 	if (!type || !dmd)
@@ -1698,6 +1741,12 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 		r = -EINVAL;
 	}
 
+	if ((dmd->flags & CRYPT_ACTIVATE_ERROR_AS_CORRUPTION) &&
+	    !(dmt_flags & DM_VERITY_ERROR_AS_CORRUPTION_SUPPORTED)) {
+		log_err(cd, _("Requested dm-verity data corruption handling options are not supported."));
+		r = -EINVAL;
+	}
+
 	if (dmd->flags & CRYPT_ACTIVATE_TASKLETS &&
 	    !(dmt_flags & DM_VERITY_TASKLETS_SUPPORTED)) {
 		log_err(cd, _("Requested dm-verity tasklets option is not supported."));
@@ -1730,6 +1779,10 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 			log_err(cd, _("The device size is not multiple of the requested sector size."));
 			r = -EINVAL;
 		}
+		if (dmd->segment.u.crypt.integrity_key_size && !(dmt_flags & DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED)) {
+			log_err(cd, _("Requested integrity_key_size option is not supported."));
+			r = -EINVAL;
+		}
 	}
 
 	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_RECALCULATE) &&
@@ -1755,6 +1808,12 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 		log_err(cd, _("Requested dm-integrity bitmap mode is not supported."));
 		r = -EINVAL;
 	}
+
+	if (dmd->segment.type == DM_INTEGRITY && (dmd->flags & CRYPT_ACTIVATE_INLINE_MODE) &&
+	    !(dmt_flags & DM_INTEGRITY_INLINE_MODE_SUPPORTED)) {
+		log_err(cd, _("Requested dm-integrity inline mode is not supported."));
+		r = -EINVAL;
+	}
 out:
 	/*
 	 * Print warning if activating dm-crypt cipher_null device unless it's reencryption helper or
@@ -1769,10 +1828,10 @@ int dm_create_device(struct crypt_device *cd, const char *name,
 }
 
 int dm_reload_device(struct crypt_device *cd, const char *name,
-		     struct crypt_dm_active_device *dmd, uint32_t dmflags, unsigned resume)
+		     struct crypt_dm_active_device *dmd, uint64_t dmflags, unsigned resume)
 {
 	int r;
-	uint32_t dmt_flags;
+	uint64_t dmt_flags;
 
 	if (!dmd)
 		return -EINVAL;
@@ -1958,18 +2017,19 @@ int dm_status_integrity_failures(struct crypt_device *cd, const char *name, uint
 }
 
 /* FIXME use hex wrapper, user val wrappers for line parsing */
-static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
+static int _dm_target_query_crypt(struct crypt_device *cd, uint64_t get_flags,
 				  char *params, struct dm_target *tgt,
 				  uint32_t *act_flags)
 {
 	uint64_t val64;
-	char *rcipher, *rintegrity, *key_, *rdevice, *endp, buffer[3], *arg, *key_desc;
+	char *rcipher, *rintegrity, *key_, *rdevice, *endp, buffer[3], *arg, *key_desc, keyring[16];
 	unsigned int i, val;
 	int r;
 	size_t key_size;
 	struct device *data_device = NULL;
 	char *cipher = NULL, *integrity = NULL;
 	struct volume_key *vk = NULL;
+	void *key = NULL;
 
 	tgt->type = DM_CRYPT;
 	tgt->direction = TARGET_QUERY;
@@ -2039,12 +2099,16 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
 				*act_flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
 			else if (!strcasecmp(arg, "iv_large_sectors"))
 				*act_flags |= CRYPT_ACTIVATE_IV_LARGE_SECTORS;
+			else if (!strcasecmp(arg, "high_priority"))
+				*act_flags |= CRYPT_ACTIVATE_HIGH_PRIORITY;
 			else if (sscanf(arg, "integrity:%u:", &val) == 1) {
 				tgt->u.crypt.tag_size = val;
 				rintegrity = strchr(arg + strlen("integrity:"), ':');
 				if (!rintegrity)
 					goto err;
 				rintegrity++;
+			} else if (sscanf(arg, "integrity_key_size:%u", &val) == 1) {
+				tgt->u.crypt.integrity_key_size = val;
 			} else if (sscanf(arg, "sector_size:%u", &val) == 1) {
 				tgt->u.crypt.sector_size = val;
 			} else /* unknown option */
@@ -2086,25 +2150,35 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
 			if (key_[0] == ':') {
 				/* :<key_size>:<key_type>:<key_description> */
 				key_desc = NULL;
+				r = -ENOMEM;
 				endp = strpbrk(key_ + 1, ":");
-				if (endp)
-					key_desc = strpbrk(endp + 1, ":");
-				if (!key_desc) {
+				if (!endp)
+					goto err;
+				key_desc = strpbrk(endp + 1, ":");
+				if (!key_desc)
+					goto err;
+				memcpy(keyring, endp + 1, key_desc - endp - 1);
+				keyring[key_desc - endp - 1] = '\0';
+				key_desc++;
+				r = crypt_volume_key_set_description(vk, key_desc, key_type_by_name(keyring));
+				if (r < 0)
+					goto err;
+			} else if (key_size) {
+				key = crypt_safe_alloc(key_size);
+				if (!key) {
 					r = -ENOMEM;
 					goto err;
 				}
-				key_desc++;
-				crypt_volume_key_set_description(vk, key_desc);
-			} else {
 				buffer[2] = '\0';
-				for(i = 0; i < vk->keylength; i++) {
-					memcpy(buffer, &key_[i * 2], 2);
-					vk->key[i] = strtoul(buffer, &endp, 16);
+				for(i = 0; i < crypt_volume_key_length(vk); i++) {
+					crypt_safe_memcpy(buffer, &key_[i * 2], 2);
+					*((char *)key + i) = strtoul(buffer, &endp, 16);
 					if (endp != &buffer[2]) {
 						r = -EINVAL;
 						goto err;
 					}
 				}
+				crypt_volume_key_pass_safe_alloc(vk, &key);
 			}
 		}
 	}
@@ -2123,12 +2197,13 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
 	free(cipher);
 	free(integrity);
 	device_free(cd, data_device);
+	crypt_safe_free(key);
 	crypt_free_volume_key(vk);
 	return r;
 }
 
 static int _dm_target_query_verity(struct crypt_device *cd,
-				   uint32_t get_flags,
+				   uint64_t get_flags,
 			           char *params,
 			           struct dm_target *tgt,
 				   uint32_t *act_flags)
@@ -2287,6 +2362,9 @@ static int _dm_target_query_verity(struct crypt_device *cd,
 				*act_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
 			else if (!strcasecmp(arg, "panic_on_corruption"))
 				*act_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;
+			else if (!strcasecmp(arg, "restart_on_error") ||
+				 !strcasecmp(arg, "panic_on_error"))
+				*act_flags |= CRYPT_ACTIVATE_ERROR_AS_CORRUPTION;
 			else if (!strcasecmp(arg, "ignore_zero_blocks"))
 				*act_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
 			else if (!strcasecmp(arg, "check_at_most_once"))
@@ -2387,7 +2465,7 @@ static int _dm_target_query_verity(struct crypt_device *cd,
 }
 
 static int _dm_target_query_integrity(struct crypt_device *cd,
-			     uint32_t get_flags,
+			     uint64_t get_flags,
 			     char *params,
 			     struct dm_target *tgt,
 			     uint32_t *act_flags)
@@ -2435,7 +2513,7 @@ static int _dm_target_query_integrity(struct crypt_device *cd,
 
 	/* journal */
 	c = toupper(*(++params));
-	if (!*params || *(++params) != ' ' || (c != 'D' && c != 'J' && c != 'R' && c != 'B'))
+	if (!*params || *(++params) != ' ' || (c != 'D' && c != 'J' && c != 'R' && c != 'B' && c != 'I'))
 		goto err;
 	if (c == 'D')
 		*act_flags |= CRYPT_ACTIVATE_NO_JOURNAL;
@@ -2445,168 +2523,169 @@ static int _dm_target_query_integrity(struct crypt_device *cd,
 		*act_flags |= CRYPT_ACTIVATE_NO_JOURNAL;
 		*act_flags |= CRYPT_ACTIVATE_NO_JOURNAL_BITMAP;
 	}
+	if (c == 'I') {
+		*act_flags |= CRYPT_ACTIVATE_NO_JOURNAL;
+		*act_flags |= CRYPT_ACTIVATE_INLINE_MODE;
+	}
 
 	tgt->u.integrity.sector_size = SECTOR_SIZE;
 
-	/* Features section */
-	if (params) {
-		/* Number of arguments */
-		val64 = strtoull(params, &params, 10);
-		if (*params != ' ')
-			goto err;
-		params++;
+	/* Features section, number of arguments (always included) */
+	val64 = strtoull(params, &params, 10);
+	if (*params != ' ')
+		goto err;
+	params++;
 
-		features = (int)val64;
-		for (i = 0; i < features; i++) {
-			r = -EINVAL;
-			if (!params)
+	features = (int)val64;
+	for (i = 0; i < features; i++) {
+		r = -EINVAL;
+		if (!params)
+			goto err;
+		arg = strsep(&params, " ");
+		if (sscanf(arg, "journal_sectors:%u", &val) == 1)
+			tgt->u.integrity.journal_size = val * SECTOR_SIZE;
+		else if (sscanf(arg, "journal_watermark:%u", &val) == 1)
+			tgt->u.integrity.journal_watermark = val;
+		else if (sscanf(arg, "sectors_per_bit:%" PRIu64, &val64) == 1) {
+			if (val64 > UINT_MAX)
 				goto err;
-			arg = strsep(&params, " ");
-			if (sscanf(arg, "journal_sectors:%u", &val) == 1)
-				tgt->u.integrity.journal_size = val * SECTOR_SIZE;
-			else if (sscanf(arg, "journal_watermark:%u", &val) == 1)
-				tgt->u.integrity.journal_watermark = val;
-			else if (sscanf(arg, "sectors_per_bit:%" PRIu64, &val64) == 1) {
-				if (val64 > UINT_MAX)
+			/* overloaded value for bitmap mode */
+			tgt->u.integrity.journal_watermark = (unsigned int)val64;
+		} else if (sscanf(arg, "commit_time:%u", &val) == 1)
+			tgt->u.integrity.journal_commit_time = val;
+		else if (sscanf(arg, "bitmap_flush_interval:%u", &val) == 1)
+			/* overloaded value for bitmap mode */
+			tgt->u.integrity.journal_commit_time = val;
+		else if (sscanf(arg, "interleave_sectors:%u", &val) == 1)
+			tgt->u.integrity.interleave_sectors = val;
+		else if (sscanf(arg, "block_size:%u", &val) == 1)
+			tgt->u.integrity.sector_size = val;
+		else if (sscanf(arg, "buffer_sectors:%u", &val) == 1)
+			tgt->u.integrity.buffer_sectors = val;
+		else if (!strncmp(arg, "internal_hash:", 14) && !integrity) {
+			str = &arg[14];
+			arg = strsep(&str, ":");
+			if (get_flags & DM_ACTIVE_INTEGRITY_PARAMS) {
+				integrity = strdup(arg);
+				if (!integrity) {
+					r = -ENOMEM;
 					goto err;
-				/* overloaded value for bitmap mode */
-				tgt->u.integrity.journal_watermark = (unsigned int)val64;
-			} else if (sscanf(arg, "commit_time:%u", &val) == 1)
-				tgt->u.integrity.journal_commit_time = val;
-			else if (sscanf(arg, "bitmap_flush_interval:%u", &val) == 1)
-				/* overloaded value for bitmap mode */
-				tgt->u.integrity.journal_commit_time = val;
-			else if (sscanf(arg, "interleave_sectors:%u", &val) == 1)
-				tgt->u.integrity.interleave_sectors = val;
-			else if (sscanf(arg, "block_size:%u", &val) == 1)
-				tgt->u.integrity.sector_size = val;
-			else if (sscanf(arg, "buffer_sectors:%u", &val) == 1)
-				tgt->u.integrity.buffer_sectors = val;
-			else if (!strncmp(arg, "internal_hash:", 14) && !integrity) {
-				str = &arg[14];
-				arg = strsep(&str, ":");
-				if (get_flags & DM_ACTIVE_INTEGRITY_PARAMS) {
-					integrity = strdup(arg);
-					if (!integrity) {
-						r = -ENOMEM;
-						goto err;
-					}
 				}
+			}
 
-				if (str) {
-					len = crypt_hex_to_bytes(str, &str2, 1);
-					if (len < 0) {
-						r = len;
-						goto err;
-					}
-
-					r = 0;
-					if (get_flags & DM_ACTIVE_CRYPT_KEY) {
-						vk = crypt_alloc_volume_key(len, str2);
-						if (!vk)
-							r = -ENOMEM;
-					} else if (get_flags & DM_ACTIVE_CRYPT_KEYSIZE) {
-						vk = crypt_alloc_volume_key(len, NULL);
-						if (!vk)
-							r = -ENOMEM;
-					}
-					crypt_safe_free(str2);
-					if (r < 0)
-						goto err;
-				}
-			} else if (!strncmp(arg, "meta_device:", 12) && !meta_device) {
-				if (get_flags & DM_ACTIVE_DEVICE) {
-					str = crypt_lookup_dev(&arg[12]);
-					r = device_alloc(cd, &meta_device, str);
-					free(str);
-					if (r < 0 && r != -ENOTBLK)
-						goto err;
+			if (str) {
+				len = crypt_hex_to_bytes(str, &str2, 1);
+				if (len < 0) {
+					r = len;
+					goto err;
 				}
-			} else if (!strncmp(arg, "journal_crypt:", 14) && !journal_crypt) {
-				str = &arg[14];
-				arg = strsep(&str, ":");
-				if (get_flags & DM_ACTIVE_INTEGRITY_PARAMS) {
-					journal_crypt = strdup(arg);
-					if (!journal_crypt) {
+
+				r = 0;
+				if (get_flags & DM_ACTIVE_CRYPT_KEY) {
+					vk = crypt_alloc_volume_key(len, str2);
+					if (!vk)
+						r = -ENOMEM;
+				} else if (get_flags & DM_ACTIVE_CRYPT_KEYSIZE) {
+					vk = crypt_alloc_volume_key(len, NULL);
+					if (!vk)
 						r = -ENOMEM;
-						goto err;
-					}
 				}
+				crypt_safe_free(str2);
+				if (r < 0)
+					goto err;
+			}
+		} else if (!strncmp(arg, "meta_device:", 12) && !meta_device) {
+			if (get_flags & DM_ACTIVE_DEVICE) {
+				str = crypt_lookup_dev(&arg[12]);
+				r = device_alloc(cd, &meta_device, str);
+				free(str);
+				if (r < 0 && r != -ENOTBLK)
+					goto err;
+			}
+		} else if (!strncmp(arg, "journal_crypt:", 14) && !journal_crypt) {
+			str = &arg[14];
+			arg = strsep(&str, ":");
+			if (get_flags & DM_ACTIVE_INTEGRITY_PARAMS) {
+				journal_crypt = strdup(arg);
+				if (!journal_crypt) {
+					r = -ENOMEM;
+					goto err;
+				}
+			}
 
-				if (str) {
-					len = crypt_hex_to_bytes(str, &str2, 1);
-					if (len < 0) {
-						r = len;
-						goto err;
-					}
-
-					r = 0;
-					if (get_flags & DM_ACTIVE_JOURNAL_CRYPT_KEY) {
-						journal_crypt_key = crypt_alloc_volume_key(len, str2);
-						if (!journal_crypt_key)
-							r = -ENOMEM;
-					} else if (get_flags & DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE) {
-						journal_crypt_key = crypt_alloc_volume_key(len, NULL);
-						if (!journal_crypt_key)
-							r = -ENOMEM;
-					}
-					crypt_safe_free(str2);
-					if (r < 0)
-						goto err;
+			if (str) {
+				len = crypt_hex_to_bytes(str, &str2, 1);
+				if (len < 0) {
+					r = len;
+					goto err;
 				}
-			} else if (!strncmp(arg, "journal_mac:", 12) && !journal_integrity) {
-				str = &arg[12];
-				arg = strsep(&str, ":");
-				if (get_flags & DM_ACTIVE_INTEGRITY_PARAMS) {
-					journal_integrity = strdup(arg);
-					if (!journal_integrity) {
+
+				r = 0;
+				if (get_flags & DM_ACTIVE_JOURNAL_CRYPT_KEY) {
+					journal_crypt_key = crypt_alloc_volume_key(len, str2);
+					if (!journal_crypt_key)
+						r = -ENOMEM;
+				} else if (get_flags & DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE) {
+					journal_crypt_key = crypt_alloc_volume_key(len, NULL);
+					if (!journal_crypt_key)
 						r = -ENOMEM;
-						goto err;
-					}
 				}
+				crypt_safe_free(str2);
+				if (r < 0)
+					goto err;
+			}
+		} else if (!strncmp(arg, "journal_mac:", 12) && !journal_integrity) {
+			str = &arg[12];
+			arg = strsep(&str, ":");
+			if (get_flags & DM_ACTIVE_INTEGRITY_PARAMS) {
+				journal_integrity = strdup(arg);
+				if (!journal_integrity) {
+					r = -ENOMEM;
+					goto err;
+				}
+			}
 
-				if (str) {
-					len = crypt_hex_to_bytes(str, &str2, 1);
-					if (len < 0) {
-						r = len;
-						goto err;
-					}
-
-					r = 0;
-					if (get_flags & DM_ACTIVE_JOURNAL_MAC_KEY) {
-						journal_integrity_key = crypt_alloc_volume_key(len, str2);
-						if (!journal_integrity_key)
-							r = -ENOMEM;
-					} else if (get_flags & DM_ACTIVE_JOURNAL_MAC_KEYSIZE) {
-						journal_integrity_key = crypt_alloc_volume_key(len, NULL);
-						if (!journal_integrity_key)
-							r = -ENOMEM;
-					}
-					crypt_safe_free(str2);
-					if (r < 0)
-						goto err;
+			if (str) {
+				len = crypt_hex_to_bytes(str, &str2, 1);
+				if (len < 0) {
+					r = len;
+					goto err;
 				}
-			} else if (!strcmp(arg, "recalculate")) {
-				*act_flags |= CRYPT_ACTIVATE_RECALCULATE;
-			} else if (!strcmp(arg, "reset_recalculate")) {
-				*act_flags |= CRYPT_ACTIVATE_RECALCULATE_RESET;
-			} else if (!strcmp(arg, "fix_padding")) {
-				tgt->u.integrity.fix_padding = true;
-			} else if (!strcmp(arg, "fix_hmac")) {
-				tgt->u.integrity.fix_hmac = true;
-			} else if (!strcmp(arg, "legacy_recalculate")) {
-				tgt->u.integrity.legacy_recalc = true;
-			} else if (!strcmp(arg, "allow_discards")) {
-				*act_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
-			} else /* unknown option */
-				goto err;
-		}
 
-		/* All parameters should be processed */
-		if (params && *params) {
-			r = -EINVAL;
+				r = 0;
+				if (get_flags & DM_ACTIVE_JOURNAL_MAC_KEY) {
+					journal_integrity_key = crypt_alloc_volume_key(len, str2);
+					if (!journal_integrity_key)
+						r = -ENOMEM;
+				} else if (get_flags & DM_ACTIVE_JOURNAL_MAC_KEYSIZE) {
+					journal_integrity_key = crypt_alloc_volume_key(len, NULL);
+					if (!journal_integrity_key)
+						r = -ENOMEM;
+				}
+				crypt_safe_free(str2);
+				if (r < 0)
+					goto err;
+			}
+		} else if (!strcmp(arg, "recalculate")) {
+			*act_flags |= CRYPT_ACTIVATE_RECALCULATE;
+		} else if (!strcmp(arg, "reset_recalculate")) {
+			*act_flags |= CRYPT_ACTIVATE_RECALCULATE_RESET;
+		} else if (!strcmp(arg, "fix_padding")) {
+			tgt->u.integrity.fix_padding = true;
+		} else if (!strcmp(arg, "fix_hmac")) {
+			tgt->u.integrity.fix_hmac = true;
+		} else if (!strcmp(arg, "legacy_recalculate")) {
+			tgt->u.integrity.legacy_recalc = true;
+		} else if (!strcmp(arg, "allow_discards")) {
+			*act_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
+		} else /* unknown option */
 			goto err;
-		}
+	}
+
+	/* All parameters should be processed */
+	if (params && *params) {
+		r = -EINVAL;
+		goto err;
 	}
 
 	if (data_device)
@@ -2639,7 +2718,7 @@ static int _dm_target_query_integrity(struct crypt_device *cd,
 }
 
 static int _dm_target_query_linear(struct crypt_device *cd, struct dm_target *tgt,
-				   uint32_t get_flags, char *params)
+				   uint64_t get_flags, char *params)
 {
 	uint64_t val64;
 	char *rdevice, *arg;
@@ -2701,7 +2780,7 @@ static int _dm_target_query_zero(struct dm_target *tgt)
  */
 static int dm_target_query(struct crypt_device *cd, struct dm_target *tgt, const uint64_t *start,
 		    const uint64_t *length, const char *target_type,
-		    char *params, uint32_t get_flags, uint32_t *act_flags)
+		    char *params, uint64_t get_flags, uint32_t *act_flags)
 {
 	int r = -ENOTSUP;
 
@@ -2727,7 +2806,7 @@ static int dm_target_query(struct crypt_device *cd, struct dm_target *tgt, const
 }
 
 static int _dm_query_device(struct crypt_device *cd, const char *name,
-		    uint32_t get_flags, struct crypt_dm_active_device *dmd)
+		    uint64_t get_flags, struct crypt_dm_active_device *dmd)
 {
 	struct dm_target *t;
 	struct dm_task *dmt;
@@ -2828,7 +2907,7 @@ static int _dm_query_device(struct crypt_device *cd, const char *name,
 }
 
 int dm_query_device(struct crypt_device *cd, const char *name,
-		    uint32_t get_flags, struct crypt_dm_active_device *dmd)
+		    uint64_t get_flags, struct crypt_dm_active_device *dmd)
 {
 	int r;
 
@@ -2980,9 +3059,9 @@ static int _dm_message(const char *name, const char *msg)
 	return r;
 }
 
-int dm_suspend_device(struct crypt_device *cd, const char *name, uint32_t dmflags)
+int dm_suspend_device(struct crypt_device *cd, const char *name, uint64_t dmflags)
 {
-	uint32_t dmt_flags;
+	uint64_t dmt_flags;
 	int r = -ENOTSUP;
 
 	if (dm_init_context(cd, DM_UNKNOWN))
@@ -3014,7 +3093,7 @@ int dm_suspend_device(struct crypt_device *cd, const char *name, uint32_t dmflag
 	return r;
 }
 
-int dm_resume_device(struct crypt_device *cd, const char *name, uint32_t dmflags)
+int dm_resume_device(struct crypt_device *cd, const char *name, uint64_t dmflags)
 {
 	int r;
 
@@ -3031,7 +3110,7 @@ int dm_resume_device(struct crypt_device *cd, const char *name, uint32_t dmflags
 int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
 				const struct volume_key *vk)
 {
-	uint32_t dmt_flags;
+	uint64_t dmt_flags;
 	int msg_size;
 	char *msg = NULL, *key = NULL;
 	int r = -ENOTSUP;
@@ -3042,12 +3121,12 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
 	if (!(dmt_flags & DM_KEY_WIPE_SUPPORTED))
 		goto out;
 
-	if (!vk->keylength)
+	if (!crypt_volume_key_length(vk))
 		msg_size = 11; // key set -
-	else if (vk->key_description)
-		msg_size = strlen(vk->key_description) + int_log10(vk->keylength) + 18;
+	else if (crypt_volume_key_description(vk))
+		msg_size = strlen(crypt_volume_key_description(vk)) + int_log10(crypt_volume_key_length(vk)) + 18;
 	else
-		msg_size = vk->keylength * 2 + 10; // key set <key>
+		msg_size = crypt_volume_key_length(vk) * 2 + 10; // key set <key>
 
 	msg = crypt_safe_alloc(msg_size);
 	if (!msg) {
@@ -3055,11 +3134,15 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
 		goto out;
 	}
 
-	if (vk->key_description) {
-		r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength,
-			     vk->key_description);
-	} else  {
-		key = crypt_bytes_to_hex(vk->keylength, vk->key);
+	if (crypt_volume_key_description(vk)) {
+		r = snprintf(msg, msg_size, "key set :%zu:logon:%s", crypt_volume_key_length(vk),
+			     crypt_volume_key_description(vk));
+	} else {
+		if (!crypt_volume_key_length(vk))
+			key = crypt_bytes_to_hex(0, NULL);
+		else
+			key = crypt_bytes_to_hex(crypt_volume_key_length(vk),
+						 crypt_volume_key_get_key(vk));
 		if (!key) {
 			r = -ENOMEM;
 			goto out;
@@ -3106,6 +3189,54 @@ int dm_get_iname(const char *name, char **iname, bool with_path)
 	return r < 0 ? -ENOMEM : 0;
 }
 
+char *dm_get_active_iname(struct crypt_device *cd, const char *name)
+{
+	struct crypt_dm_active_device dmd = {}, dmdi = {};
+	struct dm_target *tgt = &dmd.segment, *tgti = &dmdi.segment;
+	char *ipath = NULL, *iname = NULL, *ret_iname = NULL;
+	struct stat st;
+
+	if (!name)
+		return NULL;
+
+	if (dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd) < 0)
+		return NULL;
+
+	if (!single_segment(&dmd))
+		goto out;
+
+	if (tgt->type != DM_CRYPT || tgt->u.crypt.tag_size == 0)
+		goto out;
+
+	if (dm_get_iname(name, &iname, false) < 0)
+		goto out;
+
+	if (dm_get_iname(name, &ipath, true) < 0)
+		goto out;
+
+	if (stat(ipath, &st) < 0 || !S_ISBLK(st.st_mode))
+		goto out;
+
+	if (dm_query_device(cd, iname, DM_ACTIVE_UUID, &dmdi) < 0)
+		goto out;
+
+	if (single_segment(&dmdi) &&
+	    tgti->type == DM_INTEGRITY &&
+	    dm_uuid_integrity_cmp(dmd.uuid, dmdi.uuid) == 0) {
+		ret_iname = iname;
+		iname = NULL;
+	}
+out:
+	dm_targets_free(cd, &dmdi);
+	dm_targets_free(cd, &dmd);
+	free(CONST_CAST(void*)dmd.uuid);
+	free(CONST_CAST(void*)dmdi.uuid);
+	free(ipath);
+	free(iname);
+
+	return ret_iname;
+}
+
 int dm_is_dm_device(int major)
 {
 	return dm_is_dm_major((uint32_t)major);
@@ -3116,9 +3247,96 @@ int dm_is_dm_kernel_name(const char *name)
 	return strncmp(name, "dm-", 3) ? 0 : 1;
 }
 
+/*
+ * compares UUIDs returned by device-mapper (striped by cryptsetup) and uuid in header
+ */
+int dm_uuid_cmp(const char *dm_uuid, const char *hdr_uuid)
+{
+	int i, j;
+	const char *str;
+
+	if (!dm_uuid || !hdr_uuid)
+		return -EINVAL;
+
+	/* skip beyond LUKS2_HW_OPAL prefix */
+	if (!strncmp(dm_uuid, CRYPT_LUKS2_HW_OPAL, strlen(CRYPT_LUKS2_HW_OPAL)))
+		dm_uuid = dm_uuid + strlen(CRYPT_LUKS2_HW_OPAL);
+
+	str = strchr(dm_uuid, '-');
+	if (!str)
+		return -EINVAL;
+
+	for (i = 0, j = 1; hdr_uuid[i]; i++) {
+		if (hdr_uuid[i] == '-')
+			continue;
+
+		if (!str[j] || str[j] == '-')
+			return -EINVAL;
+
+		if (str[j] != hdr_uuid[i])
+			return -EINVAL;
+		j++;
+	}
+
+	return 0;
+}
+
+/*
+ * compares two UUIDs returned by device-mapper (striped by cryptsetup)
+ * used for stacked LUKS2 & INTEGRITY devices
+ */
+int dm_uuid_integrity_cmp(const char *dm_uuid, const char *dmi_uuid)
+{
+	int i;
+	const char *str, *stri;
+
+	if (!dm_uuid || !dmi_uuid)
+		return -EINVAL;
+
+	/* skip beyond LUKS2_HW_OPAL prefix */
+	if (!strncmp(dm_uuid, CRYPT_LUKS2_HW_OPAL, strlen(CRYPT_LUKS2_HW_OPAL)))
+		dm_uuid = dm_uuid + strlen(CRYPT_LUKS2_HW_OPAL);
+
+	str = strchr(dm_uuid, '-');
+	if (!str)
+		return -EINVAL;
+
+	stri = strchr(dmi_uuid, '-');
+	if (!stri)
+		return -EINVAL;
+
+	for (i = 1; str[i] && str[i] != '-'; i++) {
+		if (!stri[i])
+			return -EINVAL;
+
+		if (str[i] != stri[i])
+			return -EINVAL;
+	}
+
+	return 0;
+}
+
+/*
+ * compares type of active device to provided string
+ */
+int dm_uuid_type_cmp(const char *dm_uuid, const char *type)
+{
+	size_t len;
+
+	assert(type);
+
+	len = strlen(type);
+	if (dm_uuid && strlen(dm_uuid) > len &&
+	    !strncmp(dm_uuid, type, len) && dm_uuid[len] == '-')
+		return 0;
+
+	return -ENODEV;
+}
+
 int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct volume_key *vk, const char *cipher,
-	uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
+	uint64_t iv_offset, uint64_t data_offset,
+	const char *integrity, uint32_t integrity_key_size, uint32_t tag_size,
 	uint32_t sector_size)
 {
 	char *dm_integrity = NULL;
@@ -3144,6 +3362,7 @@ int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg
 	tgt->u.crypt.offset = data_offset;
 	tgt->u.crypt.tag_size = tag_size;
 	tgt->u.crypt.sector_size = sector_size;
+	tgt->u.crypt.integrity_key_size = integrity_key_size;
 
 	return 0;
 }
@@ -3183,7 +3402,7 @@ int dm_integrity_target_set(struct crypt_device *cd,
 			struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
 			const struct crypt_params_integrity *ip)
 {
-	uint32_t dmi_flags;
+	uint64_t dmi_flags;
 
 	if (!data_device)
 		return -EINVAL;
diff --git a/lib/loopaes/loopaes.c b/lib/loopaes/loopaes.c
index 8aec3de..bdd9ded 100644
--- a/lib/loopaes/loopaes.c
+++ b/lib/loopaes/loopaes.c
@@ -2,8 +2,8 @@
 /*
  * loop-AES compatible volume handling
  *
- * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2024 Milan Broz
+ * Copyright (C) 2011-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2025 Milan Broz
  */
 
 #include <errno.h>
@@ -69,6 +69,7 @@ static int hash_keys(struct crypt_device *cd,
 	char tweak, *key_ptr;
 	unsigned int i;
 	int r = 0;
+	void *key = NULL;
 
 	hash_name = hash_override ?: get_hash(key_len_output);
 	tweak = get_tweak(keys_count);
@@ -79,24 +80,30 @@ static int hash_keys(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	*vk = crypt_alloc_volume_key((size_t)key_len_output * keys_count, NULL);
-	if (!*vk)
+	key = crypt_safe_alloc((size_t)key_len_output * keys_count);
+	if (!key)
 		return -ENOMEM;
 
 	for (i = 0; i < keys_count; i++) {
-		key_ptr = &(*vk)->key[i * key_len_output];
+		key_ptr = &((char *)key)[i * key_len_output];
 		r = hash_key(input_keys[i], key_len_input, key_ptr,
 			     key_len_output, hash_name);
 		if (r < 0)
-			break;
+			goto err;
 
 		key_ptr[0] ^= tweak;
 	}
 
-	if (r < 0 && *vk) {
-		crypt_free_volume_key(*vk);
-		*vk = NULL;
+	*vk = crypt_alloc_volume_key_by_safe_alloc(&key);
+	if (!*vk) {
+		r = -ENOMEM;
+		goto err;
 	}
+
+	return 0;
+err:
+	crypt_safe_free(key);
+	*vk = NULL;
 	return r;
 }
 
@@ -191,7 +198,7 @@ int LOOPAES_activate(struct crypt_device *cd,
 		     uint32_t flags)
 {
 	int r;
-	uint32_t req_flags, dmc_flags;
+	uint64_t req_flags, dmc_flags;
 	char *cipher = NULL;
 	struct crypt_dm_active_device dmd = {
 		.flags = flags,
@@ -213,9 +220,8 @@ int LOOPAES_activate(struct crypt_device *cd,
 		return -ENOMEM;
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
-			vk, cipher, crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd),
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
+			vk, cipher, crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
+			NULL, 0, 0, crypt_get_sector_size(cd));
 
 	if (r) {
 		free(cipher);
diff --git a/lib/loopaes/loopaes.h b/lib/loopaes/loopaes.h
index 878f2da..425ca22 100644
--- a/lib/loopaes/loopaes.h
+++ b/lib/loopaes/loopaes.h
@@ -2,8 +2,8 @@
 /*
  * loop-AES compatible volume handling
  *
- * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2024 Milan Broz
+ * Copyright (C) 2011-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2025 Milan Broz
  */
 
 #ifndef _LOOPAES_H
diff --git a/lib/luks1/af.c b/lib/luks1/af.c
index e312b30..7ab153d 100644
--- a/lib/luks1/af.c
+++ b/lib/luks1/af.c
@@ -3,7 +3,7 @@
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
  *
  * AFsplitter diffuses information over a large stripe of data,
  * therefore supporting secure data destruction.
diff --git a/lib/luks1/af.h b/lib/luks1/af.h
index 0dcd233..08f3757 100644
--- a/lib/luks1/af.h
+++ b/lib/luks1/af.h
@@ -3,7 +3,7 @@
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef INCLUDED_CRYPTSETUP_LUKS_AF_H
diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c
index 63e47fc..de8aa30 100644
--- a/lib/luks1/keyencryption.c
+++ b/lib/luks1/keyencryption.c
@@ -3,8 +3,8 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -18,7 +18,8 @@
 static void _error_hint(struct crypt_device *ctx, const char *device,
 			const char *cipher, const char *mode, size_t keyLength)
 {
-	char *c, cipher_spec[MAX_CIPHER_LEN * 3];
+	const char *c;
+	char cipher_spec[MAX_CIPHER_LEN * 3];
 
 	if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, mode) < 0)
 		return;
@@ -88,7 +89,7 @@ static int LUKS_endec_template(char *src, size_t srcLength,
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size,
 			crypt_metadata_device(ctx), vk, cipher_spec, 0, sector,
-			NULL, 0, SECTOR_SIZE);
+			NULL, 0, 0, SECTOR_SIZE);
 	if (r)
 		goto out;
 
@@ -96,7 +97,7 @@ static int LUKS_endec_template(char *src, size_t srcLength,
 	if (r < 0) {
 		if (r != -EACCES && r != -ENOTSUP)
 			_error_hint(ctx, device_path(crypt_metadata_device(ctx)),
-				    cipher, cipher_mode, vk->keylength * 8);
+				    cipher, cipher_mode, crypt_volume_key_length(vk) * 8);
 		r = -EIO;
 		goto out;
 	}
@@ -140,7 +141,8 @@ int LUKS_encrypt_to_storage(char *src, size_t srcLength,
 		return -EINVAL;
 
 	/* Encrypt buffer */
-	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
+	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, crypt_volume_key_get_key(vk),
+			crypt_volume_key_length(vk), false);
 
 	if (r)
 		log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).",
@@ -153,7 +155,7 @@ int LUKS_encrypt_to_storage(char *src, size_t srcLength,
 
 	if (r) {
 		_error_hint(ctx, device_path(device), cipher, cipher_mode,
-			    vk->keylength * 8);
+			    crypt_volume_key_length(vk) * 8);
 		return r;
 	}
 
@@ -205,7 +207,8 @@ int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
 	if (MISALIGNED_512(dstLength))
 		return -EINVAL;
 
-	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
+	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, crypt_volume_key_get_key(vk),
+			crypt_volume_key_length(vk), false);
 
 	if (r)
 		log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).",
@@ -218,7 +221,7 @@ int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
 
 	if (r) {
 		_error_hint(ctx, device_path(device), cipher, cipher_mode,
-			    vk->keylength * 8);
+			   crypt_volume_key_length(vk) * 8);
 		return r;
 	}
 
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
index 5d8fe96..3792981 100644
--- a/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c
@@ -3,8 +3,8 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2013-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2013-2025 Milan Broz
  */
 
 #include <sys/types.h>
@@ -378,7 +378,7 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
 {
 	struct luks_phdr temp_phdr;
 	const unsigned char *sector = (const unsigned char*)phdr;
-	struct volume_key *vk;
+	struct volume_key *fake_vk;
 	int i, bad, r, need_write = 0;
 
 	if (phdr->keyBytes != 16 && phdr->keyBytes != 32 && phdr->keyBytes != 64) {
@@ -424,8 +424,8 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
 	if (r < 0)
 		return -EINVAL;
 
-	vk = crypt_alloc_volume_key(phdr->keyBytes, NULL);
-	if (!vk)
+	fake_vk = crypt_generate_volume_key(ctx, phdr->keyBytes, KEY_QUALITY_EMPTY);
+	if (!fake_vk)
 		return -ENOMEM;
 
 	log_verbose(ctx, _("Repairing keyslots."));
@@ -433,7 +433,7 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
 	log_dbg(ctx, "Generating second header with the same parameters for check.");
 	/* cipherName, cipherMode, hashSpec, uuid are already null terminated */
 	/* payloadOffset - cannot check */
-	r = LUKS_generate_phdr(&temp_phdr, vk, phdr->cipherName, phdr->cipherMode,
+	r = LUKS_generate_phdr(&temp_phdr, fake_vk, phdr->cipherName, phdr->cipherMode,
 			       phdr->hashSpec, phdr->uuid,
 			       phdr->payloadOffset * SECTOR_SIZE, 0, 0, ctx);
 	if (r < 0)
@@ -492,7 +492,7 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
 out:
 	if (r)
 		log_err(ctx, _("Repair failed."));
-	crypt_free_volume_key(vk);
+	crypt_free_volume_key(fake_vk);
 	crypt_safe_memzero(&temp_phdr, sizeof(temp_phdr));
 	return r;
 }
@@ -710,14 +710,12 @@ int LUKS_check_cipher(struct crypt_device *ctx, size_t keylength, const char *ci
 
 	log_dbg(ctx, "Checking if cipher %s-%s is usable.", cipher, cipher_mode);
 
-	empty_key = crypt_alloc_volume_key(keylength, NULL);
+	/* No need to get KEY quality random but it must avoid known weak keys. */
+	empty_key = crypt_generate_volume_key(ctx, keylength, KEY_QUALITY_NORMAL);
 	if (!empty_key)
 		return -ENOMEM;
 
-	/* No need to get KEY quality random but it must avoid known weak keys. */
-	r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
-	if (!r)
-		r = LUKS_decrypt_from_storage(buf, sizeof(buf), cipher, cipher_mode, empty_key, 0, ctx);
+	r = LUKS_decrypt_from_storage(buf, sizeof(buf), cipher, cipher_mode, empty_key, 0, ctx);
 
 	crypt_free_volume_key(empty_key);
 	crypt_safe_memzero(buf, sizeof(buf));
@@ -748,7 +746,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 
 	memset(header, 0, sizeof(struct luks_phdr));
 
-	keyslot_sectors = AF_split_sectors(vk->keylength, LUKS_STRIPES);
+	keyslot_sectors = AF_split_sectors(crypt_volume_key_length(vk), LUKS_STRIPES);
 	header_sectors = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE;
 
 	for (i = 0; i < LUKS_NUMKEYS; i++) {
@@ -795,7 +793,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L-1);
 	_to_lower(header->hashSpec, LUKS_HASHSPEC_L);
 
-	header->keyBytes=vk->keylength;
+	header->keyBytes = crypt_volume_key_length(vk);
 
 	log_dbg(ctx, "Generating LUKS header version %d using hash %s, %s, %s, MK %d bytes",
 		header->version, header->hashSpec ,header->cipherName, header->cipherMode,
@@ -809,7 +807,7 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 
 	/* Compute volume key digest */
 	pbkdf = crypt_get_pbkdf(ctx);
-	r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, vk->keylength);
+	r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, crypt_volume_key_length(vk));
 	if (r < 0)
 		return r;
 	assert(pbkdf->iterations);
@@ -824,7 +822,9 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	header->mkDigestIterations = AT_LEAST((uint32_t)PBKDF2_temp, LUKS_MKD_ITERATIONS_MIN);
 	assert(header->mkDigestIterations);
 
-	r = crypt_pbkdf(CRYPT_KDF_PBKDF2, header->hashSpec, vk->key,vk->keylength,
+	r = crypt_pbkdf(CRYPT_KDF_PBKDF2, header->hashSpec,
+			crypt_volume_key_get_key(vk),
+			crypt_volume_key_length(vk),
 			header->mkDigestSalt, LUKS_SALTSIZE,
 			header->mkDigest,LUKS_DIGESTSIZE,
 			header->mkDigestIterations, 0, 0);
@@ -866,8 +866,9 @@ int LUKS_set_key(unsigned int keyIndex,
 		 struct luks_phdr *hdr, struct volume_key *vk,
 		 struct crypt_device *ctx)
 {
-	struct volume_key *derived_key;
+	struct volume_key *derived_vk = NULL;
 	char *AfKey = NULL;
+	void *derived_key = NULL;
 	size_t AFEKSize;
 	struct crypt_pbkdf_type *pbkdf;
 	int r;
@@ -886,7 +887,7 @@ int LUKS_set_key(unsigned int keyIndex,
 
 	log_dbg(ctx, "Calculating data for key slot %d", keyIndex);
 	pbkdf = crypt_get_pbkdf(ctx);
-	r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, vk->keylength);
+	r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, crypt_volume_key_length(vk));
 	if (r < 0)
 		return r;
 	assert(pbkdf->iterations);
@@ -899,9 +900,11 @@ int LUKS_set_key(unsigned int keyIndex,
 	log_dbg(ctx, "Key slot %d use %" PRIu32 " password iterations.", keyIndex,
 		hdr->keyblock[keyIndex].passwordIterations);
 
-	derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
-	if (!derived_key)
-		return -ENOMEM;
+	derived_key = crypt_safe_alloc(hdr->keyBytes);
+	if (!derived_key) {
+		r = -ENOMEM;
+		goto out;
+	}
 
 	r = crypt_random_get(ctx, hdr->keyblock[keyIndex].passwordSalt,
 		       LUKS_SALTSIZE, CRYPT_RND_SALT);
@@ -910,7 +913,7 @@ int LUKS_set_key(unsigned int keyIndex,
 
 	r = crypt_pbkdf(CRYPT_KDF_PBKDF2, hdr->hashSpec, password, passwordLen,
 			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
-			derived_key->key, hdr->keyBytes,
+			derived_key, hdr->keyBytes,
 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
 	if (r < 0) {
 		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
@@ -919,11 +922,17 @@ int LUKS_set_key(unsigned int keyIndex,
 		goto out;
 	}
 
+	derived_vk = crypt_alloc_volume_key_by_safe_alloc(&derived_key);
+	if (!derived_vk) {
+		r = -ENOMEM;
+		goto out;
+	}
+
 	/*
 	 * AF splitting, the volume key stored in vk->key is split to AfKey
 	 */
-	assert(vk->keylength == hdr->keyBytes);
-	AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE;
+	assert(crypt_volume_key_length(vk) == hdr->keyBytes);
+	AFEKSize = AF_split_sectors(crypt_volume_key_length(vk), hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE;
 	AfKey = crypt_safe_alloc(AFEKSize);
 	if (!AfKey) {
 		r = -ENOMEM;
@@ -932,7 +941,8 @@ int LUKS_set_key(unsigned int keyIndex,
 
 	log_dbg(ctx, "Using hash %s for AF in key slot %d, %d stripes",
 		hdr->hashSpec, keyIndex, hdr->keyblock[keyIndex].stripes);
-	r = AF_split(ctx, vk->key, AfKey, vk->keylength, hdr->keyblock[keyIndex].stripes, hdr->hashSpec);
+	r = AF_split(ctx, crypt_volume_key_get_key(vk), AfKey, crypt_volume_key_length(vk),
+			hdr->keyblock[keyIndex].stripes, hdr->hashSpec);
 	if (r < 0)
 		goto out;
 
@@ -942,7 +952,7 @@ int LUKS_set_key(unsigned int keyIndex,
 	r = LUKS_encrypt_to_storage(AfKey,
 				    AFEKSize,
 				    hdr->cipherName, hdr->cipherMode,
-				    derived_key,
+				    derived_vk,
 				    hdr->keyblock[keyIndex].keyMaterialOffset,
 				    ctx);
 	if (r < 0)
@@ -960,7 +970,8 @@ int LUKS_set_key(unsigned int keyIndex,
 	r = 0;
 out:
 	crypt_safe_free(AfKey);
-	crypt_free_volume_key(derived_key);
+	crypt_safe_free(derived_key);
+	crypt_free_volume_key(derived_vk);
 	return r;
 }
 
@@ -970,7 +981,8 @@ int LUKS_verify_volume_key(const struct luks_phdr *hdr,
 {
 	char checkHashBuf[LUKS_DIGESTSIZE];
 
-	if (crypt_pbkdf(CRYPT_KDF_PBKDF2, hdr->hashSpec, vk->key, vk->keylength,
+	if (crypt_pbkdf(CRYPT_KDF_PBKDF2, hdr->hashSpec, crypt_volume_key_get_key(vk),
+			crypt_volume_key_length(vk),
 			hdr->mkDigestSalt, LUKS_SALTSIZE,
 			checkHashBuf, LUKS_DIGESTSIZE,
 			hdr->mkDigestIterations, 0, 0) < 0)
@@ -987,12 +999,13 @@ static int LUKS_open_key(unsigned int keyIndex,
 		  const char *password,
 		  size_t passwordLen,
 		  struct luks_phdr *hdr,
-		  struct volume_key **vk,
+		  struct volume_key **r_vk,
 		  struct crypt_device *ctx)
 {
 	crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyIndex);
-	struct volume_key *derived_key;
+	struct volume_key *derived_vk = NULL, *vk = NULL;
 	char *AfKey = NULL;
+	void *key = NULL, *derived_key = NULL;
 	size_t AFEKSize;
 	int r;
 
@@ -1002,12 +1015,12 @@ static int LUKS_open_key(unsigned int keyIndex,
 	if (ki < CRYPT_SLOT_ACTIVE)
 		return -ENOENT;
 
-	derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+	derived_key = crypt_safe_alloc(hdr->keyBytes);
 	if (!derived_key)
 		return -ENOMEM;
 
-	*vk = crypt_alloc_volume_key(hdr->keyBytes, NULL);
-	if (!*vk) {
+	key = crypt_safe_alloc(hdr->keyBytes);
+	if (!key) {
 		r = -ENOMEM;
 		goto out;
 	}
@@ -1021,39 +1034,57 @@ static int LUKS_open_key(unsigned int keyIndex,
 
 	r = crypt_pbkdf(CRYPT_KDF_PBKDF2, hdr->hashSpec, password, passwordLen,
 			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
-			derived_key->key, hdr->keyBytes,
+			derived_key, hdr->keyBytes,
 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
 	if (r < 0) {
 		log_err(ctx, _("Cannot open keyslot (using hash %s)."), hdr->hashSpec);
 		goto out;
 	}
 
+	derived_vk = crypt_alloc_volume_key_by_safe_alloc(&derived_key);
+	if (!derived_vk) {
+		r = -ENOMEM;
+		goto out;
+	}
+
 	log_dbg(ctx, "Reading key slot %d area.", keyIndex);
 	r = LUKS_decrypt_from_storage(AfKey,
 				      AFEKSize,
 				      hdr->cipherName, hdr->cipherMode,
-				      derived_key,
+				      derived_vk,
 				      hdr->keyblock[keyIndex].keyMaterialOffset,
 				      ctx);
 	if (r < 0)
 		goto out;
 
-	r = AF_merge(AfKey, (*vk)->key, (*vk)->keylength, hdr->keyblock[keyIndex].stripes, hdr->hashSpec);
+	r = AF_merge(AfKey, key, hdr->keyBytes, hdr->keyblock[keyIndex].stripes, hdr->hashSpec);
 	if (r < 0)
 		goto out;
 
-	r = LUKS_verify_volume_key(hdr, *vk);
+	vk = crypt_alloc_volume_key_by_safe_alloc(&key);
+	if (!vk) {
+		r = -ENOMEM;
+		goto out;
+	}
+
+	r = LUKS_verify_volume_key(hdr, vk);
+	if (r < 0)
+		goto out;
 
 	/* Allow only empty passphrase with null cipher */
-	if (!r && crypt_is_cipher_null(hdr->cipherName) && passwordLen)
+	if (crypt_is_cipher_null(hdr->cipherName) && passwordLen)
 		r = -EPERM;
+	else
+		*r_vk = vk;
 out:
 	if (r < 0) {
-		crypt_free_volume_key(*vk);
-		*vk = NULL;
+		crypt_free_volume_key(vk);
+		*r_vk = NULL;
 	}
 	crypt_safe_free(AfKey);
-	crypt_free_volume_key(derived_key);
+	crypt_safe_free(key);
+	crypt_safe_free(derived_key);
+	crypt_free_volume_key(derived_vk);
 	return r;
 }
 
@@ -1204,8 +1235,7 @@ int LUKS1_activate(struct crypt_device *cd,
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
 			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd),
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
+			crypt_get_data_offset(cd), NULL, 0, 0, crypt_get_sector_size(cd));
 	if (!r)
 		r = create_or_reload_device(cd, name, CRYPT_LUKS1, &dmd);
 
diff --git a/lib/luks1/luks.h b/lib/luks1/luks.h
index befdc3a..80f6544 100644
--- a/lib/luks1/luks.h
+++ b/lib/luks1/luks.h
@@ -3,7 +3,7 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef INCLUDED_CRYPTSETUP_LUKS_LUKS_H
diff --git a/lib/luks2/hw_opal/hw_opal.c b/lib/luks2/hw_opal/hw_opal.c
index a56e882..3256393 100644
--- a/lib/luks2/hw_opal/hw_opal.c
+++ b/lib/luks2/hw_opal/hw_opal.c
@@ -3,7 +3,8 @@
  * OPAL utilities
  *
  * Copyright (C) 2022-2023 Luca Boccassi <bluca@debian.org>
- *               2023 Ondrej Kozina <okozina@redhat.com>
+ * Copyright (C) 2023-2025 Ondrej Kozina <okozina@redhat.com>
+ * Copyright (C) 2024-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -16,7 +17,7 @@
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
 
@@ -35,33 +36,32 @@
  * Section 5.1.5: Method Status Codes
  * Names and values from table 166 */
 typedef enum OpalStatus {
-	OPAL_STATUS_SUCCESS,
-	OPAL_STATUS_NOT_AUTHORIZED,
-	OPAL_STATUS_OBSOLETE0, /* Undefined but possible return values are called 'obsolete' */
-	OPAL_STATUS_SP_BUSY,
-	OPAL_STATUS_SP_FAILED,
-	OPAL_STATUS_SP_DISABLED,
-	OPAL_STATUS_SP_FROZEN,
-	OPAL_STATUS_NO_SESSIONS_AVAILABLE,
-	OPAL_STATUS_UNIQUENESS_CONFLICT,
-	OPAL_STATUS_INSUFFICIENT_SPACE,
-	OPAL_STATUS_INSUFFICIENT_ROWS,
-	OPAL_STATUS_INVALID_PARAMETER,
-	OPAL_STATUS_OBSOLETE1,
-	OPAL_STATUS_OBSOLETE2,
-	OPAL_STATUS_TPER_MALFUNCTION,
-	OPAL_STATUS_TRANSACTION_FAILURE,
-	OPAL_STATUS_RESPONSE_OVERFLOW,
-	OPAL_STATUS_AUTHORITY_LOCKED_OUT,
-	OPAL_STATUS_FAIL = 0x3F, /* As defined by specification */
-	_OPAL_STATUS_MAX,
-	_OPAL_STATUS_INVALID = -EINVAL,
+	OPAL_STATUS_SUCCESS = 0x00,
+	OPAL_STATUS_NOT_AUTHORIZED = 0x01,
+	OPAL_STATUS_OBSOLETE0 = 0x02, /* Undefined but possible return values are called 'obsolete' */
+	OPAL_STATUS_SP_BUSY = 0x03,
+	OPAL_STATUS_SP_FAILED = 0x04,
+	OPAL_STATUS_SP_DISABLED = 0x05,
+	OPAL_STATUS_SP_FROZEN = 0x06,
+	OPAL_STATUS_NO_SESSIONS_AVAILABLE = 0x07,
+	OPAL_STATUS_UNIQUENESS_CONFLICT = 0x08,
+	OPAL_STATUS_INSUFFICIENT_SPACE = 0x09,
+	OPAL_STATUS_INSUFFICIENT_ROWS = 0x0a,
+	OPAL_STATUS_OBSOLETE1 = 0x0b, /* Undefined but possible return values are called 'obsolete' */
+	OPAL_STATUS_INVALID_PARAMETER = 0x0c,
+	OPAL_STATUS_OBSOLETE2 = 0x0d,
+	OPAL_STATUS_OBSOLETE3 = 0x0e,
+	OPAL_STATUS_TPER_MALFUNCTION = 0x0f,
+	OPAL_STATUS_TRANSACTION_FAILURE = 0x10,
+	OPAL_STATUS_RESPONSE_OVERFLOW = 0x11,
+	OPAL_STATUS_AUTHORITY_LOCKED_OUT = 0x12,
+	_OPAL_STATUS_MAX = 0x13,
 } OpalStatus;
 
 static const char* const opal_status_table[_OPAL_STATUS_MAX] = {
 	[OPAL_STATUS_SUCCESS]               = "success",
 	[OPAL_STATUS_NOT_AUTHORIZED]        = "not authorized",
-	[OPAL_STATUS_OBSOLETE0]             = "obsolete",
+	[OPAL_STATUS_OBSOLETE0]             = "obsolete (0x02)",
 	[OPAL_STATUS_SP_BUSY]               = "SP busy",
 	[OPAL_STATUS_SP_FAILED]             = "SP failed",
 	[OPAL_STATUS_SP_DISABLED]           = "SP disabled",
@@ -70,14 +70,14 @@ static const char* const opal_status_table[_OPAL_STATUS_MAX] = {
 	[OPAL_STATUS_UNIQUENESS_CONFLICT]   = "uniqueness conflict",
 	[OPAL_STATUS_INSUFFICIENT_SPACE]    = "insufficient space",
 	[OPAL_STATUS_INSUFFICIENT_ROWS]     = "insufficient rows",
+	[OPAL_STATUS_OBSOLETE1]             = "obsolete (0x0b)",
 	[OPAL_STATUS_INVALID_PARAMETER]     = "invalid parameter",
-	[OPAL_STATUS_OBSOLETE1]             = "obsolete",
-	[OPAL_STATUS_OBSOLETE2]             = "obsolete",
+	[OPAL_STATUS_OBSOLETE2]             = "obsolete (0x0d)",
+	[OPAL_STATUS_OBSOLETE3]             = "obsolete (0x0e)",
 	[OPAL_STATUS_TPER_MALFUNCTION]      = "TPer malfunction",
 	[OPAL_STATUS_TRANSACTION_FAILURE]   = "transaction failure",
 	[OPAL_STATUS_RESPONSE_OVERFLOW]     = "response overflow",
 	[OPAL_STATUS_AUTHORITY_LOCKED_OUT]  = "authority locked out",
-	[OPAL_STATUS_FAIL]                  = "unknown failure",
 };
 
 static const char *opal_status_to_string(int t)
@@ -85,6 +85,10 @@ static const char *opal_status_to_string(int t)
 	if (t < 0)
 		return strerror(-t);
 
+	/* Fail, as defined by specification */
+	if (t == 0x3f)
+		return "unknown failure";
+
 	if (t >= _OPAL_STATUS_MAX)
 		return "unknown error";
 
@@ -232,6 +236,8 @@ static int opal_ioctl(struct crypt_device *cd, int fd, unsigned long rq, void *a
 
 	opal_ioctl_debug(cd, rq, args, false, 0);
 	r = ioctl(fd, rq, args);
+	if (r < 0)
+		r = -errno;
 	opal_ioctl_debug(cd, rq, args, true, r);
 
 	return r;
@@ -306,12 +312,13 @@ static int opal_range_check_attributes_fd(struct crypt_device *cd,
 		.session = {
 			.who = segment_number + 1,
 			.opal_key = {
-				.key_len = vk->keylength,
+				.key_len = crypt_volume_key_length(vk),
 				.lr = segment_number
 			}
 		}
 	};
-	memcpy(lrs->session.opal_key.key, vk->key, vk->keylength);
+	crypt_safe_memcpy(lrs->session.opal_key.key, crypt_volume_key_get_key(vk),
+			  crypt_volume_key_length(vk));
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_GET_LR_STATUS, lrs);
 	if (r != OPAL_STATUS_SUCCESS) {
@@ -413,7 +420,7 @@ int opal_setup_ranges(struct crypt_device *cd,
 	assert(dev);
 	assert(vk);
 	assert(admin_key);
-	assert(vk->keylength <= OPAL_KEY_MAX);
+	assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX);
 	assert(opal_block_bytes >= SECTOR_SIZE);
 
 	if (admin_key_len > OPAL_KEY_MAX)
@@ -448,7 +455,7 @@ int opal_setup_ranges(struct crypt_device *cd,
 			 */
 			.lr = { 1, 2, 3, 4, 5, 6, 7, 8 },
 		};
-		memcpy(activate->key.key, admin_key, admin_key_len);
+		crypt_safe_memcpy(activate->key.key, admin_key, admin_key_len);
 
 		r = opal_ioctl(cd, fd, IOC_OPAL_TAKE_OWNERSHIP, &activate->key);
 		if (r < 0) {
@@ -470,6 +477,8 @@ int opal_setup_ranges(struct crypt_device *cd,
 		}
 
 		r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_LSP, activate);
+		if (r < 0)
+			goto out;
 		if (r != OPAL_STATUS_SUCCESS) {
 			log_dbg(cd, "Failed to activate OPAL device '%s': %s",
 				crypt_get_device_name(cd), opal_status_to_string(r));
@@ -490,19 +499,16 @@ int opal_setup_ranges(struct crypt_device *cd,
 				.key_len = admin_key_len,
 			},
 		};
-		memcpy(user_session->opal_key.key, admin_key, admin_key_len);
+		crypt_safe_memcpy(user_session->opal_key.key, admin_key, admin_key_len);
 
-		r = opal_ioctl(cd, fd, IOC_OPAL_ERASE_LR, user_session);
+		r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
+		if (r < 0)
+			goto out;
 		if (r != OPAL_STATUS_SUCCESS) {
-			log_dbg(cd, "Failed to reset (erase) OPAL locking range %u on device '%s': %s",
+			log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
 				segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
-			r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
-			if (r != OPAL_STATUS_SUCCESS) {
-				log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
-					segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
-				r = -EINVAL;
-				goto out;
-			}
+			r = -EINVAL;
+			goto out;
 		}
 	}
 
@@ -519,9 +525,11 @@ int opal_setup_ranges(struct crypt_device *cd,
 			.key_len = admin_key_len,
 		},
 	};
-	memcpy(user_session->opal_key.key, admin_key, admin_key_len);
+	crypt_safe_memcpy(user_session->opal_key.key, admin_key, admin_key_len);
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_ACTIVATE_USR, user_session);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		log_dbg(cd, "Failed to activate OPAL user on device '%s': %s",
 			crypt_get_device_name(cd), opal_status_to_string(r));
@@ -544,9 +552,11 @@ int opal_setup_ranges(struct crypt_device *cd,
 		},
 		.l_state = OPAL_RO,
 	};
-	memcpy(user_add_to_lr->session.opal_key.key, admin_key, admin_key_len);
+	crypt_safe_memcpy(user_add_to_lr->session.opal_key.key, admin_key, admin_key_len);
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		log_dbg(cd, "Failed to add OPAL user to locking range %u (RO) on device '%s': %s",
 			segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
@@ -555,6 +565,8 @@ int opal_setup_ranges(struct crypt_device *cd,
 	}
 	user_add_to_lr->l_state = OPAL_RW;
 	r = opal_ioctl(cd, fd, IOC_OPAL_ADD_USR_TO_LR, user_add_to_lr);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		log_dbg(cd, "Failed to add OPAL user to locking range %u (RW) on device '%s': %s",
 			segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
@@ -578,15 +590,18 @@ int opal_setup_ranges(struct crypt_device *cd,
 		.new_user_pw = {
 			.who = segment_number + 1,
 			.opal_key = {
-				.key_len = vk->keylength,
+				.key_len = crypt_volume_key_length(vk),
 				.lr = segment_number,
 			},
 		},
 	};
-	memcpy(new_pw->new_user_pw.opal_key.key, vk->key, vk->keylength);
-	memcpy(new_pw->session.opal_key.key, admin_key, admin_key_len);
+	crypt_safe_memcpy(new_pw->new_user_pw.opal_key.key, crypt_volume_key_get_key(vk),
+			  crypt_volume_key_length(vk));
+	crypt_safe_memcpy(new_pw->session.opal_key.key, admin_key, admin_key_len);
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_SET_PW, new_pw);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		log_dbg(cd, "Failed to set OPAL user password on device '%s': (%d) %s",
 			crypt_get_device_name(cd), r, opal_status_to_string(r));
@@ -616,9 +631,11 @@ int opal_setup_ranges(struct crypt_device *cd,
 			},
 		},
 	};
-	memcpy(setup->session.opal_key.key, admin_key, admin_key_len);
+	crypt_safe_memcpy(setup->session.opal_key.key, admin_key, admin_key_len);
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		log_dbg(cd, "Failed to setup locking range of length %llu at offset %llu on OPAL device '%s': %s",
 			setup->range_length, setup->range_start, crypt_get_device_name(cd), opal_status_to_string(r));
@@ -638,14 +655,17 @@ int opal_setup_ranges(struct crypt_device *cd,
 		.session = {
 			.who = segment_number + 1,
 			.opal_key = {
-				.key_len = vk->keylength,
+				.key_len = crypt_volume_key_length(vk),
 				.lr = segment_number,
 			},
 		}
 	};
-	memcpy(lock->session.opal_key.key, vk->key, vk->keylength);
+	crypt_safe_memcpy(lock->session.opal_key.key, crypt_volume_key_get_key(vk),
+			  crypt_volume_key_length(vk));
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, lock);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		log_dbg(cd, "Failed to lock OPAL device '%s': %s",
 			crypt_get_device_name(cd), opal_status_to_string(r));
@@ -696,10 +716,11 @@ static int opal_lock_unlock(struct crypt_device *cd,
 		return -EIO;
 
 	if (!lock) {
-		assert(vk->keylength <= OPAL_KEY_MAX);
+		assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX);
 
-		unlock.session.opal_key.key_len = vk->keylength;
-		memcpy(unlock.session.opal_key.key, vk->key, vk->keylength);
+		unlock.session.opal_key.key_len = crypt_volume_key_length(vk);
+		crypt_safe_memcpy(unlock.session.opal_key.key, crypt_volume_key_get_key(vk),
+				  crypt_volume_key_length(vk));
 	}
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, &unlock);
@@ -734,6 +755,8 @@ static int opal_lock_unlock(struct crypt_device *cd,
 		unlock.flags = OPAL_SAVE_FOR_LOCK;
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_SAVE, &unlock);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
 		if (!lock)
 			log_std(cd, "Failed to prepare OPAL device '%s' for sleep resume, be aware before suspending: %s",
@@ -787,11 +810,15 @@ int opal_factory_reset(struct crypt_device *cd,
 	if (password_len > OPAL_KEY_MAX)
 		return -EINVAL;
 
-	fd = device_open(cd, dev, O_RDONLY);
+	/*
+	 * Submit PSID reset on R/W file descriptor so it
+	 * triggers blkid rescan after we close it.
+	 */
+	fd = device_open(cd, dev, O_RDWR);
 	if (fd < 0)
 		return -EIO;
 
-	memcpy(reset.key, password, password_len);
+	crypt_safe_memcpy(reset.key, password, password_len);
 
 	r = opal_ioctl(cd, fd, IOC_OPAL_PSID_REVERT_TPR, &reset);
 	if (r < 0) {
@@ -848,7 +875,7 @@ int opal_reset_segment(struct crypt_device *cd,
 			.key_len = password_len,
 		},
 	};
-	memcpy(user_session->opal_key.key, password, password_len);
+	crypt_safe_memcpy(user_session->opal_key.key, password, password_len);
 
 	fd = device_open(cd, dev, O_RDONLY);
 	if (fd < 0) {
@@ -856,42 +883,39 @@ int opal_reset_segment(struct crypt_device *cd,
 		goto out;
 	}
 
-	r = opal_ioctl(cd, fd, IOC_OPAL_ERASE_LR, user_session);
+	r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
+	if (r < 0)
+		goto out;
 	if (r != OPAL_STATUS_SUCCESS) {
-		log_dbg(cd, "Failed to reset (erase) OPAL locking range %u on device '%s': %s",
+		log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
 			segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
-		r = opal_ioctl(cd, fd, IOC_OPAL_SECURE_ERASE_LR, user_session);
-		if (r != OPAL_STATUS_SUCCESS) {
-			log_dbg(cd, "Failed to reset (secure erase) OPAL locking range %u on device '%s': %s",
-				segment_number, crypt_get_device_name(cd), opal_status_to_string(r));
-			r = -EINVAL;
-			goto out;
-		}
+		r = -EINVAL;
+		goto out;
+	}
 
-		/* Unlike IOC_OPAL_ERASE_LR, IOC_OPAL_SECURE_ERASE_LR does not disable the locking range,
-		 * we have to do that by hand.
-		 */
-		setup = crypt_safe_alloc(sizeof(struct opal_user_lr_setup));
-		if (!setup) {
-			r = -ENOMEM;
-			goto out;
-		}
-		*setup = (struct opal_user_lr_setup) {
-			.range_start = 0,
-			.range_length = 0,
-			.session = {
-				.who = OPAL_ADMIN1,
-				.opal_key = user_session->opal_key,
-			},
-		};
+	/* Disable the locking range */
+	setup = crypt_safe_alloc(sizeof(struct opal_user_lr_setup));
+	if (!setup) {
+		r = -ENOMEM;
+		goto out;
+	}
+	*setup = (struct opal_user_lr_setup) {
+		.range_start = 0,
+		.range_length = 0,
+		.session = {
+			.who = OPAL_ADMIN1,
+			.opal_key = user_session->opal_key,
+		},
+	};
 
-		r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup);
-		if (r != OPAL_STATUS_SUCCESS) {
-			log_dbg(cd, "Failed to disable locking range on OPAL device '%s': %s",
-				crypt_get_device_name(cd), opal_status_to_string(r));
-			r = -EINVAL;
-			goto out;
-		}
+	r = opal_ioctl(cd, fd, IOC_OPAL_LR_SETUP, setup);
+	if (r < 0)
+		goto out;
+	if (r != OPAL_STATUS_SUCCESS) {
+		log_dbg(cd, "Failed to disable locking range on OPAL device '%s': %s",
+			crypt_get_device_name(cd), opal_status_to_string(r));
+		r = -EINVAL;
+		goto out;
 	}
 out:
 	crypt_safe_free(user_session);
diff --git a/lib/luks2/hw_opal/hw_opal.h b/lib/luks2/hw_opal/hw_opal.h
index f25c2b6..f0058a5 100644
--- a/lib/luks2/hw_opal/hw_opal.h
+++ b/lib/luks2/hw_opal/hw_opal.h
@@ -3,7 +3,8 @@
  * OPAL utilities
  *
  * Copyright (C) 2022-2023 Luca Boccassi <bluca@debian.org>
- *               2023 Ondrej Kozina <okozina@redhat.com>
+ * Copyright (C) 2023-2025 Ondrej Kozina <okozina@redhat.com>
+ * Copyright (C) 2024-2025 Milan Broz
  */
 
 #ifndef _UTILS_OPAL
diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
index 609162f..30568db 100644
--- a/lib/luks2/luks2.h
+++ b/lib/luks2/luks2.h
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #ifndef _CRYPTSETUP_LUKS2_ONDISK_H
@@ -37,6 +37,8 @@
 
 #define LUKS2_DIGEST_MAX 8
 
+#define LUKS2_MIN_INTEGRITY_KEY_BYTES 16
+
 #define CRYPT_ANY_SEGMENT -1
 #define CRYPT_DEFAULT_SEGMENT -2
 #define CRYPT_ONE_SEGMENT -3
@@ -109,6 +111,7 @@ struct luks2_hdr {
 	char		uuid[LUKS2_UUID_L];
 	void		*jobj;
 	void		*jobj_rollback;
+	size_t		on_disk_json_end_offset;
 };
 
 struct luks2_keyslot_params {
@@ -196,11 +199,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
 	size_t password_len,
 	struct volume_key **vk);
 
-int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
+int LUKS2_keyslot_context_open_all_segments(struct crypt_device *cd,
 	int keyslot_old,
 	int keyslot_new,
-	const char *password,
-	size_t password_len,
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new,
 	struct volume_key **vks);
 
 int LUKS2_keyslot_store(struct crypt_device *cd,
@@ -228,6 +231,24 @@ int LUKS2_keyslot_swap(struct crypt_device *cd,
 	int keyslot,
 	int keyslot2);
 
+/*
+ * Segments
+ */
+
+bool LUKS2_segment_set_size(struct luks2_hdr *hdr,
+	int segment,
+	const uint64_t *segment_size_bytes);
+
+bool LUKS2_segment_is_hw_opal(struct luks2_hdr *hdr, int segment);
+bool LUKS2_segment_is_hw_opal_crypt(struct luks2_hdr *hdr, int segment);
+bool LUKS2_segment_is_hw_opal_only(struct luks2_hdr *hdr, int segment);
+
+int LUKS2_get_opal_segment_number(struct luks2_hdr *hdr, int segment,
+				  uint32_t *ret_opal_segment_number);
+int LUKS2_get_opal_key_size(struct luks2_hdr *hdr, int segment);
+
+bool LUKS2_segments_dynamic_size(struct luks2_hdr *hdr);
+
 /*
  * Generic LUKS2 token
  */
@@ -263,17 +284,6 @@ crypt_token_info LUKS2_token_status(struct crypt_device *cd,
 	int token,
 	const char **type);
 
-int LUKS2_token_open_and_activate(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	int token,
-	const char *name,
-	const char *type,
-	const char *pin,
-	size_t pin_size,
-	uint32_t flags,
-	void *usrptr);
-
 int LUKS2_token_unlock_key(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
@@ -307,8 +317,7 @@ void crypt_token_unload_external_all(struct crypt_device *cd);
 /*
  * Generic LUKS2 digest
  */
-int LUKS2_digest_any_matching(struct crypt_device *cd,
-		struct luks2_hdr *hdr,
+int LUKS2_digest_verify_by_any_matching(struct crypt_device *cd,
 		const struct volume_key *vk);
 
 int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
@@ -371,6 +380,7 @@ int LUKS2_generate_hdr(
 	const struct volume_key *vk,
 	const char *cipher_spec,
 	const char *integrity,
+	uint32_t integrity_key_size, /* in bytes, only if separate (HMAC) */
 	const char *uuid,
 	unsigned int sector_size,
 	uint64_t data_offset,
@@ -398,8 +408,10 @@ int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic);
 uint32_t LUKS2_get_sector_size(struct luks2_hdr *hdr);
 const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment);
 const char *LUKS2_get_integrity(struct luks2_hdr *hdr, int segment);
+int LUKS2_get_integrity_key_size(struct luks2_hdr *hdr, int segment);
 int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr,
 	 struct luks2_keyslot_params *params);
+int LUKS2_get_old_volume_key_size(struct luks2_hdr *hdr);
 int LUKS2_get_volume_key_size(struct luks2_hdr *hdr, int segment);
 int LUKS2_get_keyslot_stored_key_size(struct luks2_hdr *hdr, int keyslot);
 const char *LUKS2_get_keyslot_cipher(struct luks2_hdr *hdr, int keyslot, size_t *key_size);
@@ -427,7 +439,7 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3
 /*
  * Requirements for device activation or header modification
  */
-int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs);
+void LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs);
 int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs, bool commit);
 int LUKS2_config_set_requirement_version(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t req_id, uint8_t req_version, bool commit);
 
@@ -435,12 +447,10 @@ int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version);
 
 bool LUKS2_reencrypt_requirement_candidate(struct luks2_hdr *hdr);
 
-int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs_mask, int quiet);
+int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t reqs_mask, int quiet);
 
 int LUKS2_key_description_by_segment(struct crypt_device *cd,
 		struct luks2_hdr *hdr, struct volume_key *vk, int segment);
-int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd,
-		struct luks2_hdr *hdr, struct volume_key *vk, int keyslot);
 int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd,
 		struct volume_key *vk, int digest);
 
@@ -454,13 +464,6 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd,
 /*
  * LUKS2 reencryption
  */
-int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
-	int keyslot_old,
-	int keyslot_new,
-	const char *passphrase,
-	size_t passphrase_size,
-	struct volume_key **vks);
-
 int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
 	struct volume_key *vks);
 
@@ -489,20 +492,10 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd,
 	bool device_exclusive_check,
 	bool dynamic);
 
-void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd,
-        struct luks2_hdr *hdr,
-        struct volume_key *vk);
-
 int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks);
 
-int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	const struct reenc_protection *rp,
-	int reencrypt_keyslot,
-	uint64_t *r_length);
-
-void LUKS2_reencrypt_protection_erase(struct reenc_protection *rp);
+unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr);
 
 #endif
diff --git a/lib/luks2/luks2_digest.c b/lib/luks2/luks2_digest.c
index a38a220..fb9a902 100644
--- a/lib/luks2/luks2_digest.c
+++ b/lib/luks2/luks2_digest.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, digest handling
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
@@ -75,7 +75,7 @@ int LUKS2_digest_create(struct crypt_device *cd,
 
 	log_dbg(cd, "Creating new digest %d (%s).", digest, type);
 
-	return dh->store(cd, digest, vk->key, vk->keylength) ?: digest;
+	return dh->store(cd, digest, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk)) ?: digest;
 }
 
 int LUKS2_digest_by_keyslot(struct luks2_hdr *hdr, int keyslot)
@@ -108,7 +108,7 @@ int LUKS2_digest_verify_by_digest(struct crypt_device *cd,
 	if (!h)
 		return -EINVAL;
 
-	r = h->verify(cd, digest, vk->key, vk->keylength);
+	r = h->verify(cd, digest, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk));
 	if (r < 0) {
 		log_dbg(cd, "Digest %d (%s) verify failed with %d.", digest, h->name, r);
 		return r;
@@ -143,8 +143,7 @@ int LUKS2_digest_dump(struct crypt_device *cd, int digest)
 	return h->dump(cd, digest);
 }
 
-int LUKS2_digest_any_matching(struct crypt_device *cd,
-		struct luks2_hdr *hdr __attribute__((unused)),
+int LUKS2_digest_verify_by_any_matching(struct crypt_device *cd,
 		const struct volume_key *vk)
 {
 	int digest;
@@ -161,7 +160,7 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
 	int segment,
 	const struct volume_key *vk)
 {
-	int r = -EINVAL;
+	int r;
 	unsigned s;
 
 	if (segment == CRYPT_ANY_SEGMENT) {
@@ -173,7 +172,11 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
 		return -EPERM;
 	}
 
-	return LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, segment), vk);
+	r = LUKS2_digest_by_segment(hdr, segment);
+	if (r < 0)
+		return r;
+
+	return LUKS2_digest_verify_by_digest(cd, r, vk);
 }
 
 /* FIXME: segment can have more digests */
@@ -420,21 +423,7 @@ int LUKS2_key_description_by_segment(struct crypt_device *cd,
 	char *desc = get_key_description_by_digest(cd, LUKS2_digest_by_segment(hdr, segment));
 	int r;
 
-	r = crypt_volume_key_set_description(vk, desc);
-	free(desc);
-	return r;
-}
-
-int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd,
-		struct luks2_hdr *hdr, struct volume_key *vk, int keyslot)
-{
-	char *desc = get_key_description_by_digest(cd, LUKS2_digest_by_keyslot(hdr, keyslot));
-	int r;
-
-	r = crypt_volume_key_set_description(vk, desc);
-	if (!r)
-		r = crypt_volume_key_load_in_keyring(cd, vk);
-
+	r = crypt_volume_key_set_description(vk, desc, LOGON_KEY);
 	free(desc);
 	return r;
 }
@@ -445,7 +434,7 @@ int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd,
 	char *desc = get_key_description_by_digest(cd, digest);
 	int r;
 
-	r = crypt_volume_key_set_description(vk, desc);
+	r = crypt_volume_key_set_description(vk, desc, LOGON_KEY);
 	if (!r)
 		r = crypt_volume_key_load_in_keyring(cd, vk);
 
diff --git a/lib/luks2/luks2_digest_pbkdf2.c b/lib/luks2/luks2_digest_pbkdf2.c
index 3e88e6a..e5e06ee 100644
--- a/lib/luks2/luks2_digest_pbkdf2.c
+++ b/lib/luks2/luks2_digest_pbkdf2.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, PBKDF2 digest handler (LUKS1 compatible)
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
index 5939aab..e649f89 100644
--- a/lib/luks2/luks2_disk_metadata.c
+++ b/lib/luks2/luks2_disk_metadata.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
@@ -289,22 +289,25 @@ static int hdr_read_disk(struct crypt_device *cd,
  */
 static int hdr_write_disk(struct crypt_device *cd,
 			  struct device *device, struct luks2_hdr *hdr,
-			  const char *json_area, int secondary)
+			  const char *json_area, size_t write_area_len,
+			  int secondary)
 {
 	struct luks2_hdr_disk hdr_disk;
 	uint64_t offset = secondary ? hdr->hdr_size : 0;
 	size_t hdr_json_len;
 	int devfd, r;
 
+	hdr_json_len = hdr->hdr_size - LUKS2_HDR_BIN_LEN;
+
+	assert(write_area_len <= hdr_json_len);
+
 	log_dbg(cd, "Trying to write LUKS2 header (%zu bytes) at offset %" PRIu64 ".",
-		hdr->hdr_size, offset);
+		write_area_len, offset);
 
 	devfd = device_open_locked(cd, device, O_RDWR);
 	if (devfd < 0)
 		return devfd == -1 ? -EINVAL : devfd;
 
-	hdr_json_len = hdr->hdr_size - LUKS2_HDR_BIN_LEN;
-
 	hdr_to_disk(hdr, &hdr_disk, secondary, offset);
 
 	/*
@@ -321,8 +324,8 @@ static int hdr_write_disk(struct crypt_device *cd,
 	 */
 	if (write_lseek_blockwise(devfd, device_block_size(cd, device),
 				  device_alignment(device),
-				  CONST_CAST(char*)json_area, hdr_json_len,
-				  LUKS2_HDR_BIN_LEN + offset) < (ssize_t)hdr_json_len) {
+				  CONST_CAST(char*)json_area, write_area_len,
+				  LUKS2_HDR_BIN_LEN + offset) < (ssize_t)write_area_len) {
 		return -EIO;
 	}
 
@@ -401,7 +404,7 @@ int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr, struct
 {
 	char *json_area;
 	const char *json_text;
-	size_t json_area_len;
+	size_t json_data_len, json_area_len, json_area_write_len;
 	int r;
 
 	if (hdr->version != 2) {
@@ -413,29 +416,47 @@ int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr, struct
 	if (r)
 		return r;
 
-	/*
-	 * Allocate and zero JSON area (of proper header size).
-	 */
-	json_area_len = hdr->hdr_size - LUKS2_HDR_BIN_LEN;
-	json_area = crypt_zalloc(json_area_len);
-	if (!json_area)
-		return -ENOMEM;
-
 	/*
 	 * Generate text space-efficient JSON representation to json area.
 	 */
-	json_text = json_object_to_json_string_ext(hdr->jobj,
-			JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
+	json_text = crypt_jobj_to_string_on_disk(hdr->jobj);
 	if (!json_text || !*json_text) {
 		log_dbg(cd, "Cannot parse JSON object to text representation.");
-		free(json_area);
 		return -ENOMEM;
 	}
-	if (strlen(json_text) > (json_area_len - 1)) {
-		log_dbg(cd, "JSON is too large (%zu > %zu).", strlen(json_text), json_area_len);
-		free(json_area);
+
+	json_area_len = hdr->hdr_size - LUKS2_HDR_BIN_LEN;
+	json_area_write_len = json_data_len = strlen(json_text);
+
+	if (json_data_len > (json_area_len - 1)) {
+		log_dbg(cd, "JSON is too large (%zu > %zu).", json_data_len, json_area_len - 1);
 		return -EINVAL;
 	}
+
+	/*
+	 * Allocate and zero JSON area (of proper header size).
+	 */
+	json_area = crypt_zalloc(json_area_len);
+	if (!json_area)
+		return -ENOMEM;
+
+	/*
+	 * If the metadata in 'json_area' buffer is smaller than last on-disk
+	 * metadata we also have to erase the remaining bytes between the tail
+	 * of current metadata and the on-disk metadata end pointer. Set write
+	 * area length large enough to overwrite it.
+	 *
+	 * If seqid_check is turned off (during LUKS2 format) write entire
+	 * LUKS2 metadata size instead.
+	 *
+	 * Turn off the optimization also during metadata upconversion
+	 * (hdr->on_disk_json_end_offset == 0).
+	 */
+	if (seqid_check && (json_data_len < hdr->on_disk_json_end_offset))
+		json_area_write_len = hdr->on_disk_json_end_offset;
+	else if (!seqid_check || !hdr->on_disk_json_end_offset)
+		json_area_write_len = json_area_len;
+
 	strncpy(json_area, json_text, json_area_len);
 
 	if (seqid_check)
@@ -451,13 +472,16 @@ int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr, struct
 	hdr->seqid++;
 
 	/* Write primary and secondary header */
-	r = hdr_write_disk(cd, device, hdr, json_area, 0);
+	r = hdr_write_disk(cd, device, hdr, json_area, json_area_write_len, 0);
 	if (!r)
-		r = hdr_write_disk(cd, device, hdr, json_area, 1);
+		r = hdr_write_disk(cd, device, hdr, json_area, json_area_write_len, 1);
 
 	if (r)
 		log_dbg(cd, "LUKS2 header write failed (%d).", r);
 
+	/* store new json end pointer or reset it on error */
+	hdr->on_disk_json_end_offset = r ? 0 : json_data_len;
+
 	device_write_unlock(cd, device);
 
 	free(json_area);
@@ -525,12 +549,15 @@ static int validate_luks2_json_object(struct crypt_device *cd, json_object *jobj
 }
 
 static json_object *parse_and_validate_json(struct crypt_device *cd,
-					    const char *json_area, uint64_t hdr_size)
+					    const char *json_area, uint64_t hdr_size,
+					    uint64_t *json_area_end)
 {
 	int json_len, r;
 	json_object *jobj;
 	uint64_t max_length;
 
+	assert(json_area_end);
+
 	if (hdr_size <= LUKS2_HDR_BIN_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
 		log_dbg(cd, "LUKS2 header JSON has bogus size 0x%04" PRIx64 ".", hdr_size);
 		return NULL;
@@ -554,6 +581,8 @@ static json_object *parse_and_validate_json(struct crypt_device *cd,
 		jobj = NULL;
 	}
 
+	*json_area_end = json_len;
+
 	return jobj;
 }
 
@@ -617,7 +646,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 	json_object *jobj_hdr1 = NULL, *jobj_hdr2 = NULL;
 	unsigned int i;
 	int r;
-	uint64_t hdr_size;
+	uint64_t hdr_size, json_area_end1 = 0, json_area_end2 = 0;
 	uint64_t hdr2_offsets[] = LUKS2_HDR2_OFFSETS;
 
 	/* Skip auto-recovery if locks are disabled and we're not doing LUKS2 explicit repair */
@@ -632,7 +661,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 	state_hdr1 = HDR_FAIL;
 	r = hdr_read_disk(cd, device, &hdr_disk1, &json_area1, 0, 0);
 	if (r == 0) {
-		jobj_hdr1 = parse_and_validate_json(cd, json_area1, be64_to_cpu(hdr_disk1.hdr_size));
+		jobj_hdr1 = parse_and_validate_json(cd, json_area1, be64_to_cpu(hdr_disk1.hdr_size), &json_area_end1);
 		state_hdr1 = jobj_hdr1 ? HDR_OK : HDR_OBSOLETE;
 	} else if (r == -EIO)
 		state_hdr1 = HDR_FAIL_IO;
@@ -644,7 +673,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 	if (state_hdr1 != HDR_FAIL && state_hdr1 != HDR_FAIL_IO) {
 		r = hdr_read_disk(cd, device, &hdr_disk2, &json_area2, be64_to_cpu(hdr_disk1.hdr_size), 1);
 		if (r == 0) {
-			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size));
+			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size), &json_area_end2);
 			state_hdr2 = jobj_hdr2 ? HDR_OK : HDR_OBSOLETE;
 		} else if (r == -EIO)
 			state_hdr2 = HDR_FAIL_IO;
@@ -657,7 +686,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 			r = hdr_read_disk(cd, device, &hdr_disk2, &json_area2, hdr2_offsets[i], 1);
 
 		if (r == 0) {
-			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size));
+			jobj_hdr2 = parse_and_validate_json(cd, json_area2, be64_to_cpu(hdr_disk2.hdr_size), &json_area_end2);
 			state_hdr2 = jobj_hdr2 ? HDR_OK : HDR_OBSOLETE;
 		} else if (r == -EIO)
 			state_hdr2 = HDR_FAIL_IO;
@@ -706,7 +735,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 				log_dbg(cd, "Cannot generate header salt.");
 			else {
 				hdr_from_disk(&hdr_disk1, &hdr_disk2, hdr, 0);
-				r = hdr_write_disk(cd, device, hdr, json_area1, 1);
+				r = hdr_write_disk(cd, device, hdr, json_area1, hdr->hdr_size - LUKS2_HDR_BIN_LEN, 1);
 			}
 			if (r)
 				log_dbg(cd, "Secondary LUKS2 header recovery failed.");
@@ -727,7 +756,7 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 				log_dbg(cd, "Cannot generate header salt.");
 			else {
 				hdr_from_disk(&hdr_disk2, &hdr_disk1, hdr, 1);
-				r = hdr_write_disk(cd, device, hdr, json_area2, 0);
+				r = hdr_write_disk(cd, device, hdr, json_area2, hdr->hdr_size - LUKS2_HDR_BIN_LEN, 0);
 			}
 			if (r)
 				log_dbg(cd, "Primary LUKS2 header recovery failed.");
@@ -756,6 +785,11 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 		json_object_put(jobj_hdr1);
 	}
 
+	if (json_area_end1 > json_area_end2)
+		hdr->on_disk_json_end_offset = json_area_end1;
+	else
+		hdr->on_disk_json_end_offset = json_area_end2;
+
 	/*
 	 * FIXME: should this fail? At least one header was read correctly.
 	 * r = (state_hdr1 == HDR_FAIL_IO || state_hdr2 == HDR_FAIL_IO) ? -EIO : -EINVAL;
diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
index 6f991c0..adaea91 100644
--- a/lib/luks2/luks2_internal.h
+++ b/lib/luks2/luks2_internal.h
@@ -1,9 +1,9 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
- * LUKS - Linux Unified Key Setup v2
+ * LUKS - Linux Unified Key Setup v2 (with JSON internals)
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #ifndef _CRYPTSETUP_LUKS2_INTERNAL_H
@@ -48,6 +48,16 @@ uint64_t crypt_jobj_get_uint64(json_object *jobj);
 uint32_t crypt_jobj_get_uint32(json_object *jobj);
 json_object *crypt_jobj_new_uint64(uint64_t value);
 
+/*
+ * Generate json format string representation libcryptsetup uses
+ * to store json metadata on disk.
+ */
+static inline const char *crypt_jobj_to_string_on_disk(json_object *jobj)
+{
+	return json_object_to_json_string_ext(jobj,
+			JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
+}
+
 int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
 int json_object_object_add_by_uint_by_ref(json_object *jobj, unsigned key, json_object **jobj_val_ref);
 void json_object_object_del_by_uint(json_object *jobj, unsigned key);
@@ -89,7 +99,7 @@ json_object *LUKS2_array_remove(json_object *array, const char *num);
  */
 
 /**
- * LUKS2 keyslots handlers (EXPERIMENTAL)
+ * LUKS2 keyslots handlers
  */
 typedef int (*keyslot_alloc_func)(struct crypt_device *cd, int keyslot,
 				  size_t volume_key_len,
@@ -152,7 +162,7 @@ struct reenc_protection {
 };
 
 /**
- * LUKS2 digest handlers (EXPERIMENTAL)
+ * LUKS2 digest handlers
  */
 typedef int (*digest_verify_func)(struct crypt_device *cd, int digest,
 				  const char *volume_key, size_t volume_key_len);
@@ -292,7 +302,7 @@ void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
 uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
 json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
 json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length,
-				       const char *cipher, const char *integrity,
+				       const char *cipher, const char *integrity, uint32_t integrity_key_size,
 				       uint32_t sector_size, unsigned reencryption);
 json_object *json_segment_create_opal(uint64_t offset, const uint64_t *length,
 				      uint32_t segment_number, uint32_t key_size);
@@ -337,10 +347,6 @@ uint64_t LUKS2_segment_size(struct luks2_hdr *hdr,
 	int segment,
 	unsigned blockwise);
 
-bool LUKS2_segment_set_size(struct luks2_hdr *hdr,
-	int segment,
-	const uint64_t *segment_size_bytes);
-
 uint64_t LUKS2_opal_segment_size(struct luks2_hdr *hdr,
 	int segment,
 	unsigned blockwise);
@@ -349,14 +355,6 @@ int LUKS2_segment_is_type(struct luks2_hdr *hdr,
 	int segment,
 	const char *type);
 
-bool LUKS2_segment_is_hw_opal(struct luks2_hdr *hdr, int segment);
-bool LUKS2_segment_is_hw_opal_crypt(struct luks2_hdr *hdr, int segment);
-bool LUKS2_segment_is_hw_opal_only(struct luks2_hdr *hdr, int segment);
-
-int LUKS2_get_opal_segment_number(struct luks2_hdr *hdr, int segment,
-				  uint32_t *ret_opal_segment_number);
-int LUKS2_get_opal_key_size(struct luks2_hdr *hdr, int segment);
-
 int LUKS2_segment_by_type(struct luks2_hdr *hdr,
 	const char *type);
 
@@ -365,13 +363,20 @@ int LUKS2_last_segment_by_type(struct luks2_hdr *hdr,
 
 int LUKS2_get_default_segment(struct luks2_hdr *hdr);
 
-bool LUKS2_segments_dynamic_size(struct luks2_hdr *hdr);
-
 int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr);
-unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr);
+int LUKS2_reencrypt_segment_new(struct luks2_hdr *hdr);
+int LUKS2_reencrypt_segment_old(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise);
 
+int LUKS2_reencrypt_max_hotzone_size(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	const struct reenc_protection *rp,
+	int reencrypt_keyslot,
+	uint64_t *r_length);
+
+void LUKS2_reencrypt_protection_erase(struct reenc_protection *rp);
+
 /*
  * Generic LUKS2 digest
  */
diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c
index 2c7031c..2098028 100644
--- a/lib/luks2/luks2_json_format.c
+++ b/lib/luks2/luks2_json_format.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 header format code
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
@@ -193,6 +193,7 @@ int LUKS2_generate_hdr(
 	const struct volume_key *vk,
 	const char *cipher_spec,
 	const char *integrity,
+	uint32_t integrity_key_size, /* in bytes, only if separate (HMAC) */
 	const char *uuid,
 	unsigned int sector_size,  /* in bytes */
 	uint64_t data_offset,      /* in bytes */
@@ -279,8 +280,8 @@ int LUKS2_generate_hdr(
 	if (!opal_key_size)
 		jobj_segment = json_segment_create_crypt(data_offset, 0,
 							 NULL, cipher_spec,
-							 integrity, sector_size,
-							 0);
+							 integrity, integrity_key_size,
+							 sector_size, 0);
 	else if (opal_key_size && cipher_spec)
 		jobj_segment = json_segment_create_opal_crypt(data_offset, &device_size_bytes,
 							      opal_segment_number, opal_key_size, 0,
diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
index d30d52d..15e83a8 100644
--- a/lib/luks2/luks2_json_metadata.c
+++ b/lib/luks2/luks2_json_metadata.c
@@ -2,9 +2,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
- * Copyright (C) 2015-2024 Ondrej Kozina
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
+ * Copyright (C) 2015-2025 Ondrej Kozina
  */
 
 #include "luks2_internal.h"
@@ -13,8 +13,6 @@
 #include <ctype.h>
 #include <uuid/uuid.h>
 
-#define LUKS_STRIPES 4000
-
 struct interval {
 	uint64_t offset;
 	uint64_t length;
@@ -467,8 +465,7 @@ static int hdr_validate_json_size(struct crypt_device *cd, json_object *hdr_jobj
 	json_object_object_get_ex(hdr_jobj, "config", &jobj);
 	json_object_object_get_ex(jobj, "json_size", &jobj1);
 
-	json = json_object_to_json_string_ext(hdr_jobj,
-		JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
+	json = crypt_jobj_to_string_on_disk(hdr_jobj);
 	if (!json)
 		return 1;
 
@@ -636,6 +633,11 @@ static int reqs_opal(uint32_t reqs)
 	return reqs & CRYPT_REQUIREMENT_OPAL;
 }
 
+static int reqs_inline_hw_tags(uint32_t reqs)
+{
+	return reqs & CRYPT_REQUIREMENT_INLINE_HW_TAGS;
+}
+
 /*
  * Config section requirements object must be valid.
  * Also general segments section must be validated first.
@@ -644,14 +646,12 @@ static int validate_reencrypt_segments(struct crypt_device *cd, json_object *hdr
 {
 	json_object *jobj, *jobj_backup_previous = NULL, *jobj_backup_final = NULL;
 	uint32_t reqs;
-	int i, r;
+	int i;
 	struct luks2_hdr dummy = {
 		.jobj = hdr_jobj
 	};
 
-	r = LUKS2_config_get_requirements(cd, &dummy, &reqs);
-	if (r)
-		return 1;
+	LUKS2_config_get_requirements(cd, &dummy, &reqs);
 
 	if (reqs_reencrypt_online(reqs)) {
 		for (i = first_backup; i < segments_count; i++) {
@@ -1272,7 +1272,11 @@ int LUKS2_hdr_uuid(struct crypt_device *cd, struct luks2_hdr *hdr, const char *u
 int LUKS2_hdr_labels(struct crypt_device *cd, struct luks2_hdr *hdr,
 		     const char *label, const char *subsystem, int commit)
 {
-	//FIXME: check if the labels are the same and skip this.
+	if ((label && strlen(label) >= LUKS2_LABEL_L) ||
+	    (subsystem && strlen(subsystem) >= LUKS2_LABEL_L)) {
+		log_err(cd, _("Label is too long."));
+		return -EINVAL;
+	}
 
 	memset(hdr->label, 0, LUKS2_LABEL_L);
 	if (label)
@@ -1426,7 +1430,8 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
 	}
 
 	/* do not allow header restore from backup with unmet requirements */
-	if (LUKS2_unmet_requirements(cd, &hdr_file, CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 1)) {
+	if (LUKS2_unmet_requirements(cd, &hdr_file,
+	    CRYPT_REQUIREMENT_ONLINE_REENCRYPT | CRYPT_REQUIREMENT_INLINE_HW_TAGS, 1)) {
 		log_err(cd, _("Forbidden LUKS2 requirements detected in backup %s."),
 			backup_file);
 		r = -ETXTBSY;
@@ -1458,9 +1463,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
 	r = LUKS2_hdr_read(cd, &tmp_hdr, 0);
 	if (r == 0) {
 		log_dbg(cd, "Device %s already contains LUKS2 header, checking UUID and requirements.", device_path(device));
-		r = LUKS2_config_get_requirements(cd, &tmp_hdr, &reqs);
-		if (r)
-			goto out;
+		LUKS2_config_get_requirements(cd, &tmp_hdr, &reqs);
 
 		if (memcmp(tmp_hdr.uuid, hdr_file.uuid, LUKS2_UUID_L))
 			diff_uuid = 1;
@@ -1544,7 +1547,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
  * Persistent config flags
  */
 static const struct  {
-	uint32_t flag;
+	uint64_t flag;
 	const char *description;
 } persistent_flags[] = {
 	{ CRYPT_ACTIVATE_ALLOW_DISCARDS,         "allow-discards" },
@@ -1553,6 +1556,7 @@ static const struct  {
 	{ CRYPT_ACTIVATE_NO_JOURNAL,             "no-journal" },
 	{ CRYPT_ACTIVATE_NO_READ_WORKQUEUE,      "no-read-workqueue" },
 	{ CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE,     "no-write-workqueue" },
+	{ CRYPT_ACTIVATE_HIGH_PRIORITY,          "high_priority" },
 	{ 0, NULL }
 };
 
@@ -1642,6 +1646,7 @@ static const struct requirement_flag requirements_flags[] = {
 	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 2, "online-reencrypt-v2" },
 	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 3, "online-reencrypt-v3" },
 	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 1, "online-reencrypt" },
+	{ CRYPT_REQUIREMENT_INLINE_HW_TAGS,   1, "inline-hw-tags" },
 	{ CRYPT_REQUIREMENT_OPAL,	      1, "opal" },
 	{ 0, 0, NULL }
 };
@@ -1764,7 +1769,7 @@ static const struct requirement_flag *stored_requirement_name_by_id(struct luks2
 /*
  * returns count of requirements (past cryptsetup 2.0 release)
  */
-int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs)
+void LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs)
 {
 	json_object *jobj_mandatory, *jobj;
 	int i, len;
@@ -1777,11 +1782,11 @@ int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 
 	jobj_mandatory = mandatory_requirements_jobj(hdr);
 	if (!jobj_mandatory)
-		return 0;
+		return;
 
 	len = (int) json_object_array_length(jobj_mandatory);
 	if (len <= 0)
-		return 0;
+		return;
 
 	log_dbg(cd, "LUKS2 requirements detected:");
 
@@ -1792,8 +1797,6 @@ int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 				        reqs_unknown(req->flag) ? "un" : "");
 		*reqs |= req->flag;
 	}
-
-	return 0;
 }
 
 int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs, bool commit)
@@ -1801,7 +1804,7 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 	json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj;
 	int i, r = -EINVAL;
 	const struct requirement_flag *req;
-	uint32_t req_id;
+	uint64_t req_id;
 
 	if (!hdr)
 		return -EINVAL;
@@ -2128,6 +2131,10 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj)
 		    json_object_object_get_ex(jobj1, "type", &jobj2))
 			log_std(cd, "\tintegrity: %s\n", json_object_get_string(jobj2));
 
+		if (json_object_object_get_ex(jobj_segment, "integrity", &jobj1) &&
+		    json_object_object_get_ex(jobj1, "key_size", &jobj2))
+			log_std(cd, "\tintegrity key size: %" PRIu32 " [bits]\n", crypt_jobj_get_uint32(jobj2) * 8);
+
 		if (json_object_object_get_ex(jobj_segment, "flags", &jobj1) &&
 		    (flags = (int)json_object_array_length(jobj1)) > 0) {
 			jobj2 = json_object_array_get_idx(jobj1, 0);
@@ -2304,12 +2311,7 @@ crypt_reencrypt_info LUKS2_reencrypt_status(struct luks2_hdr *hdr)
 {
 	uint32_t reqs;
 
-	/*
-	 * Any unknown requirement or offline reencryption should abort
-	 * anything related to online-reencryption handling
-	 */
-	if (LUKS2_config_get_requirements(NULL, hdr, &reqs))
-		return CRYPT_REENCRYPT_INVALID;
+	LUKS2_config_get_requirements(NULL, hdr, &reqs);
 
 	if (!reqs_reencrypt_online(reqs))
 		return CRYPT_REENCRYPT_NONE;
@@ -2363,6 +2365,24 @@ const char *LUKS2_get_integrity(struct luks2_hdr *hdr, int segment)
 	return json_object_get_string(jobj3);
 }
 
+int LUKS2_get_integrity_key_size(struct luks2_hdr *hdr, int segment)
+{
+	json_object *jobj1, *jobj2, *jobj3;
+
+	jobj1 = LUKS2_get_segment_jobj(hdr, segment);
+	if (!jobj1)
+		return -1;
+
+	if (!json_object_object_get_ex(jobj1, "integrity", &jobj2))
+		return -1;
+
+	/* The value is optional, do not fail if not present */
+	if (!json_object_object_get_ex(jobj2, "key_size", &jobj3))
+		return 0;
+
+	return json_object_get_int(jobj3);
+}
+
 /* FIXME: this only ensures that once we have journal encryption, it is not ignored. */
 /* implement segment count and type restrictions (crypt and only single crypt) */
 static int LUKS2_integrity_compatible(struct luks2_hdr *hdr)
@@ -2450,6 +2470,19 @@ int LUKS2_get_volume_key_size(struct luks2_hdr *hdr, int segment)
 	return -1;
 }
 
+int LUKS2_get_old_volume_key_size(struct luks2_hdr *hdr)
+{
+	int old_segment;
+
+	assert(hdr);
+
+	old_segment = LUKS2_reencrypt_segment_old(hdr);
+	if (old_segment < 0)
+		return old_segment;
+
+	return LUKS2_get_volume_key_size(hdr, old_segment);
+}
+
 uint32_t LUKS2_get_sector_size(struct luks2_hdr *hdr)
 {
 	return json_segment_get_sector_size(LUKS2_get_segment_jobj(hdr, CRYPT_DEFAULT_SEGMENT));
@@ -2518,7 +2551,7 @@ int LUKS2_assembly_multisegment_dmd(struct crypt_device *cd,
 					crypt_data_device(cd), vk,
 					json_segment_get_cipher(jobj),
 					json_segment_get_iv_offset(jobj),
-					segment_offset, "none", 0,
+					segment_offset, "none", 0, 0,
 					json_segment_get_sector_size(jobj));
 			if (r) {
 				log_err(cd, _("Failed to set dm-crypt segment."));
@@ -2632,7 +2665,7 @@ int LUKS2_activate(struct crypt_device *cd,
 {
 	int r;
 	bool dynamic, read_lock, write_lock, opal_lock_on_error = false;
-	uint32_t opal_segment_number;
+	uint32_t opal_segment_number, req_flags;
 	uint64_t range_offset_sectors, range_length_sectors, device_length_bytes;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 	struct crypt_dm_active_device dmdi = {}, dmd = {
@@ -2641,7 +2674,8 @@ int LUKS2_activate(struct crypt_device *cd,
 	struct crypt_lock_handle *opal_lh = NULL;
 
 	/* do not allow activation when particular requirements detected */
-	if ((r = LUKS2_unmet_requirements(cd, hdr, CRYPT_REQUIREMENT_OPAL, 0)))
+	if ((r = LUKS2_unmet_requirements(cd, hdr,
+	     CRYPT_REQUIREMENT_OPAL | CRYPT_REQUIREMENT_INLINE_HW_TAGS, 0)))
 		return r;
 
 	/* Check that cipher is in compatible format */
@@ -2714,7 +2748,7 @@ int LUKS2_activate(struct crypt_device *cd,
 					crypt_key, crypt_get_cipher_spec(cd),
 					crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
 					crypt_get_integrity(cd) ?: "none",
-					crypt_get_integrity_tag_size(cd),
+					crypt_get_integrity_key_size(cd, true), crypt_get_integrity_tag_size(cd),
 					crypt_get_sector_size(cd));
 	} else
 		r = dm_linear_target_set(&dmd.segment, 0,
@@ -2730,7 +2764,13 @@ int LUKS2_activate(struct crypt_device *cd,
 
 	dmd.flags |= flags;
 
-	if (crypt_get_integrity_tag_size(cd)) {
+	if (crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &req_flags)) {
+		r = -EINVAL;
+		goto out;
+	}
+
+	if (crypt_get_integrity_tag_size(cd) &&
+	    !(req_flags & CRYPT_REQUIREMENT_INLINE_HW_TAGS)) {
 		if (!LUKS2_integrity_compatible(hdr)) {
 			log_err(cd, _("Unsupported device integrity configuration."));
 			r = -EINVAL;
@@ -2810,14 +2850,14 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 	struct crypt_dm_active_device dmdc;
 	uint32_t opal_segment_number;
 	char **dep, deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = { 0 };
-	const char *namei = NULL;
+	char *iname = NULL;
 	struct crypt_lock_handle *reencrypt_lock = NULL, *opal_lh = NULL;
 
 	if (!dmd || !dmd->uuid || strncmp(CRYPT_LUKS2, dmd->uuid, sizeof(CRYPT_LUKS2)-1))
 		return -EINVAL;
 
 	/* uuid mismatch with metadata (if available) */
-	if (hdr && crypt_uuid_cmp(dmd->uuid, hdr->uuid))
+	if (hdr && dm_uuid_cmp(dmd->uuid, hdr->uuid))
 		return -EINVAL;
 
 	r = snprintf(deps_uuid_prefix, sizeof(deps_uuid_prefix), CRYPT_SUBDEV "-%.32s", dmd->uuid + 6);
@@ -2825,15 +2865,15 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 		return -EINVAL;
 
 	/* check if active device has LUKS2-OPAL dm uuid prefix */
-	dm_opal_uuid = !crypt_uuid_type_cmp(dmd->uuid, CRYPT_LUKS2_HW_OPAL);
+	dm_opal_uuid = !dm_uuid_type_cmp(dmd->uuid, CRYPT_LUKS2_HW_OPAL);
 	if (dm_opal_uuid && hdr && !LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT))
 		return -EINVAL;
 
 	tgt = &dmd->segment;
 
 	/* TODO: We have LUKS2 dependencies now */
-	if (single_segment(dmd) && tgt->type == DM_CRYPT && tgt->u.crypt.tag_size)
-		namei = device_dm_name(tgt->data_device);
+	if (tgt->type == DM_CRYPT && tgt->u.crypt.tag_size)
+	    iname = dm_get_active_iname(cd, name);
 
 	r = dm_device_deps(cd, name, deps_uuid_prefix, deps, ARRAY_SIZE(deps));
 	if (r < 0)
@@ -2871,23 +2911,34 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 		tgt = &dmdc.segment;
 		while (tgt) {
 			if (tgt->type == DM_CRYPT)
-				crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description,
-					LOGON_KEY);
+				crypt_volume_key_drop_kernel_key(cd, tgt->u.crypt.vk);
 			tgt = tgt->next;
 		}
 	}
 	dm_targets_free(cd, &dmdc);
 
 	/* TODO: We have LUKS2 dependencies now */
-	if (r >= 0 && namei) {
-		log_dbg(cd, "Deactivating integrity device %s.", namei);
-		r = dm_remove_device(cd, namei, 0);
+	if (r >= 0 && iname) {
+		log_dbg(cd, "Deactivating integrity device %s.", iname);
+		r = dm_remove_device(cd, iname, 0);
 	}
 
 	if (!r) {
 		ret = 0;
 		dep = deps;
 		while (*dep) {
+			/*
+			 * FIXME: dm-integrity has now proper SUBDEV prefix so
+			 * it would be deactivated here, but due to specific
+			 * dm_remove_device(iname) above the iname device
+			 * is no longer active. This will be fixed when
+			 * we switch to SUBDEV deactivation after 2.8 release.
+			 */
+			if (iname && !strcmp(*dep, iname)) {
+				dep++;
+				continue;
+			}
+
 			log_dbg(cd, "Deactivating LUKS2 dependent device %s.", *dep);
 			r = dm_query_device(cd, *dep, DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_CRYPT_KEYSIZE, &dmdc);
 			if (r < 0) {
@@ -2907,8 +2958,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 				tgt = &dmdc.segment;
 				while (tgt) {
 					if (tgt->type == DM_CRYPT)
-						crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description,
-							LOGON_KEY);
+						crypt_volume_key_drop_kernel_key(cd, tgt->u.crypt.vk);
 					tgt = tgt->next;
 				}
 			}
@@ -2950,6 +3000,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 out:
 	opal_exclusive_unlock(cd, opal_lh);
 	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
+	free(iname);
 	dep = deps;
 	while (*dep)
 		free(*dep++);
@@ -2957,16 +3008,11 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 	return r;
 }
 
-int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs_mask, int quiet)
+int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t reqs_mask, int quiet)
 {
 	uint32_t reqs;
-	int r = LUKS2_config_get_requirements(cd, hdr, &reqs);
 
-	if (r) {
-		if (!quiet)
-			log_err(cd, _("Failed to read LUKS2 requirements."));
-		return r;
-	}
+	LUKS2_config_get_requirements(cd, hdr, &reqs);
 
 	/* do not mask unknown requirements check */
 	if (reqs_unknown(reqs)) {
@@ -2984,6 +3030,8 @@ int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uin
 		log_err(cd, _("Operation incompatible with device marked for LUKS2 reencryption. Aborting."));
 	if (reqs_opal(reqs) && !quiet)
 		log_err(cd, _("Operation incompatible with device using OPAL. Aborting."));
+	if (reqs_inline_hw_tags(reqs) && !quiet)
+		log_err(cd, _("Operation incompatible with device using inline HW tags. Aborting."));
 
 	/* any remaining unmasked requirement fails the check */
 	return reqs ? -EINVAL : 0;
@@ -3092,22 +3140,22 @@ int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd __attribute__((unuse
 	if (r < 0)
 		return -EINVAL;
 
-	if (vk->keylength < opal_user_key_size)
+	if (crypt_volume_key_length(vk) < opal_user_key_size)
 		return -EINVAL;
 
 	/* OPAL SEGMENT only */
-	if (vk->keylength == opal_user_key_size) {
+	if (crypt_volume_key_length(vk) == opal_user_key_size) {
 		*ret_crypt_key = NULL;
 		*ret_opal_key = NULL;
 		return 0;
 	}
 
-	opal_key = crypt_alloc_volume_key(opal_user_key_size, vk->key);
+	opal_key = crypt_alloc_volume_key(opal_user_key_size, crypt_volume_key_get_key(vk));
 	if (!opal_key)
 		return -ENOMEM;
 
-	crypt_key = crypt_alloc_volume_key(vk->keylength - opal_user_key_size,
-					   vk->key + opal_user_key_size);
+	crypt_key = crypt_alloc_volume_key(crypt_volume_key_length(vk) - opal_user_key_size,
+					   crypt_volume_key_get_key(vk) + opal_user_key_size);
 	if (!crypt_key) {
 		crypt_free_volume_key(opal_key);
 		return -ENOMEM;
diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
index bb9d453..9072570 100644
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -2,11 +2,12 @@
 /*
  * LUKS - Linux Unified Key Setup v2, keyslot handling
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
+#include "keyslot_context.h"
 
 /* Internal implementations */
 extern const keyslot_handler luks2_keyslot;
@@ -75,8 +76,38 @@ int LUKS2_keyslot_find_empty(struct crypt_device *cd, struct luks2_hdr *hdr, siz
 /* Check if a keyslot is assigned to specific segment */
 static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
 {
-	int keyslot_digest, count = 0;
+	json_object *jobj_keyslots, *jobj;
+	crypt_keyslot_priority slot_priority;
 	unsigned s;
+	int keyslot_digest, count = 0;
+
+	/*
+	 * Must not be called with both keyslot == CRYPT_ANY_SLOT
+	 * and segment == CRYPT_ONE_SEGMENT. The CRYPT_DEFAULT_SEGMENT
+	 * and CRYPT_ANY_SEGMENT are handled properly in upper layer.
+	 */
+	assert(keyslot >= 0 || segment >= 0);
+
+	if (keyslot == CRYPT_ANY_SLOT) {
+		json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
+
+		json_object_object_foreach(jobj_keyslots, slot, val) {
+			if (!json_object_object_get_ex(val, "priority", &jobj))
+				slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
+			else
+				slot_priority = json_object_get_int(jobj);
+
+			if (slot_priority < CRYPT_SLOT_PRIORITY_NORMAL)
+				continue;
+
+			keyslot_digest = LUKS2_digest_by_keyslot(hdr, atoi(slot));
+			if (keyslot_digest >= 0 &&
+			    keyslot_digest == LUKS2_digest_by_segment(hdr, segment))
+				return 1;
+		}
+
+		return 0;
+	}
 
 	keyslot_digest = LUKS2_digest_by_keyslot(hdr, keyslot);
 	if (keyslot_digest < 0)
@@ -93,16 +124,6 @@ static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
 	return count;
 }
 
-static int _keyslot_for_digest(struct luks2_hdr *hdr, int keyslot, int digest)
-{
-	int r = -EINVAL;
-
-	r = LUKS2_digest_by_keyslot(hdr, keyslot);
-	if (r < 0)
-		return r;
-	return r == digest ? 0 : -ENOENT;
-}
-
 int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
 {
 	int r = -EINVAL;
@@ -144,7 +165,17 @@ int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *ciphe
 {
 	char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
 
-	if (!cipher_spec || crypt_is_cipher_null(cipher_spec))
+	if (!cipher_spec)
+		return 1;
+
+	/*
+	 * Do not allow capi format for keyslots
+	 * Note: It always failed in ivsize check later anyway.
+	 */
+	if (!strncmp(cipher_spec, "capi:", 5))
+		return 1;
+
+	if (crypt_is_cipher_null(cipher_spec))
 		return 1;
 
 	if (crypt_parse_name_and_mode(cipher_spec, cipher, NULL, cipher_mode) < 0)
@@ -318,61 +349,43 @@ static int _open_and_verify(struct crypt_device *cd,
 	int keyslot,
 	const char *password,
 	size_t password_len,
-	struct volume_key **vk)
+	struct volume_key **r_vk)
 {
 	int r, key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
+	struct volume_key *vk = NULL;
+	void *key = NULL;
 
 	if (key_size < 0)
 		return -EINVAL;
 
-	*vk = crypt_alloc_volume_key(key_size, NULL);
-	if (!*vk)
+	key = crypt_safe_alloc(key_size);
+	if (!key)
 		return -ENOMEM;
 
-	r = h->open(cd, keyslot, password, password_len, (*vk)->key, (*vk)->keylength);
-	if (r < 0)
-		log_dbg(cd, "Keyslot %d (%s) open failed with %d.", keyslot, h->name, r);
-	else
-		r = LUKS2_digest_verify(cd, hdr, *vk, keyslot);
-
+	r = h->open(cd, keyslot, password, password_len, key, key_size);
 	if (r < 0) {
-		crypt_free_volume_key(*vk);
-		*vk = NULL;
+		log_dbg(cd, "Keyslot %d (%s) open failed with %d.", keyslot, h->name, r);
+		goto err;
 	}
 
-	crypt_volume_key_set_id(*vk, r);
-
-	return r < 0 ? r : keyslot;
-}
-
-static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	int digest,
-	const char *password,
-	size_t password_len,
-	struct volume_key **vk)
-{
-	const keyslot_handler *h;
-	int r;
-
-	if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
-		return -ENOENT;
-
-	r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
-	if (r) {
-		log_dbg(cd, "Keyslot %d validation failed.", keyslot);
-		return r;
+	vk = crypt_alloc_volume_key_by_safe_alloc(&key);
+	if (!vk) {
+		r = -ENOMEM;
+		goto err;
 	}
 
-	r = _keyslot_for_digest(hdr, keyslot, digest);
-	if (r) {
-		if (r == -ENOENT)
-			log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
-		return r;
-	}
+	r = LUKS2_digest_verify(cd, hdr, vk, keyslot);
+	if (r < 0)
+		goto err;
 
-	return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
+	crypt_volume_key_set_id(vk, r);
+	*r_vk = vk;
+	return keyslot;
+err:
+	crypt_safe_free(key);
+	crypt_free_volume_key(vk);
+
+	return r;
 }
 
 static int LUKS2_open_and_verify(struct crypt_device *cd,
@@ -405,12 +418,12 @@ static int LUKS2_open_and_verify(struct crypt_device *cd,
 	return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
 }
 
-static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
+static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	crypt_keyslot_priority priority,
 	const char *password,
 	size_t password_len,
-	int digest,
+	int segment,
 	struct volume_key **vk)
 {
 	json_object *jobj_keyslots, *jobj;
@@ -434,7 +447,7 @@ static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
 			continue;
 		}
 
-		r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
+		r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
 
 		/* Do not retry for errors that are no -EPERM or -ENOENT,
 		   former meaning password wrong, latter key slot unusable for segment */
@@ -448,113 +461,83 @@ static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
 	return r;
 }
 
-static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	crypt_keyslot_priority priority,
-	const char *password,
-	size_t password_len,
-	int segment,
-	struct volume_key **vk)
+static int keyslot_context_open_all_segments(struct crypt_device *cd,
+	int keyslot_old,
+	int keyslot_new,
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new,
+	struct volume_key **r_vks)
 {
-	json_object *jobj_keyslots, *jobj;
-	crypt_keyslot_priority slot_priority;
-	int keyslot, r = -ENOENT, r_old;
-
-	json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
-
-	json_object_object_foreach(jobj_keyslots, slot, val) {
-		r_old = r;
-
-		if (!json_object_object_get_ex(val, "priority", &jobj))
-			slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
-		else
-			slot_priority = json_object_get_int(jobj);
-
-		keyslot = atoi(slot);
-		if (slot_priority != priority) {
-			log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
-				keyslot, slot_priority, priority);
-			continue;
-		}
+	int segment_old, segment_new, digest_old = -1, digest_new = -1, r = -ENOENT;
+	struct luks2_hdr *hdr;
+	struct volume_key *vk = NULL;
 
-		r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
+	assert(cd);
+	assert(!kc_old || kc_old->get_luks2_key);
+	assert(!kc_new || kc_new->get_luks2_key);
+	assert(r_vks);
 
-		/* Do not retry for errors that are no -EPERM or -ENOENT,
-		   former meaning password wrong, latter key slot unusable for segment */
-		if ((r != -EPERM) && (r != -ENOENT))
-			break;
-		/* If a previous keyslot failed with EPERM (bad password) prefer it */
-		if (r_old == -EPERM && r == -ENOENT)
-			r = -EPERM;
-	}
+	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 
-	return r;
-}
+	segment_old = LUKS2_reencrypt_segment_old(hdr);
+	segment_new = LUKS2_reencrypt_segment_new(hdr);
 
-static int LUKS2_keyslot_open_by_digest(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	int digest,
-	const char *password,
-	size_t password_len,
-	struct volume_key **vk)
-{
-	int r_prio, r = -EINVAL;
+	if (segment_old < 0 || segment_new < 0)
+		return -EINVAL;
 
-	if (digest < 0)
-		return r;
+	digest_old = LUKS2_digest_by_segment(hdr, segment_old);
+	digest_new = LUKS2_digest_by_segment(hdr, segment_new);
 
-	if (keyslot == CRYPT_ANY_SLOT) {
-		r_prio = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
-			password, password_len, digest, vk);
-		if (r_prio >= 0)
-			r = r_prio;
-		else if (r_prio != -EPERM && r_prio != -ENOENT)
-			r = r_prio;
-		else
-			r = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
-				password, password_len, digest, vk);
-		/* Prefer password wrong to no entry from priority slot */
-		if (r_prio == -EPERM && r == -ENOENT)
-			r = r_prio;
-	} else
-		r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
+	if (digest_old >= 0 && digest_new >= 0 && digest_old != digest_new && (!kc_old || !kc_new))
+		return -ESRCH;
 
-	return r;
-}
+	if (digest_old >= 0 && kc_old) {
+		log_dbg(cd, "Checking current volume key (digest %d, segment: %d) using keyslot %d.",
+			    digest_old, segment_old, keyslot_old);
 
-int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
-	int keyslot_old,
-	int keyslot_new,
-	const char *password,
-	size_t password_len,
-	struct volume_key **vks)
-{
-	struct volume_key *vk = NULL;
-	int digest_old, digest_new, r = -EINVAL;
-	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+		/* key and key in keyring types do not have association with any keyslot */
+		if (kc_old->type != CRYPT_KC_TYPE_KEY && kc_old->type != CRYPT_KC_TYPE_VK_KEYRING) {
+			r = LUKS2_keyslot_for_segment(hdr, keyslot_old, segment_old);
+			if (r < 0)
+				goto out;
+		}
 
-	digest_old = LUKS2_reencrypt_digest_old(hdr);
-	if (digest_old >= 0) {
-		log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_old, keyslot_old);
-		r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_old, digest_old, password, password_len, &vk);
+		r = kc_old->get_luks2_key(cd, kc_old, keyslot_old, segment_old, &vk);
 		if (r < 0)
 			goto out;
-		crypt_volume_key_add_next(vks, vk);
+		crypt_volume_key_add_next(r_vks, vk);
+		if (crypt_volume_key_get_id(vk) < 0 && LUKS2_digest_verify_by_digest(cd, digest_old, vk) == digest_old)
+			crypt_volume_key_set_id(vk, digest_old);
+		if (crypt_volume_key_get_id(vk) != digest_old) {
+			r = -EPERM;
+			goto out;
+		}
 	}
 
-	digest_new = LUKS2_reencrypt_digest_new(hdr);
-	if (digest_new >= 0 && digest_old != digest_new) {
-		log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_new, keyslot_new);
-		r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_new, digest_new, password, password_len, &vk);
+	if (digest_new >= 0 && digest_old != digest_new && kc_new) {
+		log_dbg(cd, "Checking new volume key (digest %d, segment: %d) using keyslot %d.",
+			    digest_new, segment_new, keyslot_new);
+
+		/* key and key in keyring types do not have association with any keyslot */
+		if (kc_new->type != CRYPT_KC_TYPE_KEY && kc_new->type != CRYPT_KC_TYPE_VK_KEYRING) {
+			r = LUKS2_keyslot_for_segment(hdr, keyslot_new, segment_new);
+			if (r < 0)
+				goto out;
+		}
+
+		r = kc_new->get_luks2_key(cd, kc_new, keyslot_new, segment_new, &vk);
 		if (r < 0)
 			goto out;
-		crypt_volume_key_add_next(vks, vk);
+		crypt_volume_key_add_next(r_vks, vk);
+		if (crypt_volume_key_get_id(vk) < 0 && LUKS2_digest_verify_by_digest(cd, digest_new, vk) == digest_new)
+			crypt_volume_key_set_id(vk, digest_new);
+		if (crypt_volume_key_get_id(vk) != digest_new)
+			r = -EPERM;
 	}
 out:
 	if (r < 0) {
-		crypt_free_volume_key(*vks);
-		*vks = NULL;
+		crypt_free_volume_key(*r_vks);
+		*r_vks = NULL;
 
 		if (r == -ENOMEM)
 			log_err(cd, _("Not enough available memory to open a keyslot."));
@@ -564,6 +547,25 @@ int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
 	return r;
 }
 
+int LUKS2_keyslot_context_open_all_segments(struct crypt_device *cd,
+	int keyslot1,
+	int keyslot2,
+	struct crypt_keyslot_context *kc1,
+	struct crypt_keyslot_context *kc2,
+	struct volume_key **r_vks)
+{
+	int r, r2;
+
+	r = keyslot_context_open_all_segments(cd, keyslot1, keyslot2, kc1, kc2, r_vks);
+	if (r == -EPERM || r == -ENOENT) {
+		r2 = keyslot_context_open_all_segments(cd, keyslot2, keyslot1, kc2, kc1, r_vks);
+		if (r2 != -ENOENT)
+			r = r2;
+	}
+
+	return r;
+}
+
 int LUKS2_keyslot_open(struct crypt_device *cd,
 	int keyslot,
 	int segment,
@@ -646,7 +648,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
 		if (!h)
 			return -EINVAL;
 
-		r = h->alloc(cd, keyslot, vk->keylength, params);
+		r = h->alloc(cd, keyslot, crypt_volume_key_length(vk), params);
 		if (r)
 			return r;
 	} else {
@@ -670,7 +672,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
 		return -EINVAL;
 
 	return h->store(cd, keyslot, password, password_len,
-			vk->key, vk->keylength);
+			crypt_volume_key_get_key(vk), crypt_volume_key_length(vk));
 }
 
 int LUKS2_keyslot_wipe(struct crypt_device *cd,
@@ -861,8 +863,7 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
 		return -EINVAL;
 
-	if (LUKS2_config_get_requirements(cd, &dummy, &reqs))
-		return -EINVAL;
+	LUKS2_config_get_requirements(cd, &dummy, &reqs);
 
 	json_object_object_foreach(jobj_keyslots, slot, val) {
 		keyslot = atoi(slot);
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
index 2040fdc..ec68236 100644
--- a/lib/luks2/luks2_keyslot_luks2.c
+++ b/lib/luks2/luks2_keyslot_luks2.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include <limits.h>
@@ -14,7 +14,6 @@
 
 #define LUKS_SALTSIZE 32
 #define LUKS_SLOT_ITERATIONS_MIN 1000
-#define LUKS_STRIPES 4000
 
 /* Serialize memory-hard keyslot access: optional workaround for parallel processing */
 #define MIN_MEMORY_FOR_SERIALIZE_LOCK_KB 32*1024 /* 32MB */
@@ -25,7 +24,7 @@ static int luks2_encrypt_to_storage(char *src, size_t srcLength,
 	struct volume_key *vk, unsigned int sector,
 	struct crypt_device *cd)
 {
-#ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
+#if !ENABLE_AF_ALG /* Support for old kernel without Crypto API */
 	return LUKS_encrypt_to_storage(src, srcLength, cipher, cipher_mode, vk, sector, cd);
 #else
 	struct crypt_storage *s;
@@ -37,7 +36,8 @@ static int luks2_encrypt_to_storage(char *src, size_t srcLength,
 		return -EINVAL;
 
 	/* Encrypt buffer */
-	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
+	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode,
+			       crypt_volume_key_get_key(vk), crypt_volume_key_length(vk), false);
 	if (r) {
 		log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
 		return r;
@@ -75,7 +75,7 @@ static int luks2_decrypt_from_storage(char *dst, size_t dstLength,
 	unsigned int sector, struct crypt_device *cd)
 {
 	struct device *device = crypt_metadata_device(cd);
-#ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
+#if !ENABLE_AF_ALG /* Support for old kernel without Crypto API */
 	int r = device_read_lock(cd, device);
 	if (r) {
 		log_err(cd, _("Failed to acquire read lock on device %s."), device_path(device));
@@ -92,7 +92,9 @@ static int luks2_decrypt_from_storage(char *dst, size_t dstLength,
 	if (MISALIGNED_512(dstLength))
 		return -EINVAL;
 
-	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
+	r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode,
+			       crypt_volume_key_get_key(vk),
+			       crypt_volume_key_length(vk), false);
 	if (r) {
 		log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
 		return r;
@@ -190,7 +192,6 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 	const char *password, size_t passwordLen,
 	const char *volume_key, size_t volume_key_len)
 {
-	struct volume_key *derived_key;
 	char *salt = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
 	char *AfKey = NULL;
 	const char *af_hash = NULL;
@@ -199,6 +200,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 	uint64_t area_offset;
 	struct crypt_pbkdf_type pbkdf;
 	int r;
+	struct volume_key *derived_vk = NULL;
+	void *derived_key = NULL;
 
 	if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
 	    !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
@@ -236,7 +239,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 	/*
 	 * Allocate derived key storage.
 	 */
-	derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL);
+	derived_key = crypt_safe_alloc(keyslot_key_len);
 	if (!derived_key) {
 		free(salt);
 		return -ENOMEM;
@@ -247,7 +250,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 	log_dbg(cd, "Running keyslot key derivation.");
 	r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
 			salt, LUKS_SALTSIZE,
-			derived_key->key, derived_key->keylength,
+			derived_key, keyslot_key_len,
 			pbkdf.iterations, pbkdf.max_memory_kb,
 			pbkdf.parallel_threads);
 	free(salt);
@@ -255,16 +258,17 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
 		     pbkdf.iterations > INT_MAX)
 			log_err(cd, _("PBKDF2 iteration value overflow."));
-		crypt_free_volume_key(derived_key);
-		return r;
+		if (r == -ENOMEM)
+			log_err(cd, _("Not enough memory for keyslot key derivation."));
+		goto out;
 	}
 
 	// FIXME: verity key_size to AFEKSize
 	AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE;
 	AfKey = crypt_safe_alloc(AFEKSize);
 	if (!AfKey) {
-		crypt_free_volume_key(derived_key);
-		return -ENOMEM;
+		r = -ENOMEM;
+		goto out;
 	}
 
 	r = crypt_hash_size(af_hash);
@@ -273,15 +277,23 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 	else
 		r = AF_split(cd, volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash);
 
-	if (r == 0) {
-		log_dbg(cd, "Updating keyslot area [0x%04" PRIx64 "].", area_offset);
-		/* FIXME: sector_offset should be size_t, fix LUKS_encrypt... accordingly */
-		r = luks2_encrypt_to_storage(AfKey, AFEKSize, cipher, cipher_mode,
-				    derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd);
+	if (r < 0)
+		goto out;
+
+	derived_vk = crypt_alloc_volume_key_by_safe_alloc(&derived_key);
+	if (!derived_vk) {
+		r = -ENOMEM;
+		goto out;
 	}
 
+	log_dbg(cd, "Updating keyslot area [0x%04" PRIx64 "].", area_offset);
+	/* FIXME: sector_offset should be size_t, fix LUKS_encrypt... accordingly */
+	r = luks2_encrypt_to_storage(AfKey, AFEKSize, cipher, cipher_mode,
+			    derived_vk, (unsigned)(area_offset / SECTOR_SIZE), cd);
+out:
 	crypt_safe_free(AfKey);
-	crypt_free_volume_key(derived_key);
+	crypt_safe_free(derived_key);
+	crypt_free_volume_key(derived_vk);
 	if (r < 0)
 		return r;
 
@@ -293,8 +305,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	const char *password, size_t passwordLen,
 	char *volume_key, size_t volume_key_len)
 {
-	struct volume_key *derived_key = NULL;
-	struct crypt_pbkdf_type pbkdf, *cd_pbkdf;
+	struct crypt_pbkdf_type pbkdf;
 	char *AfKey = NULL;
 	size_t AFEKSize;
 	const char *af_hash = NULL;
@@ -304,6 +315,8 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	size_t keyslot_key_len;
 	bool try_serialize_lock = false;
 	int r;
+	struct volume_key *derived_vk = NULL;
+	void *derived_key = NULL;
 
 	if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
 	    !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
@@ -323,6 +336,10 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	if (r < 0)
 		return r;
 
+	/* Allow only empty passphrase with null cipher */
+	if (crypt_is_cipher_null(cipher) && passwordLen)
+		return -EPERM;
+
 	if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
 		return -EINVAL;
 	keyslot_key_len = json_object_get_int(jobj2);
@@ -334,7 +351,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	/*
 	 * Allocate derived key storage space.
 	 */
-	derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL);
+	derived_key = crypt_safe_alloc(keyslot_key_len);
 	if (!derived_key) {
 		r = -ENOMEM;
 		goto out;
@@ -347,16 +364,6 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 		goto out;
 	}
 
-	/*
-	 * Print warning when keyslot requires more memory than available
-	 * (if maximum memory was adjusted - no swap, not enough memory),
-	 * but be silent if user set keyslot memory cost above default limit intentionally.
-	 */
-	cd_pbkdf = crypt_get_pbkdf(cd);
-	if (cd_pbkdf->max_memory_kb && pbkdf.max_memory_kb > cd_pbkdf->max_memory_kb &&
-	    pbkdf.max_memory_kb <= DEFAULT_LUKS2_MEMORY_KB)
-		log_std(cd, _("Warning: keyslot operation could fail as it requires more than available memory.\n"));
-
 	/*
 	 * If requested, serialize unlocking for memory-hard KDF. Usually NOOP.
 	 */
@@ -371,20 +378,27 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	log_dbg(cd, "Running keyslot key derivation.");
 	r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
 			salt, LUKS_SALTSIZE,
-			derived_key->key, derived_key->keylength,
+			derived_key, keyslot_key_len,
 			pbkdf.iterations, pbkdf.max_memory_kb,
 			pbkdf.parallel_threads);
 
 	if (try_serialize_lock)
 		crypt_serialize_unlock(cd);
 
-	if (r == 0) {
-		log_dbg(cd, "Reading keyslot area [0x%04" PRIx64 "].", area_offset);
-		/* FIXME: sector_offset should be size_t, fix LUKS_decrypt... accordingly */
-		r = luks2_decrypt_from_storage(AfKey, AFEKSize, cipher, cipher_mode,
-				      derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd);
+	if (r < 0)
+		goto out;
+
+	derived_vk = crypt_alloc_volume_key_by_safe_alloc(&derived_key);
+	if (!derived_vk) {
+		r = -ENOMEM;
+		goto out;
 	}
 
+	log_dbg(cd, "Reading keyslot area [0x%04" PRIx64 "].", area_offset);
+	/* FIXME: sector_offset should be size_t, fix LUKS_decrypt... accordingly */
+	r = luks2_decrypt_from_storage(AfKey, AFEKSize, cipher, cipher_mode,
+			      derived_vk, (unsigned)(area_offset / SECTOR_SIZE), cd);
+
 	if (r == 0) {
 		r = crypt_hash_size(af_hash);
 		if (r < 0)
@@ -394,8 +408,9 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 	}
 out:
 	free(salt);
-	crypt_free_volume_key(derived_key);
+	crypt_free_volume_key(derived_vk);
 	crypt_safe_free(AfKey);
+	crypt_safe_free(derived_key);
 
 	return r;
 }
diff --git a/lib/luks2/luks2_keyslot_reenc.c b/lib/luks2/luks2_keyslot_reenc.c
index 79b96f6..180ac56 100644
--- a/lib/luks2/luks2_keyslot_reenc.c
+++ b/lib/luks2/luks2_keyslot_reenc.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #include "luks2_internal.h"
diff --git a/lib/luks2/luks2_luks1_convert.c b/lib/luks2/luks2_luks1_convert.c
index d652761..6c75f16 100644
--- a/lib/luks2/luks2_luks1_convert.c
+++ b/lib/luks2/luks2_luks1_convert.c
@@ -2,9 +2,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS1 conversion code
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Ondrej Kozina
- * Copyright (C) 2015-2024 Milan Broz
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Ondrej Kozina
+ * Copyright (C) 2015-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
@@ -570,6 +570,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 	json_object *jobj = NULL;
 	size_t buf_size, buf_offset, luks1_size, luks1_shift = 2 * LUKS2_HDR_16K_LEN - LUKS_ALIGN_KEYSLOTS;
 	uint64_t required_size, max_size = crypt_get_data_offset(cd) * SECTOR_SIZE;
+	char cipher_spec[MAX_CAPI_LEN];
 
 	/* for detached headers max size == device size */
 	if (!max_size && (r = device_size(crypt_metadata_device(cd), &max_size)))
@@ -591,6 +592,15 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 		return -EINVAL;
 	}
 
+	r = snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", hdr1->cipherName, hdr1->cipherMode);
+	if (r < 0 || (size_t)r >= sizeof(cipher_spec))
+		return -EINVAL;
+	if (LUKS2_keyslot_cipher_incompatible(cd, cipher_spec)) {
+		log_err(cd, _("Unable to use cipher specification %s-%s for LUKS2 keyslot."),
+			hdr1->cipherName, hdr1->cipherMode);
+		return -EINVAL;
+	}
+
 	if (luksmeta_header_present(cd, luks1_size))
 		return -EINVAL;
 
@@ -687,30 +697,54 @@ static int keyslot_LUKS1_compatible(struct crypt_device *cd, struct luks2_hdr *h
 	if (!jobj_keyslot)
 		return 1;
 
-	if (!json_object_object_get_ex(jobj_keyslot, "type", &jobj) ||
-	    strcmp(json_object_get_string(jobj), "luks2"))
+	/* Keyslot type */
+	if (!json_object_object_get_ex(jobj_keyslot, "type", &jobj))
+		return 0;
+	if (strcmp(json_object_get_string(jobj), "luks2")) {
+		log_dbg(cd, "Keyslot %d type %s is not compatible.",
+			keyslot, json_object_get_string(jobj));
 		return 0;
+	}
 
-	/* Using PBKDF2, this implies memory and parallel is not used. */
+	/* Keyslot uses PBKDF2, this implies memory and parallel is not used. */
 	jobj = NULL;
 	if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
-	    !json_object_object_get_ex(jobj_kdf, "type", &jobj) ||
-	    strcmp(json_object_get_string(jobj), CRYPT_KDF_PBKDF2) ||
-	    !json_object_object_get_ex(jobj_kdf, "hash", &jobj) ||
-	    strcmp(json_object_get_string(jobj), hash))
+	    !json_object_object_get_ex(jobj_kdf, "type", &jobj))
+		return 0;
+	if (strcmp(json_object_get_string(jobj), CRYPT_KDF_PBKDF2)) {
+		log_dbg(cd, "Keyslot %d does not use PBKDF2.", keyslot);
+		return 0;
+	}
+
+	/* Keyslot KDF hash is the same as the digest hash. */
+	jobj = NULL;
+	if (!json_object_object_get_ex(jobj_kdf, "hash", &jobj))
+		return 0;
+	if (strcmp(json_object_get_string(jobj), hash)) {
+		log_dbg(cd, "Keyslot %d PBKDF uses different hash %s than digest hash %s.",
+			keyslot, json_object_get_string(jobj), hash);
 		return 0;
+	}
 
+	/* Keyslot AF use compatible striptes. */
 	jobj = NULL;
 	if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
-	    !json_object_object_get_ex(jobj_af, "stripes", &jobj) ||
-	    json_object_get_int(jobj) != LUKS_STRIPES)
+	    !json_object_object_get_ex(jobj_af, "stripes", &jobj))
+		return 0;
+	if (json_object_get_int(jobj) != LUKS_STRIPES) {
+		log_dbg(cd, "Keyslot %d AF uses incompatible stripes count.", keyslot);
 		return 0;
+	}
 
+	/* Keyslot AF hash is the same as the digest hash. */
 	jobj = NULL;
-	if (!json_object_object_get_ex(jobj_af, "hash", &jobj) ||
-	    (crypt_hash_size(json_object_get_string(jobj)) < 0) ||
-	    strcmp(json_object_get_string(jobj), hash))
+	if (!json_object_object_get_ex(jobj_af, "hash", &jobj))
+		return 0;
+	if (strcmp(json_object_get_string(jobj), hash)) {
+		log_dbg(cd, "Keyslot %d AF uses different hash %s than digest hash %s.",
+			keyslot, json_object_get_string(jobj), hash);
 		return 0;
+	}
 
 	ks_cipher = LUKS2_get_keyslot_cipher(hdr, keyslot, &ks_key_size);
 	data_cipher = LUKS2_get_cipher(hdr, CRYPT_DEFAULT_SEGMENT);
@@ -743,6 +777,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 	int i, r, last_active = 0;
 	uint64_t offset, area_length;
 	char *buf, luksMagic[] = LUKS_MAGIC;
+	crypt_keyslot_info ki;
 
 	jobj_digest  = LUKS2_get_digest_jobj(hdr2, 0);
 	if (!jobj_digest)
@@ -767,6 +802,8 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 	if (!json_object_object_get_ex(jobj_digest, "hash", &jobj2))
 		return -EINVAL;
 	hash = json_object_get_string(jobj2);
+	if (crypt_hash_size(hash) < 0)
+		return -EINVAL;
 
 	r = crypt_parse_name_and_mode(LUKS2_get_cipher(hdr2, CRYPT_DEFAULT_SEGMENT), cipher, NULL, cipher_mode);
 	if (r < 0)
@@ -791,19 +828,28 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 	}
 
 	r = LUKS2_get_volume_key_size(hdr2, 0);
-	if (r < 0)
+	if (r < 0) {
+		log_err(cd, _("Cannot convert to LUKS1 format - there are no active keyslots."), r);
 		return -EINVAL;
+	}
 	key_size = r;
 
 	for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) {
-		if (LUKS2_keyslot_info(hdr2, i) == CRYPT_SLOT_INACTIVE)
+		ki = LUKS2_keyslot_info(hdr2, i);
+
+		if (ki == CRYPT_SLOT_INACTIVE)
 			continue;
 
-		if (LUKS2_keyslot_info(hdr2, i) == CRYPT_SLOT_INVALID) {
+		if (ki == CRYPT_SLOT_INVALID) {
 			log_err(cd, _("Cannot convert to LUKS1 format - keyslot %u is in invalid state."), i);
 			return -EINVAL;
 		}
 
+		if (ki == CRYPT_SLOT_UNBOUND) {
+			log_err(cd, _("Cannot convert to LUKS1 format - keyslot %u is unbound."), i);
+			return -EINVAL;
+		}
+
 		if (i >= LUKS_NUMKEYS) {
 			log_err(cd, _("Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."), i);
 			return -EINVAL;
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index 05f69d1..3210b58 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -2,12 +2,13 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption helpers
  *
- * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2024 Ondrej Kozina
+ * Copyright (C) 2015-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2025 Ondrej Kozina
  */
 
 #include "luks2_internal.h"
 #include "utils_device_locking.h"
+#include "keyslot_context.h"
 
 struct luks2_reencrypt {
 	/* reencryption window attributes */
@@ -53,6 +54,8 @@ struct luks2_reencrypt {
 	uint32_t wflags1;
 	uint32_t wflags2;
 
+	struct device *hotzone_device;
+
 	struct crypt_lock_handle *reenc_lock;
 };
 #if USE_LUKS2_REENCRYPTION
@@ -170,6 +173,16 @@ int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr)
 	return reencrypt_digest(hdr, 0);
 }
 
+int LUKS2_reencrypt_segment_new(struct luks2_hdr *hdr)
+{
+	return LUKS2_get_segment_id_by_flag(hdr, "backup-final");
+}
+
+int LUKS2_reencrypt_segment_old(struct luks2_hdr *hdr)
+{
+	return LUKS2_get_segment_id_by_flag(hdr, "backup-previous");
+}
+
 unsigned LUKS2_reencrypt_vks_count(struct luks2_hdr *hdr)
 {
 	int digest_old, digest_new;
@@ -299,7 +312,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct luks2_hdr *
 						      rh->offset >> SECTOR_SHIFT,
 						      &rh->length,
 						      reencrypt_segment_cipher_new(hdr),
-						      NULL, /* integrity */
+						      NULL, 0, /* integrity */
 						      reencrypt_get_sector_size_new(hdr),
 						      1);
 
@@ -355,7 +368,7 @@ static json_object *reencrypt_make_segment_new(struct crypt_device *cd,
 						  crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT),
 						  segment_length,
 						  reencrypt_segment_cipher_new(hdr),
-						  NULL, /* integrity */
+						  NULL, 0, /* integrity */
 						  reencrypt_get_sector_size_new(hdr), 0);
 	case CRYPT_REENCRYPT_DECRYPT:
 		return json_segment_create_linear(data_offset + segment_offset, segment_length, 0);
@@ -467,7 +480,7 @@ static json_object *reencrypt_make_segment_reencrypt(struct crypt_device *cd,
 				crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT),
 				segment_length,
 				reencrypt_segment_cipher_new(hdr),
-			        NULL, /* integrity */
+			        NULL, 0, /* integrity */
 				reencrypt_get_sector_size_new(hdr), 1);
 	case CRYPT_REENCRYPT_DECRYPT:
 		return json_segment_create_linear(data_offset + segment_offset, segment_length, 1);
@@ -492,7 +505,7 @@ static json_object *reencrypt_make_segment_old(struct crypt_device *cd,
 						    crypt_get_iv_offset(cd) + (segment_offset >> SECTOR_SHIFT),
 						    segment_length,
 						    reencrypt_segment_cipher_old(hdr),
-						    NULL, /* integrity */
+						    NULL, 0, /* integrity */
 						    reencrypt_get_sector_size_old(hdr),
 						    0);
 		break;
@@ -871,11 +884,13 @@ void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh)
 	rh->cw1 = NULL;
 	crypt_storage_wrapper_destroy(rh->cw2);
 	rh->cw2 = NULL;
+	device_free(cd, rh->hotzone_device);
+	rh->hotzone_device = NULL;
 
 	free(rh->device_name);
 	free(rh->overlay_name);
 	free(rh->hotzone_name);
-	crypt_drop_keyring_key(cd, rh->vks);
+	crypt_drop_uploaded_keyring_key(cd, rh->vks);
 	crypt_free_volume_key(rh->vks);
 	device_release_excl(cd, crypt_data_device(cd));
 	crypt_unlock_internal(cd, rh->reenc_lock);
@@ -1471,8 +1486,7 @@ static int reencrypt_update_flag(struct crypt_device *cd, uint8_t version,
 		return LUKS2_config_set_requirement_version(cd, hdr, CRYPT_REQUIREMENT_ONLINE_REENCRYPT, version, commit);
 	}
 
-	if (LUKS2_config_get_requirements(cd, hdr, &reqs))
-		return -EINVAL;
+	LUKS2_config_get_requirements(cd, hdr, &reqs);
 
 	reqs &= ~CRYPT_REQUIREMENT_ONLINE_REENCRYPT;
 
@@ -1920,14 +1934,13 @@ static int reencrypt_assign_segments(struct crypt_device *cd,
 }
 
 static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_hdr *hdr,
-					  uint64_t dev_size, uint64_t data_shift, bool move_first_segment,
+					  uint64_t dev_size, uint64_t data_size, uint64_t data_shift, bool move_first_segment,
 					  crypt_reencrypt_direction_info di)
 {
 	int r;
 	uint64_t first_segment_offset, first_segment_length,
 		 second_segment_offset, second_segment_length,
-		 data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT,
-		 data_size = dev_size - data_shift;
+		 data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
 	json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments;
 
 	if (dev_size < data_shift)
@@ -1994,13 +2007,17 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 	uint64_t moved_segment_length,
 	crypt_reencrypt_direction_info di)
 {
-	int r;
+	int digest, r;
 	uint64_t data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
 	json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments;
 
 	if (di == CRYPT_REENCRYPT_BACKWARD)
 		return -ENOTSUP;
 
+	digest = LUKS2_digest_by_segment(hdr, CRYPT_DEFAULT_SEGMENT);
+	if (digest < 0)
+		return -EINVAL;
+
 	/*
 	 * future data_device layout:
 	 * [encrypted first segment (max data shift size)][gap (data shift size)][second encrypted data segment]
@@ -2012,7 +2029,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 	r = -EINVAL;
 	jobj_segment_first = json_segment_create_crypt(0, crypt_get_iv_offset(cd),
 				&moved_segment_length, crypt_get_cipher_spec(cd),
-				NULL, crypt_get_sector_size(cd), 0);
+				NULL, 0, crypt_get_sector_size(cd), 0);
 
 	if (!jobj_segment_first) {
 		log_dbg(cd, "Failed generate 1st segment.");
@@ -2028,7 +2045,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 								crypt_get_iv_offset(cd) + (moved_segment_length >> SECTOR_SHIFT),
 								NULL,
 								crypt_get_cipher_spec(cd),
-								NULL, /* integrity */
+								NULL, 0, /* integrity */
 								crypt_get_sector_size(cd), 0);
 		if (!jobj_segment_second) {
 			r = -EINVAL;
@@ -2042,7 +2059,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 	}
 
 	if (!(r = LUKS2_segments_set(cd, hdr, jobj_segments, 0)))
-		return LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, 0, 1, 0);
+		return LUKS2_digest_segment_assign(cd, hdr, CRYPT_ANY_SEGMENT, digest, 1, 0);
 err:
 	json_object_put(jobj_segment_first);
 	json_object_put(jobj_segment_second);
@@ -2099,8 +2116,7 @@ static int reencrypt_make_targets(struct crypt_device *cd,
 						json_segment_get_cipher(jobj),
 						json_segment_get_iv_offset(jobj),
 						segment_offset,
-						"none",
-						0,
+						"none", 0, 0,
 						json_segment_get_sector_size(jobj));
 			if (r) {
 				log_err(cd, _("Failed to set dm-crypt segment."));
@@ -2130,34 +2146,22 @@ static int reencrypt_make_targets(struct crypt_device *cd,
  * 	2) can't we derive hotzone device name from crypt context? (unlocked name, device uuid, etc?)
  */
 static int reencrypt_load_overlay_device(struct crypt_device *cd, struct luks2_hdr *hdr,
-	const char *overlay, const char *hotzone, struct volume_key *vks, uint64_t size,
+	const char *overlay, struct device *hotzone_device, struct volume_key *vks, uint64_t size,
 	uint32_t flags)
 {
-	char hz_path[PATH_MAX];
 	int r;
 
-	struct device *hz_dev = NULL;
 	struct crypt_dm_active_device dmd = {
 		.flags = flags,
 	};
 
 	log_dbg(cd, "Loading new table for overlay device %s.", overlay);
 
-	r = snprintf(hz_path, PATH_MAX, "%s/%s", dm_get_dir(), hotzone);
-	if (r < 0 || r >= PATH_MAX) {
-		r = -EINVAL;
-		goto out;
-	}
-
-	r = device_alloc(cd, &hz_dev, hz_path);
-	if (r)
-		goto out;
-
 	r = dm_targets_allocate(&dmd.segment, LUKS2_segments_count(hdr));
 	if (r)
 		goto out;
 
-	r = reencrypt_make_targets(cd, hdr, hz_dev, vks, &dmd.segment, size);
+	r = reencrypt_make_targets(cd, hdr, hotzone_device, vks, &dmd.segment, size);
 	if (r < 0)
 		goto out;
 
@@ -2166,7 +2170,6 @@ static int reencrypt_load_overlay_device(struct crypt_device *cd, struct luks2_h
 	/* what else on error here ? */
 out:
 	dm_targets_free(cd, &dmd);
-	device_free(cd, hz_dev);
 
 	return r;
 }
@@ -2175,7 +2178,7 @@ static int reencrypt_replace_device(struct crypt_device *cd, const char *target,
 {
 	int r, exists = 1;
 	struct crypt_dm_active_device dmd_source, dmd_target = {};
-	uint32_t dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;
+	uint64_t dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;
 
 	log_dbg(cd, "Replacing table in device %s with table from device %s.", target, source);
 
@@ -2293,9 +2296,13 @@ static int reencrypt_activate_hotzone_device(struct crypt_device *cd, const char
 }
 
 static int reencrypt_init_device_stack(struct crypt_device *cd,
-		                     const struct luks2_reencrypt *rh)
+		                     struct luks2_reencrypt *rh)
 {
 	int r;
+	char hz_path[PATH_MAX];
+
+	assert(rh);
+	assert(!rh->hotzone_device);
 
 	/* Activate hotzone device 1:1 linear mapping to data_device */
 	r = reencrypt_activate_hotzone_device(cd, rh->hotzone_name, rh->device_size, CRYPT_ACTIVATE_PRIVATE);
@@ -2304,6 +2311,18 @@ static int reencrypt_init_device_stack(struct crypt_device *cd,
 		return r;
 	}
 
+	r = snprintf(hz_path, PATH_MAX, "%s/%s", dm_get_dir(), rh->hotzone_name);
+	if (r < 0 || r >= PATH_MAX) {
+		r = -EINVAL;
+		goto err;
+	}
+
+	r = device_alloc(cd, &rh->hotzone_device, hz_path);
+	if (r) {
+		log_err(cd, _("Failed to allocate hotzone device %s."), rh->hotzone_name);
+		goto err;
+	}
+
 	/*
 	 * Activate overlay device with exactly same table as original 'name' mapping.
 	 * Note that within this step the 'name' device may already include a table
@@ -2383,11 +2402,12 @@ static int reencrypt_refresh_overlay_devices(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		const char *overlay,
 		const char *hotzone,
+		struct device *hotzone_device,
 		struct volume_key *vks,
 		uint64_t device_size,
 		uint32_t flags)
 {
-	int r = reencrypt_load_overlay_device(cd, hdr, overlay, hotzone, vks, device_size, flags);
+	int r = reencrypt_load_overlay_device(cd, hdr, overlay, hotzone_device, vks, device_size, flags);
 	if (r) {
 		log_err(cd, _("Failed to reload device %s."), overlay);
 		return REENC_ERR;
@@ -2455,23 +2475,20 @@ static int reencrypt_move_data(struct crypt_device *cd,
 
 static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		int keyslot_new,
+		int digest_new,
 		const char *cipher,
 		uint64_t data_offset,
 		const struct crypt_params_reencrypt *params)
 {
 	const char *type;
-	int r, segment, moved_segment = -1, digest_old = -1, digest_new = -1;
+	int r, segment, moved_segment = -1, digest_old = -1;
 	json_object *jobj_tmp, *jobj_segment_new = NULL, *jobj_segment_old = NULL, *jobj_segment_bcp = NULL;
 	uint32_t sector_size = params->luks2 ? params->luks2->sector_size : SECTOR_SIZE;
 	uint64_t segment_offset, tmp, data_shift = params->data_shift << SECTOR_SHIFT,
 		 device_size = params->device_size << SECTOR_SHIFT;
 
-	if (params->mode != CRYPT_REENCRYPT_DECRYPT) {
-		digest_new = LUKS2_digest_by_keyslot(hdr, keyslot_new);
-		if (digest_new < 0)
-			return -EINVAL;
-	}
+	if (params->mode != CRYPT_REENCRYPT_DECRYPT && digest_new < 0)
+		return -EINVAL;
 
 	if (params->mode != CRYPT_REENCRYPT_ENCRYPT) {
 		digest_old = LUKS2_digest_by_segment(hdr, CRYPT_DEFAULT_SEGMENT);
@@ -2518,7 +2535,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 						json_segment_get_iv_offset(jobj_tmp),
 						device_size ? &device_size : NULL,
 						json_segment_get_cipher(jobj_tmp),
-						NULL, /* integrity */
+						NULL, 0, /* integrity */
 						json_segment_get_sector_size(jobj_tmp),
 						0);
 		} else {
@@ -2565,7 +2582,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		}
 		jobj_segment_new = json_segment_create_crypt(segment_offset,
 							crypt_get_iv_offset(cd),
-							NULL, cipher, NULL, sector_size, 0);
+							NULL, cipher, NULL, 0, sector_size, 0);
 	} else if (params->mode == CRYPT_REENCRYPT_DECRYPT) {
 		segment_offset = data_offset;
 		if (modify_offset(&segment_offset, data_shift, params->direction)) {
@@ -2668,7 +2685,7 @@ static int reencrypt_upload_keys(struct crypt_device *cd,
 
 	if (digest_old >= 0 && !crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr)) &&
 	    (r = reencrypt_upload_single_key(cd, digest_old, vks))) {
-		crypt_drop_keyring_key(cd, vks);
+		crypt_drop_uploaded_keyring_key(cd, vks);
 		return r;
 	}
 
@@ -2779,8 +2796,7 @@ static int reencrypt_decrypt_with_datashift_init(struct crypt_device *cd,
 		uint32_t sector_size,
 		uint64_t data_size,
 		uint64_t data_offset,
-		const char *passphrase,
-		size_t passphrase_size,
+		struct crypt_keyslot_context *kc_old,
 		int keyslot_old,
 		const struct crypt_params_reencrypt *params,
 		struct volume_key **vks)
@@ -2839,7 +2855,7 @@ static int reencrypt_decrypt_with_datashift_init(struct crypt_device *cd,
 	if (r)
 		goto out;
 
-	r = reencrypt_make_backup_segments(cd, hdr, CRYPT_ANY_SLOT, NULL, data_offset, params);
+	r = reencrypt_make_backup_segments(cd, hdr, CRYPT_ANY_DIGEST, NULL, data_offset, params);
 	if (r) {
 		log_dbg(cd, "Failed to create reencryption backup device segments.");
 		goto out;
@@ -2875,8 +2891,8 @@ static int reencrypt_decrypt_with_datashift_init(struct crypt_device *cd,
 		goto out;
 	}
 
-	r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, CRYPT_ANY_SLOT,
-					    passphrase, passphrase_size, vks);
+	r = LUKS2_keyslot_context_open_all_segments(cd, keyslot_old, CRYPT_ANY_SLOT,
+						    kc_old, NULL, vks);
 	if (r < 0)
 		goto out;
 
@@ -2900,6 +2916,8 @@ static int reencrypt_decrypt_with_datashift_init(struct crypt_device *cd,
 
 		jobj_segments_old = reencrypt_segments_old(hdr);
 		if (!jobj_segments_old) {
+			dm_targets_free(cd, &dmd_target);
+			free(CONST_CAST(void*)dmd_target.uuid);
 			r = -EINVAL;
 			goto out;
 		}
@@ -2971,8 +2989,8 @@ static int reencrypt_decrypt_with_datashift_init(struct crypt_device *cd,
 static int reencrypt_init(struct crypt_device *cd,
 		const char *name,
 		struct luks2_hdr *hdr,
-		const char *passphrase,
-		size_t passphrase_size,
+		struct crypt_keyslot_context *kc_old,
+		struct crypt_keyslot_context *kc_new,
 		int keyslot_old,
 		int keyslot_new,
 		const char *cipher,
@@ -2983,8 +3001,9 @@ static int reencrypt_init(struct crypt_device *cd,
 	bool move_first_segment;
 	char _cipher[128];
 	uint32_t check_sector_size, new_sector_size, old_sector_size;
-	int r, reencrypt_keyslot, devfd = -1;
-	uint64_t data_offset, data_size = 0;
+	int digest_new, r, reencrypt_keyslot, devfd = -1;
+	uint64_t data_offset_bytes, data_size_bytes, data_shift_bytes, device_size_bytes;
+	struct volume_key *vk;
 	struct crypt_dm_active_device dmd_target, dmd_source = {
 		.uuid = crypt_get_uuid(cd),
 		.flags = CRYPT_ACTIVATE_SHARED /* turn off exclusive open checks */
@@ -2997,7 +3016,8 @@ static int reencrypt_init(struct crypt_device *cd,
 		return -EINVAL;
 
 	if (params->mode != CRYPT_REENCRYPT_DECRYPT &&
-	    (!params->luks2 || !(cipher && cipher_mode) || keyslot_new < 0))
+	    (!params->luks2 || !(cipher && cipher_mode) ||
+	     (keyslot_new < 0 && !(params->flags & CRYPT_REENCRYPT_CREATE_NEW_DIGEST))))
 		return -EINVAL;
 
 	log_dbg(cd, "Initializing reencryption (mode: %s) in LUKS2 metadata.",
@@ -3024,31 +3044,54 @@ static int reencrypt_init(struct crypt_device *cd,
 	if (r < 0 || (size_t)r >= sizeof(_cipher))
 		return -EINVAL;
 
-	data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
+	data_offset_bytes = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
 
 	r = device_check_access(cd, crypt_data_device(cd), DEV_OK);
 	if (r)
 		return r;
 
-	r = device_check_size(cd, crypt_data_device(cd), data_offset, 1);
+	r = device_check_size(cd, crypt_data_device(cd), data_offset_bytes, 1);
 	if (r)
 		return r;
 
-	r = device_size(crypt_data_device(cd), &data_size);
+	r = device_size(crypt_data_device(cd), &device_size_bytes);
 	if (r)
 		return r;
 
-	data_size -= data_offset;
+	if (move_first_segment && params->mode == CRYPT_REENCRYPT_ENCRYPT &&
+	    params->data_shift < LUKS2_get_data_offset(hdr)) {
+		log_err(cd, _("Data shift (%" PRIu64 " sectors) is less than future data offset (%" PRIu64 " sectors)."),
+			params->data_shift, LUKS2_get_data_offset(hdr));
+		return -EINVAL;
+	}
+
+	device_size_bytes -= data_offset_bytes;
+	data_shift_bytes = params->data_shift << SECTOR_SHIFT;
+	data_size_bytes = params->device_size << SECTOR_SHIFT;
+
+	if (device_size_bytes < data_shift_bytes && params->direction == CRYPT_REENCRYPT_BACKWARD) {
+		log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
+		return -EINVAL;
+	}
 
-	if (params->device_size) {
-		if ((params->device_size << SECTOR_SHIFT) > data_size) {
+	if (data_size_bytes > device_size_bytes) {
+		log_err(cd, _("Reduced data size is larger than real device size."));
+		return -EINVAL;
+	}
+
+	if (data_size_bytes && params->mode == CRYPT_REENCRYPT_ENCRYPT &&
+	    move_first_segment && data_shift_bytes) {
+		if (data_size_bytes > device_size_bytes - data_shift_bytes) {
 			log_err(cd, _("Reduced data size is larger than real device size."));
 			return -EINVAL;
-		} else
-			data_size = params->device_size << SECTOR_SHIFT;
-	}
+		}
+	} else if (!data_size_bytes && params->mode == CRYPT_REENCRYPT_ENCRYPT &&
+	    move_first_segment && data_shift_bytes)
+		data_size_bytes = device_size_bytes - data_shift_bytes;
+	else if (!data_size_bytes)
+		data_size_bytes = device_size_bytes;
 
-	if (MISALIGNED(data_size, check_sector_size)) {
+	if (MISALIGNED(data_size_bytes, check_sector_size)) {
 		log_err(cd, _("Data device is not aligned to encryption sector size (%" PRIu32 " bytes)."), check_sector_size);
 		return -EINVAL;
 	}
@@ -3059,34 +3102,23 @@ static int reencrypt_init(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	if (params->mode == CRYPT_REENCRYPT_DECRYPT && (params->data_shift > 0) && move_first_segment)
+	if (params->mode == CRYPT_REENCRYPT_DECRYPT && data_shift_bytes && move_first_segment)
 		return reencrypt_decrypt_with_datashift_init(cd, name, hdr,
 							     reencrypt_keyslot,
 							     check_sector_size,
-							     data_size,
-							     data_offset,
-							     passphrase,
-							     passphrase_size,
+							     data_size_bytes,
+							     data_offset_bytes,
+							     kc_old,
 							     keyslot_old,
 							     params,
 							     vks);
 
-
 	/*
 	 * We must perform data move with exclusive open data device
 	 * to exclude another cryptsetup process to colide with
 	 * encryption initialization (or mount)
 	 */
 	if (move_first_segment) {
-		if (data_size < (params->data_shift << SECTOR_SHIFT)) {
-			log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
-			return -EINVAL;
-		}
-		if (params->data_shift < LUKS2_get_data_offset(hdr)) {
-			log_err(cd, _("Data shift (%" PRIu64 " sectors) is less than future data offset (%" PRIu64 " sectors)."),
-				params->data_shift, LUKS2_get_data_offset(hdr));
-			return -EINVAL;
-		}
 		devfd = device_open_excl(cd, crypt_data_device(cd), O_RDWR);
 		if (devfd < 0) {
 			if (devfd == -EBUSY)
@@ -3098,15 +3130,33 @@ static int reencrypt_init(struct crypt_device *cd,
 
 	if (params->mode == CRYPT_REENCRYPT_ENCRYPT) {
 		/* in-memory only */
-		r = reencrypt_set_encrypt_segments(cd, hdr, data_size,
-						   params->data_shift << SECTOR_SHIFT,
+		r = reencrypt_set_encrypt_segments(cd, hdr, device_size_bytes, data_size_bytes,
+						   data_shift_bytes,
 						   move_first_segment,
 						   params->direction);
 		if (r)
 			goto out;
 	}
 
-	r = reencrypt_make_backup_segments(cd, hdr, keyslot_new, _cipher, data_offset, params);
+	if (params->flags & CRYPT_REENCRYPT_CREATE_NEW_DIGEST) {
+		assert(kc_new->get_luks2_key);
+		r = kc_new->get_luks2_key(cd, kc_new, CRYPT_ANY_SLOT, CRYPT_ANY_SEGMENT, &vk);
+		if (r < 0)
+			goto out;
+
+		/* do not create new digest in case it matches the current one */
+		r = LUKS2_digest_verify_by_segment(cd, hdr, CRYPT_DEFAULT_SEGMENT, vk);
+		if (r == -EPERM || r == -ENOENT)
+			r = LUKS2_digest_create(cd, "pbkdf2", hdr, vk);
+
+		crypt_free_volume_key(vk);
+		if (r < 0)
+			goto out;
+		digest_new = r;
+	} else
+		digest_new = LUKS2_digest_by_keyslot(hdr, keyslot_new);
+
+	r = reencrypt_make_backup_segments(cd, hdr, digest_new, _cipher, data_offset_bytes, params);
 	if (r) {
 		log_dbg(cd, "Failed to create reencryption backup device segments.");
 		goto out;
@@ -3121,7 +3171,7 @@ static int reencrypt_init(struct crypt_device *cd,
 	if (r < 0)
 		goto out;
 
-	r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, vks);
+	r = LUKS2_keyslot_context_open_all_segments(cd, keyslot_old, keyslot_new, kc_old, kc_new, vks);
 	if (r < 0)
 		goto out;
 
@@ -3155,12 +3205,12 @@ static int reencrypt_init(struct crypt_device *cd,
 			goto out;
 	}
 
-	if (move_first_segment && reencrypt_move_data(cd, devfd, params->data_shift << SECTOR_SHIFT, params->mode)) {
+	if (move_first_segment && reencrypt_move_data(cd, devfd, data_shift_bytes, params->mode)) {
 		r = -EIO;
 		goto out;
 	}
 
-	/* This must be first and only write in LUKS2 metadata during _reencrypt_init */
+	/* This must be first and only write in LUKS2 metadata during reencrypt_init */
 	r = reencrypt_update_flag(cd, LUKS2_REENCRYPT_REQ_VERSION, true, true);
 	if (r) {
 		log_dbg(cd, "Failed to set online-reencryption requirement.");
@@ -3356,7 +3406,7 @@ int LUKS2_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid
 			 dm_uuid + 6, dm_uuid + 14, dm_uuid + 18, dm_uuid + 22, dm_uuid + 26);
 		if (r < 0 || (size_t)r != (sizeof(hdr_uuid) - 1))
 			return -EINVAL;
-	} else if (crypt_uuid_cmp(dm_uuid, uuid))
+	} else if (dm_uuid_cmp(dm_uuid, uuid))
 		return -EINVAL;
 
 	return reencrypt_lock_internal(cd, uuid, reencrypt_lock);
@@ -3385,10 +3435,8 @@ static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *
 	struct crypt_lock_handle *h;
 
 	ri = LUKS2_reencrypt_status(hdr);
-	if (ri == CRYPT_REENCRYPT_INVALID) {
-		log_err(cd, _("Failed to get reencryption state."));
+	if (ri == CRYPT_REENCRYPT_INVALID)
 		return -EINVAL;
-	}
 	if (ri < CRYPT_REENCRYPT_CLEAN) {
 		log_err(cd, _("Device is not in reencryption."));
 		return -EINVAL;
@@ -3421,10 +3469,10 @@ static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *
 	return -EINVAL;
 }
 
-static int reencrypt_load_by_passphrase(struct crypt_device *cd,
+static int reencrypt_load_by_keyslot_context(struct crypt_device *cd,
 		const char *name,
-		const char *passphrase,
-		size_t passphrase_size,
+		struct crypt_keyslot_context *kc_old,
+		struct crypt_keyslot_context *kc_new,
 		int keyslot_old,
 		int keyslot_new,
 		struct volume_key **vks,
@@ -3504,7 +3552,8 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 	r = reencrypt_verify_keys(cd, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
 	if (r == -ENOENT) {
 		log_dbg(cd, "Keys are not ready. Unlocking all volume keys.");
-		r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, vks);
+		r = LUKS2_keyslot_context_open_all_segments(cd, keyslot_old, keyslot_new,
+							    kc_old, kc_new, vks);
 	}
 
 	if (r < 0)
@@ -3530,7 +3579,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 		 * above. The code checks if new VK is eligible for keyring.
 		 */
 		vk = crypt_volume_key_by_id(*vks, LUKS2_reencrypt_digest_new(hdr));
-		if (vk && vk->key_description && crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr))) {
+		if (vk && crypt_volume_key_description(vk) && crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr))) {
 			flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 			dmd_source.flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 		}
@@ -3629,12 +3678,37 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 	return r;
 }
 
-static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
+static int reencrypt_locked_recovery(struct crypt_device *cd,
+	int keyslot_old,
+	int keyslot_new,
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new,
+	struct volume_key **r_vks)
+{
+	int keyslot, r = -EINVAL;
+	struct volume_key *_vks = NULL;
+
+	r = LUKS2_keyslot_context_open_all_segments(cd, keyslot_old, keyslot_new,
+						    kc_old, kc_new, &_vks);
+	if (r < 0)
+		return r;
+	keyslot = r;
+
+	r = LUKS2_reencrypt_locked_recovery_by_vks(cd, _vks);
+	if (!r && r_vks)
+		MOVE_REF(*r_vks, _vks);
+
+	crypt_free_volume_key(_vks);
+
+	return r < 0 ? r : keyslot;
+}
+
+static int reencrypt_recovery_by_keyslot_context(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot_old,
 	int keyslot_new,
-	const char *passphrase,
-	size_t passphrase_size)
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new)
 {
 	int r;
 	crypt_reencrypt_info ri;
@@ -3661,8 +3735,8 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
 	}
 
 	if (ri == CRYPT_REENCRYPT_CRASH) {
-		r = LUKS2_reencrypt_locked_recovery_by_passphrase(cd, keyslot_old, keyslot_new,
-				passphrase, passphrase_size, NULL);
+		r = reencrypt_locked_recovery(cd, keyslot_old, keyslot_new,
+						    kc_old, kc_new, NULL);
 		if (r < 0)
 			log_err(cd, _("LUKS2 reencryption recovery failed."));
 	} else {
@@ -3674,13 +3748,13 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
 	return r;
 }
 
-static int reencrypt_repair_by_passphrase(
+static int reencrypt_repair(
 		struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		int keyslot_old,
 		int keyslot_new,
-		const char *passphrase,
-		size_t passphrase_size)
+		struct crypt_keyslot_context *kc_old,
+		struct crypt_keyslot_context *kc_new)
 {
 	int r;
 	struct crypt_lock_handle *reencrypt_lock;
@@ -3745,7 +3819,7 @@ static int reencrypt_repair_by_passphrase(
 	else
 		requirement_version = LUKS2_REENCRYPT_REQ_VERSION;
 
-	r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, &vks);
+	r = LUKS2_keyslot_context_open_all_segments(cd, keyslot_old, keyslot_new, kc_old, kc_new, &vks);
 	if (r < 0)
 		goto out;
 
@@ -3764,10 +3838,10 @@ static int reencrypt_repair_by_passphrase(
 
 }
 
-static int reencrypt_init_by_passphrase(struct crypt_device *cd,
+static int reencrypt_init_by_keyslot_context(struct crypt_device *cd,
 	const char *name,
-	const char *passphrase,
-	size_t passphrase_size,
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new,
 	int keyslot_old,
 	int keyslot_new,
 	const char *cipher,
@@ -3776,30 +3850,42 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 {
 	int r;
 	crypt_reencrypt_info ri;
+	size_t key_length;
 	struct volume_key *vks = NULL;
 	uint32_t flags = params ? params->flags : 0;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 
+	if (params && (params->flags & CRYPT_REENCRYPT_CREATE_NEW_DIGEST) &&
+	    (!kc_new || !kc_new->get_luks2_key || !kc_new->get_key_size ||
+	     (params->flags & CRYPT_REENCRYPT_RESUME_ONLY)))
+		return -EINVAL;
+
 	/* short-circuit in reencryption metadata update and finish immediately. */
 	if (flags & CRYPT_REENCRYPT_REPAIR_NEEDED)
-		return reencrypt_repair_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
+		return reencrypt_repair(cd, hdr, keyslot_old, keyslot_new, kc_old, kc_new);
 
 	/* short-circuit in recovery and finish immediately. */
 	if (flags & CRYPT_REENCRYPT_RECOVERY)
-		return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
+		return reencrypt_recovery_by_keyslot_context(cd, hdr, keyslot_old, keyslot_new, kc_old, kc_new);
 
 	if (name && !device_direct_io(crypt_data_device(cd))) {
 		log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
-		/* FIXME: Add more specific error mesage for translation later. */
+		/* FIXME: Add more specific error message for translation later. */
 		log_err(cd, _("Failed to initialize reencryption device stack."));
 		return -EINVAL;
 	}
 
 	if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
-		r = crypt_keyslot_get_key_size(cd, keyslot_new);
+		if (keyslot_new == CRYPT_ANY_SLOT && kc_new && kc_new->get_key_size)
+			r = kc_new->get_key_size(cd, kc_new, &key_length);
+		else {
+			r = crypt_keyslot_get_key_size(cd, keyslot_new);
+			if (r >= 0)
+				key_length = r;
+		}
 		if (r < 0)
 			return r;
-		r = LUKS2_check_cipher(cd, r, cipher, cipher_mode);
+		r = LUKS2_check_cipher(cd, key_length, cipher, cipher_mode);
 		if (r < 0) {
 			log_err(cd, _("Unable to use cipher specification %s-%s for LUKS2."), cipher, cipher_mode);
 			return r;
@@ -3823,7 +3909,8 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	}
 
 	if (ri == CRYPT_REENCRYPT_NONE && !(flags & CRYPT_REENCRYPT_RESUME_ONLY)) {
-		r = reencrypt_init(cd, name, hdr, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params, &vks);
+		r = reencrypt_init(cd, name, hdr, kc_old, kc_new, keyslot_old,
+				   keyslot_new, cipher, cipher_mode, params, &vks);
 		if (r < 0)
 			log_err(cd, _("Failed to initialize LUKS2 reencryption in metadata."));
 	} else if (ri > CRYPT_REENCRYPT_NONE) {
@@ -3836,18 +3923,19 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	if (r < 0 || (flags & CRYPT_REENCRYPT_INITIALIZE_ONLY))
 		goto out;
 
-	r = reencrypt_load_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, &vks, params);
+	r = reencrypt_load_by_keyslot_context(cd, name, kc_old, kc_new, keyslot_old,
+					      keyslot_new, &vks, params);
 out:
 	if (r < 0)
-		crypt_drop_keyring_key(cd, vks);
+		crypt_drop_uploaded_keyring_key(cd, vks);
 	crypt_free_volume_key(vks);
 	return r < 0 ? r : LUKS2_find_keyslot(hdr, "reencrypt");
 }
 #else
-static int reencrypt_init_by_passphrase(struct crypt_device *cd,
+static int reencrypt_init_by_keyslot_context(struct crypt_device *cd,
 	const char *name __attribute__((unused)),
-	const char *passphrase __attribute__((unused)),
-	size_t passphrase_size __attribute__((unused)),
+	struct crypt_keyslot_context *kc_old __attribute__((unused)),
+	struct crypt_keyslot_context *kc_new __attribute__((unused)),
 	int keyslot_old __attribute__((unused)),
 	int keyslot_new __attribute__((unused)),
 	const char *cipher __attribute__((unused)),
@@ -3869,8 +3957,7 @@ int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
 	const struct crypt_params_reencrypt *params)
 {
 	int r;
-	char *passphrase;
-	size_t passphrase_size;
+	struct crypt_keyslot_context kc = {0};
 
 	if (onlyLUKS2reencrypt(cd) || !passphrase_description)
 		return -EINVAL;
@@ -3882,17 +3969,11 @@ int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	r = crypt_keyring_get_user_key(cd, passphrase_description, &passphrase, &passphrase_size);
-	if (r < 0) {
-		log_dbg(cd, "crypt_keyring_get_user_key failed (error %d)", r);
-		log_err(cd, _("Failed to read passphrase from keyring."));
-		return -EINVAL;
-	}
-
-	r = reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params);
+	crypt_keyslot_context_init_by_keyring_internal(&kc, passphrase_description);
+	r = reencrypt_init_by_keyslot_context(cd, name, &kc, &kc, keyslot_old,
+					      keyslot_new, cipher, cipher_mode, params);
 
-	crypt_safe_memzero(passphrase, passphrase_size);
-	free(passphrase);
+	crypt_keyslot_context_destroy_internal(&kc);
 
 	return r;
 }
@@ -3907,6 +3988,9 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *cipher_mode,
 	const struct crypt_params_reencrypt *params)
 {
+	int r;
+	struct crypt_keyslot_context kc = {0};
+
 	if (onlyLUKS2reencrypt(cd) || !passphrase)
 		return -EINVAL;
 	if (params && (params->flags & CRYPT_REENCRYPT_INITIALIZE_ONLY) && (params->flags & CRYPT_REENCRYPT_RESUME_ONLY))
@@ -3917,7 +4001,37 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	return reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params);
+	crypt_keyslot_context_init_by_passphrase_internal(&kc, passphrase, passphrase_size);
+
+	r = reencrypt_init_by_keyslot_context(cd, name, &kc, &kc, keyslot_old,
+					      keyslot_new, cipher, cipher_mode, params);
+
+	crypt_keyslot_context_destroy_internal(&kc);
+
+	return r;
+}
+
+int crypt_reencrypt_init_by_keyslot_context(struct crypt_device *cd,
+	const char *name,
+	struct crypt_keyslot_context *kc_old,
+	struct crypt_keyslot_context *kc_new,
+	int keyslot_old,
+	int keyslot_new,
+	const char *cipher,
+	const char *cipher_mode,
+	const struct crypt_params_reencrypt *params)
+{
+	if (onlyLUKS2reencrypt(cd) || (!kc_old && !kc_new))
+		return -EINVAL;
+	if (params && (params->flags & CRYPT_REENCRYPT_INITIALIZE_ONLY) && (params->flags & CRYPT_REENCRYPT_RESUME_ONLY))
+		return -EINVAL;
+
+	if (device_is_dax(crypt_data_device(cd)) > 0) {
+		log_err(cd, _("Reencryption is not supported for DAX (persistent memory) devices."));
+		return -EINVAL;
+	}
+
+	return reencrypt_init_by_keyslot_context(cd, name, kc_old, kc_new, keyslot_old, keyslot_new, cipher, cipher_mode, params);
 }
 
 #if USE_LUKS2_REENCRYPTION
@@ -3977,7 +4091,8 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd,
 	}
 
 	if (online) {
-		r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name, rh->vks, rh->device_size, rh->flags);
+		r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name,
+						      rh->hotzone_device, rh->vks, rh->device_size, rh->flags);
 		/* Teardown overlay devices with dm-error. None bio shall pass! */
 		if (r != REENC_OK)
 			return r;
@@ -4103,7 +4218,7 @@ static int reencrypt_wipe_unused_device_area(struct crypt_device *cd, struct luk
 static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh)
 {
 	int i, r;
-	uint32_t dmt_flags;
+	uint64_t dmt_flags;
 	bool finished = !(rh->device_size > rh->progress);
 
 	if (rh->rp.type == REENC_PROTECTION_NONE &&
@@ -4386,76 +4501,17 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr
 }
 #if USE_LUKS2_REENCRYPTION
 /* returns keyslot number on success (>= 0) or negative errnor otherwise */
-int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
-	int keyslot_old,
-	int keyslot_new,
-	const char *passphrase,
-	size_t passphrase_size,
-	struct volume_key **vks)
-{
-	uint64_t minimal_size, device_size;
-	int keyslot, r = -EINVAL;
-	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
-	struct volume_key *vk = NULL, *_vks = NULL;
-
-	log_dbg(cd, "Entering reencryption crash recovery.");
-
-	if (LUKS2_get_data_size(hdr, &minimal_size, NULL))
-		return r;
-
-	r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new,
-			passphrase, passphrase_size, &_vks);
-	if (r < 0)
-		goto out;
-	keyslot = r;
-
-	if (crypt_use_keyring_for_vk(cd))
-		vk = _vks;
-
-	while (vk) {
-		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk));
-		if (r < 0)
-			goto out;
-		vk = crypt_volume_key_next(vk);
-	}
-
-	if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
-		goto out;
-
-	r = reencrypt_recovery(cd, hdr, device_size, _vks);
-
-	if (!r && vks)
-		MOVE_REF(*vks, _vks);
-out:
-	if (r < 0)
-		crypt_drop_keyring_key(cd, _vks);
-	crypt_free_volume_key(_vks);
-
-	return r < 0 ? r : keyslot;
-}
-
 int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
 	struct volume_key *vks)
 {
 	uint64_t minimal_size, device_size;
 	int r = -EINVAL;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
-	struct volume_key *vk = NULL;
 
 	log_dbg(cd, "Entering reencryption crash recovery.");
 
 	if (LUKS2_get_data_size(hdr, &minimal_size, NULL))
 		return r;
-
-	if (crypt_use_keyring_for_vk(cd))
-		vk = vks;
-	while (vk) {
-		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk));
-		if (r < 0)
-			goto out;
-		vk = crypt_volume_key_next(vk);
-	}
-
 	if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
 		goto out;
 
@@ -4463,7 +4519,7 @@ int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
 
 out:
 	if (r < 0)
-		crypt_drop_keyring_key(cd, vks);
+		crypt_drop_uploaded_keyring_key(cd, vks);
 	return r;
 }
 #endif
diff --git a/lib/luks2/luks2_reencrypt_digest.c b/lib/luks2/luks2_reencrypt_digest.c
index 94e77be..9db88a4 100644
--- a/lib/luks2/luks2_reencrypt_digest.c
+++ b/lib/luks2/luks2_reencrypt_digest.c
@@ -2,9 +2,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption digest helpers
  *
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2022-2024 Ondrej Kozina
- * Copyright (C) 2022-2024 Milan Broz
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Ondrej Kozina
+ * Copyright (C) 2022-2025 Milan Broz
  */
 
 #include "luks2_internal.h"
@@ -240,10 +240,10 @@ static size_t reenc_keyslot_serialize(struct luks2_hdr *hdr, uint8_t *buffer)
 	return srs(j, buffer);
 }
 
-static size_t blob_serialize(void *blob, size_t length, uint8_t *buffer)
+static size_t blob_serialize(const void *blob, size_t length, uint8_t *buffer)
 {
 	if (buffer)
-		memcpy(buffer, blob, length);
+		crypt_safe_memcpy(buffer, blob, length);
 
 	return length;
 }
@@ -252,12 +252,13 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks,
 	uint8_t version,
-	struct volume_key **verification_data)
+	struct volume_key **r_verification_data)
 {
 	uint8_t *ptr;
-	int digest_new, digest_old;
-	struct volume_key *data = NULL, *vk_old = NULL, *vk_new = NULL;
+	int digest_new, digest_old, r = -EINVAL;
+	struct volume_key *verification_data = NULL, *vk_old = NULL, *vk_new = NULL;
 	size_t keyslot_data_len, segments_data_len, data_len = 2;
+	void *data = NULL;
 
 	/*
 	 * This works up to (including) version v207.
@@ -274,7 +275,7 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
 			log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_old);
 			return -EINVAL;
 		}
-		data_len += blob_serialize(vk_old->key, vk_old->keylength, NULL);
+		data_len += blob_serialize(crypt_volume_key_get_key(vk_old), crypt_volume_key_length(vk_old), NULL);
 	}
 
 	if (digest_new >= 0 && digest_old != digest_new) {
@@ -283,7 +284,7 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
 			log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_new);
 			return -EINVAL;
 		}
-		data_len += blob_serialize(vk_new->key, vk_new->keylength, NULL);
+		data_len += blob_serialize(crypt_volume_key_get_key(vk_new), crypt_volume_key_length(vk_new), NULL);
 	}
 
 	if (data_len == 2)
@@ -299,20 +300,22 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
 	data_len += segments_data_len;
 
 	/* Alloc and fill serialization data */
-	data = crypt_alloc_volume_key(data_len, NULL);
+	data = crypt_safe_alloc(data_len);
 	if (!data)
 		return -ENOMEM;
 
-	ptr = (uint8_t*)data->key;
+	ptr = (uint8_t*)data;
 
 	*ptr++ = 0x76;
 	*ptr++ = 0x30 + version;
 
 	if (vk_old)
-		ptr += blob_serialize(vk_old->key, vk_old->keylength, ptr);
+		ptr += blob_serialize(crypt_volume_key_get_key(vk_old),
+				      crypt_volume_key_length(vk_old), ptr);
 
 	if (vk_new)
-		ptr += blob_serialize(vk_new->key, vk_new->keylength, ptr);
+		ptr += blob_serialize(crypt_volume_key_get_key(vk_new),
+				      crypt_volume_key_length(vk_new), ptr);
 
 	if (!reenc_keyslot_serialize(hdr, ptr))
 		goto bad;
@@ -322,14 +325,20 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
 		goto bad;
 	ptr += segments_data_len;
 
-	assert((size_t)(ptr - (uint8_t*)data->key) == data_len);
+	assert((size_t)(ptr - (uint8_t*)data) == data_len);
 
-	*verification_data = data;
+	verification_data = crypt_alloc_volume_key_by_safe_alloc(&data);
+	if (!verification_data) {
+		r = -ENOMEM;
+		goto bad;
+	}
+	*r_verification_data = verification_data;
 
 	return 0;
 bad:
-	crypt_free_volume_key(data);
-	return -EINVAL;
+	crypt_safe_free(data);
+	crypt_free_volume_key(verification_data);
+	return r;
 }
 
 int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
@@ -362,22 +371,6 @@ int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
 	return LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, digest_reencrypt, 1, 0);
 }
 
-void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vk)
-{
-	int digest_old, digest_new;
-
-	digest_old = LUKS2_reencrypt_digest_old(hdr);
-	digest_new = LUKS2_reencrypt_digest_new(hdr);
-
-	while (vk) {
-		if (digest_old >= 0 && LUKS2_digest_verify_by_digest(cd, digest_old, vk) == digest_old)
-			crypt_volume_key_set_id(vk, digest_old);
-		if (digest_new >= 0 && LUKS2_digest_verify_by_digest(cd, digest_new, vk) == digest_new)
-			crypt_volume_key_set_id(vk, digest_new);
-		vk = vk->next;
-	}
-}
-
 int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks)
diff --git a/lib/luks2/luks2_segment.c b/lib/luks2/luks2_segment.c
index c2feb92..6284ca8 100644
--- a/lib/luks2/luks2_segment.c
+++ b/lib/luks2/luks2_segment.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, internal segment handling
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2024 Ondrej Kozina
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Ondrej Kozina
  */
 
 #include "luks2_internal.h"
@@ -270,7 +270,7 @@ json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length,
 }
 
 static bool json_add_crypt_fields(json_object *jobj_segment, uint64_t iv_offset,
-				  const char *cipher, const char *integrity,
+				  const char *cipher, const char *integrity, uint32_t integrity_key_size,
 				  uint32_t sector_size, unsigned reencryption)
 {
 	json_object *jobj_integrity;
@@ -289,6 +289,8 @@ static bool json_add_crypt_fields(json_object *jobj_segment, uint64_t iv_offset,
 		json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity));
 		json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none"));
 		json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none"));
+		if (integrity_key_size)
+			json_object_object_add(jobj_integrity, "key_size", json_object_new_int(integrity_key_size));
 		json_object_object_add(jobj_segment,   "integrity", jobj_integrity);
 	}
 
@@ -300,7 +302,7 @@ static bool json_add_crypt_fields(json_object *jobj_segment, uint64_t iv_offset,
 
 json_object *json_segment_create_crypt(uint64_t offset,
 				  uint64_t iv_offset, const uint64_t *length,
-				  const char *cipher, const char *integrity,
+				  const char *cipher, const char *integrity, uint32_t integrity_key_size,
 				  uint32_t sector_size, unsigned reencryption)
 {
 	json_object *jobj = _segment_create_generic("crypt", offset, length);
@@ -308,7 +310,7 @@ json_object *json_segment_create_crypt(uint64_t offset,
 	if (!jobj)
 		return NULL;
 
-	if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, sector_size, reencryption))
+	if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, integrity_key_size, sector_size, reencryption))
 		return jobj;
 
 	json_object_put(jobj);
@@ -350,7 +352,7 @@ json_object *json_segment_create_opal_crypt(uint64_t offset, const uint64_t *len
 
 	json_add_opal_fields(jobj, length, segment_number, key_size);
 
-	if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, sector_size, reencryption))
+	if (json_add_crypt_fields(jobj, iv_offset, cipher, integrity, 0, sector_size, reencryption))
 		return jobj;
 
 	json_object_put(jobj);
diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
index 83bf089..89e7682 100644
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -2,16 +2,16 @@
 /*
  * LUKS - Linux Unified Key Setup v2, token handling
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Milan Broz
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Milan Broz
  */
 
 #include <ctype.h>
-#include <dlfcn.h>
 
 #include "luks2_internal.h"
 
 #if USE_EXTERNAL_TOKENS
+#include <dlfcn.h>
 #define TOKENS_PATH_MAX PATH_MAX
 static bool external_tokens_enabled = true;
 static char external_tokens_path[TOKENS_PATH_MAX] = EXTERNAL_LUKS2_TOKENS_PATH;
@@ -101,10 +101,11 @@ static void *token_dlvsym(struct crypt_device *cd,
 	char *error;
 	void *sym;
 
-#ifdef HAVE_DLVSYM
+#if HAVE_DLVSYM
 	log_dbg(cd, "Loading symbol %s@%s.", symbol, version);
 	sym = dlvsym(handle, symbol, version);
 #else
+	UNUSED(version);
 	log_dbg(cd, "Loading default version of symbol %s.", symbol);
 	sym = dlsym(handle, symbol);
 #endif
@@ -443,12 +444,6 @@ crypt_token_info LUKS2_token_status(struct crypt_device *cd,
 	return is_builtin_candidate(tmp) ? CRYPT_TOKEN_INTERNAL_UNKNOWN : CRYPT_TOKEN_EXTERNAL_UNKNOWN;
 }
 
-static const char *token_json_to_string(json_object *jobj_token)
-{
-	return json_object_to_json_string_ext(jobj_token,
-		JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
-}
-
 static int token_is_usable(struct luks2_hdr *hdr, json_object *jobj_token, int keyslot, int segment,
 			   crypt_keyslot_priority minimal_priority, bool requires_keyslot)
 {
@@ -548,7 +543,7 @@ static int token_open(struct crypt_device *cd,
 	if (!(h = LUKS2_token_handler(cd, token)))
 		return -ENOENT;
 
-	if (h->validate && h->validate(cd, token_json_to_string(jobj_token))) {
+	if (h->validate && h->validate(cd, crypt_jobj_to_string_on_disk(jobj_token))) {
 		log_dbg(cd, "Token %d (%s) validation failed.", token, h->name);
 		return -ENOENT;
 	}
@@ -842,71 +837,6 @@ int LUKS2_token_unlock_key(struct crypt_device *cd,
 	return r;
 }
 
-int LUKS2_token_open_and_activate(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	int token,
-	const char *name,
-	const char *type,
-	const char *pin,
-	size_t pin_size,
-	uint32_t flags,
-	void *usrptr)
-{
-	bool use_keyring;
-	int r, segment;
-	struct volume_key *p_crypt, *p_opal, *crypt_key = NULL, *opal_key = NULL, *vk = NULL;
-
-	if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY)
-		segment = CRYPT_ANY_SEGMENT;
-	else
-		segment = CRYPT_DEFAULT_SEGMENT;
-
-	r = LUKS2_token_unlock_key(cd, hdr, keyslot, token, type, pin, pin_size, segment, usrptr, &vk);
-	if (r < 0)
-		return r;
-
-	assert(vk);
-
-	keyslot = r;
-
-	if (LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT)) {
-		r = LUKS2_split_crypt_and_opal_keys(cd, hdr, vk, &crypt_key, &opal_key);
-		if (r < 0) {
-			crypt_free_volume_key(vk);
-			return r;
-		}
-
-		p_crypt = crypt_key;
-		p_opal = opal_key ?: vk;
-	} else {
-		p_crypt = vk;
-		p_opal = NULL;
-	}
-
-	if (!crypt_use_keyring_for_vk(cd) || !p_crypt)
-		use_keyring = false;
-	else
-		use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
-			       (flags & CRYPT_ACTIVATE_KEYRING_KEY));
-
-	if (use_keyring) {
-		if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, p_crypt, keyslot)))
-			flags |= CRYPT_ACTIVATE_KEYRING_KEY;
-	}
-
-	if (r >= 0 && name)
-		r = LUKS2_activate(cd, name, p_crypt, p_opal, flags);
-
-	if (r < 0)
-		crypt_drop_keyring_key(cd, p_crypt);
-	crypt_free_volume_key(vk);
-	crypt_free_volume_key(crypt_key);
-	crypt_free_volume_key(opal_key);
-
-	return r < 0 ? r : keyslot;
-}
-
 void LUKS2_token_dump(struct crypt_device *cd, int token)
 {
 	const crypt_token_handler *h;
@@ -916,8 +846,7 @@ void LUKS2_token_dump(struct crypt_device *cd, int token)
 	if (h && h->dump) {
 		jobj_token = LUKS2_get_token_jobj(crypt_get_hdr(cd, CRYPT_LUKS2), token);
 		if (jobj_token)
-			h->dump(cd, json_object_to_json_string_ext(jobj_token,
-				JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE));
+			h->dump(cd, crypt_jobj_to_string_on_disk(jobj_token));
 	}
 }
 
@@ -929,7 +858,7 @@ int LUKS2_token_json_get(struct luks2_hdr *hdr, int token, const char **json)
 	if (!jobj_token)
 		return -EINVAL;
 
-	*json = token_json_to_string(jobj_token);
+	*json = crypt_jobj_to_string_on_disk(jobj_token);
 	return 0;
 }
 
@@ -1137,7 +1066,7 @@ int LUKS2_token_unlock_passphrase(struct crypt_device *cd,
 	if (!r) {
 		*passphrase = crypt_safe_alloc(buffer_size);
 		if (*passphrase) {
-			memcpy(*passphrase, buffer, buffer_size);
+			crypt_safe_memcpy(*passphrase, buffer, buffer_size);
 			*passphrase_size = buffer_size;
 		} else
 			r = -ENOMEM;
diff --git a/lib/luks2/luks2_token_keyring.c b/lib/luks2/luks2_token_keyring.c
index c455aa0..c8a33a5 100644
--- a/lib/luks2/luks2_token_keyring.c
+++ b/lib/luks2/luks2_token_keyring.c
@@ -2,8 +2,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, kernel keyring token
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #include "luks2_internal.h"
diff --git a/lib/nls.h b/lib/nls.h
index 39760b1..64a271f 100644
--- a/lib/nls.h
+++ b/lib/nls.h
@@ -5,14 +5,14 @@
 #define LOCALEDIR "/usr/share/locale"
 #endif
 
-#ifdef HAVE_LOCALE_H
+#if HAVE_LOCALE_H
 # include <locale.h>
 #else
 # undef setlocale
 # define setlocale(Category, Locale) /* empty */
 #endif
 
-#ifdef ENABLE_NLS
+#if ENABLE_NLS
 # include <libintl.h>
 # define _(Text) gettext (Text)
 # ifdef gettext_noop
diff --git a/lib/random.c b/lib/random.c
index 4720daf..06d2713 100644
--- a/lib/random.c
+++ b/lib/random.c
@@ -2,7 +2,7 @@
 /*
  * cryptsetup kernel RNG access functions
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <stdlib.h>
diff --git a/lib/setup.c b/lib/setup.c
index 66044f4..f1e8d92 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <string.h>
@@ -18,7 +18,6 @@
 #include "libcryptsetup.h"
 #include "luks1/luks.h"
 #include "luks2/luks2.h"
-#include "luks2/luks2_internal.h"
 #include "loopaes/loopaes.h"
 #include "verity/verity.h"
 #include "tcrypt/tcrypt.h"
@@ -290,16 +289,17 @@ static int process_key(struct crypt_device *cd, const char *hash_name,
 		       struct volume_key **vk)
 {
 	int r;
+	void *key = NULL;
 
 	if (!key_size)
 		return -EINVAL;
 
-	*vk = crypt_alloc_volume_key(key_size, NULL);
-	if (!*vk)
-		return -ENOMEM;
-
 	if (hash_name) {
-		r = crypt_plain_hash(cd, hash_name, (*vk)->key, key_size, pass, passLen);
+		key = crypt_safe_alloc(key_size);
+		if (!key)
+			return -ENOMEM;
+
+		r = crypt_plain_hash(cd, hash_name, key, key_size, pass, passLen);
 		if (r < 0) {
 			if (r == -ENOENT)
 				log_err(cd, _("Hash algorithm %s not supported."),
@@ -307,17 +307,27 @@ static int process_key(struct crypt_device *cd, const char *hash_name,
 			else
 				log_err(cd, _("Key processing error (using hash %s)."),
 					hash_name);
-			crypt_free_volume_key(*vk);
-			*vk = NULL;
+			crypt_safe_free(key);
 			return -EINVAL;
 		}
-	} else if (passLen > key_size) {
-		memcpy((*vk)->key, pass, key_size);
+		*vk = crypt_alloc_volume_key_by_safe_alloc(&key);
+	} else if (passLen >= key_size) {
+		*vk = crypt_alloc_volume_key(key_size, pass);
 	} else {
-		memcpy((*vk)->key, pass, passLen);
+		key = crypt_safe_alloc(key_size);
+		if (!key)
+			return -ENOMEM;
+
+		crypt_safe_memcpy(key, pass, passLen);
+
+		*vk = crypt_alloc_volume_key_by_safe_alloc(&key);
 	}
 
-	return 0;
+	r = *vk ? 0 : -ENOMEM;
+
+	crypt_safe_free(key);
+
+	return r;
 }
 
 static int isPLAIN(const char *type)
@@ -404,7 +414,7 @@ static int onlyLUKSnoRequirements(struct crypt_device *cd)
 
 static int onlyLUKS(struct crypt_device *cd)
 {
-	return _onlyLUKS(cd, 0, CRYPT_REQUIREMENT_OPAL);
+	return _onlyLUKS(cd, 0, CRYPT_REQUIREMENT_OPAL | CRYPT_REQUIREMENT_INLINE_HW_TAGS);
 }
 
 static int _onlyLUKS2(struct crypt_device *cd, uint32_t cdflags, uint32_t mask)
@@ -437,7 +447,7 @@ static int onlyLUKS2unrestricted(struct crypt_device *cd)
 /* Internal only */
 int onlyLUKS2(struct crypt_device *cd)
 {
-	return _onlyLUKS2(cd, 0, CRYPT_REQUIREMENT_OPAL);
+	return _onlyLUKS2(cd, 0, CRYPT_REQUIREMENT_OPAL | CRYPT_REQUIREMENT_INLINE_HW_TAGS);
 }
 
 /* Internal only */
@@ -502,92 +512,6 @@ static int keyslot_verify_or_find_empty(struct crypt_device *cd, int *keyslot)
 	return 0;
 }
 
-/*
- * compares UUIDs returned by device-mapper (striped by cryptsetup) and uuid in header
- */
-int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid)
-{
-	int i, j;
-	char *str;
-
-	if (!dm_uuid || !hdr_uuid)
-		return -EINVAL;
-
-	/* skip beyond LUKS2_HW_OPAL prefix */
-	if (!strncmp(dm_uuid, CRYPT_LUKS2_HW_OPAL, strlen(CRYPT_LUKS2_HW_OPAL)))
-		dm_uuid = dm_uuid + strlen(CRYPT_LUKS2_HW_OPAL);
-
-	str = strchr(dm_uuid, '-');
-	if (!str)
-		return -EINVAL;
-
-	for (i = 0, j = 1; hdr_uuid[i]; i++) {
-		if (hdr_uuid[i] == '-')
-			continue;
-
-		if (!str[j] || str[j] == '-')
-			return -EINVAL;
-
-		if (str[j] != hdr_uuid[i])
-			return -EINVAL;
-		j++;
-	}
-
-	return 0;
-}
-
-/*
- * compares two UUIDs returned by device-mapper (striped by cryptsetup)
- * used for stacked LUKS2 & INTEGRITY devices
- */
-static int crypt_uuid_integrity_cmp(const char *dm_uuid, const char *dmi_uuid)
-{
-	int i;
-	char *str, *stri;
-
-	if (!dm_uuid || !dmi_uuid)
-		return -EINVAL;
-
-	/* skip beyond LUKS2_HW_OPAL prefix */
-	if (!strncmp(dm_uuid, CRYPT_LUKS2_HW_OPAL, strlen(CRYPT_LUKS2_HW_OPAL)))
-		dm_uuid = dm_uuid + strlen(CRYPT_LUKS2_HW_OPAL);
-
-	str = strchr(dm_uuid, '-');
-	if (!str)
-		return -EINVAL;
-
-	stri = strchr(dmi_uuid, '-');
-	if (!stri)
-		return -EINVAL;
-
-	for (i = 1; str[i] && str[i] != '-'; i++) {
-		if (!stri[i])
-			return -EINVAL;
-
-		if (str[i] != stri[i])
-			return -EINVAL;
-	}
-
-	return 0;
-}
-
-/*
- * compares type of active device to provided string
- */
-int crypt_uuid_type_cmp(const char *dm_uuid, const char *type)
-{
-	size_t len;
-
-	assert(type);
-
-	len = strlen(type);
-	if (dm_uuid && strlen(dm_uuid) > len &&
-	    !strncmp(dm_uuid, type, len) && dm_uuid[len] == '-')
-		return 0;
-
-	return -ENODEV;
-}
-
 int PLAIN_activate(struct crypt_device *cd,
 		     const char *name,
 		     struct volume_key *vk,
@@ -610,8 +534,7 @@ int PLAIN_activate(struct crypt_device *cd,
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
 			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd),
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
+			crypt_get_data_offset(cd), NULL, 0, 0, crypt_get_sector_size(cd));
 	if (r < 0)
 		return r;
 
@@ -1264,7 +1187,7 @@ static int _init_by_name_crypt_none(struct crypt_device *cd)
 			r = -EINVAL;
 		else {
 			cd->u.none.cipher_mode = cd->u.none.cipher_spec + strlen(cd->u.none.cipher) + 1;
-			cd->u.none.key_size = tgt->u.crypt.vk->keylength;
+			cd->u.none.key_size = crypt_volume_key_length(tgt->u.crypt.vk);
 			r = 0;
 		}
 	}
@@ -1301,7 +1224,8 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 	bool found = false;
 	char **dep, *cipher_spec = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
 	char deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = {};
-	const char *dev, *namei;
+	const char *dev;
+	char *iname = NULL;
 	int key_nums, r;
 	struct crypt_dm_active_device dmd, dmdi = {}, dmdep = {};
 	struct dm_target *tgt = &dmd.segment, *tgti = &dmdi.segment;
@@ -1349,16 +1273,13 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 
 	dep = deps;
 
-	if (tgt->type == DM_CRYPT && tgt->u.crypt.integrity && (namei = device_dm_name(tgt->data_device))) {
-		r = dm_query_device(cd, namei, DM_ACTIVE_DEVICE, &dmdi);
+	if (tgt->type == DM_CRYPT && tgt->u.crypt.tag_size &&
+	     (iname = dm_get_active_iname(cd, name))) {
+
+		r = dm_query_device(cd, iname, DM_ACTIVE_DEVICE, &dmdi);
+		free(iname);
 		if (r < 0)
 			goto out;
-		if (!single_segment(&dmdi) || tgti->type != DM_INTEGRITY) {
-			log_dbg(cd, "Unsupported device table detected in %s.", namei);
-			r = -EINVAL;
-			goto out;
-		}
-
 		/*
 		 * Data device for crypt with integrity is not dm-integrity device,
 		 * but always the device underlying dm-integrity.
@@ -1409,19 +1330,21 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 		cd->u.plain.hdr.offset = tgt->u.crypt.offset;
 		cd->u.plain.hdr.skip = tgt->u.crypt.iv_offset;
 		cd->u.plain.hdr.sector_size = tgt->u.crypt.sector_size;
-		cd->u.plain.key_size = tgt->u.crypt.vk->keylength;
+		cd->u.plain.key_size = crypt_volume_key_length(tgt->u.crypt.vk);
 		cd->u.plain.cipher = strdup(cipher);
 		MOVE_REF(cd->u.plain.cipher_spec, cipher_spec);
 		cd->u.plain.cipher_mode = cd->u.plain.cipher_spec + strlen(cipher) + 1;
+		if (dmd.flags & CRYPT_ACTIVATE_KEYRING_KEY)
+			crypt_set_key_in_keyring(cd, 1);
 	} else if (isLOOPAES(cd->type) && single_segment(&dmd) && tgt->type == DM_CRYPT) {
 		cd->u.loopaes.hdr.offset = tgt->u.crypt.offset;
 		cd->u.loopaes.cipher = strdup(cipher);
 		MOVE_REF(cd->u.loopaes.cipher_spec, cipher_spec);
 		cd->u.loopaes.cipher_mode = cd->u.loopaes.cipher_spec + strlen(cipher) + 1;
 		/* version 3 uses last key for IV */
-		if (tgt->u.crypt.vk->keylength % key_nums)
+		if (crypt_volume_key_length(tgt->u.crypt.vk) % key_nums)
 			key_nums++;
-		cd->u.loopaes.key_size = tgt->u.crypt.vk->keylength / key_nums;
+		cd->u.loopaes.key_size = crypt_volume_key_length(tgt->u.crypt.vk) / key_nums;
 	} else if (isLUKS1(cd->type) || isLUKS2(cd->type)) {
 		if (crypt_metadata_device(cd)) {
 			r = _crypt_load_luks(cd, cd->type, true, false);
@@ -1434,7 +1357,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 				goto out;
 			}
 			/* check whether UUIDs match each other */
-			r = crypt_uuid_cmp(dmd.uuid, LUKS_UUID(cd));
+			r = dm_uuid_cmp(dmd.uuid, LUKS_UUID(cd));
 			if (r < 0) {
 				log_dbg(cd, "LUKS device header uuid: %s mismatches DM returned uuid %s",
 					LUKS_UUID(cd), dmd.uuid);
@@ -1558,11 +1481,11 @@ static int _init_by_name_integrity(struct crypt_device *cd, const char *name)
 		MOVE_REF(cd->u.integrity.params.journal_crypt, tgt->u.integrity.journal_crypt);
 
 		if (tgt->u.integrity.vk)
-			cd->u.integrity.params.integrity_key_size = tgt->u.integrity.vk->keylength;
+			cd->u.integrity.params.integrity_key_size = crypt_volume_key_length(tgt->u.integrity.vk);
 		if (tgt->u.integrity.journal_integrity_key)
-			cd->u.integrity.params.journal_integrity_key_size = tgt->u.integrity.journal_integrity_key->keylength;
+			cd->u.integrity.params.journal_integrity_key_size = crypt_volume_key_length(tgt->u.integrity.journal_integrity_key);
 		if (tgt->u.integrity.journal_crypt_key)
-			cd->u.integrity.params.integrity_key_size = tgt->u.integrity.journal_crypt_key->keylength;
+			cd->u.integrity.params.journal_crypt_key_size = crypt_volume_key_length(tgt->u.integrity.journal_crypt_key);
 		MOVE_REF(cd->metadata_device, tgt->u.integrity.meta_device);
 	}
 out:
@@ -1796,7 +1719,7 @@ static int _crypt_format_luks1(struct crypt_device *cd,
 		cd->volume_key = crypt_alloc_volume_key(volume_key_size,
 						      volume_key);
 	else
-		cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
+		cd->volume_key = crypt_generate_volume_key(cd, volume_key_size, KEY_QUALITY_KEY);
 
 	if (!cd->volume_key)
 		return -ENOMEM;
@@ -1886,9 +1809,11 @@ static int LUKS2_check_encryption_params(struct crypt_device *cd,
 	const char *cipher,
 	const char *cipher_mode,
 	const char *integrity,
+	size_t required_integrity_key_size,
 	size_t volume_key_size,
 	const struct crypt_params_luks2 *params,
-	const char **ret_integrity)
+	const char **ret_integrity,
+	size_t *ret_integrity_key_size)
 {
 	int r, integrity_key_size = 0;
 
@@ -1899,8 +1824,7 @@ static int LUKS2_check_encryption_params(struct crypt_device *cd,
 	if (integrity) {
 		if (params->integrity_params) {
 			/* Standalone dm-integrity must not be used */
-			if (params->integrity_params->integrity ||
-			    params->integrity_params->integrity_key_size)
+			if (params->integrity_params->integrity)
 				return -EINVAL;
 			/* FIXME: journal encryption and MAC is here not yet supported */
 			if (params->integrity_params->journal_crypt ||
@@ -1914,15 +1838,19 @@ static int LUKS2_check_encryption_params(struct crypt_device *cd,
 			else
 				return -EINVAL;
 		}
-		integrity_key_size = INTEGRITY_key_size(integrity);
+		integrity_key_size = INTEGRITY_key_size(integrity, required_integrity_key_size);
 		if ((integrity_key_size < 0) || (integrity_key_size >= (int)volume_key_size)) {
 			log_err(cd, _("Volume key is too small for encryption with integrity extensions."));
 			return -EINVAL;
 		}
+		if (integrity_key_size && integrity_key_size < LUKS2_MIN_INTEGRITY_KEY_BYTES) {
+			log_err(cd, _("Integrity key size is too small."));
+			return -EINVAL;
+		}
 	}
 
 	/* FIXME: allow this later also for normal ciphers (check AF_ALG availability. */
-	if (integrity && !integrity_key_size) {
+	if (integrity && integrity_key_size == 0) {
 		r = crypt_cipher_check_kernel(cipher, cipher_mode, integrity, volume_key_size);
 		if (r < 0) {
 			log_err(cd, _("Cipher %s-%s (key size %zd bits) is not available."),
@@ -1940,6 +1868,8 @@ static int LUKS2_check_encryption_params(struct crypt_device *cd,
 	}
 
 	*ret_integrity = integrity;
+	if (ret_integrity_key_size)
+		*ret_integrity_key_size = required_integrity_key_size ? integrity_key_size : 0;
 
 	return 0;
 }
@@ -1948,7 +1878,7 @@ static int LUKS2_check_encryption_sector(struct crypt_device *cd, uint64_t devic
 		uint64_t data_offset_bytes, uint32_t sector_size, bool modify_sector_size,
 		bool verify_data_area_alignment, uint32_t *ret_sector_size)
 {
-	uint32_t dmc_flags;
+	uint64_t dmc_flags;
 
 	assert(ret_sector_size);
 
@@ -1999,7 +1929,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 			       const char *volume_key,
 			       size_t volume_key_size,
 			       struct crypt_params_luks2 *params,
-			       bool sector_size_autodetect)
+			       bool sector_size_autodetect, bool integrity_inline)
 {
 	int r;
 	unsigned long required_alignment = DEFAULT_DISK_ALIGNMENT;
@@ -2007,6 +1937,8 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 	unsigned int sector_size;
 	char cipher_spec[2*MAX_CAPI_ONE_LEN];
 	const char *integrity = params ? params->integrity : NULL;
+	size_t integrity_key_size = 0; /* only for independent, separate key in HMAC */
+	struct volume_key *integrity_key = NULL;
 	uint64_t data_offset_bytes, dev_size, metadata_size_bytes, keyslots_size_bytes;
 
 	cd->u.luks2.hdr.jobj = NULL;
@@ -2066,7 +1998,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 		cd->volume_key = crypt_alloc_volume_key(volume_key_size,
 						      volume_key);
 	else
-		cd->volume_key = crypt_generate_volume_key(cd, volume_key_size);
+		cd->volume_key = crypt_generate_volume_key(cd, volume_key_size, KEY_QUALITY_KEY);
 
 	if (!cd->volume_key)
 		return -ENOMEM;
@@ -2091,8 +2023,11 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 				       &required_alignment,
 				       &alignment_offset, DEFAULT_DISK_ALIGNMENT);
 
-	r = LUKS2_check_encryption_params(cd, cipher, cipher_mode, integrity,
-					  volume_key_size, params, &integrity);
+	if (params && params->integrity_params && params->integrity_params->integrity_key_size)
+		integrity_key_size = params->integrity_params->integrity_key_size;
+
+	r = LUKS2_check_encryption_params(cd, cipher, cipher_mode, integrity, integrity_key_size,
+					  volume_key_size, params, &integrity, &integrity_key_size);
 	if (r < 0)
 		goto out;
 
@@ -2122,7 +2057,8 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 
 	r = LUKS2_generate_hdr(cd, &cd->u.luks2.hdr, cd->volume_key,
 			       cipher_spec,
-			       integrity, uuid,
+			       integrity, integrity_key_size,
+			       uuid,
 			       sector_size,
 			       data_offset_bytes,
 			       metadata_size_bytes, keyslots_size_bytes,
@@ -2130,6 +2066,14 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 	if (r < 0)
 		goto out;
 
+	if (integrity_inline) {
+		log_dbg(cd, "Adding LUKS2 inline HW tags requirement flag.");
+		r = LUKS2_config_set_requirement_version(cd, &cd->u.luks2.hdr,
+			CRYPT_REQUIREMENT_INLINE_HW_TAGS, 1, false);
+		if (r < 0)
+			goto out;
+	}
+
 	if (params && (params->label || params->subsystem)) {
 		r = LUKS2_hdr_labels(cd, &cd->u.luks2.hdr,
 				     params->label, params->subsystem, 0);
@@ -2167,11 +2111,24 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 
 			goto out;
 		}
+	}
 
-		r = INTEGRITY_format(cd, params ? params->integrity_params : NULL, NULL, NULL, 0);
+	/* Format underlying virtual dm-integrity device */
+	if (!integrity_inline && crypt_get_integrity_tag_size(cd)) {
+		if (integrity_key_size) {
+			integrity_key = crypt_alloc_volume_key(integrity_key_size,
+					crypt_volume_key_get_key(cd->volume_key) + volume_key_size - integrity_key_size);
+			if (!integrity_key) {
+				r = -ENOMEM;
+				goto out;
+			}
+		}
+		r = INTEGRITY_format(cd, params ? params->integrity_params : NULL,
+				     integrity_key, NULL, NULL, 0, NULL, false);
 		if (r)
 			log_err(cd, _("Cannot format integrity for device %s."),
 				data_device_path(cd));
+		crypt_free_volume_key(integrity_key);
 	}
 
 	if (r < 0)
@@ -2336,6 +2293,8 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 	int r;
 	char cipher_spec[128];
 	const char *integrity = params ? params->integrity : NULL;
+	size_t integrity_key_size = 0; /* only for independent, separate key in HMAC */
+	struct volume_key *integrity_key = NULL;
 	uint32_t sector_size, opal_block_bytes, opal_segment_number = 1; /* We'll use the partition number if available later */
 	uint64_t alignment_offset_bytes, data_offset_bytes, device_size_bytes, opal_alignment_granularity_blocks,
 		 partition_offset_sectors, range_offset_blocks, range_size_bytes,
@@ -2415,7 +2374,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 	if (volume_keys)
 		cd->volume_key = crypt_alloc_volume_key(volume_keys_size, volume_keys);
 	else
-		cd->volume_key = crypt_generate_volume_key(cd, volume_keys_size);
+		cd->volume_key = crypt_generate_volume_key(cd, volume_keys_size, KEY_QUALITY_KEY);
 
 	if (!cd->volume_key) {
 		r = -ENOMEM;
@@ -2423,7 +2382,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 	}
 
 	if (cipher) {
-		user_key = crypt_alloc_volume_key(opal_params->user_key_size, cd->volume_key->key);
+		user_key = crypt_alloc_volume_key(opal_params->user_key_size, crypt_volume_key_get_key(cd->volume_key));
 		if (!user_key) {
 			r = -ENOMEM;
 			goto out;
@@ -2475,9 +2434,12 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 		opal_segment_number = r;
 
 	if (cipher) {
-		r = LUKS2_check_encryption_params(cd, cipher, cipher_mode, integrity,
+		if (params->integrity_params && params->integrity_params->integrity_key_size)
+			integrity_key_size = params->integrity_params->integrity_key_size;
+
+		r = LUKS2_check_encryption_params(cd, cipher, cipher_mode, integrity, 0,
 						  volume_keys_size - opal_params->user_key_size,
-						  params, &integrity);
+						  params, &integrity, &integrity_key_size);
 		if (r < 0)
 			goto out;
 	}
@@ -2524,7 +2486,9 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 	}
 
 	r = LUKS2_generate_hdr(cd, &cd->u.luks2.hdr, cd->volume_key,
-			       cipher ? cipher_spec : NULL, integrity, uuid,
+			       cipher ? cipher_spec : NULL,
+			       integrity, integrity_key_size,
+			       uuid,
 			       sector_size,
 			       data_offset_bytes,
 			       metadata_size_bytes, keyslots_size_bytes,
@@ -2603,15 +2567,27 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 			goto out;
 		}
 
-		r = INTEGRITY_format(cd, params->integrity_params, NULL, NULL,
+		if (integrity_key_size) {
+			integrity_key = crypt_alloc_volume_key(integrity_key_size,
+				crypt_volume_key_get_key(cd->volume_key) + volume_keys_size - integrity_key_size);
+
+			if (!integrity_key) {
+				r = -ENOMEM;
+				goto out;
+			}
+		}
+
+		r = INTEGRITY_format(cd, params->integrity_params, integrity_key, NULL, NULL,
 				     /*
 				      * Create reduced dm-integrity device only if locking range size does
 				      * not match device size.
 				      */
-				     device_size_bytes != range_size_bytes ? range_size_bytes / SECTOR_SIZE : 0);
+				     device_size_bytes != range_size_bytes ? range_size_bytes / SECTOR_SIZE : 0, NULL, false);
 		if (r)
 			log_err(cd, _("Cannot format integrity for device %s."),
 				data_device_path(cd));
+
+		crypt_free_volume_key(integrity_key);
 		if (r < 0)
 			goto out;
 
@@ -2887,12 +2863,14 @@ static int _crypt_format_verity(struct crypt_device *cd,
 
 static int _crypt_format_integrity(struct crypt_device *cd,
 				   const char *uuid,
-				   struct crypt_params_integrity *params)
+				   struct crypt_params_integrity *params,
+				   const char *integrity_key, size_t integrity_key_size,
+				   bool integrity_inline)
 {
 	int r;
 	uint32_t integrity_tag_size;
 	char *integrity = NULL, *journal_integrity = NULL, *journal_crypt = NULL;
-	struct volume_key *journal_crypt_key = NULL, *journal_mac_key = NULL;
+	struct volume_key *journal_crypt_key = NULL, *journal_mac_key = NULL, *ik = NULL;
 
 	if (!params)
 		return -EINVAL;
@@ -2902,6 +2880,11 @@ static int _crypt_format_integrity(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
+	if (integrity_key_size && integrity_key_size != params->integrity_key_size) {
+		log_err(cd, _("Integrity key size mismatch."));
+		return -EINVAL;
+	}
+
 	r = device_check_access(cd, crypt_metadata_device(cd), DEV_EXCL);
 	if (r < 0)
 		return r;
@@ -2968,10 +2951,24 @@ static int _crypt_format_integrity(struct crypt_device *cd,
 	cd->u.integrity.params.journal_integrity = journal_integrity;
 	cd->u.integrity.params.journal_crypt = journal_crypt;
 
-	r = INTEGRITY_format(cd, params, cd->u.integrity.journal_crypt_key, cd->u.integrity.journal_mac_key, 0);
+	if (params->integrity_key_size) {
+		if (!integrity_key)
+			ik = crypt_generate_volume_key(cd, params->integrity_key_size, KEY_QUALITY_EMPTY);
+		else
+			ik = crypt_alloc_volume_key(params->integrity_key_size, integrity_key);
+		if (!ik) {
+			r = -ENOMEM;
+			goto out;
+		}
+	}
+
+	r = INTEGRITY_format(cd, params, ik, cd->u.integrity.journal_crypt_key,
+			     cd->u.integrity.journal_mac_key, 0, &cd->u.integrity.sb_flags,
+			     integrity_inline);
 	if (r)
-		log_err(cd, _("Cannot format integrity for device %s."),
-			mdata_device_path(cd));
+		log_err(cd, _("Cannot format integrity for device %s."), mdata_device_path(cd));
+
+	crypt_free_volume_key(ik);
 out:
 	if (r) {
 		crypt_free_volume_key(journal_crypt_key);
@@ -2984,6 +2981,128 @@ static int _crypt_format_integrity(struct crypt_device *cd,
 	return r;
 }
 
+int crypt_format_inline(struct crypt_device *cd,
+	const char *type,
+	const char *cipher,
+	const char *cipher_mode,
+	const char *uuid,
+	const char *volume_key,
+	size_t volume_key_size,
+	void *params)
+{
+	struct crypt_params_luks2 *lparams;
+	const struct crypt_params_integrity *iparams;
+	uint32_t device_tag_size, required_tag_size;
+	struct device *idevice;
+	size_t sector_size, required_sector_size;
+	int r;
+
+	if (!cd || !params)
+		return -EINVAL;
+
+	if (cd->type) {
+		log_dbg(cd, "Context already formatted as %s.", cd->type);
+		return -EINVAL;
+	}
+
+	log_dbg(cd, "Formatting device %s as type %s with inline tags.", mdata_device_path(cd) ?: "(none)", type);
+
+	crypt_reset_null_type(cd);
+
+	r = init_crypto(cd);
+	if (r < 0)
+		return r;
+
+	if (isINTEGRITY(type)) {
+		lparams = NULL;
+		iparams = params;
+		idevice = crypt_metadata_device(cd);
+		required_sector_size = iparams->sector_size;
+		required_tag_size = iparams->tag_size;
+
+		/* Unused in standalone integrity */
+		if (cipher || cipher_mode)
+			return -EINVAL;
+	} else if (isLUKS2(type)) {
+		lparams = params;
+		iparams = lparams->integrity_params;
+
+		if (lparams->data_device) {
+			if (!cd->metadata_device)
+				cd->metadata_device = cd->device;
+			else
+				device_free(cd, cd->device);
+			cd->device = NULL;
+			if (device_alloc(cd, &cd->device, lparams->data_device) < 0)
+				return -ENOMEM;
+		}
+
+		idevice = crypt_data_device(cd);
+		required_sector_size = lparams->sector_size;
+
+		if (!lparams->integrity || !idevice)
+			return -EINVAL;
+
+		required_tag_size = INTEGRITY_tag_size(lparams->integrity, cipher, cipher_mode);
+	} else {
+		log_err(cd, _("Unknown or unsupported device type %s requested."), type);
+		return -EINVAL;
+	}
+
+	/* In inline mode journal will be never used, check that params are not set */
+	if (iparams && (iparams->journal_size || iparams->journal_watermark || iparams->journal_commit_time ||
+	    iparams->interleave_sectors || iparams->journal_integrity || iparams->journal_integrity_key ||
+	    iparams->journal_integrity_key_size || iparams->journal_crypt || iparams->journal_crypt_key ||
+	    iparams->journal_integrity_key_size))
+		return -EINVAL;
+
+	r = device_is_nop_dif(idevice, &device_tag_size);
+	if (r < 0)
+		return r;
+
+	if (!r) {
+		log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
+		return -EINVAL;
+	}
+
+	/* We can get device_tag_size = 0 as kernel provides this info only for some block devices */
+	if (device_tag_size > 0 && device_tag_size < required_tag_size) {
+		log_err(cd, _("Inline tag size %" PRIu32 " [bytes] is larger than %" PRIu32 " provided by device %s."),
+			required_tag_size, device_tag_size, mdata_device_path(cd));
+		return -EINVAL;
+	}
+	log_dbg(cd, "Inline integrity is supported (%" PRIu32 ").", device_tag_size);
+
+	/* Inline must use sectors size as hardware device */
+	sector_size = device_block_size(cd, idevice);
+	if (!sector_size)
+		return -EINVAL;
+
+	/* No autodetection, use device sector size */
+	if (isLUKS2(type) && lparams && !required_sector_size)
+		lparams->sector_size = sector_size;
+	else if (sector_size != required_sector_size) {
+		log_err(cd, _("Sector must be the same as device hardware sector (%zu bytes)."), sector_size);
+		return -EINVAL;
+	}
+
+	if (isINTEGRITY(type))
+		r = _crypt_format_integrity(cd, uuid, params, volume_key, volume_key_size, true);
+	else if (isLUKS2(type))
+		r = _crypt_format_luks2(cd, cipher, cipher_mode,
+					uuid, volume_key, volume_key_size, params, false, true);
+	else
+		r = -EINVAL;
+
+	if (r < 0) {
+		crypt_set_null_type(cd);
+		crypt_free_volume_key(cd->volume_key);
+		cd->volume_key = NULL;
+	}
+
+	return r;
+}
+
 static int _crypt_format(struct crypt_device *cd,
 	const char *type,
 	const char *cipher,
@@ -3020,15 +3139,15 @@ static int _crypt_format(struct crypt_device *cd,
 					uuid, volume_key, volume_key_size, params);
 	else if (isLUKS2(type))
 		r = _crypt_format_luks2(cd, cipher, cipher_mode,
-					uuid, volume_key, volume_key_size, params, sector_size_autodetect);
+					uuid, volume_key, volume_key_size, params, sector_size_autodetect, false);
 	else if (isLOOPAES(type))
 		r = _crypt_format_loopaes(cd, cipher, uuid, volume_key_size, params);
 	else if (isVERITY(type))
 		r = _crypt_format_verity(cd, uuid, params);
 	else if (isINTEGRITY(type))
-		r = _crypt_format_integrity(cd, uuid, params);
+		r = _crypt_format_integrity(cd, uuid, params, volume_key, volume_key_size, false);
 	else {
-		log_err(cd, _("Unknown crypt device type %s requested."), type);
+		log_err(cd, _("Unknown or unsupported device type %s requested."), type);
 		r = -EINVAL;
 	}
 
@@ -3102,22 +3221,62 @@ int crypt_repair(struct crypt_device *cd,
 }
 
 /* compare volume keys */
-static int _compare_volume_keys(struct volume_key *svk, unsigned skeyring_only,
-				struct volume_key *tvk, unsigned tkeyring_only)
+static int _compare_volume_keys(struct volume_key *svk, struct volume_key *tvk)
+{
+	if (svk == tvk)
+		return 0;
+
+	if (!svk || !tvk)
+		return 1;
+
+	if (crypt_volume_key_length(svk) != crypt_volume_key_length(tvk))
+		return 1;
+
+	/* No switch between keyring and direct key specification */
+	if ((!crypt_volume_key_description(svk) && crypt_volume_key_description(tvk)) ||
+	    (crypt_volume_key_description(svk) && !crypt_volume_key_description(tvk)) ||
+	    (!crypt_volume_key_is_set(svk) && crypt_volume_key_is_set(tvk)) ||
+	    (crypt_volume_key_is_set(svk) && !crypt_volume_key_is_set(tvk)))
+		return 1;
+
+	if (crypt_volume_key_description(svk) &&
+	    (crypt_volume_key_kernel_key_type(svk) != crypt_volume_key_kernel_key_type(tvk) ||
+	    strcmp(crypt_volume_key_description(svk), crypt_volume_key_description(tvk))))
+		return 1;
+
+	if (crypt_volume_key_is_set(svk) &&
+	    crypt_backend_memeq(crypt_volume_key_get_key(svk),
+				crypt_volume_key_get_key(tvk),
+				crypt_volume_key_length(svk)))
+		return 1;
+
+	return 0;
+}
+
+static int _compare_volume_keys_luks2(struct volume_key *svk, struct volume_key *tvk)
 {
-	if (!svk && !tvk)
+	if (svk == tvk)
 		return 0;
-	else if (!svk || !tvk)
+
+	if (!svk || !tvk)
 		return 1;
 
-	if (svk->keylength != tvk->keylength)
+	if (crypt_volume_key_length(svk) != crypt_volume_key_length(tvk))
 		return 1;
 
-	if (!skeyring_only && !tkeyring_only)
-		return crypt_backend_memeq(svk->key, tvk->key, svk->keylength);
+	if ((!crypt_volume_key_is_set(svk) && !crypt_volume_key_description(svk)) ||
+	    (!crypt_volume_key_is_set(tvk) && !crypt_volume_key_description(tvk)))
+		return 1;
+
+	if (crypt_volume_key_is_set(svk) && crypt_volume_key_is_set(tvk) &&
+	    crypt_backend_memeq(crypt_volume_key_get_key(svk),
+				crypt_volume_key_get_key(tvk),
+				crypt_volume_key_length(svk)))
+		return 1;
 
-	if (svk->key_description && tvk->key_description)
-		return strcmp(svk->key_description, tvk->key_description);
+	if (crypt_volume_key_description(svk) && crypt_volume_key_description(tvk))
+		return (crypt_volume_key_kernel_key_type(svk) != crypt_volume_key_kernel_key_type(tvk) ||
+			strcmp(crypt_volume_key_description(svk), crypt_volume_key_description(tvk)));
 
 	return 0;
 }
@@ -3131,14 +3290,22 @@ static int _compare_device_types(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	if (isLUKS2(cd->type) && !strncmp("INTEGRITY-", tgt->uuid, strlen("INTEGRITY-"))) {
-		if (crypt_uuid_cmp(tgt->uuid, src->uuid)) {
+	/*
+	 * FIXME: The CRYPT_SUBDEV prefix should be enough but we need
+	 * to keep INTEGRITY- for dm-integrity subdevices opened with
+	 * cryptsetup version < 2.8.0. Drop the INTEGRITY condition
+	 * in next Y release.
+	 */
+	if (isLUKS2(cd->type) &&
+	    (!strncmp("INTEGRITY-", tgt->uuid, strlen("INTEGRITY-")) ||
+	     !strncmp(CRYPT_SUBDEV, tgt->uuid, strlen(CRYPT_SUBDEV)))) {
+		if (dm_uuid_cmp(tgt->uuid, src->uuid)) {
 			log_dbg(cd, "LUKS UUID mismatch.");
 			return -EINVAL;
 		}
 	} else if (isLUKS(cd->type)) {
 		if (!src->uuid || strncmp(cd->type, tgt->uuid, strlen(cd->type)) ||
-		    crypt_uuid_cmp(tgt->uuid, src->uuid)) {
+		    dm_uuid_cmp(tgt->uuid, src->uuid)) {
 			log_dbg(cd, "LUKS UUID mismatch.");
 			return -EINVAL;
 		}
@@ -3183,9 +3350,14 @@ static int _compare_crypt_devices(struct crypt_device *cd,
 		goto out;
 	}
 
-	if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher))
+	if (crypt_volume_key_length(tgt->u.crypt.vk) == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher))
 		log_dbg(cd, "Existing device uses cipher null. Skipping key comparison.");
-	else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) {
+	else if (cd && isLUKS2(cd->type)) {
+		if (_compare_volume_keys_luks2(src->u.crypt.vk, tgt->u.crypt.vk)) {
+			log_dbg(cd, "Keys in LUKS2 context and target device do not match.");
+			goto out;
+		}
+	} else if (_compare_volume_keys(src->u.crypt.vk, tgt->u.crypt.vk)) {
 		log_dbg(cd, "Keys in context and target device do not match.");
 		goto out;
 	}
@@ -3245,9 +3417,9 @@ static int _compare_integrity_devices(struct crypt_device *cd,
 	}
 
 	/* unfortunately dm-integrity doesn't support keyring */
-	if (_compare_volume_keys(src->u.integrity.vk, 0, tgt->u.integrity.vk, 0) ||
-	    _compare_volume_keys(src->u.integrity.journal_integrity_key, 0, tgt->u.integrity.journal_integrity_key, 0) ||
-	    _compare_volume_keys(src->u.integrity.journal_crypt_key, 0, tgt->u.integrity.journal_crypt_key, 0)) {
+	if (_compare_volume_keys(src->u.integrity.vk, tgt->u.integrity.vk) ||
+	    _compare_volume_keys(src->u.integrity.journal_integrity_key, tgt->u.integrity.journal_integrity_key) ||
+	    _compare_volume_keys(src->u.integrity.journal_crypt_key, tgt->u.integrity.journal_crypt_key)) {
 		log_dbg(cd, "Journal keys do not match.");
 		return -EINVAL;
 	}
@@ -3313,15 +3485,20 @@ int crypt_compare_dm_devices(struct crypt_device *cd,
 }
 
 static int _reload_device(struct crypt_device *cd, const char *name,
-			  struct crypt_dm_active_device *sdmd, uint32_t dmflags)
+			  struct crypt_dm_active_device *sdmd, uint64_t dmflags)
 {
 	int r;
 	struct crypt_dm_active_device tdmd;
 	struct dm_target *src, *tgt = &tdmd.segment;
 
-	if (!cd || !cd->type || !name || !(sdmd->flags & CRYPT_ACTIVATE_REFRESH))
+	assert(cd);
+	assert(sdmd);
+
+	if (!cd->type || !name || !(sdmd->flags & CRYPT_ACTIVATE_REFRESH))
 		return -EINVAL;
 
+	src = &sdmd->segment;
+
 	r = dm_query_device(cd, name, DM_ACTIVE_DEVICE | DM_ACTIVE_CRYPT_CIPHER |
 				  DM_ACTIVE_UUID | DM_ACTIVE_CRYPT_KEYSIZE |
 				  DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_INTEGRITY_PARAMS |
@@ -3345,25 +3522,24 @@ static int _reload_device(struct crypt_device *cd, const char *name,
 		goto out;
 	}
 
-	src = &sdmd->segment;
-
 	/* Changing read only flag for active device makes no sense */
 	if (tdmd.flags & CRYPT_ACTIVATE_READONLY)
 		sdmd->flags |= CRYPT_ACTIVATE_READONLY;
 	else
 		sdmd->flags &= ~CRYPT_ACTIVATE_READONLY;
 
-	if (tgt->type == DM_CRYPT && sdmd->flags & CRYPT_ACTIVATE_KEYRING_KEY) {
-		r = crypt_volume_key_set_description(tgt->u.crypt.vk, src->u.crypt.vk->key_description);
-		if (r)
-			goto out;
-	} else if (tgt->type == DM_CRYPT) {
+	/*
+	 * Only LUKS2 allows altering between volume key
+	 * passed by hexbyte representation and reference
+	 * to kernel keyring service.
+	 *
+	 * To make it easier pass src key directly after
+	 * it was properly verified in crypt_compare_dm_devices
+	 * call above.
+	 */
+	if (isLUKS2(cd->type) && tgt->type == DM_CRYPT && src->u.crypt.vk) {
 		crypt_free_volume_key(tgt->u.crypt.vk);
-		tgt->u.crypt.vk = crypt_alloc_volume_key(src->u.crypt.vk->keylength, src->u.crypt.vk->key);
-		if (!tgt->u.crypt.vk) {
-			r = -ENOMEM;
-			goto out;
-		}
+		tgt->u.crypt.vk = src->u.crypt.vk;
 	}
 
 	if (tgt->type == DM_CRYPT)
@@ -3383,6 +3559,10 @@ static int _reload_device(struct crypt_device *cd, const char *name,
 
 	r = dm_reload_device(cd, name, &tdmd, dmflags, 1);
 out:
+	/* otherwise dm_targets_free would free src key */
+	if (src->u.crypt.vk == tgt->u.crypt.vk)
+		tgt->u.crypt.vk = NULL;
+
 	dm_targets_free(cd, &tdmd);
 	free(CONST_CAST(void*)tdmd.uuid);
 
@@ -3402,9 +3582,16 @@ static int _reload_device_with_integrity(struct crypt_device *cd,
 	struct device *data_device = NULL;
 	bool clear = false;
 
-	if (!cd || !cd->type || !name || !iname || !(sdmd->flags & CRYPT_ACTIVATE_REFRESH))
+	assert(cd);
+	assert(sdmd);
+	assert(sdmdi);
+
+	if (!cd->type || !name || !iname || !(sdmd->flags & CRYPT_ACTIVATE_REFRESH))
 		return -EINVAL;
 
+	src = &sdmd->segment;
+	srci = &sdmdi->segment;
+
 	r = dm_query_device(cd, name, DM_ACTIVE_DEVICE | DM_ACTIVE_CRYPT_CIPHER |
 				  DM_ACTIVE_UUID | DM_ACTIVE_CRYPT_KEYSIZE |
 				  DM_ACTIVE_CRYPT_KEY, &tdmd);
@@ -3439,11 +3626,10 @@ static int _reload_device_with_integrity(struct crypt_device *cd,
 	}
 
 	/* unsupported underneath dm-crypt with auth. encryption */
-	if (sdmdi->segment.u.integrity.meta_device || tdmdi.segment.u.integrity.meta_device)
-		return -ENOTSUP;
-
-	src = &sdmd->segment;
-	srci = &sdmdi->segment;
+	if (sdmdi->segment.u.integrity.meta_device || tdmdi.segment.u.integrity.meta_device) {
+		r = -ENOTSUP;
+		goto out;
+	}
 
 	r = device_alloc(cd, &data_device, ipath);
 	if (r < 0)
@@ -3473,18 +3659,13 @@ static int _reload_device_with_integrity(struct crypt_device *cd,
 	else
 		sdmdi->flags &= ~CRYPT_ACTIVATE_READONLY;
 
-	if (sdmd->flags & CRYPT_ACTIVATE_KEYRING_KEY) {
-		r = crypt_volume_key_set_description(tgt->u.crypt.vk, src->u.crypt.vk->key_description);
-		if (r)
-			goto out;
-	} else {
-		crypt_free_volume_key(tgt->u.crypt.vk);
-		tgt->u.crypt.vk = crypt_alloc_volume_key(src->u.crypt.vk->keylength, src->u.crypt.vk->key);
-		if (!tgt->u.crypt.vk) {
-			r = -ENOMEM;
-			goto out;
-		}
-	}
+	/*
+	 * To make it easier pass src key directly after
+	 * it was properly verified in crypt_compare_dm_devices
+	 * call above.
+	 */
+	crypt_free_volume_key(tgt->u.crypt.vk);
+	tgt->u.crypt.vk = src->u.crypt.vk;
 
 	r = device_block_adjust(cd, src->data_device, DEV_OK,
 				src->u.crypt.offset, &sdmd->size, NULL);
@@ -3550,6 +3731,9 @@ static int _reload_device_with_integrity(struct crypt_device *cd,
 			dm_resume_device(cd, iname, 0);
 	}
 
+	/* otherwise dm_targets_free would free src key */
+	if (tgt->u.crypt.vk == src->u.crypt.vk)
+		tgt->u.crypt.vk = NULL;
 	dm_targets_free(cd, &tdmd);
 	dm_targets_free(cd, &tdmdi);
 	free(CONST_CAST(void*)tdmdi.uuid);
@@ -3564,7 +3748,7 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 	struct crypt_dm_active_device dmdq, dmd = {};
 	struct dm_target *tgt = &dmdq.segment;
 	struct crypt_params_integrity params = {};
-	uint32_t supported_flags = 0, dmflags = 0;
+	uint64_t supported_flags = 0, dmflags = 0;
 	uint64_t old_size;
 	int r;
 
@@ -3582,6 +3766,11 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 		return -EINVAL;
 	}
 
+	if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd)) {
+		log_err(cd, _("Resize of LUKS2 device with integrity protection is not supported."));
+		return -ENOTSUP;
+	}
+
 	if (new_size)
 		log_dbg(cd, "Resizing device %s to %" PRIu64 " sectors.", name, new_size);
 	else
@@ -3606,13 +3795,14 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 	}
 
 	if (crypt_key_in_keyring(cd)) {
-		if (!isLUKS2(cd->type)) {
+		if (isLUKS2(cd->type))
+			r = LUKS2_key_description_by_segment(cd, &cd->u.luks2.hdr,
+						tgt->u.crypt.vk, CRYPT_DEFAULT_SEGMENT);
+		else if (isPLAIN(cd->type))
+			r = 0; /* key description was set on table load */
+		else
 			r = -EINVAL;
-			goto out;
-		}
-		r = LUKS2_key_description_by_segment(cd, &cd->u.luks2.hdr,
-					tgt->u.crypt.vk, CRYPT_DEFAULT_SEGMENT);
-		if (r)
+		if (r < 0)
 			goto out;
 
 		dmdq.flags |= CRYPT_ACTIVATE_KEYRING_KEY;
@@ -3695,7 +3885,7 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 		r = dm_crypt_target_set(&dmd.segment, 0, new_size, crypt_data_device(cd),
 				tgt->u.crypt.vk, crypt_get_cipher_spec(cd),
 				crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
-				crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd),
+				crypt_get_integrity(cd), crypt_get_integrity_key_size(cd, true), crypt_get_integrity_tag_size(cd),
 				crypt_get_sector_size(cd));
 		if (r < 0)
 			goto out;
@@ -3927,24 +4117,6 @@ void crypt_free(struct crypt_device *cd)
 	free(cd);
 }
 
-static char *crypt_get_device_key_description(struct crypt_device *cd, const char *name)
-{
-	char *desc = NULL;
-	struct crypt_dm_active_device dmd;
-	struct dm_target *tgt = &dmd.segment;
-
-	if (dm_query_device(cd, name, DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_CRYPT_KEYSIZE, &dmd) < 0)
-		return NULL;
-
-	if (single_segment(&dmd) && tgt->type == DM_CRYPT &&
-	    (dmd.flags & CRYPT_ACTIVATE_KEYRING_KEY) && tgt->u.crypt.vk->key_description)
-		desc = strdup(tgt->u.crypt.vk->key_description);
-
-	dm_targets_free(cd, &dmd);
-
-	return desc;
-}
-
 int crypt_suspend(struct crypt_device *cd,
 		  const char *name)
 {
@@ -3952,9 +4124,10 @@ int crypt_suspend(struct crypt_device *cd,
 	crypt_status_info ci;
 	int r;
 	struct crypt_dm_active_device dmd, dmdi = {};
-	uint32_t opal_segment_number = 1, dmflags = DM_SUSPEND_WIPE_KEY;
+	uint32_t opal_segment_number = 1;
+	uint64_t dmflags = DM_SUSPEND_WIPE_KEY;
 	struct dm_target *tgt = &dmd.segment;
-	char *key_desc = NULL, *iname = NULL;
+	char *iname = NULL;
 	struct crypt_lock_handle *opal_lh = NULL;
 
 	if (!cd || !name)
@@ -3971,15 +4144,17 @@ int crypt_suspend(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	r = dm_query_device(cd, name, DM_ACTIVE_UUID, &dmd);
+	r = dm_query_device(cd, name,
+			    DM_ACTIVE_UUID | DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_CRYPT_KEYSIZE,
+			    &dmd);
 	if (r < 0)
 		return r;
 
 	log_dbg(cd, "Checking if active device %s has UUID type LUKS.", name);
 
-	r = crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2);
+	r = dm_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2);
 	if (r < 0)
-		r = crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS1);
+		r = dm_uuid_type_cmp(dmd.uuid, CRYPT_LUKS1);
 
 	if (r < 0) {
 		log_err(cd, _("This operation is supported only for LUKS device."));
@@ -3988,45 +4163,32 @@ int crypt_suspend(struct crypt_device *cd,
 
 	r = -EINVAL;
 
-	if (isLUKS2(cd->type) && crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2)) {
+	if (isLUKS2(cd->type) && dm_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2)) {
 		log_dbg(cd, "LUKS device header type: %s mismatches DM device type.", cd->type);
 		goto out;
 	}
 
-	if (isLUKS1(cd->type) && crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS1)) {
+	if (isLUKS1(cd->type) && dm_uuid_type_cmp(dmd.uuid, CRYPT_LUKS1)) {
 		log_dbg(cd, "LUKS device header type: %s mismatches DM device type.", cd->type);
 		goto out;
 	}
 
 	/* check if active device has LUKS2-OPAL dm uuid prefix */
-	dm_opal_uuid = !crypt_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2_HW_OPAL);
+	dm_opal_uuid = !dm_uuid_type_cmp(dmd.uuid, CRYPT_LUKS2_HW_OPAL);
 
 	if (!dm_opal_uuid && isLUKS2(cd->type) &&
 	    LUKS2_segment_is_hw_opal(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT))
 		goto out;
 
-	if (cd->type && (r = crypt_uuid_cmp(dmd.uuid, LUKS_UUID(cd))) < 0) {
+	if (cd->type && (r = dm_uuid_cmp(dmd.uuid, LUKS_UUID(cd))) < 0) {
 		log_dbg(cd, "LUKS device header uuid: %s mismatches DM returned uuid %s",
 			LUKS_UUID(cd), dmd.uuid);
 		goto out;
 	}
 
 	/* check UUID of integrity device underneath crypt device */
-	if (crypt_get_integrity_tag_size(cd)) {
-		r = dm_get_iname(name, &iname, false);
-		if (r)
-			goto out;
-
-		r = dm_query_device(cd, iname, DM_ACTIVE_UUID, &dmdi);
-		if (r < 0)
-			goto out;
-
-		r = crypt_uuid_integrity_cmp(dmd.uuid, dmdi.uuid);
-		if (r < 0) {
-			log_dbg(cd, "Integrity device uuid: %s mismatches crypt device uuid %s", dmdi.uuid, dmd.uuid);
-			goto out;
-		}
-	}
+	if (crypt_get_integrity_tag_size(cd))
+	    iname = dm_get_active_iname(cd, name);
 
 	r = dm_status_suspended(cd, name);
 	if (r < 0)
@@ -4038,8 +4200,6 @@ int crypt_suspend(struct crypt_device *cd,
 		goto out;
 	}
 
-	key_desc = crypt_get_device_key_description(cd, name);
-
 	if (dm_opal_uuid && crypt_data_device(cd)) {
 		if (isLUKS2(cd->type)) {
 			r = LUKS2_get_opal_segment_number(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, &opal_segment_number);
@@ -4068,13 +4228,14 @@ int crypt_suspend(struct crypt_device *cd,
 	}
 
 	/* Suspend integrity device underneath; keep crypt suspended if it fails */
-	if (crypt_get_integrity_tag_size(cd)) {
+	if (iname) {
 		r = dm_suspend_device(cd, iname, 0);
 		if (r)
 			log_err(cd, _("Error during suspending device %s."), iname);
 	}
 
-	crypt_drop_keyring_key_by_description(cd, key_desc, cd->keyring_key_type);
+	if (single_segment(&dmd) && tgt->type == DM_CRYPT)
+		crypt_volume_key_drop_kernel_key(cd, tgt->u.crypt.vk);
 
 	if (dm_opal_uuid && crypt_data_device(cd)) {
 		r = opal_exclusive_lock(cd, crypt_data_device(cd), &opal_lh);
@@ -4088,7 +4249,6 @@ int crypt_suspend(struct crypt_device *cd,
 		log_err(cd, _("Device %s was suspended but hardware OPAL device cannot be locked."), name);
 out:
 	opal_exclusive_unlock(cd, opal_lh);
-	free(key_desc);
 	free(iname);
 	dm_targets_free(cd, &dmd);
 	dm_targets_free(cd, &dmdi);
@@ -4141,7 +4301,9 @@ static void crypt_unlink_key_from_custom_keyring(struct crypt_device *cd, key_se
 	log_err(cd, _("Failed to unlink volume key from user specified keyring."));
 }
 
-static key_serial_t crypt_single_volume_key_load_in_user_keyring(struct crypt_device *cd, struct volume_key *vk, const char *user_key_name)
+static key_serial_t crypt_single_volume_key_load_in_custom_keyring(struct crypt_device *cd,
+								   struct volume_key *vk,
+								   const char *user_key_name)
 {
 	key_serial_t kid;
 	const char *type_name;
@@ -4155,15 +4317,20 @@ static key_serial_t crypt_single_volume_key_load_in_user_keyring(struct crypt_de
 	log_dbg(cd, "Linking volume key (type %s, name %s) to the specified keyring",
 		    type_name, user_key_name);
 
-	kid = keyring_add_key_to_custom_keyring(cd->keyring_key_type, user_key_name, vk->key, vk->keylength, cd->keyring_to_link_vk);
-	if (kid <= 0) {
-		log_dbg(cd, "The keyring_link_key_to_keyring function failed (error %d).", errno);
-	}
+	kid = keyring_add_key_to_keyring(cd->keyring_key_type, user_key_name,
+					 crypt_volume_key_get_key(vk),
+					 crypt_volume_key_length(vk),
+					 cd->keyring_to_link_vk);
+	if (kid <= 0)
+		log_dbg(cd, "The keyring_add_key_to_keyring function failed (error %d).", errno);
 
 	return kid;
 }
 
-static int crypt_volume_key_load_in_user_keyring(struct crypt_device *cd, struct volume_key *vk, key_serial_t *kid1_out, key_serial_t *kid2_out)
+static int crypt_volume_key_load_in_custom_keyring(struct crypt_device *cd,
+						   struct volume_key *vk,
+						   key_serial_t *kid1_out,
+						   key_serial_t *kid2_out)
 {
 	key_serial_t kid1, kid2 = 0;
 
@@ -4174,14 +4341,14 @@ static int crypt_volume_key_load_in_user_keyring(struct crypt_device *cd, struct
 	if (!vk || !key_type_name(cd->keyring_key_type))
 		return -EINVAL;
 
-	kid1 = crypt_single_volume_key_load_in_user_keyring(cd, vk, cd->user_key_name1);
+	kid1 = crypt_single_volume_key_load_in_custom_keyring(cd, vk, cd->user_key_name1);
 	if (kid1 <= 0)
 		return -EINVAL;
 
-	vk = vk->next;
+	vk = crypt_volume_key_next(vk);
 	if (vk) {
 		assert(cd->user_key_name2);
-		kid2 = crypt_single_volume_key_load_in_user_keyring(cd, vk, cd->user_key_name2);
+		kid2 = crypt_single_volume_key_load_in_custom_keyring(cd, vk, cd->user_key_name2);
 		if (kid2 <= 0) {
 			crypt_unlink_key_from_custom_keyring(cd, kid1);
 			return -EINVAL;
@@ -4251,7 +4418,7 @@ static int resume_luks2_by_volume_key(struct crypt_device *cd,
 
 		/* upload volume key in custom keyring if requested */
 		if (cd->link_vk_to_keyring) {
-			r = crypt_volume_key_load_in_user_keyring(cd, vk, &kid1, &kid2);
+			r = crypt_volume_key_load_in_custom_keyring(cd, vk, &kid1, &kid2);
 			if (r < 0) {
 				log_err(cd, _("Failed to link volume key in user defined keyring."));
 				goto out;
@@ -4273,14 +4440,12 @@ static int resume_luks2_by_volume_key(struct crypt_device *cd,
 		}
 	}
 
-	if (crypt_get_integrity_tag_size(cd)) {
-		r = dm_get_iname(name, &iname, false);
-		if (r)
-			goto out;
-
+	if (crypt_get_integrity_tag_size(cd) &&
+	    (iname = dm_get_active_iname(cd, name))) {
 		r = dm_resume_device(cd, iname, 0);
 		if (r)
 			log_err(cd, _("Error during resuming device %s."), iname);
+		free(iname);
 	}
 
 	if (enc_type == CRYPT_OPAL_HW_ONLY)
@@ -4295,7 +4460,7 @@ static int resume_luks2_by_volume_key(struct crypt_device *cd,
 
 out:
 	if (r < 0) {
-		crypt_drop_keyring_key(cd, p_crypt);
+		crypt_drop_uploaded_keyring_key(cd, p_crypt);
 		if (cd->link_vk_to_keyring && kid1)
 			crypt_unlink_key_from_custom_keyring(cd, kid1);
 		if (cd->link_vk_to_keyring && kid2)
@@ -4309,7 +4474,6 @@ static int resume_luks2_by_volume_key(struct crypt_device *cd,
 	crypt_free_volume_key(zerokey);
 	crypt_free_volume_key(opal_key);
 	crypt_free_volume_key(crypt_key);
-	free(iname);
 
 	return r;
 }
@@ -4395,9 +4559,9 @@ int crypt_resume_by_passphrase(struct crypt_device *cd,
 			       size_t passphrase_size)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size);
+	crypt_keyslot_context_init_by_passphrase_internal(&kc, passphrase, passphrase_size);
 	r = crypt_resume_by_keyslot_context(cd, name, keyslot, &kc);
 	crypt_keyslot_context_destroy_internal(&kc);
 
@@ -4412,9 +4576,9 @@ int crypt_resume_by_keyfile_device_offset(struct crypt_device *cd,
 					  uint64_t keyfile_offset)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset);
+	crypt_keyslot_context_init_by_keyfile_internal(&kc, keyfile, keyfile_size, keyfile_offset);
 	r = crypt_resume_by_keyslot_context(cd, name, keyslot, &kc);
 	crypt_keyslot_context_destroy_internal(&kc);
 
@@ -4448,9 +4612,9 @@ int crypt_resume_by_volume_key(struct crypt_device *cd,
 	size_t volume_key_size)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size);
+	crypt_keyslot_context_init_by_key_internal(&kc, volume_key, volume_key_size);
 	r = crypt_resume_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc);
 	crypt_keyslot_context_destroy_internal(&kc);
 
@@ -4465,9 +4629,9 @@ int crypt_resume_by_token_pin(struct crypt_device *cd, const char *name,
 	void *usrptr)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_token_init_internal(&kc, token, type, pin, pin_size, usrptr);
+	crypt_keyslot_context_init_by_token_internal(&kc, token, type, pin, pin_size, usrptr);
 	r = crypt_resume_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc);
 	crypt_keyslot_context_destroy_internal(&kc);
 
@@ -4485,13 +4649,13 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
 	size_t new_passphrase_size)
 {
 	int r;
-	struct crypt_keyslot_context kc, new_kc;
+	struct crypt_keyslot_context kc = {}, new_kc = {};
 
 	if (!passphrase || !new_passphrase)
 		return -EINVAL;
 
-	crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size);
-	crypt_keyslot_unlock_by_passphrase_init_internal(&new_kc, new_passphrase, new_passphrase_size);
+	crypt_keyslot_context_init_by_passphrase_internal(&kc, passphrase, passphrase_size);
+	crypt_keyslot_context_init_by_passphrase_internal(&new_kc, new_passphrase, new_passphrase_size);
 
 	r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, 0);
 
@@ -4545,21 +4709,21 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
 	}
 	keyslot_old = r;
 
-	if (isLUKS2(cd->type)) {
+	if (isLUKS1(cd->type)) {
+		if (keyslot_new == CRYPT_ANY_SLOT) {
+			keyslot_new = LUKS_keyslot_find_empty(&cd->u.luks1.hdr);
+			if (keyslot_new < 0)
+				keyslot_new = keyslot_old;
+		}
+	} else if (isLUKS2(cd->type)) {
 		/* If there is a free keyslot (both id and binary area) avoid in-place keyslot area overwrite  */
 		if (keyslot_new == CRYPT_ANY_SLOT || keyslot_new == keyslot_old) {
-			keyslot_new = LUKS2_keyslot_find_empty(cd, &cd->u.luks2.hdr, vk->keylength);
+			keyslot_new = LUKS2_keyslot_find_empty(cd, &cd->u.luks2.hdr, crypt_volume_key_length(vk));
 			if (keyslot_new < 0)
 				keyslot_new = keyslot_old;
 			else
 				keyslot_swap = true;
 		}
-	} else if (isLUKS1(cd->type)) {
-		if (keyslot_new == CRYPT_ANY_SLOT) {
-			keyslot_new = LUKS_keyslot_find_empty(&cd->u.luks1.hdr);
-			if (keyslot_new < 0)
-				keyslot_new = keyslot_old;
-		}
 	}
 	log_dbg(cd, "Key change, old slot %d, new slot %d.", keyslot_old, keyslot_new);
 
@@ -4629,13 +4793,13 @@ int crypt_keyslot_add_by_keyfile_device_offset(struct crypt_device *cd,
 	uint64_t new_keyfile_offset)
 {
 	int r;
-	struct crypt_keyslot_context kc, new_kc;
+	struct crypt_keyslot_context kc = {}, new_kc = {};
 
 	if (!keyfile || !new_keyfile)
 		return -EINVAL;
 
-	crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset);
-	crypt_keyslot_unlock_by_keyfile_init_internal(&new_kc, new_keyfile, new_keyfile_size, new_keyfile_offset);
+	crypt_keyslot_context_init_by_keyfile_internal(&kc, keyfile, keyfile_size, keyfile_offset);
+	crypt_keyslot_context_init_by_keyfile_internal(&new_kc, new_keyfile, new_keyfile_size, new_keyfile_offset);
 
 	r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, 0);
 
@@ -4679,13 +4843,13 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
 	size_t passphrase_size)
 {
 	int r;
-	struct crypt_keyslot_context kc, new_kc;
+	struct crypt_keyslot_context kc = {}, new_kc = {};
 
 	if (!passphrase)
 		return -EINVAL;
 
-	crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size);
-	crypt_keyslot_unlock_by_passphrase_init_internal(&new_kc, passphrase, passphrase_size);
+	crypt_keyslot_context_init_by_key_internal(&kc, volume_key, volume_key_size);
+	crypt_keyslot_context_init_by_passphrase_internal(&new_kc, passphrase, passphrase_size);
 
 	r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, 0);
 
@@ -4786,7 +4950,7 @@ static int _create_device_with_integrity(struct crypt_device *cd,
 
 	device_check = dmd->flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL;
 
-	r = INTEGRITY_activate_dmd_device(cd, iname, CRYPT_INTEGRITY, dmdi, 0);
+	r = INTEGRITY_activate_dmd_device(cd, iname, CRYPT_SUBDEV, dmdi, 0);
 	if (r)
 		return r;
 
@@ -4835,8 +4999,7 @@ int create_or_reload_device(struct crypt_device *cd, const char *name,
 	int r;
 	enum devcheck device_check;
 	struct dm_target *tgt;
-	uint64_t offset;
-	uint32_t dmflags = 0;
+	uint64_t offset, dmflags = 0;
 
 	if (!type || !name || !single_segment(dmd))
 		return -EINVAL;
@@ -4919,86 +5082,6 @@ int create_or_reload_device_with_integrity(struct crypt_device *cd, const char *
 	return r;
 }
 
-static int _open_and_activate(struct crypt_device *cd,
-	int keyslot,
-	const char *name,
-	const char *passphrase,
-	size_t passphrase_size,
-	uint32_t flags)
-{
-	bool use_keyring;
-	int r;
-	struct volume_key *p_crypt = NULL, *p_opal = NULL, *crypt_key = NULL, *opal_key = NULL, *vk = NULL;
-	key_serial_t kid1 = 0, kid2 = 0;
-
-	r = LUKS2_keyslot_open(cd, keyslot,
-			       (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ?
-			       CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT,
-			       passphrase, passphrase_size, &vk);
-	if (r < 0)
-		return r;
-	keyslot = r;
-
-	/* split the key only if we do activation */
-	if (name && LUKS2_segment_is_hw_opal(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)) {
-		r = LUKS2_split_crypt_and_opal_keys(cd, &cd->u.luks2.hdr,
-						    vk, &crypt_key,
-						    &opal_key);
-		if (r < 0)
-			goto out;
-
-		/* copy volume key digest id in crypt subkey */
-		crypt_volume_key_set_id(crypt_key, crypt_volume_key_get_id(vk));
-
-		p_crypt = crypt_key;
-		p_opal = opal_key ?: vk;
-	} else
-		p_crypt = vk;
-
-	if (!crypt_use_keyring_for_vk(cd))
-		use_keyring = false;
-	else
-		use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
-			       (flags & CRYPT_ACTIVATE_KEYRING_KEY));
-
-	if (use_keyring) {
-		/* upload dm-crypt part of volume key in thread keyring if requested */
-		if (p_crypt) {
-			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, p_crypt,
-								       crypt_volume_key_get_id(p_crypt));
-			if (r < 0)
-				goto out;
-			flags |= CRYPT_ACTIVATE_KEYRING_KEY;
-		}
-
-		/* upload the volume key in custom user keyring if requested */
-		if (cd->link_vk_to_keyring) {
-			r = crypt_volume_key_load_in_user_keyring(cd, vk, &kid1, &kid2);
-			if (r < 0) {
-				log_err(cd, _("Failed to link volume key in user defined keyring."));
-				goto out;
-			}
-		}
-	}
-
-	if (name)
-		r = LUKS2_activate(cd, name, p_crypt, p_opal, flags);
-out:
-	if (r < 0) {
-		crypt_drop_keyring_key(cd, p_crypt);
-		if (cd->link_vk_to_keyring && kid1)
-			crypt_unlink_key_from_custom_keyring(cd, kid1);
-		if (cd->link_vk_to_keyring && kid2)
-			crypt_unlink_key_from_custom_keyring(cd, kid2);
-	}
-	crypt_free_volume_key(vk);
-	crypt_free_volume_key(crypt_key);
-	crypt_free_volume_key(opal_key);
-
-	return r < 0 ? r : keyslot;
-}
-
-#if USE_LUKS2_REENCRYPTION
 static int load_all_keys(struct crypt_device *cd, struct volume_key *vks)
 {
 	int r;
@@ -5014,55 +5097,8 @@ static int load_all_keys(struct crypt_device *cd, struct volume_key *vks)
 	return 0;
 }
 
-static int _open_all_keys(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	const char *passphrase,
-	size_t passphrase_size,
-	uint32_t flags,
-	struct volume_key **vks)
-{
-	int r, segment;
-	struct volume_key *_vks = NULL;
-	crypt_reencrypt_info ri = LUKS2_reencrypt_status(hdr);
-
-	segment = (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ? CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT;
-
-	switch (ri) {
-	case CRYPT_REENCRYPT_NONE:
-		r = LUKS2_keyslot_open(cd, keyslot, segment, passphrase, passphrase_size, &_vks);
-		break;
-	case CRYPT_REENCRYPT_CLEAN:
-	case CRYPT_REENCRYPT_CRASH:
-		if (segment == CRYPT_ANY_SEGMENT)
-			r = LUKS2_keyslot_open(cd, keyslot, segment, passphrase,
-					       passphrase_size, &_vks);
-		else
-			r = LUKS2_keyslot_open_all_segments(cd, keyslot,
-					keyslot, passphrase, passphrase_size,
-					&_vks);
-		break;
-	default:
-		r = -EINVAL;
-	}
-
-	if (keyslot == CRYPT_ANY_SLOT)
-		keyslot = r;
-
-	if (r >= 0 && (flags & CRYPT_ACTIVATE_KEYRING_KEY))
-		r = load_all_keys(cd, _vks);
-
-	if (r >= 0 && vks)
-		MOVE_REF(*vks, _vks);
-
-	if (r < 0)
-		crypt_drop_keyring_key(cd, _vks);
-	crypt_free_volume_key(_vks);
-
-	return r < 0 ? r : keyslot;
-}
-
-static int _open_and_activate_reencrypt_device_by_vk(struct crypt_device *cd,
+#if USE_LUKS2_REENCRYPTION
+static int _activate_reencrypt_device_by_vk(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	const char *name,
 	struct volume_key *vks,
@@ -5073,14 +5109,10 @@ static int _open_and_activate_reencrypt_device_by_vk(struct crypt_device *cd,
 	uint64_t minimal_size, device_size;
 	int r = 0;
 	struct crypt_lock_handle *reencrypt_lock = NULL;
-	key_serial_t kid1 = 0, kid2 = 0;
 	struct volume_key *vk;
 
-	if (!vks)
-		return -EINVAL;
-
-	if (crypt_use_keyring_for_vk(cd))
-		flags |= CRYPT_ACTIVATE_KEYRING_KEY;
+	assert(hdr);
+	assert(vks);
 
 	r = LUKS2_reencrypt_lock(cd, &reencrypt_lock);
 	if (r) {
@@ -5095,17 +5127,29 @@ static int _open_and_activate_reencrypt_device_by_vk(struct crypt_device *cd,
 		goto out;
 
 	ri = LUKS2_reencrypt_status(hdr);
+	if (ri == CRYPT_REENCRYPT_INVALID) {
+		r = -EINVAL;
+		goto out;
+	}
 
-	if (ri == CRYPT_REENCRYPT_CRASH) {
-		r = LUKS2_reencrypt_locked_recovery_by_vks(cd, vks);
-		if (r < 0) {
-			log_err(cd, _("LUKS2 reencryption recovery using volume key(s) failed."));
+	if (ri > CRYPT_REENCRYPT_NONE) {
+		/* it's sufficient to force re-verify the reencrypt digest only */
+		r = LUKS2_reencrypt_digest_verify(cd, &cd->u.luks2.hdr, vks);
+		if (r < 0)
 			goto out;
-		}
 
-		ri = LUKS2_reencrypt_status(hdr);
+		if (ri == CRYPT_REENCRYPT_CRASH) {
+			r = LUKS2_reencrypt_locked_recovery_by_vks(cd, vks);
+			if (r < 0) {
+				log_err(cd, _("LUKS2 reencryption recovery using volume key(s) failed."));
+				goto out;
+			}
+
+			ri = LUKS2_reencrypt_status(hdr);
+		}
 	}
-	/* recovery finished reencryption or it's already finished */
+
+	/* recovery finished reencryption or it was already finished after metadata reload */
 	if (ri == CRYPT_REENCRYPT_NONE) {
 		vk = crypt_volume_key_by_id(vks, LUKS2_digest_by_segment(hdr, CRYPT_DEFAULT_SEGMENT));
 		if (!vk) {
@@ -5114,13 +5158,6 @@ static int _open_and_activate_reencrypt_device_by_vk(struct crypt_device *cd,
 		}
 
 		r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk);
-		if (r == -EPERM || r == -ENOENT)
-			log_err(cd, _("Volume key does not match the volume."));
-		if (r >= 0 && cd->link_vk_to_keyring) {
-			kid1 = crypt_single_volume_key_load_in_user_keyring(cd, vk, cd->user_key_name1);
-			if (kid1 <= 0)
-				r = -EINVAL;
-		}
 		if (r >= 0)
 			r = LUKS2_activate(cd, name, vk, NULL, flags);
 		goto out;
@@ -5130,185 +5167,26 @@ static int _open_and_activate_reencrypt_device_by_vk(struct crypt_device *cd,
 		goto out;
 	}
 
-	if ((flags & CRYPT_ACTIVATE_KEYRING_KEY)) {
-		r = load_all_keys(cd, vks);
-		if (r < 0)
-			goto out;
-	}
-
 	if ((r = LUKS2_get_data_size(hdr, &minimal_size, &dynamic_size)))
 		goto out;
 
-	r = LUKS2_reencrypt_digest_verify(cd, hdr, vks);
-	if (r < 0)
-		goto out;
-
 	log_dbg(cd, "Entering clean reencryption state mode.");
 
-	r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, dynamic_size);
+	r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size,
+					      !(flags & CRYPT_ACTIVATE_SHARED),
+					      dynamic_size);
 	if (r < 0)
 		goto out;
-	if (cd->link_vk_to_keyring) {
-		r = crypt_volume_key_load_in_user_keyring(cd, vks, &kid1, &kid2);
-		if (r < 0) {
-			log_err(cd, _("Failed to link volume keys in user defined keyring."));
-			goto out;
-		}
-	}
 	r = LUKS2_activate_multi(cd, name, vks, device_size >> SECTOR_SHIFT, flags);
 out:
 	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
-	crypt_drop_keyring_key(cd, vks);
 
 	return r;
 }
 
-static int _open_and_activate_reencrypt_device(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	const char *name,
-	const char *passphrase,
-	size_t passphrase_size,
-	uint32_t flags)
-{
-	bool dynamic_size;
-	crypt_reencrypt_info ri;
-	uint64_t minimal_size, device_size;
-	struct volume_key *vks = NULL;
-	int r = 0;
-	struct crypt_lock_handle *reencrypt_lock = NULL;
-	key_serial_t kid1 = 0, kid2 = 0;
-
-	if (crypt_use_keyring_for_vk(cd))
-		flags |= CRYPT_ACTIVATE_KEYRING_KEY;
-
-	r = LUKS2_reencrypt_lock(cd, &reencrypt_lock);
-	if (r) {
-		if (r == -EBUSY)
-			log_err(cd, _("Reencryption in-progress. Cannot activate device."));
-		else
-			log_err(cd, _("Failed to get reencryption lock."));
-		return r;
-	}
-
-	if ((r = crypt_load(cd, CRYPT_LUKS2, NULL)))
-		goto out;
-
-	ri = LUKS2_reencrypt_status(hdr);
-
-	if (ri == CRYPT_REENCRYPT_CRASH) {
-		r = LUKS2_reencrypt_locked_recovery_by_passphrase(cd, keyslot,
-				keyslot, passphrase, passphrase_size, &vks);
-		if (r < 0) {
-			log_err(cd, _("LUKS2 reencryption recovery failed."));
-			goto out;
-		}
-		keyslot = r;
-
-		ri = LUKS2_reencrypt_status(hdr);
-	}
-
-	/* recovery finished reencryption or it's already finished */
-	if (ri == CRYPT_REENCRYPT_NONE) {
-		crypt_drop_keyring_key(cd, vks);
-		crypt_free_volume_key(vks);
-		LUKS2_reencrypt_unlock(cd, reencrypt_lock);
-		return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags);
-	}
-
-	if (ri > CRYPT_REENCRYPT_CLEAN) {
-		r = -EINVAL;
-		goto out;
-	}
-
-	if (LUKS2_get_data_size(hdr, &minimal_size, &dynamic_size))
-		goto out;
-
-	if (!vks) {
-		r = _open_all_keys(cd, hdr, keyslot, passphrase, passphrase_size, flags, &vks);
-		if (r >= 0)
-			keyslot = r;
-	}
-
-	if (r >= 0) {
-		r = LUKS2_reencrypt_digest_verify(cd, hdr, vks);
-		if (r < 0)
-			goto out;
-	}
-
-	log_dbg(cd, "Entering clean reencryption state mode.");
-
-	if (cd->link_vk_to_keyring) {
-		r = crypt_volume_key_load_in_user_keyring(cd, vks, &kid1, &kid2);
-		if (r < 0) {
-			log_err(cd, _("Failed to link volume keys in user defined keyring."));
-			goto out;
-		}
-	}
-
-	if (r >= 0)
-		r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size,
-						      !(flags & CRYPT_ACTIVATE_SHARED),
-						      dynamic_size);
-
-	if (r >= 0)
-		r = LUKS2_activate_multi(cd, name, vks, device_size >> SECTOR_SHIFT, flags);
-out:
-	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
-	if (r < 0) {
-		crypt_drop_keyring_key(cd, vks);
-		if (cd->link_vk_to_keyring && kid1)
-			crypt_unlink_key_from_custom_keyring(cd, kid1);
-		if (cd->link_vk_to_keyring && kid2)
-			crypt_unlink_key_from_custom_keyring(cd, kid2);
-	}
-
-	crypt_free_volume_key(vks);
-
-	return r < 0 ? r : keyslot;
-}
-
 /*
  * Activation/deactivation of a device
  */
-static int _open_and_activate_luks2(struct crypt_device *cd,
-	int keyslot,
-	const char *name,
-	const char *passphrase,
-	size_t passphrase_size,
-	uint32_t flags)
-{
-	crypt_reencrypt_info ri;
-	int r, rv;
-	struct luks2_hdr *hdr = &cd->u.luks2.hdr;
-	struct volume_key *vks = NULL;
-
-	ri = LUKS2_reencrypt_status(hdr);
-	if (ri == CRYPT_REENCRYPT_INVALID)
-		return -EINVAL;
-
-	if (ri > CRYPT_REENCRYPT_NONE) {
-		if (name)
-			r = _open_and_activate_reencrypt_device(cd, hdr, keyslot, name, passphrase,
-					passphrase_size, flags);
-		else {
-			r = _open_all_keys(cd, hdr, keyslot, passphrase,
-					   passphrase_size, flags, &vks);
-			if (r < 0)
-				return r;
-
-			rv = LUKS2_reencrypt_digest_verify(cd, hdr, vks);
-			crypt_free_volume_key(vks);
-			if (rv < 0)
-				return rv;
-		}
-	} else
-		r = _open_and_activate(cd, keyslot, name, passphrase,
-				passphrase_size, flags);
-
-	return r;
-}
-
 static int _activate_luks2_by_volume_key(struct crypt_device *cd,
 	const char *name,
 	struct volume_key *vk,
@@ -5317,27 +5195,13 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd,
 {
 	int r;
 	crypt_reencrypt_info ri;
-	int digest_new, digest_old;
-	struct volume_key *vk_old = NULL, *vk_new = NULL;
 	ri = LUKS2_reencrypt_status(&cd->u.luks2.hdr);
 	if (ri == CRYPT_REENCRYPT_INVALID)
 		return -EINVAL;
 
 	if (ri > CRYPT_REENCRYPT_NONE) {
-		digest_new = LUKS2_reencrypt_digest_new(&cd->u.luks2.hdr);
-		digest_old = LUKS2_reencrypt_digest_old(&cd->u.luks2.hdr);
-
-		if (digest_new >= 0) {
-			vk_new = crypt_volume_key_by_id(vk, digest_new);
-			assert(vk_new);
-			assert(crypt_volume_key_get_id(vk_new) == digest_new);
-		}
-		if (digest_old >= 0) {
-			vk_old = crypt_volume_key_by_id(vk, digest_old);
-			assert(vk_old);
-			assert(crypt_volume_key_get_id(vk_old) == digest_old);
-		}
-		r = _open_and_activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags);
+		/* reencryption must reverify keys after taking the reencryption lock and reloading metadata */
+		r = _activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags);
 	} else {
 		/* hw-opal data segment type does not require volume key for activation */
 		assert(!vk || crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
@@ -5347,27 +5211,6 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd,
 	return r;
 }
 #else
-static int _open_and_activate_luks2(struct crypt_device *cd,
-	int keyslot,
-	const char *name,
-	const char *passphrase,
-	size_t passphrase_size,
-	uint32_t flags)
-{
-	crypt_reencrypt_info ri;
-
-	ri = LUKS2_reencrypt_status(&cd->u.luks2.hdr);
-	if (ri == CRYPT_REENCRYPT_INVALID)
-		return -EINVAL;
-
-	if (ri > CRYPT_REENCRYPT_NONE) {
-		log_err(cd, _("This operation is not supported for this device type."));
-		return -ENOTSUP;
-	}
-
-	return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags);
-}
-
 static int _activate_luks2_by_volume_key(struct crypt_device *cd,
 	const char *name,
 	struct volume_key *vk,
@@ -5392,76 +5235,6 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd,
 }
 #endif
 
-static int _activate_by_passphrase(struct crypt_device *cd,
-	const char *name,
-	int keyslot,
-	const char *passphrase,
-	size_t passphrase_size,
-	uint32_t flags)
-{
-	int r;
-	struct volume_key *vk = NULL;
-
-	if ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd))
-		return -EINVAL;
-
-	if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name)
-		return -EINVAL;
-
-	r = _check_header_data_overlap(cd, name);
-	if (r < 0)
-		return r;
-
-	if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
-		cd->memory_hard_pbkdf_lock_enabled = true;
-
-	/* plain, use hashed passphrase */
-	if (isPLAIN(cd->type)) {
-		r = -EINVAL;
-		if (!name)
-			goto out;
-
-		r = process_key(cd, cd->u.plain.hdr.hash,
-				cd->u.plain.key_size,
-				passphrase, passphrase_size, &vk);
-		if (r < 0)
-			goto out;
-
-		r = PLAIN_activate(cd, name, vk, cd->u.plain.hdr.size, flags);
-		keyslot = 0;
-	} else if (isLUKS1(cd->type)) {
-		r = LUKS_open_key_with_hdr(keyslot, passphrase,
-					   passphrase_size, &cd->u.luks1.hdr, &vk, cd);
-		if (r >= 0) {
-			keyslot = r;
-			if (name)
-				r = LUKS1_activate(cd, name, vk, flags);
-		}
-	} else if (isLUKS2(cd->type)) {
-		r = _open_and_activate_luks2(cd, keyslot, name, passphrase, passphrase_size, flags);
-		keyslot = r;
-	} else if (isBITLK(cd->type)) {
-		r = BITLK_activate_by_passphrase(cd, name, passphrase, passphrase_size,
-						 &cd->u.bitlk.params, flags);
-		keyslot = 0;
-	} else if (isFVAULT2(cd->type)) {
-		r = FVAULT2_activate_by_passphrase(cd, name, passphrase, passphrase_size,
-			&cd->u.fvault2.params, flags);
-		keyslot = 0;
-	} else {
-		log_err(cd, _("Device type is not properly initialized."));
-		r = -EINVAL;
-	}
-out:
-	if (r < 0)
-		crypt_drop_keyring_key(cd, vk);
-	crypt_free_volume_key(vk);
-
-	cd->memory_hard_pbkdf_lock_enabled = false;
-
-	return r < 0 ? r : keyslot;
-}
-
 static int _activate_loopaes(struct crypt_device *cd,
 	const char *name,
 	const char *buffer,
@@ -5476,7 +5249,7 @@ static int _activate_loopaes(struct crypt_device *cd,
 	buffer_copy = crypt_safe_alloc(buffer_size);
 	if (!buffer_copy)
 		return -ENOMEM;
-	memcpy(buffer_copy, buffer, buffer_size);
+	crypt_safe_memcpy(buffer_copy, buffer, buffer_size);
 
 	r = LOOPAES_parse_keyfile(cd, &vk, cd->u.loopaes.hdr.hash, &key_count,
 				  buffer_copy, buffer_size);
@@ -5515,45 +5288,45 @@ static int _activate_check_status(struct crypt_device *cd, const char *name, uns
 	return r;
 }
 
+static int _verify_reencrypt_keys(struct crypt_device *cd, struct volume_key *vks)
+{
+	int r;
+
+	assert(cd && (isLUKS2(cd->type)));
+
+	r = LUKS2_reencrypt_digest_verify(cd, &cd->u.luks2.hdr, vks);
+	if (r == -EPERM || r == -ENOENT || r == -EINVAL)
+		log_err(cd, _("Reencryption volume keys do not match the volume."));
+
+	return r;
+}
+
 static int _verify_key(struct crypt_device *cd,
-	int segment,
+	bool unbound_key,
 	struct volume_key *vk)
 {
 	int r = -EINVAL;
-	crypt_reencrypt_info ri;
-	struct luks2_hdr *hdr = &cd->u.luks2.hdr;
 
 	assert(cd);
 
 	if (isPLAIN(cd->type)) {
-		if (vk && vk->keylength == cd->u.plain.key_size) {
+		if (vk && crypt_volume_key_length(vk) == cd->u.plain.key_size) {
 			r = KEY_VERIFIED;
 		} else
 			log_err(cd, _("Incorrect volume key specified for plain device."));
 	} else if (isLUKS1(cd->type)) {
+		if (!vk)
+			return -EINVAL;
+
 		r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk);
-		if (r == -EPERM)
-			log_err(cd, _("Volume key does not match the volume."));
 	} else if (isLUKS2(cd->type)) {
-		ri = LUKS2_reencrypt_status(hdr);
-		if (ri == CRYPT_REENCRYPT_INVALID)
+		if (!vk)
 			return -EINVAL;
 
-		if (ri > CRYPT_REENCRYPT_NONE) {
-			LUKS2_reencrypt_lookup_key_ids(cd, hdr, vk);
-			r = LUKS2_reencrypt_digest_verify(cd, hdr, vk);
-			if (r == -EPERM || r == -ENOENT || r == -EINVAL)
-				log_err(cd, _("Reencryption volume keys do not match the volume."));
-			return r;
-		}
-
-		if (segment == CRYPT_ANY_SEGMENT)
-			r = LUKS2_digest_any_matching(cd, &cd->u.luks2.hdr, vk);
-		else {
-			r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, segment, vk);
-			if (r == -EPERM || r == -ENOENT)
-				log_err(cd, _("Volume key does not match the volume."));
-		}
+		if (unbound_key)
+			r = LUKS2_digest_verify_by_any_matching(cd, vk);
+		else
+			r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk);
 	} else if (isVERITY(cd->type))
 		r = KEY_VERIFIED;
 	else if (isTCRYPT(cd->type))
@@ -5562,7 +5335,10 @@ static int _verify_key(struct crypt_device *cd,
 		r = KEY_VERIFIED;
 	else if (isBITLK(cd->type))
 		r = KEY_VERIFIED;
-	else
+	else if (isFVAULT2(cd->type)) {
+		if (vk && crypt_volume_key_length(vk) == FVAULT2_volume_key_size())
+			r = KEY_VERIFIED;
+	} else
 		log_err(cd, _("Device type is not properly initialized."));
 
 	if (r >= KEY_VERIFIED)
@@ -5617,8 +5393,12 @@ static int _activate_by_volume_key(struct crypt_device *cd,
 				       cd->u.integrity.sb_flags);
 	} else if (isBITLK(cd->type)) {
 		assert(!external_key);
-		r = BITLK_activate_by_volume_key(cd, name, vk->key, vk->keylength,
-						 &cd->u.bitlk.params, flags);
+		assert(crypt_volume_key_get_id(vk) == KEY_VERIFIED);
+		r = BITLK_activate_by_volume_key(cd, name, vk, &cd->u.bitlk.params, flags);
+	} else if (isFVAULT2(cd->type)) {
+		assert(!external_key);
+		assert(crypt_volume_key_get_id(vk) == KEY_VERIFIED);
+		r = FVAULT2_activate_by_volume_key(cd, name, vk, &cd->u.fvault2.params, flags);
 	} else {
 		log_err(cd, _("Device type is not properly initialized."));
 		r = -EINVAL;
@@ -5628,19 +5408,19 @@ static int _activate_by_volume_key(struct crypt_device *cd,
 }
 
 int crypt_activate_by_keyslot_context(struct crypt_device *cd,
-const char *name,
+	const char *name,
 	int keyslot,
 	struct crypt_keyslot_context *kc,
 	int additional_keyslot,
 	struct crypt_keyslot_context *additional_kc,
 	uint32_t flags)
 {
-	bool use_keyring;
+	bool use_keyring, luks2_reencryption = false;
 	struct volume_key *p_ext_key, *crypt_key = NULL, *opal_key = NULL, *vk = NULL,
 		*vk_sign = NULL, *p_crypt = NULL;
 	size_t passphrase_size;
 	const char *passphrase = NULL;
-	int unlocked_keyslot, required_keys, unlocked_keys = 0, r = -EINVAL;
+	int unlocked_keyslot, r = -EINVAL;
 	key_serial_t kid1 = 0, kid2 = 0;
 	struct luks2_hdr *hdr = &cd->u.luks2.hdr;
 
@@ -5655,6 +5435,8 @@ const char *name,
 		return -EINVAL;
 	if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name)
 		return -EINVAL;
+	if (!additional_kc && (additional_keyslot != CRYPT_ANY_SLOT))
+		return -EINVAL;
 	if ((kc->type == CRYPT_KC_TYPE_KEYRING) && !kernel_keyring_support()) {
 		log_err(cd, _("Kernel keyring is not supported by the kernel."));
 		return -EINVAL;
@@ -5670,61 +5452,67 @@ const char *name,
 	if (r < 0)
 		return r;
 
-	/* for TCRYPT and token skip passphrase activation */
-	if (kc->get_passphrase && kc->type != CRYPT_KC_TYPE_TOKEN && !isTCRYPT(cd->type)) {
+	if (kc->get_passphrase && kc->type != CRYPT_KC_TYPE_TOKEN &&
+	    isLOOPAES(cd->type)) {
 		r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size);
 		if (r < 0)
 			return r;
-		/* TODO: Only loopaes should by activated by passphrase method */
-		if (passphrase) {
-			if (isLOOPAES(cd->type))
-				return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
-			else
-				return _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags);
-		}
+
+		return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
 	}
-	/* only passphrase unlock is supported with loopaes */
-	if (isLOOPAES(cd->type))
-		return -EINVAL;
 
-	/* activate by volume key */
+	if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
+		cd->memory_hard_pbkdf_lock_enabled = true;
+
+	/* acquire the volume key(s) */
 	r = -EINVAL;
 	if (isLUKS1(cd->type)) {
 		if (kc->get_luks1_volume_key)
 			r = kc->get_luks1_volume_key(cd, kc, keyslot, &vk);
 	} else if (isLUKS2(cd->type)) {
-		required_keys = LUKS2_reencrypt_vks_count(hdr);
-
-		if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY && kc->get_luks2_key)
-			r = kc->get_luks2_key(cd, kc, keyslot, CRYPT_ANY_SEGMENT, &vk);
-		else if (kc->get_luks2_volume_key)
-			r = kc->get_luks2_volume_key(cd, kc, keyslot, &vk);
-		if (r >= 0) {
-			unlocked_keys++;
-
-			if (required_keys > 1 && vk && additional_kc) {
-				if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY && additional_kc->get_luks2_key)
-					r = additional_kc->get_luks2_key(cd, additional_kc, additional_keyslot, CRYPT_ANY_SEGMENT, &vk->next);
-				else if (additional_kc->get_luks2_volume_key)
-					r = additional_kc->get_luks2_volume_key(cd, additional_kc, additional_keyslot, &vk->next);
-				if (r >= 0)
-					unlocked_keys++;
+		if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) {
+			if (kc->get_luks2_key)
+				r = kc->get_luks2_key(cd, kc, keyslot, CRYPT_ANY_SEGMENT, &vk);
+		} else {
+			switch (LUKS2_reencrypt_status(hdr)) {
+			case CRYPT_REENCRYPT_NONE:
+				if (kc->get_luks2_volume_key)
+					r = kc->get_luks2_volume_key(cd, kc, keyslot, &vk);
+				break;
+			case CRYPT_REENCRYPT_CLEAN: /* fall-through */
+			case CRYPT_REENCRYPT_CRASH:
+				luks2_reencryption = true;
+				r = LUKS2_keyslot_context_open_all_segments(cd, keyslot, additional_keyslot, kc, additional_kc, &vk);
+				/* fall-through */
+			default:
+				break;
 			}
-
-			if (unlocked_keys < required_keys)
-				r = -ESRCH;
 		}
 	} else if (isTCRYPT(cd->type)) {
 		r = 0;
 	} else if (name && isPLAIN(cd->type)) {
-		if (kc->get_plain_volume_key)
+		if (kc->type == CRYPT_KC_TYPE_VK_KEYRING) {
+			vk = crypt_alloc_volume_key(cd->u.plain.key_size, NULL);
+			if (!vk)
+				return -ENOMEM;
+			r = crypt_volume_key_set_description_by_name(vk, kc->u.vk_kr.key_description);
+			if (r < 0)
+				log_err(cd, _("Cannot use keyring key %s."), kc->u.vk_kr.key_description);
+		} else if (kc->get_passphrase && kc->type != CRYPT_KC_TYPE_TOKEN) {
+			r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size);
+			if (r < 0)
+				return r;
+			r = process_key(cd, cd->u.plain.hdr.hash,
+					cd->u.plain.key_size,
+					passphrase, passphrase_size, &vk);
+		} else if (kc->get_plain_volume_key)
 			r = kc->get_plain_volume_key(cd, kc, &vk);
-	} else if (name && isBITLK(cd->type)) {
-		if (kc->get_bitlk_volume_key)
-			r = kc->get_bitlk_volume_key(cd, kc, &vk);
+	} else if (isBITLK(cd->type)) {
+		if (kc->get_bitlk_volume_key && (name || kc->type != CRYPT_KC_TYPE_KEY))
+			r = kc->get_bitlk_volume_key(cd, kc, &cd->u.bitlk.params, &vk);
 	} else if (isFVAULT2(cd->type)) {
 		if (kc->get_fvault2_volume_key)
-			r = kc->get_fvault2_volume_key(cd, kc, &vk);
+			r = kc->get_fvault2_volume_key(cd, kc, &cd->u.fvault2.params, &vk);
 	} else if (isVERITY(cd->type) && (name || kc->type != CRYPT_KC_TYPE_SIGNED_KEY)) {
 		if (kc->get_verity_volume_key)
 			r = kc->get_verity_volume_key(cd, kc, &vk, &vk_sign);
@@ -5744,7 +5532,8 @@ const char *name,
 	unlocked_keyslot = r;
 
 	if (r == -ENOENT && isLUKS(cd->type) && cd->volume_key) {
-		vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
+		vk = crypt_alloc_volume_key(crypt_volume_key_length(cd->volume_key),
+					    crypt_volume_key_get_key(cd->volume_key));
 		r = vk ? 0 : -ENOMEM;
 	}
 	if (r == -ENOENT && isINTEGRITY(cd->type))
@@ -5753,9 +5542,11 @@ const char *name,
 	if (r < 0)
 		goto out;
 
-	r = _verify_key(cd,
-			flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY ? CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT,
-			vk);
+	if (luks2_reencryption)
+		r = _verify_reencrypt_keys(cd, vk);
+	else
+		r = _verify_key(cd, flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY, vk);
+
 	if (r < 0)
 		goto out;
 
@@ -5781,13 +5572,14 @@ const char *name,
 		if (!crypt_use_keyring_for_vk(cd))
 			use_keyring = false;
 		else
-			use_keyring = (name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
+			/* Force keyring use for activation of LUKS2 device in reencryption */
+			use_keyring = (name && (luks2_reencryption || !crypt_is_cipher_null(crypt_get_cipher(cd)))) ||
 				      (flags & CRYPT_ACTIVATE_KEYRING_KEY);
 
 		if (use_keyring) {
 			/* upload dm-crypt part of volume key in thread keyring if requested */
 			if (p_crypt) {
-				r = LUKS2_volume_key_load_in_keyring_by_digest(cd, p_crypt, crypt_volume_key_get_id(p_crypt));
+				r = load_all_keys(cd, p_crypt);
 				if (r < 0)
 					goto out;
 				flags |= CRYPT_ACTIVATE_KEYRING_KEY;
@@ -5795,7 +5587,7 @@ const char *name,
 
 			/* upload the volume key in custom user keyring if requested */
 			if (cd->link_vk_to_keyring) {
-				r = crypt_volume_key_load_in_user_keyring(cd, vk, &kid1, &kid2);
+				r = crypt_volume_key_load_in_custom_keyring(cd, vk, &kid1, &kid2);
 				if (r < 0) {
 					log_err(cd, _("Failed to link volume key in user defined keyring."));
 					goto out;
@@ -5814,8 +5606,8 @@ const char *name,
 		r = unlocked_keyslot;
 out:
 	if (r < 0) {
-		crypt_drop_keyring_key(cd, vk);
-		crypt_drop_keyring_key(cd, p_crypt);
+		crypt_drop_uploaded_keyring_key(cd, vk);
+		crypt_drop_uploaded_keyring_key(cd, crypt_key);
 		if (cd->link_vk_to_keyring && kid1)
 			crypt_unlink_key_from_custom_keyring(cd, kid1);
 		if (cd->link_vk_to_keyring && kid2)
@@ -5837,10 +5629,10 @@ int crypt_activate_by_passphrase(struct crypt_device *cd,
 	uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size);
-	r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags);
+	crypt_keyslot_context_init_by_passphrase_internal(&kc, passphrase, passphrase_size);
+	r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, &kc, flags);
 	crypt_keyslot_context_destroy_internal(&kc);
 
 	return r;
@@ -5855,10 +5647,10 @@ int crypt_activate_by_keyfile_device_offset(struct crypt_device *cd,
 	uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset);
-	r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags);
+	crypt_keyslot_context_init_by_keyfile_internal(&kc, keyfile, keyfile_size, keyfile_offset);
+	r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, &kc, flags);
 	crypt_keyslot_context_destroy_internal(&kc);
 
 	return r;
@@ -5894,10 +5686,10 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
 	uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size);
-	r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc, CRYPT_ANY_SLOT, NULL, flags);
+	crypt_keyslot_context_init_by_key_internal(&kc, volume_key, volume_key_size);
+	r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc, CRYPT_ANY_SLOT, &kc, flags);
 	crypt_keyslot_context_destroy_internal(&kc);
 
 	return r;
@@ -5912,7 +5704,7 @@ int crypt_activate_by_signed_key(struct crypt_device *cd,
 	uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
 	if (!cd || !isVERITY(cd->type))
 		return -EINVAL;
@@ -5923,10 +5715,10 @@ int crypt_activate_by_signed_key(struct crypt_device *cd,
 	}
 
 	if (signature)
-		crypt_keyslot_unlock_by_signed_key_init_internal(&kc, volume_key, volume_key_size,
+		crypt_keyslot_context_init_by_signed_key_internal(&kc, volume_key, volume_key_size,
 			signature, signature_size);
 	else
-		crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size);
+		crypt_keyslot_context_init_by_key_internal(&kc, volume_key, volume_key_size);
 	r = crypt_activate_by_keyslot_context(cd, name, -2 /* unused */, &kc, CRYPT_ANY_SLOT, NULL, flags);
 	crypt_keyslot_context_destroy_internal(&kc);
 
@@ -5939,7 +5731,7 @@ int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t
 	struct luks2_hdr *hdr2 = NULL;
 	struct crypt_dm_active_device dmd = {};
 	int r;
-	uint32_t get_flags = DM_ACTIVE_DEVICE | DM_ACTIVE_UUID | DM_ACTIVE_HOLDERS;
+	uint64_t get_flags = DM_ACTIVE_DEVICE | DM_ACTIVE_UUID | DM_ACTIVE_HOLDERS;
 
 	if (!name)
 		return -EINVAL;
@@ -5957,13 +5749,10 @@ int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t
 	}
 
 	if (flags & (CRYPT_DEACTIVATE_DEFERRED | CRYPT_DEACTIVATE_DEFERRED_CANCEL)) {
-		struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
-		if (hdr) {
-			json_object *jobj = json_segments_get_segment(LUKS2_get_segments_jobj(hdr), 0);
-			if (jobj && !strcmp(json_segment_type(jobj), "hw-opal")) {
-				log_err(cd, _("OPAL does not support deferred deactivation."));
-				return -EINVAL;
-			}
+		r = crypt_get_hw_encryption_type(cd);
+		if (r == CRYPT_SW_AND_OPAL_HW || r == CRYPT_OPAL_HW_ONLY) {
+			log_err(cd, _("OPAL does not support deferred deactivation."));
+			return -EINVAL;
 		}
 	}
 
@@ -5974,13 +5763,6 @@ int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t
 	switch (crypt_status(cd, name)) {
 		case CRYPT_ACTIVE:
 		case CRYPT_BUSY:
-			if (flags & CRYPT_DEACTIVATE_DEFERRED_CANCEL) {
-				r = dm_cancel_deferred_removal(name);
-				if (r < 0)
-					log_err(cd, _("Could not cancel deferred remove from device %s."), name);
-				break;
-			}
-
 			r = dm_query_device(cd, name, get_flags, &dmd);
 			if (r >= 0) {
 				if (dmd.holders) {
@@ -5990,8 +5772,23 @@ int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t
 				}
 			}
 
-			if (isLUKS2(cd->type))
-				hdr2 = crypt_get_hdr(cd, CRYPT_LUKS2);
+			/* For detached header case or missing metadata we need to check for OPAL2 devices
+			 * from DM UUID */
+			if (dmd.uuid && (flags & (CRYPT_DEACTIVATE_DEFERRED | CRYPT_DEACTIVATE_DEFERRED_CANCEL)) &&
+			    !strncmp(CRYPT_LUKS2_HW_OPAL, dmd.uuid, sizeof(CRYPT_LUKS2_HW_OPAL)-1)) {
+				log_err(cd, _("OPAL does not support deferred deactivation."));
+				r = -EINVAL;
+				break;
+			}
+
+			if (flags & CRYPT_DEACTIVATE_DEFERRED_CANCEL) {
+				r = dm_cancel_deferred_removal(name);
+				if (r < 0)
+					log_err(cd, _("Could not cancel deferred remove from device %s."), name);
+				break;
+			}
+
+			hdr2 = crypt_get_hdr(cd, CRYPT_LUKS2);
 
 			if ((dmd.uuid && !strncmp(CRYPT_LUKS2, dmd.uuid, sizeof(CRYPT_LUKS2)-1)) || hdr2)
 				r = LUKS2_deactivate(cd, name, hdr2, &dmd, flags);
@@ -6030,7 +5827,7 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
 {
 	int r;
 	struct crypt_dm_active_device dmd, dmdi = {};
-	const char *namei = NULL;
+	char *iname = NULL;
 	struct dm_target *tgt = &dmd.segment;
 	uint64_t min_offset = UINT64_MAX;
 
@@ -6041,11 +5838,18 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
 	if (r < 0)
 		return r;
 
-	/* For LUKS2 with integrity we need flags from underlying dm-integrity */
-	if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) && single_segment(&dmd)) {
-		namei = device_dm_name(tgt->data_device);
-		if (namei && dm_query_device(cd, namei, 0, &dmdi) >= 0)
-			dmd.flags |= dmdi.flags;
+	/*
+	 * For integrity and LUKS2 (and detached header where context is NULL)
+	 * we need flags from underlying dm-integrity device.
+	 * This check must be skipped for non-LUKS2 integrity device.
+	 */
+	if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) {
+	    if ((iname = dm_get_active_iname(cd, name))) {
+	        if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+	            dmd.flags |= dmdi.flags;
+	        free(iname);
+	    } else
+	        dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
 	}
 
 	if (cd && isTCRYPT(cd->type)) {
@@ -6111,12 +5915,12 @@ int crypt_volume_key_get(struct crypt_device *cd,
 	size_t passphrase_size)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
 	if (!passphrase)
 		return crypt_volume_key_get_by_keyslot_context(cd, keyslot, volume_key, volume_key_size, NULL);
 
-	crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size);
+	crypt_keyslot_context_init_by_passphrase_internal(&kc, passphrase, passphrase_size);
 
 	r = crypt_volume_key_get_by_keyslot_context(cd, keyslot, volume_key, volume_key_size, &kc);
 
@@ -6137,7 +5941,7 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
 	struct volume_key *vk = NULL;
 
 	if (!cd || !volume_key || !volume_key_size ||
-	    (!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type)))
+	    (!kc && !isLUKS(cd->type) && !isTCRYPT(cd->type) && !isVERITY(cd->type) && !isBITLK(cd->type)))
 		return -EINVAL;
 
 	if (isLUKS2(cd->type) && keyslot != CRYPT_ANY_SLOT)
@@ -6156,12 +5960,6 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
 	if (kc && (!kc->get_passphrase || kc->type == CRYPT_KC_TYPE_KEY))
 		return -EINVAL;
 
-	if (kc) {
-		r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size);
-		if (r < 0)
-			return r;
-	}
-
 	r = -EINVAL;
 
 	if (isLUKS2(cd->type)) {
@@ -6180,16 +5978,20 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
 			r = -ENOENT;
 		else
 			r = kc->get_luks1_volume_key(cd, kc, keyslot, &vk);
-	} else if (isPLAIN(cd->type)) {
-		if (passphrase && cd->u.plain.hdr.hash)
+	} else if (isPLAIN(cd->type) && cd->u.plain.hdr.hash) {
+		if (kc && kc->get_passphrase && kc->type != CRYPT_KC_TYPE_TOKEN) {
+			r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size);
+			if (r < 0)
+				return r;
 			r = process_key(cd, cd->u.plain.hdr.hash, key_len,
 					passphrase, passphrase_size, &vk);
+		}
 		if (r < 0)
 			log_err(cd, _("Cannot retrieve volume key for plain device."));
 	} else if (isVERITY(cd->type)) {
 		/* volume_key == root hash */
 		if (cd->u.verity.root_hash) {
-			memcpy(volume_key, cd->u.verity.root_hash, cd->u.verity.root_hash_size);
+			crypt_safe_memcpy(volume_key, cd->u.verity.root_hash, cd->u.verity.root_hash_size);
 			*volume_key_size = cd->u.verity.root_hash_size;
 			r = 0;
 		} else
@@ -6197,26 +5999,29 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
 	} else if (isTCRYPT(cd->type)) {
 		r = TCRYPT_get_volume_key(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params, &vk);
 	} else if (isBITLK(cd->type)) {
-		if (passphrase)
-			r = BITLK_get_volume_key(cd, passphrase, passphrase_size, &cd->u.bitlk.params, &vk);
+		if (kc && kc->get_bitlk_volume_key)
+			r = kc->get_bitlk_volume_key(cd, kc, &cd->u.bitlk.params, &vk);
+		else if (!kc)
+			r = BITLK_get_volume_key(cd, NULL, 0, &cd->u.bitlk.params, &vk);
 		if (r < 0)
 			log_err(cd, _("Cannot retrieve volume key for BITLK device."));
 	} else if (isFVAULT2(cd->type)) {
-		if (passphrase)
-			r = FVAULT2_get_volume_key(cd, passphrase, passphrase_size, &cd->u.fvault2.params, &vk);
+		if (kc && kc->get_fvault2_volume_key)
+			r = kc->get_fvault2_volume_key(cd, kc, &cd->u.fvault2.params, &vk);
 		if (r < 0)
 			log_err(cd, _("Cannot retrieve volume key for FVAULT2 device."));
 	} else
 		log_err(cd, _("This operation is not supported for %s crypt device."), cd->type ?: "(none)");
 
 	if (r == -ENOENT && isLUKS(cd->type) && cd->volume_key) {
-		vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key);
+		vk = crypt_alloc_volume_key(crypt_volume_key_length(cd->volume_key),
+					    crypt_volume_key_get_key(cd->volume_key));
 		r = vk ? 0 : -ENOMEM;
 	}
 
 	if (r >= 0 && vk) {
-		memcpy(volume_key, vk->key, vk->keylength);
-		*volume_key_size = vk->keylength;
+		crypt_safe_memcpy(volume_key, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk));
+		*volume_key_size = crypt_volume_key_length(vk);
 	}
 
 	crypt_free_volume_key(vk);
@@ -6518,12 +6323,20 @@ const char *crypt_get_integrity(struct crypt_device *cd)
 }
 
 /* INTERNAL only */
-int crypt_get_integrity_key_size(struct crypt_device *cd)
+int crypt_get_integrity_key_size(struct crypt_device *cd, bool dm_compat)
 {
 	int key_size = 0;
 
-	if (isINTEGRITY(cd->type) || isLUKS2(cd->type) || !cd->type)
-		key_size = INTEGRITY_key_size(crypt_get_integrity(cd));
+	if (isLUKS2(cd->type)) {
+		key_size = INTEGRITY_key_size(crypt_get_integrity(cd),
+					      LUKS2_get_integrity_key_size(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
+		if (dm_compat && key_size > 0 &&
+		    key_size == INTEGRITY_key_size(crypt_get_integrity(cd), 0))
+			return 0;
+	}
+
+	if (isINTEGRITY(cd->type) || !cd->type)
+		key_size = INTEGRITY_key_size(crypt_get_integrity(cd),  0);
 
 	return key_size > 0 ? key_size : 0;
 }
@@ -6628,7 +6441,7 @@ int crypt_get_volume_key_size(struct crypt_device *cd)
 	if (isLUKS2(cd->type)) {
 		r = LUKS2_get_volume_key_size(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT);
 		if (r < 0 && cd->volume_key)
-			r = cd->volume_key->keylength;
+			r = crypt_volume_key_length(cd->volume_key);
 		return r < 0 ? 0 : r;
 	}
 
@@ -6653,6 +6466,19 @@ int crypt_get_volume_key_size(struct crypt_device *cd)
 	return 0;
 }
 
+int crypt_get_old_volume_key_size(struct crypt_device *cd)
+{
+	int r = _onlyLUKS2(cd, CRYPT_CD_QUIET,
+			   CRYPT_REQUIREMENT_ONLINE_REENCRYPT | CRYPT_REQUIREMENT_OPAL);
+
+	if (r < 0)
+		return 0;
+
+	r = LUKS2_get_old_volume_key_size(&cd->u.luks2.hdr);
+
+	return r < 0 ? 0 : r;
+}
+
 int crypt_get_hw_encryption_key_size(struct crypt_device *cd)
 {
 	if (!cd || !isLUKS2(cd->type))
@@ -7002,7 +6828,7 @@ int crypt_get_integrity_info(struct crypt_device *cd,
 		ip->buffer_sectors = cd->u.integrity.params.buffer_sectors;
 
 		ip->integrity = cd->u.integrity.params.integrity;
-		ip->integrity_key_size = crypt_get_integrity_key_size(cd);
+		ip->integrity_key_size = crypt_get_integrity_key_size(cd, false);
 
 		ip->journal_integrity = cd->u.integrity.params.journal_integrity;
 		ip->journal_integrity_key_size = cd->u.integrity.params.journal_integrity_key_size;
@@ -7021,7 +6847,7 @@ int crypt_get_integrity_info(struct crypt_device *cd,
 		ip->buffer_sectors = 0; // FIXME
 
 		ip->integrity = LUKS2_get_integrity(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT);
-		ip->integrity_key_size = crypt_get_integrity_key_size(cd);
+		ip->integrity_key_size = crypt_get_integrity_key_size(cd, false);
 		ip->tag_size = INTEGRITY_tag_size(ip->integrity, crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
 
 		ip->journal_integrity = NULL;
@@ -7035,7 +6861,7 @@ int crypt_get_integrity_info(struct crypt_device *cd,
 	} else if (!cd->type) {
 		memset(ip, 0, sizeof(*ip));
 		ip->integrity = crypt_get_integrity(cd);
-		ip->integrity_key_size = crypt_get_integrity_key_size(cd);
+		ip->integrity_key_size = crypt_get_integrity_key_size(cd, false);
 		ip->tag_size = crypt_get_integrity_tag_size(cd);
 	}
 
@@ -7081,12 +6907,11 @@ int crypt_convert(struct crypt_device *cd,
 /* Internal access function to header pointer */
 void *crypt_get_hdr(struct crypt_device *cd, const char *type)
 {
-	/* One type can be OPAL */
-	if (isLUKS2(type) && isLUKS2(cd->type))
-		return &cd->u.luks2.hdr;
+	assert(cd);
+	assert(type);
 
 	/* If requested type differs, ignore it */
-	if (strcmp(cd->type, type))
+	if (!cd->type || strcmp(cd->type, type))
 		return NULL;
 
 	if (isPLAIN(cd->type))
@@ -7095,6 +6920,9 @@ void *crypt_get_hdr(struct crypt_device *cd, const char *type)
 	if (isLUKS1(cd->type))
 		return &cd->u.luks1.hdr;
 
+	if (isLUKS2(type))
+		return &cd->u.luks2.hdr;
+
 	if (isLOOPAES(cd->type))
 		return &cd->u.loopaes;
 
@@ -7127,10 +6955,10 @@ int crypt_activate_by_token_pin(struct crypt_device *cd, const char *name,
 	void *usrptr, uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
-	crypt_keyslot_unlock_by_token_init_internal(&kc, token, type, pin, pin_size, usrptr);
-	r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc, CRYPT_ANY_SLOT, NULL, flags);
+	crypt_keyslot_context_init_by_token_internal(&kc, token, type, pin, pin_size, usrptr);
+	r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc, CRYPT_ANY_SLOT, &kc, flags);
 	crypt_keyslot_context_destroy_internal(&kc);
 
 	return r;
@@ -7252,6 +7080,9 @@ int crypt_token_assign_keyslot(struct crypt_device *cd, int token, int keyslot)
 	if ((r = onlyLUKS2(cd)))
 		return r;
 
+	if (token == CRYPT_ANY_TOKEN)
+		return -EINVAL;
+
 	return LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot, token, 1, 1);
 }
 
@@ -7262,6 +7093,9 @@ int crypt_token_unassign_keyslot(struct crypt_device *cd, int token, int keyslot
 	if ((r = onlyLUKS2(cd)))
 		return r;
 
+	if (token == CRYPT_ANY_TOKEN)
+		return -EINVAL;
+
 	return LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot, token, 0, 1);
 }
 
@@ -7319,8 +7153,10 @@ int crypt_persistent_flags_get(struct crypt_device *cd, crypt_flags_type type, u
 	if (type == CRYPT_FLAGS_ACTIVATION)
 		return LUKS2_config_get_flags(cd, &cd->u.luks2.hdr, flags);
 
-	if (type == CRYPT_FLAGS_REQUIREMENTS)
-		return LUKS2_config_get_requirements(cd, &cd->u.luks2.hdr, flags);
+	if (type == CRYPT_FLAGS_REQUIREMENTS) {
+		LUKS2_config_get_requirements(cd, &cd->u.luks2.hdr, flags);
+		return 0;
+	}
 
 	return -EINVAL;
 }
@@ -7483,17 +7319,22 @@ static int keyslot_add_by_key(struct crypt_device *cd,
 	digest = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk);
 	if (digest >= 0) /* if key matches volume key digest tear down new vk flag */
 		flags &= ~CRYPT_VOLUME_KEY_SET;
-	else {
+	else if (digest == -EPERM) {
 		/* if key matches any existing digest, do not create new digest */
 		if ((flags & CRYPT_VOLUME_KEY_DIGEST_REUSE))
-			digest = LUKS2_digest_any_matching(cd, &cd->u.luks2.hdr, vk);
+			digest = LUKS2_digest_verify_by_any_matching(cd, vk);
+
+		/* Anything other than -EPERM or -ENOENT suggests broken metadata. Abort */
+		if (digest < 0 && digest != -ENOENT && digest != -EPERM)
+			return digest;
 
 		/* no segment flag or new vk flag requires new key digest */
 		if (flags & (CRYPT_VOLUME_KEY_NO_SEGMENT | CRYPT_VOLUME_KEY_SET)) {
 			if (digest < 0 || !(flags & CRYPT_VOLUME_KEY_DIGEST_REUSE))
 				digest = LUKS2_digest_create(cd, "pbkdf2", &cd->u.luks2.hdr, vk);
 		}
-	}
+	} else /* Anything other than -EPERM suggests broken metadata. Abort */
+		return digest;
 
 	r = digest;
 	if (r < 0) {
@@ -7524,7 +7365,7 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd,
 	uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc, new_kc;
+	struct crypt_keyslot_context kc = {}, new_kc = {};
 
 	if (!passphrase || ((flags & CRYPT_VOLUME_KEY_NO_SEGMENT) &&
 			    (flags & CRYPT_VOLUME_KEY_SET)))
@@ -7536,9 +7377,9 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd,
 	if ((flags & CRYPT_VOLUME_KEY_SET) && crypt_keyslot_status(cd, keyslot) > CRYPT_SLOT_INACTIVE &&
 	    isLUKS2(cd->type)) {
 		if (volume_key)
-			crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size);
+			crypt_keyslot_context_init_by_key_internal(&kc, volume_key, volume_key_size);
 		else
-			crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size);
+			crypt_keyslot_context_init_by_passphrase_internal(&kc, passphrase, passphrase_size);
 
 		r = verify_and_update_segment_digest(cd, &cd->u.luks2.hdr, keyslot, &kc);
 
@@ -7547,8 +7388,8 @@ int crypt_keyslot_add_by_key(struct crypt_device *cd,
 		return r;
 	}
 
-	crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size);
-	crypt_keyslot_unlock_by_passphrase_init_internal(&new_kc, passphrase, passphrase_size);
+	crypt_keyslot_context_init_by_key_internal(&kc, volume_key, volume_key_size);
+	crypt_keyslot_context_init_by_passphrase_internal(&new_kc, passphrase, passphrase_size);
 
 	r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, &kc, keyslot, &new_kc, flags);
 
@@ -7614,11 +7455,12 @@ int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd,
 
 	if (r == -ENOENT) {
 		if ((flags & CRYPT_VOLUME_KEY_NO_SEGMENT) && kc->type == CRYPT_KC_TYPE_KEY) {
-			if (!(vk = crypt_generate_volume_key(cd, kc->u.k.volume_key_size)))
+			if (!(vk = crypt_generate_volume_key(cd, kc->u.k.volume_key_size, KEY_QUALITY_KEY)))
 				return -ENOMEM;
 			r = 0;
 		} else if (cd->volume_key) {
-			if (!(vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key)))
+			if (!(vk = crypt_alloc_volume_key(crypt_volume_key_length(cd->volume_key),
+							  crypt_volume_key_get_key(cd->volume_key))))
 				return -ENOMEM;
 			r = 0;
 		} else if (active_slots == 0) {
@@ -7652,10 +7494,13 @@ int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd,
  */
 int crypt_use_keyring_for_vk(struct crypt_device *cd)
 {
-	uint32_t dmc_flags;
+	uint64_t dmc_flags;
 
 	/* dm backend must be initialized */
-	if (!cd || !isLUKS2(cd->type))
+	if (!cd)
+		return 0;
+
+	if (!isPLAIN(cd->type) && !isLUKS2(cd->type))
 		return 0;
 
 	if (!_vk_via_keyring || !kernel_keyring_support())
@@ -7676,26 +7521,25 @@ int crypt_volume_key_keyring(struct crypt_device *cd __attribute__((unused)), in
 /* internal only */
 int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key *vk)
 {
-	key_serial_t kid;
-
 	if (!vk || !cd)
 		return -EINVAL;
 
-	if (!vk->key_description) {
+	if (!crypt_volume_key_description(vk)) {
 		log_dbg(cd, "Invalid key description");
 		return -EINVAL;
 	}
 
-	log_dbg(cd, "Loading key (type logon, name %s) in thread keyring.", vk->key_description);
+	log_dbg(cd, "Loading key (type logon, name %s) in thread keyring.",
+		crypt_volume_key_description(vk));
 
-	kid = keyring_add_key_in_thread_keyring(LOGON_KEY, vk->key_description, vk->key, vk->keylength);
-	if (kid < 0) {
+	if (crypt_volume_key_upload_kernel_key(vk)) {
+		crypt_set_key_in_keyring(cd, 1);
+		return 0;
+	} else {
 		log_dbg(cd, "keyring_add_key_in_thread_keyring failed (error %d)", errno);
 		log_err(cd, _("Failed to load key in kernel keyring."));
-	} else
-		crypt_set_key_in_keyring(cd, 1);
-
-	return kid < 0 ? -EINVAL : 0;
+		return -EINVAL;
+	}
 }
 
 /* internal only */
@@ -7742,7 +7586,34 @@ int crypt_keyring_get_key_by_name(struct crypt_device *cd,
 	if (!key_description || !key || !key_size)
 		return -EINVAL;
 
-	log_dbg(cd, "Searching for key by name %s.", key_description);
+	log_dbg(cd, "Searching for kernel key by name %s.", key_description);
+
+	kid = keyring_find_key_id_by_name(key_description);
+	if (kid == 0) {
+		log_dbg(cd, "keyring_find_key_id_by_name failed with errno %d.", errno);
+		return -ENOENT;
+	}
+
+	log_dbg(cd, "Reading content of kernel key (id %" PRIi32 ").", kid);
+
+	r = keyring_read_key(kid, key, key_size);
+	if (r < 0)
+		log_dbg(cd, "keyring_read_key failed with errno %d.", errno);
+
+	return r;
+}
+
+int crypt_keyring_get_keysize_by_name(struct crypt_device *cd,
+		const char *key_description,
+		size_t *r_key_size)
+{
+	int r;
+	key_serial_t kid;
+
+	if (!key_description || !r_key_size)
+		return -EINVAL;
+
+	log_dbg(cd, "Searching for kernel key by name %s.", key_description);
 
 	kid = keyring_find_key_id_by_name(key_description);
 	if (kid == -ENOTSUP) {
@@ -7759,9 +7630,9 @@ int crypt_keyring_get_key_by_name(struct crypt_device *cd,
 
 	log_dbg(cd, "Reading content of kernel key (id %" PRIi32 ").", kid);
 
-	r = keyring_read_key(kid, key, key_size);
+	r = keyring_read_keysize(kid, r_key_size);
 	if (r < 0)
-		log_dbg(cd, "keyring_read_key failed with errno %d.", errno);
+		log_dbg(cd, "keyring_read_keysize failed with errno %d.", errno);
 
 	return r;
 }
@@ -7782,7 +7653,18 @@ void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring)
 }
 
 /* internal only */
-void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype)
+void crypt_unlink_key_from_thread_keyring(struct crypt_device *cd,
+		key_serial_t key_id)
+{
+	log_dbg(cd, "Unlinking volume key (id: %" PRIi32 ") from thread keyring.", key_id);
+
+	if (keyring_unlink_key_from_thread_keyring(key_id))
+		log_dbg(cd, "keyring_unlink_key_from_thread_keyring failed with errno %d.", errno);
+}
+
+void crypt_unlink_key_by_description_from_thread_keyring(struct crypt_device *cd,
+		const char *key_description,
+		key_type_t ktype)
 {
 	key_serial_t kid;
 	const char *type_name = key_type_name(ktype);
@@ -7790,7 +7672,7 @@ void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *
 	if (!key_description || !type_name)
 		return;
 
-	log_dbg(cd, "Requesting kernel key %s (type %s) for unlink from thread keyring.", key_description, type_name);
+	log_dbg(cd, "Requesting kernel key %s (type %s).", key_description, type_name);
 
 	crypt_set_key_in_keyring(cd, 0);
 
@@ -7803,14 +7685,7 @@ void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *
 		return;
 	}
 
-	log_dbg(cd, "Unlinking volume key (id: %" PRIi32 ") from thread keyring.", kid);
-
-	if (!keyring_unlink_key_from_thread_keyring(kid))
-		return;
-
-	log_dbg(cd, "keyring_unlink_key_from_thread_keyring failed with errno %d.", errno);
-	log_err(cd, _("Failed to unlink volume key from thread keyring."));
-
+	crypt_unlink_key_from_thread_keyring(cd, kid);
 }
 
 int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_description,
@@ -7877,12 +7752,12 @@ int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_descripti
 }
 
 /* internal only */
-void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks)
+void crypt_drop_uploaded_keyring_key(struct crypt_device *cd, struct volume_key *vks)
 {
 	struct volume_key *vk = vks;
 
 	while (vk) {
-		crypt_drop_keyring_key_by_description(cd, vk->key_description, LOGON_KEY);
+		crypt_volume_key_drop_uploaded_kernel_key(cd, vk);
 		vk = crypt_volume_key_next(vk);
 	}
 }
@@ -7894,13 +7769,13 @@ int crypt_activate_by_keyring(struct crypt_device *cd,
 			      uint32_t flags)
 {
 	int r;
-	struct crypt_keyslot_context kc;
+	struct crypt_keyslot_context kc = {};
 
 	if (!cd || !key_description)
 		return -EINVAL;
 
-	crypt_keyslot_unlock_by_keyring_internal(&kc, key_description);
-	r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags);
+	crypt_keyslot_context_init_by_keyring_internal(&kc, key_description);
+	r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, &kc, flags);
 	crypt_keyslot_context_destroy_internal(&kc);
 
 	return r;
diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c
index f1ed858..8fbe651 100644
--- a/lib/tcrypt/tcrypt.c
+++ b/lib/tcrypt/tcrypt.c
@@ -2,8 +2,8 @@
 /*
  * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include <errno.h>
@@ -17,30 +17,30 @@
 
 /* TCRYPT PBKDF variants */
 static const struct {
-	unsigned int legacy:1;
-	unsigned int veracrypt:1;
+	bool legacy;
+	bool veracrypt;
 	const char *name;
 	const char *hash;
 	unsigned int iterations;
 	uint32_t veracrypt_pim_const;
 	uint32_t veracrypt_pim_mult;
 } tcrypt_kdf[] = {
-	{ 0, 0, "pbkdf2", "ripemd160",   2000, 0, 0 },
-	{ 0, 0, "pbkdf2", "ripemd160",   1000, 0, 0 },
-	{ 0, 0, "pbkdf2", "sha512",      1000, 0, 0 },
-	{ 0, 0, "pbkdf2", "whirlpool",   1000, 0, 0 },
-	{ 1, 0, "pbkdf2", "sha1",        2000, 0, 0 },
-	{ 0, 1, "pbkdf2", "sha512",    500000, 15000, 1000 },
-	{ 0, 1, "pbkdf2", "whirlpool", 500000, 15000, 1000 },
-	{ 0, 1, "pbkdf2", "sha256",    500000, 15000, 1000 }, // VeraCrypt 1.0f
-	{ 0, 1, "pbkdf2", "sha256",    200000,     0, 2048 }, // boot only
-	{ 0, 1, "pbkdf2", "blake2s-256", 500000, 15000, 1000 }, // VeraCrypt 1.26.2
-	{ 0, 1, "pbkdf2", "blake2s-256", 200000,     0, 2048 }, // boot only
-	{ 0, 1, "pbkdf2", "ripemd160", 655331, 15000, 1000 },
-	{ 0, 1, "pbkdf2", "ripemd160", 327661,     0, 2048 }, // boot only
-	{ 0, 1, "pbkdf2", "stribog512",500000, 15000, 1000 },
-//	{ 0, 1, "pbkdf2", "stribog512",200000,     0, 2048 }, // boot only
-	{ 0, 0,     NULL,        NULL,      0,     0,    0 }
+	{ false, false, "pbkdf2", "ripemd160",   2000, 0, 0 },
+	{ false, false, "pbkdf2", "ripemd160",   1000, 0, 0 },
+	{ false, false, "pbkdf2", "sha512",      1000, 0, 0 },
+	{ false, false, "pbkdf2", "whirlpool",   1000, 0, 0 },
+	{  true, false, "pbkdf2", "sha1",        2000, 0, 0 },
+	{ false,  true, "pbkdf2", "sha512",    500000, 15000, 1000 },
+	{ false,  true, "pbkdf2", "whirlpool", 500000, 15000, 1000 },
+	{ false,  true, "pbkdf2", "sha256",    500000, 15000, 1000 }, // VeraCrypt 1.0f
+	{ false,  true, "pbkdf2", "sha256",    200000,     0, 2048 }, // boot only
+	{ false,  true, "pbkdf2", "blake2s-256", 500000, 15000, 1000 }, // VeraCrypt 1.26.2
+	{ false,  true, "pbkdf2", "blake2s-256", 200000,     0, 2048 }, // boot only
+	{ false,  true, "pbkdf2", "ripemd160", 655331, 15000, 1000 },
+	{ false,  true, "pbkdf2", "ripemd160", 327661,     0, 2048 }, // boot only
+	{ false,  true, "pbkdf2", "stribog512",500000, 15000, 1000 },
+//	{ false,  true, "pbkdf2", "stribog512",200000,     0, 2048 }, // boot only
+	{ false, false,     NULL,        NULL,      0,     0,    0 }
 };
 
 struct tcrypt_alg {
@@ -53,95 +53,95 @@ struct tcrypt_alg {
 };
 
 struct tcrypt_algs {
-	unsigned int legacy:1;
+	bool legacy;
 	unsigned int chain_count;
 	unsigned int chain_key_size;
 	const char *long_name;
 	const char *mode;
-	struct tcrypt_alg cipher[3];
+	const struct tcrypt_alg cipher[3];
 };
 
 /* TCRYPT cipher variants */
-static struct tcrypt_algs tcrypt_cipher[] = {
+static const struct tcrypt_algs tcrypt_cipher[] = {
 /* XTS mode */
-{0,1,64,"aes","xts-plain64",
+{false,1,64,"aes","xts-plain64",
 	{{"aes",    64,16,0,32,0}}},
-{0,1,64,"serpent","xts-plain64",
+{false,1,64,"serpent","xts-plain64",
 	{{"serpent",64,16,0,32,0}}},
-{0,1,64,"twofish","xts-plain64",
+{false,1,64,"twofish","xts-plain64",
 	{{"twofish",64,16,0,32,0}}},
-{0,2,128,"twofish-aes","xts-plain64",
+{false,2,128,"twofish-aes","xts-plain64",
 	{{"twofish",64,16, 0,64,0},
 	 {"aes",    64,16,32,96,0}}},
-{0,3,192,"serpent-twofish-aes","xts-plain64",
+{false,3,192,"serpent-twofish-aes","xts-plain64",
 	{{"serpent",64,16, 0, 96,0},
 	 {"twofish",64,16,32,128,0},
 	 {"aes",    64,16,64,160,0}}},
-{0,2,128,"aes-serpent","xts-plain64",
+{false,2,128,"aes-serpent","xts-plain64",
 	{{"aes",    64,16, 0,64,0},
 	 {"serpent",64,16,32,96,0}}},
-{0,3,192,"aes-twofish-serpent","xts-plain64",
+{false,3,192,"aes-twofish-serpent","xts-plain64",
 	{{"aes",    64,16, 0, 96,0},
 	 {"twofish",64,16,32,128,0},
 	 {"serpent",64,16,64,160,0}}},
-{0,2,128,"serpent-twofish","xts-plain64",
+{false,2,128,"serpent-twofish","xts-plain64",
 	{{"serpent",64,16, 0,64,0},
 	 {"twofish",64,16,32,96,0}}},
-{0,1,64,"camellia","xts-plain64",
+{false,1,64,"camellia","xts-plain64",
 	{{"camellia",    64,16,0,32,0}}},
-{0,1,64,"kuznyechik","xts-plain64",
+{false,1,64,"kuznyechik","xts-plain64",
 	{{"kuznyechik",  64,16,0,32,0}}},
-{0,2,128,"kuznyechik-camellia","xts-plain64",
+{false,2,128,"kuznyechik-camellia","xts-plain64",
 	{{"kuznyechik",64,16, 0,64,0},
 	 {"camellia",  64,16,32,96,0}}},
-{0,2,128,"twofish-kuznyechik","xts-plain64",
+{false,2,128,"twofish-kuznyechik","xts-plain64",
 	{{"twofish",   64,16, 0,64,0},
 	 {"kuznyechik",64,16,32,96,0}}},
-{0,2,128,"serpent-camellia","xts-plain64",
+{false,2,128,"serpent-camellia","xts-plain64",
 	{{"serpent",   64,16, 0,64,0},
 	 {"camellia",  64,16,32,96,0}}},
-{0,2,128,"aes-kuznyechik","xts-plain64",
+{false,2,128,"aes-kuznyechik","xts-plain64",
 	{{"aes",       64,16, 0,64,0},
 	 {"kuznyechik",64,16,32,96,0}}},
-{0,3,192,"camellia-serpent-kuznyechik","xts-plain64",
+{false,3,192,"camellia-serpent-kuznyechik","xts-plain64",
 	{{"camellia",  64,16, 0, 96,0},
 	 {"serpent",   64,16,32,128,0},
 	 {"kuznyechik",64,16,64,160,0}}},
 
 /* LRW mode */
-{0,1,48,"aes","lrw-benbi",
+{false,1,48,"aes","lrw-benbi",
 	{{"aes",    48,16,32,0,0}}},
-{0,1,48,"serpent","lrw-benbi",
+{false,1,48,"serpent","lrw-benbi",
 	{{"serpent",48,16,32,0,0}}},
-{0,1,48,"twofish","lrw-benbi",
+{false,1,48,"twofish","lrw-benbi",
 	{{"twofish",48,16,32,0,0}}},
-{0,2,96,"twofish-aes","lrw-benbi",
+{false,2,96,"twofish-aes","lrw-benbi",
 	{{"twofish",48,16,32,0,0},
 	 {"aes",    48,16,64,0,0}}},
-{0,3,144,"serpent-twofish-aes","lrw-benbi",
+{false,3,144,"serpent-twofish-aes","lrw-benbi",
 	{{"serpent",48,16,32,0,0},
 	 {"twofish",48,16,64,0,0},
 	 {"aes",    48,16,96,0,0}}},
-{0,2,96,"aes-serpent","lrw-benbi",
+{false,2,96,"aes-serpent","lrw-benbi",
 	{{"aes",    48,16,32,0,0},
 	 {"serpent",48,16,64,0,0}}},
-{0,3,144,"aes-twofish-serpent","lrw-benbi",
+{false,3,144,"aes-twofish-serpent","lrw-benbi",
 	{{"aes",    48,16,32,0,0},
 	 {"twofish",48,16,64,0,0},
 	 {"serpent",48,16,96,0,0}}},
-{0,2,96,"serpent-twofish", "lrw-benbi",
+{false,2,96,"serpent-twofish", "lrw-benbi",
 	{{"serpent",48,16,32,0,0},
 	 {"twofish",48,16,64,0,0}}},
 
 /* Kernel LRW block size is fixed to 16 bytes for GF(2^128)
  * thus cannot be used with blowfish where block is 8 bytes.
  * There also no GF(2^64) support.
-{1,1,64,"blowfish_le","lrw-benbi",
+{true,1,64,"blowfish_le","lrw-benbi",
 	 {{"blowfish_le",64,8,32,0,0}}},
-{1,2,112,"blowfish_le-aes","lrw-benbi",
+{true,2,112,"blowfish_le-aes","lrw-benbi",
 	 {{"blowfish_le",64, 8,32,0,0},
 	  {"aes",        48,16,88,0,0}}},
-{1,3,160,"serpent-blowfish_le-aes","lrw-benbi",
+{true,3,160,"serpent-blowfish_le-aes","lrw-benbi",
 	  {{"serpent",    48,16, 32,0,0},
 	   {"blowfish_le",64, 8, 64,0,0},
 	   {"aes",        48,16,120,0,0}}},*/
@@ -150,39 +150,39 @@ static struct tcrypt_algs tcrypt_cipher[] = {
  * CBC + "outer" CBC (both with whitening)
  * chain_key_size: alg_keys_bytes + IV_seed_bytes + whitening_bytes
  */
-{1,1,32+16+16,"aes","cbc-tcw",
+{true,1,32+16+16,"aes","cbc-tcw",
 	{{"aes",    32,16,32,0,32}}},
-{1,1,32+16+16,"serpent","cbc-tcw",
+{true,1,32+16+16,"serpent","cbc-tcw",
 	{{"serpent",32,16,32,0,32}}},
-{1,1,32+16+16,"twofish","cbc-tcw",
+{true,1,32+16+16,"twofish","cbc-tcw",
 	{{"twofish",32,16,32,0,32}}},
-{1,2,64+16+16,"twofish-aes","cbci-tcrypt",
+{true,2,64+16+16,"twofish-aes","cbci-tcrypt",
 	{{"twofish",32,16,32,0,0},
 	 {"aes",    32,16,64,0,32}}},
-{1,3,96+16+16,"serpent-twofish-aes","cbci-tcrypt",
+{true,3,96+16+16,"serpent-twofish-aes","cbci-tcrypt",
 	{{"serpent",32,16,32,0,0},
 	 {"twofish",32,16,64,0,0},
 	 {"aes",    32,16,96,0,32}}},
-{1,2,64+16+16,"aes-serpent","cbci-tcrypt",
+{true,2,64+16+16,"aes-serpent","cbci-tcrypt",
 	{{"aes",    32,16,32,0,0},
 	 {"serpent",32,16,64,0,32}}},
-{1,3,96+16+16,"aes-twofish-serpent", "cbci-tcrypt",
+{true,3,96+16+16,"aes-twofish-serpent", "cbci-tcrypt",
 	{{"aes",    32,16,32,0,0},
 	 {"twofish",32,16,64,0,0},
 	 {"serpent",32,16,96,0,32}}},
-{1,2,64+16+16,"serpent-twofish", "cbci-tcrypt",
+{true,2,64+16+16,"serpent-twofish", "cbci-tcrypt",
 	{{"serpent",32,16,32,0,0},
 	 {"twofish",32,16,64,0,32}}},
-{1,1,16+8+16,"cast5","cbc-tcw",
+{true,1,16+8+16,"cast5","cbc-tcw",
 	{{"cast5",   16,8,32,0,24}}},
-{1,1,24+8+16,"des3_ede","cbc-tcw",
+{true,1,24+8+16,"des3_ede","cbc-tcw",
 	{{"des3_ede",24,8,32,0,24}}},
-{1,1,56+8+16,"blowfish_le","cbc-tcrypt",
+{true,1,56+8+16,"blowfish_le","cbc-tcrypt",
 	{{"blowfish_le",56,8,32,0,24}}},
-{1,2,88+16+16,"blowfish_le-aes","cbc-tcrypt",
+{true,2,88+16+16,"blowfish_le-aes","cbc-tcrypt",
 	{{"blowfish_le",56, 8,32,0,0},
 	 {"aes",        32,16,88,0,32}}},
-{1,3,120+16+16,"serpent-blowfish_le-aes","cbc-tcrypt",
+{true,3,120+16+16,"serpent-blowfish_le-aes","cbc-tcrypt",
 	{{"serpent",    32,16, 32,0,0},
 	 {"blowfish_le",56, 8, 64,0,0},
 	 {"aes",        32,16,120,0,32}}},
@@ -258,7 +258,7 @@ static void TCRYPT_swab_le(char *buf)
 	*r = swab32(*r);
 }
 
-static int decrypt_blowfish_le_cbc(struct tcrypt_alg *alg,
+static int decrypt_blowfish_le_cbc(const struct tcrypt_alg *alg,
 				   const char *key, char *buf)
 {
 	int bs = alg->iv_size;
@@ -301,27 +301,27 @@ static void TCRYPT_remove_whitening(char *buf, const char *key)
 		buf[j] ^= key[j % 8];
 }
 
-static void TCRYPT_copy_key(struct tcrypt_alg *alg, const char *mode,
+static void TCRYPT_copy_key(const struct tcrypt_alg *alg, const char *mode,
 			     char *out_key, const char *key)
 {
 	int ks2;
 	if (!strncmp(mode, "xts", 3)) {
 		ks2 = alg->key_size / 2;
-		memcpy(out_key, &key[alg->key_offset], ks2);
-		memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
+		crypt_safe_memcpy(out_key, &key[alg->key_offset], ks2);
+		crypt_safe_memcpy(&out_key[ks2], &key[alg->iv_offset], ks2);
 	} else if (!strncmp(mode, "lrw", 3)) {
 		ks2 = alg->key_size - TCRYPT_LRW_IKEY_LEN;
-		memcpy(out_key, &key[alg->key_offset], ks2);
-		memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
+		crypt_safe_memcpy(out_key, &key[alg->key_offset], ks2);
+		crypt_safe_memcpy(&out_key[ks2], key, TCRYPT_LRW_IKEY_LEN);
 	} else if (!strncmp(mode, "cbc", 3)) {
-		memcpy(out_key, &key[alg->key_offset], alg->key_size);
+		crypt_safe_memcpy(out_key, &key[alg->key_offset], alg->key_size);
 		/* IV + whitening */
-		memcpy(&out_key[alg->key_size], &key[alg->iv_offset],
+		crypt_safe_memcpy(&out_key[alg->key_size], &key[alg->iv_offset],
 		       alg->key_extra_size);
 	}
 }
 
-static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
+static int TCRYPT_decrypt_hdr_one(const struct tcrypt_alg *alg, const char *mode,
 				   const char *key,struct tcrypt_phdr *hdr)
 {
 	char backend_key[TCRYPT_HDR_KEY_LEN];
@@ -365,7 +365,7 @@ static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
  * For chained ciphers and CBC mode we need "outer" decryption.
  * Backend doesn't provide this, so implement it here directly using ECB.
  */
-static int TCRYPT_decrypt_cbci(struct tcrypt_algs *ciphers,
+static int TCRYPT_decrypt_cbci(const struct tcrypt_algs *ciphers,
 				const char *key, struct tcrypt_phdr *hdr)
 {
 	struct crypt_cipher *cipher[3];
@@ -606,7 +606,7 @@ static int TCRYPT_init_hdr(struct crypt_device *cd,
 
 	if ((r < 0 && skipped && skipped == i) || r == -ENOTSUP) {
 		log_err(cd, _("Required kernel crypto interface not available."));
-#ifdef ENABLE_AF_ALG
+#if ENABLE_AF_ALG
 		log_err(cd, _("Ensure you have algif_skcipher kernel module loaded."));
 #endif
 		r = -ENOTSUP;
@@ -707,7 +707,7 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
 	return r;
 }
 
-static struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
+static const struct tcrypt_algs *TCRYPT_get_algs(const char *cipher, const char *mode)
 {
 	int i;
 
@@ -732,11 +732,12 @@ int TCRYPT_activate(struct crypt_device *cd,
 	char *part_path;
 	unsigned int i;
 	int r;
-	uint32_t req_flags, dmc_flags;
-	struct tcrypt_algs *algs;
+	uint64_t req_flags, dmc_flags;
+	const struct tcrypt_algs *algs;
 	enum devcheck device_check;
-	uint64_t offset = crypt_get_data_offset(cd);
+	uint64_t offset, iv_offset;
 	struct volume_key *vk = NULL;
+	void *key = NULL;
 	struct device  *ptr_dev = crypt_data_device(cd), *device = NULL, *part_device = NULL;
 	struct crypt_dm_active_device dmd = {
 		.flags = flags
@@ -779,24 +780,64 @@ int TCRYPT_activate(struct crypt_device *cd,
 	else
 		device_check = DEV_EXCL;
 
-	if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) &&
-	     !crypt_dev_is_partition(device_path(crypt_data_device(cd)))) {
-		part_path = crypt_get_partition_device(device_path(crypt_data_device(cd)),
-						       crypt_get_data_offset(cd), dmd.size);
-		if (part_path) {
-			if (!device_alloc(cd, &part_device, part_path)) {
-				log_verbose(cd, _("Activating TCRYPT system encryption for partition %s."),
-					    part_path);
-				ptr_dev = part_device;
+	offset = crypt_get_data_offset(cd);
+	iv_offset = crypt_get_iv_offset(cd);
+
+	/*
+	 * System encryption is tricky, as the TCRYPT header is outside the partition area.
+	 * It can be a system partition only (TCRYPT header offset contains MK offset to
+	 * a particular partition) or the whole system (then MK offset starts on the header itself).
+	 * IV offset is always partition offset, but device offset depends on whether the user
+	 * copied the whole disk or just one encrypted partition.
+	 * This code tries to guess the most common situations but can still fail and use wrong offsets.
+	 * Recent UEFI systems never use whole system encryption.
+	 */
+	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+		if (crypt_dev_is_partition(device_path(crypt_data_device(cd)))) {
+			/* One partition */
+			offset = 0;
+			iv_offset = crypt_dev_partition_offset(device_path(crypt_data_device(cd)));
+		} else if (crypt_dev_is_partition(device_path(crypt_metadata_device(cd)))) {
+			/* One partition image, header is the original partition */
+			offset = 0;
+			iv_offset = crypt_dev_partition_offset(device_path(crypt_metadata_device(cd)));
+		} else {
+			/* No partition info, try partition-only mode searching for partition. */
+			part_path = crypt_get_partition_device(device_path(crypt_data_device(cd)),
+							       iv_offset, hdr->d.volume_size / SECTOR_SIZE);
+			if (!part_path)
+				part_path = crypt_get_partition_device(device_path(crypt_metadata_device(cd)),
+								       iv_offset, hdr->d.volume_size / SECTOR_SIZE);
+			if (part_path) {
+				if (!device_alloc(cd, &part_device, part_path)) {
+					log_verbose(cd, _("Activating TCRYPT system encryption for partition %s."),
+						part_path);
+					ptr_dev = part_device;
+					offset = 0;
+					iv_offset = crypt_dev_partition_offset(part_path);
+				}
+				free(part_path);
+			} else if (device_is_identical(crypt_metadata_device(cd), crypt_data_device(cd))) {
+				/*
+				 * We have no partition offset and TCRYPT system header is on the data device.
+				 * Use the whole device mapping.
+				 * There can be active partitions, do not use exclusive flag.
+				 */
+				device_check = DEV_OK;
+				dmd.size = hdr->d.volume_size / SECTOR_SIZE;
+				log_err(cd, _("Cannot determine TCRYPT system partition offset, activating whole encrypted area."));
+			} else {
+				/*
+				 * We have no partition offset and TCRYPT system header is on the metadata device
+				 * (TCRYPT system header was NOT read from data device).
+				 * Expect that data device is a copy of partition and not the whole device.
+				 * This will not work for whole system encryption, though.
+				 */
 				offset = 0;
+				log_err(cd, _("Cannot determine TCRYPT system partition offset, activating device as a system partition."));
 			}
-			free(part_path);
-		} else
-			/*
-			 * System encryption use the whole device mapping, there can
-			 * be active partitions.
-			 */
-			device_check = DEV_OK;
+		}
+		log_dbg(cd, "TCRYPT system encryption data_offset %" PRIu64 ", iv_offset %" PRIu64 ".", offset, iv_offset);
 	}
 
 	r = device_block_adjust(cd, ptr_dev, device_check,
@@ -825,8 +866,16 @@ int TCRYPT_activate(struct crypt_device *cd,
 			dmd.flags = flags | CRYPT_ACTIVATE_PRIVATE;
 		}
 
+		key = crypt_safe_alloc(crypt_volume_key_length(vk));
+		if (!key) {
+			r = -ENOMEM;
+			break;
+		}
+
 		TCRYPT_copy_key(&algs->cipher[i-1], algs->mode,
-				vk->key, hdr->d.keys);
+				key, hdr->d.keys);
+
+		crypt_volume_key_pass_safe_alloc(vk, &key);
 
 		if (algs->chain_count != i) {
 			if (snprintf(dm_dev_name, sizeof(dm_dev_name), "%s/%s_%d", dm_get_dir(), name, i) < 0) {
@@ -847,16 +896,13 @@ int TCRYPT_activate(struct crypt_device *cd,
 		}
 
 		r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, ptr_dev, vk,
-				cipher_spec, crypt_get_iv_offset(cd), offset,
-				crypt_get_integrity(cd),
-				crypt_get_integrity_tag_size(cd),
-				crypt_get_sector_size(cd));
+				cipher_spec, iv_offset, offset, NULL, 0, 0, crypt_get_sector_size(cd));
 		if (r)
 			break;
 
 		log_dbg(cd, "Trying to activate TCRYPT device %s using cipher %s.",
 			dm_name, dmd.segment.u.crypt.cipher);
-		r = dm_create_device(cd, dm_name, CRYPT_TCRYPT, &dmd);
+		r = dm_create_device(cd, dm_name, i == 1 ? CRYPT_TCRYPT : CRYPT_SUBDEV, &dmd);
 
 		dm_targets_free(cd, &dmd);
 		device_free(cd, device);
@@ -873,12 +919,33 @@ int TCRYPT_activate(struct crypt_device *cd,
 	}
 
 out:
+	crypt_safe_free(key);
 	crypt_free_volume_key(vk);
 	device_free(cd, device);
 	device_free(cd, part_device);
 	return r;
 }
 
+static bool is_tcrypt_subdev(const char *dm_uuid, const char *base_uuid)
+{
+	const char *base_uuid_name;
+
+	assert(base_uuid);
+	base_uuid_name = strchr(base_uuid, '-');
+
+	if (!dm_uuid || !base_uuid_name)
+		return false;
+
+	if (!strncmp(dm_uuid, "SUBDEV-", 7))
+		return !strncmp(dm_uuid + 6, base_uuid_name, strlen(base_uuid_name));
+
+	/*
+	 * FIXME: Drop after shift to dependency based deactivation (CRYPT_SUBDEV)
+	 * in later releases
+	 */
+	return !strncmp(dm_uuid, base_uuid, strlen(base_uuid));
+}
+
 static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
 		      const char *base_uuid, int index, uint32_t flags)
 {
@@ -894,7 +961,7 @@ static int TCRYPT_remove_one(struct crypt_device *cd, const char *name,
 		return r;
 
 	r = dm_query_device(cd, dm_name, DM_ACTIVE_UUID, &dmd);
-	if (!r && !strncmp(dmd.uuid, base_uuid, strlen(base_uuid)))
+	if (!r && is_tcrypt_subdev(dmd.uuid, base_uuid))
 		r = dm_remove_device(cd, dm_name, flags);
 
 	free(CONST_CAST(void*)dmd.uuid);
@@ -916,6 +983,7 @@ int TCRYPT_deactivate(struct crypt_device *cd, const char *name, uint32_t flags)
 	if (r < 0)
 		goto out;
 
+	/* FIXME: replace with dependency based deactivation (CRYPT_SUBDEV) in later releases */
 	r = TCRYPT_remove_one(cd, name, dmd.uuid, 1, flags);
 	if (r < 0)
 		goto out;
@@ -934,8 +1002,10 @@ static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
 {
 	struct crypt_dm_active_device dmd;
 	struct dm_target *tgt = &dmd.segment;
-	char dm_name[PATH_MAX], *c;
+	const char *c;
+	char dm_name[PATH_MAX];
 	int r;
+	size_t cipher_len = MAX_CIPHER_LEN;
 
 	if (snprintf(dm_name, sizeof(dm_name), "%s_%d", name, index) < 0)
 		return -ENOMEM;
@@ -957,12 +1027,12 @@ static int TCRYPT_status_one(struct crypt_device *cd, const char *name,
 
 	r = 0;
 
-	if (!strncmp(dmd.uuid, base_uuid, strlen(base_uuid))) {
+	if (is_tcrypt_subdev(dmd.uuid, base_uuid)) {
 		if ((c = strchr(tgt->u.crypt.cipher, '-')))
-			*c = '\0';
+			cipher_len = c - tgt->u.crypt.cipher;
 		strcat(cipher, "-");
-		strncat(cipher, tgt->u.crypt.cipher, MAX_CIPHER_LEN);
-		*key_size += tgt->u.crypt.vk->keylength;
+		strncat(cipher, tgt->u.crypt.cipher, cipher_len);
+		*key_size += crypt_volume_key_length(tgt->u.crypt.vk);
 		tcrypt_hdr->d.mk_offset = tgt->u.crypt.offset * SECTOR_SIZE;
 		device_free(cd, *device);
 		MOVE_REF(*device, tgt->data_device);
@@ -981,7 +1051,7 @@ int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
 			struct crypt_params_tcrypt *tcrypt_params,
 			struct tcrypt_phdr *tcrypt_hdr)
 {
-	struct tcrypt_algs *algs;
+	const struct tcrypt_algs *algs;
 	char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN+1], *tmp;
 	size_t key_size;
 	int r;
@@ -999,7 +1069,7 @@ int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
 	mode[MAX_CIPHER_LEN] = '\0';
 	strncpy(mode, ++tmp, MAX_CIPHER_LEN);
 
-	key_size = tgt->u.crypt.vk->keylength;
+	key_size = crypt_volume_key_length(tgt->u.crypt.vk);
 	r = TCRYPT_status_one(cd, name, uuid, 1, &key_size,
 			      cipher, tcrypt_hdr, device);
 	if (!r)
@@ -1028,9 +1098,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 	if (!hdr->d.version) {
 		/* No real header loaded, initialized by active device, use default mk_offset */
 	} else if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
-		/* Mapping through whole device, not partition! */
-		if (crypt_dev_is_partition(device_path(crypt_data_device(cd))))
-			return 0;
+		/* Mapping through whole device or partition, return mk_offset */
 	} else if (params->mode && !strncmp(params->mode, "xts", 3)) {
 		if (hdr->d.version < 3)
 			return 1;
@@ -1057,25 +1125,12 @@ uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
 			      struct tcrypt_phdr *hdr,
 			      struct crypt_params_tcrypt *params)
 {
-	uint64_t iv_offset, partition_offset;
-
 	if (params->mode && !strncmp(params->mode, "xts", 3))
-		iv_offset = TCRYPT_get_data_offset(cd, hdr, params);
+		return TCRYPT_get_data_offset(cd, hdr, params);
 	else if (params->mode && !strncmp(params->mode, "lrw", 3))
-		iv_offset = 0;
-	else
-		iv_offset = hdr->d.mk_offset / SECTOR_SIZE;
+		return 0;
 
-	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
-		partition_offset = crypt_dev_partition_offset(device_path(crypt_data_device(cd)));
-		/* FIXME: we need to deal with overflow sooner */
-		if (iv_offset > (UINT64_MAX - partition_offset))
-			iv_offset = UINT64_MAX;
-		else
-			iv_offset += partition_offset;
-	}
-
-	return iv_offset;
+	return hdr->d.mk_offset / SECTOR_SIZE;
 }
 
 int TCRYPT_get_volume_key(struct crypt_device *cd,
@@ -1083,8 +1138,9 @@ int TCRYPT_get_volume_key(struct crypt_device *cd,
 			  struct crypt_params_tcrypt *params,
 			  struct volume_key **vk)
 {
-	struct tcrypt_algs *algs;
+	const struct tcrypt_algs *algs;
 	unsigned int i, key_index;
+	void *key = NULL;
 
 	if (!hdr->d.version) {
 		log_err(cd, _("This function is not supported without TCRYPT header load."));
@@ -1095,16 +1151,22 @@ int TCRYPT_get_volume_key(struct crypt_device *cd,
 	if (!algs)
 		return -EINVAL;
 
-	*vk = crypt_alloc_volume_key(params->key_size, NULL);
-	if (!*vk)
+	key = crypt_safe_alloc(params->key_size);
+	if (!key)
 		return -ENOMEM;
 
 	for (i = 0, key_index = 0; i < algs->chain_count; i++) {
 		TCRYPT_copy_key(&algs->cipher[i], algs->mode,
-				&(*vk)->key[key_index], hdr->d.keys);
+				&((char *)key)[key_index], hdr->d.keys);
 		key_index += algs->cipher[i].key_size;
 	}
 
+	*vk = crypt_alloc_volume_key_by_safe_alloc(&key);
+	if (!*vk) {
+		crypt_safe_free(key);
+		return -ENOMEM;
+	}
+
 	return 0;
 }
 
@@ -1119,9 +1181,14 @@ int TCRYPT_dump(struct crypt_device *cd,
 		log_std(cd, "Version:       \t%d\n", hdr->d.version);
 		log_std(cd, "Driver req.:\t%x.%x\n", hdr->d.version_tc >> 8,
 						    hdr->d.version_tc & 0xFF);
-
-		log_std(cd, "Sector size:\t%" PRIu32 "\n", hdr->d.sector_size);
-		log_std(cd, "MK offset:\t%" PRIu64 "\n", hdr->d.mk_offset);
+		log_std(cd, "Flags:       \t0x%x\n", hdr->d.flags);
+
+		log_std(cd, "Sector size:\t%" PRIu32 " [bytes]\n", hdr->d.sector_size);
+		log_std(cd, "MK offset:\t%" PRIu64 " [bytes]\n", hdr->d.mk_offset);
+		if (hdr->d.volume_size)
+			log_std(cd, "Volume size:\t%" PRIu64 " [bytes]\n", hdr->d.volume_size);
+		if (hdr->d.hidden_volume_size)
+			log_std(cd, "Hidden size:\t%" PRIu64 " [bytes]\n", hdr->d.hidden_volume_size);
 		log_std(cd, "PBKDF2 hash:\t%s\n", params->hash_name);
 	}
 	log_std(cd, "Cipher chain:\t%s\n", params->cipher);
diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h
index 8efccb8..db3b723 100644
--- a/lib/tcrypt/tcrypt.h
+++ b/lib/tcrypt/tcrypt.h
@@ -2,8 +2,8 @@
 /*
  * TCRYPT (TrueCrypt-compatible)  header definition
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #ifndef _CRYPTSETUP_TCRYPT_H
diff --git a/lib/utils.c b/lib/utils.c
index 7a6df4c..afde568 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <stdio.h>
diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
index 51f7e65..3694f27 100644
--- a/lib/utils_benchmark.c
+++ b/lib/utils_benchmark.c
@@ -2,8 +2,8 @@
 /*
  * libcryptsetup - cryptsetup library, cipher benchmark
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include <stdlib.h>
diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c
index a5cf5ad..44e501b 100644
--- a/lib/utils_blkid.c
+++ b/lib/utils_blkid.c
@@ -2,7 +2,7 @@
 /*
  * blkid probe utilities
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <errno.h>
@@ -15,7 +15,7 @@
 #include "utils_blkid.h"
 #include "utils_io.h"
 
-#ifdef HAVE_BLKID
+#if HAVE_BLKID
 
 #include <blkid/blkid.h>
 /* make bad checksums flag optional */
@@ -26,7 +26,7 @@ struct blkid_handle {
 	int fd;
 	blkid_probe pr;
 };
-#ifndef HAVE_BLKID_WIPE
+#if !HAVE_BLKID_WIPE
 static size_t crypt_getpagesize(void)
 {
 	long r = sysconf(_SC_PAGESIZE);
@@ -38,7 +38,7 @@ void blk_set_chains_for_wipes(struct blkid_handle *h)
 {
 	blkid_probe_enable_partitions(h->pr, 1);
 	blkid_probe_set_partitions_flags(h->pr, 0
-#ifdef HAVE_BLKID_WIPE
+#if HAVE_BLKID_WIPE
 	| BLKID_PARTS_MAGIC
 #endif
 	);
@@ -198,10 +198,10 @@ void blk_free(struct blkid_handle *h)
 	free(h);
 }
 
-#ifndef HAVE_BLKID_WIPE
+#if !HAVE_BLKID_WIPE
 static int blk_step_back(struct blkid_handle *h)
 {
-#ifdef HAVE_BLKID_STEP_BACK
+#if HAVE_BLKID_STEP_BACK
 	return blkid_probe_step_back(h->pr);
 #else
 	blkid_reset_probe(h->pr);
@@ -213,7 +213,7 @@ static int blk_step_back(struct blkid_handle *h)
 
 int blk_do_wipe(struct blkid_handle *h)
 {
-#ifdef HAVE_BLKID_WIPE
+#if HAVE_BLKID_WIPE
 	return blkid_do_wipe(h->pr, 0);
 #else
 	const char *offset;
diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h
index 6d7f70f..2112575 100644
--- a/lib/utils_blkid.h
+++ b/lib/utils_blkid.h
@@ -2,7 +2,7 @@
 /*
  * blkid probe utilities
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef _UTILS_BLKID_H
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 31ac678..a5eca18 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -3,8 +3,8 @@
  * utils_crypt - cipher utilities for cryptsetup
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <stdlib.h>
@@ -95,7 +95,7 @@ int crypt_parse_hash_integrity_mode(const char *s, char *integrity)
 }
 
 int crypt_parse_integrity_mode(const char *s, char *integrity,
-			       int *integrity_key_size)
+			       int *integrity_key_size, int required_key_size)
 {
 	int ks = 0, r = 0;
 
@@ -108,18 +108,37 @@ int crypt_parse_integrity_mode(const char *s, char *integrity,
 	    !strcmp(s, "none")) {
 		strncpy(integrity, s, MAX_CIPHER_LEN);
 		ks = 0;
+		if (required_key_size != ks)
+			r = -EINVAL;
 	} else if (!strcmp(s, "hmac-sha1")) {
 		strncpy(integrity, "hmac(sha1)", MAX_CIPHER_LEN);
-		ks = 20;
+		ks = required_key_size ?: 20;
 	} else if (!strcmp(s, "hmac-sha256")) {
 		strncpy(integrity, "hmac(sha256)", MAX_CIPHER_LEN);
-		ks = 32;
+		ks = required_key_size ?: 32;
 	} else if (!strcmp(s, "hmac-sha512")) {
-		ks = 64;
 		strncpy(integrity, "hmac(sha512)", MAX_CIPHER_LEN);
+		ks = required_key_size ?: 64;
+	} else if (!strcmp(s, "phmac-sha1")) {
+		strncpy(integrity, "phmac(sha1)", MAX_CIPHER_LEN);
+		ks = required_key_size;
+		if (!required_key_size)
+			r = -EINVAL;
+	} else if (!strcmp(s, "phmac-sha256")) {
+		strncpy(integrity, "phmac(sha256)", MAX_CIPHER_LEN);
+		ks = required_key_size;
+		if (!required_key_size)
+			r = -EINVAL;
+	} else if (!strcmp(s, "phmac-sha512")) {
+		strncpy(integrity, "phmac(sha512)", MAX_CIPHER_LEN);
+		ks = required_key_size;
+		if (!required_key_size)
+			r = -EINVAL;
 	} else if (!strcmp(s, "cmac-aes")) {
-		ks = 16;
 		strncpy(integrity, "cmac(aes)", MAX_CIPHER_LEN);
+		ks = 16;
+		if (required_key_size && required_key_size != ks)
+			r = -EINVAL;
 	} else
 		r = -EINVAL;
 
diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h
index 470cbeb..21cf4b5 100644
--- a/lib/utils_crypt.h
+++ b/lib/utils_crypt.h
@@ -3,8 +3,8 @@
  * utils_crypt - cipher utilities for cryptsetup
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef _UTILS_CRYPT_H
@@ -28,7 +28,7 @@ int crypt_parse_name_and_mode(const char *s, char *cipher,
 			      int *key_nums, char *cipher_mode);
 int crypt_parse_hash_integrity_mode(const char *s, char *integrity);
 int crypt_parse_integrity_mode(const char *s, char *integrity,
-			       int *integrity_key_size);
+			       int *integrity_key_size, int required_key_size);
 int crypt_parse_pbkdf(const char *s, const char **pbkdf);
 
 ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc);
diff --git a/lib/utils_device.c b/lib/utils_device.c
index 6b7af6e..1cdbcc6 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <string.h>
@@ -16,10 +16,10 @@
 #include <sys/ioctl.h>
 #include <linux/fs.h>
 #include <unistd.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
-#ifdef HAVE_SYS_STATVFS_H
+#if HAVE_SYS_STATVFS_H
 # include <sys/statvfs.h>
 #endif
 #include "internal.h"
@@ -48,19 +48,19 @@ struct device {
 
 static size_t device_fs_block_size_fd(int fd)
 {
-	size_t page_size = crypt_getpagesize();
+	size_t max_size = MAX_SECTOR_SIZE;
 
-#ifdef HAVE_SYS_STATVFS_H
+#if HAVE_SYS_STATVFS_H
 	struct statvfs buf;
 
 	/*
 	 * NOTE: some filesystems (NFS) returns bogus blocksize (1MB).
 	 * Page-size io should always work and avoids increasing IO beyond aligned LUKS header.
 	 */
-	if (!fstatvfs(fd, &buf) && buf.f_bsize && buf.f_bsize <= page_size)
+	if (!fstatvfs(fd, &buf) && buf.f_bsize && buf.f_bsize <= max_size)
 		return (size_t)buf.f_bsize;
 #endif
-	return page_size;
+	return max_size;
 }
 
 static size_t device_block_size_fd(int fd, size_t *min_size)
@@ -127,19 +127,19 @@ static size_t device_alignment_fd(int devfd)
 	return (size_t)alignment;
 }
 
-static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
+static int device_read_test(struct crypt_device *cd, int devfd)
 {
 	char buffer[512];
-	int r = -EIO;
+	int r;
 	size_t minsize = 0, blocksize, alignment;
-	const char *dm_name;
+	struct stat st;
+
+	/* skip check for block devices, direct-io must work there  */
+	if (fstat(devfd, &st) < 0)
+		return -EINVAL;
 
-	/* skip check for suspended DM devices */
-	dm_name = device_dm_name(device);
-	if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
-		log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
+	if (S_ISBLK(st.st_mode))
 		return 0;
-	}
 
 	blocksize = device_block_size_fd(devfd, &minsize);
 	alignment = device_alignment_fd(devfd);
@@ -153,10 +153,13 @@ static int device_read_test(struct crypt_device *cd, int devfd, struct device *d
 	if (minsize > sizeof(buffer))
 		minsize = sizeof(buffer);
 
-	if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
+	if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize) {
+		log_dbg(cd, "Direct-io read works.");
 		r = 0;
-
-	log_dbg(cd, "Direct-io is supported and works.");
+	} else {
+		log_dbg(cd, "Direct-io read failed.");
+		r = -EIO;
+	}
 
 	crypt_safe_memzero(buffer, sizeof(buffer));
 	return r;
@@ -180,12 +183,12 @@ static int device_ready(struct crypt_device *cd, struct device *device)
 		return -EINVAL;
 
 	if (device->o_direct) {
-		log_dbg(cd, "Trying to open and read device %s with direct-io.",
+		log_dbg(cd, "Trying to open device %s with direct-io.",
 			device_path(device));
 		device->o_direct = 0;
 		devfd = open(device_path(device), O_RDONLY | O_DIRECT);
 		if (devfd >= 0) {
-			if (device_read_test(cd, devfd, device) == 0) {
+			if (device_read_test(cd, devfd) == 0) {
 				device->o_direct = 1;
 			} else {
 				close(devfd);
@@ -473,21 +476,6 @@ const char *device_block_path(const struct device *device)
 	return device->path;
 }
 
-/* Get device-mapper name of device (if possible) */
-const char *device_dm_name(const struct device *device)
-{
-	const char *dmdir = dm_get_dir();
-	size_t dmdir_len = strlen(dmdir);
-
-	if (!device)
-		return NULL;
-
-	if (strncmp(device->path, dmdir, dmdir_len))
-		return NULL;
-
-	return &device->path[dmdir_len+1];
-}
-
 /* Get path to device / file */
 const char *device_path(const struct device *device)
 {
@@ -530,7 +518,7 @@ void device_topology_alignment(struct crypt_device *cd,
 
 	/* minimum io size */
 	if (ioctl(fd, BLKIOMIN, &min_io_size) == -1) {
-		log_dbg(cd, "Topology info for %s not supported, using default offset %lu bytes.",
+		log_dbg(cd, "Topology info for %s not supported, using default alignment %lu bytes.",
 			device->path, default_alignment);
 		goto out;
 	}
@@ -1014,6 +1002,36 @@ int device_is_zoned(struct device *device)
 	return crypt_dev_is_zoned(major(st.st_rdev), minor(st.st_rdev));
 }
 
+int device_is_nop_dif(struct device *device, uint32_t *tag_size)
+{
+	char *base_device_path;
+	int r;
+	struct stat st;
+
+	if (!device)
+		return -EINVAL;
+
+	/*
+	 * For partition devices, check integrity profile on the base device.
+	 * Partition device nodes don't advertise integrity profile directly
+	 * via sysfs attributes.
+	 */
+	base_device_path = crypt_get_base_device(device_path(device));
+	if (base_device_path) {
+		r = stat(base_device_path, &st);
+		free(base_device_path);
+	} else
+		r = stat(device_path(device), &st);
+
+	if (r < 0)
+		return -EINVAL;
+
+	if (!S_ISBLK(st.st_mode))
+		return 0;
+
+	return crypt_dev_is_nop_dif(major(st.st_rdev), minor(st.st_rdev), tag_size);
+}
+
 size_t device_alignment(struct device *device)
 {
 	int devfd;
diff --git a/lib/utils_device_locking.c b/lib/utils_device_locking.c
index 57a467d..8859223 100644
--- a/lib/utils_device_locking.c
+++ b/lib/utils_device_locking.c
@@ -2,8 +2,8 @@
 /*
  * Metadata on-disk locking for processes serialization
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #include <errno.h>
@@ -15,7 +15,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
 #include <libgen.h>
diff --git a/lib/utils_device_locking.h b/lib/utils_device_locking.h
index 4287dbf..9cc25ca 100644
--- a/lib/utils_device_locking.h
+++ b/lib/utils_device_locking.h
@@ -2,8 +2,8 @@
 /*
  * Metadata on-disk locking for processes serialization
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #ifndef _CRYPTSETUP_UTILS_LOCKING_H
diff --git a/lib/utils_devpath.c b/lib/utils_devpath.c
index 2c94048..28039f0 100644
--- a/lib/utils_devpath.c
+++ b/lib/utils_devpath.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <string.h>
@@ -17,7 +17,7 @@
 #include <limits.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
 #include "internal.h"
@@ -262,6 +262,29 @@ int crypt_dev_is_zoned(int major, int minor)
 	return strncmp(buf, "none", 4) ? 1 : 0;
 }
 
+int crypt_dev_is_nop_dif(int major, int minor, uint32_t *tag_size)
+{
+	char buf[64] = {};
+	uint64_t val = 0;
+
+	if (!_sysfs_get_string(major, minor, buf, sizeof(buf), "integrity/format"))
+		return 0;
+
+	if (strncmp(buf, "nop", 3))
+		return 0;
+
+	/* this field is currently supported only for NVMe */
+	_sysfs_get_uint64(major, minor, &val, "metadata_bytes");
+
+	/* tag_size should be 0, but it is set by dm-integrity, try it as a fallback */
+	if (val == 0)
+		_sysfs_get_uint64(major, minor, &val, "integrity/tag_size");
+
+	/* we can still return 0 and support metadata, caller must handle it */
+	*tag_size = (uint32_t)val;
+	return 1;
+}
+
 int crypt_dev_is_partition(const char *dev_path)
 {
 	uint64_t val;
@@ -420,7 +443,7 @@ int lookup_by_disk_id(const char *dm_uuid)
 {
 	struct dirent *entry;
 	struct stat st;
-	int r = 0; /* not found */
+	int dfd, r = 0; /* not found */
 	DIR *dir = opendir("/dev/disk/by-id");
 
 	if (!dir)
@@ -432,7 +455,8 @@ int lookup_by_disk_id(const char *dm_uuid)
 		    !strncmp(entry->d_name, "..", 2))
 			continue;
 
-		if (fstatat(dirfd(dir), entry->d_name, &st, AT_SYMLINK_NOFOLLOW)) {
+		dfd = dirfd(dir);
+		if (dfd < 0 || fstatat(dfd, entry->d_name, &st, AT_SYMLINK_NOFOLLOW)) {
 			r = -EINVAL;
 			break;
 		}
@@ -457,7 +481,7 @@ int lookup_by_sysfs_uuid_field(const char *dm_uuid)
 	char subpath[PATH_MAX], uuid[DM_UUID_LEN];
 	ssize_t s;
 	struct stat st;
-	int fd, len, r = 0; /* not found */
+	int fd, dfd, len, r = 0; /* not found */
 	DIR *dir = opendir("/sys/block/");
 
 	if (!dir)
@@ -476,7 +500,10 @@ int lookup_by_sysfs_uuid_field(const char *dm_uuid)
 		}
 
 		/* looking for dm-X/dm/uuid file, symlinks are fine */
-		fd = openat(dirfd(dir), subpath, O_RDONLY | O_CLOEXEC);
+		dfd = dirfd(dir);
+		if (dfd < 0)
+			continue;
+		fd = openat(dfd, subpath, O_RDONLY | O_CLOEXEC);
 		if (fd < 0)
 			continue;
 
diff --git a/lib/utils_dm.h b/lib/utils_dm.h
index 29ff777..4a55811 100644
--- a/lib/utils_dm.h
+++ b/lib/utils_dm.h
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef _UTILS_DM_H
@@ -22,72 +22,71 @@ struct device;
 struct crypt_params_integrity;
 
 /* Device mapper internal flags */
-#define DM_RESUME_PRIVATE      (1 << 4) /* CRYPT_ACTIVATE_PRIVATE */
-#define DM_SUSPEND_SKIP_LOCKFS (1 << 5)
-#define DM_SUSPEND_WIPE_KEY    (1 << 6)
-#define DM_SUSPEND_NOFLUSH     (1 << 7)
+#define DM_RESUME_PRIVATE (UINT64_C(1) << 4) /* CRYPT_ACTIVATE_PRIVATE */
+#define DM_SUSPEND_SKIP_LOCKFS (UINT64_C(1) << 5)
+#define DM_SUSPEND_WIPE_KEY (UINT64_C(1) << 6)
+#define DM_SUSPEND_NOFLUSH (UINT64_C(1) << 7)
 
-static inline uint32_t act2dmflags(uint32_t act_flags)
+static inline uint64_t act2dmflags(uint64_t act_flags)
 {
 	return (act_flags & DM_RESUME_PRIVATE);
 }
 
 /* Device mapper backend - kernel support flags */
-#define DM_KEY_WIPE_SUPPORTED (1 << 0)	/* key wipe message */
-#define DM_LMK_SUPPORTED      (1 << 1)	/* lmk mode */
-#define DM_SECURE_SUPPORTED   (1 << 2)	/* wipe (secure) buffer flag */
-#define DM_PLAIN64_SUPPORTED  (1 << 3)	/* plain64 IV */
-#define DM_DISCARDS_SUPPORTED (1 << 4)	/* discards/TRIM option is supported */
-#define DM_VERITY_SUPPORTED   (1 << 5)	/* dm-verity target supported */
-#define DM_TCW_SUPPORTED      (1 << 6)	/* tcw (TCRYPT CBC with whitening) */
-#define DM_SAME_CPU_CRYPT_SUPPORTED (1 << 7) /* same_cpu_crypt */
-#define DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED (1 << 8) /* submit_from_crypt_cpus */
-#define DM_VERITY_ON_CORRUPTION_SUPPORTED (1 << 9) /* ignore/restart_on_corruption, ignore_zero_block */
-#define DM_VERITY_FEC_SUPPORTED (1 << 10) /* Forward Error Correction (FEC) */
-#define DM_KERNEL_KEYRING_SUPPORTED (1 << 11) /* dm-crypt allows loading kernel keyring keys */
-#define DM_INTEGRITY_SUPPORTED (1 << 12) /* dm-integrity target supported */
-#define DM_SECTOR_SIZE_SUPPORTED (1 << 13) /* support for sector size setting in dm-crypt/dm-integrity */
-#define DM_CAPI_STRING_SUPPORTED (1 << 14) /* support for cryptoapi format cipher definition */
-#define DM_DEFERRED_SUPPORTED (1 << 15) /* deferred removal of device */
-#define DM_INTEGRITY_RECALC_SUPPORTED (1 << 16) /* dm-integrity automatic recalculation supported */
-#define DM_INTEGRITY_BITMAP_SUPPORTED (1 << 17) /* dm-integrity bitmap mode supported */
-#define DM_GET_TARGET_VERSION_SUPPORTED (1 << 18) /* dm DM_GET_TARGET version ioctl supported */
-#define DM_INTEGRITY_FIX_PADDING_SUPPORTED (1 << 19) /* supports the parameter fix_padding that fixes a bug that caused excessive padding */
-#define DM_BITLK_EBOIV_SUPPORTED (1 << 20) /* EBOIV for BITLK supported */
-#define DM_BITLK_ELEPHANT_SUPPORTED (1 << 21) /* Elephant diffuser for BITLK supported */
-#define DM_VERITY_SIGNATURE_SUPPORTED (1 << 22) /* Verity option root_hash_sig_key_desc supported */
-#define DM_INTEGRITY_DISCARDS_SUPPORTED (1 << 23) /* dm-integrity discards/TRIM option is supported */
-#define DM_INTEGRITY_RESIZE_SUPPORTED (1 << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/
-#define DM_VERITY_PANIC_CORRUPTION_SUPPORTED (1 << 24) /* dm-verity panic on corruption  */
-#define DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt support for bypassing workqueues  */
-#define DM_INTEGRITY_FIX_HMAC_SUPPORTED (1 << 26) /* hmac covers also superblock */
-#define DM_INTEGRITY_RESET_RECALC_SUPPORTED (1 << 27) /* dm-integrity automatic recalculation supported */
-#define DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */
+#define DM_KEY_WIPE_SUPPORTED (UINT64_C(1) << 0) /* key wipe message */
+#define DM_LMK_SUPPORTED (UINT64_C(1) << 1) /* lmk mode */
+#define DM_SECURE_SUPPORTED (UINT64_C(1) << 2) /* wipe (secure) buffer flag */
+#define DM_PLAIN64_SUPPORTED (UINT64_C(1) << 3) /* plain64 IV */
+#define DM_DISCARDS_SUPPORTED (UINT64_C(1) << 4) /* discards/TRIM option is supported */
+#define DM_VERITY_SUPPORTED (UINT64_C(1) << 5) /* dm-verity target supported */
+#define DM_TCW_SUPPORTED (UINT64_C(1) << 6) /* tcw (TCRYPT CBC with whitening) */
+#define DM_SAME_CPU_CRYPT_SUPPORTED (UINT64_C(1) << 7) /* same_cpu_crypt */
+#define DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED (UINT64_C(1) << 8) /* submit_from_crypt_cpus */
+#define DM_VERITY_ON_CORRUPTION_SUPPORTED (UINT64_C(1) << 9) /* ignore/restart_on_corruption, ignore_zero_block */
+#define DM_VERITY_FEC_SUPPORTED (UINT64_C(1) << 10) /* Forward Error Correction (FEC) */
+#define DM_KERNEL_KEYRING_SUPPORTED (UINT64_C(1) << 11) /* dm-crypt allows loading kernel keyring keys */
+#define DM_INTEGRITY_SUPPORTED (UINT64_C(1) << 12) /* dm-integrity target supported */
+#define DM_SECTOR_SIZE_SUPPORTED (UINT64_C(1) << 13) /* support for sector size setting in dm-crypt/dm-integrity */
+#define DM_CAPI_STRING_SUPPORTED (UINT64_C(1) << 14) /* support for cryptoapi format cipher definition */
+#define DM_DEFERRED_SUPPORTED (UINT64_C(1) << 15) /* deferred removal of device */
+#define DM_INTEGRITY_RECALC_SUPPORTED (UINT64_C(1) << 16) /* dm-integrity automatic recalculation supported */
+#define DM_INTEGRITY_BITMAP_SUPPORTED (UINT64_C(1) << 17) /* dm-integrity bitmap mode supported */
+#define DM_GET_TARGET_VERSION_SUPPORTED (UINT64_C(1) << 18) /* dm DM_GET_TARGET version ioctl supported */
+#define DM_INTEGRITY_FIX_PADDING_SUPPORTED (UINT64_C(1) << 19) /* supports the parameter fix_padding that fixes a bug that caused excessive padding */
+#define DM_BITLK_EBOIV_SUPPORTED (UINT64_C(1) << 20) /* EBOIV for BITLK supported */
+#define DM_BITLK_ELEPHANT_SUPPORTED (UINT64_C(1) << 21) /* Elephant diffuser for BITLK supported */
+#define DM_VERITY_SIGNATURE_SUPPORTED (UINT64_C(1) << 22) /* Verity option root_hash_sig_key_desc supported */
+#define DM_INTEGRITY_DISCARDS_SUPPORTED (UINT64_C(1) << 23) /* dm-integrity discards/TRIM option is supported */
+#define DM_INTEGRITY_RESIZE_SUPPORTED (UINT64_C(1) << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/
+#define DM_VERITY_PANIC_CORRUPTION_SUPPORTED (UINT64_C(1) << 24) /* dm-verity panic on corruption  */
+#define DM_CRYPT_NO_WORKQUEUE_SUPPORTED (UINT64_C(1) << 25) /* dm-crypt support for bypassing workqueues  */
+#define DM_INTEGRITY_FIX_HMAC_SUPPORTED (UINT64_C(1) << 26) /* hmac covers also superblock */
+#define DM_INTEGRITY_RESET_RECALC_SUPPORTED (UINT64_C(1) << 27) /* dm-integrity automatic recalculation supported */
+#define DM_VERITY_TASKLETS_SUPPORTED (UINT64_C(1) << 28) /* dm-verity tasklets supported */
+#define DM_CRYPT_HIGH_PRIORITY_SUPPORTED (UINT64_C(1) << 29) /* dm-crypt high priority workqueue flag supported  */
+#define DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED (UINT64_C(1) << 30) /* dm-crypt support for integrity_key_size option */
+#define DM_VERITY_ERROR_AS_CORRUPTION_SUPPORTED (UINT64_C(1) << 31) /* dm-verity restart/panic on corruption supported */
+#define DM_INTEGRITY_INLINE_MODE_SUPPORTED (UINT64_C(1) << 32) /* dm-integrity inline mode supported */
 
 typedef enum { DM_CRYPT = 0, DM_VERITY, DM_INTEGRITY, DM_LINEAR, DM_ERROR, DM_ZERO, DM_UNKNOWN } dm_target_type;
 enum tdirection { TARGET_EMPTY = 0, TARGET_SET, TARGET_QUERY };
 
-int dm_flags(struct crypt_device *cd, dm_target_type target, uint32_t *flags);
-
-#define DM_ACTIVE_DEVICE	(1 << 0)
-#define DM_ACTIVE_UUID		(1 << 1)
-#define DM_ACTIVE_HOLDERS	(1 << 2)
-
-#define DM_ACTIVE_CRYPT_CIPHER	(1 << 3)
-#define DM_ACTIVE_CRYPT_KEYSIZE	(1 << 4)
-#define DM_ACTIVE_CRYPT_KEY	(1 << 5)
-
-#define DM_ACTIVE_VERITY_ROOT_HASH	(1 << 6)
-#define DM_ACTIVE_VERITY_HASH_DEVICE	(1 << 7)
-#define DM_ACTIVE_VERITY_PARAMS		(1 << 8)
-
-#define DM_ACTIVE_INTEGRITY_PARAMS	(1 << 9)
-
-#define DM_ACTIVE_JOURNAL_CRYPT_KEY	(1 << 10)
-#define DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE	(1 << 11)
-
-#define DM_ACTIVE_JOURNAL_MAC_KEY	(1 << 12)
-#define DM_ACTIVE_JOURNAL_MAC_KEYSIZE	(1 << 13)
+int dm_flags(struct crypt_device *cd, dm_target_type target, uint64_t *flags);
+
+#define DM_ACTIVE_DEVICE (UINT64_C(1) << 0)
+#define DM_ACTIVE_UUID (UINT64_C(1) << 1)
+#define DM_ACTIVE_HOLDERS (UINT64_C(1) << 2)
+#define DM_ACTIVE_CRYPT_CIPHER (UINT64_C(1) << 3)
+#define DM_ACTIVE_CRYPT_KEYSIZE (UINT64_C(1) << 4)
+#define DM_ACTIVE_CRYPT_KEY (UINT64_C(1) << 5)
+#define DM_ACTIVE_VERITY_ROOT_HASH (UINT64_C(1) << 6)
+#define DM_ACTIVE_VERITY_HASH_DEVICE (UINT64_C(1) << 7)
+#define DM_ACTIVE_VERITY_PARAMS (UINT64_C(1) << 8)
+#define DM_ACTIVE_INTEGRITY_PARAMS (UINT64_C(1) << 9)
+#define DM_ACTIVE_JOURNAL_CRYPT_KEY (UINT64_C(1) << 10)
+#define DM_ACTIVE_JOURNAL_CRYPT_KEYSIZE (UINT64_C(1) << 11)
+#define DM_ACTIVE_JOURNAL_MAC_KEY (UINT64_C(1) << 12)
+#define DM_ACTIVE_JOURNAL_MAC_KEYSIZE (UINT64_C(1) << 13)
 
 struct dm_target {
 	dm_target_type type;
@@ -108,6 +107,7 @@ struct dm_target {
 		uint64_t iv_offset;	/* IV initialisation sector */
 		uint32_t tag_size;	/* additional on-disk tag size */
 		uint32_t sector_size;	/* encryption sector size */
+		uint32_t integrity_key_size; /* explicit integrity key size (HMAC), 0 for default */
 	} crypt;
 	struct {
 		struct device *hash_device;
@@ -182,8 +182,9 @@ void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd
 
 int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct volume_key *vk, const char *cipher,
-	uint64_t iv_offset, uint64_t data_offset, const char *integrity,
-	uint32_t tag_size, uint32_t sector_size);
+	uint64_t iv_offset, uint64_t data_offset,
+	const char *integrity, uint32_t integrity_key_size, uint32_t tag_size,
+	uint32_t sector_size);
 int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct device *hash_device, struct device *fec_device,
 	const char *root_hash, uint32_t root_hash_size, const char* root_hash_sig_key_desc,
@@ -205,15 +206,15 @@ int dm_status_suspended(struct crypt_device *cd, const char *name);
 int dm_status_verity_ok(struct crypt_device *cd, const char *name);
 int dm_status_integrity_failures(struct crypt_device *cd, const char *name, uint64_t *count);
 int dm_query_device(struct crypt_device *cd, const char *name,
-		    uint32_t get_flags, struct crypt_dm_active_device *dmd);
+		    uint64_t get_flags, struct crypt_dm_active_device *dmd);
 int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix,
 		   char **names, size_t names_length);
 int dm_create_device(struct crypt_device *cd, const char *name,
 		     const char *type, struct crypt_dm_active_device *dmd);
 int dm_reload_device(struct crypt_device *cd, const char *name,
-		     struct crypt_dm_active_device *dmd, uint32_t dmflags, unsigned resume);
-int dm_suspend_device(struct crypt_device *cd, const char *name, uint32_t dmflags);
-int dm_resume_device(struct crypt_device *cd, const char *name, uint32_t dmflags);
+		     struct crypt_dm_active_device *dmd, uint64_t dmflags, unsigned resume);
+int dm_suspend_device(struct crypt_device *cd, const char *name, uint64_t dmflags);
+int dm_resume_device(struct crypt_device *cd, const char *name, uint64_t dmflags);
 int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name,
 				const struct volume_key *vk);
 int dm_error_device(struct crypt_device *cd, const char *name);
@@ -222,6 +223,11 @@ int dm_cancel_deferred_removal(const char *name);
 
 const char *dm_get_dir(void);
 int dm_get_iname(const char *name, char **iname, bool with_path);
+char *dm_get_active_iname(struct crypt_device *cd, const char *name);
+
+int dm_uuid_cmp(const char *dm_uuid, const char *hdr_uuid);
+int dm_uuid_type_cmp(const char *dm_uuid, const char *type);
+int dm_uuid_integrity_cmp(const char *dm_uuid, const char *dmi_uuid);
 
 int lookup_dm_dev_by_uuid(struct crypt_device *cd, const char *uuid, const char *type);
 
diff --git a/lib/utils_io.c b/lib/utils_io.c
index 1e47673..801f6d6 100644
--- a/lib/utils_io.c
+++ b/lib/utils_io.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <errno.h>
@@ -278,7 +278,7 @@ ssize_t read_lseek_blockwise(int fd, size_t bsize, size_t alignment,
 		length -= innerCount;
 	}
 
-	ret = read_blockwise(fd, bsize, alignment, buf, length);
+	ret = length ? read_blockwise(fd, bsize, alignment, buf, length) : 0;
 	if (ret >= 0)
 		ret += innerCount;
 out:
diff --git a/lib/utils_io.h b/lib/utils_io.h
index 404c0f5..f80cf17 100644
--- a/lib/utils_io.h
+++ b/lib/utils_io.h
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef _CRYPTSETUP_UTILS_IO_H
diff --git a/lib/utils_keyring.c b/lib/utils_keyring.c
index 4a0cc53..73df346 100644
--- a/lib/utils_keyring.c
+++ b/lib/utils_keyring.c
@@ -2,8 +2,8 @@
 /*
  * kernel keyring utilities
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #include <assert.h>
@@ -21,17 +21,17 @@
 #include "libcryptsetup_macros.h"
 #include "utils_keyring.h"
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 
 static const struct {
 	key_type_t type;
 	const char *type_name;
 } key_types[] = {
-	{ LOGON_KEY,	"logon" },
-	{ USER_KEY,	"user"	},
-	{ BIG_KEY,	"big_key"	},
-	{ TRUSTED_KEY,	"trusted"	},
-	{ ENCRYPTED_KEY,	"encrypted"	},
+	{ LOGON_KEY,     "logon" },
+	{ USER_KEY,      "user" },
+	{ BIG_KEY,       "big_key" },
+	{ TRUSTED_KEY,   "trusted" },
+	{ ENCRYPTED_KEY, "encrypted" },
 };
 
 #include <linux/keyctl.h>
@@ -150,7 +150,11 @@ static key_serial_t find_key_by_type_and_desc(const char *type, const char *desc
 	do {
 		id = request_key(type, desc, NULL, 0);
 	} while (id < 0 && errno == EINTR);
-	if (id >= 0 || errno == ENOMEM)
+
+	if (id < 0 && errno == ENOMEM)
+		return 0;
+
+	if (id >= 0)
 		return id;
 
 	f = open("/proc/keys", O_RDONLY);
@@ -191,7 +195,7 @@ int keyring_check(void)
 	return syscall(__NR_request_key, "logon", "dummy", NULL, 0) == -1l && errno != ENOSYS;
 }
 
-static key_serial_t keyring_add_key_in_keyring(key_type_t ktype,
+key_serial_t keyring_add_key_to_keyring(key_type_t ktype,
 		const char *key_desc,
 		const void *key,
 		size_t key_size,
@@ -207,7 +211,7 @@ static key_serial_t keyring_add_key_in_keyring(key_type_t ktype,
 
 key_serial_t keyring_add_key_in_thread_keyring(key_type_t ktype, const char *key_desc, const void *key, size_t key_size)
 {
-	return keyring_add_key_in_keyring(ktype, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING);
+	return keyring_add_key_to_keyring(ktype, key_desc, key, key_size, KEY_SPEC_THREAD_KEYRING);
 }
 
 key_serial_t keyring_request_key_id(key_type_t key_type,
@@ -222,29 +226,45 @@ key_serial_t keyring_request_key_id(key_type_t key_type,
 	return kid;
 }
 
+int keyring_read_keysize(key_serial_t kid,
+		size_t *r_key_size)
+{
+	long r;
+
+	assert(r_key_size);
+
+	/* just get payload size */
+	r = keyctl_read(kid, NULL, 0);
+	if (r > 0) {
+		*r_key_size = r;
+		return 0;
+	}
+
+	return -EINVAL;
+}
+
 int keyring_read_key(key_serial_t kid,
 		char **key,
 		size_t *key_size)
 {
-	long r;
+	int r;
+	size_t len;
 	char *buf = NULL;
-	size_t len = 0;
 
 	assert(key);
 	assert(key_size);
 
 	/* just get payload size */
-	r = keyctl_read(kid, NULL, 0);
-	if (r > 0) {
-		len = r;
-		buf = crypt_safe_alloc(len);
-		if (!buf)
-			return -ENOMEM;
+	r = keyring_read_keysize(kid, &len);
+	if (r < 0)
+		return r;
 
-		/* retrieve actual payload data */
-		r = keyctl_read(kid, buf, len);
-	}
+	buf = crypt_safe_alloc(len);
+	if (!buf)
+		return -ENOMEM;
 
+	/* retrieve actual payload data */
+	r = keyctl_read(kid, buf, len);
 	if (r < 0) {
 		crypt_safe_free(buf);
 		return -EINVAL;
@@ -277,6 +297,37 @@ const char *key_type_name(key_type_t type)
 	return NULL;
 }
 
+key_type_t keyring_type_and_name(const char *key_name, const char **name)
+{
+	const char *name_tmp;
+	char type[16];
+	size_t type_len;
+
+	if (!key_name || key_name[0] != '%')
+		return INVALID_KEY;
+
+	key_name++;
+	if (!*key_name || *key_name == ':')
+		return INVALID_KEY;
+
+	name_tmp = strchr(key_name, ':');
+	if (!name_tmp)
+		return INVALID_KEY;
+	name_tmp++;
+
+	type_len = name_tmp - key_name - 1;
+	if (type_len >= sizeof(type) - 1)
+		return INVALID_KEY;
+
+	memcpy(type, key_name, type_len);
+	type[type_len] = '\0';
+
+	if (name)
+		*name = name_tmp;
+
+	return key_type_by_name(type);
+}
+
 key_serial_t keyring_find_key_id_by_name(const char *key_name)
 {
 	key_serial_t id = 0;
@@ -333,8 +384,7 @@ key_serial_t keyring_find_key_id_by_name(const char *key_name)
 		id = 0;
 
 out:
-	if (name_copy)
-		free(name_copy);
+	free(name_copy);
 
 	return id;
 }
@@ -375,20 +425,6 @@ key_type_t key_type_by_name(const char *name)
 	return INVALID_KEY;
 }
 
-key_serial_t keyring_add_key_to_custom_keyring(key_type_t ktype,
-				      const char *key_desc,
-				      const void *key,
-				      size_t key_size,
-				      key_serial_t keyring_to_link)
-{
-	const char *type_name = key_type_name(ktype);
-
-	if (!type_name || !key_desc)
-		return -EINVAL;
-
-	return add_key(type_name, key_desc, key, key_size, keyring_to_link);
-}
-
 #else /* KERNEL_KEYRING */
 #pragma GCC diagnostic ignored "-Wunused-parameter"
 
@@ -408,6 +444,12 @@ key_serial_t keyring_request_key_id(key_type_t key_type,
 	return -ENOTSUP;
 }
 
+int keyring_read_keysize(key_serial_t kid,
+		size_t *r_key_size)
+{
+	return -ENOTSUP;
+}
+
 int keyring_read_key(key_serial_t kid,
 		char **key,
 		size_t *key_size)
@@ -425,6 +467,11 @@ const char *key_type_name(key_type_t type)
 	return NULL;
 }
 
+key_type_t keyring_type_and_name(const char *key_name, const char **name)
+{
+	return INVALID_KEY;
+}
+
 key_serial_t keyring_find_key_id_by_name(const char *key_name)
 {
 	return 0;
@@ -440,11 +487,11 @@ key_type_t key_type_by_name(const char *name)
 	return INVALID_KEY;
 }
 
-key_serial_t keyring_add_key_to_custom_keyring(key_type_t ktype,
-				      const char *key_desc,
-				      const void *key,
-				      size_t key_size,
-				      key_serial_t keyring_to_link)
+key_serial_t keyring_add_key_to_keyring(key_type_t ktype,
+					const char *key_desc,
+					const void *key,
+					size_t key_size,
+					key_serial_t keyring_to_link)
 {
 	return -ENOTSUP;
 }
diff --git a/lib/utils_keyring.h b/lib/utils_keyring.h
index 33d8f22..67debf6 100644
--- a/lib/utils_keyring.h
+++ b/lib/utils_keyring.h
@@ -2,8 +2,8 @@
 /*
  * kernel keyring syscall wrappers
  *
- * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2016-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #ifndef _UTILS_KEYRING
@@ -21,6 +21,7 @@ typedef enum { LOGON_KEY = 0, USER_KEY, BIG_KEY, TRUSTED_KEY, ENCRYPTED_KEY, INV
 
 const char *key_type_name(key_type_t ktype);
 key_type_t key_type_by_name(const char *name);
+key_type_t keyring_type_and_name(const char *key_name, const char **name);
 key_serial_t keyring_find_key_id_by_name(const char *key_name);
 key_serial_t keyring_find_keyring_id_by_name(const char *keyring_name);
 
@@ -29,6 +30,9 @@ int keyring_check(void);
 key_serial_t keyring_request_key_id(key_type_t key_type,
 		const char *key_description);
 
+int keyring_read_keysize(key_serial_t kid,
+		size_t *r_key_size);
+
 int keyring_read_key(key_serial_t kid,
 		char **key,
 		size_t *key_size);
@@ -39,7 +43,7 @@ key_serial_t keyring_add_key_in_thread_keyring(
 	const void *key,
 	size_t key_size);
 
-key_serial_t keyring_add_key_to_custom_keyring(key_type_t ktype, const char *key_desc, const void *key,
+key_serial_t keyring_add_key_to_keyring(key_type_t ktype, const char *key_desc, const void *key,
 				      size_t key_size, key_serial_t keyring_to_link);
 int keyring_unlink_key_from_keyring(key_serial_t kid, key_serial_t keyring_id);
 int keyring_unlink_key_from_thread_keyring(key_serial_t kid);
diff --git a/lib/utils_loop.c b/lib/utils_loop.c
index 6af47f5..ec85678 100644
--- a/lib/utils_loop.c
+++ b/lib/utils_loop.c
@@ -2,8 +2,8 @@
 /*
  * loopback block device utilities
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <stdlib.h>
@@ -15,7 +15,7 @@
 #include <limits.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
 #include <linux/types.h>
diff --git a/lib/utils_loop.h b/lib/utils_loop.h
index a0c7491..4edeff3 100644
--- a/lib/utils_loop.h
+++ b/lib/utils_loop.h
@@ -2,8 +2,8 @@
 /*
  * loopback block device utilities
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef _UTILS_LOOP_H
diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c
index 56971f2..87e9419 100644
--- a/lib/utils_pbkdf.c
+++ b/lib/utils_pbkdf.c
@@ -2,8 +2,8 @@
 /*
  * utils_pbkdf - PBKDF settings for libcryptsetup
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <stdlib.h>
@@ -63,9 +63,11 @@ uint32_t pbkdf_adjusted_phys_memory_kb(void)
 	memory_kb /= 2;
 
 	/*
-	 * Never use more that half of available free memory on system without swap.
+	 * On systems with < 4GB RAM without swap
+	 * never use more that half of available free memory.
+	 * This is a temporary hack to avoid OOM on small systems.
 	 */
-	if (!crypt_swapavailable()) {
+	if (memory_kb < (2 * 1024 * 1024) && !crypt_swapavailable()) {
 		free_kb = crypt_getphysmemoryfree_kb();
 
 		/*
@@ -159,10 +161,19 @@ int verify_pbkdf_params(struct crypt_device *cd,
 			pbkdf_limits.max_memory);
 		r = -EINVAL;
 	}
+	if (1024ULL * pbkdf->max_memory_kb > SIZE_MAX) {
+		log_err(cd, _("Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."));
+		r = -EINVAL;
+	}
 	if (!pbkdf->max_memory_kb) {
 		log_err(cd, _("Requested maximum PBKDF memory cannot be zero."));
 		r = -EINVAL;
 	}
+	if (pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
+		log_err(cd, _("Requested maximum PBKDF parallel cost is too high (maximum is %d)."),
+			pbkdf_limits.max_parallel);
+		r = -EINVAL;
+	}
 	if (!pbkdf->parallel_threads) {
 		log_err(cd, _("Requested PBKDF parallel threads cannot be zero."));
 		r = -EINVAL;
@@ -235,12 +246,6 @@ int init_pbkdf_type(struct crypt_device *cd,
 	cd_pbkdf->max_memory_kb = pbkdf->max_memory_kb;
 	cd_pbkdf->parallel_threads = pbkdf->parallel_threads;
 
-	if (cd_pbkdf->parallel_threads > pbkdf_limits.max_parallel) {
-		log_dbg(cd, "Maximum PBKDF threads is %d (requested %d).",
-			pbkdf_limits.max_parallel, cd_pbkdf->parallel_threads);
-		cd_pbkdf->parallel_threads = pbkdf_limits.max_parallel;
-	}
-
 	/* Do not limit threads by online CPUs if user forced values (no benchmark). */
 	if (cd_pbkdf->parallel_threads && !(cd_pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK)) {
 		cpus = crypt_cpusonline();
diff --git a/lib/utils_safe_memory.c b/lib/utils_safe_memory.c
index 0b1dc7e..5ee68d2 100644
--- a/lib/utils_safe_memory.c
+++ b/lib/utils_safe_memory.c
@@ -2,15 +2,13 @@
 /*
  * utils_safe_memory - safe memory helpers
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
-#include <stdlib.h>
-#include <stdbool.h>
 #include <string.h>
 #include <sys/mman.h>
-#include "libcryptsetup.h"
+#include "internal.h"
 
 struct safe_allocation {
 	size_t size;
@@ -28,14 +26,16 @@ void crypt_safe_memzero(void *data, size_t size)
 	if (!data)
 		return;
 
-#ifdef HAVE_EXPLICIT_BZERO
-	explicit_bzero(data, size);
-#else
-	volatile uint8_t *p = (volatile uint8_t *)data;
+	return crypt_backend_memzero(data, size);
+}
+
+/* Memcpy helper to avoid spilling sensitive data through additional registers */
+void *crypt_safe_memcpy(void *dst, const void *src, size_t size)
+{
+	if (!dst || !src)
+		return NULL;
 
-	while(size--)
-		*p++ = 0;
-#endif
+	return crypt_backend_memcpy(dst, src, size);
 }
 
 /* safe allocations */
@@ -50,7 +50,7 @@ void *crypt_safe_alloc(size_t size)
 	if (!alloc)
 		return NULL;
 
-	crypt_safe_memzero(alloc, size + OVERHEAD);
+	crypt_backend_memzero(alloc, size + OVERHEAD);
 	alloc->size = size;
 
 	/* Ignore failure if it is over limit. */
@@ -73,7 +73,7 @@ void crypt_safe_free(void *data)
 	p = (char *)data - OVERHEAD;
 	alloc = (struct safe_allocation *)p;
 
-	crypt_safe_memzero(data, alloc->size);
+	crypt_backend_memzero(data, alloc->size);
 
 	if (alloc->locked) {
 		munlock(alloc, alloc->size + OVERHEAD);
@@ -101,9 +101,21 @@ void *crypt_safe_realloc(void *data, size_t size)
 		if (size > alloc->size)
 			size = alloc->size;
 
-		memcpy(new_data, data, size);
+		crypt_backend_memcpy(new_data, data, size);
 	}
 
 	crypt_safe_free(data);
 	return new_data;
 }
+
+size_t crypt_safe_alloc_size(const void *data)
+{
+	const void *p;
+
+	if (!data)
+		return 0;
+
+	p = (const char *)data - OVERHEAD;
+
+	return ((const struct safe_allocation *)p)->size;
+}
diff --git a/lib/utils_storage_wrappers.c b/lib/utils_storage_wrappers.c
index 52f065c..54492d0 100644
--- a/lib/utils_storage_wrappers.c
+++ b/lib/utils_storage_wrappers.c
@@ -3,7 +3,7 @@
  * Generic wrapper for storage functions
  * (experimental only)
  *
- * Copyright (C) 2018-2024 Ondrej Kozina
+ * Copyright (C) 2018-2025 Ondrej Kozina
  */
 
 #include <errno.h>
@@ -49,7 +49,9 @@ static int crypt_storage_backend_init(struct crypt_device *cd,
 	struct crypt_storage *s;
 
 	/* iv_start, sector_size */
-	r = crypt_storage_init(&s, sector_size, cipher, cipher_mode, vk->key, vk->keylength, flags & LARGE_IV);
+	r = crypt_storage_init(&s, sector_size, cipher, cipher_mode,
+			       crypt_volume_key_get_key(vk),
+			       crypt_volume_key_length(vk), flags & LARGE_IV);
 	if (r)
 		return r;
 
@@ -103,18 +105,11 @@ static int crypt_storage_dmcrypt_init(
 	if (dmd.flags & CRYPT_ACTIVATE_READONLY)
 		mode = (open_flags & ~O_ACCMODE) | O_RDONLY;
 
-	if (vk->key_description)
+	if (crypt_volume_key_description(vk))
 		dmd.flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 
-	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size,
-			    device,
-			    vk,
-			    cipher_spec,
-			    iv_start,
-			    device_offset,
-			    NULL,
-			    0,
-			    sector_size);
+	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, device, vk, cipher_spec, iv_start,
+				device_offset, NULL, 0, 0, sector_size);
 	if (r)
 		return r;
 
diff --git a/lib/utils_storage_wrappers.h b/lib/utils_storage_wrappers.h
index ebc7ed3..c7a64b2 100644
--- a/lib/utils_storage_wrappers.h
+++ b/lib/utils_storage_wrappers.h
@@ -3,7 +3,7 @@
  * Generic wrapper for storage functions
  * (experimental only)
  *
- * Copyright (C) 2018-2024 Ondrej Kozina
+ * Copyright (C) 2018-2025 Ondrej Kozina
  */
 
 #ifndef _UTILS_STORAGE_WRAPPERS_H
diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c
index 2aa74e6..6a26ded 100644
--- a/lib/utils_wipe.c
+++ b/lib/utils_wipe.c
@@ -3,8 +3,8 @@
  * utils_wipe - wipe a device
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <stdlib.h>
@@ -50,7 +50,7 @@ static void wipeSpecial(char *buffer, size_t buffer_size, unsigned int turn)
 {
 	unsigned int i;
 
-	unsigned char write_modes[][3] = {
+	const unsigned char write_modes[27][4] = {
 		{"\x55\x55\x55"}, {"\xaa\xaa\xaa"}, {"\x92\x49\x24"},
 		{"\x49\x24\x92"}, {"\x24\x92\x49"}, {"\x00\x00\x00"},
 		{"\x11\x11\x11"}, {"\x22\x22\x22"}, {"\x33\x33\x33"},
@@ -172,6 +172,10 @@ int crypt_wipe_device(struct crypt_device *cd,
 	/* Note: LUKS1 calls it with wipe_block not aligned to multiple of bsize */
 	bsize = device_block_size(cd, device);
 	alignment = device_alignment(device);
+
+	log_dbg(cd, "Wipe device %s [%u], offset %" PRIu64 ", length %" PRIu64 ", block %zu, bsize %zu, align %zu.",
+		device_path(device), (unsigned)pattern, offset, length, wipe_block_size, bsize, alignment);
+
 	if (!bsize || !alignment || !wipe_block_size)
 		return -EINVAL;
 
@@ -287,9 +291,6 @@ int crypt_wipe(struct crypt_device *cd,
 	if (!wipe_block_size)
 		wipe_block_size = 1024*1024;
 
-	log_dbg(cd, "Wipe [%u] device %s, offset %" PRIu64 ", length %" PRIu64 ", block %zu.",
-		(unsigned)pattern, device_path(device), offset, length, wipe_block_size);
-
 	r = crypt_wipe_device(cd, device, pattern, offset, length,
 			      wipe_block_size, progress, usrptr);
 
diff --git a/lib/verity/rs.h b/lib/verity/rs.h
index 48f3a09..195e00c 100644
--- a/lib/verity/rs.h
+++ b/lib/verity/rs.h
@@ -4,7 +4,7 @@
  *
  * Copyright (C) 2004 Phil Karn, KA9Q
  * libcryptsetup modifications
- *   Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved.
+ *   Copyright (C) 2017-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef _LIBFEC_RS_H
diff --git a/lib/verity/rs_decode_char.c b/lib/verity/rs_decode_char.c
index 0fcceae..f819dea 100644
--- a/lib/verity/rs_decode_char.c
+++ b/lib/verity/rs_decode_char.c
@@ -4,7 +4,7 @@
  *
  * Copyright (C) 2002, Phil Karn, KA9Q
  * libcryptsetup modifications
- *   Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved.
+ *   Copyright (C) 2017-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <string.h>
diff --git a/lib/verity/rs_encode_char.c b/lib/verity/rs_encode_char.c
index 259b29d..8d1b6c3 100644
--- a/lib/verity/rs_encode_char.c
+++ b/lib/verity/rs_encode_char.c
@@ -4,7 +4,7 @@
  *
  * Copyright (C) 2002, Phil Karn, KA9Q
  * libcryptsetup modifications
- *   Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved.
+ *   Copyright (C) 2017-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <string.h>
diff --git a/lib/verity/verity.c b/lib/verity/verity.c
index 5fe1cf7..65f5f4e 100644
--- a/lib/verity/verity.c
+++ b/lib/verity/verity.c
@@ -2,7 +2,7 @@
 /*
  * dm-verity volume handling
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <errno.h>
@@ -271,7 +271,8 @@ int VERITY_verify_params(struct crypt_device *cd,
 		return 0;
 
 	log_dbg(cd, "Verification of VERITY data in userspace required.");
-	r = VERITY_verify(cd, hdr, root_hash->key, root_hash->keylength);
+	r = VERITY_verify(cd, hdr, crypt_volume_key_get_key(root_hash),
+			  crypt_volume_key_length(root_hash));
 
 	if ((r == -EPERM || r == -EFAULT) && fec_device) {
 		v = r;
@@ -300,9 +301,9 @@ int VERITY_activate(struct crypt_device *cd,
 		     struct crypt_params_verity *verity_hdr,
 		     uint32_t activation_flags)
 {
-	uint32_t dmv_flags;
+	uint64_t dmv_flags;
 	int r;
-	key_serial_t kid;
+	key_serial_t kid = 0;
 	char *description = NULL;
 	struct crypt_dm_active_device dmd = { 0 };
 
@@ -324,7 +325,9 @@ int VERITY_activate(struct crypt_device *cd,
 			return -EINVAL;
 
 		log_dbg(cd, "Adding signature %s (type user) into thread keyring.", description);
-		kid = keyring_add_key_in_thread_keyring(USER_KEY, description, signature->key, signature->keylength);
+		kid = keyring_add_key_in_thread_keyring(USER_KEY, description,
+							crypt_volume_key_get_key(signature),
+							crypt_volume_key_length(signature));
 		if (kid < 0) {
 			log_dbg(cd, "keyring_add_key_in_thread_keyring failed with errno %d.", errno);
 			log_err(cd, _("Failed to load key in kernel keyring."));
@@ -352,8 +355,8 @@ int VERITY_activate(struct crypt_device *cd,
 	}
 
 	r = dm_verity_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
-			crypt_metadata_device(cd), fec_device, root_hash->key,
-			root_hash->keylength, description,
+			crypt_metadata_device(cd), fec_device, crypt_volume_key_get_key(root_hash),
+			crypt_volume_key_length(root_hash), description,
 			VERITY_hash_offset_block(verity_hdr),
 			VERITY_FEC_blocks(cd, fec_device, verity_hdr), verity_hdr);
 
@@ -381,7 +384,12 @@ int VERITY_activate(struct crypt_device *cd,
 
 	r = 0;
 out:
-	crypt_drop_keyring_key_by_description(cd, description, USER_KEY);
+	if (signature) {
+		log_dbg(cd, "Unlinking signature (id: %" PRIi32 ") from thread keyring.", kid);
+
+		if (keyring_unlink_key_from_thread_keyring(kid))
+			log_dbg(cd, "keyring_unlink_key_from_thread_keyring failed with errno %d.", errno);
+	}
 	free(description);
 	dm_targets_free(cd, &dmd);
 	return r;
@@ -411,13 +419,13 @@ int VERITY_dump(struct crypt_device *cd,
 			verity_blocks += rs_blocks;
 	}
 
-	log_std(cd, "VERITY header information for %s\n", device_path(crypt_metadata_device(cd)));
+	log_std(cd, "VERITY header information for %s.\n", device_path(crypt_metadata_device(cd)));
 	log_std(cd, "UUID:            \t%s\n", crypt_get_uuid(cd) ?: "");
 	log_std(cd, "Hash type:       \t%u\n", verity_hdr->hash_type);
 	log_std(cd, "Data blocks:     \t%" PRIu64 "\n", verity_hdr->data_size);
-	log_std(cd, "Data block size: \t%u\n", verity_hdr->data_block_size);
+	log_std(cd, "Data block size: \t%u [bytes]\n", verity_hdr->data_block_size);
 	log_std(cd, "Hash blocks:     \t%" PRIu64 "\n", hash_blocks);
-	log_std(cd, "Hash block size: \t%u\n", verity_hdr->hash_block_size);
+	log_std(cd, "Hash block size: \t%u [bytes]\n", verity_hdr->hash_block_size);
 	log_std(cd, "Hash algorithm:  \t%s\n", verity_hdr->hash_name);
 	if (fec_device && fec_blocks) {
 		log_std(cd, "FEC RS roots:   \t%" PRIu32 "\n", verity_hdr->fec_roots);
diff --git a/lib/verity/verity.h b/lib/verity/verity.h
index f0c43a7..7d79810 100644
--- a/lib/verity/verity.h
+++ b/lib/verity/verity.h
@@ -2,7 +2,7 @@
 /*
  * dm-verity volume handling
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef _VERITY_H
diff --git a/lib/verity/verity_fec.c b/lib/verity/verity_fec.c
index ca60b2e..2dfb4ac 100644
--- a/lib/verity/verity_fec.c
+++ b/lib/verity/verity_fec.c
@@ -3,7 +3,7 @@
  * dm-verity Forward Error Correction (FEC) support
  *
  * Copyright (C) 2015 Google, Inc. All rights reserved.
- * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2017-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <stdlib.h>
diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c
index 56b1569..02333de 100644
--- a/lib/verity/verity_hash.c
+++ b/lib/verity/verity_hash.c
@@ -2,7 +2,7 @@
 /*
  * dm-verity volume handling
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <errno.h>
@@ -302,6 +302,11 @@ static int VERITY_create_or_verify_hash(struct crypt_device *cd, bool verify,
 		hash_device_offset_max - params->hash_area_offset);
 	log_dbg(cd, "Using %d hash levels.", levels);
 
+	r = device_check_size(cd, crypt_metadata_device(cd),
+			      hash_device_offset_max - params->hash_area_offset, 1);
+	if (r < 0)
+		return r;
+
 	data_file = fopen(device_path(crypt_data_device(cd)), "r");
 	if (!data_file) {
 		log_err(cd, _("Cannot open device %s."),
diff --git a/lib/volumekey.c b/lib/volumekey.c
index 034e16e..afa0cb8 100644
--- a/lib/volumekey.c
+++ b/lib/volumekey.c
@@ -3,7 +3,7 @@
  * cryptsetup volume key implementation
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <string.h>
@@ -13,6 +13,16 @@
 
 #include "internal.h"
 
+struct volume_key {
+	int id;
+	size_t keylength; /* length in bytes */
+	const char *key_description; /* keyring key name/description */
+	key_type_t keyring_key_type; /* kernel keyring key type */
+	key_serial_t key_id; /* kernel key id of volume key representation linked in thread keyring */
+	struct volume_key *next;
+	char *key;
+};
+
 struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key)
 {
 	struct volume_key *vk;
@@ -20,39 +30,117 @@ struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key)
 	if (keylength > (SIZE_MAX - sizeof(*vk)))
 		return NULL;
 
-	vk = malloc(sizeof(*vk) + keylength);
+	vk = crypt_zalloc(sizeof(*vk));
 	if (!vk)
 		return NULL;
 
-	vk->key_description = NULL;
+	vk->keyring_key_type = INVALID_KEY;
+	vk->key_id = -1;
 	vk->keylength = keylength;
 	vk->id = KEY_NOT_VERIFIED;
-	vk->next = NULL;
 
 	/* keylength 0 is valid => no key */
-	if (vk->keylength) {
-		if (key)
-			memcpy(&vk->key, key, keylength);
-		else
-			crypt_safe_memzero(&vk->key, keylength);
+	if (vk->keylength && key) {
+		vk->key = crypt_safe_alloc(keylength);
+		if (!vk->key) {
+			free(vk);
+			return NULL;
+		}
+		crypt_safe_memcpy(vk->key, key, keylength);
 	}
 
 	return vk;
 }
 
-int crypt_volume_key_set_description(struct volume_key *vk, const char *key_description)
+struct volume_key *crypt_alloc_volume_key_by_safe_alloc(void **safe_alloc)
+{
+	size_t keylength;
+	struct volume_key *vk;
+
+	if (!safe_alloc)
+		return NULL;
+
+	keylength = crypt_safe_alloc_size(*safe_alloc);
+	if (!keylength)
+		return NULL;
+
+	vk = crypt_alloc_volume_key(keylength, NULL);
+	if (!vk)
+		return NULL;
+
+	vk->key = *safe_alloc;
+	*safe_alloc = NULL;
+
+	return vk;
+}
+
+void crypt_volume_key_pass_safe_alloc(struct volume_key *vk, void **safe_alloc)
+{
+	assert(vk);
+	assert(vk->keylength);
+	assert(safe_alloc);
+	assert(crypt_safe_alloc_size(*safe_alloc) == vk->keylength);
+
+	crypt_safe_free(vk->key);
+	vk->key = *safe_alloc;
+	*safe_alloc = NULL;
+}
+
+const char *crypt_volume_key_get_key(const struct volume_key *vk)
+{
+	assert(vk && vk->key);
+
+	return vk->key;
+}
+
+size_t crypt_volume_key_length(const struct volume_key *vk)
+{
+	assert(vk);
+
+	return vk->keylength;
+}
+
+int crypt_volume_key_set_description(struct volume_key *vk,
+				     const char *key_description, key_type_t keyring_key_type)
 {
 	if (!vk)
 		return -EINVAL;
 
 	free(CONST_CAST(void*)vk->key_description);
 	vk->key_description = NULL;
+	vk->keyring_key_type = keyring_key_type;
 	if (key_description && !(vk->key_description = strdup(key_description)))
 		return -ENOMEM;
 
 	return 0;
 }
 
+int crypt_volume_key_set_description_by_name(struct volume_key *vk, const char *key_name)
+{
+	const char *key_description = NULL;
+	key_type_t keyring_key_type = keyring_type_and_name(key_name, &key_description);
+
+	if (keyring_key_type == INVALID_KEY)
+		return -EINVAL;
+
+	return crypt_volume_key_set_description(vk, key_description, keyring_key_type);
+}
+
+const char *crypt_volume_key_description(const struct volume_key *vk)
+{
+	assert(vk);
+
+	return vk->key_description;
+}
+
+
+key_type_t crypt_volume_key_kernel_key_type(const struct volume_key *vk)
+{
+	assert(vk);
+
+	return vk->keyring_key_type;
+}
+
 void crypt_volume_key_set_id(struct volume_key *vk, int id)
 {
 	if (vk && id >= 0)
@@ -107,28 +195,88 @@ void crypt_free_volume_key(struct volume_key *vk)
 	struct volume_key *vk_next;
 
 	while (vk) {
-		crypt_safe_memzero(vk->key, vk->keylength);
-		vk->keylength = 0;
 		free(CONST_CAST(void*)vk->key_description);
+		crypt_safe_free(vk->key);
 		vk_next = vk->next;
 		free(vk);
 		vk = vk_next;
 	}
 }
 
-struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength)
+struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength,
+					     key_quality_info quality)
 {
 	int r;
-	struct volume_key *vk;
+	void *key;
+	struct volume_key *vk = NULL;
 
-	vk = crypt_alloc_volume_key(keylength, NULL);
-	if (!vk)
+	key = crypt_safe_alloc(keylength);
+	if (!key)
 		return NULL;
 
-	r = crypt_random_get(cd, vk->key, keylength, CRYPT_RND_KEY);
-	if(r < 0) {
-		crypt_free_volume_key(vk);
-		return NULL;
+	switch (quality) {
+	case KEY_QUALITY_KEY:
+		r = crypt_random_get(cd, key, keylength, CRYPT_RND_KEY);
+		break;
+	case KEY_QUALITY_NORMAL:
+		r = crypt_random_get(cd, key, keylength, CRYPT_RND_NORMAL);
+		break;
+	case KEY_QUALITY_EMPTY:
+		r = 0;
+		break;
+	default:
+		abort();
 	}
+
+	if (!r)
+		vk = crypt_alloc_volume_key(keylength, NULL);
+	if (vk)
+		vk->key = key;
+	else
+		crypt_safe_free(key);
+
 	return vk;
 }
+
+bool crypt_volume_key_is_set(const struct volume_key *vk)
+{
+	return vk && vk->key;
+}
+
+bool crypt_volume_key_upload_kernel_key(struct volume_key *vk)
+{
+	key_serial_t kid;
+
+	assert(vk && vk->key && vk->key_description && vk->keyring_key_type != INVALID_KEY);
+
+	kid = keyring_add_key_in_thread_keyring(vk->keyring_key_type, vk->key_description,
+					 vk->key, vk->keylength);
+	if (kid >= 0) {
+		vk->key_id = kid;
+		return true;
+	}
+
+	return false;
+}
+
+void crypt_volume_key_drop_kernel_key(struct crypt_device *cd, struct volume_key *vk)
+{
+	assert(vk);
+	assert(vk->key_description || vk->keyring_key_type == INVALID_KEY);
+	assert(!vk->key_description || vk->keyring_key_type != INVALID_KEY);
+
+	crypt_unlink_key_by_description_from_thread_keyring(cd,
+							    vk->key_description,
+							    vk->keyring_key_type);
+}
+
+void crypt_volume_key_drop_uploaded_kernel_key(struct crypt_device *cd, struct volume_key *vk)
+{
+	assert(vk);
+
+	if (vk->key_id < 0)
+		return;
+
+	crypt_unlink_key_from_thread_keyring(cd, vk->key_id);
+	vk->key_id = -1;
+}
diff --git a/man/common_footer.adoc b/man/common_footer.adoc
index 21302eb..6747aee 100644
--- a/man/common_footer.adoc
+++ b/man/common_footer.adoc
@@ -1,17 +1,15 @@
-
 == REPORTING BUGS
 
-Report bugs at mailto:cryptsetup@lists.linux.dev[*cryptsetup mailing list*]
-or in https://gitlab.com/cryptsetup/cryptsetup/-/issues/new[*Issues project section*].
+Report bugs at mailto:cryptsetup@lists.linux.dev[cryptsetup mailing list] or in https://gitlab.com/cryptsetup/cryptsetup/-/issues/new[Issues project section].
 
-Please attach output of the failed command with --debug option added.
+Please attach the output of the failed command with --debug option added.
 
 == SEE ALSO
 
-https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions[*Cryptsetup FAQ*]
+https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions[Cryptsetup FAQ]
 
 *cryptsetup*(8), *integritysetup*(8) and *veritysetup*(8)
 
 == CRYPTSETUP
 
-Part of https://gitlab.com/cryptsetup/cryptsetup/[*cryptsetup project*].
+Part of https://gitlab.com/cryptsetup/cryptsetup/[cryptsetup project].
diff --git a/man/common_options.adoc b/man/common_options.adoc
index 523b775..31ca962 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -1,48 +1,42 @@
 == OPTIONS
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
-*--align-payload <number of 512 byte sectors>*::
+*--align-payload* _<number of 512 byte sectors>_ (DEPRECATED, use --offset)::
 Align payload at a boundary of _value_ 512-byte sectors.
 +
-If not specified, cryptsetup tries to use the topology info provided by
-the kernel for the underlying device to get the optimal alignment. If
-not available (or the calculated value is a multiple of the default)
-data is by default aligned to a 1MiB boundary (i.e. 2048 512-byte
-sectors).
+If not specified, cryptsetup tries to use the topology info provided by the kernel for the underlying device to get the optimal alignment.
+If not available (or the calculated value is a multiple of the default), data is by default aligned to a 1MiB boundary (i.e., 2048 512-byte sectors).
 +
-For a detached LUKS header, this option specifies the offset on the data
-device. See also the --header option.
+For a detached LUKS header, this option specifies the offset on the data device.
+See also the --header option.
 +
-*WARNING:* This option is DEPRECATED and has often unexpected impact to
-the data offset and keyslot area size (for LUKS2) due to the complex
-rounding. For fixed data device offset use _--offset_ option instead.
+This option is DEPRECATED and has an unexpected impact on the data offset and keyslot area size (for LUKS2) due to the complex rounding.
+For fixed data device offset, use --offset option instead.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_REFRESH[]
 *--allow-discards*::
-Allow the use of discard (TRIM) requests for the device. This is also not
-supported for LUKS2 devices with data integrity protection.
+Allow the use of discard (TRIM) requests for the device.
+This is also not supported for LUKS2 devices with data integrity protection.
 +
-*WARNING:* This command can have a negative security impact because it
-can make filesystem-level operations visible on the physical device. For
-example, information leaking filesystem type, used space, etc. may be
-extractable from the physical device if the discarded blocks can be
-located later. If in doubt, do not use it.
+*WARNING:* This command can have a negative security impact because it can make filesystem-level operations visible on the physical device.
+For example, information leaking filesystem type, used space, etc., may be extractable from the physical device if the discarded blocks can be located later.
+If in doubt, do not use it.
 +
-A kernel version of 3.1 or later is needed. For earlier kernels, this
-option is ignored.
+A kernel version of 3.1 or later is needed.
+For earlier kernels, this option is ignored.
 endif::[]
 
 ifdef::COMMON_OPTIONS[]
-*--batch-mode, -q*::
-Suppresses all confirmation questions. Use with care!
+*--batch-mode*, *-q*::
+Suppresses all confirmation questions.
+Use with care!
 +
-If the --verify-passphrase option is not specified, this option also
-switches off the passphrase verification.
+If the --verify-passphrase option is not specified, this option also switches off the passphrase verification.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--block-size* _value_ *(LUKS1 only)*::
+*--block-size* _value_ (LUKS1 only)::
 Use re-encryption block size of _value_ in MiB.
 +
 Values can be between 1 and 64 MiB.
@@ -50,50 +44,47 @@ endif::[]
 
 ifdef::ACTION_CLOSE[]
 *--cancel-deferred*::
-Removes a previously configured deferred device removal in _close_
-command.
+Removes a previously configured deferred device removal in the _close_ command.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT,ACTION_TCRYPTDUMP,ACTION_BENCHMARK[]
-*--cipher, -c* _<cipher-spec>_::
+*--cipher*, *-c* _<cipher-spec>_::
 ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
-Set the cipher specification string for _plain_ device type.
+Set the cipher specification string for the _plain_ device type.
 +
-For _tcrypt_ device type it restricts checked cipher chains when looking for header.
+For the _tcrypt_ device type, it restricts checked cipher chains when looking for the header.
 endif::[]
 ifndef::ACTION_REENCRYPT,ACTION_OPEN,ACTION_TCRYPTDUMP[]
 Set the cipher specification string.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
 *LUKS2*:
-Set the cipher specification string for data segment only.
+Set the cipher specification string for the data segment only.
 +
 *LUKS1*:
-Set the cipher specification string for data segment and keyslots.
+Set the cipher specification string for the data segment and keyslots.
 +
-*NOTE*: In encrypt mode, if cipher specification is omitted the default cipher is applied.
-In reencrypt mode, if no new cipher specification is requested, the existing cipher will remain
-in use. Unless the existing cipher was "cipher_null". In that case default cipher would
-be applied as in encrypt mode.
+The default cipher is applied if the cipher specification is omitted in encrypt mode.
++
+In reencrypt mode, if no new cipher specification is requested, the existing cipher will remain.
+The only exception is if the cipher is "cipher_null", then the default cipher is used.
 endif::[]
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
 +
 _cryptsetup --help_ shows the compiled-in defaults.
 +
-If a hash is part of the cipher specification, then it is used as part
-of the IV generation. For example, ESSIV needs a hash function, while
-"plain64" does not and hence none is specified.
+If a hash is part of the cipher specification, then it is used as part of the IV generation.
+For example, ESSIV needs a hash function, while "plain64" does not and hence none is specified.
 +
-For XTS mode you can optionally set a key size of 512 bits with the -s
-option. Key size for XTS mode is twice that for other modes for the same
-security level.
+For XTS mode, you can optionally set a key size of 512 bits with the -s option.
+Key size for XTS mode is twice that for other modes for the same security level.
 endif::[]
 endif::[]
 
 ifdef::COMMON_OPTIONS[]
-*--debug or --debug-json*::
-Run in debug mode with full diagnostic logs. Debug output lines are
-always prefixed by *#*.
+*--debug* or *--debug-json*::
+Run in debug mode with full diagnostic logs.
+Debug output lines are always prefixed by *#*.
 +
 If --debug-json is used, additional LUKS2 JSON data structures are printed.
 endif::[]
@@ -105,38 +96,41 @@ endif::[]
 
 ifdef::ACTION_CLOSE[]
 *--deferred*::
-Defers device removal in _close_ command until the last user closes
-it.
+Defers device removal in the _close_ command until the last user closes it.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_REENCRYPT,ACTION_RESIZE[]
 *--device-size* _size[units]_::
 ifndef::ACTION_RESIZE[]
-Instead of real device size, use specified value.
+Instead of the real device size, use the specified value.
 endif::[]
 ifdef::ACTION_RESIZE[]
-Sets new size of the device. If unset real device size is used.
+Sets the new size of the device.
+If unset, the real device size is used.
 endif::[]
 ifdef::ACTION_OPEN[]
 Usable only with _plain_ device type.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-It means that only specified area (from the start of the device
-to the specified size) will be reencrypted.
+It means that only the specified area (from the start of the device to the specified size) will be reencrypted.
++
+*LUKS2*:
+When used together with --reduce-device-size, only the initial _size_ value (--device-size parameter) of data is shifted backwards while being encrypted.
 +
-*WARNING:* This is destructive operation. Data beyond --device-size limit may
-be lost after operation gets finished.
+The sum of --device-size and --reduce-device-size values must not exceed the real device size.
++
+*WARNING:* This is a destructive operation.
+Data beyond --device-size limit may be lost after the operation is finished.
 endif::[]
 +
 If no unit suffix is specified, the size is in bytes.
 +
-Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB,MiB,GiB,TiB)
-for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).
+Unit suffix can be S for 512 byte sectors, K/M/G/T (or KiB, MiB, GiB, TiB) for units with 1024 base or KB/MB/GB/TB for 1000 base (SI scale).
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
 *--disable-blkid*::
-Disable use of blkid library for checking and wiping on-disk signatures.
+Disable use of the blkid library for checking and wiping on-disk signatures.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TOKEN[]
@@ -146,102 +140,102 @@ endif::[]
 
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_REFRESH,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_REENCRYPT[]
 *--disable-keyring*::
-Do not load volume key in kernel keyring and store it directly in the
-dm-crypt target instead. This option is supported only for the LUKS2 type.
+Do not load the volume key in the kernel keyring; store it directly in the dm-crypt target instead.
+This option is supported only for the LUKS2 type.
 endif::[]
 
 ifndef::ACTION_BENCHMARK,ACTION_BITLKDUMP,ACTION_TCRYPTDUMP[]
 *--disable-locks*::
-Disable lock protection for metadata on disk. This option is valid
-only for LUKS2 and ignored for other formats.
+Disable lock protection for metadata on disk.
+This option is valid only for LUKS2 and is ignored for other formats.
 +
 ifdef::ACTION_REENCRYPT[]
-*NOTE:* With locking disabled LUKS2 images in files can be fully (re)encrypted
-offline without need for super user privileges provided used block ciphers are
-available in crypto backend.
+With locking disabled, LUKS2 images in files can be fully (re)encrypted offline without the need for superuser privileges provided that the used block ciphers are available in the crypto backend.
 +
 endif::[]
-*WARNING:* Do not use this option unless you run cryptsetup in a
-restricted environment where locking is impossible to perform (where
-/run directory cannot be used).
+*WARNING:* Do not use this option unless you run cryptsetup in a restricted environment where locking is impossible to perform (where /run directory cannot be used).
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
 *--disable-veracrypt*::
-This option can be used to disable VeraCrypt compatible mode (only
-TrueCrypt devices are recognized). Only for TCRYPT extension. See
-_TCRYPT_ section in *cryptsetup*(8) for more info.
+This option can be used to disable VeraCrypt compatible mode (only TrueCrypt devices are recognized).
+See the _TCRYPT_ section in *cryptsetup*(8) for more info.
 endif::[]
 
 ifdef::ACTION_LUKSDUMP[]
 *--dump-json-metadata*::
-For _luksDump_ (LUKS2 only) this option prints content of LUKS2 header
-JSON metadata area.
+For _luksDump_ (LUKS2 only), this option prints the content of the LUKS2 header JSON metadata area.
 endif::[]
 
 ifdef::ACTION_LUKSDUMP,ACTION_TCRYPTDUMP,ACTION_BITLKDUMP[]
-*--dump-volume-key, --dump-master-key (OBSOLETE alias)*::
-Print the volume key in the displayed information. Use with care,
-as the volume key can be used to bypass
-the passphrases, see also option --volume-key-file.
+*--dump-volume-key*::
+--dump-master-key (OBSOLETE alias)::
+Print the volume key in the displayed information.
+Use with care, as the volume key can be used to bypass the passphrases, see also option --volume-key-file.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--encrypt, --new, -N*::
-Initialize (and run) device in-place encryption mode.
+*--encrypt*, *--new*, *-N*::
+Initialize (and run) the device in-place encryption mode.
 endif::[]
 
 ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[]
-*--external-tokens-path* _absolute_path_::
-Override system directory path where cryptsetup searches for external token
-handlers (or token plugins). It must be absolute path (starting with '/' character).
+*--external-tokens-path* _<absolute path>_::
+Override the system directory path where cryptsetup searches for external token handlers (or token plugins).
+It must be an absolute path (starting with '/' character).
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--force-no-keyslots* (LUKS2 only)::
+Enforce initialization of reencryption operation with additional --volume-key-file, --new-volume-key-file, --volume-key-keyring or --new-volume-key-keyring parameters.
+It would result in the deletion of all remaining LUKS2 keyslots containing the volume key.
++
+LUKS2 keyslot with the new volume key may be added after the reencryption operation is finished.
+See *cryptsetup-luksAddKey*(8) command.
++
+*WARNING:* Use with extreme caution!
+If you lose the volume key stored in a file or in a kernel keyring before adding the LUKS2 keyslot containing the new volume key, the device will become unusable, and all data will be lost.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--force-offline-reencrypt (LUKS2 only)*::
+*--force-offline-reencrypt* (LUKS2 only)::
 Bypass active device auto-detection and enforce offline reencryption.
 +
-This option is useful especially for reencryption of LUKS2 images put in
-files (auto-detection is not reliable in this scenario).
+This option is useful especially for reencryption of LUKS2 images put in files (auto-detection is not reliable in this scenario).
 +
-It may also help in case active device auto-detection on particular
-data device does not work or report errors.
+It may also help in case active device auto-detection on a particular data device does not work or report errors.
 +
-*WARNING:* Use with extreme caution! This may destroy data if the device
-is activated and/or actively used.
+*WARNING:* Use with extreme caution! This may destroy data if the device is activated and/or actively used.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
 *--force-password*::
 Do not use password quality checking for new LUKS passwords.
 +
-This option is ignored if cryptsetup is built without password
-quality checking support.
+This option is ignored if cryptsetup is built without password quality checking support.
 +
-For more info about password quality check, see the manual page for
-*pwquality.conf(5)* and *passwdqc.conf(5)*.
+For more info about password quality check, see the manual page for *pwquality.conf*(5) and *passwdqc.conf*(5).
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_TCRYPTDUMP,ACTION_BENCHMARK,ACTION_REENCRYPT[]
-*--hash, -h* _<hash-spec>_::
+*--hash*, *-h* _<hash-spec>_::
 ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
-Specifies the passphrase hash. Applies to _plain_ and _loopaes_ device types only.
+Specifies the passphrase hash.
+Applies to _plain_ and _loopaes_ device types only.
 +
-For _tcrypt_ device type, it restricts checked PBKDF2 variants when looking for header.
+For the _tcrypt_ device type, it restricts the checked PBKDF2 variants when looking for the header.
 endif::[]
 ifdef::ACTION_LUKSFORMAT[]
-Specifies the hash used in the LUKS key setup scheme and volume key
-digest.
+Specifies the hash used in the LUKS key setup scheme and volume key digest.
 endif::[]
 ifndef::ACTION_REENCRYPT,ACTION_OPEN,ACTION_TCRYPTDUMP[]
-The specified hash is used for PBKDF2 and AF splitter.
+The specified hash is used for PBKDF2 and the AF splitter.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
 *LUKS1:*
 Specifies the hash used in the LUKS1 key setup scheme and volume key digest.
 +
-*NOTE*: if this parameter is not specified, default hash algorithm is always used
-for new LUKS1 device header.
+If this parameter is not specified, the default hash algorithm is always used for a new LUKS1 device header.
 +
 *LUKS2:* Ignored unless new keyslot pbkdf algorithm is set to PBKDF2 (see --pbkdf).
 endif::[]
@@ -254,34 +248,28 @@ endif::[]
 endif::[]
 
 ifndef::ACTION_BENCHMARK,ACTION_BITLKDUMP[]
-*--header <device or file storing the LUKS header>*::
+*--header* _<device or file storing the LUKS header>_::
 ifndef::ACTION_OPEN,ACTION_ERASE[]
-Use a detached (separated) metadata device or file where the LUKS
-header is stored. This option allows one to store ciphertext and LUKS
-header on different devices.
+Use a detached (separated) metadata device or file where the LUKS header is stored.
+This option allows one to store the ciphertext and LUKS header on different devices.
 +
 endif::[]
 ifdef::ACTION_OPEN[]
-Specify detached (separated) metadata device or file where the header is stored.
+Specify a detached (separated) metadata device or file where the header is stored.
 +
-*WARNING:* There is no check whether the ciphertext device specified
-actually belongs to the header given. In fact, you can specify an
-arbitrary device as the ciphertext device with the --header option.
+*WARNING:* There is no check whether the ciphertext device specified actually belongs to the header given.
+In fact, you can specify an arbitrary device as the ciphertext device with the --header option.
 Use with care.
 endif::[]
 ifndef::ACTION_REENCRYPT[]
 ifdef::ACTION_LUKSFORMAT[]
-With a file name as the argument to --header, the file
-will be automatically created if it does not exist. See the cryptsetup
-FAQ for header size calculation.
+With a file name as the argument to --header, the file will be automatically created if it does not exist.
+See the cryptsetup FAQ for header size calculation.
 +
-The --align-payload option is taken as absolute sector alignment on ciphertext
-device and can be zero.
+The --align-payload option is taken as absolute sector alignment on the ciphertext device and can be zero.
 endif::[]
 ifndef::ACTION_LUKSFORMAT,ACTION_OPEN,ACTION_ERASE[]
-For commands that change the LUKS header (e.g. _luksAddKey_),
-specify the device or file with the LUKS header directly as the LUKS
-device.
+For commands that change the LUKS header (e.g., _luksAddKey_), specify the device or file with the LUKS header directly as the LUKS device.
 endif::[]
 endif::[]
 ifdef::ACTION_REENCRYPT[]
@@ -289,208 +277,202 @@ If used with --encrypt/--new option, the header file will be created (or overwri
 Use with care.
 +
 *LUKS2*:
-For decryption mode the option may be used to export original LUKS2 header
-to a detached file. The passed future file must not exist at the time
-of initializing the decryption operation. This frees space in head of data
-device so that data can be moved at original LUKS2 header location. Later on
-decryption operation continues as if the ordinary detached header was passed.
+For decryption mode, the option may be used to export the original LUKS2 header to a detached file.
+The passed future file must not exist at the time of initializing the decryption operation.
+This frees space in the head of the data device so that data can be moved at the original LUKS2 header location.
+Later on, the decryption operation continues as if the ordinary detached header was passed.
 +
-*WARNING:* Never put exported header file in a filesystem on top of device
-you are about to decrypt! It would cause a deadlock.
+*WARNING:* Never put an exported header file in a filesystem on top of the device you are about to decrypt!
+It would cause a deadlock.
 endif::[]
 ifdef::ACTION_ERASE[]
-Use to specify detached LUKS2 header when erasing HW OPAL enabled data device.
+Use to specify a detached LUKS2 header when erasing OPAL self-encrypting drive.
 endif::[]
 endif::[]
 
 ifdef::ACTION_LUKSHEADERBACKUP,ACTION_LUKSHEADERRESTORE[]
-*--header-backup-file <file>*::
-Specify file with header backup file.
+*--header-backup-file* _file_::
+Specify a file with the header backup file.
 endif::[]
 
 ifdef::COMMON_OPTIONS[]
-*--help, -?*::
+*--help*, *-?*::
 Show help text and default parameters.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--hotzone-size* _size_ *(LUKS2 only)*::
-This option can be used to set an upper limit on the size of
-reencryption area (hotzone). The _size_ can be specified with unit
-suffix (for example 50M). Note that actual hotzone size may be less
-than specified <size> due to other limitations (free space in keyslots
-area or available memory).
+*--hotzone-size* _size_ (LUKS2 only)::
+This option can be used to set an upper limit on the size of the reencryption area (hotzone).
+The _size_ can be specified with a unit suffix (for example, 50M).
+Note that the actual hotzone size may be less than specified <size> due to other limitations (free space in keyslots area or available memory).
 +
-With decryption mode for devices with LUKS2 header placed in head of data
-device, the option specifies how large is the first data segment moved
-from original data offset pointer.
+With decryption mode for devices with LUKS2 header placed in the head of the data device, the option specifies how large is the first data segment moved from the original data offset pointer.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT[]
 *--hw-opal*::
-Format LUKS2 device with dm-crypt encryption stacked on top HW based encryption configured
-on SED OPAL locking range. This option enables both SW and HW based data encryption.
+Format LUKS2 device with dm-crypt encryption stacked on top of HW-based encryption configured on SED OPAL locking range.
+This option enables both SW and HW based data encryption.
 endif::[]
 
 ifdef::ACTION_ERASE[]
 *--hw-opal-factory-reset*::
-Erase *ALL* data on the OPAL self-encrypted device, regardless of the partition it is ran on, if any,
-and does not require a valid LUKS2 header to be present on the device to run. After providing
-correct PSID via interactive prompt or via *--key-file* parameter the device is erased.
-PSID is usually printed on the OPAL device label (either directly or as a QR code).
+Erase *ALL* data on the OPAL self-encrypting drive.
+The option does not require a valid LUKS2 header to be present on the device to run.
+After providing the correct PSID via interactive prompt or via --key-file parameter the device is erased.
++
+PSID is usually printed on the OPAL drive label (either directly or as a QR code).
+PSID must be entered without any dashes, spaces or underscores.
++
+PSID should be treated as sensitive information as it allows anyone with remote access to the OPAL drive to destroy data even if the device is locked.
+Be sure you do not leak PSID through transparent packaging during transport or images of the drive posted online.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT[]
 *--hw-opal-only*::
-Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2
-format only manages locking range unlock key. This option enables HW based data encryption managed
-by SED OPAL drive only.
+Format LUKS2 device with HW based encryption configured on SED OPAL locking range only.
+LUKS2 format only manages the locking range unlock key.
+This option enables HW-based data encryption managed by the SED OPAL drive only.
 +
-*NOTE*: Please note that with OPAL-only (--hw-opal-only) encryption,
-the configured OPAL administrator PIN (passphrase) allows unlocking
-all configured locking ranges without LUKS keyslot decryption
-(without knowledge of LUKS passphrase).
-Because of many observed problems with compatibility, cryptsetup
-currently DOES NOT use OPAL single-user mode, which would allow such
-decoupling of OPAL admin PIN access.
+Please note that with OPAL-only (--hw-opal-only) encryption, the configured OPAL administrator PIN (passphrase) allows unlocking all configured locking ranges without LUKS keyslot decryption (without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup currently DOES NOT use OPAL single-user mode, which would allow such decoupling of OPAL admin PIN access.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--init-only (LUKS2 only)*::
-Initialize reencryption (any mode) operation in LUKS2 metadata only
-and exit. If any reencrypt operation is already initialized in
-metadata, the command with --init-only parameter fails.
+*--init-only* (LUKS2 only)::
+Initialize reencryption (any mode) operation in LUKS2 metadata only and exit.
+If any reencrypt operation is already initialized in metadata, the command with --init-only parameter fails.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT[]
-*--integrity <integrity algorithm>*::
-Specify integrity algorithm to be used for authenticated disk
-encryption in LUKS2.
+*--integrity* _<integrity algorithm>_::
+Specify the integrity algorithm to be used for authenticated disk encryption in LUKS2.
 +
-*WARNING: This extension is EXPERIMENTAL* and requires dm-integrity
-kernel target (available since kernel version 4.12). For native AEAD
-modes, also enable "User-space interface for AEAD cipher algorithms" in
-"Cryptographic API" section (CONFIG_CRYPTO_USER_API_AEAD .config
-option).
+*WARNING: This extension is EXPERIMENTAL* and requires dm-integrity kernel target.
+For native AEAD modes, also enable "User-space interface for AEAD cipher algorithms" in the "Cryptographic API" section (CONFIG_CRYPTO_USER_API_AEAD .config option).
 +
-For more info, see _AUTHENTICATED DISK ENCRYPTION_ section in *cryptsetup*(8).
+For more info, see the _AUTHENTICATED DISK ENCRYPTION_ section in *cryptsetup*(8).
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT[]
+*--integrity-inline*::
+Store integrity tags in hardware sector integrity fields.
+The device must support sectors with additional protection information (PI, also known as DIF - data integrity field) of the requested size.
+Another storage subsystem must not use the additional field (the device must present a "nop" profile in the kernel).
+Note that some devices must be reformatted at a low level to support this option; for NVMe devices, see nvme(1) id-ns LBA profiles.
++
+No journal or bitmap is used in this mode.
+The device should operate with native speed (without any overhead).
+This option is available since the Linux kernel version 6.11.
+endif::[]
+
+ifdef::ACTION_LUKSFORMAT[]
+*--integrity-key-size* _bits_::
+The size of the data integrity key.
+The argument has to be a multiple of 8.
+Configurable only for HMAC integrity.
+The default integrity key size is set to the same as the hash output length.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT[]
 *--integrity-legacy-padding*::
 Use inefficient legacy padding.
 +
-*WARNING*: Do not use this option until you need compatibility with specific
-old kernel.
+Do not use this option until you need compatibility with a specific old kernel.
 endif::[]
 
 ifdef::ACTION_REFRESH[]
 *--integrity-no-journal*::
-Activate device with integrity protection without using data journal
-(direct write of data and integrity tags). Note that without journal
-power fail can cause non-atomic write and data corruption. Use only if
-journalling is performed on a different storage layer.
+Activate device with integrity protection without using data journal (direct write of data and integrity tags).
+Note that without a journal, a power failure can cause non-atomic writes and data corruption.
+Use only if journaling is performed on a different storage layer.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT[]
 *--integrity-no-wipe*::
-Skip wiping of device authentication (integrity) tags. If you skip
-this step, sectors will report invalid integrity tag until an
-application write to the sector.
+Skip wiping of device authentication (integrity) tags.
+If you skip this step, sectors will report an invalid integrity tag until an application writes to the sector.
 +
-*NOTE:* Even some writes to the device can fail if the write is not
-aligned to page size and page-cache initiates read of a sector with
-invalid integrity tag.
+Skipping this step could also cause write failures due to IO operation alignments.
+For example, kernel page cache can request a read of a full page that fails due to an uninitialized integrity tag.
+It is usually a bug in the application that tries to read data that was not written before.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
-*--iter-time, -i <number of milliseconds>*::
+*--iter-time*, *-i* _<number of milliseconds>_::
 ifndef::ACTION_REENCRYPT[]
 The number of milliseconds to spend with PBKDF passphrase processing.
-Specifying 0 as parameter selects the compiled-in default.
+Specifying 0 as a parameter selects the compiled-in default.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-The number of milliseconds to spend with PBKDF passphrase processing for the
-new LUKS header.
+The number of milliseconds to spend with PBKDF passphrase processing for the new LUKS header.
 endif::[]
 endif::[]
 
 ifdef::ACTION_OPEN[]
 *--iv-large-sectors*::
-Count Initialization Vector (IV) in larger sector size (if set)
-instead of 512 bytes sectors. This option can be used only with _plain_
-device type.
+Count Initialization Vector (IV) in larger sector size (if set) instead of 512-byte sectors.
+This option can be used only with the _plain_ device type.
 +
-*NOTE:* This option does not have any performance or security impact,
-use it only for accessing incompatible existing disk images from other
-systems that require this option.
+This option does not have any performance or security impact; use it only for accessing incompatible existing disk images from other systems that require this option.
 endif::[]
 
 ifdef::ACTION_TOKEN[]
 *--json-file*::
-Read token JSON from a file or write token to it. --json-file=- reads JSON from
-standard input or writes it to standard output respectively.
+Read the token JSON from a file or write the token to it.
+Option --json-file=- reads JSON from standard input or writes it to standard output, respectively.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
 *--keep-key*::
 *LUKS2*:
-Do not change effective volume key and change other parameters provided
-it is requested.
+Do not change the effective volume key, and change other parameters if requested.
 +
 *LUKS1*:
-Reencrypt only the LUKS1 header and keyslots. Skips data in-place reencryption.
+Reencrypt only the LUKS1 header and keyslots.
+Skips data in-place reencryption.
 endif::[]
 
-ifdef::ACTION_TOKEN[]
-*--key-description <text>*::
-Set key description in keyring for use with _token_ command.
+ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSDUMP,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_TOKEN[]
+*--key-description* _text_::
+Set the key description in the keyring that will be used for passphrase retrieval.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_TCRYPTDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[]
-*--key-file, -d* _name_::
-Read the passphrase from file.
+*--key-file*, *-d* _file_::
+Read the passphrase from the file.
 +
 If the name given is "-", then the passphrase will be read from stdin.
 In this case, reading will not stop at newline characters.
 +
 ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY[]
-The passphrase supplied via --key-file is always the passphrase for existing
-keyslot requested by the command.
+The passphrase supplied via --key-file is always the passphrase for the existing keyslot requested by the command.
 +
 ifdef::ACTION_LUKSADDKEY[]
-If you want to set a new passphrase via key file, you have to use a
-positional argument or parameter --new-keyfile.
+If you want to set a new passphrase via key file, you have to use a positional argument or parameter --new-keyfile.
 endif::[]
 ifdef::ACTION_LUKSCHANGEKEY[]
-If you want to set a new passphrase via key file, you have to use a
-positional argument.
+If you want to set a new passphrase via a key file, you have to use a positional argument.
 endif::[]
 +
 endif::[]
 ifdef::ACTION_OPEN[]
-*NOTE:* With _plain_ device type, the passphrase obtained via --key-file option is
-passed directly in dm-crypt. Unlike the interactive mode (stdin)
-where digest (--hash option) of the passphrase is passed in dm-crypt instead.
+With _plain_ device type, the passphrase obtained via --key-file option is passed directly in dm-crypt.
+Unlike the interactive mode (stdin), where the digest of the passphrase is passed in dm-crypt instead.
 +
 endif::[]
 ifndef::ACTION_REENCRYPT[]
 See section _NOTES ON PASSPHRASE PROCESSING_ in *cryptsetup*(8) for more information.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-*WARNING:* --key-file option can be used only if there is only one active keyslot,
-or alternatively, also if --key-slot option is specified (then all other keyslots
-will be disabled in new LUKS device).
+The --key-file option can be used only if there is only one active keyslot, or alternatively, also if --key-slot option is specified (then all other keyslots will be disabled in the new LUKS device).
 +
-If this option is not used, cryptsetup will ask for all active keyslot
-passphrases.
+If this option is not used, cryptsetup will ask for all active keyslot passphrases.
 endif::[]
 endif::[]
 ifdef::ACTION_ERASE[]
-*--key-file, -d* _name_ *(LUKS2 with HW OPAL only)*::
-
-Read the Admin PIN or PSID (with --hw-opal-factory-reset) from file
-depending on options used.
+*--key-file*, *-d* _file_ (LUKS2 with HW OPAL only)::
+Read the Admin PIN or PSID (with --hw-opal-factory-reset) from the file, depending on options used.
 +
 If the name given is "-", then the secret will be read from stdin.
 In this case, reading will not stop at newline characters.
@@ -503,190 +485,218 @@ Skip _value_ bytes at the beginning of the key file.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_BITLKDUMP[]
-*--keyfile-size, -l* _value_::
-Read a maximum of _value_ bytes from the key file. The default is to
-read the whole file up to the compiled-in maximum that can be queried
-with --help. Supplying more data than the compiled-in maximum aborts
-the operation.
+*--keyfile-size*, *-l* _value_::
+Read a maximum of _value_ bytes from the key file.
+The default is to read the whole file up to the compiled-in maximum that can be queried with --help.
+Supplying more data than the compiled-in maximum aborts the operation.
 +
-This option is useful to cut trailing newlines, for example. If
---keyfile-offset is also given, the size count starts after the offset.
+This option is useful to cut trailing newlines, for example.
+If --keyfile-offset is also given, the size count starts after the offset.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT,ACTION_BENCHMARK,ACTION_LUKSADDKEY[]
-*--key-size, -s* _bits_::
-ifndef::ACTION_LUKSADDKEY[]
-Sets key size in _bits_. The argument has to be a multiple of 8. The
-possible key-sizes are limited by the cipher and mode used.
+*--key-size*, *-s* _bits_::
+ifndef::ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
+Sets key size in _bits_.
+The argument has to be a multiple of 8.
+The possible key sizes are limited by the cipher and mode used.
 +
-See /proc/crypto for more information. Note that key-size in
-/proc/crypto is stated in bytes.
+See /proc/crypto for more information.
+Note that the key size in /proc/crypto is stated in bytes.
 +
 endif::[]
 ifdef::ACTION_LUKSADDKEY[]
-Provide volume key size in _bits_. The argument has to be a multiple of 8.
+Provide volume key size in _bits_.
+The argument has to be a multiple of 8.
 +
-This option is required when parameter --volume-key-file is used to provide
-current volume key. Also, it is used when new unbound keyslot is created by
-specifying --unbound parameter.
+This option is required when the parameter --volume-key-file is used to provide current volume key.
+Also, it is used when a new unbound keyslot is created by specifying --unbound parameter.
 endif::[]
 ifdef::ACTION_OPEN[]
-This option can be used for _plain_ device type only.
+This option can be used for _plain_ and _luks_ devices.
+For LUKS2 devices in reencryption, you may use the parameter twice to specify both old and new volume key sizes.
+Each --key-size option corresponds to the respective --volume-key-file parameter (also allowed to be used up to two times).
 endif::[]
 ifndef::ACTION_REENCRYPT,ACTION_OPEN,ACTION_LUKSADDKEY[]
-This option can be used for _open --type plain_ or _luksFormat_. All
-other LUKS actions will use the key-size specified in the LUKS header.
+This option can be used for _open --type plain_ or _luksFormat_.
+All other LUKS actions will use the key size specified in the LUKS header.
 Use _cryptsetup --help_ to show the compiled-in defaults.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-*LUKS1*:
-If you are increasing key size, there must be enough space in the LUKS header
-for enlarged keyslots (data offset must be large enough) or reencryption
-cannot be performed.
+*LUKS2*:
+Provide current key size in _bits_.
+The argument has to be a multiple of 8.
+Useful when specifying the size of the current volume key when no keyslot is active.
 +
-If there is not enough space for keyslots with new key size,
-you can destructively shrink device with --reduce-device-size option.
+*LUKS1*:
+See --new-key-size.
 endif::[]
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_CONFIG,ACTION_TOKEN,ACTION_REPAIR,ACTION_REENCRYPT[]
-*--key-slot, -S <0-N>*::
+*--key-slot*, *-S* _<0-N>_::
 ifdef::ACTION_LUKSADDKEY[]
-When used together with parameter --new-key-slot this option allows you to specify which
-key slot is selected for unlocking volume key.
+When used together with the parameter --new-key-slot, this option allows you to specify which keyslot is selected for unlocking the volume key.
 +
-*NOTE:* This option is ignored if existing volume key gets unlocked
-via LUKS2 token (--token-id, --token-type or --token-only parameters) or
-when volume key is provided directly via --volume-key-file parameter.
+This option is ignored if the existing volume key gets unlocked via LUKS2 token (--token-id, --token-type or --token-only parameters) or when volume key is provided directly via --volume-key-file parameter.
 +
-*NOTE:* To maintain backward compatibility, without --new-key-slot parameter,
-this option allows you to specify which key slot is selected for the new key.
+To maintain backward compatibility, without --new-key-slot parameter, this option allows you to specify which keyslot is selected for the new key.
 endif::[]
 ifndef::ACTION_OPEN,ACTION_LUKSADDKEY[]
-For LUKS operations that add key material, this option allows you to
-specify which key slot is selected for the new key.
+For LUKS operations that add key material, this option allows you to specify which keyslot is selected for the new key.
 endif::[]
 ifdef::ACTION_OPEN[]
-This option selects a specific key-slot to
-compare the passphrase against. If the given passphrase would only
-match a different key-slot, the operation fails.
+This option selects a specific keyslot to compare the passphrase against.
+If the given passphrase would only matches a different keyslot, the operation fails.
 endif::[]
 +
 ifdef::ACTION_REENCRYPT[]
-For reencryption mode it selects specific keyslot (and passphrase) that can be used to unlock new volume key.
-If used all other keyslots get removed after reencryption operation is finished.
+For reencryption mode, it selects a specific keyslot (and passphrase) that can be used to unlock the new volume key.
+If used, all other keyslots get removed after the reencryption operation is finished.
 +
 endif::[]
-The maximum number of key slots depends on the LUKS version. LUKS1 can have up
-to 8 key slots. LUKS2 can have up to 32 key slots based on key slot area
-size and key size, but a valid key slot ID can always be between 0 and
-31 for LUKS2.
+The maximum number of keyslots depends on the LUKS version.
+LUKS1 can have up to 8 keyslots.
+LUKS2 can have up to 32 keyslots based on keyslot area size and key size, but a valid keyslot ID can always be between 0 and 31 for LUKS2.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
-*--keyslot-cipher <cipher-spec>*::
-This option can be used to set specific cipher encryption for the
-LUKS2 keyslot area.
+*--keyslot-cipher* _<cipher-spec>_::
+This option can be used to set specific cipher encryption for the LUKS2 keyslot area.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
-*--keyslot-key-size <bits>*::
-This option can be used to set specific key size for the LUKS2 keyslot
-area.
+*--keyslot-key-size* _<bits>_::
+This option can be used to set a specific key size for the LUKS2 keyslot area.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_CONFIG,ACTION_REENCRYPT[]
-*--label <LABEL> --subsystem <SUBSYSTEM>*::
+*--label* _<label>_,  *--subsystem* _<subsystem>_::
 Set label and subsystem description for LUKS2 device.
-The label and subsystem are optional fields and can be later used
-in udev scripts for triggering user actions once the device marked
-by these labels is detected.
+These are similar to filesystem labels.
+The label and subsystem are optional fields and can be later used in udev scripts to trigger user actions once the device marked by these labels is detected.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSRESUME[]
-*--link-vk-to-keyring* _<keyring_description>::<key_description>_::
-Link volume key in a keyring with specified key name. The volume key is linked only
-if requested action is successfully finished (with --test-passphrase the verified
-volume key is linked in a keyring without taking further action).
+*--link-vk-to-keyring* _<keyring description>::<key description>_::
+Link the volume key in a keyring with the specified key name.
+The volume key is linked only if the requested action is successfully finished (with --test-passphrase, the verified volume key is linked in a keyring without taking further action).
 +
-_<keyring_description>_ string has to contain existing kernel keyring
-description. The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions.
-Or, the keyring may also be specified directly by numeric key id. Also special keyring notations
-starting with "@" may be used to select existing predefined kernel keyrings.
+The _<keyring description>_ string has to contain the existing kernel keyring description.
+The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions.
+Or, the keyring may also be specified directly by numeric key id.
+Also, special keyring notations starting with "@" may be used to select existing predefined kernel keyrings.
 +
-The string "::" is delimiter used to separate keyring description and key description.
+The string "::" is a delimiter used to separate the keyring description and key description.
 +
-_<key_description>_ part describes key type and key name of volume key linked in the keyring
-described in _<keyring_description>_. The type may be specified by adding "%<type_name>:" prefix in front of
-key name. If type is missing default _user_ type is applied. If the key of same name and same type already exists (already linked in the keyring)
-it will get replaced in the process.
+_<key description>_ part describes key type and key name of volume key linked in the keyring described in _<keyring description>_.
+The type may be specified by adding a "%<type_name>:" prefix in front of the key name.
+If the type is missing, the default _user_ type is applied.
+If the key of the same name and type already exists (already linked in the keyring), it will get replaced in the process.
 +
-See also *KEY IDENTIFIERS* section of *keyctl*(1).
+See also the *KEY IDENTIFIERS* section of *keyctl*(1).
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
-*--luks2-keyslots-size <size>*::
-This option can be used to set specific size of the LUKS2 binary
-keyslot area (key material is encrypted there). The value must be
-aligned to multiple of 4096 bytes with maximum size 128MB. The <size>
-can be specified with unit suffix (for example 128k).
+*--luks2-keyslots-size* _size_::
+This option can be used to set a specific size of the LUKS2 binary keyslot area (key material is encrypted there).
+The value must be aligned to a multiple of 4096 bytes with a maximum size 128MB.
+The <size> can be specified with a unit suffix (for example, 128k).
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
-*--luks2-metadata-size <size>*::
-This option can be used to enlarge the LUKS2 metadata (JSON) area. The
-size includes 4096 bytes for binary metadata (usable JSON area is
-smaller of the binary area). According to LUKS2 specification, only
-these values are valid: 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096
-kB The <size> can be specified with unit suffix (for example 128k).
+*--luks2-metadata-size* _size_::
+This option can be used to enlarge the LUKS2 metadata (JSON) area.
+The size includes 4096 bytes for binary metadata (usable JSON area is smaller of the binary area).
+According to the LUKS2 specification, only these values are valid: 16, 32, 64, 128, 256, 512, 1024, 2048 and 4096 kB.
+The <size> can be specified with a unit suffix (for example, 128k).
 endif::[]
 
 ifdef::ACTION_LUKSADDKEY[]
 *--new-keyfile* _name_::
-Read the passphrase for a new keyslot from file.
+Read the passphrase for a new keyslot from a file.
 +
 If the name given is "-", then the passphrase will be read from stdin.
 In this case, reading will not stop at newline characters.
 +
-This is alternative method to positional argument when adding new
-passphrase via kefile.
+This is an alternative method to positional argument when adding a new passphrase via keyfile.
 endif::[]
 
 ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY[]
 *--new-keyfile-offset* _value_::
-Skip _value_ bytes at the start when adding a new passphrase from key
-file.
+Skip _value_ bytes at the start when adding a new passphrase from the key file.
 endif::[]
 
 ifdef::ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY[]
 *--new-keyfile-size* _value_::
-Read a maximum of _value_ bytes when adding a new passphrase from key
-file. The default is to read the whole file up to
-the compiled-in maximum length that can be queried with --help.
-Supplying more than the compiled in maximum aborts the operation. When
---new-keyfile-offset is also given, reading starts after the offset.
+Read a maximum of _value_ bytes when adding a new passphrase from the key file.
+The default is to read the whole file up to the compiled-in maximum length that can be queried with --help.
+Supplying more than the compiled-in maximum aborts the operation.
+When --new-keyfile-offset is also given, reading starts after the offset.
 endif::[]
 
 ifdef::ACTION_LUKSADDKEY[]
-*--new-key-slot <0-N>*::
-This option allows you to specify which key slot is selected for
-the new key.
+*--new-key-description* _text_::
+Set the key description in the keyring that will be used for new passphrase retrieval.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--new-key-size* _bits_::
+Sets new key size in _bits_.
+The argument has to be a multiple of 8.
+The possible key sizes are limited by the new cipher and mode used in reencryption.
++
+See /proc/crypto for more information.
+Note that the key size in /proc/crypto is stated in bytes.
++
+*LUKS1*:
+If you are increasing key size, there must be enough space in the LUKS header for enlarged keyslots (data offset must be large enough), or reencryption cannot be performed.
 +
-*NOTE:* When used this option affects --key-slot option.
+If there is not enough space for keyslots with the new key size, you can destructively shrink the device with --reduce-device-size option.
+endif::[]
+
+ifdef::ACTION_LUKSADDKEY[]
+*--new-key-slot* _<0-N>_::
+This option allows you to specify which keyslot is selected for the new key.
 +
-The maximum number of key slots depends on the LUKS version. LUKS1 can have up
-to 8 key slots. LUKS2 can have up to 32 key slots based on key slot area
-size and key size, but a valid key slot ID can always be between 0 and
-31 for LUKS2.
+The maximum number of keyslots depends on the LUKS version.
+LUKS1 can have up to 8 keyslots.
+LUKS2 can have up to 32 keyslots based on keyslot area size and key size, but a valid keyslot ID can always be between 0 and 31 for LUKS2.
 endif::[]
 
 ifdef::ACTION_LUKSADDKEY[]
-*--new-token-id*::
+*--new-token-id* _<id>_::
 Specify what token to use to get the passphrase for a new keyslot.
 endif::[]
 
+ifdef::ACTION_REENCRYPT[]
+*--new-volume-key-file* _file_::
+Use (set) the new volume key stored in a file.
+The option must be paired with --new-key-size parameter when initializing the reencryption operation.
++
+*WARNING:* If you create your own volume key, you need to make sure to do it right.
+Otherwise, you can end up with a low-entropy or otherwise partially predictable volume key, which will compromise security.
+endif::[]
+
+ifdef::ACTION_REENCRYPT[]
+*--new-volume-key-keyring* _<key description>_::
+Use (set) the new volume key stored in a keyring.
++
+The size of the key stored in a keyring must be compatible with the new cipher used in the reencryption operation.
+See /proc/crypto for more information.
+Note that the key size in /proc/crypto is stated in bytes.
++
+The _<key description>_ uses keyctl-compatible syntax.
+This can either be a numeric key ID or a string name in the format _%<key type>:<key name>_.
+See also the *KEY IDENTIFIERS* section of *keyctl*(1).
+When no _%<key type>:_ prefix is specified, we assume the key type is _user_ (default type).
++
+*WARNING:* If you create your own volume key, you need to make sure to do it right.
+Otherwise, you can end up with a low-entropy or otherwise partially predictable volume key, which will compromise security.
+endif::[]
+
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
-*--offset, -o <number of 512 byte sectors>*::
+*--offset*, *-o* _<number of 512 byte sectors>_::
 Start offset in the backend device in 512-byte sectors.
 ifdef::ACTION_OPEN[]
 This option is only relevant with plain or loopaes device types.
@@ -696,159 +706,147 @@ This option is only relevant for the encrypt mode.
 endif::[]
 +
 ifndef::ACTION_OPEN[]
-The --offset option sets the data offset (payload) of data
-device and must be aligned to 4096-byte sectors (must be multiple of
-8). This option cannot be combined with --align-payload option.
+The --offset option sets the data offset (payload) of the data device and must be aligned to 4096-byte sectors (must be a multiple of 8).
+This option cannot be combined with --align-payload option.
 endif::[]
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
-*--pbkdf <PBKDF spec>*::
-Set Password-Based Key Derivation Function (PBKDF) algorithm for LUKS
-keyslot. The PBKDF can be: _pbkdf2_ (for PBKDF2 according to RFC2898),
-_argon2i_ for Argon2i or _argon2id_ for Argon2id (see
-https://www.cryptolux.org/index.php/Argon2[Argon2] for more info).
-+
-For LUKS1, only PBKDF2 is accepted (no need to use this option). The
-default PBKDF for LUKS2 is set during compilation time and is available
-in _cryptsetup --help_ output.
-+
-A PBKDF is used for increasing dictionary and brute-force attack cost
-for keyslot passwords. The parameters can be time, memory and parallel
-cost.
-+
-For PBKDF2, only time cost (number of iterations) applies. For
-Argon2i/id, there is also memory cost (memory required during the
-process of key derivation) and parallel cost (number of threads that run
-in parallel during the key derivation.
-+
-Note that increasing memory cost also increases time, so the final
-parameter values are measured by a benchmark. The benchmark tries to
-find iteration time (_--iter-time_) with required memory cost
-_--pbkdf-memory_. If it is not possible, the memory cost is decreased as
-well. The parallel cost _--pbkdf-parallel_ is constant and is checked
-against available CPU cores.
-+
-You can see all PBKDF parameters for particular LUKS2 keyslot with
-*cryptsetup-luksDump*(8) command.
-+
-*NOTE:* If you do not want to use benchmark and want to specify all
-parameters directly, use _--pbkdf-force-iterations_ with
-_--pbkdf-memory_ and _--pbkdf-parallel_. This will override the values
-without benchmarking. Note it can cause extremely long unlocking time
-or cause out-of-memory conditions with unconditional process termination.
-Use only in specific cases, for example, if you know that the formatted
-device will be used on some small embedded system.
-+
-*MINIMAL AND MAXIMAL PBKDF COSTS:* For *PBKDF2*, the minimum iteration
-count is 1000 and maximum is 4294967295 (maximum for 32bit unsigned
-integer). Memory and parallel costs are unused for PBKDF2. For *Argon2i*
-and *Argon2id*, minimum iteration count (CPU cost) is 4 and maximum is
-4294967295 (maximum for 32bit unsigned integer). Minimum memory cost is
-32 KiB and maximum is 4 GiB. (Limited by addressable memory on some CPU
-platforms.) If the memory cost parameter is benchmarked (not specified
-by a parameter) it is always in range from 64 MiB to 1 GiB. The parallel
-cost minimum is 1 and maximum 4 (if enough CPUs cores are available,
-otherwise it is decreased).
+*--pbkdf* _<PBKDF spec>_::
+Set Password-Based Key Derivation Function (PBKDF) algorithm for LUKS keyslot.
+The PBKDF can be: _pbkdf2_ (for PBKDF2 according to RFC2898), _argon2i_ for Argon2i or _argon2id_ for Argon2id (see https://www.cryptolux.org/index.php/Argon2[Argon2] for more info).
++
+For LUKS1, only PBKDF2 is accepted (no need to use this option).
+The default PBKDF for LUKS2 is set during compilation time and is available in the _cryptsetup --help_ output.
++
+A PBKDF is used for increasing the dictionary and brute-force attack cost for keyslot passwords.
+The parameters can be time, memory and parallel cost.
++
+For PBKDF2, only the time cost (number of iterations) applies.
+For Argon2i/id, there is also memory cost (memory required during the process of key derivation) and parallel cost (number of threads that run in parallel during the key derivation.
++
+Note that increasing memory cost also increases time, so the final parameter values are measured by a benchmark.
+The benchmark tries to find iteration time (--iter-time) with required memory cost --pbkdf-memory.
+If it is not possible, the memory cost is decreased as well.
+The parallel cost --pbkdf-parallel is constant and is checked against available CPU cores.
++
+You can see all PBKDF parameters for a particular LUKS2 keyslot with the *cryptsetup-luksDump*(8) command.
++
+If you do not want to use benchmark and want to specify all parameters directly, use --pbkdf-force-iterations with --pbkdf-memory and --pbkdf-parallel.
+This will override the values without benchmarking.
+Note it can cause extremely long unlocking time or cause out-of-memory conditions with unconditional process termination.
+Use only in specific cases, for example, if you know that the formatted device will be used on some small embedded system.
++
+*MINIMAL AND MAXIMAL PBKDF COSTS:* For *PBKDF2*, the minimum iteration count is 1000 and the maximum is 4294967295 (maximum for 32-bit unsigned integer).
+Memory and parallel costs are not supported for PBKDF2.
+For *Argon2i* and *Argon2id*, the minimum iteration count (CPU cost) is 4, and the maximum is 4294967295 (maximum for a 32-bit unsigned integer).
+Minimum memory cost is 32 KiB and maximum is 4 GiB.
+If the memory cost parameter is benchmarked (not specified by a parameter), it is always in the range from 64 MiB to 1 GiB.
+Memory cost above 1GiB (up to the 4GiB maximum) can be setup only by the --pbkdf-memory parameter.
+The parallel cost minimum is 1 and maximum 4 (if enough CPU cores are available, otherwise it is decreased by the available CPU cores).
++
+*WARNING:* Increasing PBKDF computational costs above the mentioned limits provides negligible additional security improvement.
+While elevated costs significantly increase brute-force overhead, they offer negligible protection against dictionary attacks.
+The marginal cost increase for processing an entire dictionary remains fundamentally insufficient.
++
+The hardcoded PBKDF limits represent engineered trade-offs between cryptographic security and operational usability.
+LUKS maintains portability and must be used within a reasonable time on resource-constrained systems.
++
+Cryptsetup deliberately restricts maximum memory cost (4 GiB) and parallel cost (4) parameters due to architectural limitations (like embedded and legacy systems).
++
+PBKDF memory cost mandates actual physical RAM allocation with intensive write operations that must remain in physical RAM.
+Any swap usage results in unacceptable performance degradation.
+Memory management often overcommits allocations beyond available physical memory, expecting most allocated memory to remain unused.
+In such situations, as PBKDF always uses all allocated memory, it frequently causes out-of-memory failures that abort cryptsetup operations.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT[]
-*--pbkdf-force-iterations <num>*::
-Avoid PBKDF benchmark and set time cost (iterations) directly. It can
-be used for LUKS/LUKS2 device only. See _--pbkdf_ option for more
-info.
+*--pbkdf-force-iterations* _number_::
+Avoid the PBKDF benchmark and set the time cost (iterations) directly.
+It can be used only for a LUKS/LUKS2 device.
+See --pbkdf option for more info.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
-*--pbkdf-memory <number>*::
-Set the memory cost for PBKDF (for Argon2i/id the number represents
-kilobytes). Note that it is maximal value, PBKDF benchmark or
-available physical memory can decrease it. This option is not
-available for PBKDF2.
+*--pbkdf-memory* _number_::
+Set the memory cost for PBKDF (for Argon2i/id, the number represents kilobytes).
+Note that it is the maximal value; PBKDF benchmark or available physical memory can decrease it.
+This option is not available for PBKDF2.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_REENCRYPT,ACTION_BENCHMARK[]
-*--pbkdf-parallel <number>*::
-Set the parallel cost for PBKDF (number of threads, up to 4). Note
-that it is maximal value, it is decreased automatically if CPU online
-count is lower. This option is not available for PBKDF2.
+*--pbkdf-parallel* _number_::
+Set the parallel cost for PBKDF (number of threads, up to 4).
+Note that it is the maximal value; it is decreased automatically if the CPU online count is lower.
+This option is not available for PBKDF2.
+endif::[]
+
+ifdef::ACTION_REFRESH,ACTION_OPEN[]
+*--perf-high_priority*::
+Set dm-crypt workqueues and the writer thread to high priority.
+This improves throughput and latency of dm-crypt while degrading the general responsiveness of the system.
++
+This option is available only for low-level dm-crypt performance tuning, use only if you need a change to the default dm-crypt behaviour.
+Needs kernel 6.10 or later.
 endif::[]
 
 ifdef::ACTION_REFRESH,ACTION_OPEN[]
-*--perf-no_read_workqueue, --perf-no_write_workqueue*::
-Bypass dm-crypt internal workqueue and process read or write requests
-synchronously.
+*--perf-no_read_workqueue*, *--perf-no_write_workqueue*::
+Bypass dm-crypt internal workqueue and process read or write requests synchronously.
 +
-*NOTE:* These options are available only for low-level dm-crypt
-performance tuning, use only if you need a change to default dm-crypt
-behaviour. Needs kernel 5.9 or later.
+These options are available only for low-level dm-crypt performance tuning, use only if you need a change to the default dm-crypt behaviour.
+Needs kernel 5.9 or later.
 endif::[]
 
 ifdef::ACTION_REFRESH,ACTION_OPEN[]
 *--perf-same_cpu_crypt*::
-Perform encryption using the same cpu that IO was submitted on. The
-default is to use an unbound workqueue so that encryption work is
-automatically balanced between available CPUs.
+Perform encryption using the same CPU on which that IO was submitted.
+The default is to use an unbound workqueue so that encryption work is automatically balanced between available CPUs.
 +
-*NOTE:* This option is available only for low-level dm-crypt performance
-tuning, use only if you need a change to default dm-crypt behaviour.
-Needs kernel 4.0 or later.
+This option is available only for low-level dm-crypt performance tuning, use only if you need a change to the default dm-crypt behaviour.
 endif::[]
 
 ifdef::ACTION_REFRESH,ACTION_OPEN[]
 *--perf-submit_from_crypt_cpus*::
-Disable offloading writes to a separate thread after encryption. There
-are some situations where offloading write bios from the encryption
-threads to a single thread degrades performance significantly. The
-default is to offload write bios to the same thread.
+Disable offloading writes to a separate thread after encryption.
+There are some situations where offloading write bios from the encryption threads to a single thread degrades performance significantly.
+The default is to offload write bios to the same thread.
 +
-*NOTE:* This option is available only for low-level dm-crypt performance
-tuning, use only if you need a change to default dm-crypt behaviour.
-Needs kernel 4.0 or later.
+This option is available only for low-level dm-crypt performance tuning, use only if you need a change to the default dm-crypt behaviour.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_REFRESH[]
 *--persistent*::
-If used with LUKS2 devices and activation commands like _open_ or
-_refresh_, the specified activation flags are persistently written
-into metadata and used next time automatically even for normal
-activation. (No need to use cryptab or other system configuration
-files.)
+If used with LUKS2 devices and activation commands like _open_ or _refresh_, the specified activation flags are persistently written into metadata and used next time automatically, even for normal activation.
+(No need to use cryptab or other system configuration files.)
 +
-If you need to remove a persistent flag, use _--persistent_ without the
-flag you want to remove (e.g. to disable persistently stored discard
-flag, use _--persistent_ without _--allow-discards_).
+If you need to remove a persistent flag, use --persistent without the flag you want to remove (e.g., to disable the persistently stored discard flag, use --persistent without --allow-discards).
 +
-Only _--allow-discards_, _--perf-same_cpu_crypt_,
-_--perf-submit_from_crypt_cpus_, _--perf-no_read_workqueue_,
-_--perf-no_write_workqueue_ and _--integrity-no-journal_ can be stored
-persistently.
+Only --allow-discards, --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus, --perf-no_read_workqueue, --perf-no_write_workqueue and --integrity-no-journal can be stored persistently.
 endif::[]
 
 ifdef::ACTION_CONFIG[]
-*--priority <normal|prefer|ignore>*::
-Set a priority for LUKS2 keyslot. The _prefer_ priority marked slots
-are tried before _normal_ priority. The _ignored_ priority means, that
-slot is never used, if not explicitly requested by _--key-slot_
-option.
+*--priority* _<normal|prefer|ignore>_::
+Set a priority for LUKS2 keyslot.
+The _prefer_ priority marked slots are tried before the _normal_ priority.
+The _ignored_ priority means that the slot is never used, if not explicitly requested by --key-slot option.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
 *--progress-frequency* _seconds_::
 ifndef::ACTION_REENCRYPT[]
-Print separate line every _seconds_ with wipe progress.
+Print a separate line every _seconds_ with wipe progress.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-Print separate line every _seconds_ with reencryption progress.
+Print a separate line every _seconds_ with reencryption progress.
 endif::[]
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
 *--progress-json*::
-Prints progress data in JSON format suitable mostly for machine
-processing. It prints separate line every half second (or based on
-_--progress-frequency_ value). The JSON output looks as follows during
-progress (except it's compact single line):
+Prints progress data in JSON format, which is suitable mostly for machine processing.
+It prints a separate line every half second (or based on --progress-frequency value).
+The JSON output looks as follows during progress (except it's a compact single line):
 +
 ....
 {
@@ -861,83 +859,73 @@ progress (except it's compact single line):
 }
 ....
 +
-Note on numbers in JSON output: Due to JSON parsers limitations all
-numbers are represented in a string format due to need of full 64bit
-unsigned integers.
+Note on numbers in JSON output: Due to JSON parser limitations, all numbers are represented in a string format due to the need for full 64-bit unsigned integers.
 endif::[]
 
 ifdef::ACTION_OPEN[]
-*--readonly, -r*::
-set up a read-only mapping.
+*--readonly*, *-r*::
+Set up a read-only mapping.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
 *--reduce-device-size* _size_::
-This means that last _size_ sectors on the original device will be lost,
-data will be effectively shifted by specified number of sectors.
+This means that the last _size_ sectors on the original device will be lost, and data will be effectively shifted by the specified number of sectors.
 +
-It could be useful if you added some space to underlying partition or
-logical volume (so last _size_ sectors contains no data).
+It could be useful if you added some space to the underlying partition or logical volume (so the ast _size_ sectors contains no data).
 +
-For units suffix see --device-size parameter description.
+For units suffix, see --device-size parameter description.
 +
-*WARNING:* This is a destructive operation and cannot be reverted. Use
-with extreme care - accidentally overwritten filesystems are usually
-unrecoverable.
+*WARNING:* This is a destructive operation and cannot be reverted.
+Use with extreme care - accidentally overwritten filesystems are usually unrecoverable.
 +
 *LUKS2*:
-Initialize LUKS2 reencryption with data device size reduction
-(currently only encryption mode is supported).
+Initialize LUKS2 reencryption with data device size reduction (currently, only encryption mode is supported).
+The last _size_ sectors on the original plaintext device is used for temporarily storing the original first data segment.
+The former first data segment is replaced with LUKS2 header (half the _size_ value), and plaintext data is shifted backwards (again half the _size_ value) while being encrypted.
 +
-Recommended minimal size is twice the default LUKS2 header size
-(--reduce-device-size 32M) for encryption mode.
+The recommended minimum size is twice the default LUKS2 header size (--reduce-device-size 32M) for encryption mode.
++
+The sum of --device-size and --reduce-device-size values must not exceed the real device size.
 +
 *LUKS1*:
-Enlarge data offset to specified value by shrinking device size.
+Enlarge the data offset to the specified value by shrinking the device size.
 +
-You cannot shrink device more than by 64 MiB (131072 sectors).
+You cannot shrink the device by more than 64 MiB (131072 sectors).
 endif::[]
 
 ifdef::ACTION_OPEN[]
 *--refresh*::
-Refreshes an active device with new set of parameters. See
-*cryptsetup-refresh*(8) for more details.
+Refreshes an active device with a new set of parameters.
+See *cryptsetup-refresh*(8) for more details.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--resilience* _mode_ *(LUKS2 only)*::
-Reencryption resilience _mode_ can be one of _checksum_, _journal_ or
-_none_.
+*--resilience* _mode_ (LUKS2 only)::
+Reencryption resilience _mode_ can be one of _checksum_, _journal_ or _none_.
 +
-_checksum_: default mode, where individual checksums of ciphertext
-hotzone sectors are stored, so the recovery process can detect which
-sectors were already reencrypted. It requires that the device sector
-write is atomic.
+_checksum_: default mode, where individual checksums of ciphertext hotzone sectors are stored, so the recovery process can detect which sectors were already reencrypted.
+It requires that the device sector write is atomic.
 +
-_journal_: the hotzone is journaled in the binary area (so the data are
-written twice).
+_journal_: The hotzone is journaled in the binary area (so the data are written twice).
 +
-_none_: performance mode. There is no protection and the only way it's
-safe to interrupt the reencryption is similar to old offline
-reencryption utility.
+_none_: Performance mode.
+There is no protection, and the only way it's safe to interrupt the reencryption is similar to an old offline reencryption utility.
 +
-Resilience modes can be changed unless _datashift_ mode is used for
-operation initialization (encryption with --reduce-device-size option)
+Resilience modes can be changed unless _datashift_ mode is used for operation initialization (encryption with --reduce-device-size option).
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--resilience-hash* _hash_ *(LUKS2 only)*::
-The _hash_ algorithm used with "--resilience checksum" only. The default
-hash is sha256. With other resilience modes, the hash parameter is
-ignored.
+*--resilience-hash* _hash_ (LUKS2 only)::
+The _hash_ algorithm is used with "--resilience checksum" only.
+The default hash is sha256.
+With other resilience modes, the hash parameter is ignored.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--resume-only (LUKS2 only)*::
-Resume reencryption (any mode) operation already described in LUKS2
-metadata. If no reencrypt operation is initialized, the command with
---resume-only parameter fails. Useful for resuming reencrypt operation
-without accidentally triggering new reencryption operation.
+*--resume-only* (LUKS2 only)::
+Resume reencryption (any mode) operation that is already described in LUKS2 metadata.
+If no reencrypt operation is initialized, the command with --resume-only parameter fails.
+Useful for resuming the reencrypt operation without accidentally triggering a new reencryption operation.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
@@ -946,72 +934,56 @@ ifndef::ACTION_REENCRYPT[]
 endif::[]
 ifndef::ACTION_REENCRYPT[]
 ifdef::ACTION_OPEN[]
-Set encryption sector size for use with _plain_ device type. It must be power of two
-and in range 512 - 4096 bytes. The default mode is 512 bytes.
-+
-Note that if sector size is higher than underlying device hardware
-sector, using this option can increase risk on incomplete sector writes during a
-power fail.
+Set encryption sector size for use with _plain_ device type.
+It must be a power of two and in the 512 - 4096 bytes range.
+The default encryption sector size is 512 bytes.
 endif::[]
 ifdef::ACTION_LUKSFORMAT[]
-Set sector size for use with disk encryption. It must be power of two
-and in range 512 - 4096 bytes. This option is available only with LUKS2
-format.
-+
-For LUKS2 devices it's established based on parameters provided by
-underlying data device. For native 4K block devices it's 4096 bytes.
-For 4K/512e (4K physical sector size with 512 bytes emulation) it's
-4096 bytes. For drives reporting only 512 bytes block size it remains
-512 bytes. If data device is regular file put in filesystem it's 4096
-bytes.
+Set encryption sector size for use with _LUKS2_ device type.
+It must be a power of two and in the 512 - 4096 bytes range.
 +
-Note that if sector size is higher than underlying device hardware
-sector and there is not integrity protection that uses data journal,
-using this option can increase risk on incomplete sector writes during a
-power fail.
+The encryption sector size is set based on the underlying data device if not specified explicitly.
+For native 4096-byte physical sector devices, it is set to 4096 bytes.
+For 4096/512e (4096-byte physical sector size with 512-byte sector emulation), it is set to 4096 bytes.
+For drives reporting only a 512-byte physical sector size, it is set to 512 bytes.
+If the data device is a regular file (container), it is set to 4096 bytes.
 +
-If used together with _--integrity_ option and dm-integrity journal, the
-atomicity of writes is guaranteed in all cases (but it cost write
-performance - data has to be written twice).
+If used together with the --integrity option and dm-integrity journal, the atomicity of writes is guaranteed in all cases (but it costs write performance - data has to be written twice).
 endif::[]
 +
-Increasing sector size from 512 bytes to 4096 bytes can provide better
-performance on most of the modern storage devices and also with some hw
-encryption accelerators.
+Increasing sector size from 512 to 4096 bytes can provide better performance on most modern storage devices and with some hardware encryption accelerators.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-*--sector-size* _bytes_ *(LUKS2 only)*::
-Reencrypt device with new encryption sector size enforced.
+*--sector-size* _bytes_ (LUKS2 only)::
+Reencrypt the device with a new encryption sector size enforced.
 +
-*WARNING:* Increasing encryption sector size may break hosted filesystem. Do not
-run reencryption with --force-offline-reencrypt if unsure what block size
-was filesystem formatted with.
+*WARNING:* Increasing the encryption sector size may break the hosted filesystem.
+Do not run reencryption with --force-offline-reencrypt if unsure what block size the filesystem was formatted with.
 endif::[]
++
+Note that using a sector size larger than the underlying storage device's physical sector size may result in data corruption during unexpected power failures.
+A power failure during write operations may result in only partial completion of the encryption sector write, leaving encrypted data in an inconsistent state that cannot be properly decrypted.
 endif::[]
 
 ifdef::ACTION_OPEN[]
 *--serialize-memory-hard-pbkdf*::
-Use a global lock to serialize unlocking of keyslots using memory-hard
-PBKDF.
+Use a global lock to serialize unlocking of keyslots using memory-hard PBKDF.
 +
-*NOTE:* This is (ugly) workaround for a specific situation when multiple
-devices are activated in parallel and system instead of reporting out of
-memory starts unconditionally stop processes using out-of-memory killer.
+This is a workaround for a specific situation when multiple devices are activated in parallel, and the system, instead of reporting out of memory, starts unconditionally stop processes using the out-of-memory killer.
 +
-*DO NOT USE* this switch until you are implementing boot environment
-with parallel devices activation!
+*DO NOT USE* this switch until you are implementing the boot environment with parallel devices activation!
 endif::[]
 
 ifdef::ACTION_OPEN[]
 *--shared*::
 Creates an additional mapping for one common ciphertext device.
-Arbitrary mappings are supported. This option is only relevant for the
-_plain_ device type. Use --offset, --size and --skip to specify
-the mapped area.
+Arbitrary mappings are supported.
+This option is only relevant for the _plain_ device type.
+Use --offset, --size and --skip to specify the mapped area.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_RESIZE[]
-*--size, -b <number of 512 byte sectors>*::
+*--size*, *-b* _<number of 512 byte sectors>_::
 Set the size of the device in sectors of 512 bytes.
 ifdef::ACTION_OPEN[]
 Usable only with _plain_ device type.
@@ -1019,125 +991,157 @@ endif::[]
 endif::[]
 
 ifdef::ACTION_OPEN[]
-*--skip, -p <number of 512 byte sectors>*::
-Start offset used in IV calculation in 512-byte sectors (how many
-sectors of the encrypted data to skip at the beginning). This option
-is only relevant with plain or loopaes device types.
+*--skip*, *-p* _<number of 512 byte sectors>_::
+Start offset used in IV calculation in 512-byte sectors (how many sectors of the encrypted data to skip at the beginning).
+This option is only relevant with plain or loopaes device types.
 +
-Hence, if --offset _n_, and --skip _s_, sector _n_ (the first sector of
-the encrypted device) will get a sector number of _s_ for the IV
-calculation.
+Hence, if --offset _n_, and --skip _s_, sector _n_ (the first sector of the encrypted device) will get a sector number of _s_ for the IV calculation.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
 *--tcrypt-backup*::
 *--tcrypt-hidden*::
 *--tcrypt-system*::
-Specify which TrueCrypt on-disk
-header will be used to open the device. See _TCRYPT_ section in
-*cryptsetup*(8) for more info.
+Specify which TrueCrypt on-disk header will be used to open the device.
+See the _TCRYPT_ section in *cryptsetup*(8) for more info.
++
+Using a system-encrypted device with the --tcrypt-system option requires specific settings to work as expected.
++
+TrueCrypt/VeraCrypt supports full system encryption (only a partition table is not encrypted) or system partition encryption (only a system partition is encrypted).
+The metadata header then contains the offset and size of the encrypted area.
+Cryptsetup needs to know the specific partition offset to calculate encryption parameters.
+To properly map a partition, you must specify a real partition device so cryptsetup can calculate this offset.
++
+While you can use a full device as a parameter (/dev/sdb), always prefer to specify the partition you want to map (/dev/sdb1), as only the system partition mode can be detected this way.
++
+For mapping images (stored in a file), you can use the additional --header option with the real partition device.
+If the --header is used (and it is different from the data image), cryptsetup expects that the data image contains a snapshot of the data partition only.
++
+If --header is not used (or points to the same image), cryptsetup expects that the image contains a full disk (including the partition table).
+This can map a full encrypted area that is not directly mountable as a filesystem.
+Please prefer creating a loop device with partitions (*losetup -P*, see *losetup*(8) man page) and use a real partition (/dev/loopXp1) as the device parameter.
 endif::[]
 
 ifdef::ACTION_OPEN[]
 *--test-passphrase*::
-Do not activate the device, just verify passphrase. The device mapping name is
-not mandatory if this option is used.
+Do not activate the device, just verify the passphrase.
+The device mapping name is not mandatory if this option is used.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSKILLSLOT,ACTION_LUKSDUMP,ACTION_REENCRYPT,ACTION_REPAIR,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TCRYPTDUMP,ACTION_BITLKDUMP[]
-*--timeout, -t <number of seconds>*::
-The number of seconds to wait before timeout on passphrase input via
-terminal. It is relevant every time a passphrase is asked.
+*--timeout*, *-t* _seconds_::
+The number of seconds to wait before a timeout on passphrase input via terminal.
+It is relevant every time a passphrase is asked.
 It has no effect if used in conjunction with --key-file.
 +
-This option is useful when the system should not stall if the user
-does not input a passphrase, e.g. during boot. The default is a value
-of 0 seconds, which means to wait forever.
+This option is useful when the system should not stall if the user does not input a passphrase, e.g., during boot.
+The default is a value of 0 seconds, which means to wait forever.
 endif::[]
 
-ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY[]
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
 *--token-id*::
+ifdef::ACTION_REENCRYPT[]
+*LUKS2 reencryption initialization:*
+Specify what keyslots (associated with the selected token) to use for LUKS2 reencryption.
+If the reencryption operation changes the effective volume key, only keyslots associated with the token and unlocked successfully will be available after the reencryption operation is finished.
++
+*LUKS2 reencryption resume:*
+// paragraph continues below
+endif::[]
 ifndef::ACTION_TOKEN,ACTION_LUKSADDKEY[]
-Specify what token to use and allow token PIN prompt to take precedence over interactive
-keyslot passphrase prompt. If omitted, all available tokens (not protected by PIN)
-will be checked before proceeding further with passphrase prompt.
+Specify what token to use and allow the token PIN prompt to take precedence over the interactive keyslot passphrase prompt.
+If omitted, all available tokens (not protected by PIN) will be checked before proceeding further with the passphrase prompt.
 endif::[]
 ifdef::ACTION_LUKSADDKEY[]
-Specify what token to use when unlocking existing keyslot to get volume key.
+Specify what token to use when unlocking the existing keyslot to get the volume key.
 endif::[]
 ifdef::ACTION_TOKEN[]
-Specify token number. If omitted, first unused token id is used when adding or importing
-new token.
+Specify the token number.
+If omitted, the first unused token id is used when adding or importing a new token.
 endif::[]
 endif::[]
 
-ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
 *--token-only*::
+ifdef::ACTION_REENCRYPT[]
+*LUKS2 reencryption initialization:*
+Specify that all keyslots associated with any token will be used for LUKS2 reencryption.
+If the reencryption operation changes the effective volume key, only keyslots associated with any token will be available after the reencryption operation is finished.
++
+*LUKS2 reencryption resume:*
+// paragraph continues below
+endif::[]
 ifndef::ACTION_LUKSADDKEY[]
-Do not proceed further with action if token based keyslot unlock failed. Without the
-option, action asks for passphrase to proceed further.
+Do not proceed further with the action if the token-based keyslot unlock failed.
+Without the option, the action asks for a passphrase to proceed further.
 +
-It allows LUKS2 tokens protected by PIN to take precedence over interactive keyslot
-passphrase prompt.
+It allows LUKS2 tokens protected by PIN to take precedence over the interactive keyslot passphrase prompt.
 endif::[]
 ifdef::ACTION_LUKSADDKEY[]
-Use only LUKS2 tokens to unlock existing volume key.
+Use only LUKS2 tokens to unlock the existing volume key.
 +
-*NOTE*: To create a new keyslot using passphrase provided by a token use --new-token-id parameter.
+To create a new keyslot using the passphrase provided by a token, use --new-token-id parameter.
 endif::[]
 endif::[]
 
 ifdef::ACTION_TOKEN[]
 *--token-replace*::
-Replace an existing token when adding or importing a token with the
---token-id option.
+Replace an existing token when adding or importing a token with the --token-id option.
 endif::[]
 
-ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
 *--token-type* _type_::
+ifdef::ACTION_REENCRYPT[]
+*LUKS2 reencryption initialization:*
+Specify what keyslots (associated with the selected token type) to use for LUKS2 reencryption.
+If the reencryption operation changes the effective volume key, only keyslots associated with the token type and unlocked successfully will be available after the reencryption operation is finished.
++
+*LUKS2 reencryption resume:*
+// paragraph continues below
+endif::[]
 ifndef::ACTION_LUKSADDKEY[]
-Restrict tokens eligible for operation to specific token _type_.
+Restrict tokens eligible for operation to a specific token _type_.
 Mostly useful when no --token-id is specified.
 +
-It allows LUKS2 _type_ tokens protected by PIN to take precedence over interactive keyslot
-passphrase prompt.
+It allows LUKS2 _type_ tokens protected by PIN to take precedence over the interactive keyslot passphrase prompt.
 endif::[]
 ifdef::ACTION_LUKSADDKEY[]
-Specify what token type (all _type_ tokens) to use when unlocking existing keyslot to get volume key.
+Specify what token type (all _type_ tokens) to use when unlocking the existing keyslot to get the volume key.
 endif::[]
 endif::[]
 
-
 ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_REENCRYPT[]
-*--tries, -T*::
-How often the input of the passphrase shall be retried. The default is 3 tries.
+*--tries*, *-T*::
+How often the input of the passphrase shall be retried.
+The default is 3 tries.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSKILLSLOT,ACTION_ISLUKS,ACTION_LUKSDUMP,ACTION_LUKSUUID,ACTION_CONVERT,ACTION_REPAIR,ACTION_REENCRYPT[]
-*--type <device-type>*::
+*--type* _type_::
 ifndef::ACTION_REENCRYPT[]
-Specifies required device type, for more info read _BASIC ACTIONS_ section in *cryptsetup*(8).
+Specifies required device type, for more info, read the _BASIC ACTIONS_ section in *cryptsetup*(8).
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-Specifies required (encryption mode) or expected (other modes) LUKS format. Accepts only _luks1_ or _luks2_.
+Specifies required (encryption mode) or expected (other modes) LUKS format.
+Accepts only _luks1_ or _luks2_.
 endif::[]
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_TOKEN[]
 *--unbound*::
 ifdef::ACTION_LUKSADDKEY[]
-Creates new LUKS2 unbound keyslot.
+Creates a new LUKS2 unbound keyslot.
 endif::[]
 ifdef::ACTION_LUKSDUMP[]
-Dumps existing LUKS2 unbound keyslot.
+Dumps the existing LUKS2 unbound keyslot.
 endif::[]
 ifdef::ACTION_OPEN[]
-Allowed only together with --test-passphrase parameter, it allows one to test
-passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase
-can be tested only when specific keyslot is selected via --key-slot parameter.
+Allowed only together with --test-passphrase parameter, it allows one to test the passphrase for an unbound LUKS2 keyslot.
+Otherwise, an unbound keyslot passphrase can be tested only when a specific keyslot is selected via --key-slot parameter.
 endif::[]
 ifdef::ACTION_TOKEN[]
-Creates new LUKS2 keyring token assigned to no keyslot. Usable only with _add_ action.
+Creates a new LUKS2 keyring token assigned to no keyslot.
+Usable only with the _add_ action.
 endif::[]
 endif::[]
 
@@ -1147,18 +1151,16 @@ Show short option help.
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--use-directio (LUKS1 only)*::
-Use direct-io (O_DIRECT) for all read/write data operations related
-to block device undergoing reencryption.
+*--use-directio* (LUKS1 only)::
+Use direct-io (O_DIRECT) for all read/write data operations related to the block device undergoing reencryption.
 +
-Useful if direct-io operations perform better than normal buffered
-operations (e.g. in virtual environments).
+Useful if direct-io operations perform better than normal buffered operations (e.g., in virtual environments).
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--use-fsync (LUKS1 only)*::
-Use fsync call after every written block. This applies for reencryption
-log files as well.
+*--use-fsync* (LUKS1 only)::
+Use the fsync call after every written block.
+This applies to reencryption log files as well.
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
@@ -1168,64 +1170,50 @@ ifdef::ACTION_REENCRYPT[]
 Define which kernel random number generator will be used to create the volume key.
 endif::[]
 ifndef::ACTION_REENCRYPT[]
-For _luksFormat_ these options define which kernel random number
-generator will be used to create the volume key (which is a long-term
-key).
+For _luksFormat_, these options define which kernel random number generator will be used to create the volume key (which is a long-term key).
 +
-See *NOTES ON RANDOM NUMBER GENERATORS* in *cryptsetup*(8) for more
-information. Use _cryptsetup --help_ to show the compiled-in default random
-number generator.
-+
-*WARNING:* In a low-entropy situation (e.g. in an embedded system) and older
-kernels, both selections are problematic. Using /dev/urandom can lead to weak keys.
-Using /dev/random can block a long time, potentially forever, if not
-enough entropy can be harvested by the kernel.
+Do not use these options with recent kernels (later than version 5.6).
+For more details, see *NOTES ON RANDOM NUMBER GENERATORS* in *cryptsetup*(8) and *urandom*(4).
 endif::[]
 endif::[]
 
 ifdef::ACTION_LUKSFORMAT,ACTION_LUKSUUID,ACTION_REENCRYPT[]
-*--uuid <UUID>*::
+*--uuid* _UUID_::
 ifndef::ACTION_REENCRYPT[]
-Use the provided _UUID_ for the _luksFormat_ command instead of
-generating a new one. Changes the existing _UUID_ when used with the
-_luksUUID_ command.
+Use the provided _UUID_ for the _luksFormat_ command instead of generating a new one.
+Changes the existing _UUID_ when used with the _luksUUID_ command.
 +
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-When used in encryption mode use the provided _UUID_ for the new LUKS header
-instead of generating a new one.
+When used in encryption mode, use the provided _UUID_ for the new LUKS header instead of generating a new one.
 +
 *LUKS1 (only in decryption mode)*:
-To find out what _UUID_ to pass look for temporary files LUKS-_UUID_.[|log|org|new]
-of the interrupted decryption process.
+To find out what _UUID_ to pass, look for temporary files LUKS-_UUID_.[|log|org|new] of the interrupted decryption process.
 +
 endif::[]
-The _UUID_ must be provided in the standard UUID format, e.g.
-12345678-1234-1234-1234-123456789abc.
+The _UUID_ must be provided in the standard UUID format, e.g., 12345678-1234-1234-1234-123456789abc.
 endif::[]
 
 ifdef::ACTION_TCRYPTDUMP,ACTION_OPEN[]
 *--veracrypt*::
-This option is ignored as VeraCrypt compatible mode is supported by
-default.
+This option is ignored as VeraCrypt compatible mode is supported by default.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]
 *--veracrypt-pim*::
 *--veracrypt-query-pim*::
-Use a custom Personal Iteration Multiplier (PIM) for
-VeraCrypt device. See _TCRYPT_ section in *cryptsetup*(8) for more info.
+Use a custom Personal Iteration Multiplier (PIM) for the VeraCrypt device.
+See the _TCRYPT_ section in *cryptsetup*(8) for more info.
 endif::[]
 
 ifdef::ACTION_ISLUKS[]
-*--verbose, -v*::
+*--verbose*, *-v*::
 Print more information on command execution.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSFORMAT,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_LUKSREMOVEKEY,ACTION_LUKSCHANGEKEY,ACTION_LUKSCONVERTKEY,ACTION_LUKSKILLSLOT,ACTION_REPAIR,ACTION_TCRYPTDUMP,ACTION_REENCRYPT[]
-*--verify-passphrase, -y*::
-When interactively asking for a passphrase, ask for it twice and
-complain if both inputs do not match.
+*--verify-passphrase*, *-y*::
+When interactively asking for a passphrase, ask for it twice and complain if both inputs do not match.
 ifdef::ACTION_OPEN[]
 Advised when creating a _plain_ type mapping for the first time.
 endif::[]
@@ -1233,58 +1221,71 @@ Ignored on input from file or stdin.
 endif::[]
 
 ifdef::COMMON_OPTIONS[]
-*--version, -V*::
+*--version*, *-V*::
 Show the program version.
 endif::[]
 
 ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_BITLKDUMP,ACTION_REENCRYPT[]
-*--volume-key-file, --master-key-file (OBSOLETE alias)*::
+*--volume-key-file* _file_::
+--master-key-file file (OBSOLETE alias)::
 ifndef::ACTION_REENCRYPT[]
 Use a volume key stored in a file.
++
 endif::[]
 ifdef::ACTION_FORMAT[]
+This allows creating a LUKS header with this specific volume key.
+If the volume key was taken from an existing LUKS header and all other parameters are the same, then the new header decrypts the data encrypted with the header from which the volume key was taken.
 +
-This allows creating a LUKS header with this specific
-volume key. If the volume key was taken from an existing LUKS header and
-all other parameters are the same, then the new header decrypts the data
-encrypted with the header the volume key was taken from. +
 endif::[]
 ifdef::ACTION_LUKSDUMP,ACTION_BITLKDUMP[]
-The volume key is stored in a file instead of being printed out to standard output. +
+The volume key is stored in a file instead of being printed out to standard output.
++
 endif::[]
 ifdef::ACTION_LUKSADDKEY[]
-This allows adding a new keyslot without having to know passphrase to existing one.
-It may be also used when no keyslot is active.
+This allows adding a new keyslot without having to know the passphrase to the existing one.
+It may also be used when no keyslot is active.
 +
 endif::[]
 ifdef::ACTION_OPEN[]
-This allows one to open _luks_ and _bitlk_ device types without giving a passphrase. +
+This allows one to open _luks_ and _bitlk_ device types without giving a passphrase.
++
+For devices in reencryption, the option may be used twice to specify both old and new volume keys.
+When using the option twice, make sure you pair each --volume-key-file option with the respective --key-size parameter as well.
 endif::[]
 ifdef::ACTION_REENCRYPT[]
-Use (set) new volume key stored in a file. +
+*LUKS2*:
+Provides the current volume key stored in a file.
+It can be used to reencrypt the device with no active keyslot together with --new-volume-key-file or --new-volume-key-keyring options.
++
+*LUKS1*:
+See --new-volume-key-file.
++
 endif::[]
-ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY,ACTION_REENCRYPT[]
-*WARNING:* If you create your own volume key, you need to make sure to
-do it right. Otherwise, you can end up with a low-entropy or otherwise
-partially predictable volume key which will compromise security.
+ifdef::ACTION_LUKSFORMAT,ACTION_LUKSADDKEY[]
+*WARNING:* If you create your own volume key, you need to make sure to do it right.
+Otherwise, you can end up with a low-entropy or otherwise partially predictable volume key, which will compromise security.
 endif::[]
 endif::[]
 
-ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
+ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY[]
 *--volume-key-keyring* _<key description>_::
 Use a volume key stored in a keyring.
-This allows one to open _luks_ and device types without giving a passphrase.
-The key and associated type has to be readable from userspace so that volume
-key digest may be verified in before activation.
+This allows one to open _luks_ and _plain_ device types without giving a passphrase.
++
+For LUKS, the key and associated type have to be readable from userspace so that the volume key digest may be verified before activation.
+For devices in reencryption, the option may be used twice to specify both old and new volume keys.
++
+For PLAIN type, the user must ensure that the key in the keyring is unchanged since activation.
+Otherwise, reloading the key can cause data corruption after an unexpected key change.
 +
-The _<key description>_ uses keyctl-compatible syntax. This can either be a
-numeric key ID or a string name in the format _%<key type>:<key name>_. See
-also *KEY IDENTIFIERS* section of *keyctl*(1). When no _%<key type>:_ prefix
-is specified we assume the key type is _user_ (default type).
+The _<key description>_ uses keyctl-compatible syntax.
+This can either be a numeric key ID or a string name in the format _%<key type>:<key name>_.
+See also the *KEY IDENTIFIERS* section of *keyctl*(1).
+When no _%<key type>:_ prefix is specified, we assume the key type is _user_ (default type).
 endif::[]
 
 ifdef::ACTION_REENCRYPT[]
-*--write-log (LUKS1 only)*::
-Update log file after every block write. This can slow down reencryption
-but will minimize data loss in the case of system crash.
+*--write-log* (LUKS1 only)::
+Update the log file after every block is written.
+This can slow down reencryption, but it will minimize data loss in the case of a system crash.
 endif::[]
diff --git a/man/cryptsetup-benchmark.8.adoc b/man/cryptsetup-benchmark.8.adoc
index caaacba..c93b620 100644
--- a/man/cryptsetup-benchmark.8.adoc
+++ b/man/cryptsetup-benchmark.8.adoc
@@ -16,26 +16,20 @@ cryptsetup-benchmark - benchmarks ciphers and KDF
 
 == DESCRIPTION
 
-Benchmarks ciphers and KDF (key derivation function). Without
-parameters, it tries to measure few common configurations.
+Benchmarks, ciphers and KDF (key derivation function).
+Without parameters, it tries to measure a few common configurations.
 
-To benchmark other ciphers or modes, you need to specify *--cipher* and
-*--key-size* options.
+To benchmark other ciphers or modes, specify --cipher and --key-size options.
 
-To benchmark PBKDF you need to specify *--pbkdf* or *--hash* with optional
-cost parameters *--iter-time*, *--pbkdf-memory* or *--pbkdf-parallel*.
+To benchmark PBKDF you need to specify --pbkdf or --hash with optional cost parameters --iter-time, --pbkdf-memory or --pbkdf-parallel.
 
-*NOTE:* This benchmark uses memory only and is only informative. You
-cannot directly predict real storage encryption speed from it.
+This benchmark uses memory only and is only informative.
+You cannot directly predict real storage encryption speed from it.
 
-For testing block ciphers, this benchmark requires kernel userspace
-crypto API to be available (introduced in Linux kernel 2.6.38). If you
-are configuring kernel yourself, enable "User-space interface for
-symmetric key cipher algorithms" in "Cryptographic API" section
-(CRYPTO_USER_API_SKCIPHER .config option).
+For testing block ciphers, this benchmark requires the kernel userspace crypto API to be available.
+If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
 
-*<options>* can be [--cipher, --key-size, --hash, --pbkdf, --iter-time,
---pbkdf-memory, --pbkdf-parallel].
+*<options>* can be [--cipher, --key-size, --hash, --pbkdf, --iter-time, --pbkdf-memory, --pbkdf-parallel].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-bitlkDump.8.adoc b/man/cryptsetup-bitlkDump.8.adoc
index 6dc273f..d54abf0 100644
--- a/man/cryptsetup-bitlkDump.8.adoc
+++ b/man/cryptsetup-bitlkDump.8.adoc
@@ -18,17 +18,14 @@ cryptsetup-bitlkDump - dump the header information of a BITLK (BitLocker compati
 
 Dump the header information of a BITLK (BitLocker compatible) device.
 
-If the --dump-volume-key option is used, the BITLK device volume key
-is dumped instead of header information. You have to provide password
-or keyfile to dump volume key.
+If the --dump-volume-key option is used, the BITLK device volume key is dumped instead of header information.
+You have to provide a password or keyfile to dump the volume key.
 
-Beware that the volume key can be used to decrypt the data stored in
-the container without a passphrase.
-This means that if the volume key is compromised, the whole device has
-to be erased to prevent further access. Use this option carefully.
+Beware that the volume key can be used to decrypt the data stored in the container without a passphrase.
+This means that if the volume key is compromised, the whole device has to be erased to prevent further access.
+Use this option carefully.
 
-*<options>* can be [--dump-volume-key, --volume-key-file, --key-file,
---keyfile-offset, --keyfile-size, --timeout].
+*<options>* can be [--dump-volume-key, --volume-key-file, --key-file, --keyfile-offset, --keyfile-size, --timeout].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-close.8.adoc b/man/cryptsetup-close.8.adoc
index 28813d3..443c3d7 100644
--- a/man/cryptsetup-close.8.adoc
+++ b/man/cryptsetup-close.8.adoc
@@ -16,13 +16,9 @@ cryptsetup-close - removes the existing mapping <name> (and the associated key)
 
 == DESCRIPTION
 
-Removes the existing mapping <name> and wipes the key from kernel
-memory.
+Removes the existing mapping <name> and wipes the key from kernel memory.
 
-For backward compatibility, there are *close* command aliases: *remove*,
-*plainClose*, *luksClose*, *loopaesClose*, *tcryptClose*, *bitlkClose*
-(all behave exactly the same, device type is determined automatically
-from the active device).
+For backward compatibility, there are *close* command aliases: *remove*, *plainClose*, *luksClose*, *loopaesClose*, *tcryptClose*, *bitlkClose* (all behave the same, device type is determined automatically from the active device).
 
 *<options>* can be [--deferred, --cancel-deferred, --header, --disable-locks].
 
diff --git a/man/cryptsetup-config.8.adoc b/man/cryptsetup-config.8.adoc
index c664242..2137249 100644
--- a/man/cryptsetup-config.8.adoc
+++ b/man/cryptsetup-config.8.adoc
@@ -16,15 +16,12 @@ cryptsetup-config - set permanent configuration options (store to LUKS header)
 
 == DESCRIPTION
 
-Set permanent configuration options (store to LUKS header). The _config_
-command is supported only for LUKS2.
+Set permanent configuration options (store to LUKS header).
+The _config_ command is supported only for LUKS2.
 
-The permanent options can be _--priority_ to set priority (normal,
-prefer, ignore) for keyslot (specified by _--key-slot_) or _--label_ and
-_--subsystem_.
+The permanent options can be --priority to set priority (normal, prefer, ignore) for keyslot (specified by --key-slot) or --label and --subsystem.
 
-*<options>* can be [--priority, --label, --subsystem, --key-slot,
---header, --disable-locks].
+*<options>* can be [--priority, --label, --subsystem, --key-slot, --header, --disable-locks].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-convert.8.adoc b/man/cryptsetup-convert.8.adoc
index dbb4c23..bd32042 100644
--- a/man/cryptsetup-convert.8.adoc
+++ b/man/cryptsetup-convert.8.adoc
@@ -16,20 +16,21 @@ cryptsetup-convert - converts the device between LUKS1 and LUKS2 format
 
 == DESCRIPTION
 
-Converts the device between LUKS1 and LUKS2 format (if possible). The
-conversion will not be performed if there is an additional LUKS2 feature
-or LUKS1 has unsupported header size.
+Converts the device between LUKS1 and LUKS2 format (if possible).
+The conversion will not be performed if there is an additional LUKS2 feature or LUKS1 has an unsupported header size.
 
-Conversion (both directions) must be performed on inactive device. There
-must not be active dm-crypt mapping established for LUKS header
-requested for conversion.
+For conversion from LUKS2 to LUKS1, all active keyslots must use the PBKDF2 key-derivation function.
+The PBKDF2 and anti-forensic filter (AF) hash must be the same as the hash used in the digest.
+All keyslot numbers must be lower than 8 (LUKS1 maximum slot number).
+There must be at least one active keyslot and no unbound or reencryption keyslots.
 
-The *--type* option is mandatory with the following accepted values: _luks1_ or
-_luks2_.
+Conversion (both directions) must be performed on an inactive device.
+There must not be an active dm-crypt mapping established for the LUKS header requested for conversion.
 
-*WARNING:* The _convert_ action can destroy the LUKS header in the case
-of a crash during conversion or if a media error occurs. Always create a
-header backup before performing this operation!
+The *--type* option is mandatory with the following accepted values: _luks1_ or _luks2_.
+
+*WARNING:* The _convert_ action can destroy the LUKS header in the case of a crash during conversion or if a media error occurs.
+Always create a header backup before performing this operation!
 
 *<options>* can be [--header, --type, --disable-locks].
 
diff --git a/man/cryptsetup-erase.8.adoc b/man/cryptsetup-erase.8.adoc
index 6ad7eca..c03e0e4 100644
--- a/man/cryptsetup-erase.8.adoc
+++ b/man/cryptsetup-erase.8.adoc
@@ -17,16 +17,18 @@ cryptsetup-erase, cryptsetup-luksErase - erase all keyslots
 
 == DESCRIPTION
 
-Erase all keyslots and make the LUKS container permanently inaccessible.
-Unless the device is configured with HW OPAL support you do not need to
-provide any password for this operation.
+Erase all keyslots, removing the volume key.
+Unless the device is configured with OPAL self-encrypting drive support, you do not need to provide any password for this operation.
 
-*WARNING:* This operation is irreversible.
+This operation is irreversible.
+Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable.
+Header backup cannot be used to recover data from OPAL self-encrypting drives, as the keys are permanently removed from hardware.
 
-*WARNING:* with *--hw-opal-factory-reset* ALL data is lost on the device,
-regardless of the partition it is ran on, if any, and regardless of any LUKS2
-header backup, and does not require a valid LUKS2 header to be present on the
-device to run.
+The *erase* does not wipe or overwrite the data area.
+It only removes all active keyslots from the LUKS device.
+See the cryptsetup FAQ for more information on how to wipe the whole device, including encrypted data.
+
+Note that the --hw-opal-factory-reset option for OPAL self-encrypting drive will erase ALL data on the drive, regardless of the partition it is run on.
 
 *<options>* can be [--header, --disable-locks, --hw-opal-factory-reset, --key-file].
 
diff --git a/man/cryptsetup-fvault2Dump.8.adoc b/man/cryptsetup-fvault2Dump.8.adoc
index 0831899..b2b911f 100644
--- a/man/cryptsetup-fvault2Dump.8.adoc
+++ b/man/cryptsetup-fvault2Dump.8.adoc
@@ -18,17 +18,14 @@ cryptsetup-fvault2Dump - dump the header information of a FVAULT2 (FileVault2 co
 
 Dump the header information of a FVAULT2 (FileVault2 compatible) device.
 
-If the --dump-volume-key option is used, the FVAULT2 device volume key
-is dumped instead of header information. You have to provide password
-or keyfile to dump volume key.
+If the --dump-volume-key option is used, the FVAULT2 device volume key is dumped instead of header information.
+You have to provide a password or keyfile to dump the volume key.
 
-Beware that the volume key can be used to decrypt the data stored in
-the container without a passphrase.
-This means that if the volume key is compromised, the whole device has
-to be erased to prevent further access. Use this option carefully.
+Beware that the volume key can be used to decrypt the data stored in the container without a passphrase.
+This means that if the volume key is compromised, the whole device has to be erased to prevent further access.
+Use this option carefully.
 
-*<options>* can be [--dump-volume-key, --volume-key-file, --key-file,
---keyfile-offset, --keyfile-size, --timeout].
+*<options>* can be [--dump-volume-key, --volume-key-file, --key-file, --keyfile-offset, --keyfile-size, --timeout].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-isLuks.8.adoc b/man/cryptsetup-isLuks.8.adoc
index aac559c..22bd5d6 100644
--- a/man/cryptsetup-isLuks.8.adoc
+++ b/man/cryptsetup-isLuks.8.adoc
@@ -16,12 +16,12 @@ cryptsetup-isLuks - check if a device is a LUKS device
 
 == DESCRIPTION
 
-Returns true, if <device> is a LUKS device, false otherwise.
+Returns true if <device> is a LUKS device, false otherwise.
 
 Use option -v to get human-readable feedback.
 'Command successful.' means the device is a LUKS device.
 
-By specifying --type you may query for specific LUKS version.
+By specifying --type, you may query for a specific LUKS version.
 
 *<options>* can be [--header, --type, --disable-locks].
 
diff --git a/man/cryptsetup-luksAddKey.8.adoc b/man/cryptsetup-luksAddKey.8.adoc
index 306ef64..b0bc1d0 100644
--- a/man/cryptsetup-luksAddKey.8.adoc
+++ b/man/cryptsetup-luksAddKey.8.adoc
@@ -16,41 +16,32 @@ cryptsetup-luksAddKey - add a new passphrase
 
 == DESCRIPTION
 
-Adds a keyslot protected by a new passphrase. An existing passphrase
-must be supplied interactively, via --key-file or LUKS2 token (plugin).
-Alternatively to existing passphrase user may pass directly volume key
-(via --volume-key-file or --volume-key-keyring). The new passphrase to be added
-can be specified interactively, read from the file given as the positional
-argument (also via --new-keyfile parameter) or via LUKS2 token.
-
-*NOTE:* with --unbound option the action creates new unbound LUKS2
-keyslot. The keyslot cannot be used for device activation. If you don't
-pass new key via --volume-key-file option, new random key is generated.
-Existing passphrase for any active keyslot is not required.
-
-*NOTE:* some parameters are effective only if used with LUKS2 format
-that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
-algorithm is always the same for all keyslots.
-
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
---new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot,
---new-key-slot, --volume-key-file, --volume-key-keyring, --force-password,
---hash, --header, --disable-locks, --iter-time, --pbkdf,
---pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type,
---keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id,
---token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
+Adds a keyslot protected by a new passphrase.
+An existing passphrase must be supplied interactively, via --key-file or LUKS2 token (plugin).
+Alternatively to the existing passphrase, the user may pass directly the volume key (via --volume-key-file or --volume-key-keyring).
+The new passphrase to be added can be specified interactively, read from the file given as the positional argument (also via --new-keyfile parameter) or via LUKS2 token.
+
+The --unbound option creates a new unbound LUKS2 keyslot.
+An unbound keyslot stores an independent key that cannot be used for device activation.
+A new random key is generated if you don't pass a new key via the --volume-key-file option.
+The existing passphrase for any active keyslot is not required.
+
+Some parameters are effective only if used with the LUKS2 format that supports per-keyslot parameters.
+For LUKS1, the PBKDF type and hash algorithm are always the same for all keyslots.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile, --new-keyfile-offset, --new-keyfile-size, --key-slot, --new-key-slot, --volume-key-file, --volume-key-keyring, --force-password, --hash, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id, --token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
 
 include::man/common_options.adoc[]
 
 == EXAMPLES
 
-*NOTE*: When not specified otherwise interactive passphrase prompt is always default method.
+The interactive passphrase prompt is always the default method when not specified otherwise.
 
-Add new keyslot using interactive passphrase prompt for both existing and new passphrase:
+Add new keyslot using interactive passphrase prompt for both existing and new passphrases:
 
 *cryptsetup luksAddKey /dev/device*
 
-Add new keyslot using LUKS2 tokens to unlock existing keyslot with interactive passphrase prompt for new passphrase:
+Add a new keyslot using LUKS2 tokens to unlock the existing keyslot with an interactive passphrase prompt for the new passphrase:
 
 *cryptsetup luksAddKey --token-only /dev/device*
 
@@ -63,8 +54,7 @@ Add new keyslot using interactive passphrase prompt for existing keyslot, readin
 *cryptsetup luksAddKey --new-keyfile key_file /dev/device* or
 *cryptsetup luksAddKey /dev/device key_file*
 
-Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist
-and respective token plugin must be available):
+Add new keyslot using volume stored in volume_key_file and LUKS2 token in slot 5 to get new keyslot passphrase (token in slot 5 must exist and respective token plugin must be available):
 
 *cryptsetup luksAddKey --volume-key-file volume_key_file --new-token-id 5 /dev/device*
 
diff --git a/man/cryptsetup-luksChangeKey.8.adoc b/man/cryptsetup-luksChangeKey.8.adoc
index 23376c0..ac52dea 100644
--- a/man/cryptsetup-luksChangeKey.8.adoc
+++ b/man/cryptsetup-luksChangeKey.8.adoc
@@ -16,33 +16,23 @@ cryptsetup-luksChangeKey - change an existing passphrase
 
 == DESCRIPTION
 
-Changes an existing passphrase. The passphrase to be changed must be
-supplied interactively or via --key-file. The new passphrase can be
-supplied interactively or in a file given as the positional argument.
-
-If a key-slot is specified (via --key-slot), the passphrase for that
-key-slot must be given and the new passphrase will overwrite the
-specified key-slot. If no key-slot is specified and there is still a
-free key-slot, then the new passphrase will be put into a free key-slot
-before the key-slot containing the old passphrase is purged. If there is
-no free key-slot, then the key-slot with the old passphrase is
-overwritten directly.
-
-*WARNING:* If a key-slot is overwritten, a media failure during this
-operation can cause the overwrite to fail after the old passphrase has
-been wiped and make the LUKS container inaccessible. LUKS2 mitigates
-that by never overwriting existing keyslot area as long as there's
-a free space in keyslots area at least for one more LUKS2 keyslot.
-
-*NOTE:* some parameters are effective only if used with LUKS2 format
-that supports per-keyslot parameters. For LUKS1, PBKDF type and hash
-algorithm is always the same for all keyslots.
-
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
---new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations,
---pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot,
---force-password, --hash, --header, --disable-locks, --type,
---keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
+Changes an existing passphrase.
+The passphrase to be changed must be supplied interactively or via --key-file.
+The new passphrase can be supplied interactively or in a file given as the positional argument.
+
+If a keyslot is specified (via --key-slot), the passphrase for that keyslot must be given, and the new passphrase will overwrite the specified keyslot.
+If no keyslot is specified and there is still a free keyslot, then the new passphrase will be put into a free keyslot before the keyslot containing the old passphrase is purged.
+If there is no free keyslot, then the keyslot with the old passphrase is overwritten directly.
+
+*WARNING:* If a keyslot is overwritten, a media failure during this operation can cause the overwrite to fail after the old passphrase has been wiped, making the LUKS container inaccessible.
+LUKS2 mitigates that by never overwriting the existing keyslot area as long as there's a free space in the keyslots area at least for one more LUKS2 keyslot.
+
+If you need to use both luksChangeKey and reencrypt (e.g., to recover from a key leak), you need to use them in that order to avoid leaking the new volume key.
+
+Some parameters are effective only if used with the LUKS2 format that supports per-keyslot parameters.
+For LUKS1, the PBKDF type and hash algorithm are always the same for all keyslots.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile-offset, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --new-keyfile-size, --key-slot, --force-password, --hash, --header, --disable-locks, --type, --keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksConvertKey.8.adoc b/man/cryptsetup-luksConvertKey.8.adoc
index c626542..705c73a 100644
--- a/man/cryptsetup-luksConvertKey.8.adoc
+++ b/man/cryptsetup-luksConvertKey.8.adoc
@@ -16,26 +16,17 @@ cryptsetup-luksConvertKey - converts an existing LUKS2 keyslot to new PBKDF para
 
 == DESCRIPTION
 
-Converts an existing LUKS2 keyslot to new PBKDF parameters. The
-passphrase for keyslot to be converted must be supplied interactively or
-via --key-file. If no --pbkdf parameters are specified LUKS2 default
-PBKDF values will apply.
-
-If a keyslot is specified (via --key-slot), the passphrase for that
-keyslot must be given. If no keyslot is specified and there is still a
-free keyslot, then the new parameters will be put into a free keyslot
-before the keyslot containing the old parameters is purged. If there is
-no free keyslot, then the keyslot with the old parameters is overwritten
-directly.
-
-*WARNING:* If a keyslot is overwritten, a media failure during this
-operation can cause the overwrite to fail after the old parameters have
-been wiped and make the LUKS container inaccessible.
-
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
---key-slot, --hash, --header, --disable-locks, --iter-time, --pbkdf,
---pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel,
---keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
+Converts an existing LUKS2 keyslot to new PBKDF parameters.
+The passphrase for the keyslot to be converted must be supplied interactively or via --key-file.
+If no --pbkdf parameters are specified LUKS2 default PBKDF values will apply.
+
+If a keyslot is specified (via --key-slot), the passphrase for that keyslot must be given.
+If no keyslot is specified and there is still a free keyslot, the new parameters will be put into a free keyslot before the keyslot containing the old parameters is purged.
+If there is no free keyslot, the keyslot with the old parameters is directly overwritten.
+
+*WARNING:* If a keyslot is overwritten, a media failure during this operation can cause the overwrite to fail after the old parameters have been wiped, making the LUKS container inaccessible.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-slot, --hash, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --keyslot-cipher, --keyslot-key-size, --timeout, --verify-passphrase].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksDump.8.adoc b/man/cryptsetup-luksDump.8.adoc
index b1b3907..1e149c2 100644
--- a/man/cryptsetup-luksDump.8.adoc
+++ b/man/cryptsetup-luksDump.8.adoc
@@ -18,33 +18,22 @@ cryptsetup-luksDump - dump the header information of a LUKS device
 
 Dump the header information of a LUKS device.
 
-If the --dump-volume-key option is used, the LUKS device volume key is
-dumped instead of the keyslot info. Together with the --volume-key-file
-option, volume key is dumped to a file instead of standard output.
-Beware that the volume key cannot be changed without reencryption and
-can be used to decrypt the data stored in the LUKS container without a
-passphrase and even without the LUKS header. This means that if the
-volume key is compromised, the whole device has to be erased or
-reencrypted to prevent further access. Use this option carefully.
-
-To dump the volume key, a passphrase has to be supplied, either
-interactively or via --key-file.
-
-To dump unbound key (LUKS2 format only), --unbound parameter, specific
---key-slot id and proper passphrase has to be supplied, either
-interactively or via --key-file. Optional --volume-key-file parameter
-enables unbound keyslot dump to a file.
-
-To dump LUKS2 JSON metadata (without basic header information like UUID)
-use --dump-json-metadata option.
-
-*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
---keyfile-offset, --keyfile-size, --header, --disable-locks,
---volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
-
-*WARNING:* If --dump-volume-key is used with --key-file and the argument
-to --key-file is '-', no validation question will be asked and no
-warning given.
+If the --dump-volume-key option is used, the LUKS device volume key is dumped instead of the keyslot info.
+With the --volume-key-file option, the volume key is dumped to a file instead of standard output.
+Beware that the volume key cannot be changed without reencryption and can be used to decrypt the data stored in the LUKS container without a passphrase and even without the LUKS header.
+This means that if the volume key is compromised, the whole device has to be erased or reencrypted to prevent further access.
+Use this option carefully.
+
+A passphrase must be supplied to dump the volume key, either interactively or via --key-file.
+
+To dump an unbound key (LUKS2 format only), --unbound parameter, specific --key-slot id and proper passphrase must be supplied, interactively or via --key-file.
+Optional --volume-key-file parameter enables unbound keyslot dump to a file.
+
+To dump LUKS2 JSON metadata (without basic header information like UUID), use the --dump-json-metadata option.
+
+If --dump-volume-key is used with --key-file and the argument to --key-file is '-', no validation question will be asked and no warning given.
+
+*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksFormat.8.adoc b/man/cryptsetup-luksFormat.8.adoc
index e0e9e2a..755daef 100644
--- a/man/cryptsetup-luksFormat.8.adoc
+++ b/man/cryptsetup-luksFormat.8.adoc
@@ -16,42 +16,29 @@ cryptsetup-luksFormat - initialize a LUKS partition and set the initial passphra
 
 == DESCRIPTION
 
-Initializes a LUKS partition and sets the initial passphrase (for
-key-slot 0), either via prompting or via <key file>. Note that if the
-second argument is present, then the passphrase is taken from the file
-given there, without the need to use the --key-file option. Also note
-that for both forms of reading the passphrase from a file you can give
-'-' as file name, which results in the passphrase being read from stdin
-and the safety-question being skipped.
-
-You cannot call luksFormat on a device or filesystem that is mapped or
-in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The
-device or filesystem has to be un-mounted in order to call luksFormat.
-
-To use specific version of LUKS format, use _--type luks1_ or _type luks2_.
-
-To use OPAL hardware encryption on a self-encrypting drive, use
-_--hw-opal_ or _--hw-opal-only_. Note that some OPAL drives can require
-a PSID reset (with possible deletion of data) before using the LUKS format
-with OPAL options.
-See  _--hw-opal-factory-reset_ option in cryptsetup _erase_ command.
-
-*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size,
---key-slot, --key-file (takes precedence over optional second argument),
---keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid,
---volume-key-file, --iter-time, --header, --pbkdf-force-iterations,
---force-password, --disable-locks, --timeout, --type, --offset,
---align-payload (deprecated)].
-
-For LUKS2, additional *<options>* can be [--integrity,
---integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf,
---pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring,
---luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher,
---keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].
-
-*WARNING:* Doing a luksFormat on an existing LUKS container will make
-all data in the old container permanently irretrievable unless you have a
-header backup.
+Initializes a LUKS partition and sets the passphrase via prompting or <key file>.
+Note that if the second argument is present, the passphrase is taken from the file given there, without using the --key-file option.
+Also note that for both forms of reading the passphrase from a file, you can give '-' as a file name, which results in the passphrase being read from stdin and the safety question being skipped.
+
+You cannot call luksFormat on a device or filesystem that is mapped or in use, e.g., a mounted filesystem, used in LVM, active RAID member, etc.
+The device or filesystem has to be unmounted in order to call luksFormat.
+
+To enforce a specific version of LUKS format, use _--type luks1_ or _type luks2_.
+The default format is LUKS2.
+
+To use hardware encryption on an OPAL self-encrypting drive, use --hw-opal or --hw-opal-only.
+Note that some OPAL drives can require a PSID reset (with deletion of data) before using the LUKS format with OPAL options.
+See --hw-opal-factory-reset option in cryptsetup _erase_ command.
+
+Doing a luksFormat on an existing LUKS container will regenerate the volume key.
+Unless you have a header backup, all old encrypted data in the container will be permanently irretrievable.
+Note that luksFormat does not wipe or overwrite the data area.
+It only creates a new LUKS header with fresh keyslots.
+See cryptsetup FAQ for more info on how to wipe the whole device, including encrypted data.
+
+*<options>* can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), --keyfile-offset, --keyfile-size, --use-random, --use-urandom, --uuid, --volume-key-file, --iter-time, --header, --pbkdf-force-iterations, --force-password, --disable-locks, --timeout, --type, --offset, --align-payload (DEPRECATED)].
+
+For LUKS2, additional *<options>* can be [--integrity, --integrity-no-wipe, --sector-size, --label, --subsystem, --pbkdf, --pbkdf-memory, --pbkdf-parallel, --disable-locks, --disable-keyring, --luks2-metadata-size, --luks2-keyslots-size, --keyslot-cipher, --keyslot-key-size, --integrity-legacy-padding, --hw-opal, --hw-opal-only].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksHeaderBackup.8.adoc b/man/cryptsetup-luksHeaderBackup.8.adoc
index 1f57f25..184c9b4 100644
--- a/man/cryptsetup-luksHeaderBackup.8.adoc
+++ b/man/cryptsetup-luksHeaderBackup.8.adoc
@@ -16,20 +16,15 @@ cryptsetup-luksHeaderBackup - store a binary backup of the LUKS header and keysl
 
 == DESCRIPTION
 
-Stores a binary backup of the LUKS header and keyslot area. +
-*NOTE:* Using '-' as filename writes the header backup to a file named
-'-'.
+Stores a binary backup of the LUKS header and keyslot area.
 
-*<options>* can be [--header, --header-backup-file, --disable-locks].
+Using '-' as a filename writes the header backup to a file named '-'.
+
+The backup file and a passphrase valid at the time of backup allow decryption of the LUKS data area, even if the passphrase was later changed or removed from the LUKS device.
+Note that with a header backup, you lose the ability to wipe the LUKS device securely by just overwriting the header and keyslots.
+You must either securely erase all header backups or overwrite the encrypted data area.
 
-*WARNING:* This backup file and a passphrase valid at the time of backup
-allows decryption of the LUKS data area, even if the passphrase was
-later changed or removed from the LUKS device. Also note that with a
-header backup you lose the ability to securely wipe the LUKS device by
-just overwriting the header and key-slots. You either need to securely
-erase all header backups in addition or overwrite the encrypted data
-area as well. The second option is less secure, as some sectors can
-survive, e.g., due to defect management.
+*<options>* can be [--header, --header-backup-file, --disable-locks].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksHeaderRestore.8.adoc b/man/cryptsetup-luksHeaderRestore.8.adoc
index e7fa8aa..c3142a0 100644
--- a/man/cryptsetup-luksHeaderRestore.8.adoc
+++ b/man/cryptsetup-luksHeaderRestore.8.adoc
@@ -16,19 +16,16 @@ cryptsetup-luksHeaderRestore - restore a binary backup of the LUKS header and ke
 
 == DESCRIPTION
 
-Restores a binary backup of the LUKS header and keyslot area from the
-specified file. +
-*NOTE:* Using '-' as filename reads the header backup from a file named '-'.
+Restores a binary backup of the LUKS header and keyslot area from the specified file.
 
-*<options>* can be [--header, --header-backup-file, --disable-locks].
+Using '-' as a filename reads the header backup from a file named '-'.
+
+All keyslots will be replaced; only the passphrases from the backup will work afterward.
 
-*WARNING:* Header and keyslots will be replaced, only the passphrases
-from the backup will work afterward.
+This command requires that the volume key size and data offset of the LUKS header and backup match.
+Alternatively, the backup will also be written if the device has no LUKS header.
 
-This command requires that the volume key size and data offset of the
-LUKS header already on the device and of the header backup match.
-Alternatively, if there is no LUKS header on the device, the backup will
-also be written to it.
+*<options>* can be [--header, --header-backup-file, --disable-locks].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksKillSlot.8.adoc b/man/cryptsetup-luksKillSlot.8.adoc
index 4575387..4dcf72e 100644
--- a/man/cryptsetup-luksKillSlot.8.adoc
+++ b/man/cryptsetup-luksKillSlot.8.adoc
@@ -8,33 +8,28 @@
 
 == Name
 
-cryptsetup-luksKillSlot - wipe a key-slot from the LUKS device
+cryptsetup-luksKillSlot - wipe a keyslot from the LUKS device
 
 == SYNOPSIS
 
-*cryptsetup _luksKillSlot_ [<options>] <device> <key slot number>*
+*cryptsetup _luksKillSlot_ [<options>] <device> <number>*
 
 == DESCRIPTION
 
-Wipe the key-slot number <key slot> from the LUKS device. Except running
-in batch-mode (-q) a remaining passphrase must be supplied, either
-interactively or via --key-file. This command can remove the last
-remaining key-slot, but requires an interactive confirmation when doing
-so. Removing the last passphrase makes a LUKS container permanently
-inaccessible.
-
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
---header, --disable-locks, --type, --verify-passphrase, --timeout].
-
-*WARNING:* If you read the passphrase from stdin (without further
-argument or with '-' as an argument to --key-file), batch-mode (-q) will
-be implicitly switched on and no warning will be given when you remove
-the last remaining passphrase from a LUKS container. Removing the last
-passphrase makes the LUKS container permanently inaccessible.
-
-*NOTE:* If there is no passphrase provided (on stdin or through
---key-file argument) and batch-mode (-q) is active, the key-slot is
-removed without any other warning.
+Wipe the keyslot with the number from the LUKS device.
+
+Except running in batch-mode (-q), a remaining passphrase must be supplied, either interactively or via --key-file.
+This command can remove the last remaining keyslot, but requires an interactive confirmation when doing so.
+Removing the last passphrase makes a LUKS container permanently inaccessible.
+
+If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container.
+Removing the last passphrase makes the LUKS container permanently inaccessible.
+
+If no passphrase is provided (on stdin or through --key-file argument) and batch-mode (-q) is active, the keyslot is removed without any other warning.
+
+This operation removes only the key in a particular keyslot; it does not wipe any encrypted data.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --verify-passphrase, --timeout].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksRemoveKey.8.adoc b/man/cryptsetup-luksRemoveKey.8.adoc
index b414f18..3f0315c 100644
--- a/man/cryptsetup-luksRemoveKey.8.adoc
+++ b/man/cryptsetup-luksRemoveKey.8.adoc
@@ -16,18 +16,15 @@ cryptsetup-luksRemoveKey - remove the supplied passphrase from the LUKS device
 
 == DESCRIPTION
 
-Removes the supplied passphrase from the LUKS device. The passphrase to
-be removed can be specified interactively, as the positional argument or
-via --key-file.
-
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
---header, --disable-locks, --type, --timeout, --verify-passphrase].
-
-*WARNING:* If you read the passphrase from stdin (without further
-argument or with '-' as an argument to --key-file), batch-mode (-q) will
-be implicitly switched on and no warning will be given when you remove
-the last remaining passphrase from a LUKS container. Removing the last
-passphrase makes the LUKS container permanently inaccessible.
+Removes the supplied passphrase from the LUKS device.
+The passphrase to be removed can be specified interactively, as the positional argument or via --key-file.
+
+If you read the passphrase from stdin (without further argument or with '-' as an argument to --key-file), batch-mode (-q) will be implicitly switched on and no warning will be given when you remove the last remaining passphrase from a LUKS container.
+Removing the last passphrase makes the LUKS container permanently inaccessible.
+
+This operation removes only the key in a particular keyslot; it does not wipe any encrypted data.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks, --type, --timeout, --verify-passphrase].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksResume.8.adoc b/man/cryptsetup-luksResume.8.adoc
index ba9f690..03a434d 100644
--- a/man/cryptsetup-luksResume.8.adoc
+++ b/man/cryptsetup-luksResume.8.adoc
@@ -16,15 +16,10 @@ cryptsetup-luksResume - resume a suspended device and reinstate the key
 
 == DESCRIPTION
 
-Resumes a suspended device and reinstates the encryption key. Prompts
-interactively for a passphrase if no token is usable (LUKS2 only) or
---key-file is not given.
-
-*<options>* can be [--key-file, --keyfile-size, --keyfile-offset,
---key-slot, --header, --disable-keyring, --disable-locks, --token-id,
---token-only, --token-type, --disable-external-tokens, --type, --tries,
---timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring,
---external-tokens-path].
+Resumes a suspended device and reinstates the encryption key.
+Prompts interactively for a passphrase if no token is usable (LUKS2 only) or --key-file is not given.
+
+*<options>* can be [--key-file, --keyfile-size, --keyfile-offset, --key-slot, --header, --disable-keyring, --disable-locks, --token-id, --token-only, --token-type, --disable-external-tokens, --type, --tries, --timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring, --external-tokens-path].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksSuspend.8.adoc b/man/cryptsetup-luksSuspend.8.adoc
index c5f90ce..576c94a 100644
--- a/man/cryptsetup-luksSuspend.8.adoc
+++ b/man/cryptsetup-luksSuspend.8.adoc
@@ -16,22 +16,15 @@ cryptsetup-luksSuspend - suspends an active device and wipes the key
 
 == DESCRIPTION
 
-Suspends an active device (all IO operations will block and accesses to
-the device will wait indefinitely) and wipes the encryption key from
-kernel memory. Needs kernel 2.6.19 or later.
+Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory.
 
-While the _luksSuspend_ operation wipes encryption keys from memory,
-it does not remove possible plaintext data in various caches or in-kernel
-metadata for mounted filesystems.
+While the _luksSuspend_ operation wipes encryption keys from memory, it does not remove possible plaintext data in various caches or in-kernel metadata for mounted filesystems.
 
-After this operation, you have to use _luksResume_ to reinstate the
-encryption key and unblock the device or _close_ to remove the mapped
-device.
+After this operation, you must use _luksResume_ to reinstate the encryption key and unblock the device or _close_ to remove the mapped device.
 
-*<options>* can be [--header, --disable-locks].
+*WARNING:* To avoid deadlock, never suspend the device on which the cryptsetup binary resides.
 
-*WARNING:* Never suspend the device on which the cryptsetup binary
-resides.
+*<options>* can be [--header, --disable-locks].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-luksUUID.8.adoc b/man/cryptsetup-luksUUID.8.adoc
index 8ffe9ff..3ead583 100644
--- a/man/cryptsetup-luksUUID.8.adoc
+++ b/man/cryptsetup-luksUUID.8.adoc
@@ -16,8 +16,9 @@ cryptsetup-luksUUID - print or set the UUID of a LUKS device
 
 == DESCRIPTION
 
-Print the UUID of a LUKS device. +
-Set new UUID if _--uuid_ option is specified.
+Print the UUID of a LUKS device.
+
+Set new UUID if --uuid option is specified.
 
 *<options>* can be [--header, --uuid, --type, --disable-locks].
 
diff --git a/man/cryptsetup-open.8.adoc b/man/cryptsetup-open.8.adoc
index 73a5dc5..90e8b0f 100644
--- a/man/cryptsetup-open.8.adoc
+++ b/man/cryptsetup-open.8.adoc
@@ -17,10 +17,9 @@ cryptsetup-open, cryptsetup-create, cryptsetup-plainOpen, cryptsetup-luksOpen, c
 == DESCRIPTION
 Opens (creates a mapping with) <name> backed by device <device>.
 
-Device type can be _plain_, _luks_ (default), _luks1_, _luks2_,
-_loopaes_ or _tcrypt_.
+Device type can be _plain_, _luks_ (default), _luks1_, _luks2_, _loopaes_ or _tcrypt_.
 
-For backward compatibility there are *open* command aliases:
+For backward compatibility, there are *open* command aliases:
 
 *create* (argument-order <name> <device>): open --type plain +
 *plainOpen*: open --type plain +
@@ -29,147 +28,117 @@ For backward compatibility there are *open* command aliases:
 *tcryptOpen*: open --type tcrypt +
 *bitlkOpen*: open --type bitlk
 
-*<options>* are type specific and are described below for individual
-device types. For *create*, the order of the <name> and <device> options
-is inverted for historical reasons, all other aliases use the standard
-*<device> <name>* order.
+*<options>* are type-specific and are described below for individual device types.
+For *create*, the order of the <name> and <device> options is inverted for historical reasons; all other aliases use the standard *<device> <name>* order.
 
 === PLAIN
 *open --type plain <device> <name>* --cipher <spec> --key-size <bits> --hash <alg> +
-plainOpen <device> <name> (*old syntax*) +
-create <name> <device> (*OBSOLETE syntax*)
+plainOpen <device> <name> (old syntax) +
+create <name> <device> (OBSOLETE syntax)
 
 Opens (creates a mapping with) <name> backed by device <device>.
 
-*WARNING:* You should always specify options *--cipher*, *--key-size* and
-(if no keyfile is used) then also *--hash* to avoid incompatibility as
-default values can be different in older cryptsetup versions. +
+You should always specify options --cipher, --key-size and (if no keyfile or keyring is used) then also --hash to avoid incompatibility, as default values can differ in older cryptsetup versions.
 
-*<options>* can be [--hash, --cipher, --verify-passphrase, --sector-size,
---key-file, --keyfile-size, --keyfile-offset, --key-size, --offset,
---skip, --device-size, --size, --readonly, --shared, --allow-discards,
---refresh, --timeout, --verify-passphrase, --iv-large-sectors].
+The plain format also allows retrieving a volume key from a kernel keyring specified by --volume-key-keyring.
+The key in the kernel keyring must be configured before issuing cryptsetup commands, as cryptsetup does not upload any keys to the keyring in plain mode.
+For subsequent commands (like resize), the user must ensure that the key in the keyring is unchanged.
+Otherwise, reloading the key can cause data corruption after an unexpected key change.
 
-Example: 'cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 /dev/sda10 e1' maps the raw
-encrypted device /dev/sda10 to the mapped (decrypted) device
-/dev/mapper/e1, which can then be mounted, fsck-ed or have a filesystem
-created on it.
+*<options>* can be [--hash, --cipher, --sector-size, --key-file, --keyfile-size, --keyfile-offset, --key-size, --offset, --skip, --device-size, --size, --readonly, --shared, --allow-discards, --refresh, --timeout, --verify-passphrase, --iv-large-sectors, --volume-key-keyring].
+
+*EXAMPLES:*
+
+To map the encrypted device /dev/sda10 to the decrypted device /dev/mapper/e1, you can use:
+
+*cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --hash sha256 /dev/sda10 e1*
+
+The decrypted device can then be used as a normal block device to mount a filesystem.
+
+To map a device with a volume key in the preconfigured trusted or encrypted keyring, you need to specify the keyring with the key and remove the hash specification, for example, to use *%trusted:mykey*:
+
+*cryptsetup open --type plain /dev/sda10 e1 --volume-key-keyring=%trusted:mykey --cipher aes-xts-plain64 --key-size 256*
+
+Note that the key size must match the preconfigured key in the keyring.
 
 === LUKS
 *open <device> <name>* +
-open --type <luks1|luks2> <device> <name> (*explicit version request*) +
-luksOpen <device> <name> (*old syntax*)
+open --type <luks1|luks2> <device> <name> (explicit version request) +
+luksOpen <device> <name> (old syntax)
 
-Opens the LUKS device <device> and sets up a mapping <name> after
-successful verification of the supplied passphrase.
+Opens the LUKS device <device> and sets up a mapping <name> after successful verification of the supplied passphrase.
 
 First, the passphrase is searched in LUKS2 tokens unprotected by PIN.
-If such token does not exist (or fails to unlock keyslot) and
-also the passphrase is not supplied via --key-file, the command
-prompts for passphrase interactively.
-
-If there is valid LUKS2 token but it requires PIN to unlock assigned keyslot,
-it is not used unless one of following options is added: --token-only,
---token-type where type matches desired PIN protected token or --token-id with id
-matching PIN protected token.
-
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size,
---readonly, --test-passphrase, --allow-discards, --header, --key-slot,
---volume-key-file, --token-id, --token-only, --token-type,
---disable-external-tokens, --disable-keyring, --disable-locks, --type,
---refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout,
---verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring,
---external-tokens-path].
+If such a token does not exist (or fails to unlock keyslot) and the passphrase is not supplied via --key-file, the command prompts for passphrase interactively.
+
+If there is a valid LUKS2 token but it requires a PIN to unlock the assigned keyslot, it is not used unless one of the following options is added: --token-only,
+--token-type where type matches the desired PIN-protected token or --token-id with id matching the PIN-protected token.
+
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --readonly, --test-passphrase, --allow-discards, --header, --key-slot, --volume-key-file, --token-id, --token-only, --token-type, --disable-external-tokens, --disable-keyring, --disable-locks, --type, --refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout, --verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring, --external-tokens-path].
 
 === loopAES
 *open --type loopaes <device> <name> --key-file <keyfile>* +
-loopaesOpen <device> <name> --key-file <keyfile> (*old syntax*)
+loopaesOpen <device> <name> --key-file <keyfile> (old syntax)
 
 Opens the loop-AES <device> and sets up a mapping <name>.
 
-If the key file is encrypted with GnuPG, then you have to use
---key-file=- and decrypt it before use, e.g., like this: +
-gpg --decrypt <keyfile> | cryptsetup loopaesOpen --key-file=- <device>
-<name>
+If the key file is encrypted with GnuPG, then you have to use --key-file=- and decrypt it before use, e.g., like this:
+*gpg --decrypt <keyfile> | cryptsetup loopaesOpen --key-file=- <device> <name>*.
 
-*WARNING:* The loop-AES extension cannot use the direct input of the key
-file on the real terminal because the keys are separated by end-of-line and
-only part of the multi-key file would be read. +
-If you need it in script, just use the pipe redirection: +
-echo $keyfile | cryptsetup loopaesOpen --key-file=- <device> <name>
+The loop-AES extension cannot use the direct input of the key file on the real terminal because the keys are separated by end-of-line, and only part of the multi-key file would be read.
+If you need it in script, just use the pipe redirection: *echo $keyfile | cryptsetup loopaesOpen --key-file=- <device> <name>*.
 
-Use *--keyfile-size* to specify the proper key length if needed.
+Use --keyfile-size to specify the proper key length if needed.
 
-Use *--offset* to specify device offset. Note that the units need to be
-specified in number of 512 byte sectors.
+Use --offset to specify device offset.
+Note that the units need to be specified in terms of 512-byte sectors.
 
-Use *--skip* to specify the IV offset. If the original device used an
-offset and but did not use it in IV sector calculations, you have to
-explicitly use *--skip 0* in addition to the offset parameter.
+Use --skip to specify the IV offset.
+If the original device used an offset but did not use it in IV sector calculations, you must explicitly use --skip 0 in addition to the offset parameter.
 
-Use *--hash* to override the default hash function for passphrase
-hashing (otherwise it is detected according to key size).
+Use --hash to override the default hash function for passphrase hashing (otherwise it is detected according to key size).
 
-*<options>* can be [--cipher, --key-file, --keyfile-size, --keyfile-offset,
---key-size, --offset, --skip, --hash, --readonly, --allow-discards, --refresh].
+*<options>* can be [--cipher, --key-file, --keyfile-size, --keyfile-offset, --key-size, --offset, --skip, --hash, --readonly, --allow-discards, --refresh].
 
 === TrueCrypt and VeraCrypt
 *open --type tcrypt <device> <name>* +
-tcryptOpen <device> <name> (*old syntax*)
+tcryptOpen <device> <name> (old syntax)
 
 Opens the TCRYPT (TrueCrypt and VeraCrypt compatible) <device> and sets
 up a mapping <name>.
 
-*<options>* can be [--key-file, --tcrypt-hidden, --tcrypt-system,
---tcrypt-backup, --readonly, --test-passphrase, --allow-discards,
---veracrypt (ignored), --disable-veracrypt, --veracrypt-pim,
---veracrypt-query-pim, --header,
---cipher, --hash, --tries, --timeout, --verify-passphrase].
+The --key-file option allows a combination of file content with the passphrase
+The --key-file option can be repeated.
+Note that using keyfiles differs from LUKS keyfile logic.
 
-The keyfile parameter allows a combination of file content with the
-passphrase and can be repeated. Note that using keyfiles is compatible
-with TCRYPT and is different from LUKS keyfile logic.
+If --cipher or --hash options are used, only cipher chains or PBKDF2 variants with the specified hash algorithms are checked.
+This could speed up unlocking the device (but also reveals some information about the container).
 
-If *--cipher* or *--hash* options are used, only cipher chains or PBKDF2
-variants with the specified hash algorithms are checked. This could
-speed up unlocking the device (but also it reveals some information
-about the container).
+If you use --header in combination with hidden or system options, the header file must contain specific headers in the same positions as the original encrypted container.
 
-If you use *--header* in combination with hidden or system options, the
-header file must contain specific headers on the same positions as the
-original encrypted container.
+Option --allow-discards cannot be combined with option --tcrypt-hidden.
+For normal mapping, it can cause the destruction of hidden volume (hidden volume appears as unused space for outer volume, so this space can be discarded).
 
-*WARNING:* Option *--allow-discards* cannot be combined with option
-*--tcrypt-hidden*. For normal mapping, it can cause the *destruction of
-hidden volume* (hidden volume appears as unused space for outer volume
-so this space can be discarded).
+*<options>* can be [--key-file, --tcrypt-hidden, --tcrypt-system, --tcrypt-backup, --readonly, --test-passphrase, --allow-discards, --veracrypt (ignored), --disable-veracrypt, --veracrypt-pim, --veracrypt-query-pim, --header, --cipher, --hash, --tries, --timeout, --verify-passphrase].
 
 === BitLocker
 *open --type bitlk <device> <name>* +
-bitlkOpen <device> <name> (*old syntax*)
+bitlkOpen <device> <name> (old syntax)
 
-Opens the BITLK (a BitLocker compatible) <device> and sets up a mapping
-<name>.
+Opens the BITLK (a BitLocker compatible) <device> and sets up a mapping <name>.
 
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size,
---readonly, --test-passphrase, --allow-discards --volume-key-file, --tries,
---timeout, --verify-passphrase].
+Note that --test-passphrase doesn't work with --volume-key-file because we cannot check whether the provided volume key is correct for this device.
+When using --volume-key-file, the device will be opened even if the provided key is incorrect.
 
-Note that *--test-passphrase* doesn't work with *--volume-key-file* because
-we cannot check whether the provided volume key is correct for this device
-or not. When using *--volume-key-file* the device will be opened even if
-the provided key is not correct.
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size, --readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, --timeout, --verify-passphrase].
 
 === FileVault2
 *open --type fvault2 <device> <name>* +
-fvault2Open <device> <name> (*old syntax*)
+fvault2Open <device> <name> (old syntax)
 
-Opens the FVAULT2 (a FileVault2 compatible) <device> and sets up a mapping
-<name>.
+Opens the FVAULT2 (a FileVault2 compatible) <device> and sets up a mapping <name>.
 
-*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size,
---readonly, --test-passphrase, --allow-discards --volume-key-file, --tries,
---timeout, --verify-passphrase].
+*<options>* can be [--key-file, --keyfile-offset, --keyfile-size, --key-size, --readonly, --test-passphrase, --allow-discards --volume-key-file, --tries, --timeout, --verify-passphrase].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-reencrypt.8.adoc b/man/cryptsetup-reencrypt.8.adoc
index 387b0a9..83fac42 100644
--- a/man/cryptsetup-reencrypt.8.adoc
+++ b/man/cryptsetup-reencrypt.8.adoc
@@ -26,25 +26,20 @@ There are 3 basic modes of operation:
 
 <device> or --active-name <name> (LUKS2 only) is mandatory parameter.
 
-Cryptsetup _reencrypt_ action can be used to change reencryption parameters
-which otherwise require full on-disk data change (re-encryption). The
-_reencrypt_ action reencrypts data on LUKS device in-place.
+Cryptsetup _reencrypt_ action can be used to change reencryption parameters, which otherwise require full on-disk data change (re-encryption).
+The _reencrypt_ action reencrypts data on the LUKS device in-place.
 
-You can regenerate *volume key* (the real key used in on-disk encryption
-unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size*
-(LUKS2 only).
+You can regenerate *volume key* (the real key used in on-disk encryption unlocked by passphrase), *cipher*, *cipher mode* or *encryption sector size* (LUKS2 only).
 
-Reencryption process may be safely interrupted by a user via SIGINT
-signal (ctrl+c). Same applies to SIGTERM signal (i.e. issued by systemd
-during system shutdown).
+If you need to use both luksChangeKey and reencrypt (e.g., to recover from a leak), you need to use them in that order to avoid leaking the new volume key.
 
-For in-place encryption mode, the _reencrypt_ action additionally takes all
-options available for _luksFormat_ action for respective LUKS version (see
-cryptsetup-luksFormat man page for more details). See *cryptsetup-luksFormat*(8).
+The reencryption process may be safely interrupted by a user via SIGINT signal (ctrl+c).
+The same applies to the SIGTERM signal (i.e., issued by systemd during system shutdown).
 
-*NOTE* that for encrypt and decrypt mode, the whole device must be
-treated as unencrypted -- there are no guarantees of confidentiality as
-part of the device contains plaintext.
+For in-place encryption mode, the _reencrypt_ action additionally takes all options available for the _luksFormat_ action for the respective LUKS version (see cryptsetup-luksFormat man page for more details).
+See *cryptsetup-luksFormat*(8).
+
+Note that for encrypt and decrypt mode, the whole device must be treated as unencrypted -- there are no guarantees of confidentiality as part of the device contains plaintext.
 
 *ALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS ACTION ON LUKS DEVICE.*
 
@@ -93,53 +88,45 @@ part of the device contains plaintext.
 
 == LUKS2 REENCRYPTION
 
-With <device> parameter cryptsetup looks up active <device> dm mapping.
-If no active mapping is detected, it starts offline LUKS2 reencryption
-otherwise online reencryption takes place.
+With the <device> parameter, cryptsetup looks up the active <device> dm mapping.
+If no active mapping is detected, it starts offline LUKS2 reencryption; otherwise, online reencryption occurs.
 
-To resume already initialized or interrupted reencryption, just run the
-cryptsetup _reencrypt_ command again to continue the reencryption
-operation. Reencryption may be resumed with different --resilience or
---hotzone-size unless implicit datashift resilience mode is used: either
-encrypt mode with --reduce-device-size option or decrypt mode with
-original LUKS2 header exported in --header file.
+To resume already initialized or interrupted reencryption, just run the cryptsetup _reencrypt_ command again to continue the reencryption operation.
+Reencryption may be resumed with different --resilience or --hotzone-size unless implicit datashift resilience mode is used: either encrypt mode with --reduce-device-size option or decrypt mode with original LUKS2 header exported in --header file.
 
-If the reencryption process was interrupted abruptly (reencryption
-process crash, system crash, poweroff) it may require recovery. The
-recovery is currently run automatically on next activation (action
-_open_) when needed or explicitly by user (action _repair_).
+If the reencryption process was interrupted abruptly (reencryption process crash, system crash, or power off), it may require recovery.
+The recovery is run automatically on next activation (action _open_) when needed or explicitly by the user (action _repair_).
 
-Optional parameter <new_name> takes effect only with encrypt option
-and it activates device <new_name> immediately after encryption
-initialization gets finished. That's useful when device needs to be
-ready as soon as possible and mounted (used) before full data area
-encryption is completed.
+The optional parameter <new_name> takes effect only with the encrypt option, and it activates device <new_name> immediately after encryption initialization is finished.
+That's useful when the device needs to be ready as soon as possible and mounted (used) before full data area encryption is completed.
 
 == LUKS1 REENCRYPTION
 
-Current working directory must be writable and temporary files created during
-reencryption must be present. During reencryption process the LUKS1 device is
-marked unavailable and must be offline (no dm-crypt mapping or mounted
-filesystem).
+The current working directory must be writable, and temporary files created during reencryption must be present.
+During reencryption, the LUKS1 device is marked unavailable and must be offline (no dm-crypt mapping or mounted filesystem).
 
-*WARNING*: The LUKS1 reencryption code is not resistant to hardware
-or kernel failures during reencryption (you can lose your data in this case).
+*WARNING*: The LUKS1 reencryption code is not resistant to hardware or kernel failures during reencryption (you can lose your data in this case).
 
 include::man/common_options.adoc[]
 
 == EXAMPLES
 
-*NOTE*: You may drop *--type luks2* option as long as LUKS2 format is
-default.
+You may drop *--type luks2* option as long as LUKS2 format is default.
 
 === LUKS2 ENCRYPTION EXAMPLES
 
-Encrypt LUKS2 device (in-place). Make sure last 32 MiB on _/dev/plaintext_
-is unused (e.g.: does not contain filesystem data):
+Encrypt LUKS2 device (in-place).
+Make sure the last 32 MiB on _/dev/plaintext_ is unused (e.g., does not contain filesystem data):
 
 *cryptsetup reencrypt --encrypt --type luks2 --reduce-device-size 32m /dev/plaintext_device*
 
-Encrypt LUKS2 device (in-place) with detached header put in a file:
+Encrypt LUKS2 device (in-place).
+Only the initial 1 GiB of original _/dev/plaintext_ data is encrypted while being shifted backwards.
+Make sure the last 32 MiB (tail) on the data device is unused (e.g., does not contain any data):
+
+*cryptsetup reencrypt --encrypt --type luks2 --device-size 1g --reduce-device-size 32m /dev/plaintext_device*
+
+Encrypt LUKS2 device (in-place) with detached header, put in a file:
 
 *cryptsetup reencrypt --encrypt --type luks2 --header my_luks2_header /dev/plaintext_device*
 
@@ -147,7 +134,7 @@ Initialize LUKS2 in-place encryption operation only and activate the device (not
 
 *cryptsetup reencrypt --encrypt --type luks2 --init-only --reduce-device-size 32m /dev/plaintext_device my_future_luks_device*
 
-Resume online encryption on device initialized in example above:
+Resume online encryption on the device initialized in the example above:
 
 *cryptsetup reencrypt --resume-only /dev/plaintext_device* or
 *cryptsetup reencrypt --active-name my_future_luks_device*
@@ -158,9 +145,19 @@ Reencrypt LUKS2 device (refresh volume key only):
 
 *cryptsetup reencrypt /dev/encrypted_device*
 
+Reencrypt LUKS2 device using keyslot(s) associated with the token 3.
+All other keyslots will be removed after the reencryption finishes.
+
+*cryptsetup reencrypt --token-id 3 /dev/encrypted_device*
+
+Reencrypt LUKS2 device using keyslots associated with all 'systemd-tpm2' tokens.
+All other keyslots will be removed after the reencryption finishes.
+
+*cryptsetup reencrypt --token-type systemd-tpm2 /dev/encrypted_device*
+
 === LUKS2 DECRYPTION EXAMPLES
 
-Decrypt LUKS2 device with header put in head of data device (header file does not exist):
+Decrypt LUKS2 device with header put in the head of the data device (header file does not exist):
 
 *cryptsetup reencrypt --decrypt --header /export/header/to/file /dev/encrypted_device*
 
diff --git a/man/cryptsetup-refresh.8.adoc b/man/cryptsetup-refresh.8.adoc
index b79a80a..de88669 100644
--- a/man/cryptsetup-refresh.8.adoc
+++ b/man/cryptsetup-refresh.8.adoc
@@ -18,36 +18,24 @@ cryptsetup-refresh - refresh parameters of an active mapping
 
 Refreshes parameters of active mapping <name>.
 
-Updates parameters of active device <name> without the need to deactivate
-the device (and umount filesystem). Currently, it supports parameters
-refresh on following devices: LUKS1, LUKS2 (including authenticated
-encryption), plain crypt and loop-AES.
+Update parameters of active device <name> without the need to deactivate the device (and unmount the filesystem).
+Currently, it supports parameter refresh on the following devices: LUKS1, LUKS2 (including authenticated encryption), plain crypt and loop-AES.
 
-Mandatory parameters are identical to those of an open action for
-the respective device type.
+Mandatory parameters are identical to those of an open action for the respective device type.
 
-You may change following parameters on all devices
---perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
---perf-no_read_workqueue, --perf-no_write_workqueue and
---allow-discards.
+You may change the following parameters on all devices --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus, --perf-no_read_workqueue, --perf-no_write_workqueue and --allow-discards.
 
-Refreshing the device without any optional parameter will refresh the device
-with default setting (respective to device type).
+Refreshing the device without any optional parameter will refresh the device with the default setting (respective to device type).
 
 *LUKS2 only:*
 
-The --integrity-no-journal parameter affects only LUKS2 devices with
-the underlying dm-integrity device.
+The --integrity-no-journal parameter affects only LUKS2 devices with the underlying dm-integrity device.
 
-Adding option --persistent stores any combination of device parameters
-above in LUKS2 metadata (only after successful refresh operation).
+Adding option --persistent stores any combination of device parameters above in LUKS2 metadata (only after successful refresh operation).
 
-The --disable-keyring parameter refreshes a device with volume key passed in
-dm-crypt driver.
+The --disable-keyring parameter refreshes a device with the volume key passed in the dm-crypt driver.
 
-*<options>* can be [--allow-discards, --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus,
---perf-no_read_workqueue, --perf-no_write_workqueue, --header, --disable-keyring,
---disable-locks, --persistent, --integrity-no-journal].
+*<options>* can be [--allow-discards, --perf-same_cpu_crypt, --perf-submit_from_crypt_cpus, --perf-no_read_workqueue, --perf-no_write_workqueue, --header, --disable-keyring, --disable-locks, --persistent, --integrity-no-journal].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-repair.8.adoc b/man/cryptsetup-repair.8.adoc
index 22ad9cb..95eda68 100644
--- a/man/cryptsetup-repair.8.adoc
+++ b/man/cryptsetup-repair.8.adoc
@@ -16,28 +16,37 @@ cryptsetup-repair - repair the device metadata
 
 == DESCRIPTION
 
-Tries to repair the device metadata if possible. Currently supported
-only for LUKS device type.
+Tries to repair the device metadata if possible.
+Currently supported only for LUKS device type.
 
-This command is useful to fix some known benign LUKS metadata header
-corruptions. Only basic corruptions of unused keyslot are fixable. This
-command will only change the LUKS header, not any key-slot data. You may
-enforce LUKS version by adding --type option.
+This command is useful for fixing some known benign LUKS metadata header corruptions.
+Only basic corruptions of unused keyslot are fixable.
+This command will only change the LUKS header, not any keyslot data.
+You may enforce LUKS version by adding --type option.
 
-It also repairs (upgrades) LUKS2 reencryption metadata by adding
-a metadata digest that protects it against malicious changes.
+It also repairs (upgrades) LUKS2 reencryption metadata by adding a metadata digest that protects it against malicious changes.
 
-If LUKS2 reencryption was interrupted in the middle of writing
-reencryption segment the repair command can be used to perform
-reencryption recovery so that reencryption can continue later.
-Repairing reencryption requires verification of reencryption
-keyslot so passphrase or keyfile is needed.
+If LUKS2 reencryption was interrupted while writing the reencryption segment, the repair command can perform reencryption recovery so that reencryption can continue later.
+Repairing reencryption requires verification of the reencryption keyslot, so a passphrase or keyfile is needed.
 
-*<options>* can be [--timeout, --verify-passphrase, --disable-locks,
---type, --header, --key-file, --keyfile-size, --keyfile-offset, --key-slot].
+*WARNING:* Always create a binary backup of the original header before calling this command.
 
-*WARNING:* Always create a binary backup of the original header before
-calling this command.
+=== LUKS keyslots corruption detection
+
+The repair command also checks for detectable corruption of keyslot content.
+Corruption of a keyslot results in a situation where a known password is no longer accepted.
+It can happen due to storage media failure or overwriting the keyslot area with other data.
+Only certain corruptions, usually only a low-entropy area (like zeroed blocks), can be detected.
+
+The detection prints only warnings.
+It does not modify keyslots.
+It can also print more specific offsets on the device for detailed manual inspection.
+
+Please note that the warning can be a false positive (no real corruption happened).
+Conversely, if the keyslot is corrupted, no recovery is possible.
+You have to use the LUKS header backup.
+
+*<options>* can be [--timeout, --verify-passphrase, --disable-locks, --type, --header, --key-file, --keyfile-size, --keyfile-offset, --key-slot].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-resize.8.adoc b/man/cryptsetup-resize.8.adoc
index b9a5502..636c980 100644
--- a/man/cryptsetup-resize.8.adoc
+++ b/man/cryptsetup-resize.8.adoc
@@ -18,25 +18,17 @@ cryptsetup-resize - resize an active mapping
 
 Resizes an active mapping <name>.
 
-If --size (in 512-bytes sectors) or --device-size are not specified, the
-size is computed from the underlying device. For LUKS it is the size of
-the underlying device without the area reserved for LUKS header (see
-data payload offset in *luksDump* command). For plain crypt device, the
-whole device size is used.
-
-Note that this does not change the raw device geometry, it just changes
-how many sectors of the raw device are represented in the mapped device.
-
-If cryptsetup detected volume key for active device loaded in kernel
-keyring service, resize action would first try to retrieve the key using
-a token. Only if it failed, it'd ask for a passphrase to unlock a
-keyslot (LUKS) or to derive a volume key again (plain mode). The kernel
-keyring is used by default for LUKS2 devices.
-
-*<options>* can be [--size, --device-size, --token-id, --token-only,
---token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset,
---timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
---verify-passphrase, --timeout, --external-tokens-path].
+If --size (in 512-byte sectors) or --device-size is not specified, the size is computed from the underlying device.
+For LUKS, it is the size of the underlying device without the area reserved for the LUKS header (see data payload offset in the *luksDump* command).
+For a plain crypt device, the whole device size is used.
+
+Note that this does not change the raw device geometry; it just changes how many sectors of the raw device are represented in the mapped device.
+
+If cryptsetup detected a volume key for the active device loaded in the kernel keyring service, the resize action would first try to retrieve the key using a token.
+Only if it failed, it'd ask for a passphrase to unlock a keyslot (LUKS) or to derive a volume key again (plain mode).
+The kernel keyring is used by default for LUKS2 devices.
+
+*<options>* can be [--size, --device-size, --token-id, --token-only, --token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset, --timeout, --disable-external-tokens, --disable-locks, --disable-keyring, --volume-key-keyring, --verify-passphrase, --timeout, --external-tokens-path].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-ssh.8.adoc b/man/cryptsetup-ssh.8.adoc
index d2c2c06..753b603 100644
--- a/man/cryptsetup-ssh.8.adoc
+++ b/man/cryptsetup-ssh.8.adoc
@@ -14,12 +14,10 @@ cryptsetup-ssh - manage LUKS2 SSH token
 
 == DESCRIPTION
 
-Experimental cryptsetup plugin for unlocking LUKS2 devices with token
-connected to an SSH server.
+Experimental cryptsetup plugin for unlocking LUKS2 devices with a token connected to an SSH server.
 
-This plugin currently allows only adding a token to an existing key
-slot. See *cryptsetup(8)* for instructions on how to remove, import or
-export the token.
+This plugin currently allows only adding a token to an existing keyslot.
+See *cryptsetup*(8) for instructions on how to remove, import or export the token.
 
 === Add operation
 
@@ -27,13 +25,10 @@ export the token.
 
 Adds the SSH token to *<device>*.
 
-The specified SSH server must contain a key file on the specified path with
-a passphrase for an existing key slot on the device. Provided
-credentials will be used by cryptsetup to get the password when opening
-the device using the token.
+The specified SSH server must contain a key file on the specified path with a passphrase for an existing keyslot on the device.
+Provided credentials will be used by cryptsetup to get the password when opening the device using the token.
 
-Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are
-required for this operation.
+Options --ssh-server, --ssh-user, --ssh-keypath and --ssh-path are required for this operation.
 
 == OPTIONS
 
@@ -43,35 +38,34 @@ Show debug messages
 *--debug-json*::
 Show debug messages including JSON metadata
 
-*--help, -?*::
+*--help*, *-?*::
 Show help
 
-**--key-slot**=_NUM_::
-Keyslot to assign the token to. If not specified, the token will be
-assigned to the first key slot matching provided passphrase.
+*--key-slot* _number_::
+Keyslot to assign the token to.
+If not specified, the token will be assigned to the first keyslot matching the provided passphrase.
 
-**--ssh-keypath**=_STRING_::
+*--ssh-keypath* _string_::
 Path to the SSH key for connecting to the remote server.
 
-**--ssh-path**=_STRING_::
+*--ssh-path* _string_::
 Path to the key file on the remote server.
 
-**--ssh-server**=_STRING_::
+*--ssh-server* _string_::
 IP address/URL of the remote server for this token.
 
-**--ssh-user**=_STRING_::
-Username used for the remote server.
+*--ssh-user* _string_::
+The username used for the remote server.
 
-*--verbose, -v*::
+*--verbose*, *-v*::
 Shows more detailed error messages
 
-*--version, -V*::
+*--version*, *-V*::
 Print program version
 
 == NOTES
 
-The information provided when adding the token (SSH server address, user
-and paths) will be stored in the LUKS2 header in plaintext.
+The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext.
 
 == AUTHORS
 
diff --git a/man/cryptsetup-tcryptDump.8.adoc b/man/cryptsetup-tcryptDump.8.adoc
index 51d5041..8478efb 100644
--- a/man/cryptsetup-tcryptDump.8.adoc
+++ b/man/cryptsetup-tcryptDump.8.adoc
@@ -18,20 +18,16 @@ cryptsetup-tcryptDump - dump the header information of a TCRYPT (TrueCrypt or Ve
 
 Dump the header information of a TCRYPT (TrueCrypt or VeraCrypt compatible) device.
 
-If the --dump-volume-key option is used, the TCRYPT device volume key is
-dumped instead of TCRYPT header info. Beware that the volume key (or
-concatenated volume keys if cipher chain is used) can be used to decrypt
-the data stored in the TCRYPT container without a passphrase. This means
-that if the volume key is compromised, the whole device has to be erased
-to prevent further access. Use this option carefully.
-
-*<options>* can be [--dump-volume-key, --key-file, --tcrypt-hidden,
---tcrypt-system, --tcrypt-backup, --veracrypt (ignored), --disable-veracrypt,
---veracrypt-pim, --veracrypt-query-pim, --cipher, --hash, --header,
---verify-passphrase, --timeout].
-
-The keyfile parameter allows a combination of file content with the
-passphrase and can be repeated.
+If the --dump-volume-key option is used, the TCRYPT device volume key is dumped instead of the TCRYPT header info.
+Beware that the volume key (or concatenated volume keys if a cipher chain is used) can be used to decrypt the data stored in the TCRYPT container without a passphrase.
+This means that if the volume key is compromised, the whole device has to be erased to prevent further access.
+Use this option carefully.
+
+The --key-file option allows a combination of file content with the passphrase
+The --key-file option can be repeated.
+Note that using keyfiles differs from LUKS keyfile logic.
+
+*<options>* can be [--dump-volume-key, --key-file, --tcrypt-hidden, --tcrypt-system, --tcrypt-backup, --veracrypt (ignored), --disable-veracrypt, --veracrypt-pim, --veracrypt-query-pim, --cipher, --hash, --header, --verify-passphrase, --timeout].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc
index 5fa6af8..9fcc09e 100644
--- a/man/cryptsetup-token.8.adoc
+++ b/man/cryptsetup-token.8.adoc
@@ -16,40 +16,30 @@ cryptsetup-token - manage LUKS2 tokens
 
 == DESCRIPTION
 
-Action _add_ creates a new keyring token to enable auto-activation of the
-device. For the auto-activation, the passphrase must be stored in
-keyring with the specified description. Usually, the passphrase should
-be stored in _user_ or _user-session_ keyring. The _token_ command is
-supported only for LUKS2.
+Action _add_ creates a new keyring token to enable auto-activation of the device.
+For the auto-activation, the passphrase must be stored in the keyring with the specified description.
+Usually, the passphrase should be stored in the _user_ or _user-session_ keyring.
+The _token_ command is supported only for LUKS2.
 
-For adding new keyring token, option --key-description is mandatory.
-Also, new token is assigned to key slot specified with --key-slot option
-or to all active key slots in the case --key-slot option is omitted.
+For adding a new keyring token, the option --key-description is mandatory.
+Also, a new token is assigned to the keyslot specified with --key-slot option or to all active keyslots if the --key-slot option is omitted.
 
-To remove existing token, specify the token ID which should be removed
-with --token-id option.
+To remove an existing token, specify the token ID that should be removed with --token-id option.
 
-*WARNING:* The action _token remove_ removes any token type, not just
-_keyring_ type from token slot specified by --token-id option.
+*WARNING:* The action _token remove_ removes any token type, not just _keyring_ type from token slot specified by --token-id option.
 
-Action _import_ can store arbitrary valid token json in LUKS2 header. It
-may be passed via standard input or via file passed in --json-file
-option. If you specify --key-slot then successfully imported token is
-also assigned to the key slot.
+Action _import_ can store an arbitrary valid JSON data in the LUKS2 token.
+It may be passed via standard input or a file passed in --json-file option.
+If you specify --key-slot, a successfully imported token is also assigned to the keyslot.
 
-Action _export_ writes requested token JSON to a file passed with
---json-file or to standard output.
+Action _export_ writes requested token JSON to a file passed with --json-file or to standard output.
 
-Action _unassign_ removes token binding to specified keyslot. Both token
-and keyslot must be specified by --token-id and --key-slot parameters.
+Action _unassign_ removes token binding to specified keyslot.
+Both token and keyslot must be specified by --token-id and --key-slot parameters.
 
-If --token-id is used with action _add_ or action _import_ and a token
-with that ID already exists, option --token-replace can be used to
-replace the existing token.
+If --token-id is used with action _add_ or action _import_ and a token with that ID already exists, option --token-replace can replace the existing token.
 
-*<options>* can be [--header, --token-id, --key-slot, --key-description,
---disable-external-tokens, --disable-locks, --disable-keyring,
---json-file, --token-replace, --unbound, --external-tokens-path].
+*<options>* can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, --json-file, --token-replace, --unbound, --external tokens-path].
 
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup.8.adoc b/man/cryptsetup.8.adoc
index 442012d..7fc0c05 100644
--- a/man/cryptsetup.8.adoc
+++ b/man/cryptsetup.8.adoc
@@ -6,7 +6,7 @@
 
 == Name
 
-cryptsetup - manage plain dm-crypt, LUKS, and other encrypted volumes
+cryptsetup - utility for configuring and managing encrypted storage devices
 
 == SYNOPSIS
 
@@ -14,19 +14,21 @@ cryptsetup - manage plain dm-crypt, LUKS, and other encrypted volumes
 
 == DESCRIPTION
 
-cryptsetup is used to conveniently setup dm-crypt managed device-mapper
-mappings. These include plain dm-crypt volumes and LUKS volumes. The
-difference is that LUKS uses a metadata header and can hence offer more
-features than plain dm-crypt. On the other hand, the header is visible
-and vulnerable to damage.
+*Cryptsetup* is a utility for configuring and managing full-disk encryption on storage devices.
+It can encrypt block devices (such as hard drives or partitions) and containers (disk images stored as files).
 
-In addition, cryptsetup provides limited support for the use of loop-AES
-volumes, TrueCrypt, VeraCrypt, BitLocker and FileVault2 compatible volumes,
-and for hardware-based encryption on OPAL capable drives.
+When you unlock an encrypted volume, *cryptsetup* creates a new device mapping that applications can access like any regular storage device.
+The actual encryption and decryption work is performed transparently by the kernel's device-mapper dm-crypt driver.
 
-For more information about specific cryptsetup action see
-*cryptsetup-<action>*(8), where *<action>* is the name of the
-cryptsetup action.
+*Cryptsetup* works with two main volume types: plain encrypted volumes and LUKS (Linux Unified Key Setup) volumes.
+Plain volumes provide basic encryption, while LUKS volumes include a metadata header that enables advanced features like multiple keyslots and key management.
+Additionally, LUKS can be used to manage hardware-based encryption on OPAL-capable storage drives.
+
+*Cryptsetup* also provides limited support for volumes created by other encryption systems, including *loop-AES*, *TrueCrypt*, *VeraCrypt*, *BitLocker*, and *FileVault2*.
+
+For more information about a specific cryptsetup action, see *cryptsetup-<action>*(8), where *<action>* is the name of the cryptsetup action.
+
+Cryptsetup devices can be activated during boot through *crypttab*(5), which is part of *systemd*(1) or other system init scripts.
 
 == BASIC ACTIONS
 
@@ -35,47 +37,46 @@ The following are valid actions for all supported device types.
 === OPEN
 *open <device> <name> --type <device_type>*
 
-Opens (creates a mapping with) <name> backed by device <device>. +
+Opens (creates a mapping with) <name> backed by device <device>.
 See *cryptsetup-open*(8).
 
 === CLOSE
 *close <name>*
 
-Removes the existing mapping <name> and wipes the key from kernel memory. +
+Removes the existing mapping <name> and wipes the key from kernel memory.
 See *cryptsetup-close*(8).
 
 === STATUS
 *status <name>*
 
-Reports the status for the mapping <name>. +
+Reports the status for the mapping <name>.
 See *cryptsetup-status*(8).
 
 === RESIZE
 *resize <name>*
 
-Resizes an active mapping <name>. +
+Resizes an active mapping <name>.
 See *cryptsetup-resize*(8).
 
 === REFRESH
 *refresh <name>*
 
-Refreshes parameters of active mapping <name>. +
+Refreshes parameters of active mapping <name>.
 See *cryptsetup-refresh*(8).
 
 === REENCRYPT
 *reencrypt <device> or --active-name <name> [<new_name>]*
 
-Run LUKS device reencryption. +
+Run LUKS device reencryption.
 See *cryptsetup-reencrypt*(8).
 
 == PLAIN MODE
 
-Plain dm-crypt encrypts the device sector-by-sector with a single,
-non-salted hash of the passphrase. No checks are performed, no metadata
-is used. There is no formatting operation. When the raw device is mapped
-(opened), the usual device operations can be used on the mapped device,
-including filesystem creation. Mapped devices usually reside in
-/dev/mapper/<name>.
+Plain dm-crypt encrypts the device sector-by-sector with a single, non-salted hash of the passphrase.
+No checks are performed, and no metadata is used.
+There is no formatting operation.
+When the raw device is mapped (opened), the usual device operations can be used on the mapped device, including filesystem creation.
+Mapped devices usually reside in /dev/mapper/<name>.
 
 The following are valid plain device type actions:
 
@@ -83,292 +84,229 @@ The following are valid plain device type actions:
 *open --type plain <device> <name>* +
 create <name> <device> (*OBSOLETE syntax*)
 
-Opens (creates a mapping with) <name> backed by device <device>. +
+Opens (creates a mapping with) <name> backed by device <device>.
 See *cryptsetup-open*(8).
 
 == LUKS EXTENSION
 
-LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It
-adds a standardized header at the start of the device, a key-slot area
-directly behind the header and the bulk data area behind that. The whole
-set is called a 'LUKS container'. The device that a LUKS container
-resides on is called a 'LUKS device'. For most purposes, both terms can
-be used interchangeably. But note that when the LUKS header is at a
-nonzero offset in a device, then the device is not a LUKS device
-anymore, but has a LUKS container stored in it at an offset.
-
-LUKS can manage multiple passphrases that can be individually revoked or
-changed and that can be securely scrubbed from persistent media due to
-the use of anti-forensic stripes. Passphrases are protected against
-brute-force and dictionary attacks by Password-Based Key Derivation
-Function (PBKDF).
-
-LUKS2 is a new version of header format that allows additional
-extensions like different PBKDF algorithm or authenticated encryption.
-You can format device with LUKS2 header if you specify *--type luks2* in
-*luksFormat* command. For activation, the format is already recognized
-automatically.
-
-Each passphrase, also called a *key* in this document, is associated
-with one of 8 key-slots. Key operations that do not specify a slot
-affect the first slot that matches the supplied passphrase or the first
-empty slot if a new passphrase is added.
-
-The *<device>* parameter can also be specified by a LUKS UUID in the
-format UUID=<uuid>. Translation to real device name uses symlinks in
-/dev/disk/by-uuid directory.
-
-To specify a detached header, the *--header* parameter can be used in
-all LUKS commands and always takes precedence over the positional
-*<device>* parameter.
+LUKS, the Linux Unified Key Setup, is a standard for disk encryption.
+It adds a standardized header at the start of the device, a keyslot area directly behind the header and the bulk data area behind that.
+The whole set is called a 'LUKS container'.
+The device that a LUKS container resides on is called a 'LUKS device'.
+For most purposes, both terms can be used interchangeably.
+
+LUKS can manage multiple passphrases that can be individually revoked or changed.
+Each passphrase uses an individual keyslot containing a volume key for data encryption.
+Keyslots can be securely scrubbed from persistent media due to the use of anti-forensic stripes.
+Passphrases are protected against brute-force attacks by the Password-Based Key Derivation Function (PBKDF).
+A passphrase stored in a file is called a key file.
+The only difference between a passphrase and a key file is that a key file can contain binary data.
+Both are processed the same.
+
+LUKS version 1 (or LUKS1) is the original metadata format, while LUKS2 is a new version that allows additional extensions like different PBKDF algorithms or authenticated encryption.
+You can format the device with a specific LUKS version with *--type luks1* or *--type luks2* in the *luksFormat* command.
+Normally, you do not need to specify any version as it is recognized automatically.
+The default format is LUKS2.
+
+The *<device>* parameter can also be specified by a LUKS UUID in the format UUID=<uuid>.
+
+The LUKS header can be detached from data (stored separately).
+To specify a detached header, the --header parameter can be used in all LUKS commands and always takes precedence over the positional *<device>* parameter.
 
 The following are valid LUKS actions:
 
 === FORMAT
 *luksFormat <device> [<key file>]*
 
-Initializes a LUKS partition and sets the initial passphrase (for key-slot 0). +
+Initializes a LUKS partition and sets the initial passphrase (for keyslot 0).
 See *cryptsetup-luksFormat*(8).
 
 === OPEN
 *open --type luks <device> <name>* +
 luksOpen <device> <name> (*old syntax*)
 
-Opens the LUKS device <device> and sets up a mapping <name> after
-successful verification of the supplied passphrase. +
+Opens the LUKS device <device> and sets up a mapping <name> after successful verification of the supplied passphrase.
 See *cryptsetup-open*(8).
 
 === SUSPEND
 *luksSuspend <name>*
 
-Suspends an active device (all IO operations will block and accesses to
-the device will wait indefinitely) and wipes the encryption key from
-kernel memory. +
+Suspends an active device (all IO operations will block and accesses to the device will wait indefinitely) and wipes the encryption key from kernel memory.
 See *cryptsetup-luksSuspend*(8).
 
 === RESUME
 *luksResume <name>*
 
-Resumes a suspended device and reinstates the encryption key. +
+Resumes a suspended device and reinstates the encryption key.
 See *cryptsetup-luksResume*(8).
 
 === ADD KEY
 *luksAddKey <device> [<key file with new key>]*
 
-Adds a new passphrase using an existing passphrase. +
+Adds a new passphrase using an existing passphrase.
 See *cryptsetup-luksAddKey*(8).
 
 === REMOVE KEY
 *luksRemoveKey <device> [<key file with passphrase to be removed>]*
 
-Removes the supplied passphrase from the LUKS device. +
+Removes the supplied passphrase from the LUKS device.
 See *cryptsetup-luksRemoveKey*(8).
 
 === CHANGE KEY
 *luksChangeKey <device> [<new key file>]*
 
-Changes an existing passphrase. +
+Changes an existing passphrase.
 See *cryptsetup-luksChangeKey*(8).
 
 === CONVERT KEY
 *luksConvertKey <device>*
 
-Converts an existing LUKS2 keyslot to new PBKDF parameters. +
+Converts an existing LUKS2 keyslot to new PBKDF parameters.
 See *cryptsetup-luksConvertKey*(8).
 
 === KILL SLOT
-*luksKillSlot <device> <key slot number>*
+*luksKillSlot <device> <number>*
 
-Wipe the key-slot number <key slot> from the LUKS device. +
+Wipe the keyslot with the <number> from the LUKS device.
 See *cryptsetup-luksKillSlot*(8).
 
 === ERASE
 *erase <device>* +
 luksErase <device> (*old syntax*)
 
-Erase all keyslots and make the LUKS container permanently inaccessible. +
+Erase all keyslots and make the LUKS container permanently inaccessible.
 See *cryptsetup-erase*(8).
 
 === UUID
 *luksUUID <device>*
 
-Print or set the UUID of a LUKS device. +
+Print or set the UUID of a LUKS device.
 See *cryptsetup-luksUUID*(8).
 
 === IS LUKS
 *isLuks <device>*
 
-Returns true, if <device> is a LUKS device, false otherwise. +
+Returns true, if <device> is a LUKS device, false otherwise.
 See *cryptsetup-isLuks*(8).
 
 === DUMP
 *luksDump <device>*
 
-Dump the header information of a LUKS device. +
+Dump the header information of a LUKS device.
 See *cryptsetup-luksDump*(8).
 
 === HEADER BACKUP
 *luksHeaderBackup <device> --header-backup-file <file>*
 
-Stores a binary backup of the LUKS header and keyslot area. +
+Stores a binary backup of the LUKS header and keyslot area.
 See *cryptsetup-luksHeaderBackup*(8).
 
 === HEADER RESTORE
 *luksHeaderRestore <device> --header-backup-file <file>*
 
-Restores a binary backup of the LUKS header and keyslot area from the
-specified file. +
+Restores a binary backup of the LUKS header and keyslot area from the specified file.
 See *cryptsetup-luksHeaderRestore*(8).
 
 === TOKEN
 *token <add|remove|import|export> <device>*
 
-Manipulate token objects used for obtaining passphrases. +
+Manipulate token objects used for obtaining passphrases.
 See *cryptsetup-token*(8).
 
 === CONVERT
 *convert <device> --type <format>*
 
-Converts the device between LUKS1 and LUKS2 format (if possible). +
+Converts the device between LUKS1 and LUKS2 format (if possible).
 See *cryptsetup-convert*(8).
 
 === CONFIG
 *config <device>*
 
-Set permanent configuration options (store to LUKS header). +
+Set permanent configuration options (store to LUKS header).
 See *cryptsetup-config*(8).
 
 == loop-AES EXTENSION
 
-cryptsetup supports mapping loop-AES encrypted partition using a
-compatibility mode.
+Cryptsetup supports mapping a loop-AES encrypted partition using a compatibility mode.
 
 === OPEN
 *open --type loopaes <device> <name> --key-file <keyfile>* +
 loopaesOpen <device> <name> --key-file <keyfile> (*old syntax*)
 
-Opens the loop-AES <device> and sets up a mapping <name>. +
+Opens the loop-AES <device> and sets up a mapping <name>.
 See *cryptsetup-open*(8).
 
-See also section 7 of the FAQ and http://loop-aes.sourceforge.net[loop-AES]
-for more information regarding loop-AES.
+See also section 7 of the FAQ and http://loop-aes.sourceforge.net[loop-AES] for more information regarding loop-AES.
 
 == TCRYPT (TrueCrypt and VeraCrypt compatible) EXTENSION
 
-cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt encrypted
-partition using a native Linux kernel API. Header formatting and TCRYPT
-header change is not supported, cryptsetup never changes TCRYPT header
-on-device.
-
-TCRYPT extension requires kernel userspace crypto API to be available
-(introduced in Linux kernel 2.6.38). If you are configuring kernel
-yourself, enable "User-space interface for symmetric key cipher
-algorithms" in "Cryptographic API" section
-(CRYPTO_USER_API_SKCIPHER .config option).
-
-Because TCRYPT header is encrypted, you have to always provide valid
-passphrase and keyfiles.
+Cryptsetup supports mapping of TrueCrypt, tcplay, or VeraCrypt encrypted partitions using a native Linux kernel API.
+Header formatting and TCRYPT header change are not supported; cryptsetup never changes the TCRYPT header on-device.
 
-Cryptsetup should recognize all header variants, except legacy cipher
-chains using LRW encryption mode with 64 bits encryption block (namely
-Blowfish in LRW mode is not recognized, this is limitation of kernel
-crypto API).
+TCRYPT extension requires the kernel userspace crypto API to be available.
+If you are configuring the kernel yourself, enable "User-space interface for symmetric key cipher algorithms" in "Cryptographic API" section (CRYPTO_USER_API_SKCIPHER .config option).
 
-VeraCrypt is extension of TrueCrypt header with increased iteration
-count so unlocking can take quite a lot of time.
+Because the TCRYPT header is encrypted, you must always provide a valid passphrase and keyfiles.
 
-To open a VeraCrypt device with a custom Personal Iteration Multiplier
-(PIM) value, use either the *--veracrypt-pim=<PIM>* option to directly
-specify the PIM on the command- line or use *--veracrypt-query-pim* to
-be prompted for the PIM.
+Cryptsetup should recognize all header variants, except legacy cipher chains using LRW encryption mode with a 64-bit encryption block (namely, Blowfish in LRW mode is not recognized; this is a limitation of the kernel crypto API).
 
-The PIM value affects the number of iterations applied during key
-derivation. Please refer to
-https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html[PIM]
-for more detailed information.
+VeraCrypt is an extension of TrueCrypt with an increased iteration count, so unlocking can take quite a lot of time.
 
-If you need to disable VeraCrypt device support, use
-*--disable-veracrypt* option.
+To open a VeraCrypt device with a custom Personal Iteration Multiplier (PIM) value, use either the --veracrypt-pim PIM option to directly specify the PIM on the command line or use --veracrypt-query-pim to be prompted for the PIM.
 
-*NOTE:* Activation with *tcryptOpen* is supported only for cipher chains
-using LRW or XTS encryption modes.
+The PIM value affects the number of iterations applied during key derivation.
+Please refer to https://veracrypt.io/en/Personal%20Iterations%20Multiplier%20(PIM).html[PIM] for more detailed information.
 
-The *tcryptDump* command should work for all recognized TCRYPT devices
-and doesn't require superuser privilege.
+If you need to disable VeraCrypt device support, use --disable-veracrypt option.
 
-To map system device (device with boot loader where the whole encrypted
-system resides) use *--tcrypt-system* option. You can use partition
-device as the parameter (parameter must be real partition device, not an
-image in a file), then only this partition is mapped.
+Activation with *tcryptOpen* is supported only for cipher chains using LRW or XTS encryption modes.
 
-If you have the whole TCRYPT device as a file image and you want to map
-multiple partition encrypted with system encryption, please create
-loopback mapping with partitions first (*losetup -P*, see *losetup(8)*
-man page for more info), and use loop partition as the device parameter.
+The *tcryptDump* command should work for all recognized TCRYPT devices and doesn't require superuser privilege.
 
-If you use the whole base device as a parameter, one device for the
-whole system encryption is mapped. This mode is available only for
-backward compatibility with older cryptsetup versions which mapped
-TCRYPT system encryption using the whole device.
+To map the system device (device with boot loader where the whole encrypted system resides), use --tcrypt-system option.
+Please read specific info in *cryptsetup-tcryptOpen*(8) --tcrypt-system option section as mapping system-encrypted device is tricky.
 
-To use hidden header (and map hidden device, if available), use
-*--tcrypt-hidden* option.
+To use a hidden header (and map hidden device, if available), use --tcrypt-hidden option.
 
-To explicitly use backup (secondary) header, use *--tcrypt-backup*
-option.
+To explicitly use the backup (secondary) header, use --tcrypt-backup option.
 
-*NOTE:* There is no protection for a hidden volume if the outer volume
-is mounted. The reason is that if there were any protection, it would
-require some metadata describing what to protect in the outer volume and
-the hidden volume would become detectable.
+There is no protection for a hidden volume if the outer volume is mounted.
+The reason is that if there were any protection, it would require some metadata describing what to protect in the outer volume, and the hidden volume would become detectable.
 
 === OPEN
 *open --type tcrypt <device> <name>* +
 tcryptOpen_ <device> <name> (*old syntax*)
 
-Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping
-<name>. +
+Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
 See *cryptsetup-open*(8).
 
 === DUMP
 *tcryptDump <device>*
 
-Dump the header information of a TCRYPT device. +
+Dump the header information of a TCRYPT device.
 See *cryptsetup-tcryptDump*(8).
 
-See also https://en.wikipedia.org/wiki/TrueCrypt[*TrueCrypt*] and
-https://en.wikipedia.org/wiki/VeraCrypt[*VeraCrypt*] pages for more information.
+See also https://en.wikipedia.org/wiki/TrueCrypt[TrueCrypt] and https://en.wikipedia.org/wiki/VeraCrypt[VeraCrypt] pages for more information.
 
-Please note that cryptsetup does not use TrueCrypt or VeraCrypt code, please
-report all problems related to this compatibility extension to the cryptsetup
-project.
+Please note that cryptsetup does not use TrueCrypt or VeraCrypt code; please report all problems related to this compatibility extension to the cryptsetup project.
 
 == BITLK (Windows BitLocker compatible) EXTENSION
 
-cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted
-partition using a native Linux kernel API. Header formatting and BITLK
-header changes are not supported, cryptsetup never changes BITLK header
-on-device.
+Cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted partitions using a native Linux kernel API.
+Header formatting and BITLK header changes are not supported; cryptsetup never changes the BITLK header on-device.
 
-BITLK extension requires kernel userspace crypto API to be available
-(for details see TCRYPT section).
+BITLK extension requires the kernel userspace crypto API to be available (for details, see the TCRYPT section).
 
-Cryptsetup should recognize all BITLK header variants, except legacy
-header used in Windows Vista systems and partially decrypted BitLocker
-devices. Activation of legacy devices encrypted in CBC mode requires at
-least Linux kernel version 5.3 and for devices using Elephant diffuser
-kernel 5.6.
+Cryptsetup should recognize all BITLK header variants, except the legacy header used in Windows Vista systems and partially decrypted BitLocker devices.
+Activation of legacy devices encrypted in CBC mode requires at least a Linux kernel version 5.3, and for devices using the Elephant diffuser, kernel 5.6.
 
-The *bitlkDump* command should work for all recognized BITLK devices and
-doesn't require superuser privilege.
+The *bitlkDump* command should work for all recognized BITLK devices and doesn't require superuser privilege.
 
-For unlocking with the *open* a password or a recovery passphrase or a
-startup key must be provided.
+For unlocking with the *open*, a password, a recovery passphrase, or a startup key must be provided.
 
-Additionally unlocking using volume key is supported. You must provide
-BitLocker Full Volume Encryption Key (FVEK) using the --volume-key-file
-option. The key must be decrypted and without the header (only
-128/256/512 bits of key data depending on used cipher and mode).
+Additionally, unlocking using the volume key is supported.
+You must provide BitLocker Full Volume Encryption Key (FVEK) using the --volume-key-file option.
+The key must be decrypted and without the header (only 128/256/512 bits of key data depending on the used cipher and mode).
 
 Other unlocking methods (TPM, SmartCard) are not supported.
 
@@ -376,42 +314,31 @@ Other unlocking methods (TPM, SmartCard) are not supported.
 *open --type bitlk <device> <name>* +
 bitlkOpen <device> <name> (*old syntax*)
 
-Opens the BITLK (a BitLocker-compatible) <device> and sets up a mapping
-<name>. +
+Opens the BITLK (a BitLocker-compatible) <device> and sets up a mapping <name>.
 See *cryptsetup-open*(8).
 
 === DUMP
 *bitlkDump <device>*
 
-Dump the header information of a BITLK device. +
+Dump the header information of a BITLK device.
 See *cryptsetup-bitlkDump*(8).
 
-Please note that cryptsetup does not use any Windows BitLocker code,
-please report all problems related to this compatibility extension to
-the cryptsetup project.
+Please note that cryptsetup does not use any Windows BitLocker code; please report all problems related to this compatibility extension to the cryptsetup project.
 
 == FVAULT2 (Apple macOS FileVault2 compatible) EXTENSION
 
-cryptsetup supports the mapping of FileVault2 (FileVault2 full-disk
-encryption) by Apple for the macOS operating system using a native Linux
-kernel API.
+Cryptsetup supports the mapping of FileVault2 (FileVault2 full-disk encryption) by Apple for the macOS operating system using a native Linux kernel API.
 
-*NOTE:* cryptsetup supports only FileVault2 based on Core Storage and HFS+
-filesystem (introduced in MacOS X 10.7 Lion).
-It does NOT support the new version of FileVault based on the APFS
-filesystem used in recent macOS versions.
+Cryptsetup supports only FileVault2 based on Core Storage and HFS+ filesystem (introduced in MacOS X 10.7 Lion).
+It does NOT support the new version of FileVault based on the APFS filesystem used in recent macOS versions.
 
-Header formatting and FVAULT2 header changes are not supported;
-cryptsetup never changes the FVAULT2 header on-device.
+Header formatting and FVAULT2 header changes are not supported; cryptsetup never changes the FVAULT2 header on-device.
 
-FVAULT2 extension requires kernel userspace crypto API to be available
-(for details, see TCRYPT section) and kernel driver for HFS+ (hfsplus)
-filesystem.
+FVAULT2 extension requires the kernel userspace crypto API to be available (for details, see the TCRYPT section) and a kernel driver for the HFS+ (hfsplus) filesystem.
 
 Cryptsetup should recognize the basic configuration for portable drives.
 
-The *fvault2Dump* command should work for all recognized FVAULT2 devices
-and doesn't require superuser privilege.
+The *fvault2Dump* command should work for all recognized FVAULT2 devices and doesn't require superuser privilege.
 
 For unlocking with the *open*, a password must be provided.
 Other unlocking methods are not supported.
@@ -420,126 +347,102 @@ Other unlocking methods are not supported.
 *open --type fvault2 <device> <name>* +
 fvault2Open <device> <name> (*old syntax*)
 
-Opens the FVAULT2 (a FileVault2-compatible) <device> (usually the second
-partition on the device) and sets up a mapping <name>. +
+Opens the FVAULT2 (a FileVault2-compatible) <device> (usually the second partition on the device) and sets up a mapping <name>.
 See *cryptsetup-open*(8).
 
 == SED (Self Encrypting Drive) OPAL EXTENSION
 
-cryptsetup supports using native hardware encryption on drives that provide an
-*OPAL* interface, both nested with *dm-crypt* and standalone. Passphrases,
-tokens and metadata are stored using the LUKS2 header format, and are thus
-compatible with any software or system that uses LUKS2 (e.g.: tokens).
+Cryptsetup supports using native hardware encryption on drives that provide an *OPAL* interface, both nested with *dm-crypt* and standalone.
+Passphrases, tokens and metadata are stored using the LUKS2 header format, and are thus compatible with any software or system that uses LUKS2 (e.g., tokens).
 
-*WARNING:* this support is new and experimental, and requires at least kernel
-v6.4. Resizing devices is not supported.
+OPAL support requires at least kernel v6.4.
+Resizing devices is not supported.
 
-*--hw-opal* can be specified for OPAL + dm-crypt, and
-*--hw-opal-only* can be specified to use OPAL only, without a dm-crypt layer.
+The --hw-opal can be specified for OPAL + dm-crypt, and --hw-opal-only can be specified to use OPAL only, without a dm-crypt layer.
 
-Opening, closing and enrolling tokens work in the same way as with LUKS2 and
-dm-crypt. The new parameters are only necessary when formatting, the LUKS2
-metadata will ensure the right setup is performed when opening or closing. If
-no *subsystem* is specified, it will be automatically set to *HW-OPAL* so that
-it is immediately apparent when a device uses OPAL.
+Opening, closing and enrolling tokens work the same way as with LUKS2 and dm-crypt.
+The new parameters are only necessary when formatting; the LUKS2 metadata will ensure the right setup is performed when opening or closing.
+
+If no *subsystem* label is specified, it will be automatically set to *HW-OPAL* so that it is immediately apparent when a device uses OPAL.
 
 === FORMAT
 *luksFormat --type luks2 --hw-opal <device> [<key file>]*
 
-Additionally specify *--hw-opal-only* instead of *--hw-opal* to avoid the
-dm-crypt layer. Other than the usual passphrase, an admin password will have
-to be specified when formatting the first partition of the drive, and will have
-to be re-supplied when formatting any other partition until a factory reset
-is performed.
+Additionally specify --hw-opal-only instead of --hw-opal to avoid the dm-crypt layer.
+Other than the usual passphrase, an admin password will have to be specified when formatting the drive's first partition, and will have to be re-supplied when formatting any other partition until a factory reset is performed.
 
 === ERASE
 *erase <device>*
 
-Securely erase a partition or device. Requires admin password.
-Additionally specify *--hw-opal-factory-reset* for a FULL factory reset of the
-drive, using the drive's *PSID* (typically printed on the label) instead of the
-admin password.
-*WARNING*: a factory reset will cause ALL data on the device to be lost,
-regardless of the partition it is ran on, if any, and regardless of any LUKS2
-header backup.
+Securely erase a partition or device.
+Requires admin password.
+Additionally specify --hw-opal-factory-reset for a FULL factory reset of the drive, using the drive's *PSID* (typically printed on the label) instead of the admin password.
+
+PSID must be entered without dashes, spaces or underscores.
+
+*WARNING*: A factory reset will cause ALL data on the device to be lost, regardless of the partition it is run on, if any, and regardless of any LUKS2 header backup.
 
 == MISCELLANEOUS ACTIONS
 
 === REPAIR
 *repair <device>*
 
-Tries to repair the device metadata if possible. Currently supported
-only for LUKS device type. +
+Tries to repair the device metadata if possible.
+Currently supported only for LUKS device type.
 See *cryptsetup-repair*(8).
 
 === BENCHMARK
 *benchmark <options>*
 
-Benchmarks ciphers and KDF (key derivation function). +
+Benchmarks, ciphers and KDF (key derivation function).
 See *cryptsetup-benchmark*(8).
 
-== PLAIN DM-CRYPT OR LUKS?
+== PLAIN MODE OR LUKS?
 
-Unless you understand the cryptographic background well, use LUKS. With
-plain dm-crypt there are a number of possible user errors that massively
-decrease security. While LUKS cannot fix them all, it can lessen the
-impact for many of them.
+Unless you understand the cryptographic background well, use LUKS.
+With plain mode, there are a number of possible user errors that massively decrease security.
+While LUKS cannot fix them all, it can lessen the impact for many of them.
 
 == WARNINGS
 
-A lot of good information on the risks of using encrypted storage, on
-handling problems and on security aspects can be found in the
-Cryptsetup FAQ. Read it. Nonetheless, some risks deserve to be
-mentioned here.
-
-*Backup:* Storage media die. Encryption has no influence on that. Backup
-is mandatory for encrypted data as well, if the data has any worth. See
-the Cryptsetup FAQ for advice on how to do a backup of an encrypted
-volume.
-
-*Character encoding:* If you enter a passphrase with special symbols,
-the passphrase can change depending on character encoding. Keyboard
-settings can also change, which can make blind input hard or impossible.
-For example, switching from some ASCII 8-bit variant to UTF-8 can lead
-to a different binary encoding and hence different passphrase seen by
-cryptsetup, even if what you see on the terminal is exactly the same. It
-is therefore highly recommended to select passphrase characters only
-from 7-bit ASCII, as the encoding for 7-bit ASCII stays the same for all
-ASCII variants and UTF-8.
-
-*LUKS header:* If the header of a LUKS volume gets damaged, all data is
-permanently lost unless you have a header-backup. If a key-slot is
-damaged, it can only be restored from a header-backup or if another
-active key-slot with known passphrase is undamaged. Damaging the LUKS
-header is something people manage to do with surprising frequency. This
-risk is the result of a trade-off between security and safety, as LUKS
-is designed for fast and secure wiping by just overwriting header and
-key-slot area.
-
-*Previously used partitions:* If a partition was previously used, it is
-a very good idea to wipe filesystem signatures, data, etc. before
-creating a LUKS or plain dm-crypt container on it. For a quick removal
-of filesystem signatures, use *wipefs*(8). Take care though that this may
-not remove everything. In particular, MD RAID signatures at the end of a
-device may survive. It also does not remove data. For a full wipe,
-overwrite the whole partition before container creation. If you do not
-know how to do that, the cryptsetup FAQ describes several options.
+A lot of good information on the risks of using encrypted storage, on handling problems and on security aspects can be found in the Cryptsetup FAQ.
+Read it.
+Nonetheless, some risks deserve to be mentioned here.
+
+*Backup:* Storage media die.
+Encryption has no influence on that.
+Backup is mandatory for encrypted data as well, if the data has any worth.
+See the Cryptsetup FAQ for advice on how to back up an encrypted volume.
+
+*Character encoding:* If you enter a passphrase with special symbols, the passphrase can change depending on character encoding.
+Keyboard settings can also be changed, which can make blind input hard or impossible.
+For example, switching from some ASCII 8-bit variant to UTF-8 can lead to a different binary encoding and hence a different passphrase seen by cryptsetup, even if what you see on the terminal is exactly the same.
+It is therefore highly recommended to select passphrase characters only from 7-bit ASCII, as the encoding for 7-bit ASCII stays the same for all ASCII variants and UTF-8.
+
+*LUKS header:* If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header backup.
+If a keyslot is damaged, it can only be restored from a header backup or if another active keyslot with a known passphrase is undamaged.
+This risk is the result of a trade-off between security and safety, as LUKS is designed for fast and secure wiping by just overwriting the header and keyslot area.
+
+*Previously used partitions:* If a partition was previously used, it is a very good idea to wipe filesystem signatures, data, etc., before creating a LUKS or plain dm-crypt container.
+For a quick removal of filesystem signatures, use *wipefs*(8) with the --all option.
+Note that it does not remove data; it only invalidates known format signatures.
+For a full wipe, overwrite the whole partition before creating a container.
+If you do not know how to do that, the cryptsetup FAQ describes several options.
 
 == EXAMPLES
 
 Example 1: Create LUKS 2 container on block device /dev/sdX.::
   sudo cryptsetup --type luks2 luksFormat /dev/sdX
-Example 2: Add an additional passphrase to key slot 5.::
+Example 2: Add an additional passphrase to keyslot 5.::
   sudo cryptsetup luksAddKey --key-slot 5 /dev/sdX
-Example 3: Create LUKS header backup and save it to file.::
+Example 3: Create LUKS header backup and save it to a file.::
   sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file
   /var/tmp/NameOfBackupFile
 Example 4: Open LUKS container on /dev/sdX and map it to sdX_crypt.::
   sudo cryptsetup open /dev/sdX sdX_crypt
-*WARNING: The command in example 5 will erase all key slots.*::
-  Your cannot use your LUKS container afterward anymore unless you have
-  a backup to restore.
-Example 5: Erase all key slots on /dev/sdX.::
+*WARNING: The command in example 5 will erase all keyslots.*::
+  You cannot use your LUKS container afterward anymore unless you have a backup to restore.
+Example 5: Erase all keyslots on /dev/sdX.::
   sudo cryptsetup erase /dev/sdX
 Example 6: Restore LUKS header from backup file.::
   sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file
@@ -549,213 +452,157 @@ Example 6: Restore LUKS header from backup file.::
 
 Cryptsetup returns *0* on success and a non-zero value on error.
 
-Error codes are: *1* wrong parameters, *2* no permission (bad passphrase),
-*3* out of memory, *4* wrong device specified, *5* device already exists
-or device is busy.
+Error codes are: *1* wrong parameters, *2* no permission (bad passphrase), *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
 
 == NOTES
 
 === Passphrase processing for PLAIN mode
 
-Note that no iterated hashing or salting is done in plain mode. If
-hashing is done, it is a single direct hash. This means that low-entropy
-passphrases are easy to attack in plain mode.
+Note that no iterated hashing or salting is done in plain mode.
+If hashing is done, it is a single direct hash.
+This means that low-entropy passphrases are easy to attack in plain mode.
 
-*From a terminal*: The passphrase is read until the first newline, i.e.
-'\n'. The input without the newline character is processed with the
-default hash or the hash specified with --hash. The hash result will be
-truncated to the key size of the used cipher, or the size specified with
--s.
+*From a terminal*: The passphrase is read until the first newline, i.e., '\n'.
+The input without the newline character is processed with the default hash or the hash specified with --hash.
+The hash result will be truncated to the key size of the used cipher, or the size specified with -s.
 
-*From stdin*: Reading will continue until a newline (or until the
-maximum input size is reached), with the trailing newline stripped. The
-maximum input size is defined by the same compiled-in default as for the
-maximum key file size and can be overwritten using --keyfile-size
-option.
+*From stdin*: Reading will continue until a newline (or until the maximum input size is reached), with the trailing newline stripped.
+The maximum input size is defined by the same compiled-in default as the maximum key file size and can be overwritten using the --keyfile-size option.
 
-The data read will be hashed with the default hash or the hash specified
-with --hash. The hash result will be truncated to the key size of the
-used cipher, or the size specified with -s.
+The data read will be hashed with the default hash or the hash specified with --hash.
+The hash result will be truncated to the key size of the used cipher, or the size specified with -s.
 
-Note that if --key-file=- is used for reading the key from stdin,
-trailing newlines are not stripped from the input.
+Note that if --key-file=- is used for reading the key from stdin, trailing newlines are not stripped from the input.
 
-If "plain" is used as argument to --hash, the input data will not be
-hashed. Instead, it will be zero padded (if shorter than the key size)
-or truncated (if longer than the key size) and used directly as the
-binary key. This is useful for directly specifying a binary key. No
-warning will be given if the amount of data read from stdin is less than
-the key size.
+If "plain" is used as an argument to --hash, the input data will not be hashed.
+Instead, it will be zero-padded (if shorter than the key size) or truncated (if longer than the key size) and used directly as the binary key.
+This is useful for directly specifying a binary key.
+No warning will be given if the amount of data read from stdin is less than the key size.
 
-*From a key file*: It will be truncated to the key size of the used
-cipher or the size given by -s and directly used as a binary key.
+*From a key file*: It will be truncated to the key size of the used cipher or the size given by -s and directly used as a binary key.
 
-*WARNING*: The --hash argument is being ignored. The --hash option is
-usable only for stdin input in plain mode.
+The --hash argument is being ignored.
+The --hash option is usable only for stdin input in plain mode.
 
-If the key file is shorter than the key, cryptsetup will quit with an
-error. The maximum input size is defined by the same compiled-in default
-as for the maximum key file size and can be overwritten using
---keyfile-size option.
+If the key file is shorter than the key, cryptsetup will quit with an error.
+The maximum input size is defined by the same compiled-in default as the maximum key file size and can be overwritten using the --keyfile-size option.
 
 === Passphrase processing for LUKS
 
-LUKS uses PBKDF to protect against dictionary attacks and to give some
-protection to low-entropy passphrases (see cryptsetup FAQ).
+*From a terminal*: The passphrase is read until the first newline and then processed by PBKDF2 without the newline character.
 
-*From a terminal*: The passphrase is read until the first newline and
-then processed by PBKDF2 without the newline character.
+*From stdin*: LUKS will read passphrases from stdin up to the first newline character or the compiled-in maximum key file length.
+If --keyfile-size is given, it is ignored.
 
-*From stdin*: LUKS will read passphrases from stdin up to the first
-newline character or the compiled-in maximum key file length. If
---keyfile-size is given, it is ignored.
+*From key file*: The complete keyfile is read up to the compiled-in maximum size.
+Newline characters do not terminate the input.
+The --keyfile-size option can be used to limit what is read.
 
-*From key file*: The complete keyfile is read up to the compiled-in
-maximum size. Newline characters do not terminate the input. The
---keyfile-size option can be used to limit what is read.
+LUKS uses *Password-Based Key Derivation Function* (PBKDF) to protect against brute-force attacks and to give some protection to low-entropy passphrases (see cryptsetup FAQ).
+LUKS1 supports the PBKDF2 algorithm only, while LUKS2 also supports memory-hard Argon2.
+PBKDFs are configured with costs: how long the iteration should run (CPU cost or iteration count), how much memory is used (memory cost), and how many parallel processes are used (parallel cost).
+PBKDF2 supports only iteration count.
+Cryptsetup uses PBKDF benchmarking to calculate optimal costs based on the computer where the new passphrase is being initialized.
+If needed, these costs can also be overwritten.
+Note that there are some hardcoded limits, for details see *MINIMAL AND MAXIMAL PBKDF COSTS* section in --pbkdf option description.
 
-*Passphrase processing*: Whenever a passphrase is added to a LUKS header
-(luksAddKey, luksFormat), the user may specify how much the time the
-passphrase processing should consume. The time is used to determine the
-iteration count for PBKDF2 and higher times will offer better protection
-for low-entropy passphrases, but open will take longer to complete. For
-passphrases that have entropy higher than the used key length, higher
-iteration times will not increase security.
+Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat), the user may specify how much time the passphrase processing should consume.
+The time is used to determine the iteration count for PBKDF2, and higher times will offer better protection for low-entropy passphrases, but the open command will take longer to complete.
+For passphrases that have entropy higher than the used key length, higher iteration times will not increase security.
 
-The default setting of one or two seconds is sufficient for most
-practical cases. The only exception is a low-entropy passphrase used on
-a device with a slow CPU, as this will result in a low iteration count.
-On a slow device, it may be advisable to increase the iteration time
-using the --iter-time option in order to obtain a higher iteration
-count. This does slow down all later luksOpen operations accordingly.
+The default setting of one or two seconds is sufficient for most practical cases.
+The only exception is a low-entropy passphrase used on a device with a slow CPU, as this will result in a low iteration count.
+On a slow device, it may be advisable to increase the iteration time using the --iter-time option to obtain a higher iteration count.
+This does slow down all later luksOpen operations accordingly.
 
 === Incoherent behavior for invalid passphrases/keys
 
-LUKS checks for a valid passphrase when an encrypted partition is
-unlocked. The behavior of plain dm-crypt is different. It will always
-decrypt with the passphrase given. If the given passphrase is wrong, the
-device mapped by plain dm-crypt will essentially still contain encrypted
-data and will be unreadable.
+LUKS checks for a valid passphrase when a keyslot is decrypted.
+
+The behavior of plain dm-crypt is different.
+It will always unlock the device with the passphrase given.
+If the given passphrase is wrong, the device mapped by plain dm-crypt will use the wrong encryption key, and the data will be unreadable.
 
 === Supported ciphers, modes, hashes and key sizes
 
-The available combinations of ciphers, modes, hashes and key sizes
-depend on kernel support. See /proc/crypto for a list of available
-options. You might need to load additional kernel crypto modules in
-order to get more options.
+The available combinations of ciphers, modes, hashes and key sizes depend on kernel support.
+See /proc/crypto for a list of available options.
+You might need to load additional kernel crypto modules to get more options.
 
-For the --hash option, if the crypto backend is libgcrypt, then all
-algorithms supported by the gcrypt library are available. For other
-crypto backends, some algorithms may be missing.
+Cryptsetup processes many operations outside of the kernel, so the configured cryptographic library must also support selected algorithms.
+Some algorithms may be missing as cryptsetup can be compiled with various cryptographic backends (libraries).
 
 === Notes on passphrases
 
-Mathematics can't be bribed. Make sure you keep your passphrases safe.
-There are a few nice tricks for constructing a fallback, when suddenly
-out of the blue, your brain refuses to cooperate. These fallbacks need
-LUKS, as it's only possible with LUKS to have multiple passphrases.
-Still, if your attacker model does not prevent it, storing your
-passphrase in a sealed envelope somewhere may be a good idea as well.
+Mathematics can't be bribed.
+Make sure you keep your passphrases safe.
+There are a few nice tricks for constructing a fallback when suddenly, out of the blue, your brain refuses to cooperate.
+These fallbacks need LUKS, as it's only possible with LUKS to have multiple passphrases.
+Still, if your attacker model does not prevent it, storing your passphrase in a sealed envelope somewhere may be a good idea as well.
 
 === Notes on Random Number Generators
 
-Random Number Generators (RNG) used in cryptsetup are always the kernel
-RNGs without any modifications or additions to data stream produced.
+Random Number Generators (RNGs) used in cryptsetup are always the kernel RNGs without any modifications or additions to the data stream produced.
 
-There are two types of randomness cryptsetup/LUKS needs. One type (which
-always uses /dev/urandom) is used for salts, the AF splitter and for
-wiping deleted keyslots.
+There are two types of randomness that cryptsetup/LUKS needs.
+One type is used for salts, the AF splitter and for wiping deleted keyslots.
+The second type is used for the volume key.
 
-The second type is used for the volume key. You can switch between using
-/dev/random and /dev/urandom here, see *--use-random* and
-*--use-urandom* options. Using /dev/random on a system without enough
-entropy sources can cause *luksFormat* to block until the requested
-amount of random data is gathered. In a low-entropy situation (embedded
-system), this can take a very long time and potentially forever. At the
-same time, using /dev/urandom in a low-entropy situation will produce
-low-quality keys. This is a serious problem, but solving it is out of
-scope for a mere man-page. See *urandom(4)* for more information.
+With recent kernels (Linux kernel 5.6), you do not need to worry about selecting RNG (/dev/random or /dev/urandom).
+In a low-entropy situation (embedded system), initialization of the kernel RNG can take a very long time, but this happens before cryptsetup can even be started.
+Use _cryptsetup --help_ to show the compiled-in default random number generator.
+See *urandom*(4) for more information.
 
 === Authenticated disk encryption (EXPERIMENTAL)
 
-Since Linux kernel version 4.12 dm-crypt supports authenticated disk
-encryption.
-
-Normal disk encryption modes are length-preserving (plaintext sector is
-of the same size as a ciphertext sector) and can provide only
-confidentiality protection, but not cryptographically sound data
-integrity protection.
+Normal disk encryption modes are length-preserving (the plaintext sector is the same size as a ciphertext sector) and can provide only confidentiality protection, not cryptographically sound data integrity protection.
 
-Authenticated modes require additional space per-sector for
-authentication tag and use Authenticated Encryption with Additional Data
-(AEAD) algorithms.
+Authenticated modes require additional space per-sector for the authentication tag and use Authenticated Encryption with Additional Data (AEAD) algorithms.
 
-If you configure LUKS2 device with data integrity protection, there will
-be an underlying dm-integrity device, which provides additional
-per-sector metadata space and also provide data journal protection to
-ensure atomicity of data and metadata update. Because there must be
-additional space for metadata and journal, the available space for the
-device will be smaller than for length-preserving modes.
+If you configure a LUKS2 device with data integrity protection, there will be an underlying dm-integrity device, which provides additional per-sector metadata space and data journal protection to ensure atomicity of data and metadata updates.
+Because there must be additional space for metadata and journal, the available space for the device will be smaller than for length-preserving modes.
 
 The dm-crypt device then resides on top of such a dm-integrity device.
-All activation and deactivation of this device stack is performed by
-cryptsetup, there is no difference in using *luksOpen* for integrity
-protected devices. If you want to format LUKS2 device with data
-integrity protection, use *--integrity* option (see *cryptsetup-luksFormat(8)*).
-
-Albeit Linux kernel 5.7 added TRIM support for standalone dm-integrity devices,
-*cryptsetup(8)* can't offer support for discards (TRIM) in authenticated
-encryption mode, because the underlying dm-crypt kernel module does not support
-this functionality when dm-integrity is used as auth tag space allocator
-(see *--allow-discards* in *cryptsetup-luksFormat(8)*).
-
-Some integrity modes requires two independent keys (key for encryption
-and for authentication). Both these keys are stored in one LUKS keyslot.
-
-*WARNING:* All support for authenticated modes is experimental and there
-are only some modes available for now. Note that there are a very few
-authenticated encryption algorithms that are suitable for disk
-encryption. You also cannot use CRC32 or any other non-cryptographic
-checksums (other than the special integrity mode "none"). If for some
-reason you want to have integrity control without using authentication
-mode, then you should separately configure dm-integrity independently of
-LUKS2.
+All activation and deactivation of this device stack is performed by cryptsetup; there is no difference in using *luksOpen* for integrity-protected devices.
+If you want to format a LUKS2 device with data integrity protection, use --integrity option (see *cryptsetup-luksFormat*(8)).
+
+Albeit Linux kernel 5.7 added TRIM support for standalone dm-integrity devices, *cryptsetup*(8) can't offer support for discards (TRIM) in authenticated encryption mode, because the underlying dm-crypt kernel module does not support this functionality when dm-integrity is used as auth tag space allocator (see --allow-discards in *cryptsetup-open*(8)).
+
+Some integrity modes require two independent keys (a key for encryption and authentication).
+Both these keys are stored in one LUKS keyslot.
+
+Support for authenticated modes is experimental, and only some modes are available now.
+Note that very few authenticated encryption algorithms are suitable for disk encryption.
+You also cannot use CRC32 or other non-cryptographic checksums (other than the special integrity mode "none").
+If, for some reason, you want to have integrity control without using authentication mode, then you should separately configure dm-integrity independently of LUKS2.
 
 === Notes on loopback device use
 
-Cryptsetup is usually used directly on a block device (disk partition or
-LVM volume). However, if the device argument is a file, cryptsetup tries
-to allocate a loopback device and map it into this file. This mode
-requires Linux kernel 2.6.25 or more recent which supports the loop
-autoclear flag (loop device is cleared on the last close automatically).
-Of course, you can always map a file to a loop-device manually. See the
-cryptsetup FAQ for an example.
+Cryptsetup is usually used directly on a block device (disk partition or LVM volume).
+However, if the device argument is a file, cryptsetup tries to allocate a loopback device and map it into this file.
+Of course, you can always map a file to a loop device manually.
+See the cryptsetup FAQ for an example.
 
-When device mapping is active, you can see the loop backing file in the
-status command output. Also see losetup(8).
+When device mapping is active, you can see the loop backing file in the status command output.
+Also see losetup(8).
 
 === LUKS2 header locking
 
-The LUKS2 on-disk metadata is updated in several steps and to achieve
-proper atomic update, there is a locking mechanism. For an image in
-file, code uses *flock(2)* system call. For a block device, lock is
-performed over a special file stored in a locking directory (by default
-*/run/cryptsetup*). The locking directory should be created with the
-proper security context by the distribution during the boot-up phase.
-Only LUKS2 uses locks, other formats do not use this mechanism.
+The LUKS2 on-disk metadata is updated in several steps, and to achieve a proper atomic update, there is a locking mechanism.
+For an image in a file, the code uses the *flock*(2) system call.
+For a block device, lock is performed over a special file stored in a locking directory (by default */run/cryptsetup*).
+The locking directory should be created with the proper security context by the distribution during the boot-up phase.
+Only LUKS2 uses locks; other formats do not use this mechanism.
 
 === LUKS on-disk format specification
 
-For LUKS on-disk metadata specification see
-https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification[*LUKS1*] and
-https://gitlab.com/cryptsetup/LUKS2-docs[*LUKS2*].
+For LUKS on-disk metadata specification, see https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification[LUKS1] and https://gitlab.com/cryptsetup/LUKS2-docs[LUKS2].
 
 == AUTHORS
 
-Cryptsetup is originally written by mailto:jana@saout.de[Jana Saout]. +
-The LUKS extensions and original man page were written by
-mailto:clemens@endorphin.org[Clemens Fruhwirth]. +
-Man page extensions by mailto:gmazyland@gmail.com[Milan Broz]. +
+Cryptsetup was originally written by mailto:jana@saout.de[Jana Saout].
+The LUKS extensions and original man page were written by mailto:clemens@endorphin.org[Clemens Fruhwirth].
+Man page extensions by mailto:gmazyland@gmail.com[Milan Broz].
 Man page rewrite and extension by mailto:arno@wagner.name[Arno Wagner].
 
 include::man/common_footer.adoc[]
diff --git a/man/integritysetup.8.adoc b/man/integritysetup.8.adoc
index 26b957c..95842bb 100644
--- a/man/integritysetup.8.adoc
+++ b/man/integritysetup.8.adoc
@@ -6,7 +6,7 @@
 
 == NAME
 
-integritysetup - manage dm-integrity (block level integrity) volumes
+integritysetup - utility for configuring and managing dm-integrity devices
 
 == SYNOPSIS
 
@@ -14,14 +14,15 @@ integritysetup - manage dm-integrity (block level integrity) volumes
 
 == DESCRIPTION
 
-Integritysetup is used to configure dm-integrity managed device-mapper
-mappings.
+*Integritysetup* is a utility for configuring and managing kernel dm-integrity devices.
 
-Device-mapper integrity target provides read-write transparent integrity
-checking of block devices. The dm-integrity target emulates an additional
-data integrity field per-sector. You can use this additional field
-directly with integritysetup utility, or indirectly (for authenticated
-encryption) through cryptsetup.
+Kernel device-mapper *dm-integrity* target emulates an additional data integrity tag per disk sector and provides transparent data integrity protection of block devices.
+
+You can configure these additional integrity tags directly with *integritysetup*, or indirectly (for authenticated encryption) through *LUKS2* and *cryptsetup*(8).
+Unlike *dm-verity*, *dm-integrity* devices support both read and write operations.
+The kernel performs data integrity checking transparently using a selected checksum or cryptographic hash algorithm.
+
+Integrity devices can be activated during boot through *integritytab*(5), which is part of *systemd*(1).
 
 == BASIC ACTIONS
 
@@ -30,38 +31,28 @@ Integritysetup supports these operations:
 === FORMAT
 *format <device>*
 
-Formats <device> (calculates space and dm-integrity superblock and wipes
-the device).
+Formats <device> (calculates space and dm-integrity superblock and wipes the device).
 
-*<options>* can be [--data-device, --batch-mode, --no-wipe,
---journal-size, --interleave-sectors, --tag-size, --integrity,
---integrity-key-size, --integrity-key-file, --sector-size,
---progress-frequency, --progress-json].
+*<options>* can be [--data-device, --batch-mode, --no-wipe, --journal-size, --interleave-sectors, --tag-size, --integrity, --integrity-key-size, --integrity-key-file, --sector-size, --progress-frequency, --progress-json].
 
 === OPEN
 *open <device> <name>* +
-create <name> <device> (*OBSOLETE syntax*)
+create <name> <device> (OBSOLETE syntax)
 
 Open a mapping with <name> backed by device <device>.
 
-If the integrity algorithm of the device is non-default,
-then the algorithm should be specified with the *--integrity* option.
+If the integrity algorithm of the device is non-default, then the algorithm should be specified with the --integrity option.
 This will not be detected from the device.
 
-*<options>* can be [--data-device, --batch-mode, --journal-watermark,
---journal-commit-time, --buffer-sectors, --integrity,
---integrity-key-size, --integrity-key-file, --integrity-no-journal,
---integrity-recalculate,
---integrity-recalculate-reset,--integrity-recovery-mode,
---allow-discards].
+*<options>* can be [--data-device, --batch-mode, --journal-watermark, --journal-commit-time, --buffer-sectors, --integrity, --integrity-key-size, --integrity-key-file, --integrity-no-journal, --integrity-recalculate, --integrity-recalculate-reset,--integrity-recovery-mode, --allow-discards].
 
 === CLOSE
 *close <name>* +
-remove <name> (*OBSOLETE syntax*)
+remove <name> (OBSOLETE syntax)
 
 Removes existing mapping <name>.
 
-*<options>* can be [--deferred] or [--cancel-deferred]
+*<options>* can be [--deferred] or [--cancel-deferred].
 
 === STATUS
 *status <name>*
@@ -71,165 +62,163 @@ Reports status for the active integrity mapping <name>.
 === DUMP
 *dump <device>*
 
-Reports parameters from on-disk stored superblock.
+Report parameters from the on-disk stored superblock.
 
 === RESIZE
 *resize <name>*
 
 Resizes an active mapping <name>.
 
-If --size (in 512-bytes sectors) or --device-size are not specified, the
-size is computed from the underlying device. After resize, the
-*recalculating* flag is set. If --wipe flag is set and the size of the
-device is increased, the newly added section will be wiped.
+If --size (in 512-byte sectors) or --device-size is not specified, the size is computed from the underlying device.
+After resize, the *recalculating* flag is set.
+If --wipe flag is set and the size of the device is increased, the newly added section will be wiped.
 
-Increasing the size of integrity volumes is available since the Linux
-kernel version 5.7, shrinking should work on older kernels too.
+Increasing the size of integrity volumes has been possible since the Linux kernel version 5.7; shrinking should work on older kernels, too.
 
 *<options>* can be [--size, --device-size, --wipe].
 
 == OPTIONS
 *--allow-discards*::
-Allow the use of discard (TRIM) requests for the device. This option
-is available since the Linux kernel version 5.7.
+Allow the use of discard (TRIM) requests for the device.
+This option is available since the Linux kernel version 5.7.
 
-*--batch-mode, -q*::
+*--batch-mode*, *-q*::
 Do not ask for confirmation.
 
-*--bitmap-flush-time MS*::
+*--bitmap-flush-time* _ms_::
 Bitmap flush time in milliseconds.
 +
 *WARNING:*
-In case of a crash, it is possible that the data and integrity tag
-doesn't match if the journal is disabled.
+In case of a crash, it is possible that the data and integrity tag don't match if the journal is disabled.
 
-*--bitmap-sectors-per-bit SECTORS*::
-Number of 512-byte sectors per bitmap bit, the value must be power of
-two.
+*--bitmap-sectors-per-bit* _sectors_::
+The number of 512-byte sectors per bitmap bit must be a power of two.
 
-*--buffer-sectors SECTORS*::
+*--buffer-sectors* _sectors_::
 The number of sectors in one buffer.
 +
-The tag area is accessed using buffers, the large buffer size means that
-the I/O size will be larger, but there could be less I/Os issued.
+The tag area is accessed using buffers; the large buffer size means the I/O size will be larger, but there could be less I/Os issued.
 
 *--cancel-deferred*::
-Removes a previously configured deferred device removal in *close*
-command.
+Removes a previously configured deferred device removal in the *close* command.
 
-*--data-device <data_device>*::
-Specify a separate data device that contains existing data. The
-<device> then will contain calculated integrity tags and journal for
-data on <data_device>.
+*--data-device* _<data_device>_::
+Specify a separate data device that contains existing data.
+The <device> will then contain calculated integrity tags and a journal for data on <data_device>.
 +
-*NOTE:* To not wipe the data device after initial format, also specify
---no-wipe option and activate with --integrity-recalculate to
-automatically recalculate integrity tags.
+To not wipe the data device after initial format, also specify --no-wipe option and activate with --integrity-recalculate to recalculate integrity tags automatically.
 
 *--debug*::
-Run in debug mode with full diagnostic logs. Debug output lines are
-always prefixed by *#*.
+Run in debug mode with full diagnostic logs.
+Debug output lines are always prefixed by *#*.
 
 *--deferred*::
-Defers device removal in *close* command until the last user closes
-it.
+Defers device removal in the *close* command until the last user closes it.
 
-*--help, -?*::
+*--help*, *-?*::
 Show help text and default parameters.
 
-*--integrity, -I ALGORITHM*::
-Use internal integrity calculation (standalone mode). The integrity
-algorithm can be CRC (crc32c/crc32), non-cryptographic hash function
-(xxhash64) or hash function (sha1, sha256).
+*--integrity*, *-I* _algorithm_::
+Use internal integrity calculation (standalone mode).
+The integrity algorithm can be CRC (crc32c/crc32), a non-cryptographic hash function (xxhash64) or a hash function (sha1, sha256).
++
+For HMAC (hmac-sha256), you must specify an integrity key and its size.
+
+*--integrity-bitmap-mode*, *-B*::
+Use alternate bitmap mode (available since Linux kernel 5.2), where dm-integrity uses a bitmap instead of a journal.
+If a bit in the bitmap is 1, the corresponding region's data and integrity tags are not synchronized - if the machine crashes, the unsynchronized regions will be recalculated.
+The bitmap mode is faster than the journal mode because we don't have to write the data twice.
+However, it is also less reliable because if data corruption happens when the machine crashes, it may not be detected.
+
+*--integrity-inline*::
+Store integrity tags in hardware sector integrity fields.
+The device must support sectors with additional protection information (PI, also known as DIF - data integrity field) of the requested size.
+Another storage subsystem must not use the additional field (the device must present a "nop" profile in the kernel).
+Note that some devices must be reformatted at a low level to support this option; for NVMe devices, see nvme(1) id-ns LBA profiles.
 +
-For HMAC (hmac-sha256) you have also to specify an integrity key and its
-size.
-
-*--integrity-bitmap-mode. -B*::
-Use alternate bitmap mode (available since Linux kernel 5.2) where
-dm-integrity uses bitmap instead of a journal. If a bit in the bitmap
-is 1, the corresponding region's data and integrity tags are not
-synchronized - if the machine crashes, the unsynchronized regions will
-be recalculated. The bitmap mode is faster than the journal mode,
-because we don't have to write the data twice, but it is also less
-reliable, because if data corruption happens when the machine crashes,
-it may not be detected.
-
-*--integrity-key-file FILE*::
+No journal or bitmap is used in this mode.
+The device should operate with native speed (without any overhead).
++
+This option is available since the Linux kernel version 6.11.
+
+*--integrity-key-file* _file_::
 The file with the integrity key.
 
-*--integrity-key-size BYTES*::
-The size of the data integrity key. Maximum is 4096 bytes.
+*--integrity-key-size* _bytes_::
+The size of the data integrity key.
+Maximum is 4096 bytes.
 
-*--integrity-no-journal, -D*::
-Disable journal for integrity device.
+*--integrity-no-journal*, *-D*::
+Disable the journal for the integrity device.
 
 *--integrity-recalculate*::
-Automatically recalculate integrity tags in kernel on activation. The
-device can be used during automatic integrity recalculation but
-becomes fully integrity protected only after the background operation
-is finished. This option is available since the Linux kernel version
-4.19.
+Automatically recalculate integrity tags in the kernel on activation.
+The device can be used during automatic integrity recalculation, but becomes fully integrity protected only after the background operation is finished.
++
+The primary intended use case is to skip initialization (wiping) of the data device after the initial format (see --no-wipe option).
+This parameter can be used for activation, then the kernel will recalculate integrity tags in the background.
+The integrity superblock contains a device offset that indicates the boundary to which the integrity tags are already updated.
+You can check this offset with the dump command.
 
 *--integrity-recalculate-reset*::
-Restart recalculation from the beginning of the device. It can be used
-to change the integrity checksum function. Note it does not change the
-tag length. This option is available since the Linux kernel version
-5.13.
+Restart recalculation from the beginning of the device.
+It can be used to change the integrity checksum function.
+Note, it does not change the tag length.
+This option is available since the Linux kernel version 5.13.
 
-*--integrity-recovery-mode. -R*::
+*--integrity-recovery-mode*, *-R*::
 Recovery mode (no journal, no tag checking).
 
-*--interleave-sectors SECTORS*::
+*--interleave-sectors* _sectors_::
 The number of interleaved sectors.
 
-*--journal-commit-time MS*::
-Commit time in milliseconds. When this time passes (and no explicit
-flush operation was issued), the journal is written.
+*--journal-commit-time* _ms_::
+Commit time in milliseconds.
+The journal is written when this time passes (and no explicit flush operation was issued).
 
-*--journal-crypt ALGORITHM*::
-Encryption algorithm for journal data area. You can use a block cipher
-here such as cbc-aes or a stream cipher, for example, chacha20 or
-ctr-aes.
+*--journal-crypt* _algorithm_::
+Encryption algorithm for the journal data area.
+You can use a block cipher here, such as cbc-aes or a stream cipher, for example, chacha20 or ctr-aes.
 +
-*NOTE:* The journal encryption options are only intended for testing.
+The journal encryption options are only intended for testing.
 Using journal encryption does not make sense without encryption of the data.
 
-*--journal-crypt-key-file FILE*::
+*--journal-crypt-key-file* _file_::
 The file with the journal encryption key.
 
-*--journal-crypt-key-size BYTES*::
-The size of the journal encryption key. Maximum is 4096 bytes.
+*--journal-crypt-key-size* _bytes_::
+The size of the journal encryption key.
+Maximum is 4096 bytes.
 
-*--journal-integrity ALGORITHM*::
-Integrity algorithm for journal area. See --integrity option for
-detailed specification.
+*--journal-integrity* _algorithm_::
+Integrity algorithm for the journal area.
+See --integrity option for detailed specification.
 
-*--journal-integrity-key-file FILE*::
+*--journal-integrity-key-file* _file_::
 The file with the integrity key.
 
-*--journal-integrity-key-size BYTES*::
-The size of the journal integrity key. Maximum is 4096 bytes.
+*--journal-integrity-key-size* _bytes_::
+The size of the journal integrity key.
+Maximum is 4096 bytes.
 
-*--journal-size, -j BYTES*::
+*--journal-size*, *-j* _bytes_::
 Size of the journal.
 
-*--journal-watermark PERCENT*::
-Journal watermark in percents. When the size of the journal exceeds
-this watermark, the journal flush will be started.
+*--journal-watermark* _percent_::
+Journal watermark in percent.
+When the journal size exceeds this watermark, the journal flush will be started.
 
 *--no-wipe*::
-Do not wipe the device after format. A device that is not initially
-wiped will contain invalid checksums.
+Do not wipe the device after formatting.
+A device that is not initially wiped will contain invalid checksums.
 
-*--progress-frequency <seconds>*::
-Print separate line every <seconds> with wipe progress.
+*--progress-frequency* _seconds_::
+Print a separate line every <seconds> with wipe progress.
 
 *--progress-json*::
-Prints wipe progress data in json format suitable mostly for machine
-processing. It prints separate line every half second (or based on
---progress-frequency value). The JSON output looks as follows during
-wipe progress (except it's compact single line):
+Prints wipe progress data in JSON format, which is suitable mostly for machine processing.
+It prints a separate line every half second (or based on --progress-frequency value).
+The JSON output looks as follows during wipe progress (except it's a compact single line):
 +
 ....
 {
@@ -242,39 +231,32 @@ wipe progress (except it's compact single line):
 }
 ....
 +
-Note on numbers in JSON output: Due to JSON parsers limitations all
-numbers are represented in a string format due to need of full 64bit
-unsigned integers.
+Note on numbers in JSON output: Due to JSON parsers' limitations, all numbers are represented in a string format due to the need for full 64-bit unsigned integers.
 
-*--sector-size, -s BYTES*::
+*--sector-size*, *-s* _bytes_::
 Sector size (power of two: 512, 1024, 2048, 4096).
 
-*--tag-size, -t BYTES*::
-Size of the integrity tag per-sector (here the integrity function will
-store authentication tag).
+*--tag-size*, *-t* _bytes_::
+Size of the integrity tag per-sector (here, the integrity function will store the authentication tag).
 +
-*NOTE:* The size can be smaller that output size of the hash function,
-in that case only part of the hash will be stored.
+The size can be smaller than the output size of the hash function; in that case, only part of the hash will be stored.
 
 *--usage*::
 Show short option help.
 
-*--verbose, -v*::
+*--verbose*, *-v*::
 Print more information on command execution.
 
-*--version, -V*::
+*--version*, *-V*::
 Show the program version.
 
 *--wipe*::
-Wipe the newly allocated area after resize to bigger size. If this
-flag is not set, checksums will be calculated for the data previously
-stored in the newly allocated area.
+Wipe the newly allocated area after resizing to a bigger size.
+If this flag is not set, checksums will be calculated for previously stored data in the newly allocated area.
 
 == LEGACY COMPATIBILITY OPTIONS
 
-*WARNING:*::
-Do not use these options until you need compatibility with specific
-old kernel.
+Do not use these options until you need compatibility with a specific old kernel.
 
 *--integrity-legacy-padding*::
 Use inefficient legacy padding.
@@ -283,22 +265,17 @@ Use inefficient legacy padding.
 Use old flawed HMAC calculation (also does not protect superblock).
 
 *--integrity-legacy-recalculate*::
-Allow insecure recalculating of volumes with HMAC keys (recalculation
-offset in superblock is not protected).
+Allow insecure recalculating of volumes with HMAC keys (recalculation offset in superblock is not protected).
 
 == RETURN CODES
 
 Integritysetup returns *0* on success and a non-zero value on error.
 
-Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory,
-*4* wrong device specified, *5* device already exists or device is busy.
+Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
 
 == NOTES
-The dm-integrity target is available since Linux kernel version 4.12.
 
-Format and activation of an integrity device always require superuser
-privilege because the superblock is calculated and handled in
-dm-integrity kernel target.
+Format and activation of an integrity device always require superuser privilege because the superblock is calculated and handled in the dm-integrity kernel target.
 
 == EXAMPLES
 
@@ -312,13 +289,11 @@ Open the device with default parameters:
 
 Format the device in standalone mode for use with HMAC(SHA256):
 
-*integritysetup format <device> --tag-size 32 --integrity hmac-sha256
---integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
+*integritysetup format <device> --tag-size 32 --integrity hmac-sha256 --integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
 
 Open (activate) the device with HMAC(SHA256) and HMAC key in file:
 
-*integritysetup open <device> test --integrity hmac-sha256
---integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
+*integritysetup open <device> test --integrity hmac-sha256 --integrity-key-file <keyfile> --integrity-key-size <key_bytes>*
 
 Dump dm-integrity superblock information:
 
@@ -326,8 +301,7 @@ Dump dm-integrity superblock information:
 
 == DM-INTEGRITY ON-DISK FORMAT
 
-The on-disk format specification available at
-https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[*DMIntegrity*] page.
+The on-disk format specification is available on the https://gitlab.com/cryptsetup/cryptsetup/wikis/DMIntegrity[DMIntegrity] page.
 
 == AUTHORS
 
diff --git a/man/meson.build b/man/meson.build
index 5013093..74df0b3 100644
--- a/man/meson.build
+++ b/man/meson.build
@@ -23,6 +23,7 @@ cryptsetup_manpages = [
             'cryptsetup-loopaesOpen.8',
             'cryptsetup-tcryptOpen.8',
             'cryptsetup-bitlkOpen.8',
+            'cryptsetup-fvault2Open.8',
         ],
     ],
     [
diff --git a/man/veritysetup.8.adoc b/man/veritysetup.8.adoc
index 3b7618a..4028c67 100644
--- a/man/veritysetup.8.adoc
+++ b/man/veritysetup.8.adoc
@@ -6,7 +6,7 @@
 
 == NAME
 
-veritysetup - manage dm-verity (block level verification) volumes
+veritysetup - utility for configuring and managing dm-verity devices
 
 == SYNOPSIS
 
@@ -14,13 +14,15 @@ veritysetup - manage dm-verity (block level verification) volumes
 
 == DESCRIPTION
 
-Veritysetup is used to configure dm-verity managed device-mapper
-mappings.
+*Veritysetup* is a utility for configuring and managing kernel *dm-verity* devices.
 
-Device-mapper verity target provides read-only transparent integrity
-checking of block devices using kernel crypto API.
+Kernel device-mapper *dm-verity* target provides read-only transparent data integrity protection of block devices.
 
-The dm-verity devices are always read-only.
+When you configure the *dm-verity* device, veritysetup creates a new mapping that applications can access like any regular storage device.
+The kernel performs the verification transparently by comparing each block against pre-computed cryptographic hashes.
+The verification uses a Merkle tree and happens transparently at the kernel level without affecting applications.
+
+Verity devices can be activated during boot through *veritytab*(5), which is part of *systemd*(1).
 
 == BASIC ACTIONS
 
@@ -29,69 +31,55 @@ Veritysetup supports these operations:
 === FORMAT
 *format <data_device> <hash_device>*
 
-Calculates and permanently stores hash verification data for
-data_device. Hash area can be located on the same device after data if
-specified by --hash-offset option.
+Calculates and permanently stores hash verification data for the data_device.
+Hash area can be located on the same device after data, if specified by --hash-offset option.
 
-Note you need to provide root hash string for device verification or
-activation. Root hash must be trusted.
+You need to provide the root hash string for device verification or activation.
+Root hash must be trusted.
 
-The data or hash device argument can be block device or file image. If
-hash device path doesn't exist, it will be created as file.
+The data or hash device argument can be a block device or a file image.
+If the hash device path doesn't exist, it will be created as a file.
 
-*<options>* can be [--hash, --no-superblock, --format,
---data-block-size, --hash-block-size, --data-blocks, --hash-offset,
---salt, --uuid, --root-hash-file].
+*<options>* can be [--hash, --no-superblock, --format, --data-block-size, --hash-block-size, --data-blocks, --hash-offset, --salt, --uuid, --root-hash-file].
 
-If option --root-hash-file is used, the root hash is stored in
-hex-encoded text format in <path>.
+If option --root-hash-file is used, the root hash is stored in hex-encoded text format in <path>.
 
 === OPEN
 *open <data_device> <name> <hash_device> <root_hash>* +
 *open <data_device> <name> <hash_device> --root-hash-file <path>* +
-create <name> <data_device> <hash_device> <root_hash> (*OBSOLETE syntax*)
+create <name> <data_device> <hash_device> <root_hash> (OBSOLETE syntax)
 
-Creates a mapping with <name> backed by device <data_device> and using
-<hash_device> for in-kernel verification.
+Creates a mapping with <name> backed by device <data_device> and using <hash_device> for in-kernel verification.
 
 The <root_hash> is a hexadecimal string.
 
-*<options>* can be [--hash-offset, --no-superblock, --ignore-corruption
-or --restart-on-corruption, --panic-on-corruption, --ignore-zero-blocks,
---check-at-most-once, --root-hash-signature, --root-hash-file, --use-tasklets,
---shared].
+*<options>* can be [--hash-offset, --no-superblock, --ignore-corruption or --restart-on-corruption, --panic-on-corruption, --ignore-zero-blocks, --check-at-most-once, --root-hash-signature, --root-hash-file, --use-tasklets, --shared].
 
-If option --root-hash-file is used, the root hash is read from <path>
-instead of from the command line parameter. Expects hex-encoded text,
-without terminating newline.
+If option --root-hash-file is used, the root hash is read from <path> instead of the command line parameter.
+Expects hex-encoded text, without a terminating newline.
 
-If option --no-superblock is used, you have to use as the same options
-as in initial format operation.
+If --no-superblock is used, you must use the same options as in the initial format operation.
 
 === VERIFY
 *verify <data_device> <hash_device> <root_hash>* +
 *verify <data_device> <hash_device> --root-hash-file <path>*
 
-Verifies data on data_device with use of hash blocks stored on
-hash_device.
+Verifies data on data_device using hash blocks stored on hash_device.
 
-This command performs userspace verification, no kernel device is
-created.
+This command performs userspace verification; no kernel device is created.
 
 The <root_hash> is a hexadecimal string.
 
-If option --root-hash-file is used, the root hash is read from <path>
-instead of from the command line parameter. Expects hex-encoded text,
-without terminating newline.
+If option --root-hash-file is used, the root hash is read from <path> instead of the command line parameter.
+Expects hex-encoded text, without a terminating newline.
 
 *<options>* can be [--hash-offset, --no-superblock, --root-hash-file].
 
-If option --no-superblock is used, you have to use as the same options
-as in initial format operation.
+If --no-superblock is used, you must use the same options as in the initial format operation.
 
 === CLOSE
 *close <name>* +
-remove <name> (*OBSOLETE syntax*)
+remove <name> (OBSOLETE syntax)
 
 Removes existing mapping <name>.
 
@@ -105,212 +93,187 @@ Reports status for the active verity mapping <name>.
 === DUMP
 *dump <hash_device>*
 
-Reports parameters of verity device from on-disk stored superblock.
+Report parameters of the verity device from the on-disk stored superblock.
 
 *<options>* can be [--hash-offset].
 
 == OPTIONS
-*--batch-mode, -q*::
+*--batch-mode*, *-q*::
 Do not ask for confirmation.
 
 *--cancel-deferred*::
-Removes a previously configured deferred device removal in *close*
-command.
+Cancels a previously configured deferred device removal in the *close* command.
 
 *--check-at-most-once*::
-Instruct kernel to verify blocks only the first time they are read
-from the data device, rather than every time.
+Instruct the kernel to verify blocks only once they are read from the data device, rather than every time.
 +
-*WARNING:* It provides a reduced level of security because only offline
-tampering of the data device's content will be detected, not online
-tampering. This option is available since Linux kernel version 4.17.
+*WARNING:* It provides a reduced level of security because only offline tampering of the data device's content will be detected, not online tampering.
 
-*--data-blocks=blocks*::
-Size of data device used in verification. If not specified, the whole
-device is used.
+*--data-blocks* _blocks_::
+Size of the data device used in verification.
+If not specified, the whole device is used.
 
-*--data-block-size=bytes*::
-Used block size for the data device. (Note kernel supports only
-page-size as maximum here.)
+*--data-block-size* _bytes_::
+Used block size for the data device.
+Maximum is the page size used by the kernel.
 
 *--debug*::
-Run in debug mode with full diagnostic logs. Debug output lines are
-always prefixed by *#*.
+Run in debug mode with full diagnostic logs.
+Debug output lines are always prefixed by *#*.
 
 *--deferred*::
-Defers device removal in *close* command until the last user closes
-it.
+Defers device removal in the *close* command until the last user closes it.
+
+*--error-as-corruption*::
+Handle device I/O errors the same as data corruption.
+This option must be combined with --restart-on-corruption or --panic-on-corruption.
 
-*--fec-device=fec_device*::
-Use forward error correction (FEC) to recover from corruption if hash
-verification fails. Use encoding data from the specified device.
+*--fec-device* _device_::
+Use forward error correction (FEC) to recover from corruption if hash verification fails.
+Use encoding data from the specified device.
 +
-The fec device argument can be block device or file image. For format,
-if fec device path doesn't exist, it will be created as file.
+The FEC device argument can be a block device or a file image.
+For format, if the FEC device path doesn't exist, it will be created as a file.
 +
-Block sizes for data and hash devices must match. Also, if the verity
-data_device is encrypted the fec_device should be too.
+Block sizes for data and hash devices must match.
+Also, if the verity data_device is encrypted, the fec_device should be too.
 +
-FEC calculation covers data, hash area, and optional foreign metadata
-stored on the same device with the hash tree (additional space after
-hash area). Size of this optional additional area protected by FEC is
-calculated from image sizes, so you must be sure that you use the same
-images for activation.
+FEC calculation covers data, hash area, and optional foreign metadata stored on the same device as the hash tree (additional space after the hash area).
+The size of this optional additional area protected by FEC is calculated from image sizes, so you must use the same images for activation.
 +
-If the hash device is in a separate image, metadata covers the whole
-rest of the image after the hash area.
+If the hash device is in a separate image, metadata covers the entire image after the hash area.
 +
-If hash and FEC device is in the image, metadata ends on the FEC area
-offset.
+The metadata ends on the FEC area offset if the hash and FEC device are in the image.
 
-*--fec-offset=bytes*::
-This is the offset, in bytes, from the start of the FEC device to the
-beginning of the encoding data.
+*--fec-offset* _bytes_::
+This is the offset, in bytes, from the start of the FEC device to the beginning of the encoding data.
 
-*--fec-roots=num*::
-Number of generator roots. This equals to the number of parity bytes
-in the encoding data. In RS(M, N) encoding, the number of roots is
-M-N. M is 255 and M-N is between 2 and 24 (including).
+*--fec-roots* _number_::
+Number of generator roots.
+This equals the number of parity bytes in the encoding data.
+In RS(M, N) encoding, the number of roots is M-N.
+M is 255, and M-N is between 2 and 24 (including).
 
-*--format=number*::
-Specifies the hash version type. Format type 0 is original Chrome OS
-version. Format type 1 is current version.
+*--format* _number_::
+Specifies the hash version type.
+Format type 0 is the original Chrome OS version.
+Format type 1 is the current version.
 
-*--hash=hash*::
-Hash algorithm for dm-verity. For default see --help option.
+*--hash* _hash_::
+Hash algorithm for dm-verity.
+For default, see --help option.
 
-*--hash-block-size=bytes*::
-Used block size for the hash device. (Note kernel supports only
-page-size as maximum here.)
+*--hash-block-size* _bytes_::
+Used block size for the hash device.
+Maximum is the page size used by the kernel.
 
-*--hash-offset=bytes*::
-Offset of hash area/superblock on hash_device. Value must be aligned
-to disk sector offset.
+*--hash-offset* _bytes_::
+Offset of hash area/superblock on hash_device.
+Value must be aligned with the disk sector offset.
 
-*--help, -?*::
+*--help*, *-?*::
 Show help text and default parameters.
 
-*--ignore-corruption, --restart-on-corruption, --panic-on-corruption*::
-Defines what to do if data integrity problem is detected (data
-corruption).
+*--ignore-corruption*, *--restart-on-corruption*, *--panic-on-corruption*::
+Defines what to do if a data integrity problem (data corruption) is detected.
 +
-Without these options kernel fails the IO operation with I/O error. With
---ignore-corruption option the corruption is only logged. With
---restart-on-corruption or --panic-on-corruption the kernel is restarted
-(panicked) immediately. (You have to provide way how to avoid restart
-loops.)
+Without these options, the kernel fails the I/O operation with an I/O error.
+With --ignore-corruption option, the corruption is only logged.
+With --restart-on-corruption or --panic-on-corruption, the kernel is restarted (panicked) immediately.
+(You have to provide a way to avoid restart loops.)
 +
-*WARNING:* Use these options only for very specific cases. These options
-are available since Linux kernel version 4.1.
+Use these options only for very specific cases.
 
 *--ignore-zero-blocks*::
-Instruct kernel to not verify blocks that are expected to contain
-zeroes and always directly return zeroes instead.
+Instruct the kernel not to verify blocks expected to contain zeroes and always directly return zeroes instead.
 +
-*WARNING:* Use this option only in very specific cases. This option is
-available since Linux kernel version 4.5.
+Use this option only in very specific cases.
 
 *--no-superblock*::
-Create or use dm-verity without permanent on-disk superblock.
+Create or use dm-verity without a permanent on-disk superblock.
 
-*--root-hash-file=FILE*::
+*--root-hash-file* _file_*::
 Path to file with stored root hash in hex-encoded text.
 
-*--root-hash-signature=FILE*::
-Path to root hash signature file used to verify the root hash (in
-kernel). This feature requires Linux kernel version 5.4 or more
-recent.
+*--root-hash-signature* _file_*::
+A path to the root hash signature file used to verify the root hash (in kernel).
+This feature requires a Linux kernel version 5.4 or more recent.
 
 *--salt=hex string*::
-Salt used for format or verification. Format is a hexadecimal string.
+Salt used for formatting or verification.
+Format is a hexadecimal string.
 
 *--shared*::
-Allows data device to be used in shared mode. The data device is not checked
-for exclusive access in-before the device activation and may be mapped in multiple
-verity mappings.
+Allows the data device to be used in shared mode.
+The data device is not checked for exclusive access before the device activation and may be mapped in multiple verity mappings.
 
 *--usage*::
 Show short option help.
 
 *--use-tasklets*::
-Try to use kernel tasklets in dm-verity driver for performance reasons.
+Try to use kernel tasklets in the dm-verity driver for performance reasons.
 This option is available since Linux kernel version 6.0.
 
-*--uuid=UUID*::
-Use the provided UUID for format command instead of generating new
-one.
+*--uuid* _UUID_::
+Use the provided UUID for the format command instead of generating a new one.
 +
-The UUID must be provided in standard UUID format, e.g.
-12345678-1234-1234-1234-123456789abc.
+The UUID must be provided in standard UUID format, e.g., 12345678-1234-1234-1234-123456789abc.
 
-*--verbose, -v*::
+*--verbose*, *-v*::
 Print more information on command execution.
 
-*--version, -V*::
+*--version*, *-V*::
 Show the program version.
 
 == RETURN CODES
 
 Veritysetup returns *0* on success and a non-zero value on error.
 
-Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory,
-*4* wrong device specified, *5* device already exists or device is busy.
+Error codes are: *1* wrong parameters, *2* no permission, *3* out of memory, *4* wrong device specified, *5* device already exists or device is busy.
 
 == EXAMPLES
 
 *veritysetup --data-blocks=256 format <data_device> <hash_device>*
 
-Calculates and stores verification data on hash_device for the first 256
-blocks (of block-size). If hash_device does not exist, it is created (as
-file image).
+Calculates and stores verification data on hash_device for the first 256 blocks (of block size).
+If hash_device does not exist, it is created (as a file image).
 
 *veritysetup format --root-hash-file <path> <data_device> <hash_device>*
 
-Calculates and stores verification data on hash_device for the whole
-data_device, and store the root hash as hex-encoded text in <path>.
+Calculates and stores verification data on hash_device for the whole data_device, and stores the root hash as hex-encoded text in <path>.
 
-*veritysetup --data-blocks=256 --hash-offset=1052672 format <device>
-<device>*
+*veritysetup --data-blocks=256 --hash-offset=1052672 format <device> <device>*
 
-Verification data (hashes) is stored on the same device as data
-(starting at hash-offset). Hash-offset must be greater than number of
-blocks in data-area.
+Verification data (hashes) is stored on the same device as data (starting at hash-offset).
+Hash offset must be greater than the number of blocks in the data area.
 
-*veritysetup --data-blocks=256 --hash-offset=1052672 create test-device
-<device> <device> <root_hash>*
+*veritysetup --data-blocks=256 --hash-offset=1052672 create test-device <device> <device> <root_hash>*
 
-Activates the verity device named test-device. Options --data-blocks and
---hash-offset are the same as in the format command. The <root_hash> was
-calculated in format command.
+Activates the verity device named test-device.
+Options --data-blocks and --hash-offset are the same as in the format command.
+The <root_hash> was calculated in the format command.
 
-*veritysetup --data-blocks=256 --hash-offset=1052672 verify
-<data_device> <hash_device> <root_hash>*
+*veritysetup --data-blocks=256 --hash-offset=1052672 verify <data_device> <hash_device> <root_hash>*
 
 Verifies device without activation (in userspace).
 
-*veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file
-<path> verify <data_device> <hash_device>*
+*veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file <path> verify <data_device> <hash_device>*
 
-Verifies device without activation (in userspace). Root hash passed via
-a file rather than inline.
+Verifies device without activation (in userspace).
+Root hash is passed via file rather than inline.
 
-*veritysetup --fec-device=<fec_device> --fec-roots=10 format
-<data_device> <hash_device>*
+*veritysetup --fec-device=<fec_device> --fec-roots=10 format <data_device> <hash_device>*
 
-Calculates and stores verification and encoding data for data_device.
+Calculates and stores verification and encoding data for the data_device.
 
 == DM-VERITY ON-DISK SPECIFICATION
 
-The on-disk format specification is available at
-https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity[*DMVerity*] page.
+The on-disk format specification is available on the https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity[DMVerity] page.
 
 == AUTHORS
 
-The first implementation of veritysetup was written by Chrome OS
-authors.
+The first implementation of veritysetup was written by Chrome OS authors.
 
-This version is based on verification code written by
-mailto:mpatocka@redhat.com[Mikulas Patocka] and rewritten for libcryptsetup
-by mailto:gmazyland@gmail.com[Milan Broz].
+This version is based on verification code written by mailto:mpatocka@redhat.com[Mikulas Patocka] and rewritten for libcryptsetup by mailto:gmazyland@gmail.com[Milan Broz].
 
 include::man/common_footer.adoc[]
diff --git a/meson.build b/meson.build
index f8b3c37..c238039 100644
--- a/meson.build
+++ b/meson.build
@@ -2,9 +2,9 @@ project('cryptsetup',
     'c',
     default_options: [ 'prefix=/usr' ],
     meson_version: '>=0.64',
-    version: '2.7.5')
+    version: '2.8.2')
 
-libcryptsetup_version = '12.10.0'
+libcryptsetup_version = '12.11.0'
 
 includes_root = include_directories('.')
 includes_lib = include_directories('lib')
@@ -31,7 +31,6 @@ default_string_options = [
     'default-luks1-cipher',
     'default-luks1-hash',
     'default-luks1-mode',
-    'default-luks2-external-tokens-path',
     'default-luks2-keyslot-cipher',
     'default-luks2-lock-path',
     'default-luks2-pbkdf',
@@ -98,6 +97,7 @@ required_headers = [
     'locale.h',
     'malloc.h',
     'stdint.h',
+    'sys/endian.h',
     'sys/ioctl.h',
     'sys/mman.h',
     'sys/statvfs.h',
@@ -555,6 +555,28 @@ elif get_option('crypto-backend') == 'nettle'
     assert(cc.has_function('nettle_pbkdf2_hmac_sha256',
             dependencies: crypto_backend_library),
         'You need Nettle library version 2.6 or more recent.')
+elif get_option('crypto-backend') == 'mbedtls'
+    if get_option('fips')
+        error('mbedtls crypto backend is not supported with FIPS enabled')
+    endif
+
+    assert(cc.has_header('mbedtls/version.h'),
+        'You need mbedTLS cryptographic library.')
+
+    mbedcrypto = cc.find_library('mbedcrypto',
+        static: enable_static)
+    assert(cc.has_function('mbedtls_md_init',
+            prefix: '#include <mbedtls/md.h>', dependencies: mbedcrypto),
+        'You need mbedcrypto library.')
+
+    conf.set10('HAVE_MBEDTLS_PKCS5_PBKDF2_HMAC_EXT',
+        cc.has_function('mbedtls_pkcs5_pbkdf2_hmac_ext',
+            prefix: '#include <mbedtls/pkcs5.h>', dependencies: mbedcrypto),
+        description: 'Define to 1 if you have the `mbedtls_pkcs5_pbkdf2_hmac_ext\' function.')
+
+    crypto_backend_library = mbedcrypto
+    use_internal_pbkdf2 = false
+    use_internal_argon2 = true
 endif
 conf.set10('USE_INTERNAL_PBKDF2', use_internal_pbkdf2)
 
@@ -675,6 +697,21 @@ if cc.links(
         description: 'Define to 1 to use __attribute__((symver))')
 endif
 
+# ==========================================================================
+# Check compiler support for zero_called_used_regs("used") function attribute
+if cc.links(
+        '''void _test_fn(void);
+
+        __attribute__((zero_call_used_regs("used"))) void _test_fn(void) {
+		volatile int *i; volatile int j = 0; if (j) *i = 0;
+        }
+        int main(void) { _test_fn(); return 0; }''',
+        args: ['-O0', '-Werror' ],
+        name: 'for zero_call_used_regs("used") attribute support')
+    conf.set10('HAVE_ATTRIBUTE_ZEROCALLUSEDREGS', true,
+        description: 'Define to 1 to use __attribute__((zero_call_used_regs("used")))')
+endif
+
 # ==========================================================================
 
 if get_option('dev-random')
@@ -689,7 +726,9 @@ if tmpfilesdir == ''
         method: 'pkg-config',
         required: false)
     if systemd.found()
-        tmpfilesdir = systemd.get_variable(pkgconfig: 'tmpfilesdir', default_value: '')
+        tmpfilesdir = systemd.get_variable('tmpfilesdir',
+                        pkgconfig_define: ['prefix', get_option('prefix')],
+                        default_value: '')
     endif
 endif
 
@@ -708,12 +747,12 @@ endif
 assert(get_option('default-luks2-lock-path').startswith('/'),
     'default-luks2-lock-path has to be an absolute path')
 
-luks2_external_tokens_path = get_option('default-luks2-external-tokens-path')
-if luks2_external_tokens_path == 'LIBDIR/cryptsetup'
+luks2_external_tokens_path = get_option('luks2-external-tokens-path')
+if luks2_external_tokens_path == ''
     luks2_external_tokens_path = join_paths(get_option('prefix'), get_option('libdir'), 'cryptsetup')
 endif
 assert(luks2_external_tokens_path.startswith('/'),
-    'default-luks2-external-tokens-path has to be an absolute path')
+    'luks2-external-tokens-path has to be an absolute path')
 conf.set_quoted('EXTERNAL_LUKS2_TOKENS_PATH', luks2_external_tokens_path,
     description: 'path to directory with LUKSv2 external token handlers (plugins)')
 
diff --git a/meson_options.txt b/meson_options.txt
index 63713c5..dba7f6e 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,7 +1,7 @@
 option('argon-implementation', type : 'combo', choices : ['none', 'internal', 'libargon2'], description : 'which implementation of Argon2 PBKDF shall be used (cryptsetup internal, external libargon2 (PHC) or disable Argon2 support)', value : 'internal')
 option('asciidoc', type : 'feature', description : 'generate man pages from asciidoc', value : 'enabled')
 option('blkid', type : 'boolean', description : 'use of blkid for device signature detection and wiping', value : true)
-option('crypto-backend', type : 'combo', choices : ['gcrypt', 'openssl', 'nss', 'kernel', 'nettle'], description : 'crypto backend', value : 'openssl')
+option('crypto-backend', type : 'combo', choices : ['gcrypt', 'openssl', 'nss', 'kernel', 'nettle', 'mbedtls'], description : 'crypto backend', value : 'openssl')
 option('cryptsetup', type : 'boolean', description : 'cryptsetup support', value : true)
 option('default-integrity-keyfile-size-maxkb', type : 'integer', description : 'maximum integritysetup keyfile size (in KiB)', value : 4)
 option('default-keyfile-size-maxkb', type : 'integer', description : 'maximum keyfile size (in KiB)', value : 8192)
@@ -12,7 +12,6 @@ option('default-luks1-hash', type : 'string', description : 'hash function for L
 option('default-luks1-iter-time', type : 'integer', description : 'PBKDF2 iteration time for LUKS1 (in ms)', value : 2000)
 option('default-luks1-keybits', type : 'integer', description : 'key length in bits for LUKS1', value : 256)
 option('default-luks1-mode', type : 'string', description : 'cipher mode for LUKS1', value : 'xts-plain64')
-option('default-luks2-external-tokens-path', type : 'string', description : 'path to directory with LUKSv2 external token handlers (plugins)', value : 'LIBDIR/cryptsetup')
 option('default-luks2-iter-time', type : 'integer', description : 'Argon2 PBKDF iteration time for LUKS2 (in ms)', value : 2000)
 option('default-luks2-keyslot-cipher', type : 'string', description : 'fallback cipher for LUKS2 keyslot (if data encryption is incompatible)', value : 'aes-xts-plain64')
 option('default-luks2-keyslot-keybits', type : 'integer', description : 'fallback key size for LUKS2 keyslot (if data encryption is incompatible)', value : 512)
@@ -45,6 +44,7 @@ option('integritysetup', type : 'boolean', description : 'integritysetup Support
 option('internal-sse-argon2', type : 'boolean', description : 'use internal SSE implementation of Argon2 PBKDF', value : false)
 option('kernel_crypto', type : 'boolean', description : 'kernel userspace crypto (no benchmark and tcrypt)', value : true)
 option('keyring', type : 'boolean', description : 'kernel keyring support and builtin kernel keyring token', value : true)
+option('luks2-external-tokens-path', type : 'string', description : 'path to directory with LUKSv2 external token handlers (plugins)')
 option('luks2-reencryption', type : 'boolean', description : 'LUKS2 online reencryption extension', value : true)
 option('luks_adjust_xts_keysize', type : 'boolean', description : 'XTS mode requires two keys, double default LUKS keysize if needed', value : true)
 option('nls', type : 'boolean', description : 'use Native Language Support', value : true)
diff --git a/misc/dict_search/crypt_dict.c b/misc/dict_search/crypt_dict.c
index b9c7508..1e68220 100644
--- a/misc/dict_search/crypt_dict.c
+++ b/misc/dict_search/crypt_dict.c
@@ -128,7 +128,7 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	/* run scan in separate processes, it is up to scheduler to assign CPUs inteligently */
+	/* run scan in separate processes, it is up to scheduler to assign CPUs intelligently */
 	for (i = 0; i < procs; i++)
 		check(cd, argv[3], i, procs);
 
diff --git a/misc/fedora/cryptsetup.spec b/misc/fedora/cryptsetup.spec
index 49d4c20..0067737 100644
--- a/misc/fedora/cryptsetup.spec
+++ b/misc/fedora/cryptsetup.spec
@@ -2,7 +2,7 @@
 
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.5
+Version: 2.8.2
 Release: 1%{?dist}
 License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 URL: https://gitlab.com/cryptsetup/cryptsetup
@@ -18,7 +18,7 @@ Obsoletes: %{name}-reencrypt <= %{version}
 Provides: %{name}-reencrypt = %{version}
 
 %global upstream_version %{version_no_tilde}
-Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
+Source0: https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-%{upstream_version}.tar.xz
 
 %description
 The cryptsetup package contains a utility for setting up
@@ -106,14 +106,14 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la
 %{_libdir}/pkgconfig/libcryptsetup.pc
 
 %files libs -f cryptsetup.lang
-%license COPYING COPYING.LGPL
+%license COPYING
 %{_libdir}/libcryptsetup.so.*
 %dir %{_libdir}/%{name}/
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %files ssh-token
-%license COPYING COPYING.LGPL
+%license COPYING
 %{_libdir}/%{name}/libcryptsetup-token-ssh.so
 %{_mandir}/man8/cryptsetup-ssh.8.gz
 %{_sbindir}/cryptsetup-ssh
diff --git a/misc/keyslot_checker/chk_luks_keyslots.c b/misc/keyslot_checker/chk_luks_keyslots.c
index 68916fb..fa73ded 100644
--- a/misc/keyslot_checker/chk_luks_keyslots.c
+++ b/misc/keyslot_checker/chk_luks_keyslots.c
@@ -161,7 +161,7 @@ static int check_keyslots(FILE *out, struct crypt_device *cd, int f_luks)
 	crypt_keyslot_info ki;
 	unsigned char buffer[sector_size];
 
-	for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1) ; i++) {
+	for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)) ; i++) {
 		fprintf(out, "- processing keyslot %d:", i);
 		ki = crypt_keyslot_status(cd, i);
 		if (ki == CRYPT_SLOT_INACTIVE) {
@@ -338,7 +338,7 @@ int main(int argc, char **argv)
 	 * This should also make sure a valid LUKS1 header is on disk
 	 * and hence we should be able to skip magic and version checks.
 	 */
-	res = crypt_load(cd, CRYPT_LUKS1, NULL);
+	res = crypt_load(cd, CRYPT_LUKS, NULL);
 	if (res < 0) {
 		fprintf(stderr, "crypt_load() failed. LUKS header too broken/absent?\n");
 		crypt_free(cd);
diff --git a/po/LINGUAS b/po/LINGUAS
index 1ad138e..541c4ce 100644
--- a/po/LINGUAS
+++ b/po/LINGUAS
@@ -13,6 +13,7 @@ pl
 pt_BR
 ro
 ru
+sk
 sr
 sv
 uk
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 7e22598..c10e35d 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -53,5 +53,7 @@ src/utils_reencrypt.c
 src/utils_reencrypt_luks1.c
 src/utils_blockdev.c
 src/utils_args.c
+src/utils_key_description.c
+src/utils_keyslot_check.c
 tokens/ssh/cryptsetup-ssh.c
 tokens/ssh/ssh-utils.c
diff --git a/po/cryptsetup.pot b/po/cryptsetup.pot
index 172163a..793dbbe 100644
--- a/po/cryptsetup.pot
+++ b/po/cryptsetup.pot
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.5\n"
+"Project-Id-Version: cryptsetup 2.8.2\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-09-02 22:57+0200\n"
+"POT-Creation-Date: 2025-12-18 16:52+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,70 +16,78 @@ msgstr ""
 "Content-Type: text/plain; charset=CHARSET\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr ""
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr ""
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr ""
 
-#: lib/libdevmapper.c:1563
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr ""
 
-#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1688 lib/libdevmapper.c:1791
-#: lib/libdevmapper.c:1794
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1697 lib/libdevmapper.c:1709
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1703
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1715
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1721
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1725
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1730
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr ""
 
-#: lib/libdevmapper.c:1737 lib/libdevmapper.c:1743
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1749 lib/libdevmapper.c:1797 lib/libdevmapper.c:1800
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1755
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:2791
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr ""
@@ -112,622 +120,645 @@ msgstr ""
 msgid "Error reading from RNG."
 msgstr ""
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr ""
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr ""
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr ""
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr ""
 
-#: lib/setup.c:305 lib/setup.c:2790 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr ""
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr ""
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr ""
 
-#: lib/setup.c:385 lib/setup.c:3985
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr ""
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr ""
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr ""
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr ""
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr ""
 
-#: lib/setup.c:607 lib/setup.c:3685
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr ""
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr ""
 
-#: lib/setup.c:746 lib/setup.c:3576 lib/setup.c:5364 lib/setup.c:5384
-#: lib/luks2/luks2_reencrypt.c:3857 lib/luks2/luks2_reencrypt.c:4319
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr ""
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr ""
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
 #: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr ""
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr ""
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr ""
 
-#: lib/setup.c:1592 lib/setup.c:3330 lib/setup.c:3412 lib/setup.c:3424
-#: lib/setup.c:3594 lib/setup.c:6008
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr ""
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr ""
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr ""
 
-#: lib/setup.c:1696 lib/setup.c:2693
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr ""
 
-#: lib/setup.c:1701 lib/setup.c:2698 lib/setup.c:2901
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1706 lib/setup.c:2703
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr ""
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3679
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr ""
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2369
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr ""
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr ""
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2375
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr ""
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid ""
 "WARNING: DAX device can corrupt data as it does not guarantee atomic sector "
 "updates.\n"
 msgstr ""
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2553
-#: lib/setup.c:2600 lib/setup.c:2913
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr ""
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid ""
 "Device %s is too small for activation, there is no remaining space for "
 "data.\n"
 msgstr ""
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr ""
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr ""
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr ""
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid ""
 "WARNING: The device activation will fail, dm-crypt is missing support for "
 "requested encryption sector size.\n"
 msgstr ""
 
-#: lib/setup.c:2147 lib/setup.c:2496 lib/setup.c:2556 lib/utils_device.c:908
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4379
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr ""
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2593 lib/setup.c:2639
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr ""
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2596 lib/setup.c:2642
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr ""
 
-#: lib/setup.c:2173 lib/setup.c:2613 lib/setup.c:2973
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr ""
 
-#: lib/setup.c:2191 lib/setup.c:2650
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr ""
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr ""
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr ""
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr ""
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr ""
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr ""
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr ""
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid ""
 "Requested data alignment does not satisfy locking range alignment "
 "requirements."
 msgstr ""
 
-#: lib/setup.c:2506
+#: lib/setup.c:2468
 #, c-format
 msgid ""
 "Compensating device size by %<PRIu64> sectors to align it with OPAL "
 "alignment granularity."
 msgstr ""
 
-#: lib/setup.c:2564 lib/setup.c:4082 lib/setup.c:4265 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr ""
 
-#: lib/setup.c:2574
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr ""
 
-#: lib/setup.c:2576
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr ""
 
-#: lib/setup.c:2646
+#: lib/setup.c:2622
 #, c-format
 msgid ""
 "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr ""
 
-#: lib/setup.c:2648
+#: lib/setup.c:2624
 msgid ""
 "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for "
 "recovery."
 msgstr ""
 
-#: lib/setup.c:2668
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr ""
 
-#: lib/setup.c:2688
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr ""
 
-#: lib/setup.c:2733
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr ""
 
-#: lib/setup.c:2744 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr ""
 
-#: lib/setup.c:2750 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr ""
 
-#: lib/setup.c:2755 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr ""
 
-#: lib/setup.c:2760
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr ""
 
-#: lib/setup.c:2784
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr ""
 
-#: lib/setup.c:2809
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr ""
 
-#: lib/setup.c:2816
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr ""
 
-#: lib/setup.c:2952
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr ""
+
+#: lib/setup.c:2935
 #, c-format
 msgid ""
 "WARNING: Requested tag size %d bytes differs from %s size output (%d "
 "bytes).\n"
 msgstr ""
 
-#: lib/setup.c:3031
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
+msgid "Unknown or unsupported device type %s requested."
 msgstr ""
 
-#: lib/setup.c:3338 lib/setup.c:3417 lib/setup.c:3430
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr ""
+
+#: lib/setup.c:3070
+#, c-format
+msgid ""
+"Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by "
+"device %s."
+msgstr ""
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr ""
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:3344 lib/setup.c:3437 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:3461
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr ""
 
-#: lib/setup.c:3498 lib/setup.c:3503 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4118
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr ""
 
-#: lib/setup.c:3509 lib/setup.c:3515 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr ""
 
-#: lib/setup.c:3521 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4031
-#: lib/luks2/luks2_reencrypt.c:4122
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr ""
 
-#: lib/setup.c:3536
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr ""
 
-#: lib/setup.c:3539 lib/setup.c:3541
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr ""
 
-#: lib/setup.c:3581
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr ""
 
-#: lib/setup.c:3626
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr ""
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr ""
 
-#: lib/setup.c:3670
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr ""
 
-#: lib/setup.c:3736
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr ""
 
-#: lib/setup.c:3768
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr ""
 
-#: lib/setup.c:3860
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr ""
 
-#: lib/setup.c:3970
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr ""
 
-#: lib/setup.c:4036
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr ""
 
-#: lib/setup.c:4064
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:4066 lib/setup.c:4074
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr ""
 
-#: lib/setup.c:4088
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr ""
 
-#: lib/setup.c:4120 lib/setup.c:4292
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:4122 lib/setup.c:4283 lib/setup.c:4294
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr ""
 
-#: lib/setup.c:4141
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr ""
 
-#: lib/setup.c:4256 lib/setup.c:4978 lib/setup.c:5800
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr ""
 
-#: lib/setup.c:4357 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr ""
 
-#: lib/setup.c:4458 lib/setup.c:5118 lib/setup.c:5536 lib/setup.c:5555
-#: lib/setup.c:7429 lib/setup.c:7451 lib/setup.c:7500 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr ""
 
-#: lib/setup.c:4612
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr ""
 
-#: lib/setup.c:4710
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr ""
 
-#: lib/setup.c:4716 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr ""
 
-#: lib/setup.c:4735
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr ""
 
-#: lib/setup.c:5088 lib/setup.c:5188
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr ""
 
-#: lib/setup.c:5090 lib/setup.c:5190 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr ""
 
-#: lib/setup.c:5102
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr ""
 
-#: lib/setup.c:5154 lib/setup.c:5244
-msgid "Failed to link volume keys in user defined keyring."
-msgstr ""
-
-#: lib/setup.c:5203 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr ""
-
-#: lib/setup.c:5452 lib/setup.c:5566 lib/setup.c:5623
-msgid "Device type is not properly initialized."
-msgstr ""
-
-#: lib/setup.c:5507
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr ""
 
-#: lib/setup.c:5514
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr ""
 
-#: lib/setup.c:5532
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr ""
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr ""
 
-#: lib/setup.c:5546
-msgid "Reencryption volume keys do not match the volume."
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
 msgstr ""
 
-#: lib/setup.c:5659
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr ""
 
-#: lib/setup.c:5663
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr ""
 
-#: lib/setup.c:5921
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr ""
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr ""
 
-#: lib/setup.c:5964
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr ""
 
-#: lib/setup.c:5980
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
-msgid "Could not cancel deferred remove from device %s."
+msgid "Device %s is still in use."
 msgstr ""
 
-#: lib/setup.c:5987 lib/setup.c:6003 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5787
 #, c-format
-msgid "Device %s is still in use."
+msgid "Could not cancel deferred remove from device %s."
 msgstr ""
 
-#: lib/setup.c:6012
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr ""
 
-#: lib/setup.c:6152
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr ""
 
-#: lib/setup.c:6169
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr ""
 
-#: lib/setup.c:6178
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr ""
 
-#: lib/setup.c:6188
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr ""
 
-#: lib/setup.c:6196
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr ""
 
-#: lib/setup.c:6203
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr ""
 
-#: lib/setup.c:6208
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr ""
 
-#: lib/setup.c:6210
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr ""
 
-#: lib/setup.c:6394 lib/setup.c:6405
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:6764
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr ""
 
-#: lib/setup.c:7072
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr ""
 
-#: lib/setup.c:7370 lib/setup.c:7509
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr ""
 
-#: lib/setup.c:7394
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr ""
 
-#: lib/setup.c:7400
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr ""
 
-#: lib/setup.c:7625
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr ""
 
-#: lib/setup.c:7694 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr ""
 
-#: lib/setup.c:7812
-msgid "Failed to unlink volume key from thread keyring."
-msgstr ""
-
-#: lib/setup.c:7856
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr ""
 
-#: lib/setup.c:7921
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr ""
 
@@ -768,109 +799,120 @@ msgstr ""
 msgid "Cannot read requested amount of data."
 msgstr ""
 
-#: lib/utils_device.c:204 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr ""
 
-#: lib/utils_device.c:214
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr ""
 
-#: lib/utils_device.c:558
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr ""
 
-#: lib/utils_device.c:719
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr ""
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr ""
 
-#: lib/utils_device.c:804
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr ""
 
-#: lib/utils_device.c:807
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr ""
 
-#: lib/utils_device.c:830
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr ""
 
-#: lib/utils_device.c:841
+#: lib/utils_device.c:829
 msgid ""
 "Attaching loopback device failed (loop device with autoclear flag is "
 "required)."
 msgstr ""
 
-#: lib/utils_device.c:889
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr ""
 
-#: lib/utils_device.c:897
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr ""
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr ""
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr ""
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr ""
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr ""
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr ""
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr ""
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr ""
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid ""
 "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr ""
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid ""
+"Requested maximum PBKDF memory cost is too high (limited by the integer "
+"maximal size)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr ""
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr ""
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr ""
 
@@ -900,72 +942,72 @@ msgid ""
 "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr ""
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:700
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
 #: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr ""
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr ""
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr ""
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
 "Check that kernel supports %s cipher (check syslog for more info)."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr ""
 
@@ -981,32 +1023,32 @@ msgstr ""
 msgid "LUKS keyslot %u is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr ""
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr ""
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr ""
@@ -1032,7 +1074,7 @@ msgid ""
 "keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1057,7 +1099,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr ""
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr ""
@@ -1104,7 +1146,7 @@ msgstr ""
 msgid "LUKS hash %s is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr ""
 
@@ -1118,18 +1160,18 @@ msgstr ""
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid ""
 "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr ""
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr ""
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr ""
 
@@ -1138,48 +1180,48 @@ msgstr ""
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr ""
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr ""
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr ""
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr ""
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr ""
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr ""
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr ""
 
@@ -1198,180 +1240,213 @@ msgstr ""
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid ""
+"Cannot determine TCRYPT system partition offset, activating whole encrypted "
+"area."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:837
+msgid ""
+"Cannot determine TCRYPT system partition offset, activating device as a "
+"system partition."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid ""
 "Unexpected metadata entry type '%u' found when parsing supported Volume "
 "Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid ""
 "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid ""
 "Unexpected metadata entry value '%u' found when parsing supported Volume "
 "Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:603
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
+msgid "Failed to read and validate BITLK FVE metadata from %s."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:628
+#, c-format
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
+msgid "Failed to check BITLK metadata entries previously read from %s."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr ""
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid ""
 "WARNING: BitLocker volume size %<PRIu64> does not match the underlying "
 "device size %<PRIu64>"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid ""
 "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid ""
 "Cannot activate device, kernel dm-crypt is missing support for BITLK "
 "Elephant diffuser."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid ""
 "Cannot activate device, kernel dm-crypt is missing support for large sector "
 "size."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr ""
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr ""
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr ""
@@ -1408,24 +1483,24 @@ msgstr ""
 msgid "Root hash signature required."
 msgstr ""
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr ""
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr ""
 
-#: lib/verity/verity.c:365
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr ""
 
-#: lib/verity/verity.c:369
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr ""
 
-#: lib/verity/verity.c:380
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr ""
 
@@ -1448,23 +1523,23 @@ msgstr ""
 msgid "Hash area overflow."
 msgstr ""
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr ""
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid ""
 "WARNING: Kernel cannot activate device if data block size exceeds page size "
@@ -1516,226 +1591,232 @@ msgstr ""
 msgid "Failed to determine size for device %s."
 msgstr ""
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr ""
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr ""
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr ""
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid ""
 "Kernel refuses to activate insecure recalculate option (see legacy "
 "activation options to override)."
 msgstr ""
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr ""
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr ""
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid ""
 "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr ""
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
 msgstr ""
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid ""
 "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 "
 "keyslot count is very limited.\n"
 msgstr ""
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr ""
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr ""
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid ""
 "Binary header with keyslot areas size differ on device and backup, restore "
 "failed."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid ""
 "does not contain LUKS2 header. Replacing header can destroy data on that "
 "device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid ""
 "already contains LUKS2 header. Replacing header will destroy existing "
 "keyslots."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
 "Replacing header with backup may corrupt the data on that device!"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
 "Replacing header with backup may corrupt data."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid ""
 "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4168
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr ""
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid ""
 "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid ""
 "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
-#, c-format
-msgid "Hash algorithm %s is not available."
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid ""
-"Warning: keyslot operation could fail as it requires more than available "
-"memory.\n"
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
+#, c-format
+msgid "Hash algorithm %s is not available."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr ""
 
@@ -1763,552 +1844,564 @@ msgstr ""
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3804
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid ""
 "Cannot convert to LUKS1 format - default segment encryption sector size is "
 "not 512 bytes."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid ""
 "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid ""
 "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still "
 "active."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3963
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3975
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3989
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid ""
 "Source and target device sizes don't match. Source %<PRIu64>, target: "
 "%<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid ""
 "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid ""
 "Moved segment too large. Requested size %<PRIu64>, available space for: "
 "%<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3045
-msgid "Reduced data size is larger than real device size."
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid ""
+"Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> "
+"sectors)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3052
-#, c-format
-msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
+msgid "Reduced data size is larger than real device size."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3086
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
-msgid ""
-"Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> "
-"sectors)."
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4285
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr ""
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3794 lib/luks2/luks2_reencrypt.c:4238
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
 msgid "Failed to initialize reencryption device stack."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3828
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3881 lib/luks2/luks2_reencrypt.c:3916
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3888
-msgid "Failed to read passphrase from keyring."
-msgstr ""
-
-#: lib/luks2/luks2_reencrypt.c:3945
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4004
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4009
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4014
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4022
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4111
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4134
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4140
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4150
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4160
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid ""
 "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> "
 "sectors long."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4164
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4169
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4221
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4227
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4261 lib/luks2/luks2_reencrypt.c:4298
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid ""
 "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr ""
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr ""
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
+#: src/cryptsetup.c:93
+msgid ""
+"Keyslot encryption parameters are not compatible with LUKS2 keyslot "
+"encryption."
 msgstr ""
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:502
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
 #: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr ""
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid ""
 "WARNING: Using default options for cipher (%s-%s, key size %u bits) that "
 "could be incompatible with older versions."
 msgstr ""
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid ""
 "WARNING: Using default options for hash (%s) that could be incompatible with "
 "older versions."
 msgstr ""
 
-#: src/cryptsetup.c:202
+#: src/cryptsetup.c:169
 msgid ""
-"For plain mode, always use options --cipher, --key-size and if no keyfile is "
-"used, then also --hash."
+"For plain mode, always use options --cipher, --key-size and if no keyfile or "
+"keyring is used, then also --hash."
 msgstr ""
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid ""
 "WARNING: The --hash parameter is being ignored in plain mode with keyfile "
 "specified.\n"
 msgstr ""
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid ""
 "WARNING: The --keyfile-size option is being ignored, the read size is the "
 "same as the encryption key size.\n"
 msgstr ""
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr ""
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid ""
 "Detected device signature(s) on %s. Proceeding further may damage existing "
 "data."
 msgstr ""
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr ""
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr ""
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr ""
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr ""
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr ""
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr ""
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr ""
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid ""
 "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr ""
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
 "This dump should be always stored encrypted on safe place."
 msgstr ""
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
 "This dump should be stored encrypted in a safe place."
 msgstr ""
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr ""
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid ""
 "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr ""
 
-#: src/cryptsetup.c:845 src/veritysetup.c:312 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr ""
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr ""
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid ""
 "Resize of active device requires volume key in keyring but --disable-keyring "
 "option is set."
 msgstr ""
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr ""
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr ""
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr ""
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr ""
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid ""
 "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit "
 "key (requested %u ms time)\n"
 msgstr ""
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr ""
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr ""
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr ""
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr ""
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr ""
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr ""
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the "
 "reencryption operation is desirable (see luksDump output)\n"
@@ -2316,623 +2409,653 @@ msgid ""
 "genuine."
 msgstr ""
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr ""
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr ""
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr ""
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr ""
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr ""
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
 msgstr ""
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will "
 "contain invalid checksum).\n"
 msgstr ""
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr ""
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid ""
+"OPAL hw-only encryption does not support --cipher and --key-size, options "
+"ignored."
+msgstr ""
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr ""
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr ""
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr ""
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr ""
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr ""
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr ""
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr ""
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr ""
+
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr ""
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr ""
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr ""
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:428
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr ""
 
-#: src/cryptsetup.c:1751
-msgid ""
-"Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr ""
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr ""
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr ""
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr ""
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr ""
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr ""
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid ""
 "LUKS file container %s is too small for activation, there is no remaining "
 "space for data."
 msgstr ""
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid ""
 "Cannot determine volume key size for LUKS without keyslots, please use --key-"
 "size option."
 msgstr ""
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr ""
+
+#: src/cryptsetup.c:1891
+msgid ""
+"Some specified activation parameters were ignored with OPAL hw-only "
+"encryption."
+msgstr ""
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr ""
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr ""
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid ""
 "This is the last keyslot. Device will become unusable after purging this key."
 msgstr ""
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr ""
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr ""
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr ""
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr ""
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1094
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr ""
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1080
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr ""
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr ""
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr ""
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
 msgstr ""
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr ""
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr ""
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr ""
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr ""
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr ""
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr ""
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr ""
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr ""
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr ""
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid ""
 "WARNING: WHOLE disk will be factory reset and all data will be lost! "
 "Continue?"
 msgstr ""
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
 "Device will become unusable after this operation."
 msgstr ""
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr ""
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr ""
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr ""
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr ""
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr ""
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr ""
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr ""
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr ""
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr ""
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid ""
 "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only "
 "for TCRYPT device."
 msgstr ""
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid ""
 "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT "
 "device type."
 msgstr ""
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid ""
 "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr ""
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid ""
 "Option --veracrypt-query-pim is supported only for VeraCrypt compatible "
 "devices."
 msgstr ""
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid ""
 "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr ""
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr ""
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr ""
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr ""
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid ""
 "Option --offset with open action is only supported for plain and loopaes "
 "devices."
 msgstr ""
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr ""
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid ""
 "Sector size option with open action is supported only for plain devices."
 msgstr ""
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid ""
 "Large IV sectors option is supported only for opening plain type device with "
 "sector size larger than 512 bytes."
 msgstr ""
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid ""
 "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and "
 "FVAULT2 devices."
 msgstr ""
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr ""
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:660 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
 msgid ""
-"Options --cancel-deferred and --deferred cannot be used at the same time."
+"Option --volume-key-keyring cannot be combined with --hash or --volume-key-"
+"file."
 msgstr ""
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
+#: src/cryptsetup.c:3365
+msgid ""
+"Both --volume-key-file options must be paired with respective --key-size "
+"options."
 msgstr ""
 
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
+msgid ""
+"Options --cancel-deferred and --deferred cannot be used at the same time."
+msgstr ""
+
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr ""
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr ""
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr ""
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid ""
 "Option --integrity-no-wipe can be used only for format action with integrity "
 "extension."
 msgstr ""
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr ""
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr ""
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr ""
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr ""
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr ""
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr ""
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr ""
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr ""
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:480 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr ""
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:481 src/veritysetup.c:482 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr ""
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:481 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr ""
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr ""
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr ""
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr ""
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr ""
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr ""
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr ""
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr ""
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr ""
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr ""
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr ""
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr ""
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr ""
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr ""
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr ""
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr ""
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr ""
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr ""
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr ""
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr ""
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr ""
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr ""
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr ""
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr ""
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr ""
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:498 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
 msgstr ""
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2942,7 +3065,7 @@ msgid ""
 "bitlkClose, fvault2Close\n"
 msgstr ""
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2952,31 +3075,31 @@ msgid ""
 "<key file> optional key file for the new key for luksAddKey action\n"
 msgstr ""
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in metadata format is %s (for luksFormat action).\n"
 msgstr ""
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2988,7 +3111,7 @@ msgid ""
 "\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n"
 msgstr ""
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2998,113 +3121,125 @@ msgid ""
 "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
 msgstr ""
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid ""
 "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:640 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr ""
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1143
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr ""
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr ""
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr ""
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr ""
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr ""
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr ""
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr ""
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr ""
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr ""
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:561 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr ""
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:562 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr ""
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:563 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr ""
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:574 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr ""
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:595 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr ""
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:604 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr ""
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:635 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr ""
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr ""
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr ""
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid ""
 "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/"
 "argon2id."
 msgstr ""
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr ""
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr ""
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr ""
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr ""
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr ""
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr ""
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr ""
 
@@ -3132,72 +3267,72 @@ msgstr ""
 msgid "Cannot write to root hash file %s."
 msgstr ""
 
-#: src/veritysetup.c:187 src/veritysetup.c:465
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr ""
 
-#: src/veritysetup.c:204 src/veritysetup.c:221
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr ""
 
-#: src/veritysetup.c:209
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr ""
 
-#: src/veritysetup.c:230
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr ""
 
-#: src/veritysetup.c:238
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr ""
 
-#: src/veritysetup.c:245
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr ""
 
-#: src/veritysetup.c:268 src/veritysetup.c:282
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr ""
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr ""
 
-#: src/veritysetup.c:478 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr ""
 
-#: src/veritysetup.c:479
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr ""
 
-#: src/veritysetup.c:479
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr ""
 
-#: src/veritysetup.c:480
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr ""
 
-#: src/veritysetup.c:482 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr ""
 
-#: src/veritysetup.c:483
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr ""
 
-#: src/veritysetup.c:483 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr ""
 
-#: src/veritysetup.c:502
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3207,7 +3342,7 @@ msgid ""
 "<root_hash> hash of the root node on <hash_device>\n"
 msgstr ""
 
-#: src/veritysetup.c:509
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3216,19 +3351,25 @@ msgid ""
 "Hash format: %u\n"
 msgstr ""
 
-#: src/veritysetup.c:650
+#: src/veritysetup.c:657
 msgid ""
 "Option --ignore-corruption and --restart-on-corruption cannot be used "
 "together."
 msgstr ""
 
-#: src/veritysetup.c:655
+#: src/veritysetup.c:662
 msgid ""
 "Option --panic-on-corruption and --restart-on-corruption cannot be used "
 "together."
 msgstr ""
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid ""
+"Option --error-as-corruption must be used with --panic-on-corruption or --"
+"restart-on-corruption."
+msgstr ""
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3236,31 +3377,35 @@ msgid ""
 "integrity-recalculate)."
 msgstr ""
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr ""
+
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
 msgstr ""
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:297
 msgid ""
 "Setting recalculate flag is not supported, you may consider using --wipe "
 "instead."
 msgstr ""
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr ""
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr ""
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr ""
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3268,7 +3413,7 @@ msgid ""
 "<integrity_device> is the device containing data with integrity tags\n"
 msgstr ""
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3277,48 +3422,56 @@ msgid ""
 "\tMaximum keyfile size: %dkB\n"
 msgstr ""
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr ""
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid ""
 "Journal integrity algorithm must be specified if journal integrity key is "
 "used."
 msgstr ""
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid ""
 "Both journal encryption key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid ""
 "Journal encryption algorithm must be specified if journal encryption key is "
 "used."
 msgstr ""
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr ""
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr ""
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr ""
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr ""
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr ""
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3461,6 +3614,14 @@ msgstr ""
 msgid "Cannot write to keyfile %s."
 msgstr ""
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr ""
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr ""
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3520,6 +3681,11 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr ""
 
+#: src/utils_password.c:197
+msgid ""
+"Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr ""
+
 #: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr ""
@@ -3558,56 +3724,56 @@ msgstr ""
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr ""
 
-#: src/utils_luks.c:174
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr ""
 
-#: src/utils_luks.c:188
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr ""
 
-#: src/utils_luks.c:195
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr ""
 
-#: src/utils_luks.c:200
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
 msgstr ""
 
-#: src/utils_luks.c:241
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr ""
 
-#: src/utils_luks.c:250
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
 msgstr ""
 
-#: src/utils_luks.c:254
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr ""
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr ""
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3616,7 +3782,7 @@ msgid ""
 "To run reencryption in online mode, use --active-name parameter instead.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or "
@@ -3625,235 +3791,250 @@ msgid ""
 "(dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid ""
 "Requested --resilience option cannot be applied to current reencryption "
 "operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr ""
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr ""
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid ""
 "Device is in reencryption using datashift resilience. Requested --resilience "
 "option cannot be applied."
 msgstr ""
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid ""
+"Cannot determine volume key size for LUKS without keyslots, please use --new-"
+"key-size option."
+msgstr ""
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr ""
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid ""
 "Device %s is already in LUKS2 reencryption. Do you wish to resume previously "
 "initialised operation?"
 msgstr ""
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr ""
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr ""
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr ""
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
 "(block size: %<PRIu32> bytes) detected on device %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid ""
 "Encryption without detached header (--header) is not possible without data "
 "device size reduction (--reduce-device-size)."
 msgstr ""
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid ""
 "Requested data offset must be less than or equal to half of --reduce-device-"
 "size parameter."
 msgstr ""
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid ""
 "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> "
 "(sectors).\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr ""
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr ""
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr ""
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr ""
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr ""
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid ""
 "Header file %s does not exist. Do you want to initialize LUKS2 decryption of "
 "device %s and export LUKS2 header to file %s?"
 msgstr ""
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr ""
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid ""
 "LUKS2 decryption is supported with detached header device only (with data "
 "offset set to 0)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr ""
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1045
+#: src/utils_reencrypt.c:1559
 msgid ""
-"Key file can be used only with --key-slot or with exactly one key slot "
-"active."
+"Key file or keyring key description can be used only with --key-slot or with "
+"exactly one key slot active."
 msgstr ""
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1092
-#: src/utils_reencrypt_luks1.c:1103
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr ""
 
-#: src/utils_reencrypt.c:1070
+#: src/utils_reencrypt.c:1876
 #, c-format
-msgid "Enter passphrase for key slot %u: "
+msgid "Switching data encryption cipher to %s.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:1122
-#, c-format
-msgid "Switching data encryption cipher to %s.\n"
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid ""
+"Use --force-no-keyslots to reencrypt device with active keyslots by passing "
+"volume keys directly."
 msgstr ""
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr ""
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr ""
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option "
 "(dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
 #: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
 msgstr ""
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr ""
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr ""
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr ""
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr ""
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr ""
@@ -3954,6 +4135,12 @@ msgstr ""
 msgid "Provided UUID is invalid."
 msgstr ""
 
+#: src/utils_reencrypt_luks1.c:1045
+msgid ""
+"Key file can be used only with --key-slot or with exactly one key slot "
+"active."
+msgstr ""
+
 #: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr ""
@@ -3981,45 +4168,45 @@ msgstr ""
 msgid ", set cipher to "
 msgstr ""
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr ""
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr ""
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr ""
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr ""
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr ""
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr ""
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr ""
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr ""
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr ""
@@ -4034,6 +4221,53 @@ msgstr ""
 msgid "Option --%s is not allowed with %s action."
 msgstr ""
 
+#: src/utils_key_description.c:66
+msgid ""
+"Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr ""
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr ""
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr ""
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr ""
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr ""
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr ""
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr ""
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr ""
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr ""
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid ""
+"You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the "
+"data.\n"
+msgstr ""
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr ""
diff --git a/po/cs.po b/po/cs.po
index b492440..7c98f4d 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -4,7 +4,7 @@
 # Milan Broz <mbroz@redhat.com>, 2010.
 # Petr Pisar <petr.pisar@atlas.cz>, 2010, 2011, 2012, 2013, 2014, 2015, 2016.
 # Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019, 2020, 2021, 2022, 2023.
-# Petr Pisar <petr.pisar@atlas.cz>, 2024.
+# Petr Pisar <petr.pisar@atlas.cz>, 2024, 2025.
 #
 # See `LUKS On-Disk Format Specification' document to clarify some terms.
 #
@@ -29,13 +29,14 @@
 # signature → značka, vzorec nebo podpis (záleží na kontextu)
 # suspend → uspat
 # token → token
+# unbound (key slot) → nepřiřazená (pozice klíče k oblasti s daty)
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-09 20:13+02:00\n"
+"POT-Creation-Date: 2025-08-13 13:45+0200\n"
+"PO-Revision-Date: 2025-08-14 21:32+02:00\n"
 "Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
 "Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
 "Language: cs\n"
@@ -45,70 +46,78 @@ msgstr ""
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Nelze inicializovat device-mapper, nespuštěno superuživatelem."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Nelze inicializovat device-mapper. Je jaderný modul dm_mod zaveden?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Požadovaný příznak odložení není podporován."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID pro zařízení %s bylo zkráceno."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Neznámý druh cíle DM."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Požadované výkonnostní volby dm-cryptu nejsou podporovány."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Požadované volby, jak zacházet s poškozením dat dm-verity, nejsou podporovány."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Požadovaná volba taskletu dm-cryptu není podporována."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Požadované FEC volby dm-cryptu nejsou podporovány."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Požadované volby integrity dat nejsou podporovány."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
-msgstr "Požadované volby sector_size není podporována."
+msgstr "Požadovaná volba sector_size není podporována."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "Velikost zařízení není násobkem požadované velikosti sektoru."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Požadovaná volba integrity_key_size není podporována."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Požadovaný automatický přepočet značek integrity není podporován."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2777
 msgid "Discard/TRIM is not supported."
 msgstr "Zahazování (TRIM) není podporováno."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Požadovaný režim bitmapy integrity DM není podporován."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Požadovaný režim inline integrity DM není podporován."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Dotaz na část dm-%s selhal."
@@ -143,752 +152,782 @@ msgstr "Požadována neznámá kvalita generátoru náhodných čísel."
 msgid "Error reading from RNG."
 msgstr "Chyba při čtení z generátoru náhodných čísel."
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "Podpora pro Opal je v libcryptsetup vypnuta."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "Zařízení %s nebo jádro nepodporuje šifrování Opal."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Implementaci šifrovacího generátoru náhodných čísel nelze inicializovat."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Implementaci šifrování nelze inicializovat."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hašovací algoritmus %s není podporován."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Chyba zpracování klíče (za použití haše %s)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Druh zařízení nelze určit. Nekompatibilní aktivace zařízení?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4145
 msgid "This operation is supported only for LUKS device."
 msgstr "Tato operace je podporována jen u zařízení LUKS."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Tato operace je podporována jen u zařízení LUKS2."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3093
 msgid "All key slots full."
 msgstr "Všechny pozice klíčů jsou obsazeny."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3860
 msgid "Device size is not aligned to device logical block size."
 msgstr "Velikost zařízení není zarovnaná na velikost logického sektoru zařízení."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Nalezena hlavička, ale zařízení %s je příliš malé."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
+#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
 msgid "This operation is not supported for this device type."
 msgstr "Tato operace není na zařízení tohoto typu podporována."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Zakázaná operace spolu s probíhajícím přešifrování."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Nahrání původních metadat LUKS2 do paměti selhalo."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1773
+#: src/cryptsetup.c:1957 src/cryptsetup.c:2012 src/cryptsetup.c:2210
+#: src/cryptsetup.c:2355 src/cryptsetup.c:2633 src/cryptsetup.c:2946
+#: src/cryptsetup.c:3014 src/utils_reencrypt.c:2280
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Zařízení %s není platným zařízením LUKS."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nepodporovaná verze LUKS %d."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "Na aktivním zařízení %s nebyl nalezen žádný známý vzorek určující šifrování."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
+#: lib/setup.c:3768 lib/setup.c:5787
 #, c-format
 msgid "Device %s is not active."
 msgstr "Zařízení %s není aktivní."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Zařízení nižší úrovně pod šifrovaným zařízením %s zmizelo."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Neplatné parametry plain šifry."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Neplatná velikost klíče."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID není na šifře tohoto typu podporováno."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Zařízení s oddělenými metadaty není na šifře tohoto typu podporováno."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3026
+#: src/cryptsetup.c:1485 src/cryptsetup.c:3753
 msgid "Unsupported encryption sector size."
 msgstr "Nepodporovaná velikost šifrovaného sektoru."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
 msgid "Device size is not aligned to requested sector size."
 msgstr "Velikost zařízení není zarovnaná na požadovanou velikost sektoru."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "LUKS nelze bez zařízení naformátovat."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Zónové zařízení %s nelze použít pro hlavičku LUKS."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Požadované zarovnání dat není slučitelné s polohou dat."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "POZOR: Zařízené DAX může poškodit data, protože nezaručuje atomické aktualizace sektorů.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Ze zařízení %s nelze odstranit hlavičku."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Zařízení %s je na aktivaci příliš malé. Nezbývá žádné místo pro data.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Klíč svazku je příliš malý na šifrovaní s rozšířeními pro integritu."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Velikost klíče integrity je příliš malý."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Šifra %s-%s (velikost klíče %zd bitů) není dostupná."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "POZOR: Aktivace zařízení selže, dm-crypt nepodporuje požadovanou velikost šifrovaného sektoru.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_reencrypt.c:3065
+#: lib/luks2/luks2_reencrypt.c:4485
 #, c-format
 msgid "Device %s is too small."
 msgstr "Zařízení %s je příliš malé."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Zařízení %s, které se používá, nelze formátovat."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Zařízení %s nelze formátovat, povolení zamítnuto."
 
 # FIXME "format integrity" is nonsense
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Zařízení %s není možné formátovat integritu."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Zařízení %s nelze formátovat."
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "Parametry zarovnání Opal nelze získat."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Chybná velikost logického bloku Opal."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:303
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "Chybná velikost logického bloku Opal se liší od velikosti bloku zařízení."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "Požadovaná poloha dat není slučitelná s velikostí bloku Opal."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "Požadované zarovnání dat není slučitelné se zarovnáním Opal."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "Poloha dat nesplňuje požadavky Opal na zarovnání."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "Požadované zarovnání dat nesplňuje požadavky na zarovnání uzamykatelné oblasti."
 
 # TODO: Pluralize
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "Velikost zařízení byla dorovnána %<PRIu64> sektory, aby lícovala s granularitou zarovnání Opal."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "Získání zámku Opal na zařízení %s selhalo."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Nesprávný klíč správce Opal."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "Část Opal nelze nastavit."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "Zařízení %s nelze formátovat, zařízení Opal je asi zcela chráněno proti zápisu."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "Toto je snad chyba ve firmwaru. Resetujte Opal zařízení pomocí PSID a znovu jej zapojte."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "Reset uzamykatelné oblasti %d na zařízení %s selhal."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "LOOPAES nelze bez zařízení naformátovat."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "VERITY nelze bez zařízení naformátovat."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nepodporovaný druh VERITY haše %d."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Nepodporovaná velikost bloku VERITY."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Nepodporovaná poloha haše VERITY."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nepodporovaná poloha VERITY FEC."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "Oblast dat se překrývá s oblastí haše."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "Oblast FEC se překrývá s oblastí haše."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "Oblast dat se překrývá s oblastí FEC."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Velikost klíče integrity neodpovídá."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "POZOR: Požadovaná velikost značky %d bajtů se liší od výstupu velikosti %s (%d bajtů).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3037 lib/setup.c:3135
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "Požadován neznámý typ šifrovaného zařízení %s."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Požadován neznámý nebo nepodporovaný typ zařízení %s."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3049
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Zařízení %s neposkytuje položky pro inline integritu dat."
+
+#: lib/setup.c:3055
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Velikost inline značky %<PRIu32> bajtů je větší než %<PRIu32> poskytovaných zařízením %s."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Sektor musí být stejný jako hardwarový sektor zařízení (%zu bajtů)."
+
+#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nepodporované parametry na zařízení %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
+#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Neodpovídající parametry na zařízení %s."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3632
 msgid "Crypt devices mismatch."
 msgstr "Zařízení dmcryptu si neodpovídají."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
+#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Zařízení %s nebylo možné znovu zavést."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
+#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Zařízení %s nebylo možné pozastavit."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
+#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4228
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Zařízení %s nebylo možné probudit."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3702
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Nepřekonatelná chyba při zavádění zařízení %s (nad zařízením %s)."
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3705 lib/setup.c:3707
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Zařízení %s nebylo možné přepnout do dm-error."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3750
 msgid "Can not resize LUKS2 device with static size."
 msgstr "Zařízení LUKS2 se statickou velikostí nelze změnit velikost."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3755
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Změna velikosti zařízení LUKS2 s ochranou integrity není podporována."
+
+#: lib/setup.c:3801
 msgid "Cannot resize loop device."
 msgstr "Zařízení zpětné smyčky nelze změnit velikost."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3845
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr ""
 "POZOR: Maximální velikost je již nastavena nebo změna velikosti není jádrem\n"
 "podporována.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3911
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Změna velikosti selhala, jádro ji nepodporuje."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3943
 msgid "Do you really want to change UUID of device?"
 msgstr "Opravdu chcete změnit UUID zařízení?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4035
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Soubor se zálohou hlavičky neobsahuje kompatibilní hlavičku LUKS."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4128
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Svazek %s není aktivní."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4183
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Svazek %s je již uspán."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4209
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Uspání není na zařízení %s podporováno."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4211 lib/setup.c:4219
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Chyba při uspávání zařízení %s."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4234
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Zařízení %s bylo uspáno, ale hardwarové zařízení Opal nelze uzamknout."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4265 lib/setup.c:4442
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Probuzení není na zařízení %s podporováno."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Chyba při probouzení zařízení %s."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4286
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "Z klíčenky zadané uživatelem se nepodařilo odpojit klíč svazku."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4408 lib/setup.c:5574
 msgid "Failed to link volume key in user defined keyring."
 msgstr "Do uživatelem zadané klíčenky se nepodařilo přidat klíč svazku."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4506 src/cryptsetup.c:2714
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Svazek %s není uspán."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
+#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
 msgid "Volume key does not match the volume."
 msgstr "Heslo svazku neodpovídá svazku."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4761
 msgid "Failed to swap new key slot."
 msgstr "Záměna novou pozicí klíče se nezdařila."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4859
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Pozice klíče %d je neplatná."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Pozice klíče %d není aktivní."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4884
 msgid "Device header overlaps with data area."
 msgstr "Hlavička zařízení se překrývá s datovou oblastí."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5105
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Přešifrování již probíhá. Zařízení nelze aktivovat."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
+#: lib/luks2/luks2_reencrypt.c:3714
 msgid "Failed to get reencryption lock."
 msgstr "Získání zámku pro přešifrování selhalo."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5129
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "Obnova přešifrování LUKS2 pomocí klíčů svazku selhala."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "Do uživatelem zadané klíčenky se nepodařilo přidat klíče svazku."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "Obnova přešifrování LUKS2 selhala."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Typ zařízení není řádně inicializován."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5265
 #, c-format
 msgid "Device %s already exists."
 msgstr "Zařízení %s již existuje."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5272
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Zařízení %s nelze použít. Název není platný nebo zařízení se stále používá."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5284
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Klíče pro přešifrování svazku neodpovídají svazku."
+
+#: lib/setup.c:5301
 msgid "Incorrect volume key specified for plain device."
 msgstr "Byl zadán neplatný klíč svazku."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Klíče pro přešifrování svazku neodpovídají svazku."
+#: lib/setup.c:5327 lib/setup.c:5388
+msgid "Device type is not properly initialized."
+msgstr "Typ zařízení není řádně inicializován."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5426
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Jaderná klíčenka není jádrem podporována."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5430
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Jaderná klíčenka chybí: je potřeba pro předání podpisu do jádra."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5482
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Klíčem klíčenky %s nelze použít."
+
+#: lib/setup.c:5695
 msgid "Incorrect root hash specified for verity device."
 msgstr "K zařízení VERITY byl zadán neplatný kořenový haš."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5736 lib/setup.c:5761
 msgid "OPAL does not support deferred deactivation."
 msgstr "Opal nepodporuje odloženou deaktivaci."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Odložené odebrání zařízení %s nebylo možné zrušit."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Zařízení %s se stále používá."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5769
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Odložené odebrání zařízení %s nebylo možné zrušit."
+
+#: lib/setup.c:5791
 #, c-format
 msgid "Invalid device %s."
 msgstr "Neplatné zařízení %s."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5932
 msgid "Volume key buffer too small."
 msgstr "Vyhrazená paměť pro klíč svazku je příliš malá."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5943
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Nelze získat klíč svazku pro zařízení LUKS2."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5952
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Nelze získat klíč svazku pro zařízení LUKS1."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5966
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Nelze získat klíč svazku pro otevřené zařízení."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5974
 msgid "Cannot retrieve root hash for verity device."
 msgstr "K zařízení VERITY nelze získat kořenový otisk."
 
-#: lib/setup.c:6199
+#: lib/setup.c:5981
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Nelze získat klíč svazku pro zařízení BITLK."
 
-#: lib/setup.c:6204
+#: lib/setup.c:5986
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Nelze získat klíč svazku pro zařízení FVAULT2."
 
-#: lib/setup.c:6206
+#: lib/setup.c:5988
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Na šifrovaném zařízení %s není tato operace podporována."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6173 lib/setup.c:6184
 msgid "Dump operation is not supported for this device type."
 msgstr "Operace výpisu není na zařízení tohoto typu podporována."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6564
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Počátek dat není násobkem %u bajtů."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6872
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Zařízení %s, které se stále používá, nelze konvertovat."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7180 lib/setup.c:7324
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Přiřazení pozice klíče %u jakožto nového klíče svazku se nezdařilo."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7204
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Inicializace parametrů výchozí pozice klíče LUKS2 selhala."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7210
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Přiřazení pozice klíče %d k otisku se nezdařilo."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7441
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku nebyl poskytnut."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7514 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "Klíč se nepodařilo přidat do jaderné klíčenky."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "Klíč se nepodařilo odstranit z klíčenky vlákna."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7705
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "Klíčenku zadanou jako „%s“ nebylo možné nalézt."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7770
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Získání zámku pro tvrdý přístup do globální paměti selhalo."
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Soubor s klíčem se nepodařilo otevřít."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Soubor s klíčem nelze z terminálu přečíst."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "O souboru s klíčem nebylo možné zjistit údaje."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Nelze se přesunout na požadované místo v souboru s klíčem."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Při čtení hesla došla paměť."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Chyba při čtení hesla."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Na vstupu není nic k přečtení."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Maximální délka souboru s klíčem překročena."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Požadované množství dat nelze načíst."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:2253
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Zařízení %s neexistuje nebo přístup byl zamítnut."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Zařízení %s není kompatibilní."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "U zařízení s daty se ignoruje chybná optimální velikost I/O (%u bajtů)."
 
 # TODO: Pluralize
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Zařízení %s je příliš malé. Je třeba alespoň %<PRIu64> bajtů."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Zařízení %s nelze použít, protože se již používá (již namapováno nebo připojeno)."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Zařízení %s nelze použít, povolení zamítnuto."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "O zařízení %s nelze získat údaje."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Zařízení typu loopback nelze použít, nespuštěno superuživatelem."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Připojení zařízení zpětné smyčky selhalo (požadováno zařízení s příznakem autoclear)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Požadovaná poloha je za hranicí skutečné velikosti zařízení %s."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Zařízení %s má nulovou velikost."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Požadovaný cílový čas PBKDF nemůže být nula."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Neznámý druh PBKDF %s."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Požadovaný haš %s není podporován."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Požadovaný druh PBKDF není podporován formátem LUKS1."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Při PBKDF2 nesmí být nastavena maximální paměť pro PBKDF nebo počet souběžných vláken."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Vynucený počet opakování je pro %s příliš nízký (minimum je %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Vynucená cena paměti je pro %s příliš nízká (minimum je %u kilobajtů)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Požadovaná maximální cena PBKDF paměti je příliš vysoká (maximum je %d kilobajtů)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Požadovaná maximální cena PBKDF paměti je příliš vysoká (omezena maximální velikostí číselného typu)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Požadované maximum paměti PBKDF nemůže být nula."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Požadovaná maximální cena paralelizace PBKDF je příliš vysoká (maximum je %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Požadovaný počet souběžných vláken PBKDF nemůže být nula."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "V režimu FIPS je podporován jen PBKDF2."
 
@@ -915,21 +954,21 @@ msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (není adre
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (%s není adresářem)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Nelze se přesunout na požadované místo v zařízení."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Chyba při čištění zařízení na pozici %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "Chybné PSID systému Opal."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "Zařízení Opal nelze vymazat."
 
@@ -951,8 +990,8 @@ msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Zápis šifry by měl být ve tvaru [šifra]-[režim]-[iv]."
 
 #: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1514 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Na zařízení %s nelze zapsat, povolení zamítnuto."
@@ -965,24 +1004,24 @@ msgstr "Otevření dočasného zařízení s úložištěm klíče selhalo."
 msgid "Failed to access temporary keystore device."
 msgstr "Přístup do dočasného zařízení s úložištěm klíče selhal."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:188 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Chyba vstupu/výstupu při šifrování pozice klíče."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:235 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1517 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Zařízení %s nelze otevřít."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:246 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Chyba vstupu/výstupu při dešifrování pozice klíče."
 
@@ -1018,12 +1057,12 @@ msgid "Backup file does not contain valid LUKS header."
 msgstr "Záložní soubor neobsahuje platnou hlavičku LUKS."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1446
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Nelze otevřít soubor se zálohou hlavičky %s."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1454
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Soubor se zálohou hlavičky %s nelze načíst."
@@ -1045,7 +1084,7 @@ msgstr "neobsahuje hlavičku LUKS. Nahrazení hlavičky může zničit data na d
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "již obsahuje hlavičku LUKS. Nahrazení hlavičky zničí existující pozice s klíči."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1486
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1072,7 +1111,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Haš šifry opraven na malý písmena (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Požadovaný haš LUKSu %s není podporován."
@@ -1119,7 +1158,7 @@ msgstr "Režim LUKS šifry %s není platný."
 msgid "LUKS hash %s is invalid."
 msgstr "LUKS haš %s není platný."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1360
 msgid "No known problems detected for LUKS header."
 msgstr "V hlavičce LUKS nenalezen žádný známý problém."
 
@@ -1134,17 +1173,17 @@ msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Chyba při opakovaném čtení hlavičky LUKS po aktualizaci zařízení %s."
 
 # TODO: Pluralize
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Poloha dat u hlavičky LUKS musí být buď 0 nebo více než velikost hlavičky."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Poskytnut UUID LUKSu ve špatném tvaru."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Hlavičku LUKS nelze vytvořit: čtení náhodné soli selhalo."
 
@@ -1153,48 +1192,48 @@ msgstr "Hlavičku LUKS nelze vytvořit: čtení náhodné soli selhalo."
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Hlavičku LUKS nelze vytvořit: výpočet otisku hlavičky (haš %s) selhal."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Pozice klíče %d je aktivní, nejprve ji uvolněte."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Pozice klíče %d obsahuje příliš málo útržků. Manipulace s hlavičkou?"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Čítač opakování PBKDF2 přetekl."
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Pozici s klíčem nezle otevřít (za použití haše %s)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Pozice klíče %d není platná, prosím, vyberte pozici mezi 0 a %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Zařízení %s není možné smazat."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Zjištěn dosud nepodporovaný soubor s klíčem šifrovaný pomocí GPG."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Prosím, použijte gpg --decrypt SOUBOR_S_KLÍČEM | cryptsetup --keyfile=- …\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Zjištěn nekompatibilní soubor s klíčem loop-AES."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Jádro nepodporuje mapování kompatibilní s loop-AES."
 
@@ -1213,33 +1252,41 @@ msgstr "Překročena maximální délka hesla TCRYPT (%zu)."
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Hašovací algoritmus PBKDF2 %s není podporován, přeskakuje se."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1233
 msgid "Required kernel crypto interface not available."
 msgstr "Požadované kryptografické rozhraní jádra není dostupné."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1235
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Ujistěte se, že jaderný modul algif_skcipher je zaveden."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivace nad sektory o velikosti %d není podporována."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Jádro nepodporuje aktivaci v tomto zastaralém režimu TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Aktivuje se systémové šifrování TCRYPT pro oddíl %s."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Polohu systémového oddílu TCRYPT nelze určit. Aktivuje se celá šifrovaná oblast."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Polohu systémového oddílu TCRYPT nelze určit. Zařízení se aktivuje co by systémový oddíl."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Jádro nepodporuje mapování kompatibilní s TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1144
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Bez dat s hlavičkou TCRYPT není tato funkce podporována."
 
@@ -1262,68 +1309,68 @@ msgstr "Při rozboru hlavního klíče svazku byl nalezen nečekaný řetězec (
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Při rozboru hlavního klíče svazku byl nalezen záznam metadat s nečekanou hodnotou „%u“."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:450
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK verze 1 není v současnosti podporován."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:456
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Neplatná nebo neznámá značka zavaděče zařízení BITLK."
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:468
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Nepodporovaná velikost sektoru %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:476
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Z %s nebylo možné načíst hlavičku BITLK."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:501
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "Z %s nebylo možné přečíst metadata BITLK FVE."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:552
 msgid "Unknown or unsupported encryption type."
 msgstr "Neznámý nebo nepodporovaný druh šifrování."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:592
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "Z %s nebylo možné načíst položky metadat BITLK."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:709
 msgid "Failed to convert BITLK volume description"
 msgstr "Převod popisu svazku BITLK se nezdařil"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:872
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Při rozboru externího klíče byla v metadatech nalezena položka nečekaného typu „%u“."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:895
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "GUID „%s“ souboru BEK neodpovídá GUID svazku."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:899
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Při rozboru externího klíče byla v metadatech nalezena položka s nečekanou hodnotou „%u“."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:938
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Nepodporovaná metadata BEK verze %<PRIu32>."
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:943
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Nečekaná velikost metadat BEK %<PRIu32> neodpovídá délce souboru BEK"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:969
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Při rozboru startovacího klíče byla v metadatech nalezena nečekaná položka."
 
@@ -1335,47 +1382,47 @@ msgstr "Tato operace není podporována."
 msgid "Unexpected key data size."
 msgstr "Nečekaná velikost údajů o klíči."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1205
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Toto zařízení BITLK je v nepodporovaném stavu a nelze jej aktivovat."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1210
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Zařízení BITLK s typem „%s“ nelze aktivovat."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "Aktivace částečně dešifrovaného zařízení BITLK není podporována."
+#: lib/bitlk/bitlk.c:1217
+msgid "Activation of BITLK device with clear key protection is not supported."
+msgstr "Aktivace zařízení BITLK s ochranou pomocí nešifrovaného klíče není podporována."
 
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1258
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "POZOR: Velikost svazku BitLockeru %<PRIu64> neodpovídá velikosti zařízení ve zpod %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1385
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu inicializačního vektoru BITLK."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1389
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu difuzéru Elephant BITLK."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1393
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu velikostí velkých sektorů."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1397
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Zařízení nelze aktivovat. Chybí jaderný modul dm-zero."
 
 # FIXME: Pluralize
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Z hlavičky svazku nebylo možné přečíst %u bajtů."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Nepodporovaná verze FVAULT2 %<PRIu16>."
@@ -1412,25 +1459,25 @@ msgstr "Ověření podpisu kořenového otisku není podporováno."
 msgid "Root hash signature required."
 msgstr "Je potřeba podpis kořenového otisku."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Chyby v zařízení FEC nelze opravit."
 
 # TODO: Pluralize
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Nalezeno %u opravitelných chyb v zařízení FEC."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Jádro nepodporuje mapování dm-verity."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Jádro nepodporuje volbu pro podpis dm-verity."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Po aktivaci zjistilo zařízení VERITY poškození."
 
@@ -1453,23 +1500,23 @@ msgstr "Ověření na pozici %<PRIu64> selhalo."
 msgid "Hash area overflow."
 msgstr "Přetečení oblasti haše."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Ověření datové oblasti selhalo."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Ověření kořenového haše selhalo."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Při vytváření oblasti haší došlo k chybě na vstupu/výstupu."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "Oblast haší se nepodařilo vytvořit."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "POZOR: Jádro nemůže aktivovat zařízení, pokud velikost datového bloku přesahuje velikost stránky (%u)."
@@ -1519,36 +1566,40 @@ msgstr "Neplatná délka části FEC."
 msgid "Failed to determine size for device %s."
 msgstr "Velikost zařízení %s se nepodařilo určit."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Neslučitelná metadata jaderného dm-integrity (verze %u) byla nalezena na %s."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:290 lib/integrity/integrity.c:474
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Jádro nepodporuje mapování dm-integrity."
 
 # Fixed metadata means fix_padding attribute of dm-integrity target
 # documented as "use a smaller padding".
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:296
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Jádro nepodporuje drobné zarovnání metadat dm-integrity."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:305
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Jádro odmítá aktivovat volbu nebezpečného přepočtu (pro přebití vizte zastaralé volby aktivace)"
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:311
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Jádro nepodporuje mapování dm-integrity s inline režimem."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1506
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Získání zámku pro zápis do zařízení %s selhalo."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Zjištěn pokus o současnou aktualizaci metadat LUKS2. Operace se ruší."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1557,59 +1608,59 @@ msgstr ""
 "Prosím, spusťte obnovu příkazem „cryptsetup repair“."
 
 # TODO: Pluralize
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "POZOR: oblast s pozicemi klíčů (%<PRIu64> bajtů) je příliš malá, dostupný počet pozic klíčů LUKS2 je značně omezen.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Požadovaná poloha dat je příliš nízká."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "POZOR: Metadata LUKS2 změnila velikost na %<PRIu64> bajtů.\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "POZOR: Oblast s pozicemi klíčů pro LUKS2 změnila velikost na %<PRIu64> bajtů.\n"
 
 #: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
 #: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Získání zámku pro čtení ze zařízení %s selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1431
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "V záloze %s byly zjištěny zakázané požadavky na LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1470
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Počátek dat se liší mezi zařízením a zálohou, obnova se nezdařila."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1476
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Velikost binární hlavičky s oblastí pro pozice klíčů se liší mezi zařízením a zálohou, obnova se nezdařila."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1483
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Zařízení %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1484
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "neobsahuje hlavičku LUKS2. Nahrazení hlavičky může zničit data na daném zařízení."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "již obsahuje hlavičku LUKS2. Nahrazení hlavičky zničí existující pozice s klíči."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1619,7 +1670,7 @@ msgstr ""
 "POZOR: Ve skutečné hlavičce zařízení byly objeveny neznámé požadavky na LUKS2!\n"
 "Nahrazení hlavičky zálohou může zničit data na zařízení!"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1634,106 +1685,106 @@ msgstr ""
 msgid "Ignored unknown flag %s."
 msgstr "Neznámý příznak %s ignorován."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2541 lib/luks2/luks2_reencrypt.c:2105
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Chybí klíč pro dm-crypt část %u."
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2553 lib/luks2/luks2_reencrypt.c:2118
 msgid "Failed to set dm-crypt segment."
 msgstr "Nastavení části dm-crypt selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2559 lib/luks2/luks2_reencrypt.c:2124
 msgid "Failed to set dm-linear segment."
 msgstr "Nastavení části dm-linear selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2679 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "V hlavičce LUKS2 nebyl nalezen žádný známý vzorek určující šifru."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2687
 msgid "OPAL device must have static device size."
 msgstr "Zařízení Opal musí mít statickou velikost zařízení."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2707
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "Šifrované zařízení Opal zajišťující neporušenost musí být menší než uzamykatelná oblast."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2712
 msgid "OPAL device must have same size as locking range."
 msgstr "Zařízení Opal musí mít stejnou velikost jako uzamykatelná oblast."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2732
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "Opal zařízení %s je již odemknuto.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2771
 msgid "Unsupported device integrity configuration."
 msgstr "Nepodporovaná konfigurace integrity zařízení."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2787
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "Dm-integrity zařízení nižší úrovně poskytlo nečekané datové sektory."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2882
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Probíhá přešifrování. Zařízení nelze deaktivovat."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2893 lib/luks2/luks2_reencrypt.c:4274
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Výměna pozastaveného zařízení %s za cíl dm-error selhala."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2972 lib/luks2/luks2_json_metadata.c:2994
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "Zařízení %s bylo deaktivováno, avšak hardwarové zařízené Opal nelze uzamknout."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "Čtení požadavků na LUKS2 selhalo."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3016
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Zjištěny nesplněné požadavky na LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3024
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Operace se neslučuje se zařízením označeným pro zastaralé přešifrování. Operace se ruší."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3026
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Operace se neslučuje se zařízením označeným pro přešifrování LUKS2. Operace se ruší."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Operace se neslučuje se zařízením používajícím Opal. Operace se ruší."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3030
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Operace se neslučuje se zařízením používajícím inline hardwarové značky. Operace se ruší."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Nedostatek paměti pro otevření pozice s klíčem."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Otevření pozice s klíčem selhalo."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Šifru %s-%s nelze použít pro pozici s klíčem."
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Nedostatek paměti pro odvození klíče pro pozici s klíčem."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:401
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2725
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Hašovací algoritmus %s není dostupný."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "Pozor: operace s pozicí klíče by mohla selhat, protože potřebuje více paměti, než je k dispozici.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:518
 msgid "No space for new keyslot."
 msgstr "Pro novou pozicí klíče není místo."
 
@@ -1759,429 +1810,434 @@ msgstr "Nelze zjistit stav zařízení s UUID: %s."
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Hlavičky s dodatečnými metadaty LUKSMETA nelze převést."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3882
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "LUKS2 neumožňuje použít šifru zadanou jako %s-%s."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Pozice s klíčem LUKS2 neumožňuje použít šifru zadanou jako %s-%s."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Oblast s pozicemi klíčů nelze přesunout. Nedostatek místa."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Nelze převést do formátu LUKS2 – neplatná metadata."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Oblast s pozicemi klíčů nelze přesunout. Oblast s pozicemi klíčů LUKS2 je příliš malá."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Oblast s pozicemi klíčů nelze přesunout."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nelze převést do formátu LUKS1 – výchozí velikost sektoru šifrování části není 512 bajtů."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nelze převést do formátu LUKS1 – otisky v pozicích s klíči nejsou slučitelné s LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nelze převést do formátu LUKS1 – zařízení používá šifru se zabaleným klíčem %s."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Nelze převést do formátu LUKS1 – zařízení používá více částí."
 
 # TODO: Pluralize
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nelze převést do formátu LUKS1 – hlavička LUKS2 obsahuje %u token(ů)."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Nelze převést do formátu LUKS1 – žádná pozice s klíčem není aktivní."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
-msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u je v nesprávném stavu."
+msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u je v nesprávném stavu."
+
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u není přiřazena."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u (nad maximem pozic) je stále aktivní."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
-msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u není slučitelná s LUKS1."
+msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u není slučitelná s LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1194
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Velikost horké zóny musí být násobek vypočteného zarovnání zóny (%zu bajtů)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1199
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Velikost zařízení musí být násobek vypočteného zarovnání zóny (%zu bajtů)."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1406 lib/luks2/luks2_reencrypt.c:1592
+#: lib/luks2/luks2_reencrypt.c:1675 lib/luks2/luks2_reencrypt.c:1717
+#: lib/luks2/luks2_reencrypt.c:4069
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Obálku pro starou část úložiště se nepodařilo inicializovat."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1420 lib/luks2/luks2_reencrypt.c:1570
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Obálku pro novou část úložiště se nepodařilo inicializovat."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1546 lib/luks2/luks2_reencrypt.c:4081
 msgid "Failed to initialize hotzone protection."
 msgstr "Ochranu horké zóny se nepodařilo inicializovat."
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1619
 msgid "Failed to read checksums for current hotzone."
 msgstr "Kontrolní součty pro aktuální horkou zónu se nepodařilo přečíst."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1626 lib/luks2/luks2_reencrypt.c:4095
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Čtení oblasti s horkou zónou počínaje na %<PRIu64> selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1645
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Sektor %zu nebylo možné rozšifrovat."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1651
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Sektor %zu nebylo možné obnovit."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2217
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Velikosti zdrojového a cílového zařízení se neshodují. Zdroj %<PRIu64>, cíl %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2315
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Aktivace zařízení horké zóny %s selhala."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2332
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Aktivace překryvného zařízení %s se skutečnou tabulkou původu selhala."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Zavedení nového mapování pro zařízení %s selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2410
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Zásobník zařízení k přešifrování se nepodařilo obnovit."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2607
 msgid "Failed to set new keyslots area size."
 msgstr "Nastavení velikosti nové oblasti s pozicemi klíčů selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2743
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Hodnota posunu dat není zarovnána s velikostí šifrovaného sektoru (%<PRIu32> bajtů)."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2780 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Nepodporovaný režim odolnosti %s"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2816
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Velikost přesunované oblasti nemůže být větší než hodnota posunu dat."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2858
 msgid "Invalid reencryption resilience parameters."
 msgstr "Neplatné parametry režimu odolnosti při přešifrování."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2880
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Přesunovaná oblast je příliš velká. Požadovaná velikost %<PRIu64>, dostupné místo %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2969
 msgid "Failed to clear table."
 msgstr "Vyprázdnění tabulky selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3055
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Posun dat (%<PRIu64> sektorů) je menší než budoucí poloha dat (%<PRIu64> sektorů)."
+
+#: lib/luks2/luks2_reencrypt.c:3070 lib/luks2/luks2_reencrypt.c:3077
 msgid "Reduced data size is larger than real device size."
 msgstr "Zmenšená velikost dat je větší než velikost skutečného zařízení"
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3087
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Zařízení s daty není zarovnáno na velikost šifrovaného sektoru (%<PRIu32> bajtů)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Posun dat (%<PRIu64> sektorů) je menší než budoucí poloha dat (%<PRIu64> sektorů)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3117 lib/luks2/luks2_reencrypt.c:3632
+#: lib/luks2/luks2_reencrypt.c:3653
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Zařízení %s nebylo možné otevřít ve výlučném režimu (již namapováno nebo připojeno)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3324
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Zařízení není označeno pro přešifrování LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3341 lib/luks2/luks2_reencrypt.c:4391
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Načtení kontextu přešifrování LUKS2 selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "Stavu přešifrování se nepodařilo zjistit."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3433 lib/luks2/luks2_reencrypt.c:3773
 msgid "Device is not in reencryption."
 msgstr "Zařízení se nepřešifrovává."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3440 lib/luks2/luks2_reencrypt.c:3780
 msgid "Reencryption process is already running."
 msgstr "Proces přešifrování již běží."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3442 lib/luks2/luks2_reencrypt.c:3782
 msgid "Failed to acquire reencryption lock."
 msgstr "Získání zámku pro přešifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3460
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "V přešifrování nelze pokračovat. Spusťte nejprve obnovu přešifrování."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3596
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Aktivní velikost zařízení a velikost požadovaná k přešifrování si neodpovídají."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3610
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "V parametrech přešifrování je požadována zakázaná velikost zařízení."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3712
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Probíhá přešifrování. Obnovu nelze provést."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3733
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Obnova přešifrování LUKS2 selhala."
+
+#: lib/luks2/luks2_reencrypt.c:3866 lib/luks2/luks2_reencrypt.c:4344
+msgid "Failed to initialize reencryption device stack."
+msgstr "Zásobník zařízení k přešifrování se nepodařilo inicializovat."
+
+#: lib/luks2/luks2_reencrypt.c:3899
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "V metadatech je přešifrování LUKS2 již inicializováno."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Inicializace přešifrování LUKS2 v metadatech selhala."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3960 lib/luks2/luks2_reencrypt.c:3992
+#: lib/luks2/luks2_reencrypt.c:4022
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "Na zařízeních DAX (trvalá paměť) není přešifrování podporováno."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "Čtení hesla z klíčenky selhalo."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4051
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Nastavení segmentů zařízení pro další horkou zónu přešifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4103
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Metadata pro odolnost při přešifrování se nepodařilo zapsat."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4110
 msgid "Decryption failed."
 msgstr "Rozšifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4115
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Zápis oblasti s horkou zónou počínaje na %<PRIu64> selhal."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4120
 msgid "Failed to sync data."
 msgstr "Synchronizace dat selhala."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4128
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Po dokončení přešifrování aktuální horké zóny se nepodařilo aktualizovat metadata."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4217
 msgid "Failed to write LUKS2 metadata."
 msgstr "Zápis metadat LUKS2 selhal."
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4240
 msgid "Failed to wipe unused data device area."
 msgstr "Vyčištění oblasti zařízení s nepoužívanými daty selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4246
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Odstranění nepoužívané (nepřiřazené) pozice s klíčem %d selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4256
 msgid "Failed to remove reencryption keyslot."
 msgstr "Odstranění pozice s klíčem přešifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4266
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Nepřekonatelná chyba při přešifrování bloku na pozici %<PRIu64> dlouhého %<PRIu64> sektorů."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4270
 msgid "Online reencryption failed."
 msgstr "Přešifrování za běhu selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4275
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Zařízení neprobouzejte, dokud jej ručně nenahradíte chybovým cílem."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4327
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "V přešifrování nelze pokračovat. Přešifrování se nachází v nečekaném stavu."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4333
 msgid "Missing or invalid reencrypt context."
 msgstr "Chybějící nebo neplatný kontext přešifrování."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "Zásobník zařízení k přešifrování se nepodařilo inicializovat."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4367 lib/luks2/luks2_reencrypt.c:4404
 msgid "Failed to update reencryption context."
 msgstr "Kontext přešifrování se nepodařilo aktualizovat."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Metadata o přešifrování jsou neplatná."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:333
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "Opal oblast %d na pozici %<PRIu64> neodpovídá očekávaným hodnotám %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:340
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "Délka %2$<PRIu64> Opal oblasti %1$d neodpovídá velikosti zařízení %3$<PRIu64>"
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:346
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "Uzamykaní Opal oblasti %d je vypnuto."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:356 lib/luks2/hw_opal/hw_opal.c:363
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "Nečekaný status uzamykání Opal oblasti %d"
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametry pro šifrování pozice s klíčem lze nastavit jen u zařízení LUKS2."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Zadejte PIN k tokenu: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Zadejte PIN k tokenu %d: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Parametry pro šifrování pozice s klíčem se neslučují s šifrováním pozice s klíčem LUKS2."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1171 src/cryptsetup.c:1538
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Nelze najít žádný známý vzorek se specifikaci šifry."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "POZOR: Pro šifru se použijí výchozí volby (%s-%s, velikost klíče %u bitů), což může být neslučitelné se staršími verzemi."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "POZOR: Pro haš se použijí výchozí volby (%s), což by mohlo být neslučitelné se staršími verzemi."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "Pro režim plain vždy použijte volby --cipher a --key-size a není-li zadán soubor s klíčem, rovněž --hash."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "Pro režim plain vždy použijte volby --cipher a --key-size a není-li zadán soubor s klíčem nebo klíčenka, rovněž --hash."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "POZOR: Jedná-li se o režim plain a je-li určen soubor s klíčem, parametr --hash se ignoruje.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "POZOR: Přepínač --keyfile-size se ignoruje, velikost pro čtení je stejná jako velikosti šifrovacího klíče.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1368 src/cryptsetup.c:1591
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2137
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "Prohledávání blkid selhalo u %s."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Na %s byla nalezen vzorec zařízení. Pokračování může poškodit existující data."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1254 src/cryptsetup.c:1302
+#: src/cryptsetup.c:1375 src/cryptsetup.c:1515 src/cryptsetup.c:1603
+#: src/cryptsetup.c:2488 src/cryptsetup.c:2917 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Operace zrušena.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Je vyžadován přepínač --key-file."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Zadejte PIM VeraCryptu: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Neplatná hodnota VIM: chyba rozboru"
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Neplatná hodnota PIM: 0"
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Neplatná hodnota PIM: mimo rozsah"
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "S tímto heslem není rozpoznatelná žádná hlavička zařízení."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Zařízení %s není platným zařízením BITLK."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Nelze určit velikost BITLK klíče svazku. Prosím, použijte přepínač --key-size."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:542
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2191,7 +2247,7 @@ msgstr ""
 "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n"
 "Tento výpis by měl být vždy uložen na bezpečném místě a v zašifrované podobě."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:609 src/cryptsetup.c:690 src/cryptsetup.c:2513
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2201,85 +2257,85 @@ msgstr ""
 "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n"
 "Tento výpis by měl být uložen na bezpečném místě a v zašifrované podobě."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:745 src/cryptsetup.c:777
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Zařízení %s není platným zařízením FVAULT2."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:785
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Nelze určit velikost klíče svazku pro FVAULT2. Prosím, použijte přepínač --key-size."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:839 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Zařízení %s je stále aktivní a naplánováno pro odložené odstranění.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:872 src/cryptsetup.c:1801 src/cryptsetup.c:2075
+#: src/cryptsetup.c:2222 src/cryptsetup.c:2641 src/cryptsetup.c:2722
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "Cestu k externím tokenům %s se nepodařilo nastavit."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:881
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Změna velikosti aktivního zařízení vyžaduje klíč svazku v klíčence. Byl však použit přepínač --disable-keyring."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1050
 msgid "Benchmark interrupted."
 msgstr "Hodnocení výkonu přerušeno."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     –\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1073
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iterací za sekundu pro %zubitový klíč\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s –\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1089
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iterací, %5u paměti, %1u souběžných vláken (procesorů) pro %zubitový klíč (požadován čas %u ms)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1113
 msgid "Result of benchmark is not reliable."
 msgstr "Výsledek hodnocení výkonu není spolehlivý."
 
 # ???: are aproximated?
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1163
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Testy jsou počítány jen z práce s pamětí (žádné I/O úložiště).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1188
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*sAlgoritmus |      Klíč |       Šifrování |     Dešifrování\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1196
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Šifra %s (s %ibitovým klíčem) není dostupná."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1215
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#    Algoritmus |      Klíč |       Šifrování |     Dešifrování\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1226
 msgid "N/A"
 msgstr "–"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1251
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2288,27 +2344,27 @@ msgstr ""
 "přešifrování je žádoucí (vizte výstup luksDump) a pokračujte (zvýšení verze\n"
 "metadat) pouze, když poznáte, že operace je chtěná."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1257
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Zadejte heslo pro ochránění metadat o přešifrování a pro zvýšení jejich verze: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1301
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Opravdu pokračovat s obnovou přešifrování LUKS2?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1310
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Zadejte heslo pro ověření otisku metadat o přešifrování: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1312
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Zadejte heslo pro obnovení přešifrování: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1374
 msgid "Really try to repair LUKS device header?"
 msgstr "Opravdu se pokusit opravit hlavičku zařízení LUKS?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1402 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2316,7 +2372,7 @@ msgstr ""
 "\n"
 "Výmaz přerušen."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1407 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2325,158 +2381,169 @@ msgstr ""
 "Lze přerušit pomocí Ctrl+C (zbytek nesmazaného zařízení bude obsahovat\n"
 "neplatné součty).\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1429 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Dočasné zařízení %s nelze deaktivovat."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1477
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "Čistě hardwarové šifrování Opal nepodporuje --cipher a --key-size. Přepínače se ignorují."
+
+#: src/cryptsetup.c:1490
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Volby integrity lze použít jen při formátu LUKS2."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1495 src/cryptsetup.c:1575
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nepodporované volby velikosti metadat LUKS2."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1500
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "Opal je podporován jen s formátem LUKS2."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1505
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Inline hardwarové značky jsou podporovány jen s formátem LUKS2."
+
+#: src/cryptsetup.c:1514
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Soubor s hlavičkou neexistuje. Chcete jej vytvořit?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1522
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Soubor s hlavičkou %s nelze vytvořit."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1548 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Nelze najít žádný známý vzorek se specifikací integrity."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1550
+msgid "Cannot use specified integrity key size."
+msgstr "Zadanou velikost klíče integrity nelze použít."
+
+#: src/cryptsetup.c:1568
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "%s nelze použít pro hlavičku uvnitř disku."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1597 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Toto nevratně přepíše data na %s."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1634
 msgid "OPAL Admin password cannot be empty."
 msgstr "Heslo správce Opal nemůže být prázdné."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1648 src/cryptsetup.c:2092 src/cryptsetup.c:2235
+#: src/cryptsetup.c:2370 src/cryptsetup.c:2436 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Nastavení parametrů PBKDF selhalo."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "Určení typu v přepínači --link-vk-to-keyring pro zadání klíčenky se ignoruje."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "Typy klíčů musí být stejné pro oba klíče svazku."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Oba klíče svazku musí být přidány do stejné klíčenky."
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Musíte zadat více názvů klíčů."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Neplatná hodnota --link-vk-to-keyring."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1779
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Zmenšená poloha dat je dovolena jen u oddělené hlavičky LUKS."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1786
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Souborový kontejner LUKS %s je na aktivaci příliš malý. Nezbývá žádné místo pro data."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1828 src/cryptsetup.c:2241 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Bez pozic pro klíče nelze určit velikost LUKS klíče svazku. Prosím, použijte přepínač --key-size."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1847 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Zařízení vyžaduje dva klíče svazku."
+
+#: src/cryptsetup.c:1882
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Některé zadané aktivační parametry byly při čistě hardwarovém šifrování Opal ignorovány."
+
+#: src/cryptsetup.c:1887
 msgid "Device activated but cannot make flags persistent."
 msgstr "Zařízení aktivováno, ale příznaky nelze učinit trvalými."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1967 src/cryptsetup.c:2035
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Ke smazání vybrán klíč na pozici %d."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1979 src/cryptsetup.c:2039
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr ""
 "Toto je poslední pozice klíče. Smazáním tohoto klíče přijdete o možnost\n"
 "zařízení použít."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1980
 msgid "Enter any remaining passphrase: "
 msgstr "Zadejte jakékoliv jiné heslo: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1981 src/cryptsetup.c:2041
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operace zrušena, pozice klíče NEBYLA vymazána.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2017
 msgid "Enter passphrase to be deleted: "
 msgstr "Zadejte heslo, které se má smazat: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2067 src/cryptsetup.c:2419 src/cryptsetup.c:3079
+#: src/cryptsetup.c:3246
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Zařízení %s není platným zařízením LUKS2."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2106 src/cryptsetup.c:2305
 msgid "Enter new passphrase for key slot: "
 msgstr "Zadejte nové heslo pro pozici klíče: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2140 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Zadejte PIN k tokenu: "
+
+#: src/cryptsetup.c:2142 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Zadejte PIN k tokenu %d: "
+
+#: src/cryptsetup.c:2201
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "POZOR: Parametr --key-slot se použije pro číslo nové pozice klíče.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2278 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Zadejte jakékoliv existující heslo: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2374
 msgid "Enter passphrase to be changed: "
 msgstr "Zadejte heslo, které má být změněno: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2390 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Zadejte nové heslo: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2440
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Zadejte heslo pro pozici klíče, který má být převeden: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2464
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "U operace isLuks je podporován pouze jeden argument se zařízením."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2569
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Pozice klíče %d neobsahuje nepřiřazený klíč."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2574
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2484,52 +2551,52 @@ msgstr ""
 "Výpis hlavičky s nepřiřazeným klíčem je citlivý údaj.\n"
 "Tento výpis by měl být uložen na bezpečném místě a v zašifrované podobě."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2669 src/cryptsetup.c:2705
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s není název aktivního zařízení %s."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2700
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s není název aktivního zařízení LUKS nebo mu chybí hlavička."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2777 src/cryptsetup.c:2796
 msgid "Option --header-backup-file is required."
 msgstr "Je vyžadován přepínač --header-backup-file."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2827
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s není zařízení spravované nástrojem cryptsetup."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2838
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Reaktivace není na zařízení typu %s podporována"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2888
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Nerozpoznaná metadata druhu zařízení %s."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2890
 msgid "Command requires device and mapped name as arguments."
 msgstr "Příkaz vyžaduje jako argumenty zařízení a mapovaný název."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2908
 msgid "Enter OPAL PSID: "
 msgstr "Zadejte Opal PSID: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2908
 msgid "Enter OPAL Admin password: "
 msgstr "Zadejte heslo správce Opal: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2916
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "POZOR: CELÝ disk bude uveden do továrního nastavení a všechna data budou ztracena! Pokračovat?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2959
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2538,356 +2605,368 @@ msgstr ""
 "Tento úkon smaže všechny pozice s klíči na zařízení %s.\n"
 "Po jeho dokončení zařízení bude nepoužitelné."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2966
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operace zrušena, pozice s klíči NEBYLY smazány.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3005
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Neplatný druh formátu LUKS. Podporován je pouze LUKS1 a LUKS2."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3021
 #, c-format
 msgid "Device is already %s type."
 msgstr "Zařízení je již druhu %s."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3028
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Tato operace převede formát %s na %s.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3031
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operace zrušena, zařízení NEBYLO převedeno.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3071
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Chybí přepínač --priority, --label nebo --subsystem."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3105 src/cryptsetup.c:3145 src/cryptsetup.c:3165
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d je neplatný."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3108 src/cryptsetup.c:3168
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d se používá."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3120
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Přidání tokenu %d klíčenky LUKS2 selhalo."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3131 src/cryptsetup.c:3194
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Přiřazení tokenu %d do pozice s klíčem %d selhalo."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d se nepoužívá."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3185
 msgid "Failed to import token from file."
 msgstr "Import tokenu ze souboru selhal."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3210
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Získání tokenu %d za účelem exportu selhalo."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3223
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Token %d není přiřazen pozici s klíčem %d."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3225 src/cryptsetup.c:3232
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Zrušení přiřazení tokenu %d k pozici s klíčem %d selhalo."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3291
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Přepínač --tcrypt-hidden, --tcrypt-system nebo --tcrypt-backup je podporován jen u zařízení TCRYPT."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3294
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Přepínače --veracrypt a --disable-veracrypt jsou podporovány jen u typu zařízení TCRYPT."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3297
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Přepínač --veracrypt-pim je podporován jen u zařízení kompatibilním s VeraCrypt."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3301
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Přepínač --veracrypt-query-pim je podporován jen u zařízení kompatibilním s VeraCrypt."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3303
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Přepínače --veracrypt-pim a --veracrypt-query-pim se vzájemně vylučují."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3312
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Přepínač --persistent není dovolen současně s --test-passphrase."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3315
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Přepínače --refresh a --test-passphrase se vzájemně vylučují."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3318
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Přepínač --shared je dovolen jen při úkonu otevírání zařízení plain."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3321
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Přepínač --skip je podporován jen při otevírání zařízení plain a loopaes."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3324
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Při otevírání je přepínač --offset podporován jen u zařízení plain a loopaes."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3327
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Přepínač --tcrypt-hidden nelze použít s přepínačem --allow-discards."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3331
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Otevírání s přepínačem velikosti sektoru je podporován jen u zařízení plain."
 
 # FIXME: "Large IV sectors" should read "IV large sectors".
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3335
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Volba inicializačního vektoru s velkými sektory je podporována jen při otevírání zařízení typu plain s velikostí sektoru větší než 512 bajtů."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3340
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS, TCRYPT, BITLK a FVAULT2."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3343 src/cryptsetup.c:3373
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Přepínače --device-size a --size nelze kombinovat."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3346
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Přepínač --unbound je dovolen jen při otevírání zařízení LUKS."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3349
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Přepínač --unbound není dovolen současně s --test-passphrase."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3353
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Přepínač --volume-key-keyring nelze použít s přepínači --hash a --volume-key-file."
+
+#: src/cryptsetup.c:3356
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Oba přepínače --volume-key-file musí být ve dvojici s odpovídajícími přepínači --key-size."
+
+#: src/cryptsetup.c:3365 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Přepínače --cancel-deferred a --deferred se vzájemně vylučují."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Přepínače --reduce-device-size a --device-size nelze kombinovat."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3381
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Přepínač --active-name lze použít jen u zařízení LUKS2."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3384
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Přepínače --active-name a --force-offline-reencrypt nelze kombinovat."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3387
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Přepínače --new-volume-key-file a --keep-key nelze kombinovat."
+
+#: src/cryptsetup.c:3390
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Přepínače --new-volume-key-keyring a --keep-key nelze kombinovat."
+
+#: src/cryptsetup.c:3398 src/cryptsetup.c:3428
 msgid "Keyslot specification is required."
 msgstr "Je nutné určit pozici s klíčem."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3406
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Přepínače --align-payload a --offset nelze kombinovat."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3409
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Přepínač --integrity-no-wipe smí být použit jen při formátování s rozšířením integrity."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3412
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3420
 msgid "Key size is required with --unbound option."
 msgstr "Přepínač --unbound vyžaduje velikost klíče."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3440
 msgid "Invalid token action."
 msgstr "Neplatná operace tokenu."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3443
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Parametr --key-description je při přidávání tokenu povinný."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3460
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Akce vyžaduje určitý token. Použijte parametr --token-id."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3451
 msgid "Option --unbound is valid only with token add action."
 msgstr "Přepínač --unbound lze použít pouze s akcí přidání."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3453
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Přepínače --key-slot a --unbound nelze kombinovat."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3458
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Akce vyžaduje určitou pozici klíče. Použijte parametr --key-slot."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3474
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<zařízení> [--type <druh>] [<název>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3474 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "otevře zařízení jako <název>"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3475 src/cryptsetup.c:3476 src/cryptsetup.c:3477
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<název>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3475 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "zavře zařízení (odstraní mapování)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3476 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "změní velikost aktivního zařízení"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3477
 msgid "show device status"
 msgstr "zobrazí stav zařízení"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3478
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <šifra>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3478
 msgid "benchmark cipher"
 msgstr "zhodnotí výkon šifry"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3479 src/cryptsetup.c:3480 src/cryptsetup.c:3481
+#: src/cryptsetup.c:3482 src/cryptsetup.c:3483 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3494 src/cryptsetup.c:3495 src/cryptsetup.c:3496
+#: src/cryptsetup.c:3497 src/cryptsetup.c:3498 src/cryptsetup.c:3499
 msgid "<device>"
 msgstr "<zařízení>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3479
 msgid "try to repair on-disk metadata"
 msgstr "pokusí se opravit metadata uložená na disku"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3480
 msgid "reencrypt LUKS2 device"
 msgstr "přešifruje zařízení LUKS2"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3481
 msgid "erase all keyslots (remove encryption key)"
 msgstr "smaže všechny pozice s klíči (odstraní šifrovací klíč)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3482
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "převede formát LUKS do/z formátu LUKS2"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3483
 msgid "set permanent configuration options for LUKS2"
 msgstr "nastaví trvalé volby konfigurace pro LUKS2"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485
 msgid "<device> [<new key file>]"
 msgstr "<zařízení> [<soubor_s_novým_klíčem>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3484
 msgid "formats a LUKS device"
 msgstr "naformátuje zařízení LUKS"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3485
 msgid "add key to LUKS device"
 msgstr "do zařízení LUKS přidá klíč"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3486 src/cryptsetup.c:3487 src/cryptsetup.c:3488
 msgid "<device> [<key file>]"
 msgstr "<zařízení> [<soubor_s_klíčem>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3486
 msgid "removes supplied key or key file from LUKS device"
 msgstr "odstraní zadaný klíč nebo soubor s klíčem ze zařízení LUKS"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3487
 msgid "changes supplied key or key file of LUKS device"
 msgstr "změní zadaný klíč nebo soubor s klíčem u zařízení LUKS"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3488
 msgid "converts a key to new pbkdf parameters"
 msgstr "převede klíč do nových parametrů PBKDF"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3489
 msgid "<device> <key slot>"
 msgstr "<zařízení> <pozice_klíče>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3489
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "smaže klíč s číslem <pozice_klíče> ze zařízení LUKS"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3490
 msgid "print UUID of LUKS device"
 msgstr "zobrazí UUID zařízení LUKS"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3491
 msgid "tests <device> for LUKS partition header"
 msgstr "otestuje <zařízení> na hlavičku oddílu LUKS"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3492
 msgid "dump LUKS partition information"
 msgstr "vypíše údaje o oddílu LUKS"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3493
 msgid "dump TCRYPT device information"
 msgstr "vypíše údaje o oddílu TCRYPT"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3494
 msgid "dump BITLK device information"
 msgstr "vypíše údaje o zařízení BITLK"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3495
 msgid "dump FVAULT2 device information"
 msgstr "vypíše údaje o zařízení FVAULT2"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3496
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Uspí zařízení LUKS a smaže klíč (všechny operace budou zmrazeny)"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3497
 msgid "Resume suspended LUKS device"
 msgstr "Probudí uspané zařízení LUKS"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3498
 msgid "Backup LUKS device header and keyslots"
 msgstr "Zálohuje hlavičku zařízení LUKS a jeho pozice s klíči"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3499
 msgid "Restore LUKS device header and keyslots"
 msgstr "Obnoví hlavičku zařízení LUKS a jeho pozice s klíči"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3500
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <zařízení>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3500
 msgid "Manipulate LUKS2 tokens"
 msgstr "Zachází s tokeny LUKS2"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3519 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2895,7 +2974,7 @@ msgstr ""
 "\n"
 "<akce> je jedna z:\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3525
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2907,7 +2986,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3529
 #, c-format
 msgid ""
 "\n"
@@ -2922,7 +3001,7 @@ msgstr ""
 "<pozice_klíče> je číslo pozice klíče LUKS, který se má upravit\n"
 "<soubor_s_klíčem> je volitelný soubor s novým klíčem pro akci luksAddKey\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3536
 #, c-format
 msgid ""
 "\n"
@@ -2931,7 +3010,7 @@ msgstr ""
 "\n"
 "Výchozí zakompilovaný formát metadat (pro akci luksFormat) je %s.\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3541
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2939,12 +3018,12 @@ msgstr ""
 "\n"
 "Podpora pro zásuvný modul externího tokenu LUKS2 je zapnuta.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3542
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Cesta k zásuvnému modulu externího tokenu LUKS2: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3544
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2952,7 +3031,7 @@ msgstr ""
 "\n"
 "Podpora pro zásuvný modul externího tokenu LUKS2 je vypnuta.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3548
 #, c-format
 msgid ""
 "\n"
@@ -2969,7 +3048,7 @@ msgstr ""
 "Výchozí PBKDF pro LUKS2: %s\n"
 "\tDoba iterací: %d, nutná paměť: %d kB, souběžná vlákna: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3559
 #, c-format
 msgid ""
 "\n"
@@ -2984,111 +3063,123 @@ msgstr ""
 "\tplain: %s, Klíč: %d bitů, Haš hesla: %s\n"
 "\tLUKS: %s, Klíč: %d bitů, Haš hlavičky LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3568
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: V režimu XTS (dva vnitřní klíče) bude výchozí velikost klíče zdvojnásobena.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3586 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: vyžaduje %s jako argumenty"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3626 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Pozice klíče není platná."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3654
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Velikost zařízení musí být násobkem 512bajtových sektorů."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3659
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Zadána neplatná maximální velikost horké zóny při přešifrování."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3673 src/cryptsetup.c:3690 src/cryptsetup.c:3702
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Velikost klíče musí být násobkem 8 bitů."
 
+#: src/cryptsetup.c:3680
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Zadat lze nejvíce 2 velikosti klíče."
+
 # TODO: Pluralize
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3709 src/cryptsetup.c:3720
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Zadat lze nejvíce %d klíčů svazku."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3732
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Zadat lze nejvíce %d klíčenek."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3741
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Maximální velikost zmenšení zařízení je 1 GiB."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3744
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Velikost zmenšení musí být násobkem 512bajtových sektorů."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3761
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Přepínač --priority smí mít pouze argument ignore, normal a prefer."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3780 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Zobrazí tuto nápovědu"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3781 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Zobrazí stručný návod na použití"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3782 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Vypíše verzi balíku"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3793 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Přepínače nápovědy:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3816 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[PŘEPÍNAČ…] <akce> <přepínače_akce>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3825 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Chybí argument <akce>."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3904 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Neznámá akce."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3922
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Přepínač --key-file má přednost před zadaným argumentem souboru s klíčem."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3928
 msgid "Only one --key-file argument is allowed."
 msgstr "Je dovolen pouze jeden argument přepínače --key-file."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3933
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Funkce pro odvození klíče na základě hesla (PBKDF) smí být pouze pbkdf2 nebo argon2i/argon2id."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3938
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Vynucené iterace PBKDF nelze kombinovat s volnou doby iterací."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3943
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "Je-li klíčenka vypnuta, klíč svazku nelze do klíčenky přidat."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3948
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Je-li klíčenka vypnuta, popis klíče z klíčenky nelze použít."
+
+#: src/cryptsetup.c:3953
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Inline integrita musí být použita spolu s přepínačem --integrity."
+
+#: src/cryptsetup.c:3964
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Přepínače --keyslot-cipher a --keyslot-key-size musí být použity spolu."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3972
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Žádný úkon nebude proveden. Zavoláno s přepínačem --test-args.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3985
 msgid "Cannot disable metadata locking."
 msgstr "Zamykání metadata nelze vypnout."
 
@@ -3116,72 +3207,72 @@ msgstr "Nelze vytvořit soubor %s s kořenovým hašem určený k zápisu."
 msgid "Cannot write to root hash file %s."
 msgstr "Do souboru %s s kořenovým hašem nelze zapsat."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Zařízení %s není platným zařízením VERITY."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Soubor %s s kořenovým hašem nelze vytvořit."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Neplatný soubor %s s kořenovým hašem."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "Zadán neplatný řetězec s kořenovým hašem."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Neplatné soubor s podpisem %s."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Soubor s podpisem %s nelze číst."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Příkaz vyžaduje argument <kořenový_haš> nebo přepínač --root-hash-file."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<zařízení_dat> <zařízení_hašů>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "naformátuje zařízení"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<zařízení_dat> <zařízení_hašů> [<kořenový_haš>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "ověří zařízení"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<zařízení_dat> <název> <zařízení_hašů> [<kořenový_haš>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "zobrazí stav aktivního zařízení"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<zařízení_hašů>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "zobrazí údaje z disku"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3196,7 +3287,7 @@ msgstr ""
 "<zařízení_hašů> je zařízení obsahující ověřovací data\n"
 "<kořenový_haš> haš kořenového uzlu na <zařízení_hašů>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3207,15 +3298,19 @@ msgstr ""
 "Výchozí zakompilované parametry dm-verity:\n"
 "\tHaš: %s, Datový blok (bajty): %u, Blok hašů (bajty): %u, Velikost soli: %u, Formát haše: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Přepínače --ignore-corruption a --restart-on-corruption nelze použít najednou."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Přepínač --panic-on-corruption a --restart-on-corruption nelze použít najednou."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Přepínač --error-as-corruption potřebuje přepínač --panic-on-corruption nebo --restart-on-corruption."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3225,29 +3320,33 @@ msgstr ""
 "Pro zachování datového zařízení použije přepínač --no-wipe (a pak jej\n"
 "aktivujte pomocí --integrity-recalculate)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Formátováno s velikostí značky %u, vnitřní integrita %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Formátováno s velikostí značky %u%s, vnitřní integrita %s.\n"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (inline hardwarové značky)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Nastavení příznaku přepočtu není podporováno, místo toho zvažte použití --wipe."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Zařízení %s není platným zařízením INTEGRITY."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<zařízení_s_daty_integrity>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<zařízení_s_daty_integrity> <název>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3258,7 +3357,7 @@ msgstr ""
 "<název> je zařízení, které bude vytvořeno pod %s\n"
 "<zařízení_s_daty_integrity> je zařízení obsahující data se značkami integrity\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3272,43 +3371,51 @@ msgstr ""
 "\tMaximální velikost souboru s klíčem: %d kB\n"
 
 # TODO: Pluralize
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Neplatná velikost --%s. Maximální je %u bajtů."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s klíčem a velikostí klíče."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s klíčem žurnálu a velikostí klíče."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Je-li použit klíč integrity žurnálu, musí být zadán algoritmus integrity žurnálu."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s šifrovacím klíčem žurnálu a velikostí klíče."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Je-li použit šifrovací klíč žurnálu, musí být zadán algoritmus šifrování žurnálu."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Přepínače režimu bitmapy a obnovení se vzájemně vylučují."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Přepínače žurnálu nelze použití spolu s režimem bitmapy."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Přepínače bitmapy lze použít jen při režimu bitmapy."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Režim inline nelze kombinovat s možnostmi žurnálu a bitmapy."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Režim inline nelze kombinovat se odděleným zařízením pro data."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3457,6 +3564,14 @@ msgstr "Soubor s klíčem %s nelze otevřít pro zápis."
 msgid "Cannot write to keyfile %s."
 msgstr "Do souboru s klíčem %s nelze zapsat."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Název je příliš dlouhý."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Název nesmí obsahovat znak „/“."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3519,37 +3634,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Kontrola odolnosti hesla selhala: Špatné heslo (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Čtení se zastavilo na maximální délce pro interaktivní vstup, heslo může být zkráceno."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Chyba při čtení hesla z terminálu."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Ověřte heslo: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Hesla se neshodují."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Ve vstupu z terminálu nelze měnit polohu."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Zadejte heslo: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Zadejte heslo pro %s: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "S tímto heslem není dostupný žádný klíč."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Nejsou dostupné žádné použitelné pozice s klíči."
 
@@ -3557,20 +3676,20 @@ msgstr "Nejsou dostupné žádné použitelné pozice s klíči."
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Se vstupem mimo terminál nelze ověřit heslo."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Soubor %s se nepodařilo otevřít pouze pro čtení."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Poskytněte JSON s platným tokenem LUKS2:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "Soubor s dokumentem JSON se nepodařilo přečíst."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3578,12 +3697,12 @@ msgstr ""
 "\n"
 "Čtení přerušeno."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Otevření souboru %s pro zápis selhalo."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3591,26 +3710,26 @@ msgstr ""
 "\n"
 "Zápis přerušen."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "Zapsaní souboru s dokumentem JSON selhalo."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Automaticky nalezené aktivní zařízení DM „%s“ pro datové zařízení %s.\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Držitele zařízení %s nebylo možné automaticky nalézt."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Zařízení %s není blokovým zařízením.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3623,7 +3742,7 @@ msgstr ""
 "To může vést k poškození dat, bylo-li zařízení ve skutečnosti aktivováno.\n"
 "Pro přešifrování za běhu použijte parametr --active-name.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3633,45 +3752,49 @@ msgstr ""
 "aktivní, nebo ne. Pro obejití kontroly a spuštění v režimu offline\n"
 "(nebezpečné!) použijte --force-offline-reencrypt."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Na současnou operaci přešifrování nelze použít požadovaný přepínač --resilience."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Zařízení není ve stavu přešifrování LUKS2. Neslučitelný přepínač --encrypt."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Zařízení není ve stavu dešifrování LUKS2. Neslučitelný přepínač --decrypt."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Zařízení je ve stavu přešifrování pomocí odolnosti posunu dat. Požadovaný přepínač --resilience nelze použít."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1923
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Bez pozic pro klíče nelze určit velikost klíče svazku LUKS. Prosím, použijte přepínač --new-key-size."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Zařízení vyžaduje obnovu přešifrování. Spusťte nejprve opravu."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Zařízení %s je již ve stavu přešifrování LUKS2. Přejete si dokončit dříve zahájenou operaci?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Zastaralé přešifrování LUKS2 již není podporováno."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "Zařízení LUKS2 nastavené k používání Opal nelze přešifrovat."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Přešifrování zařízení s profilem integrity není podporováno."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3680,103 +3803,110 @@ msgstr ""
 "Požadovaný --sector-size %<PRIu32> není slučitelný se superblokem %s\n"
 "(velikost bloku %<PRIu32> bajtů) nalezeném na zařízení %s."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2203
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Přešifrování bez oddělené hlavičky (--header) není možné bez zmenšení velikosti datového zařízení (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Požadovaný počátek dat musí být menší nebo roven polovině parametru --reduce-device-size"
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Upravuje se hodnota --reduce-device-size na dvojnásobek --offset %<PRIu64> (v sektorech).\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Dočasný soubor s hlavičkou %s již existuje. Operace se ruší."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Dočasný soubor s hlavičkou %s nelze vytvořit."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Velikost metadat LUKS2 je větší než hodnota posunu dat."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Umístění nové hlavičky na začátek zařízení %s selhalo."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s je nyní aktivní a připraveno pro přešifrování za běhu.\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Aktivní zařízení %s není LUKS2."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Obnovuje se původní hlavička LUKS2."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Obnovení původní hlavičky LUKS2 selhalo."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Soubor s hlavičkou %s neexistuje. Přejete si zahájit dešifrování LUKS2 zařízení %s a export hlavičku LUKS2 do souboru %s?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Přidání práv na čtení/zápis souboru s hlavičkou selhalo."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Inicializace přešifrování selhala. Záloha hlavičky je dostupná v %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "Dešifrování LUKS2 je podporováno jen u zařízení s oddělenou hlavičkou (počátek dat na 0)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Toto zařízení nebylo možné odemknout žádným tokenem."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "Nedostatek pozic s klíči pro přešifrování."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Soubor s klíčem a popis klíče v klíčence lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Zadejte heslo pro pozici klíče %d: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Zadejte heslo pro pozici klíče %u: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Přepíná se algoritmus šifrování dat na %s.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1976 src/utils_reencrypt.c:1997
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Pro přešifrování zařízení s aktivními pozicemi klíče přímým předáním klíčů svazku použijte --force-no-keyslots."
+
+#: src/utils_reencrypt.c:1992
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Přepínač --new-volume-key-file musí být ve dvojici s --new-key-size."
+
+#: src/utils_reencrypt.c:2034
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Žádné parametry oblasti s daty nebyly změněny. Přešifrování zrušeno."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2071
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3785,8 +3915,8 @@ msgstr ""
 "podporováno. Nejprve zařízení aktivujte, nebo použijte přepínač\n"
 "--force-offline-reencrypt (nebezpečné!)."
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2113 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3794,67 +3924,67 @@ msgstr ""
 "\n"
 "Přešifrování přerušeno."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2118
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Dokončuje se přešifrování LUKS ve vynuceném režimu offline.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2141
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Zařízení %s obsahuje porušená metadata LUKS. Operace se ruší."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2157 src/utils_reencrypt.c:2179
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Zařízení %s je již zařízením LUKS. Operace se ruší."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2185
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Zařízení %s je již ve stavu přešifrování LUKS. Operace se ruší."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2268
 msgid "LUKS2 decryption requires --header option."
 msgstr "Dešifrování LUKS2 vyžaduje přepínač --header."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2316
 msgid "Command requires device as argument."
 msgstr "Příkaz vyžaduje jako argument zařízení."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2329
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Neslučitelné verze. Zařízení %s je LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2335
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Neslučitelné verze. Zařízení %s je ve stavu přešifrování LUKS1."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2341
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Neslučitelné verze. Zařízení %s je LUKS2."
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2347
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Neslučitelné verze. Zařízení %s je ve stavu přešifrování LUKS2."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2353
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Přešifrování LUKS2 je již inicializováno. Operace se ruší."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2360
 msgid "Device reencryption not in progress."
 msgstr "Neprobíhá žádné přešifrování zařízení."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Zařízení %s nelze výlučně otevřít. Zařízení se používá."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "Alokace zarovnané paměti se nezdařila."
 
@@ -3877,11 +4007,11 @@ msgstr "Zařízení %s není možné zapsat."
 msgid "Cannot write reencryption log file."
 msgstr "Nelze zapsat soubor s protokolem přešifrování."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Soubor s protokolem přešifrování nelze načíst."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Chybný formát protokolu."
 
@@ -3890,130 +4020,134 @@ msgstr "Chybný formát protokolu."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Soubor s protokolem %s existuje, pokračuje se v přerušeném přešifrování.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Aktivuje se dočasné zařízení za pomoci staré hlavičky LUKS."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Aktivuje se dočasné zařízení za pomoci nové hlavičky LUKS."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Aktivace dočasných zařízení selhala."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Nastavení polohy dat selhalo."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Nastavení velikosti metadat selhalo."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Byla vytvořena nová hlavička LUKS zařízení %s."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Záloha hlavičky %s zařízení %s byla vytvořena."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "Záložní hlavičky LUKS se nepodařilo vytvořit."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Hlavičku %s na zařízení %s nelze obnovit."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Hlavička %s na zařízení %s byla obnovena."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Nelze otevřít dočasné zařízení LUKS."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Velikost zařízení nelze zjistit."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "Chyba vstupu/výstupu během přešifrování."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "Poskytnuté UUID není platné."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Nelze otevřít soubor s protokolem přešifrování."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Žádné dešifrování není rozpracované. Poskytnuté UUID lze použít jen k dokončení pozastaveného procesu dešifrování."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Přešifrování změní: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "klíč svazku"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "nastaví haš na "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", nastaví šifru na "
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "POZOR: Zařízení %s již obsahuje vzorec oddílu „%s“.\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "POZOR: Zařízení %s již obsahuje vzorec superbloku „%s“.\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Sondu vzorců zařízení se nepodařilo inicializovat."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "O zařízení %s nebylo možné zjistit údaje."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Soubor %s nebylo možné otevřít pro čtení i zápis."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Existující vzorec oddílu „%s“ na zařízení %s bude vymazán."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Existující vzorec superbloku „%s“ na zařízení %s bude vymazán."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "Odstranění vzorce ze zařízení selhalo."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Otestování zařízení %s na vzorce selhalo."
@@ -4028,6 +4162,50 @@ msgstr "Zadána neplatná velikost v parametru --%s."
 msgid "Option --%s is not allowed with %s action."
 msgstr "Přepínač --%s není dovolen s akcí %s."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Určení typu v přepínači --link-vk-to-keyring pro zadání klíčenky se ignoruje."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Typy klíčů musí být stejné pro oba klíče svazku."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Oba klíče svazku musí být přidány do stejné klíčenky."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Musíte zadat více názvů klíčů."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Neplatná hodnota --link-vk-to-keyring."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Binární data pozice klíče %d mohou být poškozena.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Podezřelé místo: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Další podezřelá místa nebudou hlášena.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Z tohoto zařízení nelze pozici klíče %d přečíst."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Data lze prozkoumat pomocí „hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\"“.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Zapsaní dokumentu JSON pro token SSH selhalo."
@@ -4195,6 +4373,34 @@ msgstr "Na stroji není povolena autentizace veřejným klíčem.\n"
 msgid "Public key authentication error: "
 msgstr "Chyba při autentizaci veřejným klíčem: "
 
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Do uživatelem zadané klíčenky se nepodařilo přidat klíče svazku."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Klíč se nepodařilo odstranit z klíčenky vlákna."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "Aktivace částečně dešifrovaného zařízení BITLK není podporována."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Čtení požadavků na LUKS2 selhalo."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Pozor: operace s pozicí klíče by mohla selhat, protože potřebuje více paměti, než je k dispozici.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Stavu přešifrování se nepodařilo zjistit."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Čtení hesla z klíčenky selhalo."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Přepínače --reduce-device-size a --device-size nelze kombinovat."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Zadejte heslo pro pozici klíče %u: "
+
 #~ msgid "compiled-in"
 #~ msgstr "zakompilována"
 
@@ -4274,9 +4480,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: "
 #~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 #~ msgstr "Přepínač --keep-key lze použít jen s přepínači --hash, --iter-time nebo --pbkdf-force-iterations."
 
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "Přepínač --new nelze být použit spolu s --decrypt."
-
 #~ msgid "Option --decrypt is incompatible with specified parameters."
 #~ msgstr "Přepínač --decrypt se neslučuje se zadanými parametry."
 
@@ -4367,9 +4570,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: "
 #~ msgid "Progress line update (in seconds)"
 #~ msgstr "Aktualizace ukazatele postupu (v sekundách)"
 
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Kolikrát se lze zeptat na heslo"
-
 #~ msgid "Align payload at <n> sector boundaries - for luksFormat"
 #~ msgstr "Zarovnává data na hranici <n> sektorů – pro luksFormat"
 
@@ -4822,9 +5022,6 @@ msgstr "Chyba při autentizaci veřejným klíčem: "
 #~ msgid "Invalid size parameters for verity device."
 #~ msgstr "Neplatné parametry velikosti pro zařízení VERITY."
 
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "Je-li použit klíč integrity, musí být zadán algoritmus integrity."
-
 #~ msgid "Wrong key size."
 #~ msgstr "Špatná velikost klíče."
 
diff --git a/po/de.po b/po/de.po
index 84d68e8..ad7727c 100644
--- a/po/de.po
+++ b/po/de.po
@@ -1,14 +1,14 @@
 # German translation for the cryptsetup package.
 # Copyright (C) 2010 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Roland Illig <roland.illig@gmx.de>, 2010-2024.
+# Roland Illig <roland.illig@gmx.de>, 2010-2025.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-07 20:31+0200\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-14 15:42+0100\n"
 "Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
 "Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
 "Language: de\n"
@@ -17,72 +17,80 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Poedit 3.4.4\n"
+"X-Generator: Poedit 3.7\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden, da das Programm nicht mit Root-Rechten läuft."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden. Ist das Kernelmodul »dm_mod« geladen?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Verlangter »deferred«-Schalter wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID für Gerät »%s« wurde verkürzt."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Unbekannte Art des dm-Ziels."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Die verlangten dm-crypt-Performance-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Die verlangten dm-verity-Datenbeschädigungs-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Die verlangte dm-verity-Tasklet-Option wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Die verlangten dm-verity-FEC-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Die verlangten Datenintegritäts-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "Die verlangte sector_size-Option wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "Gerätegröße ist kein Vielfaches der gewünschten Sektorgröße."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Die verlangte integrity_key_size-Option wird nicht unterstützt."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Die verlangte automatische Berechnung der Integritätsangaben wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr "»Discard/TRIM« wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Der verlangte Bitmap-Modus für dm-Integrität wird nicht unterstützt."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Der verlangte Inline-Modus für dm-Integrität wird nicht unterstützt."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Fehler beim Abfragen des »dm-%s«-Segments."
@@ -116,747 +124,777 @@ msgstr "Unbekannte Qualität des Zufallszahlengenerators verlangt."
 msgid "Error reading from RNG."
 msgstr "Fehler beim Einlesen vom Zufallszahlengenerator."
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "OPAL-Unterstützung ist in libcryptsetup deaktiviert."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "Gerät »%s« oder Kernel unterstützt OPAL-Verschlüsselung nicht."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Fehler beim Initialisieren des Krypto-Zufallszahlengenerator-Backends."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Fehler beim Initialisieren des Krypto-Backends."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hash-Algorithmus »%s« wird nicht unterstützt."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Fehler beim Verarbeiten des Schlüssels (mit Hash-Algorithmus »%s«)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Geräte-Art kann nicht bestimmt werden. Inkompatible Aktivierung des Geräts?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr "Diese Operation wird nur für LUKS-Geräte unterstützt."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Diese Operation wird nur für LUKS2-Geräte unterstützt."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr "Alle Schlüsselfächer sind voll."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie eins zwischen 0 und %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Schlüsselfach %d ist voll, bitte wählen Sie ein anderes."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr "Gerätegröße ist nicht an logischer Sektorgröße ausgerichtet."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Header gefunden, aber Gerät »%s« ist zu klein."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr "Diese Operation wird für diese Geräteart nicht unterstützt."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Ungültige Operation, während die Wiederverschlüsselung läuft."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Fehler beim Rückabwickeln der LUKS2-Metadaten im Speicher."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Gerät »%s« ist kein gültiges LUKS-Gerät."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nicht unterstützte LUKS-Version %d."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "Kein bekanntes Verschlüsselungsmuster für aktives Gerät »%s« entdeckt."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr "Gerät »%s« ist nicht aktiv."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Zugrundeliegendes Gerät für das Kryptogerät »%s« ist verschwunden."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Ungültige Parameter für Plain-Verschlüsselung."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Ungültige Schlüsselgröße."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID wird für diese Verschlüsselungsart nicht unterstützt."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Gerät für separierte Metadaten wird für diese Verschlüsselungsart nicht unterstützt."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr "Gerätegröße ist nicht an verlangter Sektorgröße ausgerichtet."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Ohne Gerät kann LUKS nicht formatiert werden."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Gezontes Gerät »%s« kann nicht für einen LUKS-Kopfbereich verwendet werden."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Die angeforderte Datenausrichtung ist nicht mit dem Datenoffset kompatibel."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "Warnung: DAX-Gerät kann Daten beschädigen, da es nicht garantiert, dass Sektoren atomar aktualisiert werden.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Fehler beim Auslöschen des Headers auf Gerät »%s«."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Gerät %s ist zu klein für die Aktivierung, es ist kein Platz mehr für Daten vorhanden.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Laufwerksschlüssel ist zu klein für die Verschlüsselung mit Integritätserweiterungen."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Integritäts-Schlüsselgröße ist zu klein."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Verschlüsselung »%s-%s« (Schlüsselgröße %zd Bits) ist nicht verfügbar."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "WARNUNG: Die Geräteaktivierung wird fehlschlagen, dm-crypt fehlt die Unterstützung für die angeforderte Verschlüsselungsgröße.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr "Gerät »%s« ist zu klein."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Gerät »%s« kann nicht formatiert werden, da es gerade benutzt wird."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Gerät »%s« kann nicht formatiert werden, Zugriff verweigert."
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Fehler beim Formatieren der Integrität auf Gerät »%s«."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Gerät »%s« kann nicht formatiert werden."
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "Fehler beim Ermitteln der OPAL-Ausrichtungs-Parameter."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Falsche Größe für logischen OPAL-Block."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "Falsche Größe für logischen OPAL-Block, weicht von der Geräte-Blockgröße ab."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "Der gewünschte Datenoffset ist nicht mit der OPAL-Blockgröße kompatibel."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "Die gewünschte Datenausrichtung ist nicht mit der OPAL-Ausrichtung kompatibel."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "Der Datenoffset erfüllt die OPAL-Ausrichtungsbedingungen nicht."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "Die gewünschte Datenausrichtung erfüllt die Anforderungen an die Ausrichtung des Sperrbereichs nicht."
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "Gerätegröße wird um %<PRIu64> Sektoren angepasst, um zur Granularität der OPAL-Ausrichtung zu passen."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "Fehler beim Zugriff auf die OPAL-Sperre für das Gerät »%s«."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Falscher OPAL-Admin-Schlüssel."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "Fehler beim Einrichten des OPAL-Segments."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "Gerät »%s« kann nicht formatiert werden, OPAL-Gerät scheint jetzt komplett schreibgeschützt zu sein."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "Das könnte ein Fehler in der Firmware sein. Lassen Sie »OPAL PSID reset und reconnect« zur Wiederherstellung."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "Fehler beim Zurücksetzen des Sperrbereichs %d auf Gerät »%s«."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Ohne Gerät kann LOOPAES nicht formatiert werden."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Ohne Gerät kann VERITY nicht formatiert werden."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nicht unterstützte VERITY-Hash-Art %d."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Nicht unterstützte VERITY-Blockgröße."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Nicht unterstützter VERITY-Hash-Offset."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nicht unterstützter VERITY-FEC-Offset."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "Datenbereich und Hashbereich überlappen sich."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "Hashbereich und FEC-Bereich überlappen sich."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "Datenbereich und FEC-Bereich überlappen sich."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Größen der Integritätsschlüssel passen nicht zusammen."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "WARNUNG: Angeforderte Taggröße mit %d Bytes unterscheidet sich von der Ausgabe der Größe %s (%d Bytes).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "Unbekannte Art des Verschlüsselungsgeräts »%s« verlangt."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Unbekannte oder nicht unterstützte Art des Verschlüsselungsgeräts »%s« verlangt."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Gerät »%s« bietet keine Datenfelder für Inline-Integrität."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Die Inline-Tag-Größe %<PRIu32> [Bytes] ist größer als die %<PRIu32> vom Gerät %s bereitgestellte."
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Der Sektor muss mit dem Hardware-Sektor des Geräts übereinstimmen (%zu Bytes)."
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nicht unterstützte Parameter für Gerät %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Parameter für Gerät %s sind durcheinander."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr "Verschlüsselungsgeräte passen nicht zusammen."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Gerät »%s« konnte nicht neugeladen werden."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Gerät »%s« konnte nicht stillgelegt werden."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Gerät »%s« konnte nicht fortgesetzt werden."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Schwerwiegender Fehler beim Neuladen von Gerät »%s« (über Gerät »%s«)."
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Gerät »%s« konnte nicht auf dm-error umgeschaltet werden."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr "Größe des LUKS2-Geräts kann nicht geändert werden, da sie statisch ist."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Die Größenänderung eines LUKS2-Geräts mit Integritätsschutz wird nicht unterstützt."
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr "Fehler beim Ändern der Größe des Loopback-Geräts."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "WARNUNG: Die maximale Größe ist bereits eingestellt oder der Kernel unterstützt die Größenänderung nicht.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Fehler bei Größenänderung, der Kernel unterstützt sie nicht."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr "Wollen Sie wirklich die UUID des Geräts ändern?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Header-Backupdatei enthält keinen kompatiblen LUKS-Header."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Laufwerk »%s« ist nicht aktiv."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Laufwerk »%s« ist bereits im Ruhezustand."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Das Gerät »%s« unterstützt keinen Ruhezustand."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Das Gerät »%s« kann nicht in den Ruhezustand versetzt werden."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Gerät »%s« ist im Ruhezustand, aber das Hardware-OPAL-Gerät kann nicht gesperrt werden."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Das Gerät »%s« kann nicht aus dem Ruhezustand aufgeweckt werden."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Fehler beim Aufwecken von Gerät »%s« aus dem Ruhezustand."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "Fehler beim Ablösen des Laufwerkschlüssels vom benutzerspezifischen Schlüsselbund."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr "Fehler beim Verknüpfen des Laufwerkschlüssels im benutzerspezifischen Schlüsselbund."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Laufwerk »%s« ist nicht im Ruhezustand."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr "Neues Schlüsselfach konnte nicht ausgewechselt werden."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Schlüsselfach %d ist ungültig."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Schlüsselfach %d ist nicht aktiv."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr "Geräteheader und Datenbereich überlappen sich."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Wiederverschlüsselung läuft bereits. Das Gerät kann nicht aktiviert werden."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr "Fehler beim Zugriff auf die Sperre zur Wiederverschlüsselung."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung mittels Laufwerksschlüssel(n)."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "Fehler beim Verknüpfen von Laufwerkschlüsseln im benutzerspezifischen Schlüsselbund."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Geräteart ist nicht richtig initialisiert."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr "Das Gerät »%s« existiert bereits."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Gerät »%s« kann nicht verwendet werden, da es gerade benutzt wird oder der Name ungültig ist."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Die Laufwerksschlüssel für die Wiederverschlüsselung passen nicht zum Laufwerk."
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr "Falscher Laufwerksschlüssel für Plain-Gerät angegeben."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Die Laufwerksschlüssel für die Wiederverschlüsselung passen nicht zum Laufwerk."
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "Geräteart ist nicht richtig initialisiert."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Der Kernel-Schlüsselbund wird vom Kernel nicht unterstützt."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Der Kernel-Schlüsselbund fehlt. Wird benötigt, um die Signatur zum Kernel zu übergeben."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Schlüsselringschlüssel »%s« kann nicht verwendet werden."
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr "OPAL unterstützt verzögertes Deaktivieren nicht."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Fehler beim Abbrechen des verzögerten Löschens von Gerät »%s«."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Gerät »%s« wird gerade benutzt."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Fehler beim Abbrechen des verzögerten Löschens von Gerät »%s«."
+
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr "Ungültiges Gerät »%s«."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr "Laufwerks-Schlüsselpuffer zu klein."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS2-Gerät."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für LUKS1-Gerät."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für Plain-Gerät."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Root-Hash für Verity-Gerät kann nicht ermittelt werden."
 
-#: lib/setup.c:6199
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für BITLK-Gerät."
 
-#: lib/setup.c:6204
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für FVAULT2-Gerät."
 
-#: lib/setup.c:6206
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Diese Operation wird für Kryptogerät »%s« nicht unterstützt."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr "Die Dump-Operation wird für diese Geräteart nicht unterstützt."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Datenoffset ist kein Vielfaches von %u Bytes."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Gerät »%s« kann nicht konvertiert werden, da es gerade benutzt wird."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Schlüsselfach %u konnte nicht dem Laufwerksschlüssel zugeordnet werden."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Fehler beim Initialisieren der LUKS2-Schlüsselfach-Parameter."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Schlüsselfach %d konnte nicht dem Digest zugeordnet werden."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "Fehler beim Loslösen des Laufwerkschlüssels vom Thread-Schlüsselbund."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "Schlüsselbund mit der Beschreibung »%s« nicht gefunden."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Globale Speicherzugriffsserialisierungssperre konnte nicht angefordert werden."
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Fehler beim Öffnen der Schlüsseldatei."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Fehler beim Einlesen der Schlüsseldatei »%s« vom Terminal."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "Fehler beim Öffnen der Schlüsseldatei."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Fehler beim Zugriff auf die Schlüsseldatei."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Zu wenig Speicher zum Einlesen der Passphrase."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Fehler beim Einlesen der Passphrase."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Nichts zu lesen in der Eingabe."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Größenbegrenzung für die Schlüsseldatei überschritten."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Die gewünschte Menge an Daten kann nicht eingelesen werden."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Gerät »%s« existiert nicht oder Zugriff verweigert."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Gerät »%s« ist nicht kompatibel."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Merkwürdige Optimale-Datenübertragungs-Größe für Datengerät (%u Bytes) wird ignoriert."
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Gerät »%s« ist zu klein. Mindestens %<PRIu64> Bytes erforderlich."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Gerät »%s« kann nicht benutzt werden, da es bereits anderweitig benutzt wird."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Gerät »%s« kann nicht verwendet werden, Zugriff verweigert."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Fehler beim Abrufen der Infos über Gerät »%s«."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Das Loopback-Gerät kann nicht benutzt werden, da das Programm nicht mit Root-Rechten läuft."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Anklemmen des Loopback-Geräts fehlgeschlagen (das Loopback-Gerät benötigt den »autoclear«-Schalter)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Der angeforderte Offset ist jenseits der wirklichen Größe des Geräts »%s«."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Gerät »%s« hat die Größe 0."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Verlangte Vorgabezeit für PBKDF darf nicht 0 sein."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Unbekannte PBKDF, Typ »%s«."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Verlangter Hash »%s« wird nicht unterstützt."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Verlangter PBKDF-Typ wird von LUKS1 nicht unterstützt."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Für pbkdf2 dürfen weder das Speichermaximum noch die Anzahl der Threads angegeben werden."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Anzahl der verlangten Durchläufe ist zu gering für %s (Minimum ist %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Verlangte Speicherkosten sind zu gering für %s (Minimum sind %u Kilobyte)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Das verlangte Speicherkosten-Maximum ist zu hoch (maximal %d Kilobyte)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Die angeforderten maximalen PBKDF-Speicherkosten sind zu hoch (begrenzt durch die Maximalgröße einer Ganzzahl)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Der verlangte PBKDF-Speicherbedarf darf nicht 0 sein."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Das verlangte Maximum für PBKDF-Parallelitätskosten ist zu hoch (maximal %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Die Anzahl der verlangten parallelen Threads für PBKDF darf nicht 0 sein."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "Im FIPS-Modus wird ausschließlich PBKDF2 unterstützt."
 
@@ -883,25 +921,25 @@ msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (kein Verzeichn
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (%s ist kein Verzeichnis)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Fehler beim Springen zum Gerät-Offset."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Fehler beim gründlichen Löschen des Geräts, an Offset %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "Falsche OPAL-PSID."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "Fehler beim Leeren des OPAL-Geräts."
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -911,47 +949,47 @@ msgstr ""
 "Stellen Sie sicher, dass der Kernel die Verschlüsselung »%s« unterstützt.\n"
 "(Sehen Sie im System-Log nach, ob sich dort Hinweise finden.)"
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Schlüsselgröße im XTS-Modus muss entweder 256 oder 512 Bits sein."
 
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Verschlüsselungsverfahren sollte im Format [Verfahren]-[Modus]-[IV] sein."
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Fehler beim Schreiben auf Gerät »%s«, Zugriff verweigert."
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr "Fehler beim Öffnen des temporären Schlüsselspeichergeräts."
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr "Fehler beim Zugriff auf das temporäre Schlüsselspeichergerät."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "E/A-Fehler beim Verschlüsseln des Schlüsselfachs."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Fehler beim Öffnen des Geräts »%s«."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "E/A-Fehler beim Entschlüsseln des Schlüsselfachs."
 
@@ -967,32 +1005,32 @@ msgstr "Gerät »%s« ist zu klein. (LUKS1 benötigt mindestens %<PRIu64> Bytes.
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS-Schlüsselfach %u ist ungültig."
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Angeforderte Header-Backupdatei »%s« existiert bereits."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Fehler beim Anlegen der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Fehler beim Speichern der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Backupdatei enthält keinen gültigen LUKS-Header."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Fehler beim Öffnen der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Fehler beim Einlesen der Header-Backupdatei »%s«."
@@ -1014,7 +1052,7 @@ msgstr "enthält keinen LUKS-Header. Das Ersetzen des Headers kann Daten auf dem
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "enthält bereits einen LUKS-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1041,7 +1079,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Chiffre-Hash in Kleinbuchstaben umgewandelt (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Verlangter LUKS-Hash »%s« wird nicht unterstützt."
@@ -1089,7 +1127,7 @@ msgstr "LUKS-Verschlüsselungsmodus %s ist ungültig."
 msgid "LUKS hash %s is invalid."
 msgstr "LUKS-Hash %s ist ungültig."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr "Keine bekannten Probleme im LUKS-Header erkannt."
 
@@ -1103,17 +1141,17 @@ msgstr "Fehler beim Aktualisieren des LUKS-Headers auf Gerät »%s«."
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Fehler beim Neueinlesen des LUKS-Headers nach dem Aktualisieren auf Gerät »%s«."
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Daten-Offset für LUKS-Header muss entweder 0 sein oder mehr als die Headergröße."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Falsches LUKS-UUID-Format angegeben."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Einlesen des zufälligen Salts."
 
@@ -1123,48 +1161,48 @@ msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Einlesen des zufäll
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Hashen des Headers (mit Hash-Algorithmus »%s«)."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Schlüsselfach %d aktiv, löschen Sie es erst."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Material für Schlüsselfach %d enthält zu wenige Streifen. Manipulation des Headers?"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Überlauf im Iterationswert von PBKDF2."
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Schlüsselfach kann nicht geöffnet werden (mit Hash-Algorithmus »%s«)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie ein Schlüsselfach zwischen 0 und %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Gerät »%s« kann nicht ausgelöscht werden."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Noch nicht unterstützte verschlüsselte GPG-Schlüsseldatei erkannt."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Bitte benutzen Sie »gpg --decrypt <SCHLÜSSELDATEI> | cryptsetup --keyfile=- …«\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Inkompatible Loop-AES-Schlüsseldatei erkannt."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Kernel unterstützt Loop-AES-kompatibles Mapping nicht."
 
@@ -1183,168 +1221,197 @@ msgstr "Maximale Länge der TCRYPT-Passphrase (%zu) überschritten."
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Der Hash-Algorithmus »%s« für PBKDF2 wird nicht unterstützt, überspringe diesen Teil."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr "Die benötigte Crypto-Kernel-Schnittstelle ist nicht verfügbar."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Stellen Sie sicher, dass das Kernelmodul »algif_skcipher« geladen ist."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivierung wird für die Sektorengröße %d nicht unterstützt."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Der Kernel unterstützt die Aktivierung für diesen TCRYPT-Legacymodus nicht."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "TCRYPT-Systemverschlüsselung für Partition »%s« wird aktiviert."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Offset der TCRYPT-Systempartition kann nicht bestimmt werden, daher wird der gesamte verschlüsselte Bereich aktiviert."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Offset der TCRYPT-Systempartition kann nicht bestimmt werden, daher wird das Gerät als Systempartition aktiviert."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Kernel unterstützt TCRYPT-kompatibles Mapping nicht."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Diese Funktionalität braucht einen geladenen TCRYPT-Header."
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Parsen des unterstützten Volume Master Keys gefunden."
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Ungültige Zeichenkette beim Parsen des Volume Master Key gefunden."
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Unerwartete Zeichenkette »%s« beim Parsen des Volume Master Key gefunden."
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Unerwarteter Metadaten-Eintrag %u beim Einlesen des unterstützten Volume Master Key gefunden."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK Version 1 wird derzeit nicht unterstützt."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Ungültige oder unbekannte Bootsignatur für BITLK-Gerät."
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Nicht unterstützte Sektorengröße %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Fehler beim Lesen des BITLK-Headers von »%s«."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "Fehler beim Lesen oder Validieren der BITLK-FVE-Metadaten-Kopie Nummer %d von »%s«."
+
+#: lib/bitlk/bitlk.c:603
+#, c-format
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "Fehler beim Lesen oder Validieren der BITLK-FVE-Metadaten von »%s«."
+
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "Fehler beim Validieren des Speicherorts der BITLK-FVE-Metadaten von »%s«."
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "Die BITLK-FVE-Metadaten haben sich zwischen dem Lesen von »%s« geändert."
+
+#: lib/bitlk/bitlk.c:628
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "Fehler beim Schreiben der BITLK-FVE-Metadaten von »%s«."
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "Fehler beim Hashen der der BITLK-FVE-Metadaten, die von »%s« gelesen wurden."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "Fehler beim Auslesen der BITLK-FVE-Validierungs-Metadaten von »%s«."
+
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr "Unbekannte oder nicht unterstützte Verschlüsselungsart."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
-msgstr "Fehler beim Lesen der BITLK-Metadaten von »%s«."
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "Fehler beim Überprüfen der BITLK-Metadaten-Einträge, die zuvor von »%s« gelesen wurden."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr "Fehler beim Konvertieren der BITLK-Volumenbeschreibung"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Parsen des externen Schlüssels gefunden."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "Die GUID der BEK-Datei »%s« stimmt nicht mit der GUID des Laufwerks überein."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Unerwarteter Metadaten-Eintrag »%u« beim Einlesen des externen Schlüssels gefunden."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Nicht unterstützte BEK-Metadatenversion %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Unerwartete BEK-Metadatengröße %<PRIu32> stimmt nicht mit BEK-Dateilänge überein"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Einlesen des Startschlüssels gefunden."
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr "Diese Operation wird nicht unterstützt."
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr "Unerwartete Größe des Datenschlüssels."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Dieses BITLK-Gerät ist in einem nicht unterstützten Zustand und kann daher nicht aktiviert werden."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "BITLK-Geräte der Art »%s« können nicht aktiviert werden."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "Aktivieren eines teilweise entschlüsselten BITLK-Geräts wird nicht unterstützt."
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "WARNUNG: BitLocker-Datenträgergröße %<PRIu64> stimmt nicht mit der zugrunde liegenden Gerätegröße %<PRIu64> überein"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für BITLK-IV."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Gerät kann nicht aktiviert werden, da dem Kernelmodul dm-crypt die Unterstützung für BITLK-Elephant-Verschleierer fehlt."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für große Sektoren."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Gerät kann nicht aktiviert werden, das Kernelmodul dm-crypt existiert nicht."
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Fehler beim Einlesen von %u Bytes aus dem Laufwerks-Kopfbereich."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Nicht unterstützte VFAULT2-Version %<PRIu16>."
@@ -1381,24 +1448,24 @@ msgstr "Verifikation der Stammhash-Signatur wird nicht unterstützt."
 msgid "Root hash signature required."
 msgstr "Signatur des Stammhashes erforderlich."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Fehler können mit einem FEC-Gerät nicht repariert werden."
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "%u reparierbare Fehler mit FEC-Gerät gefunden."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Kernel unterstützt dm-verity-Zuordnung nicht."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Kernel unterstützt Signatur-Option für dm-verity nicht."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Verity-Gerät hat eine Verfälschung nach der Aktivierung festgestellt."
 
@@ -1421,23 +1488,23 @@ msgstr "Fehler beim Verifizieren an Position %<PRIu64>."
 msgid "Hash area overflow."
 msgstr "Überlauf des Hashbereichs."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Fehler beim Verifizieren des Datenbereichs."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Fehler beim Verifizieren des Root-Hashes."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "E/A-Fehler beim Anlegen des Hash-Bereiches."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "Fehler beim Anlegen des Hash-Bereiches."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "WARNUNG: Kernel kann das Gerät nicht aktivieren, wenn die Datenblockgröße die Seitengröße (%u) übersteigt."
@@ -1487,34 +1554,38 @@ msgstr "Ungültige FEC-Segmentlänge."
 msgid "Failed to determine size for device %s."
 msgstr "Fehler beim Ermitteln der Größe von Gerät »%s«."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Inkompatible Metadaten des Kernelmoduls dm-integrity (Version %u) auf %s entdeckt."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Kernel unterstützt dm-integrity-Zuordnung nicht."
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Kernel unterstützt feste Ausrichtung der Metadaten für dm-integrity nicht."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Der Kernel weigert sich, die unsichere Neuberechnungs-Option zu aktivieren. Um dies zu übersteuern, können Sie die veralteten Aktivierungsoptionen nutzen."
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Kernel unterstützt dm-integrity-Inlinemodus nicht."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Fehler beim exklusiven Schreibzugriff auf Gerät »%s«."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Es wurde ein Versuch erkannt, die LUKS2-Metadaten nebenläufig zu ändern. Die Operation wird abgebrochen."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1522,59 +1593,63 @@ msgstr ""
 "Gerät enthält mehrdeutige Signaturen, LUKS2 kann nicht automatisch wiederhergestellt werden.\n"
 "Bitte führen Sie \"cryptsetup repair\" zur Wiederherstellung aus."
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "WARNING: Der Schlüsselfach-Bereich (%<PRIu64> Bytes) ist sehr klein, die LUKS2-Schlüsselfachanzahl ist sehr begrenzt.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Verlangter Daten-Offset ist zu klein."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "Warnung: Größe der LUKS2-Metadaten wurde auf %<PRIu64> geändert.\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "Warnung: Größe des LUKS2-Schlüsselfachbereichs wurde auf %<PRIu64> Bytes geändert.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Fehler beim Zugriff auf die Lesesperre für das Gerät »%s«."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "Etikett ist zu lang."
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Verbotene LUKS2-Anforderungen in Backup »%s« entdeckt."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Unterschiedliche Datenoffsets auf Gerät und Backup. Wiederherstellung fehlgeschlagen."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Unterschiedliche Größe der Binärheader mit Schlüsselfach-Bereichen zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Gerät »%s« %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "enthält keinen LUKS2-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "enthält bereits einen LUKS2-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1584,7 +1659,7 @@ msgstr ""
 "WARNUNG: Unbekannte LUKS2-Anforderungen im echten Geräteheader entdeckt!\n"
 "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen!"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1594,111 +1669,111 @@ msgstr ""
 "WARNUNG: Unvollendete Offline-Wiederverschlüsselung auf dem Gerät entdeckt!\n"
 "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen."
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Unbekannter Schalter »%s« wird ignoriert."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Fehlender Schlüssel für dm-crypt-Segment %u"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr "Fehler beim Festlegen des »dm-crypt«-Segments."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr "Fehler beim Festlegen des »dm-linear«-Segments."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "Kein bekanntes Verschlüsselungsmuster in LUKS2-Kopfbereich entdeckt."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr "OPAL-Gerät muss statische Gerätegröße haben."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "Verschlüsseltes OPAL-Gerät mit Integrität muss kleiner als der Sperrbereich sein."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr "OPAL-Gerät muss dieselbe Größe wie der Sperrbereich haben."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "Das OPAL-Gerät »%s« ist bereits entsperrt.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr "Nicht unterstützte Konfiguration für Geräteintegrität."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "Das zugrundeliegende dm-integrity-Gerät hat unerwartete Datensektoren bereitgestellt."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Wiederverschlüsselung läuft gerade. Das Gerät kann nicht deaktiviert werden."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Das stillgelegte Gerät »%s« mit dm-error-Ziel konnte nicht in den Fehlerzustand gesetzt werden."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "Gerät »%s« wurde deaktiviert, aber das Hardware-OPAL-Gerät kann nicht gesperrt werden."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "Fehler beim Lesen der LUKS2-Anforderungen."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Unerfüllte LUKS2-Anforderungen entdeckt."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für Altlasten-Wiederverschlüsselung markiert ist. Wird abgebrochen."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für LUKS2-Wiederverschlüsselung markiert ist. Wird abgebrochen."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das OPAL verwendet. Wird abgebrochen."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Der Vorgang ist nicht kompatibel mit einem Gerät, das Inline-HW-Tags verwendet. Abbruch."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Nicht genügend Speicher, um ein Schlüsselfach zu öffnen."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Fehler beim Öffnen des Schlüsselfachs."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Der Algorithmus %s-%s kann nicht für Schlüsselfach-Verschlüsselung verwendet werden."
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Nicht genug freier Speicher, um den Schlüssel für ein Schlüsselfach abzuleiten."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Der Hash-Algorithmus »%s« ist nicht verfügbar."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "Warnung: Schlüsselbund-Vorgang könnte fehlschlagen, da er mehr Speicher benötigt als verfügbar ist.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr "Nicht genug Speicherplatz für neues Schlüsselfach."
 
@@ -1724,428 +1799,438 @@ msgstr "Fehler beim Prüfen des Zustands von Gerät mit der UUID %s."
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Fehler beim Konvertieren des Headers mit zusätzlichen LUKSMETA-Metadaten."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Die Chiffrierspezifikation %s-%s kann für LUKS2 nicht verwendet werden."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Die Verschlüsselungsangabe %s-%s kann für LUKS2-Schlüsselfach nicht verwendet werden."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Nicht genug Speicherplatz."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Fehler beim Konvertieren ins LUKS2-Format: ungültige Metadaten."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Bereich für die LUKS2-Schlüsselfächer ist zu klein."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
-msgstr "Fehler beim Konvertieren in LUKS1-Format: Standardgröße für Verschlüsselungssektoren ist nicht 512 Bytes."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: Standardgröße für Verschlüsselungssektoren ist nicht 512 Bytes."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
-msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach-Digeste sind nicht zu LUKS1 kompatibel."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: Schlüsselfach-Digeste sind nicht zu LUKS1 kompatibel."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
-msgstr "Fehler beim Konvertieren in LUKS1-Format: Gerät verwendet eingepacktes Verschlüsselungsverfahren %s."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: Gerät verwendet eingepacktes Verschlüsselungsverfahren %s."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Fehler beim Konvertieren ins LUKS1-Format: Gerät verwendet mehr Segmente."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
-msgstr "Fehler beim Konvertieren in LUKS1-Format: LUKS2-Header enthält %u Token."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: LUKS2-Header enthält %u Token."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: Es gibt keine aktiven Schlüsselfächer."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
-msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist in ungültigem Zustand."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: Schlüsselfach %u ist in ungültigem Zustand."
+
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Fehler beim Konvertieren ins LUKS1-Format: Schlüsselfach %u ist unbegrenzt."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u (über Maximalfach) ist noch aktiv."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist nicht zu LUKS1 kompatibel."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Die Größe der Hotzone muss ein Vielfaches der berechneten Zonenausrichtung (%zu Bytes) sein."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Gerätegröße muss ein Vielfaches der berechneten Zonenausrichtung (%zu Bytes) sein."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher alter Segmente."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher neuer Segmente."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
 msgstr "Fehler beim Initialisieren des Hotzone-Schutzes."
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
 msgstr "Fehler beim Lesen der Prüfsummen für die aktuelle Hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Fehler beim Lesen des Hotzone-Bereichs, der bei %<PRIu64> beginnt."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Fehler beim Entschlüsseln von Sektor %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Fehler beim Wiederherstellen von Sektor %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Die Größe der Quell- und Zielgeräte stimmt nicht überein. Quelle %<PRIu64>, Ziel: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Fehler beim Aktivieren des Hotzone-Geräts »%s«."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "Fehler bei der Speicherzuweisung des Hotzone-Geräts »%s«."
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Fehler beim Aktivieren des Überlagerungsgeräts »%s« mit der tatsächlichen Ursprungstabelle."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Fehler beim Laden der neuen Zuordnung für Gerät »%s«."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Fehler beim Auffrischen des Gerätestapels für Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr "Fehler beim Festlegen der neuen Bereichsgröße für Schlüsselfächer."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Datenverschiebung ist nicht an der angeforderten Verschlüsselungs-Sektorgröße (%<PRIu32> Bytes) ausgerichtet."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Nicht unterstützter Modus »%s« für Widerstandsfähigkeit"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Die Größe des verschobenen Segments kann nicht größer als der Wert der Datenverschiebung sein."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr "Ungültige Parameter für die robuste Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Das verschobene Segment ist zu groß. Angeforderte Größe %<PRIu64>, verfügbarer Platz %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr "Fehler beim Leeren der Tabelle."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Datenverschiebung (%<PRIu64> Sektoren) ist weniger als der zukünftige Datenoffset (%<PRIu64> Sektoren)."
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
 msgid "Reduced data size is larger than real device size."
 msgstr "Die reduzierte Datengröße ist größer als die tatsächliche Gerätegröße."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Datengerät ist nicht an der angeforderten Verschlüsselungs-Sektorgröße (%<PRIu32> Bytes) ausgerichtet."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Datenverschiebung (%<PRIu64> Sektoren) ist weniger als der zukünftige Datenoffset (%<PRIu64> Sektoren)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Fehler beim exklusiven Öffnen von »%s« (wird bereits anderweitig benutzt)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Das Gerät ist nicht für LUKS2-Wiederverschlüsselung markiert."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Fehler beim Laden des LUKS2-Wiederverschlüsselungs-Kontextes."
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "Fehler beim Einlesen des Wiederverschlüsselungs-Zustands."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr "Das Gerät befindet sich nicht in der Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr "Der Wiederverschlüsselungs-Vorgang läuft bereits."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr "Fehler beim Zugriff auf die Schreibsperre für die Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Führen Sie zuerst die Wiederverschlüsselungs-Wiederherstellung durch."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Aktive Gerätegröße und angeforderte Wiederverschlüsselungsgröße passen nicht zusammen."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Ungültige Gerätegröße wurde in den Wiederverschlüsselungsparametern angefordert."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Wiederverschlüsselung läuft bereits. Wiederherstellung ist nicht möglich."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung."
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "Fehler beim Initialisieren des Gerätestapels für Wiederverschlüsselung."
+
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "LUKS2-Wiederverschlüsselung ist in den Metadaten bereits initialisiert."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "LUKS2-Wiederverschlüsselung konnte in den Metadaten nicht initialisiert werden."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "Wiederverschlüsselung wird für DAX-Geräte (persistenten Speicher) nicht unterstützt."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "Fehler beim Lesen der Passphrase vom Schlüsselbund."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Fehler beim Festlegen der Gerätesegmente für die nächste Wiederverschlüsselungs-Hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Fehler beim Schreiben der Metadaten für robuste Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr "Fehler beim Entschlüsseln."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Fehler beim Schreiben des Hotzone-Bereichs, der bei %<PRIu64> beginnt."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr "Fehler beim Synchronisieren von Daten."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Fehler beim Aktualisieren der Metadaten, nachdem die aktuelle Wiederverschlüsselungs-Hotzone beendet wurde."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr "Fehler beim Schreiben der LUKS2-Metadaten."
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
 msgstr "Fehler beim gründlichen Löschen des ungenutzten Bereichs auf dem Gerät."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Fehler beim Entfernen des ungenutzten (ungebundenen) Schlüsselfachs %d."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr "Fehler beim Entfernen des Schlüsselfachs zur Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Schwerwiegender Fehler beim Wiederverschlüsseln des Blocks bei %<PRIu64>, %<PRIu64> Sektoren lang."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr "Fehler bei Online-Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Das Gerät nicht fortsetzen, außer es wird manuell durch das Fehlerziel ersetzt."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Unerwarteter Zustand der Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr "Fehlender oder ungültiger Wiederverschlüsselungs-Kontext."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "Fehler beim Initialisieren des Gerätestapels für Wiederverschlüsselung."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr "Fehler beim Aktualisieren des Wiederverschlüsselungskontexts."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Die Metadaten für die Wiederverschlüsselung sind ungültig."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "OPAL-Bereich %d mit Offset %<PRIu64> entspricht nicht dem erwarteten Wert %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "OPAL-Bereich %d mit Länge %<PRIu64> entspricht nicht der Gerätegröße %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "In OPAL-Bereich %d ist das Sperren deaktiviert."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "Unerwarteter Sperrzustand in OPAL-Bereich %d."
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Verschlüsselungsparameter für Schlüsselfach wird nur für LUKS2-Geräte unterstützt."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Geben Sie die PIN des Tokens ein: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Geben Sie die PIN des Tokens %d ein: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Verschlüsselungsparameter für Schlüsselfach sind nicht mit LUKS2-Schlüsselfach-Verschlüsselung kompatibel."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Kein bekanntes Verschlüsselungsmuster entdeckt."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "Warnung: Für den Verschlüsselungsalgorithmus werden die Standardeinstellungen (%s-%s, Schlüsselgröße %u Bit) verwendet, das kann inkompatibel zu älteren Versionen sein."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "Warnung: Für den Hashalgorithmus werden die Standardeinstellungen (%s) verwendet, das kann inkompatibel zu älteren Versionen sein."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "Im einfachen Modus stets die Optionen --cipher, --key-size und (wenn keine Schlüsseldatei verwendet wird) auch --hash nutzen."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "Im einfachen Modus stets die Optionen --cipher, --key-size und (wenn weder Schlüsseldatei noch Schlüsselring verwendet wird) auch --hash nutzen."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "WARNUNG: Der Parameter --hash wird im Plain-Modus ignoriert, wenn eine Schlüsseldatei angegeben ist.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "WARNUNG: Die Option --keyfile-size wird ignoriert, da die Lesegröße die gleiche ist wie die Verschlüsselungsschlüsselgröße ist.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "Fehler beim Blkid-Scan für %s."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Gerätesignaturen auf »%s« erkannt. Wenn Sie fortfahren, könnte das bestehende Daten beschädigen."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Vorgang abgebrochen.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Die Option »--key-file« muss angegeben werden."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "VeraCrypt-PIM eingeben: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Ungültiger PIM-Wert: Formatfehler."
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Ungültiger PIM-Wert: 0."
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Ungültiger PIM-Wert: außerhalb des gültigen Bereichs."
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "Kein Geräte-Header mit dieser Passphrase gefunden."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Gerät »%s« ist kein gültiges BITLK-Gerät."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Die Größe des Laufwerksschlüssels für BITLK kann nicht ermittelt werden, bitte nutzen Sie die Option »--key-size«."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2157,7 +2242,7 @@ msgstr ""
 "daher ausschließlich an einem sicheren Ort und verschlüsselt\n"
 "aufbewahrt werden."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2169,73 +2254,73 @@ msgstr ""
 "daher ausschließlich an einem sicheren Ort und verschlüsselt\n"
 "aufbewahrt werden."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Gerät »%s« ist kein gültiges FVAULT2-Gerät."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Die Größe des Laufwerksschlüssels für FVAULT2 kann nicht ermittelt werden, bitte nutzen Sie die Option »--key-size«."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Gerät »%s« ist noch aktiv und zum verzögerten Entfernen eingeplant.\n"
 
 # upstream: period missing
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "Fehler beim Festlegen des externen Tokenpfads »%s«."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Um die Größe von aktiven Geräten zu öndern, muss der Laufwerksschlüssel im Schlüsselbund sein, aber die Option --disable-keyring wurde angegeben."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr "Benchmark unterbrochen."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     (nicht zutreffend)\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u Iterationen pro Sekunde für %zu-Bit-Schlüssel\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s (nicht zutreffend)\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u Iterationen, %5u Speicher, %1u parallele Threads (CPUs) für %zu-Bit-Schlüssel (Zieldauer %u Millisekunden)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr "Das Ergebnis des Benchmarks ist nicht zuverlässig."
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Die Tests sind nur annähernd genau, da sie nicht auf den Datenträger zugreifen.\n"
 
 # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption".
 # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators.
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s   Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Verschlüsselung »%s« (mit Schlüsselgröße %i Bits) ist nicht verfügbar."
@@ -2243,15 +2328,15 @@ msgstr "Verschlüsselung »%s« (mit Schlüsselgröße %i Bits) ist nicht verfü
 # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption".
 # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators.
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#   Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr "N/A"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2259,27 +2344,27 @@ msgstr ""
 "Ungeschützte LUKS2-Metadaten für die Wiederverschlüsselung entdeckt. Bitte überprüfen Sie, ob die Wiederverschlüsselungsoperation erwünscht ist (siehe luksDump-Ausgabe)\n"
 "und fahren Sie nur fort (Upgrade der Metadaten), wenn Sie den Vorgang als echt anerkennen."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Geben Sie die Passphrase für den Schutz und das Aktualisieren der Metadaten für die Wiederverschlüsselung ein: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Wirklich mit der Wiederherstellung der LUKS2-Wiederverschlüsselung fortfahren?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Geben Sie die Passphrase für das Prüfen der Metadaten für die Wiederverschlüsselung ein: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Geben Sie die Passphrase für die Wiederherstellung der Wiederverschlüsselung ein: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr "Wirklich versuchen, den LUKS-Geräteheader wiederherzustellen?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2287,7 +2372,7 @@ msgstr ""
 "\n"
 "Gründlich löschen unterbrochen."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2296,156 +2381,167 @@ msgstr ""
 "Sie können diesen Vorgang mit Strg+C unterbrechen (der nicht gesäuberte Bereich des Geräts wird dann ungültige Prüfsummen haben).\n"
 
 # upstream: it is boring that I have to translate the newline at the end of each of these messages. Translating strings without newlines is much easier and faster. Since it is redundant anyway (all calls to log_err have a trailing newline), this newline should be written implicitly.
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Fehler beim Deaktivieren des temporären Geräts »%s«."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "OPAL hw-only Verschlüsselung unterstützt nicht --cipher und --key-size, die Optionen werden ignoriert."
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Die Integritätsoption kann nur für das LUKS2-Format verwendet werden."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nicht unterstützte Optionen für Größe der LUKS-Metadaten."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "OPAL wird nur für das LUKS2-Format unterstützt."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Inline-Hardware-Tokens werden nur für das LUKS2-Format unterstützt."
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Die Headerdatei existiert nicht, soll sie angelegt werden?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Fehler beim Anlegen der Headerdatei »%s«."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Kein bekanntes Integritätsspezifikationsmuster entdeckt."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "Die angegebene Integritätsschlüsselgröße kann nicht verwendet werden."
+
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Das Gerät »%s« kann nicht als Datenträger-Header benutzt werden."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Hiermit werden die Daten auf »%s« unwiderruflich überschrieben."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr "Das OPAL-Admin-Passwort darf nicht leer sein."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Fehler beim Festlegen der PBKDF-Parameter."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "Die Typangabe in --link-vk-to-keyring wird ignoriert."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "Beide Laufwerksschlüssel müssen vom gleichen Schlüsseltyp sein."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Beide Laufwerksschlüssel müssen mit demselben Schlüsselbund verknüpft sein."
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Sie müssen weitere Schlüsselnamen angeben."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Ungültiger Wert für --link-vk-to-keyring."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Verringerter Datenoffset ist nur für separaten LUKS-Header erlaubt."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "LUKS-Datei-Container %s ist zu klein für die Aktivierung, es ist kein Platz mehr für Daten vorhanden."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Die Größe des Laufwerksschlüssels erfordert Schlüsselfächer, bitte nutzen Sie dazu die Option »--key-size«."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Das Gerät benötigt zwei Laufwerksschlüssel."
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Einige angegebene Aktivierungsparameter wurden bei der OPAL-nur-Hardware-Verschlüsselung ignoriert."
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr "Gerät aktiviert, aber die Schalter können nicht dauerhaft gespeichert werden."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Schlüsselfach %d zum Löschen ausgewählt."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Dies ist das letzte Schlüsselfach. Wenn Sie diesen Schlüssel löschen, wird das Gerät unbrauchbar."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr "Geben Sie irgendeine verbleibende Passphrase ein: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Vorgang abgebrochen, das Schlüsselfach wurde NICHT gesäubert.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr "Geben Sie die zu löschende Passphrase ein: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Gerät »%s« ist kein gültiges LUKS2-Gerät."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr "Geben Sie die neue Passphrase für das Schlüsselfach ein: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Geben Sie die PIN des Tokens ein: "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Geben Sie die PIN des Tokens %d ein: "
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "WARNUNG: Der Parameter --key-slot wird für die neue Nummer des Schlüsselfachs verwendet.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Geben Sie irgendeine bestehende Passphrase ein: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr "Geben Sie die zu ändernde Passphrase ein: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Geben Sie die neue Passphrase ein: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Geben Sie die Passphrase für das umzuwandelnde Schlüsselfach ein: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Die Operation »isLuks« unterstützt nur genau ein Geräte-Argument."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Schlüsselfach %d enthält keinen unverbundenen Schlüssel."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2454,52 +2550,52 @@ msgstr ""
 "Dieser Dump sollte daher ausschließlich an einem sicheren Ort und\n"
 "verschlüsselt aufbewahrt werden."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s ist kein aktives %s-Gerät."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s ist kein aktives LUKS-Gerät, oder der Header fehlt."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr "Option »--header-backup-file« muss angegeben werden."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s ist kein von cryptsetup verwaltetes Gerät."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Die Geräteart »%s« kann nicht aufgefrischt werden"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Unbekannte Art »%s« des Metadaten-Geräts."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr "Dieser Befehl benötigt den Gerätenamen und den zugeordneten Namen als Argumente."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr "Geben Sie die OPAL-PSID ein: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr "Geben Sie das OPAL-Admin-Passwort ein: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "Warnung: Der GESAMTE Datenträger wird auf die Werkseinstellungen zurückgesetzt, und alle Daten gehen verloren. Fortsetzen?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2508,351 +2604,363 @@ msgstr ""
 "Diese Operation wird alle Schlüsselfächer auf Gerät »%s« löschen.\n"
 "Dadurch wird das Gerät unbrauchbar."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Vorgang abgebrochen, die Schlüsselfächer wurden NICHT gesäubert.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Invalid LUKS type, only luks1 and luks2 are supported."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr "Das Gerät hat bereits den Typ »%s«."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Diese Operation wird für »%s« ins Format »%s« umwandeln.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Vorgang abgebrochen, das Gerät wurde NICHT konvertiert.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Die Option --priority, --label oder --subsystem fehlt."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d ist ungültig."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d ist in Benutzung."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Fehler beim Hinzufügen des LUKS2-Schlüsselring-Tokens %d."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Token %d kann nicht dem Schlüsselfach %d zugeordnet werden."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d wird gerade nicht verwendet."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr "Token konnte nicht aus der Datei importiert werden."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Auf Token %d kann nicht für den Export zugegriffen werden."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Token %d ist nicht dem Schlüsselfach %d zugeordnet."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Token %d kann nicht vom Schlüsselfach %d losgelöst werden."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Die Optionen --tcrypt-hidden, --tcrypt-system und --tcrypt-backup sind nur zusammen mit einem TCRYPT-Gerät erlaubt."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Die Optionen --veracrypt und --disable-veracrypt werden nur für TCRYPT-kompatible Geräte unterstützt."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Die Option --veracrypt-pim wird nur für VeraCrypt-kompatible Geräte unterstützt."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Die Option --veracrypt-query-pim wird nur für VeraCrypt-kompatible Geräte unterstützt."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Die Optionen --veracrypt-pim und --veracrypt-query-pim schließen sich gegenseitig aus."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Die Option --persistent ist nicht mit --test-passphrase kombinierbar."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Die Optionen --refresh und --test-passphrase schließen sich gegenseitig aus."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Die Option --shared ist nur beim beim »open«-Befehl eines Plain-Gerätes erlaubt."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Die Option --skip ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Die Option --offset mit der Aktion Öffnen wird nur für einfache und loopaes-Geräte unterstützt."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Die Option --tcrypt-hidden kann nicht mit --allow-discards kombiniert werden."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Die Option \"Sektorgröße\" mit der Aktion \"Öffnen\" wird nur für einfache Geräte unterstützt."
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Die Option für große IV-Sektoren wird nur unterstützt, wenn das geöffnete Gerät Sektoren größer als 512 Bytes hat."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS-, TCRYPT-, BITLK- und FVAULT2-Geräten erlaubt."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Die Optionen --device-size und --size können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Die Option »--unbound« ist nur beim »open«-Befehl eines LUKS-Gerätes erlaubt."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Die Option »--unbound« kann nur in Kombination mit »--test-passphrase« verwendet werden."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Die Option --volume-key-keyring kann nicht mit --hash oder --volume-key-file kombiniert werden."
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Beide --volume-key-file-Optionen müssen mit den entsprechenden --key-size-Optionen paarweise auftreten."
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Die Optionen --cancel-deferred und --deferred können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Die Optionen --reduce-device-size und --device-size können nicht kombiniert werden."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Die Option »--active-name« ist nur auf LUKS2-Geräte anwendbar."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Die Optionen »--active-name« und »--force-offline-reencrypt« können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Die Optionen --new-volume-key-file und --keep-key können nicht kombiniert werden."
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Die Optionen --new-volume-key-keyring und --keep-key können nicht kombiniert werden."
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr "Das Schlüsselfach muss angegeben werden."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Die Optionen --align-payload und --offset können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Die Option --integrity-no-wipe ist nur für die »format«-Aktion mit Integritätserweiterung erlaubt."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Nur eine der Optionen --use-[u]random ist erlaubt."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr "Die Option »--unbound« erfordert die Schlüsselgröße."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr "Ungültige Token-Aktion."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Der Parameter --key-description ist Pflicht für die Aktion »token add«."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Die Aktion erfordert ein bestimmtes Token. Verwenden Sie den Parameter --token-id."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr "Die Option »--unbound« kann nur zusammen mit der Aktion zum Hinzufügen eines Tokens verwendet werden."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Die Optionen --key-slot und --unbound können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Die Aktion erfordert ein bestimmtes Schlüsselfach. Verwenden Sie den Parameter --key-slot."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<Gerät> [--type <Art>] [<Name>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "Gerät als <Name> öffnen"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<Name>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "Gerät schließen (Zuordnung entfernen)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "Größe des aktiven Geräts ändern"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr "Gerätestatus anzeigen"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <Algorithmus>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr "Verschlüsselungsalgorithmus benchmarken"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr "<Gerät>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr "Versuchen, die Metadaten auf dem Datenträger zu reparieren"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr "LUKS2-Gerät wiederverschlüsseln"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr "Alle Schlüsselfächer löschen (Verschlüsselungsschlüssel entfernen)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "Zwischen den Formaten LUKS und LUKS2 umwandeln"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr "Permanente Konfigurationsoptionen für LUKS2 festlegen"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr "<Gerät> [<neue Schlüsseldatei>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr "Ein LUKS-Gerät formatieren"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr "Schlüssel zu LUKS-Gerät hinzufügen"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr "<Gerät> [<Schlüsseldatei>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr "Entfernt bereitgestellten Schlüssel oder Schlüsseldatei vom LUKS-Gerät"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr "Ändert den angegebenen Schlüssel oder die Schlüsseldatei des LUKS-Geräts"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr "Wandelt einen Schlüssel in neue PBKDF-Parameter um"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr "<Gerät> <Schlüsselfach>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "Löscht Schlüssel mit Nummer <Schlüsselfach> vom LUKS-Gerät"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr "UUID des LUKS-Geräts ausgeben"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr "Testet <Gerät> auf Header einer LUKS-Partition"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr "LUKS-Partitionsinformationen ausgeben"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr "TCRYPT-Geräteinformationen ausgeben"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr "BITLK-Geräteinformationen ausgeben"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr "VFAULT2-Geräteinformationen ausgeben"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "LUKS-Gerät in Ruhezustand versetzen und alle Schlüssel auslöschen (alle IOs werden eingefroren)"
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr "LUKS-Gerät aus dem Ruhezustand aufwecken"
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr "Header und Schlüsselfächer eines LUKS-Geräts sichern"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr "Header und Schlüsselfächer eines LUKS-Geräts wiederherstellen"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <Gerät>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr "LUKS2-Token manipulieren"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2860,7 +2968,7 @@ msgstr ""
 "\n"
 "<Aktion> ist eine von:\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2872,7 +2980,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2887,7 +2995,7 @@ msgstr ""
 "<Schlüsselfach> ist die Nummer des zu verändernden LUKS-Schlüsselfachs\n"
 "<Schlüsseldatei> optionale Schlüsseldatei für den neuen Schlüssel der »luksAddKey«-Aktion\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
@@ -2896,7 +3004,7 @@ msgstr ""
 "\n"
 "Vorgegebenes festeingebautes Metadatenformat ist %s (für luksFormat-Aktion).\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2904,12 +3012,12 @@ msgstr ""
 "\n"
 "Die Plugin-Unterstützung für externe LUKS2-Tokens ist aktiviert.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Pfad des Plugins für externe LUKS2-Token: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2917,7 +3025,7 @@ msgstr ""
 "\n"
 "Die Plugin-Unterstützung für externe LUKS2-Tokens ist deaktiviert.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2934,7 +3042,7 @@ msgstr ""
 "Vorgabe-PBKDF für LUKS2: %s\n"
 "\tIterationszeit: %d, benötigter Speicher: %d kB, parallele Threads: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2949,110 +3057,122 @@ msgstr ""
 "\tplain: %s, Schlüssel: %d Bits, Passphrase-Hashen: %s\n"
 "\tLUKS: %s, Schlüssel: %d Bits, LUKS-Header-Hashen: %s, Zufallszahlengenerator: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Standard-Schlüsselgröße mit XTS-Modus (zwei interne Schlüssel) wird verdoppelt.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: Benötigt %s als Argumente"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Schlüsselfach ist ungültig."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Die Gerätegröße muss ein Vielfaches von 512-Byte-Sektoren sein."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Ungültige Angabe der Maximalgröße für die Wiederverschlüsselungs-Hotzone."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Schlüsselgröße muss ein Vielfaches von 8 Bit sein"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Es können maximal 2 Schlüsselgrößen angegeben werden."
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Es können maximal %d Laufwerksschlüssel-Angaben verarbeitet werden."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Es können maximal %d Schlüsselbund-Verknüpfungsangaben verarbeitet werden."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Die maximale Verkleinerungsgröße ist 1 GiB."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Die verkleinerte Größe muss ein Vielfaches von 512-Byte-Sektoren sein."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Die Option --priority kann nur »ignore/normal/prefer« sein."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Diese Hilfe anzeigen"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Kurze Aufrufsyntax anzeigen"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Paketversion ausgeben"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Hilfe-Optionen:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPTION...] <Aktion> <aktionsabhängig>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Argument <Aktion> fehlt."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Unbekannte Aktion."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Die Option --key-file wirkt stärker als das angegebene Schlüsseldatei-Argument."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr "Die Option --key-file ist nur einmal erlaubt."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Passwortbasierte Schlüsselableitungsfunktion (PBKDF) kann nur »pbkdf2« oder »argon2i/argon2id« sein."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Bei PBKDF darf nur entweder die Anzahl der Durchläufe oder die Zeitbegrenzung angegeben werden."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "Laufwerkschlüssel kann nicht mit einem Schlüsselbund verbunden werden, solange der Schlüsselbund deaktiviert ist."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Die Beschreibung des Schlüsselbundes kann nicht verwendet werden, wenn der Schlüsselbund deaktiviert ist."
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Inline-Integrität muss zusammen mit der Option »--integrity« benutzt werden."
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Die Optionen --keyslot-cipher und --keyslot-keysize können nur zusammen benutzt werden."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Es wird keine Aktion ausgeführt. Aufgerufen mit der Option --test-args.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr "Fehler beim Deaktivieren der Metadaten-Dateisperre."
 
@@ -3080,72 +3200,72 @@ msgstr "Fehler beim Schreiben des Wurzel-Hash-Abbilds »%s«."
 msgid "Cannot write to root hash file %s."
 msgstr "Fehler beim Schreiben der Wurzel-Hashdatei »%s«."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Gerät »%s« ist kein gültiges VERITY-Gerät."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Fehler beim Anlegen der Wurzel-Hashdatei »%s«."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Ungültige Root-Hash-Datei »%s«."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "Ungültiger Root-Hash-String angegeben."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Ungültige Signaturdatei »%s«."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Fehler beim Einlesen der Signaturdatei »%s«."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Der Befehl erfordert die Option <root_hash> oder --root-hash-file als Argument."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<Datengerät> <Hash-Gerät>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "Gerät formatieren"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<Daten-Gerät> <Hash-Gerät> [<Wurzel_Hash>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "Gerät verifizieren"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<Datengerät> <Name> <Hash-Gerät> [<Wurzel-Hash>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "Status der aktiven Geräte anzeigen"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<Hash-Gerät>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "Auf dem Datenträger gespeicherte Informationen anzeigen"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3160,7 +3280,7 @@ msgstr ""
 "<Hash-Gerät> ist das Gerät, das die Verifikationsdaten enthält\n"
 "<Root-Hash> ist der Hash des Rootknotens auf <Hash-Gerät>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3171,15 +3291,19 @@ msgstr ""
 "Einkompilierte Vorgabewerte für dm-verity:\n"
 "\tHash: %s, Datenblock (Bytes): %u, Hashblock (Bytes): %u, Salt-Größe: %u, Hashformat: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Die Optionen --ignore-corruption und --restart-on-corruption können nicht zusammen benutzt werden."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Die Optionen --panic-on-corruption und --restart-on-corruption können nicht zusammen benutzt werden."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Die Option --error-as-corruption muss mit --panic-on-corruption oder --restart-on-corruption verwendet werden."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3188,29 +3312,33 @@ msgstr ""
 "Dadurch werden Daten auf %s und %s unwiderruflich überschrieben.\n"
 "Um Daten auf dem Gerät zu bewahren, verwenden Sie die Option »--no-wipe« (und aktivieren Sie sie dann mit »--integrity-recalculate«)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Formatiert mit Etikettgröße %u und interner Integrität %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Formatiert mit Etikettgröße %u%s und interner Integrität %s.\n"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (Inline-Hardware-Etiketten)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Das Setzen der Option »recalculate« wird nicht unterstützt, Sie können stattdessen »--wipe« erwägen."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Gerät »%s« ist kein gültiges INTEGRITY-Gerät."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<Integritätsgerät>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<Integritätsgerät> <Name>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3221,7 +3349,7 @@ msgstr ""
 "<Name> ist das Gerät, das unter »%s« angelegt werden soll\n"
 "<Integritätsgerät> ist das Gerät, das die Daten mit Integritätsangaben enthält\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3234,43 +3362,51 @@ msgstr ""
 "\tPrüfalgorithmus: %s\n"
 "\tMaximalgröße der Schlüsseldatei: %d kB\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Ungültige Größe für --%s. Maximum ist %u Bytes."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen angegeben werden."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen für die Journalintegrität angegeben werden."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Wenn ein Integritätsschlüssel für das Journal verwendet wird, muss auch der Integritätsalgorithmus angegeben werden."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Sowohl der Verschlüsselungsschlüssel als auch die Schlüsselgröße müssen für die Journalverschlüsselung angegeben werden."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Wenn ein Verschlüsselungsschlüssel für das Journal verwendet wird, muss auch der Verschlüsselungsalgorithmus angegeben werden."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Die Modi Wiederherstellung und Bitmap schließen sich gegenseitig aus."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Die Journal-Optionen können nicht im Bitmap-Modus verwendet werden."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Die Bitmapoptionen können nur im Bitmapmodus verwendet werden."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Der Inline-Modus kann nicht mit den Optionen Journal oder Bitmap kombiniert werden."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Der Inline-Modus kann nicht mit einem separaten Datengerät kombiniert werden."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3418,6 +3554,14 @@ msgstr "Fehler beim Schreiben der Schlüsseldatei »%s«."
 msgid "Cannot write to keyfile %s."
 msgstr "Fehler beim Schreiben der Schlüsseldatei »%s«."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Der Name ist zu lang."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Der Name darf kein '/'-Zeichen enthalten."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3479,37 +3623,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Passwort-Qualitätsüberprüfung fehlgeschlagen: Falsche Passphrase (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Das Lesen wurde bei der maximalen Länge für interaktive Eingabe angehalten, dadurch kann es sein, dass die Passphrase gekürzt ist."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Fehler beim Lesen der Passphrase vom Terminal."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Passphrase bestätigen: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Passphrasen stimmen nicht überein."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Offset kann nicht zusammen mit Terminaleingabe benutzt werden."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Passphrase eingeben: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Geben Sie die Passphrase für »%s« ein: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "Kein Schlüssel mit dieser Passphrase verfügbar."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Es ist kein nutzbares Schlüsselfach verfügbar."
 
@@ -3517,20 +3665,20 @@ msgstr "Es ist kein nutzbares Schlüsselfach verfügbar."
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Passphrase-Verifikation ist nur auf Terminal-Eingaben möglich."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Datei %s konnte nicht im Nur-Lese-Modus geöffnet werden."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Geben Sie gültiges LUKS2-Token-JSON an:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "JSON-Datei konnte nicht gelesen werden."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3538,12 +3686,12 @@ msgstr ""
 "\n"
 "Lesen unterbrochen."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Datei %s konnte nicht im Schreibmodus geöffnet werden."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3551,26 +3699,26 @@ msgstr ""
 "\n"
 "Schreiben unterbrochen."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "JSON-Datei konnte nicht geschrieben werden."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Automatisch erkanntes aktives dm-Gerät »%s« für Datengerät »%s«.\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Fehler bei der automatischen Erkennung von Gerät »%s«."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Gerät »%s« ist kein Blockgerät.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3583,7 +3731,7 @@ msgstr ""
 "Es kann zu Datenverlust kommen, wenn das Gerät gerade aktiviert ist.\n"
 "Um die Wiederverschlüsselung im Online-Modus durchzuführen, verwenden Sie stattdessen den Parameter --active-name.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3592,45 +3740,49 @@ msgstr ""
 "Gerät %s ist kein Blockgerät. Kann nicht automatisch erkennen, ob es aktiv ist oder nicht.\n"
 "Verwenden Sie --force-offline-reencrypt, um die Prüfung zu umgehen und im Offline-Modus zu laufen (gefährlich!)."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Die angeforderte Option »--resilience« kann nicht auf den aktuellen Wiederverschlüsselungsvorgang angewendet werden."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Das Gerät ist nicht der LUKS2-Verschlüsselung. Die Option »--encrypt« ist widersprüchlich."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Das Gerät ist nicht der LUKS2-Entschlüsselung. Die Option »--encrypt« ist widersprüchlich."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Das Gerät befindet sich in der Wiederverschlüsselung mit Datashift-Resilienz. Die angeforderte Option --resilience kann nicht angewendet werden."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Die Größe des Laufwerksschlüssels kann für LUKS ohne Schlüsselfächer nicht bestimmt werden, bitte verwenden Sie die Option --new-key-size."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Das Gerät erfordert die Wiederherstellung der Wiederverschlüsselung. Führen Sie zuerst die Reparatur aus."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Gerät %s befindet sich bereits in der LUKS2-Neuverschlüsselung. Möchten Sie den zuvor begonnenen Vorgang fortsetzen?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Die veraltete LUKS2-Wiederverschlüsselung wird nicht mehr unterstützt."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "Auf einem Gerät, das für OPAL konfiguriert ist, kann die LUKS2-Wiederverschlüsselung nicht durchgeführt werden."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Wiederverschlüsselung von Geräten mit Integritätsprofil wird nicht unterstützt."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3639,103 +3791,110 @@ msgstr ""
 "Angeforderte --sector-size %<PRIu32> ist nicht kompatibel mit dem %s-Superblock\n"
 "(Blockgröße: %<PRIu32>Bytes), der auf dem Gerät %s erkannt wurde."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Verschlüsselung ohne separaten Kopfbereich (--header) ist nur möglich, wenn die Größe des Hauptgeräts reduziert wird (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Der angeforderte Datenoffset darf maximal die Hälfte des Parameters --reduce-device-size betragen."
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Der Wert von --reduce-device-size wird auf das Doppelte von --offset %<PRIu64> (in Sektoren) angepasst.\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Temporäre Headerdatei »%s« existiert bereits. Wird abgebrochen."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Fehler beim Anlegen der temporären Headerdatei »%s«."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Die Größe der LUKS2-Metadaten ist größer als der Wert der Datenverschiebung."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Der neue Header konnte nicht am Kopf des Geräts %s platziert werden."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s ist jetzt aktiv und bereit für die Onlineverschlüsselung.\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Das aktive Gerät »%s« ist kein LUKS2-Gerät."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Wiederherstellung des ursprünglichen LUKS2-Headers."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Fehler beim Wiederherstellen des ursprünglichen LUKS2-Headers."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Die Header-Datei %s existiert nicht. Möchten Sie die LUKS2-Entschlüsselung von Gerät %s initialisieren und LUKS2-Header in Datei %s exportieren?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Fehler beim Hinzufügen der Lese-/Schreibberechtigung für die exportierte Header-Datei."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Fehler beim Initialisieren der Wiederverschlüsselung. Eine Sicherungskopie des Headers befindet sich in %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "LUKS2-Entschlüsselung wird nur mit losgelöstem Headergerät unterstützt (mit Datenoffset auf 0 gesetzt)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Kein Token konnte das Gerät entsperren."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "Nicht genügend freie Schlüsselfächer für Wiederverschlüsselung."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Schlüsseldatei oder Schlüsselbund kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Geben Sie die Passphrase für Schlüsselfach %d ein: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Der Verschlüsselungsalgorithmus wird auf %s geändert.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Verwenden Sie --force-no-keyslots, um Geräte mit aktiven Schlüsselfach neu zu verschlüsseln, indem Sie Laufwerksschlüssel direkt übergeben."
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Die Option --new-volume-key-file muss mit --new-key-size paarweise auftreten"
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Keine Datensegmentparameter geändert. Wiederverschlüsselung abgebrochen."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3743,8 +3902,8 @@ msgstr ""
 "Die Zunahme der Größe des Verschlüsselungssektors auf einem Offline-Gerät wird nicht unterstützt.\n"
 "Aktivieren Sie das Gerät zuerst oder verwenden Sie die Option »--force-offline-reencrypt« (gefährlich!)."
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3752,67 +3911,67 @@ msgstr ""
 "\n"
 "Wiederverschlüsselung unterbrochen."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "LUKS-Wiederverschlüsselung wird im erzwungenen Offline-Modus fortgesetzt.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Das Gerät %s enthält fehlerhafte LUKS-Metadaten. Vorgang wird abgebrochen."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Gerät %s ist bereits ein LUKS-Gerät. Vorgang wird abgebrochen."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Gerät %s befindet sich bereits in der LUKS-Wiederverschlüsselung. Vorgang wird abgebrochen."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr "LUKS2-Entschlüsselung erfordert die Option »--header«."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr "Dieser Befehl benötigt den Gerätenamen als Argument."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Widersprüchliche Versionen. Gerät %s ist LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Widersprüchliche Versionen. Gerät %s befindet sich in der LUKS1-Wiederverschlüsselung."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Widersprüchliche Versionen. Gerät %s ist LUKS2."
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Widersprüchliche Versionen. Gerät %s befindet sich in LUKS2-Wiederverschlüsselung."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Die LUKS2-Wiederverschlüsselung wurde bereits begonnen. Die Operation wird abgebrochen."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr "Derzeit läuft keine Wiederverschlüsselung."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Gerät »%s« kann nicht exklusiv geöffnet werden, da es bereits benutzt wird."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "Belegen des ausgerichteten Speichers fehlgeschlagen."
 
@@ -3835,11 +3994,11 @@ msgstr "Fehler beim Schreiben auf Gerät »%s«."
 msgid "Cannot write reencryption log file."
 msgstr "Fehler beim Speichern der Wiederverschlüsselungs-Logdatei."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Fehler beim Einlesen der Wiederverschlüsselungs-Logdatei."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Falsches Protokollformat."
 
@@ -3848,130 +4007,134 @@ msgstr "Falsches Protokollformat."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Logdatei »%s« existiert, Wiederverschlüsselung wird fortgesetzt.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Temporäres Gerät mit dem alten LUKS-Header wird aktiviert."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Temporäres Gerät mit dem neuen LUKS-Header wird aktiviert."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Fehler beim Aktivieren der temporären Geräte."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Fehler beim Festlegen des Daten-Offsets."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Fehler beim Festlegen der Metadatengröße."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Neuer LUKS-Header für Gerät »%s« angelegt."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "%s-Backup-Header von Gerät »%s« angelegt."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "Fehler beim Anlegen des LUKS-Backup-Headers."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Fehler beim Wiederherstellen des %s-Headers auf Gerät »%s«."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "%s-Header auf Gerät »%s« wiederhergestellt."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Fehler beim Öffnen des temporären LUKS-Geräts."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Fehler beim Ermitteln der Gerätegröße."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "E/A-Fehler während der Wiederverschlüsselung."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "Die angegebene UUID ist ungültig."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Fehler beim Öffnen der Wiederverschlüsselungs-Logdatei."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Derzeit ist keine Entschlüsselung im Gange, die angegebene UUID kann nur benutzt werden, um einen unterbrochenen Entschlüsselungsvorgang fortzusetzen."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Wiederverschlüsselung ändert: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "Laufwerksschlüssel"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr ", Hash auf "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", Verschlüsselung auf "
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "WARNUNG: Gerät %s enthält bereits eine '%s'-Partitionssignatur.\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "WARNUNG: Gerät %s enthält bereits eine '%s'-Superblock-Signatur.\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Fehler beim Initialisieren der Gerätesignatursonden."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Gerät %s konnte nicht gefunden werden."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Datei %s konnte nicht im Lese-/Schreibmodus geöffnet werden."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Die bestehende »%s«-Partitionssignatur auf Gerät %s wird gelöscht."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Die bestehende »%s«-Superblocksignatur auf Gerät %s wird gelöscht."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "Fehler beim Löschen der Gerätesignatur."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Gerät %s konnte nicht auf eine Signatur geprüft werden."
@@ -3986,6 +4149,50 @@ msgstr "Ungültige Größenangabe in Parameter --%s."
 msgid "Option --%s is not allowed with %s action."
 msgstr "Die Option --%s ist nicht mit der Aktion %s kombinierbar."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Die Typangabe in --link-vk-to-keyring wird ignoriert."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Beide Laufwerksschlüssel müssen vom gleichen Schlüsseltyp sein."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Beide Laufwerksschlüssel müssen mit demselben Schlüsselbund verknüpft sein."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Sie müssen weitere Schlüsselnamen angeben."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Ungültiger Wert für --link-vk-to-keyring."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Die Binärdaten von Schlüsselfach %d könnten verfälscht sein.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Mutmaßlicher Offset: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Spätere mutmaßliche Offsets werden unterdrückt.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Schlüsselfach %d kann nicht vom Gerät gelesen werden."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Sie können hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" verwenden, um die Daten zu prüfen.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Fehler beim Schreiben des SSH-Tokens im JSON-Format."
@@ -4154,6 +4361,37 @@ msgstr "Authentifizierung mit öffentlichem Schlüssel ist auf dem Host nicht er
 msgid "Public key authentication error: "
 msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: "
 
+#~ msgid "Activation of BITLK device with clear key protection is not supported."
+#~ msgstr "Die Aktivierung eines BITLK-Geräts mit klarem Schlüsselschutz wird nicht unterstützt."
+
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Fehler beim Verknüpfen von Laufwerkschlüsseln im benutzerspezifischen Schlüsselbund."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Fehler beim Loslösen des Laufwerkschlüssels vom Thread-Schlüsselbund."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "Aktivieren eines teilweise entschlüsselten BITLK-Geräts wird nicht unterstützt."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Fehler beim Lesen der LUKS2-Anforderungen."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Warnung: Schlüsselbund-Vorgang könnte fehlschlagen, da er mehr Speicher benötigt als verfügbar ist.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Fehler beim Einlesen des Wiederverschlüsselungs-Zustands."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Fehler beim Lesen der Passphrase vom Schlüsselbund."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Die Optionen --reduce-device-size und --device-size können nicht kombiniert werden."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: "
+
 #~ msgid "compiled-in"
 #~ msgstr "integriert"
 
@@ -4232,9 +4470,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: "
 #~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 #~ msgstr "Die Option »--keep-new« kann nur zusammen mit »--hash«, »--iter-time« oder »--pbkdf-force-iterations« benutzt werden."
 
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "Die Option »--new« kann nicht zusammen mit »--decrypt« benutzt werden."
-
 #~ msgid "Option --decrypt is incompatible with specified parameters."
 #~ msgstr "Die Option --decrypt verträgt sich nicht mit den angegebenen Parametern."
 
@@ -4326,9 +4561,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: "
 #~ msgid "Progress line update (in seconds)"
 #~ msgstr "Aktualisierungsintervall für Fortschrittszeile (in Sekunden)"
 
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Wie oft die Eingabe der Passphrase wiederholt werden kann"
-
 #~ msgid "Align payload at <n> sector boundaries - for luksFormat"
 #~ msgstr "Nutzdaten an Grenzen von <n> Sektoren ausrichten - für luksFormat"
 
@@ -4781,9 +5013,6 @@ msgstr "Fehler bei der Authentifizierung mit öffentlichem Schlüssel: "
 #~ msgid "Invalid size parameters for verity device."
 #~ msgstr "Ungültige Größenparameter für Verity-Gerät."
 
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "Wenn ein Integritätsschlüssel verwendet wird, muss auch der Integritätsalgorithmus angegeben werden."
-
 #~ msgid "Wrong key size."
 #~ msgstr "Falsche Schlüsselgröße."
 
diff --git a/po/es.po b/po/es.po
index c1da5d6..a9c493f 100644
--- a/po/es.po
+++ b/po/es.po
@@ -2,7 +2,7 @@
 # Traducciones al español para el paquete cryptsetup.
 # Copyright (C) 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Free Software Foundation, Inc.
 # This file is put in the public domain.
-# Antonio Ceballos <aceballos@gmail.com>, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2023, 2024
+# Antonio Ceballos <aceballos@gmail.com>, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2023, 2024, 2025
 #
 # ######################################################################
 # Traducciones dudosas:
@@ -73,10 +73,10 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.1-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-30 12:24+0100\n"
+"POT-Creation-Date: 2025-08-13 13:45+0200\n"
+"PO-Revision-Date: 2025-08-15 16:37+0200\n"
 "Last-Translator: Antonio Ceballos <aceballos@gmail.com>\n"
 "Language-Team: Spanish <es@tp.org.es>\n"
 "Language: es\n"
@@ -86,70 +86,78 @@ msgstr ""
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "No se puede inicializar el «device mapper», ejecutando como usuario no administrador."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "No se puede inicializar el «device-mapper». ¿Está cargado el módulo del núcleo dm_mod?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "El indicador diferido solicitado no está disponible."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "El DM-UUID del dispositivo %s ha sido truncado."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Tipo de objetivo dm desconocido."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Las opciones de rendimiento de dm-crypt solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Las opciones de manejo de corrupción de datos de dm-verity solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "La opción «tasklets» de dm-verity solicitada no está disponible."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Las opciones FEC de dm-verity solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Las opciones de integridad de datos solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "La opción sector_size solicitada no está disponible."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "El tamaño del dispositivo no es múltiplo del tamaño de sector solicitado."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "La opción integrity_key_size solicitada no está disponible."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "El recómputo automático de las etiquetas de integridad solicitado no está disponible."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2777
 msgid "Discard/TRIM is not supported."
 msgstr "Descartar/TRIM no disponible."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "El modo de mapa de bits de dm-integrity solicitado no está disponible."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "El modo en línea de dm-integrity solicitado no está disponible."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "No se ha podido consultar el segmento de dm-%s."
@@ -183,747 +191,777 @@ msgstr "La calidad solicitada para el generador de números aleatorios es descon
 msgid "Error reading from RNG."
 msgstr "Error leyendo del generador de números aleatorios."
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "El soporte de OPAL está desactivado en libcryptsetup."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "El dispositivo %s o el núcleo no disponen de cifrado OPAL."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "No se puede inicializar el «backend» del generador de números aleatorios de cifrado."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "No se puede inicializar el «backend» de cifrado."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Algoritmo «hash» %s no disponible."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Error de procesamiento de la clave (usando «hash» %s)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "No se puede determinar el tipo de dispositivo. ¿Es incompatible la activación del dispositivo?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4145
 msgid "This operation is supported only for LUKS device."
 msgstr "Esta operación solamente está disponible para dispositivos LUKS."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Esta operación solamente está disponible para dispositivos LUKS2."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3093
 msgid "All key slots full."
 msgstr "Todas las ranuras de claves están llenas."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "La ranura de claves %d no es válida; seleccione un número entre 0 y %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "La ranura de claves %d está llena; seleccione otra."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3860
 msgid "Device size is not aligned to device logical block size."
 msgstr "El tamaño del dispositivo no está alineado con el tamaño de bloque lógico del dispositivo."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Cabecera detectada pero el dispositivo %s es demasiado pequeño."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
+#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
 msgid "This operation is not supported for this device type."
 msgstr "Esta operación no está disponible para este tipo de dispositivo."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Operación con recifrado en curso no válida."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "No se han podido echar atrás los metadatos de LUKS2 en memoria."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1773
+#: src/cryptsetup.c:1957 src/cryptsetup.c:2012 src/cryptsetup.c:2210
+#: src/cryptsetup.c:2355 src/cryptsetup.c:2633 src/cryptsetup.c:2946
+#: src/cryptsetup.c:3014 src/utils_reencrypt.c:2280
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "El dispositivo %s no es un dispositivo LUKS válido."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Versión LUKS no disponible %d."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado para el dispositivo activo %s."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
+#: lib/setup.c:3768 lib/setup.c:5787
 #, c-format
 msgid "Device %s is not active."
 msgstr "El dispositivo %s no está activo."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "El dispositivo subyacente asociado al dispositivo cifrado %s ha desaparecido."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Parámetros de cifrado para modo claro no válidos."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Tamaño de clave no válido."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "El UUID no está disponible para este tipo de cifrado."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "El dispositivo de metadatos separado no está disponible para este tipo de cifrado."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3026
+#: src/cryptsetup.c:1485 src/cryptsetup.c:3753
 msgid "Unsupported encryption sector size."
 msgstr "Tamaño de sector de cifrado no admitido."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
 msgid "Device size is not aligned to requested sector size."
 msgstr "El tamaño del dispositivo no está alineado con el tamaño del sector solicitado."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Imposible dar formato LUKS sin dispositivo."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "El dispositivo zonificado %s no puede utilizarse para cabecera LUKS."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "El alineamiento de datos solicitado no es compatible con el desplazamiento de los datos."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "ATENCIÓN: El dispositivo DAX puede corromper datos ya que no garantiza actualizaciones de sector atómicas.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "No se puede limpiar la cabecera del dispositivo %s."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "El dispositivo %s es demasiado pequeño para ser activado; no queda espacio para los datos.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "La clave del volumen es demasiado pequeña para cifrado con extensiones de integridad."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "El tamaño de la clave de integridad es demasiado pequeño."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "El algoritmo de cifrado %s-%s (tamaño de clave %zd bits) no está disponible."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "ATENCIÓN: La activación del dispositivo va a fallar; dm-crypt no admite el tamaño de sector de cifrado solicitado.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_reencrypt.c:3065
+#: lib/luks2/luks2_reencrypt.c:4485
 #, c-format
 msgid "Device %s is too small."
 msgstr "El dispositivo %s es demasiado pequeño."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "No se puede dar formato al dispositivo %s en uso."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "No se puede dar formato al dispositivo %s; permiso denegado."
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "No se puede dar formato a la integridad del dispositivo %s."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "No se puede dar formato al dispositivo %s."
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "No se pueden obtener los parámetros de alineamiento OPAL."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Tamaño de bloque lógico OPAL falso."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:303
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "Tamaño de bloque lógico OPAL falso difiere del tamaño de bloque del dispositivo."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "El desplazamiento de datos solicitado no es compatible con el tamaño de bloque OPAL."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "El alineamiento de datos solicitado no es compatible con el alineamiento OPAL."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "El desplazamiento de datos no satisface los requisitos de alineamiento OPAL."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "El alineamiento de datos solicitado no satisface los requisitos de alineamiento del rango de bloqueo."
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "Compensando el tamaño de dispositivo con %<PRIu64> sectores para alinearlo con la granularidad de alienamiento OPAL."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "No se ha podido adquirir el bloqueo OPAL para el dispositivo %s."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Clave de administrador de OPAL incorrecta."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "No se puede configurar el segmento de OPAL."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "No se puede dar formato al dispositivo %s; parece que el dispositivo OPAL está completamente protegido contra escritura actualmente."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "Quizá esto sea un error del firmware. Ejecute un reinicio PSID OPAL y reconecte para recuperar."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "El reinicio del rango %d de bloqueo del dispositivo %s ha fallado."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Imposible dar formato LOOPAES sin dispositivo."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Imposible dar formato VERITY sin dispositivo."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Tipo de «hash» VERITY %d no disponible."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Tamaño de bloque VERITY no disponible."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Desplazamiento «hash» VERITY no disponible."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Desplazamiento FEC VERITY no disponible."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "La zona de datos se solapa con la zona «hash»."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "La zona «hash» se solapa con la zona FEC."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "La zona de datos se solapa con la zona FEC."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Tamaño de la clave de integridad discordante."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "ATENCIÓN: El tamaño de etiqueta de %d bytes solicitado difiere del tamaño de salida de %s (%d bytes).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3037 lib/setup.c:3135
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "El tipo de dispositivo cifrado % solicitado es desconocido."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "El tipo de dispositivo %s solicitado es desconocido o no está disponible."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3049
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "El dispositivo %s no ofrece campos de datos de integridad en línea."
+
+#: lib/setup.c:3055
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "El tamaño de etiqueta en línea %<PRIu32> [bytes] es mayor que %<PRIu32> proporcionado por el dispositivo %s."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "El sector tiene que ser el mismo que el sector hardware del dispositivo (%zu bytes)."
+
+#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Parámetros no admitidos para el dispositivo %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
+#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Parámetros discordantes en el dispositivo %s."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3632
 msgid "Crypt devices mismatch."
 msgstr "Los dispositivos de cifrado no concuerdan."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
+#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "No se ha podido recargar el dispositivo %s."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
+#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "No se ha podido suspender el dispositivo %s."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
+#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4228
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "No se ha podido reanudar el dispositivo %s."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3702
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Error grave durante la recarga del dispositivo %s (por encima del dispositivo %s)."
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3705 lib/setup.c:3707
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "No se ha podido conmutar el dispositivo %s a dm-error."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3750
 msgid "Can not resize LUKS2 device with static size."
 msgstr "No se ha podido cambiar el tamaño del dispositivo LUKS2 con un tamaño estático."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3755
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Redimensionar el dispositivo LUKS2 con protección de integridad no está disponible."
+
+#: lib/setup.c:3801
 msgid "Cannot resize loop device."
 msgstr "No se ha podido cambiar el tamaño del dispositivo de bucle."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3845
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "ATENCIÓN: ya se ha puesto el tamaño máximo o el núcleo no permite cambiarlo.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3911
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "El cambio de tamaño ha fallado; el núcleo no admite el cambio."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3943
 msgid "Do you really want to change UUID of device?"
 msgstr "¿Está seguro de que quiere cambiar el UUID del dispositivo?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4035
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "El fichero de copia de seguridad de la cabecera no contiene una cabecera LUKS compatible."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4128
 #, c-format
 msgid "Volume %s is not active."
 msgstr "El volumen %s no está activo."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4183
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "El volumen %s ya está suspendido."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4209
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "La suspensión no está disponible para el dispositivo %s."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4211 lib/setup.c:4219
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Error durante la suspensión del dispositivo %s."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4234
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Se ha suspendido el dispositivo %s pero el dispositivo OPAL hardware no puede bloquearse."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4265 lib/setup.c:4442
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "La reanudación no está disponible para el dispositivo %s."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Error durante la reanudación del dispositivo %s."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4286
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "No se ha podido desvincular la clave del volumen del llavero de usuario especificado."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4408 lib/setup.c:5574
 msgid "Failed to link volume key in user defined keyring."
 msgstr "No se ha podido vincular la clave del volumne en el llavero de usuario especificado."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4506 src/cryptsetup.c:2714
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "EL volumen %s no está suspendido."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
+#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
 msgid "Volume key does not match the volume."
 msgstr "La clave de volumen no corresponde a este volumen."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4761
 msgid "Failed to swap new key slot."
 msgstr "No se ha logrado intercambiar la nueva ranura de claves."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4859
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "La ranura de claves %d no es válida."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "La ranura de claves %d no está activa."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4884
 msgid "Device header overlaps with data area."
 msgstr "La cabecera del dispositivo se solapa con la zona de datos."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5105
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Recifrado en curso. No se puede activar el dispositivo."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
+#: lib/luks2/luks2_reencrypt.c:3714
 msgid "Failed to get reencryption lock."
 msgstr "No se ha podido conseguir el bloqueo de recifrado."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5129
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "La recuperación del recifrado LUKS2 utilizando la(s) clave(s) de volumen ha fallado."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "No se han podido vincular las claves de volumen en el llavero de usuario especificado."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "La recuperación del recifrado LUKS2 ha fallado."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Este tipo de dispositivo no se ha inicializado adecuadamente."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5265
 #, c-format
 msgid "Device %s already exists."
 msgstr "El dispositivo %s ya existe."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5272
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "No se puede utilizar el dispositivo %s; el nombre no es válido o todavía está en uso."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5284
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Las claves de volumen de recifrado no corresponden a este volumen."
+
+#: lib/setup.c:5301
 msgid "Incorrect volume key specified for plain device."
 msgstr "Clave de volumen incorrecta para dispositivo no cifrado."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Las claves de volumen de recifrado no corresponden a este volumen."
+#: lib/setup.c:5327 lib/setup.c:5388
+msgid "Device type is not properly initialized."
+msgstr "Este tipo de dispositivo no se ha inicializado adecuadamente."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5426
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "El llavero de núcleo no está admitido en el núcleo."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5430
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "El llavero de núcleo está ausente: se necesita para pasar la firma al núcleo."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5482
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "No se puede la clave %s del llavero."
+
+#: lib/setup.c:5695
 msgid "Incorrect root hash specified for verity device."
 msgstr "«Hash» raíz incorrecta para dispositivo «verity»."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5736 lib/setup.c:5761
 msgid "OPAL does not support deferred deactivation."
 msgstr "OPAL no dispone de desactivación diferida."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "No se ha podido cancelar la eliminación diferida en el dispositivo %s."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "El dispositivo %s todavía se está utilizando."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5769
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "No se ha podido cancelar la eliminación diferida en el dispositivo %s."
+
+#: lib/setup.c:5791
 #, c-format
 msgid "Invalid device %s."
 msgstr "Dispositivo inválido %s."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5932
 msgid "Volume key buffer too small."
 msgstr "El «buffer» de la clave del volumen es demasiado pequeño."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5943
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "No se puede recuperar la clave del volumen para el dispositivo LUKS2."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5952
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "No se puede recuperar la clave del volumen para el dispositivo LUKS1."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5966
 msgid "Cannot retrieve volume key for plain device."
 msgstr "No se puede recuperar la clave para el dispositivo no cifrado."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5974
 msgid "Cannot retrieve root hash for verity device."
 msgstr "No se puede recuperar el «hash» raíz para dispositivo «verity»."
 
-#: lib/setup.c:6199
+#: lib/setup.c:5981
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "No se puede recuperar la clave del volumen para el dispositivo BITLK."
 
-#: lib/setup.c:6204
+#: lib/setup.c:5986
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "No se puede recuperar la clave del volumen para el dispositivo FVAULT2."
 
-#: lib/setup.c:6206
+#: lib/setup.c:5988
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Esta operación no está disponible para el dispositivo cifrado %s."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6173 lib/setup.c:6184
 msgid "Dump operation is not supported for this device type."
 msgstr "Operación de volcado no deisponible para este tipo de dispositivo."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6564
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "El desplazamiento de datos no es múltiplo de %u bytes."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6872
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "No se puede convertir el dispositivo %s que todavía está en uso."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7180 lib/setup.c:7324
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "No se ha logrado asignar la ranura de claves %u como nueva clave del volumen."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7204
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "No se han podido inicializar los parámetros predefinidos de la ranura de claves LUKS2."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7210
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "No se ha logrado asignar la ranura de claves %d al resumen."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7441
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "No se puede añadir ranura de claves; todas las ranuras están desactivadas y no se ha proporcionado una clave para el volumen."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7514 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "No se ha podido cargar la clave en el llavero del núcleo."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "No se ha podido desvincular la clave del volumen del llavero del hilo."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7705
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "No se ha podido encontrar el llavero descrito por «%s»."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7770
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "No se ha podido adquirir el bloqueo de la serialización de acceso duro de memoria global."
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "No se ha podido abrir el fichero de claves."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "No se puede leer el fichero de claves desde un terminal."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "No se ha podido efectuar «stat» sobre el fichero de claves."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "No es posible situarse en la posición solicitada del fichero de claves."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Memoria agotada mientras se estaba leyendo la frase contraseña."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Error al leer la frase contraseña."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "No hay nada para leer en la entrada."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Se ha excedido el tamaño máximo de fichero de claves."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "No se puede leer la cantidad de datos solicitada."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:2253
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "El dispositivo %s no existe o el acceso al mismo ha sido denegado."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "El dispositivo %s no es compatible."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Se ignorará por falso el tamaño de optimal-io para el dispositivo de datos (%u bytes)."
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "El dispositivo %s es demasiado pequeño. Se necesitan %<PRIu64> bytes como mínimo."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "No se puede usar el dispositivo %s porque ya está en uso (asignado o montado)."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "No se puede utilizar el dispositivo %s; permiso denegado."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "No se puede obtener información del dispositivo %s."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "No se puede utilizar un dispositivo de bucle invertido como usuario no administrador."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "No se ha logrado asociar el dispositivo de bucle invertido (hace falta un dispositivo de bucle con marcador de auto-limpieza)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "El «offset» solicitado está más allá del tamaño real del dispositivo %s."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "El dispositivo %s tiene tamaño cero."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "El tiempo objetivo máximo de PBKDF no puede ser cero."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Tipo de PBKDF %s desconocido."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "La «hash» solicitada %s no está disponible."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "El tipo de PBKDF solicitado no está disponible para LUKS1."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "No se pueden establecer la memoria máxima de PBKDF ni los hilos paralelos con pbkdf2."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "El número de iteraciones forzadas es demasiado pequeño para %s (el mínimo es %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "El coste de la memoria forzada es demasiado bajo para %s (el mínimo es %u kilobytes)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "El coste de la memoria máxima solicitada de PBKDF es demasiado alto (el máximo es %d kilobytes)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "El coste de la memoria máxima solicitada de PBKDF es demasiado alto (limitado por el tamaño máximo de los enteros)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "La memoria máxima solicitada de PBKDF no puede ser cero."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "El coste paralelo de PBKDF máximo solicitado es demasiado alto (el máximo es %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Los hilos paralelos solicitados de PBKDF no pueden ser cero."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "Solo se admite PBKDF2 en el modo FIPS."
 
@@ -950,21 +988,21 @@ msgstr "Bloqueo abortado. La ruta del bloqueo %s/%s no puede utilizarse (o no es
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Bloqueo abortado. La ruta del bloqueo %s/%s no puede utilizarse (%s no es un directorio)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "No es posible situarse en la posición del dispositivo."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Error al limpiar el dispositivo, desplazamiento %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "PSID OPAL incorrecto."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "No se ha podido borrar el dispositivo OPAL."
 
@@ -987,8 +1025,8 @@ msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "La especificación de cifrado debería estar en formato [cipher]-[mode]-[iv]."
 
 #: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1514 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "No se puede escribir en el dispositivo %s; permiso denegado."
@@ -1001,24 +1039,24 @@ msgstr "No se ha podido abrir el dispositivo de almacenamiento de claves tempora
 msgid "Failed to access temporary keystore device."
 msgstr "No se ha podido acceder al dispositivo de almacenamiento de claves temporal."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:188 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Error de entrada/salida mientras se cifraba una ranura de claves."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:235 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1517 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "No se puede abrir el dispositivo %s."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:246 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Error de entrada/salida mientras se descifraba una ranura de claves."
 
@@ -1054,12 +1092,12 @@ msgid "Backup file does not contain valid LUKS header."
 msgstr "El fichero de copia de seguridad no contiene una cabecera LUKS válida."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1446
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "No se puede abrir el fichero de copia de seguridad de cabecerda %s."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1454
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "No se puede leer el fichero de copia de seguridad de cabecerda %s."
@@ -1081,7 +1119,7 @@ msgstr "no contiene cabecera LUKS. Reemplazar la cabecera puede destruir los dat
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "ya contiene cabecera LUKS. Reemplazar la cabecera destruirá las ranuras de claves existentes."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1486
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1108,7 +1146,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "«Hash» de cifrado reparado a minúsculas (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "La «hash» LUKS solicitada %s no está disponible."
@@ -1155,7 +1193,7 @@ msgstr "El modo de cifrado LUKS %s no es válido."
 msgid "LUKS hash %s is invalid."
 msgstr "El «hash» LUKS %s no es válido."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1360
 msgid "No known problems detected for LUKS header."
 msgstr "No se ha detectado ningún problema en la cabecera LUKS."
 
@@ -1169,17 +1207,17 @@ msgstr "Error al actualizar la cabecera LUKS en el dispositivo %s."
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Error al leer la cabecera LUKS después de actualizarla en el dispositivo %s."
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "La posición de los datos de una cabecera LUKS debe ser 0 o superior al tamaño de la cabecera."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "El formato de UUID LUKS proporcionado es incorrecto."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "No se puede crear la cabecera LUKS: fallo en la lectura «random salt»."
 
@@ -1188,48 +1226,48 @@ msgstr "No se puede crear la cabecera LUKS: fallo en la lectura «random salt».
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "No se puede crear la cabecera LUKS: fallo en la cabecera (usando «hash» %s)."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "La ranura de claves %d está activa; primero hay que purgar."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "El material de la ranura de claves %d no tiene suficientes bandas. Quizá se haya manipulado la cabecera."
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Desbordamiento del valor de iteración PBKDF2."
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "No se puede abrir la ranura de claves (usando «hash» %s)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "La ranura %d no es válida; seleccione una ranura de claves entre 0 y %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "No se puede limpiar el dispositivo %s."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Se ha detectado un fichero de claves cifrado con GPG que el programa aún no no puede procesar."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Utilice 'gpg --decrypt <FICHERO-DE-CLAVES> | cryptsetup --keyfile=- ...'\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Se ha detectado un fichero de claves incompatible con «loop-AES»."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "El núcleo no admite asignación compatible con «loop-AES»."
 
@@ -1248,33 +1286,41 @@ msgstr "Se ha excedido la longitud máxima (%zu) de la frase contraseña TCRYPT.
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "El algoritmo «hash» %s no está disponible, por lo que se ha ignorado."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1233
 msgid "Required kernel crypto interface not available."
 msgstr "La interfaz de cifrado del núcleo requerida no está disponible."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1235
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Asegúrese de que el módulo del núcleo algof_skcipher está cargado."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "No es posible la activación para el tamaño de sector %d."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "El núcleo no dispone de activación para este modo antiguo TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Activando el sistema de cifrado TCRYPT para la partición %s."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "No se puede determinar el desplazamiento de la partición del sistema TCRYPT; se activará el área cifrada entera."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "No se puede determinar el desplazamiento de la partición del sistema TCRYPT; se activará el dispositivo como una partición del sistema."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "El núcleo no admite asignación compatible con TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1144
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Esta función no está disponible sin carga de cabecera TCRYPT."
 
@@ -1297,68 +1343,68 @@ msgstr "Se ha encontrado una cadena no esperada ('%s') mientras se analizaba la
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "El valor de entrada de metadatos '%u' no esperado se ha encontrado mientras se analizaba la clave maestra del volumen soportado."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:450
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK versión 1 no está admitido actualmente."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:456
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Firma de arranque no válida o desconocida para el dispositivo BITLK"
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:468
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Tamaño de sector no admitido %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:476
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "No se ha podido leer la cabecera BITLK de %s."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:501
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "No se han podido leer los metadatos BITLK FVE de %s."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:552
 msgid "Unknown or unsupported encryption type."
 msgstr "Tipo de cifrado desconocido o no admitido."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:592
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "No se han podido leer las entradas de los metadatos BITLK de %s."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:709
 msgid "Failed to convert BITLK volume description"
 msgstr "No se ha podido convertir el descifrado del volumen BITLK"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:872
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Tipo de entrada de metadatos '%u' encontrado inesperadamente mientras se analizaba clave externa."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:895
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "El GUID '%s' del fichero BEK no coincide con el GUID del volumen."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:899
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Valor de entrada de metadatos '%u' encontrado inesperadamente mientras se analizaba clave externa."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:938
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Versión %<PRIu32> de metadatos BEK no admitida."
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:943
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Tamaño %<PRIu32> de metadatos BEK no esperado, no coincide con la longitud del fichero BEK"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:969
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Entrada de metadatos encontrada inesperadamente mientras se analizaba clave de inicio."
 
@@ -1370,46 +1416,46 @@ msgstr "Esta operación no está disponible."
 msgid "Unexpected key data size."
 msgstr "Tamaño de datos de la clave no esperado."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1205
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Este dispositivo BITLK se encuentra en un estado en el que no puede activarse."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1210
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Los dispositivos BITLK con tipo '%s' no puede activarse."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "La activación de un dispositivo BITLK parcialmente descifrado no puede hacerse."
+#: lib/bitlk/bitlk.c:1217
+msgid "Activation of BITLK device with clear key protection is not supported."
+msgstr "La activación del dispositivo BITLK con protección de clave en claro no está disponible."
 
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1258
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "ATENCIÓN: el tamaño del volumen «bitlocker» %<PRIu64> no coincide con el tamaño del dispositivo subyacente %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1385
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para BITLK IV."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1389
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para difusor BITLK «Elephant»."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1393
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para tamaño de sector grande."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1397
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "No se puede activar el dispositivo; falta el módulo dm-zero del núcleo."
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "No se han podido leer %u «bytes» de la cabecera del volumen."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Versión de FVAULT2 no admitida %<PRIu16>."
@@ -1446,24 +1492,24 @@ msgstr "La verificación de firma «hash» raíz solicitada no está disponible.
 msgid "Root hash signature required."
 msgstr "Se requiere la firma «hash» raíz."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Los errores no pueden repararse con dispositivo FEC."
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Se han encontrado %u errores reparables con dispositivo FEC."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "El núcleo no dispone de asignación «dm-verity»."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "El núcleo no dispone de opción de firma «dm-verity»."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "El dispositivo «verity» ha detectado algo corrupto después de la activación."
 
@@ -1486,23 +1532,23 @@ msgstr "La verificación ha fallado en la posición %<PRIu64>."
 msgid "Hash area overflow."
 msgstr "Desbordamiento del área «hash»."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Fallo en la verificación del área de datos."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Fallo en la verificación de la «hash» raíz."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Error de entrada/salida al crear el área «hash»."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "La creación del área «hash» ha fallado."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ATENCIÓN: el núcleo no puede activar un dispositivo si el tamaño del bloque de datos excede el tamaño de página (%u)."
@@ -1552,34 +1598,38 @@ msgstr "Longitud de segmento FEC no válida."
 msgid "Failed to determine size for device %s."
 msgstr "No se ha podido determinar el tamaño para el dispositivo %s."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Metadatos dm-integrity del núcleo incompatibles (versión %u) detectados en %s."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:290 lib/integrity/integrity.c:474
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "El núcleo no dispone de asociación «dm-integrity»."
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:296
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "El núcleo no dispone de alineamiento de metadatos fijo «dm-integrity»."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:305
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "El núcleo rehúsa activar la opción de recálculo inseguro (véanse las opciones de activación antiguas para cambiar ese funcionamiento)."
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:311
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "El núcleo no dispone de modo en línea «dm-integrity»."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1506
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "No se ha podido adquirir el bloqueo de escritura del dispositivo %s."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Se ha detectado un intento de actualizar los metadatos LUKS2 concurrentemente. Se aborta la operación."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1587,59 +1637,59 @@ msgstr ""
 "El dispositivo contiene firmas ambiguas; no se puede autorecuperar LUKS2.\n"
 "Por favor, ejecute \"cryptsetup repair\" para recuperación."
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ATENCIÓN: la zona de ranuras de claves (%<PRIu64> bytes) es muy pequeña; el número de ranuras de claves LUKS2 disponibles es muy limitado.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "El desplazamiento de datos solicitado es demasiado pequeño."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "ATENCIÓN: el tamaño de los metadatos LUKS2 ha cambiado a %<PRIu64> bytes.\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "ATENCIÓN: el tamaño de la zona de ranuras de claves LUKS2 ha cambiado a %<PRIu64> bytes.\n"
 
 #: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
 #: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "No se ha podido adquirir el bloqueo de lectura para el dispositivo %s."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1431
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Se han detectado requisitos prohibidos para LUKS2 en la copia de seguridad %s."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1470
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "La posición de los datos no coinciden en el dispositivo y en la copia de seguridad; ha fallado la restauración."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1476
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "La cabecera binaria con el tamaño de las áreas de ranuras de claves no coinciden en el dispositivo y en la copia de seguridad; la restauración ha fallado."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1483
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Dispositivo %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1484
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "no contiene cabecera LUKS2. Reemplazar la cabecera puede destruir los datos en ese dispositivo."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "ya contiene cabecera LUKS2. Reemplazar la cabecera destruirá las ranuras de claves existentes."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1650,7 +1700,7 @@ msgstr ""
 "dispositivo real! Reemplazar la cabecera con la copia de seguridad puede\n"
 "corromper los datos en ese dispositivo!"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1665,106 +1715,106 @@ msgstr ""
 msgid "Ignored unknown flag %s."
 msgstr "Se hará caso omiso del indicador desconocido %s."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2541 lib/luks2/luks2_reencrypt.c:2105
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Falta la clave para el segmento dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2553 lib/luks2/luks2_reencrypt.c:2118
 msgid "Failed to set dm-crypt segment."
 msgstr "No se ha podido establecer el segmento de dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2559 lib/luks2/luks2_reencrypt.c:2124
 msgid "Failed to set dm-linear segment."
 msgstr "No se ha podido establecer el segmento de dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2679 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado en la cabecera LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2687
 msgid "OPAL device must have static device size."
 msgstr "El dispositivo OPAL debe tener tamaño de dispositivo estático."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2707
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "El dispositivo OPAL con integridad cifrado debe ser más pequeño que el rango de bloqueo."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2712
 msgid "OPAL device must have same size as locking range."
 msgstr "El dispositivo OPAL debe tener el mismo tamaño que el rango de bloqueo."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2732
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "El dispositivo OPAL es %s ya desbloqueado.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2771
 msgid "Unsupported device integrity configuration."
 msgstr "Configuración de integridad de dispositivo no admitida."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2787
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "El dispositivo «dm-integrity» subyacente presenta sectores de datos inesperados."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2882
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Recifrado en curso. No se puede desactivar el dispositivo."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2893 lib/luks2/luks2_reencrypt.c:4274
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "No se ha podido reemplazar el dispositivo suspendido %s con el objetivo dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2972 lib/luks2/luks2_json_metadata.c:2994
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "El dispositivo %s ya se ha desactivado pero el dispositivo OPAL hardware no puede bloquearse."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "No se ha podido leer los requisitos LUKS2."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3016
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Se han detectado requisitos LUKS2 no satisfechos."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3024
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Operación incompatible con dispositivo marcado para recifrado obsoleto. Se aborta."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3026
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Operación incompatible con dispositivo marcado para recifrado LUKS2. Se aborta."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Operación incompatible con dispositivo que utiliza OPAL. Se aborta."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3030
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Operación incompatible con dispositivo que utiliza etiquetas HW en línea. Se aborta."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "No hay memoria disponible suficiente para abrir una ranura de claves."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Fallo al abrir la ranura de claves."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "No se puede utilizar el algoritmo de cifrado %s-%s para el cifrado de ranuras de clave."
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "No hay suficiente memoria para derivación de clave de ranuras de claves."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:401
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2725
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "El algoritmo «hash» %s no está disponible."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "ATENCIÓN: la operación de ranura de claves podría fallar porque requiere más memoria de la que está disponible.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:518
 msgid "No space for new keyslot."
 msgstr "No hay espacio para la nueva ranura de claves."
 
@@ -1790,429 +1840,434 @@ msgstr "No se puede comprobar el estado del dispositivo con uuid: %s."
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Imposible convertir cabecera con metadatos adicionales LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3882
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Imposible utilizar la especificación de cifrado %s-%s para LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Imposible utilizar la especificación de cifrado %s-%s para ranura de claves LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Imposible mover el área de la ranura de claves. No hay suficiente espacio."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "No se puede convertir a formato LUKS2 - los metadatos no son válidos."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Imposible mover el área de la ranura de claves. Área de ranuras de clave LUKS2 demasiado pequeña."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Imposible mover el área de la ranura de claves."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "No se puede convertir a formato LUKS1 - el tamaño predefinido de sector de cifrado del segmento no es 512 bytes."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "No se puede convertir a formato LUKS1 - los resúmenes de rarunas de claves no son compatibles con LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "No se puede convertir a formato LUKS1 - el dispositivo utiliza el cifrado de clave encapsulado %s."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "No se puede convertir a formato LUKS1 - el dispositivo utiliza más segmentos."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "No se puede convertir a formato LUKS1 - la cabecera LUKS2 contiene %u «token(s)»."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "No se puede convertir a formato LUKS1 - no hay ranuras de claves activas."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u está en un estado no válido."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u no está acotada."
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "No se puede convertir a formato LUKS1 - la ranura %u (sobre las ranuras máximas) todavía está activa."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u no es compatible con LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1194
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "El tamaño de la zona activa debe ser múltiplo del alineamiento de zona calculado (%zu bytes)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1199
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "El tamaño del dispositivo debe ser múltiplo del alineamiento de zona calculado (%zu bytes)."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1406 lib/luks2/luks2_reencrypt.c:1592
+#: lib/luks2/luks2_reencrypt.c:1675 lib/luks2/luks2_reencrypt.c:1717
+#: lib/luks2/luks2_reencrypt.c:4069
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "No se ha podido inicializar la envoltura antigua de almacenamiento del segmento."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1420 lib/luks2/luks2_reencrypt.c:1570
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "No se ha podido inicializar la envoltura nueva de almacenamiento del segmento."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1546 lib/luks2/luks2_reencrypt.c:4081
 msgid "Failed to initialize hotzone protection."
 msgstr "No se ha podido inicializar la protección de la zona caliente."
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1619
 msgid "Failed to read checksums for current hotzone."
 msgstr "No se han podido leer las sumas de comprobación para la zona activa actual."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1626 lib/luks2/luks2_reencrypt.c:4095
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "No se ha podido leer la zona activa que comienza en %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1645
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "No se ha podido descifrar el sector %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1651
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "No se ha podido recuperar el sector %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2217
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Los tamaños de los dispositivos origen y destino no coinciden. Origen %<PRIu64>, destino: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2315
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "No se ha podido activar el dispositivo con zona activa %s."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2332
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "No se ha podido activar el dispositivo de superposición %s con la tabla de orígenes actual."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "No se ha podido cargar el nuevo mapa para el dispositivo %s."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2410
 msgid "Failed to refresh reencryption devices stack."
 msgstr "No se ha podido refrescar la pila del dispositivo de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2607
 msgid "Failed to set new keyslots area size."
 msgstr "No se ha logrado establecer el tamaño de las nuevas ranuras de claves."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2743
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "El valor del desplazamiento de datos no está alineado con el tamaño del sector de cifrado (%<PRIu32> bytes)."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2780 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Modo de resiliencia %s no admitido."
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2816
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "El tamaño del segmento movido no puede ser mayor que el valor del desplazamiento de los datos."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2858
 msgid "Invalid reencryption resilience parameters."
 msgstr "Parámetros de resiliencia de recifrado no válidos."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2880
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Segmento movido demasiado grande. Tamaño solicitado %<PRIu64>, espacio disponible para: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2969
 msgid "Failed to clear table."
 msgstr "No se ha podido limpiar la tabla."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3055
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "El desplazamiento de datos (%<PRIu64> sectores) es menor que el desplazamiento de datos futuros (%<PRIu64> sectores)."
+
+#: lib/luks2/luks2_reencrypt.c:3070 lib/luks2/luks2_reencrypt.c:3077
 msgid "Reduced data size is larger than real device size."
 msgstr "El tamaño de los datos reducidos es mayor que el tamaño del dispositivo real."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3087
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "El dispositivo de datos no está alineado con el tamaño del sector de cifrado (%<PRIu32> bytes)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "El desplazamiento de datos (%<PRIu64> sectores) es menor que el desplazamiento de datos futuros (%<PRIu64> sectores)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3117 lib/luks2/luks2_reencrypt.c:3632
+#: lib/luks2/luks2_reencrypt.c:3653
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "No se ha podido abrir %s en modo exclusivo (ya está asignado o montado)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3324
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "El dispositivo no está marcado para recifrado LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3341 lib/luks2/luks2_reencrypt.c:4391
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "No se ha podido cargar el contexto del recifrado LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "No se ha podido obtener el estado del recifrado."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3433 lib/luks2/luks2_reencrypt.c:3773
 msgid "Device is not in reencryption."
 msgstr "El dispositivo no está en recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3440 lib/luks2/luks2_reencrypt.c:3780
 msgid "Reencryption process is already running."
 msgstr "El proceso de recifrado ya está en marcha."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3442 lib/luks2/luks2_reencrypt.c:3782
 msgid "Failed to acquire reencryption lock."
 msgstr "No se ha podido adquirir el bloqueo de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3460
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "No se puede proceder con el recifrado. Ejecute primero la recuperación de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3596
 msgid "Active device size and requested reencryption size don't match."
 msgstr "El tamaño del dispositivo activo y el tamaño de recifrado solicitado no coinciden."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3610
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "El tamaño de dispositivo solicitado en los parámetros de recifrado no es válido."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3712
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Recifrado en proceso. No se puede llevar a cabo una recuperación."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3733
+msgid "LUKS2 reencryption recovery failed."
+msgstr "La recuperación del recifrado LUKS2 ha fallado."
+
+#: lib/luks2/luks2_reencrypt.c:3866 lib/luks2/luks2_reencrypt.c:4344
+msgid "Failed to initialize reencryption device stack."
+msgstr "No se ha podido inicializar la pila del dispositivo de recifrado."
+
+#: lib/luks2/luks2_reencrypt.c:3899
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Recifrado LUKS2 ya inicializado en los metadatos."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "No se ha podido inicializar el recifrado LUKS2 en los metadatos."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3960 lib/luks2/luks2_reencrypt.c:3992
+#: lib/luks2/luks2_reencrypt.c:4022
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "El recifrado no está disponible para dispositivo DAX (memoria persistente)."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "No se ha podido leer la frase contraseña desde el llavero."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4051
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "No se han podido establecer los segmentos del dispositivo para la siguiente zona activa de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4103
 msgid "Failed to write reencryption resilience metadata."
 msgstr "No se han podido escribir los metadatos de resiliencia de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4110
 msgid "Decryption failed."
 msgstr "El descifrado ha fallado."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4115
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "No se ha podido escribir la zona activa que comienza en %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4120
 msgid "Failed to sync data."
 msgstr "No se han podido sincronizar los datos."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4128
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "No se han podido actualizar los metadatos tras completar la zona activa de recifrado actual."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4217
 msgid "Failed to write LUKS2 metadata."
 msgstr "No se han podido escribir los metadatos de LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4240
 msgid "Failed to wipe unused data device area."
 msgstr "No se ha podido limpiar el área no utilizada del dispositivo de datos."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4246
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "No se ha logrado borrar la ranura de claves (independiente) %d no utilizada."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4256
 msgid "Failed to remove reencryption keyslot."
 msgstr "No se ha podido borrar la ranura de claves de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4266
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Error fatal mientras se recifraba una porción que comienza en %<PRIu64>, de %<PRIu64> sectores de longitud."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4270
 msgid "Online reencryption failed."
 msgstr "El recifrado «online» ha fallado."
 
 # No sé cómo traducir 'error target'.
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4275
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "No reanudar el dispositivo a menos que se reemplace con «error target» manualmente."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4327
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "No se puede proceder con el recifrado. Estado de recifrado inesperado."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4333
 msgid "Missing or invalid reencrypt context."
 msgstr "Contexto de recifrado ausente o no válido."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "No se ha podido inicializar la pila del dispositivo de recifrado."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4367 lib/luks2/luks2_reencrypt.c:4404
 msgid "Failed to update reencryption context."
 msgstr "No se ha podido actualizar el contexto de recifrado."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Los metadatos de recifrado no son válidos."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:333
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "El rango OPAL %d desplazamiento %<PRIu64> no coincide con los valores esperados %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:340
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "El rango OPAL %d longitud %<PRIu64> no coincide con la longitud esperada %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:346
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "El bloqueo del rango OPAL %d está desactivado."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:356 lib/luks2/hw_opal/hw_opal.c:363
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "Estado de bloqueo del rango OPAL %d inesperado."
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Los parámetros de cifrado de ranura de claves solo pueden configurarse para dispositivos LUKS2."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Introduzca el PIN del «token»: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Introduzca el PIN del «token» %d: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Los parámetros de cifrado de ranura de claves no son compatibles con cifrado de ranura de claves LUKS2."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1171 src/cryptsetup.c:1538
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "ATENCIÓN: Se están utilizando opciones predeterminadas de cifrado (%s-%s, tamaño de clave %u bits) que podrían ser incompatibles con versiones anteriores."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "ATENCIÓN: Se están utilizando opciones predeterminadas de «hash» (%s) que podrían ser incompatibles con versiones anteriores."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "Para modo sin cifrado, utlice siempre las opciones --cipher, --key-size y, si no se utiliza fichero de claves, también --hash."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "Para modo sin cifrado, utlice siempre las opciones --cipher, --key-size y, si no se utiliza fichero de claves ni llavero, también --hash."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ATENCIÓN: No se va a hacer caso del parámetro --hash en modo sin cifrado con el fichero de claves especificado.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ATENCIÓN: No se va a hacer caso de la opción --keyfile-size; el tamaño de lectura es igual al tamaño de la clave de cifrado.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1368 src/cryptsetup.c:1591
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2137
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "La exploración de Blkid ha fallado para %s."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Se ha(n) detectado firma(s) de dispositivo en %s. Si se prosigue, pueden dañarse los datos existentes."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1254 src/cryptsetup.c:1302
+#: src/cryptsetup.c:1375 src/cryptsetup.c:1515 src/cryptsetup.c:1603
+#: src/cryptsetup.c:2488 src/cryptsetup.c:2917 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Operación abortada.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Es necesaria la opción --key-file."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Introduzca PIM de VeraCrypt: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Valor de PIM no válido: error de análisis."
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Valor de PIM no válido: 0."
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Valor de PIM no válido: fuera de rango."
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "No se ha detectado ninguna cabecera de dispositivo con esa frase contraseña."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "El dispositivo %s no es un dispositivo BITLK válido."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "No se puede determinar el tamaño de la clave del volumen para BITLK; utilice la opción --key-size."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:542
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2222,7 +2277,7 @@ msgstr ""
 "sensible que permite el acceso a una partición cifrada sin frase contraseña.\n"
 "Este volcado debería almacenarse siempre cifrado en un lugar seguro."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:609 src/cryptsetup.c:690 src/cryptsetup.c:2513
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2232,84 +2287,84 @@ msgstr ""
 "sensible que permite el acceso a una partición cifrada sin frase contraseña.\n"
 "Este volcado debería almacenarse cifrado en un lugar seguro."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:745 src/cryptsetup.c:777
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "El dispositivo %s no es un dispositivo FVAULT2 válido."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:785
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "No se puede determinar el tamaño de la clave del volumen para FVAULT2; utilice la opción --key-size."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:839 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "El dispositivo %s todavía está activo y programado para borrado diferido.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:872 src/cryptsetup.c:1801 src/cryptsetup.c:2075
+#: src/cryptsetup.c:2222 src/cryptsetup.c:2641 src/cryptsetup.c:2722
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "No se ha podido establecer la ruta de «tokens» externa %s."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:881
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "El cambio de tamaño del dispositivo activo requiere clave de volumen en el llavero pero la opción --disable-keyring está puesta."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1050
 msgid "Benchmark interrupted."
 msgstr "Comparativa interrumpida."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1073
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iteraciones por segundo para clave de %zu bits\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1089
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iteraciones, %5u memora, %1u hilos paralelos (CPUs) para clave de %zu bits (tiempo solicitado %u ms)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1113
 msgid "Result of benchmark is not reliable."
 msgstr "El resultado de la comparativa no es fiable."
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1163
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Las pruebas son solo aproximadas usando memoria (no hay entrada/salida de almacenadmiento).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1188
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algoritmo |     Clave |         Cifrado |      Descifrado\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1196
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "El algoritmo de cifrado %s (con clave de %i bits) no está disponible."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1215
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algoritmo |     Clave |         Cifrado |      Descifrado\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1226
 msgid "N/A"
 msgstr "/N/A"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1251
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2317,27 +2372,27 @@ msgstr ""
 "Se han detectado metadatos de recifrado LUKS2 no protegidos. Verifique que la operación de recifrado es deseable (consulte\n"
 "la salida de luksDump) y continúe (actualización de los metadatos) únicamente si reconoce la operación como auténtica."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1257
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Introduzca la frase contraseña para proteger y actualizar los metadatos del recifrado: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1301
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "¿Está seguro de proceder con la recuperación del recifrado LUKS2?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1310
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Introduzca la frase contraseña para verificar el resumen de los metadatos del recifrado: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1312
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Introduzca la frase contraseña para la recuperación del recifrado: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1374
 msgid "Really try to repair LUKS device header?"
 msgstr "¿Está seguro de que quiere intentar reparar la cabecera del dispositivo LUKS?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1402 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2345,7 +2400,7 @@ msgstr ""
 "\n"
 "Limpieza interrumpida."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1407 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2353,156 +2408,167 @@ msgstr ""
 "Limpieza de dispositivo para inicializar la suma de comprobación de integridad.\n"
 "Puede interrumpirse pulsando CTRL+c (el resto de dispositivo no limpiado contendrá sumas de comprobación no válidas.\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1429 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "No se puede desactivar el dispositivo temporal %s."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1477
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "El cifrado solo hw OPAL no dispone de --cipher ni --key-size; se descartarán estas opciones"
+
+#: src/cryptsetup.c:1490
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "La opción de integridad solo puede utilizarse para formato LUKS2."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1495 src/cryptsetup.c:1575
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Opciones de tamaño de metadatos LUKS2 no admitidas."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1500
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "OPAL solo está disponible para formato LUKS2."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1505
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Las etiquetas hw en línea solo están disponibles para formato LUKS2."
+
+#: src/cryptsetup.c:1514
 msgid "Header file does not exist, do you want to create it?"
 msgstr "No existe el fichero de cabecera; ¿desea crearlo?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1522
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "No se puede crear el fichero de cabecera %s."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1548 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "No se ha detectado ningún patrón conocido de especificación de integridad."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1550
+msgid "Cannot use specified integrity key size."
+msgstr "No se puede utilizar el tamaño de clave de integridad especificado."
+
+#: src/cryptsetup.c:1568
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "No se puede utilizar %s como cabecera en disco."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1597 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Esto sobreescribirá los datos en %s de forma irrevocable."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1634
 msgid "OPAL Admin password cannot be empty."
 msgstr "La contraseña de administrador de OPAL no puede estar vacía."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1648 src/cryptsetup.c:2092 src/cryptsetup.c:2235
+#: src/cryptsetup.c:2370 src/cryptsetup.c:2436 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "No se han podido establecer los parámetros pbkdf."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "La especificación del tipo en la especificación de llavero de --link-vk-to-keyring se ignorará."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "El tipo de clave tiene que ser el mismo para ambas claves de volumen."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Ambas claves de volumen tienen que estar vinculadas al mismo llavero."
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Necesita suministrar más nombres de clave."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Valor de --link-vk-to-keyring no válido."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1779
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "La posición de datos reducida está permitida solamente para cabecera LUKS separada."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1786
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "El contenedor de ficheros LUKS %s is demasiado pequeño para activarlo; no queda espacio para los datos."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1828 src/cryptsetup.c:2241 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "No se puede determinar el tamaño de la clave del volumen para LUKS2 sin ranuras de claves; utilice la opción --key-size."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1847 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "El dispositivo requiere dos claves de volumen."
+
+#: src/cryptsetup.c:1882
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Algunos parámetros de activación especificados se han descartado con el cifrado solo hw OPAL."
+
+#: src/cryptsetup.c:1887
 msgid "Device activated but cannot make flags persistent."
 msgstr "Dispositivo activado pero los indicadores no pueden hacerse persistentes."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1967 src/cryptsetup.c:2035
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "La ranura de claves %d se va a borrar."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1979 src/cryptsetup.c:2039
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Esta es la última ranura de claves. El dispositivo quedará inutilizado después de purgar esta clave."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1980
 msgid "Enter any remaining passphrase: "
 msgstr "Introduzca cualquier frase contraseña que quede: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1981 src/cryptsetup.c:2041
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operación abortada; la ranura de claves NO estaba limpia.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2017
 msgid "Enter passphrase to be deleted: "
 msgstr "Introduzca la frase contraseña que hay que borrar: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2067 src/cryptsetup.c:2419 src/cryptsetup.c:3079
+#: src/cryptsetup.c:3246
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "El dispositivo %s no es un dispositivo LUKS2 válido."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2106 src/cryptsetup.c:2305
 msgid "Enter new passphrase for key slot: "
 msgstr "Introduzca una nueva frase contraseña para la ranura de claves: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2140 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Introduzca el PIN del «token»: "
+
+#: src/cryptsetup.c:2142 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Introduzca el PIN del «token» %d: "
+
+#: src/cryptsetup.c:2201
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "ATENCIÓN: Se utiliza el parámetro --key-slot para el número de una ranura de claves nueva.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2278 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Introduzca cualquier frase contraseña que exista: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2374
 msgid "Enter passphrase to be changed: "
 msgstr "Introduzca la frase contraseña que hay que cambiar: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2390 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Introduzca una nueva frase contraseña: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2440
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Introduzca la frase contraseña para la ranura de claves que se va a convertir: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2464
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "La operación isLuks solo admite un argumento de dispositivo."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2569
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "La ranura de claves %d no contiene clave independiente."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2574
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2510,52 +2576,52 @@ msgstr ""
 "El volcado de la cabecera con clave independiente del volumen es información\n"
 "sensible. Este volcado debería almacenarse cifrado en un lugar seguro."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2669 src/cryptsetup.c:2705
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s no es un nombre de dispositivo %s activo."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2700
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s no es un nombre de dispositivo LUKS activo o falta la cabecera."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2777 src/cryptsetup.c:2796
 msgid "Option --header-backup-file is required."
 msgstr "Es necesaria la opción --header-backup-file."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2827
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s no es un dispositivo gestionable por cryptsetup."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2838
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "El refresco no está disponible para el tipo de dispositivo %s"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2888
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Tipo de dispositivo de metadatos %s no reconocido."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2890
 msgid "Command requires device and mapped name as arguments."
 msgstr "Esta orden necesita como argumentos el dispositivo y el nombre asociado."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2908
 msgid "Enter OPAL PSID: "
 msgstr "Introduzca el PSID de OPAL: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2908
 msgid "Enter OPAL Admin password: "
 msgstr "Introduzca la contraseña de administrador de OPAL: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2916
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "ATENCIÓN: ¡El disco ENTERO será restituido a la configuración de fábrica y todos los datos se perderán! ¿Continuar?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2959
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2564,351 +2630,363 @@ msgstr ""
 "Esta operación borrará todas las ranuras de claves en el dispositivo %s.\n"
 "El dispositivo quedará inutilizable después de esta operación."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2966
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operación abortada; las ranuras de claves NO estaban limpias.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3005
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Tipo LUKS no válido; solo se admiten luks1 y luks2."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3021
 #, c-format
 msgid "Device is already %s type."
 msgstr "El dispositivo ya es de tipo %s."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3028
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Esta operación convertirá el formato %s a %s.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3031
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operación abortada; el dispositivo NO estaba convertido.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3071
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Falta la opción --priority, --label o --subsystem."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3105 src/cryptsetup.c:3145 src/cryptsetup.c:3165
 #, c-format
 msgid "Token %d is invalid."
 msgstr "El «token» %d no es válido."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3108 src/cryptsetup.c:3168
 #, c-format
 msgid "Token %d in use."
 msgstr "El «token» %d está en uso."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3120
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "No se ha podido añadir el «token» %d al llavero luks."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3131 src/cryptsetup.c:3194
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "No se ha logrado asignar el «token» %d a la ranura de claves %d."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Token %d is not in use."
 msgstr "El «token» %d no está en uso."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3185
 msgid "Failed to import token from file."
 msgstr "No se ha podido importar el «token» del fichero."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3210
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "No se ha logrado obtener el «token» %d para exportar."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3223
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "El «token» %d no se ha asignado a la ranura de claves %d."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3225 src/cryptsetup.c:3232
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "No se ha logrado desasignar el «token» %d de la ranura de claves %d."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3291
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "La opción --tcrypt-hidden o --tcrypt-system o --tcrypt-backup solo está disponible para dispositivos TCRYPT."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3294
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Las opciones --veracrypt y --disable-veracrypt solo están disponibles para dispositivos de tipo TCRYPT."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3297
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "La opción --veracrypt-pim solo está disponible para dispositivos compatibles con VeraCrypt."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3301
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "La opción --veracrypt-query-pim  solo está disponible para dispositivos compatibles con VeraCrypt."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3303
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Las opciones --veracrypt-pim y --veracrypt-query-pim son mutuamente excluyentes."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3312
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "La opción --persistent no se permite con --test-passphrase."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3315
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Las opciones --refresh y --test-passphrase son mutuamente excluyentes."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3318
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "La opción --shared solo se permite para abrir dispositivos no cifrados."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3321
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "La opción --skip solo está disponible para abrir dispositivos no cifrados y «loopaes»."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3324
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "La opción --offset con acción de apertura solo está disponible para abrir dispositivos no cifrados y «loopaes»."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3327
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "La opción --tcrypt-hidden no puede combinarse con --allow-discards."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3331
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "La opción de tamaño de sector con acción de apertura solamente está disponible para dispositivos no cifrados."
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3335
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "La opción de sectores IV grandes solo se admite para abrir dispositivo de tipo plano con tamaño de sector mayor de 512 bytes."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3340
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "La opción --test-passphrase solo se permite para abrir dispositivos LUKS, TCRYPT, BITLK y FVAULT2."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3343 src/cryptsetup.c:3373
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Las opciones --device-size y --size no pueden combinarse."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3346
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "La opción --unbound solo se permite para abrir dispositivos luks."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3349
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "La opción --unbound no se puede utilizar sin --test-passphrase."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3353
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "La opción --volume-key-keyring no puede combinarse con --hash ni --volume-key-file."
+
+#: src/cryptsetup.c:3356
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Todas las opciones --volume-key-file tienen que emparejarse con las respectivas opciones --key-size."
+
+#: src/cryptsetup.c:3365 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Las opciones --cancel-deferred y --deferred no pueden utilizarse a la vez."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Las opciones --reduce-device-size y --device-size no pueden combinarse."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3381
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "La opción --active-name solo puede utilizarse para dispositivos LUKS2."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3384
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Las opciones --active-name y --force-offline-reencrypt no pueden combinarse."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3387
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Las opciones --new-volume-key-file y --keep-key no pueden combinarse."
+
+#: src/cryptsetup.c:3390
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Las opciones -volume-key-keyring y --keep-key no pueden combinarse."
+
+#: src/cryptsetup.c:3398 src/cryptsetup.c:3428
 msgid "Keyslot specification is required."
 msgstr "Se requiere especificación de ranura de claves."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3406
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Las opciones --align-payload y --offset no pueden combinarse."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3409
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "La opción --integrity-no-wipe solo puede usarse para la acción de formato con extensión de integridad."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3412
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Solo se permite una de las opciones --use-[u]random."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3420
 msgid "Key size is required with --unbound option."
 msgstr "El tamaño de la clave es requerido con la opción --unbound."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3440
 msgid "Invalid token action."
 msgstr "Acción de «token» no válida."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3443
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "El parámetro --key-description es obligatorio para la acción de añadir «token»."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3460
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "La acción requiere un «token» específico. Utilice el parámetro --token-id."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3451
 msgid "Option --unbound is valid only with token add action."
 msgstr "La opción --unbound solo es válida con la acción de añadir «token»."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3453
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Las opciones --key-slot y --unbound no pueden combinarse."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3458
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "La acción requiere una ranura de claves específica. Utilice el parámetro --key-slot."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3474
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<dispositivo> [--type <tipo> [<nombre>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3474 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "abrir el dispositivo como <nombre>"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3475 src/cryptsetup.c:3476 src/cryptsetup.c:3477
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<nombre>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3475 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "cerrar dispositivo (eliminar asociación)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3476 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "cambiar el tamaño del dispositivo activo"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3477
 msgid "show device status"
 msgstr "mostrar el estado del dispositivo"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3478
 msgid "[--cipher <cipher>]"
 msgstr "[--cypher <algoritmo_de_cifrador>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3478
 msgid "benchmark cipher"
 msgstr "algoritmo de cifrado para pruebas"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3479 src/cryptsetup.c:3480 src/cryptsetup.c:3481
+#: src/cryptsetup.c:3482 src/cryptsetup.c:3483 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3494 src/cryptsetup.c:3495 src/cryptsetup.c:3496
+#: src/cryptsetup.c:3497 src/cryptsetup.c:3498 src/cryptsetup.c:3499
 msgid "<device>"
 msgstr "<dispositivo>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3479
 msgid "try to repair on-disk metadata"
 msgstr "intentar reparar metadatos en disco"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3480
 msgid "reencrypt LUKS2 device"
 msgstr "recifrar dispositivo LUKS2"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3481
 msgid "erase all keyslots (remove encryption key)"
 msgstr "borrar todas las ranuras de claves (eliminar clave de cifrado)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3482
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "convertir formato LUKS de/en LUKS2"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3483
 msgid "set permanent configuration options for LUKS2"
 msgstr "establecer opciones de configuración permanentes para LUKS2"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485
 msgid "<device> [<new key file>]"
 msgstr "<dispositivo> [<nuevo fichero de claves>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3484
 msgid "formats a LUKS device"
 msgstr "da formato a un dispositivo LUKS"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3485
 msgid "add key to LUKS device"
 msgstr "añadir clave a un dispositivo LUKS"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3486 src/cryptsetup.c:3487 src/cryptsetup.c:3488
 msgid "<device> [<key file>]"
 msgstr "<dispositivo> [<fichero de claves>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3486
 msgid "removes supplied key or key file from LUKS device"
 msgstr "elimina la clave suministrada o el fichero de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3487
 msgid "changes supplied key or key file of LUKS device"
 msgstr "cambia la clave suministrada o el fichero de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3488
 msgid "converts a key to new pbkdf parameters"
 msgstr "convierte una clave a los nuevos parámetros pbkdf"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3489
 msgid "<device> <key slot>"
 msgstr "<dispositivo> <ranura de claves>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3489
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "borra la clave con el número <ranura de clave> del dispositivo LUKS"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3490
 msgid "print UUID of LUKS device"
 msgstr "imprimir el UUID del dispositivo LUKS"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3491
 msgid "tests <device> for LUKS partition header"
 msgstr "comprueba si <dispositivo> tiene cabecera de partición LUKS"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3492
 msgid "dump LUKS partition information"
 msgstr "volcar información sobre la partición LUKS"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3493
 msgid "dump TCRYPT device information"
 msgstr "volcar información sobre el dispositivo TCRYPT"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3494
 msgid "dump BITLK device information"
 msgstr "volcar información sobre el dispositivo BITLK"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3495
 msgid "dump FVAULT2 device information"
 msgstr "volcar información sobre el dispositivo FVAULT2"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3496
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspender el dispositivo LUKS y limpiar la clave (todas las entradas/salidas congeladas)."
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3497
 msgid "Resume suspended LUKS device"
 msgstr "Reanudar el dispositivo LUKS suspendido."
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3498
 msgid "Backup LUKS device header and keyslots"
 msgstr "Hacer copia de seguridad de la cabecera y de las ranuras de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3499
 msgid "Restore LUKS device header and keyslots"
 msgstr "Restaurar la cabecera y las ranuras de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3500
 msgid "<add|remove|import|export> <device>"
 msgstr "<añade|elimina|importa|exporta> <dispositivo>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3500
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipular «tokens» LUKS2"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3519 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2916,7 +2994,7 @@ msgstr ""
 "\n"
 "<acción> es una de:\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3525
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2928,7 +3006,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3529
 #, c-format
 msgid ""
 "\n"
@@ -2943,7 +3021,7 @@ msgstr ""
 "<ranura de claves> es el número de la ranura de claves que se va a modificar\n"
 "<fichero de claves> fichero de claves opcional para la nueva clave para la acción 'luksAddKey'\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3536
 #, c-format
 msgid ""
 "\n"
@@ -2952,7 +3030,7 @@ msgstr ""
 "\n"
 "El formato de metadatos predefinido de fábrica es %s (para la acción luksFormat).\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3541
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2960,12 +3038,12 @@ msgstr ""
 "\n"
 "El soporte del «plugin» del «token» externo LUKS2 está activado.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3542
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "ruta del «plugin» del «token» externo LUKS2: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3544
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2973,7 +3051,7 @@ msgstr ""
 "\n"
 "El soporte del «plugin» del «token» externo LUKS2 está desactivado.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3548
 #, c-format
 msgid ""
 "\n"
@@ -2990,7 +3068,7 @@ msgstr ""
 "PBKDF predefinido para LUKS2: %s\n"
 "\tTiempo de iteración: %d, Memoria requerida: %dkB, hilos en paralelo: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3559
 #, c-format
 msgid ""
 "\n"
@@ -3005,110 +3083,122 @@ msgstr ""
 "\tsin cifrado: %s, Clave: %d bits, Contraseña «hashing»: %s\n"
 "\tLUKS: %s, Clave: %d bits, «hashing» de la cabecera LUKS: %s, Generador de números aleatorios: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3568
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: El tamaño de clave predefinido con modo XTS (dos claves internas) va a ser duplicado.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3586 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: necesita %s como argumentos"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3626 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "La ranura de claves no es válida."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3654
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "El tamaño del dispositivo debe ser múltiplo de sectores de 512 bytes."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3659
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "La especificación del tamaño máximo de zona activa del dispositivo no es válida."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3673 src/cryptsetup.c:3690 src/cryptsetup.c:3702
 msgid "Key size must be a multiple of 8 bits"
 msgstr "El tamaño de clave debe ser un múltiplo de 8 bits"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3680
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Como mucho pueden suministrarse 2 especificaciones de tamaño de clave."
+
+#: src/cryptsetup.c:3709 src/cryptsetup.c:3720
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Como mucho pueden suministrarse %d especificaciones de claves de volumen."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3732
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Como mucho pueden suministrarse %d especificaciones de vínculos de llavero."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3741
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "El tamaño máximo de reducción del dispositivo es de 1 GiB."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3744
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "El tamaño de reducción debe ser múltiplo de sectores de 512 bytes."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3761
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "La opción --priority solo puede ser ignore/normal/prefer."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3780 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Mostrar este mensaje de ayuda"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3781 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Mostrar brevemente cómo se usa"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3782 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Imprimir versión del paquete"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3793 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Opciones de ayuda:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3816 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPCIÓN...] <acción> <acción-específica>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3825 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "El argumento <acción> no se ha proporcionado."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3904 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Acción desconocida."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3922
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "La opción --key-file tiene precedencia sobre el argumento de fichero de claves especificado."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3928
 msgid "Only one --key-file argument is allowed."
 msgstr "Solo se permite un argumento --key-file."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3933
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "La función de derivación de clave basada en contraseña (PBKDF) solo puede ser pbkdf2 o argon2i/argon2id."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3938
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Las iteraciones forzadas de PBKDF no pueden combinarse con la opción de tiempo de iteración."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3943
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "No se puede vincular la clave del volumen a un llavero cuando el llavero está desactivado."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3948
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "No se puede utilizar descripción de clave de llavero cuando el llavero está desactivado."
+
+#: src/cryptsetup.c:3953
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "La integridad en línea tiene que utilizarse conjuntamente con la opción --integrity."
+
+#: src/cryptsetup.c:3964
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Las opciones --keyslot-cipher y --keyslot-key-size deben utilizarse juntas."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3972
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "No se ha realizado ninguna acción. Invocado con la opción --test-args.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3985
 msgid "Cannot disable metadata locking."
 msgstr "No se puede desactivar el bloqueo de metadatos."
 
@@ -3136,72 +3226,72 @@ msgstr "No se puede crear el fichero «hash» raíz %s para escribir."
 msgid "Cannot write to root hash file %s."
 msgstr "No se puede escribir en el fichero «hash» raíz %s."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "El dispositivo %s no es un dispositivo VERITY válido."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "No se puede leer el fichero «hash» raíz %s."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "El fichero «hash» raíz %s no es válido."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "La cadena «hash» raíz especificada no es válida."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Fichero de firmas inválido %s."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "No se puede leer el fichero de firmas %s."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Esta orden necesita <«hash»_raíz> o la opción --root-hash-file como argumento."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<dispositivo_de_datos> <dispositivo_«hash»>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "dar formato al dispositivo"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<dispositivo_de_datos> <dispositivo_«hash»> [<«hash»_raíz>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "verificar dispositivo"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<dispositivo_de_datos> <nombre> <dispositivo_«hash»> [<«hash»_raíz>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "mostrar el estado del dispositivo activo"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<dispositivo_«hash»>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "mostrar información sobre el disco"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3216,7 +3306,7 @@ msgstr ""
 "<dispositivo_«hash»> es el dispositivo que contiene los datos de verificación\n"
 "<«hash»_raíz> «hash» del nodo raíz en «dispositivo—«hash»>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3227,15 +3317,19 @@ msgstr ""
 "Parámetros dm-verity predefinidos de fábrica:\n"
 "\tAlgoritmo «hash»: %s, Bloque de datos (bytes): %u, Bloque «hash» (bytes): %u, Tamaño de «salt»: %u, Formato «hash»: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Las opciones --ignore-corruption y --restart-on-corruption no pueden utilizarse juntas."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Las opciones --panic-on-corruption y --restart-on-corruption no pueden utilizarse juntas."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "La opción error-as-corruption tiene que utilizarse con --panic-on-corruption o --restart-on-corruption."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3244,29 +3338,33 @@ msgstr ""
 "Esto sobreescribirá los datos en %s y %s irrevocablemente.\n"
 "Para preservar el dispositivo de datos utilice la opción --no-wipe (y luego actívelo con --integrity-recalculate)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Formato dado con tamaño de etiqueta %u, integridad interna %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Formato dado con tamaño de etiqueta %u%s, integridad interna %s.\n"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (etiquetas hw en línea)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "No se puede poner la opción de recalcular; valore la alternativa de utilizar --wipe."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "El dispositivo %s no es un dispositivo INTEGRITY válido."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<dispositivo_de_integridad>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<dispositivo_de_integridad> <nombre>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3277,7 +3375,7 @@ msgstr ""
 "<nombre> es el dispositivo que se va a crear bajo %s\n"
 "<dispositivo_de_integridad> es el dispositivo que contiene datos con etiquetas de integridad\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3290,43 +3388,51 @@ msgstr ""
 "\tAlgoritmo de la suma de comprobación: %s\n"
 "\tTamaño máximo del fichero de claves: %dkB\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Tamaño de --%s no válido. El máximo es %u bytes."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Deben especificarse las opciones tanto de fichero de claves como tamaño de clave."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Deben especificarse la opción del fichero de clave de integridad del diario y la del tamaño de la clave."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Debe especificarse el algoritmo de integridad del diario si va a utilizarse la clave de integridad del diario."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Deben especificarse la opción del fichero de la clave de cifrado del diario y la del tamaño de la clave."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Debe especificarse el algoritmo de cifrado del diario si va a utilizarse la clave de cifrado del diario."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Las opciones de recuperación y de modo mapa de bits son mutuamente excluyentes."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Las opciones de diario no pueden utilizarse en modo mapa de bits."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Las opciones de mapa de bits solo pueden utilizarse en el modo mapa de bits."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "El modo en línea no puede combinarse con las opciones de diario ni de bitmap."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "El modo en línea no puede combinarse con un dispositivo de datos independiente."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3474,6 +3580,14 @@ msgstr "No se puede abrir el fichero de claves %s para escritura."
 msgid "Cannot write to keyfile %s."
 msgstr "No se puede escribir en el fichero de claves %s."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "El nombre es demasiado largo."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "El nombre tiene que contener el carácter '/'."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3535,37 +3649,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Fallo en la comprobación de la calidad de la contraseña: frase contraseña incorrecta (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Lectura detenida al alcanzar la longitud de entrada interactiva máxima; puede que la contraseña esté recortada."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Error al leer la frase contraseña desde el terminal."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Verifique la frase contraseña: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "La frase contraseña no coincide."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "No se puede usar «offset» con entrada desde terminal."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Introduzca la frase contraseña: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Introduzca la frase contraseña de %s: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "No hay ninguna clave disponible con esa frase contraseña."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "No hay niguna ranura de claves utilizable disponible."
 
@@ -3573,20 +3691,20 @@ msgstr "No hay niguna ranura de claves utilizable disponible."
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "No se puede hacer verificación de frase contraseña en entradas no tty."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "No se ha podido abrir el fichero %s para solo lectura."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Proporciona «token» LUKS2 válido en JSON:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "No se ha podido leer el fichero JSON."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3594,12 +3712,12 @@ msgstr ""
 "\n"
 "Lectura interrumpida."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "No se ha podido abrir el fichero %s para escritura."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3607,26 +3725,26 @@ msgstr ""
 "\n"
 "Escritura interrumpida."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "No se ha podido escribir el fichero JSON."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Se ha detectado automáticamente el dispositivo dm activo '%s' para el dispositivo de datos %s.\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "No se han podido detectar automáticamente los propietarios del dispositivo %s."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "El dispositivo %s no es un dispositivo de bloques.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3640,7 +3758,7 @@ msgstr ""
 "activado. Para realizar recifrado en modo «online», utilice en su lugar\n"
 "el parámetro --active-name.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3649,45 +3767,49 @@ msgstr ""
 "El dispositivo %s no es un dispositivo de bloques. No puede autodetectar si está activo o no.\n"
 "Utilice --force-offline-reencrypt para saltar la comprobación y operar en modo «offline» (¡peligroso!)."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "La opción --resilience solicitada no puede aplicarse a la operación de recifrado actual."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "El dispositivo no está en cifrado LUKS2. Opción conflictiva --encrypt."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "El dispositivo no está en descifrado LUKS2. Opción conflictiva --decrypt."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "El dispositivo está en recifrado utilizando resiliencia ante desplazamiento de datos. No se puede aplicar la opción -resilience solicitada."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1923
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "No se puede determinar el tamaño de la clave del volumen para LUKS sin ranuras de claves; utilice la opción --new-key-size."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "El dispositivo necesita recuperación del recifrado. Primero ejecute una reparación."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "El dispositivo %s ya está en recifrado LUKS2. ¿Desea reanudar la operación iniciada anteriormente?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Ya no se admite el recifrado LUKS2 antiguo."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "No se puede recifrar el dispositivo LUKS2 configurado para utilizar OPAL."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "El recifrado de dispositivo con perfil de integridad no está admitido."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3696,103 +3818,110 @@ msgstr ""
 "La solicitud --sector-size %<PRIu32> es incompatible con el superbloque %s\n"
 "(tamaño de bloque: %<PRIu32> «bytes») detectado en el dispositivo %s."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2203
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "El cifrado sin cabecera separada (--header) no es posible sin reducción del tamaño del dispositivo de datos (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "El desplazamiento de datos solicitado debe ser menor o igual que la mitad del parámetro --reduce-device-size."
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Ajustando el valor de --reduce-device-size al doble de --offset %<PRIu64> (sectores).\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "El fichero de cabecera temporal %s ya existe. Se aborta."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "No se puede crear el fichero de cabecera temporal %s."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "El tamaño de los metadatos LUKS2 es mayor que el valor del desplazamiento de los datos."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "No se ha podido colocar la nueva cabecera en la cabeza del dispositivo %s."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s ahora está activo y preparado para cifrado «online».\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "El dispositivo activo %s no es LUKS2."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Restaurando la cabecera LUKS2 original."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "La restauración de la cabecera LUKS2 original ha fallado."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "El fichero de cabecera %s no existe. ¿Dese inicializar descifrado LUKS2 del dispositivo %s y exportar la cabecera LUKS2 al fichero %s?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "No se ha podido añadir permisos de lectura/escritura al fichero de cabecera exportado."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "La inicialización del recifrado ha fallado. La copia de seguridad de la cabecera está disponible en %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "El descifrado LUKS2 solo admite dispositivo con cabecera separada (con desplazamiento de datos puesto a 0)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Ningún «token» ha podido desbloquear el dispositivo."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "No hay suficientes ranuras de claves para el recifrado."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "El fichero de claves solo puede usarse con --key-slot o con una sola ranura de claves activa exactamente."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "El fichero de claves o la descripción de clave del llavero solo pueden usarse con --key-slot o con una sola ranura de claves activa exactamente."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Introduzca la frase contraseña para la ranura de claves %d: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Introduzca la frase contraseña para la ranura de claves %u: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Cambiando el algoritmo de cifrado de datos a %s.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1976 src/utils_reencrypt.c:1997
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Utilice --force-no-keyslots para recifrar el dispositivo con las ranuras de clave activas pasando las claves del volumen directamente."
+
+#: src/utils_reencrypt.c:1992
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "La opción --new-volume-key-file tiene que ir emparejada con --new-key-size"
+
+#: src/utils_reencrypt.c:2034
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "No ha cambiado ningún parámetro del segmento de datos. Recifrado abortado."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2071
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3800,8 +3929,8 @@ msgstr ""
 "No se admite incrementar el tamaño de sector de cifrado en dispositivo «offline».\n"
 "Primero active el dispositivo o utilice la opción --force-offline-reencrypt (¡peligroso!)"
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2113 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3809,67 +3938,67 @@ msgstr ""
 "\n"
 "Recifrado interrumpido."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2118
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Reanudando recifrado LUKS en modo «offline» forzado.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2141
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "El dispositivo %s contiene metadatos LUKS deteriorados. Se aborta la operación."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2157 src/utils_reencrypt.c:2179
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "El dispositivo %s ya es un dispositivo LUKS. Se aborta la operación."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2185
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "El dispositivo %s ya está en recifrado LUKS. Se aborta la operación."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2268
 msgid "LUKS2 decryption requires --header option."
 msgstr "El descifrado LUKS2 requiere la opción --header."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2316
 msgid "Command requires device as argument."
 msgstr "Esta orden necesita un dispositivo como argumento."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2329
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Versiones en conflicto. El dispositivo %s es LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2335
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Versiones en conflicto. El dispositivo %s está en recifrado LUKS1."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2341
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Versiones en conflicto. El dispositivo %s es LUKS2."
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2347
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Versiones en conflicto. El dispositivo %s está en recifrado LUKS2."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2353
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "El recifrado LUKS2 ya está inicializado. Se aborta la operación."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2360
 msgid "Device reencryption not in progress."
 msgstr "El recifrado del dispositivo no está en proceso."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "No se puede abrir %s en exclusividad; el dispositivo está en uso."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "La reserva de memoria alineada ha fallado."
 
@@ -3892,11 +4021,11 @@ msgstr "No se puede escribir en el dispositivo %s."
 msgid "Cannot write reencryption log file."
 msgstr "No se puede escribir en el fichero de registro de recifrado."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "No se puede leer el fichero de registro de recifrado."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Formato del fichero de registro incorrecto."
 
@@ -3905,130 +4034,134 @@ msgstr "Formato del fichero de registro incorrecto."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "El fichero de registro %s ya existe; reanudando el recifrado.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Activando dispositivo temporal utilizando cabecera LUKS antigua."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Activando dispositivo temporal utilizando cabecera LUKS nueva."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Fallo en la activación de los dispositivos temporales."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "No se ha podido establecer el desplazamiento de los datos."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "No se ha podido establecer el tamaño de los metadatos."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Se ha creado una nueva cabecera LUKS para el dispositivo %s."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Se ha creado una copia de seguridad de la cabecera %s del dispositivo %s."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "No se ha podido crear la copia de seguridad de las cabeceras LUKS."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "No se puede restaurar la cabecera %s en el dispositivo %s."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Se ha restaurado la cabecera %s en el dispositivo %s."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "No se puede abrir el dispositivo LUKS temporal."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "No se puede obtener el tamaño del dispositivo."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "Error de entrada/salida durante el recifrado."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "El UUID proporcionado no es válido."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "El fichero de claves solo puede usarse con --key-slot o con una sola ranura de claves activa exactamente."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "No se puede abrir el fichero de registro de recifrado."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "No hay ningún proceso de descifrado en marcha; el UUID proporcionado solo puede utilizarse para reanudar un proceso de descifrado suspendido."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "El recifrado va a cambiar: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "clave del volumen"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "nuevo algoritmo «hash» "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", nuevo algoritmo de cifrado: "
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "ATENCIÓN: El dispositivo %s ya contiene una firma de partición '%s'.\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "ATENCIÓN: El dispositivo %s ya contiene una firma de superbloque '%s'.\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "No se han podido inicializar los sondeos de firma del dispositivo."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "No se ha podido efectuar «stat» sobre el dispositivo %s."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "No se ha podido abrir el fichero %s para lectura y escritura."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "La firma de la partición '%s' existente en el dispositivo %s va a ser borrada."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "La firma del superbloque '%s' existente en el dispositivo %s va a ser borrada."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "No se ha podido limpiar la firma del dispositivo."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "No se ha podido sondear el dispositivo %s para una firma."
@@ -4043,6 +4176,50 @@ msgstr "La especificación del tamaño no es válida en el parámetro --%s."
 msgid "Option --%s is not allowed with %s action."
 msgstr "La opción --%s no se permite con la acción %s."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "La especificación del tipo en la especificación de llavero de --link-vk-to-keyring se ignorará."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "El tipo de clave tiene que ser el mismo para ambas claves de volumen."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Ambas claves de volumen tienen que estar vinculadas al mismo llavero."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Necesita suministrar más nombres de clave."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Valor de --link-vk-to-keyring no válido."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Puede que los datos binarios de la ranura de claves %d estén corruptos.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Desplazamiento sospechado: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Se suprimen los desplazamientos sospechados subsiguientes.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "La ranura de claves %d no puede leerse del dispositivo."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Puede utilizar hexdump -v -C -n 128 -s <desplazamiento_0xXXXX> \"%s\" para inspeccionar los datos.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "No se ha podido escribir el json del «token» ssh."
@@ -4210,6 +4387,34 @@ msgstr "El método de autenticación de clave pública no está permitido en el
 msgid "Public key authentication error: "
 msgstr "Error de autenticación de clave pública: "
 
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "No se han podido vincular las claves de volumen en el llavero de usuario especificado."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "No se ha podido desvincular la clave del volumen del llavero del hilo."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "La activación de un dispositivo BITLK parcialmente descifrado no puede hacerse."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "No se ha podido leer los requisitos LUKS2."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "ATENCIÓN: la operación de ranura de claves podría fallar porque requiere más memoria de la que está disponible.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "No se ha podido obtener el estado del recifrado."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "No se ha podido leer la frase contraseña desde el llavero."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Las opciones --reduce-device-size y --device-size no pueden combinarse."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Introduzca la frase contraseña para la ranura de claves %u: "
+
 #~ msgid "compiled-in"
 #~ msgstr "integrado en la compilación"
 
@@ -4288,9 +4493,6 @@ msgstr "Error de autenticación de clave pública: "
 #~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 #~ msgstr "La opción --keep-key solamente puede utilizarse con --hash, --iter-time o --pbkdf-force-iterations."
 
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "La opción --new no puede utilizarse conjuntamente con --decrypt."
-
 #~ msgid "Option --decrypt is incompatible with specified parameters."
 #~ msgstr "La opción --decrypt es incompatible con los parámetros especificados."
 
@@ -4381,9 +4583,6 @@ msgstr "Error de autenticación de clave pública: "
 #~ msgid "Progress line update (in seconds)"
 #~ msgstr "Actualización de la línea de progreso (en segundos)"
 
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Con qué frecuencia se puede volver a intentar introducir la frase contraseña"
-
 #~ msgid "Align payload at <n> sector boundaries - for luksFormat"
 #~ msgstr "Alinear los datos a <n> bordes de sector - para luksFormat"
 
@@ -4835,9 +5034,6 @@ msgstr "Error de autenticación de clave pública: "
 #~ msgid "Invalid size parameters for verity device."
 #~ msgstr "Parámetros de tamaño inválido para un dispositivo «verity»."
 
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "El algoritmo para la integridad debe especificarse si se va a utilizar clave de integridad."
-
 #~ msgid "Wrong key size."
 #~ msgstr "Tamaño de clave incorrecto."
 
diff --git a/po/fr.po b/po/fr.po
index 65085c9..c01f09f 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -1,16 +1,16 @@
 # Messages français pour cryptsetup.
-# Copyright (C) 2024 Free Software Foundation, Inc.
+# Copyright (C) 2025 Free Software Foundation, Inc.
 # This file is put in the public domain.
 #
 # Solveig <perso@solveig.org>, 2009.
 # Nicolas Provost <nprovost@quadriv.com>, 2011.
-# Frédéric Marchal <fmarchal@perso.be>, 2024.
+# Frédéric Marchal <fmarchal@perso.be>, 2025.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-07-24 11:39+0200\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-13 14:51+0100\n"
 "Last-Translator: Frédéric Marchal <fmarchal@perso.be>\n"
 "Language-Team: French <traduc@traduc.org>\n"
 "Language: fr\n"
@@ -20,70 +20,78 @@ msgstr ""
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=2; plural=(n >= 2);\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Exécution comme un utilisateur non-root."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Le module noyau dm_mod est-il chargé ?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Le fanion différé demandé n'est pas supporté."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "Le DM-UUID du périphérique %s a été tronqué."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Type de cible dm inconnu."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Les options de performance dm-crypt demandées ne sont pas supportées."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Les options demandées de gestion de corruption des données dm-verity ne sont pas supportées."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "L'option dm-verity tasklets demandée n'est pas supportée."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Les options dm-verity FEC demandées ne sont pas supportées."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Les options d'intégrité de données demandées ne sont pas supportées."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "L'option sector_size demandée n'est pas supportée."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "La taille du périphérique n'est pas un multiple de la taille de secteur demandée."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "L'option integrity_key_size demandée n'est pas supportée."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Le recalcule automatique des balises de sécurité demandés n'est pas supporté."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM n'est pas supporté."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Le mode de carte de bits d'intégrité dm demandé n'est pas supporté."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Le mode en ligne d'intégrité dm demandé n'est pas supporté."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Échec lors de l'interrogation du segment dm-%s."
@@ -117,747 +125,777 @@ msgstr "La qualité du générateur aléatoire RNG demandé est inconnue."
 msgid "Error reading from RNG."
 msgstr "Erreur en lecture du générateur aléatoire RNG "
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "Le support de OPAL est désactivé dans libcryptsetup."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "Le périphérique %s ou le noyau ne supporte pas le chiffrement OPAL."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Impossible d'initialiser le moteur aléatoire RNG pour le chiffrement."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Impossible d'initialiser le moteur de chiffrement."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "L'algorithme de hachage %s n'est pas supporté."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Erreur de traitement de clé (valeur hachage %s)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Impossible de déterminer le type de périphérique. Activation du périphérique incompatible ?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr "Cette opération n'est possible que pour les périphériques LUKS."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Cette opération n'est possible que pour les périphériques LUKS2."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr "Tous les emplacements de clés sont utilisés."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "L'emplacement de clé %d n'est pas valide, merci d'en choisir un entre 0 et %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "L'emplacement de clé %d est utilisé, merci d'en sélectionner un autre."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr "La taille du périphérique n'est pas alignée avec la taille d'un bloc logique du périphérique."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "En-tête détecté mais le périphérique %s est trop petit."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr "Cette opération n'est pas supportée pour ce type de périphérique."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Opération illégale avec une re-chiffrement en cours."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Échec lors du retour en arrière des métadonnées LUKS2 en mémoire."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "%s n'est pas un périphérique LUKS valide."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "La version %d de LUKS n'est pas supportée."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté pour le périphérique actif %s."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr "Le périphérique %s n'est pas activé."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Le périphérique sous-jacent pour le périphérique chiffré %s a disparu."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Paramètres de chiffrement non valides."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "La taille de la clé n'est pas valide."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "le UUID n'est pas supporté avec ce type de chiffrement."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Un périphérique avec des métadonnées détachées n'est pas supporté avec ce type de chiffrement."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr "Taille de secteur de chiffrement non supportée."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr "La taille du périphérique n'est pas alignée avec la taille de secteur demandée."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Impossible de formater en LUKS sans périphérique."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Le périphérique Zoned %s ne peut pas être utilisé pour l'en-tête LUKS."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "L'alignement de données demandé n'est pas compatible avec le décalage des données."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "ATTENTION : Un périphérique DAX peut corrompre les données car il ne garanti pas la mise à jour atomique des secteurs.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Impossible d'effacer l'en-tête du périphérique %s."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Le périphérique %s est trop petit pour l'activation, il ne reste pas d'espace pour les données.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "La clé de volume est trop petite pour chiffrer avec les extensions d'intégrité."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "La taille de la clé d'intégrité est trop petite."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Le chiffrement %s-%s (clé de %zd bits) n'est pas disponible."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "AVERTISSEMENT: L'activation du périphérique va échouer, dm-crypt ne supporte pas la taille de secteur de chiffrement demandée.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr "Le périphérique %s est trop petit."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Impossible de formater le périphérique %s qui est en cours d'utilisation."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Impossible de formater le périphérique %s. Permission refusée."
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Impossible de formater l'intégrité du périphérique %s."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Impossible de formater le périphérique %s"
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "Impossible d'obtenir les paramètres d'alignement de OPAL."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Taille de bloc logique OPAL incorrecte."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "La taille de bloc logique OPAL est différentes de la taille de bloc du périphérique."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "L'offset de données demandé n'est pas compatible avec la taille de bloc de OPAL."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "L'alignement de données demandé n'est pas compatible avec l'alignement de OPAL."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "L'offset de données ne satisfait pas les exigences d'alignement de OPAL."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "L'alignement de données demandé les exigences de la plage d'alignement du verrouillage."
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "La taille du périphérique est compensée avec %<PRIu64> secteurs pour l'aligner avec la granularité de l'alignement de OPAL."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "Impossible d'acquérir le verrou OPAL sur le périphérique %s."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Clé admin OPAL incorrecte."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "Impossible de configurer le segment OPAL."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "Impossible de formater le périphérique %s. Le périphérique OPAL semble maintenant être complètement protégé contre l'écriture."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "Il s'agit peut-être d'un bogue du micro logiciel. Exécutez une réinitialisation PSID OPAL et reconnectez pour récupération."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "La réinitialisation de la plage %d de verrouillage du périphérique %s a échouée."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Impossible de formater LOOPAES sans périphérique."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Impossible de formater VERITY sans périphérique."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Type de hachage VERITY %d non supporté."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Taille de bloc VERITY non supportée."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Décalage de hachage VERITY non supporté."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Décalage VERITY FEC non supporté."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "La zone de données recouvre la zone de hachage."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "La zone de hachage recouvre la zone FEC."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "La zone de données recouvre la zone FEC."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Désaccord avec la taille de la clé."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "ATTENTION : La taille %d demandée pour l'étiquette est différente de la taille de sortie de %s (%d octets).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "Type de chiffrement de périphérique demandé (%s) inconnu."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Type de périphérique %s demandé inconnu ou non supporté."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Le périphérique %s ne fourni pas de champs de données d'intégrité en ligne."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "La taille d'étiquette en ligne %<PRIu32> [octets] est plus grande que %<PRIu32> fournie par le périphérique %s."
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Le secteur doit être le même que le secteur matériel du périphérique (%zu octets)."
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Paramètres non supportés sur le périphérique %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Paramètres non concordants sur le périphérique %s."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr "Désaccord entre les périphériques crypt."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Impossible de recharger le périphérique %s."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Impossible de suspendre le périphérique %s."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Impossible de redémarrer le périphérique %s."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Erreur fatale en rechargeant le périphérique %s (au dessus du périphérique %s)"
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Impossible de basculer le périphérique %s en dm-error."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr "Impossible de redimensionner le périphérique LUKS2 avec une taille statique."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Le redimensionnement d'un périphérique LUKS2 avec un protection d'intégrité n'est pas supporté."
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr "Impossible de redimensionner le périphérique loopback."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "ATTENTION: La taille maximale est déjà définie ou le noyau ne supporte pas le redimensionnement.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Le redimensionnement a échoué, le noyau ne le supporte pas."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr "Voulez vous réellement changer l'UUID du périphérique ?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Le fichier de sauvegarde de l'en-tête ne contient pas d'en-tête compatible LUKS."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Le volume %s n'est pas actif."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Le volume %s est déjà suspendu."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Le périphérique %s ne supporte pas la suspension."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Erreur lors de la suspension du périphérique %s."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Le périphérique %s a été suspendu mais le périphérique matériel OPAL ne sait pas être verrouillé."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Le périphérique %s ne supporte pas la remise en service."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Erreur lors de la remise en service du périphérique %s."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "Impossible de délier la clé du porte-clé utilisateur spécifié."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr "Impossible de lier la clé de volume dans le porte-clé utilisateur."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Le volume %s n'est pas suspendu."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr "Ceci n'est pas la clé du volume."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr "Nouvel emplacement de clé impossible à échanger."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "L'emplacement de clé %d n'est pas valide."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "L'emplacement de clé %d n'est pas actif."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr "L'en-tête du périphérique recouvre la zone de données."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Re-chiffrement en cours. Impossible d'activer le périphérique."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr "Impossible d'obtenir le verrou de re-chiffrement."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "La récupération du rechiffrement LUKS2 avec la/les clé(s) de volume a échoué."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "Impossible de lier les clés de volume dans le porte-clé utilisateur."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "La récupération du rechiffrement LUKS2 a échoué."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Type de périphérique improprement initialisé."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr "Le périphérique %s existe déjà."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Impossible d'utiliser le périphérique %s, le nom est invalide ou est toujours utilisé."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Les clés de rechiffrement du volume ne correspondent pas au volume."
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr "Clé de volume incorrecte pour le périphérique en clair."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Les clés de rechiffrement du volume ne correspondent pas au volume."
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "Type de périphérique improprement initialisé."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Le porte-clé du noyau n'est pas supporté par ce noyau."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Le porte-clé du noyau est manquant : il est requis pour passer une signature au noyau."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Impossible d'utiliser la clé %s du porte clé."
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr "Hachage racine incorrect spécifié pour le périphérique verity."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr "OPAL ne supporte pas la désactivation différée."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Impossible d'annuler la suppression différée du périphérique %s."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Le périphérique %s est toujours occupé."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Impossible d'annuler la suppression différée du périphérique %s."
+
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr "Le périphérique %s n'est pas valide."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr "Le tampon de la clé du volume est trop petit."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS2."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Impossible de récupérer la clé du volume pour le périphérique LUKS1."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Impossible de récupérer la clé du volume pour ce périphérique de type « plain »."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Impossible de récupérer le hachage racine pour le périphérique verity."
 
-#: lib/setup.c:6199
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Impossible de récupérer la clé du volume pour le périphérique BITLK."
 
-#: lib/setup.c:6204
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Impossible de récupérer la clé du volume pour le périphérique FVAULT2."
 
-#: lib/setup.c:6206
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Cette opération n'est pas possible pour le périphérique chiffré %s."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr "L'opération de vidage n'est pas supportée pour ce type de périphérique."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Le décalage des données n'est pas un multiple de %u octets."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Impossible de convertir le périphérique %s qui est toujours en cours d'utilisation."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Échec de l'affectation de l'emplacement de clé %u pour la nouvelle clé de volume."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Échec de l'initialisation des paramètres par défaut des emplacement de clé LUKS2."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Échec de l'affectation de l'emplacement de clé %d aux résumé."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "Impossible de charger la clé dans le porte-clé du noyau."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "Impossible de délier la clé de volume du thread du porte-clé."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "Impossible de trouver le porte-clé décrit par « %s »."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Erreur lors de l'acquisition du verrou global de sérialisation des accès strictes à la mémoire"
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Impossible d'ouvrir le fichier de clef."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Impossible de lire le fichier de clé depuis un terminal."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "Impossible d'exécuter « stat » sur le fichier de clef."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Impossible de sauter au décalage demandé dans le fichier de clé."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Plus assez de mémoire lors de la lecture de la phrase secrète."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Erreur de lecture de la phrase secrète."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Rien à lire en entrée."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Taille max. de fichier de clé dépassée."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Impossible de lire la quantité de données demandée."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Le périphérique %s n'existe pas ou l'accès y est interdit."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Le périphérique %s n'est pas compatible."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "La mauvaise taille de optimal-io est ignorée pour le périphérique de données (%u octets)."
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Le périphérique %s est trop petit. Il a besoin d'au moins %<PRIu64> octets."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Impossible d'utiliser le périphérique %s actuellement utilisé (déjà mappé ou monté)."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Impossible d'utiliser le périphérique %s, permission refusée."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Impossible d'obtenir des informations au sujet du périphérique %s."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Impossible d'utiliser un périphérique loopback. Fonctionne comme un utilisateur non-root."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Impossible d'associer le périphérique loopback (le drapeau « autoclear » est requis)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Le décalage demandé est au delà de la taille réelle du périphérique %s."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Le périphérique %s a une taille nulle."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Le temps cible PBKDF demandé ne peut pas être zéro."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Type PBKDF %s inconnu."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "L'algorithme de hachage %s demandé n'est pas supporté."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Le type PBKDF demandé n'est pas supporté par LUKS1."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "La mémoire maximum ou les threads parallèles de PBKDF ne peuvent pas être définis avec pbkdf2."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Le nombre d'itérations forcées est trop petit pour %s (le minimum est %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Le coût de la mémoire forcé est trop petit pour %s (le minimum est %u kilooctets)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Le coût de la mémoire PBKDF maximum demandée est trop grand (maximum est %d kilooctets)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Le coût de la mémoire PBKDF maximum demandée est trop grand (limité par la taille maximale d'un entier)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "La mémoire PBKDF maximum demandée ne peut pas être zéro."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Le coût parallèle PBKDF maximum demandé est trop grand (maximum est %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Le nombre de threads parallèles PBKDF demandé ne peut pas être zéro."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "Seul PBKDF2 est supporté en mode FIPS."
 
@@ -884,25 +922,25 @@ msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisabl
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisable (%s n'est pas un répertoire)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Impossible de se déplacer au décalage du périphérique."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Erreur durant l'effacement total, offset %<PRIu64>"
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "PSID OPAL incorrecte."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "Impossible d'effacer le périphérique OPAL."
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -911,48 +949,48 @@ msgstr ""
 "Impossible de configurer la correspondance des clés dm-crypt du périphérique %s.\n"
 "Vérifiez que le noyau supporte le chiffrement %s (pour plus d'informations, voir les journaux syslog)."
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "La taille de la clé en mode XTS doit être un multiple de 256 ou 512 bits."
 
 # Frédéric: Je laisse iv (initialisation vector) sous cette forme car elle est plus habituelle que vi
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "La spécification du chiffrement devrait être au format [chiffrement]-[mode]-[iv]."
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Impossible d'écrire sur le périphérique %s. Permission refusée."
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr "Échec lors de l'ouverture du périphérique de stockage temporaire de clés."
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr "Impossible d'accéder au périphérique de stockage temporaire de clés."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Erreur E/S pendant le chiffrement de l'emplacement de clé."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Impossible d'ouvrir le périphérique %s."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Erreur E/S pendant le déchiffrement de l'emplacement de clé."
 
@@ -968,32 +1006,32 @@ msgstr "Le périphérique %s est trop petit (LUKS1 a besoin d'au moins %<PRIu64>
 msgid "LUKS keyslot %u is invalid."
 msgstr "L'emplacement de clé LUKS %u n'est pas valide."
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Le fichier de sauvegarde d'en-tête demandé %s existe déjà."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Impossible de créer le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Impossible d'écrire le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Le fichier de sauvegarde ne contient pas d'en-tête LUKS valide."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Impossible d'ouvrir le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Impossible de lire le fichier de sauvegarde d'en-tête %s."
@@ -1015,7 +1053,7 @@ msgstr "ne contient pas d'en-tête LUKS. Remplacer l'en-tête peut détruire les
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "contient déjà un en-tête LUKS. Remplacer l'en-tête détruira les emplacements de clés actuels."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1042,7 +1080,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Valeur hachée du chiffrement réparée vers des minuscules (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "L'algorithme de hachage LUKS demandé (%s) n'est pas supporté."
@@ -1089,7 +1127,7 @@ msgstr "Le mode de chiffrement LUKS %s n'est pas valide."
 msgid "LUKS hash %s is invalid."
 msgstr "La valeur hachée LUKS %s n'est pas valide."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr "Aucun problème connu détecté pour l'en-tête LUKS."
 
@@ -1103,17 +1141,17 @@ msgstr "Erreur lors de la mise à jour de l'en-tête LUKS sur le périphérique
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Erreur lors de la relecture de l'en-tête LUKS après la mise à jour sur le périphérique %s."
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "L'offset des données d'un en-tête LUKS doit être soit 0 ou soit plus grand que la taille de l'en-tête."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Mauvais format fourni pour le UUID LUKS."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Impossible de créer un en-tête LUKS : échec lors de la lecture de l'aléa."
 
@@ -1122,48 +1160,48 @@ msgstr "Impossible de créer un en-tête LUKS : échec lors de la lecture de l'
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Impossible de créer un en-tête LUKS : le résumé (« digest ») de l'en-tête a échoué (en utilisant l'algorithme de hachage %s)."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "L'emplacement de clé %d est activé, effacez le d'abord."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Le matériel de l'emplacement de clé %d a trop peu de bandes. L'en-tête a-t-il été modifié ?"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Débordement de la valeur d'itération de PBKDF2."
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Impossible d'ouvrir l'emplacement de clé (en utilisant le hachage %s)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "L'emplacement de clé %d n'est pas valide, merci de sélectionner un emplacement entre 0 et %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Impossible d'effacer de façon sécurisée le périphérique %s."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Fichier de clé GPG chiffré détecté mais pas encore supporté."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "SVP utilisez gpg --decrypt <FICHIER DE CLE> | cryptsetup --keyfile=-...\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Fichier de clé incompatible pour boucle « loop-AES »."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Le noyau ne supporte pas les associations de type boucle « loop-AES »."
 
@@ -1182,168 +1220,197 @@ msgstr "Longueur maximum de la phrase secrète TCRYPT (%zu) dépassée."
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "L'algorithme de hachage PBKDF2 %s n'est pas supporté, ignoré."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr "L'interface du noyau requise pour le chiffrement n'est pas disponible."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Vérifiez que le module du noyau algif_skcipher est chargé."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "L'activation n'est pas supportée pour des secteurs de taille %d."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Le noyau ne supporte pas l'activation pour ce mode TCRYPT historique."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Activation du chiffrement du système TCRYPT sur la partition %s."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Impossible de déterminer le décalage de la partition système TCRYPT, la zone de chiffrement entière est activée."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Impossible de déterminer le décalage de la partition système TCRYPT, le périphérique est activé comme une partition système."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Le noyau ne supporte pas les associations de type TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Cette fonction n'est pas supportée sans le chargement de l'en-tête TCRYPT."
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Un type d'entrée « %u » inattendu a été trouvé dans la méta-donnée en analysant la Clé Maître du Volume supportée."
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Chaîne texte invalide rencontrée en analysant la Clé Maître du Volume."
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Chaîne texte (« %s ») inattendue rencontrée en analysant la Clé Maître du Volume supportée."
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "La valeur « %u » pour l'entrée de la méta-donnée est inattendue en analysant la Clé Maître du Volume supportée."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr "La version 1 de BITLK n'est actuellement pas supportée."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Signature d'amorce invalide ou inconnue pour le périphérique BITLK."
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Taille de secteur %<PRIu16> non supportée."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Impossible de lire l'en-tête BITLK depuis %s."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "Impossible de lire ou de valider la copie des méta-données BITLK FVE #%d depuis %s."
+
+#: lib/bitlk/bitlk.c:603
+#, c-format
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "Impossible de lire et de valider les méta-données BITLK FVE depuis %s."
+
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "Impossible de valider l'emplacement des méta-données BITLK FVE depuis %s."
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "Les méta-données de BITLK FVE ont changé après la lecture depuis %s."
+
+#: lib/bitlk/bitlk.c:628
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "Impossible de lire les méta-données BITLK FVE depuis %s."
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "Impossible de hacher les méta-données BITLK FVE lues depuis %s."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "Impossible d'analyser les méta-données de validation de BITLK FVE depuis %s."
+
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr "Type de chiffrement inconnu ou non supporté."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
-msgstr "Impossible de lire les entrées des méta-données de BITLK depuis %s."
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "Impossible de contrôler les entrées des méta-données de BITLK précédemment lues depuis %s."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr "Échec lors de la conversion de la description du volume BITLK"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Un type d'entrée « %u » inattendu a été trouvé dans la méta-donnée en analysant la clé externe."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "Le GUID du fichier BEK « %s » ne correspond pas au GUID du volume."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "La valeur « %u » pour l'entrée de la méta-donnée est inattendue en analysant la clé externe."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Métadonnées BEK version %<PRIu32> non supportées"
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "La taille inattendue des métadonnées BEK %<PRIu32> ne correspond pas à la longueur du fichier BEK"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Une entrée de méta-donnée inattendue a été trouvée en analysant la clé de démarrage."
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr "Cette opération n'est pas supportée."
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr "Taille inattendue pour les données de la clé."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Ce périphérique BITLK est dans un état non supporté et ne peut pas être activé."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Les périphériques BITLK avec le type « %s » ne peuvent pas être activés."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "L'activation d'un périphérique BITLK partiellement déchiffré n'est pas supporté."
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "AVERTISSEMENT: La taille %<PRIu64> du volume BitLocker ne correspond pas à la taille %<PRIu64> du périphérique sous-jacent"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas BITLK IV."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas le diffuseur BITLK Elephant."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas une grande taille de secteur."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Impossible d'activer le périphérique car le module dm-zero est manquant dans le noyau."
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Échec à la lecture de %u octets dans l'en-tête du volume."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Version FVAULT2 %<PRIu16> non supportée."
@@ -1380,24 +1447,24 @@ msgstr "La vérification de la signature du hachage racine n'est pas supportée.
 msgid "Root hash signature required."
 msgstr "Signature de hachage racine requise."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Les erreurs ne savent pas être réparées avec un périphérique FEC."
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "%u erreurs réparables ont été trouvées avec le périphérique FEC."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Le noyau ne supporte pas les associations de type dm-verity."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Le noyau ne supporte pas les options de signature dm-verity."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Le périphérique verity a détecté une corruption après l'activation."
 
@@ -1420,23 +1487,23 @@ msgstr "La vérification a échoué à la position %<PRIu64>."
 msgid "Hash area overflow."
 msgstr "Débordement de la zone de hachage."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "La vérification de la zone de données a échoué."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "La vérification du hachage de la racine a échoué."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Erreur d'entrée/sortie lors de la création de la zone de hachage."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "La création de la zone de hachage a échoué."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ATTENTION : Le kernel ne peut pas activer le périphérique si la taille des blocs de données dépasse la taille d'une page (%u)."
@@ -1486,34 +1553,38 @@ msgstr "Longueur de segment FEC invalide."
 msgid "Failed to determine size for device %s."
 msgstr "Impossible de déterminer la taille du périphérique %s."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Métadonnées dm-integrity du noyau incompatible (version %u) détectée sur %s."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Le noyau ne supporte pas les associations de type dm-integrity."
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Le noyau ne supporte pas les alignements de méta-données fixés de dm-integrity."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Le noyau refuse d'activer l'option de recalcul non sûre (voyez les options d'activation historique pour outrepasser)."
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Le noyau ne supporte pas le mode en ligne de dm-integrity."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Impossible d'acquérir un verrou en écriture sur le périphérique %s."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Tentative détectée de mettre à jour les métadonnées LUKS2 de manière concurrent. L'opération est abandonnée."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1521,59 +1592,63 @@ msgstr ""
 "Le périphérique contient une signature ambigüe, impossible de récupérer automatiquement LUKS2.\n"
 "Veuillez exécuter « cryptsetup repair » pour la récupération."
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ATTENTION: la zone des emplacements de clés (%<PRIu64> octets) est très petite, le nombre d'emplacements de clés LUKS2 est très limité.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Le décalage de données demandé est trop petit."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "ATTENTION: La taille des métadonnées LUKS2 est devenue %<PRIu64> octets.\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "ATTENTION: La taille de la zone des emplacements de clés LUKS2 est devenue %<PRIu64> octets.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Impossible d'acquérir le verrou de lecture sur le périphérique %s."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "L'étiquette est trop longue."
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Des exigences LUKS2 interdites ont été détectées dans la sauvegarde %s."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Les décalages des données ne sont pas identiques sur le périphérique et la sauvegarde, la restauration a échoué."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Les en-têtes binaires avec des tailles de zones d'emplacements de clés sont différents sur le périphérique et la sauvegarde, la restauration a échouée."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Périphérique %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "ne contient pas d'en-tête LUKS2. Remplacer l'en-tête peut détruire les données de ce périphérique."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "contient déjà un en-tête LUKS2. Remplacer l'en-tête détruira les emplacements de clés actuels."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1583,7 +1658,7 @@ msgstr ""
 "ATTENTION: des exigences LUKS2 inconnues ont été détectées sur l'en-tête du périphérique réel !\n"
 "Remplacer l'en-tête par la sauvegarde peut corrompre les données sur ce périphérique !"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1593,111 +1668,111 @@ msgstr ""
 "ATTENTION: Un rechiffrement hors-ligne non terminé a été détecté sur le périphérique !\n"
 "Remplacer l'en-tête par la sauvegarde peut corrompre les données."
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Fanion inconnu %s ignoré."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Clé manquante pour le segment %u de dm-crypt"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr "Impossible de définir le segment dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr "Impossible de définir le segment dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté dans l'en-tête LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr "Un périphérique OPAL doit avoir une taille de périphérique statique."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "Un périphérique OPAL chiffré avec intégrité doit être plus petit que la plage de verrouillage."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr "Un périphérique OPAL doit avoir la même taille que la plage de verrouillage."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "Le périphérique OPAL %s est déjà déverrouillé.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr "Configuration d'intégrité du périphérique non supportée."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "Les secteurs de données fournis sont inattendus pour le périphérique dm-integrity sous-jacent."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Re-chiffrement en cours. Le périphérique ne peut être désactivé."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Échec du remplacement du périphérique suspendu %s avec la cible dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "Le périphérique %s a été désactivé mais le périphérique matériel OPAL ne sait pas être verrouillé."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "Échec lors de la lecture des exigences LUKS2."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Des exigences LUKS2 non rencontrées ont été détectées."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement historique. Abandon."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement LUKS2. Abandon."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Opération incompatible avec un périphérique utilisant OPAL. Abandon."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Opération incompatible avec un périphérique utilisant les étiquettes HW. Abandon."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Pas assez de mémoire disponible pour ouvrir l'emplacement de clé."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Échec de l'ouverture de l'emplacement de clé."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Impossible d'utiliser le chiffrement %s-%s pour le chiffrement de l'emplacement de clé"
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Pas assez de mémoire pour la dérivation des clés des emplacement de clés."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "L'algorithme de hachage %s n'est pas disponible."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "Attention : l'opération sur l'emplacement de clé peut échouer car il requiert plus de mémoire disponible.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr "Plus d'espace pour le nouvel emplacement de clé."
 
@@ -1723,429 +1798,439 @@ msgstr "Ne peut vérifier le statut du périphérique avec le uuid : %s."
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Impossible de convertir un en-tête avec des métadonnées LUKSMETA supplémentaires."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Impossible d'utiliser la spécification de chiffrement %s-%s pour LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Impossible d'utiliser la spécification de chiffrement %s-%s pour un emplacement de clé LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Impossible de déplacer la zone des emplacements de clés. Pas assez d'espace."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Impossible de convertir au format LUKS2 – métadonnées invalides."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Impossible de déplacer la zone des emplacements de clés. Les emplacements de clés LULS2 sont trop petits."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Impossible de déplacer la zone des emplacements de clés."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Impossible de convertir au format LUKS1 – la taille du secteur de chiffrement du segment par défaut n'est pas 512 octets."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Impossible de convertir au format LUKS1 – les résumés des emplacements de clés ne sont pas compatibles avec LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise des clés de chiffrement %s emballées."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise plus de segments."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Impossible de convertir au format LUKS1 – l'en-tête LUKS2 contient %u jeton(s)."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Impossible de convertir au format LUKS1 – il n'y a pas d'emplacements de clés actifs."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u est dans un état invalide."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u n'est pas lié."
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement %u (sur les emplacements maximum) est toujours actif."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u n'est pas compatible avec LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "La taille de la zone chaude doit être un multiple de l'alignement de zone calculé (%zu octets)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "La taille du périphérique doit être un multiple de l'alignement de zone calculé (%zu octets)."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Impossible d'initialiser l'encapsulation pour le stockage de l'ancien segment."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Impossible d'initialiser l'encapsulation pour le stockage du nouveau segment."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
 msgstr "Impossible d'initialiser la protection des zones chaudes."
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
 msgstr "Impossible de lire les sommes de contrôle pour la zone chaude actuelle."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Échec de la lecture de la zone chaude démarrant à %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Échec lors du déchiffrement du secteur %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Échec lors de la récupération du secteur %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Les tailles des périphériques source et cible ne correspondent pas. Source %<PRIu64>, cible: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Échec de l'activation du périphérique de zone chaude %s."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "Échec de l'allocation de la zone chaude du périphérique %s."
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Impossible d'activer le périphérique de surcouche %s avec la table d'origine actuelle."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Impossible de charger la nouvelle cartographie du périphérique %s."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Impossible de rafraîchir la pile des périphériques de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr "Impossible de définir la taille de la nouvelle zone des emplacements de clés."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "La valeur de décalage de données n'est pas alignée sur la taille de secteur de chiffrement (%<PRIu32> octets)."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Mode de résilience %s non supporté"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "La taille du secteur déplacé ne peut pas être plus grande que la valeur de décalage des données."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr "Paramètres de rechiffrement de la résilience invalides."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Le segment déplacé est trop grand. La taille demandée est %<PRIu64>, l'espace disponible est %<PRIu64>"
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr "Erreur lors de la suppression de la table."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Le décalage de données (%<PRIu64> secteurs) est plus petit que le décalage de données future (%<PRIu64> secteurs)."
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
 msgid "Reduced data size is larger than real device size."
 msgstr "La taille des données réduites est plus grande que la taille réelle du périphérique."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Le périphérique de données n'est pas aligné sur la taille de secteur de chiffrement (%<PRIu32> octets)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Le décalage de données (%<PRIu64> secteurs) est plus petit que le décalage de données future (%<PRIu64> secteurs)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Erreur lors de l'ouverture de %s en mode exclusif (déjà mappé ou monté)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Le périphérique n'est pas marqué pour le rechiffrement LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Échec du chargement du contexte de rechiffrement LUKS2"
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "Impossible d'obtenir l'état de rechiffrement."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr "Le périphérique n'est pas en rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr "Le rechiffrement est déjà en cours."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr "Impossible d'acquérir le verrou de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Impossible de réaliser le rechiffrement. Exécutez d'abord la récupération du rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr "La taille du périphérique actif et la taille de rechiffrement demandée ne correspondent pas."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Taille de périphérique illégale demandée dans les paramètres de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Rechiffrement en cours. La récupération ne peut pas être réalisée."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "La récupération du rechiffrement LUKS2 a échoué."
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "Impossible d'initialiser la pile du périphérique de rechiffrement."
+
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Rechiffrement LUKS2 déjà initialisé dans les métadonnées."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Échec de l'initialisation du rechiffrement LUKS2 dans les métadonnées."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "Le rechiffrement n'est pas supporté avec les périphériques DAX (mémoire persistante)."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "Échec lors de la lecture du mot de passe depuis le porte-clé."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Impossible de définir les segments du périphérique pour le rechiffrement suivant de la zone chaude."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Échec lors de l'écriture des métadonnées de la résilience du rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr "Échec du déchiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Échec de l'écriture de la zone chaude démarrant à %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr "Erreur lors de la synchronisation des données."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Échec de la mise à jour des métadonnées après la fin du rechiffrement de la zone chaude courante."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr "Échec lors de l'écriture des métadonnées LUKS2"
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
 msgstr "Impossible d'effacer la zone du périphérique contenant les données inutilisées."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Erreur lors de la suppression de l'emplacement de clé inutilisé (unbound) %d."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr "Erreur lors de la suppression de l'emplacement de clé de re-chiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Erreur fatale en rechiffrant le morceau commençant à %<PRIu64> d'une longueur de %<PRIu64> secteurs."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr "Échec du rechiffrement en-ligne."
 
 # Frédéric: Je n'ai pas la moindre idée de ce que le développeur a voulu écrire. Qu'est-ce que "error target" dans ce contexte ?
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Ne pas redémarrer le périphérique à moins qu'il ait été remplacé manuellement par la cible en erreur."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Impossible de réaliser le rechiffrement. Statut de rechiffrement inattendu."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr "Contexte de rechiffrement manquant ou invalide."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "Impossible d'initialiser la pile du périphérique de rechiffrement."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr "Échec de la mise à jour du contexte de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Les méta-données de rechiffrement sont invalides."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "Pour la plage OPAL %d, l'offset %<PRIu64> ne correspond pas aux valeurs %<PRIu64> attendues."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "Pour la plage OPAL %d, la longueur %<PRIu64> ne correspond pas à la longueur %<PRIu64> du périphérique."
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "Pour la plage OPAL %d, le verrouillage est désactivé."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "État de verrouillage inattendu pour la plage OPAL %d."
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Les paramètres de chiffrement des emplacement de clés peuvent uniquement être définis pour un périphérique LUKS2."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Entrez le code PIN du jeton : "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Entrez le code PIN du jeton %d : "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Les paramètres de chiffrement des emplacement de clés ne sont pas compatibles avec le chiffrement des emplacements de LUKS2."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "ATTENTION : Utilisation des options par défaut pour le chiffrement (%s-%s, taille de clé %u bits) qui pourraient être incompatibles avec les vieilles versions."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "ATTENTION : Utilisation des options par défaut pour le hachage (%s) qui pourraient être incompatibles avec les vieilles versions."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "En mode simple, utilisez toujours les options --cipher, --key-size et si aucun fichier de clé n'est utilisé, alors, aussi --hash."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "En mode simple, utilisez toujours les options --cipher, --key-size et si aucun fichier de clé ou porte clé n'est utilisé, alors, aussi --hash."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ATTENTION: Le paramètre --hash est ignoré en mode non chiffré quand le fichier de clé est spécifié.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ATTENTION: L'option --keyfile-size est ignorée. La taille de lecture est la même que la taille de la clé de chiffrement.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "L'analyse de blkid a échouée pour %s."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Signature(s) de périphérique détectée(s) sur %s. Continuer risque d'endommager les données existantes."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Opération interrompue.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "L'option --key-file est requise."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Entrez le PIN VeraCrypt : "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Valeur PIN invalide : erreur d'analyse"
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Valeur PIN invalide: 0"
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Valeur PIN invalide: hors des limites."
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "Aucun en-tête détecté avec cette phrase secrète sur le périphérique."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Le périphérique %s n'est pas un périphérique BITLK valide."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Impossible de déterminer la taille de la clé de volume pour BITLK, veuillez utiliser l'option --key-size."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2155,7 +2240,7 @@ msgstr ""
 "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n"
 "Ce contenu devrait toujours être stocké, chiffré, en lieu sûr."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2165,84 +2250,84 @@ msgstr ""
 "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n"
 "Ce contenu devrait être stocké, chiffré, en lieu sûr."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Le périphérique %s n'est pas un périphérique FVAULT2 valide."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Impossible de déterminer la taille de la clé de volume pour FVAULT2, veuillez utiliser l'option --key-size."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Le périphérique %s est toujours actif et prévu pour une suppression différée.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "Échec en essayant de définir le chemin %s pour les jetons externes."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Le redimensionnement d'un périphérique actif requiert que la clé du volume soit dans le porte-clé mais l'option --disable-keyring est définie."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr "Test de performance interrompu."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u itérations par seconde pour une clé de %zu bits\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u itérations, %5u mémoire, %1u threads parallèles (CPUs) pour une clé de %zu bits (temps de %u ms demandé)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr "Le résultat de l'évaluation de performance n'est pas fiable."
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Tests approximatifs en utilisant uniquement la mémoire (pas de stockage E/S).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algorithme |       Clé |     Chiffrement |    Déchiffrement\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Le chiffrement %s (avec une clé de %i bits) n'est pas disponible."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#    Algorithme |       Clé |     Chiffrement |    Déchiffrement\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr "N/D"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2251,27 +2336,27 @@ msgstr ""
 "désirable (consultez la sortie de luksDump) et continuez (mise à niveau des métadonnées) uniquement si vous constatez que\n"
 "l'opération est légitime."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Entrez la phrase secrète pour protéger et mettre à niveau les métadonnées de rechiffrement : "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Réellement procéder à la récupération du rechiffrement LUKS2 ?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Entrez la phrase secrète pour vérifier le résumé des métadonnées du rechiffrement : "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Entrez la phrase secrète pour la récupération du rechiffrement : "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr "Réellement essayer de réparer l'en-tête du périphérique LUKS ?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2279,7 +2364,7 @@ msgstr ""
 "\n"
 "Effacement interrompu."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2287,156 +2372,167 @@ msgstr ""
 "Effacement du périphérique pour initialiser les sommes de contrôle d'intégrité.\n"
 "Vous pouvez interrompre ceci en appuyant sur CTRL+c (le reste du périphérique effacé contiendra toujours des sommes de contrôle invalides).\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Impossible de désactiver le périphérique temporaire %s."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "Un chiffrement utilisant uniquement OPAL hw ne supporte pas --cipher et --key-size, les options sont ignorées."
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "L'option d'intégrité peut uniquement être utilisée avec le format LUKS2."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Options de taille des métadonnées LUKS2 non supportées."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "OPAL est uniquement supporté avec le format LUKS2."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Les étiquettes hw en ligne sont uniquement supportées avec le format LUKS2."
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Le fichier d'en-tête n'existe pas, voulez-vous le créer ?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Impossible de créer le fichier d'en-tête %s."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Aucun motif connu de spécification d'intégrité n'a été détecté."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "Impossible d'utiliser la taille de clé d'intégrité spécifiée."
+
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Ne peut utiliser %s comme en-tête sur disque."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Cette action écrasera définitivement les données sur %s."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr "Le mot de passe Admin de OPAL ne peut pas être vide."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Impossible de définir les paramètres pbkdf."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "La spécification de type dans la spécification du porte-clé --link-vk-to-keyring est ignorée."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "Les types de clés doivent être les même pour les deux clés de volume."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Les deux clés de volume doivent être liée au même porte-clé"
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Vous devez fournir plus de noms de clés."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Valeur invalide pour --link-vk-to-keyring."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Décalage réduit de données est uniquement permis dans un en-tête LUKS détaché."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Le container %s du fichier LUKS est trop petit pour l'activation, il ne reste pas d'espace pour les données."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Impossible de déterminer la taille de la clé de volume pour LUKS sans emplacement de clé, veuillez utiliser l'option --key-size."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Le périphérique requiert deux clés de volume."
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Certains paramètres d'activation spécifiés ont été ignorés avec le chiffrement utilisant uniquement OPAL hw."
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr "Le périphérique a été activé mais les fanions ne peuvent pas être rendus permanents."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Emplacement de clé %d sélectionné pour suppression."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Ceci est le dernier emplacement de clé. Le périphérique sera inutilisable après la suppression de cette clé."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr "Entrez toute phrase secrète restante : "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Opération interrompue, l'emplacement de clé n'a PAS été effacé.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr "Entrez la phrase secrète à effacer : "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "%s n'est pas un périphérique LUKS2 valide."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr "Entrez une nouvelle phrase secrète pour l'emplacement de clé : "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Entrez le code PIN du jeton : "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Entrez le code PIN du jeton %d : "
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "ATTENTION: Le paramètre --key-slot est utilisé pour le nouveau numéro de l'emplacement de clé.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Entrez une phrase secrète existante : "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr "Entrez la phrase secrète à changer : "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Entrez la nouvelle phrase secrète : "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Entrez la phrase secrète pour l'emplacement de clé à convertir: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "L'opération isLuks supporte seulement un périphérique en argument."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "L'emplacement de clé %d ne contient pas de clé non liée."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2444,52 +2540,52 @@ msgstr ""
 "Le contenu de l'en-tête avec une clé non liée est une information sensible.\n"
 "Ce contenu devrait être stocké, chiffré, en lieu sûr."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s n'est pas un nom de périphérique %s actif."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s n'est pas un nom de périphérique LUKS actif ou l'en-tête est manquant."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr "L'option --header-backup-file est requise."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s n'est pas un périphérique géré par cryptsetup."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Le rafraîchissement n'est pas supporté pour un périphérique de type %s"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Type de métadonnée du périphérique %s non reconnu."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr "La commande exige un périphérique et un nom de correspondance comme arguments."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr "Entrez le PSID OPAL : "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr "Entrez le mot de passe Admin de OPAL : "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "ATTENTION : Le disque ENTIER sera réinitialisé d'usine et toutes les données seront perdues ! Continuer ?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2498,351 +2594,363 @@ msgstr ""
 "Cette opération va supprimer tous les emplacements de clés du périphérique %s.\n"
 "Le périphérique sera inutilisable après cette opération."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Opération interrompue, les emplacements de clés n'ont PAS été effacés.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Type LUKS invalide, seuls luks1 et luks2 sont supportés."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr "Le périphérique est déjà du type %s."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Cette opération va convertir %s au format %s.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Opération interrompue, le périphérique n'a PAS été converti.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "L'option --priority, --label ou --subsystem est manquante."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Le jeton %d est invalide."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr "Le jeton %d est utilisé."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Échec lors de l'ajout du jeton %d au porte-clé luks2."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Échec lors de l'affectation du jeton %d à l'emplacement de clé %d."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Le jeton %d n'est pas utilisé."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr "Impossible d'importer le jeton depuis le fichier."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Impossible d'obtenir le jeton %d pour l'export."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Le jeton %d n'est pas assigné à l'emplacement de clé %d."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Impossible de dissocier le jeton %d de l'emplacement de clé %d."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Les options --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup sont supportées seulement pour un périphérique TCRYPT."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "L'option --veracrypt ou --disable-veracrypt est uniquement supportée pour un périphérique de type TCRYPT."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "L'option --veracrypt-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "L'option --veracrypt-query-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Les options --veracrypt-pim et --veracrypt-query-pim sont mutuellement exclusives."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "L'option --persistent n'est pas permise avec --test-passphrase."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Les options --refresh et --test-passphrase sont mutuellement exclusives."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "L'option --shared est permise uniquement pour ouvrir un périphérique ordinaire."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "L'option --skip est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "L'option --offset avec l'action d'ouverture est supportée uniquement pour des périphériques ordinaires et loopaes."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "L'option --tcrypt-hidden ne peut pas être combinée avec --allow-discards."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "L'option de taille de secteur avec l'action d'ouverture est uniquement supportée pour des périphérique ordinaires."
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "L'option des secteurs IV (vecteur d'initialisation) de grande taille est supportée uniquement à l'ouverture de périphériques de type simple avec une taille de secteur supérieure à 512 octets."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS, TCRYPT, BITLK et FVAULT2."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Les options --device-size et --size ne peuvent pas être combinées."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "L'option --unbound est permise uniquement pour ouvrir un périphérique luks."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "L'option --unbound ne peut pas être utilisée sans --test-passphrase."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "L'option --volume-key-keyring ne peut pas être combinée avec --hash ou --volume-key-file."
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Les deux options --volume-key-file doivent être appariées avec les options --key-size respectives."
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Les options --cancel-deferred et --deferred ne peuvent pas être utilisées en même temps."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Les options --reduce-device-size et --device-size ne peuvent pas être combinées."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "L'option --active-name peut uniquement être définie pour un périphérique LUKS2."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Les options --active-name et --force-offline-reencrypt ne peuvent pas être combinées."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Les options --new-volume-key et --keep-key ne peuvent pas être combinées."
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Les options --new-volume-key-keyring et --keep-key ne peuvent pas être combinées."
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr "Une spécification d'emplacement de clé est requise."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Les options --align-payload et --offset ne peuvent pas être combinées."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "L'option --integrity-no-wipe peut uniquement être utilisée pour une action de formatage avec l'extension d'intégrité."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Seule une des deux possibilités --use-[u]random est autorisée."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr "La taille de clé est requise avec l'option --unbound."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr "L'action de jeton est invalide."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Le paramètre --key-description est requis pour l'action d'ajout d'un jeton."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --token-id."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr "L'option --unbound est uniquement valable avec l'action d'ajout d'un jeton."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Les options --key-slot et --unbound ne peuvent pas être combinées."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --key-slot."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<périphérique> [--type <type>] [<nom>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "ouvrir le périphérique comme <nom>"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<nom>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "fermeture du périphérique (supprime le « mapping »)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "redimensionner le périphérique actif"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr "afficher le statut du périphérique"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <chiffrement>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr "chiffrement pour test de performance"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr "<périphérique>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr "essayer de réparer les métadonnées sur le disque"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr "rechiffrer le périphérique LUKS2"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr "supprimer tous les emplacements de clés (supprime la clé de chiffrement)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "convertir LUKS depuis/vers le format LUKS2"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr "définir les options de configuration permanentes pour LUKS2"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr "<périphérique> [<fichier de la nouvelle clé>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr "formater un périphérique LUKS"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr "ajouter une clé au périphérique LUKS"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr "<périphérique> [<fichier de clé>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr "retire du périphérique LUKS la clé ou le fichier de clé fourni"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr "modifie la clé ou le fichier de clé fourni pour le périphérique LUKS"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr "converti une clé vers les nouveaux paramètres pbkdf"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr "<périphérique> <emplacement de clé>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "efface de façon sécurisée la clé avec le numéro <emplacement de clé> du périphérique LUKS"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr "afficher l'UUID du périphérique LUKS"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr "teste si <périphérique> a un en-tête de partition LUKS"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr "affiche les informations LUKS de la partition"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr "affiche les informations du périphérique TCRYPT"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr "affiche les informations du périphérique BITLK"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr "affiche les informations du périphérique FVAULT2"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspendre le périphérique LUKS et effacer de façon sécurisée la clé (toutes les entrées/sorties sont suspendues)"
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr "Remettre en service le périphérique LUKS suspendu"
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr "Sauvegarder l'en-tête et les emplacements de clés du périphérique LUKS"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr "Restaurer l'en-tête et les emplacements de clés du périphérique LUKS"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <périphérique>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipuler les jetons LUKS2"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2850,7 +2958,7 @@ msgstr ""
 "\n"
 "<action> est l'une de :\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2862,7 +2970,7 @@ msgstr ""
 "\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2877,7 +2985,7 @@ msgstr ""
 "<emplacement> est le numéro de l'emplacement de clé LUKS à modifier\n"
 "<fichier de clé> est un fichier optionnel contenant la nouvelle clé pour l'action luksAddKey\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
@@ -2886,7 +2994,7 @@ msgstr ""
 "\n"
 "Le format de métadonnées compilé par défaut est %s (pour l'action luksFormat).\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2894,12 +3002,12 @@ msgstr ""
 "\n"
 "Le support du greffon de jeton externe LUKS2 est enabled.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Chemin du greffon de jeton externe LUKS2 : %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2907,7 +3015,7 @@ msgstr ""
 "\n"
 "Le support du greffon de jeton externe LUKS2 est désactivé.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2924,7 +3032,7 @@ msgstr ""
 "PBKDF par défaut pour LUKS2 : %s\n"
 "\tTemps d'itération: %d, Mémoire requise: %d ko, Threads parallèles: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2939,110 +3047,122 @@ msgstr ""
 "\tplain: %s, Clé: %d bits, Hachage mot de passe: %s\n"
 "\tLUKS: %s, Clé: %d bits, Hachage en-tête LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: La taille de clé par défaut en mode XTS (deux clés internes) sera doublée.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s : exige %s comme arguments."
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Emplacement de clé non valide."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "La taille du périphérique doit être un multiple d'un secteur de 512 octets."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "La spécification de la taille maximale de la zone chaude de rechiffrement est invalide."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr "La taille de la clé doit être un multiple de 8 bits"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Au plus 2 spécifications de taille de clé peuvent être fournies."
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Au plus %d spécifications de clés de volume peuvent être fournies."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Au plus %d spécifications de liaison de porte-clé peuvent être fournies."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "La taille maximum réduite pour le périphérique est 1 GiB."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "La taille réduite doit être un multiple d'un secteur de 512 octets."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "L'option --priority peut uniquement être ignore/normal/prefer."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Afficher ce message d'aide"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Afficher, en résumé, la syntaxe d'invocation"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Afficher la version du paquet"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Options d'aide :"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPTION...] <action> <paramètres de l'action>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Il manque l'argument <action>."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Action inconnue."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "L'option --key-file est prioritaire par rapport à un fichier de clé spécifié en argument."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr "Un seul argument --key-file est autorisé."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "La fonction de dérivation d'une clé basée sur un mot de passe (PBKDF = Password-Based Key Derivation Function) peut uniquement être pbkdf2 ou argon2i/argon2id."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Les itérations forcées de PBKDF ne peuvent pas être combinées avec l'option de temps d'itération."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "Impossible de lier une clé de volume à un porte-clé quand le porte-clé est désactivé."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Impossible d'utiliser la description de clé de porte-clé quand le porte-clé est désactivé."
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "L'intégrité en ligne doit être utilisée avec l'option --integrity."
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Les options --keyslot-cipher et --keyslot-key-size doivent être utilisées ensembles."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Aucune action réalisée. Invoqué avec l'option --test-args.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr "Impossible de désactiver le verrouillage des métadonnées."
 
@@ -3070,72 +3190,72 @@ msgstr "Impossible de créer le fichier de hachage racine %s en écriture."
 msgid "Cannot write to root hash file %s."
 msgstr "Impossible d'écrire dans le fichier de hachage racine %s."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Le périphérique %s n'est pas un périphérique VERITY valable."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Impossible de lire le fichier de hachage racine %s."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Fichier de hachage racine %s invalide."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "Chaîne de hachage racine invalide."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Fichier de signature %s invalide."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Impossible de lire le fichier de signature %s."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "La commande exige <hachage_racine> ou l'option --root-hash-file comme argument."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<périph_données> <périph_hachage>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "formater le périphérique"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<périph_données> <périph_hachage> [<hachage_racine>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "vérifier le périphérique"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<périph_données> <nom> <périph_hachage> [<hachage_racine>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "afficher le statut du périphérique actif"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<périph_hachage>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "afficher les informations sur le disque"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3150,7 +3270,7 @@ msgstr ""
 "<périph_hachage> est le périphérique contenant les données de vérification\n"
 "<hachage_racine> hachage du nœud racine sur <périph_hachage>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3161,15 +3281,19 @@ msgstr ""
 "Paramètres compilés par défaut dans dm-verity :\n"
 "\tHachage: %s, Bloc données (octets): %u, Bloc hachage (octets): %u, Taille aléa: %u, Format hachage: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Les options --ignore-corruption et --restart-on-corruption ne peuvent être utilisées ensembles."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Les options --panic-on-corruption et --restart-on-corruption ne peuvent être utilisées ensembles."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "L'option --error-as-corruption doit être utilisée avec --panic-on-corruption ou --restart-on-corruption."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3178,29 +3302,33 @@ msgstr ""
 "Ceci écrasera les données sur %s et %s de manière irrévocable.\n"
 "Pour préserver le périphérique de données, utilisez l'option --no-wipe (et ensuite activez-le avec --integrity-recalculate)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Formaté avec une taille de balise de %u, intégrité interne %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Formaté avec une taille de balise de %u%s, intégrité interne %s.\n"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (étiquettes HW en ligne)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Définir le fanion pour le recalcul n'est pas supporté, envisagez plutôt d'utiliser --wipe."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Le périphérique %s n'est pas un périphérique INTEGRITY valable."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<périph_intégrité>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<périph_intégrigé> <nom>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3211,7 +3339,7 @@ msgstr ""
 "<nom> est le périphérique à créer sous %s\n"
 "<périph_intégrité> est le périphérique contenant les données avec les balises d'intégrité\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3224,43 +3352,51 @@ msgstr ""
 "\tAlgorithme de somme de contrôle : %s\n"
 "\tTaille maximale du fichier de clé : %dko\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "La taille --%s n'est pas valide. Le maximum est %u octets."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Les options du fichier de clé et de la taille de la clé doivent être spécifiées toutes les deux."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Les options du fichier de clé de l'intégrité du journal et de la taille de la clé doivent être spécifiées toutes les deux."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "L'algorithme d'intégrité du journal doit être spécifié si la clé d'intégrité du journal est utilisée."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Les options du fichier de clé de chiffrement du journal et de la taille de la clé doivent être spécifiées toutes les deux."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "L'algorithme de chiffrement du journal doit être spécifié si la clé de chiffrement du journal est utilisée."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Les options de mode récupération et champ de bits sont mutuellement exclusives."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Les options de journal ne peuvent pas être utilisées en mode champ de bits."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Les options de champ de bits peuvent uniquement être utilisées en mode champ de bits."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Le mode en ligne ne peut pas être combiné avec les options de journal ou de carte de bits."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Le mode en ligne ne peut pas être combiné avec un périphérique qui a des données séparées."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3408,6 +3544,14 @@ msgstr "Impossible d'ouvrir le fichier de clé %s en écriture."
 msgid "Cannot write to keyfile %s."
 msgstr "Impossible d'écrire dans le fichier de clé %s."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Le nom est trop long."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Le nom ne peut pas contenir le caractère « / »."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3469,37 +3613,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Échec de la vérification de la qualité du mot de passe : Mauvais mot de passe (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "La lecture s'est arrêtée à la longueur d'entrée interactive maximale, le mot de passe pourrait être tronqué."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Erreur de lecture de la phrase secrète depuis la console."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Vérifiez la phrase secrète : "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Les phrases secrètes ne sont pas identiques."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Le décalage n'est pas possible si l'entrée provient de la console."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Saisissez la phrase secrète : "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Saisissez la phrase secrète pour %s : "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "Aucune clé disponible avec cette phrase secrète."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Aucun emplacement de clé utilisable est disponible."
 
@@ -3507,20 +3655,20 @@ msgstr "Aucun emplacement de clé utilisable est disponible."
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Impossible de vérifier une phrase secrète non saisie sur une console."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Impossible d'ouvrir le fichier %s en lecture seule."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Fournissez le jeton LUKS valide au format JSON:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "Impossible de lire le fichier JSON."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3528,12 +3676,12 @@ msgstr ""
 "\n"
 "Lecture interrompue."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Impossible d'ouvrir le fichier %s en écriture seule."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3541,26 +3689,26 @@ msgstr ""
 "\n"
 "Écriture interrompue."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "Erreur lors de l'écriture du fichier JSON."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Périphérique dm actif auto-détecté « %s » pour le périphérique de données %s.\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Échec de l'auto-détection des containers du périphérique %s."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Le périphérique %s n'est pas un périphérique blocs.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3573,7 +3721,7 @@ msgstr ""
 "Les données pourraient être corrompues si le périphérique est réellement activé.\n"
 "Pour exécuter le rechiffrement en mode en ligne, utilisez le paramètre --active-name.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3582,45 +3730,49 @@ msgstr ""
 "Le périphérique %s n'est pas un périphérique bloc. Impossible de détecter s'il est actif ou non.\n"
 "Utilisez --force-offline-reencrypt pour passer outre la vérification et exécuter en mode hors-ligne (dangereux !)."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "L'option --resilience demandée ne peut pas être appliquée à l'opération de rechiffrement courante."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Le périphérique n'est pas en cour de chiffrement LUKS2. Option --encrypt conflictuelle."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Le périphérique n'est pas en cours de déchiffrement LUKS2. Option --decrypt conflictuelle."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Le périphérique est en cours de rechiffrement en utilisant la résilience datashift. L'option --resilience demandée ne peut pas être appliquée."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Impossible de déterminer la taille de la clé de volume pour LUKS sans emplacement de clé, veuillez utiliser l'option --new-key-size."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Le périphérique requiert une récupération de rechiffrement. Exécuter d'abord une réparation."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Le périphérique %s est déjà en cours de rechiffrement LUKS2. Voulez-vous redémarrer l'opération précédemment initialisée ?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Le rechiffrement LUKS2 historique n'est plus supporté."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "Impossible de rechiffrer un périphérique LUKS2 configuré pour utiliser OPAL."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Le rechiffrement d'un périphérique avec un profil d'intégrité n'est pas supporté."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3629,103 +3781,110 @@ msgstr ""
 "La taille de secteur demandée avec --sector-size %<PRIu32> est incompatible avec le superbloc %s\n"
 "(taille de bloc : %<PRIu32> octets) détecté sur le périphérique %s."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Le chiffrement sans en-tête détaché (--header) n'est pas possible sans une réduction de la taille du périphérique de données (--reduce-device-size)"
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Le décalage de données demandé doit être inférieur ou égal à la moitié du paramètre --reduce-device-size."
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Ajustement de la valeur de --reduce-device-size à deux fois --offset %<PRIu64> (secteurs).\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Le fichier temporaire d'en-tête %s existe déjà. Abandon."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Impossible de créer le fichier temporaire d'en-tête %s."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "La taille des métadonnées LUKS2 est plus grande que la valeur de décalage des données."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Impossible de placer le nouvel en-tête au début du périphérique %s."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s est maintenant actif et prêt pour un chiffrement en ligne.\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Le périphérique actif %s n'est pas LUKS2."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Restauration de l'en-tête LUKS2 original."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Échec de la restauration de l'en-tête LUKS2 original."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Le fichier d'en-tête %s n'existe pas. Voulez-vous initialiser le déchiffrement LUKS2 du périphérique %s et exporter l'en-tête LUKS2 dans le fichier %s ?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Échec de l'ajout des permissions lecture/écriture pour exporter le fichier d'en-tête."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "L'initialisation du rechiffrement a échoué. La sauvegarde de l'en-tête est disponible dans %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "Le déchiffrement LUKS2 est uniquement supporté avec un périphérique à l'en-tête détaché (avec l'offset de données défini à 0)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Aucun jeton n'a pu déverrouiller ce périphérique."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "Pas assez d'emplacements de clés libres pour le rechiffrement."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Le fichier de clé ou le porte clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Entrez la phrase secrète pour l'emplacement de clé %d : "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Basculement de l'algorithme de chiffrement de données vers %s.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Utilise --force-no-keyslots pour rechiffrer le périphérique avec les emplacements de clé actifs en passant directement les clés du volume."
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "L'option --new-volume-key-file doit être appariée avec --new-key-size"
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Aucun paramètre de segment de donnée changé. Rechiffrement abandonné."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3733,8 +3892,8 @@ msgstr ""
 "L'augmentation de la taille du secteur de chiffrement n'est pas supportée sur un périphérique hors-ligne.\n"
 "Activez d'abord le périphérique ou utilisez l'option --force-offline-reencrypt (dangereux !)."
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3742,67 +3901,67 @@ msgstr ""
 "\n"
 "Rechiffrement interrompu."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Redémarrage du rechiffrement LUKS en mode hors-ligne forcé.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Le périphérique %s contient des métadonnées LUKS endommagées. L'opération est abandonnée."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Le périphérique %s est déjà un périphérique LUKS. L'opération est abandonnée."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Le périphérique %s est déjà en cours de rechiffrement LUKS. L'opération est abandonnée."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr "Le déchiffrement LUKS2 requiert l'option --header."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr "La commande exige un périphérique comme argument."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Versions conflictuelles. Le périphérique %s est LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Versions conflictuelles. Le périphérique %s est en cours de rechiffrement LUKS1."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Versions conflictuelle. Le périphérique %s est LUKS2"
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Versions conflictuelles. Le périphérique %s est en cours de rechiffrement LUKS2."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Rechiffrement LUKS2 déjà initialisé. Abandon de l'opération."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr "Le rechiffrement du périphérique n'est pas en cours."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Impossible d'ouvrir exclusivement %s : périphérique utilisé."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "La réservation de la mémoire alignée a échoué."
 
@@ -3825,11 +3984,11 @@ msgstr "Impossible d'écrire le périphérique %s."
 msgid "Cannot write reencryption log file."
 msgstr "Impossible d'écrire le journal de re-chiffrement."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Impossible de lire le journal de re-chiffrement."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Format de journal incorrect."
 
@@ -3838,130 +3997,134 @@ msgstr "Format de journal incorrect."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Fichier journal %s existe. Reprise du re-chiffrement.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Activation du périphérique temporaire en utilisant l'ancien en-tête LUKS."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Activation du périphérique temporaire un utilisant le nouvel en-tête LUKS."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Échec de l'activation des périphériques temporaires."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Impossible de définir les offsets des données."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Impossible de définir la taille des métadonnées."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Nouvel en-tête LUKS créé pour le périphérique %s."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Sauvegarde de l'en-tête %s du périphérique %s créée."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "La création de la sauvegarde des en-têtes LUKS a échoué."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Impossible de rétablir l'en-tête %s sur le périphérique %s."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "En-tête %s rétabli sur le périphérique %s."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Impossible d'ouvrir le périphérique LUKS temporaire."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Impossible d'obtenir la taille du périphérique."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "Erreur E/S pendant le re-chiffrement."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "Le UUID fourni est invalide."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Impossible d'ouvrir le journal de re-chiffrement."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Pas de déchiffrement en cours. Le UUID fourni ne peut être utilisé que pour reprendre un déchiffrement suspendu."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Le re-chiffrement va changer : %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "clé de volume"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "change hachage en "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", change chiffrement en "
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "ATTENTION: Le périphérique %s contient déjà une signature pour une partition « %s ».\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "ATTENTION: Le périphérique %s contient déjà une signature pour un superblock « %s ».\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Impossible d'initialiser les sondes de la signature du périphérique."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Impossible d'exécuter « stat » sur le périphérique %s."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Impossible d'ouvrir le fichier %s en mode lecture/écriture."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "La signature de partition « %s » existante sur le périphérique %s sera effacée."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "La signature de superbloc « %s » existante sur le périphérique %s sera effacée."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "Impossible d'effacer la signature du périphérique."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Impossible de sonder le périphérique %s pour une signature."
@@ -3976,6 +4139,50 @@ msgstr "La spécification de taille est invalide dans le paramètre --%s."
 msgid "Option --%s is not allowed with %s action."
 msgstr "L'option --%s n'est pas permise avec l'action %s."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "La spécification de type dans la spécification du porte-clé --link-vk-to-keyring est ignorée."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Les types de clés doivent être les même pour les deux clés de volume."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Les deux clés de volume doivent être liée au même porte-clé"
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Vous devez fournir plus de noms de clés."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Valeur invalide pour --link-vk-to-keyring."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Les données binaires de l'emplacement de clé %d pourraient être corrompues.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Offset soupçonné: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Les offsets suivants soupçonnés sont supprimés.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "L'emplacement de clé %d ne peut pas être lu depuis le périphérique."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Vous pouvez utiliser hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" pour inspecter les données.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Erreur lors de l'écriture du json du jeton ssh."
@@ -4143,6 +4350,37 @@ msgstr "La méthode d'authentification par clé publique n'est pas permise sur l
 msgid "Public key authentication error: "
 msgstr "Erreur durant l'authentification par clé publique : "
 
+#~ msgid "Activation of BITLK device with clear key protection is not supported."
+#~ msgstr "L'activation d'un périphérique BITLK avec une protection par une clé en clair n'est pas supporté."
+
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Impossible de lier les clés de volume dans le porte-clé utilisateur."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Impossible de délier la clé de volume du thread du porte-clé."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "L'activation d'un périphérique BITLK partiellement déchiffré n'est pas supporté."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Échec lors de la lecture des exigences LUKS2."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Attention : l'opération sur l'emplacement de clé peut échouer car il requiert plus de mémoire disponible.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Impossible d'obtenir l'état de rechiffrement."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Échec lors de la lecture du mot de passe depuis le porte-clé."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Les options --reduce-device-size et --device-size ne peuvent pas être combinées."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : "
+
 #~ msgid "compiled-in"
 #~ msgstr "intégré dans la compilation"
 
@@ -4221,9 +4459,6 @@ msgstr "Erreur durant l'authentification par clé publique : "
 #~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 #~ msgstr "L'option --keep-key ne peut être utilisée que avec --hash, --iter-time ou --pbkdf-force-iterations²."
 
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "L'option --new ne peut pas être utilisée avec --decrypt."
-
 #~ msgid "Option --decrypt is incompatible with specified parameters."
 #~ msgstr "L'option --decrypt est incompatible avec les paramètres spécifiés."
 
@@ -4314,9 +4549,6 @@ msgstr "Erreur durant l'authentification par clé publique : "
 #~ msgid "Progress line update (in seconds)"
 #~ msgstr "Mise à jour de la ligne de progression (en secondes)"
 
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Nombre de tentatives possibles pour entrer la phrase secrète"
-
 #~ msgid "Align payload at <n> sector boundaries - for luksFormat"
 #~ msgstr "Utiliser une limite de <n> secteurs pour aligner les données – pour luksFormat"
 
@@ -4768,9 +5000,6 @@ msgstr "Erreur durant l'authentification par clé publique : "
 #~ msgid "Invalid size parameters for verity device."
 #~ msgstr "Mauvais paramètres de taille pour le périphérique verity."
 
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "L'algorithme d'intégrité doit être spécifié si la clé d'intégrité est utilisée."
-
 #~ msgid "Wrong key size."
 #~ msgstr "Mauvaise taille de clé."
 
diff --git a/po/ja.po b/po/ja.po
index 719a302..30f4fa0 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -1,14 +1,14 @@
 # Japanese messages for cryptsetup.
 # Copyright (C) 2019, 2020 Free Software Foundation, Inc.
-# This file is put in the public domain, to the extent permitted under applicable law.
-# Hiroshi Takekawa <sian@big.or.jp>, <sian.ht@gmail.com>, 2019, 2020, 2021, 2022, 2023, 2024
+# This file is distributed under the same license as the cryptsetup package.
+# Hiroshi Takekawa <sian@big.or.jp>, <sian.ht@gmail.com>, 2019, 2020, 2021, 2022, 2023, 2024, 2025
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-08 11:26+0900\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-13 21:11+0900\n"
 "Last-Translator: Hiroshi Takekawa <sian@big.or.jp>\n"
 "Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
 "Language: ja\n"
@@ -17,70 +17,78 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "device-mapper を初期化できません、non-root で実行します。"
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "device-mapper を初期化できません。dm_mod モジュールはロードされてますか？"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "指定された延期フラグはサポートされていません。"
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "デバイス %s の DM-UUID は短縮されています。"
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "不明な dm target タイプです。"
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "指定された dm-crypt パフォーマンスオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "指定された dm-verity のデータ破壊時の対応についてのオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "指定された dm-verity のタスクレットオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "指定された dm-verity の誤り訂正(FEC)オプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
-msgstr "指定されたデータの無改ざん確認のオプションはサポートされていません。"
+msgstr "指定されたデータの整合性のオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "指定された sector_size オプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。"
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "指定された integrity_key_size オプションはサポートされていません。"
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "指定された改ざん確認タグの自動再計算はサポートされていません。"
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM はサポートしていません。"
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "要求された dm-integrity のビットマップモードはサポートされていません。"
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "要求された dm-integrity のインラインモードはサポートされていません。"
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "dm-%s のクエリーに失敗しました。"
@@ -114,747 +122,777 @@ msgstr "不明な RNG(乱数生成器) の質(quality)が要求されました
 msgid "Error reading from RNG."
 msgstr "RNG(乱数生成器)から読み込み中にエラー。"
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "OPAL サポートは libcryptsetup で無効化されています。"
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "デバイス %s かカーネルが OPAL 暗号化をサポートしていません。"
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "暗号向けRNG(乱数生成器)バックエンドの初期化ができません。"
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "暗号バックエンドの初期化ができません。"
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "ハッシュアルゴリズム %s がサポートされていません。"
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "鍵の処理でエラー (ハッシュ %s を使用)。"
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "デバイスタイプがわかりません。互換性のないデバイスのアクティベーションをしようとしていませんか？"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr "この操作は LUKS デバイスでしかサポートされていません。"
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "この操作は LUKS2 デバイスでしかサポートされていません。"
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr "キースロットがいっぱいです。"
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "キースロット %d は不正です。0 から %d の間を選んでください。"
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "キースロット %d は使われています。別の番号を選んでください。"
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr "デバイスサイズが論理ブロックサイズのアライメントに合いません。"
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "ヘッダが検出されましたがデバイス %s が小さすぎます。"
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr "この操作はこのデバイスタイプではサポートされていません。"
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "オフラインでの再暗号化中です。中止します。"
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "メモリ上の LUKS2 メタデータのロールバックに失敗しました。"
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "デバイス %s は有効な LUKS デバイスではありません。"
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "LUKS バージョン %d はサポートされていません。"
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "アクティブなデバイス %s に既知の暗号スペックパターンが検出されませんでした。"
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr "デバイス %s はアクティブではありません。"
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "暗号化されたデバイス %s の元になるデバイスが消滅しました。"
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "不正な plain crypt のパラメータ。"
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "不正なキーサイズ。"
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID はこの暗号タイプではサポートされていません。"
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "分離したメタデータデバイスはこの暗号タイプではサポートされていません。"
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr "サポートされていない暗号化セクタサイズです。"
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。"
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "デバイスなしには LUKS 形式にフォーマットできません。"
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Zonedy デバイス %s は LUKS ヘッダに使えません。"
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "要求されたデータアライメントとデータオフセットが合いません。"
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "警告: DAX デバイスはアトミックなセクタ更新を保証しないためデータが壊れることがあります。\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "デバイス %s のヘッダを消し去れません。"
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "デバイス %s はアクティベートするのに小さすぎます。データ用のスペースがありません。\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
-msgstr "ボリュームキーは改ざん耐性拡張のため暗号には鍵長が小さすぎます。"
+msgstr "ボリュームキーは整合性拡張のため暗号には鍵長が小さすぎます。"
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "整合性キーのサイズが小さすぎます。"
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "暗号 %s-%s (キーサイズ %zd ビット) は利用できません。"
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "警告: デバイスアクティベーションが失敗しました。dm-crypt が要求された暗号セクタサイズをサポートしていません。\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr "デバイス %s のサイズが小さすぎます。"
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "デバイス %s は使用中のためフォーマットできません。"
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "デバイス %s は権限がないためフォーマットできません。"
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
-msgstr "デバイス %s を改ざん耐性がつくようフォーマットできません。"
+msgstr "デバイス %s を整合性確認ができるようフォーマットできません。"
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "デバイス %s をフォーマットできません。"
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "OPAL アライメントパラメータを取得できません。"
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "OPAL 論理ブロックサイズがおかしいです。"
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "OPAL 論理ブロックサイズがデバイスブロックサイズと違っておかしいです。"
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "要求されたデータオフセットが OPAL ブロックサイズと互換性がありません。"
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "要求されたデータアライメントが OPAL アライメントと互換性がありません。"
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "データオフセットが OPAL アライメント制約を満たしていません。"
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "要求されたデータアライメントはロックレンジアライメントに対する要求を満たしません。"
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "OPAL のアライメント粒度に合わせるためにデバイスサイズが %<PRIu64> セクタ少なくなります。"
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "デバイス %s の OPAL ロックを取得できませんでした。"
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "OPAL 管理者キーが正しくありません。"
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "OPAL セグメントを設定できません。"
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "デバイス %s をフォーマットできません。OPAL デバイスは完全に書き込み禁止になっているようです。"
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "おそらくファームウェアのバグです。OPAL PSID リセットをして復旧のために再接続してください。"
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "ロックレンジ %d のリセットをデバイス %s に試みましたが失敗しました。"
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "LOOPAES としてフォーマットするにはデバイスが必要です。"
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "VERITY としてフォーマットするにはデバイスが必要です。"
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "VERITY ハッシュタイプ %d はサポートしていません。"
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "サポートしていない VERITY ブロックサイズです。"
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "サポートしていない VERITY ハッシュオフセットです。"
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "サポートしていない VERITY FEC オフセットです。"
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "データ領域がハッシュ領域と重なっています。"
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "ハッシュ領域が FEC 領域と重なっています。"
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "データ領域が FEC 領域と重なっています。"
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "整合性キーのサイズが一致しません。"
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "警告: 指定されたタグのサイズ %d バイトが %s の出力サイズと異なります (%d バイト)。\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "不明な暗号デバイスタイプ %s が指定されました。"
+msgid "Unknown or unsupported device type %s requested."
+msgstr "不明もしくはサポートされていないデバイスタイプ %s が指定されました。"
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "デバイス %s はインライン整合性データフィールドを提供しません。"
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "インラインタグサイズ %<PRIu32> [bytes] が %<PRIu32> (デバイス %s より取得)より大きいです。"
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "セクタはデバイスハードウェアセクタ (%zu bytes) と同じでなければなりません。"
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "デバイス %s のパラメータはサポートしていません。"
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "デバイス %s のパラメータがミスマッチしています。"
 
-#: lib/setup.c:3457
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr "Crypt デバイスが一致しません。"
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "デバイス %s のリロードに失敗しました。"
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "デバイス %s のサスペンドに失敗しました。"
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "デバイス %s のリジュームに失敗しました。"
 
-#: lib/setup.c:3532
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "デバイス %s のリロード中に致命的なエラー(デバイス %s の上で)。"
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "デバイス %s を dm-error にスイッチできません。"
 
-#: lib/setup.c:3577
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr "静的サイズの LUKS2 デバイスはリサイズできません。"
 
-#: lib/setup.c:3622
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "整合性プロテクションつきのLUKS2デバイスのリサイズはサポートされていません。"
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr "ループデバイスはリサイズできません。"
 
-#: lib/setup.c:3666
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "警告: 最大サイズが既に設定済かカーネルがリサイズをサポートしていません。\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "リサイズに失敗しました。カーネルがサポートしていません。"
 
-#: lib/setup.c:3764
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr "デバイスの UUID を本当に変更してもいいですか？"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "ヘッダのバックアップファイルの中味が LUKS ヘッダと互換性がありません。"
 
-#: lib/setup.c:3966
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr "ボリューム %s はアクティブではありません。"
 
-#: lib/setup.c:4032
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "ボリューム %s は既に停止されています。"
 
-#: lib/setup.c:4060
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "デバイス %s の停止はサポートされていません。"
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "デバイス %s 停止中にエラー。"
 
-#: lib/setup.c:4084
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "デバイス %s は停止されましたが、ハードウェア OPAL デバイスはロックできません。"
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "デバイス %s は再開をサポートしていません。"
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "デバイス %s の再開中にエラー。"
 
-#: lib/setup.c:4137
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "ボリュームキーを指定されたキーリングからアンリンクできません。"
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr "ボリュームキーを指定されたキーリングにリンクできません。"
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "ボリューム %s は停止されていません。"
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr "ボリュームキーがボリュームに合いません。"
 
-#: lib/setup.c:4608
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr "新しいキースロットを交換できませんでした。"
 
-#: lib/setup.c:4706
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "キースロット %d は不正です。"
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "キースロット %d は非アクティブです。"
 
-#: lib/setup.c:4731
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr "デバイスヘッダがデータ領域に重なっています。"
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "既に再暗号化中です。デバイスをアクティベートできません。"
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr "再暗号化ロックを取得できません。"
 
-#: lib/setup.c:5098
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "ボリュームキーを使った LUKS2 の再暗号化のリカバリに失敗しました。"
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "ボリュームキーをユーザが定義したキーリングにリンクできません。"
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "LUKS2 の再暗号化は既に初期化されました。"
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "デバイスタイプが正しく初期化されていません。"
-
-#: lib/setup.c:5503
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr "デバイス %s は既に存在します。"
 
-#: lib/setup.c:5510
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "デバイス %s を使えません。名前が不正か使用中です。"
 
-#: lib/setup.c:5528
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "再暗号化ボリュームキーがボリュームに合いません。"
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr "正しくないボリュームキーがプレーンデバイスに指定されました。"
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "再暗号化ボリュームキーがボリュームに合いません。"
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "デバイスタイプが正しく初期化されていません。"
 
-#: lib/setup.c:5655
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "カーネルがカーネルキーリングをサポートしていません。"
 
-#: lib/setup.c:5659
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "署名をカーネルに渡すのに必要なカーネルキーリングをカーネルがサポートしていません。"
 
-#: lib/setup.c:5917
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "キーリングキー %s が使えません。"
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr "正しくないルートハッシュが verity デバイスに指定されました。"
 
-#: lib/setup.c:5960
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr "OPAL は遅延デアクティベーションをサポートしていません。"
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "デバイス %s からの遅延削除をキャンセルできませんでした。"
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "デバイス %s は使用中です。"
 
-#: lib/setup.c:6008
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "デバイス %s からの遅延削除をキャンセルできませんでした。"
+
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr "デバイス %s は不正です。"
 
-#: lib/setup.c:6148
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr "ボリュームキーのバッファが小さすぎます。"
 
-#: lib/setup.c:6165
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "LUKS2 デバイス向けのボリュームキーが取得できません。"
 
-#: lib/setup.c:6174
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "LUKS1 デバイス向けのボリュームキーが取得できません。"
 
-#: lib/setup.c:6184
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr "プレーンデバイス向けのボリュームキーが取得できません。"
 
-#: lib/setup.c:6192
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr "verity デバイスのルートハッシュが読み出せません。"
 
-#: lib/setup.c:6199
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "BITLK デバイス向けのボリュームキーが取得できません。"
 
-#: lib/setup.c:6204
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "FVAULT2 デバイス向けのボリュームキーが取得できません。"
 
-#: lib/setup.c:6206
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "この操作は %s 暗号化デバイスではサポートされていません。"
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr "このデバイスタイプはダンプ操作をサポートしていません。"
 
-#: lib/setup.c:6760
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "データオフセットが %u バイトの倍数である必要があります。"
 
-#: lib/setup.c:7068
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "使用中のデバイス %s を変換できません。"
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "新しいボリュームキー向けのキースロット %u を確保できません。"
 
-#: lib/setup.c:7390
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "デフォルト LUKS2 キースロットパラメータを初期化できません。"
 
-#: lib/setup.c:7396
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "ダイジェストするためのキースロット %d が確保できません。"
 
-#: lib/setup.c:7621
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "キースロットを追加できません。全てのスロットが無効でボリュームキーが渡されませんでした。"
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "キーをカーネルキーリングにロードできません。"
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "ボリュームキーをスレッドキーリングからアンリンクできません。"
-
-#: lib/setup.c:7852
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "キーリング \"%s\" が見つかりませんでした。"
 
-#: lib/setup.c:7917
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "グローバル memory-hard アクセス直列化ロックが取れません。"
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "キーファイルがオープンできません。"
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "ターミナルからキーファイルを読みこめません。"
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "キーファイルを stat() できません。"
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "指定されたキーファイルオフセットにシークできません。"
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "パスフレーズ読み込み中にメモリが不足しました。"
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "パスフレーズの読み込みでエラー。"
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "読もうとしたら入力が空です。"
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "キーファイルが最大サイズを超えています。"
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "指定されたサイズのデータを読み込めません。"
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "デバイス %s は存在しないかアクセスが拒否されました。"
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "デバイス %s は互換性がありません。"
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "データデバイスのおかしな(bogus) optimal-io サイズ (%u バイト) は無視します。"
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "デバイス %s が小さすぎます。少なくとも %<PRIu64> バイト必要です。"
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "デバイス %s は使用中で使えません (既にマップされているかマウントされています)。"
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "デバイス %s が使えません、拒否されました。"
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "デバイス %s についての情報が取得できません。"
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "ループバックデバイスが使えません、非 root ユーザで実行していませんか。"
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "ループデバイスのアタッチできません (autoclear 付きのループデバイスが必要です)。"
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "指定されたオフセットはデバイス %s の実際のサイズを超えています。"
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "デバイス %s のサイズが 0 です。"
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "要求された PBKDF の目標時間は 0 ではいけません。"
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "%s は不明な PBKDF タイプです。"
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "要求されたハッシュ %s はサポートしていません。"
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "要求された PBKDF タイプは LUKS1 ではサポートされていません。"
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "PBKDF の max memory や parallel threads は pbkdf2 の時は設定できません。"
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "%s について強制される最小繰り返し回数が小さすぎます (最小 %u)。"
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "%s について強制されるメモリコストが小さすぎます (最小 %u KB)。"
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "指定された PBKDF メモリコストが大きすぎます (最大 %d KB)。"
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "指定された最大 PBKDF メモリコストが大きすぎます (整数の最大値による制限)。"
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "PBKDF メモリは 0 ではいけません。"
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "指定された PBKDF 並列コストが大きすぎます (最大 %d)。"
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "要求された PBKDF 並列スレッド数は 0 ではいけません。"
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "FIPS モードでは PBKDF2 しかサポートしていません。"
 
@@ -881,25 +919,25 @@ msgstr "ロックを中止します。ロックに使うパス %s/%s が使用
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "ロックを中止します。ロックに使うパス %s/%s が使用できません (%s はディレクトリではありません)。"
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "デバイスオフセットまで seek できません。"
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "デバイスのワイプでエラー, オフセット %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "OPAL PSID が正しくありません。"
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "OPAL デバイス を削除できません。"
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -908,47 +946,47 @@ msgstr ""
 "デバイス %s の dm-crypt のキーマッピングの設定に失敗しました。\n"
 "カーネルが暗号 %s をサポートしているか確認してください (syslog にさらに情報があります)。"
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "XTS モードのキーサイズは 256 か 512 ビットでなければなりません。"
 
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "暗号の指定は [暗号]-[モード]-[初期ベクタ] という形式であるべきです。"
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "デバイス %s に書き込めません。パーミッションがありません。"
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr "一時的なキーストアデバイスを開けません。"
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr "一時的なキーストアデバイスにアクセスできません。"
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "キースロットを暗号化中にI/Oエラーが発生しました。"
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "デバイス %s を開けません。"
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "キースロットを復号化中にI/Oエラーが発生しました。"
 
@@ -964,32 +1002,32 @@ msgstr "デバイス %s が小さすぎます。(LUKS1 は最低でも %<PRIu64>
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS キースロット %u は不正です。"
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "要求されたヘッダバックアップファイル %s は既に存在しています。"
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "ヘッダバックアップファイル %s が作成できません。"
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "ヘッダバックアップファイル %s に書き込めません。"
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr "バックアップファイルが有効な LUKS ヘッダを含んでいません。"
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "ヘッダバックアップファイル %s をオープンできません。"
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "ヘッダバックアップファイル %s を読めません。"
@@ -1011,7 +1049,7 @@ msgstr "LUKS ヘッダが含まれていません。ヘッダを置き換える
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "LUKS ヘッダを既に含んでいます。ヘッダを置き換えると既にあるキースロットを破壊します。"
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1038,7 +1076,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "暗号ハッシュを小文字に修復しました (%s)。"
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "要求された LUKS ハッシュ %s はサポートしていません。"
@@ -1085,7 +1123,7 @@ msgstr "LUKS 暗号モード %s は不正です。"
 msgid "LUKS hash %s is invalid."
 msgstr "LUKS ハッシュ %s は不正です。"
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr "LUKS ヘッダに既知の不具合は検出されませんでした。"
 
@@ -1099,17 +1137,17 @@ msgstr "デバイス %s の LUKS ヘッダを更新中にエラーが発生し
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "デバイス %s の LUKS ヘッダを更新後の再読み込み中にエラーが発生しました。"
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "LUKS ヘッダのデータへのオフセットは 0 かヘッダサイズより大きくなければいけません。"
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "LUKS UUID の形式が間違っています。"
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "LUKS ヘッダを作成できません: ランダムなソルトを読み込めません。"
 
@@ -1118,48 +1156,48 @@ msgstr "LUKS ヘッダを作成できません: ランダムなソルトを読
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "LUKS ヘッダを作成できません: ヘッダのハッシュが求められません (ハッシュには %s を使用)。"
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "キースロット %d が使用中なので、パージしてください。"
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "キースロット %d のストライプが少なすぎます。ヘッダを細工でもしましたか？"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "PBKDF2 イテレーション回数がオーバーフローしました。"
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "キースロットをオープンできません (ハッシュ %s を使用)。"
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "キースロット %d は不正です。0 から %d の間を選んでください。"
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "デバイス %s をワイプできません。"
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "GPG の暗号化されたキーファイルがまだサポートされていません。"
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "以下のようにしてください。 gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "互換性のない loop-AES キーファイルが検出されました。"
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "カーネルが loop-AES 互換マッピングをサポートしていません。"
 
@@ -1178,168 +1216,197 @@ msgstr "TCRYPT パスフレーズの最大長 (%zu) を超えました。"
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "PBKDF2 ハッシュアルゴリズム %s が利用できないのでスキップします。"
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr "必要なカーネル crypto インターフェースが使用できません。"
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "algif_skcipher カーネルモジュールをロードしてください。"
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "アクティベーションは %d セクタサイズではサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "カーネルが TCRYPT レガシーモードのアクティベーションをサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "TCRYPT システム暗号をパーティション %s に対してアクティベーションしました。"
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "TCRYPT システムパーティションのオフセットがわからないため、全暗号領域をアクティベートします。"
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "TCRYPT システムパーティションのオフセットがわからないため、デバイスをシステムパーティションとしてアクティベートします。"
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "カーネルが TCRYPT 互換のマッピングをサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr "この機能は TCRYPT ヘッダの読み込みなしではサポートしません。"
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "ボリュームマスターキーを解釈中に予期しないメタデータエントリタイプ '%u' が見つかりました。"
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "ボリュームマスターキーを解釈中に不正な文字列が見つかりました。"
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "ボリュームマスターキーを解釈中に予期しない文字列 ('%s') が見つかりました。"
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "ボリュームマスターキーを解釈中に予期しないメタデータエントリー値 '%u' が見つかりました。"
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK version 1 はサポートされていません。"
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "BITLK デバイスのブートシグネチャが不正また不明です。"
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "サポートされていないセクタサイズ %<PRIu16> です。"
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "%s から BITLK ヘッダを読み出すのに失敗しました。"
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "BITLK FVE メタデータコピー #%d の %s からの読み込み、もしくは検証ができませんでした。"
+
+#: lib/bitlk/bitlk.c:603
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "%s から BITLK FVE メタデータを読み込めませんでした。"
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "%s からの BITLK FVE メタデータの読み込み、もしくは検証ができませんでした。"
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "%s からの BITLK FVE メタデータの位置を検証できませんでした。"
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "%s から読み込んでいる最中に BITLK FVE メタデータが変更されました。"
+
+#: lib/bitlk/bitlk.c:628
+#, c-format
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "%s から読み込んだ BITLK FVE メタデータのハッシュに失敗しました。"
+
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "%s からの BITLK FVE 検証メタデータのパースに失敗しました。"
+
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr "不明かサポートされていない暗号化タイプです。"
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
-msgstr "%s から BITLK メタデータエントリを読み込めませんでした。"
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "以前 %s から読み込んだ BITLK メタデータエントリのチェックに失敗しました。"
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr "BITLKボリュームの description を変換できません。"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "外部キーを解釈中に予期しないメタデータエントリタイプ '%u' が見つかりました。"
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "BEK ファイル GUID '%s' がボリュームの GUID と一致しません。"
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "外部キーを解釈中に予期しないメタデータエントリー値 '%u' が見つかりました。"
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "サポートされていない BEK メタデータバージョン %<PRIu32> です。"
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "予期しない BEK メタデータサイズ %<PRIu32> は BEK ファイルサイズと合いません"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "スタートアップキーを解釈中に予期しないメタデータエントリが見つかりました。"
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr "この操作はサポートされていません。"
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr "予期しないキーデータサイズです。"
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "この BITLK デバイスはサポートされてない状態にあるためアクティベートできません。"
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "タイプ '%s' の BITLK デバイスはアクティベートできません。"
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "部分的に復号された BITLK デバイスのアクティベーションはサポートされていません。"
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "警告: BitLocker ボリュームサイズ %<PRIu64> がデバイスサイズ %<PRIu64> と一致しません"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "カーネルの dm-crypt が BITLK IV をサポートしていないためデバイスをアクティベートできません。"
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "カーネルの dm-crypt が BITLK Elephant diffuser をサポートしていないためデバイスをアクティベートできません。"
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "カーネルの dm-crypt がラージセクタサイズをサポートしていないためデバイスをアクティベートできません。"
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "カーネルの dm-zero モジュールがないためデバイスをアクティベートできません。"
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "ボリュームヘッダの %u バイトを読みこめませんでした。"
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "FVAULT2 のバージョン %<PRIu16> はサポートされていません。"
@@ -1376,24 +1443,24 @@ msgstr "ルートハッシュ署名の検証はサポートしていません。
 msgid "Root hash signature required."
 msgstr "ルートハッシュ署名が必要です。"
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "FEC デバイスのエラーが修復できません。"
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "FEC デバイスに %u 個の修復可能なエラーが見つかりました。"
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "カーネルが dm-verity マッピングをサポートしていません。"
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "カーネルが dm-verity 署名オプションをサポートしていません。"
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "アクティベーションされた Verity デバイスが破損が見つかりました。"
 
@@ -1416,23 +1483,23 @@ msgstr "検証がポジション %<PRIu64> で失敗しました。"
 msgid "Hash area overflow."
 msgstr "ハッシュ領域がオーバーフロー。"
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "データ領域の検証に失敗しました。"
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "ルートハッシュの検証に失敗しました。"
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "ハッシュ領域を生成中に I/O エラー。"
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "ハッシュ領域の作成に失敗しました。"
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "警告: カーネルはデータブロックサイズがページサイズ (%u) を超えているとアクティベートできません。"
@@ -1482,34 +1549,38 @@ msgstr "FEC セグメント長が不正です。"
 msgid "Failed to determine size for device %s."
 msgstr "デバイス %s のサイズが不明です。"
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "互換性のないカーネルの dm-integrity のメタデータ (バージョン %u) が %s に検出されました。"
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "カーネルが dm-integrity マッピングをサポートしていません。"
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "カーネルが dm-integrity 固定メタデータアラインメントをサポートしていません。"
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "カーネルが安全でない再計算オプションを拒否しました (レガジーアクティベーションオプションでオーバーライドできます)。"
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "カーネルが dm-integrity インラインモードをサポートしていません。"
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "デバイス %s の書き込みのためのロックを取得できませんでした。"
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "LUKS2 メタデータの更新の並列実行をしそうになりました。実行を中止します。"
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1517,59 +1588,63 @@ msgstr ""
 "デバイスのシグネチャが曖昧なので、LUKS2 の自動修復ができません。.\n"
 "修復するには \"cryptsetup repair\" を実行してください。"
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "警告: キースロット領域 (%<PRIu64> バイト) がとても小さいため、利用可能な LUKS2 キースロット数が制限されます。\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "要求されたデータオフセットが小さすぎます。"
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "警告: LUKS2 メタデータサイズが %<PRIu64> バイトに変更されました。\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "警告: LUKS2 キースロット領域サイズが %<PRIu64> バイトに変更されました。\n"
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "デバイス %s の読み込みのためのロックを取得できませんでした。"
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "ラベルが長すぎます。"
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "禁止された LUKS2 要求がバックアップ %s に検出されました。"
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "データオフセットがデバイスとバックアップと異なるため修復できません。"
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "キースロット領域のあるバイナリヘッダのサイズがデバイスとバックアップで異なるため修復できません。"
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "デバイス %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "LUKS2 ヘッダが含まれていません。ヘッダを置き換えるとデータを破壊しかねません。"
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "既に LUKS2 ヘッダがあります。ヘッダを置き換えると既にあるキースロットを破壊します。"
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1579,7 +1654,7 @@ msgstr ""
 "警告: 不明な LUKS2 への要求がリアルデバイスヘッダにあります！\n"
 "ヘッダをバックアップで置き換えるとデータを破壊する恐れがあります！"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1589,111 +1664,111 @@ msgstr ""
 "警告: オフラインの再暗号化が終了していません！\n"
 "ヘッダを置き換えるとデータを破壊しかねません。"
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "不明なフラグ %s を無視しました。"
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "dm-crypt セグメント %u にキーがありません"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr "dm-crypt セグメントの設定に失敗しました。"
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr "dm-linear セグメントの設定に失敗しました。"
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "LUKS2 ヘッダに既知の暗号スペックパターンを検出できませんでした。"
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr "OPAL デバイスは固定デバイスサイズでなければなりません。"
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
-msgstr "完全性が有効な暗号化 OPAL デバイスはロックレンジより小さくなければなりません。"
+msgstr "整合性が有効な暗号化 OPAL デバイスはロックレンジより小さくなければなりません。"
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr "OPAL デバイスはロックレンジと同じサイズでなければなりません。"
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "OPAL デバイス %s は既にアンロックされています。\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr "サポートしていないデバイス整合性設定です。"
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "dm-integrity デバイスがデータセクタに対して期待通りではありません。"
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "再暗号化が実行中なのでデバイスのデアクティベートできません。. Cannot deactivate device."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "サスペンドされたデバイス %s を dm-error ターゲットで置き換えられません。"
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "デバイス %s はデアクティベートされましたが、ハードウェア OPAL デバイスはロックできません。"
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "LUKS2 の必要条件を読み込めませんでした。"
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
 msgstr "満たせない LUKS2 の必要条件があります。"
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "操作がレガシー再暗号化とマークされたデバイスと互換性がありません。中止します。"
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "操作が LUKS2 再暗号化とマークされたデバイスと互換性がありません。中止します。"
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "操作が OPAL を用いたデバイスと互換性がありません。中止します。"
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "操作がインラインHWタグを用いたデバイスと互換性がありません。中止します。"
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "キースロットをオープンするのにメモリが足りません。"
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "キースロットのオープンに失敗しました。"
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "キースロットの暗号化に %s- %s 暗号は使えません。"
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "キースロットキー派生のためのメモリが足りません。"
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "ハッシュアルゴリズム %s が利用できません。"
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "警告: メモリが不足しているためキースロット操作が失敗する可能性があります。\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr "新しいキースロット用の領域がありません。"
 
@@ -1719,428 +1794,438 @@ msgstr "UUID が %s のデバイスの状態が確認できません。"
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "LUKSMETA メタデータ付きのヘッダは変換できません。"
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "暗号スペック %s-%s は LUKS2 に使えません。"
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "暗号スペック %s-%s は LUKS2 キースロットに使えません。"
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "領域が足りないのでキースロット領域を動かせません。"
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "LUKS2 形式に変換できません - メタデータが不正です。"
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "LUKS2 キースロット領域が足りないのでキースロット領域を動かせません。"
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "キースロット領域を動かせません。"
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "LUKS1 形式に変換できません - デフォルトの暗号セクタサイズが 512 バイトではありません。"
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "LUKS1 形式に変換できません - キースロットのハッシュ関数が LUKS1 互換ではありません。"
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "LUKS1 形式に変換できません - ラップされたキーの暗号に %s が使われています。"
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "LUKS1 形式に変換できません - デバイスが多くのセグメントを使っています。"
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "LUKS1 形式に変換できません - LUKS2 ヘッダ %u 個のトークンを含んでいます。"
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "LUKS1 形式に変換できません - アクティブなキースロットがありません。"
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "LUKS1 形式に変換できません - キースロット %u が不正な状態です。"
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "LUKS1 形式に変換できません - キースロット %u が unbound です。"
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "LUKS1 形式に変換できません - スロット %u が(最大個数を超過して)有効です。"
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "LUKS1 形式に変換できません - キースロット %u が LUKS1 と互換ではありません。"
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "ホットゾーンサイズは計算されたゾーンアライメントの倍数である必要がありす (%zu バイト)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "デバイスサイズが計算ゾーンアライメント (%zu バイト) に合っていません。"
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "古いセグメントのストレージラッパの初期化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "新しいセグメントのストレージラッパの初期化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
 msgstr "ホットゾーン保護の初期化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
 msgstr "現在のホットゾーンのチェックサムを読み込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "%<PRIu64> から始めるホットゾーンエリアを読み込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "セクタ %zu を復号できません。"
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "セクタ %zu を復元できません。"
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "ソースとターゲットデバイスのサイズが一致しません。ソース %<PRIu64>, ターゲット: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "ホットゾーンデバイス %s がアクティベートできません。"
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "ホットゾーンデバイス %s を確保できません。"
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "実際の origin table があるオーバーレイデバイス %s をアクティベートできません。"
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "デバイス %s の新しいマッピングをロードできません。"
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr "再暗号化デバイススタックのリフレッシュに失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr "新しいキースロットエリアサイズを設定できません。"
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "データシフト値が要求された暗号化セクタサイズにアラインされていません(%<PRIu32> バイト)。"
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "耐性(resilience)モード %s はサポートしていません"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "移動されるセグメントサイズはデータシフト値より大きくできません。"
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr "不正な再暗号化耐性パラメータを要求されました。"
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "移動されるセグメントが大きすぎます。要求されているサイズは %<PRIu64> ですが、使えるサイズは %<PRIu64> です。"
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr "テーブルをクリアできません。"
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "データシフト (%<PRIu64> セクタ) が今後のデータオフセットより少ないです (%<PRIu64> セクタ)。"
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
 msgid "Reduced data size is larger than real device size."
 msgstr "小さくしたデータサイズが実際のデバイスサイズより大きいです。"
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "データデバイスが暗号化セクタサイズにアラインされていません(%<PRIu32> バイト)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "データシフト (%<PRIu64> セクタ) が今後のデータオフセットより少ないです (%<PRIu64> セクタ)。"
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "デバイス %s を排他モードでオープンでません (既にマップされているかマウントされています)。"
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "デバイスは LUKS2 再暗号化向けにマークされていません。"
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "LUKS2 再暗号化コンテキストをロードできません。"
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "再暗号化状態を取得できません。"
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr "デバイス %s は再暗号化中ではありません。"
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr "既に再暗号化中です。"
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr "再暗号化ロックを取得できません。"
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "再暗号化を開始できません。再暗号化のリカバリを先にしてください。"
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr "実際のデバイスサイズと要求された再暗号化サイズが一致しません。"
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "再暗号化のパラメータとして不正なデバイスサイズが要求されました。"
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "既に再暗号化中です。復元を実行できません。"
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "LUKS2 の再暗号化は既に初期化されました。"
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "再暗号化デバイススタックの初期化に失敗しました。"
+
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "メタデータの LUKS2 の再暗号化は既に初期化されました。"
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "メタデータの LUKS2 再暗号化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "再暗号化は DAX デバイスではサポートされていません。"
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "キーリングからパスフレーズが読み出せません。"
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "デバイスセグメントの次の再暗号化ホットゾーンの設定に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr "再暗号化した耐性用メタデータを書き込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr "復号に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "%<PRIu64> から始まるホットゾーンエリアに書き込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr "データを sync できません。"
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "現在のホットゾーンの再暗号化完了後にメタデータが更新できません。"
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr "LUKS2 メタデータが書き込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
 msgstr "未使用データデバイス領域を消せません。"
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "未使用のキースロット %d を削除できませんでした。"
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr "再暗号化キースロットが削除できません。"
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "%<PRIu64> から %<PRIu64> セクタのチャンクの再暗号化中に致命的なエラー。"
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr "オンライン再暗号化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "手動でエラーターゲットに置き換えた場合以外はデバイスのレジュームをしないでください。"
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "再暗号化を開始できません。予期しない再暗号化状態です。"
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr "ないか不正な再暗号化コンテキストです。"
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "再暗号化デバイススタックの初期化に失敗しました。"
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr "再暗号化コンテキストが更新できません。"
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "再暗号化メタデータが不正です。"
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "OPAL レンジ %d オフセット %<PRIu64> が期待値 %<PRIu64> と一致しません。"
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "OPAL レンジ %d 長さ %<PRIu64> がデバイス長 %<PRIu64> と一致しません。"
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "OPAL レンジ %d ロックは無効です。"
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "OPAL レンジ %d のロック状態が期待されたものではありません。"
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "キースロットの暗号化パラメータは LUKS2 デバイスでしか設定できません。"
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "トークンPINを入力してください: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "トークン %d PINを入力してください: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "キースロットの暗号化パラメータは LUKS2 キースロット暗号化と互換性がありません。"
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "未知の暗号スペックです。"
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "警告: 古いバージョンと互換性がない可能性がある暗号 (%s-%s, キーサイズ %u ビット) のデフォルトオプションを使用します。"
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "警告: 古いバージョンと互換性がない可能性があるハッシュ (%s) のデフォルトオプションを使用します。"
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "プレインモードでは常に --cipher, --key-size オプションを使い、keyfile も使わない場合は --hash も使用してください。"
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "プレインモードでは常に --cipher, --key-size オプションを使い、keyfile も keyring も使わない場合は --hash も使用してください。"
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "警告: --hash パラメータは plain モードでキーファイルが指定されていると無視されます。\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "警告: --keyfile-size オプションは無視されて、読み込みサイズは暗号鍵のサイズと同じになります。\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "%s の Blkid スキャンが失敗しました。"
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "%s にデバイス署名が検出されました。既にあるデータを破壊しかねません。"
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "中止されました。\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "オプション --key-file が必要です。"
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "VeraCrypt PIM を入力してください: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "不正な PIM: 解釈できません。"
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "不正 PIM の値で 0 です。"
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "不正な PIM の値: 範囲外です。"
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "このパスフレーズではデバイスヘッダが検出されませんでした。"
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "デバイス %s は有効な BITLK デバイスではありません。"
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "BITLK のボリュームキーサイズが決定できないので、--key-size を使ってください。"
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2150,7 +2235,7 @@ msgstr ""
 "暗号化されたパーティションにパスフレーズなしでアクセス可能にます。\n"
 "このダンプは暗号化された安全な所に保存してください。"
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2160,84 +2245,84 @@ msgstr ""
 "暗号化されたパーティションにパスフレーズなしでアクセス可能になります。\n"
 "このダンプは暗号化された安全な所に保存してください。"
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "デバイス %s は有効な FVAULT2 デバイスではありません。"
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "FVAULT2 のボリュームキーサイズが決定できないので、--key-size を使ってください。"
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "デバイス %s はまたアクティブで後から削除される予定になっています。.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "外部トークンパス %s の設定に失敗しました。"
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "アクティブなデバイスをリサイズするにはボリュームキーがキーリングに必要ですが、--disable-keyring が指定されています。"
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr "ベンチマークが中止されました。"
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     計測値なし\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u 回/秒 (%zu ビットの鍵)\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s 計測値なし\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u 回, %5u KB使用, %1u スレッド (%zu のビットの鍵) (%u ms 計測)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr "ベンチマークの結果は信頼できません。"
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# テストはストレージI/Oがなくメモリ上のもののため目安です。\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algorithm |      キー |          暗号化 |           復号化\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "暗号 %s (キーサイズ %i ビット) は利用できません。"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algorithm |      キー |          暗号化 |           復号化\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr "計測値なし"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2245,27 +2330,27 @@ msgstr ""
 "保護されていない LUKS2 再暗号化メタデータが検出されました。再暗号化操作が望ましいものか確認してください。(luksDump の出力を見てください)\n"
 "そのうえで、この操作が問題ないと確認できたら継続(メタデータのアップグレード)してください。"
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "再暗号化メタデータの保護とアップグレードのためのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "本当に LUKS2 再暗号化リカバリを行いますか？"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "再暗号化メタデータダイジェストを検証するためのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "再暗号化のリカバリのためのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr "本当に LUKS デバイスヘッダの復元を試みていいですか？"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2273,7 +2358,7 @@ msgstr ""
 "\n"
 "ワイプが中断されました。"
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2281,156 +2366,167 @@ msgstr ""
 "整合性チェックサムの初期化のためにデバイスのデータを消去しています。\n"
 "CTRL+c で中止できます (初期化されなかったデバイスのチェックサムは正しくなくなります)。\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "一時的デバイス %s を非アクティブにできません。"
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "OPAL hw-only 暗号化は --cipher や --key-size をサポートしないため、無視されました。"
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "整合性オプションは LUKS2 形式でしか使えません。"
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "サポートされていない LUKS2 メタデータのサイズオプションです。"
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "OPAL は LUKS2 フォーマットでしかサポートされていません。"
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "インライン hw タグは LUKS2 フォーマットでしかサポートされていません。"
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr "ヘッダファイルがありません。作成しますか？"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "ヘッダファイル %s を作成できません。"
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
-msgstr "サポートしている整合性確認方式が検出されませんでした。"
+msgstr "サポートしている整合性方式が検出されませんでした。"
+
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "指定されたジャーナル整合性キーのサイズが使えません。"
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "%s を on-disk ヘッダとして使えません。"
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "%s のデータを上書きします。戻せません。"
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr "OPAL 管理者パスワードは空ではいけません。"
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "pbkdf パラメータを設定できません。"
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "--link-vk-to-keyring のキーリングスペックへのタイプ指定は無視されました。"
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "双方のボリュームキーのタイプは同じでなければなりません。"
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "双方のボリュームキーは同じキーリングにリンクされなければなりません。"
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "より多くのキーの名前が必要です。"
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "--link-vk-to-keyring の値が不正です。"
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "分離された LUKS ヘッダでのみ少ないデータオフセットが使えます。"
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "LUKS ファイルコンテナ %s がアクティベートするには小さすぎます。データ用の領域に空きがありません。"
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "キースロットのない LUKS のボリュームキーサイズが決定できないので、--key-size を使ってください。"
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "デバイスには2つのボリュームキーが必要です。"
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "いくつかの指定されたアクティベーションパラメータは OPAL hw-only 暗号化では無視されました。"
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr "デバイスはアクティベートされましたが、フラグを恒常的なものにできません。"
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "キースロット %d は削除対象として選択されました。"
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "これは最後のキースロットです。このキーがなくなるとデバイスは使用不能になります。"
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr "残っているパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "操作は中止されました。キースロットは消去されていません。\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr "削除するキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "デバイス %s は有効な LUKS2 デバイスではありません。"
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr "キースロットの新しいパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "トークンPINを入力してください: "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "トークン %d PINを入力してください: "
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "警告: --key-slot パラメータは新しいキースロット番号に使われます。\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "有効なパスフレーズをどれか入力してください: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr "変更するキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "新しいキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "変換されるキースロットのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "isLuks は一つのデバイス引数しかサポートしていません。"
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "キースロット %d は unbound キーを含んでいません。"
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2438,52 +2534,52 @@ msgstr ""
 "unbound キーを使ったヘッダダンプは取り扱いに注意すべき情報です。\n"
 "このダンプは暗号化された安全な所に保存してください。"
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s はアクティブな %s デバイスではありません。"
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s はアクティブな LUKS デバイス名ではないか、ヘッダがありません。"
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr "オプション --header-backup-file が必要です。"
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s は cryptsetup で管理されているデバイスではありません。"
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "リフレッシュはデバイスタイプ %s ではサポートされていません。"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "%s は認識できないメタデータデータタイプです。"
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr "コマンドはデバイスとマップされた名前を引数として必要とします。"
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr "OPAL PSID を入力してください: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr "OPAL 管理者パスワードを入力してください: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "警告: ディスク「全体」が出荷状態にリセットされ、データは全て消失します！続けますか？"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2492,351 +2588,363 @@ msgstr ""
 "この処理はデバイス %s の全てのキースロットを消去します。\n"
 "デバイスのデータは使用できなくなります。"
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "処理は中止されました。キースロットは消去されません。\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "不正な LUKS タイプです。luks1 と luks2 しかサポートしていません。"
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr "デバイスは既にタイプ %s です。"
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "この処理は %s から %s フォーマットに変換します。\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "処理は中止されました。デバイスは変換されませんでした。\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "オプション --priority, --label か --subsystem がありません。"
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr "トークン %d は不正です。"
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr "トークン %d は使用中です。"
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "luks2-キーリングトークン %d を追加できませんでした。"
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "トークン %d をキースロット %d に割りあてられませんでした。"
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr "トークン %d は使われていません。"
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr "ファイルからトークンをインポートできません。"
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "トークン %d をエクスポートのために取得できませんでした。"
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "トークン %d をキースロット %d に割りあてられませんでした。"
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "トークン %d をキースロット %d の割り当てから解除できませんでした。"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "--tcrypt-hidden と --tcrypt-system と --tcrypt-backup は TCRYPT デバイスしか使えません。"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "--veracrypt や --disable-veracrypt は TCRYPT デバイスでしか使えません。"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "--veracrypt-pim は VeraCrypt 互換デバイスにしか使えません。"
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "--veracrypt-query-pim は VeraCrypt 互換デバイスにしか使えません。"
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "--veracrypt-pim と --veracrypt-query-pim はどちらかしか使えません。"
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "--persistent は --test-passphrase と一緒には使えません。"
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "--refresh と --test-passphrase は同時には使えません。"
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "--shared は plain デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "--skip は plain か loopaes デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "--offset は plain か loopaes デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "--tcrypt-hidden は --allow-discards と一緒に使えません。"
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "オープン時のセクタサイズオプションは plain デバイスでしかサポートされていません。"
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "大きな IV セクタオプションは plain タイプでセクタサイズが 512 バイトより大きいものをオープンする時しかサポートしていません。"
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "--test-passphrase は LUKS か TCRYPT か BITLK か FVAULT2 デバイスの open にしか使えません。."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr "--device-size と --size は一緒に使えません。"
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "オプション --unbound は luks デバイスの open にしか使えません。"
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "オプション --unbound は --test-passphrase がないと使えません。"
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "--volume-key-keyring オプションは --hash や --volume-key-file と一緒には使えません。"
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "--volume-key-file オプションは対応する --key-size オプションとペアになる必要があります。"
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "オプション --cancel-deferred と --deferred は同時に使えません。"
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "オプション --reduce-device-size と --device-size は一緒に使えません。"
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "オプション --active-nameは LUKS2 デバイスでしか設定できません。"
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "オプション --active-name と --force-offline-reencrypt は一緒に使えません。"
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "--new-volume-key-file オプションと --keep-key は一緒に使えません。"
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "--new-volume-key-keyring オプションと --keep-key は一緒に使えません。"
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr "キースロットの指定が必要です。"
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "--align-payload と --offset は一緒に使えません。"
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
-msgstr "--integrity-no-wipe は format で integrity extension 付きの時しか使えません。"
+msgstr "--integrity-no-wipe は format で整合性拡張付きの時しか使えません。"
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "--use-[u]random は一つしか使えません。"
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr "--unbound にはキーサイズが必要です。"
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr "不正なトークンアクションです。"
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "--key-description はトークン追加には必須です。"
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "トークンを必要としています。--token-id を使用してください。"
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr "オプション --unbound はトークンの追加にしか使えません。"
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "--key-slot と --unbound は一緒に使えません。"
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "特定のキースロットを必要としています。--key-slot を使用してください。"
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<デバイス> [--type <タイプ>] [<名前>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "デバイスを <名前> としてオープン"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<名前>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "デバイスをクローズします (マッピングを削除します)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "アクティブデバイスをリサイズ"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr "デバイスステータスを表示"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <暗号>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr "暗号ベンチマーク"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr "<デバイス>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr "on-disk メタデータを修復しようとしています"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr "LUKS2 デバイスを再暗号化"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr "全てのキースロットを消去します (暗号鍵も削除します)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "LUKS2 から LUKS もしくは LUKS から LUKS2 形式に変換します"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr "LUKS2 の permanent configuration オプションを設定します"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr "<デバイス> [<新しいキーファイル>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr "LUKS デバイスをフォーマットします"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr "LUKS デバイスにキーを追加します"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr "<デバイス> [<キーファイル>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr "与えられたキーかキーファイルを LUKS デバイスから削除します。"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr "与えられた LUKS デバイスのキーかキーファイルを変更します"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr "キーを新しい pbkdf パラメータに変換します"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr "<デバイス> <キースロット>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "<キースロット>のキーを LUKS デバイスから削除します"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr "LUKS デバイスの UUID を表示"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr "<デバイス> の LUKS パーティションヘッダをテストします"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr "LUKS パーティション情報をダンプします"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr "TCRYPT デバイス情報をダンプします"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr "BITLK デバイス情報をダンプします"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr "FVAULT2 デバイス情報をダンプします"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "LUKS デバイスを停止してキーを削除します (全てのI/Oは停止します)"
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr "停止していた LUKS デバイスを再開します"
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr "LUKS デバイスヘッダとキースロットをバックアップします"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr "LUKS デバイスヘッダとキースロットをリストアします"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <デバイス>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr "LUKS2 トークンを操作します"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2844,7 +2952,7 @@ msgstr ""
 "\n"
 "<action> は以下のうちの一つです:\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2856,7 +2964,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2871,7 +2979,7 @@ msgstr ""
 "<キースロット> は変更する LUKS キースロット番号\n"
 "<キーファイル> は luskAddKey でオプションで与えられる新しいキーのキーファイル\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
@@ -2880,7 +2988,7 @@ msgstr ""
 "\n"
 "デフォルトのコンパイル時に決められたメタデータ形式は %s です(luksFormat で使われます)。\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2888,12 +2996,12 @@ msgstr ""
 "\n"
 "LUKS2 外部トークンプラグインサポートは有効です。\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "LUKS2 外部トークンプラグインパス: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2901,7 +3009,7 @@ msgstr ""
 "\n"
 "LUKS2 外部トークンプラグインサポートは無効です。\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2918,7 +3026,7 @@ msgstr ""
 "デフォルト LUKS2 向け PBKDF: %s\n"
 "\t繰り返す時間: %d, 使うメモリ: %dkB, 並列スレッド: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2933,110 +3041,122 @@ msgstr ""
 "\tplain: %s, キー: %d ビット, パスワードハッシュ: %s\n"
 "\tLUKS: %s, キー: %d ビット, LUKS ヘッダハッシュ: %s, 乱数生成: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: XTS モードのデフォルトキーサイズは (2つの内部キーがあるため) 倍になります。\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: は %s を引数で与える必要があります"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "キースロットは不正です。"
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "デバイスサイズは 512 バイトセクタの倍数である必要があります。"
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "再暗号化ホットゾーン最大サイズの指定が不正です。"
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr "キーサイズは 8bit の倍数でなければなりません"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "多くても2つのキーサイズ設定しか指定できません。"
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "多くても %d 個のボリュームキーしか指定できません。"
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "多くても %d 個のキーリングリンクしか指定できません。"
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "デバイスを減らせる最大値は 1 GiB です。"
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "減らすサイズは 512 バイトセクタの倍数である必要があります。"
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "--priority の引数は ignore/normal/prefer のいずれかのみです。"
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "このヘルプを表示します"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "コンパクトな使用法表示をします"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "パッケージのバージョンを表示"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "ヘルプオプション:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[オプション...] <アクション> <アクション特有>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "<アクション> がありません。"
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "未知のアクションです。"
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "--key-file は他で指定されたキーファイルを上書きします。"
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr "--key-file は一つしか使えません。"
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "パスワードからキーを作る関数 (PBKDF) は pbkdf2 argon2i argon2id のいずれかのみです。"
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "PBKDF の繰り返し回数の強制と繰り返し時間指定オプションは共存できません。"
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "キーリングが無効化されているためボリュームキーをキーリングにリンクできません。"
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "キーリングが無効化されているためキーリングキー記述を使えません。"
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "インライン整合性拡張は --integrity オプション付きの時しか使えません。"
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "--keyslot-cipher と --keyslot-key-size は同時に使う必要があります。"
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "--test-args オプションつきだったため、何もしません。\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr "メタデータロックを禁止できません。"
 
@@ -3064,72 +3184,72 @@ msgstr "ルートハッシュファイル %s を書けるように作成でき
 msgid "Cannot write to root hash file %s."
 msgstr "ルートハッシュファイル %s に書き込めません。"
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "デバイス %s が有効な VERITY デバイスではありません。"
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "ルートハッシュファイル %s を読み込めません。"
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "不正なルートハッシュファイル %s です。"
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "不正なルートハッシュ文字列が指定されました。"
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "署名ファイル %s が不正です。"
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "署名ファイル %s を読み込めませんでした。"
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "コマンドは <root_hash> か --root-hash-file オプションを引数として必要とします。"
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<データデバイス> <ハッシュデバイス>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "デバイスをフォーマット"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<データデバイス> <ハッシュデバイス> [<ルートハッシュ>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "デバイスを検証"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<データデバイス> <名前> <ハッシュデバイス> [<ルートハッシュ>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "アクティブデバイスのステータスを表示"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<ハッシュデバイス>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "ディスク上の情報を表示"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3144,7 +3264,7 @@ msgstr ""
 "<ハッシュデバイス> は検証用データが入るデバイス\n"
 "<ルートハッシュ> は <ハッシュデバイス> のルートノードのハッシュ\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3155,15 +3275,19 @@ msgstr ""
 "コンパイル時に決めた dm-verity のデフォルトパラメータ:\n"
 "\tハッシュ: %s, データブロック (バイト): %u, ハッシュブロック (バイト): %u, ソルトサイズ: %u, ハッシュフォーマット: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "--ignore-corruption と --restart-on-corruption は同時に使えません。"
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "--panic-on-corruption と --restart-on-corruption は同時に使えません。"
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "--error-as-corruption オプションは --panic-on-corruption か --restart-on-corruption と一緒に使う必要があります。"
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3172,29 +3296,33 @@ msgstr ""
 "%s と %s のデータを復元不能な形で上書きします。\n"
 "データデバイスを保持するにはオプション --no-wipe を使ってください (その後、--integrity-recalculate を付けてアクティベートしてください)。"
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "タグサイズ %u、内部整合性は %s でフォーマットされました。\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "タグサイズ %u%s、内部整合性は %s でフォーマットされました。\n"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (インラインHWタグ)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "再計算フラグの設定はサポートされていません。代わりに --wipe を使うことを検討してください。"
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "デバイス %s が有効な INTEGRITY デバイスではありません。"
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<整合性デバイス>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<整合性デバイス> <名前>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3205,7 +3333,7 @@ msgstr ""
 "<名前> は %s に作られるデバイス\n"
 "<整合性デバイス> は整合性タグを格納するデバイス\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3218,43 +3346,51 @@ msgstr ""
 "\tチェックサムアルゴリズム: %s\n"
 "        最大キーファイルサイズ: %dkB\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "不正な --%s サイズです。最大は %u バイトです。"
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "キーファイルとキーサイズの両方の指定が必要です。"
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "ジャーナル整合性キーファイルとキーサイズの両方の指定が必要です。"
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "ジャーナル整合性キーを使う場合はアルゴリズムの指定が必要です。"
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "ジャーナル暗号キーファイルとキーサイズの両方の指定が必要です。"
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "ジャーナル暗号キーを使う場合はアルゴリズムの指定が必要です。"
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "リカバリと bitmap モードオプションは同時には使えません。"
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "ジャーナルオプションは bitmap モードでは使えません。"
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "bitmap オプションは bitmap モードでしか使えません。"
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "インラインモードは journal や bitmap オプションと一緒に使えません。"
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "インラインモードは分離データデバイスと一緒には使えません。"
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3402,6 +3538,14 @@ msgstr "キーファイル %s を書き込み用にオープンできません
 msgid "Cannot write to keyfile %s."
 msgstr "キーファイル %s に書き込めません。"
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "名前が長すぎます。"
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "名前に '/' を含められません。"
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3463,37 +3607,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "パスワードの質が確認できません: 質の悪いパスフレーズ (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "最大インタラクティブ入力長に達し読み込みを止めたため、パスフレーズの後が欠けた可能性があります。"
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "端末からパスフレーズを読み込めません。"
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "同じパスフレーズを入力してください: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "パスフレーズが一致しません。"
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "端末からの入力でオフセットは使用できません。"
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "パスフレーズを入力してください: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "%s のパスフレーズを入力してください: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "このパスフレーズで使用可能なキーはありません。"
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "使用可能なキースロットがありません。"
 
@@ -3501,20 +3649,20 @@ msgstr "使用可能なキースロットがありません。"
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "tty 入力以外ではパスフレーズ認証できません。"
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "ファイル %s を読み込み専用モードでオープンできません。"
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "妥当な LUKS2 トークンを JSON で与えてください:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "JSON ファイルを読み込めません。"
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3522,12 +3670,12 @@ msgstr ""
 "\n"
 "読み込みが中断されました。"
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "ファイル %s を書き込みモードでオープンできません。"
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3535,26 +3683,26 @@ msgstr ""
 "\n"
 "書き込みが中断されました。"
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "JSON ファイルに書き込めません。"
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "データデバイス %2s のアクティブな dm デバイス '%1s'を自動検出しました。\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "デバイス %s のホルダ(holders)を自動検出できません。"
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "デバイス %s は有効なブロックデバイスではありません。\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3567,7 +3715,7 @@ msgstr ""
 "アクティベートされていたらデータが破壊されるかもしれません。\n"
 "再暗号化をオンラインで行う場合は --active-name を代わりに使ってください。\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3576,45 +3724,49 @@ msgstr ""
 "デバイス %s はブロックデバイスではありません。アクティブであろうとなかろうと自動検出できません。\n"
 "このチェックをバイパスしてオフラインモードで動作するには --force-offline-reencrypt を使ってください。(ただし危険です!)。"
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "要求された --resilience オプションは現在の再暗号化処理に適用できません。"
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "デバイスは LUKS2 暗号化状態にありません。オプション --encrypt と競合します。"
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "デバイスは LUKS2 復号状態にありません。オプション --decrypt と競合します。"
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "デバイスはデータシフト耐性を使った再暗号化状態にあります。--resilience オプションは適用できません。"
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "キースロットのない LUKS のボリュームキーサイズが決定できないので、--new-key-size を使ってください。"
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "デバイスは再暗号化リカバリが必要です。先に修復してください。"
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "デバイス %s は既に LUKS2 再暗号化状態にあります。以前に初期化された処理に復帰しますか？"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "古い LUKS2 再暗号化はサポートされなくなりました。"
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "OPAL を使うよう設定された LUKS2 デバイスは再暗号化できません。"
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "整合性プロファイルつきのデバイスの再暗号化はサポートされていません。"
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3623,103 +3775,110 @@ msgstr ""
 "要求された --sector-size %<PRIu32> は %s superblock\n"
 "(ブロックサイズ: %<PRIu32> バイト、デバイス %s)と互換性がありません。"
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "データデバイスサイズの縮小(--reduce-device-size)なしに分離ヘッダ(--header)による暗号化はできません。"
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "要求されたデータオフセットは --reduce-device-size パラメータの半分以下である必要があります。"
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "--reduce-device-size の値を --offset %<PRIu64> (セクタ) の倍にします。\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "テンポラリヘッダファイル %s は既に存在しているので、中止します。"
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "テンポラリヘッダファイル %s を作成できません。"
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "LUKS2 メタデータサイズがデータシフト値より大きいです。"
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "デバイス %s の先頭に新しいヘッダを置けません。"
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s がアクティブでオンライン暗号化可能です。\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "アクティブなデバイス %s は LUKS2 ではありません。"
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "オリジナルの LUKS2 ヘッダを復元しています。"
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "オリジナルの LUKS ヘッダの復元に失敗しました。"
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "ヘッダファイル %s が存在しません。デバイス %s の復号化をして LUKS2 ヘッダをファイル %s に出力しますか？"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "エクスポートされたヘッダファイルに読み書き権限を付与できません。"
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "再暗号化の初期化に失敗しました。ヘッダのバックアップは %s にあります。"
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "LUKS2 復号は分離(detached)ヘッダデバイスしかサポートしていません(データへのオフセットが0)。"
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "デバイスをアンロックできるトークンがありません。"
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "再暗号化に必要な空きキースロットがありません。"
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "キーファイルは --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。"
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "キーファイルやキーリングキー記述は --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。"
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "キースロット %d のパスフレーズを入力してください: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "キースロット %u のパスフレーズを入力してください: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "データの暗号化用の暗号アルゴリズムを %s にします。\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "アクティブキースロットがあるデバイスを再暗号化するには --force-no-keyslots を使いボリュームキーを直接渡してください。"
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "--new-volume-key-file オプションは --new-key-size とペアにする必要があります。"
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "データセグメントのパラメータが変わっていません。再暗号化を中止します。"
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3727,8 +3886,8 @@ msgstr ""
 "オフラインデバイスの暗号化セクタサイズの増加はサポートしていません。\n"
 "まずデバイスをアクティベートするか、--force-offline-reencrypt オプションを使ってください (ただし危険です！)。"
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3736,67 +3895,67 @@ msgstr ""
 "\n"
 "再暗号化が中断されました。"
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "LUKS 再暗号化を強制オフラインモードで再開します。\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "デバイス %s は壊れた LUKS メタデータを含んでいます。処理を中止します。"
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "デバイス %s は既に LUKS デバイスです。処理を中止します。"
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "デバイス %s は既に LUKS 再暗号化状態にあります。処理を中止します。"
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr "LUKS2 復号には --header オプションが必要です。"
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr "コマンドはデバイスを引数として必要とします。"
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "バージョンが衝突しています。デバイス %s は LUKS1 です。"
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "バージョンが衝突しています。デバイス %s は LUKS1 再暗号化状態にあります。"
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "バージョンが衝突しています。デバイス %s は LUKS2 です。"
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "バージョンが衝突しています。デバイス %s は LUKS2 再暗号化状態にあります。"
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "LUKS2 再暗号化が既に初期化済なので操作を中止します。"
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr "再暗号化処理を実行中ではありません。"
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "デバイスが使用中のため %s を排他的にオープンできません。"
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "アライメントつきメモリの確保ができませんでした。"
 
@@ -3819,11 +3978,11 @@ msgstr "デバイス %s に書き込めません。"
 msgid "Cannot write reencryption log file."
 msgstr "再暗号化ログファイルに書きこめません。"
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "再暗号化ログファイルを読み込めません。"
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "誤ったログフォーマットです。"
 
@@ -3832,130 +3991,134 @@ msgstr "誤ったログフォーマットです。"
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "ログファイル %s が既にあるので再暗号化を再開します。\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "古い LUKS ヘッダを使っているテンポラリデバイスを有効にします。"
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "新しい LUKS ヘッダを使っているテンポラリデバイスを有効にします。"
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "テンポラリデバイスの有効化に失敗しました。"
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "データオフセットの設定に失敗しました。"
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "メタデータサイズの設定に失敗しました。"
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "デバイス %s の新しい LUKS ヘッダを作成しました。"
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "%s ヘッダバックアップデバイス %s が作成されました。"
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "LUKS バックアップヘッダが作成できません。"
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "デバイス %2s の %1s ヘッダが復元できません。"
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "デバイス %2s の %1s ヘッダを復元しました。"
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "テンポラリ LUKS デバイスをオープンできません。"
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "デバイスサイズを取得できません。"
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "再暗号化中に I/O エラーが発生しました。"
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "与えられた UUID が不正です。"
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "キーファイルは --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。"
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "再暗号化ログファイルを開けません。"
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "復号を実行中ではありません。与えられた UUID は中止された復号を再開するためだけに使えます。"
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "再暗号化で以下が変わります: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "ボリュームキー"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "ハッシュ"
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr "暗号(cipher)"
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "警告: デバイス %s が既に '%s' パーティションシグネチャを含んでいます。\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "警告: デバイス %s が既に '%s' のスーパーブロックシグネチャを含んでいます。\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "デバイスシグネチャ検出の初期化に失敗しました。"
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "デバイス %s の stat() に失敗しました。"
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "ファイル %s を読み書き可能なモードでオープンできません。"
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "今ある '%s' パーティションシグネチャはデバイス %s から消されます。"
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "今ある '%s' スーパーブロックシグネチャはデバイス %s から消されます。"
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "デバイスシグネチャを消せません。"
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "デバイス %s のシグネチャが検出できません。"
@@ -3970,6 +4133,50 @@ msgstr "--%s のサイズの指定が不正です。"
 msgid "Option --%s is not allowed with %s action."
 msgstr "オプション --%s は %s アクションと一緒には使えません。"
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "--link-vk-to-keyring のキーリングスペックへのタイプ指定は無視されました。"
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "双方のボリュームキーのタイプは同じでなければなりません。"
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "双方のボリュームキーは同じキーリングにリンクされなければなりません。"
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "より多くのキーの名前が必要です。"
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "--link-vk-to-keyring の値が不正です。"
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "キースロット %d のバイナリデータが壊れている可能性があります。\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  疑いのあるオフセット: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  それ以降の疑わしいオフセットの表示は抑制されました。\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "キースロット %d をデバイスから読み込めません。"
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "データを調査するには hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" を使うことができます。\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "ssh token json ファイルに書き込めません。"
diff --git a/po/ka.po b/po/ka.po
index 189e176..6bc83ad 100644
--- a/po/ka.po
+++ b/po/ka.po
@@ -1,651 +1,791 @@
 # Georgian translation for cryptsetup.
 # Copyright (C) 2022 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Temuri Doghonadze <temuri.doghonadze@gmail.com>, 2022.
+# Temuri Doghonadze <temuri.doghonadze@gmail.com>, 2022 2025.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.6.0-rc1\n"
+"Project-Id-Version: cryptsetup 2.8.0-rc1\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2022-11-20 12:38+0100\n"
-"PO-Revision-Date: 2022-12-28 18:51+0100\n"
+"POT-Creation-Date: 2025-06-16 13:51+0200\n"
+"PO-Revision-Date: 2025-06-24 14:51+0200\n"
 "Last-Translator: Temuri Doghonadze <temuri.doghonadze@gmail.com>\n"
 "Language-Team: Georgian <(nothing)>\n"
 "Language: ka\n"
-"X-Bugs: Report translation errors to the Language-Team address.\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 3.2.2\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 3.6\n"
 
 #: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
-msgstr ""
+msgstr "შეუძლებელია device-mapper-ის ინიციალიზაცია. გაშვებულია არა-root მომხმარებლით."
 
 #: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
-msgstr ""
+msgstr "შეუძლებელია device-mapper-ის ინიციალიზაცია. ბირთვის მოდული dm_mod ჩატვირთულია?"
 
-#: lib/libdevmapper.c:1102
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1171
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr ""
 
-#: lib/libdevmapper.c:1501
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "უცნობი dm სამიზნის ტიპი."
 
-#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724
-#: lib/libdevmapper.c:1727
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1641
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1653
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1663
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676
+#: lib/libdevmapper.c:1779
+msgid "The device size is not multiple of the requested sector size."
+msgstr ""
+
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "მოთხოვნილი პარამეტრი integrity_key_size მხარდაჭერილი არაა."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733
-#: lib/luks2/luks2_json_metadata.c:2620
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2777
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM მხარდაუჭერელია."
 
-#: lib/libdevmapper.c:1688
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:2724
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr ""
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr ""
 
-#: lib/random.c:73
+#: lib/random.c:60
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
 msgstr ""
 
-#: lib/random.c:77
+#: lib/random.c:64
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "გასაღების გენერაცია (%d%% მზადაა).\n"
 
-#: lib/random.c:163
+#: lib/random.c:150
 msgid "Running in FIPS mode."
 msgstr "FIPS რეჟიმში მუშაობა."
 
-#: lib/random.c:169
+#: lib/random.c:156
 msgid "Fatal error during RNG initialisation."
 msgstr "ფატალური შეცდომა RNG-ის ინიციალიზაციისას."
 
-#: lib/random.c:207
+#: lib/random.c:194
 msgid "Unknown RNG quality requested."
 msgstr "RNG-ის მოთხოვნილი ხარისხი უცნობია."
 
-#: lib/random.c:212
+#: lib/random.c:199
 msgid "Error reading from RNG."
 msgstr "RNG-დან წაკითხვის შეცდომა."
 
-#: lib/setup.c:231
+#: lib/setup.c:248
+msgid "OPAL support is disabled in libcryptsetup."
+msgstr ""
+
+#: lib/setup.c:250
+#, c-format
+msgid "Device %s or kernel does not support OPAL encryption."
+msgstr ""
+
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "კრიპტოს RNG უკანაბოლოს ინიციალიზაციის შეცდომა."
 
-#: lib/setup.c:237
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "კრიპტო უკანაბოლოს ინიციალიზაციის შეცდომა."
 
-#: lib/setup.c:268 lib/setup.c:2139 lib/verity/verity.c:122
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
-msgstr ""
+msgstr "ჰეშის ალგორითმი %s მხარდაჭერილი არაა."
 
-#: lib/setup.c:271 lib/loopaes/loopaes.c:90
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "გასაღების დამუშავების შეცდომა (გამოყენებული ჰეში %s)."
 
-#: lib/setup.c:342 lib/setup.c:369
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr ""
 
-#: lib/setup.c:348 lib/setup.c:3308
+#: lib/setup.c:395 lib/setup.c:4139
 msgid "This operation is supported only for LUKS device."
 msgstr ""
 
-#: lib/setup.c:375
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr ""
 
-#: lib/setup.c:430 lib/luks2/luks2_reencrypt.c:3010
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3093
 msgid "All key slots full."
 msgstr "გასაღების ყველა სლოტი სავსეა."
 
-#: lib/setup.c:441
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr ""
 
-#: lib/setup.c:447
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr ""
 
-#: lib/setup.c:532 lib/setup.c:3030
+#: lib/setup.c:531 lib/setup.c:3854
 msgid "Device size is not aligned to device logical block size."
 msgstr ""
 
-#: lib/setup.c:630
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
-msgstr ""
+msgstr "თავსართი აღმოჩენილია, მაგრამ მოწყობილობა %s მეტისმეტად პატარაა."
 
-#: lib/setup.c:671 lib/setup.c:2930 lib/setup.c:4275
-#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184
+#: lib/setup.c:669 lib/setup.c:3739 lib/setup.c:5206
+#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
 msgid "This operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:676
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr ""
 
-#: lib/setup.c:762
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr ""
 
-#: lib/setup.c:849 lib/luks1/keymanage.c:247 lib/luks1/keymanage.c:525
-#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587
-#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977
-#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656
-#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1433
-#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1773
+#: src/cryptsetup.c:1957 src/cryptsetup.c:2012 src/cryptsetup.c:2210
+#: src/cryptsetup.c:2355 src/cryptsetup.c:2633 src/cryptsetup.c:2946
+#: src/cryptsetup.c:3014 src/utils_reencrypt.c:2280
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
-msgstr ""
+msgstr "მოწყობილობა %s სწორი LUKS მოწყობილობა არაა."
 
-#: lib/setup.c:852 lib/luks1/keymanage.c:528
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "LUKS-ის მხარდაუჭერელი ვერსია %d."
 
-#: lib/setup.c:1479 lib/setup.c:2679 lib/setup.c:2761 lib/setup.c:2773
-#: lib/setup.c:2940 lib/setup.c:4752
+#: lib/setup.c:1270
+#, c-format
+msgid "No known cipher specification pattern detected for active device %s."
+msgstr ""
+
+#: lib/setup.c:1515 lib/setup.c:3486 lib/setup.c:3578 lib/setup.c:3590
+#: lib/setup.c:3762 lib/setup.c:5781
 #, c-format
 msgid "Device %s is not active."
 msgstr "მოწყობილობა %s აქტიური არაა."
 
-#: lib/setup.c:1496
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "ქვეშმყოფი მოწყობილობა დაშიფრული მოწყობილობისთვის %s სადღაც აორთქლდა."
 
-#: lib/setup.c:1578
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "უბრალოდ შიფრაციის არასწორი პარამეტრები."
 
-#: lib/setup.c:1583 lib/setup.c:2042
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "გასაღების არასწორი ზომა."
 
-#: lib/setup.c:1588 lib/setup.c:2047 lib/setup.c:2250
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1593 lib/setup.c:2052
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1603 lib/setup.c:1819 lib/luks2/luks2_reencrypt.c:2966
-#: src/cryptsetup.c:1387 src/cryptsetup.c:3383
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3026
+#: src/cryptsetup.c:1485 src/cryptsetup.c:3753
 msgid "Unsupported encryption sector size."
 msgstr ""
 
-#: lib/setup.c:1611 lib/setup.c:1947 lib/setup.c:3024
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3848
 msgid "Device size is not aligned to requested sector size."
 msgstr ""
 
-#: lib/setup.c:1663 lib/setup.c:1787
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr ""
 
-#: lib/setup.c:1669 lib/setup.c:1793
+#: lib/setup.c:1704 lib/setup.c:1956
+#, c-format
+msgid "Zoned device %s cannot be used for LUKS header."
+msgstr ""
+
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr ""
 
-#: lib/setup.c:1744 lib/setup.c:1964 lib/setup.c:1985 lib/setup.c:2262
+#: lib/setup.c:1751 lib/setup.c:1981
+msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
+msgstr ""
+
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr ""
 
-#: lib/setup.c:1757 lib/setup.c:2024
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr ""
 
-#: lib/setup.c:1828
-msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
-msgstr ""
-
-#: lib/setup.c:1851
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr ""
 
-#: lib/setup.c:1911
-#, c-format
-msgid "Cipher %s-%s (key size %zd bits) is not available."
-msgstr ""
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "მთლიანობის გასაღების ზომა მეტისმეტად პატარაა."
 
-#: lib/setup.c:1937
+#: lib/setup.c:1856
 #, c-format
-msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr ""
 
-#: lib/setup.c:1941
-#, c-format
-msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+#: lib/setup.c:1897
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr ""
 
-#: lib/setup.c:1967 lib/utils_device.c:911 lib/luks1/keyencryption.c:255
-#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_reencrypt.c:3065
+#: lib/luks2/luks2_reencrypt.c:4485
 #, c-format
 msgid "Device %s is too small."
 msgstr "მოწყობილობა ძალიან პატარაა %s."
 
-#: lib/setup.c:1978 lib/setup.c:2004
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
-msgstr ""
+msgstr "მოწყობილობის %s დაფორმატება შეუძლებელია. ის გამოიყენება."
 
-#: lib/setup.c:1981 lib/setup.c:2007
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
-msgstr ""
+msgstr "მოწყობილობის %s დაფორმატება შეუძლებელია. წვდომა აკრძალულია."
 
-#: lib/setup.c:1993 lib/setup.c:2322
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr ""
 
-#: lib/setup.c:2011
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "მოწყობილობის ფორმატირების (%s) შეცდომა."
 
-#: lib/setup.c:2037
-msgid "Can't format LOOPAES without device."
+#: lib/setup.c:2191
+msgid "Cannot get OPAL alignment parameters."
 msgstr ""
 
-#: lib/setup.c:2082
-msgid "Can't format VERITY without device."
+#: lib/setup.c:2203
+msgid "Bogus OPAL logical block size."
+msgstr ""
+
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:303
+msgid "Bogus OPAL logical block size differs from device block size."
+msgstr ""
+
+#: lib/setup.c:2214
+msgid "Requested data offset is not compatible with OPAL block size."
+msgstr ""
+
+#: lib/setup.c:2221
+msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr ""
 
-#: lib/setup.c:2093 lib/verity/verity.c:101
+#: lib/setup.c:2241
+msgid "Data offset does not satisfy OPAL alignment requirements."
+msgstr ""
+
+#: lib/setup.c:2254
+msgid "Requested data alignment does not satisfy locking range alignment requirements."
+msgstr ""
+
+#: lib/setup.c:2468
 #, c-format
-msgid "Unsupported VERITY hash type %d."
+msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr ""
 
-#: lib/setup.c:2099 lib/verity/verity.c:109
-msgid "Unsupported VERITY block size."
+#: lib/setup.c:2528 lib/setup.c:4222 lib/setup.c:4411 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
+#, c-format
+msgid "Failed to acquire OPAL lock on device %s."
 msgstr ""
 
-#: lib/setup.c:2104 lib/verity/verity.c:74
-msgid "Unsupported VERITY hash offset."
+#: lib/setup.c:2538
+msgid "Incorrect OPAL Admin key."
 msgstr ""
 
-#: lib/setup.c:2109
-msgid "Unsupported VERITY FEC offset."
+#: lib/setup.c:2540
+msgid "Cannot setup OPAL segment."
 msgstr ""
 
-#: lib/setup.c:2133
-msgid "Data area overlaps with hash area."
+#: lib/setup.c:2622
+#, c-format
+msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr ""
 
-#: lib/setup.c:2158
-msgid "Hash area overlaps with FEC area."
+#: lib/setup.c:2624
+msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr ""
 
-#: lib/setup.c:2165
-msgid "Data area overlaps with FEC area."
+#: lib/setup.c:2644
+#, c-format
+msgid "Locking range %d reset on device %s failed."
 msgstr ""
 
-#: lib/setup.c:2301
+#: lib/setup.c:2664
+msgid "Can't format LOOPAES without device."
+msgstr "ვერ დავაფორმატებ LOOPAES-ს მოწყობილობის გარეშე."
+
+#: lib/setup.c:2709
+msgid "Can't format VERITY without device."
+msgstr "ვერ დავაფორმატებ VETRITY-ს მოწყობილობის გარეშე."
+
+#: lib/setup.c:2720 lib/verity/verity.c:88
+#, c-format
+msgid "Unsupported VERITY hash type %d."
+msgstr "მხარდაუჭერელი VERITY-ის ჰეშის ტიპი %d."
+
+#: lib/setup.c:2726 lib/verity/verity.c:96
+msgid "Unsupported VERITY block size."
+msgstr "მხარდაუჭერელი VERITY-ის ბლოკის ზომა."
+
+#: lib/setup.c:2731 lib/verity/verity.c:61
+msgid "Unsupported VERITY hash offset."
+msgstr "მხარდაუჭერელი VERITY-ის ჰეშის წანაცვლება."
+
+#: lib/setup.c:2736
+msgid "Unsupported VERITY FEC offset."
+msgstr "მხარდაუჭერელი VERITY FEC-ის ჰეშის წანაცვლება."
+
+#: lib/setup.c:2760
+msgid "Data area overlaps with hash area."
+msgstr "მონაცემების არე ჰეშის არეს გადაფარავს."
+
+#: lib/setup.c:2785
+msgid "Hash area overlaps with FEC area."
+msgstr "ჰეშის არე FEC-ის არეს გადაფარავს."
+
+#: lib/setup.c:2792
+msgid "Data area overlaps with FEC area."
+msgstr "მონაცემების არე FEC-ის არეს გადაფარავს."
+
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "მთლიანობის გასაღების ზომა არ ემთხვევა."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr ""
 
-#: lib/setup.c:2380
+#: lib/setup.c:3031 lib/setup.c:3129
+#, c-format
+msgid "Unknown or unsupported device type %s requested."
+msgstr "მოთხოვნილი მოწყობილობის ტიპი %s უცნობი ან მხარდაუჭერელია."
+
+#: lib/setup.c:3043
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr ""
+
+#: lib/setup.c:3049
 #, c-format
-msgid "Unknown crypt device type %s requested."
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
 msgstr ""
 
-#: lib/setup.c:2687 lib/setup.c:2766 lib/setup.c:2779
+#: lib/setup.c:3064
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr ""
+
+#: lib/setup.c:3494 lib/setup.c:3583 lib/setup.c:3596
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:2693 lib/setup.c:2786 lib/luks2/luks2_reencrypt.c:2862
-#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484
+#: lib/setup.c:3500 lib/setup.c:3603 lib/luks2/luks2_reencrypt.c:2920
+#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:2810
+#: lib/setup.c:3626
 msgid "Crypt devices mismatch."
 msgstr ""
 
-#: lib/setup.c:2847 lib/setup.c:2852 lib/luks2/luks2_reencrypt.c:2361
-#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032
+#: lib/setup.c:3658 lib/setup.c:3663 lib/luks2/luks2_reencrypt.c:2404
+#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
 #, c-format
 msgid "Failed to reload device %s."
 msgstr ""
 
-#: lib/setup.c:2858 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2332
-#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892
+#: lib/setup.c:3669 lib/setup.c:3675 lib/luks2/luks2_reencrypt.c:2375
+#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr ""
 
-#: lib/setup.c:2870 lib/luks2/luks2_reencrypt.c:2346
-#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945
-#: lib/luks2/luks2_reencrypt.c:4036
+#: lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2389
+#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4228
 #, c-format
 msgid "Failed to resume device %s."
 msgstr ""
 
-#: lib/setup.c:2885
+#: lib/setup.c:3696
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr ""
 
-#: lib/setup.c:2888 lib/setup.c:2890
+#: lib/setup.c:3699 lib/setup.c:3701
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr ""
 
-#: lib/setup.c:2972
+#: lib/setup.c:3744
+msgid "Can not resize LUKS2 device with static size."
+msgstr "სტატიკური ზომის მქონე LUKS2 მოწყობილობის ზომის შეცვლა შეუძლებელია."
+
+#: lib/setup.c:3749
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr ""
+
+#: lib/setup.c:3795
 msgid "Cannot resize loop device."
 msgstr "Loop მოწყობილობის ზომის შეცვლა შეუძლებელია."
 
-#: lib/setup.c:3015
+#: lib/setup.c:3839
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr ""
 
-#: lib/setup.c:3076
+#: lib/setup.c:3905
 msgid "Resize failed, the kernel doesn't support it."
 msgstr ""
 
-#: lib/setup.c:3108
+#: lib/setup.c:3937
 msgid "Do you really want to change UUID of device?"
 msgstr ""
 
-#: lib/setup.c:3200
+#: lib/setup.c:4029
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr ""
 
-#: lib/setup.c:3316
+#: lib/setup.c:4122
 #, c-format
 msgid "Volume %s is not active."
 msgstr "ტომი %s აქტიური არაა."
 
-#: lib/setup.c:3327
+#: lib/setup.c:4177
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr ""
 
-#: lib/setup.c:3340
+#: lib/setup.c:4203
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:3342
+#: lib/setup.c:4205 lib/setup.c:4213
 #, c-format
 msgid "Error during suspending device %s."
 msgstr ""
 
-#: lib/setup.c:3377
+#: lib/setup.c:4228
+#, c-format
+msgid "Device %s was suspended but hardware OPAL device cannot be locked."
+msgstr ""
+
+#: lib/setup.c:4259 lib/setup.c:4436
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:3379
+#: lib/setup.c:4261 lib/setup.c:4426 lib/setup.c:4438
 #, c-format
 msgid "Error during resuming device %s."
 msgstr ""
 
-#: lib/setup.c:3413 lib/setup.c:3461 lib/setup.c:3532 lib/setup.c:3577
-#: src/cryptsetup.c:2479
+#: lib/setup.c:4280
+msgid "Failed to unlink volume key from user specified keyring."
+msgstr ""
+
+#: lib/setup.c:4402 lib/setup.c:5568
+msgid "Failed to link volume key in user defined keyring."
+msgstr ""
+
+#: lib/setup.c:4500 src/cryptsetup.c:2714
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr ""
 
-#: lib/setup.c:3547 lib/setup.c:4528 lib/setup.c:4541 lib/setup.c:4549
-#: lib/setup.c:4562 lib/setup.c:6145 lib/setup.c:6167 lib/setup.c:6216
-#: src/cryptsetup.c:2011
+#: lib/setup.c:4601 lib/setup.c:7233 lib/setup.c:7255 lib/setup.c:7309
+#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
 msgid "Volume key does not match the volume."
 msgstr "ტომის გასაღები ტომს არ ემთხვევა."
 
-#: lib/setup.c:3725
+#: lib/setup.c:4755
 msgid "Failed to swap new key slot."
 msgstr ""
 
-#: lib/setup.c:3823
+#: lib/setup.c:4853
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "გასაღების სლოტი %d არასწორია."
 
-#: lib/setup.c:3829 src/cryptsetup.c:1740 src/cryptsetup.c:2208
-#: src/cryptsetup.c:2816 src/cryptsetup.c:2876
+#: lib/setup.c:4859 src/cryptsetup.c:1970 src/cryptsetup.c:2430
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "გასაღების სლოტი %d აქტიური არაა."
 
-#: lib/setup.c:3848
+#: lib/setup.c:4878
 msgid "Device header overlaps with data area."
 msgstr ""
 
-#: lib/setup.c:4153
+#: lib/setup.c:5099
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr ""
 
-#: lib/setup.c:4155 lib/luks2/luks2_json_metadata.c:2703
-#: lib/luks2/luks2_reencrypt.c:3590
+#: lib/setup.c:5101 lib/luks2/luks2_json_metadata.c:2884
+#: lib/luks2/luks2_reencrypt.c:3714
 msgid "Failed to get reencryption lock."
 msgstr ""
 
-#: lib/setup.c:4168 lib/luks2/luks2_reencrypt.c:3609
-msgid "LUKS2 reencryption recovery failed."
+#: lib/setup.c:5123
+msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr ""
 
-#: lib/setup.c:4340 lib/setup.c:4606
-msgid "Device type is not properly initialized."
-msgstr ""
-
-#: lib/setup.c:4388
+#: lib/setup.c:5259
 #, c-format
 msgid "Device %s already exists."
 msgstr "მოწყობლობა %s უკვე არსებობს."
 
-#: lib/setup.c:4395
+#: lib/setup.c:5266
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr ""
 
-#: lib/setup.c:4515
+#: lib/setup.c:5278
+msgid "Reencryption volume keys do not match the volume."
+msgstr "თავიდან დაშიფვრის ტომის გასაღებები ტომს არ ემთხვევა."
+
+#: lib/setup.c:5295
 msgid "Incorrect volume key specified for plain device."
 msgstr ""
 
-#: lib/setup.c:4632
-msgid "Incorrect root hash specified for verity device."
+#: lib/setup.c:5321 lib/setup.c:5382
+msgid "Device type is not properly initialized."
 msgstr ""
 
-#: lib/setup.c:4642
-msgid "Root hash signature required."
+#: lib/setup.c:5420
+msgid "Kernel keyring is not supported by the kernel."
 msgstr ""
 
-#: lib/setup.c:4651
+#: lib/setup.c:5424
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr ""
 
-#: lib/setup.c:4668 lib/setup.c:6411
-msgid "Failed to load key in kernel keyring."
+#: lib/setup.c:5476
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "გამოყენების შეცდომა ბრელოკის გასაღებისთვის %s."
+
+#: lib/setup.c:5689
+msgid "Incorrect root hash specified for verity device."
 msgstr ""
 
-#: lib/setup.c:4724
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
+#: lib/setup.c:5730 lib/setup.c:5755
+msgid "OPAL does not support deferred deactivation."
 msgstr ""
 
-#: lib/setup.c:4731 lib/setup.c:4747 lib/luks2/luks2_json_metadata.c:2756
-#: src/utils_reencrypt.c:116
+#: lib/setup.c:5745 lib/setup.c:5776 lib/luks2/luks2_json_metadata.c:2949
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "მოწყობილობა %s ჯერ კიდევ გამოიყენება."
 
-#: lib/setup.c:4756
+#: lib/setup.c:5763
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr ""
+
+#: lib/setup.c:5785
 #, c-format
 msgid "Invalid device %s."
 msgstr "არასწორი მოწყობილობა '%s'."
 
-#: lib/setup.c:4896
+#: lib/setup.c:5926
 msgid "Volume key buffer too small."
 msgstr "ტომის გასაღების ბუფერი ძალიან პატარაა."
 
-#: lib/setup.c:4913
+#: lib/setup.c:5937
 msgid "Cannot retrieve volume key for LUKS2 device."
-msgstr ""
+msgstr "ვერ მივიღე ტომის გასაღები LUKS2 მოწყობილობისთვის."
 
-#: lib/setup.c:4922
+#: lib/setup.c:5946
 msgid "Cannot retrieve volume key for LUKS1 device."
-msgstr ""
+msgstr "ვერ მივიღე ტომის გასაღები LUKS1 მოწყობილობისთვის."
 
-#: lib/setup.c:4932
+#: lib/setup.c:5960
 msgid "Cannot retrieve volume key for plain device."
 msgstr "უბრალო მოწყობილობისთვის ტომის გასაღების მიღების შეცდომა."
 
-#: lib/setup.c:4940
+#: lib/setup.c:5968
 msgid "Cannot retrieve root hash for verity device."
-msgstr ""
+msgstr "ვერ მივიღე ძირითადი ჰეში VERITY მოწყობილობებისთვის."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5975
 msgid "Cannot retrieve volume key for BITLK device."
-msgstr ""
+msgstr "ვერ მივიღე ტომის გასაღები BITLK მოწყობილობისთვის."
 
-#: lib/setup.c:4952
+#: lib/setup.c:5980
 msgid "Cannot retrieve volume key for FVAULT2 device."
-msgstr ""
+msgstr "ვერ მივიღე ტომის გასაღები FVAULT2 მოწყობილობისთვის."
 
-#: lib/setup.c:4954
+#: lib/setup.c:5982
 #, c-format
 msgid "This operation is not supported for %s crypt device."
-msgstr ""
+msgstr "ეს ოპერაცია მხარდაჭერილი არაა %s კრიპტომოწყობილობისთვის."
 
-#: lib/setup.c:5135 lib/setup.c:5146
+#: lib/setup.c:6167 lib/setup.c:6178
 msgid "Dump operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:5488
+#: lib/setup.c:6558
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr ""
 
-#: lib/setup.c:5776
+#: lib/setup.c:6866
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr ""
 
-#: lib/setup.c:6086 lib/setup.c:6225
+#: lib/setup.c:7174 lib/setup.c:7318
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr ""
 
-#: lib/setup.c:6110
+#: lib/setup.c:7198
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr ""
 
-#: lib/setup.c:6116
+#: lib/setup.c:7204
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr ""
 
-#: lib/setup.c:6341
+#: lib/setup.c:7435
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr ""
 
-#: lib/setup.c:6478
-msgid "Kernel keyring is not supported by the kernel."
+#: lib/setup.c:7508 lib/verity/verity.c:333
+msgid "Failed to load key in kernel keyring."
 msgstr ""
 
-#: lib/setup.c:6488 lib/luks2/luks2_reencrypt.c:3807
+#: lib/setup.c:7699
 #, c-format
-msgid "Failed to read passphrase from keyring (error %d)."
+msgid "Could not find keyring described by \"%s\"."
 msgstr ""
 
-#: lib/setup.c:6512
+#: lib/setup.c:7764
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr ""
 
-#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "გასაღების ფაილის გახსნის შეცდომა."
 
-#: lib/utils.c:163
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr ""
 
-#: lib/utils.c:179
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "გასაღების ფაილის აღმოჩენის შეცდომა."
 
-#: lib/utils.c:187 lib/utils.c:208
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr ""
 
-#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:227
-#: src/utils_password.c:239
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "არასაკმარისი მეხსიერება საკვანძო ფრაზის წაკითხვისას."
 
-#: lib/utils.c:237
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "საკვანძო ფრაზის წაკითხვის შეცდომა."
 
-#: lib/utils.c:254
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr ""
 
-#: lib/utils.c:261
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr ""
 
-#: lib/utils.c:266
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr ""
 
-#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1408
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:2253
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr ""
@@ -655,1889 +795,2093 @@ msgstr ""
 msgid "Device %s is not compatible."
 msgstr ""
 
-#: lib/utils_device.c:561
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr ""
 
-#: lib/utils_device.c:722
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr ""
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr ""
 
-#: lib/utils_device.c:807
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr ""
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr ""
 
-#: lib/utils_device.c:833
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr ""
 
-#: lib/utils_device.c:844
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr ""
 
-#: lib/utils_device.c:892
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr ""
 
-#: lib/utils_device.c:900
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
-msgstr ""
+msgstr "მოწყობილობის %s ზომა ნულის ტოლია."
 
-#: lib/utils_pbkdf.c:100
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr ""
 
-#: lib/utils_pbkdf.c:106
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr ""
 
-#: lib/utils_pbkdf.c:111
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr ""
 
-#: lib/utils_pbkdf.c:122
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr ""
 
-#: lib/utils_pbkdf.c:128
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr ""
 
-#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr ""
 
-#: lib/utils_pbkdf.c:148
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr ""
 
-#: lib/utils_pbkdf.c:155
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr ""
 
-#: lib/utils_pbkdf.c:160
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr ""
 
-#: lib/utils_pbkdf.c:164
+#: lib/utils_pbkdf.c:173
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr ""
 
-#: lib/utils_pbkdf.c:184
+#: lib/utils_pbkdf.c:193
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr ""
 
-#: lib/utils_benchmark.c:174
+#: lib/utils_benchmark.c:171
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr ""
 
-#: lib/utils_benchmark.c:193
+#: lib/utils_benchmark.c:190
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr ""
 
-#: lib/utils_benchmark.c:213
+#: lib/utils_benchmark.c:210
 msgid "Not compatible PBKDF options."
 msgstr ""
 
-#: lib/utils_device_locking.c:101
+#: lib/utils_device_locking.c:88
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr ""
 
-#: lib/utils_device_locking.c:118
+#: lib/utils_device_locking.c:105
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr ""
 
-#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
-#: src/utils_reencrypt_luks1.c:832
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr ""
 
-#: lib/utils_wipe.c:247
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:39
+#: lib/utils_wipe.c:332
+msgid "Incorrect OPAL PSID."
+msgstr ""
+
+#: lib/utils_wipe.c:334
+msgid "Cannot erase OPAL device."
+msgstr "OPAL მოწყობილობის წაშლა შეუძლებელია."
+
+#: lib/luks1/keyencryption.c:26
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
 "Check that kernel supports %s cipher (check syslog for more info)."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:44
+#: lib/luks1/keyencryption.c:31
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:46
+#: lib/luks1/keyencryption.c:33
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:675 lib/luks1/keymanage.c:1126
-#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
+#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1514 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:120
+#: lib/luks1/keyencryption.c:107
 msgid "Failed to open temporary keystore device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:127
+#: lib/luks1/keyencryption.c:114
 msgid "Failed to access temporary keystore device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:61
-#: lib/luks2/luks2_keyslot_luks2.c:79 lib/luks2/luks2_keyslot_reenc.c:192
+#: lib/luks1/keyencryption.c:188 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
-#: lib/luks1/keymanage.c:628 lib/luks1/keymanage.c:678 lib/tcrypt/tcrypt.c:679
-#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
-#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
-#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
-#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
-#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
-#: src/utils_reencrypt_luks1.c:133
+#: lib/luks1/keyencryption.c:235 lib/luks1/keymanage.c:356
+#: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
+#: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
+#: lib/luks2/luks2_json_metadata.c:1517 src/utils_reencrypt_luks1.c:108
+#: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "მოწყობილობის გახსნის შეცდომა: '%s'."
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:138
+#: lib/luks1/keyencryption.c:246 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr ""
 
-#: lib/luks1/keymanage.c:129
+#: lib/luks1/keymanage.c:117
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr ""
 
-#: lib/luks1/keymanage.c:150 lib/luks1/keymanage.c:158
-#: lib/luks1/keymanage.c:170 lib/luks1/keymanage.c:181
-#: lib/luks1/keymanage.c:193
+#: lib/luks1/keymanage.c:138 lib/luks1/keymanage.c:146
+#: lib/luks1/keymanage.c:158 lib/luks1/keymanage.c:169
+#: lib/luks1/keymanage.c:181
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:265 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr ""
 
-#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1355
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:274 lib/luks2/luks2_json_metadata.c:1362
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1399
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
 msgid "Backup file does not contain valid LUKS header."
 msgstr ""
 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:591
-#: lib/luks2/luks2_json_metadata.c:1420
+#: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
+#: lib/luks2/luks2_json_metadata.c:1446
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1428
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1454
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:337
+#: lib/luks1/keymanage.c:326
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:345
+#: lib/luks1/keymanage.c:334
 #, c-format
 msgid "Device %s %s%s"
 msgstr "მოწყობილობა %s %s%s"
 
-#: lib/luks1/keymanage.c:346
+#: lib/luks1/keymanage.c:335
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr ""
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:336
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1462
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1486
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
 msgstr ""
 
-#: lib/luks1/keymanage.c:396
+#: lib/luks1/keymanage.c:385
 msgid "Non standard key size, manual repair required."
 msgstr ""
 
-#: lib/luks1/keymanage.c:406
+#: lib/luks1/keymanage.c:395
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr ""
 
-#: lib/luks1/keymanage.c:415
+#: lib/luks1/keymanage.c:404
 #, c-format
 msgid "Cipher mode repaired (%s -> %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:426
+#: lib/luks1/keymanage.c:415
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:534
-#: lib/luks1/keymanage.c:790
+#: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr ""
 
-#: lib/luks1/keymanage.c:442
+#: lib/luks1/keymanage.c:431
 msgid "Repairing keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:461
+#: lib/luks1/keymanage.c:450
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:469
+#: lib/luks1/keymanage.c:458
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:478
+#: lib/luks1/keymanage.c:467
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr ""
 
-#: lib/luks1/keymanage.c:483
+#: lib/luks1/keymanage.c:472
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr ""
 
-#: lib/luks1/keymanage.c:500
+#: lib/luks1/keymanage.c:489
 msgid "Writing LUKS header to disk."
 msgstr ""
 
-#: lib/luks1/keymanage.c:505
+#: lib/luks1/keymanage.c:494
 msgid "Repair failed."
 msgstr "შეკეთების შეცდომა."
 
-#: lib/luks1/keymanage.c:560
+#: lib/luks1/keymanage.c:549
 #, c-format
 msgid "LUKS cipher mode %s is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:565
+#: lib/luks1/keymanage.c:554
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:572 src/cryptsetup.c:1281
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1360
 msgid "No known problems detected for LUKS header."
 msgstr ""
 
-#: lib/luks1/keymanage.c:700
+#: lib/luks1/keymanage.c:689
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:708
+#: lib/luks1/keymanage.c:697
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:784
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr ""
 
-#: lib/luks1/keymanage.c:795 lib/luks1/keymanage.c:864
-#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
-#: src/utils_reencrypt.c:514
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr ""
 
-#: lib/luks1/keymanage.c:817
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:843
+#: lib/luks1/keymanage.c:832
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:887
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr ""
 
-#: lib/luks1/keymanage.c:893
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr ""
 
-#: lib/luks1/keymanage.c:1034
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
+msgid "PBKDF2 iteration value overflow."
+msgstr ""
+
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1112
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1130 lib/luks2/luks2_keyslot.c:718
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr ""
 
-#: lib/loopaes/loopaes.c:146
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr ""
 
-#: lib/loopaes/loopaes.c:147
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr ""
 
-#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr ""
 
-#: lib/loopaes/loopaes.c:245
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:508
+#: lib/tcrypt/tcrypt.c:497
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "გასაღების ფაილის %s წაკითხვის შეცდომა."
 
-#: lib/tcrypt/tcrypt.c:558
+#: lib/tcrypt/tcrypt.c:547
 #, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:600
+#: lib/tcrypt/tcrypt.c:589
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1233
 msgid "Required kernel crypto interface not available."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1235
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:762
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:768
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:799
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:882
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr ""
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:1095
+#: lib/tcrypt/tcrypt.c:1126
 msgid "This function is not supported without TCRYPT header load."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:275
+#: lib/bitlk/bitlk.c:265
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:328
+#: lib/bitlk/bitlk.c:327
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:332
+#: lib/bitlk/bitlk.c:331
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:349
+#: lib/bitlk/bitlk.c:351
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:451
+#: lib/bitlk/bitlk.c:450
 msgid "BITLK version 1 is currently not supported."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:457
+#: lib/bitlk/bitlk.c:456
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:469
+#: lib/bitlk/bitlk.c:468
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:477
+#: lib/bitlk/bitlk.c:476
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:502
+#: lib/bitlk/bitlk.c:501
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:554
+#: lib/bitlk/bitlk.c:552
 msgid "Unknown or unsupported encryption type."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:587
+#: lib/bitlk/bitlk.c:592
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:681
+#: lib/bitlk/bitlk.c:709
 msgid "Failed to convert BITLK volume description"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:841
+#: lib/bitlk/bitlk.c:872
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:860
+#: lib/bitlk/bitlk.c:895
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:864
+#: lib/bitlk/bitlk.c:899
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:903
+#: lib/bitlk/bitlk.c:938
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:908
+#: lib/bitlk/bitlk.c:943
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:933
+#: lib/bitlk/bitlk.c:969
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1029
+#: lib/bitlk/bitlk.c:1067
 msgid "This operation is not supported."
 msgstr "ეს ოპერაცია მხარდაუჭერელია."
 
-#: lib/bitlk/bitlk.c:1037
+#: lib/bitlk/bitlk.c:1075
 msgid "Unexpected key data size."
 msgstr "გასაღების მონაცემების მოულოდნელი ზომა."
 
-#: lib/bitlk/bitlk.c:1163
+#: lib/bitlk/bitlk.c:1203
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1168
+#: lib/bitlk/bitlk.c:1208
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1175
-msgid "Activation of partially decrypted BITLK device is not supported."
+#: lib/bitlk/bitlk.c:1215
+msgid "Activation of BITLK device with clear key protection is not supported."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1216
+#: lib/bitlk/bitlk.c:1256
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1343
+#: lib/bitlk/bitlk.c:1383
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1347
+#: lib/bitlk/bitlk.c:1387
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1351
+#: lib/bitlk/bitlk.c:1391
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr ""
 
-#: lib/bitlk/bitlk.c:1355
+#: lib/bitlk/bitlk.c:1395
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr ""
 
-#: lib/fvault2/fvault2.c:542
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr ""
 
-#: lib/fvault2/fvault2.c:554
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr ""
 
-#: lib/verity/verity.c:68 lib/verity/verity.c:182
+#: lib/verity/verity.c:55 lib/verity/verity.c:169
 #, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr ""
 
-#: lib/verity/verity.c:96
+#: lib/verity/verity.c:83
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr ""
 
-#: lib/verity/verity.c:131
+#: lib/verity/verity.c:118
 msgid "VERITY header corrupted."
 msgstr "VERITY თავსართი დაზიანებულია."
 
-#: lib/verity/verity.c:176
+#: lib/verity/verity.c:163
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr ""
 
-#: lib/verity/verity.c:220
+#: lib/verity/verity.c:207
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr ""
 
-#: lib/verity/verity.c:278
+#: lib/verity/verity.c:261
 msgid "Root hash signature verification is not supported."
 msgstr ""
 
-#: lib/verity/verity.c:290
+#: lib/verity/verity.c:266
+msgid "Root hash signature required."
+msgstr ""
+
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr ""
 
-#: lib/verity/verity.c:292
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr ""
 
-#: lib/verity/verity.c:335
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr ""
 
-#: lib/verity/verity.c:339
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr ""
 
-#: lib/verity/verity.c:350
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr ""
 
-#: lib/verity/verity_hash.c:66
+#: lib/verity/verity_hash.c:53
 #, c-format
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
-#: lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
+#: lib/verity/verity_hash.c:298
 msgid "Device offset overflow."
 msgstr "მოწყობილობის წანაცვლების გადავსება."
 
-#: lib/verity/verity_hash.c:218
+#: lib/verity/verity_hash.c:205
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "გადამოწმების შეცდომა მდებარეობაზე %<PRIu64>."
 
-#: lib/verity/verity_hash.c:307
+#: lib/verity/verity_hash.c:294
 msgid "Hash area overflow."
 msgstr "ჰეშის ფართის გადავსება."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "მონაცემების რეგიონის გადამოწმების შეცდომა."
 
-#: lib/verity/verity_hash.c:385
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:391
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr ""
 
-#: lib/verity/verity_hash.c:393
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:428
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr ""
 
-#: lib/verity/verity_fec.c:131
+#: lib/verity/verity_fec.c:118
 msgid "Failed to allocate RS context."
 msgstr ""
 
-#: lib/verity/verity_fec.c:149
+#: lib/verity/verity_fec.c:136
 msgid "Failed to allocate buffer."
 msgstr "ბუფერის გამოყოფის შეცდომა."
 
-#: lib/verity/verity_fec.c:159
+#: lib/verity/verity_fec.c:146
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr ""
 
-#: lib/verity/verity_fec.c:172
+#: lib/verity/verity_fec.c:159
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_fec.c:180
+#: lib/verity/verity_fec.c:167
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_fec.c:192
+#: lib/verity/verity_fec.c:179
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_fec.c:208
+#: lib/verity/verity_fec.c:195
 msgid "Block sizes must match for FEC."
 msgstr ""
 
-#: lib/verity/verity_fec.c:214
+#: lib/verity/verity_fec.c:201
 msgid "Invalid number of parity bytes."
 msgstr ""
 
-#: lib/verity/verity_fec.c:248
+#: lib/verity/verity_fec.c:235
 msgid "Invalid FEC segment length."
 msgstr ""
 
-#: lib/verity/verity_fec.c:316
+#: lib/verity/verity_fec.c:303
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr ""
 
-#: lib/integrity/integrity.c:57
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr ""
 
-#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
+#: lib/integrity/integrity.c:290 lib/integrity/integrity.c:474
 msgid "Kernel does not support dm-integrity mapping."
 msgstr ""
 
-#: lib/integrity/integrity.c:283
+#: lib/integrity/integrity.c:296
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr ""
 
-#: lib/integrity/integrity.c:292
+#: lib/integrity/integrity.c:305
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr ""
 
-#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
-#: lib/luks2/luks2_json_metadata.c:1482
+#: lib/integrity/integrity.c:311
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr ""
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1506
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr ""
 
-#: lib/luks2/luks2_disk_metadata.c:400
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr ""
 
-#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
 msgstr ""
 
-#: lib/luks2/luks2_json_format.c:229
+#: lib/luks2/luks2_json_format.c:219
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr ""
+
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr ""
 
-#: lib/luks2/luks2_json_format.c:274
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
-msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr ""
+
+#: lib/luks2/luks2_json_format.c:463
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
-#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:93
-#: lib/luks2/luks2_keyslot_luks2.c:115
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1405
+#: lib/luks2/luks2_json_metadata.c:1431
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1446
+#: lib/luks2/luks2_json_metadata.c:1470
 msgid "Data offset differ on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1452
+#: lib/luks2/luks2_json_metadata.c:1476
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1459
+#: lib/luks2/luks2_json_metadata.c:1483
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "მოწყობილობა %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1460
+#: lib/luks2/luks2_json_metadata.c:1484
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1461
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1463
+#: lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
 "Replacing header with backup may corrupt the data on that device!"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1465
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
 "Replacing header with backup may corrupt data."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1562
+#: lib/luks2/luks2_json_metadata.c:1587
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "უცნობი ალამი იგნორირებულია %s."
 
-#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
+#: lib/luks2/luks2_json_metadata.c:2541 lib/luks2/luks2_reencrypt.c:2105
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
+#: lib/luks2/luks2_json_metadata.c:2553 lib/luks2/luks2_reencrypt.c:2118
 msgid "Failed to set dm-crypt segment."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
+#: lib/luks2/luks2_json_metadata.c:2559 lib/luks2/luks2_reencrypt.c:2124
 msgid "Failed to set dm-linear segment."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2615
+#: lib/luks2/luks2_json_metadata.c:2679 src/utils_reencrypt.c:578
+msgid "No known cipher specification pattern detected in LUKS2 header."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2687
+msgid "OPAL device must have static device size."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2707
+msgid "Encrypted OPAL device with integrity must be smaller than locking range."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2712
+msgid "OPAL device must have same size as locking range."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2732
+#, c-format
+msgid "OPAL device is %s already unlocked.\n"
+msgstr "OPAL მოწყობილობა %s უკვე განბლოკილია.\n"
+
+#: lib/luks2/luks2_json_metadata.c:2771
 msgid "Unsupported device integrity configuration."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2701
+#: lib/luks2/luks2_json_metadata.c:2787
+msgid "Underlying dm-integrity device with unexpected provided data sectors."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:2882
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
+#: lib/luks2/luks2_json_metadata.c:2893 lib/luks2/luks2_reencrypt.c:4274
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2792
-msgid "Failed to read LUKS2 requirements."
+#: lib/luks2/luks2_json_metadata.c:2972 lib/luks2/luks2_json_metadata.c:2994
+#, c-format
+msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2799
+#: lib/luks2/luks2_json_metadata.c:3016
 msgid "Unmet LUKS2 requirements detected."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2807
+#: lib/luks2/luks2_json_metadata.c:3024
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2809
+#: lib/luks2/luks2_json_metadata.c:3026
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
+#: lib/luks2/luks2_json_metadata.c:3028
+msgid "Operation incompatible with device using OPAL. Aborting."
+msgstr ""
+
+#: lib/luks2/luks2_json_metadata.c:3030
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:54 lib/luks2/luks2_keyslot_luks2.c:109
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:281 lib/luks2/luks2_keyslot_luks2.c:390
-#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr ""
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:401
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2725
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_luks2.c:506
+#: lib/luks2/luks2_keyslot_luks2.c:518
 msgid "No space for new keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_reenc.c:593
+#: lib/luks2/luks2_keyslot_reenc.c:583
 msgid "Invalid reencryption resilience mode change requested."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_reenc.c:714
+#: lib/luks2/luks2_keyslot_reenc.c:704
 #, c-format
 msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot_reenc.c:724
+#: lib/luks2/luks2_keyslot_reenc.c:714
 msgid "Failed to refresh reencryption verification digest."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:512
+#: lib/luks2/luks2_luks1_convert.c:532
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:538
+#: lib/luks2/luks2_luks1_convert.c:558
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3882
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:584
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:619
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:636
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:732
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:740
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:752
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:757
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:765
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:779
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:784
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1152
+#: lib/luks2/luks2_reencrypt.c:1194
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1157
+#: lib/luks2/luks2_reencrypt.c:1199
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
-#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
-#: lib/luks2/luks2_reencrypt.c:3877
+#: lib/luks2/luks2_reencrypt.c:1406 lib/luks2/luks2_reencrypt.c:1592
+#: lib/luks2/luks2_reencrypt.c:1675 lib/luks2/luks2_reencrypt.c:1717
+#: lib/luks2/luks2_reencrypt.c:4069
 msgid "Failed to initialize old segment storage wrapper."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
+#: lib/luks2/luks2_reencrypt.c:1420 lib/luks2/luks2_reencrypt.c:1570
 msgid "Failed to initialize new segment storage wrapper."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+#: lib/luks2/luks2_reencrypt.c:1546 lib/luks2/luks2_reencrypt.c:4081
 msgid "Failed to initialize hotzone protection."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1578
+#: lib/luks2/luks2_reencrypt.c:1619
 msgid "Failed to read checksums for current hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
+#: lib/luks2/luks2_reencrypt.c:1626 lib/luks2/luks2_reencrypt.c:4095
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1604
+#: lib/luks2/luks2_reencrypt.c:1645
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1610
+#: lib/luks2/luks2_reencrypt.c:1651
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2174
+#: lib/luks2/luks2_reencrypt.c:2217
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2272
+#: lib/luks2/luks2_reencrypt.c:2315
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2289
+#: lib/luks2/luks2_reencrypt.c:2332
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2296
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2367
+#: lib/luks2/luks2_reencrypt.c:2410
 msgid "Failed to refresh reencryption devices stack."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2550
+#: lib/luks2/luks2_reencrypt.c:2607
 msgid "Failed to set new keyslots area size."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2686
+#: lib/luks2/luks2_reencrypt.c:2743
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
+#: lib/luks2/luks2_reencrypt.c:2780 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2760
+#: lib/luks2/luks2_reencrypt.c:2816
 msgid "Moved segment size can not be greater than data shift value."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2802
+#: lib/luks2/luks2_reencrypt.c:2858
 msgid "Invalid reencryption resilience parameters."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2824
+#: lib/luks2/luks2_reencrypt.c:2880
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2911
+#: lib/luks2/luks2_reencrypt.c:2969
 msgid "Failed to clear table."
 msgstr "ცხრილის გასუფთავება შეუძლებელია."
 
-#: lib/luks2/luks2_reencrypt.c:2997
-msgid "Reduced data size is larger than real device size."
+#: lib/luks2/luks2_reencrypt.c:3055
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3004
-#, c-format
-msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+#: lib/luks2/luks2_reencrypt.c:3070 lib/luks2/luks2_reencrypt.c:3077
+msgid "Reduced data size is larger than real device size."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3038
+#: lib/luks2/luks2_reencrypt.c:3087
 #, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
-#: lib/luks2/luks2_reencrypt.c:3554
+#: lib/luks2/luks2_reencrypt.c:3117 lib/luks2/luks2_reencrypt.c:3632
+#: lib/luks2/luks2_reencrypt.c:3653
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3324
 msgid "Device not marked for LUKS2 reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
+#: lib/luks2/luks2_reencrypt.c:3341 lib/luks2/luks2_reencrypt.c:4391
 msgid "Failed to load LUKS2 reencryption context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3331
-msgid "Failed to get reencryption state."
-msgstr ""
-
-#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
+#: lib/luks2/luks2_reencrypt.c:3433 lib/luks2/luks2_reencrypt.c:3773
 msgid "Device is not in reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
+#: lib/luks2/luks2_reencrypt.c:3440 lib/luks2/luks2_reencrypt.c:3780
 msgid "Reencryption process is already running."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
+#: lib/luks2/luks2_reencrypt.c:3442 lib/luks2/luks2_reencrypt.c:3782
 msgid "Failed to acquire reencryption lock."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3362
+#: lib/luks2/luks2_reencrypt.c:3460
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3497
+#: lib/luks2/luks2_reencrypt.c:3596
 msgid "Active device size and requested reencryption size don't match."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3511
+#: lib/luks2/luks2_reencrypt.c:3610
 msgid "Illegal device size requested in reencryption parameters."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3588
+#: lib/luks2/luks2_reencrypt.c:3712
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3757
+#: lib/luks2/luks2_reencrypt.c:3733
+msgid "LUKS2 reencryption recovery failed."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3866 lib/luks2/luks2_reencrypt.c:4344
+msgid "Failed to initialize reencryption device stack."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3899
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3764
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3859
+#: lib/luks2/luks2_reencrypt.c:3960 lib/luks2/luks2_reencrypt.c:3992
+#: lib/luks2/luks2_reencrypt.c:4022
+msgid "Reencryption is not supported for DAX (persistent memory) devices."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:4051
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3911
+#: lib/luks2/luks2_reencrypt.c:4103
 msgid "Failed to write reencryption resilience metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3918
+#: lib/luks2/luks2_reencrypt.c:4110
 msgid "Decryption failed."
 msgstr "გაშიფვრის შეცდომა."
 
-#: lib/luks2/luks2_reencrypt.c:3923
+#: lib/luks2/luks2_reencrypt.c:4115
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3928
+#: lib/luks2/luks2_reencrypt.c:4120
 msgid "Failed to sync data."
 msgstr "მონაცემების სინქრონიზაციის შეცდომა."
 
-#: lib/luks2/luks2_reencrypt.c:3936
+#: lib/luks2/luks2_reencrypt.c:4128
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4025
+#: lib/luks2/luks2_reencrypt.c:4217
 msgid "Failed to write LUKS2 metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4048
+#: lib/luks2/luks2_reencrypt.c:4240
 msgid "Failed to wipe unused data device area."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4054
+#: lib/luks2/luks2_reencrypt.c:4246
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4064
+#: lib/luks2/luks2_reencrypt.c:4256
 msgid "Failed to remove reencryption keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4074
+#: lib/luks2/luks2_reencrypt.c:4266
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4078
+#: lib/luks2/luks2_reencrypt.c:4270
 msgid "Online reencryption failed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4083
+#: lib/luks2/luks2_reencrypt.c:4275
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4327
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4333
 msgid "Missing or invalid reencrypt context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4150
-msgid "Failed to initialize reencryption device stack."
-msgstr ""
-
-#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
+#: lib/luks2/luks2_reencrypt.c:4367 lib/luks2/luks2_reencrypt.c:4404
 msgid "Failed to update reencryption context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt_digest.c:405
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr ""
 
-#: src/cryptsetup.c:85
-msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+#: lib/luks2/hw_opal/hw_opal.c:333
+#, c-format
+msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr ""
 
-#: src/cryptsetup.c:108 src/cryptsetup.c:1901
+#: lib/luks2/hw_opal/hw_opal.c:340
 #, c-format
-msgid "Enter token PIN: "
-msgstr "შეიყვანეთ კოდის PIN კოდი: "
+msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
+msgstr ""
 
-#: src/cryptsetup.c:110 src/cryptsetup.c:1903
+#: lib/luks2/hw_opal/hw_opal.c:346
 #, c-format
-msgid "Enter token %d PIN: "
+msgid "OPAL range %d locking is disabled."
+msgstr ""
+
+#: lib/luks2/hw_opal/hw_opal.c:356 lib/luks2/hw_opal/hw_opal.c:363
+#, c-format
+msgid "Unexpected OPAL range %d lock state."
 msgstr ""
 
-#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
-#: src/utils_reencrypt.c:1097 src/utils_reencrypt_luks1.c:517
-#: src/utils_reencrypt_luks1.c:580
+#: src/cryptsetup.c:87
+msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+msgstr ""
+
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr ""
+
+#: src/cryptsetup.c:150 src/cryptsetup.c:1171 src/cryptsetup.c:1538
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr ""
 
-#: src/cryptsetup.c:167
-msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+#: src/cryptsetup.c:160
+#, c-format
+msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
+msgstr ""
+
+#: src/cryptsetup.c:165
+#, c-format
+msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
+msgstr ""
+
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
 msgstr ""
 
 #: src/cryptsetup.c:175
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr ""
+
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr ""
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:226 src/cryptsetup.c:1368 src/cryptsetup.c:1591
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2137
+#, c-format
+msgid "Blkid scan failed for %s."
+msgstr ""
+
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr ""
 
-#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
-#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
-#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
-#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:724
+#: src/cryptsetup.c:238 src/cryptsetup.c:1254 src/cryptsetup.c:1302
+#: src/cryptsetup.c:1375 src/cryptsetup.c:1515 src/cryptsetup.c:1603
+#: src/cryptsetup.c:2488 src/cryptsetup.c:2917 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "ოპერაცია გაუქმდა.\n"
 
-#: src/cryptsetup.c:294
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr ""
 
-#: src/cryptsetup.c:345
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr ""
 
-#: src/cryptsetup.c:354
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr ""
 
-#: src/cryptsetup.c:357
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr ""
 
-#: src/cryptsetup.c:360
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr ""
 
-#: src/cryptsetup.c:383
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:456 src/cryptsetup.c:632
+#: src/cryptsetup.c:492 src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr ""
 
-#: src/cryptsetup.c:464
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr ""
 
-#: src/cryptsetup.c:506
+#: src/cryptsetup.c:542
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
 "This dump should be always stored encrypted on safe place."
 msgstr ""
 
-#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
+#: src/cryptsetup.c:609 src/cryptsetup.c:690 src/cryptsetup.c:2513
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
 "This dump should be stored encrypted in a safe place."
 msgstr ""
 
-#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#: src/cryptsetup.c:745 src/cryptsetup.c:777
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr ""
 
-#: src/cryptsetup.c:747
+#: src/cryptsetup.c:785
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr ""
 
-#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
+#: src/cryptsetup.c:839 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr ""
 
-#: src/cryptsetup.c:835
+#: src/cryptsetup.c:872 src/cryptsetup.c:1801 src/cryptsetup.c:2075
+#: src/cryptsetup.c:2222 src/cryptsetup.c:2641 src/cryptsetup.c:2722
+#: src/cryptsetup.c:3255
+#, c-format
+msgid "Failed to set external tokens path %s."
+msgstr ""
+
+#: src/cryptsetup.c:881
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr ""
 
-#: src/cryptsetup.c:982
+#: src/cryptsetup.c:1050
 msgid "Benchmark interrupted."
 msgstr ""
 
-#: src/cryptsetup.c:1003
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:1005
+#: src/cryptsetup.c:1073
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr ""
 
-#: src/cryptsetup.c:1019
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:1021
+#: src/cryptsetup.c:1089
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr ""
 
-#: src/cryptsetup.c:1045
+#: src/cryptsetup.c:1113
 msgid "Result of benchmark is not reliable."
 msgstr ""
 
-#: src/cryptsetup.c:1095
+#: src/cryptsetup.c:1163
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr ""
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1115
+#: src/cryptsetup.c:1188
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s ალგორითმი |       გასაღები |      დაშიფვრა |      გაშიფვრა\n"
 
-#: src/cryptsetup.c:1119
+#: src/cryptsetup.c:1196
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr ""
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1138
+#: src/cryptsetup.c:1215
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     ალგორითმი |       გასაღები |      დაშიფვრა |      გაშიფვრა\n"
 
-#: src/cryptsetup.c:1149
+#: src/cryptsetup.c:1226
 msgid "N/A"
 msgstr "N/A"
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1251
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
 msgstr ""
 
-#: src/cryptsetup.c:1180
+#: src/cryptsetup.c:1257
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr ""
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1301
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr ""
 
-#: src/cryptsetup.c:1233
+#: src/cryptsetup.c:1310
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr ""
 
-#: src/cryptsetup.c:1235
+#: src/cryptsetup.c:1312
 msgid "Enter passphrase for reencryption recovery: "
 msgstr ""
 
-#: src/cryptsetup.c:1290
+#: src/cryptsetup.c:1374
 msgid "Really try to repair LUKS device header?"
 msgstr ""
 
-#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+#: src/cryptsetup.c:1402 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
 msgstr ""
 
-#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
+#: src/cryptsetup.c:1407 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
 msgstr ""
 
-#: src/cryptsetup.c:1341 src/integritysetup.c:116
+#: src/cryptsetup.c:1429 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr ""
 
-#: src/cryptsetup.c:1392
+#: src/cryptsetup.c:1477
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr ""
+
+#: src/cryptsetup.c:1490
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr ""
 
-#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
+#: src/cryptsetup.c:1495 src/cryptsetup.c:1575
 msgid "Unsupported LUKS2 metadata size options."
 msgstr ""
 
-#: src/cryptsetup.c:1406
+#: src/cryptsetup.c:1500
+msgid "OPAL is supported only for LUKS2 format."
+msgstr ""
+
+#: src/cryptsetup.c:1505
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr ""
+
+#: src/cryptsetup.c:1514
 msgid "Header file does not exist, do you want to create it?"
 msgstr ""
 
-#: src/cryptsetup.c:1414
+#: src/cryptsetup.c:1522
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "თავსართის ფაილის (%s) შექმნის შეცდომა."
 
-#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
-#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
-#: src/integritysetup.c:333
+#: src/cryptsetup.c:1548 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr ""
 
-#: src/cryptsetup.c:1450
+#: src/cryptsetup.c:1550
+msgid "Cannot use specified integrity key size."
+msgstr "მითითებული მთლიანობის გასაღების ზომის გამოყენება შეუძლებელია."
+
+#: src/cryptsetup.c:1568
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr ""
 
-#: src/cryptsetup.c:1474 src/integritysetup.c:181
+#: src/cryptsetup.c:1597 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr ""
 
-#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
-#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
+#: src/cryptsetup.c:1634
+msgid "OPAL Admin password cannot be empty."
+msgstr ""
+
+#: src/cryptsetup.c:1648 src/cryptsetup.c:2092 src/cryptsetup.c:2235
+#: src/cryptsetup.c:2370 src/cryptsetup.c:2436 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr ""
 
-#: src/cryptsetup.c:1593
+#: src/cryptsetup.c:1779
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr ""
 
-#: src/cryptsetup.c:1600
+#: src/cryptsetup.c:1786
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr ""
 
-#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
+#: src/cryptsetup.c:1828 src/cryptsetup.c:2241 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr ""
 
-#: src/cryptsetup.c:1658
+#: src/cryptsetup.c:1847 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr ""
+
+#: src/cryptsetup.c:1882
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr ""
+
+#: src/cryptsetup.c:1887
 msgid "Device activated but cannot make flags persistent."
 msgstr ""
 
-#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
+#: src/cryptsetup.c:1967 src/cryptsetup.c:2035
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr ""
 
-#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
+#: src/cryptsetup.c:1979 src/cryptsetup.c:2039
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr ""
 
-#: src/cryptsetup.c:1750
+#: src/cryptsetup.c:1980
 msgid "Enter any remaining passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
+#: src/cryptsetup.c:1981 src/cryptsetup.c:2041
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr ""
 
-#: src/cryptsetup.c:1787
+#: src/cryptsetup.c:2017
 msgid "Enter passphrase to be deleted: "
 msgstr ""
 
-#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
-#: src/cryptsetup.c:2948
+#: src/cryptsetup.c:2067 src/cryptsetup.c:2419 src/cryptsetup.c:3079
+#: src/cryptsetup.c:3246
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
+#: src/cryptsetup.c:2106 src/cryptsetup.c:2305
 msgid "Enter new passphrase for key slot: "
 msgstr ""
 
-#: src/cryptsetup.c:1968
+#: src/cryptsetup.c:2140 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "შეიყვანეთ კოდის PIN კოდი: "
+
+#: src/cryptsetup.c:2142 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr ""
+
+#: src/cryptsetup.c:2201
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
+#: src/cryptsetup.c:2278 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:2152
+#: src/cryptsetup.c:2374
 msgid "Enter passphrase to be changed: "
 msgstr ""
 
-#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
+#: src/cryptsetup.c:2390 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "შეიყვანეთ ახალი საკვანძო ფრაზა: "
 
-#: src/cryptsetup.c:2218
+#: src/cryptsetup.c:2440
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr ""
 
-#: src/cryptsetup.c:2242
+#: src/cryptsetup.c:2464
 msgid "Only one device argument for isLuks operation is supported."
 msgstr ""
 
-#: src/cryptsetup.c:2350
+#: src/cryptsetup.c:2569
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr ""
 
-#: src/cryptsetup.c:2355
+#: src/cryptsetup.c:2574
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
 msgstr ""
 
-#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
+#: src/cryptsetup.c:2669 src/cryptsetup.c:2705
 #, c-format
 msgid "%s is not active %s device name."
 msgstr ""
 
-#: src/cryptsetup.c:2465
+#: src/cryptsetup.c:2700
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr ""
 
-#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
+#: src/cryptsetup.c:2777 src/cryptsetup.c:2796
 msgid "Option --header-backup-file is required."
 msgstr ""
 
-#: src/cryptsetup.c:2577
+#: src/cryptsetup.c:2827
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr ""
 
-#: src/cryptsetup.c:2588
+#: src/cryptsetup.c:2838
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr ""
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2888
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr ""
 
-#: src/cryptsetup.c:2640
+#: src/cryptsetup.c:2890
 msgid "Command requires device and mapped name as arguments."
 msgstr ""
 
-#: src/cryptsetup.c:2661
+#: src/cryptsetup.c:2908
+msgid "Enter OPAL PSID: "
+msgstr "შეიყვანეთ OPAL PSID: "
+
+#: src/cryptsetup.c:2908
+msgid "Enter OPAL Admin password: "
+msgstr "შეიყვანეთ OPAL-ის ადმინისტრატორის პაროლი: "
+
+#: src/cryptsetup.c:2916
+msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
+msgstr ""
+
+#: src/cryptsetup.c:2959
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
 "Device will become unusable after this operation."
 msgstr ""
 
-#: src/cryptsetup.c:2668
+#: src/cryptsetup.c:2966
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:3005
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr ""
 
-#: src/cryptsetup.c:2723
+#: src/cryptsetup.c:3021
 #, c-format
 msgid "Device is already %s type."
 msgstr ""
 
-#: src/cryptsetup.c:2730
+#: src/cryptsetup.c:3028
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2733
+#: src/cryptsetup.c:3031
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2773
+#: src/cryptsetup.c:3071
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr ""
 
-#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
+#: src/cryptsetup.c:3105 src/cryptsetup.c:3145 src/cryptsetup.c:3165
 #, c-format
 msgid "Token %d is invalid."
 msgstr "კოდი %d არასწორია."
 
-#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
+#: src/cryptsetup.c:3108 src/cryptsetup.c:3168
 #, c-format
 msgid "Token %d in use."
 msgstr "კოდი %d გამოიყენება."
 
-#: src/cryptsetup.c:2822
+#: src/cryptsetup.c:3120
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr ""
 
-#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
+#: src/cryptsetup.c:3131 src/cryptsetup.c:3194
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:2850
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Token %d is not in use."
 msgstr "კოდი %d არ გამოიყენება."
 
-#: src/cryptsetup.c:2887
+#: src/cryptsetup.c:3185
 msgid "Failed to import token from file."
 msgstr ""
 
-#: src/cryptsetup.c:2912
+#: src/cryptsetup.c:3210
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr ""
 
-#: src/cryptsetup.c:2925
+#: src/cryptsetup.c:3223
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:2927 src/cryptsetup.c:2934
+#: src/cryptsetup.c:3225 src/cryptsetup.c:3232
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:2983
+#: src/cryptsetup.c:3291
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr ""
 
-#: src/cryptsetup.c:2986
+#: src/cryptsetup.c:3294
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr ""
 
-#: src/cryptsetup.c:2989
+#: src/cryptsetup.c:3297
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr ""
 
-#: src/cryptsetup.c:2993
+#: src/cryptsetup.c:3301
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr ""
 
-#: src/cryptsetup.c:2995
+#: src/cryptsetup.c:3303
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr ""
 
-#: src/cryptsetup.c:3004
+#: src/cryptsetup.c:3312
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:3007
+#: src/cryptsetup.c:3315
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr ""
 
-#: src/cryptsetup.c:3010
+#: src/cryptsetup.c:3318
 msgid "Option --shared is allowed only for open of plain device."
 msgstr ""
 
-#: src/cryptsetup.c:3013
+#: src/cryptsetup.c:3321
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr ""
 
-#: src/cryptsetup.c:3016
+#: src/cryptsetup.c:3324
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr ""
 
-#: src/cryptsetup.c:3019
+#: src/cryptsetup.c:3327
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr ""
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:3331
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr ""
 
-#: src/cryptsetup.c:3027
+#: src/cryptsetup.c:3335
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr ""
 
-#: src/cryptsetup.c:3032
+#: src/cryptsetup.c:3340
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr ""
 
-#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+#: src/cryptsetup.c:3343 src/cryptsetup.c:3373
 msgid "Options --device-size and --size cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3038
+#: src/cryptsetup.c:3346
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr ""
 
-#: src/cryptsetup.c:3041
+#: src/cryptsetup.c:3349
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
-msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
+#: src/cryptsetup.c:3353
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr ""
+
+#: src/cryptsetup.c:3356
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
 msgstr ""
 
-#: src/cryptsetup.c:3066
-msgid "Options --reduce-device-size and --data-size cannot be combined."
+#: src/cryptsetup.c:3365 src/veritysetup.c:673 src/integritysetup.c:784
+msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr ""
 
-#: src/cryptsetup.c:3069
+#: src/cryptsetup.c:3381
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:3072
+#: src/cryptsetup.c:3384
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+#: src/cryptsetup.c:3387
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr ""
+
+#: src/cryptsetup.c:3390
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr ""
+
+#: src/cryptsetup.c:3398 src/cryptsetup.c:3428
 msgid "Keyslot specification is required."
 msgstr ""
 
-#: src/cryptsetup.c:3088
+#: src/cryptsetup.c:3406
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3091
+#: src/cryptsetup.c:3409
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr ""
 
-#: src/cryptsetup.c:3094
+#: src/cryptsetup.c:3412
 msgid "Only one of --use-[u]random options is allowed."
 msgstr ""
 
-#: src/cryptsetup.c:3102
+#: src/cryptsetup.c:3420
 msgid "Key size is required with --unbound option."
 msgstr ""
 
-#: src/cryptsetup.c:3122
+#: src/cryptsetup.c:3440
 msgid "Invalid token action."
 msgstr "არასწორი კოდის ქმედება."
 
-#: src/cryptsetup.c:3125
+#: src/cryptsetup.c:3443
 msgid "--key-description parameter is mandatory for token add action."
 msgstr ""
 
-#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3460
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr ""
 
-#: src/cryptsetup.c:3133
+#: src/cryptsetup.c:3451
 msgid "Option --unbound is valid only with token add action."
 msgstr ""
 
-#: src/cryptsetup.c:3135
+#: src/cryptsetup.c:3453
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3140
+#: src/cryptsetup.c:3458
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr ""
 
-#: src/cryptsetup.c:3156
+#: src/cryptsetup.c:3474
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<მოწყობილობა> [--type <ტიპი>] [<სახელი>]"
 
-#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535
+#: src/cryptsetup.c:3474 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr ""
 
-#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159
-#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536
-#: src/integritysetup.c:537 src/integritysetup.c:539
+#: src/cryptsetup.c:3475 src/cryptsetup.c:3476 src/cryptsetup.c:3477
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<name>"
 
-#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536
+#: src/cryptsetup.c:3475 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr ""
 
-#: src/cryptsetup.c:3158 src/integritysetup.c:539
+#: src/cryptsetup.c:3476 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "აქტიური მოწყობილობის ზომის შეცვლა"
 
-#: src/cryptsetup.c:3159
+#: src/cryptsetup.c:3477
 msgid "show device status"
 msgstr "მოწყობილობის მდგომარეობის ჩვენება"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3478
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <შიფრი>]"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3478
 msgid "benchmark cipher"
 msgstr ""
 
-#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163
-#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172
-#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175
-#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178
-#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181
+#: src/cryptsetup.c:3479 src/cryptsetup.c:3480 src/cryptsetup.c:3481
+#: src/cryptsetup.c:3482 src/cryptsetup.c:3483 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3494 src/cryptsetup.c:3495 src/cryptsetup.c:3496
+#: src/cryptsetup.c:3497 src/cryptsetup.c:3498 src/cryptsetup.c:3499
 msgid "<device>"
 msgstr "<მოწყობილობა>"
 
-#: src/cryptsetup.c:3161
+#: src/cryptsetup.c:3479
 msgid "try to repair on-disk metadata"
 msgstr ""
 
-#: src/cryptsetup.c:3162
+#: src/cryptsetup.c:3480
 msgid "reencrypt LUKS2 device"
 msgstr ""
 
-#: src/cryptsetup.c:3163
+#: src/cryptsetup.c:3481
 msgid "erase all keyslots (remove encryption key)"
 msgstr ""
 
-#: src/cryptsetup.c:3164
+#: src/cryptsetup.c:3482
 msgid "convert LUKS from/to LUKS2 format"
 msgstr ""
 
-#: src/cryptsetup.c:3165
+#: src/cryptsetup.c:3483
 msgid "set permanent configuration options for LUKS2"
 msgstr ""
 
-#: src/cryptsetup.c:3166 src/cryptsetup.c:3167
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485
 msgid "<device> [<new key file>]"
 msgstr ""
 
-#: src/cryptsetup.c:3166
+#: src/cryptsetup.c:3484
 msgid "formats a LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3167
+#: src/cryptsetup.c:3485
 msgid "add key to LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170
+#: src/cryptsetup.c:3486 src/cryptsetup.c:3487 src/cryptsetup.c:3488
 msgid "<device> [<key file>]"
 msgstr "<მოწყობილობა> [<გასაღების ფაილი>]"
 
-#: src/cryptsetup.c:3168
+#: src/cryptsetup.c:3486
 msgid "removes supplied key or key file from LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3169
+#: src/cryptsetup.c:3487
 msgid "changes supplied key or key file of LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3170
+#: src/cryptsetup.c:3488
 msgid "converts a key to new pbkdf parameters"
 msgstr ""
 
-#: src/cryptsetup.c:3171
+#: src/cryptsetup.c:3489
 msgid "<device> <key slot>"
 msgstr ""
 
-#: src/cryptsetup.c:3171
+#: src/cryptsetup.c:3489
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3172
+#: src/cryptsetup.c:3490
 msgid "print UUID of LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3173
+#: src/cryptsetup.c:3491
 msgid "tests <device> for LUKS partition header"
 msgstr ""
 
-#: src/cryptsetup.c:3174
+#: src/cryptsetup.c:3492
 msgid "dump LUKS partition information"
 msgstr ""
 
-#: src/cryptsetup.c:3175
+#: src/cryptsetup.c:3493
 msgid "dump TCRYPT device information"
 msgstr ""
 
-#: src/cryptsetup.c:3176
+#: src/cryptsetup.c:3494
 msgid "dump BITLK device information"
 msgstr ""
 
-#: src/cryptsetup.c:3177
+#: src/cryptsetup.c:3495
 msgid "dump FVAULT2 device information"
 msgstr ""
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3496
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr ""
 
-#: src/cryptsetup.c:3179
+#: src/cryptsetup.c:3497
 msgid "Resume suspended LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3180
+#: src/cryptsetup.c:3498
 msgid "Backup LUKS device header and keyslots"
 msgstr ""
 
-#: src/cryptsetup.c:3181
+#: src/cryptsetup.c:3499
 msgid "Restore LUKS device header and keyslots"
 msgstr ""
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3500
 msgid "<add|remove|import|export> <device>"
 msgstr ""
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3500
 msgid "Manipulate LUKS2 tokens"
 msgstr ""
 
-#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554
+#: src/cryptsetup.c:3519 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2545,7 +2889,7 @@ msgstr ""
 "\n"
 "<ქმედება> შეიძლება იყოს:\n"
 
-#: src/cryptsetup.c:3207
+#: src/cryptsetup.c:3525
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2553,7 +2897,7 @@ msgid ""
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 msgstr ""
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3529
 #, c-format
 msgid ""
 "\n"
@@ -2563,34 +2907,31 @@ msgid ""
 "<key file> optional key file for the new key for luksAddKey action\n"
 msgstr ""
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3536
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in metadata format is %s (for luksFormat action).\n"
 msgstr ""
 
-#: src/cryptsetup.c:3223 src/cryptsetup.c:3226
-#, c-format
+#: src/cryptsetup.c:3541
 msgid ""
 "\n"
-"LUKS2 external token plugin support is %s.\n"
-msgstr ""
-
-#: src/cryptsetup.c:3223
-msgid "compiled-in"
+"LUKS2 external token plugin support is enabled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3542
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3226
-msgid "disabled"
-msgstr "გამორთულია"
+#: src/cryptsetup.c:3544
+msgid ""
+"\n"
+"LUKS2 external token plugin support is disabled.\n"
+msgstr ""
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3548
 #, c-format
 msgid ""
 "\n"
@@ -2601,7 +2942,7 @@ msgid ""
 "\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n"
 msgstr ""
 
-#: src/cryptsetup.c:3241
+#: src/cryptsetup.c:3559
 #, c-format
 msgid ""
 "\n"
@@ -2611,189 +2952,215 @@ msgid ""
 "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
 msgstr ""
 
-#: src/cryptsetup.c:3250
+#: src/cryptsetup.c:3568
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711
+#: src/cryptsetup.c:3586 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr ""
 
-#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198
+#: src/cryptsetup.c:3626 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "გასაღების სლოტი არასწორია."
 
-#: src/cryptsetup.c:3335
+#: src/cryptsetup.c:3654
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr ""
 
-#: src/cryptsetup.c:3340
+#: src/cryptsetup.c:3659
 msgid "Invalid max reencryption hotzone size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
+#: src/cryptsetup.c:3673 src/cryptsetup.c:3690 src/cryptsetup.c:3702
 msgid "Key size must be a multiple of 8 bits"
 msgstr ""
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3680
+msgid "At most 2 key size specifications can be supplied."
+msgstr ""
+
+#: src/cryptsetup.c:3709 src/cryptsetup.c:3720
+#, c-format
+msgid "At most %d volume key specifications can be supplied."
+msgstr ""
+
+#: src/cryptsetup.c:3732
+#, c-format
+msgid "At most %d keyring link specifications can be supplied."
+msgstr ""
+
+#: src/cryptsetup.c:3741
 msgid "Maximum device reduce size is 1 GiB."
 msgstr ""
 
-#: src/cryptsetup.c:3374
+#: src/cryptsetup.c:3744
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr ""
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3761
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr ""
 
-#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
+#: src/cryptsetup.c:3780 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "დახმარების ამ შეტყობინების ჩვენება"
 
-#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
+#: src/cryptsetup.c:3781 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "გამოყენების მოკლე შეტყობინება"
 
-#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
+#: src/cryptsetup.c:3782 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "პაკეტის ვერსიის გამოტანა"
 
-#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
+#: src/cryptsetup.c:3793 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "დახმარების პარამეტრები:"
 
-#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
+#: src/cryptsetup.c:3816 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr ""
 
-#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
+#: src/cryptsetup.c:3825 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr ""
 
-#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
+#: src/cryptsetup.c:3904 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "უცნობი ქმედება."
 
-#: src/cryptsetup.c:3546
+#: src/cryptsetup.c:3922
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr ""
 
-#: src/cryptsetup.c:3552
+#: src/cryptsetup.c:3928
 msgid "Only one --key-file argument is allowed."
 msgstr ""
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3933
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr ""
 
-#: src/cryptsetup.c:3562
+#: src/cryptsetup.c:3938
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr ""
 
-#: src/cryptsetup.c:3573
+#: src/cryptsetup.c:3943
+msgid "Cannot link volume key to a keyring when keyring is disabled."
+msgstr ""
+
+#: src/cryptsetup.c:3948
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr ""
+
+#: src/cryptsetup.c:3953
+msgid "Inline integrity must be used together with --integrity option."
+msgstr ""
+
+#: src/cryptsetup.c:3964
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr ""
 
-#: src/cryptsetup.c:3581
+#: src/cryptsetup.c:3972
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3985
 msgid "Cannot disable metadata locking."
 msgstr ""
 
-#: src/veritysetup.c:54
+#: src/veritysetup.c:41
 msgid "Invalid salt string specified."
 msgstr "მარილის მითითებული სტრიქონი არასწორია."
 
-#: src/veritysetup.c:87
+#: src/veritysetup.c:74
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr ""
 
-#: src/veritysetup.c:97
+#: src/veritysetup.c:84
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr ""
 
-#: src/veritysetup.c:136
+#: src/veritysetup.c:123
 #, c-format
 msgid "Cannot create root hash file %s for writing."
 msgstr ""
 
-#: src/veritysetup.c:143
+#: src/veritysetup.c:130
 #, c-format
 msgid "Cannot write to root hash file %s."
 msgstr ""
 
-#: src/veritysetup.c:198 src/veritysetup.c:476
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr ""
 
-#: src/veritysetup.c:215 src/veritysetup.c:232
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr ""
 
-#: src/veritysetup.c:220
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr ""
 
-#: src/veritysetup.c:241
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr ""
 
-#: src/veritysetup.c:249
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr ""
 
-#: src/veritysetup.c:256
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr ""
 
-#: src/veritysetup.c:279 src/veritysetup.c:293
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr ""
 
-#: src/veritysetup.c:489
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr ""
 
-#: src/veritysetup.c:489 src/integritysetup.c:534
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "მოწყობილობის ფორმატირება"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr ""
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "მოწყობილობის გადამოწმება"
 
-#: src/veritysetup.c:491
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr ""
 
-#: src/veritysetup.c:493 src/integritysetup.c:537
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "აქტიურ მოწყობილობის სტატუსის ჩვენება"
 
-#: src/veritysetup.c:494
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<ჰეშის მოწყობილობა>"
 
-#: src/veritysetup.c:494 src/integritysetup.c:538
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr ""
 
-#: src/veritysetup.c:513
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -2803,7 +3170,7 @@ msgid ""
 "<root_hash> hash of the root node on <hash_device>\n"
 msgstr ""
 
-#: src/veritysetup.c:520
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -2811,44 +3178,52 @@ msgid ""
 "\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
 msgstr ""
 
-#: src/veritysetup.c:658
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr ""
 
-#: src/veritysetup.c:663
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr ""
 
-#: src/integritysetup.c:177
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr ""
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
 "To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
 msgstr ""
 
-#: src/integritysetup.c:212
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr ""
+
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
 msgstr ""
 
-#: src/integritysetup.c:289
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr ""
 
-#: src/integritysetup.c:364 src/integritysetup.c:521
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr ""
 
-#: src/integritysetup.c:534 src/integritysetup.c:538
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr ""
 
-#: src/integritysetup.c:535
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr ""
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -2856,7 +3231,7 @@ msgid ""
 "<integrity_device> is the device containing data with integrity tags\n"
 msgstr ""
 
-#: src/integritysetup.c:563
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -2865,44 +3240,52 @@ msgid ""
 "\tMaximum keyfile size: %dkB\n"
 msgstr ""
 
-#: src/integritysetup.c:620
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr ""
 
-#: src/integritysetup.c:720
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:724
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:727
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr ""
 
-#: src/integritysetup.c:731
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:734
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr ""
 
-#: src/integritysetup.c:738
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr ""
 
-#: src/integritysetup.c:745
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr ""
 
-#: src/integritysetup.c:750
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr ""
 
-#: src/utils_tools.c:118
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr ""
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr ""
+
+#: src/utils_tools.c:105
 msgid ""
 "\n"
 "WARNING!\n"
@@ -2913,7 +3296,7 @@ msgstr ""
 "========\n"
 
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:120
+#: src/utils_tools.c:107
 #, c-format
 msgid ""
 "%s\n"
@@ -2921,152 +3304,160 @@ msgid ""
 "Are you sure? (Type 'yes' in capital letters): "
 msgstr ""
 
-#: src/utils_tools.c:126
+#: src/utils_tools.c:113
 msgid "Error reading response from terminal."
 msgstr "ტერმინალიდან მიღებული პასუხის წაკითხვის შეცდომა."
 
-#: src/utils_tools.c:158
+#: src/utils_tools.c:145
 msgid "Command successful."
 msgstr "ბრძანება წარმატებულია."
 
-#: src/utils_tools.c:166
+#: src/utils_tools.c:153
 msgid "wrong or missing parameters"
 msgstr "ნაკლული ან არასწორი პარამეტრები"
 
-#: src/utils_tools.c:168
+#: src/utils_tools.c:155
 msgid "no permission or bad passphrase"
 msgstr "აკრძალული წვდომა ან არასწორი საკვანძო ფრაზა"
 
-#: src/utils_tools.c:170
+#: src/utils_tools.c:157
 msgid "out of memory"
 msgstr "მეხსიერებას გარეთ"
 
-#: src/utils_tools.c:172
+#: src/utils_tools.c:159
 msgid "wrong device or file specified"
 msgstr "მითითებული მოწყობილობა ან ფაილი არასწორია"
 
-#: src/utils_tools.c:174
+#: src/utils_tools.c:161
 msgid "device already exists or device is busy"
 msgstr "მოწყობილობა უკვე არსებობს ან დაკავებულია"
 
-#: src/utils_tools.c:176
+#: src/utils_tools.c:163
 msgid "unknown error"
 msgstr "უცნობი შეცდომა"
 
-#: src/utils_tools.c:178
+#: src/utils_tools.c:165
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr ""
 
-#: src/utils_tools.c:256
+#: src/utils_tools.c:243
 #, c-format
 msgid "Key slot %i created."
 msgstr ""
 
-#: src/utils_tools.c:258
+#: src/utils_tools.c:245
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr ""
 
-#: src/utils_tools.c:260
+#: src/utils_tools.c:247
 #, c-format
 msgid "Key slot %i removed."
 msgstr ""
 
-#: src/utils_tools.c:269
+#: src/utils_tools.c:256
 #, c-format
 msgid "Token %i created."
 msgstr ""
 
-#: src/utils_tools.c:271
+#: src/utils_tools.c:258
 #, c-format
 msgid "Token %i removed."
 msgstr ""
 
-#: src/utils_tools.c:281
+#: src/utils_tools.c:268
 msgid "No token could be unlocked with this PIN."
 msgstr ""
 
-#: src/utils_tools.c:283
+#: src/utils_tools.c:270
 #, c-format
 msgid "Token %i requires PIN."
 msgstr ""
 
-#: src/utils_tools.c:285
+#: src/utils_tools.c:272
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr ""
 
-#: src/utils_tools.c:288
+#: src/utils_tools.c:275
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr ""
 
-#: src/utils_tools.c:290
+#: src/utils_tools.c:277
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr ""
 
-#: src/utils_tools.c:293
+#: src/utils_tools.c:280
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr ""
 
-#: src/utils_tools.c:295
+#: src/utils_tools.c:282
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr ""
 
-#: src/utils_tools.c:298
+#: src/utils_tools.c:285
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr ""
 
-#: src/utils_tools.c:300
+#: src/utils_tools.c:287
 msgid "No usable token is available."
 msgstr ""
 
-#: src/utils_tools.c:393
+#: src/utils_tools.c:380
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr ""
 
-#: src/utils_tools.c:398
+#: src/utils_tools.c:385
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr ""
 
-#: src/utils_tools.c:423
+#: src/utils_tools.c:410
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr ""
 
-#: src/utils_tools.c:430
+#: src/utils_tools.c:417
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr ""
 
-#: src/utils_progress.c:74
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr ""
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr ""
+
+#: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>m%02<PRIu64>s"
 
-#: src/utils_progress.c:76
+#: src/utils_progress.c:63
 #, c-format
 msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>სთ%02<PRIu64>წთ%02<PRIu64>წმ"
 
-#: src/utils_progress.c:78
+#: src/utils_progress.c:65
 #, c-format
 msgid "%02<PRIu64> days"
 msgstr "%02<PRIu64> დღე"
 
-#: src/utils_progress.c:105 src/utils_progress.c:138
+#: src/utils_progress.c:92 src/utils_progress.c:125
 #, c-format
 msgid "%4<PRIu64> %s written"
 msgstr "%4<PRIu64> %s ჩაწერილია"
 
-#: src/utils_progress.c:109 src/utils_progress.c:142
+#: src/utils_progress.c:96 src/utils_progress.c:129
 #, c-format
 msgid "speed %5.1f %s/s"
 msgstr "სიჩქარე %5.1f %s/წმ"
@@ -3075,7 +3466,7 @@ msgstr "სიჩქარე %5.1f %s/წმ"
 #. to get translated as well. 'eol' is always new-line or empty.
 #. See above.
 #.
-#: src/utils_progress.c:118
+#: src/utils_progress.c:105
 #, c-format
 msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
 msgstr "მიმდინარეობა: %5.1f%%, დარჩენილია %s, %s, %s%s"
@@ -3083,80 +3474,84 @@ msgstr "მიმდინარეობა: %5.1f%%, დარჩენილ
 #. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
 #. to get translated as well. See above
 #.
-#: src/utils_progress.c:150
+#: src/utils_progress.c:137
 #, c-format
 msgid "Finished, time %s, %s, %s\n"
 msgstr "დასრულდა. დრო: %s, %s, %s\n"
 
-#: src/utils_password.c:41 src/utils_password.c:74
+#: src/utils_password.c:28 src/utils_password.c:59
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr ""
 
-#: src/utils_password.c:49
+#: src/utils_password.c:36
 #, c-format
 msgid ""
 "Password quality check failed:\n"
 " %s"
 msgstr ""
 
-#: src/utils_password.c:81
+#: src/utils_password.c:66
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr ""
 
-#: src/utils_password.c:232 src/utils_password.c:246
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr ""
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr ""
 
-#: src/utils_password.c:244
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "გადაამოწმეთ საკვანძო ფრაზა: "
 
-#: src/utils_password.c:251
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "საკვანძო ფრაზები არ ემთხვევა."
 
-#: src/utils_password.c:289
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr ""
 
-#: src/utils_password.c:293
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "შეიყვანეთ საკვანძო ფრაზა: "
 
-#: src/utils_password.c:296
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "შეიყვანეთ საკვანძო ფრაზა \"%s\"-სთვის: "
 
-#: src/utils_password.c:330
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr ""
 
-#: src/utils_password.c:332
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr ""
 
-#: src/utils_luks.c:67
+#: src/utils_luks.c:55
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr ""
 
-#: src/utils_luks.c:182
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr ""
 
-#: src/utils_luks.c:195
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr ""
 
-#: src/utils_luks.c:202
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "JSON ფაილის წაკითხვის შეცდომა."
 
-#: src/utils_luks.c:207
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3164,12 +3559,12 @@ msgstr ""
 "\n"
 "წაკითხვა შეწყდა."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr ""
 
-#: src/utils_luks.c:257
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3177,26 +3572,26 @@ msgstr ""
 "\n"
 "ჩაწერა შეწყდა."
 
-#: src/utils_luks.c:261
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "JSON ფაილი ჩაწერის შეცდომა."
 
-#: src/utils_reencrypt.c:120
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:124
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr ""
 
-#: src/utils_reencrypt.c:130
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:132
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3205,158 +3600,173 @@ msgid ""
 "To run reencryption in online mode, use --active-name parameter instead.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
 "Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221
-#: src/utils_reencrypt.c:231
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:203
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr ""
 
-#: src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr ""
 
-#: src/utils_reencrypt.c:215
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr ""
 
-#: src/utils_reencrypt.c:293
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1923
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr ""
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr ""
 
-#: src/utils_reencrypt.c:307
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr ""
 
-#: src/utils_reencrypt.c:353
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr ""
 
-#: src/utils_reencrypt.c:418
+#: src/utils_reencrypt.c:566
+msgid "Can not reencrypt LUKS2 device configured to use OPAL."
+msgstr ""
+
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr ""
 
-#: src/utils_reencrypt.c:449
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
 "(block size: %<PRIu32> bytes) detected on device %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:494
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2203
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr ""
 
-#: src/utils_reencrypt.c:500
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr ""
 
-#: src/utils_reencrypt.c:510
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:540
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr ""
 
-#: src/utils_reencrypt.c:542 src/utils_reencrypt.c:549
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:574
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr ""
 
-#: src/utils_reencrypt.c:611
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:621
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:657
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr ""
 
-#: src/utils_reencrypt.c:685
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr ""
 
-#: src/utils_reencrypt.c:693
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr ""
 
-#: src/utils_reencrypt.c:719
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr ""
 
-#: src/utils_reencrypt.c:767
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr ""
 
-#: src/utils_reencrypt.c:820
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:848
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr ""
 
-#: src/utils_reencrypt.c:983 src/utils_reencrypt.c:992
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr ""
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1013 src/utils_reencrypt_luks1.c:1100
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
 msgstr ""
 
-#: src/utils_reencrypt.c:1022 src/utils_reencrypt_luks1.c:1147
-#: src/utils_reencrypt_luks1.c:1158
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr ""
 
-#: src/utils_reencrypt.c:1034
+#: src/utils_reencrypt.c:1876
 #, c-format
-msgid "Enter passphrase for key slot %u: "
+msgid "Switching data encryption cipher to %s.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:1086
-#, c-format
-msgid "Switching data encryption cipher to %s.\n"
+#: src/utils_reencrypt.c:1976 src/utils_reencrypt.c:1997
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr ""
+
+#: src/utils_reencrypt.c:1992
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
 msgstr ""
 
-#: src/utils_reencrypt.c:1140
+#: src/utils_reencrypt.c:2034
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr ""
 
-#: src/utils_reencrypt.c:1242
+#: src/utils_reencrypt.c:2071
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1282 src/utils_reencrypt_luks1.c:726
-#: src/utils_reencrypt_luks1.c:798
+#: src/utils_reencrypt.c:2113 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3364,207 +3774,211 @@ msgstr ""
 "\n"
 "თავიდან დაშიფვრა შეწყვეტილია."
 
-#: src/utils_reencrypt.c:1287
+#: src/utils_reencrypt.c:2118
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:1304
+#: src/utils_reencrypt.c:2141
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1320 src/utils_reencrypt.c:1342
+#: src/utils_reencrypt.c:2157 src/utils_reencrypt.c:2179
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1348
+#: src/utils_reencrypt.c:2185
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1421
+#: src/utils_reencrypt.c:2268
 msgid "LUKS2 decryption requires --header option."
 msgstr ""
 
-#: src/utils_reencrypt.c:1469
+#: src/utils_reencrypt.c:2316
 msgid "Command requires device as argument."
 msgstr ""
 
-#: src/utils_reencrypt.c:1482
+#: src/utils_reencrypt.c:2329
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr ""
 
-#: src/utils_reencrypt.c:1488
+#: src/utils_reencrypt.c:2335
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1494
+#: src/utils_reencrypt.c:2341
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr ""
 
-#: src/utils_reencrypt.c:1500
+#: src/utils_reencrypt.c:2347
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr ""
 
-#: src/utils_reencrypt.c:1506
+#: src/utils_reencrypt.c:2353
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:1513
+#: src/utils_reencrypt.c:2360
 msgid "Device reencryption not in progress."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:150
+#: src/utils_reencrypt_luks1.c:137
 #, c-format
 msgid "Cannot read device %s."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:161
+#: src/utils_reencrypt_luks1.c:148
 #, c-format
 msgid "Marking LUKS1 device %s unusable."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:177
+#: src/utils_reencrypt_luks1.c:164
 #, c-format
 msgid "Cannot write device %s."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:226
+#: src/utils_reencrypt_luks1.c:213
 msgid "Cannot write reencryption log file."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:282
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:293
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "ჟურნალის არასწორი ფორმატი."
 
-#: src/utils_reencrypt_luks1.c:320
+#: src/utils_reencrypt_luks1.c:307
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:369
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:379
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:389
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:449
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:455
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:463
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:500
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:556
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:685
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:687
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "მოწყობილობის ზომის მიღების შეცდომა."
 
-#: src/utils_reencrypt_luks1.c:968
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:998
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "მითითებული UUID არასწორია."
 
-#: src/utils_reencrypt_luks1.c:1224
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr ""
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:1230
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:1286
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr ""
 
-#: src/utils_reencrypt_luks1.c:1287
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "ტომის გასაღები"
 
-#: src/utils_reencrypt_luks1.c:1289
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "ჰეშის დაყენება "
 
-#: src/utils_reencrypt_luks1.c:1290
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ""
 
-#: src/utils_blockdev.c:189
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr ""
 
-#: src/utils_blockdev.c:197
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr ""
 
-#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr ""
 
-#: src/utils_blockdev.c:274
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr ""
 
-#: src/utils_blockdev.c:289
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr ""
@@ -3588,16 +4002,60 @@ msgstr ""
 msgid "Failed to probe device %s for a signature."
 msgstr ""
 
-#: src/utils_args.c:65
+#: src/utils_args.c:52
 #, c-format
 msgid "Invalid size specification in parameter --%s."
 msgstr ""
 
-#: src/utils_args.c:125
+#: src/utils_args.c:112
 #, c-format
 msgid "Option --%s is not allowed with %s action."
 msgstr ""
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr ""
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr ""
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr ""
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr ""
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr ""
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr ""
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr ""
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr ""
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr ""
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr ""
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr ""
@@ -3636,121 +4094,128 @@ msgstr ""
 msgid "Path to the SSH key for connecting to the remote server"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:146
-msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
+#: tokens/ssh/cryptsetup-ssh.c:147
+msgid "Path to directory containinig libcryptsetup external tokens"
 msgstr ""
 
 #: tokens/ssh/cryptsetup-ssh.c:148
+msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
+msgstr ""
+
+#: tokens/ssh/cryptsetup-ssh.c:150
 msgid "Generic options:"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:149
+#: tokens/ssh/cryptsetup-ssh.c:151
 msgid "Shows more detailed error messages"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:150
+#: tokens/ssh/cryptsetup-ssh.c:152
 msgid "Show debug messages"
-msgstr ""
+msgstr "გამართვის შეტყობინებების ჩვენება"
 
-#: tokens/ssh/cryptsetup-ssh.c:151
+#: tokens/ssh/cryptsetup-ssh.c:153
 msgid "Show debug messages including JSON metadata"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:262
+#: tokens/ssh/cryptsetup-ssh.c:268
 msgid "Failed to open and import private key:\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:266
+#: tokens/ssh/cryptsetup-ssh.c:272
 msgid "Failed to import private key (password protected?).\n"
 msgstr ""
 
 #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
-#: tokens/ssh/cryptsetup-ssh.c:268
+#: tokens/ssh/cryptsetup-ssh.c:274
 #, c-format
 msgid "%s@%s's password: "
 msgstr "%s@%s-ის პაროლი: "
 
-#: tokens/ssh/cryptsetup-ssh.c:357
+#: tokens/ssh/cryptsetup-ssh.c:363
 #, c-format
 msgid "Failed to parse arguments.\n"
 msgstr "არგუმენტების დამუშავების შეცდომა.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:368
+#: tokens/ssh/cryptsetup-ssh.c:374
 #, c-format
 msgid "An action must be specified\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:374
+#: tokens/ssh/cryptsetup-ssh.c:380
 #, c-format
 msgid "Device must be specified for '%s' action.\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:379
+#: tokens/ssh/cryptsetup-ssh.c:385
 #, c-format
 msgid "SSH server must be specified for '%s' action.\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:384
+#: tokens/ssh/cryptsetup-ssh.c:390
 #, c-format
 msgid "SSH user must be specified for '%s' action.\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:389
+#: tokens/ssh/cryptsetup-ssh.c:395
 #, c-format
 msgid "SSH path must be specified for '%s' action.\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:394
+#: tokens/ssh/cryptsetup-ssh.c:400
 #, c-format
 msgid "SSH key path must be specified for '%s' action.\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:401
+#: tokens/ssh/cryptsetup-ssh.c:407
 #, c-format
 msgid "Failed open %s using provided credentials.\n"
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:417
+#: tokens/ssh/cryptsetup-ssh.c:424
 #, c-format
 msgid "Only 'add' action is currently supported by this plugin.\n"
 msgstr ""
 
-#: tokens/ssh/ssh-utils.c:46
+#: tokens/ssh/ssh-utils.c:33
 msgid "Cannot create sftp session: "
 msgstr "SFTP სესიის შექმნის შეცდომა: "
 
-#: tokens/ssh/ssh-utils.c:53
+#: tokens/ssh/ssh-utils.c:40
 msgid "Cannot init sftp session: "
 msgstr "SFTP სესიის ინიციალიზაციის შეცდომა: "
 
-#: tokens/ssh/ssh-utils.c:59
+#: tokens/ssh/ssh-utils.c:46
 msgid "Cannot open sftp session: "
 msgstr "SFTP სესიის გახსნის შეცდომა: "
 
-#: tokens/ssh/ssh-utils.c:66
+#: tokens/ssh/ssh-utils.c:53
 msgid "Cannot stat sftp file: "
 msgstr "SFTP ფაილის აღმოჩენის შეცდომა: "
 
-#: tokens/ssh/ssh-utils.c:74
+#: tokens/ssh/ssh-utils.c:61
 msgid "Not enough memory.\n"
 msgstr "არასაკმარისი მეხსიერება.\n"
 
-#: tokens/ssh/ssh-utils.c:81
+#: tokens/ssh/ssh-utils.c:68
 msgid "Cannot read remote key: "
 msgstr "დაშორებული გასაღების წაკითხვის შეცდომა: "
 
-#: tokens/ssh/ssh-utils.c:122
+#: tokens/ssh/ssh-utils.c:109
 msgid "Connection failed: "
 msgstr "მიერთების შეცდომა: "
 
-#: tokens/ssh/ssh-utils.c:132
+#: tokens/ssh/ssh-utils.c:119
 msgid "Server not known: "
 msgstr "სერვერი უცნობია: "
 
-#: tokens/ssh/ssh-utils.c:160
+#: tokens/ssh/ssh-utils.c:147
 msgid "Public key auth method not allowed on host.\n"
 msgstr ""
 
-#: tokens/ssh/ssh-utils.c:171
+#: tokens/ssh/ssh-utils.c:158
 msgid "Public key authentication error: "
 msgstr ""
+
+#~ msgid "disabled"
+#~ msgstr "გამორთულია"
diff --git a/po/pl.po b/po/pl.po
index 9d2d000..6356d63 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -1,14 +1,14 @@
 # Polish translation for cryptsetup.
 # Copyright (C) 2010 Free Software Foundation, Inc.
 # This file is put in the public domain.
-# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2024.
+# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2025.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-07 17:15+0200\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-13 15:15+0100\n"
 "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
 "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
 "Language: pl\n"
@@ -18,70 +18,78 @@ msgstr ""
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Nie można zainicjować device-mappera w czasie działania jako nie-root."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Nie można zainicjować device-mappera. Czy moduł jądra dm_mod jest wczytany?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Żądana flaga odroczona nie jest obsługiwana."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID dla urządzenia %s został skrócony."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Nieznany typ celu dm."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Żądane opcje dm-crypta dotyczące wydajności nie są obsługiwane."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Żądane opcje dm-verity dotyczące obsługi uszkodzenia danych nie są obsługiwane."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Żądana opcja taskletów dm-verity nie jest obsługiwana."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Żądane opcje FEC dm-verity nie są obsługiwane."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Żądane opcje integralności danych nie są obsługiwane."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "Żądana opcja sector_size nie jest obsługiwana."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "Rozmiar urządzenia nie jest wielokrotnością żądanego rozmiaru sektura."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Żądana opcja integrity_key_size nie jest obsługiwana."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Żądane automatyczne przeliczenie znaczników integralności nie jest obsługiwane."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr "Porzucenie/TRIM nie jest obsługiwane."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Żądany tryb bitmapy dm-integrity nie jest obsługiwany."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Żądany tryb wbudowany dm-integrity nie jest obsługiwany."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Nie udało się odpytać segmentu dm-%s."
@@ -115,747 +123,777 @@ msgstr "Nieznane żądanie jakości RNG."
 msgid "Error reading from RNG."
 msgstr "Błąd odczytu z RNG."
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "Obsługa OPAL jest wyłączona w libcryptsetup."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "Urządzenie %s lub jądro nie obsługuje szyfrowania OPAL."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Nie można zainicjować backendu kryptograficznego RNG."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Nie można zainicjować backendu kryptograficznego."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Algorytm skrótu %s nie jest obsługiwany."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Błąd przetwarzania klucza (użyto algorytmu skrótu %s)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Nie można określić rodzaju urządzenia. Niezgodny sposób uaktywniania urządzenia?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS2."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr "Wszyskie miejsca na klucze są pełne."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Numer klucza %d jest błędny, proszę wybrać wartość między 0 a %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Miejsce na klucz %d jest pełne, proszę wybrać inne."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr "Rozmiar urządzenia nie jest wyrównany do rozmiaru bloku logicznego urządzenia."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Wykryto nagłówek, ale urządzenie %s jest zbyt małe."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr "Ta operacja nie jest obsługiwana dla tego rodzaju urządzenia."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Niedozwolona operacja w trakcie ponownego szyfrowania."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Nie udało się wycofać zmian w metadanych LUKS2 w pamięci."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nieobsługiwana wersja LUKS %d."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "Nie wykryto znanego wzorca określającego szyfr dla aktywnego urządzenia %s."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr "Urządzenie %s nie jest aktywne."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Urządzenie stojące za urządzeniem szyfrowanym %s zniknęło."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Błędne parametry szyfru plain."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Błędny rozmiar klucza."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID nie jest obsługiwany dla tego rodzaju szyfrowania."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Osobne urządzenie metadanych nie jest obsługiwane dla tego rodzaju szyfrowania."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr "Nieobsługiwany rozmiar sektora szyfrowania."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr "Rozmiar urządzenia nie jest wyrównany do żądanego rozmiaru sektura."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Nie można sformatować LUKS-a bez urządzenia."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Urządzenie Zoned %s nie może być używane dla nagłówka LUKS."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Żądane wyrównanie metadanych nie jest zgodne z offsetem danych."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "UWAGA: urządzenie DAX może uszkodzić dane, ponieważ nie gwarantuje atomowych uaktualnień sektorów.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Nie można wymazać nagłówka na urządzeniu %s."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Urządzenie %s jest zbyt małe do uaktywnienia, nie ma miejsca pozostałego na dane.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Klucz wolumenu jest zbyt mały do szyfrowania z rozszerzeniami integralności."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Rozmiar klucza integralności jest zbyt mały."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Szyfr %s-%s (rozmiar klucza w bitach: %zd) nie jest dostępny."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "UWAGA: uaktywnienie urządzenia się nie powiedzie, dm-crypt nie ma obsługi żądanego rozmiaru sektora szyfrowania.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr "Urządzenie %s jest zbyt małe."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Nie można sformatować urządzenia %s, które jest w użyciu."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Nie można sformatować urządzenia %s, brak uprawnień."
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Nie można sformatować integralności dla urządzenia %s."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Nie można sformatować urządzenia %s."
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "Nie można pobrać parametrów wyrównania OPAL."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Błędny rozmiar bloku logicznego OPAL."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "Błędny rozmiar bloku logicznego OPAL różni się od rozmiaru bloku urządzenia."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "Żądana pozycja danych nie jest zgodna z rozmiarem bloku OPAL."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "Żądane wyrównanie danych nie jest zgodne z wyrównaniem OPAL."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "Pozycja danych nie jest zgodna z wymaganiami wyrównania OPAL."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "Żądane wyrównanie danych nie jest zgodne z wymaganiami wyrównania zakresu blokowania."
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "Kompensacja rozmiaru urządzenia o %<PRIu64> sektorów, aby wyrównać do rozdzielczości wyrównania OPAL."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "Nie udało się uzyskać blokady OPAL na urządzeniu %s."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Niepoprawny klucz administratora OPAL."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "Nie można ustawić segmentu OPAL."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "Nie można sformatować urządzenia %s, urządzenie OPAL obecnie wygląda na w pełni zabezpieczone przed zapisem."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "To prawdopodobnie błąd w oprogramowaniu sprzętowym. W celu odtworzenia można zresetować PSID OPAL i połączyć ponownie."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "Reset zakresu blokowania %d na urządzeniu %s nie powiódł się."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Nie można sformatować urządzenia LUKSAES bez urządzenia."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Nie można sformatować VERITY bez urządzenia."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nieobsługiwany typ hasza VERITY %d."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Nieobsługiwany rozmiar bloku VERITY."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Nieobsługiwany offset hasza VERITY."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nieobsługiwany offset FEC VERITY."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "Obszar danych zachodzi na obszar skrótów."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "Obszar skrótu zachodzi na obszar FEC."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "Obszar danych zachodzi na obszar FEC."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Niezgodność rozmiaru klucza integralności."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "UWAGA: żądany rozmiar znacznika %d B różni się od rozmiaru wyjścia %s (%d B).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "Nieznany typ żądanego urządzenia szyfrującego %s."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Żądany nieznany lub nieobsługiwany typ urządzenia %s."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Urządzenie %s nie zapewnia wbudowanych pól danych integralności."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Rozmiar znacznika wbudowanego %<PRIu32> B jest większy niż %<PRIu32> zapewniany przez urządzenie %s."
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Sektor musi być tego samego rozmiaru, co sektor sprzętowy urządzenia (%zu B)."
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nieobsługiwane parametry urządzenia %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Niezgodne parametry dla urządzenia %s."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr "Urządzenia szyfrowane nie zgadzają się."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Nie udało się przeładować urządzenia %s."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Nie udało się wstrzymać urządzenia %s."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Nie udało wznowić urządzenia %s."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Błąd krytyczny przy przeładowywaniu urządzenia %s (w oparciu o urządzenie %s)."
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Nie udało się przełączyć urządzenia %s na dm-error."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr "Nie można zmienić rozmiaru urządzenia LUKS2 o rozmiarze statycznym."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Zmiana rozmiaru urządzenia LUKS2 z ochroną integralności nie jest obsługiwana."
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr "Nie można zmienić rozmiaru urządzenia loopback."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "UWAGA: maksymalny rozmiar jest już ustawiony lub jądro nie obsługuje zmiany rozmiaru.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Zmiana rozmiaru nie powiodła się, jądro tego nie obsługuje."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr "Czy na pewno zmienić UUID urządzenia?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Plik nagłówka kopii zapasowej nie zawiera zgodnego nagłówka LUKS."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Wolumen %s nie jest aktywny."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Wolumen %s już został wstrzymany."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Wstrzymywanie nie jest obsługiwane dla urządzenia %s."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Błąd podczas wstrzymywania urządzenia %s."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Urządzenie %s zostało wstrzymane, ale sprzętowe urządzenie OPAL nie może być zablokowane."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Wznawianie nie jest obsługiwane dla urządzenia %s."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Błąd podczas wznawiania urządzenia %s."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "Nie udało się odłączyć klucza wolumenu z pęku kluczy podanego przez użytkownika."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr "Nie udało się dołączuć klucza wolumenu do pęku kluczy zdefiniowanego przez użytkownika."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Wolumen %s nie jest wstrzymany."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr "Klucz wolumenu nie pasuje do wolumenu."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr "Nie udało się podstawić nowego klucza."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Numer klucza %d jest nieprawidłowy."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Klucz %d nie jest aktywny."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr "Nagłówek urządzenia zachodzi na obszar danych."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Ponowne szyfrowanie trwa. Nie można uaktywnić urządzenia."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr "Nie udało się uzyskać blokady ponownego szyfrowania."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "Odtwarzanie ponownego szyfrowania LUKS2 przy użyciu kluczy wolumenu nie powiodło się."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "Nie udało się dołączyć kluczy wolumenu do pęku kluczy zdefiniowanego przez użytkownika."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "Odtwarzanie ponownego szyfrowania LUKS2 nie powiodło się."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Typ urządzenia nie został właściwie zainicjalizowany."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr "Urządzenie %s już istnieje."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Nie można użyć urządzenia %s, nazwa jest nieprawidłowa lub nadal w użyciu."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Klucze ponownego szyfrowania wolumenu nie pasują do wolumenu."
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr "Podano niewłaściwy klucz wolumenu dla zwykłego urządzenia."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Klucze ponownego szyfrowania wolumenu nie pasują do wolumenu."
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "Typ urządzenia nie został właściwie zainicjalizowany."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Pęk kluczy w jądrze nie jest obsługiwany przez jądro."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Brak pęku kluczy w jądrze: wymagany do przekazania podpisu do jądra."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Nie można użyć klucza pęku kluczy %s."
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr "Podano niewłaściwy hasz główny dla urządzenia VERITY."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr "OPAL nie obsługuje odroczonej dezaktywacji."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Nie udało się anulować opóźnionego usuwania z urządzenia %s."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Urządzenie %s jest nadal w użyciu."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Nie udało się anulować opóźnionego usuwania z urządzenia %s."
+
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr "Błędne urządzenie %s."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr "Bufor klucza wolumenu zbyt mały."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia LUKS2."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia LUKS1."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Nie można odtworzyć klucza wolumenu dla zwykłego urządzenia."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Nie można odtworzyć hasza głównego dla urządzenia VERITY."
 
-#: lib/setup.c:6199
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia BITLK."
 
-#: lib/setup.c:6204
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Nie można odtworzyć klucza wolumenu dla urządzenia FVAULT2."
 
-#: lib/setup.c:6206
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Ta operacja nie jest obsługiwana dla urządzenia szyfrującego %s."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr "Operacja zrzutu nie jest obsługiwana dla tego rodzaju urządzenia."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Offset danych nie jest wielokrotnością liczby bajtów %u."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Nie można przekonwertować urządzenia %s, które jest nadal w użyciu."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Nie udało się przypisać klucza %u jako nowego klucza wolumenu."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Nie udało się zainicjować domyślnych parametrów klucza LUKS2."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Nie udało się przypisać klucza %d do skrótu."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Nie można dodać klucza, wszystkie miejsca na klucze wyłączone i nie podano klucza wolumenu."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "Nie udało się załadować klucza do pęku kluczy w jądrze."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "Nie udało się odłączyć klucza wolumenu z pęku klucza wątku."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "Nie udało się odnaleźć pęku kluczy opisanego przez \"%s\"."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Nie udało się uzyskać globalnej blokady serializacji dostępu ciężkiego pamięciowo."
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Nie udało się otworzyć pliku klucza."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Nie można odczytać pliku klucza z terminala."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "Nie udało się wykonać stat na pliku klucza."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Nie można przemieścić się do żądanego położenia pliku klucza."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Brak pamięci podczas odczytu hasła."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Błąd podczas odczytu hasła."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Na wejściu nie ma nic do odczytu."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Przekroczono maksymalny rozmiar pliku klucza."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Nie można odczytać żądanej ilości danych."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Urządzenie %s nie istnieje lub dostęp jest zabroniony."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Urządzenie %s nie jest zgodne."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Zignorowano niewłaściwy rozmiar optimal-io dla urządzenia danych (%u bajtów)."
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Urządzenie %s jest zbyt małe. Wymagane przynajmniej %<PRIu64> bajtów."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Nie można użyć urządzenia %s, które jest w użyciu (już podmapowane lub zamontowane)."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Nie można użyć urządzenia %s, brak uprawnień."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Nie można uzyskać informacji o urządzeniu %s."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Nie można użyć urządzenia loopback w czasie działania jako nie-root."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Nie udało się podłączyć urządzenia loopback (wymagane urządzenie loop z flagą autoclear)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Żądany offset jest poza rzeczywistym rozmiarem urządzenia %s."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Urządzenie %s ma zerowy rozmiar."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Żądany czas docelowy PBKDF nie może być zerowy."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Nieznany typ PBKDF %s."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Żądany skrót %s nie jest obsługiwany."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Żądany typ PBKDF nie jest obsługiwany dla LUKS1."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Wartości maksymalnej pamięci lub liczby wątków PBKDF nie mogą być ustawione dla PBKDF2."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Wymuszona liczba iteracji jest zbyt mała dla %s (minimum to %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Wymuszony koszt pamięciowy jest zbyt mały dla %s (minimum to %u kB)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Żądany maksymalny koszt pamięciowy PBKDF jest zbyt duży (maksimum to %d kB)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Żądany maksymalny koszt pamięciowy PBKDF jest zbyt duży (ograniczony maksymalnym rozmiarem liczby całkowitej)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Żądana maksymalna pamięć PBKDF nie może być zerowa."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Żądany maksymalny koszt równoległy PBKDF jest zbyt duży (maksimum to %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Żądana liczba wątków PBKDF nie może być zerowa."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "W trybie FIPS obsługiwana jest tylko PBKDF2."
 
@@ -882,25 +920,25 @@ msgstr "Blokowanie nie powiodło się. Ścieżka blokady %s/%s jest nieużywalna
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Blokowanie przerwane. Ścieżka blokady %s/%s jest nieużywalna (%s nie jest katalogiem)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Nie można przemieścić się we właściwe położenie urządzenia."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Błąd wymazywania urządzenia, offset %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "Niepoprawny PSID OPAL."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "Nie można wymazać urządzenia OPAL."
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -909,47 +947,47 @@ msgstr ""
 "Nie udało się ustawić odwzorowania klucza dm-crypt dla urządzenia %s.\n"
 "Proszę sprawdzić, czy jądro obsługuje szyfr %s (więcej informacji w syslogu)."
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Rozmiar klucza w trybie XTS musi wynosić 256 lub 512 bitów."
 
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Określenie szyfru powinno być w formacie [szyfr]-[tryb]-[iv]."
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Nie można zapisać na urządzenie %s, brak uprawnień."
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr "Nie udało się otworzyć urządzenia do tymczasowego przechowywania kluczy."
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr "Nie udało się uzyskać dostępu do urządzenia do tymczasowego przechowywania kluczy."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Błąd we/wy podczas szyfrowania klucza."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Nie można otworzyć urządzenia %s."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Błąd we/wy podczas odszyfrowywania klucza."
 
@@ -965,32 +1003,32 @@ msgstr "Urządzenie %s jest zbyt małe (LUKS1 wymaga przynajmniej %<PRIu64> bajt
 msgid "LUKS keyslot %u is invalid."
 msgstr "Numer klucza LUKS %u jest nieprawidłowy."
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Żądany plik kopii zapasowej nagłówka %s już istnieje."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Nie można utworzyć pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Nie można zapisać pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Plik kopii zapasowej nie zawiera prawidłowego nagłówka LUKS."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Nie można otworzyć pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Nie można odczytać pliku kopii zapasowej nagłówka %s."
@@ -1012,7 +1050,7 @@ msgstr "nie zawiera nagłówka LUKS. Nadpisanie nagłówka może zniszczyć dane
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "już zawiera nagłówek LUKS. Nadpisanie nagłówka zniszczy istniejące klucze."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1039,7 +1077,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Skrót szyfru poprawiony na małe litery (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Żądany skrót LUKS %s nie jest obsługiwany."
@@ -1086,7 +1124,7 @@ msgstr "Tryb szyfru LUKS %s jest nieprawidłowy."
 msgid "LUKS hash %s is invalid."
 msgstr "Skrót LUKS %s jest nieprawidłowy."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr "W nagłówku LUKS nie wykryto żadnych znanych problemów."
 
@@ -1100,17 +1138,17 @@ msgstr "Błąd podczas uaktualniania nagłówka LUKS na urządzeniu %s."
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Błęd podczas ponownego odczytu nagłówka LUKS po uaktualnieniu na urządzeniu %s."
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Offset danych dla nagłówka LUKS musi wynosić 0 lub więcej niż rozmiar nagłówka."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Podano zły format LUKS UUID."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Nie można utworzyć nagłówka LUKS: odczyt losowego zarodka nie powiódł się."
 
@@ -1119,48 +1157,48 @@ msgstr "Nie można utworzyć nagłówka LUKS: odczyt losowego zarodka nie powió
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Nie można utworzyć nagłówka LUKS: uzyskanie skrótu nagłówka nie powiodło się (przy użyciu algorytmu %s)."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Klucz numer %d jest aktywny, należy go najpierw wyczyścić."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Klucz %d zawiera zbyt mało pasów. Zmieniony nagłówek?"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Przepełnienie wartości iteracji PBKDF2"
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Nie można otworzyć klucza (przy użyciu skrótu %s)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Numer klucza %d jest błędny, proszę wybrać numer od 0 do %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Nie można wymazać urządzenia %s."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Wykryto jeszcze nie obsługiwany plik klucza szyfrowany GPG."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Proszę użyć gpg --decrypt <PLIK-KLUCZA> | cryptsetup --keyfile=- ...\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Wykryto niekompatybilny plik klucza loop-AES."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Jądro nie obsługuje odwzorowań zgodnych z loop-AES."
 
@@ -1179,168 +1217,197 @@ msgstr "Przekroczono maksymalną długość hasła TCRYPT (%zu)."
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Algorytm skrótu PBKDF2 %s nie jest dostępny, pominięto."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr "Wymagany interfejs kryptograficzny jądra nie jest dostępny."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Proszę upewnić się, że moduł jądra algif_skcipher został załadowany."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Uaktywnianie nie jest obsługiwane dla rozmiaru sektora %d."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Jądro nie obsługuje uaktywniania dla tego starego trybu TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Włączanie szyfrowania systemu TCRYPT dla partycji %s."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Nie można określić pozycji partycji systemowej TCRYPT, aktywacja całego obszaru zaszyfrowanego."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Nie można określić pozycji partycji systemowej TCRYPT, aktywacja urządzenia jako partycji systemowej."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Jądro nie obsługuje odwzorowań zgodnych z TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Ta funkcja nie jest obsługiwana bez załadowanego nagłówka TCRYPT."
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany wpis metadanych typu '%u'."
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Przy analizie Głównego Klucza Wolumenu napotkano błędny ciąg znaków."
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany ciąg znaków ('%s')."
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwaną wartość wpisu metadanych '%u'."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK w wersji 1 nie jest obecnie obsługiwany."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Błędna lub nieznana sygnatura rozruchowa urządzenia BITLK."
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Nieobsługiwany rozmiar sektora %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Nie udało się odczytać nagłówka BITLK z %s."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "Nie udało się odczytać lub sprawdzić poprawności kopii #%d metadanych BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:603
+#, c-format
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "Nie udało się odczytać i sprawdzić poprawności metadanych BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:610
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "Nie udało się odczytać metadanych BITLK FVE z %s."
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "Nie udało się sprawdzić poprawności lokalizacji metadanych BITLK FVE z %s."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "Metadane BITLK FVE zmieniły się pomiędzy odczytami z %s."
+
+#: lib/bitlk/bitlk.c:628
+#, c-format
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "Nie udało się policzyć skrótu metadanych BITLK FVE odczytanych z %s."
+
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "Nie udało się przeanalizywać metadanych poprawności BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr "Nieznany lub nieobsługiwany rodzaj szyfrowania."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
-msgstr "Nie udało się odczytać wpisów metadanych BITLK z %s."
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "Nie udało się sprawdzić wpisów metadanych BITLK, odczytanych wcześniej z %s."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr "Nie udało się przekonwertować opisu wolumenu BITLK"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Przy analizie zewnętrznego klucza napotkano nieoczekiwany wpis metadanych typu '%u'."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "GUI pliku BEK '%s' nie pasuje do GUID-a wolumenu."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Przy analizie zewnętrznego klucza napotkano nieoczekiwaną wartość wpisu metadanych '%u'."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Nieobsługiwana wersja metadanych BEK %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Nieoczekiwany rozmiar metadanych BEK %<PRIu32> nie zgadza się z długością pliku BEK"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Przy analizie klucza początkowego napotkano nieoczekiwany wpis metadanych."
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr "Ta operacja nie jest obsługiwana."
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr "Nieoczekiwany rozmiar danych klucza."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "To urządzenie BITLK jest w nieobsługiwanym stanie i może być uaktywnione."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Urządzenia BITLK o typie '%s' nie mogą być uaktywnione."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "Uaktywnianie częściowo odszyfrowanych urządzeń BITLK nie jest obsługiwane."
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "UWAGA: rozmiar wolumenu BitLockera %<PRIu64> nie zgadza się z rozmiarem urządzenia %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Nie można uaktywnić urządzenia, brak obsługi BITLK IV w module dm-crypt jądra."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Nie można uaktywnić urządzenia, brak obsługi dyfuzora BITLK Elephant w module dm-crypt jądra."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Nie można uaktywnić urządzenia, brak obsługi dużego rozmiaru sektora w module dm-crypt jądra."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Nie można uaktywnić urządzenia, brak modułu jądra dm-zero."
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Nie można odczytać %u bajtów nagłówka wolumenu."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Nieobsługiwana wersja FVAULT2 %<PRIu16>."
@@ -1377,31 +1444,31 @@ msgstr "Weryfikacja podpisu hasza głównego nie jest obsługiwana."
 msgid "Root hash signature required."
 msgstr "Wymagany podpis hasza głównego."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Błędów nie można naprawić z urządzeniem FEC."
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Znaleziono %u błędów możliwych do naprawienia z urządzeniem FEC."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Jądro nie obsługuje odwzorowań dm-verity."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Jądro nie obsługuje opcji podpisu dm-verity."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Urządzenie VERITY wykryło uszkodzenie po uaktywnieniu."
 
 #: lib/verity/verity_hash.c:53
 #, c-format
 msgid "Spare area is not zeroed at position %<PRIu64>."
-msgstr "Nie wyzerowane miejsce zapasowe na pozycji %<PRIu64>."
+msgstr "Niewyzerowane miejsce zapasowe na pozycji %<PRIu64>."
 
 #: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
 #: lib/verity/verity_hash.c:298
@@ -1417,23 +1484,23 @@ msgstr "Weryfikacja nie powiodła się na pozycji %<PRIu64>."
 msgid "Hash area overflow."
 msgstr "Przepełnienie obszaru skrótu."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Weryfikacja obszaru danych nie powiodła się."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Weryfikacja głównego hasza nie powiodła się."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Błąd wejścia/wyjścia podczas tworzenia obszaru haszy."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "Tworzenie obszaru haszy nie powiodło się."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "UWAGA: Jądro nie może uaktywnić urządzenia, jeśli rozmiar bloku danych przekracza rozmiar strony (%u)."
@@ -1483,34 +1550,38 @@ msgstr "Błędna długość segmentu FEC."
 msgid "Failed to determine size for device %s."
 msgstr "Nie udało się określić rozmiaru urządzenia %s."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Wykryto niezgodne metadane dm-integrity jądra (wersja %u) na %s."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Jądro nie obsługuje odwzorowań dm-integrity."
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Jądro nie obsługuje stałego wyrównania metadanych dm-integrity."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Jądro odmawia uaktywnienia niebezpiecznej opcji przeliczenia (p. stare opcje aktywacji, aby wymusić)."
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Jądro nie obsługuje trybu wbudowanego dm-integrity."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Nie udało się uzyskać blokady dla zapisu na urządzeniu %s."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Wykryto próbę jednoczesnego uaktualnienia metadanych LUKS2. Przerywanie operacji."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1518,59 +1589,63 @@ msgstr ""
 "Urządzenie zawiera niejednoznaczne sygnatury, nie można automatycznie odtworzyć LUKS2.\n"
 "W celu odtworzenia należy uruchomić \"cryptsetup repair\"."
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "UWAGA: obszar kluczy (%<PRIu64> bajtów) bardzo mały, dostępna liczba kluczy LUKS2 jest bardzo ograniczona.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Żądany offset danych jest zbyt mały."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "UWAGA: rozmiar metadanych LUKS2 zmienił się na %<PRIu64> (w bajtach).\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "UWAGA: rozmiar obszaru kluczy LUKS2 zmienił się na %<PRIu64> (w bajtach).\n"
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Nie udało się uzyskać blokady do odczytu na urządzeniu %s."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "Etykieta jest zbyt długa."
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Wykryto zabronione wymagania LUKS2 w kopii zapasowej %s."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Offset danych różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Nagłówek binarny z rozmiarem obszarów kluczy różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Urządzenie %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "nie zawiera nagłówka LUKS2. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "już zawiera nagłówek LUKS2. Nadpisanie nagłówka zniszczy istniejące klucze."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1580,121 +1655,121 @@ msgstr ""
 "UWAGA: wykryto nieznane wymagania LUKS2 w nagłówku prawdziwego urządzenia!\n"
 "Nadpisanie nagłówka kopią zapasową może uszkodzić dane na tym urządzeniu!"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
 "Replacing header with backup may corrupt data."
 msgstr ""
 "\n"
-"UWAGA: wykryto nie zakończone ponowne szyfrowanie offline na urządzeniu!\n"
+"UWAGA: wykryto niezakończone ponowne szyfrowanie offline na urządzeniu!\n"
 "Nadpisanie nagłówka kopią zapasową może uszkodzić dane."
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Zignorowano nieznaną flagę %s."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Brak klucza dla segmentu dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr "Nie udało się ustawić segmentu dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr "Nie udało się ustawić segmentu dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "Nie wykryto znanego wzorca określającego szyfr w nagłówku LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr "Urządzenie OPAL musi mieć statyczny rozmiar."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "Szyfrowane urządzenie OPAL z integralnością musi być mniejsze, niż zakres blokowania."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr "Urządzenie OPAL musi mieć ten sam rozmiar, co zakres blokowania."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "Urządzenie OPAL %s jest już odblokowane.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr "Nieobsługiwana konfiguracja integralności urządzenia."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "Urządzenie dm-integrity stojące poniżej o nieoczekiwanych sektorach danych."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Podobne szyfrowanie trwa. Nie można dezaktywować urządzenia."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Nie udało się zastąpić wstrzymanego urządzenia %s celem dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "Urządzenie %s zostało dezaktywowane, ale sprzętowe urządzenie OPAL nie może być zablokowane."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "Nie udało się odczytać wymagań LUKS2."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
-msgstr "Wykryto nie spełnione wymagania LUKS2."
+msgstr "Wykryto niespełnione wymagania LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania starym szyfrem. Przerwano."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania LUKS2. Przerwano."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Operacja niezgodna z urządzeniem używającym OPAL. Przerwano."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Operacja niezgodna z urządzeniem używającym wbudowanych znaczników HW. Przerwano."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Za mało dostępnej pamięci, aby otworzyć klucz."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Nie udało się otworzyć klucza."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Nie można użyć szyfru %s-%s do szyfrowania kluczy."
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Za mało pamięci na wyprowadzenie klucza z miejsca."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Algorytm skrótu %s nie jest dostępny."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "Uwaga: operacja na kluczu może się nie powieść, bo wymaga więcej pamięci, niż dostępna.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr "Brak miejsca na nowy klucz."
 
@@ -1720,428 +1795,438 @@ msgstr "Nie można sprawdzić stanu urządzenia mającego UUID: %s."
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Nie można przekonwertować nagłówka z dodatkowymi metadanymi LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Nie można użyć określenia szyfru %s-%s dla LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Nie można użyć określenia szyfru %s-%s dla klucza LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Nie można przenieść obszaru kluczy. Brak miejsca."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Nie można przekonwertować do formatu LUKS1 - błędne metadane."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Nie można przenieść obszaru kluczy. Obszar kluczy LUKS2 zbyt mały."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Nie można przenieść obszaru kluczy."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nie można przekonwertować do formatu LUKS1 - domyślny rozmiar sektora szyfrowania segmentu nie wynosi 512 bajtów."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nie można przekonwertować formatu LUKS1 - skróty kluczy nie są zgodne z LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa szyfru %s z obudowanym kluczem."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa większej liczby segmentów."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nie można przekonwertować do formatu LUKS1 - nagłówek LUKS2 zawiera %u token(ów)."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Nie można przekonwertować do formatu LUKS1 - nie ma aktywnych kluczy."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u jest w błędnym stanie."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u nie jest podłączony."
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u (powyzej maksimum) jest nadal aktywny."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u nie jest zgodny z LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
-msgstr "Rozmiar strefy hotzone musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)."
+msgstr "Rozmiar strefy gorącej musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Rozmiar urządzenia musi być wielokrotnością wyliczonego wyrównania strefy (bajtów: %zu)."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Nie udało się zainicjować obudowania przestrzeni starego segmentu."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Nie udało się zainicjować obudowania przestrzeni nowego segmentu."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
-msgstr "Nie udało się zainicjować ochrony strefy hotzone."
+msgstr "Nie udało się zainicjować ochrony strefy gorącej."
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
-msgstr "Nie udało się odczytać sum kontrolnych dla aktualnej strefy hotzone."
+msgstr "Nie udało się odczytać sum kontrolnych dla aktualnej strefy gorącej."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
-msgstr "Nie udało się odczytać obszaru hotzone zaczynającego się od %<PRIu64>."
+msgstr "Nie udało się odczytać obszaru strefy gorącej zaczynającego się od %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Nie udało się odszyfrować sektora %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Nie udało się odtworzyć sektora %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Rozmiary urządzenia źródłowego i docelowego różnią się. Źródłowe %<PRIu64>, docelowe: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
-msgstr "Nie udało się uaktywnić urządzenia hotzone %s."
+msgstr "Nie udało się uaktywnić urządzenia strefy gorącej %s."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "Nie udało się przydzielić urządzenia strefy gorącej %s."
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Nie udało się uaktywnić urządzenia nakładkowego %s z aktualną tablicą źródła."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Nie udało się załadować nowego odwzorowania dla urządzenia %s."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Nie udało się odświeżyć stosu urządzenia ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr "Nie udało się ustawić nowego rozmiaru obszaru kluczy."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Wartość przesunięcia danych nie jest wyrównana do rozmiaru sektora szyfrowania (%<PRIu32> B)."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Nieobsługiwany tryb odporności %s"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Rozmiar przenoszonego segmentu nie może być większy niż wartość przesunięcia danych."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr "Błędne parametry odporności przy ponownym szyfrowaniu."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Przenoszony segment zbyt duży. Żądany rozmiar %<PRIu64>, dostępne miejsce: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr "Nie udało się wyczyścić tablicy."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Przesunięcie danych (sektorów: %<PRIu64>) jest mniejsze niż przyszły offset danych (sektorów: %<PRIu64>)."
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
 msgid "Reduced data size is larger than real device size."
 msgstr "Zmniejszony rozmiar danych jest większy niż rzeczywisty rozmiar urządzenia."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Urzędzenie danych nie jest wyrównane do rozmiaru sektora szyfrowania (%<PRIu32> B)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Przesunięcie danych (sektorów: %<PRIu64>) jest mniejsze niż przyszły offset danych (sektorów: %<PRIu64>)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Nie udało się otworzyć %s w trybie wyłączności (już odwzorowano lub zamontowano)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Urządzenie nie jest oznaczone do ponownego szyfrowania LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Nie udało się załadować kontekstu ponownego szyfrowania LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "Nie udało się pobrać stanu ponownego szyfrowania."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr "Urządzenie nie jest w trakcie ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr "Proces ponownego szyfrowania już trwa."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr "Nie udało się uzyskać blokady dla ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Nie można kontynuować ponownego szyfrowania. Należy najpierw uruchomić odtworzenie ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Rozmiar urządzenia aktywnego oraz żądany rozmiar ponownego szyfrowania różnią się."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "W parametrach ponownego szyfrowania zażądano niedozwolonego rozmiaru urządzenia."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Ponowne szyfrowanie trwa. Nie można wykonać odzyskiwania."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Odtwarzanie ponownego szyfrowania LUKS2 nie powiodło się."
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "Nie udało się zainicjować stosu urządzenia ponownego szyfrowania."
+
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane w metadanych."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Nie udało się zainicjować ponownego szyfrowania LUKS2 w metadanych."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "Ponowne szyfrowanie nie jest obsługiwane dla urządzeń DAX (pamięci trwałej)."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "Nie udało się odczytać hasła z pęku kluczy."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
-msgstr "Nie udało się ustawić segmentów urządzeń dla następnej strefy hotzone ponownego szyfrowania."
+msgstr "Nie udało się ustawić segmentów urządzeń dla następnej strefy gorącej ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Nie udało się zapisać metadanych odporności ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr "Odszyfrowanie nie powiodło się."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
-msgstr "Nie udało się zapisać obszaru hotzone zaczynającego się od %<PRIu64>."
+msgstr "Nie udało się zapisać obszaru strefy gorącej zaczynającego się od %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr "Nie udało się zsynchronizować danych."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
-msgstr "Nie udało się uaktualnić metadanych po zakończeniu aktualnej strefy hotzone ponownego szyfrowania."
+msgstr "Nie udało się uaktualnić metadanych po zakończeniu aktualnej strefy gorącej ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr "Nie udało się zapisać metadanych LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
-msgstr "Nie udało się wymazać nie używanego obszaru urządzenia danych."
+msgstr "Nie udało się wymazać nieużywanego obszaru urządzenia danych."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
-msgstr "Nie udało się usunąć nie używanego (nie przypisanego) obszaru klucza %d."
+msgstr "Nie udało się usunąć nieużywanego (nieprzypisanego) obszaru klucza %d."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr "Nie udało się usunąć obszaru klucza ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Błąd krytyczny podczas ponownego szyfrowania fragmentu zaczynającego się od %<PRIu64> o długości w sektorach %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr "Ponowne szyfrowanie online nie powiodło się."
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Proszę nie wznawiać urządzenia dopóki nie zostanie zastąpione celem błędnym ręcznie."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Nie można kontynuować ponownego szyfrowania. Nieoczekiwany stan ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr "Brak lub błędny kontekst ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "Nie udało się zainicjować stosu urządzenia ponownego szyfrowania."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr "Nie udało się uaktualnić kontekstu ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Metadane ponownego szyfrowania są błędne."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "Pozycja zakresu OPAL %d %<PRIu64> nie pasuje do oczekiwanych wartości %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "Długość zakresu OPAL %d %<PRIu64> nie pasuje do długości urządzenia %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "Blokowanie zakresu OPAL %d wyłączone."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "Nieoczekiwany stan blokowania zakresu OPAL %d."
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametry szyfrowania kluczy mogą być ustawione tylko dla urządzeń LUKS2."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Proszę wprowadzić PIN: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Proszę wprowadzić PIN tokenu %d: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Parametry szyfrowania kluczy nie są zgodne z szyfrowaniem kluczy LUKS2."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Nie wykryto znanego wzorca określającego szyfr."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "UWAGA: użycie domyślnych opcji szyfru (%s-%s, rozmiar klucza w bitach %u) może być niezgodne ze starszymi wersjami."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "UWAGA: użycie domyślnych opcji skrótu (%s) może być niezgodne ze starszymi wersjami."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "W trybie zwykłym bez podania klucza zawsze należy użyć opcji --cipher, --key-size, a następnie --hash."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "W trybie zwykłym bez użycia klucza ani pęku kluczy zawsze należy użyć opcji --cipher, --key-size, a następnie --hash."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "UWAGA: Parametr --hash jest ignorowany w trybie zwykłym z podanym plikiem klucza.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "UWAGA: Opcja --keyfile-size jest ignorowana, rozmiar odczytu jest taki sam, jak rozmiar klucza szyfrującego.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "Skanowanie blkid dla %s nie powiodło się."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Wykryto sygnatury urządzeń na %s. Dalsze operacje mogą uszkodzić istniejące dane."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Operacja przerwana.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Wymagana jest opcja --key-file."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Proszę wprowadzić PIM VeraCrypt: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Błędna wartość PIM: błąd składni."
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Błędna wartość PIM: 0."
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Błędna wartość PIM: poza zakresem."
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "Nie wykryto nagłówka urządzenia z tym hasłem."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem BITLK."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Nie można określić rozmiaru klucza wolumenu dla BITLK, proszę użyć opcji --key-size."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2152,7 +2237,7 @@ msgstr ""
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2163,112 +2248,112 @@ msgstr ""
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem FVAULT2."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Nie można określić rozmiaru klucza wolumenu dla FVAULT2, proszę użyć opcji --key-size."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Urządzenie %s jest nadal aktywne i zaplanowane do odroczonego usunięcia.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "Nie udało się ustawić ścieżki tokenów zewnętrznych %s."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Zmiana rozmiaru aktywnego urządzenia wymaga klucza wolumenu w pęku, ale ustawiono opcję --disable-keyring."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr "Test szybkości przerwany."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/D\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iteracji/sekundę dla klucza %zu-bitowego\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/D\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iteracji, pamięć: %5u, równoległe wątki (CPU): %1u dla klucza %zu-bitowego (żądany czas %u ms)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr "Wynik testu wydajności nie jest wiarygodny."
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Testy są przybliżone tylko z użyciem pamięci (bez we/wy na dysk).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s  Algorytm |     Klucz |     Szyfrowanie | Odszyfrowywanie\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Szyfr %s (rozmiar klucza w bitach: %i) nie jest dostępny."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#      Algorytm |     Klucz |     Szyfrowanie | Odszyfrowywanie\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr "N/D"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
 msgstr ""
-"Wybryto nie zabezpieczone metadane ponownego szyfrowania LUKS2. Proszę sprawdzić, czy operacja ponownego szyfrowania jest pożądana (p. wyjście luksDump)\n"
+"Wybryto niezabezpieczone metadane ponownego szyfrowania LUKS2. Proszę sprawdzić, czy operacja ponownego szyfrowania jest pożądana (p. wyjście luksDump)\n"
 "i kontynuować (uaktualnić metadane) tylko jeśli ta operacja ma być faktycznie wykonana."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Hasło do zabezpieczenia i uaktualnienia metadanych ponownego szyfrowania: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Naprawdę kontynuować odtwarzanie ponownego szyfrowania LUKS2?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Hasło do weryfikacji skrótu metadanych ponownego szyfrowania: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Hasło do odtwarzania ponownego szyfrowania: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr "Naprawdę próbować naprawić nagłówek urządzenia LUKS?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2276,164 +2361,175 @@ msgstr ""
 "\n"
 "Wymazywanie przerwane."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
 msgstr ""
 "Czyszczenie urządzenia w celu zainicjowania sumy kontrolnej integralności.\n"
-"Można przerwać ten proces wciskając Ctrl+C (reszta nie wymazanego urządzenia będzie zawierać błędną sumę kontrolną).\n"
+"Można przerwać ten proces wciskając Ctrl+C (reszta niewymazanego urządzenia będzie zawierać błędną sumę kontrolną).\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Nie można dezaktywować urządzenia tymczasowego %s."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "Szyfrowanie wyłącznie sprzętowe OPAL nie obsługuje --cipher i --key-size, opcje zignorowano."
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Opcja integralności może być używana tylko dla formatu LUKS2."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nieobsługiwane opcje rozmiaru metadanych LUKS2."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "OPAL jest obsługiwany tylko dla formatu LUKS2."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Znaczniki hw wbudowane są obsługiwane tylko dla formatu LUKS2."
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Plik nagłówka nie istnieje, czy utworzyć go?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Nie można utworzyć pliku nagłówka %s."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Nie wykryto znanego wzorca określającego integralność."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "Nie można użyć podanego rozmiaru klucza integralności."
+
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Nie można użyć %s jako nagłówka na dysku."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "To nieodwołalnie nadpisze dane na %s."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr "Hasło administratora OPAL nie może być puste."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Nie udało się ustawić parametrów PBKDF."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "Opis typu w opisie pęku kluczy --link-vk-to-keyring jest ignorowany."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "Typy kluczy muszą być takie same dla obu kluczy wolumenu."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Oba klucze wolumenu muszą być dołączone do tego samego pęku kluczy."
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Trzeba podać więcej nazw kluczy."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Błędna wartość --link-vk-to-keyring."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Offset zmniejszonych danych jest dozwolony tylko dla odłączonego nagłówka LUKS."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Kontener plikowy LUKS %s jest zbyt mały do uaktywnienia, nie ma miejsca pozostałego na dane."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Nie można określić rozmiaru klucza wolumenu dla LUKS bez kluczy, proszę użyć opcji --key-size."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Urządzenie wymaga dwóch kluczy wolumenu."
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Niektóre podane parametry aktywacji zostały zignorowane przy szyforwaniu wyłącznie sprzętowym OPAL."
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr "Urządzenie uaktywnione, ale nie można uczynić flag trwałymi."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Klucz %d jest wybrany do usunięcia."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "To jest ostatni klucz. Urządzenie stanie się bezużyteczne po usunięciu tego klucza."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr "Dowolne pozostałe hasło: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operacja przerwana, klucz NIE został wymazany.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr "Hasło do usunięcia: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS2."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr "Nowe hasło dla klucza: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Proszę wprowadzić PIN: "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Proszę wprowadzić PIN tokenu %d: "
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "UWAGA: Parametr --key-slot jest używany do numeru nowego klucza.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Dowolne istniejące hasło: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr "Hasło, które ma być zmienione: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Nowe hasło: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Hasło dla klucza do konwersji: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Dla operacji isLuks obsługiwany jest tylko jeden argument będący urządzeniem."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Miejsce %d nie zawiera niepowiązanego klucza."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2442,52 +2538,52 @@ msgstr ""
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s nie jest nazwą aktywnego urządzenia %s."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s nie jest nazwą aktywnego urządzenia LUKS lub brak nagłówka."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr "Wymagana jest opcja --header-backup-file."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s nie jest urządzeniem zarządzanym przez cryptsetup."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Odświeżanie nie jest obsługiwane dla typu urządzenia %s"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
-msgstr "Nie rozpoznany typ urządzenia metadanych %s."
+msgstr "Nierozpoznany typ urządzenia metadanych %s."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr "Polecenie wymaga urządzenia i nazwy odwzorowywanej jako argumentów."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr "Proszę wprowadzić PSID OPAL: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr "Hasło administratora OPAL: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "UWAGA: CAŁY dysk będzie przywrócony do stanu fabrycznego i wszystkie dane zostaną utracone! Kontynuować?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2496,351 +2592,363 @@ msgstr ""
 "Ta operacja usunię wszystkie klucze na urządzeniu %s.\n"
 "Urządzenie po tej operacji stanie się bezużyteczne."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operacja przerwana, klucze NIE zostały wymazane.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Błędny typ LUKS, obsługiwane są tylko luks1 i luks2."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr "Urządzenie już ma typ %s."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Ta operacja przekonwertuje %s do formatu %s.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operacja przerwana, urządzenie NIE zostało skonwertowane.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Brak opcji --priority, --label lub --subsystem."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d jest błędny."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d jest w użyciu."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Nie udało się dodać tokenu %d do pęku kluczy luks2."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Nie udało się przypisać tokenu %d do klucza %d."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d nie jest w użyciu."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr "Nie udało się zaimportować tokenu z pliku."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Nie udało się pobrać tokenu %d do eksportu."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Token %d nie jest przypisany do klucza %d."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Nie udało się usunąć przypisania tokenu %d do klucza %d."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Opcje --tcrypt-hidden, --tcrypt-system i --tcrypt-backup są obsługiwane tylko dla urządzeń TCRYPT."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Opcje --veracrypt i --disable-veracrypt są obsługiwane tylko dla typu urządzeń TCRYPT."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Opcja --veracrypt-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Opcja --veracrypt-query-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Opcje --veracrypt-pim i --veracrypt-query-pim wykluczają się wzajemnie."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Opcja --persistent nie jest dozwolona z --test-passphrase."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Opcje --refresh i --test-passphrase wykluczają się wzajemnie."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Opcja --shared jest dozwolona tylko dla operacji otwarcia zwykłego urządzenia."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Opcja --skip jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Opcja --offset z akcją open jest obsługiwana tylko dla urządzeń plain i loopaes."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Opcji --tcrypt-hidden nie można łączyć z --allow-discards."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Opcja rozmiaru sektora z akcją open jest obsługiwana tylko dla urządzeń plain."
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Opcja dużych rozmiarów sektorów IV jest obsługiwana tylko przy otwieraniu urządzeń typu plain z sektorem większym niż 512 bajtów."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS, TRCYPT, BITLK i FVAULT2."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Opcji --device-size i --size nie można łączyć."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Opcja --unbound jest dozwolona tylko dla operacji otwarcia urządzenia LUKS."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Opcja --unbound nie może być użyta bez --test-passphrase."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Opcji --volume-key-keyring nie można łączyć z --hash ani --volume-key-file."
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Obie opcje --volume-key-file muszą być sparowane z odpowiednimi opcjami --key-size."
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Opcje --cancel-deferred i --deferred nie mogą być użyte naraz."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Opcji --reduce-device-size i --device-size nie można łączyć."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Opcja --active-name może być ustawiona tylko dla urządzenia LUKS2."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Opcji --active-name i --force-offline-reencrypt nie można łączyć."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Opcji --new-volume-key-file i --keep-key nie można łączyć."
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Opcji --new-volume-key-keyring i --keep-key nie można łączyć."
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr "Wymagane jest określenie klucza."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Opcji --align-payload i --offset nie można łączyć."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Opcja --integrity-no-wipe może być użyta tylko do akcji formatowania z rozszerzeniem integralności."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr "Przy opcji --unbound wymagany jest rozmiar klucza."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr "Błędna akcja token."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Parametr --key-description jest wymagany do akcji dodania tokenu."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Akcja wymaga określonego tokenu. Należy użyć parametru --token-id."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr "Opcja --unbound jest dozwolona tylko dla operacji dodania tokenu."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Opcji --key-slot i --unbound nie można łączyć."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Akcja wymaga określonego klucza. Należy użyć parametru --key-slot."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<uządzenie> [--type <typ>] [<nazwa>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "otwarcie urządzenia jako <nazwa>"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<nazwa>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "zamknięcie urządzenia (usunięcie odwzorowania)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "zmiana rozmiaru aktywnego urządzenia"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr "pokazanie stanu urządzenia"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <szyfr>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr "test szybkości szyfru"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr "<urządzenie>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr "próba naprawy metadanych na dysku"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr "ponowne szyfrowanie urządzenia LUKS2"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr "usunięcie wszystkich kluczy (usunięcie klucza szyfrującego)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "przekonwertowanie formatu LUKS z/do LUKS2"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr "ustawienie opcji trwałej konfiguracji dla LUKS2"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr "<urządzenie> [<nowy plik klucza>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr "sformatowanie urządzenia LUKS"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr "dodanie klucza do urządzenia LUKS"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr "<urządzenie> [<plik klucza>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr "usunięcie podanego klucza lub pliku klucza z urządzenia LUKS"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr "zmiana podanego klucza lub pliku klucza urządzenia LUKS"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr "konwersja klucza na nowe parametry pbkdf"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr "<urządzenie> <numer klucza>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "wymazanie klucza o numerze <numer klucza> z urządzenia LUKS"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr "wypisanie UUID-a urządzenia LUKS"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr "sprawdzenie <urządzenia> pod kątem nagłówka partycji LUKS"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr "zrzut informacji o partycji LUKS"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr "zrzut informacji o urządzeniu TCRYPT"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr "zrzut informacji o urządzeniu BITLK"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr "zrzut informacji o urządzeniu FVAULT2"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Wstrzymanie urządzenia LUKS i wymazanie klucza (zamraża wszystkie operacje we/wy)"
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr "Wznowienie zatrzymanego urządzenia LUKS"
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr "Kopia zapasowa nagłówka i kluczy urządzenia LUKS"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr "Odtworzenie nagłówka i kluczy urządzenia LUKS z kopii zapasowej"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <urządzenie>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr "Operacja na tokenach LUKS2"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2848,7 +2956,7 @@ msgstr ""
 "\n"
 "<akcja> to jedno z:\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2860,7 +2968,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2875,7 +2983,7 @@ msgstr ""
 "<numer klucza> to numer klucza LUKS do zmiany\n"
 "<plik klucza> to opcjonalny plik nowego klucza dla akcji luksAddKey\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
@@ -2884,7 +2992,7 @@ msgstr ""
 "\n"
 "Domyślny wkompilowany format metadanych to %s (dla akcji luksFormat).\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2892,12 +3000,12 @@ msgstr ""
 "\n"
 "Obsługa zewnętrznych wtyczek tokenów LUKS2 jest włączona.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Ścieżka zewnętrznych wtyczek tokenów LUKS2: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2905,7 +3013,7 @@ msgstr ""
 "\n"
 "Obsługa zewnętrznych wtyczek tokenów LUKS2 jest wyłączona.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2922,7 +3030,7 @@ msgstr ""
 "Domyślny PBKDF dla LUKS2: %s\n"
 "\tCzas iteracji: %d, wymagana pamięć: %dkB, liczba wątków: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2937,110 +3045,122 @@ msgstr ""
 "\tplain: %s, bitów klucza: %d, skrót hasła: %s\n"
 "\tLUKS: %s, bitów klucza: %d, skrót nagłówka LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Domyślny rozmiar klucza z trybem XTS (dwa klucze wewnętrzne) będzie podwojony.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: wymaga %s jako argumentów"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Numer klucza jest nieprawidłowy."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Rozmiar urządzenia musi być wielokrotnością 512-bajtowego sektora."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
-msgstr "Błędne określenie maksymalnego rozmiaru strefy hotzone ponownego szyfrowania."
+msgstr "Błędne określenie maksymalnego rozmiaru strefy gorącej ponownego szyfrowania."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Rozmiar klucza musi być wielokrotnością 8 bitów"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Można podać najwyżej 2 określenia rozmiarów kluczy."
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Określono za dużo kluczy wolumenu, można podać najwyżej %d."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Określono za dużo dołączeń pęków kluczy, można podać najwyżej %d."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 1GiB."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Rozmiar ograniczenia musi być wielokrotnością 512-bajtowego sektora."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Opcja --priority może mieć wartości tylko ignore/normal/prefer."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Wyświetlenie tego opisu"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Wyświetlenie krótkiej informacji o składni"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Wypisanie wersji pakietu"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Opcje pomocnicze:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPCJA...] <akcja> <parametry-akcji>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Brak argumentu <akcja>."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Nieznana akcja."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Opcja --key-file ma priorytet nad podanym argumentem pliku klucza."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr "Dozwolony jest tylko jeden argument --key-file."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Funkcja pochodna klucza oparta na haśle (PBKDF) może być tylko pbkdf2 lub argon2i/argon2id."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Wymuszonych iteracji PBKDF nie można łączyć z opcją czasu iteracji."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "Nie można dołączyć klucza wolumenu do pęku kluczy, kiedy pęk kluczy jest wyłączony."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Nie można użyć opisu klucza pęku kluczy, kiedy pęk kluczy jest wyłączony."
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Integralności wbudowanej należy używać wraz z opcją --integrity."
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Opcje --keyslot-cipher i --keyslot-key-size muszą być użyte łącznie."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Nie wykonano akcji. Wywołano z opcją --test-args.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr "Nie można wyłączyć blokowania metadanych."
 
@@ -3068,72 +3188,72 @@ msgstr "Nie można utworzyć pliku głównego hasza %s do zapisu."
 msgid "Cannot write to root hash file %s."
 msgstr "Nie można zapisać pliku głównego hasza %s."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem VERITY."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Nie można odczytać pliku głównego hasza %s."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Błędny plik głównego hasza %s."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "Podano błędny łańcuch głównego hasza."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Błędny plik podpisu %s."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Nie można odczytać pliku klucza %s."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Polecenie wymaga <głównego_hasza> lub opcji --root-hash-file jako argumentu."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<urządzenie_danych> <urządzenie_haszy>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "sformatowanie urządzenia"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<urządzenie_danych> <urządzenie_haszy> [<główny_hasz>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "weryfikacja urządzenia"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<urządzenie_danych> <nazwa> <urządzenie_haszy> [<główny_hasz>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "pokazanie stanu aktywnego urządzenia"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<urządzenie_haszy>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "wyświetlenie informacji z dysku"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3148,7 +3268,7 @@ msgstr ""
 "<urządzenie_haszy> to urządzenie zawierające dane weryfikacyjne\n"
 "<główny_hasz> to hasz głównego węzła na <urządzeniu_haszy>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3159,15 +3279,19 @@ msgstr ""
 "Domyślnie wkompilowane parametry dm-verity:\n"
 "\tHasz: %s, blok danych (bajtów): %u, blok haszy (bajtów): %u, rozmiar zarodka: %u, format haszy: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Opcji --ignore-corruption oraz --restart-on-corruption nie można użyć naraz."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Opcji --panic-on-corruption oraz --restart-on-corruption nie można użyć naraz."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Opcja --error-as-corruption musi być użyta z --panic-on-corruption lub --restart-on-corruption."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3176,29 +3300,33 @@ msgstr ""
 "Ta operacja nieodwracalnie nadpisze dane na %s i %s.\n"
 "Aby zachować urządzenie danych, można użyć opcji --no-wipe (a następnie uaktywnić z --integrity-recalculate)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Sformatowano z rozmiarem znacznika %u, wewnętrzna integralność %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Sformatowano z rozmiarem znacznika %u%s, wewnętrzna integralność %s.\n"
+
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (wbudowane znaczniki hw)"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Ustawianie flagi recalculate nie jest obsługiwane, zamiast tego można rozważyć użycie --wipe."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem INTEGRITY."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<urządzenie_integralności>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<urządzenie_integralności> <nazwa>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3209,7 +3337,7 @@ msgstr ""
 "<nazwa> to urządzenie do utworzenia pod %s\n"
 "<urządzenie_integralności> to urządzenie zawierające dane ze znacznikami integralności\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3222,43 +3350,51 @@ msgstr ""
 "\tAlgorytm sumy kontrolnej: %s\n"
 "\tMaksymalny rozmiar pliku klucza: %dkB\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Błędny rozmiar --%s. Maksimum w bajtach to %u."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku klucza i rozmiaru klucza."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku klucza integralności i rozmiaru klucza."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Algorytm integralności kroniki musi być podany, jeśli używany jest klucz integralności kroniki."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku szyfrowania kroniki i rozmiaru klucza."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Algorytm szyfrowania kroniki musi być podany, jeśli używany jest klucz szyfrowania kroniki."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Opcje trybu odtwarzania i bitmapy wykluczają się wzajemnie."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Opcji kroniki nie można używać w trybie bitmapy."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Opcje bitmapy mogą być używane tylko w trybie bitmapy."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Tryb wbudowany nie może być łączony z opcjami kroniki ani bitmapy."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Tryb wbudowany nie może być łączony z osobnym urządzeniem danych."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3406,6 +3542,14 @@ msgstr "Nie można otworzyć pliku klucza %s do zapisu."
 msgid "Cannot write to keyfile %s."
 msgstr "Nie można zapisać pliku klucza %s."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Nazwa jest zbyt długa."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Nazwa nie może zawierać znaku '/'."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3467,37 +3611,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Sprawdzenie jakości hasła nie powiodło się: błędne hasło (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Odczyt zatrzymał się na maksymalnej długości interaktywnego wejścia, hasło może być skrócone."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Błąd podczas odczytu hasła z terminala."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Weryfikacja hasła: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Hasła nie zgadzają się."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Nie można użyć offsetu, jeśli wejściem jest terminal."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Hasło: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Hasło dla %s: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "Dla tego hasła nie ma dostępnego klucza."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Brak dostępnego miejsca na klucz."
 
@@ -3505,20 +3653,20 @@ msgstr "Brak dostępnego miejsca na klucz."
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Nie można wykonać weryfikacji hasła, jeśli wejściem nie jest terminal."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Nie udało się otworzyć pliku %s tylko do odczytu."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Poprawny token JSON dla LUKS2:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "Nie udało się odczytać pliku JSON."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3526,12 +3674,12 @@ msgstr ""
 "\n"
 "Odczyt przerwany."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Nie udało się otworzyć pliku %s do zapisu."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3539,26 +3687,26 @@ msgstr ""
 "\n"
 "Zapis przerwany."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "Nie udało się zapisać pliku JSON."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Wykryto aktywne urządzenie dm '%s' dla urządzenia danych %s.\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Nie udało się wykryć właścicieli urządzenia %s."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Urządzenie %s nie jest urządzeniem blokowym.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3572,7 +3720,7 @@ msgstr ""
 "Aby uruchomić ponowne szyfrowanie w trybie online, należy użyć parametru\n"
 "--active-name.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3581,45 +3729,49 @@ msgstr ""
 "Urządzenie %s nie jest urządzeniem blokowym. Nie można wykryć, czy jest aktywne.\n"
 "Można użyć --force-offline-reencrypt aby obejść to sprawdzenie i uruchomić w trybie offline (niebezpieczne!)."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Nie można użyć żądanej opcji --resilience do obecnej operacji ponownego szyfrowania."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Urządzenie nie jest w trybie szyfrowania LUKS2. Konflikt opcji --encrypt."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Urządzenie nie jest w trybie odszyfrowywania LUKS2. Konflikt opcji --decrypt."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Urządzenie jest w trybie ponownego szyfrowania z użyciem odporności przesunięcia danych. Nie można użyć żądanej opcji --resilience."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Nie można określić rozmiaru klucza wolumenu dla LUKS bez kluczy, proszę użyć opcji --new-key-size."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Urządzenie wymaga odtwarzania ponownego szyfrowania. Najpierw należy uruchomić naprawę."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Urządzenie %s jest już w trybie ponownego szyfrowania LUKS2. Czy wznowić uprzednio zainicjowaną operację?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Stara wersja ponownego szyfrowania LUKS2 nie jest już obsługiwana."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "Nie można ponownie zaszyfrować urządzenia LUKS2 skonfigurowanego do używania OPAL."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Ponowne szyfrowanie urządzenia z profilem integralności nie jest obsługiwane."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3628,103 +3780,110 @@ msgstr ""
 "Żądany --sector-size %<PRIu32> jest niezgodny z superblokiem %s\n"
 "(rozmiar bloku: %<PRIu32> B), wykrytym na urządzeniu %s."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Szyfrowanie bez odłączonego nagłówka (--header) jest niemożliwe bez ograniczenia rozmiaru urządzenia danych (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Żądany offset danych musi być mniejszy lub równy połowie parametru --reduce-device-size."
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Modyfikowanie wartości --reduce-device-size do dwukrotności parametru --offset %<PRIu64> (w sektorach).\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Plik nagłówka %s już istnieje. Przerwano."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Nie można utworzyć pliku tymczasowego nagłówka %s."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Rozmiar metadanych LUKS2 jest większy niż wartość przesunięcia danych."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Nie udało się umieścić nowego nagłówka na początku urządzenia %s."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s jest teraz aktywne i gotowe do szyfrowania w locie.\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Aktywne urządzenie %s nie jest urządzeniem LUKS2."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Odtwarzanie oryginalnego nagłówka LUKS2."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Odtwarzanie oryginalnego nagłówka LUKS2 nie powiodło się."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Plik nagłówka %s nie istnieje. Czy zainicjować odszyfrowywanie LUKS2 urządzenia %s i eksport nagłówka LUKS2 do pliku %s?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Nie udało się dodać uprawnień odczytu/zapisu do pliku wyeksportowanego nagłówka."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Inicjowanie ponownego szyfrowania nie powiodło się. Kopia zapasowa nagłówka jest dostępna w %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "Odszyfrowanie LUKS2 jest obsługiwane tylko z urządzeniem z odłączonym nagłówkiem (z offsetem danych ustawionym na 0)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Żaden token nie może odblokować urządzenia."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "Za mało wolnych kluczy do ponownego szyfrowania."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Rozmiaru klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Pliku klucza lub opisu klucza pęku kluczy można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Hasło dla klucza %d: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Hasło dla klucza %u: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Zmiana szyfru do szyfrowania danych na %s.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Można użyć --force-no-keyslots, aby ponownie zaszyfrować urządzenie z aktywnymi kluczami przekazując bezpośrednio klucze wolumenu."
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Opcja --new-volume-key-file musi być sparowana z --new-key-size"
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Nie zmieniono parametrów segmentu danych. Ponowne szyfrowanie przerwane."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3732,8 +3891,8 @@ msgstr ""
 "Zwiększanie rozmiaru sektora szyfrowania na urządzeniu offline nie jest obsługiwane.\n"
 "Należy najpierw uaktywnić urządzenie lub użyć opcji --force-offline-reencrypt (niebezpieczna!)."
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3741,67 +3900,67 @@ msgstr ""
 "\n"
 "Ponowne szyfrowanie przerwane."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Wznawianie ponownego szyfrowania LUKS w wymuszonym trybie offline.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Urządzenie %s zawiera uszkodzone metadane LUKS. Przerwano operację."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Urządzenie %s jest już urządzeniem LUKS. Przerwano operację."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Urządzenie %s jest już w trybie ponownego szyfrowania LUKS. Przerwano operację."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr "Odszyfrowanie LUKS2 wymaga opcji --header."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr "Polecenie wymaga urządzenia jako argumentu."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Konflikt wersji. Urządzenie %s jest urządzeniem LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Konflikt wersji. Urządzenie %s jest w trybie ponownego szyfrowania LUKS1."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Konflikt wersji. Urządzenie %s jest urządzeniem LUKS2."
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Konflikt wersji. Urządzenie %s jest w trybie ponownego szyfrowania LUKS2."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane. Przerywanie operacji."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr "Ponowne szyfrowanie urządzenia nie jest w toku."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Nie można otworzyć %s w trybie wyłącznym, urządzenie jest w użyciu."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "Przydzielenie wyrównanego obszaru pamięci nie powiodło się."
 
@@ -3824,11 +3983,11 @@ msgstr "Nie można zapisać na urządzenie %s."
 msgid "Cannot write reencryption log file."
 msgstr "Nie można zapisać pliku logu ponownego szyfrowania."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Nie można odczytać pliku logu ponownego szyfrowania."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Niewłaściwy format logu."
 
@@ -3837,130 +3996,134 @@ msgstr "Niewłaściwy format logu."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Plik logu %s istnieje, wznowienie ponownego szyfrowania.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu starego nagłówka LUKS."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu nowego nagłówka LUKS."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Uaktywnianie urządzeń tymczasowych nie powiodła się."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Nie udało się ustawić offsetu danych."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Nie udało się ustawić rozmiaru metadanych."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Utworzono nowy nagłówek LUKS dla urządzenia %s."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Utworzono kopię zapasową nagłówka %s urządzenia %s."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "Tworzenie kopii zapasowych nagłówków LUKS nie powiodło się."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Nie można odtworzyć nagłówka %s na urządzeniu %s."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Odtworzono nagłówek %s na urządzeniu %s."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Nie można otworzyć tymczasowego urządzenia LUKS."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Nie można pobrać rozmiaru urządzenia."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "Błąd we/wy podczas ponownego szyfrowania."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "Dostarczony UUID jest nieprawidłowy."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Pliku klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Nie można otworzyć pliku logu ponownego szyfrowania."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Nie w trakcie odszyfrowywania; dostarczony UUID może być użyty tylko do wznowienia wstrzymanego procesu odszyfrowywania."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Ponowne szyfrowanie zmieni: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "klucz wolumenu"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "hasz na "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", szyfr na"
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "UWAGA: urządzenie %s już zawiera sygnaturę partycji '%s'.\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "UWAGA: urządzenie %s już zawiera sygnaturę superbloku '%s'.\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Nie udało się zainicjować sond sygnatur urządzeń."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Nie udało się wykonać stat na urządzeniu %s."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Nie udało się otworzyć pliku %s do odczytu i zapisu."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Istniejąca sygnatura partycji '%s' na urządzeniu %s zostanie wymazana."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Istniejąca sygnatura superbloku '%s' na urządzeniu %s zostanie wymazana."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "Nie udało się wymazać sygnatury urządzenia."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Nie udało się sprawdzić sygnatury urządzenia %s."
@@ -3975,6 +4138,50 @@ msgstr "Błędne określenie rozmiaru w parametrze --%s."
 msgid "Option --%s is not allowed with %s action."
 msgstr "Opcja --%s nie jest dozwolona z akcją %s."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Opis typu w opisie pęku kluczy --link-vk-to-keyring jest ignorowany."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Typy kluczy muszą być takie same dla obu kluczy wolumenu."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Oba klucze wolumenu muszą być dołączone do tego samego pęku kluczy."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Trzeba podać więcej nazw kluczy."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Błędna wartość --link-vk-to-keyring."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Binarne dane klucza %d mogą być uszkodzone.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Podejrzana pozycja: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Kolejne podejrzane pozycje zotaną pominięte.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Klucza %d nie można odczytać z urządzenia."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Można użyć hexdump -v -C -n 128 -s <pozycja_0xXXXX> \"%s\", aby zbadać dane.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Nie udało się zapisać danych JSON tokenu SSH."
diff --git a/po/ro.po b/po/ro.po
index 4ec2c98..de84ba4 100644
--- a/po/ro.po
+++ b/po/ro.po
@@ -1,10 +1,10 @@
 # Romanian translation for cryptsetup.
 # Mesajele în limba română pentru pachetul cryptsetup.
-# Copyright © 2023, 2024 Free Software Foundation, Inc.
+# Copyright © 2023, 2024, 2025 Free Software Foundation, Inc.
 # This file is put in the public domain.
 # This file is distributed under the same license as the cryptsetup package.
 #
-# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, 2023, 2024.
+# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, 2023, 2024, 2025.
 #
 # Cronologia traducerii fișierului „cryptsetup”:
 # Traducerea inițială, făcută de R-GC, pentru versiunea cryptsetup 2.6.0-rc1.
@@ -13,14 +13,18 @@
 # Actualizare a traducerii pentru versiunea 2.7.0-rc1, făcută de R-GC, dec-2023.
 # Actualizare a traducerii pentru versiunea 2.7.1-rc0, făcută de R-GC, mar-2024.
 # Actualizare a traducerii pentru versiunea 2.7.3-rc0, făcută de R-GC, iun-2024.
+# Actualizare a traducerii pentru versiunea 2.8.0-rc0, făcută de R-GC, iun-2025.
+# Actualizare a traducerii pentru versiunea 2.8.0-rc1, făcută de R-GC, iun-2025.
+# Actualizare a traducerii pentru versiunea 2.8.1-rc0, făcută de R-GC, aug-2025.
+# Actualizare a traducerii pentru versiunea 2.8.2-rc0, făcută de R-GC, dec-2025.
 # Actualizare a traducerii pentru versiunea Y, făcută de X, Y(luna-anul).
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-07 18:35+0200\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-13 14:14+0100\n"
 "Last-Translator: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>\n"
 "Language-Team: Romanian <translation-team-ro@lists.sourceforge.net>\n"
 "Language: ro\n"
@@ -29,72 +33,80 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n==1 ? 0 : (n==0 || ((n%100) > 0 && (n%100) < 20)) ? 1 : 2);\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Poedit 3.4.3\n"
+"X-Generator: Poedit 3.6\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Nu se poate inițializa «device-mapper», rulând ca utilizator non-root."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Nu se poate inițializa «device-mapper». Este încărcat modulul nucleului, «dm_mod»?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Fanionul de întârziere solicitat nu este acceptat."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID pentru dispozitivul %s a fost trunchiat."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Tip de țintă dm necunoscut."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Opțiunile de performanță dm-crypt solicitate nu sunt acceptate."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Opțiunile de gestionare a corupției datelor dm-verity solicitate nu sunt acceptate."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Opțiunea de tasklets dm-verity solicitată nu este acceptată."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Opțiunile FEC dm-verity solicitate nu sunt acceptate."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Opțiunile de integritate a datelor solicitate nu sunt acceptate."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "Opțiunea sector_size solicitată nu este acceptată."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "Dimensiunea dispozitivului nu este un multiplu al dimensiunii solicitate a sectorului."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Opțiunea integrity_key_size solicitată nu este acceptată."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Recalcularea automată a etichetelor de integritate solicitată nu este acceptată."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr "Înlăturarea/Decuparea(TRIM) nu este acceptată."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Modul de hartă de biți dm-integrity solicitat nu este acceptat."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Modul inline dm-integrity solicitat nu este acceptat."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Nu s-a putut interoga segmentul dm-%s."
@@ -128,747 +140,777 @@ msgstr "Calitatea solicitată pentru generatorul de numere aleatoare(RNG) este n
 msgid "Error reading from RNG."
 msgstr "Eroare la citirea din generatorul de numere aleatorii(RNG)."
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "Suportul pentru OPAL este dezactivat în libcryptsetup."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "Dispozitivul %s sau nucleul nu acceptă criptarea OPAL."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Nu s-a putut inițializa utilitarul de criptare al generatorului de numere aleatorii(RNG)."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Nu s-a putut inițializa utilitarul de criptare ."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Algoritmul sumei de control %s nu este acceptat."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Eroare de procesare a cheii (folosind suma de control %s)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Nu se poate determina tipul de dispozitiv. Activare a dispozitivului incompatibilă?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr "Această operație este acceptată doar pentru dispozitive LUKS."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Această operație este acceptată doar pentru dispozitive LUKS2."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr "Toate sloturile pentru chei sunt ocupate."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Slotul de cheie %d este nu este valid, selectați între 0 și %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Slotul pentru chei %d este ocupat, selectați altul."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea blocului logic al dispozitivului."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Antet detectat, dar dispozitivul %s este prea mic."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr "Această operație nu este suportată pentru acest tip de dispozitiv."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Operație ilegală cu recriptare în curs."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Nu s-au putut reîncărca metadatele LUKS2 în memorie."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Dispozitivul %s nu este un dispozitiv LUKS valid."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Versiunea %d de LUKS nu este acceptată."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "Nu a fost detectat niciun model cunoscut de specificație de cifrare pentru dispozitivul activ %s."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr "Dispozitivul %s nu este activ."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Dispozitivul subiacent pentru dispozitivul criptat %s a dispărut."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Parametrii de criptare simplă sunt incorecți."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Dimensiunea cheii este nevalidă."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID-ul nu este acceptat pentru acest tip de criptare."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Dispozitivul cu metadate detașate nu este acceptat pentru acest tip de criptare."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr "Dimensiunea sectorului de criptare nu este acceptată."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr "Dimensiunea dispozitivului nu este aliniată la dimensiunea sectorului solicitată."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Formatarea LUKS fără dispozitiv nu este posibilă."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Dispozitivul %s divizat în zone nu poate fi utilizat pentru antetul LUKS."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Alinierea datelor solicitată nu este compatibilă cu poziția datelor."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "AVERTISMENT: Dispozitivul DAX poate corupe datele, deoarece nu garantează actualizări atomice ale sectoarelor.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Nu se poate șterge antetul pe dispozitivul %s."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Dispozitivul %s este prea mic pentru activare, nu a mai rămas spațiu pentru date.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Cheia de volum este prea mică pentru criptare cu extensii de integritate."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Dimensiunea cheii de integritate este prea mică."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Cifrul %s-%s (dimensiunea cheii %zd biți) nu este disponibil."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "AVERTISMENT: Activarea dispozitivului va eșua, dm-crypt nu are suport pentru dimensiunea sectorului de criptare solicitată.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr "Dispozitivul %s este prea mic."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Nu se poate formata dispozitivul %s, este în uz."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Nu se poate formata dispozitivul %s; permisiune refuzată."
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Nu se poate formata integritatea pentru dispozitivul %s."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Nu se poate formata dispozitivul %s."
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "Nu se pot obține parametrii de aliniere OPAL."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Dimensiune falsă a blocului logic OPAL."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "Dimensiunea falsă a blocului logic OPAL diferă de dimensiunea blocului dispozitivului."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "Intervalul(offset) de date solicitat nu este compatibil cu dimensiunea blocului OPAL."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "Alinierea datelor solicitată nu este compatibilă cu alinierea OPAL."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "Intervalul datelor nu îndeplinește cerințele de aliniere OPAL."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "Alinierea datelor solicitată nu satisface cerințele de aliniere a intervalului de blocare."
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "Compensarea dimensiunii dispozitivului cu %<PRIu64> sectoare pentru a-l alinia cu gradul de finețe al alinierii OPAL."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "Nu s-a putut obține blocarea OPAL pe dispozitivul %s."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Cheie de administrare OPAL incorectă."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "Nu se poate configura segmentul OPAL."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "Nu se poate formata dispozitivul %s, dispozitivul OPAL pare a fi complet protejat la scriere acum."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "Aceasta este probabil o eroare în firmware. Efectuați reinițierea PSID OPAL și reconectați-vă pentru recuperare."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "Reinițierea intervalului de blocare %d pe dispozitivul %s a eșuat."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Nu se poate formata LOOPAES fără dispozitiv."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Nu se poate formata VERITY fără dispozitiv."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Tip de sumă de control VERITY neacceptat %d."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Dimensiunea blocului VERITY nu este acceptată."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Decalajul sumei de control VERITY nu este acceptat."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Decalajul FEC VERITY nu este acceptat."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "Zona de date se suprapune cu zona de sume de control."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "Zona sumelor de control se suprapune cu zona FEC."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "Zona de date se suprapune cu zona FEC."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Dimensiunea cheii de integritate nu coincide."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "AVERTISMENT: Dimensiunea solicitată a etichetei %d octeți diferă de dimensiunea %s de ieșire (%d octeți).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "A fost solicitat un tip de dispozitiv de criptare necunoscut %s."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "A fost solicitat un tip de dispozitiv %s necunoscut sau neacceptat."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Dispozitivul %s nu furnizează câmpuri de date de integritate în linie „inline”."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Dimensiunea etichetei în linie %<PRIu32> [ cteți] este mai mare decât %<PRIu32> furnizată de dispozitivul %s."
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Sectorul trebuie să fie la fel ca sectorul hardware al dispozitivului (%zu octeți)."
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Parametri neacceptați pentru dispozitivul %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Parametrii nepotriviți în dispozitivul %s."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr "Dispozitivele de criptare nu se potrivesc."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Nu s-a putut reîncărca dispozitivul %s."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Nu s-a putut suspenda dispozitivul %s."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Nu s-a putut reîncărca dispozitivul %s."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Eroare fatală la reîncărcarea dispozitivului %s (în partea superioară a dispozitivului %s)."
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Nu s-a putut comuta dispozitivul %s la dm-error."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr "Nu se poate redimensiona dispozitivul LUKS2 cu o dimensiune statică."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Redimensionarea dispozitivului LUKS2 cu protecție de integritate nu este acceptată."
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr "Nu se poate redimensiona dispozitivul de buclă."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "AVERTISMENT: Dimensiunea maximă a fost deja stabilită sau nucleul nu acceptă redimensionarea.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Redimensionarea nu a reușit, nucleul nu acceptă redimensionarea."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr "Chiar doriți să schimbați UUID-ul dispozitivului?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Fișierul de copie de rezervă pentru antet nu conține un antet LUKS compatibil."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Volumul %s nu este activ."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Volumul %s este deja suspendat."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Suspendarea nu este acceptată pentru dispozitivul %s."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Eroare la suspendarea dispozitivului %s."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Dispozitivul %s a fost suspendat, dar dispozitivul hardware OPAL nu poate fi blocat."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Reluarea activității nu este acceptată pentru dispozitivul %s."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Eroare la reluarea activității dispozitivului %s."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "Nu s-a putut dezlega cheia de volum de la inelul de chei specificat de utilizator."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr "Nu s-a putut leg cheia de volum la inelul de chei specificat de utilizator."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Volumul %s nu este suspendat."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr "Cheia de volum nu se potrivește cu volumul."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr "Nu s-a putut efectua interschimbarea cu noul slot pentru cheie."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Slotul de cheie %d nu este valid."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Slotul de cheie %d nu este activ."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr "Antetul dispozitivului se suprapune cu zona de date."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Recriptare în curs. Nu se poate activa dispozitivul."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr "Nu s-a putut obține blocarea pentru recriptare."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "Recuperarea recriptării LUKS2 utilizând cheia (cheile) de volum a eșuat."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "Nu s-au putut lega cheile de volum la inelul de chei specificat de utilizator."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "Recuperarea recriptării LUKS2 a eșuat."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Tipul de dispozitiv nu este inițializat corect."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr "Dispozitivul %s există deja."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Nu se poate folosi dispozitivul %s, numele este nevalid sau este încă în uz."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Cheile de recriptare a volumului nu se potrivesc cu volumul."
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr "Este specificată o cheie de volum incorectă pentru un dispozitiv cu criptare normală."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Cheile de recriptare a volumului nu se potrivesc cu volumul."
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "Tipul de dispozitiv nu este inițializat corect."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Inelul de chei pentru nucleu nu este acceptat de nucleu actual."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Lipsește inelul de chei pentru nucleu: este necesar pentru transmiterea semnăturii către nucleu."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Nu se poate utiliza cheia inelului de chei %s."
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr "Sumă de control rădăcină incorectă specificată pentru dispozitivul verity."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr "OPAL nu acceptă dezactivarea amânată."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Nu s-a putut anula eliminarea întârziată din dispozitivul %s."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Dispozitivul %s este încă în uz."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Nu s-a putut anula eliminarea întârziată din dispozitivul %s."
+
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr "Dispozitiv nevalid %s."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr "Memoria tampon a cheii de volum este prea mică."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS2."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Nu se poate recupera cheia de volum pentru dispozitivul LUKS1."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Nu se poate recupera tasta de volum pentru dispozitivul normal."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Nu se poate recupera suma de control rădăcină pentru dispozitivul verity."
 
-#: lib/setup.c:6199
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Nu se poate recupera cheia de volum pentru dispozitivul BITLK."
 
-#: lib/setup.c:6204
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Nu se poate recupera cheia de volum pentru dispozitivul FVAULT2."
 
-#: lib/setup.c:6206
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Această operație nu este acceptată pentru dispozitivul criptat %s."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr "Operația de descărcare nu este acceptată pentru acest tip de dispozitiv."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Decalajul datelor nu este multiplu de %u octeți."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Nu se poate converti dispozitivul %s care este încă în uz."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Nu s-a putut atribui slotul %u ca nouă cheie de volum."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Nu s-au putut inițializa parametrii impliciți pentru slotul de cheie LUKS2."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Nu s-a putut aloca slotul de cheie %d pentru a digera."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Nu se poate adăuga slotul pentru cheie, toate sloturile sunt dezactivate și nu este furnizată nicio cheie pentru volum."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "Nu s-a putut încărca cheia în inelul de chei al nucleului."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "Nu s-a putut dezlega cheia de la inelul de chei al firului."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "Nu s-a putut găsi inelul de chei descris de „%s”."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Nu s-a putut obține blocarea de serializare a accesului la memoria-hardwarw globală."
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Nu s-a putut deschide fișierul cheii."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Nu se poate citi fișierul de cheie de la un terminal."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "Nu s-a putut obține starea fișierului de cheie."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Nu se poate căuta poziția fișierului de cheie solicitat."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Memoria epuizată în timpul citirii frazei de acces."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Eroare la citirea frazei de acces."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Nimic de citit la intrare."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Dimensiunea maximă a fișierului de cheie a fost depășită."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Nu se poate citi cantitatea de date solicitată."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Dispozitivul %s nu există sau accesul a fost refuzat."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Dispozitivul %s nu este compatibil."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Se ignoră dimensiunea optimă de transfer de date falsă pentru dispozitivul de date (%u octeți)."
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Dispozitivul %s este prea mic. Aveți nevoie de cel puțin %<PRIu64> octeți."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Nu se poate utiliza dispozitivul %s care este în uz (deja cartografiat sau montat)."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Nu se poate utiliza dispozitivul %s, permisiune refuzată."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Nu se pot obține informații despre dispozitivul %s."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Nu se poate utiliza un dispozitiv loopback, deoarece programul nu rulează cu privilegii de root."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Atașarea dispozitivului de loopback a eșuat (este necesar un dispozitiv de buclă cu fanion de ștergere automată)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Decalajul solicitat depășește dimensiunea reală a dispozitivului %s."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Dispozitivul %s are dimensiune zero."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Ora specificată pentru PBKDF nu poate fi zero."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Tip PBKDF necunoscut %s."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Suma de control solicitată %s nu este acceptată."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Tipul PBKDF solicitat nu este acceptat pentru LUKS1."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Memoria maximă PBKDF sau firele de execuție paralele nu trebuie definite cu pbkdf2."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Numărul de iterații forțate este prea mic pentru %s (minimul este %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Costul memoriei forțate este prea mic pentru %s (minimul este de %u kiloocteți)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Costul maxim de memorie PBKDF solicitat este prea mare (maximul este de %d kiloocteți)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Costul maxim de memorie PBKDF solicitat este prea mare (limitat de dimensiunea maximă întreagă)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Memoria PBKDF maximă solicitată nu poate fi zero."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Costul paralel maxim PBKDF solicitat este prea mare (maximul este %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Firele paralele de execuție PBKDF solicitate nu pot fi zero."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "Doar PBKDF2 este acceptat în modul FIPS."
 
@@ -895,25 +937,25 @@ msgstr "Blocarea a fost anulată. Ruta de blocare %s/%s este inutilizabilă (nu
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Blocarea a fost anulată. Ruta de blocare %s/%s este inutilizabilă (%s nu este un director)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Nu se poate căuta la poziția dispozitivului."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Eroare de ștergere a dispozitivului, decalaj %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "PSID OPAL incorect."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "Nu se poate șterge dispozitivul OPAL."
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -922,47 +964,47 @@ msgstr ""
 "Nu s-a putut configura asocierea cheii dm-crypt la dispozitivul %s.\n"
 "Verificați dacă nucleul acceptă cifrul %s (verificați syslog pentru mai multe informații)."
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Dimensiunea cheii în modul XTS trebuie să fie de 256 sau 512 biți."
 
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Specificațiile de cifrare ar trebui să fie în formatul [cifrarea]-[mod]-[iv]."
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Nu se poate scrie în dispozitivul %s, permisiune refuzată."
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr "Nu s-a putut deschide dispozitivul pentru stocarea temporară a cheilor."
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr "Nu s-a putut accesa dispozitivul pentru stocarea temporară a cheilor."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Eroare de In/Ieș în timpul criptării slotului de cheie."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Nu s-a putut deschide dispozitivul %s."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Eroare de In/Ieș la decriptarea slotului de cheie."
 
@@ -978,32 +1020,32 @@ msgstr "Dispozitivul %s este prea mic. (LUKS1 necesită cel puțin %<PRIu64> oct
 msgid "LUKS keyslot %u is invalid."
 msgstr "Slotul de cheie LUKS %u nu este valid."
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Fișierul de copie de rezervă pentru antetul solicitat %s există deja."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Nu se poate crea fișierul de copie de rezervă al antetului %s."
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Nu se poate scrie fișierul de copie de rezervă al antetului %s."
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Fișierul de copie de rezervă nu conține antet LUKS valid."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Nu se poate deschide fișierul de copie de rezervă al antetului %s."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Nu se poate citi fișierul de copie de rezervă al antetului %s."
@@ -1025,7 +1067,7 @@ msgstr "nu conține antetul LUKS. Înlocuirea antetului poate distruge datele de
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "conține deja antetul LUKS. Înlocuirea antetului va distruge sloturile de chei existente."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1052,7 +1094,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Cifrul sumei de control(hash) reparat la minuscule (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Suma de control(hash) LUKS solicitată %s nu este acceptată."
@@ -1099,7 +1141,7 @@ msgstr "Modul de cifrare LUKS %s este nevalid."
 msgid "LUKS hash %s is invalid."
 msgstr "Suma de control(hash) LUKS %s nu este validă."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr "Nu s-a detectat nicio problemă cunoscută pentru antetul LUKS."
 
@@ -1113,17 +1155,17 @@ msgstr "Eroare în timpul actualizării antetului LUKS pe dispozitivul %s."
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Eroare la recitirea antetului LUKS după actualizare pe dispozitivul %s."
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Decalajul datelor pentru antetul LUKS trebuie să fie 0 sau mai mare decât dimensiunea antetului."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Formatul UUID LUKS furnizat este greșit."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Nu se poate crea antetul LUKS: citirea datelor «salt» aleatoare a eșuat."
 
@@ -1132,48 +1174,48 @@ msgstr "Nu se poate crea antetul LUKS: citirea datelor «salt» aleatoare a eșu
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Nu se poate crea antetul LUKS: calcularea sumei de control a antetului a eșuat (folosind suma de control(hash) %s)."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Slot de cheie %d activ, curățați mai întâi."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Materialul de la slotul de cheie %d nu are suficiente benzi. Antetul a fost manipulat?"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Depășire a valorii de iterație a PBKDF2."
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Nu se poate deschide slotul de cheie (folosind suma de control(hash) %s)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Slotul de cheie %d nu este valid, selectați slotul de cheie între 0 și %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Nu se poate șterge dispozitivul %s."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Fișierul cheie criptat GPG, detectat, nu este încă acceptat."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Utilizați «gpg --decrypt <fișier_cheie>» | «cryptsetup --keyfile=-...»\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "S-a detectat un fișier de cheie loop-AES incompatibil."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Nucleul nu acceptă asocierea compatibilă cu bucla loop-AES."
 
@@ -1192,168 +1234,197 @@ msgstr "Lungimea maximă a frazei de acces TCRYPT (%zu) a fost depășită."
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Algoritmul sumei de control(hash) PBKDF2 %s nu este disponibil, se omite."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr "Interfața necesară de criptare a nucleului nu este disponibilă."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Asigurați-vă că aveți modulul nucleului «algif_skcipher», încărcat."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Activarea nu este acceptată pentru dimensiunea sectorului de %d."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Nucleul nu acceptă activarea pentru acest mod vechi TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Se activează criptarea sistemului TCRYPT pentru partiția %s."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Nu se poate determina decalajul partiției de sistem TCRYPT, se activează întreaga zonă criptată."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Nu se poate determina decalajul partiției de sistem TCRYPT, se activează dispozitivul ca partiție de sistem."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Nucleul nu acceptă asocierea compatibilă cu TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Această funcție nu este acceptată fără încărcarea antetului TCRYPT."
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Tip neașteptat de intrare de metadate „%u” găsit la analizarea cheii master de volum acceptate."
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "S-a găsit șir nevalid la analizarea cheii master de volum."
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Șir neașteptat („%s”) găsit la analizarea cheii master de volum acceptate."
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Valoare neașteptată a intrării de metadate „%u” a fost găsită la analizarea cheii master de volum acceptate."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr "Versiunea 1 BITLK nu este acceptată în prezent."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Semnătură de pornire nevalidă sau necunoscută pentru dispozitivul BITLK."
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Dimensiunea sectorului neacceptată, %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Nu s-a putut citi antetul BITLK de la %s."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "Nu s-a putut citi sau valida copia metadatelor BITLK FVE #%d din %s."
+
+#: lib/bitlk/bitlk.c:603
+#, c-format
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "Nu s-au putut citi și valida metadatele BITLK FVE din %s."
+
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "Nu s-a putut valida locația metadatelor BITLK FVE din %s."
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "Metadatele BITLK FVE s-au modificat între citirile din %s."
+
+#: lib/bitlk/bitlk.c:628
+#, c-format
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "Eșec la calcularea/verificarea sumelor de control ale metadatelor BITLK FVE citite din %s."
+
+#: lib/bitlk/bitlk.c:644
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "Nu s-au putut citi metadatele BITLK FVE de la %s."
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "Nu s-au putea analiza metadatele de validare BITLK FVE din %s."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr "Tip de criptare necunoscut sau neacceptat."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
-msgstr "Nu s-au putut citi intrările de metadate BITLK de la %s."
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "Nu s-au putut verifica intrările de metadate BITLK citite anterior din %s."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr "Nu s-a putut converti descrierea volumului BITLK"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Tip neașteptat de intrare de metadate „%u” găsit la analizarea cheii externe."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "GUID-ul fișierului BEK „%s”, nu se potrivește cu GUID-ul volumului."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Valoare neașteptată a intrării metadatelor „%u”, a fost găsită la analizarea cheii externe."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Versiune neacceptată de metadate BEK %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Dimensiune neașteptată a metadatelor BEK %<PRIu32>, nu se potrivește cu lungimea fișierului BEK"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Intrare neașteptată de metadate găsită la analizarea cheii de pornire."
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr "Această operație nu este acceptată."
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr "Dimensiune neașteptată a datelor cheii."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Acest dispozitiv BITLK este într-o stare neacceptată și nu poate fi activat."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Dispozitivele BITLK de tip „%s” nu pot fi activate."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "Activarea dispozitivului BITLK parțial decriptat nu este acceptată."
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "AVERTISMENT: dimensiunea volumului BitLocker %<PRIu64> nu se potrivește cu dimensiunea dispozitivului subiacent %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Nu se poate activa dispozitivul, modulul nucleului «dm-crypt» nu are suport pentru BITLK IV."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Dispozitivul nu poate fi activat, modulul nucleului «dm-crypt» nu are suport pentru difuzorul BITLK Elephant."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Dispozitivul nu poate fi activat, nucleul dm-crypt nu are suport pentru dimensiune mare a sectorului."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Dispozitivul nu se poate activa, modulul nucleului, «dm-zero», lipsește."
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Nu s-au putut citi %u octeți din antetul volumului."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Versiune FVAULT2 neacceptată %<PRIu16>."
@@ -1390,24 +1461,24 @@ msgstr "Verificarea semnăturii sumei de verificare(hash) rădăcină nu este ac
 msgid "Root hash signature required."
 msgstr "Este necesară semnătura de sumă de control rădăcină."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Erorile nu pot fi reparate cu dispozitivul FEC."
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "S-au găsit %u erori reparabile cu dispozitivul FEC."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Nucleul nu acceptă asocierea dm-verity."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Nucleul nu acceptă opțiunea de semnătură dm-verity."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Dispozitivul verity a detectat corupție după activare."
 
@@ -1430,23 +1501,23 @@ msgstr "Verificarea a eșuat la poziția %<PRIu64>."
 msgid "Hash area overflow."
 msgstr "Debordare a zonei sumei de control(hash)."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Verificarea zonei de date a eșuat."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Verificarea sumei de control(hash) rădăcină a eșuat."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Eroare de intrare/ieșire la crearea zonei de sumă de control(hash)."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "Crearea zonei de sumă de control(hash) a eșuat."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "AVERTISMENT: Nucleul nu poate activa dispozitivul dacă dimensiunea blocului de date depășește dimensiunea paginii (%u)."
@@ -1496,34 +1567,38 @@ msgstr "Lungimea segmentului FEC nu este validă."
 msgid "Failed to determine size for device %s."
 msgstr "Nu s-a putut determina dimensiunea pentru dispozitivul %s."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Metadate incompatibile cu modulul nucleului «dm-integrity» (versiunea %u) detectate pe %s."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Nucleul nu acceptă asocierea dm-integrity."
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Nucleul nu acceptă alinierea metadatelor fixe dm-integrity."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Nucleul refuză să activeze opțiunea de recalculare nesigură (consultați opțiunile de activare vechi pentru a le înlocui)."
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Nucleul nu acceptă modul în linie „inline” dm-integrity."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Nu s-a putut obține blocarea la scriere pe dispozitivul %s."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "S-a detectat o încercare de actualizare concomitentă a metadatelor LUKS2. Se abandonează operația."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1531,59 +1606,63 @@ msgstr ""
 "Dispozitivul conține semnături ambigue, nu se poate recupera automat LUKS2.\n"
 "Rulați «cryptsetup repair» pentru recuperare."
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "AVERTISMENT: zona sloturilor de chei (%<PRIu64> octeți) este foarte mică, numărul de sloturi de chei LUKS2 disponibil este foarte limitat.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Decalajul de date solicitat este prea mic."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "AVERTISMENT: dimensiunea metadatelor LUKS2 s-a schimbat la %<PRIu64> octeți.\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "AVERTISMENT: dimensiunea zonei sloturilor de chei LUKS2 s-a schimbat la %<PRIu64> octeți.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Nu s-a putut obține blocarea pentru citire pe dispozitivul %s."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "Eticheta este prea lungă."
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Cerințe LUKS2 interzise detectate în copia de rezervă %s."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Decalajul datelor diferă între dispozitiv și copia de rezervă, restaurare eșuată."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Antetul binar cu dimensiunea zonelor sloturilor pentru chei diferă între dispozitiv și copia de rezervă, restaurare eșuată."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Dispozitiv %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "nu conține antetul LUKS2. Înlocuirea antetului poate distruge datele de pe acest dispozitiv."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "conține deja antetul LUKS2. Înlocuirea antetului va distruge sloturile de chei existente."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1593,7 +1672,7 @@ msgstr ""
 "AVERTISMENT: cerințe necunoscute LUKS2 detectate în antetul dispozitivului real!\n"
 "Înlocuirea antetului cu copia de rezervă poate deteriora datele de pe acest dispozitiv!"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1603,111 +1682,111 @@ msgstr ""
 "AVERTISMENT: Recriptare „offline” nefinalizată detectată pe dispozitiv!\n"
 "Înlocuirea antetului cu copia de rezervă poate deteriora datele."
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "S-a ignorat fanionul necunoscut %s."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Lipsește cheia pentru segmentul dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr "Nu s-a putut definii segmentul dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr "Nu s-a putut definii segmentul dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "Nu s-a detectat niciun model de specificație de cifrare cunoscut în antetul LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr "Dispozitivul OPAL trebuie să aibă dimensiunea dispozitivului statică."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "Dispozitivul OPAL criptat cu integritate trebuie să fie mai mic decât intervalul de blocare."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr "Dispozitivul OPAL trebuie să aibă aceeași dimensiune ca și intervalul de blocare."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "Dispozitivul OPAL %s este deja deblocat.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr "Configurație de integritate a dispozitivului neacceptată."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "Dispozitiv dm-integrity subiacent cu sectoare de date neașteptate furnizate."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Recriptare în curs. Nu se poate dezactiva dispozitivul."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Nu s-a putut înlocui dispozitivul suspendat %s cu ținta dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "Dispozitivul %s a fost dezactivat, dar dispozitivul hardware OPAL nu poate fi blocat."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "Nu s-au putut citi cerințele LUKS2."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Au fost detectate cerințe LUKS2 neîndeplinite."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Operație incompatibilă cu dispozitivul marcat pentru recriptare învechită. Se abandonează."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Operație incompatibilă cu dispozitivul marcat pentru recriptare LUKS2. Se abandonează."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Operație incompatibilă cu dispozitivul care utilizează OPAL. Se abandonează."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Operație incompatibilă cu dispozitivul care utilizează etichete HW în linie. Se abandonează."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Nu există suficientă memorie disponibilă pentru a deschide un slot de cheie."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Deschiderea slotului de cheie a eșuat."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Nu se poate utiliza cifrul %s-%s pentru criptarea slotului de cheie."
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Memorie insuficientă pentru derivarea cheilor slotului de chei."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Algoritmul sumei de control(hash) %s nu este disponibil."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "Avertisment: operația pe slotul de chei poate eșua, deoarece necesită mai mult decât memoria disponibilă.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr "Nu există spațiu pentru noul slot de cheie."
 
@@ -1733,428 +1812,438 @@ msgstr "Nu se poate verifica starea dispozitivului cu uuid: %s."
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Nu s-a putut converti antetul cu metadate suplimentare LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Nu se poate utiliza specificația de cifrare %s-%s pentru LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Nu se poate utiliza specificația de cifrare %s-%s pentru slotul de chei LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Nu se poate muta zona slotului pentru chei. Spațiu insuficient."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Nu se poate converti în format LUKS2 - metadate nevalide."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Nu se poate muta zona slotului pentru chei. Zona sloturilor pentru chei LUKS2 este prea mică."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Nu se poate muta zona slotului pentru chei."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nu se poate converti în format LUKS1 - dimensiunea implicită a sectorului de criptare al segmentului nu este de 512 octeți."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nu se poate converti în formatul LUKS1 - calcularea sumelor de control ale slotului de cheie nu este compatibilă cu LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nu se poate converti în formatul LUKS1 - dispozitivul folosește cifrul de cheie încapsulat %s."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Nu se poate converti în formatul LUKS1 - dispozitivul utilizează mai multe segmente."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nu se poate converti în formatul LUKS1 - antetul LUKS2 conține %u jetoane(tokens)."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Nu se poate converti în formatul LUKS1 - nu există sloturi de chei active."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u este într-o stare nevalidă."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u nu este legat."
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nu se poate converti în formatul LUKS1 - slotul %u (peste sloturile maxime) este încă activ."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Nu se poate converti în formatul LUKS1 - slotul de cheie %u nu este compatibil cu LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Dimensiunea zonei „fierbinți” (active) trebuie să fie multiplu al alinierii zonei calculate (%zu octeți)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Dimensiunea dispozitivului trebuie să fie multiplu al alinierii zonei calculate (%zu octeți)."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Nu s-a putut inițializa vechea încapsulare de stocare a segmentului."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Nu s-a putut inițializa noua încapsulare de stocare a segmentului."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
 msgstr "Nu s-a putut inițializa protecția zonei „fierbinți” (active)."
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
 msgstr "Nu s-au putut citii sumele de control pentru zona „fierbinte” (activă) actuală."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Nu s-a putut citi zona „fierbinte” (activă) începând cu %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Nu s-a putut decripta sectorul %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Nu s-a putut recupera sectorul %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Dimensiunile dispozitivelor sursă și țintă nu se potrivesc. Sursa %<PRIu64>, ținta: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Nu s-a putut activa zona „fierbinte” (activă) a dispozitivului %s."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "Nu s-a putut aloca dispozitivul de zonă „fierbinte” (hotzone) %s."
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Nu s-a putut activa dispozitivul de suprapunere %s cu tabelul de origine actual."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Nu s-a putut încărca noua asociere pentru dispozitivul %s."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Nu s-a putut reîmprospăta stiva de dispozitive de recriptare."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr "Nu s-a putut definii dimensiunea zonei noilor sloturi pentru chei."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Valoarea deplasării datelor nu este aliniată la dimensiunea sectorului de criptare (%<PRIu32> octeți)."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Modul de adaptabilitate neacceptat %s"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Dimensiunea segmentului mutat nu poate fi mai mare decât valoarea deplasării de date."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr "Parametri de adaptabilitate de recriptare nevalizi."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Segmentul mutat este prea mare. Dimensiunea solicitată este de %<PRIu64>, iar spațiul disponibil pentru aceasta este de: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr "Nu s-a putut șterge tabelul."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Deplasarea datelor (%<PRIu64> sectoare) este mai mică decât decalajul viitor al datelor (%<PRIu64> sectoare)."
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
 msgid "Reduced data size is larger than real device size."
 msgstr "Dimensiunea redusă a datelor este mai mare decât dimensiunea dispozitivului real."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Dispozitivul de date nu este aliniat la dimensiunea sectorului de criptare (%<PRIu32> octeți)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Deplasarea datelor (%<PRIu64> sectoare) este mai mică decât decalajul viitor al datelor (%<PRIu64> sectoare)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Nu s-a putut deschide %s în modul exclusiv (deja cartografiat sau montat)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Dispozitivul nu este marcat pentru recriptarea LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Nu s-a putut încărca contextul de recriptare LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "Nu s-a putut obține stadiul recriptării."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr "Dispozitivul nu se află în recriptare."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr "Procesul de recriptare rulează deja."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr "Nu s-a putut obține blocarea pentru recriptare."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Nu se poate continua cu recriptarea. Rulați mai întâi recuperarea recriptării."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Dimensiunea dispozitivului activ și dimensiunea de recriptare solicitată nu se potrivesc."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Dimensiunea dispozitivului solicitată în parametrii de recriptare este incorectă."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Recriptare în curs. Nu se poate efectua recuperarea."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Recuperarea recriptării LUKS2 a eșuat."
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "Nu s-a putut inițializa stiva dispozitivului de recriptare."
+
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Recriptare LUKS2 deja inițializată în metadate."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Nu s-a putut inițializa recriptarea LUKS2 în metadate."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "Recriptarea nu este acceptată pentru dispozitivele DAX (memorie persistentă)."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "Nu s-a putut citi expresia de acces din inelul de chei."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Nu s-au putut definii segmentele dispozitivului pentru următoarea zonă „fierbinte” (activă) de recriptare."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Nu s-au putut scrie metadatele adaptabilității recriptării."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr "Decriptarea a eșuat."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Nu s-a putut scrie zona „fierbinte” (activă) începând de la %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr "Nu s-au putut sincroniza datele."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Nu s-au putut actualiza metadatele după finalizarea zonei „fierbinți” (active) de recriptare actuală."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr "Nu s-au putut scrie metadatele LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
 msgstr "Nu s-a putut șterge zona nefolosită a dispozitivului de date."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Nu s-a putut elimina slotul de cheie neutilizat (neasociat) %d."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr "Nu s-a putut elimina slotul de cheie de recriptare."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Eroare fatală la recriptarea porțiunii începând de la %<PRIu64>, %<PRIu64> sectoare lungi."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr "Recriptarea «online» a eșuat."
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Nu reluați dispozitivul decât dacă este înlocuit manual cu ținta erorii."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Nu se poate continua cu recriptarea. Stare neașteptată a recriptării."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr "Context de recriptare lipsă sau nevalid."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "Nu s-a putut inițializa stiva dispozitivului de recriptare."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr "Nu s-a putut actualiza contextul de recriptare."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Metadatele de recriptare sunt nevalide."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "Intervalul OPAL %d poziția %<PRIu64> nu se potrivește cu valorile așteptate %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "Intervalul OPAL %d lungime %<PRIu64> nu se potrivește cu lungimea dispozitivului %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "Intervalul OPAL %d de blocare este dezactivat."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "Stare de blocare neașteptată a intervalului OPAL %d."
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametrii de criptare a slotului de cheie pot fi stabiliți numai pentru dispozitivul LUKS2."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Introduceți codul PIN al jetonului: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Introduceți codul PIN al jetonului(token) %d: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Parametrii de criptare a slotului de chei nu sunt compatibili cu criptarea slotului de chei LUKS2."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Nu s-a detectat niciun model de specificație de cifrare cunoscut."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "AVERTISMENT: Se utilizează opțiunile implicite pentru cifrare (%s-%s, dimensiunea cheii %u biți) care ar putea fi incompatibile cu versiunile mai vechi."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "AVERTISMENT: Se utilizează opțiunile implicite pentru suma de control „hash” (%s) care ar putea fi incompatibile cu versiunile mai vechi."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "Pentru modul simplu, utilizați întotdeauna opțiunile „--cipher”, „--key-size” și dacă nu este folosit fișierul de chei, atunci și opțiunea „--hash”."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "Pentru modul simplu, utilizați întotdeauna opțiunile „--cipher”, „--key-size” și dacă nu este folosit fișierul de chei sau inelul de chei, atunci și opțiunea „--hash”."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "AVERTISMENT: Parametrul „--hash” este ignorat în modul simplu, cu fișierul de cheie specificat.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "AVERTISMENT: Opțiunea „--keyfile-size” este ignorată, dimensiunea de citire este aceeași cu dimensiunea cheii de criptare.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "Scanarea «blkid» a eșuat pentru %s."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "S-au detectat semnături de dispozitiv pe %s. Continuarea operației, riscă să deterioreze datele existente."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Operația se întrerupe.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Opțiunea „--key-file” este necesară."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Introduceți PIM-ul VeraCrypt: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Valoare PIM nevalidă: eroare de analizare."
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Valoare PIM nevalidă: 0."
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Valoare PIM nevalidă: în afara intervalului."
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "Nu a fost detectat niciun antet de dispozitiv cu această frază de acces."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Dispozitivul %s nu este un dispozitiv BITLK valid."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Nu se poate determina dimensiunea cheii de volum pentru BITLK; utilizați opțiunea „--key-size” pentru a o furniza."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2164,7 +2253,7 @@ msgstr ""
 "care permite accesul la partiția criptată fără fraza de acces.\n"
 "Acest conținut ar trebui să fie întotdeauna stocat criptat într-un loc sigur."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2174,110 +2263,110 @@ msgstr ""
 "care permite accesul la partiția criptată fără fraza de acces.\n"
 "Acest conținut ar trebui să fie întotdeauna stocat criptat într-un loc sigur."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Dispozitivul %s nu este un dispozitiv FVAULT2 valid."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Nu se poate determina dimensiunea cheii de volum pentru FVAULT2; utilizați opțiunea „--key-size” pentru a o furniza."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Dispozitivul %s este încă activ și programat pentru eliminare temporizată.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "Nu s-a putut definii ruta jetoanelor(tokens) externe %s."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Redimensionarea dispozitivului activ necesită cheia de volum în inelul de chei, dar opțiunea „--disable-keyring” este furnizată."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr "Testarea pentru evaluarea performanței a fost întreruptă."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     (neaplicabil)\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iterații pe secundă pentru cheia %zu-bit\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s (neaplicabil)\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iterații, %5u memorie, %1u fire paralele (CPU-uri) pentru cheia %zu-bit (timpul necesitat %u ms)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr "Rezultatul testului de evaluare a performanței nu este fiabil."
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Testele sunt aproximative folosind doar memoria (fără In/Ieș de stocare).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algoritm |     Cheie |        Criptare |      Decriptare\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Cifrarea %s (cu cheie de %i biți) nu este disponibilă."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algoritm |     Cheie |        Criptare |      Decriptare\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr "nedisponibil"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
 msgstr "Au fost detectate metadate neprotejate de recriptare LUKS2. Verificați că operațiunea de recriptare este de dorit (consultați ieșirea luksDump) și continuați (să actualizați metadatele) numai dacă recunoașteți operația ca fiind autentică."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Introduceți fraza de acces pentru a proteja și actualiza metadatele de recriptare: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Continuați cu adevărat cu recuperarea recriptării LUKS2?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Introduceți fraza de acces pentru a verifica calcularea sumele de control a metadatelor de recriptare: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Introduceți fraza de acces pentru recuperarea recriptării: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr "Încercați cu adevărat să reparați antetul dispozitivului LUKS?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2285,7 +2374,7 @@ msgstr ""
 "\n"
 "Ștergere întreruptă."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2293,156 +2382,167 @@ msgstr ""
 "Se șterge dispozitivul pentru a inițializa calcularea sumei de control a integrității.\n"
 "Puteți întrerupe acest lucru apăsând CTRL+c (restul dispozitivului care nu este șters va conține o sumă de control nevalidă).\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Nu se poate dezactiva dispozitivul temporar %s."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "Criptarea OPAL hw-only nu acceptă „--cipher” și „--key-size”, opțiunile sunt ignorate."
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Opțiunea de integritate poate fi utilizată numai pentru formatul LUKS2."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Opțiuni de dimensiune a metadatelor LUKS2 neacceptate."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "OPAL este acceptat numai pentru formatul LUKS2."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Etichetele hw în linie „inline” sunt acceptate numai pentru formatul LUKS2."
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Fișierul antet nu există, doriți să îl creați?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Nu se poate crea fișierul antet %s."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Nu a fost detectat niciun model de specificație de integritate cunoscut."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "Nu se poate utiliza dimensiunea specificată a cheii de integritate."
+
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Nu se poate folosi %s ca antet pe disc."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Acest lucru va suprascrie datele de pe %s în mod irevocabil."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr "Parola de administrator OPAL nu poate fi goală."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Nu s-au putut definii parametrii pbkdf."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "Specificația tipului din specificația pentru inelul de chei „--link-vk-to-keyring” este ignorată."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "Tipurile de chei trebuie să fie aceleași pentru ambele chei de volum."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Ambele chei de volum trebuie să fie conectate la același inel de chei."
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Trebuie să furnizați mai multe nume de chei."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Valoare nevalidă a opțiunii „--link-vk-to-keyring”."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Decalajul redus de date este permis numai pentru antetul LUKS detașat."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Containerul de fișiere LUKS %s este prea mic pentru activare, nu mai rămâne spațiu pentru date."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Nu se poate determina dimensiunea cheii de volum pentru LUKS fără sloturi de chei; folosiți opțiunea „--key-size” pentru a furniza aceste date."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Dispozitivul necesită două chei de volum."
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Unii parametri de activare specificați au fost ignorați cu criptarea OPAL hw-only."
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr "Dispozitivul a fost activat, dar nu se poate face ca fanioanele să fie persistente."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Slotul de cheie %d este selectat pentru ștergere."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Acesta este ultimul slot de cheie. Dispozitivul va deveni inutilizabil după eliminarea acestei chei."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr "Introduceți orice frază de acces rămasă: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operația a fost întreruptă, slotul de cheie NU a fost șters.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr "Introduceți fraza de acces pentru a fi ștearsă: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Dispozitivul %s nu este un dispozitiv LUKS2 valid."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr "Introduceți noua frază de acces pentru slotul de cheie: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Introduceți codul PIN al jetonului: "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Introduceți codul PIN al jetonului(token) %d: "
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "AVERTISMENT: Parametrul „--key-slot” este utilizat pentru noul număr de slot de cheie.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Introduceți orice frază de acces existentă: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr "Introduceți fraza de acces pentru a fi schimbată: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Introduceți nouă frază de acces: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Introduceți fraza de acces pentru slotul de cheie care urmează să fie convertit: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Doar un singur dispozitiv este admis ca argument pentru operația isLuks."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Slotul de cheie %d nu conține o cheie neasociată."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2450,52 +2550,52 @@ msgstr ""
 "Conținutul antetului cu cheia neasociată este o informație sensibilă.\n"
 "Acest conținut ar trebui să fie stocat criptat într-un loc sigur."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s nu este numele dispozitivului activ %s."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s nu este numele unui dispozitiv LUKS activ sau antetul lipsește."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr "Este necesară opțiunea „--header-backup-file”."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s nu este un dispozitiv gestionat de «cryptsetup»."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Reîmprospătarea nu este disponibilă pentru tipul de dispozitiv %s"
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Tip de dispozitiv de metadate nerecunoscut %s."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr "Comanda necesită un dispozitiv și numele asociat acestuia ca argumente."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr "Introduceți PSID OPAL: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr "Introduceți parola de administrator OPAL: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "AVERTISMENT: ÎNTREGUL disc va fi reinițializat la valorile din fabrică și toate datele se vor pierde! Continuați?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2504,351 +2604,363 @@ msgstr ""
 "Această operație va șterge toate sloturile de chei de pe dispozitivul %s.\n"
 "Dispozitivul va deveni inutilizabil după această operație."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operația a fost întreruptă, sloturile de chei NU au fost șterse.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Tip LUKS nevalid, numai luks1 și luks2 sunt acceptate."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr "Dispozitivul este deja de tip %s."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Această operație va converti %s în formatul %s.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operația a fost întreruptă, dispozitivul NU a fost convertit.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Opțiunea „--priority”, „--label” sau „--subsystem” lipsește."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Jetonul(token) %d nu este valid."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr "Jetonul(token) %d este în uz."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Nu s-a putut adăuga jetonul(token) %d la inelul de chei luks2."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Nu s-a putut atribui jetonul(token) %d slotului pentru cheie %d."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Jetonul %d nu este în uz."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr "Nu s-a putut importa jetonul din fișier."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Nu s-a putut obține jetonul %d pentru export."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Jetonul %d nu este alocat slotului de cheie %d."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Nu s-a putut anula atribuirea jetonului %d din slotul de cheie %d."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Opțiunea „--tcrypt-hidden”, „--tcrypt-system” sau „--tcrypt-backup” este acceptată doar pentru dispozitivele TCRYPT."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Opțiunea „--veracrypt” sau „--disable-veracrypt” este acceptată numai pentru tipul de dispozitiv TCRYPT."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Opțiunea „--veracrypt-pim” este acceptată numai pentru dispozitivele compatibile cu VeraCrypt."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Opțiunea „--veracrypt-query-pim” este acceptată numai pentru dispozitivele compatibile cu VeraCrypt."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Opțiunile „--veracrypt-pim” și „--veracrypt-query-pim” se exclud reciproc."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Opțiunea „--persistent” nu este permisă cu opțiunea „--test-passphrase”."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Opțiunile „--refresh” și „--test-passphrase” se exclud reciproc."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Opțiunea „--shared” este permisă numai pentru deschiderea unui dispozitiv simplu."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Opțiunea „--skip” este acceptată numai pentru deschiderea dispozitivelor simple și a dispozitivelor loopaes."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Opțiunea „--offset” cu acțiune de deschidere este acceptată numai pentru dispozitivele simple și dispozitivele loopaes."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Opțiunea „--tcrypt-hidden” nu poate fi combinată cu opțiunea „--allow-discards”."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Opțiunea de dimensiune a sectorului cu acțiune de deschidere este acceptată numai pentru dispozitivele simple."
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Opțiunea sectoare IV (vector de inițializare) mari este acceptată numai pentru deschiderea dispozitivelor de tip simplu, cu dimensiunea sectorului mai mare de 512 de octeți."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Opțiunea „--test-passphrase” este permisă numai pentru deschiderea dispozitivelor LUKS, TCRYPT, BITLK și FVAULT2."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Opțiunile „--device-size” și „--size” nu pot fi combinate."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Opțiunea „--unbound” este permisă numai pentru deschiderea dispozitivelor luks."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Opțiunea „--unbound” nu poate fi utilizată fără opțiunea „--test-passphrase”."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Opțiunea „--volume-key-keyring” nu poate fi combinată cu opțiunea „--hash” sau cu opțiunea „--volume-key-file”."
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Ambele opțiuni „--volume-key-file” trebuie să fie asociate cu opțiunile „--key-size” respective."
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Opțiunile „--cancel-deferred” și „--deferred” nu pot fi utilizate în același timp."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Opțiunile „--reduce-device-size” și „--device-size” nu pot fi combinate."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Opțiunea „--active-name” poate fi utilizată numai pentru dispozitivele LUKS2."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Opțiunile „--active-name” și „--force-offline-reencrypt” nu pot fi combinate."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Opțiunile „--new-volume-key-file” și „--keep-key” nu pot fi combinate."
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Opțiunile „--new-volume-key-keyring” și „--keep-key” nu pot fi combinate."
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr "Este necesară specificarea slotului de cheie."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Opțiunile „--align-payload” și „--offset” nu pot fi combinate."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Opțiunea „--integrity-no-wipe” poate fi utilizată numai pentru acțiuni de formatare cu extensie de integritate."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Numai una dintre opțiunile „--use-[u]random” este permisă."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr "Dimensiunea cheii este necesară cu opțiunea „--unbound”."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr "Operație cu jeton(token) nevalidă."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Parametrul „--key-description” este obligatoriu pentru acțiunea de adăugare a jetonului."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Acțiunea necesită un jeton(token)l specific. Utilizați parametrul „--token-id”."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr "Opțiunea „--unbound” este validă numai cu acțiunea de adăugare a jetonului."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Opțiunile „--key-slot” și „--unbound” nu pot fi combinate."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Acțiunea necesită un slot de cheie specific. Utilizați parametrul „--key-slot”."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<dispozitiv> [--type <tip>] [<nume>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "deschide dispozitivul ca <nume>"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<nume>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "închide dispozitivul (elimină asocierea)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "redimensionează dispozitivul activ"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr "afișează starea dispozitivului"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <cifrarea>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr "evaluează performanța cifrului"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr "<dispozitiv>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr "încearcă să repare metadatele de pe disc"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr "recriptează dispozitivul LUKS2"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr "șterge toate sloturile de chei (elimină cheia de criptare)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "convertește LUKS din/în formatul LUKS2"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr "definește opțiunile permanente de configurare pentru LUKS2"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr "<dispozitiv> [<fișier cheie nou>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr "formatează un dispozitiv LUKS"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr "adaugă o cheie la dispozitivul LUKS"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr "<dispozitiv> [<fișier cheie>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr "elimină cheia sau fișierul cheie furnizat de pe dispozitivul LUKS"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr "modifică cheia furnizată sau fișierul cheie al dispozitivului LUKS"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr "convertește o cheie în noii parametri pbkdf"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr "<dispozitiv> <slot cheie>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "șterge cheia cu numărul <slot cheie> de pe dispozitivul LUKS"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr "afișează UUID-ul dispozitivului LUKS"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr "testează <dispozitivul> pentru antetul partiției LUKS"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr "afișează informațiile despre partiția LUKS"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr "afișează informațiile despre dispozitivul TCRYPT"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr "afișează informațiile despre dispozitivul BITLK"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr "afișează informațiile despre dispozitivul FVAULT2"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspendă dispozitivul LUKS și șterge cheia (toate In/Ieșirile sunt înghețate)"
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr "Repune în funcțiune dispozitivul LUKS suspendat"
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr "Face copie de rezervă pentru antetul dispozitivului LUKS și pentru sloturile de chei"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr "Restaurează antetul dispozitivului LUKS și sloturile de chei"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <dispozitiv>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipulează jetoanele LUKS2"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2863,7 +2975,7 @@ msgstr ""
 # nume, sau alias pentru primele.
 # A se vedea ieșirea comenzii:
 # «cryptsetup -?|--help»
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2875,7 +2987,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2890,7 +3002,7 @@ msgstr ""
 "<slot cheie> este numărul slotului de cheie LUKS de modificat\n"
 "<fișier cheie> fișier cheie opțional pentru noua cheie pentru acțiunea luksAddKey\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
@@ -2899,7 +3011,7 @@ msgstr ""
 "\n"
 "Formatul implicit de metadate compilate este %s (pentru acțiunea luksFormat).\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2907,12 +3019,12 @@ msgstr ""
 "\n"
 "Suportul pentru modulul de jeton(token) extern LUKS2 este activat.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Ruta modulului pentru jetonul(token) extern LUKS2: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2920,7 +3032,7 @@ msgstr ""
 "\n"
 "Suportul pentru modulul de jeton(token) extern LUKS2 este dezactivat.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2937,7 +3049,7 @@ msgstr ""
 "PBKDF implicit pentru LUKS2: %s\n"
 "\tTimp de iterare: %d, Memorie necesară: %dko, Fire de execuție paralele: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2952,110 +3064,122 @@ msgstr ""
 "\tsimplu: %s, Cheie: %d biți, Suma de control a parolei: %s\n"
 "\tLUKS: %s, Cheie: %d biți, Suma de control a antetului LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Dimensiunea implicită a cheii cu modul XTS (două chei interne) va fi dublată.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: necesită %s ca argumente"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Slotul de cheie nu este valid."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Dimensiunea dispozitivului trebuie să fie multiplu al sectorului de 512 octeți."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Specificația pentru dimensiunea zonei fierbinți(active) pentru recriptare maximă nu este validă."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Dimensiunea cheii trebuie să fie multiplu de 8 biți"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Pot fi furnizate cel mult 2 specificații privind dimensiunea cheii."
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Pot fi furnizate cel mult %d specificații ale cheilor de volum."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Pot fi furnizate cel mult %d specificații de legătură a inelului de chei."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Dimensiunea maximă de reducere a dispozitivului este de 1 GiB."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Dimensiunea redusă trebuie să fie multiplu al sectorului de 512 octeți."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Argumentul opțiuni „--priority” poate fi doar «ignore/normal/prefer»."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Afișează acest mesaj de ajutor"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Afișează modul de utilizare pe scurt"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Afișează versiunea pachetului"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Opțiuni de ajutor:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPȚIUNE...] <acțiune> <parametri_acțiune>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Argumentul <acțiune> lipsește."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Acțiune necunoscută."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Opțiunea „--key-file” are prioritate față de argumentul specificat pentru fișierul cheie."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr "Numai un argument „--key-file” este permis."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Funcția de derivare a unei chei bazată pe parolă (PBKDF=Password-Based Key Derivation Function) poate fi doar pbkdf2 sau argon2i/argon2id."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Iterațiile forțate PBKDF nu pot fi combinate cu opțiunea de timp de iterație."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "Nu se poate lega cheia de volum la un inel de chei când este dezactivat."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Nu se poate utiliza descrierea cheii pentru inelul de chei atunci când inelul de chei este dezactivat."
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Integritatea în linie trebuie utilizată împreună cu opțiunea „--integrity”."
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Opțiunile „--keyslot-cipher” și „--keyslot-key-size” trebuie să fie folosite împreună."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Nu s-a executat nicio acțiune. Programul a fost invocat cu opțiunea „--test-args”.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr "Nu se poate dezactiva blocarea metadatelor."
 
@@ -3083,72 +3207,72 @@ msgstr "Nu s-a putut crea fișierul sumei de control(hash) rădăcină %s pentru
 msgid "Cannot write to root hash file %s."
 msgstr "Nu se poate scrie în fișierul sumei de control (hash) rădăcină %s."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Dispozitivul %s nu este un dispozitiv VERITY valid."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Nu se poate citii din fișierul sumei de control (hash) rădăcină %s."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Fișierul sumei de control (hash) rădăcină %s nu este valid."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "S-a specificat un șir de sumă de control (hash) rădăcină nevalid."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Fișierul de semnătură %s nu este valid."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Nu se poate citi fișierul de semnătură %s."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Comanda necesită ca argument opțiunea <suma-de-control(hash)_rădăcină> sau „--root-hash-file”."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<dispozitiv_date> <dispozitiv_sumă-de-control(hash)>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "formatează dispozitivul"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<dispozitiv_date> <dispozitiv_sumă-de-control(hash)> [<sumă-de-control(hash)_rădăcină>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "verifică dispozitivul"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<dispozitiv_date> <nume> <dispozitiv_sumă-de-control(hash)> [<sumă-de-control(hash)_rădăcină>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "afișează starea dispozitivului activ"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<dispozitiv_sumă-de-control(hash)>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "afișează informațiile de pe disc"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3163,7 +3287,7 @@ msgstr ""
 "<dispozitiv_sumă-de-control(hash)> este dispozitivul care conține datele de verificare\n"
 "<sumă-de-control(hash)_rădăcină> suma-de-control(hash) a nodului rădăcină de pe <dispozitiv_sumă-de-control(hash)>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3175,15 +3299,19 @@ msgstr ""
 "\tAlgoritmul sumei de control(hash): %s, Bloc de date (octeți): %u, Bloc sumă de control(hash) (octeți): %u,\n"
 "\tDimensiune date «salt»: %u, Formatul sumei de control(hash): %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Opțiunile „--ignore-corruption” și „--restart-on-corruption” nu pot fi utilizate împreună."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Opțiunile „--panic-on-corruption” și „--restart-on-corruption” nu pot fi utilizate împreună."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Opțiunea „--error-as-corruption” trebuie să fie utilizată cu „--panic-on-corruption” sau „--restart-on-corruption”."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3192,29 +3320,33 @@ msgstr ""
 "Acest lucru va suprascrie datele de pe %s și %s în mod irevocabil.\n"
 "Pentru a păstra datele dispozitivului de date, utilizați opțiunea „--no-wipe” (și apoi activați-l cu „--integrity-recalculate”)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Formatat cu dimensiunea etichetei %u, integritate internă %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Formatat cu dimensiunea etichetei %u%s, integritate internă %s.\n"
+
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (etichete hw în linie „inline”)"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Utilizarea fanionului pentru recalculare(...-recalculate) nu este acceptată, luați în considerare utilizarea opțiunii „--wipe” în schimb."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Dispozitivul %s nu este un dispozitiv INTEGRITY valid."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<dispozitiv_integritate>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<dispozitiv_integritate> <nume>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3225,7 +3357,7 @@ msgstr ""
 "<nume> este dispozitivul de creat sub %s\n"
 "<dispozitiv_integritate> este dispozitivul care conține date cu etichete de integritate\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3238,43 +3370,51 @@ msgstr ""
 "\tAlgoritmul sumei de control: %s\n"
 "\tDimensiunea maximă a fișierului cheie: %dko\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Dimensiune nevalidă --%s. Maximul este de %u octeți."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Trebuie specificată atât opțiunea pentru fișierul cheie, cât și opțiunea pentru dimensiunea cheii."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Trebuie specificată atât opțiunea pentru fișierul cheii de integritate a jurnalului, cât și opțiunea pentru dimensiunea cheii."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Algoritmul de integritate a jurnalului trebuie să fie specificat dacă este utilizată cheia de integritate a jurnalului."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Trebuie specificată atât opțiunea pentru fișierul cheii de criptare a jurnalului, cât și opțiunea pentru dimensiunea cheii."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Algoritmul de criptare a jurnalului trebuie să fie specificat dacă este utilizată cheia de criptare a jurnalului."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Opțiunile de recuperare și modul de hartă de biți(bitmap) se exclud reciproc."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Opțiunile jurnalului nu pot fi utilizate în modul de hartă de biți(bitmap)."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Opțiunile de hartă de biți(bitmap) pot fi utilizate numai în modul de hartă de biți(bitmap)."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Modul în linie nu poate fi combinat cu opțiunile de jurnal sau de hartă de biți."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Modul în linie nu poate fi combinat cu un dispozitiv de date separat."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3422,6 +3562,14 @@ msgstr "Nu se poate deschide fișierul de chei %s pentru scriere."
 msgid "Cannot write to keyfile %s."
 msgstr "Nu se poate scrie în fișierul de chei %s."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Numele este prea lung."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Numele nu trebuie să conțină caracterul „/”."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3483,37 +3631,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Verificarea calității parolei a eșuat: frază de acces greșită (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Citirea se oprește la lungimea maximă de intrare interactivă, fraza de acces poate fi scurtată."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Eroare la citirea frazei de acces de la terminal."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Verifică fraza de acces: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Frazele de acces nu se potrivesc."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Nu se poate utiliza decalajul cu intrarea terminalului."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Introduceți fraza de acces: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Introduceți fraza de acces pentru %s: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "Nu este disponibilă nicio cheie cu această frază de acces."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Nu este disponibil niciun slot de cheie utilizabil."
 
@@ -3521,20 +3673,20 @@ msgstr "Nu este disponibil niciun slot de cheie utilizabil."
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Nu se poate face verificarea frazei de acces pe intrări non-tty."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Nu s-a putut deschide fișierul %s în modul numai-pentru-citire."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Furnizați un jeton(token) JSON LUKS2 valid:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "Nu s-a putut citi fișierul JSON."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3542,12 +3694,12 @@ msgstr ""
 "\n"
 "Citire întreruptă."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Nu s-a putut deschide fișierul %s în modul de scriere."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3555,11 +3707,11 @@ msgstr ""
 "\n"
 "Scriere întreruptă."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "Nu s-a putut scrie fișierul JSON."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Dispozitiv dm activ „%s” detectat automat pentru dispozitivul de date %s.\n"
@@ -3573,17 +3725,17 @@ msgstr "Dispozitiv dm activ „%s” detectat automat pentru dispozitivul de dat
 # date normale, fișiere de antete de...,
 # fișiere de chei, fișiere de sume
 # de control, fișiere de draci și laci....
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Nu s-au putut detecta automat deținătorii dispozitivului %s."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Dispozitivul %s nu este un dispozitiv de blocuri.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3596,7 +3748,7 @@ msgstr ""
 "Poate duce la coruperea datelor dacă dispozitivul este activat în acest moment.\n"
 "Pentru a rula recriptarea în modul online, utilizați în schimb parametrul „--active-name”.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3605,45 +3757,49 @@ msgstr ""
 "Dispozitivul %s nu este un dispozitiv de blocuri. Nu se poate detecta automat dacă este activ sau nu.\n"
 "Utilizați „--force-offline-reencrypt” pentru a ocoli verificarea și rulați în modul offline (periculos!)."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Opțiunea „--resilience” solicitată nu poate fi aplicată operațiunii curente de recriptare."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Dispozitivul nu este în criptare LUKS2. Opțiune în conflict „--encrypt”."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Dispozitivul nu este în decriptare LUKS2. Opțiune în conflict „--decrypt”."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Dispozitivul este în recriptare folosind adaptabilitatea la transferul de date. Opțiunea „--resilience” solicitată nu poate fi aplicată."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Nu se poate determina dimensiunea cheii de volum pentru LUKS fără sloturi de chei; folosiți opțiunea „--new-key-size” pentru a furniza aceste date."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Dispozitivul necesită recuperarea recriptării. Rulați mai întâi operația de reparare."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Dispozitivul %s este deja în recriptare LUKS2. Doriți să reluați operația inițializată anterior?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Recriptarea veche LUKS2 nu mai este acceptată."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "Nu se poate recripta dispozitivul LUKS2 configurat să utilizeze OPAL."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Recriptarea dispozitivului cu profil de integritate nu este acceptată."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3652,103 +3808,110 @@ msgstr ""
 "Solicitarea făcută cu opțiunea „--sector-size %<PRIu32>” este incompatibilă cu superblocul %s\n"
 "(dimensiunea blocului: %<PRIu32> octeți) detectat pe dispozitivul %s."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Criptarea fără antet detașat (--header) nu este posibilă fără reducerea dimensiunii dispozitivului de date (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Decalajul de date solicitat trebuie să fie mai mic sau egal cu jumătate din parametrul opțiunii „--reduce-device-size”."
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Ajustarea valorii „--reduce-device-size” la de două ori față de „--offset %<PRIu64> (sectoare)”.\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Fișierul antet temporar %s există deja. Se abandonează."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Nu se poate crea fișierul antet temporar %s."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Dimensiunea metadatelor LUKS2 este mai mare decât valoarea decalajului de date."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Nu s-a putut plasa antetul nou la începutul dispozitivului %s."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s este acum activ și pregătit pentru criptarea online.\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Dispozitivul activ %s nu este LUKS2."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Se restabilește antetul LUKS2 original."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Restaurarea antetului LUKS2 original a eșuat."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Fișierul antet %s nu există. Doriți să inițializați decriptarea LUKS2 a dispozitivului %s și să exportați antetul LUKS2 în fișierul %s?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Nu s-au putut adăuga permisiuni de citire/scriere la fișierul antet exportat."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Inițializarea recriptării a eșuat. Copia de rezervă a antetului este disponibilă în %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "Decriptarea LUKS2 este acceptată numai cu dispozitivul antet detașat (cu decalajul de date fixat la 0)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Niciun jeton(token) nu a putut debloca dispozitivul."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
-msgstr "Nu sunt suficiente sloturi de chei liberee pentru recriptare."
+msgstr "Nu sunt suficiente sloturi de chei libere pentru recriptare."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Fișierul de cheie poate fi utilizat numai cu opțiunea „--key-slot” sau cu exact un slot de cheie activ."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Fișierul de chei sau descrierea cheii inelului de chei pot fi utilizate numai cu opțiunea „--key-slot” sau cu exact un slot de cheie activ."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Introduceți fraza de acces pentru slotul de cheie %d: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Introduceți fraza de acces pentru slotul de cheie %u: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Se comută cifrul de criptare a datelor la %s.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Utilizați „--force-no-keyslots” pentru a re-cripta dispozitivul cu sloturi de chei active prin pasarea directă a cheilor de volum."
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Opțiunea „--new-volume-key-file” trebuie să fie combinată cu opțiunea „--new-key-size”"
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Nu s-au modificat parametrii de segment de date. Recriptarea a fost abandonată."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3756,8 +3919,8 @@ msgstr ""
 "Creșterea dimensiunii sectorului de criptare pe dispozitivul offline nu este acceptată.\n"
 "Activați mai întâi dispozitivul sau utilizați opțiunea „--force-offline-reencrypt” (periculos!)."
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3765,67 +3928,67 @@ msgstr ""
 "\n"
 "Recriptarea a fost întreruptă."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Reluarea recriptării LUKS în modul offline forțat.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Dispozitivul %s conține metadate LUKS deteriorate. Se abandonează operația."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Dispozitivul %s este deja un dispozitiv LUKS. Se abandonează operația."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Dispozitivul %s este deja în recriptare LUKS. Se abandonează operația."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr "Decriptarea LUKS2 necesită opțiunea „--header”."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr "Comanda necesită un dispozitiv ca argument."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Versiuni în conflict. Dispozitivul %s este LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Versiuni în conflict. Dispozitivul %s este în recriptare LUKS1."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Versiuni în conflict. Dispozitivul %s este LUKS2."
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Versiuni în conflict. Dispozitivul %s este în recriptare LUKS2."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Recriptarea LUKS2 a fost deja inițializată. Se abandonează operația."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr "Recriptarea dispozitivului nu este în curs de desfășurare."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Nu se poate deschide exclusiv %s, dispozitiv în uz."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "Alocarea memoriei aliniate a eșuat."
 
@@ -3848,11 +4011,11 @@ msgstr "Nu se poate scrie dispozitivul %s."
 msgid "Cannot write reencryption log file."
 msgstr "Nu se poate scrie fișierul jurnalului de recriptare."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Nu se poate citii fișierul jurnalului de recriptare."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Format de jurnal greșit."
 
@@ -3861,130 +4024,134 @@ msgstr "Format de jurnal greșit."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Fișierul jurnal %s există, reluând recriptarea.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Se activează dispozitivul temporar folosind antetul LUKS vechi."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Se activează dispozitivul temporar folosind antetul LUKS nou."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Activarea dispozitivelor temporare a eșuat."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Nu s-a putut definii decalajul de date."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Nu s-a putut definii dimensiunea metadatelor."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "A fost creat un nou antet LUKS pentru dispozitivul %s."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "A fost creată o copie de rezervă a antetului %s pentru dispozitivul %s."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "Crearea antetelor de rezervă LUKS a eșuat."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Nu se poate restabili antetul %s pe dispozitivul %s."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Antetul %s de pe dispozitivul %s a fost restaurat."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Nu se poate deschide dispozitivul LUKS temporar."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Nu se poate obține dimensiunea dispozitivului."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "Eroare de In/Ieș în timpul recriptării."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "UUID-ul furnizat nu este valid."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Fișierul de cheie poate fi utilizat numai cu opțiunea „--key-slot” sau cu exact un slot de cheie activ."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Nu se poate deschide fișierul jurnalului de recriptare."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Nicio decriptare nu este în curs de desfășurare, UUID-ul furnizat poată să fie utilizat doar pentru a relua procesul de decriptare suspendat."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Recriptarea se va modifica: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "cheia de volum"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "stabilește suma de control(hash) la "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", stabilește cifrarea la "
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "AVERTISMENT: Dispozitivul %s conține deja o semnătură de partiție „%s”.\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "AVERTISMENT: Dispozitivul %s conține deja o semnătură superbloc „%s”.\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Nu s-au inițializat probele de semnătură a dispozitivului."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Nu s-a putut obține starea dispozitivului %s."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Nu s-a putut deschide fișierul %s în modul citire/scriere."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Semnătura partiției „%s” existentă pe dispozitivul %s va fi ștearsă."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Semnătura superblocului „%s” existentă pe dispozitivul %s va fi ștearsă."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "Nu s-a putut șterge semnătura dispozitivului."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Nu s-a putut verifica dispozitivul %s pentru o semnătură."
@@ -3999,6 +4166,50 @@ msgstr "Specificație de dimensiune nevalidă în parametrul „--%s”."
 msgid "Option --%s is not allowed with %s action."
 msgstr "Opțiunea „--%s” nu este permisă cu acțiunea %s."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Specificația tipului din specificația pentru inelul de chei „--link-vk-to-keyring” este ignorată."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Tipurile de chei trebuie să fie aceleași pentru ambele chei de volum."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Ambele chei de volum trebuie să fie conectate la același inel de chei."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Trebuie să furnizați mai multe nume de chei."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Valoare nevalidă a opțiunii „--link-vk-to-keyring”."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Datele binare ale slotului de chei %d ar putea fi corupte.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Decalaj suspectaat: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Decalajele suspecte ulterioare sunt suprimate.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Slotul de chei %d nu poate fi citit de pe dispozitiv."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Puteți utiliza «hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\"» pentru a inspecta datele.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Nu s-a putut scrie jetonul ssh în format JSON."
@@ -4166,6 +4377,37 @@ msgstr "Metoda de autentificare cu cheie publică nu este permisă pe gazdă.\n"
 msgid "Public key authentication error: "
 msgstr "Eroare la autentificarea cu cheia publică: "
 
+#~ msgid "Activation of BITLK device with clear key protection is not supported."
+#~ msgstr "Activarea dispozitivului BITLK cu protecție de cheie în clar nu este acceptată."
+
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Nu s-au putut lega cheile de volum la inelul de chei specificat de utilizator."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Nu s-a putut dezlega cheia de la inelul de chei al firului."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "Activarea dispozitivului BITLK parțial decriptat nu este acceptată."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Nu s-au putut citi cerințele LUKS2."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Avertisment: operația pe slotul de chei poate eșua, deoarece necesită mai mult decât memoria disponibilă.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Nu s-a putut obține stadiul recriptării."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Nu s-a putut citi expresia de acces din inelul de chei."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Opțiunile „--reduce-device-size” și „--device-size” nu pot fi combinate."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Introduceți fraza de acces pentru slotul de cheie %u: "
+
 #~ msgid "compiled-in"
 #~ msgstr "integrat în compilare"
 
diff --git a/po/ru.po b/po/ru.po
index d32901f..18d03a9 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -4,13 +4,13 @@
 #
 # Rosetta Contributors and Canonical Ltd <EMAIL@ADDRESS>, 2007.
 # Eugene Roskin <Unknown>, 2016.
-# Yuri Kozlov <yuray@komyakino.ru>, 2018, 2019, 2020, 2021, 2022, 2023.
+# Yuri Kozlov <yuray@komyakino.ru>, 2018, 2019, 2020, 2021, 2022, 2023, 2025.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.6.1-rc0\n"
+"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2023-02-01 15:58+0100\n"
-"PO-Revision-Date: 2023-11-02 21:04+0300\n"
+"POT-Creation-Date: 2024-06-06 22:11+0200\n"
+"PO-Revision-Date: 2025-04-05 10:49+0300\n"
 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
 "Language-Team: Russian <gnu@d07.ru>\n"
 "Language: ru\n"
@@ -19,74 +19,78 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "X-Launchpad-Export-Date: 2018-12-03 15:52+0000\n"
-"X-Generator: Lokalize 22.12.3\n"
+"X-Generator: Lokalize 24.12.0\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
 
-#: lib/libdevmapper.c:419
+#: lib/libdevmapper.c:406
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Не удалось инициализировать device-mapper, выполняется без прав суперпользователя."
 
-#: lib/libdevmapper.c:422
+#: lib/libdevmapper.c:409
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Не удалось инициализировать device-mapper. Загружен ли модуль ядра dm_mod?"
 
-#: lib/libdevmapper.c:1102
+#: lib/libdevmapper.c:1090
 msgid "Requested deferred flag is not supported."
 msgstr "Запрошенный флаг отсрочки не поддерживается."
 
-#: lib/libdevmapper.c:1171
+#: lib/libdevmapper.c:1159
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "У устройства %s был обрезан DM-UUID."
 
-#: lib/libdevmapper.c:1501
+#: lib/libdevmapper.c:1497
 msgid "Unknown dm target type."
 msgstr "Неизвестный тип цели dm."
 
-#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724
-#: lib/libdevmapper.c:1727
+#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
+#: lib/libdevmapper.c:1728
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Запрошенные параметры производительности dm-crypt не поддерживаются."
 
-#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647
+#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Запрошенные параметры обработки повреждённых данных dm-verify не поддерживаются."
 
-#: lib/libdevmapper.c:1641
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Запрошенный параметр tasklets dm-verify не поддерживается."
 
-#: lib/libdevmapper.c:1653
+#: lib/libdevmapper.c:1649
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Запрошенные параметры FEC dm-verify не поддерживаются."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1655
 msgid "Requested data integrity options are not supported."
 msgstr "Запрошенные параметры целостности данных не поддерживаются."
 
-#: lib/libdevmapper.c:1663
+#: lib/libdevmapper.c:1659
 msgid "Requested sector_size option is not supported."
 msgstr "Запрошенный параметр sector_size не поддерживается."
 
-#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676
+#: lib/libdevmapper.c:1664
+msgid "The device size is not multiple of the requested sector size."
+msgstr "Размер устройства не кратен запрошенному размеру сектора."
+
+#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Запрошенный автоматический пересчёт тегов целостности не поддерживается."
 
-#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733
-#: lib/luks2/luks2_json_metadata.c:2620
+#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
+#: lib/luks2/luks2_json_metadata.c:2741
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM не поддерживается."
 
-#: lib/libdevmapper.c:1688
+#: lib/libdevmapper.c:1689
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Запрошенный режим битовой карты dm-integrity не поддерживается."
 
-#: lib/libdevmapper.c:2724
+#: lib/libdevmapper.c:2725
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Ошибка при запросе сегмента dm-%s."
 
-#: lib/random.c:73
+#: lib/random.c:60
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -94,698 +98,813 @@ msgstr ""
 "При генерации ключа тома в системе закончились данные энтропии.\n"
 "Подвигайте мышь или наберите любой текст в другом окне, чтобы возникли случайные события.\n"
 
-#: lib/random.c:77
+#: lib/random.c:64
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Генерация ключа (выполнена на %d%%).\n"
 
-#: lib/random.c:163
+#: lib/random.c:150
 msgid "Running in FIPS mode."
 msgstr "Выполнение в режиме FIPS."
 
-#: lib/random.c:169
+#: lib/random.c:156
 msgid "Fatal error during RNG initialisation."
 msgstr "При инициализации RNG возникла критическая ошибка."
 
-#: lib/random.c:207
+#: lib/random.c:194
 msgid "Unknown RNG quality requested."
 msgstr "Запрошено неизвестное качество RNG."
 
-#: lib/random.c:212
+#: lib/random.c:199
 msgid "Error reading from RNG."
 msgstr "Ошибка чтения из RNG."
 
-#: lib/setup.c:231
+#: lib/setup.c:249
+msgid "OPAL support is disabled in libcryptsetup."
+msgstr "Поддержка OPAL в libcryptsetup выключена."
+
+#: lib/setup.c:251
+#, c-format
+msgid "Device %s or kernel does not support OPAL encryption."
+msgstr "Устройство %s или ядро не поддерживает шифрование OPAL."
+
+#: lib/setup.c:267
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Невозможно инициализировать внутренний интерфейс crypto RNG."
 
-#: lib/setup.c:237
+#: lib/setup.c:273
 msgid "Cannot initialize crypto backend."
 msgstr "Невозможно инициализировать внутренний интерфейс crypto."
 
-#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122
+#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Алгоритм хэширования %s не поддерживается."
 
-#: lib/setup.c:271 lib/loopaes/loopaes.c:90
+#: lib/setup.c:308 lib/loopaes/loopaes.c:77
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Ошибка обработки ключа (используется хэш %s)."
 
-#: lib/setup.c:342 lib/setup.c:369
+#: lib/setup.c:379 lib/setup.c:416
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Невозможно определить тип устройства. Несовместимая активация устройства?"
 
-#: lib/setup.c:348 lib/setup.c:3320
+#: lib/setup.c:385 lib/setup.c:3981
 msgid "This operation is supported only for LUKS device."
 msgstr "Эта операция поддерживается только для устройства LUKS."
 
-#: lib/setup.c:375
+#: lib/setup.c:422
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Эта операция поддерживается только для устройства LUKS2."
 
-#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010
+#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
 msgid "All key slots full."
 msgstr "Заполнены все слоты ключей."
 
-#: lib/setup.c:438
+#: lib/setup.c:490
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Некорректный слот ключа %d, укажите значение между 0 и %d."
 
-#: lib/setup.c:444
+#: lib/setup.c:496
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Слот ключа %d заполнен, выберите другой."
 
-#: lib/setup.c:529 lib/setup.c:3042
+#: lib/setup.c:607 lib/setup.c:3681
 msgid "Device size is not aligned to device logical block size."
 msgstr "Размер устройства не выровнен к размеру логического блока устройства."
 
-#: lib/setup.c:627
+#: lib/setup.c:705
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Обнаружен заголовок, но устройство %s слишком маленькое."
 
-#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287
-#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184
+#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
+#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
 msgid "This operation is not supported for this device type."
 msgstr "Эта операция не поддерживается для этого типа устройств."
 
-#: lib/setup.c:673
+#: lib/setup.c:751
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Недопустимая операция во время работы перешифрования."
 
-#: lib/setup.c:802
+#: lib/setup.c:883
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Не удалось откатиться на метаданные LUKS2 в памяти."
 
-#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527
-#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587
-#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977
-#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656
-#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465
-#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77
+#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
+#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
+#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
+#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
+#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Устройство %s не является корректным устройством LUKS."
 
-#: lib/setup.c:892 lib/luks1/keymanage.c:530
+#: lib/setup.c:973 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Неподдерживаемая версия LUKS %d."
 
-#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785
-#: lib/setup.c:2952 lib/setup.c:4764
+#: lib/setup.c:1346
+#, c-format
+msgid "No known cipher specification pattern detected for active device %s."
+msgstr "Для активного устройства %s обнаружено указание неизвестного шаблона шифра."
+
+#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
+#: lib/setup.c:3590 lib/setup.c:6004
 #, c-format
 msgid "Device %s is not active."
 msgstr "Устройство %s не активно."
 
-#: lib/setup.c:1508
+#: lib/setup.c:1609
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Исчезло нижележащее устройство у устройства crypt %s."
 
-#: lib/setup.c:1590
+#: lib/setup.c:1691
 msgid "Invalid plain crypt parameters."
 msgstr "Неверные параметры plain crypt."
 
-#: lib/setup.c:1595 lib/setup.c:2054
+#: lib/setup.c:1696 lib/setup.c:2689
 msgid "Invalid key size."
 msgstr "Неверный размер ключа."
 
-#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262
+#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
 msgid "UUID is not supported for this crypt type."
 msgstr "Для данного типа crypt UUID не поддерживается."
 
-#: lib/setup.c:1605 lib/setup.c:2064
+#: lib/setup.c:1706 lib/setup.c:2699
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Устройство с отсоединёнными метаданными не поддерживается для этого типа crypt."
 
-#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966
-#: src/cryptsetup.c:1387 src/cryptsetup.c:3383
+#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
+#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
 msgid "Unsupported encryption sector size."
 msgstr "Неподдерживаемый размер сектора шифрования."
 
-#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036
+#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
 msgid "Device size is not aligned to requested sector size."
 msgstr "Размер устройства не выровнен к запрошенному размеру сектора."
 
-#: lib/setup.c:1675 lib/setup.c:1799
+#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
 msgid "Can't format LUKS without device."
 msgstr "Невозможно отформатировать LUKS без устройства."
 
-#: lib/setup.c:1681 lib/setup.c:1805
+#: lib/setup.c:1781 lib/setup.c:2024
+#, c-format
+msgid "Zoned device %s cannot be used for LUKS header."
+msgstr "Зонированное устройство %s нельзя использовать в заголовке LUKS."
+
+#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Запрошенный тип выравнивания данных не совместим со смещением данных."
 
-#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274
+#: lib/setup.c:1828 lib/setup.c:2049
+msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: устройство DAX может повредить данные, так как оно не гарантирует атомарное изменение секторов.\n"
+
+#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
+#: lib/setup.c:2596 lib/setup.c:2909
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "невозможно затереть заголовок на устройстве %s."
 
-#: lib/setup.c:1769 lib/setup.c:2036
+#: lib/setup.c:1879 lib/setup.c:2204
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Устройство %s слишком маленькое для активации, не хватает места для данных.\n"
 
-#: lib/setup.c:1840
-msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
-msgstr "ПРЕДУПРЕЖДЕНИЕ: Активация устройства завершится ошибкой, так как отсутствует поддержка dm-crypt для запрошенного размера сектора шифрования.\n"
-
-#: lib/setup.c:1863
+#: lib/setup.c:1919
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Ключ тома слишком мал для шифрования с целостными расширениями."
 
-#: lib/setup.c:1923
+#: lib/setup.c:1928
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Шифр %s-%s (размер ключа %zd бит) недоступен."
 
-#: lib/setup.c:1949
-#, c-format
-msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
-msgstr "ПРЕДУПРЕЖДЕНИЕ: размер метаданных LUKS2 изменился и стал %<PRIu64> байт.\n"
-
-#: lib/setup.c:1953
-#, c-format
-msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
-msgstr "ПРЕДУПРЕЖДЕНИЕ: размер слотов ключа LUKS2 изменился и стал %<PRIu64> байт.\n"
+#: lib/setup.c:1967
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: активация устройства завершится ошибкой, так как отсутствует поддержка dm-crypt для запрошенного размера сектора шифрования.\n"
 
-#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255
-#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279
+#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
+#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
+#: lib/luks2/luks2_reencrypt.c:4367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Устройство %s слишком маленькое."
 
-#: lib/setup.c:1990 lib/setup.c:2016
+#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Невозможно отформатировать устройство %s, которое используется."
 
-#: lib/setup.c:1993 lib/setup.c:2019
+#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Невозможно отформатировать устройство %s, недостаточно прав."
 
-#: lib/setup.c:2005 lib/setup.c:2334
+#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Невозможно отформатировать целостность для устройства %s."
 
-#: lib/setup.c:2023
+#: lib/setup.c:2191 lib/setup.c:2646
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Невозможно отформатировать устройство %s."
 
-#: lib/setup.c:2049
+#: lib/setup.c:2234
+msgid "Cannot get OPAL alignment parameters."
+msgstr "Невозможно получить параметры выравнивания OPAL."
+
+#: lib/setup.c:2246
+msgid "Bogus OPAL logical block size."
+msgstr "Фиктивный размер логического блока OPAL."
+
+#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+msgid "Bogus OPAL logical block size differs from device block size."
+msgstr "Фиктивный размер логического блока OPAL отличается от размера блока устройства."
+
+#: lib/setup.c:2257
+msgid "Requested data offset is not compatible with OPAL block size."
+msgstr "Запрошенное смещение данных не совместимо с размером блока OPAL."
+
+#: lib/setup.c:2264
+msgid "Requested data alignment is not compatible with OPAL alignment."
+msgstr "Запрошенное смещение данных не совместимо с выравниванием OPAL."
+
+#: lib/setup.c:2284
+msgid "Data offset does not satisfy OPAL alignment requirements."
+msgstr "Смещение данных не удовлетворяет требованиям по выравниванию OPAL."
+
+#: lib/setup.c:2297
+msgid "Requested data alignment does not satisfy locking range alignment requirements."
+msgstr "Запрошенное смещение данных не удовлетворяет требованиям по выравниванию диапазона блокировок."
+
+#: lib/setup.c:2502
+#, c-format
+msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
+msgstr "Компенсируем размер устройства на %<PRIu64> секторов для выравнивания со степенью дробления OPAL."
+
+#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
+#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#, c-format
+msgid "Failed to acquire OPAL lock on device %s."
+msgstr "Не удалось захватить блокировку OPAL на устройстве %s."
+
+#: lib/setup.c:2570
+msgid "Incorrect OPAL Admin key."
+msgstr "Некорректный ключ OPAL Admin."
+
+#: lib/setup.c:2572
+msgid "Cannot setup OPAL segment."
+msgstr "Не удалось настроить сегмент OPAL."
+
+#: lib/setup.c:2642
+#, c-format
+msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
+msgstr "Невозможно отформатировать устройство %s, вероятно, всё устройство OPAL сейчас защищено от записи."
+
+#: lib/setup.c:2644
+msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
+msgstr "Вероятно, это дефект прошивки. Выполните сброс OPAL PSID и переподключите для восстановления."
+
+#: lib/setup.c:2664
+#, c-format
+msgid "Locking range %d reset on device %s failed."
+msgstr "Не удалось сбросить диапазон блокировок %d на устройстве %s."
+
+#: lib/setup.c:2684
 msgid "Can't format LOOPAES without device."
 msgstr "Невозможно отформатировать LOOPAES без устройства."
 
-#: lib/setup.c:2094
+#: lib/setup.c:2729
 msgid "Can't format VERITY without device."
 msgstr "Невозможно отформатировать VERITY без устройства."
 
-#: lib/setup.c:2105 lib/verity/verity.c:101
+#: lib/setup.c:2740 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Неподдерживаемый тип хэша %d для VERITY."
 
-#: lib/setup.c:2111 lib/verity/verity.c:109
+#: lib/setup.c:2746 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Неподдерживаемый размер блока для VERITY."
 
-#: lib/setup.c:2116 lib/verity/verity.c:74
+#: lib/setup.c:2751 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Неподдерживаемое смещение хэша для VERITY."
 
-#: lib/setup.c:2121
+#: lib/setup.c:2756
 msgid "Unsupported VERITY FEC offset."
 msgstr "Неподдерживаемое смещение FEC для VERITY."
 
-#: lib/setup.c:2145
+#: lib/setup.c:2780
 msgid "Data area overlaps with hash area."
 msgstr "Область данных перекрывает области хэша."
 
-#: lib/setup.c:2170
+#: lib/setup.c:2805
 msgid "Hash area overlaps with FEC area."
 msgstr "Область хэша перекрывает область FEC."
 
-#: lib/setup.c:2177
+#: lib/setup.c:2812
 msgid "Data area overlaps with FEC area."
 msgstr "Область данных перекрывает область FEC."
 
-#: lib/setup.c:2313
+#: lib/setup.c:2948
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: запрошенный размер тега в %d байт отличается от выходного размера %s (%d байт).\n"
 
-#: lib/setup.c:2392
+#: lib/setup.c:3027
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Запрошен неизвестный тип устройства crypt %s."
 
-#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791
+#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Неподдерживаемые параметры для устройства %s."
 
-#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862
-#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484
+#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
+#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Несовпадение параметров для устройства %s."
 
-#: lib/setup.c:2822
+#: lib/setup.c:3457
 msgid "Crypt devices mismatch."
 msgstr "Несоответствие устройств crypt."
 
-#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361
-#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032
+#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
+#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Ошибка при перезагрузке устройства %s."
 
-#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332
-#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892
+#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
+#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Ошибка при приостановке устройства %s."
 
-#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346
-#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945
-#: lib/luks2/luks2_reencrypt.c:4036
+#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
+#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
+#: lib/luks2/luks2_reencrypt.c:4115
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Ошибка при возобновлении работы устройства %s."
 
-#: lib/setup.c:2897
+#: lib/setup.c:3532
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Критическая ошибка при перезагрузке устройства %s (поверх устройства %s)."
 
-#: lib/setup.c:2900 lib/setup.c:2902
+#: lib/setup.c:3535 lib/setup.c:3537
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Ошибка при переключении устройства %s на dm-error."
 
-#: lib/setup.c:2984
+#: lib/setup.c:3577
+msgid "Can not resize LUKS2 device with static size."
+msgstr "Невозможно изменить размер устройства LUKS2 со статическим размером."
+
+#: lib/setup.c:3622
 msgid "Cannot resize loop device."
 msgstr "Невозможно изменить размер закольцованного (loop) устройства."
 
-#: lib/setup.c:3027
+#: lib/setup.c:3666
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: максимальный размер уже задан или ядро не поддерживает изменение размера.\n"
 
-#: lib/setup.c:3088
+#: lib/setup.c:3732
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Изменение размера невозможно, не поддерживается ядром."
 
-#: lib/setup.c:3120
+#: lib/setup.c:3764
 msgid "Do you really want to change UUID of device?"
 msgstr "Вы действительно хотите изменить UUID устройства?"
 
-#: lib/setup.c:3212
+#: lib/setup.c:3856
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Файл резервного заголовка не содержит заголовка совместимого с LUKS."
 
-#: lib/setup.c:3328
+#: lib/setup.c:3966
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Том %s не активен."
 
-#: lib/setup.c:3339
+#: lib/setup.c:4032
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Том %s уже приостановлен."
 
-#: lib/setup.c:3352
+#: lib/setup.c:4060
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Приостановка не поддерживается устройством %s."
 
-#: lib/setup.c:3354
+#: lib/setup.c:4062 lib/setup.c:4070
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Ошибка во время приостановки устройства %s."
 
-#: lib/setup.c:3389
+#: lib/setup.c:4084
+#, c-format
+msgid "Device %s was suspended but hardware OPAL device cannot be locked."
+msgstr "Устройство %s было приостановлено, но аппаратное устройство OPAL заблокировать не удалось."
+
+#: lib/setup.c:4116 lib/setup.c:4288
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Возобновление не поддерживается устройством %s."
 
-#: lib/setup.c:3391
+#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Ошибка во время возобновления устройства %s."
 
-#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589
-#: src/cryptsetup.c:2479
+#: lib/setup.c:4137
+msgid "Failed to unlink volume key from user specified keyring."
+msgstr "Не удалось удалить ключ тома из указанной пользователем связки ключей."
+
+#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+msgid "Failed to link volume key in user defined keyring."
+msgstr "Не удалось добавить ключ тома в указанную пользователем связку ключей."
+
+#: lib/setup.c:4353 src/cryptsetup.c:2848
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Том %s не приостановлен."
 
-#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561
-#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228
-#: src/cryptsetup.c:2011
+#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
+#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
 msgid "Volume key does not match the volume."
 msgstr "Ключ тома не подходит к тому."
 
-#: lib/setup.c:3737
+#: lib/setup.c:4608
 msgid "Failed to swap new key slot."
 msgstr "Ошибка при переключении на новый слот ключа."
 
-#: lib/setup.c:3835
+#: lib/setup.c:4706
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Некорректный слот ключа %d."
 
-#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208
-#: src/cryptsetup.c:2816 src/cryptsetup.c:2876
+#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
+#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Слот ключа %d не активен."
 
-#: lib/setup.c:3860
+#: lib/setup.c:4731
 msgid "Device header overlaps with data area."
 msgstr "Заголовок устройства перекрывает область данных."
 
-#: lib/setup.c:4165
+#: lib/setup.c:5084 lib/setup.c:5184
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Выполняется перешифрование. Невозможно активировать устройство."
 
-#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703
-#: lib/luks2/luks2_reencrypt.c:3590
+#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
+#: lib/luks2/luks2_reencrypt.c:3648
 msgid "Failed to get reencryption lock."
 msgstr "Ошибка при получении блокировки перешифрования."
 
-#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609
+#: lib/setup.c:5098
+msgid "LUKS2 reencryption recovery using volume key(s) failed."
+msgstr "Ошибка восстановления перешифрования LUKS2 при использовании ключа(ей) тома."
+
+#: lib/setup.c:5150 lib/setup.c:5240
+msgid "Failed to link volume keys in user defined keyring."
+msgstr "Не удалось добавить ключи тома в указанную пользователем связку ключей."
+
+#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Ошибка восстановления перешифрования LUKS2."
 
-#: lib/setup.c:4352 lib/setup.c:4618
+#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
 msgid "Device type is not properly initialized."
 msgstr "Тип устройства инициализирован неправильно."
 
-#: lib/setup.c:4400
+#: lib/setup.c:5503
 #, c-format
 msgid "Device %s already exists."
 msgstr "Устройство %s уже существует."
 
-#: lib/setup.c:4407
+#: lib/setup.c:5510
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Невозможно использовать устройство %s, некорректное имя или оно всё ещё используется."
 
-#: lib/setup.c:4527
+#: lib/setup.c:5528
 msgid "Incorrect volume key specified for plain device."
 msgstr "Для устройства plain указан некорректный ключ тома."
 
-#: lib/setup.c:4644
-msgid "Incorrect root hash specified for verity device."
-msgstr "Некорректный корневой хэш для указанного устройства verity."
+#: lib/setup.c:5542
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Ключи перешифрования тома не подходят к тому."
 
-#: lib/setup.c:4654
-msgid "Root hash signature required."
-msgstr "Требуется подпись корневого хэша."
+#: lib/setup.c:5655
+msgid "Kernel keyring is not supported by the kernel."
+msgstr "Связка ключей ядра не поддерживается ядром."
 
-#: lib/setup.c:4663
+#: lib/setup.c:5659
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Отсутствует связка ключей ядра: требуется для передачи подписи в ядро."
 
-#: lib/setup.c:4680 lib/setup.c:6423
-msgid "Failed to load key in kernel keyring."
-msgstr "Ошибка при загрузке ключа в связку ключей ядра."
+#: lib/setup.c:5917
+msgid "Incorrect root hash specified for verity device."
+msgstr "Некорректный корневой хэш для указанного устройства verity."
+
+#: lib/setup.c:5960
+msgid "OPAL does not support deferred deactivation."
+msgstr "OPAL не поддерживает отложенную деактивацию."
 
-#: lib/setup.c:4736
+#: lib/setup.c:5976
 #, c-format
 msgid "Could not cancel deferred remove from device %s."
 msgstr "Не удалось отменить отложенное удаление с устройства %s."
 
-#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756
-#: src/utils_reencrypt.c:116
+#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Устройство %s всё ещё используется."
 
-#: lib/setup.c:4768
+#: lib/setup.c:6008
 #, c-format
 msgid "Invalid device %s."
 msgstr "Неверное устройство %s."
 
-#: lib/setup.c:4908
+#: lib/setup.c:6148
 msgid "Volume key buffer too small."
 msgstr "Буфер ключа тома слишком мал."
 
-#: lib/setup.c:4925
+#: lib/setup.c:6165
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Невозможно получить ключ тома для устройства LUKS2."
 
-#: lib/setup.c:4934
+#: lib/setup.c:6174
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Невозможно получить ключ тома для устройства LUKS1."
 
-#: lib/setup.c:4944
+#: lib/setup.c:6184
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Невозможно получить ключ тома для устройства plain."
 
-#: lib/setup.c:4952
+#: lib/setup.c:6192
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Невозможно получить корневой хэш для устройства verity."
 
-#: lib/setup.c:4959
+#: lib/setup.c:6199
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Невозможно получить ключ тома для устройства BITLK."
 
-#: lib/setup.c:4964
+#: lib/setup.c:6204
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Невозможно получить ключ тома для устройства FVAULT2."
 
-#: lib/setup.c:4966
+#: lib/setup.c:6206
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Эта операция не поддерживается для устройства crypt %s."
 
-#: lib/setup.c:5147 lib/setup.c:5158
+#: lib/setup.c:6390 lib/setup.c:6401
 msgid "Dump operation is not supported for this device type."
 msgstr "Операция дампа не поддерживается для устройства этого типа."
 
-#: lib/setup.c:5500
+#: lib/setup.c:6760
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Смещение данных не кратно %u байтам."
 
-#: lib/setup.c:5788
+#: lib/setup.c:7068
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Невозможно преобразовать устройство %s, которое всё ещё используется."
 
-#: lib/setup.c:6098 lib/setup.c:6237
+#: lib/setup.c:7366 lib/setup.c:7505
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Ошибка при назначении слота ключа %u в качестве нового ключа тома."
 
-#: lib/setup.c:6122
+#: lib/setup.c:7390
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Ошибка при инициализации параметров слота ключа по умолчанию LUKS2."
 
-#: lib/setup.c:6128
+#: lib/setup.c:7396
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Ошибка при назначении слота ключа %d дайджесту."
 
-#: lib/setup.c:6353
+#: lib/setup.c:7621
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Невозможно добавить слот ключа, все слоты отключены и не предоставлен ключ тома."
 
-#: lib/setup.c:6490
-msgid "Kernel keyring is not supported by the kernel."
-msgstr "Связка ключей ядра не поддерживается ядром."
+#: lib/setup.c:7690 lib/verity/verity.c:330
+msgid "Failed to load key in kernel keyring."
+msgstr "Ошибка при загрузке ключа в связку ключей ядра."
 
-#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807
+#: lib/setup.c:7808
+msgid "Failed to unlink volume key from thread keyring."
+msgstr "Не удалось удалить ключ тома из связки ключей нити."
+
+#: lib/setup.c:7852
 #, c-format
-msgid "Failed to read passphrase from keyring (error %d)."
-msgstr "Не удалось прочитать парольную фразу из связки ключей (ошибка %d)."
+msgid "Could not find keyring described by \"%s\"."
+msgstr "Не удалось найти связку ключей, описанную в «%s»."
 
-#: lib/setup.c:6523
+#: lib/setup.c:7917
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Не удалось захватить глобальную блокировку сериализации доступа на скорости памяти (memory-hard)."
 
-#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501
+#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Не удалось открыть файл ключа."
 
-#: lib/utils.c:163
+#: lib/utils.c:207
 msgid "Cannot read keyfile from a terminal."
 msgstr "Невозможно прочитать файл ключа с терминала."
 
-#: lib/utils.c:179
+#: lib/utils.c:223
 msgid "Failed to stat key file."
 msgstr "Не удалось выполнить stat для файла ключа."
 
-#: lib/utils.c:187 lib/utils.c:208
+#: lib/utils.c:231 lib/utils.c:252
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Невозможно переместиться по запрошенному смещению в файле ключа."
 
-#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225
-#: src/utils_password.c:237
+#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
+#: src/utils_password.c:228
 msgid "Out of memory while reading passphrase."
 msgstr "Не хватило памяти при чтении парольной фразы."
 
-#: lib/utils.c:237
+#: lib/utils.c:281
 msgid "Error reading passphrase."
 msgstr "Ошибка чтения парольной фразы."
 
-#: lib/utils.c:254
+#: lib/utils.c:298
 msgid "Nothing to read on input."
 msgstr "Нет ничего для чтения со стандартного ввода."
 
-#: lib/utils.c:261
+#: lib/utils.c:305
 msgid "Maximum keyfile size exceeded."
 msgstr "Превышен максимальный размер файла ключа."
 
-#: lib/utils.c:266
+#: lib/utils.c:310
 msgid "Cannot read requested amount of data."
 msgstr "невозможно прочитать запрошенное количество данных."
 
-#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440
+#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Устройство %s не существует или отказано в доступе."
 
-#: lib/utils_device.c:217
+#: lib/utils_device.c:210
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Устройство %s несовместимо."
 
-#: lib/utils_device.c:561
+#: lib/utils_device.c:554
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Игнорируется фиктивный размер optimal-io для устройства данных (%u байт)."
 
-#: lib/utils_device.c:722
+#: lib/utils_device.c:715
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Устройство %s слишком маленькое. Требуется не менее %<PRIu64> байт."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:796
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Невозможно использовать устройство %s, которое используется (отображено или примонтировано)."
 
-#: lib/utils_device.c:807
+#: lib/utils_device.c:800
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Невозможно использовать устройство %s, недостаточно прав."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:803
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Невозможно получить информацию об устройстве %s."
 
-#: lib/utils_device.c:833
+#: lib/utils_device.c:826
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Невозможно использовать закольцованное устройство, выполняется без прав суперпользователя."
 
-#: lib/utils_device.c:844
+#: lib/utils_device.c:837
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Ошибка при присоединении закольцованного устройства (требуется закольцованное устройство с флагом autoclear)."
 
-#: lib/utils_device.c:892
+#: lib/utils_device.c:885
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Запрошенный размер вне реального размера устройства %s."
 
-#: lib/utils_device.c:900
+#: lib/utils_device.c:893
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Устройство %s имеет нулевой размер."
 
-#: lib/utils_pbkdf.c:100
+#: lib/utils_pbkdf.c:103
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Запрошенное время цели PBKDF не может быть нулевым."
 
-#: lib/utils_pbkdf.c:106
+#: lib/utils_pbkdf.c:109
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Неизвестный тип PBKDF %s."
 
-#: lib/utils_pbkdf.c:111
+#: lib/utils_pbkdf.c:114
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Запрошенный хэш %s не поддерживается."
 
-#: lib/utils_pbkdf.c:122
+#: lib/utils_pbkdf.c:125
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Запрошенный тип PBKDF %s не поддерживается в LUKS1."
 
-#: lib/utils_pbkdf.c:128
+#: lib/utils_pbkdf.c:131
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Максимальный размер памяти PBKDF или количество параллельных потоков нельзя задавать вместе с pbkdf2."
 
-#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
+#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Навязанный счётчик итераций слишком мал для %s (минимальное значение равно %u)."
 
-#: lib/utils_pbkdf.c:148
+#: lib/utils_pbkdf.c:151
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Навязанная стоимость памяти слишком мала для %s (минимальное значение равно %u килобайт)."
 
-#: lib/utils_pbkdf.c:155
+#: lib/utils_pbkdf.c:158
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Запрошенная максимальная стоимость памяти PBKDF слишком высока (максимальное значение равно %d килобайт)."
 
-#: lib/utils_pbkdf.c:160
+#: lib/utils_pbkdf.c:163
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Запрошенная максимальная стоимость памяти PBKDF не может быть равна нулю."
 
-#: lib/utils_pbkdf.c:164
+#: lib/utils_pbkdf.c:167
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Запрошенное количество параллельных потоков PBKDF не может быть нулевым."
 
-#: lib/utils_pbkdf.c:184
+#: lib/utils_pbkdf.c:187
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "В режиме FIPS поддерживается только PBKDF2."
 
-#: lib/utils_benchmark.c:175
+#: lib/utils_benchmark.c:171
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "Оценка производительности PBKDF выключена, но не задано количество итераций."
 
-#: lib/utils_benchmark.c:194
+#: lib/utils_benchmark.c:190
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Несовместимые параметры PBKDF2 (используется алгоритм хэширования %s)."
 
-#: lib/utils_benchmark.c:214
+#: lib/utils_benchmark.c:210
 msgid "Not compatible PBKDF options."
 msgstr "Несовместимые параметры PBKDF."
 
-#: lib/utils_device_locking.c:101
+#: lib/utils_device_locking.c:88
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Блокировка прервана. Путь блокировки %s/%s использовать невозможно (не является каталогом или отсутствует)."
 
-#: lib/utils_device_locking.c:118
+#: lib/utils_device_locking.c:105
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Блокировка прервана. Путь блокировки %s/%s использовать невозможно (%s не является каталогом)."
 
-#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
-#: src/utils_reencrypt_luks1.c:832
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
+#: src/utils_reencrypt_luks1.c:795
 msgid "Cannot seek to device offset."
 msgstr "Невозможно перемещаться по устройству."
 
-#: lib/utils_wipe.c:247
+#: lib/utils_wipe.c:236
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Ошибка затирания устройства, смещение %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:39
+#: lib/utils_wipe.c:331
+msgid "Incorrect OPAL PSID."
+msgstr "Некорректный OPAL PSID."
+
+#: lib/utils_wipe.c:333
+msgid "Cannot erase OPAL device."
+msgstr "Невозможно стереть устройство OPAL."
+
+#: lib/luks1/keyencryption.c:26
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -794,110 +913,110 @@ msgstr ""
 "Ошибка при настройке отображения ключей dm-crypt для устройства %s.\n"
 "Убедитесь, что ядро поддерживает шифр %s (подробности смотрите в syslog)."
 
-#: lib/luks1/keyencryption.c:44
+#: lib/luks1/keyencryption.c:31
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Размер ключа в режиме XTS должен быть 256 или 512 бит."
 
-#: lib/luks1/keyencryption.c:46
+#: lib/luks1/keyencryption.c:33
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Шифр должен указываться в формате [шифр]-[режим]-[iv]."
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366
-#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132
-#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
+#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
+#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Невозможно записать на устройство %s, недостаточно прав."
 
-#: lib/luks1/keyencryption.c:120
+#: lib/luks1/keyencryption.c:107
 msgid "Failed to open temporary keystore device."
 msgstr "Не удалось открыть временное устройство keystore."
 
-#: lib/luks1/keyencryption.c:127
+#: lib/luks1/keyencryption.c:114
 msgid "Failed to access temporary keystore device."
 msgstr "Не удалось получить доступ к временному устройству keystore."
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62
-#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192
+#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Ошибка ввода-вывода при шифровании слота ключа."
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369
-#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679
-#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
-#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
-#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
-#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
-#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
-#: src/utils_reencrypt_luks1.c:133
+#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
+#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
+#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
+#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Невозможно открыть устройство %s."
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
 msgid "IO error while decrypting keyslot."
 msgstr "Ошибка ввода-вывода при расшифровке слота ключа."
 
-#: lib/luks1/keymanage.c:130
+#: lib/luks1/keymanage.c:117
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Устройство %s слишком маленькое (для LUKS1 требуется не менее %<PRIu64> байт)."
 
-#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159
-#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182
-#: lib/luks1/keymanage.c:194
+#: lib/luks1/keymanage.c:138 lib/luks1/keymanage.c:146
+#: lib/luks1/keymanage.c:158 lib/luks1/keymanage.c:169
+#: lib/luks1/keymanage.c:181
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "Некорректный слот ключа LUKS %u."
 
-#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Запрошенный файл резервного заголовка %s уже существует."
 
-#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Невозможно создать файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Невозможно записать файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Резервный файл не содержит корректный заголовок LUKS."
 
-#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593
-#: lib/luks2/luks2_json_metadata.c:1420
+#: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
+#: lib/luks2/luks2_json_metadata.c:1445
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Невозможно открыть файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Невозможно прочитать файл резервного заголовка %s."
 
-#: lib/luks1/keymanage.c:339
+#: lib/luks1/keymanage.c:326
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Смещение данных или размер ключа различаются на устройстве и в резервной копии, восстановление невозможно."
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:334
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Устройство %s %s%s"
 
-#: lib/luks1/keymanage.c:348
+#: lib/luks1/keymanage.c:335
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "не содержит заголовка LUKS. Замена заголовка может уничтожить данные на этом устройстве."
 
-#: lib/luks1/keymanage.c:349
+#: lib/luks1/keymanage.c:336
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "уже содержит заголовок LUKS. Замена заголовка уничтожит существующие слоты ключей."
 
-#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -905,493 +1024,497 @@ msgstr ""
 "\n"
 "ПРЕДУПРЕЖДЕНИЕ: заголовок устройства и резервная копия содержат разные UUID!"
 
-#: lib/luks1/keymanage.c:398
+#: lib/luks1/keymanage.c:385
 msgid "Non standard key size, manual repair required."
 msgstr "Нестандартный размер ключа, требуется исправление вручную."
 
-#: lib/luks1/keymanage.c:408
+#: lib/luks1/keymanage.c:395
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Нестандартное выравнивание слотов ключей, требуется исправление вручную."
 
-#: lib/luks1/keymanage.c:417
+#: lib/luks1/keymanage.c:404
 #, c-format
 msgid "Cipher mode repaired (%s -> %s)."
 msgstr "Исправлен режим шифра (%s -> %s)."
 
-#: lib/luks1/keymanage.c:428
+#: lib/luks1/keymanage.c:415
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Хэш шифра приведён к нижнему регистру (%s)."
 
-#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536
-#: lib/luks1/keymanage.c:792
+#: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
+#: lib/luks1/keymanage.c:779
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Запрошенный хэш LUKS %s не поддерживается."
 
-#: lib/luks1/keymanage.c:444
+#: lib/luks1/keymanage.c:431
 msgid "Repairing keyslots."
 msgstr "Исправление слотов ключей."
 
-#: lib/luks1/keymanage.c:463
+#: lib/luks1/keymanage.c:450
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Слот ключа %i: исправлено смещение (%u -> %u)."
 
-#: lib/luks1/keymanage.c:471
+#: lib/luks1/keymanage.c:458
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Слот ключа %i: исправлены полосы (%u -> %u)."
 
-#: lib/luks1/keymanage.c:480
+#: lib/luks1/keymanage.c:467
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Слот ключа %i: фиктивная подпись раздела."
 
-#: lib/luks1/keymanage.c:485
+#: lib/luks1/keymanage.c:472
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Слот ключа %i: соль затёрта."
 
-#: lib/luks1/keymanage.c:502
+#: lib/luks1/keymanage.c:489
 msgid "Writing LUKS header to disk."
 msgstr "Запись заголовка LUKS на диск."
 
-#: lib/luks1/keymanage.c:507
+#: lib/luks1/keymanage.c:494
 msgid "Repair failed."
 msgstr "Ошибка при исправлении."
 
-#: lib/luks1/keymanage.c:562
+#: lib/luks1/keymanage.c:549
 #, c-format
 msgid "LUKS cipher mode %s is invalid."
 msgstr "Некорректный режим шифра LUKS %s."
 
-#: lib/luks1/keymanage.c:567
+#: lib/luks1/keymanage.c:554
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr "Некорректный хэш LUKS %s."
 
-#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
 msgid "No known problems detected for LUKS header."
 msgstr "Известных неполадок в заголовке LUKS не обнаружено."
 
-#: lib/luks1/keymanage.c:702
+#: lib/luks1/keymanage.c:689
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Ошибка при обновлении заголовка LUKS на устройстве %s."
 
-#: lib/luks1/keymanage.c:710
+#: lib/luks1/keymanage.c:697
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Ошибка при повторном считывании заголовка LUKS после обновления на устройстве %s."
 
-#: lib/luks1/keymanage.c:786
+#: lib/luks1/keymanage.c:773
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Смещение данных заголовка LUKS должно быть равно 0 или быть больше размера заголовка."
 
-#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866
-#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
-#: src/utils_reencrypt.c:539
+#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:541
 msgid "Wrong LUKS UUID format provided."
 msgstr "Указан неправильный формат LUKS UUID."
 
-#: lib/luks1/keymanage.c:819
+#: lib/luks1/keymanage.c:806
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Невозможно создать заголовок LUKS: ошибка при чтении случайной соли."
 
-#: lib/luks1/keymanage.c:845
+#: lib/luks1/keymanage.c:832
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Невозможно создать заголовок LUKS: ошибка подсчёта дайджеста заголовка (используйте хэш %s)."
 
-#: lib/luks1/keymanage.c:889
+#: lib/luks1/keymanage.c:876
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Активен слот ключа %d, сначала нужна вычистка."
 
-#: lib/luks1/keymanage.c:895
+#: lib/luks1/keymanage.c:882
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Данный слота ключа %d содержат несколько полос. Подделка заголовка?"
 
-#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270
+#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
 msgid "PBKDF2 iteration value overflow."
 msgstr "Переполнение значения итерации PBKDF2."
 
-#: lib/luks1/keymanage.c:1040
+#: lib/luks1/keymanage.c:1027
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Невозможно открыть слот ключа (используется хэш %s)."
 
-#: lib/luks1/keymanage.c:1118
+#: lib/luks1/keymanage.c:1105
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Некорректный слот ключа %d, значение слота ключа должно быть между 0 и %d."
 
-#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718
+#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Невозможно затереть устройство %s."
 
-#: lib/loopaes/loopaes.c:146
+#: lib/loopaes/loopaes.c:133
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Обнаружен пока не поддерживаемый зашифрованный файл ключа GPG."
 
-#: lib/loopaes/loopaes.c:147
+#: lib/loopaes/loopaes.c:134
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Используйте gpg --decrypt <ФАЙЛ_КЛЮЧА> | cryptsetup --keyfile=- …\n"
 
-#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Обнаружен несовместимый файл ключа loop-AES."
 
-#: lib/loopaes/loopaes.c:245
+#: lib/loopaes/loopaes.c:232
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Ядро не поддерживает совместимое отображение loop-AES."
 
-#: lib/tcrypt/tcrypt.c:508
+#: lib/tcrypt/tcrypt.c:497
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Ошибка при чтении файла ключа %s."
 
-#: lib/tcrypt/tcrypt.c:558
+#: lib/tcrypt/tcrypt.c:547
 #, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr "Превышена максимальная длина парольной фразы TCRYPT (%zu)."
 
-#: lib/tcrypt/tcrypt.c:600
+#: lib/tcrypt/tcrypt.c:589
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Алгоритм хэширования PBKDF2 %s недоступен, пропускается."
 
-#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
 msgid "Required kernel crypto interface not available."
 msgstr "Требуемый интерфейс ядра crypto недоступен."
 
-#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Убедитесь, что загружен ядерный модуль algif_skcipher."
 
-#: lib/tcrypt/tcrypt.c:762
+#: lib/tcrypt/tcrypt.c:751
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Активация не поддерживается при размере сектора %d."
 
-#: lib/tcrypt/tcrypt.c:768
+#: lib/tcrypt/tcrypt.c:757
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Ядро не поддерживает активацию для данного устаревшего режима TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:799
+#: lib/tcrypt/tcrypt.c:788
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Активируется система шифрования TCRYPT для раздела %s."
 
-#: lib/tcrypt/tcrypt.c:882
+#: lib/tcrypt/tcrypt.c:871
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Ядро не поддерживает совместимое отображение TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1095
+#: lib/tcrypt/tcrypt.c:1090
 msgid "This function is not supported without TCRYPT header load."
 msgstr "эта функция не поддерживается без загрузки заголовка TCRYPT."
 
-#: lib/bitlk/bitlk.c:278
+#: lib/bitlk/bitlk.c:265
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "При анализе поддерживаемого главного ключа тома обнаружен неожиданный тип элемента метаданных «%u»."
 
-#: lib/bitlk/bitlk.c:337
+#: lib/bitlk/bitlk.c:327
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "При анализе поддерживаемого главного ключа тома обнаружена некорректная строка."
 
-#: lib/bitlk/bitlk.c:341
+#: lib/bitlk/bitlk.c:331
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "При анализе поддерживаемого главного ключа тома обнаружена неожиданная строка («%s»)."
 
-#: lib/bitlk/bitlk.c:358
+#: lib/bitlk/bitlk.c:351
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "При анализе поддерживаемого главного ключа тома обнаружено неожиданное значение элемента метаданных «%u»."
 
-#: lib/bitlk/bitlk.c:460
+#: lib/bitlk/bitlk.c:453
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK версии 1 пока не поддерживается."
 
-#: lib/bitlk/bitlk.c:466
+#: lib/bitlk/bitlk.c:459
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Некорректная или неизвестная подпись загрузчика устройства BITLK."
 
-#: lib/bitlk/bitlk.c:478
+#: lib/bitlk/bitlk.c:471
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Неподдерживаемый размер сектора %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:486
+#: lib/bitlk/bitlk.c:479
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Ошибка чтения заголовка BITLK из %s."
 
-#: lib/bitlk/bitlk.c:511
+#: lib/bitlk/bitlk.c:504
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "Ошибка чтения метаданных BITLK FVE из %s."
 
-#: lib/bitlk/bitlk.c:562
+#: lib/bitlk/bitlk.c:555
 msgid "Unknown or unsupported encryption type."
 msgstr "Неизвестный или неподдерживаемый тип шифрования."
 
-#: lib/bitlk/bitlk.c:602
+#: lib/bitlk/bitlk.c:595
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "Ошибка чтения элементов метаданных BITLK из %s."
 
-#: lib/bitlk/bitlk.c:719
+#: lib/bitlk/bitlk.c:712
 msgid "Failed to convert BITLK volume description"
 msgstr "Ошибка преобразования описания тома BITLK"
 
-#: lib/bitlk/bitlk.c:882
+#: lib/bitlk/bitlk.c:877
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "При анализе внешнего ключа обнаружен неожиданный тип элемента метаданных «%u»."
 
-#: lib/bitlk/bitlk.c:905
+#: lib/bitlk/bitlk.c:900
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "GUID «%s» BEK-файла не совпадает с GUID тома."
 
-#: lib/bitlk/bitlk.c:909
+#: lib/bitlk/bitlk.c:904
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "При анализе внешнего ключа обнаружено неожиданное значение элемента метаданных «%u»."
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:943
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Неподдерживаемая версия %<PRIu32> метаданных BEK"
 
-#: lib/bitlk/bitlk.c:953
+#: lib/bitlk/bitlk.c:948
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Неожиданный размер %<PRIu32> метаданных BEK не совпадает с длиной файла BEK"
 
-#: lib/bitlk/bitlk.c:979
+#: lib/bitlk/bitlk.c:974
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "При анализе ключа запуска обнаружен неожиданный элемент метаданных."
 
-#: lib/bitlk/bitlk.c:1075
+#: lib/bitlk/bitlk.c:1069
 msgid "This operation is not supported."
 msgstr "Эта операция не поддерживается."
 
-#: lib/bitlk/bitlk.c:1083
+#: lib/bitlk/bitlk.c:1077
 msgid "Unexpected key data size."
 msgstr "Неожиданный размер ключа данных."
 
-#: lib/bitlk/bitlk.c:1209
+#: lib/bitlk/bitlk.c:1203
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Данное устройство BITLK находится в неподдерживаемом состоянии и не может быть включено."
 
-#: lib/bitlk/bitlk.c:1214
+#: lib/bitlk/bitlk.c:1208
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Устройства BITLK с типом «%s» не могут быть включены."
 
-#: lib/bitlk/bitlk.c:1221
+#: lib/bitlk/bitlk.c:1215
 msgid "Activation of partially decrypted BITLK device is not supported."
 msgstr "Активация частично расширенного устройства BITLK не поддерживается."
 
-#: lib/bitlk/bitlk.c:1262
+#: lib/bitlk/bitlk.c:1256
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: размер тома BitLocker %<PRIu64> не совпадает с размером нижележащего устройства %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1389
+#: lib/bitlk/bitlk.c:1383
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка BITLK IV."
 
-#: lib/bitlk/bitlk.c:1393
+#: lib/bitlk/bitlk.c:1387
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка BITLK Elephant diffuser."
 
-#: lib/bitlk/bitlk.c:1397
+#: lib/bitlk/bitlk.c:1391
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка секторов большого размера."
 
-#: lib/bitlk/bitlk.c:1401
+#: lib/bitlk/bitlk.c:1395
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Невозможно активировать устройство, отсутствует модуль ядра dm-zero."
 
-#: lib/fvault2/fvault2.c:542
+#: lib/fvault2/fvault2.c:529
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Невозможно прочитать %u байт из заголовка тома."
 
-#: lib/fvault2/fvault2.c:554
+#: lib/fvault2/fvault2.c:541
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Неподдерживаемая версия FVAULT2 %<PRIu16>."
 
-#: lib/verity/verity.c:68 lib/verity/verity.c:182
+#: lib/verity/verity.c:55 lib/verity/verity.c:169
 #, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr "Устройство verity %s не использует заголовок на диске."
 
-#: lib/verity/verity.c:96
+#: lib/verity/verity.c:83
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Неподдерживаемая версия VERITY %d."
 
-#: lib/verity/verity.c:131
+#: lib/verity/verity.c:118
 msgid "VERITY header corrupted."
 msgstr "Повреждён заголовок VERITY."
 
-#: lib/verity/verity.c:176
+#: lib/verity/verity.c:163
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Указан неправильный формат VERITY UUID на устройстве %s."
 
-#: lib/verity/verity.c:220
+#: lib/verity/verity.c:207
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Ошибка при обновлении заголовка verity на устройстве %s."
 
-#: lib/verity/verity.c:278
+#: lib/verity/verity.c:261
 msgid "Root hash signature verification is not supported."
 msgstr "Проверка подписи корневого хэша не поддерживается."
 
-#: lib/verity/verity.c:290
+#: lib/verity/verity.c:266
+msgid "Root hash signature required."
+msgstr "Требуется подпись корневого хэша."
+
+#: lib/verity/verity.c:281
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Невозможно исправить ошибки с устройством FEC."
 
-#: lib/verity/verity.c:292
+#: lib/verity/verity.c:283
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Найдено %u исправимых ошибок с устройством FEC."
 
-#: lib/verity/verity.c:335
+#: lib/verity/verity.c:364
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Ядро не поддерживает отображение dm-verity."
 
-#: lib/verity/verity.c:339
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Ядро не поддерживает параметр подписи dm-verity."
 
-#: lib/verity/verity.c:350
+#: lib/verity/verity.c:379
 msgid "Verity device detected corruption after activation."
 msgstr "После активации обнаружено повреждение устройства verity."
 
-#: lib/verity/verity_hash.c:66
+#: lib/verity/verity_hash.c:53
 #, c-format
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Резервная область не заполнена нулями по адресу %<PRIu64>."
 
-#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
-#: lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
+#: lib/verity/verity_hash.c:298
 msgid "Device offset overflow."
 msgstr "Переполнение смещения устройства."
 
-#: lib/verity/verity_hash.c:218
+#: lib/verity/verity_hash.c:205
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Ошибка при проверке по адресу %<PRIu64>."
 
-#: lib/verity/verity_hash.c:307
+#: lib/verity/verity_hash.c:294
 msgid "Hash area overflow."
 msgstr "Переполнение области хэша."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:367
 msgid "Verification of data area failed."
 msgstr "Ошибка при сверке области данных."
 
-#: lib/verity/verity_hash.c:385
+#: lib/verity/verity_hash.c:372
 msgid "Verification of root hash failed."
 msgstr "Ошибка при сверке корневого хэша."
 
-#: lib/verity/verity_hash.c:391
+#: lib/verity/verity_hash.c:378
 msgid "Input/output error while creating hash area."
 msgstr "Ошибка ввода-вывода при создании области хэша."
 
-#: lib/verity/verity_hash.c:393
+#: lib/verity/verity_hash.c:380
 msgid "Creation of hash area failed."
 msgstr "Ошибка при создании области хэша."
 
-#: lib/verity/verity_hash.c:428
+#: lib/verity/verity_hash.c:415
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ПРЕДУПРЕЖДЕНИЕ: ядро не сможет активировать устройство, если размер блока данных превышает размер страницы (%u)."
 
-#: lib/verity/verity_fec.c:131
+#: lib/verity/verity_fec.c:118
 msgid "Failed to allocate RS context."
 msgstr "Ошибка при выделении контекста RS."
 
-#: lib/verity/verity_fec.c:149
+#: lib/verity/verity_fec.c:136
 msgid "Failed to allocate buffer."
 msgstr "Ошибка при выделении буфера."
 
-#: lib/verity/verity_fec.c:159
+#: lib/verity/verity_fec.c:146
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Не удалось прочитать блок RS %<PRIu64>, байт %d."
 
-#: lib/verity/verity_fec.c:172
+#: lib/verity/verity_fec.c:159
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Не удалось прочитать чётность для блока RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:180
+#: lib/verity/verity_fec.c:167
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Не удалось исправить чётность для блока %<PRIu64>."
 
-#: lib/verity/verity_fec.c:192
+#: lib/verity/verity_fec.c:179
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Не удалось записать чётность для блока RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:208
+#: lib/verity/verity_fec.c:195
 msgid "Block sizes must match for FEC."
 msgstr "Для FEC размеры блока должны совпадать."
 
-#: lib/verity/verity_fec.c:214
+#: lib/verity/verity_fec.c:201
 msgid "Invalid number of parity bytes."
 msgstr "Неверное количество байт чётности."
 
-#: lib/verity/verity_fec.c:248
+#: lib/verity/verity_fec.c:235
 msgid "Invalid FEC segment length."
 msgstr "Неправильная длина сегмента FEC."
 
-#: lib/verity/verity_fec.c:316
+#: lib/verity/verity_fec.c:303
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Не удалось определить размер устройства %s."
 
-#: lib/integrity/integrity.c:57
+#: lib/integrity/integrity.c:44
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "На %2$s обнаружены несовместимые с ядерным dm-integrity метаданные (версия %1$u)."
 
-#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
+#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Ядро не поддерживает отображение dm-integrity."
 
-#: lib/integrity/integrity.c:283
+#: lib/integrity/integrity.c:270
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Ядро не поддерживает выравнивание фиксированных метаданных dm-integrity."
 
-#: lib/integrity/integrity.c:292
+#: lib/integrity/integrity.c:279
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Ядро не позволяет задействовать небезопасный параметр пересчёта (для отключения ищите параметры включения старого режима)."
 
-#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
-#: lib/luks2/luks2_json_metadata.c:1482
+#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1507
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Не удалось захватить блокировку на запись на устройстве %s."
 
-#: lib/luks2/luks2_disk_metadata.c:400
+#: lib/luks2/luks2_disk_metadata.c:388
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Обнаружена попытка одновременного обновления метаданных LUKS2. Отмена операции."
 
-#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
+#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1399,49 +1522,59 @@ msgstr ""
 "Устройство содержит двусмысленные подписи, невозможно провести автоматическое\n"
 "восстановление LUKS2. Для восстановления запустите «cryptsetup repair»."
 
-#: lib/luks2/luks2_json_format.c:229
+#: lib/luks2/luks2_json_format.c:218
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: очень маленькая область слотов ключа (%<PRIu64> байт), количество доступных слотов ключа LUKS2 очень ограничено.\n"
+
+#: lib/luks2/luks2_json_format.c:417
 msgid "Requested data offset is too small."
 msgstr "Запрошенное смещение данных слишком мало."
 
-#: lib/luks2/luks2_json_format.c:274
+#: lib/luks2/luks2_json_format.c:458
 #, c-format
-msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
-msgstr "ПРЕДУПРЕЖДЕНИЕ: очень маленькая область слотов ключа (%<PRIu64> байт), количество доступных слотов ключа LUKS2 очень ограничено.\n"
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: размер метаданных LUKS2 изменился и стал %<PRIu64> байт.\n"
+
+#: lib/luks2/luks2_json_format.c:462
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: размер слотов ключа LUKS2 изменился и стал %<PRIu64> байт.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
-#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94
-#: lib/luks2/luks2_keyslot_luks2.c:116
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:103
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Не удалось захватить блокировку устройства %s на чтение."
 
-#: lib/luks2/luks2_json_metadata.c:1405
+#: lib/luks2/luks2_json_metadata.c:1430
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "В резервной копии %s обнаружены запрещённые требования LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:1446
+#: lib/luks2/luks2_json_metadata.c:1471
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Смещение данных различается на устройстве и в резервной копии, восстановление невозможно."
 
-#: lib/luks2/luks2_json_metadata.c:1452
+#: lib/luks2/luks2_json_metadata.c:1477
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Двоичный заголовок с областями слота ключа различается на устройстве и в резервной копии, восстановление невозможно."
 
-#: lib/luks2/luks2_json_metadata.c:1459
+#: lib/luks2/luks2_json_metadata.c:1484
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Устройство %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1460
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "не содержит заголовка LUKS2. Замена заголовка может уничтожить данные на этом устройстве."
 
-#: lib/luks2/luks2_json_metadata.c:1461
+#: lib/luks2/luks2_json_metadata.c:1486
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "уже содержит заголовок LUKS2. Замена заголовка уничтожит существующие слоты ключей."
 
-#: lib/luks2/luks2_json_metadata.c:1463
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1452,7 +1585,7 @@ msgstr ""
 "действующего устройства! Замена заголовка из резервной копии может повредить\n"
 "данные на этом устройстве!"
 
-#: lib/luks2/luks2_json_metadata.c:1465
+#: lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1462,471 +1595,558 @@ msgstr ""
 "ПРЕДУПРЕЖДЕНИЕ: на устройстве обнаружено незаконченное отложенное (offline)\n"
 "перешифрование! Замена заголовка из резервной копии может повредить данные."
 
-#: lib/luks2/luks2_json_metadata.c:1562
+#: lib/luks2/luks2_json_metadata.c:1587
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Неизвестный флаг %s игнорируется."
 
-#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
+#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Отсутствует ключ для сегмента dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
+#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
 msgid "Failed to set dm-crypt segment."
 msgstr "Ошибка при задании сегмента dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
+#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
 msgid "Failed to set dm-linear segment."
 msgstr "Ошибка при задании сегмента dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2615
+#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+msgid "No known cipher specification pattern detected in LUKS2 header."
+msgstr "Обнаружено указание неизвестного шаблона шифра в заголовке LUKS2."
+
+#: lib/luks2/luks2_json_metadata.c:2657
+msgid "OPAL device must have static device size."
+msgstr "Устройство OPAL должно иметь статический размер устройства."
+
+#: lib/luks2/luks2_json_metadata.c:2677
+msgid "Encrypted OPAL device with integrity must be smaller than locking range."
+msgstr "Зашифрованное устройство OPAL с проверкой целостности должно быть меньше диапазона блокировки."
+
+#: lib/luks2/luks2_json_metadata.c:2682
+msgid "OPAL device must have same size as locking range."
+msgstr "Размер устройства OPAL должен совпадать с размером диапазона блокировки."
+
+#: lib/luks2/luks2_json_metadata.c:2702
+#, c-format
+msgid "OPAL device is %s already unlocked.\n"
+msgstr "Устройство OPAL %s уже разблокировано.\n"
+
+#: lib/luks2/luks2_json_metadata.c:2735
 msgid "Unsupported device integrity configuration."
 msgstr "Неподдерживаемые настройки целостности устройства."
 
-#: lib/luks2/luks2_json_metadata.c:2701
+#: lib/luks2/luks2_json_metadata.c:2751
+msgid "Underlying dm-integrity device with unexpected provided data sectors."
+msgstr "Нижеежащее устройство dm-integrity предоставило неожиданные сектора данных."
+
+#: lib/luks2/luks2_json_metadata.c:2846
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Выполняется перешифрование. Невозможно деактивировать устройство."
 
-#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
+#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Не удалось заменить приостановленное устройство %s на цель dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2792
+#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#, c-format
+msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
+msgstr "Устройство %s было диактивировано, но аппаратное устройство OPAL заблокировать не удалось."
+
+#: lib/luks2/luks2_json_metadata.c:2967
 msgid "Failed to read LUKS2 requirements."
 msgstr "Ошибка при чтении требований LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2799
+#: lib/luks2/luks2_json_metadata.c:2974
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Обнаружены неудовлетворяемые требования LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2807
+#: lib/luks2/luks2_json_metadata.c:2982
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Операция не совместима с устройством, отмеченным для устаревшего перешифрования. Прерываемся."
 
-#: lib/luks2/luks2_json_metadata.c:2809
+#: lib/luks2/luks2_json_metadata.c:2984
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Операция не совместима с устройством, отмеченным для перешифрования LUKS2. Прерываемся."
 
-#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
+#: lib/luks2/luks2_json_metadata.c:2986
+msgid "Operation incompatible with device using OPAL. Aborting."
+msgstr "Операция не совместима с устройством, использующим OPAL. Прерываемся."
+
+#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
 msgid "Not enough available memory to open a keyslot."
 msgstr "Недостаточно памяти для открытия слота ключа."
 
-#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
+#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
 msgid "Keyslot open failed."
 msgstr "Ошибка открытия слота ключа."
 
-#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Невозможно использовать шифр %s-%s для шифрования слота ключа."
 
-#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394
-#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Алгоритм хэширования %s недоступен."
 
-#: lib/luks2/luks2_keyslot_luks2.c:510
+#: lib/luks2/luks2_keyslot_luks2.c:358
+msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+msgstr "Предупреждение: операция со слотом ключа завершилась ошибкой, так как требует больше памяти, чем доступно.\n"
+
+#: lib/luks2/luks2_keyslot_luks2.c:507
 msgid "No space for new keyslot."
 msgstr "Нет места для нового слота ключа."
 
-#: lib/luks2/luks2_keyslot_reenc.c:593
+#: lib/luks2/luks2_keyslot_reenc.c:583
 msgid "Invalid reencryption resilience mode change requested."
 msgstr "Запрошена некорректная смена режима устойчивости перешифрования."
 
-#: lib/luks2/luks2_keyslot_reenc.c:714
+#: lib/luks2/luks2_keyslot_reenc.c:704
 #, c-format
 msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
 msgstr "Невозможно обновить тип устойчивости. Новый тип предоставляет только %<PRIu64> байт, требуемое место: %<PRIu64> байт."
 
-#: lib/luks2/luks2_keyslot_reenc.c:724
+#: lib/luks2/luks2_keyslot_reenc.c:714
 msgid "Failed to refresh reencryption verification digest."
 msgstr "Ошибка при обновлении сверки дайджеста перешифрования."
 
-#: lib/luks2/luks2_luks1_convert.c:512
+#: lib/luks2/luks2_luks1_convert.c:532
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Невозможно определить состояние устройства с uuid: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:538
+#: lib/luks2/luks2_luks1_convert.c:558
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Невозможно преобразовать заголовок с дополнительными метаданными LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Невозможно использовать шаблон шифра %s-%s для LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:584
+#: lib/luks2/luks2_luks1_convert.c:604
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Невозможно переместить область слота ключа. Недостаточно места."
 
-#: lib/luks2/luks2_luks1_convert.c:619
+#: lib/luks2/luks2_luks1_convert.c:643
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Невозможно преобразовать в формат LUKS2 — некорректные метаданные."
 
-#: lib/luks2/luks2_luks1_convert.c:636
+#: lib/luks2/luks2_luks1_convert.c:660
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Невозможно переместить область слота ключа. Слишком маленькие слоты ключа LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
+#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
 msgid "Unable to move keyslot area."
 msgstr "Невозможно переместить область слота ключа."
 
-#: lib/luks2/luks2_luks1_convert.c:732
+#: lib/luks2/luks2_luks1_convert.c:756
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Невозможно преобразовать в формат LUKS1 — размер сектора шифрования сегмента по умолчанию не равно 512 байтам."
 
-#: lib/luks2/luks2_luks1_convert.c:740
+#: lib/luks2/luks2_luks1_convert.c:764
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Невозможно преобразовать в формат LUKS1 — дайджесты слота ключа несовместимы с LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:752
+#: lib/luks2/luks2_luks1_convert.c:776
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Невозможно преобразовать в формат LUKS1 — устройство использует шифр %s с обёрточным ключом."
 
-#: lib/luks2/luks2_luks1_convert.c:757
+#: lib/luks2/luks2_luks1_convert.c:781
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Невозможно преобразовать в формат LUKS1 — устройство использует несколько сегментов."
 
-#: lib/luks2/luks2_luks1_convert.c:765
+#: lib/luks2/luks2_luks1_convert.c:789
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Невозможно преобразовать в формат LUKS1 — заголовок LUKS2 содержит %u токенов."
 
-#: lib/luks2/luks2_luks1_convert.c:779
+#: lib/luks2/luks2_luks1_convert.c:803
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Невозможно преобразовать в формат LUKS1 — слот ключа %u находится в некорректном состоянии."
 
-#: lib/luks2/luks2_luks1_convert.c:784
+#: lib/luks2/luks2_luks1_convert.c:808
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Невозможно преобразовать в формат LUKS1 — слот %u (больше максимального количества слотов) всё ещё активен."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Невозможно преобразовать в формат LUKS1 — слот ключа %u несовместим с LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1152
+#: lib/luks2/luks2_reencrypt.c:1183
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Размер hotzone должен быть кратен вычисленному выравниванию зоны (%zu байт)."
 
-#: lib/luks2/luks2_reencrypt.c:1157
+#: lib/luks2/luks2_reencrypt.c:1188
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Размер устройства должен быть кратен вычисленному выравниванию зоны (%zu байт)."
 
-#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
-#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
-#: lib/luks2/luks2_reencrypt.c:3877
+#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
+#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
+#: lib/luks2/luks2_reencrypt.c:3956
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Ошибка при инициализации старой сегментной обёртки хранилища."
 
-#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
+#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Ошибка при инициализации новой сегментной обёртки хранилища."
 
-#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
 msgid "Failed to initialize hotzone protection."
 msgstr "Ошибка при инициализации защиты hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1578
+#: lib/luks2/luks2_reencrypt.c:1609
 msgid "Failed to read checksums for current hotzone."
 msgstr "Ошибка чтения контрольных сумм текущей hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
+#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Не удалось прочитать область hotzone начиная с %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1604
+#: lib/luks2/luks2_reencrypt.c:1635
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Не удалось расшифровать сектор %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1610
+#: lib/luks2/luks2_reencrypt.c:1641
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Не удалось восстановить сектор %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2174
+#: lib/luks2/luks2_reencrypt.c:2205
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Размеры устройств источника и назначения не совпадают. Источник %<PRIu64>, назначение: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2272
+#: lib/luks2/luks2_reencrypt.c:2303
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Ошибка при активации устройства hotzone %s."
 
-#: lib/luks2/luks2_reencrypt.c:2289
+#: lib/luks2/luks2_reencrypt.c:2320
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Ошибка при активации оверлейного устройства %s с действительной исходной таблицей."
 
-#: lib/luks2/luks2_reencrypt.c:2296
+#: lib/luks2/luks2_reencrypt.c:2327
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Ошибка при загрузке нового отображения устройства %s."
 
-#: lib/luks2/luks2_reencrypt.c:2367
+#: lib/luks2/luks2_reencrypt.c:2398
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Ошибка при обновлении стека устройств перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2550
+#: lib/luks2/luks2_reencrypt.c:2598
 msgid "Failed to set new keyslots area size."
 msgstr "Ошибка при задании нового размера области слотов ключей."
 
-#: lib/luks2/luks2_reencrypt.c:2686
+#: lib/luks2/luks2_reencrypt.c:2734
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Значение сдвига данных не выровнено к размеру сектора шифрования (%<PRIu32> байт)."
 
-#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
+#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Неподдерживаемый режим устойчивости %s."
 
-#: lib/luks2/luks2_reencrypt.c:2760
+#: lib/luks2/luks2_reencrypt.c:2808
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Размер перемещаемого сегмента не может быть больше значения сдвига данных."
 
-#: lib/luks2/luks2_reencrypt.c:2802
+#: lib/luks2/luks2_reencrypt.c:2850
 msgid "Invalid reencryption resilience parameters."
 msgstr "Некорректные параметры устойчивости перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2824
+#: lib/luks2/luks2_reencrypt.c:2872
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Слишком большой перемещаемый сегмент. Запрошенный размер %<PRIu64>, доступно место: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2911
+#: lib/luks2/luks2_reencrypt.c:2959
 msgid "Failed to clear table."
 msgstr "Ошибка очистки таблицы."
 
-#: lib/luks2/luks2_reencrypt.c:2997
+#: lib/luks2/luks2_reencrypt.c:3045
 msgid "Reduced data size is larger than real device size."
 msgstr "Размер сокращённых данных больше размера устройства."
 
-#: lib/luks2/luks2_reencrypt.c:3004
+#: lib/luks2/luks2_reencrypt.c:3052
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Устройство данных не выровнено к размеру сектора шифрования (%<PRIu32> байт)."
 
-#: lib/luks2/luks2_reencrypt.c:3038
+#: lib/luks2/luks2_reencrypt.c:3086
 #, c-format
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Сдвиг данных (%<PRIu64> секторов) меньше чем будущее смещение данных (%<PRIu64> секторов)."
 
-#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
-#: lib/luks2/luks2_reencrypt.c:3554
+#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
+#: lib/luks2/luks2_reencrypt.c:3612
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Ошибка при открытии %s в монопольном режиме (уже отображено или примонтировано)."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3282
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Устройство не отмечено для перешифрования LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
+#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Ошибка при загрузке контекста перешифрования LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3331
+#: lib/luks2/luks2_reencrypt.c:3389
 msgid "Failed to get reencryption state."
 msgstr "Ошибка при получении состояния перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
+#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
 msgid "Device is not in reencryption."
 msgstr "Устройство не перешифровывается."
 
-#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
+#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
 msgid "Reencryption process is already running."
 msgstr "Процесс перешифрования уже запущен."
 
-#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
+#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
 msgid "Failed to acquire reencryption lock."
 msgstr "Ошибка при захвате блокировки перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3362
+#: lib/luks2/luks2_reencrypt.c:3420
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Невозможно продолжить с перешифрованием. Сначала запустите восстановление перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3497
+#: lib/luks2/luks2_reencrypt.c:3555
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Активный размер устройства и запрошенный размер перешифрования не совпадают."
 
-#: lib/luks2/luks2_reencrypt.c:3511
+#: lib/luks2/luks2_reencrypt.c:3569
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "В параметрах перешифрования запрошен некорректный размер устройства."
 
-#: lib/luks2/luks2_reencrypt.c:3588
+#: lib/luks2/luks2_reencrypt.c:3646
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Выполняется перешифрование. Восстановление выполнить невозможно."
 
-#: lib/luks2/luks2_reencrypt.c:3757
+#: lib/luks2/luks2_reencrypt.c:3814
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Перешифрование LUKS2 уже инициализировано в метаданных."
 
-#: lib/luks2/luks2_reencrypt.c:3764
+#: lib/luks2/luks2_reencrypt.c:3821
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Не удалось инициализировать перешифрование LUKS2 в метаданных."
 
-#: lib/luks2/luks2_reencrypt.c:3859
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+msgid "Reencryption is not supported for DAX (persistent memory) devices."
+msgstr "Перешифрование не поддерживается устройствами DAX (энергостойкая память)."
+
+#: lib/luks2/luks2_reencrypt.c:3881
+msgid "Failed to read passphrase from keyring."
+msgstr "Не удалось прочитать парольную фразу из связки ключей."
+
+#: lib/luks2/luks2_reencrypt.c:3938
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Ошибка при назначении сегментов устройства для следующей hotzone перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3911
+#: lib/luks2/luks2_reencrypt.c:3990
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Ошибка при записи метаданных устойчивости перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3918
+#: lib/luks2/luks2_reencrypt.c:3997
 msgid "Decryption failed."
 msgstr "Не удалось расшифровать."
 
-#: lib/luks2/luks2_reencrypt.c:3923
+#: lib/luks2/luks2_reencrypt.c:4002
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Не удалось записать область hotzone начиная с %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3928
+#: lib/luks2/luks2_reencrypt.c:4007
 msgid "Failed to sync data."
 msgstr "Ошибка синхронизации данных."
 
-#: lib/luks2/luks2_reencrypt.c:3936
+#: lib/luks2/luks2_reencrypt.c:4015
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Ошибка при обновлении метаданных после завершения текущей hotzone перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:4025
+#: lib/luks2/luks2_reencrypt.c:4104
 msgid "Failed to write LUKS2 metadata."
 msgstr "Ошибка при записи метаданных LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:4048
+#: lib/luks2/luks2_reencrypt.c:4127
 msgid "Failed to wipe unused data device area."
 msgstr "Ошибка при затирании неиспользуемой области данных устройства."
 
-#: lib/luks2/luks2_reencrypt.c:4054
+#: lib/luks2/luks2_reencrypt.c:4133
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Ошибка при удалении неиспользуемого (непривязанного) слота ключа %d."
 
-#: lib/luks2/luks2_reencrypt.c:4064
+#: lib/luks2/luks2_reencrypt.c:4143
 msgid "Failed to remove reencryption keyslot."
 msgstr "Ошибка при удалении слота ключа перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:4074
+#: lib/luks2/luks2_reencrypt.c:4153
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Критическая ошибка при перешифровании куска начиная с %<PRIu64>, длиной в %<PRIu64> секторов."
 
-#: lib/luks2/luks2_reencrypt.c:4078
+#: lib/luks2/luks2_reencrypt.c:4157
 msgid "Online reencryption failed."
 msgstr "Оперативное перешифрование завершилось ошибкой."
 
-#: lib/luks2/luks2_reencrypt.c:4083
+#: lib/luks2/luks2_reencrypt.c:4162
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Устройство не возобновит работу пока не будет заменено вручную с целью error."
 
-#: lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4214
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Невозможно продолжить с перешифрованием. Неожиданное состояние перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4220
 msgid "Missing or invalid reencrypt context."
 msgstr "Контекст перешифрования отсутствует или неверен."
 
-#: lib/luks2/luks2_reencrypt.c:4150
+#: lib/luks2/luks2_reencrypt.c:4227
 msgid "Failed to initialize reencryption device stack."
 msgstr "Ошибка при инициализации стека устройства перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
+#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
 msgid "Failed to update reencryption context."
 msgstr "Ошибка при обновлении контекста перешифрования."
 
-#: lib/luks2/luks2_reencrypt_digest.c:405
+#: lib/luks2/luks2_reencrypt_digest.c:408
 msgid "Reencryption metadata is invalid."
 msgstr "Некорректные метаданные перешифрования."
 
-#: src/cryptsetup.c:85
+#: lib/luks2/hw_opal/hw_opal.c:328
+#, c-format
+msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
+msgstr "Диапазон OPAL %d со смещением %<PRIu64> не совпадает с ожидаемыми значениями %<PRIu64>."
+
+#: lib/luks2/hw_opal/hw_opal.c:335
+#, c-format
+msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
+msgstr "Диапазон OPAL %d размером %<PRIu64> не совпадает с размером устройства %<PRIu64>."
+
+#: lib/luks2/hw_opal/hw_opal.c:341
+#, c-format
+msgid "OPAL range %d locking is disabled."
+msgstr "Блокировка диапазона OPAL %d выключена."
+
+#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#, c-format
+msgid "Unexpected OPAL range %d lock state."
+msgstr "Неожиданное состояние блокировки диапазона OPAL %d."
+
+#: src/cryptsetup.c:80
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Параметры шифрования слота ключа могут задаваться только для устройства LUKS2."
 
-#: src/cryptsetup.c:108 src/cryptsetup.c:1901
+#: src/cryptsetup.c:123 src/cryptsetup.c:2238
 #, c-format
 msgid "Enter token PIN: "
 msgstr "Введите PIN токена: "
 
-#: src/cryptsetup.c:110 src/cryptsetup.c:1903
+#: src/cryptsetup.c:125 src/cryptsetup.c:2240
 #, c-format
 msgid "Enter token %d PIN: "
 msgstr "Введите %d PIN токена: "
 
-#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
-#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517
-#: src/utils_reencrypt_luks1.c:580
+#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
+#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
+#: src/utils_reencrypt_luks1.c:567
 msgid "No known cipher specification pattern detected."
 msgstr "Обнаружено указание неизвестного шаблона шифра."
 
-#: src/cryptsetup.c:167
+#: src/cryptsetup.c:193
+#, c-format
+msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
+msgstr "ПРЕДУПРЕЖДЕНИЕ: для шифра используются параметры по умолчанию (%s-%s, размер ключа %u бит), которые могут быть несовместимы со старыми версиями."
+
+#: src/cryptsetup.c:198
+#, c-format
+msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
+msgstr "ПРЕДУПРЕЖДЕНИЕ: для хэша используются параметры по умолчанию (%s), которые могут быть несовместимы со старыми версиями."
+
+#: src/cryptsetup.c:202
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
+msgstr "Для обычного режима всегда используйте параметры --cipher, --key-size и --hash (если не используется файл ключа)."
+
+#: src/cryptsetup.c:208
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: параметр --hash игнорируется в режиме plain с указанным файлом ключа.\n"
 
-#: src/cryptsetup.c:175
+#: src/cryptsetup.c:216
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: параметр --keyfile-size игнорируется, размер для чтения приравнивается размеру ключа шифрования.\n"
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
+#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#, c-format
+msgid "Blkid scan failed for %s."
+msgstr "Ошибка сканирования blkid на %s."
+
+#: src/cryptsetup.c:259
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Обнаружены подпись(и) устройства на %s. Продолжение работы может повредить существующие данные."
 
-#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
-#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
-#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
-#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749
+#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
+#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
+#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
+#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
+#: src/utils_reencrypt.c:759
 msgid "Operation aborted.\n"
 msgstr "Операция прервана.\n"
 
-#: src/cryptsetup.c:294
+#: src/cryptsetup.c:338
 msgid "Option --key-file is required."
 msgstr "Параметр --key-file является обязательным."
 
-#: src/cryptsetup.c:345
+#: src/cryptsetup.c:389
 msgid "Enter VeraCrypt PIM: "
 msgstr "Введите VeraCrypt PIM: "
 
-#: src/cryptsetup.c:354
+#: src/cryptsetup.c:398
 msgid "Invalid PIM value: parse error."
 msgstr "Недопустимое значение PIM: ошибка при разборе."
 
-#: src/cryptsetup.c:357
+#: src/cryptsetup.c:401
 msgid "Invalid PIM value: 0."
 msgstr "Недопустимое значение PIM: 0."
 
-#: src/cryptsetup.c:360
+#: src/cryptsetup.c:404
 msgid "Invalid PIM value: outside of range."
 msgstr "Недопустимое значение PIM: вышло за границы диапазона."
 
-#: src/cryptsetup.c:383
+#: src/cryptsetup.c:427
 msgid "No device header detected with this passphrase."
 msgstr "С этой парольной фразой заголовка устройства не обнаружено."
 
-#: src/cryptsetup.c:456 src/cryptsetup.c:632
+#: src/cryptsetup.c:500 src/cryptsetup.c:676
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Устройство %s не является корректным устройством BITLK."
 
-#: src/cryptsetup.c:464
+#: src/cryptsetup.c:508
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Невозможно определить размер ключа тома BITLK, укажите параметр --key-size."
 
-#: src/cryptsetup.c:506
+#: src/cryptsetup.c:550
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1936,7 +2156,7 @@ msgstr ""
 "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n"
 "Этот дамп следует всегда хранить зашифрованным в надёжном месте."
 
-#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
+#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -1946,79 +2166,86 @@ msgstr ""
 "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n"
 "Этот дамп нужно хранить зашифрованным в надёжном месте."
 
-#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#: src/cryptsetup.c:753 src/cryptsetup.c:783
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Устройство %s не является корректным устройством FVAULT2."
 
-#: src/cryptsetup.c:747
+#: src/cryptsetup.c:791
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Невозможно определить размер ключа тома FVAULT2, укажите параметр --key-size."
 
-#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
+#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Устройство %s всё ещё активно и запланировано к отложенному удалению.\n"
 
-#: src/cryptsetup.c:835
+#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
+#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
+#: src/cryptsetup.c:3382
+#, c-format
+msgid "Failed to set external tokens path %s."
+msgstr "Ошибка при задании пути к внешним токенам %s."
+
+#: src/cryptsetup.c:888
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Для изменения размера активного устройства требуется ключ тома в связке ключей, но указан параметр --disable-keyring."
 
-#: src/cryptsetup.c:982
+#: src/cryptsetup.c:1048
 msgid "Benchmark interrupted."
 msgstr "Оценка производительности прервана."
 
-#: src/cryptsetup.c:1003
+#: src/cryptsetup.c:1069
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     Н/Д\n"
 
-#: src/cryptsetup.c:1005
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u итераций в секунду для %zu-битного ключа\n"
 
-#: src/cryptsetup.c:1019
+#: src/cryptsetup.c:1085
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s Н/Д\n"
 
-#: src/cryptsetup.c:1021
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u итераций, %5u памяти, %1u параллельных потоков (ЦП) для %zu-битного ключа (запрашивался %u мс)\n"
 
-#: src/cryptsetup.c:1045
+#: src/cryptsetup.c:1111
 msgid "Result of benchmark is not reliable."
 msgstr "Результат оценки производительности ненадёжен."
 
-#: src/cryptsetup.c:1095
+#: src/cryptsetup.c:1161
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Тесты, использующие практически только память (без ввода-вывода на хранилище).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1115
+#: src/cryptsetup.c:1186
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s  Алгоритм |      Ключ |      Шифрование |     Расшифровка\n"
 
-#: src/cryptsetup.c:1119
+#: src/cryptsetup.c:1194
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Шифр %s (%i-битный ключ) недоступен."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1138
+#: src/cryptsetup.c:1213
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr ""
 "#     Algorithm |       Key |      Encryption |      Decryption\n"
 "#      Алгоритм |      Ключ |      Шифрование |     Расшифровка\n"
 
-#: src/cryptsetup.c:1149
+#: src/cryptsetup.c:1224
 msgid "N/A"
 msgstr "Н/Д"
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1249
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2027,27 +2254,27 @@ msgstr ""
 "что операция перешифрования желательна (смотрите вывод luksDump) и продолжайте\n"
 "(обновление метаданных) только, если это действительно ваше решение."
 
-#: src/cryptsetup.c:1180
+#: src/cryptsetup.c:1255
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Введите пароль защиты и обновления метаданных перешифрования: "
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1299
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Действительно продолжить восстановление перешифрования LUKS2?"
 
-#: src/cryptsetup.c:1233
+#: src/cryptsetup.c:1308
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Введите пароль проверки дайджеста перешифрования метаданных: "
 
-#: src/cryptsetup.c:1235
+#: src/cryptsetup.c:1310
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Введите пароль восстановления перешифрования: "
 
-#: src/cryptsetup.c:1290
+#: src/cryptsetup.c:1370
 msgid "Really try to repair LUKS device header?"
 msgstr "Действительно попробовать восстановить заголовок устройства LUKS?"
 
-#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2055,7 +2282,7 @@ msgstr ""
 "\n"
 "Затирание прервано."
 
-#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
+#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2063,128 +2290,156 @@ msgstr ""
 "Затирается устройство для инициализации целостности контрольной суммы.\n"
 "Вы можете прервать процесс нажав CTRL+c (остаток незатёртого устройства будет содержать некорректную контрольную сумму).\n"
 
-#: src/cryptsetup.c:1341 src/integritysetup.c:116
+#: src/cryptsetup.c:1421 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Невозможно деактивировать временное устройство %s."
 
-#: src/cryptsetup.c:1392
+#: src/cryptsetup.c:1476
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Параметр целостности можно использовать только в формате LUKS2."
 
-#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
+#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Неподдерживаемый размер параметров метаданных LUKS2."
 
-#: src/cryptsetup.c:1406
+#: src/cryptsetup.c:1486
+msgid "OPAL is supported only for LUKS2 format."
+msgstr "OPAL поддерживается только для формата LUKS2."
+
+#: src/cryptsetup.c:1495
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Файл заголовка не существует, создать?"
 
-#: src/cryptsetup.c:1414
+#: src/cryptsetup.c:1503
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Невозможно создать файл заголовка %s."
 
-#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
-#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
-#: src/integritysetup.c:333
+#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
+#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
+#: src/integritysetup.c:329
 msgid "No known integrity specification pattern detected."
 msgstr "Обнаружено указание неизвестного шаблона целостности."
 
-#: src/cryptsetup.c:1450
+#: src/cryptsetup.c:1539
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Невозможно использовать %s в качестве заголовка для диска."
 
-#: src/cryptsetup.c:1474 src/integritysetup.c:181
+#: src/cryptsetup.c:1568 src/integritysetup.c:168
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Данные на %s будут перезаписаны без возможности восстановления."
 
-#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
-#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
+#: src/cryptsetup.c:1605
+msgid "OPAL Admin password cannot be empty."
+msgstr "Пароль OPAL Admin не может быть пустым."
+
+#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
+#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
 msgid "Failed to set pbkdf parameters."
 msgstr "Ошибка при задании параметров pbkdf."
 
-#: src/cryptsetup.c:1593
+#: src/cryptsetup.c:1751
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Указанный тип спецификации связки ключей --link-vk-to-keyring игнорируется."
+
+#: src/cryptsetup.c:1816
+msgid "Key types have to be the same for both volume keys."
+msgstr "Типы ключей должны быть одинаковыми для обоих ключей тома."
+
+#: src/cryptsetup.c:1821
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Оба ключа тома должны быть добавлены в одно связку ключей."
+
+#: src/cryptsetup.c:1831
+msgid "You need to supply more key names."
+msgstr "Требуется указать ещё несколько имён ключей."
+
+#: src/cryptsetup.c:1835
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Некорректное значение --link-vk-to-keyring."
+
+#: src/cryptsetup.c:1880
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Сокращение смещения данных допускается только для отсоединённого заголовка LUKS."
 
-#: src/cryptsetup.c:1600
+#: src/cryptsetup.c:1887
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Файл контейнера LUKS %s слишком мал для активации, не хватает места для данных."
 
-#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
+#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Невозможно определить размер ключа тома LUKS без слотов ключа, укажите параметр --key-size."
 
-#: src/cryptsetup.c:1658
+#: src/cryptsetup.c:1981
 msgid "Device activated but cannot make flags persistent."
 msgstr "Устройство активировано, но нельзя сделать флаги постоянными."
 
-#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
+#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Для удаления выбран слот ключа %d."
 
-#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Это последний слот ключа. Устройство станет неработоспособным после вычистки этого ключа."
 
-#: src/cryptsetup.c:1750
+#: src/cryptsetup.c:2078
 msgid "Enter any remaining passphrase: "
 msgstr "Введите любую оставшуюся парольную фразу: "
 
-#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
+#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Операция прервана, слот ключа НЕ затёрт.\n"
 
-#: src/cryptsetup.c:1787
+#: src/cryptsetup.c:2115
 msgid "Enter passphrase to be deleted: "
 msgstr "Введите удаляемую парольную фразу: "
 
-#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
-#: src/cryptsetup.c:2948
+#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
+#: src/cryptsetup.c:3373
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Устройство %s не является корректным устройством LUKS2."
 
-#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
+#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
 msgid "Enter new passphrase for key slot: "
 msgstr "Введите новую парольную фразу для слота ключа: "
 
-#: src/cryptsetup.c:1968
+#: src/cryptsetup.c:2306
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: для нового номера слота ключа используется параметр --key-slot.\n"
 
-#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
+#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Введите любую существующую парольную фразу: "
 
-#: src/cryptsetup.c:2152
+#: src/cryptsetup.c:2504
 msgid "Enter passphrase to be changed: "
 msgstr "Введите изменяемую парольную фразу: "
 
-#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
+#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
 msgid "Enter new passphrase: "
 msgstr "Введите новую парольную фразу: "
 
-#: src/cryptsetup.c:2218
+#: src/cryptsetup.c:2570
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Введите парольную фразу для преобразуемого слота ключа: "
 
-#: src/cryptsetup.c:2242
+#: src/cryptsetup.c:2594
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Только одно устройство можно указать для операции isLuks."
 
-#: src/cryptsetup.c:2350
+#: src/cryptsetup.c:2702
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Слот ключа %d не содержит непривязанного ключа."
 
-#: src/cryptsetup.c:2355
+#: src/cryptsetup.c:2707
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2193,40 +2448,52 @@ msgstr ""
 "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n"
 "Этот дамп нужно хранить зашифрованным в надёжном месте."
 
-#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
+#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s не является именем активного устройства %s."
 
-#: src/cryptsetup.c:2465
+#: src/cryptsetup.c:2834
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s не является именем активного устройства LUKS или отсутствует заголовок."
 
-#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
+#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
 msgid "Option --header-backup-file is required."
 msgstr "Параметр --header-backup-file является обязательным."
 
-#: src/cryptsetup.c:2577
+#: src/cryptsetup.c:2962
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s не является управляемым устройством cryptsetup."
 
-#: src/cryptsetup.c:2588
+#: src/cryptsetup.c:2973
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Обновление не поддерживается для устройств типа %s"
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:3023
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Нераспознанный тип метаданных устройства %s."
 
-#: src/cryptsetup.c:2640
+#: src/cryptsetup.c:3025
 msgid "Command requires device and mapped name as arguments."
 msgstr "Для команды требуется задать устройство и имя отображения."
 
-#: src/cryptsetup.c:2661
+#: src/cryptsetup.c:3035
+msgid "Enter OPAL PSID: "
+msgstr "Введите OPAL PSID: "
+
+#: src/cryptsetup.c:3035
+msgid "Enter OPAL Admin password: "
+msgstr "Введите пароль OPAL Admin: "
+
+#: src/cryptsetup.c:3043
+msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: диск ПОЛНОСТЬЮ будет приведён к заводскому состоянию и все данные будут стёрты. Продолжить?"
+
+#: src/cryptsetup.c:3086
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2235,351 +2502,351 @@ msgstr ""
 "Эта операция сотрёт все слоты ключей на устройстве %s.\n"
 "Устройство станет неработоспособным после этой операции."
 
-#: src/cryptsetup.c:2668
+#: src/cryptsetup.c:3093
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Операция прервана, слоты ключа НЕ затёрты.\n"
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:3132
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Некорректный тип LUKS, поддерживаются только luks1 и luks2."
 
-#: src/cryptsetup.c:2723
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Device is already %s type."
 msgstr "Устройство уже имеет тип %s."
 
-#: src/cryptsetup.c:2730
+#: src/cryptsetup.c:3155
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Данная операция преобразует формат %s в %s.\n"
 
-#: src/cryptsetup.c:2733
+#: src/cryptsetup.c:3158
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Операция прервана, устройство НЕ преобразовано.\n"
 
-#: src/cryptsetup.c:2773
+#: src/cryptsetup.c:3198
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Отсутствует параметр --priority, --label или --subsystem."
 
-#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
+#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Некорректный токен %d."
 
-#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
+#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
 #, c-format
 msgid "Token %d in use."
 msgstr "Используется токен %d."
 
-#: src/cryptsetup.c:2822
+#: src/cryptsetup.c:3247
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Ошибка при добавлении токена luks2-keyring %d."
 
-#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
+#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Ошибка при назначении токена %d слоту ключа %d."
 
-#: src/cryptsetup.c:2850
+#: src/cryptsetup.c:3275
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Токен %d не используется."
 
-#: src/cryptsetup.c:2887
+#: src/cryptsetup.c:3312
 msgid "Failed to import token from file."
 msgstr "Ошибка при импорте токена из файла."
 
-#: src/cryptsetup.c:2912
+#: src/cryptsetup.c:3337
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Ошибка при получении токена %d для экспорта."
 
-#: src/cryptsetup.c:2925
+#: src/cryptsetup.c:3350
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Токен %d не назначен слоту ключа %d."
 
-#: src/cryptsetup.c:2927 src/cryptsetup.c:2934
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Ошибка при отмене назначения токена %d слоту ключа %d."
 
-#: src/cryptsetup.c:2983
+#: src/cryptsetup.c:3418
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Параметр --tcrypt-hidden, --tcrypt-system или --tcrypt-backup поддерживается только для устройства TCRYPT."
 
-#: src/cryptsetup.c:2986
+#: src/cryptsetup.c:3421
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Параметр --veracrypt или --disable-veracrypt поддерживается только для устройств с типом TCRYPT."
 
-#: src/cryptsetup.c:2989
+#: src/cryptsetup.c:3424
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Параметр --veracrypt-pim поддерживается только для устройств, совместимых с VeraCrypt."
 
-#: src/cryptsetup.c:2993
+#: src/cryptsetup.c:3428
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Параметр --veracrypt-query-pim поддерживается только для устройств, совместимых с VeraCrypt."
 
-#: src/cryptsetup.c:2995
+#: src/cryptsetup.c:3430
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Параметры --veracrypt-pim и --veracrypt-query-pim взаимно исключают друг друга."
 
-#: src/cryptsetup.c:3004
+#: src/cryptsetup.c:3439
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Параметр --persistent не допускается одновременно указывать с --test-passphrase."
 
-#: src/cryptsetup.c:3007
+#: src/cryptsetup.c:3442
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Параметры --refresh и --test-passphrase взаимно исключают друг друга."
 
-#: src/cryptsetup.c:3010
+#: src/cryptsetup.c:3445
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Параметр --shared допускается только для открытия устройства plain."
 
-#: src/cryptsetup.c:3013
+#: src/cryptsetup.c:3448
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Параметр --skip поддерживается только для открытия устройств plain и loopaes."
 
-#: src/cryptsetup.c:3016
+#: src/cryptsetup.c:3451
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Параметр --offset с действием open поддерживается только для устройств plain и loopaes."
 
-#: src/cryptsetup.c:3019
+#: src/cryptsetup.c:3454
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Параметр --tcrypt-hidden нельзя указывать вместе с --allow-discards."
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:3458
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Параметр размера сектора с действием open поддерживается только для устройств plain."
 
-#: src/cryptsetup.c:3027
+#: src/cryptsetup.c:3462
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Параметр больших секторов IV поддерживается только для открытия устройств типа plain с размером сектора более 512 байт."
 
-#: src/cryptsetup.c:3032
+#: src/cryptsetup.c:3467
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Параметр --test-passphrase допускается только для открытия устройств LUKS, TCRYPT, BITLK и FVAULT2."
 
-#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Параметры --device-size и --size не допускается указывать вместе."
 
-#: src/cryptsetup.c:3038
+#: src/cryptsetup.c:3473
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Параметр --unbound допускается только для открытия устройства luks."
 
-#: src/cryptsetup.c:3041
+#: src/cryptsetup.c:3476
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Параметр --unbound не допускается одновременно указывать с --test-passphrase."
 
-#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
+#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Параметры --cancel-deferred и --deferred не могут быть использованы одновременно."
 
-#: src/cryptsetup.c:3066
-msgid "Options --reduce-device-size and --data-size cannot be combined."
-msgstr "Параметры ---reduce-device-size и --data-size не допускается указывать вместе."
+#: src/cryptsetup.c:3501
+msgid "Options --reduce-device-size and --device-size cannot be combined."
+msgstr "Параметры ---reduce-device-size и --device-size не допускается указывать вместе."
 
-#: src/cryptsetup.c:3069
+#: src/cryptsetup.c:3504
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Параметр --active-name может задаваться только для устройства LUKS2."
 
-#: src/cryptsetup.c:3072
+#: src/cryptsetup.c:3507
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Параметры --active-name и --force-offline-reencrypt не допускается указывать вместе."
 
-#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
 msgid "Keyslot specification is required."
 msgstr "Требуется указать слот ключа."
 
-#: src/cryptsetup.c:3088
+#: src/cryptsetup.c:3523
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Параметры --align-payload и --offset не допускается указывать вместе."
 
-#: src/cryptsetup.c:3091
+#: src/cryptsetup.c:3526
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Параметр --integrity-no-wipe можно использовать только для действия format с расширением целостности."
 
-#: src/cryptsetup.c:3094
+#: src/cryptsetup.c:3529
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Разрешено использовать только один параметр --use-[u]random."
 
-#: src/cryptsetup.c:3102
+#: src/cryptsetup.c:3537
 msgid "Key size is required with --unbound option."
 msgstr "С параметром --unbound требуется задать размер ключа."
 
-#: src/cryptsetup.c:3122
+#: src/cryptsetup.c:3557
 msgid "Invalid token action."
 msgstr "Некорректный токен действия."
 
-#: src/cryptsetup.c:3125
+#: src/cryptsetup.c:3560
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Для добавления токена требуется параметр --key-description."
 
-#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Для действия требуется указать токен. Используйте параметр --token-id."
 
-#: src/cryptsetup.c:3133
+#: src/cryptsetup.c:3568
 msgid "Option --unbound is valid only with token add action."
 msgstr "Параметр --unbound можно использовать только при добавлении."
 
-#: src/cryptsetup.c:3135
+#: src/cryptsetup.c:3570
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Параметры --key-slot и --unbound не допускается указывать вместе."
 
-#: src/cryptsetup.c:3140
+#: src/cryptsetup.c:3575
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Для действия требуется указать слот ключа. Используйте параметр --key-slot."
 
-#: src/cryptsetup.c:3156
+#: src/cryptsetup.c:3591
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<устройство> [--type <тип>] [<имя>]"
 
-#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535
+#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
 msgid "open device as <name>"
 msgstr "открыть устройство как <имя>"
 
-#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159
-#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536
-#: src/integritysetup.c:537 src/integritysetup.c:539
+#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
+#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
+#: src/integritysetup.c:533 src/integritysetup.c:535
 msgid "<name>"
 msgstr "<имя>"
 
-#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536
+#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
 msgid "close device (remove mapping)"
 msgstr "закрыть устройство (удалить отображение)"
 
-#: src/cryptsetup.c:3158 src/integritysetup.c:539
+#: src/cryptsetup.c:3593 src/integritysetup.c:535
 msgid "resize active device"
 msgstr "изменить размер активного устройства"
 
-#: src/cryptsetup.c:3159
+#: src/cryptsetup.c:3594
 msgid "show device status"
 msgstr "показать состояние устройства"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3595
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <шифр>]"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3595
 msgid "benchmark cipher"
 msgstr "оценка производительности шифра"
 
-#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163
-#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172
-#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175
-#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178
-#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181
+#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
+#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
+#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
+#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
+#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
 msgid "<device>"
 msgstr "<устройство>"
 
-#: src/cryptsetup.c:3161
+#: src/cryptsetup.c:3596
 msgid "try to repair on-disk metadata"
 msgstr "попытаться исправить метаданные на диске"
 
-#: src/cryptsetup.c:3162
+#: src/cryptsetup.c:3597
 msgid "reencrypt LUKS2 device"
 msgstr "перешифровать устройство LUKS2"
 
-#: src/cryptsetup.c:3163
+#: src/cryptsetup.c:3598
 msgid "erase all keyslots (remove encryption key)"
 msgstr "стереть все слоты ключей (удалить ключ шифрования)"
 
-#: src/cryptsetup.c:3164
+#: src/cryptsetup.c:3599
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "преобразовать LUKS из/в формат LUKS2"
 
-#: src/cryptsetup.c:3165
+#: src/cryptsetup.c:3600
 msgid "set permanent configuration options for LUKS2"
 msgstr "задать постоянные параметры настройки LUKS2"
 
-#: src/cryptsetup.c:3166 src/cryptsetup.c:3167
+#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
 msgid "<device> [<new key file>]"
 msgstr "<устройство> [<новый файл ключа>]"
 
-#: src/cryptsetup.c:3166
+#: src/cryptsetup.c:3601
 msgid "formats a LUKS device"
 msgstr "форматировать устройство LUKS"
 
-#: src/cryptsetup.c:3167
+#: src/cryptsetup.c:3602
 msgid "add key to LUKS device"
 msgstr "добавить ключ к устройству LUKS"
 
-#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170
+#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
 msgid "<device> [<key file>]"
 msgstr "<устройство> [<файл ключа>]"
 
-#: src/cryptsetup.c:3168
+#: src/cryptsetup.c:3603
 msgid "removes supplied key or key file from LUKS device"
 msgstr "удалить заданный ключ или файл ключа с устройства LUKS"
 
-#: src/cryptsetup.c:3169
+#: src/cryptsetup.c:3604
 msgid "changes supplied key or key file of LUKS device"
 msgstr "изменить заданный ключ или файл ключа устройства LUKS"
 
-#: src/cryptsetup.c:3170
+#: src/cryptsetup.c:3605
 msgid "converts a key to new pbkdf parameters"
 msgstr "преобразовать ключ в новые параметры pbkdf"
 
-#: src/cryptsetup.c:3171
+#: src/cryptsetup.c:3606
 msgid "<device> <key slot>"
 msgstr "<устройство> <слот ключа>"
 
-#: src/cryptsetup.c:3171
+#: src/cryptsetup.c:3606
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "затереть ключ с номером <слот ключа> с устройства LUKS"
 
-#: src/cryptsetup.c:3172
+#: src/cryptsetup.c:3607
 msgid "print UUID of LUKS device"
 msgstr "напечатать UUID устройства LUKS"
 
-#: src/cryptsetup.c:3173
+#: src/cryptsetup.c:3608
 msgid "tests <device> for LUKS partition header"
 msgstr "проверить <устройство> на наличие заголовка раздела LUKS"
 
-#: src/cryptsetup.c:3174
+#: src/cryptsetup.c:3609
 msgid "dump LUKS partition information"
 msgstr "выгрузить в дамп информацию о разделе LUKS"
 
-#: src/cryptsetup.c:3175
+#: src/cryptsetup.c:3610
 msgid "dump TCRYPT device information"
 msgstr "выгрузить в дамп информацию об устройстве TCRYPT"
 
-#: src/cryptsetup.c:3176
+#: src/cryptsetup.c:3611
 msgid "dump BITLK device information"
 msgstr "выгрузить в дамп информацию об устройстве BITLK"
 
-#: src/cryptsetup.c:3177
+#: src/cryptsetup.c:3612
 msgid "dump FVAULT2 device information"
 msgstr "выгрузить в дамп информацию об устройстве FVAULT2"
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3613
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Приостановить устройство LUKS и затереть ключ (заморозка операций ввода-вывода)"
 
-#: src/cryptsetup.c:3179
+#: src/cryptsetup.c:3614
 msgid "Resume suspended LUKS device"
 msgstr "Возобновить работу приостановленного устройства LUKS"
 
-#: src/cryptsetup.c:3180
+#: src/cryptsetup.c:3615
 msgid "Backup LUKS device header and keyslots"
 msgstr "Сделать резервную копию заголовка и слотов ключей устройства LUKS"
 
-#: src/cryptsetup.c:3181
+#: src/cryptsetup.c:3616
 msgid "Restore LUKS device header and keyslots"
 msgstr "Восстановить заголовок и слоты ключей устройства LUKS"
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3617
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <устройство>"
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3617
 msgid "Manipulate LUKS2 tokens"
 msgstr "Управление токенами LUKS2"
 
-#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554
+#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2587,7 +2854,7 @@ msgstr ""
 "\n"
 "<действие> может быть:\n"
 
-#: src/cryptsetup.c:3207
+#: src/cryptsetup.c:3642
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2599,7 +2866,7 @@ msgstr ""
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3646
 #, c-format
 msgid ""
 "\n"
@@ -2614,7 +2881,7 @@ msgstr ""
 "<слот ключа> - номер слота ключа LUKS для изменения\n"
 "<файл ключа> - необязательный файл ключа для нового ключа для действия luksAddKey\n"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3653
 #, c-format
 msgid ""
 "\n"
@@ -2623,29 +2890,28 @@ msgstr ""
 "\n"
 "Встроенным форматом по умолчанию для метаданных является %s (для действия luksFormat).\n"
 
-#: src/cryptsetup.c:3223 src/cryptsetup.c:3226
-#, c-format
+#: src/cryptsetup.c:3658
 msgid ""
 "\n"
-"LUKS2 external token plugin support is %s.\n"
+"LUKS2 external token plugin support is enabled.\n"
 msgstr ""
 "\n"
-"Модуль поддержки внешнего токена LUKS2 %s.\n"
-
-#: src/cryptsetup.c:3223
-msgid "compiled-in"
-msgstr "скомпилирован"
+"Включена поддержка внешнего токена в модуле LUKS2.\n"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3659
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Путь к модулю поддержки внешнего токена LUKS2: %s.\n"
 
-#: src/cryptsetup.c:3226
-msgid "disabled"
-msgstr "выключен"
+#: src/cryptsetup.c:3661
+msgid ""
+"\n"
+"LUKS2 external token plugin support is disabled.\n"
+msgstr ""
+"\n"
+"Выключена поддержка внешнего токена в модуле LUKS2.\n"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3665
 #, c-format
 msgid ""
 "\n"
@@ -2662,7 +2928,7 @@ msgstr ""
 "PBKDF по умолчанию для LUKS2: %s\n"
 "\tВремя итерации: %d, Требуемая память: %dКБ, Кол-во параллельных потоков: %d\n"
 
-#: src/cryptsetup.c:3241
+#: src/cryptsetup.c:3676
 #, c-format
 msgid ""
 "\n"
@@ -2677,189 +2943,203 @@ msgstr ""
 "\tplain: %s, Ключ: %d бит, хэширование пароля: %s\n"
 "\tLUKS: %s, Ключ: %d бит, хэширование заголовка LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3250
+#: src/cryptsetup.c:3685
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Размер ключа по умолчанию в режиме XTS (два внутренних ключа) будет удвоен.\n"
 
-#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711
+#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: требуется %s в качестве аргументов"
 
-#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198
+#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
 msgid "Key slot is invalid."
 msgstr "Некорректный слот ключа."
 
-#: src/cryptsetup.c:3335
+#: src/cryptsetup.c:3771
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Размер устройства должен быть кратен 512 байтовому сектору."
 
-#: src/cryptsetup.c:3340
+#: src/cryptsetup.c:3776
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Неправильный максимальный размер перешифрования hotzone."
 
-#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
+#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Размер ключа должен быть кратен 8-ми битам"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3809
+#, c-format
+msgid "At most %d volume key specifications can be supplied."
+msgstr "Можно задавать не более %d спецификации ключа тома."
+
+#: src/cryptsetup.c:3821
+#, c-format
+msgid "At most %d keyring link specifications can be supplied."
+msgstr "Можно задавать не более %d спецификации связки ключей."
+
+#: src/cryptsetup.c:3830
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Максимальный размер сокращения устройства равен 1 ГиБ."
 
-#: src/cryptsetup.c:3374
+#: src/cryptsetup.c:3833
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Размер сокращения должен быть кратен 512 байтовому сектору."
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3850
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Значением параметра --priority может быть только ignore/normal/prefer."
 
-#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
+#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
 msgid "Show this help message"
 msgstr "Показать это сообщение"
 
-#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
+#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
 msgid "Display brief usage"
 msgstr "Показать краткие инструкции"
 
-#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
+#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
 msgid "Print package version"
 msgstr "Показать версию пакета"
 
-#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
+#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
 msgid "Help options:"
 msgstr "Параметры справки:"
 
-#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
+#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[ПАРАМЕТР…] <действие> <данные для действия>"
 
-#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
+#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
 msgid "Argument <action> missing."
 msgstr "Не задан параметр <действие>."
 
-#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
+#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
 msgid "Unknown action."
 msgstr "Неизвестное действие."
 
-#: src/cryptsetup.c:3546
+#: src/cryptsetup.c:4011
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Параметр --key-file имеет приоритет над указанным значением файла ключа."
 
-#: src/cryptsetup.c:3552
+#: src/cryptsetup.c:4017
 msgid "Only one --key-file argument is allowed."
 msgstr "Разрешено указывать только один параметр --key-file."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:4022
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Производной функцией на основе пароля для ключа (PBKDF) может быть только pbkdf2 или argon2i/argon2id."
 
-#: src/cryptsetup.c:3562
+#: src/cryptsetup.c:4027
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Принудительные итерации PBKDF нельзя объединять вместе с параметром времени итерации."
 
-#: src/cryptsetup.c:3573
+#: src/cryptsetup.c:4032
+msgid "Cannot link volume key to a keyring when keyring is disabled."
+msgstr "Невозможно добавить ключ тома в связку ключей, если она отключена."
+
+#: src/cryptsetup.c:4043
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Параметры --keyslot-cipher и --keyslot-key-size нельзя использовать вместе."
 
-#: src/cryptsetup.c:3581
+#: src/cryptsetup.c:4051
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Без выполнения. Вызвано с параметром --test-args.\n"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:4064
 msgid "Cannot disable metadata locking."
 msgstr "Невозможно выключить блокировку метаданных."
 
-#: src/veritysetup.c:54
+#: src/veritysetup.c:41
 msgid "Invalid salt string specified."
 msgstr "Указана недопустимая строка соли."
 
-#: src/veritysetup.c:87
+#: src/veritysetup.c:74
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Невозможно создать образ хэша %s для записи."
 
-#: src/veritysetup.c:97
+#: src/veritysetup.c:84
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Невозможно создать образ FEC %s для записи."
 
-#: src/veritysetup.c:136
+#: src/veritysetup.c:123
 #, c-format
 msgid "Cannot create root hash file %s for writing."
 msgstr "Невозможно создать файл корневого хэша %s для записи."
 
-#: src/veritysetup.c:143
+#: src/veritysetup.c:130
 #, c-format
 msgid "Cannot write to root hash file %s."
 msgstr "Невозможно записать файл корневого хэша %s."
 
-#: src/veritysetup.c:198 src/veritysetup.c:476
+#: src/veritysetup.c:185 src/veritysetup.c:463
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Устройство %s не является корректным устройством VERITY."
 
-#: src/veritysetup.c:215 src/veritysetup.c:232
+#: src/veritysetup.c:202 src/veritysetup.c:219
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Невозможно прочитать файл корневого хэша %s."
 
-#: src/veritysetup.c:220
+#: src/veritysetup.c:207
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Некорректный файл корневого хэша %s."
 
-#: src/veritysetup.c:241
+#: src/veritysetup.c:228
 msgid "Invalid root hash string specified."
 msgstr "Указана недопустимая строка корневого хэша."
 
-#: src/veritysetup.c:249
+#: src/veritysetup.c:236
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Неверный файл подписи %s."
 
-#: src/veritysetup.c:256
+#: src/veritysetup.c:243
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Невозможно прочитать файл подписи %s."
 
-#: src/veritysetup.c:279 src/veritysetup.c:293
+#: src/veritysetup.c:266 src/veritysetup.c:280
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Для параметра <корневой_хэш> или --root-hash-file требуется указать команду."
 
-#: src/veritysetup.c:489
+#: src/veritysetup.c:476
 msgid "<data_device> <hash_device>"
 msgstr "<устройство_данных> <устройство_хэша>"
 
-#: src/veritysetup.c:489 src/integritysetup.c:534
+#: src/veritysetup.c:476 src/integritysetup.c:530
 msgid "format device"
 msgstr "отформатировать устройство"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:477
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<устройство_данных> <устройство_хэша> [<корневой_хэш>]"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:477
 msgid "verify device"
 msgstr "проверить устройство"
 
-#: src/veritysetup.c:491
+#: src/veritysetup.c:478
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<устройство_данных> <имя> <устройство_хэша> [<корневой_хэш>]"
 
-#: src/veritysetup.c:493 src/integritysetup.c:537
+#: src/veritysetup.c:480 src/integritysetup.c:533
 msgid "show active device status"
 msgstr "показать состояние активного устройства"
 
-#: src/veritysetup.c:494
+#: src/veritysetup.c:481
 msgid "<hash_device>"
 msgstr "<устройство_хэша>"
 
-#: src/veritysetup.c:494 src/integritysetup.c:538
+#: src/veritysetup.c:481 src/integritysetup.c:534
 msgid "show on-disk information"
 msgstr "показать информацию на диске"
 
-#: src/veritysetup.c:513
+#: src/veritysetup.c:500
 #, c-format
 msgid ""
 "\n"
@@ -2874,7 +3154,7 @@ msgstr ""
 "<устройство_хэша> — устройство, содержащее проверочные данные\n"
 "<корневой_хэш> — хэш корневого узла на <устройстве_хэша>\n"
 
-#: src/veritysetup.c:520
+#: src/veritysetup.c:507
 #, c-format
 msgid ""
 "\n"
@@ -2885,15 +3165,15 @@ msgstr ""
 "Встроенные параметры dm-verity по умолчанию:\n"
 "\tХэш: %s, Блок данных (байт): %u, Блок хэша (байт): %u, Размер соли: %u, Формат хэша: %u\n"
 
-#: src/veritysetup.c:658
+#: src/veritysetup.c:648
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Параметры --ignore-corruption и --restart-on-corruption нельзя использовать вместе."
 
-#: src/veritysetup.c:663
+#: src/veritysetup.c:653
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Параметры ---panic-on-corruption и --restart-on-corruption нельзя использовать вместе."
 
-#: src/integritysetup.c:177
+#: src/integritysetup.c:164
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -2903,29 +3183,29 @@ msgstr ""
 "Чтобы сохранить данные на устройстве укажите параметр --no-wipe\n"
 "(и он включит --integrity-recalculate)."
 
-#: src/integritysetup.c:212
+#: src/integritysetup.c:204
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Отформатирован с размером тега %u, внутренняя целостность %s.\n"
 
-#: src/integritysetup.c:289
+#: src/integritysetup.c:285
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Задание флага пересчёта не поддерживается, вместо этого используйте параметр --wipe."
 
-#: src/integritysetup.c:364 src/integritysetup.c:521
+#: src/integritysetup.c:360 src/integritysetup.c:517
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Устройство %s не является корректным устройством INTEGRITY."
 
-#: src/integritysetup.c:534 src/integritysetup.c:538
+#: src/integritysetup.c:530 src/integritysetup.c:534
 msgid "<integrity_device>"
 msgstr "<устройство_целостности>"
 
-#: src/integritysetup.c:535
+#: src/integritysetup.c:531
 msgid "<integrity_device> <name>"
 msgstr "<устройство_целостности> <имя>"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:554
 #, c-format
 msgid ""
 "\n"
@@ -2936,7 +3216,7 @@ msgstr ""
 "<имя> — устройство, создаваемое на %s\n"
 "<устройство_целостности> — устройство, содержащее данные с тегами целостности\n"
 
-#: src/integritysetup.c:563
+#: src/integritysetup.c:559
 #, c-format
 msgid ""
 "\n"
@@ -2949,44 +3229,44 @@ msgstr ""
 "\tАлгоритм контрольной суммы: %s\n"
 "\tМаксимальный размер файла ключа: %dКБ\n"
 
-#: src/integritysetup.c:620
+#: src/integritysetup.c:616
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Неверный размер --%s. Максимальное значение (в байтах) равно %u."
 
-#: src/integritysetup.c:720
+#: src/integritysetup.c:719
 msgid "Both key file and key size options must be specified."
 msgstr "Должны быть указаны параметры файла ключа и размер ключа одновременно."
 
-#: src/integritysetup.c:724
+#: src/integritysetup.c:723
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Должны быть указаны параметры файла ключа целостности и размер ключа одновременно."
 
-#: src/integritysetup.c:727
+#: src/integritysetup.c:726
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Если используется ключ целостности журнала, то должен быть указан алгоритм целостности журнала."
 
-#: src/integritysetup.c:731
+#: src/integritysetup.c:730
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Должны быть указаны параметры файла ключа шифрования и размер ключа одновременно."
 
-#: src/integritysetup.c:734
+#: src/integritysetup.c:733
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Если используется ключ шифрования журнала, то должен быть указан алгоритм шифрования журнала."
 
-#: src/integritysetup.c:738
+#: src/integritysetup.c:737
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Параметры восстановления и режима битовой карты взаимно исключают друг друга."
 
-#: src/integritysetup.c:745
+#: src/integritysetup.c:744
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Параметры журнала нельзя использовать в режиме битовой карты."
 
-#: src/integritysetup.c:750
+#: src/integritysetup.c:749
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Параметр битовой карты можно использовать только в режиме битовой карты."
 
-#: src/utils_tools.c:118
+#: src/utils_tools.c:105
 msgid ""
 "\n"
 "WARNING!\n"
@@ -2997,7 +3277,7 @@ msgstr ""
 "========\n"
 
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:120
+#: src/utils_tools.c:107
 #, c-format
 msgid ""
 "%s\n"
@@ -3008,152 +3288,152 @@ msgstr ""
 "\n"
 "Вы уверены? (введите «yes» заглавными буквами): "
 
-#: src/utils_tools.c:126
+#: src/utils_tools.c:113
 msgid "Error reading response from terminal."
 msgstr "Ошибка чтения ответа с терминала."
 
-#: src/utils_tools.c:158
+#: src/utils_tools.c:145
 msgid "Command successful."
 msgstr "Команда выполнена успешно."
 
-#: src/utils_tools.c:166
+#: src/utils_tools.c:153
 msgid "wrong or missing parameters"
 msgstr "некорректные или отсутствующие параметры"
 
-#: src/utils_tools.c:168
+#: src/utils_tools.c:155
 msgid "no permission or bad passphrase"
 msgstr "нет прав или некорректная парольная фраза"
 
-#: src/utils_tools.c:170
+#: src/utils_tools.c:157
 msgid "out of memory"
 msgstr "недостаточно памяти"
 
-#: src/utils_tools.c:172
+#: src/utils_tools.c:159
 msgid "wrong device or file specified"
 msgstr "указано некорректное устройство или файл"
 
-#: src/utils_tools.c:174
+#: src/utils_tools.c:161
 msgid "device already exists or device is busy"
 msgstr "устройство уже существует или занято"
 
-#: src/utils_tools.c:176
+#: src/utils_tools.c:163
 msgid "unknown error"
 msgstr "неизвестная ошибка"
 
-#: src/utils_tools.c:178
+#: src/utils_tools.c:165
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr "Сбой команды, код %i (%s)."
 
-#: src/utils_tools.c:256
+#: src/utils_tools.c:243
 #, c-format
 msgid "Key slot %i created."
 msgstr "Создан слот ключа %i."
 
-#: src/utils_tools.c:258
+#: src/utils_tools.c:245
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr "Слот ключа %i разблокирован."
 
-#: src/utils_tools.c:260
+#: src/utils_tools.c:247
 #, c-format
 msgid "Key slot %i removed."
 msgstr "Слот ключа %i удалён."
 
-#: src/utils_tools.c:269
+#: src/utils_tools.c:256
 #, c-format
 msgid "Token %i created."
 msgstr "Создан токен %i."
 
-#: src/utils_tools.c:271
+#: src/utils_tools.c:258
 #, c-format
 msgid "Token %i removed."
 msgstr "Токен %i удалён."
 
-#: src/utils_tools.c:281
+#: src/utils_tools.c:268
 msgid "No token could be unlocked with this PIN."
 msgstr "С этим PIN невозможно разблокировать токен."
 
-#: src/utils_tools.c:283
+#: src/utils_tools.c:270
 #, c-format
 msgid "Token %i requires PIN."
 msgstr "Для токена %i требуется PIN."
 
-#: src/utils_tools.c:285
+#: src/utils_tools.c:272
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr "Для токена (тип %s) требуется PIN."
 
-#: src/utils_tools.c:288
+#: src/utils_tools.c:275
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Токен %i невозможно разблокировать назначенным слотом ключа (некорректная парольная фраза для слота ключа)."
 
-#: src/utils_tools.c:290
+#: src/utils_tools.c:277
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Токен (тип %s) невозможно разблокировать назначенным слотом ключа (некорректная парольная фраза для слота ключа)."
 
-#: src/utils_tools.c:293
+#: src/utils_tools.c:280
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr "Для токена %i дополнительно требуется отсутствующий ресурс."
 
-#: src/utils_tools.c:295
+#: src/utils_tools.c:282
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr "Для токена (тип %s) дополнительно требуется отсутствующий ресурс."
 
-#: src/utils_tools.c:298
+#: src/utils_tools.c:285
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr "Не найдено подходящего токена (тип %s)."
 
-#: src/utils_tools.c:300
+#: src/utils_tools.c:287
 msgid "No usable token is available."
 msgstr "Не найдено подходящего токена."
 
-#: src/utils_tools.c:393
+#: src/utils_tools.c:380
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr "Невозможно прочитать файл ключа %s."
 
-#: src/utils_tools.c:398
+#: src/utils_tools.c:385
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Невозможно прочитать %d байт из файл ключа %s."
 
-#: src/utils_tools.c:423
+#: src/utils_tools.c:410
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "Невозможно открыть файл ключа %s для записи."
 
-#: src/utils_tools.c:430
+#: src/utils_tools.c:417
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "Невозможно записать в файл ключа %s."
 
-#: src/utils_progress.c:74
+#: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>м%02<PRIu64>с"
 
-#: src/utils_progress.c:76
+#: src/utils_progress.c:63
 #, c-format
 msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>ч%02<PRIu64>м%02<PRIu64>с"
 
-#: src/utils_progress.c:78
+#: src/utils_progress.c:65
 #, c-format
 msgid "%02<PRIu64> days"
 msgstr "%02<PRIu64> дней"
 
-#: src/utils_progress.c:105 src/utils_progress.c:138
+#: src/utils_progress.c:92 src/utils_progress.c:125
 #, c-format
 msgid "%4<PRIu64> %s written"
 msgstr "%4<PRIu64> %s записано"
 
-#: src/utils_progress.c:109 src/utils_progress.c:142
+#: src/utils_progress.c:96 src/utils_progress.c:129
 #, c-format
 msgid "speed %5.1f %s/s"
 msgstr "скорость %5.1f %s/с"
@@ -3162,7 +3442,7 @@ msgstr "скорость %5.1f %s/с"
 #. to get translated as well. 'eol' is always new-line or empty.
 #. See above.
 #.
-#: src/utils_progress.c:118
+#: src/utils_progress.c:105
 #, c-format
 msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
 msgstr "Ход выполнения: %5.1f%%, ОВЗ %s, %s, %s%s"
@@ -3170,17 +3450,17 @@ msgstr "Ход выполнения: %5.1f%%, ОВЗ %s, %s, %s%s"
 #. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
 #. to get translated as well. See above
 #.
-#: src/utils_progress.c:150
+#: src/utils_progress.c:137
 #, c-format
 msgid "Finished, time %s, %s, %s\n"
 msgstr "Выполнено, время %s, %s, %s\n"
 
-#: src/utils_password.c:41 src/utils_password.c:72
+#: src/utils_password.c:28 src/utils_password.c:59
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr "Невозможно проверить стойкость пароля: %s"
 
-#: src/utils_password.c:49
+#: src/utils_password.c:36
 #, c-format
 msgid ""
 "Password quality check failed:\n"
@@ -3189,63 +3469,63 @@ msgstr ""
 "Ошибка при проверке стойкости пароля:\n"
 " %s"
 
-#: src/utils_password.c:79
+#: src/utils_password.c:66
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Ошибка при проверке стойкости пароля: некорректная парольная фраза (%s)"
 
-#: src/utils_password.c:230 src/utils_password.c:244
+#: src/utils_password.c:221 src/utils_password.c:235
 msgid "Error reading passphrase from terminal."
 msgstr "Ошибка чтения парольной фразы с терминала."
 
-#: src/utils_password.c:242
+#: src/utils_password.c:233
 msgid "Verify passphrase: "
 msgstr "Парольная фраза повторно: "
 
-#: src/utils_password.c:249
+#: src/utils_password.c:240
 msgid "Passphrases do not match."
 msgstr "Парольные фразы не совпадают."
 
-#: src/utils_password.c:287
+#: src/utils_password.c:278
 msgid "Cannot use offset with terminal input."
 msgstr "Невозможно использовать смещение при вводе с терминала."
 
-#: src/utils_password.c:291
+#: src/utils_password.c:282
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Введите парольную фразу: "
 
-#: src/utils_password.c:294
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Введите парольную фразу для %s: "
 
-#: src/utils_password.c:328
+#: src/utils_password.c:319
 msgid "No key available with this passphrase."
 msgstr "Ключ недоступен с этой парольной фразой."
 
-#: src/utils_password.c:330
+#: src/utils_password.c:321
 msgid "No usable keyslot is available."
 msgstr "Не найдено подходящего слота ключа."
 
-#: src/utils_luks.c:67
+#: src/utils_luks.c:55
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Невозможно проверить парольную фразу не с входных tty."
 
-#: src/utils_luks.c:182
+#: src/utils_luks.c:173
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Ошибка при открытии файла %s в режиме только для чтения."
 
-#: src/utils_luks.c:195
+#: src/utils_luks.c:186
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Укажите корректный токен LUKS2 в формате JSON:\n"
 
-#: src/utils_luks.c:202
+#: src/utils_luks.c:193
 msgid "Failed to read JSON file."
 msgstr "Ошибка чтения файла JSON."
 
-#: src/utils_luks.c:207
+#: src/utils_luks.c:198
 msgid ""
 "\n"
 "Read interrupted."
@@ -3253,12 +3533,12 @@ msgstr ""
 "\n"
 "Чтение прервано."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:239
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Ошибка при открытии файла %s в режиме записи."
 
-#: src/utils_luks.c:257
+#: src/utils_luks.c:248
 msgid ""
 "\n"
 "Write interrupted."
@@ -3266,26 +3546,26 @@ msgstr ""
 "\n"
 "Запись прервана."
 
-#: src/utils_luks.c:261
+#: src/utils_luks.c:252
 msgid "Failed to write JSON file."
 msgstr "Ошибка записи в файл JSON."
 
-#: src/utils_reencrypt.c:120
+#: src/utils_reencrypt.c:107
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Автоматически обнаруженное активное устройство dm «%s» для устройства данных %s.\n"
 
-#: src/utils_reencrypt.c:124
+#: src/utils_reencrypt.c:111
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Не удалось автоматически обнаружить держателей устройства %s."
 
-#: src/utils_reencrypt.c:130
+#: src/utils_reencrypt.c:117
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Устройство %s не является блочным.\n"
 
-#: src/utils_reencrypt.c:132
+#: src/utils_reencrypt.c:119
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3298,7 +3578,7 @@ msgstr ""
 "Это может привести к потере данных, если устройство всё же активно.\n"
 "Для запуска перешифрования в оперативном режиме укажите параметр --active-name.\n"
 
-#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274
+#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3308,41 +3588,45 @@ msgstr ""
 "оно или нет. Используйте --force-offline-reencrypt чтобы пропустить проверку и\n"
 "запустить отложенный режим (опасно!)."
 
-#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221
-#: src/utils_reencrypt.c:231
+#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:218
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Запрошенный параметр --resilience не может быть применён к текущей операции перешифрования."
 
-#: src/utils_reencrypt.c:203
+#: src/utils_reencrypt.c:190
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Устройство зашифровывается не в LUKS2. Конфликт с параметром --encrypt."
 
-#: src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:195
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Устройство расшифровывается не в LUKS2. Конфликт с параметром --dencrypt."
 
-#: src/utils_reencrypt.c:215
+#: src/utils_reencrypt.c:202
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Устройство перешифровывается с использованием устойчивости datashift. Запрошенный параметр --resilience не может быть применён."
 
-#: src/utils_reencrypt.c:293
+#: src/utils_reencrypt.c:280
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Устройству требуется восстановление перешифрования. Сначала запустите ремонт."
 
-#: src/utils_reencrypt.c:307
+#: src/utils_reencrypt.c:294
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Устройство %s уже в режиме перешифрования LUKS2. Хотите продолжить предыдущую операцию инициализации?"
 
-#: src/utils_reencrypt.c:353
+#: src/utils_reencrypt.c:403
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Устаревшее перешифрование LUKS2 больше не поддерживается."
 
-#: src/utils_reencrypt.c:418
+#: src/utils_reencrypt.c:408
+msgid "Can not reencrypt LUKS2 device configured to use OPAL."
+msgstr "Невозможно перешифровать устройство LUKS2, когда оно использует OPAL."
+
+#: src/utils_reencrypt.c:414
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Перешифрование устройства с профилем целостности не поддерживается."
 
-#: src/utils_reencrypt.c:449
+#: src/utils_reencrypt.c:451
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3351,103 +3635,103 @@ msgstr ""
 "Запрошенный --sector-size %<PRIu32> несовместим с суперблоком %s\n"
 "(размер блока: %<PRIu32> байт), который обнаружен на устройстве %s."
 
-#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391
+#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Шифрование без отсоединённого заголовка (--header) невозможно без сокращения размера устройства данных (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:525
+#: src/utils_reencrypt.c:527
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Запрошенное смещение данных должно быть меньше или равно половине значения параметра --reduce-device-size."
 
-#: src/utils_reencrypt.c:535
+#: src/utils_reencrypt.c:537
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Подгоняется значение --reduce-device-size под двукратный размер --offset %<PRIu64> (секторов).\n"
 
-#: src/utils_reencrypt.c:565
+#: src/utils_reencrypt.c:567
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Временный файл заголовка %s уже существует. Прекращение работы."
 
-#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574
+#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Невозможно создать временный файл заголовка %s."
 
-#: src/utils_reencrypt.c:599
+#: src/utils_reencrypt.c:601
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Размер метаданных LUKS2 больше значения сдвига данных."
 
-#: src/utils_reencrypt.c:636
+#: src/utils_reencrypt.c:638
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Не удалось поместить новый заголовок в начало устройства %s."
 
-#: src/utils_reencrypt.c:646
+#: src/utils_reencrypt.c:648
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s теперь активен и готов для оперативного шифрования.\n"
 
-#: src/utils_reencrypt.c:682
+#: src/utils_reencrypt.c:684
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Активное устройство %s не является LUKS2."
 
-#: src/utils_reencrypt.c:710
+#: src/utils_reencrypt.c:712
 msgid "Restoring original LUKS2 header."
 msgstr "Восстановление первоначального заголовка LUKS2."
 
-#: src/utils_reencrypt.c:718
+#: src/utils_reencrypt.c:720
 msgid "Original LUKS2 header restore failed."
 msgstr "Не удалось восстановить первоначальный заголовок LUKS2."
 
-#: src/utils_reencrypt.c:744
+#: src/utils_reencrypt.c:752
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Файл заголовка %s не существует. Инициализировать расшифровку LUKS2 с устройства %s и экспортировать заголовок LUKS2 в файл %s?"
 
-#: src/utils_reencrypt.c:792
+#: src/utils_reencrypt.c:802
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Не удалось добавить/записать права в экспортируемый файл заголовка."
 
-#: src/utils_reencrypt.c:845
+#: src/utils_reencrypt.c:856
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Ошибка при инициализации перешифрования. Резервный заголовок доступен в %s."
 
-#: src/utils_reencrypt.c:873
+#: src/utils_reencrypt.c:884
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "Расшифровка LUKS2 поддерживается только для устройства с отсоединённым заголовком (смещение данных равно 0)."
 
-#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017
+#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
 msgid "Not enough free keyslots for reencryption."
 msgstr "Для шифрования недостаточно свободных слотов ключей."
 
-#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100
+#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Файл ключа можно использовать только с --key-slot или только при одном активном слоте."
 
-#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147
-#: src/utils_reencrypt_luks1.c:1158
+#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
+#: src/utils_reencrypt_luks1.c:1105
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Введите парольную фразу для слота ключа %d: "
 
-#: src/utils_reencrypt.c:1059
+#: src/utils_reencrypt.c:1070
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Введите парольную фразу для слота ключа %u: "
 
-#: src/utils_reencrypt.c:1111
+#: src/utils_reencrypt.c:1122
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Переходим на алгоритм шифрования данных %s.\n"
 
-#: src/utils_reencrypt.c:1165
+#: src/utils_reencrypt.c:1176
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Параметры сегмента данные не изменились. Перешифрование прервано."
 
-#: src/utils_reencrypt.c:1267
+#: src/utils_reencrypt.c:1278
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3455,8 +3739,8 @@ msgstr ""
 "Увеличение размера сектора шифрования на выключенном устройстве не поддерживается.\n"
 "Сначала включите устройство или используйте параметр --force-offline-reencrypt (опасно!)."
 
-#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726
-#: src/utils_reencrypt_luks1.c:798
+#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
+#: src/utils_reencrypt_luks1.c:761
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3464,236 +3748,236 @@ msgstr ""
 "\n"
 "Перешифрование прервано."
 
-#: src/utils_reencrypt.c:1312
+#: src/utils_reencrypt.c:1323
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Продолжение перешифрования LUKS в принудительном отложенном режиме.\n"
 
-#: src/utils_reencrypt.c:1329
+#: src/utils_reencrypt.c:1346
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Устройство %s содержит повреждённые метаданные LUKS. Прерывание операции."
 
-#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367
+#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Устройство %s уже является устройством LUKS. Прерывание операции."
 
-#: src/utils_reencrypt.c:1373
+#: src/utils_reencrypt.c:1390
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Устройство %s уже находится в режиме перешифрования LUKS. Прерывание операции."
 
-#: src/utils_reencrypt.c:1453
+#: src/utils_reencrypt.c:1473
 msgid "LUKS2 decryption requires --header option."
 msgstr "Для расшифровки LUKS2 требуется параметр --header."
 
-#: src/utils_reencrypt.c:1501
+#: src/utils_reencrypt.c:1521
 msgid "Command requires device as argument."
 msgstr "Для команды требуется в аргументе указать устройство."
 
-#: src/utils_reencrypt.c:1514
+#: src/utils_reencrypt.c:1534
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Конфликтующие версии. Устройство %s использует LUKS1."
 
-#: src/utils_reencrypt.c:1520
+#: src/utils_reencrypt.c:1540
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Конфликтующие версии. Устройство %s в режиме перешифрования LUKS1."
 
-#: src/utils_reencrypt.c:1526
+#: src/utils_reencrypt.c:1546
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Конфликтующие версии. Устройство %s использует LUKS2."
 
-#: src/utils_reencrypt.c:1532
+#: src/utils_reencrypt.c:1552
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Конфликтующие версии. Устройство %s в режиме перешифрования LUKS2."
 
-#: src/utils_reencrypt.c:1538
+#: src/utils_reencrypt.c:1558
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Перешифрование LUKS2 уже инициализировано. Прекращение работы."
 
-#: src/utils_reencrypt.c:1545
+#: src/utils_reencrypt.c:1565
 msgid "Device reencryption not in progress."
 msgstr "Перешифрование устройства в данный момент не выполняется."
 
-#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Невозможно монопольно открыть устройство %s, оно уже используется."
 
-#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
 msgid "Allocation of aligned memory failed."
 msgstr "Не удалось выделить выровненную память."
 
-#: src/utils_reencrypt_luks1.c:150
+#: src/utils_reencrypt_luks1.c:137
 #, c-format
 msgid "Cannot read device %s."
 msgstr "Невозможно прочитать с устройства %s."
 
-#: src/utils_reencrypt_luks1.c:161
+#: src/utils_reencrypt_luks1.c:148
 #, c-format
 msgid "Marking LUKS1 device %s unusable."
 msgstr "Отметка устройства LUKS1 %s бесполезна."
 
-#: src/utils_reencrypt_luks1.c:177
+#: src/utils_reencrypt_luks1.c:164
 #, c-format
 msgid "Cannot write device %s."
 msgstr "Невозможно записать на устройство %s."
 
-#: src/utils_reencrypt_luks1.c:226
+#: src/utils_reencrypt_luks1.c:213
 msgid "Cannot write reencryption log file."
 msgstr "Невозможно записать в файл протокола перешифрования."
 
-#: src/utils_reencrypt_luks1.c:282
+#: src/utils_reencrypt_luks1.c:269
 msgid "Cannot read reencryption log file."
 msgstr "Невозможно прочитать файл протокола перешифрования."
 
-#: src/utils_reencrypt_luks1.c:293
+#: src/utils_reencrypt_luks1.c:280
 msgid "Wrong log format."
 msgstr "Неверный формат журнала."
 
-#: src/utils_reencrypt_luks1.c:320
+#: src/utils_reencrypt_luks1.c:307
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Файл протокола %s существует, подразумевается перешифрование.\n"
 
-#: src/utils_reencrypt_luks1.c:369
+#: src/utils_reencrypt_luks1.c:356
 msgid "Activating temporary device using old LUKS header."
 msgstr "Активируется временное устройство, задействуется старый заголовок LUKS."
 
-#: src/utils_reencrypt_luks1.c:379
+#: src/utils_reencrypt_luks1.c:366
 msgid "Activating temporary device using new LUKS header."
 msgstr "Активируется временное устройство, задействуется новый заголовок LUKS."
 
-#: src/utils_reencrypt_luks1.c:389
+#: src/utils_reencrypt_luks1.c:376
 msgid "Activation of temporary devices failed."
 msgstr "Ошибка при активации временного устройства."
 
-#: src/utils_reencrypt_luks1.c:449
+#: src/utils_reencrypt_luks1.c:436
 msgid "Failed to set data offset."
 msgstr "Не удалось задать смещение данных."
 
-#: src/utils_reencrypt_luks1.c:455
+#: src/utils_reencrypt_luks1.c:442
 msgid "Failed to set metadata size."
 msgstr "Не удалось задать размер метаданных."
 
-#: src/utils_reencrypt_luks1.c:463
+#: src/utils_reencrypt_luks1.c:450
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Создан новый заголовок LUKS для устройства %s."
 
-#: src/utils_reencrypt_luks1.c:500
+#: src/utils_reencrypt_luks1.c:487
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Создана резервная копия заголовка %s для устройства %s."
 
-#: src/utils_reencrypt_luks1.c:556
+#: src/utils_reencrypt_luks1.c:543
 msgid "Creation of LUKS backup headers failed."
 msgstr "Ошибка при создании резервных копий заголовка LUKS."
 
-#: src/utils_reencrypt_luks1.c:685
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Невозможно восстановить заголовок %s устройства %s."
 
-#: src/utils_reencrypt_luks1.c:687
+#: src/utils_reencrypt_luks1.c:674
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Заголовок %s устройства %s восстановлен."
 
-#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
 msgid "Cannot open temporary LUKS device."
 msgstr "Невозможно открыть временное устройство LUKS."
 
-#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
 msgid "Cannot get device size."
 msgstr "Невозможно получить размер устройства."
 
-#: src/utils_reencrypt_luks1.c:968
+#: src/utils_reencrypt_luks1.c:915
 msgid "IO error during reencryption."
 msgstr "Ошибка ввода-вывода при перешифровании."
 
-#: src/utils_reencrypt_luks1.c:998
+#: src/utils_reencrypt_luks1.c:945
 msgid "Provided UUID is invalid."
 msgstr "Указан некорректный UUID."
 
-#: src/utils_reencrypt_luks1.c:1224
+#: src/utils_reencrypt_luks1.c:1171
 msgid "Cannot open reencryption log file."
 msgstr "Невозможно открыть файл протокола перешифрования."
 
-#: src/utils_reencrypt_luks1.c:1230
+#: src/utils_reencrypt_luks1.c:1177
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Расшифровка не выполняется, указанный UUID можно использовать только для возобновления приостановленного процесса расшифровки."
 
-#: src/utils_reencrypt_luks1.c:1286
+#: src/utils_reencrypt_luks1.c:1233
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Перешифрование изменит: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1287
+#: src/utils_reencrypt_luks1.c:1234
 msgid "volume key"
 msgstr "ключ тома"
 
-#: src/utils_reencrypt_luks1.c:1289
+#: src/utils_reencrypt_luks1.c:1236
 msgid "set hash to "
 msgstr "установить хэш равным"
 
-#: src/utils_reencrypt_luks1.c:1290
+#: src/utils_reencrypt_luks1.c:1237
 msgid ", set cipher to "
 msgstr ", установить шифр равным"
 
-#: src/utils_blockdev.c:189
+#: src/utils_blockdev.c:176
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: Устройство %s уже содержит подпись раздела «%s».\n"
 
-#: src/utils_blockdev.c:197
+#: src/utils_blockdev.c:184
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: Устройство %s уже содержит подпись суперблока «%s».\n"
 
-#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344
+#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
 msgid "Failed to initialize device signature probes."
 msgstr "Ошибка при инициализации определения подписей устройства."
 
-#: src/utils_blockdev.c:274
+#: src/utils_blockdev.c:269
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Ошибка выполнения stat для устройства %s."
 
-#: src/utils_blockdev.c:289
+#: src/utils_blockdev.c:284
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Ошибка при открытии файла %s в режиме чтения-записи."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:304
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Существующая подпись раздела «%s» на устройстве %s будет затёрта."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Существующая подпись суперблока «%s» на устройстве %s будет затёрта."
 
-#: src/utils_blockdev.c:313
+#: src/utils_blockdev.c:310
 msgid "Failed to wipe device signature."
 msgstr "Ошибка при затирании подписи устройства."
 
-#: src/utils_blockdev.c:320
+#: src/utils_blockdev.c:317
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Ошибка при определении подписи устройства %s."
 
-#: src/utils_args.c:65
+#: src/utils_args.c:52
 #, c-format
 msgid "Invalid size specification in parameter --%s."
 msgstr "Неправильный формат размера в параметре --%s."
 
-#: src/utils_args.c:125
+#: src/utils_args.c:112
 #, c-format
 msgid "Option --%s is not allowed with %s action."
 msgstr "Параметр --%s не допускается одновременно указывать с действием %s."
@@ -3747,125 +4031,135 @@ msgstr "Путь к файлу ключа на удалённом сервере
 msgid "Path to the SSH key for connecting to the remote server"
 msgstr "Путь к ключу SSH для подключения к удалённому серверу"
 
-#: tokens/ssh/cryptsetup-ssh.c:146
+#: tokens/ssh/cryptsetup-ssh.c:147
+msgid "Path to directory containinig libcryptsetup external tokens"
+msgstr "Путь к каталогу с внешними токенами libcryptsetup"
+
+#: tokens/ssh/cryptsetup-ssh.c:148
 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
 msgstr "Слот ключа, назначаемого токену. Если не указан, то токен будет назначен в первый слот ключа, который соответствует парольной фразе."
 
-#: tokens/ssh/cryptsetup-ssh.c:148
+#: tokens/ssh/cryptsetup-ssh.c:150
 msgid "Generic options:"
 msgstr "Общие параметры:"
 
-#: tokens/ssh/cryptsetup-ssh.c:149
+#: tokens/ssh/cryptsetup-ssh.c:151
 msgid "Shows more detailed error messages"
 msgstr "Показывать подробные сообщения об ошибках"
 
-#: tokens/ssh/cryptsetup-ssh.c:150
+#: tokens/ssh/cryptsetup-ssh.c:152
 msgid "Show debug messages"
 msgstr "Показывать отладочные сообщения"
 
-#: tokens/ssh/cryptsetup-ssh.c:151
+#: tokens/ssh/cryptsetup-ssh.c:153
 msgid "Show debug messages including JSON metadata"
 msgstr "Показывать отладочные сообщения включая метаданные JSON"
 
-#: tokens/ssh/cryptsetup-ssh.c:262
+#: tokens/ssh/cryptsetup-ssh.c:268
 msgid "Failed to open and import private key:\n"
 msgstr "Ошибка при открытии и импорте закрытого ключа:\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:266
+#: tokens/ssh/cryptsetup-ssh.c:272
 msgid "Failed to import private key (password protected?).\n"
 msgstr "Ошибка при импорте закрытого ключа (защищён паролем?).\n"
 
 #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
-#: tokens/ssh/cryptsetup-ssh.c:268
+#: tokens/ssh/cryptsetup-ssh.c:274
 #, c-format
 msgid "%s@%s's password: "
 msgstr "Пароль к %s@%s: "
 
-#: tokens/ssh/cryptsetup-ssh.c:357
+#: tokens/ssh/cryptsetup-ssh.c:363
 #, c-format
 msgid "Failed to parse arguments.\n"
 msgstr "Не удалось разобрать аргументы.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:368
+#: tokens/ssh/cryptsetup-ssh.c:374
 #, c-format
 msgid "An action must be specified\n"
 msgstr "Должно быть указано действие\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:374
+#: tokens/ssh/cryptsetup-ssh.c:380
 #, c-format
 msgid "Device must be specified for '%s' action.\n"
 msgstr "Для действия «%s» должно быть указано устройство.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:379
+#: tokens/ssh/cryptsetup-ssh.c:385
 #, c-format
 msgid "SSH server must be specified for '%s' action.\n"
 msgstr "Для действия «%s» должен быть указан сервер SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:384
+#: tokens/ssh/cryptsetup-ssh.c:390
 #, c-format
 msgid "SSH user must be specified for '%s' action.\n"
 msgstr "Для действия «%s» должен быть указан пользователь сервера SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:389
+#: tokens/ssh/cryptsetup-ssh.c:395
 #, c-format
 msgid "SSH path must be specified for '%s' action.\n"
 msgstr "Для действия «%s» должен быть указан путь на сервере SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:394
+#: tokens/ssh/cryptsetup-ssh.c:400
 #, c-format
 msgid "SSH key path must be specified for '%s' action.\n"
 msgstr "Для действия «%s» должен быть указан путь к ключу сервера SSH.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:401
+#: tokens/ssh/cryptsetup-ssh.c:407
 #, c-format
 msgid "Failed open %s using provided credentials.\n"
 msgstr "Не удалось открыть %s с помощью предоставленных идентификационных данных.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:417
+#: tokens/ssh/cryptsetup-ssh.c:424
 #, c-format
 msgid "Only 'add' action is currently supported by this plugin.\n"
 msgstr "В настоящее время этот модуль поддерживает только действие «add».\n"
 
-#: tokens/ssh/ssh-utils.c:46
+#: tokens/ssh/ssh-utils.c:33
 msgid "Cannot create sftp session: "
 msgstr "Не удалось создать сеанс sftp: "
 
-#: tokens/ssh/ssh-utils.c:53
+#: tokens/ssh/ssh-utils.c:40
 msgid "Cannot init sftp session: "
 msgstr "Не удалось инициализировать сеанс sftp: "
 
-#: tokens/ssh/ssh-utils.c:59
+#: tokens/ssh/ssh-utils.c:46
 msgid "Cannot open sftp session: "
 msgstr "Не удалось открыть сеанс sftp: "
 
-#: tokens/ssh/ssh-utils.c:66
+#: tokens/ssh/ssh-utils.c:53
 msgid "Cannot stat sftp file: "
 msgstr "Не удалось выполнить функцию stat для файла по sftp: "
 
-#: tokens/ssh/ssh-utils.c:74
+#: tokens/ssh/ssh-utils.c:61
 msgid "Not enough memory.\n"
 msgstr "Недостаточно памяти.\n"
 
-#: tokens/ssh/ssh-utils.c:81
+#: tokens/ssh/ssh-utils.c:68
 msgid "Cannot read remote key: "
 msgstr "Не удалось прочитать удалённый ключ: "
 
-#: tokens/ssh/ssh-utils.c:122
+#: tokens/ssh/ssh-utils.c:109
 msgid "Connection failed: "
 msgstr "Сбой подключения: "
 
-#: tokens/ssh/ssh-utils.c:132
+#: tokens/ssh/ssh-utils.c:119
 msgid "Server not known: "
 msgstr "Неизвестный сервер: "
 
-#: tokens/ssh/ssh-utils.c:160
+#: tokens/ssh/ssh-utils.c:147
 msgid "Public key auth method not allowed on host.\n"
 msgstr "Способ аутентификации по открытому ключу запрещён на узле.\n"
 
-#: tokens/ssh/ssh-utils.c:171
+#: tokens/ssh/ssh-utils.c:158
 msgid "Public key authentication error: "
 msgstr "Ошибка при аутентификации по открытому ключу: "
 
+#~ msgid "compiled-in"
+#~ msgstr "скомпилирован"
+
+#~ msgid "disabled"
+#~ msgstr "выключен"
+
 #~ msgid "WARNING: Data offset is outside of currently available data device.\n"
 #~ msgstr "ПРЕДУПРЕЖДЕНИЕ: смещение данных находится за пределами доступного в данный момент устройства данных.\n"
 
@@ -3890,9 +4184,6 @@ msgstr "Ошибка при аутентификации по открытому
 #~ msgid "Failed to disable reencryption requirement flag."
 #~ msgstr "Не удалось выключить флаг требования перешифрования."
 
-#~ msgid "Encryption is supported only for LUKS2 format."
-#~ msgstr "Шифрование поддерживается только для формата LUKS2."
-
 #~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 #~ msgstr "На %s обнаружено устройство LUKS. Хотите снова зашифровать это устройство LUKS?"
 
@@ -3959,9 +4250,6 @@ msgstr "Ошибка при аутентификации по открытому
 #~ msgid "No free token slot."
 #~ msgstr "Нет свободного слота под токен."
 
-#~ msgid "Failed to create builtin token %s."
-#~ msgstr "Ошибка при создании встроенного токена %s."
-
 #~ msgid "Invalid LUKS device type."
 #~ msgstr "Неверный тип устройства LUKS."
 
@@ -4629,9 +4917,6 @@ msgstr "Ошибка при аутентификации по открытому
 #~ msgid "Device %s is too small.\n"
 #~ msgstr "Устройство %s слишком маленькое.\n"
 
-#~ msgid "Device %s already exists.\n"
-#~ msgstr "Устройство %s уже существует.\n"
-
 #~ msgid "Volume %s is not active.\n"
 #~ msgstr "Раздел %s не активен.\n"
 
diff --git a/po/sk.po b/po/sk.po
new file mode 100644
index 0000000..b27260c
--- /dev/null
+++ b/po/sk.po
@@ -0,0 +1,4388 @@
+# Slovak translation of cryptsetup
+# Copyright (C) 2025 Free Software Foundation, Inc.
+# This file is put in the public domain.
+# Marián Haburaj <hajkomajko5@gmail.com>, 2025.
+#
+# hash - hash
+# inline - inline
+# kernel - jadro
+# keyring - zväzok kľúčov
+# keyslot - miesto pre kľúč / miesto s kľúčom
+# log file - protokol
+# offset - odsadenie / miesto / pozícia
+# plain - plain
+# reencryption - prešifrovanie / opätovné šifrovanie
+# volume key - kľúč zväzku
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
+"Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-14 22:18+0100\n"
+"Last-Translator: Marián Haburaj <hajkomajko5@gmail.com>\n"
+"Language-Team: Slovak <sk-i18n@lists.linux.sk>\n"
+"Language: sk\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 3.8\n"
+
+#: lib/libdevmapper.c:419
+msgid "Cannot initialize device-mapper, running as non-root user."
+msgstr "Neviem inicializovať device-mapper, nie som spustený administrátorom."
+
+#: lib/libdevmapper.c:422
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
+msgstr "Neviem inicializovať device-mapper. Je modul jadra dm_mod načítaný?"
+
+#: lib/libdevmapper.c:1125
+msgid "Requested deferred flag is not supported."
+msgstr "Požadovaný príznak odloženia nie je podporovaný."
+
+#: lib/libdevmapper.c:1194
+#, c-format
+msgid "DM-UUID for device %s was truncated."
+msgstr "DM-UUID pre zariadenie %s bolo skrátené."
+
+#: lib/libdevmapper.c:1598
+msgid "Unknown dm target type."
+msgstr "Neznámy typ cieľa dm."
+
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
+msgid "Requested dm-crypt performance options are not supported."
+msgstr "Požadované výkonnostné možnosti dm-crypt nie sú podporované."
+
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
+msgid "Requested dm-verity data corruption handling options are not supported."
+msgstr "Požadované možnosti narábania s poškodenými údajmi dm-verity nie sú podporované."
+
+#: lib/libdevmapper.c:1752
+msgid "Requested dm-verity tasklets option is not supported."
+msgstr "Požadované možnosti taskletu dm-verity nie sú podporované."
+
+#: lib/libdevmapper.c:1764
+msgid "Requested dm-verity FEC options are not supported."
+msgstr "Požadované možnosti FEC dm-verity nie sú podporované."
+
+#: lib/libdevmapper.c:1770
+msgid "Requested data integrity options are not supported."
+msgstr "Požadované možnosti integrity údajov nie sú podporované."
+
+#: lib/libdevmapper.c:1774
+msgid "Requested sector_size option is not supported."
+msgstr "Požadovaná možnosť sector_size nie je podporovaná."
+
+#: lib/libdevmapper.c:1779
+msgid "The device size is not multiple of the requested sector size."
+msgstr "Veľkosť zariadenia nie je násobkom požadovanej veľkosti sektoru."
+
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Požadovaná možnosť integrity_key_size nie je podporovaná."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
+msgid "Requested automatic recalculation of integrity tags is not supported."
+msgstr "Požadované automatické prepočítanie príznakov integrity nie je podporované."
+
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
+msgid "Discard/TRIM is not supported."
+msgstr "Zahadzovanie/TRIM nie je podporované."
+
+#: lib/libdevmapper.c:1808
+msgid "Requested dm-integrity bitmap mode is not supported."
+msgstr "Požadovaný dm-integrity režim bitmapy nie je podporovaný."
+
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Požadovaný dm-integrity režim inline nie je podporovaný."
+
+#: lib/libdevmapper.c:2870
+#, c-format
+msgid "Failed to query dm-%s segment."
+msgstr "Zlyhalo hľadanie segmentu dm-%s."
+
+#: lib/random.c:60
+msgid ""
+"System is out of entropy while generating volume key.\n"
+"Please move mouse or type some text in another window to gather some random events.\n"
+msgstr ""
+"Systému došla entropia počas generovania kľúča zväzku.\n"
+"Prosím pohýbte myšou alebo napíšte nejaký text do iného okna pre nazbieranie náhodných udalostí.\n"
+
+#: lib/random.c:64
+#, c-format
+msgid "Generating key (%d%% done).\n"
+msgstr "Vytváram kľúč (%d %% hotovo)\n"
+
+#: lib/random.c:150
+msgid "Running in FIPS mode."
+msgstr "Bežím v režime FIPS."
+
+#: lib/random.c:156
+msgid "Fatal error during RNG initialisation."
+msgstr "Fatálna chyba počas inicializácie generátoru náhodných čísel."
+
+#: lib/random.c:194
+msgid "Unknown RNG quality requested."
+msgstr "Je požadovaná neznáma kvalita generátoru náhodných čísel."
+
+#: lib/random.c:199
+msgid "Error reading from RNG."
+msgstr "Chyba pri čítaní z generátoru náhodných čísel."
+
+#: lib/setup.c:248
+msgid "OPAL support is disabled in libcryptsetup."
+msgstr "Podpora OPAL je vypnutá v libcryptsetup."
+
+#: lib/setup.c:250
+#, c-format
+msgid "Device %s or kernel does not support OPAL encryption."
+msgstr "Zariadenie %s alebo jadro nepodporuje šifrovanie OPAL."
+
+#: lib/setup.c:266
+msgid "Cannot initialize crypto RNG backend."
+msgstr "Neviem inicializovať implementáciu šifr generátora náhodných čísel."
+
+#: lib/setup.c:272
+msgid "Cannot initialize crypto backend."
+msgstr "Neviem inicializovať implementáciu šifrovania."
+
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
+#, c-format
+msgid "Hash algorithm %s not supported."
+msgstr "Hashovací algoritmus %s nie je podporovaný."
+
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
+#, c-format
+msgid "Key processing error (using hash %s)."
+msgstr "Chyba pri spracovaní kľúča (používa sa hash %s)."
+
+#: lib/setup.c:389 lib/setup.c:426
+msgid "Cannot determine device type. Incompatible activation of device?"
+msgstr "Neviem určiť typ zariadenia. Nekompatibilná aktivácia zariadenia?"
+
+#: lib/setup.c:395 lib/setup.c:4160
+msgid "This operation is supported only for LUKS device."
+msgstr "Táto operácie je podporované len pre LUKS zariadenie."
+
+#: lib/setup.c:432
+msgid "This operation is supported only for LUKS2 device."
+msgstr "Táto operácia je podporovaná len pre LUKS2 zariadenie."
+
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
+msgid "All key slots full."
+msgstr "Všetky miesta pre kľúče sú obsadené."
+
+#: lib/setup.c:500
+#, c-format
+msgid "Key slot %d is invalid, please select between 0 and %d."
+msgstr "Miesto pre kľúč %d je neplatné, prosím vyberte číslo medzi 0 a %d."
+
+#: lib/setup.c:506
+#, c-format
+msgid "Key slot %d is full, please select another one."
+msgstr "Miesto pre kľúč %d je obsadené, prosím vyberte iné."
+
+#: lib/setup.c:531 lib/setup.c:3875
+msgid "Device size is not aligned to device logical block size."
+msgstr "Veľkosť zariadenia nie je zarovnaná na veľkosť logického bloku zariadenia."
+
+#: lib/setup.c:628
+#, c-format
+msgid "Header detected but device %s is too small."
+msgstr "Hlavička bola nájdená, ale zariadenie %s je veľmi malé."
+
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
+msgid "This operation is not supported for this device type."
+msgstr "Táto operácie nie je podporovaná pre tento typ zariadenia."
+
+#: lib/setup.c:674
+msgid "Illegal operation with reencryption in-progress."
+msgstr "Zakázaná operácie počas prešifrovania."
+
+#: lib/setup.c:806
+msgid "Failed to rollback LUKS2 metadata in memory."
+msgstr "Nahradenie pôvodných LUKS2 metadát v pamäti zlyhalo."
+
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
+#, c-format
+msgid "Device %s is not a valid LUKS device."
+msgstr "Zariadenie %s nie je platné LUKS zariadenie."
+
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
+#, c-format
+msgid "Unsupported LUKS version %d."
+msgstr "Nepodporovaná LUKS verzia %d."
+
+#: lib/setup.c:1270
+#, c-format
+msgid "No known cipher specification pattern detected for active device %s."
+msgstr "Žiadna známa špecifikácia šifry nebola nájdená pre aktívne zariadenie %s."
+
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
+#, c-format
+msgid "Device %s is not active."
+msgstr "Zariadenie %s nie je aktívne."
+
+#: lib/setup.c:1532
+#, c-format
+msgid "Underlying device for crypt device %s disappeared."
+msgstr "Zariadenie nižšej úrovne pre šifrované zariadenie %s zmizlo."
+
+#: lib/setup.c:1614
+msgid "Invalid plain crypt parameters."
+msgstr "Neplatné parametre plain šifrovania."
+
+#: lib/setup.c:1619 lib/setup.c:2669
+msgid "Invalid key size."
+msgstr "Neplatná veľkosť kľúča."
+
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
+msgid "UUID is not supported for this crypt type."
+msgstr "UUID nie je podporované pre tento typ šifrovania."
+
+#: lib/setup.c:1629 lib/setup.c:2679
+msgid "Detached metadata device is not supported for this crypt type."
+msgstr "Zariadenie s oddelenými metadátami nie je podporované pre tento typ šifrovania."
+
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
+msgid "Unsupported encryption sector size."
+msgstr "Nepodporovaná veľkosť šifrovaného sektoru."
+
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
+msgid "Device size is not aligned to requested sector size."
+msgstr "Veľkosť zariadenia nie je zarovnaná k vyžadovanej veľkosti sektoru."
+
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
+msgid "Can't format LUKS without device."
+msgstr "Nie je možné formátovať LUKS bez zariadenia."
+
+#: lib/setup.c:1704 lib/setup.c:1956
+#, c-format
+msgid "Zoned device %s cannot be used for LUKS header."
+msgstr "Zónové zariadenie %s nemôže byť použité pre LUKS hlavičku."
+
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
+msgid "Requested data alignment is not compatible with data offset."
+msgstr "Požadované zarovnanie údajov nie je kompatibilné s odsadením údajov."
+
+#: lib/setup.c:1751 lib/setup.c:1981
+msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
+msgstr "VAROVANIE: DAX zariadenie môže poškodiť údaje, pretože nezaručuje atomické aktualizácie sektorov.\n"
+
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
+#, c-format
+msgid "Cannot wipe header on device %s."
+msgstr "Hlavička na zariadení %s nejde vymazať."
+
+#: lib/setup.c:1802 lib/setup.c:2161
+#, c-format
+msgid "Device %s is too small for activation, there is no remaining space for data.\n"
+msgstr "Zariadenie %s je príliš malé pre aktiváciu, nie je tam žiadne zvyšné miesto pre údaje.\n"
+
+#: lib/setup.c:1843
+msgid "Volume key is too small for encryption with integrity extensions."
+msgstr "Kľúč zväzku je príliš malý na šifrovanie s rozšíreniami pre integritu."
+
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Veľkosť kľúča integrity je príliš malá."
+
+#: lib/setup.c:1856
+#, c-format
+msgid "Cipher %s-%s (key size %zd bits) is not available."
+msgstr "Šifra %s-%s (veľkosť kľúča %zd bitov) nie je dostupná."
+
+#: lib/setup.c:1897
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr "VAROVANIE: Aktivácia zariadenia zlyhá, dm-crypt nepodporuje vyžadovanú veľkosť šifrovaného sektoru.\n"
+
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
+#, c-format
+msgid "Device %s is too small."
+msgstr "Zariadenie %s je príliš malé."
+
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
+#, c-format
+msgid "Cannot format device %s in use."
+msgstr "Nedá sa naformátovať používané zariadenie %s."
+
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
+#, c-format
+msgid "Cannot format device %s, permission denied."
+msgstr "Prístup odmietnutý, nedá sa naformátovať zariadenie %s."
+
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
+#, c-format
+msgid "Cannot format integrity for device %s."
+msgstr "Pre zariadenie %s sa nedá formátovať integrita."
+
+#: lib/setup.c:2148 lib/setup.c:2626
+#, c-format
+msgid "Cannot format device %s."
+msgstr "Nedá sa formátovať zariadenie %s."
+
+#: lib/setup.c:2191
+msgid "Cannot get OPAL alignment parameters."
+msgstr "Nedajú sa získať parametre zarovnania OPAL."
+
+#: lib/setup.c:2203
+msgid "Bogus OPAL logical block size."
+msgstr "Neplatná veľkosť logického bloku OPAL."
+
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
+msgid "Bogus OPAL logical block size differs from device block size."
+msgstr "Neplatná veľkosť logického bloku OPAL sa líši od veľkosti bloku zariadenia."
+
+#: lib/setup.c:2214
+msgid "Requested data offset is not compatible with OPAL block size."
+msgstr "Požadované odsadenie údajov nie je kompatibilné s veľkosťou bloku OPAL."
+
+#: lib/setup.c:2221
+msgid "Requested data alignment is not compatible with OPAL alignment."
+msgstr "Požadované zarovnanie údajov nie je kompatibilné so zarovnaním OPAL."
+
+#: lib/setup.c:2241
+msgid "Data offset does not satisfy OPAL alignment requirements."
+msgstr "Odsadenie údajov nespĺňa požiadavky zarovnania OPAL."
+
+#: lib/setup.c:2254
+msgid "Requested data alignment does not satisfy locking range alignment requirements."
+msgstr "Požadované zarovnanie údajov nespĺňa požiadavky na zarovnanie uzamykateľnej oblasti."
+
+#: lib/setup.c:2468
+#, c-format
+msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
+msgstr "Kompenzovanie veľkosti zariadenia o %<PRIu64> sektorov na jeho zarovnanie s granualitou zarovnania OPAL."
+
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
+#, c-format
+msgid "Failed to acquire OPAL lock on device %s."
+msgstr "Zlyhalo získanie zámku OPAL na zariadení %s."
+
+#: lib/setup.c:2538
+msgid "Incorrect OPAL Admin key."
+msgstr "Nesprávny kľúč správcu OPAL."
+
+#: lib/setup.c:2540
+msgid "Cannot setup OPAL segment."
+msgstr "Nedá sa nastaviť segment OPAL."
+
+#: lib/setup.c:2622
+#, c-format
+msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
+msgstr "Nedá sa formátovať zariadenie %s, zariadenie OPAL sa teraz zdá byť úplne chránené voči zápisu."
+
+#: lib/setup.c:2624
+msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
+msgstr "Toto je možno chyba vo firmvéri. Spustite resetovanie OPAL PSID a znova sa pripojte pre obnovu."
+
+#: lib/setup.c:2644
+#, c-format
+msgid "Locking range %d reset on device %s failed."
+msgstr "Reset uzamykateľnej oblasti %d na zariadení %s zlyhal."
+
+#: lib/setup.c:2664
+msgid "Can't format LOOPAES without device."
+msgstr "Nie je možné formátovať LOOPAES bez zariadenia."
+
+#: lib/setup.c:2709
+msgid "Can't format VERITY without device."
+msgstr "Nie je možné formátovať VERITY bez zariadenia."
+
+#: lib/setup.c:2720 lib/verity/verity.c:88
+#, c-format
+msgid "Unsupported VERITY hash type %d."
+msgstr "Nepodporovaný typ hashu VERITY %d."
+
+#: lib/setup.c:2726 lib/verity/verity.c:96
+msgid "Unsupported VERITY block size."
+msgstr "Nepodporovaná veľkosť bloku VERITY."
+
+#: lib/setup.c:2731 lib/verity/verity.c:61
+msgid "Unsupported VERITY hash offset."
+msgstr "Nepodporované odsadenie hashu VERITY."
+
+#: lib/setup.c:2736
+msgid "Unsupported VERITY FEC offset."
+msgstr "Nepodporované odsadenie VERITY FEC."
+
+#: lib/setup.c:2760
+msgid "Data area overlaps with hash area."
+msgstr "Oblasť údajov presahuje do oblasti hashu."
+
+#: lib/setup.c:2785
+msgid "Hash area overlaps with FEC area."
+msgstr "Oblasť hashu presahuje do oblasti FEC."
+
+#: lib/setup.c:2792
+msgid "Data area overlaps with FEC area."
+msgstr "Oblasť údajov presahuje do oblasti FEC."
+
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Nesúlad vo veľkosti kľúča integrity."
+
+#: lib/setup.c:2935
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "VAROVANIE: Požadovaná veľkosť príznaku %d bajtov sa líši od %s veľkosti výstupu (%d bajtov).\n"
+
+#: lib/setup.c:3048 lib/setup.c:3150
+#, c-format
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Vyžadovaný neznámy alebo nepodporovaný typ šifrovaného zariadenia %s."
+
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Zariadenie %s neposkytuje dátové polia pre inline integritu."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Veľkosť príznaku inline %<PRIu32> [bajtov] je väčšia ako %<PRIu32> poskytnutá zariadením %s."
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Sektor musí byť rovnaký ako hardvérový sektor zariadenia (%zu bajtov)."
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
+#, c-format
+msgid "Unsupported parameters on device %s."
+msgstr "Nepodporované parametre na zariadení %s."
+
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
+#, c-format
+msgid "Mismatching parameters on device %s."
+msgstr "Neodpovedajúce parametre na zariadení %s."
+
+#: lib/setup.c:3647
+msgid "Crypt devices mismatch."
+msgstr "Nesúlad v šifrovaných zariadeniach."
+
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
+#, c-format
+msgid "Failed to reload device %s."
+msgstr "Nepodarilo sa znovu načítať zariadenie %s."
+
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
+#, c-format
+msgid "Failed to suspend device %s."
+msgstr "Zlyhalo pozastavenie zariadenia %s."
+
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
+#, c-format
+msgid "Failed to resume device %s."
+msgstr "Zlyhalo prebudenie zariadenia %s."
+
+#: lib/setup.c:3717
+#, c-format
+msgid "Fatal error while reloading device %s (on top of device %s)."
+msgstr "Fatálna chyba počas opätovného načítavania zariadenia %s (nad zariadením %s)."
+
+#: lib/setup.c:3720 lib/setup.c:3722
+#, c-format
+msgid "Failed to switch device %s to dm-error."
+msgstr "Zlyhalo prepnutie zariadenia %s na dm-error."
+
+#: lib/setup.c:3765
+msgid "Can not resize LUKS2 device with static size."
+msgstr "Nedá sa zmeniť veľkosť LUKS2 zariadenia so statickou veľkosťou."
+
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Zmena veľkosti zariadenia s ochranou integrity nie je podporovaná."
+
+#: lib/setup.c:3816
+msgid "Cannot resize loop device."
+msgstr "Nie je možné zmeniť veľkosť loop zariadenia."
+
+#: lib/setup.c:3860
+msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
+msgstr "VAROVANIE: Maximálna veľkosť je už dosiahnutá alebo jadro nepodporuje zmenu veľkosti.\n"
+
+#: lib/setup.c:3926
+msgid "Resize failed, the kernel doesn't support it."
+msgstr "Zmena veľkosti zlyhala, jadro toto nepodporuje."
+
+#: lib/setup.c:3958
+msgid "Do you really want to change UUID of device?"
+msgstr "Naozaj chcete zmeniť UUID zariadenia?"
+
+#: lib/setup.c:4050
+msgid "Header backup file does not contain compatible LUKS header."
+msgstr "Záložný súbor s hlavičkou neobsahuje kompatibilnú LUKS hlavičku."
+
+#: lib/setup.c:4143
+#, c-format
+msgid "Volume %s is not active."
+msgstr "Zväzok %s nie je aktívny."
+
+#: lib/setup.c:4198
+#, c-format
+msgid "Volume %s is already suspended."
+msgstr "Zväzok %s už je pozastavený."
+
+#: lib/setup.c:4224
+#, c-format
+msgid "Suspend is not supported for device %s."
+msgstr "Pozastavenie nie je podporované pre zariadenie %s."
+
+#: lib/setup.c:4226 lib/setup.c:4234
+#, c-format
+msgid "Error during suspending device %s."
+msgstr "Chyba počas pozastavovania zariadenia %s."
+
+#: lib/setup.c:4249
+#, c-format
+msgid "Device %s was suspended but hardware OPAL device cannot be locked."
+msgstr "Zariadenie %s bolo pozastavené, ale hardvérové zariadenie OPAL nemôže byť uzamknuté."
+
+#: lib/setup.c:4280 lib/setup.c:4457
+#, c-format
+msgid "Resume is not supported for device %s."
+msgstr "Prebudenie nie je podporované pre zariadenie %s."
+
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
+#, c-format
+msgid "Error during resuming device %s."
+msgstr "Chyba počas prebúdzania zariadenia %s."
+
+#: lib/setup.c:4301
+msgid "Failed to unlink volume key from user specified keyring."
+msgstr "Zlyhalo odpojenie kľúča zväzku od používateľom zadaného zväzku kľúčov."
+
+#: lib/setup.c:4423 lib/setup.c:5592
+msgid "Failed to link volume key in user defined keyring."
+msgstr "Zlyhalo pripojenie kľúča zväzku do používateľom zadaného zväzku kľúčov."
+
+#: lib/setup.c:4521 src/cryptsetup.c:2723
+#, c-format
+msgid "Volume %s is not suspended."
+msgstr "Zväzok %s nie je pozastavený."
+
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
+msgid "Volume key does not match the volume."
+msgstr "Kľúč zväzku nezodpovedá zväzku."
+
+#: lib/setup.c:4776
+msgid "Failed to swap new key slot."
+msgstr "Zlyhala výmena nového miesta pre kľúč."
+
+#: lib/setup.c:4874
+#, c-format
+msgid "Key slot %d is invalid."
+msgstr "Miesto pre kľúč %d je neplatné."
+
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
+#, c-format
+msgid "Keyslot %d is not active."
+msgstr "Miesto pre kľúč %d nie je aktívne."
+
+#: lib/setup.c:4899
+msgid "Device header overlaps with data area."
+msgstr "Hlavička zariadenia zasahuje do oblasti údajov."
+
+#: lib/setup.c:5120
+msgid "Reencryption in-progress. Cannot activate device."
+msgstr "Prebieha prešifrovanie. Nie je možné aktivovať zariadenie."
+
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
+msgid "Failed to get reencryption lock."
+msgstr "Zlyhalo získanie zámku pre prešifrovanie."
+
+#: lib/setup.c:5144
+msgid "LUKS2 reencryption recovery using volume key(s) failed."
+msgstr "Obnova prešifrovaním LUKS2 s použitím kľúču(ov) zväzku zlyhala."
+
+#: lib/setup.c:5280
+#, c-format
+msgid "Device %s already exists."
+msgstr "Zariadenie %s už existuje."
+
+#: lib/setup.c:5287
+#, c-format
+msgid "Cannot use device %s, name is invalid or still in use."
+msgstr "Nie je možné použiť zariadenie %s, názov je neplatný alebo sa stále používa."
+
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Kľúče zväzku na prešifrovanie sa líšia od zväzku."
+
+#: lib/setup.c:5316
+msgid "Incorrect volume key specified for plain device."
+msgstr "Zadaný nesprávny kľúč zväzku pre plain zariadenie."
+
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "Typ zariadenia nie je riadne inicializovaný."
+
+#: lib/setup.c:5441
+msgid "Kernel keyring is not supported by the kernel."
+msgstr "Zväzok kľúčov jadra nie je jadrom podporovaný."
+
+#: lib/setup.c:5445
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Zväzok kľúčov jadra chýba: vyžadované pre odovzdanie podpisu jadru."
+
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Nedá sa použiť kľúč %s zo zväzku kľúčov."
+
+#: lib/setup.c:5713
+msgid "Incorrect root hash specified for verity device."
+msgstr "Nesprávny koreňový hash zadaný pre verity zariadenie."
+
+#: lib/setup.c:5754 lib/setup.c:5779
+msgid "OPAL does not support deferred deactivation."
+msgstr "OPAL nepodporuje odloženú deaktiváciu."
+
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
+#, c-format
+msgid "Device %s is still in use."
+msgstr "Zariadenie %s sa stále používa."
+
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Nedá sa zrušiť odložené odstránenie zo zariadenia %s."
+
+#: lib/setup.c:5809
+#, c-format
+msgid "Invalid device %s."
+msgstr "Neplatné zariadenie %s."
+
+#: lib/setup.c:5956
+msgid "Volume key buffer too small."
+msgstr "Vyhradená pamäť pre kľúč zväzku je príliš malá."
+
+#: lib/setup.c:5967
+msgid "Cannot retrieve volume key for LUKS2 device."
+msgstr "Nedá sa získať kľúč zväzku pre LUKS2 zariadenie."
+
+#: lib/setup.c:5976
+msgid "Cannot retrieve volume key for LUKS1 device."
+msgstr "Nedá sa získať kľúč zväzku pre LUKS1 zariadenie."
+
+#: lib/setup.c:5990
+msgid "Cannot retrieve volume key for plain device."
+msgstr "Nedá sa získať kľúč zväzku pre plain zariadenie."
+
+#: lib/setup.c:5998
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Nedá sa získať koreňový hash pre verity zariadenie."
+
+#: lib/setup.c:6007
+msgid "Cannot retrieve volume key for BITLK device."
+msgstr "Nedá sa získať kľúč zväzku pre BITLK zariadenie."
+
+#: lib/setup.c:6012
+msgid "Cannot retrieve volume key for FVAULT2 device."
+msgstr "Nedá sa získať kľúč zväzku pre FVAULT2 zariadenie."
+
+#: lib/setup.c:6014
+#, c-format
+msgid "This operation is not supported for %s crypt device."
+msgstr "Táto operácia nie je podporovaná pre %s šifrované zariadenie."
+
+#: lib/setup.c:6199 lib/setup.c:6210
+msgid "Dump operation is not supported for this device type."
+msgstr "Operácia výpisu nie je podporovaná pre tento typ zariadenia."
+
+#: lib/setup.c:6590
+#, c-format
+msgid "Data offset is not multiple of %u bytes."
+msgstr "Odsadenie údajov nie je násobkom %u bajtov."
+
+#: lib/setup.c:6898
+#, c-format
+msgid "Cannot convert device %s which is still in use."
+msgstr "Nedá sa konvertovať zariadenie %s, ktoré sa stále používa."
+
+#: lib/setup.c:7206 lib/setup.c:7350
+#, c-format
+msgid "Failed to assign keyslot %u as the new volume key."
+msgstr "Za nový kľúč zväzku sa nepodarilo priradiť miesto s kľúčom %u."
+
+#: lib/setup.c:7230
+msgid "Failed to initialize default LUKS2 keyslot parameters."
+msgstr "Zlyhala inicializácia predvolených parametrov LUKS2 miesta na kľúč."
+
+#: lib/setup.c:7236
+#, c-format
+msgid "Failed to assign keyslot %d to digest."
+msgstr "Zlyhalo priradenie miesta pre kľúč %d k otlačku (digest)."
+
+#: lib/setup.c:7467
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
+msgstr "Nedá sa pridať miesto pre kľúč, všetky miesta sú vypnuté a nie je poskytnutý žiaden kľúč zväzku."
+
+#: lib/setup.c:7540 lib/verity/verity.c:333
+msgid "Failed to load key in kernel keyring."
+msgstr "Zlyhalo načítanie kľúča zo zväzku kľúčov jadra."
+
+#: lib/setup.c:7731
+#, c-format
+msgid "Could not find keyring described by \"%s\"."
+msgstr "Nedá sa nájsť zväzok kľúčov opísaný podľa \"%s\"."
+
+#: lib/setup.c:7796
+msgid "Failed to acquire global memory-hard access serialization lock."
+msgstr "Zlyhalo získanie zámku pre tvrdý prístup ku globálnej pamäti."
+
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
+msgid "Failed to open key file."
+msgstr "Zlyhalo otvorenie súboru s kľúčom."
+
+#: lib/utils.c:212
+msgid "Cannot read keyfile from a terminal."
+msgstr "Nedá sa prečítať súbor s kľúčom z terminálu."
+
+#: lib/utils.c:228
+msgid "Failed to stat key file."
+msgstr "Nepodarilo sa získať informácie o súbore s kľúčom."
+
+#: lib/utils.c:236 lib/utils.c:257
+msgid "Cannot seek to requested keyfile offset."
+msgstr "Nedá sa posunúť na požadované miesto v súbore s kľúčom."
+
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
+msgid "Out of memory while reading passphrase."
+msgstr "Počas čítania hesla došla pamäť."
+
+#: lib/utils.c:286
+msgid "Error reading passphrase."
+msgstr "Chyba pri čítaní hesla."
+
+#: lib/utils.c:303
+msgid "Nothing to read on input."
+msgstr "Na vstupe nie je nič na prečítanie."
+
+#: lib/utils.c:310
+msgid "Maximum keyfile size exceeded."
+msgstr "Maximálna veľkosť súboru s kľúčom presiahnutá."
+
+#: lib/utils.c:315
+msgid "Cannot read requested amount of data."
+msgstr "Nedá sa prečítať požadované množstvo údajov."
+
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
+#, c-format
+msgid "Device %s does not exist or access denied."
+msgstr "Zariadenie %s neexistuje alebo bol prístup odmietnutý."
+
+#: lib/utils_device.c:217
+#, c-format
+msgid "Device %s is not compatible."
+msgstr "Zariadenie %s nie je kompatibilné."
+
+#: lib/utils_device.c:546
+#, c-format
+msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
+msgstr "Ignoruje sa chybná optimálna I/O veľkosť pre zariadenie s údajmi (%u bajtov)."
+
+#: lib/utils_device.c:707
+#, c-format
+msgid "Device %s is too small. Need at least %<PRIu64> bytes."
+msgstr "Zariadenie %s je príliš malé. Potrebuje aspoň %<PRIu64> bajtov."
+
+#: lib/utils_device.c:788
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted)."
+msgstr "Nedá sa použiť zariadenie %s, ktoré sa používa (už je namapované alebo pripojené)."
+
+#: lib/utils_device.c:792
+#, c-format
+msgid "Cannot use device %s, permission denied."
+msgstr "Nedá sa použiť zariadenie %s, prístup odmietnutý."
+
+#: lib/utils_device.c:795
+#, c-format
+msgid "Cannot get info about device %s."
+msgstr "Nedajú sa získať informácie o zariadení %s."
+
+#: lib/utils_device.c:818
+msgid "Cannot use a loopback device, running as non-root user."
+msgstr "Nedá sa použiť zariadenie spätnej slučky, nebežím ako administrátor."
+
+#: lib/utils_device.c:829
+msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
+msgstr "Pripájanie zariadenia spätnej slučky zlyhalo (je požadované zariadenie slučky s príznakom autoclear)."
+
+#: lib/utils_device.c:877
+#, c-format
+msgid "Requested offset is beyond real size of device %s."
+msgstr "Požadovaná pozícia je za hranicami reálnej veľkosti zariadenia %s."
+
+#: lib/utils_device.c:885
+#, c-format
+msgid "Device %s has zero size."
+msgstr "Zariadenie %s má nulovú veľkosť."
+
+#: lib/utils_pbkdf.c:105
+msgid "Requested PBKDF target time cannot be zero."
+msgstr "Požadovaný cieľový čas PBKDF nemôže byť nula."
+
+#: lib/utils_pbkdf.c:111
+#, c-format
+msgid "Unknown PBKDF type %s."
+msgstr "Neznámy typ PBKDF %s."
+
+#: lib/utils_pbkdf.c:116
+#, c-format
+msgid "Requested hash %s is not supported."
+msgstr "Požadovaný hash %s nie je podporovaný."
+
+#: lib/utils_pbkdf.c:127
+msgid "Requested PBKDF type is not supported for LUKS1."
+msgstr "Požadovaný typ PBKDF nie je podporovaný pre LUKS1."
+
+#: lib/utils_pbkdf.c:133
+msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
+msgstr "Pre pbkdf2 nesmie byť nastavená maximálna pamäť PBKDF alebo paralelné vlákna."
+
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
+#, c-format
+msgid "Forced iteration count is too low for %s (minimum is %u)."
+msgstr "Vynútený počet iterácií je príliš nízky pre %s (minimum je %u)."
+
+#: lib/utils_pbkdf.c:153
+#, c-format
+msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
+msgstr "Vynútené náklady na pamäť sú príliš nízke pre %s (minimum je %u kilobajtov)."
+
+#: lib/utils_pbkdf.c:160
+#, c-format
+msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
+msgstr "Požadované maximálne náklady na pamäť PBKDF sú veľmi vysoké (maximum je %d kilobajtov)."
+
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Požadované maximálne náklady na pamäť PBKDF sú veľmi vysoké (limitované max. veľkosťou údajového typu integer)."
+
+#: lib/utils_pbkdf.c:169
+msgid "Requested maximum PBKDF memory cannot be zero."
+msgstr "Požadovaná maximálna pamäť PBKDF nemôže byť nula."
+
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Požadovaný maximálny počet paralelných vlákien PBKDF je veľmi vysoký (maximum je %d)."
+
+#: lib/utils_pbkdf.c:178
+msgid "Requested PBKDF parallel threads cannot be zero."
+msgstr "Požadovaný počet paralelných vlákien PBKDF nemôže byť nula."
+
+#: lib/utils_pbkdf.c:198
+msgid "Only PBKDF2 is supported in FIPS mode."
+msgstr "Iba PBKDF2 je podporavané v režime FIPS."
+
+#: lib/utils_benchmark.c:171
+msgid "PBKDF benchmark disabled but iterations not set."
+msgstr "Porovnanie výkonov PBKDF je vypnuté, ale iterácie nie sú nastavené."
+
+#: lib/utils_benchmark.c:190
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
+msgstr "Nekompatibilná možnosť PBKDF2 (používa sa hash algoritmus %s)."
+
+#: lib/utils_benchmark.c:210
+msgid "Not compatible PBKDF options."
+msgstr "Nekompatibilná možnosť PBKDF."
+
+#: lib/utils_device_locking.c:88
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
+msgstr "Zamykanie zrušené. Cesta na zamykanie %s/%s je nepoužiteľná (nie je to priečinok alebo neexistuje)."
+
+#: lib/utils_device_locking.c:105
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
+msgstr "Zamykanie zrušené. Cesta na zamykanie %s/%s je nepoužiteľná (%s nie je priečinok)."
+
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
+msgid "Cannot seek to device offset."
+msgstr "Nedá sa posunúť na pozíciu v zariadení."
+
+#: lib/utils_wipe.c:240
+#, c-format
+msgid "Device wipe error, offset %<PRIu64>."
+msgstr "Chyba pri mazaní zariadenia, pozícia %<PRIu64>."
+
+#: lib/utils_wipe.c:332
+msgid "Incorrect OPAL PSID."
+msgstr "Nesprávne OPAL PSID."
+
+#: lib/utils_wipe.c:334
+msgid "Cannot erase OPAL device."
+msgstr "Nedá sa vymazať zariadenie OPAL."
+
+#: lib/luks1/keyencryption.c:27
+#, c-format
+msgid ""
+"Failed to setup dm-crypt key mapping for device %s.\n"
+"Check that kernel supports %s cipher (check syslog for more info)."
+msgstr ""
+"Zlyhalo nastavenie mapovania kľúča dm-crypt pre zariadenie %s.\n"
+"Skontrolujte, či jadro podporuje šifru %s (pozri syslog pre viac informácií)."
+
+#: lib/luks1/keyencryption.c:32
+msgid "Key size in XTS mode must be 256 or 512 bits."
+msgstr "Veľkosť kľúča v režime XTS musí byť 256 alebo 512 bitov."
+
+#: lib/luks1/keyencryption.c:34
+msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
+msgstr "Špecifikácia šifry musí byť vo formáte [šifra]-[režim]-[iv]."
+
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
+#, c-format
+msgid "Cannot write to device %s, permission denied."
+msgstr "Nemožno zapisovať na zariadenie %s, prístup odmietnutý."
+
+#: lib/luks1/keyencryption.c:108
+msgid "Failed to open temporary keystore device."
+msgstr "Zlyhalo otvorenie dočasného zariadenia s úložiskom kľúča."
+
+#: lib/luks1/keyencryption.c:115
+msgid "Failed to access temporary keystore device."
+msgstr "Zlyhal prístup k dočasnému zariadeniu s úložiskom kľúča."
+
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
+msgid "IO error while encrypting keyslot."
+msgstr "Chyba vstupu/výstupu počas šifrovania miesta pre kľúč."
+
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
+#: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
+#: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
+#: src/utils_reencrypt_luks1.c:120
+#, c-format
+msgid "Cannot open device %s."
+msgstr "Nedá sa otvoriť zariadenie %s."
+
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
+msgid "IO error while decrypting keyslot."
+msgstr "Chyba vstupu/výstupu počas dešifrovania miesta pre kľúč."
+
+#: lib/luks1/keymanage.c:117
+#, c-format
+msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
+msgstr "Zariadenie %s je príliš malé. (LUKS1 požaduje aspoň %<PRIu64> bajtov.)"
+
+#: lib/luks1/keymanage.c:138 lib/luks1/keymanage.c:146
+#: lib/luks1/keymanage.c:158 lib/luks1/keymanage.c:169
+#: lib/luks1/keymanage.c:181
+#, c-format
+msgid "LUKS keyslot %u is invalid."
+msgstr "LUKS miesto pre kľúč %u je neplatné."
+
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
+#, c-format
+msgid "Requested header backup file %s already exists."
+msgstr "Požadovaný súbor so zálohou hlavičky %s už existuje."
+
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
+#, c-format
+msgid "Cannot create header backup file %s."
+msgstr "Nedá sa vytvoriť súbor so zálohou hlavičky %s."
+
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
+#, c-format
+msgid "Cannot write header backup file %s."
+msgstr "Nedá sa zapísať súbor so zálohou hlavičky %s."
+
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
+msgid "Backup file does not contain valid LUKS header."
+msgstr "Súbor so zálohou neobsahuje platnú LUKS hlavičku."
+
+#: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
+#: lib/luks2/luks2_json_metadata.c:1450
+#, c-format
+msgid "Cannot open header backup file %s."
+msgstr "Nedá sa otvoriť súbor so zálohou hlavičky %s."
+
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
+#, c-format
+msgid "Cannot read header backup file %s."
+msgstr "Nedá sa čítať súbor so zálohou hlavičky %s."
+
+#: lib/luks1/keymanage.c:326
+msgid "Data offset or key size differs on device and backup, restore failed."
+msgstr "Odsadenie údajov alebo veľkosť kľúča sa líši na zariadení a v zálohe, obnova zlyhala."
+
+#: lib/luks1/keymanage.c:334
+#, c-format
+msgid "Device %s %s%s"
+msgstr "Zariadenie %s %s%s"
+
+#: lib/luks1/keymanage.c:335
+msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+msgstr "neobsahuje LUKS hlavičku. Nahradenie hlavičky môže zničiť údaje na tomto zariadení."
+
+#: lib/luks1/keymanage.c:336
+msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+msgstr "už obsahuje LUKS hlavičku. Nahradenie hlavičky zničí existujúce miesta s kľúčmi."
+
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
+msgid ""
+"\n"
+"WARNING: real device header has different UUID than backup!"
+msgstr ""
+"\n"
+"VAROVANIE: hlavička skutočného zariadenia má iné UUID ako záloha!"
+
+#: lib/luks1/keymanage.c:385
+msgid "Non standard key size, manual repair required."
+msgstr "Neštandardná veľkosť kľúča, manuálna oprava je vyžadovaná."
+
+#: lib/luks1/keymanage.c:395
+msgid "Non standard keyslots alignment, manual repair required."
+msgstr "Neštandardné odsadenie miest pre kľúče, manuálna oprava je vyžadovaná."
+
+#: lib/luks1/keymanage.c:404
+#, c-format
+msgid "Cipher mode repaired (%s -> %s)."
+msgstr "Režim šifry opravený (%s -> %s)."
+
+#: lib/luks1/keymanage.c:415
+#, c-format
+msgid "Cipher hash repaired to lowercase (%s)."
+msgstr "Hash šifry opravený na malé písmená (%s)."
+
+#: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
+#: lib/luks1/keymanage.c:777
+#, c-format
+msgid "Requested LUKS hash %s is not supported."
+msgstr "Požadovaný LUKS hash %s nie je podporovaný."
+
+#: lib/luks1/keymanage.c:431
+msgid "Repairing keyslots."
+msgstr "Opravujú sa miesta s kľúčmi."
+
+#: lib/luks1/keymanage.c:450
+#, c-format
+msgid "Keyslot %i: offset repaired (%u -> %u)."
+msgstr "Miesto pre kľúč %i: odsadenie opravené (%u -> %u)."
+
+#: lib/luks1/keymanage.c:458
+#, c-format
+msgid "Keyslot %i: stripes repaired (%u -> %u)."
+msgstr "Miesto pre kľúč %i: počet prúžkov AF opravený (%u -> %u)."
+
+#: lib/luks1/keymanage.c:467
+#, c-format
+msgid "Keyslot %i: bogus partition signature."
+msgstr "Miesto pre kľúč %i: chybný podpis oddielu."
+
+#: lib/luks1/keymanage.c:472
+#, c-format
+msgid "Keyslot %i: salt wiped."
+msgstr "Miesto pre kľúč %i: soľ vymazaná."
+
+#: lib/luks1/keymanage.c:489
+msgid "Writing LUKS header to disk."
+msgstr "Zapisovanie hlavičky LUKS na disk."
+
+#: lib/luks1/keymanage.c:494
+msgid "Repair failed."
+msgstr "Oprava zlyhala."
+
+#: lib/luks1/keymanage.c:549
+#, c-format
+msgid "LUKS cipher mode %s is invalid."
+msgstr "LUKS šifrovací režim %s je neplatný."
+
+#: lib/luks1/keymanage.c:554
+#, c-format
+msgid "LUKS hash %s is invalid."
+msgstr "LUKS hash %s je neplatný."
+
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
+msgid "No known problems detected for LUKS header."
+msgstr "Žiadne známe problémy neboli zistené pre hlavičku LUKS."
+
+#: lib/luks1/keymanage.c:689
+#, c-format
+msgid "Error during update of LUKS header on device %s."
+msgstr "Chyba počas aktualizácie hlavičky LUKS na zariadení %s."
+
+#: lib/luks1/keymanage.c:697
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s."
+msgstr "Chyba pri opätovnom čítaní hlavičky LUKS po aktualizácií na zariadení %s."
+
+#: lib/luks1/keymanage.c:771
+msgid "Data offset for LUKS header must be either 0 or higher than header size."
+msgstr "Odsadenie údajov pre LUKS hlavičku musí byť 0 alebo číslo väčšie ako veľkosť hlavičky."
+
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
+msgid "Wrong LUKS UUID format provided."
+msgstr "Poskytnutý nesprávny formát LUKS UUID."
+
+#: lib/luks1/keymanage.c:804
+msgid "Cannot create LUKS header: reading random salt failed."
+msgstr "Nedá sa vytvoriť hlavička LUKS: zlyhalo čítanie náhodnej soli."
+
+#: lib/luks1/keymanage.c:832
+#, c-format
+msgid "Cannot create LUKS header: header digest failed (using hash %s)."
+msgstr "Nedá sa vytvoriť hlavička LUKS: zlyhal otlačok (digest) hlavičky (používa sa hash %s)."
+
+#: lib/luks1/keymanage.c:877
+#, c-format
+msgid "Key slot %d active, purge first."
+msgstr "Miesto pre kľúč %d aktívne, najprv ho vymažte."
+
+#: lib/luks1/keymanage.c:883
+#, c-format
+msgid "Key slot %d material includes too few stripes. Header manipulation?"
+msgstr "Miesto pre kľúč %d obsahuje príliš málo prúžkov. Manipulácia s hlavičkou?"
+
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
+msgid "PBKDF2 iteration value overflow."
+msgstr "PBKDF2 hodnota iterácií pretečená."
+
+#: lib/luks1/keymanage.c:1040
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Nedá sa otvoriť miesto pre kľúč (používa sa hash %s)."
+
+#: lib/luks1/keymanage.c:1136
+#, c-format
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
+msgstr "Miesto pre kľúč %d je neplatné, prosím vyberte miesto pre kľúč medzi 0 a %d."
+
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
+#, c-format
+msgid "Cannot wipe device %s."
+msgstr "Nedá sa vymazať zariadenie %s."
+
+#: lib/loopaes/loopaes.c:140
+msgid "Detected not yet supported GPG encrypted keyfile."
+msgstr "Zaznamenaný ešte nepodporovaný GPG šifrovaný súbor s kľúčom."
+
+#: lib/loopaes/loopaes.c:141
+msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
+msgstr "Prosím použite gpg --decrypt <SÚBOR_S_KĽÚČOM> | cryptsetup --keyfile=-...\n"
+
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
+msgid "Incompatible loop-AES keyfile detected."
+msgstr "Nekompatibilný loop-AES súbor s kľúčom bol zaznamenaný."
+
+#: lib/loopaes/loopaes.c:238
+msgid "Kernel does not support loop-AES compatible mapping."
+msgstr "Jadro nepodporuje mapovanie kompatibilné s loop-AES."
+
+#: lib/tcrypt/tcrypt.c:497
+#, c-format
+msgid "Error reading keyfile %s."
+msgstr "Chyba pri čítaní súboru s kľúčom %s."
+
+#: lib/tcrypt/tcrypt.c:547
+#, c-format
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Maximálna dĺžka TCRYPT hesla (%zu) bola prekročená."
+
+#: lib/tcrypt/tcrypt.c:589
+#, c-format
+msgid "PBKDF2 hash algorithm %s not available, skipping."
+msgstr "PBKDF2 hash algoritmus %s nie je dostupný, vynecháva sa."
+
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
+msgid "Required kernel crypto interface not available."
+msgstr "Vyžadované kryptografické rozhranie jadra nie je dostupné."
+
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
+msgid "Ensure you have algif_skcipher kernel module loaded."
+msgstr "Uistite sa, že máte načítaný modul jadra algif_skcipher."
+
+#: lib/tcrypt/tcrypt.c:752
+#, c-format
+msgid "Activation is not supported for %d sector size."
+msgstr "Aktivácia nie je podporovaná pre veľkosť sektoru %d."
+
+#: lib/tcrypt/tcrypt.c:758
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
+msgstr "Jadro nepodporuje aktiváciu pre tento zastaralý režim TCRYPT."
+
+#: lib/tcrypt/tcrypt.c:813
+#, c-format
+msgid "Activating TCRYPT system encryption for partition %s."
+msgstr "Aktivuje sa TCRYPT systémové šifrovanie pre oddiel %s."
+
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Nedá sa zistiť odsadenie systémového oddielu TCRYPT, aktivuje sa celá šifrovaná oblasť."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Nedá sa zistiť odsadenie systémového oddielu TCRYPT, aktivuje sa zariadenie ako systémový oddiel."
+
+#: lib/tcrypt/tcrypt.c:917
+msgid "Kernel does not support TCRYPT compatible mapping."
+msgstr "Jadro nepodporuje mapovanie kompatibilné s TCRYPT."
+
+#: lib/tcrypt/tcrypt.c:1146
+msgid "This function is not supported without TCRYPT header load."
+msgstr "Táto funkcia nie je podporovaná bez načítania hlavičky TCRYPT."
+
+#: lib/bitlk/bitlk.c:293
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Neočakávaný typ záznamu metadát \"%u\" nájdený počas rozboru podporovaného hlavného kľúča zväzku."
+
+#: lib/bitlk/bitlk.c:351
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Neplatný textový reťazec nájdený počas rozboru hlavného kľúča zväzku."
+
+#: lib/bitlk/bitlk.c:355
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Neočakávaný textový reťazec (\"%s\") nájdený počas rozboru hlavného kľúča zväzku."
+
+#: lib/bitlk/bitlk.c:375
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Neočakávaná hodnota záznamu metadát \"%u\" nájdená počas rozboru podporovaného hlavného kľúča zväzku."
+
+#: lib/bitlk/bitlk.c:528
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK verzia 1 nie je aktuálne podporovaná."
+
+#: lib/bitlk/bitlk.c:534
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Neplatný alebo neznámy podpis zavádzača pre BITLK zariadenie."
+
+#: lib/bitlk/bitlk.c:546
+#, c-format
+msgid "Unsupported sector size %<PRIu16>."
+msgstr "Nepodporovaná veľkosť sektora %<PRIu16>."
+
+#: lib/bitlk/bitlk.c:554
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Zlyhalo čítanie hlavičky BITLK z %s."
+
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "Zlyhalo čítanie alebo overenie kópie metadát BITLK FVE #%d z %s."
+
+#: lib/bitlk/bitlk.c:603
+#, c-format
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "Zlyhalo čítanie alebo overenie metadát BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "Zlyhalo overenie umiestnenia metadát BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "Metadáta BITLK FVE sa zmenili medzi čítaniami z %s."
+
+#: lib/bitlk/bitlk.c:628
+#, c-format
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "Zlyhalo hashovanie metadát BITLK FVE, prečítaných z %s."
+
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "Zlyhal rozbor overovacích metadát BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:695
+msgid "Unknown or unsupported encryption type."
+msgstr "Neznámy alebo nepodporovaný typ šifrovania."
+
+#: lib/bitlk/bitlk.c:733
+#, c-format
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "Zlyhala kontrola záznamov metadát BITLK, ktoré boli prečítané z %s."
+
+#: lib/bitlk/bitlk.c:853
+msgid "Failed to convert BITLK volume description"
+msgstr "Premena popisu BITLK zväzku zlyhala"
+
+#: lib/bitlk/bitlk.c:1018
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing external key."
+msgstr "Neočakávaný typ záznamu metadát \"%u\" nájdený počas rozboru externého kľúča."
+
+#: lib/bitlk/bitlk.c:1041
+#, c-format
+msgid "BEK file GUID '%s' does not match GUID of the volume."
+msgstr "GUID súboru BEK \"%s\" sa nezhoduje s GUID zväzku."
+
+#: lib/bitlk/bitlk.c:1045
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing external key."
+msgstr "Neočakávaná hodnota záznamu metadát \"%u\" nájdená počas rozboru externého kľúča."
+
+#: lib/bitlk/bitlk.c:1084
+#, c-format
+msgid "Unsupported BEK metadata version %<PRIu32>"
+msgstr "Nepodporovaná verzia BEK metadát %<PRIu32>"
+
+#: lib/bitlk/bitlk.c:1089
+#, c-format
+msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
+msgstr "Neočakávaná veľkosť BEK metadát %<PRIu32> sa nezhoduje s veľkosťou BEK súboru"
+
+#: lib/bitlk/bitlk.c:1115
+msgid "Unexpected metadata entry found when parsing startup key."
+msgstr "Neočakávaný záznam metadát nájdený počas rozboru kľúča pri spúšťaní."
+
+#: lib/bitlk/bitlk.c:1218
+msgid "This operation is not supported."
+msgstr "Táto operácia nie je podporovaná."
+
+#: lib/bitlk/bitlk.c:1226
+msgid "Unexpected key data size."
+msgstr "Neočakávaná veľkosť údajov o kľúči."
+
+#: lib/bitlk/bitlk.c:1431
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Toto zariadenie BITLK je v nepodporovanom stave a nemôže byť aktivované."
+
+#: lib/bitlk/bitlk.c:1436
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Zariadenie BITLK s typom \"%s\" nemôže byť aktivované."
+
+#: lib/bitlk/bitlk.c:1475
+#, c-format
+msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
+msgstr "VAROVANIE: Veľkosť zväzku BitLocker %<PRIu64> sa nezhoduje s veľkosťou prislúchajúceho zariadenia %<PRIu64>"
+
+#: lib/bitlk/bitlk.c:1602
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Nedá sa aktivovať zariadenie, jadru dm-crypt chýba podpora pre BITLK IV."
+
+#: lib/bitlk/bitlk.c:1606
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Nedá sa aktivovať zariadenie, jadru dm-crypt chýba podpora pre difuzér BITLK Elephant."
+
+#: lib/bitlk/bitlk.c:1610
+msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
+msgstr "Nedá sa aktivovať zariadenie, jadru dm-crypt chýba podpora pre veľké veľkosti sektorov."
+
+#: lib/bitlk/bitlk.c:1614
+msgid "Cannot activate device, kernel dm-zero module is missing."
+msgstr "Nedá sa aktivovať zariadenie, modul jadra dm-zero chýba."
+
+#: lib/fvault2/fvault2.c:530
+#, c-format
+msgid "Could not read %u bytes of volume header."
+msgstr "Nedá sa prečítať %u bajtov z hlavičky zväzku."
+
+#: lib/fvault2/fvault2.c:542
+#, c-format
+msgid "Unsupported FVAULT2 version %<PRIu16>."
+msgstr "Nepodporovaná FVAULT2 verzia %<PRIu16>."
+
+#: lib/verity/verity.c:55 lib/verity/verity.c:169
+#, c-format
+msgid "Verity device %s does not use on-disk header."
+msgstr "Zariadenie verity %s nepoužíva hlavičku na disku."
+
+#: lib/verity/verity.c:83
+#, c-format
+msgid "Unsupported VERITY version %d."
+msgstr "Nepodporovaná VERITY verzia %d."
+
+#: lib/verity/verity.c:118
+msgid "VERITY header corrupted."
+msgstr "Hlavičky VERITY poškodená."
+
+#: lib/verity/verity.c:163
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s."
+msgstr "Zlý formát VERITY UUID poskytnutý na zariadení %s."
+
+#: lib/verity/verity.c:207
+#, c-format
+msgid "Error during update of verity header on device %s."
+msgstr "Chyba počas aktualizácie hlavičky verity na zariadení %s."
+
+#: lib/verity/verity.c:261
+msgid "Root hash signature verification is not supported."
+msgstr "Overovanie podpisu koreňového hashu nie je podporované."
+
+#: lib/verity/verity.c:266
+msgid "Root hash signature required."
+msgstr "Podpis koreňového hashu vyžadovaný."
+
+#: lib/verity/verity.c:282
+msgid "Errors cannot be repaired with FEC device."
+msgstr "Chyby nemôžu byť opravené vo FEC zariadení."
+
+#: lib/verity/verity.c:284
+#, c-format
+msgid "Found %u repairable errors with FEC device."
+msgstr "Nájdených %u opraviteľných chýb vo FEC zariadení."
+
+#: lib/verity/verity.c:368
+msgid "Kernel does not support dm-verity mapping."
+msgstr "Jadro nepodporuje mapovanie dm-verity."
+
+#: lib/verity/verity.c:372
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Jadro nepodporuje možnosti podpisu dm-verity."
+
+#: lib/verity/verity.c:383
+msgid "Verity device detected corruption after activation."
+msgstr "Verity zariadenie po aktivácií zaznamenalo poškodenie."
+
+#: lib/verity/verity_hash.c:53
+#, c-format
+msgid "Spare area is not zeroed at position %<PRIu64>."
+msgstr "Voľná oblasť nie je vynulovaná na pozícií %<PRIu64>."
+
+#: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
+#: lib/verity/verity_hash.c:298
+msgid "Device offset overflow."
+msgstr "Pretečenie pozície na zariadení."
+
+#: lib/verity/verity_hash.c:205
+#, c-format
+msgid "Verification failed at position %<PRIu64>."
+msgstr "Overovanie zlyhalo na pozícií %<PRIu64>."
+
+#: lib/verity/verity_hash.c:294
+msgid "Hash area overflow."
+msgstr "Pretečenie hash oblasti."
+
+#: lib/verity/verity_hash.c:372
+msgid "Verification of data area failed."
+msgstr "Overovanie oblasti údajov zlyhalo."
+
+#: lib/verity/verity_hash.c:377
+msgid "Verification of root hash failed."
+msgstr "Overovanie koreňového hashu zlyhalo."
+
+#: lib/verity/verity_hash.c:383
+msgid "Input/output error while creating hash area."
+msgstr "Chyba na vstupe/výstupe počas vytvárania hash oblasti."
+
+#: lib/verity/verity_hash.c:385
+msgid "Creation of hash area failed."
+msgstr "Vytvorenie hash oblasti zlyhalo."
+
+#: lib/verity/verity_hash.c:420
+#, c-format
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
+msgstr "VAROVANIE: Jadro nemôže aktivovať zariadenie, keď veľkosť bloku údajov prekračuje veľkosť stránky (%u)."
+
+#: lib/verity/verity_fec.c:118
+msgid "Failed to allocate RS context."
+msgstr "Zlyhala alokácia kontextu RS."
+
+#: lib/verity/verity_fec.c:136
+msgid "Failed to allocate buffer."
+msgstr "Zlyhala alokácia vyrovnávacej pamäte."
+
+#: lib/verity/verity_fec.c:146
+#, c-format
+msgid "Failed to read RS block %<PRIu64> byte %d."
+msgstr "Zlyhalo čítanie RS bloku %<PRIu64> bajt %d."
+
+#: lib/verity/verity_fec.c:159
+#, c-format
+msgid "Failed to read parity for RS block %<PRIu64>."
+msgstr "Zlyhalo čítanie parity pre RS blok %<PRIu64>."
+
+#: lib/verity/verity_fec.c:167
+#, c-format
+msgid "Failed to repair parity for block %<PRIu64>."
+msgstr "Zlyhalo opravenie parity pre blok %<PRIu64>."
+
+#: lib/verity/verity_fec.c:179
+#, c-format
+msgid "Failed to write parity for RS block %<PRIu64>."
+msgstr "Zlyhal zápis parity pre RS blok %<PRIu64>."
+
+#: lib/verity/verity_fec.c:195
+msgid "Block sizes must match for FEC."
+msgstr "Veľkosti blokov musí zodpovedať FEC."
+
+#: lib/verity/verity_fec.c:201
+msgid "Invalid number of parity bytes."
+msgstr "Neplatný počet bajtov parity."
+
+#: lib/verity/verity_fec.c:235
+msgid "Invalid FEC segment length."
+msgstr "Neplatná dĺžka segmentu FEC."
+
+#: lib/verity/verity_fec.c:303
+#, c-format
+msgid "Failed to determine size for device %s."
+msgstr "Zlyhalo určenie veľkosti zariadenia %s."
+
+#: lib/integrity/integrity.c:50
+#, c-format
+msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
+msgstr "Nekompatibilné metadáta (verzia %u) jadra dm-integrity zachytené na %s."
+
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
+msgid "Kernel does not support dm-integrity mapping."
+msgstr "Jadro nepodporuje mapovanie dm-integrity."
+
+#: lib/integrity/integrity.c:310
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Jadro nepodporuje pevné zarovnanie metadát dm-integrity."
+
+#: lib/integrity/integrity.c:319
+msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
+msgstr "Jadro odmieta aktivovať nezabezpečenú možnosť prepočtu (na prepnutie pozri zastaralé možnosti aktivácie)."
+
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Jadro nepodporuje dm-integrity režim inline."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
+#, c-format
+msgid "Failed to acquire write lock on device %s."
+msgstr "Zlyhalo získanie zámky zápisu na zariadenie %s."
+
+#: lib/luks2/luks2_disk_metadata.c:391
+msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
+msgstr "Zaznamenaný pokus o súbežnú aktualizáciu LUKS2 metadát. Ruší sa operácia."
+
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
+msgid ""
+"Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
+"Please run \"cryptsetup repair\" for recovery."
+msgstr ""
+"Zariadenie obsahuje nejednoznačné podpisy, nedá sa automaticky obnoviť LUKS2.\n"
+"Prosím spustite \"cryptsetup repair\" pre obnovu."
+
+#: lib/luks2/luks2_json_format.c:219
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr "VAROVANIE: oblasť pre kľúče (%<PRIu64> bajtov) je príliš malá, dostupné množstvo miest pre kľúče LUKS2 je veľmi limitované.\n"
+
+#: lib/luks2/luks2_json_format.c:418
+msgid "Requested data offset is too small."
+msgstr "Požadovaná pozícia údajov je príliš malá."
+
+#: lib/luks2/luks2_json_format.c:459
+#, c-format
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr "VAROVANIE: veľkosť LUKS2 metadát sa zmenila na %<PRIu64> bajtov.\n"
+
+#: lib/luks2/luks2_json_format.c:463
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr "VAROVANIE: veľkosť LUKS2 oblasti pre kľúče sa zmenila na %<PRIu64> bajtov.\n"
+
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
+#, c-format
+msgid "Failed to acquire read lock on device %s."
+msgstr "Zlyhalo získanie zámku čítania na zariadení %s."
+
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "Menovka je príliš dlhá."
+
+#: lib/luks2/luks2_json_metadata.c:1435
+#, c-format
+msgid "Forbidden LUKS2 requirements detected in backup %s."
+msgstr "Zistené zakázané požiadavky LUKS2 v zálohe %s."
+
+#: lib/luks2/luks2_json_metadata.c:1474
+msgid "Data offset differ on device and backup, restore failed."
+msgstr "Pozícia údajov sa líši na zariadení a v zálohe, obnova zlyhala."
+
+#: lib/luks2/luks2_json_metadata.c:1480
+msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
+msgstr "Binárna hlavička s oblasťou pre kľúče sa líši na zariadení a v zálohe, obnova zlyhala."
+
+#: lib/luks2/luks2_json_metadata.c:1487
+#, c-format
+msgid "Device %s %s%s%s%s"
+msgstr "Zariadenie %s %s%s%s%s"
+
+#: lib/luks2/luks2_json_metadata.c:1488
+msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
+msgstr "neobsahuje hlavičku LUKS2. Výmena hlavičky môže zničiť údaje na tomto zariadení."
+
+#: lib/luks2/luks2_json_metadata.c:1489
+msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
+msgstr "už obsahuje hlavičku LUKS2. Výmena hlavičky zničí existujúcu oblasť s kľúčmi."
+
+#: lib/luks2/luks2_json_metadata.c:1491
+msgid ""
+"\n"
+"WARNING: unknown LUKS2 requirements detected in real device header!\n"
+"Replacing header with backup may corrupt the data on that device!"
+msgstr ""
+"\n"
+"VAROVANIE: neznáme požiadavky LUKS2 zistené na hlavičke skutočného zariadenia!\n"
+"Výmena hlavičky za záložnú môže poškodiť údaje na tomto zariadení!"
+
+#: lib/luks2/luks2_json_metadata.c:1493
+msgid ""
+"\n"
+"WARNING: Unfinished offline reencryption detected on the device!\n"
+"Replacing header with backup may corrupt data."
+msgstr ""
+"\n"
+"VAROVANIE: Nedokončené offline prešifrovanie zaznamenané na zariadení!\n"
+"Výmena hlavičky za záložnú môže poškodiť údaje na tomto zariadení."
+
+#: lib/luks2/luks2_json_metadata.c:1591
+#, c-format
+msgid "Ignored unknown flag %s."
+msgstr "Ignorovaný neznámy príznak %s."
+
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
+#, c-format
+msgid "Missing key for dm-crypt segment %u"
+msgstr "Chýbajúci kľúč pre dm-crypt segment %u"
+
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
+msgid "Failed to set dm-crypt segment."
+msgstr "Zlyhalo nastavenie dm-crypt segmentu."
+
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
+msgid "Failed to set dm-linear segment."
+msgstr "Zlyhalo nastavenie dm-linear segmentu."
+
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
+msgid "No known cipher specification pattern detected in LUKS2 header."
+msgstr "Nebol nájdený žiaden známy vzor špecifikácie šifry v hlavičke LUKS2."
+
+#: lib/luks2/luks2_json_metadata.c:2691
+msgid "OPAL device must have static device size."
+msgstr "Zariadenie OPAL musí mať statickú veľkosť zariadenia."
+
+#: lib/luks2/luks2_json_metadata.c:2711
+msgid "Encrypted OPAL device with integrity must be smaller than locking range."
+msgstr "Šifrované zariadenie OPAL s integritou musí byť menšie ako uzamykateľná oblasť."
+
+#: lib/luks2/luks2_json_metadata.c:2716
+msgid "OPAL device must have same size as locking range."
+msgstr "Zariadenie OPAL musí mať rovnakú veľkosť ako uzamykateľná oblasť."
+
+#: lib/luks2/luks2_json_metadata.c:2736
+#, c-format
+msgid "OPAL device is %s already unlocked.\n"
+msgstr "Zariadenie OPAL je %s už odomknuté.\n"
+
+#: lib/luks2/luks2_json_metadata.c:2775
+msgid "Unsupported device integrity configuration."
+msgstr "Nepodporovaná konfigurácia integrity zariadenia."
+
+#: lib/luks2/luks2_json_metadata.c:2791
+msgid "Underlying dm-integrity device with unexpected provided data sectors."
+msgstr "Prislúchajúce zariadenie dm-integrity neočakávane poskytlo sektory s údajmi."
+
+#: lib/luks2/luks2_json_metadata.c:2886
+msgid "Reencryption in-progress. Cannot deactivate device."
+msgstr "Prebieha opätovné šifrovanie. Nedá sa deaktivovať zariadenie."
+
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
+#, c-format
+msgid "Failed to replace suspended device %s with dm-error target."
+msgstr "Zlyhala výmena pozastaveného zariadenia %s za cieľ dm-error."
+
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
+#, c-format
+msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
+msgstr "Zariadenie %s bolo deaktivované, ale hardvérové zariadenie OPAL nemôže byť uzamknuté."
+
+#: lib/luks2/luks2_json_metadata.c:3020
+msgid "Unmet LUKS2 requirements detected."
+msgstr "Zistené nesplnené požiadavky LUKS2."
+
+#: lib/luks2/luks2_json_metadata.c:3028
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Operácia je nekompatibilná so zariadením, ktoré je označené pre zastaralé prešifrovanie. Operácia sa ruší."
+
+#: lib/luks2/luks2_json_metadata.c:3030
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Operácia je nekompatibilná so zariadením, ktoré je označené pre LUKS2 prešifrovanie. Operácia sa ruší."
+
+#: lib/luks2/luks2_json_metadata.c:3032
+msgid "Operation incompatible with device using OPAL. Aborting."
+msgstr "Operácia je nekompatibilná so zariadením, ktoré používa OPAL. Operácia sa ruší."
+
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Operácia je nekompatibilná so zariadením, ktoré používa hardvérové inline príznaky. Operácia sa ruší."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
+msgid "Not enough available memory to open a keyslot."
+msgstr "Nie je dostupné dostatočné množstvo pamäte na otvorenie miesta s kľúčom."
+
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
+msgid "Keyslot open failed."
+msgstr "Zlyhalo otvorenie miesta s kľúčom."
+
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
+#, c-format
+msgid "Cannot use %s-%s cipher for keyslot encryption."
+msgstr "Nedá sa použiť šifra %s-%s pre šifrovanie miesta s kľúčom."
+
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Nie je dosť pamäte pre odvodenie kľúču od miesta s kľúčom."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
+#, c-format
+msgid "Hash algorithm %s is not available."
+msgstr "Hashovací algoritmus %s nie je dostupný."
+
+#: lib/luks2/luks2_keyslot_luks2.c:522
+msgid "No space for new keyslot."
+msgstr "Žiadne miesto pre nový kľúč."
+
+#: lib/luks2/luks2_keyslot_reenc.c:583
+msgid "Invalid reencryption resilience mode change requested."
+msgstr "Neplatná zmena režimu odolnosti prešifrovania vyžiadaná."
+
+#: lib/luks2/luks2_keyslot_reenc.c:704
+#, c-format
+msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
+msgstr "Nedá sa aktualizovať typ odolnosti. Nový typ poskytuje len %<PRIu64> bajtov, požadovaný priestor je: %<PRIu64> bajtov."
+
+#: lib/luks2/luks2_keyslot_reenc.c:714
+msgid "Failed to refresh reencryption verification digest."
+msgstr "Zlyhalo obnovenie otlačku (digest) overenia prešifrovania."
+
+#: lib/luks2/luks2_luks1_convert.c:532
+#, c-format
+msgid "Cannot check status of device with uuid: %s."
+msgstr "Nedá sa skontrolovať stav zariadenia s uuid: %s."
+
+#: lib/luks2/luks2_luks1_convert.c:558
+msgid "Unable to convert header with LUKSMETA additional metadata."
+msgstr "Nedá sa zmeniť hlavička s dodatočnými metadátami LUKSMETA."
+
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2."
+msgstr "Nedá sa použiť špecifikácia šifry %s-%s pre LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Nedá sa použiť špecifikácia šifry %s-%s pre LUKS2 miesto s kľúčom."
+
+#: lib/luks2/luks2_luks1_convert.c:614
+msgid "Unable to move keyslot area. Not enough space."
+msgstr "Nedá sa presunúť oblasť s kľúčmi. Nie je dostatok miesta."
+
+#: lib/luks2/luks2_luks1_convert.c:653
+msgid "Cannot convert to LUKS2 format - invalid metadata."
+msgstr "Nedá sa zmeniť formát na LUKS2 - neplatné metadáta."
+
+#: lib/luks2/luks2_luks1_convert.c:670
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Nedá sa presunúť oblasť s kľúčmi. LUKS2 oblasť s kľúčmi je príliš malá."
+
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
+msgid "Unable to move keyslot area."
+msgstr "Nedá sa presunúť oblasť s kľúčmi."
+
+#: lib/luks2/luks2_luks1_convert.c:791
+msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
+msgstr "Nedá sa zmeniť formát na LUKS1 - predvolená veľkosť sektora šifrovania segmentov nie je 512 bajtov."
+
+#: lib/luks2/luks2_luks1_convert.c:799
+msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
+msgstr "Nedá sa zmeniť formát na LUKS1 - otlačok (digest) miesta pre kľúč nie je kompatibilný s LUKS1."
+
+#: lib/luks2/luks2_luks1_convert.c:813
+#, c-format
+msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
+msgstr "Nedá sa zmeniť formát na LUKS1 - zariadenie používa šifru so zabaleným kľúčom %s."
+
+#: lib/luks2/luks2_luks1_convert.c:818
+msgid "Cannot convert to LUKS1 format - device uses more segments."
+msgstr "Nedá sa zmeniť formát na LUKS1 - zariadenie používa viac segmentov."
+
+#: lib/luks2/luks2_luks1_convert.c:826
+#, c-format
+msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
+msgstr "Nedá sa zmeniť formát na LUKS1 - hlavička LUKS2 obsahuje %u token(y)."
+
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Nedá sa zmeniť formát na LUKS1 - nie sú žiadne aktívne miesta s kľúčmi."
+
+#: lib/luks2/luks2_luks1_convert.c:844
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
+msgstr "Nedá sa zmeniť formát na LUKS1 - miesto pre kľúč %u je v neplatnom stave."
+
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Nedá sa zmeniť formát na LUKS1 - miesto pre kľúč %u je neviazané."
+
+#: lib/luks2/luks2_luks1_convert.c:854
+#, c-format
+msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
+msgstr "Nedá sa zmeniť formát na LUKS1 - miesto %u (nad max. množstvom miest) je stále aktívne."
+
+#: lib/luks2/luks2_luks1_convert.c:859
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
+msgstr "Nedá sa zmeniť formát na LUKS1 - miesto pre kľúč %u nie je kompatibilné s LUKS1."
+
+#: lib/luks2/luks2_reencrypt.c:1198
+#, c-format
+msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Veľkosť horúcej zóny musí byť násobkom vypočítaného zarovnania zóny (%zu bajtov)."
+
+#: lib/luks2/luks2_reencrypt.c:1203
+#, c-format
+msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Veľkosť zariadenia musí byť násobkom vypočítaného zarovnania zóny (%zu bajtov)."
+
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
+msgid "Failed to initialize old segment storage wrapper."
+msgstr "Zlyhala inicializácia obalu úložiska pre staré segmenty."
+
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
+msgid "Failed to initialize new segment storage wrapper."
+msgstr "Zlyhala inicializácia obalu úložiska pre nové segmenty."
+
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
+msgid "Failed to initialize hotzone protection."
+msgstr "Zlyhala inicializácia ochrany horúcej zóny."
+
+#: lib/luks2/luks2_reencrypt.c:1623
+msgid "Failed to read checksums for current hotzone."
+msgstr "Zlyhalo čítanie kontrolných súčtov pre aktuálnu horúcu zónu."
+
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
+#, c-format
+msgid "Failed to read hotzone area starting at %<PRIu64>."
+msgstr "Zlyhalo čítanie oblasti horúcej zóny začínajúcej na %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:1649
+#, c-format
+msgid "Failed to decrypt sector %zu."
+msgstr "Zlyhalo dešifrovanie sektoru %zu."
+
+#: lib/luks2/luks2_reencrypt.c:1655
+#, c-format
+msgid "Failed to recover sector %zu."
+msgstr "Zlyhalo obnovenie sektoru %zu."
+
+#: lib/luks2/luks2_reencrypt.c:2208
+#, c-format
+msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
+msgstr "Veľkosti zdrojového a cieľového zariadenia sa nezhodujú. Zdroj: %<PRIu64>, cieľ: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:2310
+#, c-format
+msgid "Failed to activate hotzone device %s."
+msgstr "Zlyhalo aktivovanie zariadenia horúcej zóny %s."
+
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "Zlyhala alokácia zariadenia horúcej zóny %s."
+
+#: lib/luks2/luks2_reencrypt.c:2339
+#, c-format
+msgid "Failed to activate overlay device %s with actual origin table."
+msgstr "Zlyhalo aktivovanie prekrývajúceho zariadenia %s s aktuálnou tabuľkou pôvodu."
+
+#: lib/luks2/luks2_reencrypt.c:2346
+#, c-format
+msgid "Failed to load new mapping for device %s."
+msgstr "Zlyhalo načítanie nového mapovania pre zariadenie %s."
+
+#: lib/luks2/luks2_reencrypt.c:2418
+msgid "Failed to refresh reencryption devices stack."
+msgstr "Zlyhalo obnovenie zásobníka zariadení k prešifrovaniu."
+
+#: lib/luks2/luks2_reencrypt.c:2615
+msgid "Failed to set new keyslots area size."
+msgstr "Zlyhalo nastavenie novej veľkosti oblasti s kľúčmi."
+
+#: lib/luks2/luks2_reencrypt.c:2751
+#, c-format
+msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Hodnota posunu údajov nie je zarovnaná s veľkosťou šifrovaného sektoru (%<PRIu32> bajtov)."
+
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
+#, c-format
+msgid "Unsupported resilience mode %s"
+msgstr "Nepodporovaný režim odolnosti %s"
+
+#: lib/luks2/luks2_reencrypt.c:2824
+msgid "Moved segment size can not be greater than data shift value."
+msgstr "Veľkosť posunutého segmentu nemôže byť väčšia ako hodnota posunu údajov."
+
+#: lib/luks2/luks2_reencrypt.c:2866
+msgid "Invalid reencryption resilience parameters."
+msgstr "Neplatné parametre odolnosti prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:2888
+#, c-format
+msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
+msgstr "Presunutý segment príliš veľký. Požadovaná veľkosť %<PRIu64>, dostupné miesto pre: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:2977
+msgid "Failed to clear table."
+msgstr "Zlyhalo vyčistenie tabuľky."
+
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Posun údajov (%<PRIu64> sektorov) je menší než budúce odsadenie údajov (%<PRIu64> sektorov)."
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
+msgid "Reduced data size is larger than real device size."
+msgstr "Zmenšená veľkosť údajov je väčšia ako skutočná veľkosť zariadenia."
+
+#: lib/luks2/luks2_reencrypt.c:3095
+#, c-format
+msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
+msgstr "Zariadenie s údajmi nie je zarovnané k veľkosti šifrovaného sektoru (%<PRIu32> bajtov)."
+
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
+#, c-format
+msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
+msgstr "Zlyhalo otvorenie %s vo výlučnom režime (už mapované alebo pripojené)."
+
+#: lib/luks2/luks2_reencrypt.c:3332
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Zariadenie nie je označené pre LUKS2 prešifrovanie."
+
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
+msgid "Failed to load LUKS2 reencryption context."
+msgstr "Zlyhalo načítanie kontextu LUKS2 prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
+msgid "Device is not in reencryption."
+msgstr "Zariadenie nie je opätovne šifrované."
+
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
+msgid "Reencryption process is already running."
+msgstr "Proces prešifrovania už beží."
+
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
+msgid "Failed to acquire reencryption lock."
+msgstr "Zlyhalo získanie zámku prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:3468
+msgid "Cannot proceed with reencryption. Run reencryption recovery first."
+msgstr "Nedá sa pokračovať v prešifrovaní. Spustite najprv obnovu prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:3604
+msgid "Active device size and requested reencryption size don't match."
+msgstr "Veľkosť aktívneho zariadenia a požadovaná veľkosť prešifrovania sa nezhoduje."
+
+#: lib/luks2/luks2_reencrypt.c:3618
+msgid "Illegal device size requested in reencryption parameters."
+msgstr "V parametroch prešifrovania je požadovaná nedovolená veľkosť zariadenia."
+
+#: lib/luks2/luks2_reencrypt.c:3720
+msgid "Reencryption in-progress. Cannot perform recovery."
+msgstr "Prebieha prešifrovanie. Nedá sa vykonať obnova."
+
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Obnova prešifrovaním LUKS2 zlyhala."
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "Zlyhala inicializácia zásobníka zariadenia k prešifrovaniu."
+
+#: lib/luks2/luks2_reencrypt.c:3907
+msgid "LUKS2 reencryption already initialized in metadata."
+msgstr "LUKS2 prešifrovanie je už inicializované v metadátach."
+
+#: lib/luks2/luks2_reencrypt.c:3915
+msgid "Failed to initialize LUKS2 reencryption in metadata."
+msgstr "Zlyhala inicializácia LUKS2 prešifrovania v metadátach."
+
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
+msgid "Reencryption is not supported for DAX (persistent memory) devices."
+msgstr "Prešifrovanie nie je podporované na DAX (trvalá pamäť) zariadeniach."
+
+#: lib/luks2/luks2_reencrypt.c:4059
+msgid "Failed to set device segments for next reencryption hotzone."
+msgstr "Zlyhalo nastavenie segmentov zariadenia pre ďalšiu horúcu zónu prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:4112
+msgid "Failed to write reencryption resilience metadata."
+msgstr "Zlyhal zápis odolných metadát prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:4119
+msgid "Decryption failed."
+msgstr "Dešifrovanie zlyhalo."
+
+#: lib/luks2/luks2_reencrypt.c:4124
+#, c-format
+msgid "Failed to write hotzone area starting at %<PRIu64>."
+msgstr "Zlyhal zápis oblasti s horúcou zónou začínajúci na %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:4129
+msgid "Failed to sync data."
+msgstr "Zlyhala synchronizácia údajov."
+
+#: lib/luks2/luks2_reencrypt.c:4137
+msgid "Failed to update metadata after current reencryption hotzone completed."
+msgstr "Zlyhalo aktualizovanie metadát po dokončení aktuálnej horúcej zóny prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:4226
+msgid "Failed to write LUKS2 metadata."
+msgstr "Zlyhal zápis LUKS2 metadát."
+
+#: lib/luks2/luks2_reencrypt.c:4249
+msgid "Failed to wipe unused data device area."
+msgstr "Zlyhalo vymazanie oblasti zariadenia s nepoužívanými údajmi."
+
+#: lib/luks2/luks2_reencrypt.c:4255
+#, c-format
+msgid "Failed to remove unused (unbound) keyslot %d."
+msgstr "Zlyhalo odstránenie nepoužívaného (neviazaného) miesta pre kľúč %d."
+
+#: lib/luks2/luks2_reencrypt.c:4265
+msgid "Failed to remove reencryption keyslot."
+msgstr "Zlyhalo odstránenie miesta pre kľúč prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:4275
+#, c-format
+msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
+msgstr "Fatálna chyba počas prešifrovania časti začínajúcej na %<PRIu64>, dlhej %<PRIu64> sektorov."
+
+#: lib/luks2/luks2_reencrypt.c:4279
+msgid "Online reencryption failed."
+msgstr "Zlyhalo prešifrovanie za behu."
+
+#: lib/luks2/luks2_reencrypt.c:4284
+msgid "Do not resume the device unless replaced with error target manually."
+msgstr "Zariadenie neprebuďte pokiaľ ho manuálne nenahradíte s chybovým cieľom."
+
+#: lib/luks2/luks2_reencrypt.c:4336
+msgid "Cannot proceed with reencryption. Unexpected reencryption status."
+msgstr "Nedá sa pokračovať v prešifrovaní. Neočakávaný stav prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:4342
+msgid "Missing or invalid reencrypt context."
+msgstr "Chýbajúci alebo neplatný kontext prešifrovania."
+
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
+msgid "Failed to update reencryption context."
+msgstr "Zlyhala aktualizácia kontextu prešifrovania."
+
+#: lib/luks2/luks2_reencrypt_digest.c:401
+msgid "Reencryption metadata is invalid."
+msgstr "Metadáta prešifrovania sú neplatné."
+
+#: lib/luks2/hw_opal/hw_opal.c:335
+#, c-format
+msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
+msgstr "OPAL oblasť %d na mieste %<PRIu64> sa líši od očakávaných hodnôt %<PRIu64>."
+
+#: lib/luks2/hw_opal/hw_opal.c:342
+#, c-format
+msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
+msgstr "OPAL oblasť %d dĺžky %<PRIu64> sa líši od veľkosti zariadenia %<PRIu64>."
+
+#: lib/luks2/hw_opal/hw_opal.c:348
+#, c-format
+msgid "OPAL range %d locking is disabled."
+msgstr "Uzamykanie OPAL oblasti %d je vypnuté."
+
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
+#, c-format
+msgid "Unexpected OPAL range %d lock state."
+msgstr "Neočakávaný stav uzamknutia OPAL oblasti %d."
+
+#: src/cryptsetup.c:87
+msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+msgstr "Parametre šifrovania miesta pre kľúč môžu byť nastavené len pre LUKS2 zariadenie."
+
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Parametre šifrovania miesta pre kľúč nie sú kompatibilné so šifrovaním miesta pre kľúč LUKS2."
+
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
+msgid "No known cipher specification pattern detected."
+msgstr "Nebol nájdený žiaden známy vzor špecifikácie šifry."
+
+#: src/cryptsetup.c:160
+#, c-format
+msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
+msgstr "VAROVANIE: Používajú sa predvolené možnosti pre šifru (%s-%s, veľkosť kľúča %u bitov), ktoré môžu byť nekompatibilné so staršími verziami."
+
+#: src/cryptsetup.c:165
+#, c-format
+msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
+msgstr "VAROVANIE: Používajú sa predvolené možnosti pre hash (%s), ktoré môžu byť nekompatibilné so staršími verziami."
+
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "Pre režim plain, vždy použite možnosti --cipher, --key-size a ak žiaden súbor s kľúčom alebo zväzok kľúčov nie je použitý, potom tiež --hash."
+
+#: src/cryptsetup.c:175
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "VAROVANIE: Parameter --hash je ignorovaný v režime plain so zadaným súborom s kľúčom.\n"
+
+#: src/cryptsetup.c:189
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "VAROVANIE: Možnosť --keyfile-size je ignorovaná, veľkosť čítania je rovnaká ako veľkosť kľúča šifrovania.\n"
+
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
+#, c-format
+msgid "Blkid scan failed for %s."
+msgstr "Skenovanie blkid zlyhalo pre %s."
+
+#: src/cryptsetup.c:232
+#, c-format
+msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
+msgstr "Zaznamenané podpis(y) zariadenia na %s. Pokračovanie ďalej môže poškodiť existujúce údaje."
+
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
+msgid "Operation aborted.\n"
+msgstr "Operácia zrušená.\n"
+
+#: src/cryptsetup.c:323
+msgid "Option --key-file is required."
+msgstr "Možnosť --key-file je požadovaná."
+
+#: src/cryptsetup.c:377
+msgid "Enter VeraCrypt PIM: "
+msgstr "Zadajte VeraCrypt PIM: "
+
+#: src/cryptsetup.c:386
+msgid "Invalid PIM value: parse error."
+msgstr "Neplatná hodnota PIM: chyba pri rozbore."
+
+#: src/cryptsetup.c:389
+msgid "Invalid PIM value: 0."
+msgstr "Neplatná hodnota PIM: 0."
+
+#: src/cryptsetup.c:392
+msgid "Invalid PIM value: outside of range."
+msgstr "Neplatná hodnota PIM: mimo rozsahu."
+
+#: src/cryptsetup.c:415
+msgid "No device header detected with this passphrase."
+msgstr "Žiadna hlavička zariadenia nebola rozpoznaná pre toto heslo."
+
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Zariadenie %s nie je platné BITLK zariadenie."
+
+#: src/cryptsetup.c:500
+msgid "Cannot determine volume key size for BITLK, please use --key-size option."
+msgstr "Nedá sa určiť veľkosť kľúča zväzku pre BITLK, prosím použite možnosť --key-size."
+
+#: src/cryptsetup.c:546
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Výpis hlavičky s kľúčom zväzku je citlivý údaj,\n"
+"ktorý povoľuje prístup k zašifrovaným oddielom bez hesla.\n"
+"Tento výpis by mal byť vždy uložený zašifrovaný na bezpečnom mieste."
+
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
+msgid ""
+"The header dump with volume key is sensitive information\n"
+"that allows access to encrypted partition without a passphrase.\n"
+"This dump should be stored encrypted in a safe place."
+msgstr ""
+"Výpis hlavičky s kľúčom zväzku je citlivý údaj,\n"
+"ktorý povoľuje prístup k zašifrovaným oddielom bez hesla.\n"
+"Tento výpis by mal byť uložený zašifrovaný na bezpečnom mieste."
+
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
+#, c-format
+msgid "Device %s is not a valid FVAULT2 device."
+msgstr "Zariadenie %s nie je platné FVAULT2 zariadenie."
+
+#: src/cryptsetup.c:794
+msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
+msgstr "Nedá sa určiť veľkosť kľúča zväzku pre FVAULT2, prosím použite možnosť --key-size."
+
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
+#, c-format
+msgid "Device %s is still active and scheduled for deferred removal.\n"
+msgstr "Zariadenie %s je stále aktívne a naplánované pre odložené odstránenie.\n"
+
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
+#, c-format
+msgid "Failed to set external tokens path %s."
+msgstr "Zlyhalo nastavenie cesty k externým tokenom %s."
+
+#: src/cryptsetup.c:890
+msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
+msgstr "Zmena veľkosti aktívneho zariadenia vyžaduje kľúč zväzku vo zväzku kľúčov, ale možnosť --disable-keyring je nastavená."
+
+#: src/cryptsetup.c:1059
+msgid "Benchmark interrupted."
+msgstr "Hodnotenie výkonu prerušené."
+
+#: src/cryptsetup.c:1080
+#, c-format
+msgid "PBKDF2-%-9s     N/A\n"
+msgstr "PBKDF2-%-9s     –\n"
+
+#: src/cryptsetup.c:1082
+#, c-format
+msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
+msgstr "PBKDF2-%-9s %7u iterácií za sekundu pre %zu-bitový kľúč\n"
+
+#: src/cryptsetup.c:1096
+#, c-format
+msgid "%-10s N/A\n"
+msgstr "%-10s –\n"
+
+#: src/cryptsetup.c:1098
+#, c-format
+msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
+msgstr "%-10s %4u iterácií, %5u pamäte, %1u paralelných vlákien (CPU) pre %zu-bitový kľúč (vyžadovaný čas %u ms)\n"
+
+#: src/cryptsetup.c:1122
+msgid "Result of benchmark is not reliable."
+msgstr "Výsledok hodnotenia výkonu nie je spoľahlivý."
+
+#: src/cryptsetup.c:1172
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Testy sú len približné a používajú iba pamäť (žiadne vstupno-výstupné úložisko).\n"
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1197
+#, c-format
+msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
+msgstr "#%*s Algoritmus|      Kľúč |      Šifrovanie |    Dešifrovanie\n"
+
+#: src/cryptsetup.c:1205
+#, c-format
+msgid "Cipher %s (with %i bits key) is not available."
+msgstr "Šifra %s (s %i bitovým kľúčom) nie je dostupná."
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1224
+msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
+msgstr "#     Algoritmus|      Kľúč |      Šifrovanie |    Dešifrovanie\n"
+
+#: src/cryptsetup.c:1235
+msgid "N/A"
+msgstr "–"
+
+#: src/cryptsetup.c:1260
+msgid ""
+"Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
+"and continue (upgrade metadata) only if you acknowledge the operation as genuine."
+msgstr ""
+"Zaznamenané nechránené metadáta LUKS2 prešifrovania. Prosím overte, či je operácia prešifrovania žiadúca (pozri výstup luksDump)\n"
+"a pokračujte (aktualizujte metadáta) iba keď operáciu uznáte za žiadúcu."
+
+#: src/cryptsetup.c:1266
+msgid "Enter passphrase to protect and upgrade reencryption metadata: "
+msgstr "Zadajte heslo na ochránenie a aktualizáciu metadát prešifrovania: "
+
+#: src/cryptsetup.c:1310
+msgid "Really proceed with LUKS2 reencryption recovery?"
+msgstr "Naozaj pokračovať s obnovou LUKS2 prešifrovania?"
+
+#: src/cryptsetup.c:1319
+msgid "Enter passphrase to verify reencryption metadata digest: "
+msgstr "Zadajte heslo na overenie otlačku (digest) metadát prešifrovania: "
+
+#: src/cryptsetup.c:1321
+msgid "Enter passphrase for reencryption recovery: "
+msgstr "Zadajte heslo pre obnovu prešifrovania: "
+
+#: src/cryptsetup.c:1383
+msgid "Really try to repair LUKS device header?"
+msgstr "Naozaj sa pokúsiť opraviť hlavičku LUKS zariadenia?"
+
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+"\n"
+"Mazanie prerušené."
+
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
+msgid ""
+"Wiping device to initialize integrity checksum.\n"
+"You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
+msgstr ""
+"Mazanie zariadenia na inicializáciu kontrolného súčtu integrity.\n"
+"Môžete to prerušiť stlačením CTRL+c (zvyšok nevymazaného zariadenia bude obsahovať neplatný kontrolný súčet).\n"
+
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
+#, c-format
+msgid "Cannot deactivate temporary device %s."
+msgstr "Nedá sa deaktivovať dočasné zariadenie %s."
+
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "Iba hardvérové šifrovanie OPAL nepodporuje --cipher a --key-size, možnosti sa ignorujú."
+
+#: src/cryptsetup.c:1499
+msgid "Integrity option can be used only for LUKS2 format."
+msgstr "Možnosti integrity môžu byť použité len pre formát LUKS2."
+
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
+msgid "Unsupported LUKS2 metadata size options."
+msgstr "Nepodporovaná možnosť veľkosti LUKS2 metadát."
+
+#: src/cryptsetup.c:1509
+msgid "OPAL is supported only for LUKS2 format."
+msgstr "OPAL je podporovaný len pre formát LUKS2."
+
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Hardvérové inline príznaky sú podporované len pre LUKS2 formát."
+
+#: src/cryptsetup.c:1523
+msgid "Header file does not exist, do you want to create it?"
+msgstr "Súbor s hlavičkou neexistuje, chcete ho vytvoriť?"
+
+#: src/cryptsetup.c:1531
+#, c-format
+msgid "Cannot create header file %s."
+msgstr "Nedá sa vytvoriť súbor s hlavičkou %s."
+
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
+msgid "No known integrity specification pattern detected."
+msgstr "Nebol rozpoznaný žiaden známy vzor špecifikácie integrity."
+
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "Nedá sa použiť zadaná veľkosť kľúča integrity."
+
+#: src/cryptsetup.c:1577
+#, c-format
+msgid "Cannot use %s as on-disk header."
+msgstr "Nedá sa použiť %s ako hlavička na disku."
+
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Toto prepíše údaje na %s nenávratne."
+
+#: src/cryptsetup.c:1643
+msgid "OPAL Admin password cannot be empty."
+msgstr "OPAL heslo administrátora nemôže byť prázdne."
+
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
+msgid "Failed to set pbkdf parameters."
+msgstr "Zlyhalo nastavenie pbkdf parametrov."
+
+#: src/cryptsetup.c:1788
+msgid "Reduced data offset is allowed only for detached LUKS header."
+msgstr "Znížené odsadenie údajov je povolené len pre oddelenú hlavičku LUKS."
+
+#: src/cryptsetup.c:1795
+#, c-format
+msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
+msgstr "Kontajnerový súbor LUKS %s je príliš malý na aktiváciu, nie je tam žiadne zvyšné miesto pre údaje."
+
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
+msgstr "Nedá sa zistiť veľkosť kľúču zväzku pre LUKS bez miest pre kľúče, prosím použite voľbu --key-size."
+
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Zariadenie vyžaduje dve kľúče zväzku."
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Niektoré zadané aktivačné parametre boli ignorované s len hardvérovým šifrovaním OPAL."
+
+#: src/cryptsetup.c:1896
+msgid "Device activated but cannot make flags persistent."
+msgstr "Zariadenie aktivované, ale nedajú sa urobiť príznaky trvalými."
+
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
+#, c-format
+msgid "Keyslot %d is selected for deletion."
+msgstr "Miesto pre kľúč %d je vybrané pre vymazanie."
+
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Toto je posledné miesto pre kľúč. Zariadenie sa stane nepoužiteľné po odstránení tohto kľúča."
+
+#: src/cryptsetup.c:1989
+msgid "Enter any remaining passphrase: "
+msgstr "Zadajte akékoľvek zvyšné heslo: "
+
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
+msgid "Operation aborted, the keyslot was NOT wiped.\n"
+msgstr "Operácia zrušená, miesto pre kľúč NEBOLO zmazané.\n"
+
+#: src/cryptsetup.c:2026
+msgid "Enter passphrase to be deleted: "
+msgstr "Zadajte heslo, ktoré má byť vymazané: "
+
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
+#, c-format
+msgid "Device %s is not a valid LUKS2 device."
+msgstr "Zariadenie %s nie je platné LUKS2 zariadenie."
+
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
+msgid "Enter new passphrase for key slot: "
+msgstr "Zadajte nové heslo k miestu pre kľúč: "
+
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Zadaj PIN k tokenu: "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Zadaj PIN k tokenu %d: "
+
+#: src/cryptsetup.c:2210
+msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
+msgstr "VAROVANIE: Parameter --key-slot je použitý pre nové číslo miesta pre kľúč.\n"
+
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Zadajte akékoľvek existujúce heslo: "
+
+#: src/cryptsetup.c:2383
+msgid "Enter passphrase to be changed: "
+msgstr "Zadajte heslo, ktoré sa má zmeniť: "
+
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
+msgid "Enter new passphrase: "
+msgstr "Zadajte nové heslo: "
+
+#: src/cryptsetup.c:2449
+msgid "Enter passphrase for keyslot to be converted: "
+msgstr "Zadajte heslo k miestu pre kľúč, ktoré má byť konvertované: "
+
+#: src/cryptsetup.c:2473
+msgid "Only one device argument for isLuks operation is supported."
+msgstr "Iba jeden argument so zariadením pre operáciu isLuks je podporovaný."
+
+#: src/cryptsetup.c:2578
+#, c-format
+msgid "Keyslot %d does not contain unbound key."
+msgstr "Miesto pre kľúč %d neobsahuje neviazaný kľúč."
+
+#: src/cryptsetup.c:2583
+msgid ""
+"The header dump with unbound key is sensitive information.\n"
+"This dump should be stored encrypted in a safe place."
+msgstr ""
+"Výpis hlavičky s neviazaným kľúčom je citlivý údaj.\n"
+"Tento výpis by mal byť uložený šifrovaný na bezpečnom mieste."
+
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
+#, c-format
+msgid "%s is not active %s device name."
+msgstr "%s nie je názov aktívneho zariadenia %s."
+
+#: src/cryptsetup.c:2709
+#, c-format
+msgid "%s is not active LUKS device name or header is missing."
+msgstr "%s nie je názov aktívneho LUKS zariadenia alebo chýba hlavička."
+
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
+msgid "Option --header-backup-file is required."
+msgstr "Možnosť --header-backup-file je vyžadovaná."
+
+#: src/cryptsetup.c:2836
+#, c-format
+msgid "%s is not cryptsetup managed device."
+msgstr "%s nie je zariadenie spravované cryptsetup-om."
+
+#: src/cryptsetup.c:2847
+#, c-format
+msgid "Refresh is not supported for device type %s"
+msgstr "Obnovenie nie je podporované pre typ zariadenia %s"
+
+#: src/cryptsetup.c:2897
+#, c-format
+msgid "Unrecognized metadata device type %s."
+msgstr "Nerozpoznaný typ zariadenia %s v metadátach."
+
+#: src/cryptsetup.c:2899
+msgid "Command requires device and mapped name as arguments."
+msgstr "Príkaz požaduje zariadenie a mapovaný názov ako argumenty."
+
+#: src/cryptsetup.c:2917
+msgid "Enter OPAL PSID: "
+msgstr "Zadajte OPAL PSID: "
+
+#: src/cryptsetup.c:2917
+msgid "Enter OPAL Admin password: "
+msgstr "Zadajte OPAL heslo administrátora: "
+
+#: src/cryptsetup.c:2925
+msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
+msgstr "VAROVANIE: CELÝ disk bude obnovený do továrenských nastavení a všetky údaje budú stratené! Pokračovať?"
+
+#: src/cryptsetup.c:2968
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Táto operácia vymaže všetky miesta s kľúčmi na zariadení %s.\n"
+"Zariadenie sa stane nepoužiteľné po tejto operácií."
+
+#: src/cryptsetup.c:2975
+msgid "Operation aborted, keyslots were NOT wiped.\n"
+msgstr "Operácia zrušená, miesta s kľúčmi NEBOLI vymazané.\n"
+
+#: src/cryptsetup.c:3014
+msgid "Invalid LUKS type, only luks1 and luks2 are supported."
+msgstr "Neplatný typ LUKS, iba luks1 a luks2 sú podporované."
+
+#: src/cryptsetup.c:3030
+#, c-format
+msgid "Device is already %s type."
+msgstr "Zariadenie je už typom %s."
+
+#: src/cryptsetup.c:3037
+#, c-format
+msgid "This operation will convert %s to %s format.\n"
+msgstr "Táto operácia premení %s na formát %s.\n"
+
+#: src/cryptsetup.c:3040
+msgid "Operation aborted, device was NOT converted.\n"
+msgstr "Operácia zrušená, zariadenie NEBOLO premenené.\n"
+
+#: src/cryptsetup.c:3080
+msgid "Option --priority, --label or --subsystem is missing."
+msgstr "Možnosť --priority, --label alebo --subsystem chýba."
+
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
+#, c-format
+msgid "Token %d is invalid."
+msgstr "Token %d je neplatný."
+
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
+#, c-format
+msgid "Token %d in use."
+msgstr "Token %d je používaný."
+
+#: src/cryptsetup.c:3129
+#, c-format
+msgid "Failed to add luks2-keyring token %d."
+msgstr "Zlyhalo pridanie tokenu luks2-keyring %d."
+
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
+#, c-format
+msgid "Failed to assign token %d to keyslot %d."
+msgstr "Zlyhalo priradenie tokenu %d k miestu pre kľúč %d."
+
+#: src/cryptsetup.c:3157
+#, c-format
+msgid "Token %d is not in use."
+msgstr "Token %d sa nepoužíva."
+
+#: src/cryptsetup.c:3194
+msgid "Failed to import token from file."
+msgstr "Zlyhalo importovanie tokenu zo súboru."
+
+#: src/cryptsetup.c:3219
+#, c-format
+msgid "Failed to get token %d for export."
+msgstr "Zlyhalo získanie tokenu %d pre export."
+
+#: src/cryptsetup.c:3232
+#, c-format
+msgid "Token %d is not assigned to keyslot %d."
+msgstr "Token %d nie je priradený k miestu pre kľúč %d."
+
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
+#, c-format
+msgid "Failed to unassign token %d from keyslot %d."
+msgstr "Zlyhalo zrušenie priradenia tokenu %d z miesta pre kľúč %d."
+
+#: src/cryptsetup.c:3300
+msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
+msgstr "Možnosť --tcrypt-hidden, --tcrypt-system alebo --tcrypt-backup je podporovaná len pre TCRYPT zariadenie."
+
+#: src/cryptsetup.c:3303
+msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
+msgstr "Možnosť --veracrypt alebo --disable-veracrypt je podporovaná len pre zariadenie typu TCRYPT."
+
+#: src/cryptsetup.c:3306
+msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
+msgstr "Možnosť --veracrypt-pim je podporovaná len pre zariadenia kompatibilné s VeraCrypt."
+
+#: src/cryptsetup.c:3310
+msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
+msgstr "Možnosť --veracrypt-query-pim je podporovaná len pre zariadenia kompatibilné s VeraCrypt."
+
+#: src/cryptsetup.c:3312
+msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
+msgstr "Možnosti --veracrypt-pim a --veracrypt-query-pim sa vzájomne vylučujú."
+
+#: src/cryptsetup.c:3321
+msgid "Option --persistent is not allowed with --test-passphrase."
+msgstr "Možnosť --persistent nie je povolené s --test-passphrase."
+
+#: src/cryptsetup.c:3324
+msgid "Options --refresh and --test-passphrase are mutually exclusive."
+msgstr "Možnosti --refresh a --test-passphrase sa navzájom vylučujú."
+
+#: src/cryptsetup.c:3327
+msgid "Option --shared is allowed only for open of plain device."
+msgstr "Možnosť --shared je povolená len pre otvorenie zariadenia plain."
+
+#: src/cryptsetup.c:3330
+msgid "Option --skip is supported only for open of plain and loopaes devices."
+msgstr "Možnosť --skip je podporovaná len pre otvorenie zariadení plain a loopaes."
+
+#: src/cryptsetup.c:3333
+msgid "Option --offset with open action is only supported for plain and loopaes devices."
+msgstr "Možnosť --offset s akciou otvorenia je podporovaná len pre zariadenia plain a loopaes."
+
+#: src/cryptsetup.c:3336
+msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
+msgstr "Možnosť --tcrypt-hidden nemôže byť kombinovaná s --allow-discards."
+
+#: src/cryptsetup.c:3340
+msgid "Sector size option with open action is supported only for plain devices."
+msgstr "Možnosť veľkosti sektora s akciou otvorenia je podporovaná len pre zariadenia plain."
+
+#: src/cryptsetup.c:3344
+msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
+msgstr "Možnosť veľkých IV sektorov je podporovaná len pre otváranie zariadenia typu plain s veľkosťou sektora väčšou než 512 bajtov."
+
+#: src/cryptsetup.c:3349
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
+msgstr "Možnosť --test-passphrase je povolená len pre otvorenie LUKS, TCRYPT, BITLK a FVAULT2 zariadení."
+
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
+msgid "Options --device-size and --size cannot be combined."
+msgstr "Možnosť --device-size a --size nemôžu byť kombinované."
+
+#: src/cryptsetup.c:3355
+msgid "Option --unbound is allowed only for open of luks device."
+msgstr "Možnosť --unbound je povolená len pre otvorenie zariadení luks."
+
+#: src/cryptsetup.c:3358
+msgid "Option --unbound cannot be used without --test-passphrase."
+msgstr "Možnosť --unbound nemôže byť použitá bez --test-passphrase."
+
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Možnosť --volume-key-keyring nemôže byť kombinovaná s --hash alebo --volume-key-file."
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Obe možnosti --volume-key-file musia byť zadané spolu s príslušnými možnosťami --key-size."
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
+msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
+msgstr "Možnosti --cancal-deferred a --deferred nemôžu byť použité naraz."
+
+#: src/cryptsetup.c:3390
+msgid "Option --active-name can be set only for LUKS2 device."
+msgstr "Možnosť --active-name možno nastaviť len pre zariadenie LUKS2."
+
+#: src/cryptsetup.c:3393
+msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
+msgstr "Možnosti --active-name a --force-offline-reencrypt nemožno kombinovať."
+
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Možnosti --new-volume-key-file a --keep-key nemožno kombinovať."
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Možnosti --new-volume-key-keyring a --keep-key nemožno kombinovať."
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
+msgid "Keyslot specification is required."
+msgstr "Vyžaduje sa zadanie miesta pre kľúč."
+
+#: src/cryptsetup.c:3415
+msgid "Options --align-payload and --offset cannot be combined."
+msgstr "Možnosti --align-payload a --offset nemožno kombinovať."
+
+#: src/cryptsetup.c:3418
+msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
+msgstr "Možnosť --integrity-no-wipe môže byť použitá len pre formátovanie s rozšírením integrity."
+
+#: src/cryptsetup.c:3421
+msgid "Only one of --use-[u]random options is allowed."
+msgstr "Iba jedna z možností --use-[u]random je povolená."
+
+#: src/cryptsetup.c:3429
+msgid "Key size is required with --unbound option."
+msgstr "Veľkosť kľúča sa vyžaduje s možnosťou --unbound."
+
+#: src/cryptsetup.c:3449
+msgid "Invalid token action."
+msgstr "Neplatná operácia s tokenom."
+
+#: src/cryptsetup.c:3452
+msgid "--key-description parameter is mandatory for token add action."
+msgstr "Parameter --key-description je povinný pre pridanie tokenu."
+
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
+msgid "Action requires specific token. Use --token-id parameter."
+msgstr "Akcia vyžaduje špecifický token. Použite --token-id parameter."
+
+#: src/cryptsetup.c:3460
+msgid "Option --unbound is valid only with token add action."
+msgstr "Možnosť --unbound je platná len pri pridávaní tokenu."
+
+#: src/cryptsetup.c:3462
+msgid "Options --key-slot and --unbound cannot be combined."
+msgstr "Možnosti --key-slot a --unbound nemožno kombinovať."
+
+#: src/cryptsetup.c:3467
+msgid "Action requires specific keyslot. Use --key-slot parameter."
+msgstr "Akcia vyžaduje špecifický token. Použite --key-slot parameter."
+
+#: src/cryptsetup.c:3483
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<zariadenie> [--type <typ>] [<názov>]"
+
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
+msgid "open device as <name>"
+msgstr "otvorí zariadenie ako <názov>"
+
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
+msgid "<name>"
+msgstr "<názov>"
+
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
+msgid "close device (remove mapping)"
+msgstr "zatvorí zariadenie (odstráni mapovanie)"
+
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
+msgid "resize active device"
+msgstr "zmení veľkosť aktívneho zariadenia"
+
+#: src/cryptsetup.c:3486
+msgid "show device status"
+msgstr "zobrazí stav zariadenia"
+
+#: src/cryptsetup.c:3487
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <šifra>]"
+
+#: src/cryptsetup.c:3487
+msgid "benchmark cipher"
+msgstr "zhodnotí výkon šifry"
+
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
+msgid "<device>"
+msgstr "<zariadenie>"
+
+#: src/cryptsetup.c:3488
+msgid "try to repair on-disk metadata"
+msgstr "pokúsi sa opraviť metadáta uložené na disku"
+
+#: src/cryptsetup.c:3489
+msgid "reencrypt LUKS2 device"
+msgstr "prešifruje zariadenie LUKS2"
+
+#: src/cryptsetup.c:3490
+msgid "erase all keyslots (remove encryption key)"
+msgstr "vymaže všetky miesta s kľúčmi (odstráni šifrovací kľúč)"
+
+#: src/cryptsetup.c:3491
+msgid "convert LUKS from/to LUKS2 format"
+msgstr "prevedie LUKS z/na LUKS2 formát(u)"
+
+#: src/cryptsetup.c:3492
+msgid "set permanent configuration options for LUKS2"
+msgstr "nastaví trvalé možnosti konfigurácie pre LUKS2"
+
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
+msgid "<device> [<new key file>]"
+msgstr "<zariadenie> [<nový súbor s kľúčom>]"
+
+#: src/cryptsetup.c:3493
+msgid "formats a LUKS device"
+msgstr "naformátuje zariadenie LUKS"
+
+#: src/cryptsetup.c:3494
+msgid "add key to LUKS device"
+msgstr "pridá kľúč do zariadenia LUKS"
+
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
+msgid "<device> [<key file>]"
+msgstr "<zariadenie> [<súbor s kľúčom>]"
+
+#: src/cryptsetup.c:3495
+msgid "removes supplied key or key file from LUKS device"
+msgstr "odstráni poskytnutý kľúč alebo súbor s kľúčom zo zariadenia LUKS"
+
+#: src/cryptsetup.c:3496
+msgid "changes supplied key or key file of LUKS device"
+msgstr "zmení poskytnutý kľúč alebo súbor s kľúčom na zariadení LUKS"
+
+#: src/cryptsetup.c:3497
+msgid "converts a key to new pbkdf parameters"
+msgstr "prevedie kľúč na nové parametre pbkdf"
+
+#: src/cryptsetup.c:3498
+msgid "<device> <key slot>"
+msgstr "<zariadenie> <miesto pre kľúč>"
+
+#: src/cryptsetup.c:3498
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "vymaže kľúč s číslom <miesto pre kľúč> zo zariadenia LUKS"
+
+#: src/cryptsetup.c:3499
+msgid "print UUID of LUKS device"
+msgstr "vypíše UUID zariadení LUKS"
+
+#: src/cryptsetup.c:3500
+msgid "tests <device> for LUKS partition header"
+msgstr "otestuje <zariadenie> na hlavičku diskového oddielu LUKS"
+
+#: src/cryptsetup.c:3501
+msgid "dump LUKS partition information"
+msgstr "vypíše informácie o oddiely LUKS"
+
+#: src/cryptsetup.c:3502
+msgid "dump TCRYPT device information"
+msgstr "vypíše informácie o zariadení TCRYPT"
+
+#: src/cryptsetup.c:3503
+msgid "dump BITLK device information"
+msgstr "vypíše informácie o zariadení BITLK"
+
+#: src/cryptsetup.c:3504
+msgid "dump FVAULT2 device information"
+msgstr "vypíše informácie o zariadení FVAULT2"
+
+#: src/cryptsetup.c:3505
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
+msgstr "Pozastaví zariadenie LUKS a vymaže kľúč (všetky vstupno-výstupné operácie budú zmrazené)"
+
+#: src/cryptsetup.c:3506
+msgid "Resume suspended LUKS device"
+msgstr "Prebudí pozastavené zariadenie LUKS"
+
+#: src/cryptsetup.c:3507
+msgid "Backup LUKS device header and keyslots"
+msgstr "Zálohuje hlavičku a miesta s kľúčmi zariadenia LUKS"
+
+#: src/cryptsetup.c:3508
+msgid "Restore LUKS device header and keyslots"
+msgstr "Obnoví hlavičku a miesta s kľúčmi zariadenia LUKS"
+
+#: src/cryptsetup.c:3509
+msgid "<add|remove|import|export> <device>"
+msgstr "<add|remove|import|export> <zariadenie>"
+
+#: src/cryptsetup.c:3509
+msgid "Manipulate LUKS2 tokens"
+msgstr "Manipuluje s tokenmi LUKS2"
+
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<akcia> je jedna z:\n"
+
+#: src/cryptsetup.c:3534
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
+msgstr ""
+"\n"
+"Môžete tiež použiť aliasy so starým zápisom <akcia>:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
+
+#: src/cryptsetup.c:3538
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<názov> je zariadenie vytvorené pod %s\n"
+"<zariadenie> je šifrované zariadenie\n"
+"<miesto pre kľúč> je číslo miesta pre kľúč LUKS na upravovanie\n"
+"<súbor s kľúčom> je voliteľný súbor s kľúčom pre nový kľúč pre akciu luksAddKey\n"
+
+#: src/cryptsetup.c:3545
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in metadata format is %s (for luksFormat action).\n"
+msgstr ""
+"\n"
+"Predvolené zakompilovaný formát metadát je %s (pre akciu luksFormat).\n"
+
+#: src/cryptsetup.c:3550
+msgid ""
+"\n"
+"LUKS2 external token plugin support is enabled.\n"
+msgstr ""
+"\n"
+"LUKS2 podpora zásuvného modulu externého tokenu je zapnutá.\n"
+
+#: src/cryptsetup.c:3551
+#, c-format
+msgid "LUKS2 external token plugin path: %s.\n"
+msgstr "Cesta k zásuvnému modulu externého tokenu LUKS2: %s.\n"
+
+#: src/cryptsetup.c:3553
+msgid ""
+"\n"
+"LUKS2 external token plugin support is disabled.\n"
+msgstr ""
+"\n"
+"LUKS2 podpora zásuvného modulu externého tokenu je vypnutá.\n"
+
+#: src/cryptsetup.c:3557
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF for LUKS1: %s, iteration time: %d (ms)\n"
+"Default PBKDF for LUKS2: %s\n"
+"\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n"
+msgstr ""
+"\n"
+"Predvolené zakompilované parametre kľúča a hesla:\n"
+"\tMaximálna veľkosť súboru s kľúčom: %d kB, Maximálna dĺžka interaktívneho hesla %d (znakov)\n"
+"Predvolený PBKDF pre LUKS1: %s, čas iterácie: %d (ms)\n"
+"Predvolené PBKDF pre LUKS2: %s\n"
+"\tČas iterácie: %d, Pamäť potrebná: %d kB, Paralelné vlákna: %d\n"
+
+#: src/cryptsetup.c:3568
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Predvolené zakompilované parametre šifry zariadenia:\n"
+"\tloop-AES: %s, Kľúč %d bitov\n"
+"\tplain: %s, Kľúč: %d bitov, Hashovanie hesla: %s\n"
+"\tLUKS: %s, Kľúč: %d bitov, Hashovanie LUKS hlavičky: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:3577
+msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
+msgstr "\tLUKS: Predvolená veľkosť kľúča s režimom XTS (dva interné kľúče) bude zdvojnásobená.\n"
+
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: požaduje %s ako argumenty"
+
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
+msgid "Key slot is invalid."
+msgstr "Miesto pre kľúč je neplatné."
+
+#: src/cryptsetup.c:3663
+msgid "Device size must be multiple of 512 bytes sector."
+msgstr "Veľkosť zariadenie musí byť násobkom 512-bajtového sektora."
+
+#: src/cryptsetup.c:3668
+msgid "Invalid max reencryption hotzone size specification."
+msgstr "Zadaná neplatná maximálna veľkosť horúcej zóny prešifrovania."
+
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
+msgid "Key size must be a multiple of 8 bits"
+msgstr "Veľkosť kľúča musí byť násobkom 8 bitov"
+
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Najviac dve veľkosti kľúčov môžu byť zadané."
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
+#, c-format
+msgid "At most %d volume key specifications can be supplied."
+msgstr "Najviac %d špecifikácií kľúča zväzku môže byť zadaných."
+
+#: src/cryptsetup.c:3741
+#, c-format
+msgid "At most %d keyring link specifications can be supplied."
+msgstr "Najviac %d zväzkov kľúčov môže byť zadaných."
+
+#: src/cryptsetup.c:3750
+msgid "Maximum device reduce size is 1 GiB."
+msgstr "Maximálna veľkosť zmenšenia zariadenia je 1 GiB."
+
+#: src/cryptsetup.c:3753
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Veľkosť zmenšenia musí byť násobkom 512-bajtového sektora."
+
+#: src/cryptsetup.c:3770
+msgid "Option --priority can be only ignore/normal/prefer."
+msgstr "Možnosť --priority môže byť len ignore/normal/prefer."
+
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
+msgid "Show this help message"
+msgstr "Zobrazí túto pomocnú správu"
+
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
+msgid "Display brief usage"
+msgstr "Zobrazí stručný návod na použitie"
+
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
+msgid "Print package version"
+msgstr "Vypíše verziu balíka"
+
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
+msgid "Help options:"
+msgstr "Možnosti pomoci:"
+
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
+msgid "[OPTION...] <action> <action-specific>"
+msgstr "[MOŽNOSŤ...] <akcia> <špecifikácia akcie>"
+
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
+msgid "Argument <action> missing."
+msgstr "Chýba argument <akcia>."
+
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
+msgid "Unknown action."
+msgstr "Neznáma akcia."
+
+#: src/cryptsetup.c:3931
+msgid "Option --key-file takes precedence over specified key file argument."
+msgstr "Možnosť --key-file má prednosť pred zadaným argumentom súboru s kľúčom."
+
+#: src/cryptsetup.c:3937
+msgid "Only one --key-file argument is allowed."
+msgstr "Iba jeden argument --key-file je dovolený."
+
+#: src/cryptsetup.c:3942
+msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
+msgstr "Funkcia na odvodenie kľúča na základe hesla (PBKDF) môže byť iba pbkdf2 alebo argon2i/argon2id."
+
+#: src/cryptsetup.c:3947
+msgid "PBKDF forced iterations cannot be combined with iteration time option."
+msgstr "Vynútené iterácie PBKDF nemôžu byť kombinované s možnosťou času iterácie."
+
+#: src/cryptsetup.c:3952
+msgid "Cannot link volume key to a keyring when keyring is disabled."
+msgstr "Nedá sa prepojiť kľúč zväzku na zväzok kľúčov, keď je zväzok kľúčov vypnutý."
+
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Nedá sa použiť popis kľúča zo zväzku kľúčov, keď je zväzok kľúčov vypnutý."
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Inline integrita musí byť použitá spolu s možnosťou --integrity."
+
+#: src/cryptsetup.c:3973
+msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
+msgstr "Možnosti --keyslot-cipher a --keyslot-key-size musia byť použité spolu."
+
+#: src/cryptsetup.c:3981
+msgid "No action taken. Invoked with --test-args option.\n"
+msgstr "Žiadna akcia sa nevykonala. Zavolané s možnosťou --test-args.\n"
+
+#: src/cryptsetup.c:3994
+msgid "Cannot disable metadata locking."
+msgstr "Nedá sa vypnúť zamykanie metadát."
+
+#: src/veritysetup.c:41
+msgid "Invalid salt string specified."
+msgstr "Zadaný neplatný reťazec soli."
+
+#: src/veritysetup.c:74
+#, c-format
+msgid "Cannot create hash image %s for writing."
+msgstr "Nedá sa vytvoriť obraz hashu %s určený pre zápis."
+
+#: src/veritysetup.c:84
+#, c-format
+msgid "Cannot create FEC image %s for writing."
+msgstr "Nedá sa vytvoriť obraz FEC %s určený pre zápis."
+
+#: src/veritysetup.c:123
+#, c-format
+msgid "Cannot create root hash file %s for writing."
+msgstr "Nedá sa vytvoriť súbor koreňového hashu %s určený pre zápis."
+
+#: src/veritysetup.c:130
+#, c-format
+msgid "Cannot write to root hash file %s."
+msgstr "Nedá sa zapisovať na súbor koreňového hashu %s."
+
+#: src/veritysetup.c:189 src/veritysetup.c:472
+#, c-format
+msgid "Device %s is not a valid VERITY device."
+msgstr "Zariadenie %s nie je platné VERITY zariadenie."
+
+#: src/veritysetup.c:206 src/veritysetup.c:223
+#, c-format
+msgid "Cannot read root hash file %s."
+msgstr "Nedá sa prečítať súbor koreňového hashu %s."
+
+#: src/veritysetup.c:211
+#, c-format
+msgid "Invalid root hash file %s."
+msgstr "Neplatný súbor koreňového hashu %s."
+
+#: src/veritysetup.c:232
+msgid "Invalid root hash string specified."
+msgstr "Zadaný neplatný reťazec koreňového hashu."
+
+#: src/veritysetup.c:240
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Neplatný súbor s podpisom %s."
+
+#: src/veritysetup.c:247
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Nedá sa prečítať súbor s podpisom %s."
+
+#: src/veritysetup.c:270 src/veritysetup.c:287
+msgid "Command requires <root_hash> or --root-hash-file option as argument."
+msgstr "Príkaz vyžaduje <koreňový_hash> alebo možnosť --root-hash-file ako argument."
+
+#: src/veritysetup.c:485
+msgid "<data_device> <hash_device>"
+msgstr "<zariadenie_s_údajmi> <hash_zariadenie>"
+
+#: src/veritysetup.c:485 src/integritysetup.c:550
+msgid "format device"
+msgstr "formátuje zariadenie"
+
+#: src/veritysetup.c:486
+msgid "<data_device> <hash_device> [<root_hash>]"
+msgstr "<zariadenie_s_údajmi> <hash_zariadenie> [<koreňový_hash>]"
+
+#: src/veritysetup.c:486
+msgid "verify device"
+msgstr "overí zariadenie"
+
+#: src/veritysetup.c:487
+msgid "<data_device> <name> <hash_device> [<root_hash>]"
+msgstr "<zariadenie_s_údajmi> <názov> <hash_zariadenie> [<koreňový_hash>]"
+
+#: src/veritysetup.c:489 src/integritysetup.c:553
+msgid "show active device status"
+msgstr "zobrazí stav aktívneho zariadenia"
+
+#: src/veritysetup.c:490
+msgid "<hash_device>"
+msgstr "<hash_zariadenie>"
+
+#: src/veritysetup.c:490 src/integritysetup.c:554
+msgid "show on-disk information"
+msgstr "zobrazí informácie na disku"
+
+#: src/veritysetup.c:509
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<názov> je zariadenie na vytvorenie pod %s\n"
+"<zariadenie_s_údajmi> je zariadenie, na ktorom sú uložené údaje\n"
+"<hash_zariadenie> je zariadenie, ktoré obsahuje overovacie údaje\n"
+"<koreňový_hash> hash koreňového uzla na <hash_zariadenie>\n"
+
+#: src/veritysetup.c:516
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Predvolené zakompilované parametre dm-verity:\n"
+"\tHash: %s, Blok dát (v bajtoch): %u, Blok hashu (v bajtoch): %u, Veľkosť soli: %u, Hash formát: %u\n"
+
+#: src/veritysetup.c:657
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
+msgstr "Možnosť --ignore-corruption a --restart-on-corruption nemôžu byť použité spolu."
+
+#: src/veritysetup.c:662
+msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
+msgstr "Možnosť --panic-on-corruption a --restart-on-corruption nemôžu byť použité spolu."
+
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Možnosť --error-as-corruption musí byť použitá spolu s --panic-on-corruption alebo --restart-on-corruption."
+
+#: src/integritysetup.c:168
+#, c-format
+msgid ""
+"This will overwrite data on %s and %s irrevocably.\n"
+"To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
+msgstr ""
+"Toto nenávratne prepíše údaje na %s a %s.\n"
+"Na zachovanie zariadenia s údajmi použite možnosť --no-wipe (a potom ho aktivujte s --integrity-recalculate)."
+
+#: src/integritysetup.c:213
+#, c-format
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Naformátované s veľkosťou príznaku %u %s, interná integrita %s.\n"
+
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (hardvérové inline príznaky)"
+
+#: src/integritysetup.c:297
+msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
+msgstr "Nastavenie príznaku prepočítania nie je podporované, môžete zvážiť použitie --wipe namiesto toho."
+
+#: src/integritysetup.c:374 src/integritysetup.c:537
+#, c-format
+msgid "Device %s is not a valid INTEGRITY device."
+msgstr "Zariadenie %s nie je platné INTEGRITY zariadenie."
+
+#: src/integritysetup.c:550 src/integritysetup.c:554
+msgid "<integrity_device>"
+msgstr "<zariadenie_integrity>"
+
+#: src/integritysetup.c:551
+msgid "<integrity_device> <name>"
+msgstr "<zariadenie_integrity> <názov>"
+
+#: src/integritysetup.c:574
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<integrity_device> is the device containing data with integrity tags\n"
+msgstr ""
+"\n"
+"<názov> je zariadenie na vytvorenie pod %s\n"
+"<zariadenie_integrity> je zariadenie obsahujúce údaje s príznakmi integrity\n"
+
+#: src/integritysetup.c:579
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-integrity parameters:\n"
+"\tChecksum algorithm: %s\n"
+"\tMaximum keyfile size: %dkB\n"
+msgstr ""
+"\n"
+"Predvolené zakompilované parametre dm-integrity:\n"
+"\tAlgoritmus kontrolného súčtu: %s\n"
+"\tMaximálna veľkosť súboru s kľúčom: %d kB\n"
+
+#: src/integritysetup.c:636
+#, c-format
+msgid "Invalid --%s size. Maximum is %u bytes."
+msgstr "Neplatná veľkosť --%s. Maximum je %u bajtov."
+
+#: src/integritysetup.c:739
+msgid "Both key file and key size options must be specified."
+msgstr "Obe možnosti musia byť zadané, súbor s kľúčom aj veľkosť kľúča."
+
+#: src/integritysetup.c:743
+msgid "Both journal integrity key file and key size options must be specified."
+msgstr "Obe možnosti musia byť zadané, súbor s kľúčom pre integritu denníka aj veľkosť kľúča."
+
+#: src/integritysetup.c:746
+msgid "Journal integrity algorithm must be specified if journal integrity key is used."
+msgstr "Algoritmus integrity denníka musí byť zadaný, keď sa používa kľúč pre integritu denníka."
+
+#: src/integritysetup.c:750
+msgid "Both journal encryption key file and key size options must be specified."
+msgstr "Obe možnosti musia byť zadané, súbor s kľúčom na šifrovanie denníka aj veľkosť kľúča."
+
+#: src/integritysetup.c:753
+msgid "Journal encryption algorithm must be specified if journal encryption key is used."
+msgstr "Algoritmus šifrovania denníka musí byť zadaný, keď sa používa kľúč na šifrovanie denníka."
+
+#: src/integritysetup.c:757
+msgid "Recovery and bitmap mode options are mutually exclusive."
+msgstr "Možnosti režimu obnovenia a bitmapy sa vzájomne vylučujú."
+
+#: src/integritysetup.c:764
+msgid "Journal options cannot be used in bitmap mode."
+msgstr "Možnosti denníka nemôžu byť použité v bitmapovom režime."
+
+#: src/integritysetup.c:769
+msgid "Bitmap options can be used only in bitmap mode."
+msgstr "Možnosti bitmapy môžu byť použité len v bitmapovom režime."
+
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Režim inline nemôže byť kombinovaný s možnosťami režimu denníka alebo bitmapy."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Režim inline nemôže byť kombinovaný s oddeleným zariadením s údajmi."
+
+#: src/utils_tools.c:105
+msgid ""
+"\n"
+"WARNING!\n"
+"========\n"
+msgstr ""
+"\n"
+"VAROVANIE!\n"
+"==========\n"
+
+#. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
+#: src/utils_tools.c:107
+#, c-format
+msgid ""
+"%s\n"
+"\n"
+"Are you sure? (Type 'yes' in capital letters): "
+msgstr ""
+"%s\n"
+"\n"
+"Ste si istý? (Napíšte \"yes\" veľkými písmenami): "
+
+#: src/utils_tools.c:113
+msgid "Error reading response from terminal."
+msgstr "Chyba pri čítaní odpovede z terminálu."
+
+#: src/utils_tools.c:145
+msgid "Command successful."
+msgstr "Príkaz úspešne vykonaný."
+
+#: src/utils_tools.c:153
+msgid "wrong or missing parameters"
+msgstr "nesprávne alebo chýbajúce parametre"
+
+#: src/utils_tools.c:155
+msgid "no permission or bad passphrase"
+msgstr "žiadne oprávnenia alebo zlé heslo"
+
+#: src/utils_tools.c:157
+msgid "out of memory"
+msgstr "nedostatok pamäte"
+
+#: src/utils_tools.c:159
+msgid "wrong device or file specified"
+msgstr "zadané nesprávne zariadenie alebo súbor"
+
+#: src/utils_tools.c:161
+msgid "device already exists or device is busy"
+msgstr "zariadenie už existuje alebo zariadenie je zaneprázdnené"
+
+#: src/utils_tools.c:163
+msgid "unknown error"
+msgstr "neznáma chyba"
+
+#: src/utils_tools.c:165
+#, c-format
+msgid "Command failed with code %i (%s)."
+msgstr "Príkaz zlyhal s kódom %i (%s)."
+
+#: src/utils_tools.c:243
+#, c-format
+msgid "Key slot %i created."
+msgstr "Miesto pre kľúč %i vytvorené."
+
+#: src/utils_tools.c:245
+#, c-format
+msgid "Key slot %i unlocked."
+msgstr "Miesto pre kľúč %i odomknuté."
+
+#: src/utils_tools.c:247
+#, c-format
+msgid "Key slot %i removed."
+msgstr "Miesto pre kľúč %i odstránené."
+
+#: src/utils_tools.c:256
+#, c-format
+msgid "Token %i created."
+msgstr "Token %i vytvorený."
+
+#: src/utils_tools.c:258
+#, c-format
+msgid "Token %i removed."
+msgstr "Token %i odstránený."
+
+#: src/utils_tools.c:268
+msgid "No token could be unlocked with this PIN."
+msgstr "Žiaden token nemôže byť odomknutý s týmto PIN-nom."
+
+#: src/utils_tools.c:270
+#, c-format
+msgid "Token %i requires PIN."
+msgstr "Token %i vyžaduje PIN."
+
+#: src/utils_tools.c:272
+#, c-format
+msgid "Token (type %s) requires PIN."
+msgstr "Token (typ %s) vyžaduje PIN."
+
+#: src/utils_tools.c:275
+#, c-format
+msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
+msgstr "Token %i nemôže odomknúť priradené miesto(a) s kľúčom (zlé heslo miesta s kľúčom)."
+
+#: src/utils_tools.c:277
+#, c-format
+msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
+msgstr "Token (typ %s) nemôže odomknúť priradené miesto(a) s kľúčom (zlé heslo miesta s kľúčom)."
+
+#: src/utils_tools.c:280
+#, c-format
+msgid "Token %i requires additional missing resource."
+msgstr "Token %i vyžaduje dodatočný chýbajúci prostriedok."
+
+#: src/utils_tools.c:282
+#, c-format
+msgid "Token (type %s) requires additional missing resource."
+msgstr "Token (typ %s) vyžaduje dodatočný chýbajúci prostriedok."
+
+#: src/utils_tools.c:285
+#, c-format
+msgid "No usable token (type %s) is available."
+msgstr "Žiaden použiteľný token (typ %s) nie je dostupný."
+
+#: src/utils_tools.c:287
+msgid "No usable token is available."
+msgstr "Žiaden použiteľný token nie je dostupný."
+
+#: src/utils_tools.c:380
+#, c-format
+msgid "Cannot read keyfile %s."
+msgstr "Nedá sa čítať súbor s kľúčom %s."
+
+#: src/utils_tools.c:385
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s."
+msgstr "Nedá sa prečítať %d bajtov zo súboru s kľúčom %s."
+
+#: src/utils_tools.c:410
+#, c-format
+msgid "Cannot open keyfile %s for write."
+msgstr "Nedá sa otvoriť súbor s kľúčom %s na zápis."
+
+#: src/utils_tools.c:417
+#, c-format
+msgid "Cannot write to keyfile %s."
+msgstr "Nedá sa zapísať do súboru s kľúčom %s."
+
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Názov je príliš dlhý."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Názov nemôže obsahovať znak \"/\"."
+
+#: src/utils_progress.c:61
+#, c-format
+msgid "%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64>m %02<PRIu64>s"
+
+#: src/utils_progress.c:63
+#, c-format
+msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
+msgstr "%02<PRIu64>h %02<PRIu64>m %02<PRIu64>s"
+
+#: src/utils_progress.c:65
+#, c-format
+msgid "%02<PRIu64> days"
+msgstr "%02<PRIu64> dní"
+
+#: src/utils_progress.c:92 src/utils_progress.c:125
+#, c-format
+msgid "%4<PRIu64> %s written"
+msgstr "%4<PRIu64> %s zapísaných"
+
+#: src/utils_progress.c:96 src/utils_progress.c:129
+#, c-format
+msgid "speed %5.1f %s/s"
+msgstr "rýchlosť %5.1f %s/s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. 'eol' is always new-line or empty.
+#. See above.
+#.
+#: src/utils_progress.c:105
+#, c-format
+msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
+msgstr "Priebeh: %5.1f%%, zostáva %s, %s, %s%s"
+
+#. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
+#. to get translated as well. See above
+#.
+#: src/utils_progress.c:137
+#, c-format
+msgid "Finished, time %s, %s, %s\n"
+msgstr "Dokončené, čas %s, %s, %s\n"
+
+#: src/utils_password.c:28 src/utils_password.c:59
+#, c-format
+msgid "Cannot check password quality: %s"
+msgstr "Nedá sa skontrolovať kvalita hesla: %s"
+
+#: src/utils_password.c:36
+#, c-format
+msgid ""
+"Password quality check failed:\n"
+" %s"
+msgstr ""
+"Zlyhala kontrola kvality hesla:\n"
+"%s"
+
+#: src/utils_password.c:66
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)"
+msgstr "Zlyhala kontrola kvality hesla: Zlé heslo (%s)"
+
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Čítanie sa zastavilo na maximálnej dĺžke interaktívneho vstupu, heslo môže byť orezané."
+
+#: src/utils_password.c:224 src/utils_password.c:238
+msgid "Error reading passphrase from terminal."
+msgstr "Chyba pri čítaní hesla z termínálu."
+
+#: src/utils_password.c:236
+msgid "Verify passphrase: "
+msgstr "Overte heslo: "
+
+#: src/utils_password.c:243
+msgid "Passphrases do not match."
+msgstr "Heslá sa nezhodujú."
+
+#: src/utils_password.c:281
+msgid "Cannot use offset with terminal input."
+msgstr "Nedá sa použiť odsadenie so vstupom z terminálu."
+
+#: src/utils_password.c:285
+#, c-format
+msgid "Enter passphrase: "
+msgstr "Zadajte heslo: "
+
+#: src/utils_password.c:288
+#, c-format
+msgid "Enter passphrase for %s: "
+msgstr "Zadajte heslo pre %s: "
+
+#: src/utils_password.c:322
+msgid "No key available with this passphrase."
+msgstr "Žiaden kľúč nie je dostupný s týmto heslom."
+
+#: src/utils_password.c:324
+msgid "No usable keyslot is available."
+msgstr "Nie je dostupné žiadne použiteľné miesto pre kľúč."
+
+#: src/utils_luks.c:55
+msgid "Can't do passphrase verification on non-tty inputs."
+msgstr "Nedá sa overiť heslo na vstupoch mimo terminálu."
+
+#: src/utils_luks.c:179
+#, c-format
+msgid "Failed to open file %s in read-only mode."
+msgstr "Zlyhalo otvorenie súboru %s v režime iba na čítanie."
+
+#: src/utils_luks.c:193
+msgid "Provide valid LUKS2 token JSON:\n"
+msgstr "Poskytnite JSON s platným tokenom LUKS2:\n"
+
+#: src/utils_luks.c:200
+msgid "Failed to read JSON file."
+msgstr "Zlyhalo čítanie súboru JSON."
+
+#: src/utils_luks.c:205
+msgid ""
+"\n"
+"Read interrupted."
+msgstr ""
+"\n"
+"Čítanie prerušené."
+
+#: src/utils_luks.c:246
+#, c-format
+msgid "Failed to open file %s in write mode."
+msgstr "Zlyhalo otvorenie súboru %s v režime na zápis."
+
+#: src/utils_luks.c:255
+msgid ""
+"\n"
+"Write interrupted."
+msgstr ""
+"\n"
+"Zápis prerušený."
+
+#: src/utils_luks.c:259
+msgid "Failed to write JSON file."
+msgstr "Zápis súboru JSON zlyhal."
+
+#: src/utils_reencrypt.c:93
+#, c-format
+msgid "Auto-detected active dm device '%s' for data device %s.\n"
+msgstr "Automaticky zistené aktívne zariadenie dm \"%s\" pre zariadenie s údajmi %s.\n"
+
+#: src/utils_reencrypt.c:97
+#, c-format
+msgid "Failed to auto-detect device %s holders."
+msgstr "Nepodarilo sa automaticky zistiť držiteľov zariadenia %s."
+
+#: src/utils_reencrypt.c:103
+#, c-format
+msgid "Device %s is not a block device.\n"
+msgstr "Zariadenie %s nie je blokové zariadenie.\n"
+
+#: src/utils_reencrypt.c:105
+#, c-format
+msgid ""
+"Unable to decide if device %s is activated or not.\n"
+"Are you sure you want to proceed with reencryption in offline mode?\n"
+"It may lead to data corruption if the device is actually activated.\n"
+"To run reencryption in online mode, use --active-name parameter instead.\n"
+msgstr ""
+"Nie je možné rozhodnúť, či je zariadenie %s aktivované alebo nie.\n"
+"Ste si istý, že chcete prejsť na prešifrovanie v offline režime?\n"
+"Toto môže spôsobiť poškodenie dát, ak je zariadenie naozaj aktivované.\n"
+"Na spustenie prešifrovania v online režime použite namiesto toho parameter --active-name.\n"
+
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
+#, c-format
+msgid ""
+"Device %s is not a block device. Can not auto-detect if it is active or not.\n"
+"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."
+msgstr ""
+"Zariadenie %s nie je blokové zariadenie. Nedá sa automaticky zistiť, či je zariadenie aktívne alebo nie.\n"
+"Použite --force-offline-reencrypt na obídenie kontroly a spustenie v offline režime (nebezpečné!)."
+
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
+msgid "Requested --resilience option cannot be applied to current reencryption operation."
+msgstr "Požadovaná možnosť --resilience nemôže byť aplikovaná na aktuálnu operáciu prešifrovania."
+
+#: src/utils_reencrypt.c:176
+msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
+msgstr "Zariadenie nie je v stave šifrovania LUKS2. Konfliktná možnosť --encrypt."
+
+#: src/utils_reencrypt.c:181
+msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
+msgstr "Zariadenie nie je v stave dešifrovania LUKS2. Konfliktná možnosť --decrypt."
+
+#: src/utils_reencrypt.c:188
+msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
+msgstr "Zariadenie je v stave prešifrovania s odolnosťou posunu dát. Požadovaná možnosť --resilience nemôže byť aplikovaná."
+
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Nedá sa zistiť veľkosť kľúču zväzku pre LUKS bez miest pre kľúče, prosím použite možnosť --new-key-size."
+
+#: src/utils_reencrypt.c:436
+msgid "Device requires reencryption recovery. Run repair first."
+msgstr "Zariadenie požaduje obnovu prešifrovania. Spustite najprv opravu."
+
+#: src/utils_reencrypt.c:450
+#, c-format
+msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
+msgstr "Zariadenie %s je už v stave LUKS2 prešifrovania. Želáte si obnoviť už predtým inicializovanú operáciu?"
+
+#: src/utils_reencrypt.c:561
+msgid "Legacy LUKS2 reencryption is no longer supported."
+msgstr "Zastaralé LUKS2 prešifrovanie už nie je podporované."
+
+#: src/utils_reencrypt.c:566
+msgid "Can not reencrypt LUKS2 device configured to use OPAL."
+msgstr "Nedá sa prešifrovať zariadenie LUKS2, ktoré je nakonfigurované na používanie OPAL."
+
+#: src/utils_reencrypt.c:572
+msgid "Reencryption of device with integrity profile is not supported."
+msgstr "Prešifrovanie zariadenia s profilom integrity nie je podporované."
+
+#: src/utils_reencrypt.c:609
+#, c-format
+msgid ""
+"Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
+"(block size: %<PRIu32> bytes) detected on device %s."
+msgstr ""
+"Požadovaná --sector-size %<PRIu32> nie je kompatibilná so superblokom %s\n"
+"(veľkosť bloku: %<PRIu32> bajtov) rozpoznaným na zariadení %s."
+
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
+msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
+msgstr "Šifrovanie bez oddelenej hlavičky (--header) nie je možné bez zmenšenia veľkosti zariadenia s údajmi (--reduce-device-size)."
+
+#: src/utils_reencrypt.c:687
+msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
+msgstr "Vyžadované odsadenie údajov musí byť menšie alebo rovné polovici parametra --reduce-device-size."
+
+#: src/utils_reencrypt.c:697
+#, c-format
+msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
+msgstr "Upravuje sa hodnota --reduce-device-size na dvojnásobok --offset %<PRIu64> (sektorov).\n"
+
+#: src/utils_reencrypt.c:727
+#, c-format
+msgid "Temporary header file %s already exists. Aborting."
+msgstr "Dočasný súbor hlavičky %s už existuje. Operácia sa ruší."
+
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
+#, c-format
+msgid "Cannot create temporary header file %s."
+msgstr "Nedá sa vytvoriť dočasný súbor s hlavičkou %s."
+
+#: src/utils_reencrypt.c:761
+msgid "LUKS2 metadata size is larger than data shift value."
+msgstr "Veľkosť metadát LUKS2 je väčšia ako hodnota posunu údajov."
+
+#: src/utils_reencrypt.c:800
+#, c-format
+msgid "Failed to place new header at head of device %s."
+msgstr "Zlyhalo umiestnenie novej hlavičky na začiatok zariadenia %s."
+
+#: src/utils_reencrypt.c:813
+#, c-format
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s je teraz aktívne a pripravené na online prešifrovanie.\n"
+
+#: src/utils_reencrypt.c:850
+#, c-format
+msgid "Active device %s is not LUKS2."
+msgstr "Aktívne zariadenie %s nie je typu LUKS2."
+
+#: src/utils_reencrypt.c:878
+msgid "Restoring original LUKS2 header."
+msgstr "Obnovuje sa pôvodná hlavička LUKS2."
+
+#: src/utils_reencrypt.c:886
+msgid "Original LUKS2 header restore failed."
+msgstr "Obnova pôvodnej hlavičky LUKS2 zlyhala."
+
+#: src/utils_reencrypt.c:918
+#, c-format
+msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
+msgstr "Súbor s hlavičkou %s neexistuje. Chcete začať LUKS2 dešifrovanie zariadenia %s a exportovať hlavičku LUKS2 do súboru %s?"
+
+#: src/utils_reencrypt.c:961
+msgid "Failed to add read/write permissions to exported header file."
+msgstr "Zlyhalo priradenie oprávnení čítania/zápisu k exportovanému súboru s hlavičkou."
+
+#: src/utils_reencrypt.c:1015
+#, c-format
+msgid "Reencryption initialization failed. Header backup is available in %s."
+msgstr "Inicializácia prešifrovania zlyhala. Záložná hlavička je dostupná v %s."
+
+#: src/utils_reencrypt.c:1043
+msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
+msgstr "Dešifrovanie LUKS2 je podporované iba s oddelenou hlavičkou (s odsadením údajov nastaveným na 0)."
+
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Žiaden token nemôže odomknúť zariadenie."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
+msgid "Not enough free keyslots for reencryption."
+msgstr "Nie je dostatok voľných miest pre kľúč na prešifrovanie."
+
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Súbor s kľúčom alebo kľúč zo zväzku kľúčov môže byť použitý iba s --key-slot alebo s práve jedným aktívnym miestom pre kľúč."
+
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
+#, c-format
+msgid "Enter passphrase for key slot %d: "
+msgstr "Zadajte heslo miesta pre kľúč %d: "
+
+#: src/utils_reencrypt.c:1876
+#, c-format
+msgid "Switching data encryption cipher to %s.\n"
+msgstr "Mení sa algoritmus šifrovanie údajov na %s.\n"
+
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Použite --force-no-keyslots na prešifrovanie zariadenia s aktívnymi miestami pre kľúč priamo odovzdaním kľúčov zväzku."
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Možnosť --new-volume-key-file musí byť použitá spolu s --new-key-size"
+
+#: src/utils_reencrypt.c:2035
+msgid "No data segment parameters changed. Reencryption aborted."
+msgstr "Žiaden parameter údajových segmentov nezmenený. Prešifrovanie sa ruší."
+
+#: src/utils_reencrypt.c:2072
+msgid ""
+"Encryption sector size increase on offline device is not supported.\n"
+"Activate the device first or use --force-offline-reencrypt option (dangerous!)."
+msgstr ""
+"Zväčšenie veľkosti šifrovaného sektora na offline zariadení nie je podporované.\n"
+"Aktivujte najprv zariadenie alebo použite možnosť --force-offline-reencrypt (nebezpečné!)."
+
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
+msgid ""
+"\n"
+"Reencryption interrupted."
+msgstr ""
+"\n"
+"Prešifrovanie prerušené."
+
+#: src/utils_reencrypt.c:2119
+msgid "Resuming LUKS reencryption in forced offline mode.\n"
+msgstr "Obnovovanie LUKS prešifrovania vo vynútenom režime offline.\n"
+
+#: src/utils_reencrypt.c:2142
+#, c-format
+msgid "Device %s contains broken LUKS metadata. Aborting operation."
+msgstr "Zariadenie %s obsahuje chybné LUKS metadáta. Operácia sa ruší."
+
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
+#, c-format
+msgid "Device %s is already LUKS device. Aborting operation."
+msgstr "Zariadenie %s už je LUKS zariadenie. Operácia sa ruší."
+
+#: src/utils_reencrypt.c:2186
+#, c-format
+msgid "Device %s is already in LUKS reencryption. Aborting operation."
+msgstr "Zariadenie %s je už v stave prešifrovania LUKS. Operácia sa ruší."
+
+#: src/utils_reencrypt.c:2269
+msgid "LUKS2 decryption requires --header option."
+msgstr "LUKS2 dešifrovanie požaduje možnosť --header."
+
+#: src/utils_reencrypt.c:2317
+msgid "Command requires device as argument."
+msgstr "Príkaz vyžaduje zariadenie ako argument."
+
+#: src/utils_reencrypt.c:2330
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS1."
+msgstr "Konfliktné verzie. Zariadenie %s je LUKS1."
+
+#: src/utils_reencrypt.c:2336
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
+msgstr "Konfliktné verzie. Zariadenie %s je v stave prešifrovania LUKS1."
+
+#: src/utils_reencrypt.c:2342
+#, c-format
+msgid "Conflicting versions. Device %s is LUKS2."
+msgstr "Konfliktné verzie. Zariadenie %s je LUKS2."
+
+#: src/utils_reencrypt.c:2348
+#, c-format
+msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
+msgstr "Konfliktné verzie. Zariadenie %s je v stave prešifrovania LUKS2."
+
+#: src/utils_reencrypt.c:2354
+msgid "LUKS2 reencryption already initialized. Aborting operation."
+msgstr "LUKS2 prešifrovanie je už inicializované. Operácia sa ruší."
+
+#: src/utils_reencrypt.c:2361
+msgid "Device reencryption not in progress."
+msgstr "Opätovné šifrovanie zariadenia neprebieha."
+
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
+#, c-format
+msgid "Cannot exclusively open %s, device in use."
+msgstr "Nedá sa výlučne otvoriť %s, zariadenie sa používa."
+
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
+msgid "Allocation of aligned memory failed."
+msgstr "Zlyhala alokácia zarovnanej pamäte."
+
+#: src/utils_reencrypt_luks1.c:137
+#, c-format
+msgid "Cannot read device %s."
+msgstr "Nedá sa prečítať zariadenie %s."
+
+#: src/utils_reencrypt_luks1.c:148
+#, c-format
+msgid "Marking LUKS1 device %s unusable."
+msgstr "LUKS1 zariadenie %s sa označuje ako nepoužiteľné."
+
+#: src/utils_reencrypt_luks1.c:164
+#, c-format
+msgid "Cannot write device %s."
+msgstr "Nedá sa zapísať zariadenie %s."
+
+#: src/utils_reencrypt_luks1.c:213
+msgid "Cannot write reencryption log file."
+msgstr "Nedá sa zapísať protokol o prešifrovaní."
+
+#: src/utils_reencrypt_luks1.c:268
+msgid "Cannot read reencryption log file."
+msgstr "Nedá sa prečítať protokol o prešifrovaní."
+
+#: src/utils_reencrypt_luks1.c:279
+msgid "Wrong log format."
+msgstr "Zlý formát protokolu."
+
+#: src/utils_reencrypt_luks1.c:307
+#, c-format
+msgid "Log file %s exists, resuming reencryption.\n"
+msgstr "Protokol %s už existuje, obnovovanie prešifrovania.\n"
+
+#: src/utils_reencrypt_luks1.c:354
+msgid "Activating temporary device using old LUKS header."
+msgstr "Aktivujem dočasné zariadenie s použitím starej LUKS hlavičky."
+
+#: src/utils_reencrypt_luks1.c:364
+msgid "Activating temporary device using new LUKS header."
+msgstr "Aktivujem dočasné zariadenie s použitím novej LUKS hlavičky."
+
+#: src/utils_reencrypt_luks1.c:374
+msgid "Activation of temporary devices failed."
+msgstr "Aktivácia dočasného zariadenia zlyhala."
+
+#: src/utils_reencrypt_luks1.c:434
+msgid "Failed to set data offset."
+msgstr "Zlyhalo nastavenie odsadenia údajov."
+
+#: src/utils_reencrypt_luks1.c:440
+msgid "Failed to set metadata size."
+msgstr "Zlyhalo nastavenie veľkosti metadát."
+
+#: src/utils_reencrypt_luks1.c:448
+#, c-format
+msgid "New LUKS header for device %s created."
+msgstr "Nová LUKS hlavička pre zariadenie %s bola vytvorená."
+
+#: src/utils_reencrypt_luks1.c:485
+#, c-format
+msgid "%s header backup of device %s created."
+msgstr "%s záložná hlavička zariadenia %s bola vytvorená."
+
+#: src/utils_reencrypt_luks1.c:541
+msgid "Creation of LUKS backup headers failed."
+msgstr "Zlyhalo vytvorenie záložnej LUKS hlavičky."
+
+#: src/utils_reencrypt_luks1.c:670
+#, c-format
+msgid "Cannot restore %s header on device %s."
+msgstr "Nedá sa obnoviť %s hlavička na zariadení %s."
+
+#: src/utils_reencrypt_luks1.c:672
+#, c-format
+msgid "%s header on device %s restored."
+msgstr "%s hlavička na zariadení %s bola obnovená."
+
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
+msgid "Cannot open temporary LUKS device."
+msgstr "Nedá sa otvoriť dočasné LUKS zariadenie."
+
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
+msgid "Cannot get device size."
+msgstr "Nedá sa zistiť veľkosť zariadenia."
+
+#: src/utils_reencrypt_luks1.c:913
+msgid "IO error during reencryption."
+msgstr "Chyba vstupu/výstupu počas prešifrovania."
+
+#: src/utils_reencrypt_luks1.c:943
+msgid "Provided UUID is invalid."
+msgstr "Poskytnuté UUID je neplatné."
+
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Súbor s kľúčom môže byť použitý iba s --key-slot alebo s práve jedným aktívnym miestom pre kľúč."
+
+#: src/utils_reencrypt_luks1.c:1169
+msgid "Cannot open reencryption log file."
+msgstr "Nedá sa otvoriť protokol prešifrovania."
+
+#: src/utils_reencrypt_luks1.c:1175
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
+msgstr "Neprebieha žiadne dešifrovanie, poskytnuté UUID môže byť použité len na obnovenie pozastaveného procesu dešifrovania."
+
+#: src/utils_reencrypt_luks1.c:1231
+#, c-format
+msgid "Reencryption will change: %s%s%s%s%s%s."
+msgstr "Prešifrovanie zmení: %s%s%s%s%s%s."
+
+#: src/utils_reencrypt_luks1.c:1232
+msgid "volume key"
+msgstr "kľúč zväzku"
+
+#: src/utils_reencrypt_luks1.c:1234
+msgid "set hash to "
+msgstr "nastaviť hash na "
+
+#: src/utils_reencrypt_luks1.c:1235
+msgid ", set cipher to "
+msgstr ", nastaviť šifru na "
+
+#: src/utils_blockdev.c:179
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
+msgstr "VAROVANIE: Zariadenie %s už obsahuje podpis zväzku \"%s\".\n"
+
+#: src/utils_blockdev.c:187
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
+msgstr "VAROVANIE: Zariadenie %s už obsahuje podpis superbloku \"%s\".\n"
+
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
+msgid "Failed to initialize device signature probes."
+msgstr "Zlyhala inicializácia podpisových sond zariadenia."
+
+#: src/utils_blockdev.c:272
+#, c-format
+msgid "Failed to stat device %s."
+msgstr "Nepodarilo sa získať informácie o zariadení %s."
+
+#: src/utils_blockdev.c:287
+#, c-format
+msgid "Failed to open file %s in read/write mode."
+msgstr "Zlyhalo otvorenie súboru %s v režime na čítanie/zápis."
+
+#: src/utils_blockdev.c:307
+#, c-format
+msgid "Existing '%s' partition signature on device %s will be wiped."
+msgstr "Súčasný podpis zväzku \"%s\" na zariadení %s bude vymazaný."
+
+#: src/utils_blockdev.c:310
+#, c-format
+msgid "Existing '%s' superblock signature on device %s will be wiped."
+msgstr "Súčasný podpis superbloku \"%s\" na zariadení %s bude vymazaný."
+
+#: src/utils_blockdev.c:313
+msgid "Failed to wipe device signature."
+msgstr "Zlyhalo vymazanie podpisu zariadenia."
+
+#: src/utils_blockdev.c:320
+#, c-format
+msgid "Failed to probe device %s for a signature."
+msgstr "Nepodarilo sa preskúmať zariadenie %s na podpis."
+
+#: src/utils_args.c:52
+#, c-format
+msgid "Invalid size specification in parameter --%s."
+msgstr "Zadaná neplatná veľkosť v parametri --%s."
+
+#: src/utils_args.c:112
+#, c-format
+msgid "Option --%s is not allowed with %s action."
+msgstr "Možnosť --%s nie je povolená spolu s akciou %s."
+
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Špecifikácia typu --link-vk-to-keyring v zväzku kľúčov sa ignoruje."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Typy kľúčov majú byť rovnaké pre oba kľúče zväzku."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Oba kľúče zväzku majú byť pripojené k rovnakému zväzku kľúčov."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Musíte zadať ďalšie názvy kľúčov."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Neplatná hodnota --link-vk-to-keyring."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Binárne dáta miesta pre kľúč %d môžu byť poškodené.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Podozrivé pozície: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Ďalšie podozrivé pozície sú potlačené.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Miesto pre kľúč %d nemôže byť prečítané zo zariadenia."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Na preskúmanie údajov môžete použiť: hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\".\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:110
+msgid "Failed to write ssh token json."
+msgstr "Zlyhal zápis JSON s SSH tokenom."
+
+#: tokens/ssh/cryptsetup-ssh.c:128
+msgid ""
+"Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n"
+"\n"
+"Specified SSH server must contain a key file on the specified path with a passphrase for an existing key slot on the device.\n"
+"Provided credentials will be used by cryptsetup to get the password when opening the device using the token.\n"
+"\n"
+"Note: The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext."
+msgstr ""
+"Experimentálny zásuvný modul cryptsetup pre odomykanie LUKS2 zariadení s tokenom pripojených na SSH server\vTento modul aktuálne umožňuje len pridanie tokenu na existujúce miesto s kľúčom.\n"
+"\n"
+"Špecifikovaný SSH server musí obsahovať na zadanej ceste súbor s kľúčom spolu s heslom pre existujúce miesto s kľúčom na zariadení.\n"
+"Poskytnuté prihlasovacie údaje použije cryptsetup na získanie hesla, keď bude otvárať zariadenie pomocou tokenu.\n"
+"\n"
+"Poznámka: Informácie poskytnuté pri pridávaní tokenu (adresa SSH servera, používateľ a cesty) budú uložené v LUKS2 hlavičke ako čistý text (nešifrovane)."
+
+#: tokens/ssh/cryptsetup-ssh.c:138
+msgid "<action> <device>"
+msgstr "<akcia> <zariadenie>"
+
+#: tokens/ssh/cryptsetup-ssh.c:141
+msgid "Options for the 'add' action:"
+msgstr "Možnosti pre akciu \"add\":"
+
+#: tokens/ssh/cryptsetup-ssh.c:142
+msgid "IP address/URL of the remote server for this token"
+msgstr "IP adresa/URL vzdialeného servera pre tento token"
+
+#: tokens/ssh/cryptsetup-ssh.c:143
+msgid "Username used for the remote server"
+msgstr "Používateľské meno použité pre vzdialený server"
+
+#: tokens/ssh/cryptsetup-ssh.c:144
+msgid "Path to the key file on the remote server"
+msgstr "Cesta k súboru s kľúčom na vzdialenom serveri"
+
+#: tokens/ssh/cryptsetup-ssh.c:145
+msgid "Path to the SSH key for connecting to the remote server"
+msgstr "Cesta k SSH kľúču pre pripojenie na vzdialený server"
+
+#: tokens/ssh/cryptsetup-ssh.c:147
+msgid "Path to directory containinig libcryptsetup external tokens"
+msgstr "Cesta k priečinku, ktorý obsahuje externé tokeny libcryptsetup"
+
+#: tokens/ssh/cryptsetup-ssh.c:148
+msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
+msgstr "Miesto s kľúčom na priradenie tokenu. Keď nie je zadané, tak sa token priradí k prvému miestu, ktoré sa odomkne so zadaným heslom."
+
+#: tokens/ssh/cryptsetup-ssh.c:150
+msgid "Generic options:"
+msgstr "Všeobecné možnosti:"
+
+#: tokens/ssh/cryptsetup-ssh.c:151
+msgid "Shows more detailed error messages"
+msgstr "Zobrazí detailnejšie chybové hlášky"
+
+#: tokens/ssh/cryptsetup-ssh.c:152
+msgid "Show debug messages"
+msgstr "Zobrazí správy pre ladenie"
+
+#: tokens/ssh/cryptsetup-ssh.c:153
+msgid "Show debug messages including JSON metadata"
+msgstr "Zobrazí správy pre ladenie aj s metadátami JSON"
+
+#: tokens/ssh/cryptsetup-ssh.c:268
+msgid "Failed to open and import private key:\n"
+msgstr "Zlyhalo otvorenie a importovanie súkromného kľúča:\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:272
+msgid "Failed to import private key (password protected?).\n"
+msgstr "Zlyhalo importovanie súkromného kľúča (chránené heslom?).\n"
+
+#. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
+#: tokens/ssh/cryptsetup-ssh.c:274
+#, c-format
+msgid "%s@%s's password: "
+msgstr "heslo pre %s@%s: "
+
+#: tokens/ssh/cryptsetup-ssh.c:363
+#, c-format
+msgid "Failed to parse arguments.\n"
+msgstr "Zlyhal rozbor argumentov.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:374
+#, c-format
+msgid "An action must be specified\n"
+msgstr "Akcia musí byť zadaná\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:380
+#, c-format
+msgid "Device must be specified for '%s' action.\n"
+msgstr "Zariadenie musí byť zadané pre akciu \"%s\".\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:385
+#, c-format
+msgid "SSH server must be specified for '%s' action.\n"
+msgstr "SSH server musí byť zadaný pre akciu \"%s\".\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:390
+#, c-format
+msgid "SSH user must be specified for '%s' action.\n"
+msgstr "SSH používateľ musí byť zadaný pre akciu \"%s\".\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:395
+#, c-format
+msgid "SSH path must be specified for '%s' action.\n"
+msgstr "SSH cesta musí byť zadaná pre akciu \"%s\".\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:400
+#, c-format
+msgid "SSH key path must be specified for '%s' action.\n"
+msgstr "SSH cesta ku kľúču musí byť zadaná pre akciu \"%s\".\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:407
+#, c-format
+msgid "Failed open %s using provided credentials.\n"
+msgstr "Zlyhalo otvorenie %s s použitím poskytnutých prihlasovacích údajov.\n"
+
+#: tokens/ssh/cryptsetup-ssh.c:424
+#, c-format
+msgid "Only 'add' action is currently supported by this plugin.\n"
+msgstr "Iba akcia \"add\" je aktuálne podporovaná týmto zásuvným modulom.\n"
+
+#: tokens/ssh/ssh-utils.c:33
+msgid "Cannot create sftp session: "
+msgstr "Nedá sa vytvoriť SFTP relácia: "
+
+#: tokens/ssh/ssh-utils.c:40
+msgid "Cannot init sftp session: "
+msgstr "Nedá sa inicializovať SFTP relácia: "
+
+#: tokens/ssh/ssh-utils.c:46
+msgid "Cannot open sftp session: "
+msgstr "Nedá sa otvoriť SFTP relácia: "
+
+#: tokens/ssh/ssh-utils.c:53
+msgid "Cannot stat sftp file: "
+msgstr "Nepodarilo sa získať informácie o súbore SFTP: "
+
+#: tokens/ssh/ssh-utils.c:61
+msgid "Not enough memory.\n"
+msgstr "Nie je dosť pamäte.\n"
+
+#: tokens/ssh/ssh-utils.c:68
+msgid "Cannot read remote key: "
+msgstr "Nedá sa čítať vzdialený kľúč: "
+
+#: tokens/ssh/ssh-utils.c:109
+msgid "Connection failed: "
+msgstr "Spojenie zlyhalo: "
+
+#: tokens/ssh/ssh-utils.c:119
+msgid "Server not known: "
+msgstr "Server nie je známy: "
+
+#: tokens/ssh/ssh-utils.c:147
+msgid "Public key auth method not allowed on host.\n"
+msgstr "Pre hostiteľa nie je povolená autentifikačný metóda s verejným kľúčom.\n"
+
+#: tokens/ssh/ssh-utils.c:158
+msgid "Public key authentication error: "
+msgstr "Chyba autentifikácie s verejným kľúčom: "
+
+#~ msgid "Activation of BITLK device with clear key protection is not supported."
+#~ msgstr "Aktivácia zariadenia BITLK s ochranou čistého kľúča nie je podporovaná."
+
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Zlyhalo pridanie kľúčov zväzku do používateľom určeného zväzku kľúčov."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Zlyhalo odpojenie kľúča zväzku od zväzku kľúčov vlákna."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "Aktivácia čiastočne dešifrovaného zariadenia BITLK nie je podporovaná."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Zlyhalo čítanie požiadaviek LUKS2."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Varovanie: operácia s miestom pre kľúč môže zlyhať, lebo vyžaduje viac pamäte než je dostupnej.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Zlyhalo získanie stavu prešifrovania."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Zlyhalo prečítanie hesla zo zväzku kľúčov."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Možnosti --reduce-device-size a --device-size nemôžu byť kombinované."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Zadajte heslo miesta pre kľúč %u: "
diff --git a/po/sr.po b/po/sr.po
index 2b821fe..20702ab 100644
--- a/po/sr.po
+++ b/po/sr.po
@@ -1,14 +1,14 @@
 # Serbian translation for cryptsetup.
 # Copyright © 2014 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Мирослав Николић <miroslavnikolic@rocketmail.com>, 2014–2023.
+# Мирослав Николић <miroslavnikolic@rocketmail.com>, 2014–2025.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup-2.6.1-rc0\n"
+"Project-Id-Version: cryptsetup-2.8.1-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2023-02-01 15:58+0100\n"
-"PO-Revision-Date: 2023-02-19 11:50+0100\n"
+"POT-Creation-Date: 2025-08-13 13:45+0200\n"
+"PO-Revision-Date: 2025-08-31 08:03+0200\n"
 "Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n"
 "Language-Team: Serbian <(nothing)>\n"
 "Language: sr\n"
@@ -17,72 +17,85 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 3.5\n"
 
 #: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
-msgstr "Не могу да покренем мапера уређаја, радим као обичан корисник."
+msgstr "Не могу да покренем мапер уређаја, радим као обичан корисник."
 
 #: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
-msgstr "Не могу да покренем мапера уређаја. Да ли је учитан модул кернела „dm_mod“?"
+msgstr "Не могу да покренем мапер уређаја. Да ли је модул кернела „dm_mod“ учитан?"
 
-#: lib/libdevmapper.c:1102
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Затражена одложена заставица није подржана."
 
-#: lib/libdevmapper.c:1171
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "ДМ-УЈИБ за уређај „%s“ је скраћен."
 
-#: lib/libdevmapper.c:1501
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Непозната врста „dm“ мете."
 
-#: lib/libdevmapper.c:1620 lib/libdevmapper.c:1626 lib/libdevmapper.c:1724
-#: lib/libdevmapper.c:1727
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Затражене опције перформанси дм-шифровања нису подржане."
 
-#: lib/libdevmapper.c:1635 lib/libdevmapper.c:1647
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Затражене опције рада оштећених података дм-веритија нису подржане."
 
-#: lib/libdevmapper.c:1641
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Затражене „dm-verity“ опција без задатка није подржана."
 
-#: lib/libdevmapper.c:1653
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Затражене „dm-verity FEC“ опције нису подржане."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Затражене опције целовитости података нису подржане."
 
-#: lib/libdevmapper.c:1663
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "Затражене опције величине одељка нису подржане."
 
-#: lib/libdevmapper.c:1670 lib/libdevmapper.c:1676
+#: lib/libdevmapper.c:1779
+msgid "The device size is not multiple of the requested sector size."
+msgstr "Величина уређаја није умножитељ затражене величине одељка."
+
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Затражена опција „integrity_key_size“ није подржана."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Затражене опције самосталног прерачунавања ознака целовитости нису подржане."
 
-#: lib/libdevmapper.c:1682 lib/libdevmapper.c:1730 lib/libdevmapper.c:1733
-#: lib/luks2/luks2_json_metadata.c:2620
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2777
 msgid "Discard/TRIM is not supported."
 msgstr "Одбацивање/ОДСЕЦАЊЕ није подржано."
 
-#: lib/libdevmapper.c:1688
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
-msgstr "Затражени режим битмапе дм-целовитости није подржан."
+msgstr "Затражени режим битмапе „dm-integrity“ није подржан."
+
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Затражени режим унутарње „dm-integrity“ није подржан."
 
-#: lib/libdevmapper.c:2724
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Нисам успео да пропитам „dm-%s“ подеок."
 
-#: lib/random.c:73
+#: lib/random.c:60
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -90,565 +103,693 @@ msgstr ""
 "Систем је ван ентропије приликом стварања кључа волумена.\n"
 "Померите миша или откуцајте неки текст у другом прозору да прикупите неке насумичне догађаје.\n"
 
-#: lib/random.c:77
+#: lib/random.c:64
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Стварам кључ (%d %% је урађено).\n"
 
-#: lib/random.c:163
+#: lib/random.c:150
 msgid "Running in FIPS mode."
 msgstr "Ради у „FIPS“ режиму."
 
-#: lib/random.c:169
+#: lib/random.c:156
 msgid "Fatal error during RNG initialisation."
 msgstr "Кобна грешка за време покретања „RNG“-а."
 
-#: lib/random.c:207
+#: lib/random.c:194
 msgid "Unknown RNG quality requested."
 msgstr "Затражен је непознат квалитет „RNG“-а."
 
-#: lib/random.c:212
+#: lib/random.c:199
 msgid "Error reading from RNG."
 msgstr "Грешка читања из „RNG“-а."
 
-#: lib/setup.c:231
+#: lib/setup.c:248
+msgid "OPAL support is disabled in libcryptsetup."
+msgstr "OPAL подршка је искључена у „libcryptsetup“."
+
+#: lib/setup.c:250
+#, c-format
+msgid "Device %s or kernel does not support OPAL encryption."
+msgstr "Уређај „%s“ или кернел не подржавају OPAL шифровање."
+
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Не могу да покренем „RNG“ позадинца криптографије."
 
-#: lib/setup.c:237
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Не могу да покренем позадинца криптографије."
 
-#: lib/setup.c:268 lib/setup.c:2151 lib/verity/verity.c:122
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Хеш алгоритам „%s“ није подржан."
 
-#: lib/setup.c:271 lib/loopaes/loopaes.c:90
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Грешка обраде кључа (користим хеш %s)."
 
-#: lib/setup.c:342 lib/setup.c:369
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Не могу да одредим врсту уређаја. Несагласно покретање уређаја?"
 
-#: lib/setup.c:348 lib/setup.c:3320
+#: lib/setup.c:395 lib/setup.c:4145
 msgid "This operation is supported only for LUKS device."
 msgstr "Ова радња је подржана само за ЛУКС уређај."
 
-#: lib/setup.c:375
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Ова радња је подржана само за ЛУКС2 уређај."
 
-#: lib/setup.c:427 lib/luks2/luks2_reencrypt.c:3010
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3093
 msgid "All key slots full."
 msgstr "Сви утори кључева су пуни."
 
-#: lib/setup.c:438
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Утор кључа %d није исправан, изаберите између 0 и %d."
 
-#: lib/setup.c:444
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Утор кључа %d је пун, изаберите неки други."
 
-#: lib/setup.c:529 lib/setup.c:3042
+#: lib/setup.c:531 lib/setup.c:3860
 msgid "Device size is not aligned to device logical block size."
 msgstr "Величина уређаја није поравната на величину логичког блока уређаја."
 
-#: lib/setup.c:627
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Заглавље је откривено али уређај „%s“ је премали."
 
-#: lib/setup.c:668 lib/setup.c:2942 lib/setup.c:4287
-#: lib/luks2/luks2_reencrypt.c:3782 lib/luks2/luks2_reencrypt.c:4184
+#: lib/setup.c:669 lib/setup.c:3745 lib/setup.c:5212
+#: lib/luks2/luks2_reencrypt.c:3937 lib/luks2/luks2_reencrypt.c:4425
 msgid "This operation is not supported for this device type."
 msgstr "Ова радња није подржана за ову врсту уређаја."
 
-#: lib/setup.c:673
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Неисправна радња са поновним шифровањем је у току."
 
-#: lib/setup.c:802
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Нисам успео да повратим ЛУКС2 метаподатке у меморију."
 
-#: lib/setup.c:889 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527
-#: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587
-#: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977
-#: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656
-#: src/cryptsetup.c:2716 src/utils_reencrypt.c:1465
-#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:77
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1773
+#: src/cryptsetup.c:1957 src/cryptsetup.c:2012 src/cryptsetup.c:2210
+#: src/cryptsetup.c:2355 src/cryptsetup.c:2633 src/cryptsetup.c:2946
+#: src/cryptsetup.c:3014 src/utils_reencrypt.c:2280
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Уређај „%s“ није исправан ЛУКС уређај."
 
-#: lib/setup.c:892 lib/luks1/keymanage.c:530
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Неподржано ЛУКС издање %d."
 
-#: lib/setup.c:1491 lib/setup.c:2691 lib/setup.c:2773 lib/setup.c:2785
-#: lib/setup.c:2952 lib/setup.c:4764
+#: lib/setup.c:1270
+#, c-format
+msgid "No known cipher specification pattern detected for active device %s."
+msgstr "Није откривен познат образац одреднице шифрера за активан уређај „%s“."
+
+#: lib/setup.c:1515 lib/setup.c:3492 lib/setup.c:3584 lib/setup.c:3596
+#: lib/setup.c:3768 lib/setup.c:5787
 #, c-format
 msgid "Device %s is not active."
 msgstr "Уређај „%s“ није радан."
 
-#: lib/setup.c:1508
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Основни уређај за криптографски уређај „%s“ је нестао."
 
-#: lib/setup.c:1590
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Неисправни параметри обичне криптографије."
 
-#: lib/setup.c:1595 lib/setup.c:2054
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Неисправна величина кључа."
 
-#: lib/setup.c:1600 lib/setup.c:2059 lib/setup.c:2262
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "УЈИБ није подржан за ову врсту криптографије."
 
-#: lib/setup.c:1605 lib/setup.c:2064
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Откачени уређај метаподатака није подржан за ову врсту криптографије."
 
-#: lib/setup.c:1615 lib/setup.c:1831 lib/luks2/luks2_reencrypt.c:2966
-#: src/cryptsetup.c:1387 src/cryptsetup.c:3383
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3026
+#: src/cryptsetup.c:1485 src/cryptsetup.c:3753
 msgid "Unsupported encryption sector size."
 msgstr "Неподржана величина одељка шифровања."
 
-#: lib/setup.c:1623 lib/setup.c:1959 lib/setup.c:3036
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3854
 msgid "Device size is not aligned to requested sector size."
 msgstr "Величина уређаја није поравната на затражену величину одељка."
 
-#: lib/setup.c:1675 lib/setup.c:1799
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Не могу да обликујем ЛУКС без уређаја."
 
-#: lib/setup.c:1681 lib/setup.c:1805
+#: lib/setup.c:1704 lib/setup.c:1956
+#, c-format
+msgid "Zoned device %s cannot be used for LUKS header."
+msgstr "Зониран уређај „%s“ се не може користити за LUKS заглавље."
+
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Затражено поравнање података није сагласно са померајем података."
 
-#: lib/setup.c:1756 lib/setup.c:1976 lib/setup.c:1997 lib/setup.c:2274
+#: lib/setup.c:1751 lib/setup.c:1981
+msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
+msgstr "УПОЗОРЕЊЕ: DAX уређај може да оштети податке јер не гарантује атомска ажурирања сектора.\n"
+
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Не могу да обришем заглавље на уређају „%s“."
 
-#: lib/setup.c:1769 lib/setup.c:2036
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Уређај „%s“ је премали за активирање, није преостао простор за податке.\n"
 
-#: lib/setup.c:1840
-msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
-msgstr "УПОЗОРЕЊЕ: Покретање уређаја неће успети, „dm-crypt“-у недостаје подршка за затражену величину одељка шифровања.\n"
-
-#: lib/setup.c:1863
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Кључ волумена је премали за шифровање са проширењима целовитости."
 
-#: lib/setup.c:1923
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Величина кључа целовитости је премала."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Шифрер %s-%s (величина кључа %zd бита) није доступан."
 
-#: lib/setup.c:1949
-#, c-format
-msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
-msgstr "УПОЗОРЕЊЕ: Величина ЛУКС2 метаподатака је промењена на %<PRIu64> бајта.\n"
-
-#: lib/setup.c:1953
-#, c-format
-msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
-msgstr "УПОЗОРЕЊЕ: Величина области ЛУКС2 утора кључева је промењена на %<PRIu64> бајта.\n"
+#: lib/setup.c:1897
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr "УПОЗОРЕЊЕ: Покретање уређаја неће успети, „dm-crypt“-у недостаје подршка за затражену величину одељка шифровања.\n"
 
-#: lib/setup.c:1979 lib/utils_device.c:911 lib/luks1/keyencryption.c:255
-#: lib/luks2/luks2_reencrypt.c:3034 lib/luks2/luks2_reencrypt.c:4279
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_reencrypt.c:3065
+#: lib/luks2/luks2_reencrypt.c:4485
 #, c-format
 msgid "Device %s is too small."
 msgstr "Уређај „%s“ је премали."
 
-#: lib/setup.c:1990 lib/setup.c:2016
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Не могу да обликујем уређај „%s“ у употреби."
 
-#: lib/setup.c:1993 lib/setup.c:2019
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Не могу да обликујем уређај „%s“, овлашћење је одбијено."
 
-#: lib/setup.c:2005 lib/setup.c:2334
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Не могу да обликујем целовитост за уређај „%s“."
 
-#: lib/setup.c:2023
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Не могу да обликујем уређај „%s“."
 
-#: lib/setup.c:2049
+#: lib/setup.c:2191
+msgid "Cannot get OPAL alignment parameters."
+msgstr "Не могу да добавим параметре OPAL поравнања."
+
+#: lib/setup.c:2203
+msgid "Bogus OPAL logical block size."
+msgstr "Привидна величина OPAL логичког блока."
+
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:303
+msgid "Bogus OPAL logical block size differs from device block size."
+msgstr "Привидна величина OPAL логичког блока се разликује величине блока уређаја."
+
+#: lib/setup.c:2214
+msgid "Requested data offset is not compatible with OPAL block size."
+msgstr "Затражен померај података није сагласан са OPAL величином блока."
+
+#: lib/setup.c:2221
+msgid "Requested data alignment is not compatible with OPAL alignment."
+msgstr "Затражено поравнање података није сагласно са OPAL поравнањем."
+
+#: lib/setup.c:2241
+msgid "Data offset does not satisfy OPAL alignment requirements."
+msgstr "Померај података не задовољава захтеве OPAL поравнања."
+
+#: lib/setup.c:2254
+msgid "Requested data alignment does not satisfy locking range alignment requirements."
+msgstr "Затражено поравнање података не задовољава захтеве поравнања опсега закључавања."
+
+#: lib/setup.c:2468
+#, c-format
+msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
+msgstr "Ндокнађујем величину уређаја за %<PRIu64> сектора да га поравнам са ситношћу OPAL поравнања."
+
+#: lib/setup.c:2528 lib/setup.c:4228 lib/setup.c:4417 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2720 lib/luks2/luks2_json_metadata.c:2988
+#, c-format
+msgid "Failed to acquire OPAL lock on device %s."
+msgstr "Нисам успео да остварим OPAL закључавање на уређају „%s“."
+
+#: lib/setup.c:2538
+msgid "Incorrect OPAL Admin key."
+msgstr "Нетачан кључ OPAL админа."
+
+#: lib/setup.c:2540
+msgid "Cannot setup OPAL segment."
+msgstr "Не могу да поставим OPAL подеок."
+
+#: lib/setup.c:2622
+#, c-format
+msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
+msgstr "Не могу да обликујем уређај „%s“, OPAL уређај изгледа да је сада потпуно заштићен од писања."
+
+#: lib/setup.c:2624
+msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
+msgstr "Ово је можда грешка у фирмверу. Покрените OPAL PSID ресет и поново се повежите за опоравак."
+
+#: lib/setup.c:2644
+#, c-format
+msgid "Locking range %d reset on device %s failed."
+msgstr "Поновно постављање опсега закључавања %d на уређају „%s“ није успело."
+
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Не могу да обликујем „LOOPAES“ без уређаја."
 
-#: lib/setup.c:2094
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Не могу да обликујем „VERITY“ без уређаја."
 
-#: lib/setup.c:2105 lib/verity/verity.c:101
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Неподржана врста „VERITY“ хеша %d."
 
-#: lib/setup.c:2111 lib/verity/verity.c:109
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Неподржана величина блока „VERITY“."
 
-#: lib/setup.c:2116 lib/verity/verity.c:74
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Неподржан померај хеша „VERITY“."
 
-#: lib/setup.c:2121
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Неподржан „VERITY FEC“ померај."
 
-#: lib/setup.c:2145
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "Област података се преклапа са облашћу хеша."
 
-#: lib/setup.c:2170
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "Област хеша се преклапа са „FEC“ облашћу."
 
-#: lib/setup.c:2177
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "Област података се преклапа са „FEC“ облашћу."
 
-#: lib/setup.c:2313
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Величина кључа целовитости није одговарајућа."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "УПОЗОРЕЊЕ: Затражена величина ознаке %d бајта се разликује од излаза величине „%s“ (%d бајта).\n"
 
-#: lib/setup.c:2392
+#: lib/setup.c:3037 lib/setup.c:3135
+#, c-format
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Затражена је непозната или неподржана врста уређаја „%s“."
+
+#: lib/setup.c:3049
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "Уређај „%s“ не обезбеђује унутарња поља података целовитости."
+
+#: lib/setup.c:3055
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Унутарња величина ознаке %<PRIu32> [бајта] је већа од %<PRIu32> коју доставља уређај „%s“."
+
+#: lib/setup.c:3070
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "Затражена је непозната врста „%s“ криптографског уређаја."
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Сектор мора бити исти као сектор хардвера уређаја (%zu бајта)."
 
-#: lib/setup.c:2699 lib/setup.c:2778 lib/setup.c:2791
+#: lib/setup.c:3500 lib/setup.c:3589 lib/setup.c:3602
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Неподржани параметри на уређају „%s“."
 
-#: lib/setup.c:2705 lib/setup.c:2798 lib/luks2/luks2_reencrypt.c:2862
-#: lib/luks2/luks2_reencrypt.c:3099 lib/luks2/luks2_reencrypt.c:3484
+#: lib/setup.c:3506 lib/setup.c:3609 lib/luks2/luks2_reencrypt.c:2920
+#: lib/luks2/luks2_reencrypt.c:3189 lib/luks2/luks2_reencrypt.c:3583
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Неодговарајући параметри на уређају „%s“."
 
-#: lib/setup.c:2822
+#: lib/setup.c:3632
 msgid "Crypt devices mismatch."
 msgstr "Криптографски уређаји се не поклапају."
 
-#: lib/setup.c:2859 lib/setup.c:2864 lib/luks2/luks2_reencrypt.c:2361
-#: lib/luks2/luks2_reencrypt.c:2878 lib/luks2/luks2_reencrypt.c:4032
+#: lib/setup.c:3664 lib/setup.c:3669 lib/luks2/luks2_reencrypt.c:2404
+#: lib/luks2/luks2_reencrypt.c:2936 lib/luks2/luks2_reencrypt.c:4224
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Нисам успео поново да учитам уређај „%s“."
 
-#: lib/setup.c:2870 lib/setup.c:2876 lib/luks2/luks2_reencrypt.c:2332
-#: lib/luks2/luks2_reencrypt.c:2339 lib/luks2/luks2_reencrypt.c:2892
+#: lib/setup.c:3675 lib/setup.c:3681 lib/luks2/luks2_reencrypt.c:2375
+#: lib/luks2/luks2_reencrypt.c:2382 lib/luks2/luks2_reencrypt.c:2950
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Нисам успео да обуставим уређај „%s“."
 
-#: lib/setup.c:2882 lib/luks2/luks2_reencrypt.c:2346
-#: lib/luks2/luks2_reencrypt.c:2913 lib/luks2/luks2_reencrypt.c:3945
-#: lib/luks2/luks2_reencrypt.c:4036
+#: lib/setup.c:3687 lib/luks2/luks2_reencrypt.c:2389
+#: lib/luks2/luks2_reencrypt.c:2971 lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4228
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Нисам успео да наставим са уређајем „%s“."
 
-#: lib/setup.c:2897
+#: lib/setup.c:3702
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Кобна грешка приликом поновног учитавања уређаја „%s“ (на врху уређаја „%s“)."
 
-#: lib/setup.c:2900 lib/setup.c:2902
+#: lib/setup.c:3705 lib/setup.c:3707
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Нисам успео да променим уређај „%s“ на дм-грешку."
 
-#: lib/setup.c:2984
+#: lib/setup.c:3750
+msgid "Can not resize LUKS2 device with static size."
+msgstr "Не могу да променим величину LUKS2 уређаја са статичком величином."
+
+#: lib/setup.c:3755
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Промена величине LUKS2 уређаја са заштитом целовитости није подржана."
+
+#: lib/setup.c:3801
 msgid "Cannot resize loop device."
 msgstr "Не могу да променим величину уређаја петље."
 
-#: lib/setup.c:3027
+#: lib/setup.c:3845
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr ""
 "УПОЗОРЕЊЕ: Највећа величина је већ постављена или кернел не подржава промену величине.\n"
 "\n"
 
-#: lib/setup.c:3088
+#: lib/setup.c:3911
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Промена величине није успела, кернел је не подржава."
 
-#: lib/setup.c:3120
+#: lib/setup.c:3943
 msgid "Do you really want to change UUID of device?"
 msgstr "Да ли стварно желите да измените УЈИБ уређаја?"
 
-#: lib/setup.c:3212
+#: lib/setup.c:4035
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Датотека резерве заглавља не садржи сагласно ЛУКС заглавље."
 
-#: lib/setup.c:3328
+#: lib/setup.c:4128
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Волумен „%s“ није радан."
 
-#: lib/setup.c:3339
+#: lib/setup.c:4183
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Волумен „%s“ је већ обустављен."
 
-#: lib/setup.c:3352
+#: lib/setup.c:4209
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Обустављање није подржано за уређај „%s“."
 
-#: lib/setup.c:3354
+#: lib/setup.c:4211 lib/setup.c:4219
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Грешка за време обустављања уређаја „%s“."
 
-#: lib/setup.c:3389
+#: lib/setup.c:4234
+#, c-format
+msgid "Device %s was suspended but hardware OPAL device cannot be locked."
+msgstr "Уређај „%s“ је обустављен али хардверски OPAL уређај се не може закључати."
+
+#: lib/setup.c:4265 lib/setup.c:4442
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Настављање није подржано за уређај „%s“."
 
-#: lib/setup.c:3391
+#: lib/setup.c:4267 lib/setup.c:4432 lib/setup.c:4444
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Грешка за време настављања уређаја „%s“."
 
-#: lib/setup.c:3425 lib/setup.c:3473 lib/setup.c:3544 lib/setup.c:3589
-#: src/cryptsetup.c:2479
+#: lib/setup.c:4286
+msgid "Failed to unlink volume key from user specified keyring."
+msgstr "Нисам успео да развежем кључ волумена од привеска кључева које је навео корисник."
+
+#: lib/setup.c:4408 lib/setup.c:5574
+msgid "Failed to link volume key in user defined keyring."
+msgstr "Нисам успео да свежем кључ волумена у привезак кључева који је корисник одредио."
+
+#: lib/setup.c:4506 src/cryptsetup.c:2714
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Волумен „%s“ није обустављен."
 
-#: lib/setup.c:3559 lib/setup.c:4540 lib/setup.c:4553 lib/setup.c:4561
-#: lib/setup.c:4574 lib/setup.c:6157 lib/setup.c:6179 lib/setup.c:6228
-#: src/cryptsetup.c:2011
+#: lib/setup.c:4607 lib/setup.c:7239 lib/setup.c:7261 lib/setup.c:7315
+#: src/cryptsetup.c:1849 src/cryptsetup.c:2253 src/cryptsetup.c:2271
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1965
 msgid "Volume key does not match the volume."
 msgstr "Кључ волумена не одговара волумену."
 
-#: lib/setup.c:3737
+#: lib/setup.c:4761
 msgid "Failed to swap new key slot."
 msgstr "Нисам успео да разменим нови утор кључа."
 
-#: lib/setup.c:3835
+#: lib/setup.c:4859
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Утор кључа „%d“ није исправан."
 
-#: lib/setup.c:3841 src/cryptsetup.c:1740 src/cryptsetup.c:2208
-#: src/cryptsetup.c:2816 src/cryptsetup.c:2876
+#: lib/setup.c:4865 src/cryptsetup.c:1970 src/cryptsetup.c:2430
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3174
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Утор кључа „%d“ није радан."
 
-#: lib/setup.c:3860
+#: lib/setup.c:4884
 msgid "Device header overlaps with data area."
 msgstr "Заглавље уређаја се преклапа са облашћу података."
 
-#: lib/setup.c:4165
+#: lib/setup.c:5105
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Поновно шифровање је у току. Не могу да активирам уређај."
 
-#: lib/setup.c:4167 lib/luks2/luks2_json_metadata.c:2703
-#: lib/luks2/luks2_reencrypt.c:3590
+#: lib/setup.c:5107 lib/luks2/luks2_json_metadata.c:2884
+#: lib/luks2/luks2_reencrypt.c:3714
 msgid "Failed to get reencryption lock."
 msgstr "Нисам успео да добавим закључавање поновног шифровања."
 
-#: lib/setup.c:4180 lib/luks2/luks2_reencrypt.c:3609
-msgid "LUKS2 reencryption recovery failed."
-msgstr "Опоравак ЛУКС2 поновног шифровања није успело."
-
-#: lib/setup.c:4352 lib/setup.c:4618
-msgid "Device type is not properly initialized."
-msgstr "Врста уређаја није исправно покренута."
+#: lib/setup.c:5129
+msgid "LUKS2 reencryption recovery using volume key(s) failed."
+msgstr "Опоравак LUKS2 поновног шифровања коришћењем кључ(ев)а није успело."
 
-#: lib/setup.c:4400
+#: lib/setup.c:5265
 #, c-format
 msgid "Device %s already exists."
 msgstr "Већ постоји уређај „%s“."
 
-#: lib/setup.c:4407
+#: lib/setup.c:5272
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Не могу да користим уређај „%s“, назив није исправан или је још у употреби."
 
-#: lib/setup.c:4527
+#: lib/setup.c:5284
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Кључ волумена поновног шифровања не одговара волумену."
+
+#: lib/setup.c:5301
 msgid "Incorrect volume key specified for plain device."
 msgstr "Наведен је неисправан кључ волумена за обичан уређај."
 
-#: lib/setup.c:4644
-msgid "Incorrect root hash specified for verity device."
-msgstr "Наведен је неисправан хеш корена за уређај тачности."
+#: lib/setup.c:5327 lib/setup.c:5388
+msgid "Device type is not properly initialized."
+msgstr "Врста уређаја није исправно покренута."
 
-#: lib/setup.c:4654
-msgid "Root hash signature required."
-msgstr "Потпис хеша корена је потребан."
+#: lib/setup.c:5426
+msgid "Kernel keyring is not supported by the kernel."
+msgstr "Привезак кључева кернела није подржан кернелом."
 
-#: lib/setup.c:4663
+#: lib/setup.c:5430
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Привезак кључева кернела недостаје: потребан је за прослеђивање потписа кернелу."
 
-#: lib/setup.c:4680 lib/setup.c:6423
-msgid "Failed to load key in kernel keyring."
-msgstr "Нисам успео да учитам кључ у привеску кључева кернела."
-
-#: lib/setup.c:4736
+#: lib/setup.c:5482
 #, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Не могу да откажем различно уклањање из уређаја „%s“."
+msgid "Cannot use keyring key %s."
+msgstr "Не могу да користим кључ привеска „%s“."
+
+#: lib/setup.c:5695
+msgid "Incorrect root hash specified for verity device."
+msgstr "Наведен је неисправан хеш корена за уређај тачности."
 
-#: lib/setup.c:4743 lib/setup.c:4759 lib/luks2/luks2_json_metadata.c:2756
-#: src/utils_reencrypt.c:116
+#: lib/setup.c:5736 lib/setup.c:5761
+msgid "OPAL does not support deferred deactivation."
+msgstr "OPAL не подржава опцију одложену деактивацију."
+
+#: lib/setup.c:5751 lib/setup.c:5782 lib/luks2/luks2_json_metadata.c:2949
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Уређај „%s“ је још увеку употреби."
 
-#: lib/setup.c:4768
+#: lib/setup.c:5769
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Не могу да откажем различно уклањање из уређаја „%s“."
+
+#: lib/setup.c:5791
 #, c-format
 msgid "Invalid device %s."
 msgstr "Неисправан уређај „%s“."
 
-#: lib/setup.c:4908
+#: lib/setup.c:5932
 msgid "Volume key buffer too small."
 msgstr "Међумеморија кључа волумена је премала."
 
-#: lib/setup.c:4925
+#: lib/setup.c:5943
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Не могу да довучем кључ волумена за ЛУКС2 уређај."
 
-#: lib/setup.c:4934
+#: lib/setup.c:5952
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Не могу да довучем кључ волумена за ЛУКС1 уређај."
 
-#: lib/setup.c:4944
+#: lib/setup.c:5966
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Не могу да довучем кључ волумена за обичан уређај."
 
-#: lib/setup.c:4952
+#: lib/setup.c:5974
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Не могу да довучем хеш корена за уређај тачности."
 
-#: lib/setup.c:4959
+#: lib/setup.c:5981
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Не могу да довучем кључ волумена за BITLK уређај."
 
-#: lib/setup.c:4964
+#: lib/setup.c:5986
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Не могу да довучем кључ волумена за FVAULT2 уређај."
 
-#: lib/setup.c:4966
+#: lib/setup.c:5988
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Ова радња није подржана за криптографски уређај „%s“."
 
-#: lib/setup.c:5147 lib/setup.c:5158
+#: lib/setup.c:6173 lib/setup.c:6184
 msgid "Dump operation is not supported for this device type."
 msgstr "Радња исписа није подржана за ову врсту уређаја."
 
-#: lib/setup.c:5500
+#: lib/setup.c:6564
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Померај података није умножак %u бајта."
 
-#: lib/setup.c:5788
+#: lib/setup.c:6872
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Не могу да преобратим уређај „%s“ који је још увек у употреби."
 
-#: lib/setup.c:6098 lib/setup.c:6237
+#: lib/setup.c:7180 lib/setup.c:7324
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Нисам успео да доделим утор кључа „%u“ као нови кључ волумена."
 
-#: lib/setup.c:6122
+#: lib/setup.c:7204
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Нисам успео да покренем основне параметре ЛУКС2 утора кључа."
 
-#: lib/setup.c:6128
+#: lib/setup.c:7210
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Нисам успео да доделим утор кључа „%d“ за преглед."
 
-#: lib/setup.c:6353
+#: lib/setup.c:7441
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Не могу да додам утор кључа, сви утори су искључени а није обезбеђен ниједан кључ волумена."
 
-#: lib/setup.c:6490
-msgid "Kernel keyring is not supported by the kernel."
-msgstr "Привезак кључева кернела није подржан кернелом."
+#: lib/setup.c:7514 lib/verity/verity.c:333
+msgid "Failed to load key in kernel keyring."
+msgstr "Нисам успео да учитам кључ у привеску кључева кернела."
 
-#: lib/setup.c:6500 lib/luks2/luks2_reencrypt.c:3807
+#: lib/setup.c:7705
 #, c-format
-msgid "Failed to read passphrase from keyring (error %d)."
-msgstr "Нисам успео да прочитам пропусну реч из привеска кључа (грешка %d)."
+msgid "Could not find keyring described by \"%s\"."
+msgstr "Не могу да нађем привезак описан са „%s“."
 
-#: lib/setup.c:6523
+#: lib/setup.c:7770
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Нисам успео да остварим опште закључавање серијализације приступа чврстој меморији."
 
-#: lib/utils.c:158 lib/tcrypt/tcrypt.c:501
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Нисам успео да отворим датотеку кључа."
 
-#: lib/utils.c:163
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Не могу да прочитам датотеку кључа из терминала."
 
-#: lib/utils.c:179
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "Нисам успео да добавим податке датотеке кључа."
 
-#: lib/utils.c:187 lib/utils.c:208
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Не могу да премотам на затражени померај датотеке кључа."
 
-#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225
-#: src/utils_password.c:237
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Нестало је меморије приликом читања пропусне речи."
 
-#: lib/utils.c:237
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Грешка читања пропусне речи."
 
-#: lib/utils.c:254
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Нема ничега за читање на улазу."
 
-#: lib/utils.c:261
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Премашена је највећа величина датотеке кључа."
 
-#: lib/utils.c:266
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Не могу да прочитам затражену количину података."
 
-#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1440
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:2253
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Уређај „%s“ не постоји или је приступ одбијен."
@@ -658,132 +799,149 @@ msgstr "Уређај „%s“ не постоји или је приступ о
 msgid "Device %s is not compatible."
 msgstr "Уређај „%s“ није сагласан."
 
-#: lib/utils_device.c:561
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Занемарујем лажну оптималну-уи величину за уређај података (%u бајта)."
 
-#: lib/utils_device.c:722
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Уређај „%s“ је премали. Захтева барем %<PRIu64> бајта."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Не могу да користим уређај „%s“ који је у употреби (већ мапиран или прикачен)."
 
-#: lib/utils_device.c:807
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Не могу да користим уређај „%s“, овлашћење је одбијено."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Не могу да добавим податке о уређају „%s“."
 
-#: lib/utils_device.c:833
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Не могу да користим уређај повратне петље, радим као обичан корисник."
 
-#: lib/utils_device.c:844
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Прикачињање уређаја повратне петље није успело (потребан је уређај петље са опцијом самочишћења)."
 
-#: lib/utils_device.c:892
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Захтевани померај је изван стварне величине уређаја „%s“."
 
-#: lib/utils_device.c:900
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Уређај „%s“ има нулту величину."
 
-#: lib/utils_pbkdf.c:100
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Затражено време „PBKDF“ мете не може бити нула."
 
-#: lib/utils_pbkdf.c:106
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Непозната „PBKDF“ врста „%s“."
 
-#: lib/utils_pbkdf.c:111
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Затражени хеш „%s“ није подржан."
 
-#: lib/utils_pbkdf.c:122
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Затражена „PBKDF“ врста није подржана за ЛУКС1."
 
-#: lib/utils_pbkdf.c:128
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Највећа „PBKDF“ меморија или паралелне нити не смеју бити подешене са „pbkdf2“."
 
-#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Присиљени број понављања је премали за „%s“ (минимум је %u)."
 
-#: lib/utils_pbkdf.c:148
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Присиљени трошак меморије је премали за „%s“ (минимум је %u килобајта)."
 
-#: lib/utils_pbkdf.c:155
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Затражени највећи трошак „PBKDF“ меморије је превисок (максимум је %d килобајта)."
 
-#: lib/utils_pbkdf.c:160
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Затражени највећи трошак „PBKDF“ меморије је превисок (ограничен највећом величином целог броја)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Затражени максимум „PBKDF“ меморије не може бити нула."
 
-#: lib/utils_pbkdf.c:164
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Затражени највећи „PBKDF“ паралелни трошак је превисок (максимум је %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Затражене „PBKDF“ паралелне нити не могу бити нула."
 
-#: lib/utils_pbkdf.c:184
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "Само „PBKDF2“ је подржано у „FIPS“ режиму."
 
-#: lib/utils_benchmark.c:175
+#: lib/utils_benchmark.c:171
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "„PBKDF“ оцењивање је искључено али понављања нису постављена."
 
-#: lib/utils_benchmark.c:194
+#: lib/utils_benchmark.c:190
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Нису сагласне „PBKDF2“ опције (користим хеш алгоритам %s)."
 
-#: lib/utils_benchmark.c:214
+#: lib/utils_benchmark.c:210
 msgid "Not compatible PBKDF options."
 msgstr "Несагласне „PBKDF“ опције."
 
-#: lib/utils_device_locking.c:101
+#: lib/utils_device_locking.c:88
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Закључавање је прекинуто. Путања закључавања „%s/%s“ је неискористива (није директоријум или недостаје)."
 
-#: lib/utils_device_locking.c:118
+#: lib/utils_device_locking.c:105
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Закључавање је прекинуто. Путања закључавања „%s/%s“ је неискористива („%s“ није директоријум)."
 
-#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
-#: src/utils_reencrypt_luks1.c:832
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Не могу да премотам на померај уређаја."
 
-#: lib/utils_wipe.c:247
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Грешка брисања уређаја, померај %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:39
+#: lib/utils_wipe.c:332
+msgid "Incorrect OPAL PSID."
+msgstr "Нетачан OPAL PSID."
+
+#: lib/utils_wipe.c:334
+msgid "Cannot erase OPAL device."
+msgstr "Не могу да обришем OPAL уређај."
+
+#: lib/luks1/keyencryption.c:26
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -792,110 +950,110 @@ msgstr ""
 "Нисам успео да подесим мапирање кључа „dm-crypt“ за уређај %s.\n"
 "Проверите да ли кернел подржава „%s“ шифрера (проверите дневник система за више података)."
 
-#: lib/luks1/keyencryption.c:44
+#: lib/luks1/keyencryption.c:31
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Величина кључа у „XTS“ режиму мора да буде 256 или 512 бита."
 
-#: lib/luks1/keyencryption.c:46
+#: lib/luks1/keyencryption.c:33
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Спецификација шифрера треба бити у запису „[шифрер]-[режим]-[ив]“."
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366
-#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132
-#: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
+#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1514 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Не могу да пишем на уређај „%s“, овлашћење је одбијено."
 
-#: lib/luks1/keyencryption.c:120
+#: lib/luks1/keyencryption.c:107
 msgid "Failed to open temporary keystore device."
 msgstr "Нисам успео да отворим привремени уређај смештаја кључа."
 
-#: lib/luks1/keyencryption.c:127
+#: lib/luks1/keyencryption.c:114
 msgid "Failed to access temporary keystore device."
 msgstr "Нисам успео да приступм привременом уређају смештаја кључа."
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62
-#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:192
+#: lib/luks1/keyencryption.c:188 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Грешка УИ приликом шифровања утора кључа."
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369
-#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:679
-#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
-#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
-#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
-#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
-#: lib/luks2/luks2_json_metadata.c:1493 src/utils_reencrypt_luks1.c:121
-#: src/utils_reencrypt_luks1.c:133
+#: lib/luks1/keyencryption.c:235 lib/luks1/keymanage.c:356
+#: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
+#: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
+#: lib/luks2/luks2_json_metadata.c:1517 src/utils_reencrypt_luks1.c:108
+#: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Не могу да отворим уређај „%s“."
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139
+#: lib/luks1/keyencryption.c:246 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Грешка УИ приликом дешифровања утора кључа."
 
-#: lib/luks1/keymanage.c:130
+#: lib/luks1/keymanage.c:117
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Уређај „%s“ је премали. (ЛУКС1 захтева барем %<PRIu64> бајта.)"
 
-#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159
-#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182
-#: lib/luks1/keymanage.c:194
+#: lib/luks1/keymanage.c:138 lib/luks1/keymanage.c:146
+#: lib/luks1/keymanage.c:158 lib/luks1/keymanage.c:169
+#: lib/luks1/keymanage.c:181
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "ЛУКС утор кључа „%u“ није исправан."
 
-#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Затражена датотека резерве заглавља „%s“ већ постоји."
 
-#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1355
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Не могу да направим резервну датотеку заглавља „%s“."
 
-#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1362
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Не могу да запишем резервну датотеку заглавља „%s“."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1399
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Датотека резерве не садржи исправно ЛУКС заглавље."
 
-#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593
-#: lib/luks2/luks2_json_metadata.c:1420
+#: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
+#: lib/luks2/luks2_json_metadata.c:1446
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Не могу да отворим резервну датотеку заглавља „%s“."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1428
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1454
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Не могу да прочитам резервну датотеку заглавља „%s“."
 
-#: lib/luks1/keymanage.c:339
+#: lib/luks1/keymanage.c:326
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Померај датума или величина кључа се разликују на уређају и резерви, враћање није успело."
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:334
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Уређај %s %s%s"
 
-#: lib/luks1/keymanage.c:348
+#: lib/luks1/keymanage.c:335
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "не садржи ЛУКС заглавље. Замена заглавља може да уништи податке на том уређају."
 
-#: lib/luks1/keymanage.c:349
+#: lib/luks1/keymanage.c:336
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "већ садржи ЛУКС заглавље. Замена заглавља ће уништити постојеће уторе кључева."
 
-#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1462
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1486
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -903,116 +1061,116 @@ msgstr ""
 "\n"
 "УПОЗОРЕЊЕ: право заглавље уређаја има другачији УЈИБ од резерве!"
 
-#: lib/luks1/keymanage.c:398
+#: lib/luks1/keymanage.c:385
 msgid "Non standard key size, manual repair required."
 msgstr "Неуобичајена величина кључа, потребна је ручна поправка."
 
-#: lib/luks1/keymanage.c:408
+#: lib/luks1/keymanage.c:395
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Неуобичајено поравнање утора кључева, потребна је ручна поправка."
 
-#: lib/luks1/keymanage.c:417
+#: lib/luks1/keymanage.c:404
 #, c-format
 msgid "Cipher mode repaired (%s -> %s)."
 msgstr "Режим шифрера је оправљен (%s → %s)."
 
-#: lib/luks1/keymanage.c:428
+#: lib/luks1/keymanage.c:415
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Хеш шифрера је преправљен на мала слова (%s)."
 
-#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536
-#: lib/luks1/keymanage.c:792
+#: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Затражени ЛУКС хеш „%s“ није подржан."
 
-#: lib/luks1/keymanage.c:444
+#: lib/luks1/keymanage.c:431
 msgid "Repairing keyslots."
 msgstr "Поправљам уторе кључева."
 
-#: lib/luks1/keymanage.c:463
+#: lib/luks1/keymanage.c:450
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Утор кључа %i: померај је оправљен (%u —> %u)."
 
-#: lib/luks1/keymanage.c:471
+#: lib/luks1/keymanage.c:458
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Утор кључа %i: траке су оправљене (%u —> %u)."
 
-#: lib/luks1/keymanage.c:480
+#: lib/luks1/keymanage.c:467
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Утор кључа %i: лажан потпис партиције."
 
-#: lib/luks1/keymanage.c:485
+#: lib/luks1/keymanage.c:472
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Утор кључа %i: присолак је обрисан."
 
-#: lib/luks1/keymanage.c:502
+#: lib/luks1/keymanage.c:489
 msgid "Writing LUKS header to disk."
 msgstr "Записујем ЛУКС заглавље на диск."
 
-#: lib/luks1/keymanage.c:507
+#: lib/luks1/keymanage.c:494
 msgid "Repair failed."
 msgstr "Поправка није успела."
 
-#: lib/luks1/keymanage.c:562
+#: lib/luks1/keymanage.c:549
 #, c-format
 msgid "LUKS cipher mode %s is invalid."
 msgstr "Режим ЛУКС шифрера „%s“ није исправан."
 
-#: lib/luks1/keymanage.c:567
+#: lib/luks1/keymanage.c:554
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr "ЛУКС хеш „%s“ није исправан."
 
-#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1281
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1360
 msgid "No known problems detected for LUKS header."
 msgstr "Нису откривени познати проблеми за ЛУКС заглавље."
 
-#: lib/luks1/keymanage.c:702
+#: lib/luks1/keymanage.c:689
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Грешка приликом освежавања ЛУКС заглавља на уређају „%s“."
 
-#: lib/luks1/keymanage.c:710
+#: lib/luks1/keymanage.c:697
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Грешка поновног читања ЛУКС заглавља након освежења на уређају „%s“."
 
-#: lib/luks1/keymanage.c:786
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Померај података за ЛУКС заглавље мора бити или 0 или већи од величине заглавља."
 
-#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866
-#: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
-#: src/utils_reencrypt.c:539
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Достављен је погрешан запис ЛУКС УЈИБ-а."
 
-#: lib/luks1/keymanage.c:819
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Не могу да направим ЛУКС заглавље: није успело читање насумичног присолка."
 
-#: lib/luks1/keymanage.c:845
+#: lib/luks1/keymanage.c:832
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Не могу да направим ЛУКС заглавље: није успео преглед заглавља (користим хеш „%s“)."
 
-#: lib/luks1/keymanage.c:889
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Утор кључа „%d“ је радан, прво прочистите."
 
-#: lib/luks1/keymanage.c:895
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Материјал утора кључа „%d“ обухвата премало трака. Да управљам заглављем?"
 
-#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Прекорачење вредности ПБКДФ2 понављања."
 
@@ -1021,375 +1179,391 @@ msgstr "Прекорачење вредности ПБКДФ2 понављања
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Не могу да отворим утор кључа (користим хеш %s)."
 
-#: lib/luks1/keymanage.c:1118
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Утор кључа %d није исправан, изаберите га између 0 и %d."
 
-#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:718
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Не могу да обришем уређај „%s“."
 
-#: lib/loopaes/loopaes.c:146
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Откривена је још увек неподржана ГПГ-ом шифрована датотека кључа."
 
-#: lib/loopaes/loopaes.c:147
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Користите „gpg --decrypt <ДАТОТЕКА_КЉУЧА> | cryptsetup --keyfile=- ...“\n"
 
-#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Откривена је несагласна датотека кључа „AES“ петље."
 
-#: lib/loopaes/loopaes.c:245
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Језгро не подржава мапирање сагласно са „AES“ петљом."
 
-#: lib/tcrypt/tcrypt.c:508
+#: lib/tcrypt/tcrypt.c:497
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Грешка читања датотеке кључа „%s“."
 
-#: lib/tcrypt/tcrypt.c:558
+#: lib/tcrypt/tcrypt.c:547
 #, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr "Премашена је највећа дужина „TCRYPT“ пропусне речи (%zu)."
 
-#: lib/tcrypt/tcrypt.c:600
+#: lib/tcrypt/tcrypt.c:589
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "„PBKDF2“ алгоритам хеша „%s“ није доступан, прескачем."
 
-#: lib/tcrypt/tcrypt.c:619 src/cryptsetup.c:1156
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1233
 msgid "Required kernel crypto interface not available."
 msgstr "Није доступно затражено сучеље криптографије језгра."
 
-#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1158
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1235
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Уверите се да је учитан модул кернела „algif_skcipher“."
 
-#: lib/tcrypt/tcrypt.c:762
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Покретање није подржано за величину %d области."
 
-#: lib/tcrypt/tcrypt.c:768
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Језгро не подржава покретање за овај стари „TCRYPT“ режим."
 
-#: lib/tcrypt/tcrypt.c:799
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Покрећем „TCRYPT“ систем шифровања за партицију „%s“."
 
-#: lib/tcrypt/tcrypt.c:882
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Не могу да одредим померај TCRYPT системске партиције, активираћу читаву шифровану област."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Не могу да одредим померај TCRYPT системске партиције, активирам уређај као системску партицију."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Кернел не подржава мапирање сагласно са „TCRYPT“-ом."
 
-#: lib/tcrypt/tcrypt.c:1095
+#: lib/tcrypt/tcrypt.c:1144
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Ова функција није подржана без учитавања „TCRYPT“ заглавља."
 
-#: lib/bitlk/bitlk.c:278
+#: lib/bitlk/bitlk.c:265
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Нађох неочекивану врсту уноса метаподатака „%u“ приликом обраде подржаног главног кључа волумена."
 
-#: lib/bitlk/bitlk.c:337
+#: lib/bitlk/bitlk.c:327
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Нађох неисправну ниску приликом обраде главног кључа волумена."
 
-#: lib/bitlk/bitlk.c:341
+#: lib/bitlk/bitlk.c:331
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Нађох неочекивану ниску („%s“) приликом обраде подржаног главног кључа волумена."
 
-#: lib/bitlk/bitlk.c:358
+#: lib/bitlk/bitlk.c:351
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Нађох неочекивану вредност уноса метаподатака „%u“ приликом обраде подржаног главног кључа волумена."
 
-#: lib/bitlk/bitlk.c:460
+#: lib/bitlk/bitlk.c:450
 msgid "BITLK version 1 is currently not supported."
 msgstr "„BITLK“ издање 1 тренутно није подржано."
 
-#: lib/bitlk/bitlk.c:466
+#: lib/bitlk/bitlk.c:456
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Неисправан или непознат потпис учитавања за „BITLK“ уређај."
 
-#: lib/bitlk/bitlk.c:478
+#: lib/bitlk/bitlk.c:468
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Неподржана величина одељка „%<PRIu16>“."
 
-#: lib/bitlk/bitlk.c:486
+#: lib/bitlk/bitlk.c:476
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Нисам успео да прочитам „BITLK“ заглавље из „%s“."
 
-#: lib/bitlk/bitlk.c:511
+#: lib/bitlk/bitlk.c:501
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "Нисам успео да прочитам „BITLK FVE“ метаподатаке из „%s“."
 
-#: lib/bitlk/bitlk.c:562
+#: lib/bitlk/bitlk.c:552
 msgid "Unknown or unsupported encryption type."
 msgstr "Непозната или неподржана врста криптографије."
 
-#: lib/bitlk/bitlk.c:602
+#: lib/bitlk/bitlk.c:592
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "Нисам успео да прочитам уносе „BITLK“ метаподатака из „%s“."
 
-#: lib/bitlk/bitlk.c:719
+#: lib/bitlk/bitlk.c:709
 msgid "Failed to convert BITLK volume description"
 msgstr "Нисам успео да претворим опис „BITLK“ волумена"
 
-#: lib/bitlk/bitlk.c:882
+#: lib/bitlk/bitlk.c:872
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Нађох неочекивану врсту уноса метаподатака „%u“ приликом обраде спољног кључа."
 
-#: lib/bitlk/bitlk.c:905
+#: lib/bitlk/bitlk.c:895
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "ГУИД „%s“ датотеке „BEK“ не одговара ГУИД-у волумена."
 
-#: lib/bitlk/bitlk.c:909
+#: lib/bitlk/bitlk.c:899
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Нађох неочекивану вредност уноса метаподатака „%u“ приликом обраде спољног кључа."
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:938
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Неподржани „BEK“ метаподаци издање %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:953
+#: lib/bitlk/bitlk.c:943
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Неочекивана величина „BEK“ метаподатака %<PRIu32> не одговара величини „BEK“ датотеке"
 
-#: lib/bitlk/bitlk.c:979
+#: lib/bitlk/bitlk.c:969
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Нађох неочекивану врсту уноса метаподатака приликом обраде кључа почретања."
 
-#: lib/bitlk/bitlk.c:1075
+#: lib/bitlk/bitlk.c:1069
 msgid "This operation is not supported."
 msgstr "Радња није подржана."
 
-#: lib/bitlk/bitlk.c:1083
+#: lib/bitlk/bitlk.c:1077
 msgid "Unexpected key data size."
 msgstr "Неочекивана величина података кључа."
 
-#: lib/bitlk/bitlk.c:1209
+#: lib/bitlk/bitlk.c:1205
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Овај „BITLK“ уређај је у неподржаном стању и не може бити активиран."
 
-#: lib/bitlk/bitlk.c:1214
+#: lib/bitlk/bitlk.c:1210
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "„BITLK“ уређај са врстом „%s“ се не може активирати."
 
-#: lib/bitlk/bitlk.c:1221
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "Активирање делимично дешифрованог „BITLK“ уређаја није подржано."
+#: lib/bitlk/bitlk.c:1217
+msgid "Activation of BITLK device with clear key protection is not supported."
+msgstr "Активирање BITLK уређаја са јасном заштитом тастера није подржано."
 
-#: lib/bitlk/bitlk.c:1262
+#: lib/bitlk/bitlk.c:1258
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "УПОЗОРЕЊЕ: Величина волумена закључавача бита %<PRIu64> не одговара величини садржаног уређаја %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1389
+#: lib/bitlk/bitlk.c:1385
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за „BITLK IV“."
 
-#: lib/bitlk/bitlk.c:1393
+#: lib/bitlk/bitlk.c:1389
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за „BITLK Elephant“ дифузера."
 
-#: lib/bitlk/bitlk.c:1397
+#: lib/bitlk/bitlk.c:1393
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Не могу да активирам уређај, „dm-crypt“-у кернела недостаје подршка за велику величину сектора."
 
-#: lib/bitlk/bitlk.c:1401
+#: lib/bitlk/bitlk.c:1397
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Не могу да активирам уређај, недостаје „dm-zero“ модул кернела."
 
-#: lib/fvault2/fvault2.c:542
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Не могу да прочитам %u бајта заглавља волумена."
 
-#: lib/fvault2/fvault2.c:554
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Неподржано FVAULT2 издање „%<PRIu16>“."
 
-#: lib/verity/verity.c:68 lib/verity/verity.c:182
+#: lib/verity/verity.c:55 lib/verity/verity.c:169
 #, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr "Уређај тачности %s не користи заглавље на-диску."
 
-#: lib/verity/verity.c:96
+#: lib/verity/verity.c:83
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Неподржано издање „VERITY“ %d."
 
-#: lib/verity/verity.c:131
+#: lib/verity/verity.c:118
 msgid "VERITY header corrupted."
 msgstr "Заглавље „VERITY“ је оштећено."
 
-#: lib/verity/verity.c:176
+#: lib/verity/verity.c:163
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Достављен је погрешан УЈИБ „VERITY“ запис на уређају „%s“."
 
-#: lib/verity/verity.c:220
+#: lib/verity/verity.c:207
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Грешка приликом освежавања заглавља тачности на уређају „%s“."
 
-#: lib/verity/verity.c:278
+#: lib/verity/verity.c:261
 msgid "Root hash signature verification is not supported."
 msgstr "Провера хеш потписа корена није подржана."
 
-#: lib/verity/verity.c:290
+#: lib/verity/verity.c:266
+msgid "Root hash signature required."
+msgstr "Потпис хеша корена је потребан."
+
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Грешке се не могу поправити са „FEC“ уређајем."
 
-#: lib/verity/verity.c:292
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Нађох поправљиве грешке (%u) са „FEC“ уређајем."
 
-#: lib/verity/verity.c:335
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Кернел не подржава мапирање дм-тачности."
 
-#: lib/verity/verity.c:339
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Кернел не подржава опцију потписа дм-тачности."
 
-#: lib/verity/verity.c:350
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Уређај тачности је открио оштећење након покретања."
 
-#: lib/verity/verity_hash.c:66
+#: lib/verity/verity_hash.c:53
 #, c-format
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Сувишна област није нулирана на положају %<PRIu64>."
 
-#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
-#: lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
+#: lib/verity/verity_hash.c:298
 msgid "Device offset overflow."
 msgstr "Прекорачење помераја уређаја."
 
-#: lib/verity/verity_hash.c:218
+#: lib/verity/verity_hash.c:205
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Провера није успела на положају %<PRIu64>."
 
-#: lib/verity/verity_hash.c:307
+#: lib/verity/verity_hash.c:294
 msgid "Hash area overflow."
 msgstr "Прекорачење области хеша."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Провера области података није успела."
 
-#: lib/verity/verity_hash.c:385
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Провера хеша корена није успела."
 
-#: lib/verity/verity_hash.c:391
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Улазно/излазна грешка приликом стварања области хеша."
 
-#: lib/verity/verity_hash.c:393
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "Стварање области хеша није успело."
 
-#: lib/verity/verity_hash.c:428
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "УПОЗОРЕЊЕ: Језгро не може да покрене уређајако величина блока података премашује величину странице (%u)."
 
-#: lib/verity/verity_fec.c:131
+#: lib/verity/verity_fec.c:118
 msgid "Failed to allocate RS context."
 msgstr "Нисам успео да доделим „RS“ контекст."
 
-#: lib/verity/verity_fec.c:149
+#: lib/verity/verity_fec.c:136
 msgid "Failed to allocate buffer."
 msgstr "Нисам успео да доделим међумеморију."
 
-#: lib/verity/verity_fec.c:159
+#: lib/verity/verity_fec.c:146
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Нисам успео да прочитам „RS“ блок %<PRIu64> бајта %d."
 
-#: lib/verity/verity_fec.c:172
+#: lib/verity/verity_fec.c:159
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Нисам успео да прочитам паритет „RS“ блока %<PRIu64>."
 
-#: lib/verity/verity_fec.c:180
+#: lib/verity/verity_fec.c:167
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Нисам успео да поправим паритет за блок %<PRIu64>."
 
-#: lib/verity/verity_fec.c:192
+#: lib/verity/verity_fec.c:179
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Нисам успео да запишем паритет „RS“ блока %<PRIu64>."
 
-#: lib/verity/verity_fec.c:208
+#: lib/verity/verity_fec.c:195
 msgid "Block sizes must match for FEC."
 msgstr "Величине блокова морају одговарати за „FEC“."
 
-#: lib/verity/verity_fec.c:214
+#: lib/verity/verity_fec.c:201
 msgid "Invalid number of parity bytes."
 msgstr "Неисправан број бајтова паритета."
 
-#: lib/verity/verity_fec.c:248
+#: lib/verity/verity_fec.c:235
 msgid "Invalid FEC segment length."
 msgstr "Неисправна дужина „FEC“ сегмента."
 
-#: lib/verity/verity_fec.c:316
+#: lib/verity/verity_fec.c:303
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Нисам успео да одредим величину за уређај „%s“."
 
-#: lib/integrity/integrity.c:57
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Недоследни „dm-integrity“ метаподаци кернела (издање %u) су откривени на „%s“."
 
-#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
+#: lib/integrity/integrity.c:290 lib/integrity/integrity.c:474
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Кернел не подржава мапирање дм-целовитости."
 
-#: lib/integrity/integrity.c:283
+#: lib/integrity/integrity.c:296
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Кернел не подржава поравнање фиксних метаподатака дм-целовитости."
 
-#: lib/integrity/integrity.c:292
+#: lib/integrity/integrity.c:305
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Кернел одбија да покрене небезбедну опцију поновног израчунавања (видите старе опције покретања да избегнете ово)."
 
-#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1159
-#: lib/luks2/luks2_json_metadata.c:1482
+#: lib/integrity/integrity.c:311
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "Кернел не подржава унутарњи режим дм-целовитости."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1506
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Нисам успео да остварим закључавање писања на уређају „%s“."
 
-#: lib/luks2/luks2_disk_metadata.c:400
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Открих покушај истовременог ажурирања ЛУКС2 метаподатака. Прекидам."
 
-#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1397,49 +1571,59 @@ msgstr ""
 "Уређај садржи нејасне потписе, не могу сам да поправим ЛУКС2.\n"
 "Покрените „cryptsetup repair“ за опорављање."
 
-#: lib/luks2/luks2_json_format.c:229
+#: lib/luks2/luks2_json_format.c:219
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr "УПОЗОРЕЊЕ: област утора кључа (%<PRIu64> бајта) је врло мала, доступан број ЛУКС2 утора кључа врло ограничен.\n"
+
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Затражени померај података је премали."
 
-#: lib/luks2/luks2_json_format.c:274
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
-msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
-msgstr "УПОЗОРЕЊЕ: област утора кључа (%<PRIu64> бајта) је врло мала, доступан број ЛУКС2 утора кључа врло ограничен.\n"
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr "УПОЗОРЕЊЕ: Величина ЛУКС2 метаподатака је промењена на %<PRIu64> бајта.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1146 lib/luks2/luks2_json_metadata.c:1328
-#: lib/luks2/luks2_json_metadata.c:1388 lib/luks2/luks2_keyslot_luks2.c:94
-#: lib/luks2/luks2_keyslot_luks2.c:116
+#: lib/luks2/luks2_json_format.c:463
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr "УПОЗОРЕЊЕ: Величина области ЛУКС2 утора кључева је промењена на %<PRIu64> бајта.\n"
+
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Нисам успео да остварим закључавање читања на уређају „%s“."
 
-#: lib/luks2/luks2_json_metadata.c:1405
+#: lib/luks2/luks2_json_metadata.c:1431
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Забрањени ЛУКС2 захтеви су откривени у резерви „%s“."
 
-#: lib/luks2/luks2_json_metadata.c:1446
+#: lib/luks2/luks2_json_metadata.c:1470
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Померај података се разликује на уређају и резерви, враћање није успело."
 
-#: lib/luks2/luks2_json_metadata.c:1452
+#: lib/luks2/luks2_json_metadata.c:1476
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Бинарно заглавље са областима утора кључа се разликује на уређају и резерви, враћање није успело."
 
-#: lib/luks2/luks2_json_metadata.c:1459
+#: lib/luks2/luks2_json_metadata.c:1483
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Уређај %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1460
+#: lib/luks2/luks2_json_metadata.c:1484
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "не садржи ЛУКС2 заглавље. Замена заглавља може да уништи податке на том уређају."
 
-#: lib/luks2/luks2_json_metadata.c:1461
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "већ садржи „LUKS2“ заглавље. Замена заглавља ће уништити постојеће уторе кључева."
 
-#: lib/luks2/luks2_json_metadata.c:1463
+#: lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1449,7 +1633,7 @@ msgstr ""
 "УПОЗОРЕЊЕ: непознати ЛУКС2 захтеви су откривени у стварном заглављу уређаја!\n"
 "Замена заглавља резервом може оштетити податке на том уређају!"
 
-#: lib/luks2/luks2_json_metadata.c:1465
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1459,471 +1643,563 @@ msgstr ""
 "УПОЗОРЕЊЕ: Недовршено ван мрежно поновно шифровање је откривено на уређају!\n"
 "Замена заглавља резервом може оштетити податке."
 
-#: lib/luks2/luks2_json_metadata.c:1562
+#: lib/luks2/luks2_json_metadata.c:1587
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Занемарена непозната заставица „%s“."
 
-#: lib/luks2/luks2_json_metadata.c:2470 lib/luks2/luks2_reencrypt.c:2061
+#: lib/luks2/luks2_json_metadata.c:2541 lib/luks2/luks2_reencrypt.c:2105
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Недостаје кључ за „dm-crypt“ подеок %u"
 
-#: lib/luks2/luks2_json_metadata.c:2482 lib/luks2/luks2_reencrypt.c:2075
+#: lib/luks2/luks2_json_metadata.c:2553 lib/luks2/luks2_reencrypt.c:2118
 msgid "Failed to set dm-crypt segment."
 msgstr "Нисам успео да подесим „dm-crypt“ подеок."
 
-#: lib/luks2/luks2_json_metadata.c:2488 lib/luks2/luks2_reencrypt.c:2081
+#: lib/luks2/luks2_json_metadata.c:2559 lib/luks2/luks2_reencrypt.c:2124
 msgid "Failed to set dm-linear segment."
 msgstr "Нисам успео да подесим „dm-linear“ подеок."
 
-#: lib/luks2/luks2_json_metadata.c:2615
+#: lib/luks2/luks2_json_metadata.c:2679 src/utils_reencrypt.c:578
+msgid "No known cipher specification pattern detected in LUKS2 header."
+msgstr "Није откривен познат образац одреднице шифрера у LUKS2 заглављу."
+
+#: lib/luks2/luks2_json_metadata.c:2687
+msgid "OPAL device must have static device size."
+msgstr "OPAL уређај мора имати статичку величину уређаја."
+
+#: lib/luks2/luks2_json_metadata.c:2707
+msgid "Encrypted OPAL device with integrity must be smaller than locking range."
+msgstr "Шифровани OPAL уређај са целовитошћу мора бити мањи од опсега закључавања."
+
+#: lib/luks2/luks2_json_metadata.c:2712
+msgid "OPAL device must have same size as locking range."
+msgstr "OPAl уређај мора имати исту величину као опсег закључавања."
+
+#: lib/luks2/luks2_json_metadata.c:2732
+#, c-format
+msgid "OPAL device is %s already unlocked.\n"
+msgstr "OPAL уређај je „%s“ već otkqučan.\n"
+
+#: lib/luks2/luks2_json_metadata.c:2771
 msgid "Unsupported device integrity configuration."
 msgstr "Неподржано подешавање целовитости уређаја."
 
-#: lib/luks2/luks2_json_metadata.c:2701
+#: lib/luks2/luks2_json_metadata.c:2787
+msgid "Underlying dm-integrity device with unexpected provided data sectors."
+msgstr "Основни „dm-integrity“ уређај са неочекивано достављеним секторима података."
+
+#: lib/luks2/luks2_json_metadata.c:2882
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Поновно шифровање је у току. Не могу да деактивирам уређај."
 
-#: lib/luks2/luks2_json_metadata.c:2712 lib/luks2/luks2_reencrypt.c:4082
+#: lib/luks2/luks2_json_metadata.c:2893 lib/luks2/luks2_reencrypt.c:4274
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Нисам успео да заменим обустављени уређај „%s“ са метом „dm-error“."
 
-#: lib/luks2/luks2_json_metadata.c:2792
-msgid "Failed to read LUKS2 requirements."
-msgstr "Нисам успео да прочитам ЛУКС2 захтеве."
+#: lib/luks2/luks2_json_metadata.c:2972 lib/luks2/luks2_json_metadata.c:2994
+#, c-format
+msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
+msgstr "Уређај „%s“ је искључен али хардверски OPAL уређај се не може закључати."
 
-#: lib/luks2/luks2_json_metadata.c:2799
+#: lib/luks2/luks2_json_metadata.c:3016
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Неоствариви ЛУКС2 захтеви су откривени."
 
-#: lib/luks2/luks2_json_metadata.c:2807
+#: lib/luks2/luks2_json_metadata.c:3024
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Радња је несагласна са уређајем означеним за старо поновно шифровање. Прекидам."
 
-#: lib/luks2/luks2_json_metadata.c:2809
+#: lib/luks2/luks2_json_metadata.c:3026
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Радња је несагласна са уређајем означеним за ЛУКС2 поновно шифровање. Прекидам."
 
-#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
+#: lib/luks2/luks2_json_metadata.c:3028
+msgid "Operation incompatible with device using OPAL. Aborting."
+msgstr "Радња је несагласна са уређајем који користи OPAL. Прекидам."
+
+#: lib/luks2/luks2_json_metadata.c:3030
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Радња је несагласна са уређајем који користи унутарње HW ознаке. Прекидам."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Нема довољно доступне меморије за отварање утора кључа."
 
-#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Отварање утора кључа није успело."
 
-#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Не могу користити шифрер „%s-%s“ за шифровање утора кључа."
 
-#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:394
-#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2668
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Нема довољно меморије за изведбу кључа утора кључа."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:401
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2725
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Алгоритам хеша „%s“ није доступан."
 
-#: lib/luks2/luks2_keyslot_luks2.c:510
+#: lib/luks2/luks2_keyslot_luks2.c:518
 msgid "No space for new keyslot."
 msgstr "Нема простора за нови утор кључа."
 
-#: lib/luks2/luks2_keyslot_reenc.c:593
+#: lib/luks2/luks2_keyslot_reenc.c:583
 msgid "Invalid reencryption resilience mode change requested."
 msgstr "Затражена је неисправна промена режима гипкости поновног шифровања."
 
-#: lib/luks2/luks2_keyslot_reenc.c:714
+#: lib/luks2/luks2_keyslot_reenc.c:704
 #, c-format
 msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
 msgstr "Не могу да освежим врсту гипкости. Нова врста обезбеђује само %<PRIu64> бајт(а), захтеван простор је: %<PRIu64> бајт(а)."
 
-#: lib/luks2/luks2_keyslot_reenc.c:724
+#: lib/luks2/luks2_keyslot_reenc.c:714
 msgid "Failed to refresh reencryption verification digest."
 msgstr "Нисам успео да освежим упит потврђивања поновног шифровања."
 
-#: lib/luks2/luks2_luks1_convert.c:512
+#: lib/luks2/luks2_luks1_convert.c:532
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Не могу да проверим стање уређаја са ујиб-ом: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:538
+#: lib/luks2/luks2_luks1_convert.c:558
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Не могу да претворим заглавље са „LUKSMETA“ додатним метаподацима."
 
-#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3740
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3882
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Не могу да користим спецификацију шифрера „%s-%s“ за ЛУКС2."
 
-#: lib/luks2/luks2_luks1_convert.c:584
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Не могу да користим спецификацију шифрера „%s-%s“ за LUKS2 утор кључа."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Не могу да преместим област утора кључа. Нема довољно простора."
 
-#: lib/luks2/luks2_luks1_convert.c:619
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Не могу да претворим у ЛУКС2 запис – неисправни метаподаци."
 
-#: lib/luks2/luks2_luks1_convert.c:636
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Не могу да преместим област утора кључа. Област ЛУКС2 утора кључа је премала."
 
-#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Не могу да преместим област утора кључа."
 
-#: lib/luks2/luks2_luks1_convert.c:732
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Не могу да претворим у ЛУКС1 запис – основна величина подеока 512 bytes."
 
-#: lib/luks2/luks2_luks1_convert.c:740
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Не могу да претворим у ЛУКС1 запис – прегледи утора кључа нису ЛУКС1 сагласни."
 
-#: lib/luks2/luks2_luks1_convert.c:752
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Не могу да претворим у ЛУКС1 запис – уређај користи умотаног шифрера кључа „%s“."
 
-#: lib/luks2/luks2_luks1_convert.c:757
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Не могу да претворим у ЛУКС2 запис – уређај користи више подеока."
 
-#: lib/luks2/luks2_luks1_convert.c:765
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Не могу да претворим у ЛУКС1 запис – ЛУКС2 заглавље садржи %u скупину(е)."
 
-#: lib/luks2/luks2_luks1_convert.c:779
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Не могу да претворим у ЛУКС2 запис – нема више активних утора кључа."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Не могу да претворим у ЛУКС1 запис – утор кључа %u је у неисправном стању."
 
-#: lib/luks2/luks2_luks1_convert.c:784
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Не могу да претворим у ЛУКС1 запис – утор кључа %u је несвезан."
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Не могу да претворим у ЛУКС1 запис – утор %u (преко максимума утора) је још активан."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Не могу да претворим у ЛУКС1 запис – утор кључа %u није ЛУКС1 сагласан."
 
-#: lib/luks2/luks2_reencrypt.c:1152
+#: lib/luks2/luks2_reencrypt.c:1194
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Величина вруће зоне мора бити умножак прорачунатог поравнања зоне (%zu бајта)."
 
-#: lib/luks2/luks2_reencrypt.c:1157
+#: lib/luks2/luks2_reencrypt.c:1199
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Величина уређаја мора бити производ прорачунатог поравнања зоне (%zu бајта)."
 
-#: lib/luks2/luks2_reencrypt.c:1364 lib/luks2/luks2_reencrypt.c:1551
-#: lib/luks2/luks2_reencrypt.c:1634 lib/luks2/luks2_reencrypt.c:1676
-#: lib/luks2/luks2_reencrypt.c:3877
+#: lib/luks2/luks2_reencrypt.c:1406 lib/luks2/luks2_reencrypt.c:1592
+#: lib/luks2/luks2_reencrypt.c:1675 lib/luks2/luks2_reencrypt.c:1717
+#: lib/luks2/luks2_reencrypt.c:4069
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Нисам успео да покренем старог увијача смештаја подеока."
 
-#: lib/luks2/luks2_reencrypt.c:1378 lib/luks2/luks2_reencrypt.c:1529
+#: lib/luks2/luks2_reencrypt.c:1420 lib/luks2/luks2_reencrypt.c:1570
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Нисам успео да покренем новог увијача смештаја подеока."
 
-#: lib/luks2/luks2_reencrypt.c:1505 lib/luks2/luks2_reencrypt.c:3889
+#: lib/luks2/luks2_reencrypt.c:1546 lib/luks2/luks2_reencrypt.c:4081
 msgid "Failed to initialize hotzone protection."
 msgstr "Нисам успео да покренем заштиту вруће зоне."
 
-#: lib/luks2/luks2_reencrypt.c:1578
+#: lib/luks2/luks2_reencrypt.c:1619
 msgid "Failed to read checksums for current hotzone."
 msgstr "Нисам успео да прочитам суму провере за текућу врућу зону."
 
-#: lib/luks2/luks2_reencrypt.c:1585 lib/luks2/luks2_reencrypt.c:3903
+#: lib/luks2/luks2_reencrypt.c:1626 lib/luks2/luks2_reencrypt.c:4095
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Нисам успео да прочитам област вруће зоне са почетком на %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1604
+#: lib/luks2/luks2_reencrypt.c:1645
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Нисам успео да дешифрујем област %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1610
+#: lib/luks2/luks2_reencrypt.c:1651
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Нисам успео да опоравим област %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2174
+#: lib/luks2/luks2_reencrypt.c:2217
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Величине изворног и циљног уређаја не одговарају. Извор %<PRIu64>, мета: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2272
+#: lib/luks2/luks2_reencrypt.c:2315
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Нисам успео да активирам уређај вруће зоне „%s“."
 
-#: lib/luks2/luks2_reencrypt.c:2289
+#: lib/luks2/luks2_reencrypt.c:2332
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Нисам успео да активирам уређај преклапања „%s“ са стварном табелом порекла."
 
-#: lib/luks2/luks2_reencrypt.c:2296
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Нисам успео да учитам ново мапирање за уређај „%s“."
 
-#: lib/luks2/luks2_reencrypt.c:2367
+#: lib/luks2/luks2_reencrypt.c:2410
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Нисам успео да освежим спремник уређаја поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:2550
+#: lib/luks2/luks2_reencrypt.c:2607
 msgid "Failed to set new keyslots area size."
 msgstr "Нисам успео да подесим нову величину области утора кључа."
 
-#: lib/luks2/luks2_reencrypt.c:2686
+#: lib/luks2/luks2_reencrypt.c:2743
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Вредност помака података није поравната на величину одељка шифровања (%<PRIu32> бајта)."
 
-#: lib/luks2/luks2_reencrypt.c:2723 src/utils_reencrypt.c:189
+#: lib/luks2/luks2_reencrypt.c:2780 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Неподржан режим гипкости „%s“"
 
-#: lib/luks2/luks2_reencrypt.c:2760
+#: lib/luks2/luks2_reencrypt.c:2816
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Величина премештеног подеока не може бити већа од вредности помака података."
 
-#: lib/luks2/luks2_reencrypt.c:2802
+#: lib/luks2/luks2_reencrypt.c:2858
 msgid "Invalid reencryption resilience parameters."
 msgstr "Неисправни параметри гипкости поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:2824
+#: lib/luks2/luks2_reencrypt.c:2880
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Премештени подеок је превелик. Захтевана величина је %<PRIu64>, доступан простор за: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2911
+#: lib/luks2/luks2_reencrypt.c:2969
 msgid "Failed to clear table."
 msgstr "Нисам успео да очистим табелу."
 
-#: lib/luks2/luks2_reencrypt.c:2997
+#: lib/luks2/luks2_reencrypt.c:3055
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Помак података (%<PRIu64> одељка) је мањи од будућег помераја података (%<PRIu64> одељка)."
+
+#: lib/luks2/luks2_reencrypt.c:3070 lib/luks2/luks2_reencrypt.c:3077
 msgid "Reduced data size is larger than real device size."
 msgstr "Величина умањених података је већа од стварне величине уређаја."
 
-#: lib/luks2/luks2_reencrypt.c:3004
+#: lib/luks2/luks2_reencrypt.c:3087
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Уређај података није поравнат на величину одељка шифровања (%<PRIu32> бајта)."
 
-#: lib/luks2/luks2_reencrypt.c:3038
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Помак података (%<PRIu64> одељка) је мањи од будућег помераја података (%<PRIu64> одељка)."
-
-#: lib/luks2/luks2_reencrypt.c:3045 lib/luks2/luks2_reencrypt.c:3533
-#: lib/luks2/luks2_reencrypt.c:3554
+#: lib/luks2/luks2_reencrypt.c:3117 lib/luks2/luks2_reencrypt.c:3632
+#: lib/luks2/luks2_reencrypt.c:3653
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Нисам успео да отворим „%s“ у искључивом режиму (већ мапиран или прикачен)."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3324
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Уређај није означен за ЛУКС2 поновно шифровање."
 
-#: lib/luks2/luks2_reencrypt.c:3251 lib/luks2/luks2_reencrypt.c:4206
+#: lib/luks2/luks2_reencrypt.c:3341 lib/luks2/luks2_reencrypt.c:4391
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Нисам успео да учитам контекст ЛУКС2 поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:3331
-msgid "Failed to get reencryption state."
-msgstr "Нисам успео да добавим стање поновног шифровања."
-
-#: lib/luks2/luks2_reencrypt.c:3335 lib/luks2/luks2_reencrypt.c:3649
+#: lib/luks2/luks2_reencrypt.c:3433 lib/luks2/luks2_reencrypt.c:3773
 msgid "Device is not in reencryption."
 msgstr "Уређај није у поновном шифровању."
 
-#: lib/luks2/luks2_reencrypt.c:3342 lib/luks2/luks2_reencrypt.c:3656
+#: lib/luks2/luks2_reencrypt.c:3440 lib/luks2/luks2_reencrypt.c:3780
 msgid "Reencryption process is already running."
 msgstr "Процес поновног шифровања је већ покренут."
 
-#: lib/luks2/luks2_reencrypt.c:3344 lib/luks2/luks2_reencrypt.c:3658
+#: lib/luks2/luks2_reencrypt.c:3442 lib/luks2/luks2_reencrypt.c:3782
 msgid "Failed to acquire reencryption lock."
 msgstr "Нисам успео да остварим закључавање поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:3362
+#: lib/luks2/luks2_reencrypt.c:3460
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Не могу да наставим са поновним шифровањем. Прво покрените опоравак поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:3497
+#: lib/luks2/luks2_reencrypt.c:3596
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Активна величина уређаја и величина затраженог поновног шифровања не одговарају."
 
-#: lib/luks2/luks2_reencrypt.c:3511
+#: lib/luks2/luks2_reencrypt.c:3610
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Неисправна величина уређаја је затражена у параметрима поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:3588
+#: lib/luks2/luks2_reencrypt.c:3712
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Поновно шифровање је у току. Не могу да обавим опоравак."
 
-#: lib/luks2/luks2_reencrypt.c:3757
+#: lib/luks2/luks2_reencrypt.c:3733
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Опоравак ЛУКС2 поновног шифровања није успело."
+
+#: lib/luks2/luks2_reencrypt.c:3866 lib/luks2/luks2_reencrypt.c:4344
+msgid "Failed to initialize reencryption device stack."
+msgstr "Нисам успео да покренем поновно шифровање спремника уређаја."
+
+#: lib/luks2/luks2_reencrypt.c:3899
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "ЛУКС2 поновно шифровање је већ покренуто у метаподацима."
 
-#: lib/luks2/luks2_reencrypt.c:3764
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Нисам успео да покренем ЛУКС2 поновно шифровање у метаподацима."
 
-#: lib/luks2/luks2_reencrypt.c:3859
+#: lib/luks2/luks2_reencrypt.c:3960 lib/luks2/luks2_reencrypt.c:3992
+#: lib/luks2/luks2_reencrypt.c:4022
+msgid "Reencryption is not supported for DAX (persistent memory) devices."
+msgstr "Поновно шифровање није подржано за DAX (сталне меморије) уређаје."
+
+#: lib/luks2/luks2_reencrypt.c:4051
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Нисам успео да поставим подеоке уређаја за следећу врућу зону поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:3911
+#: lib/luks2/luks2_reencrypt.c:4103
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Нисам успео да запишем метаподатаке гипкости поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:3918
+#: lib/luks2/luks2_reencrypt.c:4110
 msgid "Decryption failed."
 msgstr "Дешифровање није успело."
 
-#: lib/luks2/luks2_reencrypt.c:3923
+#: lib/luks2/luks2_reencrypt.c:4115
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Нисам успео да запишем област вруће зоне са почетком на %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3928
+#: lib/luks2/luks2_reencrypt.c:4120
 msgid "Failed to sync data."
 msgstr "Нисам успео да усагласим податке."
 
-#: lib/luks2/luks2_reencrypt.c:3936
+#: lib/luks2/luks2_reencrypt.c:4128
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Нисам успео да освежим метаподатке након тренутно завршеног поновног шифровања вруће зоне."
 
-#: lib/luks2/luks2_reencrypt.c:4025
+#: lib/luks2/luks2_reencrypt.c:4217
 msgid "Failed to write LUKS2 metadata."
 msgstr "Нисам успео да запишем ЛУКС2 метаподатке."
 
-#: lib/luks2/luks2_reencrypt.c:4048
+#: lib/luks2/luks2_reencrypt.c:4240
 msgid "Failed to wipe unused data device area."
 msgstr "Нисам успео да обришем област уређаја података."
 
-#: lib/luks2/luks2_reencrypt.c:4054
+#: lib/luks2/luks2_reencrypt.c:4246
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Нисам успео да уклоним некоришћени (несвезани) утор кључа %d."
 
-#: lib/luks2/luks2_reencrypt.c:4064
+#: lib/luks2/luks2_reencrypt.c:4256
 msgid "Failed to remove reencryption keyslot."
 msgstr "Нисам успео да уклоним утор кључа поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:4074
+#: lib/luks2/luks2_reencrypt.c:4266
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Кобна грешка приликом поновног шифровања комада који почиње на %<PRIu64>, %<PRIu64> подеока дуг."
 
-#: lib/luks2/luks2_reencrypt.c:4078
+#: lib/luks2/luks2_reencrypt.c:4270
 msgid "Online reencryption failed."
 msgstr "Поновно шифровање на мрежи није успело."
 
-#: lib/luks2/luks2_reencrypt.c:4083
+#: lib/luks2/luks2_reencrypt.c:4275
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Не наставља са уређајем осим ако није ручно замењен метом грешке."
 
-#: lib/luks2/luks2_reencrypt.c:4137
+#: lib/luks2/luks2_reencrypt.c:4327
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Не могу да наставим са поновним шифровањем. Неочекивано стање поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4333
 msgid "Missing or invalid reencrypt context."
 msgstr "Недостаје или неисправан контекст поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt.c:4150
-msgid "Failed to initialize reencryption device stack."
-msgstr "Нисам успео да покренем поновно шифровање спремника уређаја."
-
-#: lib/luks2/luks2_reencrypt.c:4172 lib/luks2/luks2_reencrypt.c:4219
+#: lib/luks2/luks2_reencrypt.c:4367 lib/luks2/luks2_reencrypt.c:4404
 msgid "Failed to update reencryption context."
 msgstr "Нисам успео да освежим контекст поновног шифровања."
 
-#: lib/luks2/luks2_reencrypt_digest.c:405
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Метаподаци поновног шифровања нису исправни."
 
-#: src/cryptsetup.c:85
-msgid "Keyslot encryption parameters can be set only for LUKS2 device."
-msgstr "Параметри шифровања утора кључа се могу поставити само за ЛУКС2 уређај."
+#: lib/luks2/hw_opal/hw_opal.c:333
+#, c-format
+msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
+msgstr "OPAL опсега %d померај %<PRIu64> не одговара очекиваним вредностима %<PRIu64>."
 
-#: src/cryptsetup.c:108 src/cryptsetup.c:1901
+#: lib/luks2/hw_opal/hw_opal.c:340
 #, c-format
-msgid "Enter token PIN: "
-msgstr "Унесите ПИН скупине: "
+msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
+msgstr "OPAL опсега %d величина %<PRIu64> не одговара величини уређаја %<PRIu64>."
 
-#: src/cryptsetup.c:110 src/cryptsetup.c:1903
+#: lib/luks2/hw_opal/hw_opal.c:346
 #, c-format
-msgid "Enter token %d PIN: "
-msgstr "Унесите %d ПИН скупине: "
+msgid "OPAL range %d locking is disabled."
+msgstr "Закључавање OPAL опсега %d је искључено."
+
+#: lib/luks2/hw_opal/hw_opal.c:356 lib/luks2/hw_opal/hw_opal.c:363
+#, c-format
+msgid "Unexpected OPAL range %d lock state."
+msgstr "Неочекиваностање закључавања OPAL опсега %d."
 
-#: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
-#: src/utils_reencrypt.c:1122 src/utils_reencrypt_luks1.c:517
-#: src/utils_reencrypt_luks1.c:580
+#: src/cryptsetup.c:87
+msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+msgstr "Параметри шифровања утора кључа се могу поставити само за ЛУКС2 уређај."
+
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Параметри шифровања утора кључа нису сагласни са шифровањем LUKS2 утора кључа."
+
+#: src/cryptsetup.c:150 src/cryptsetup.c:1171 src/cryptsetup.c:1538
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Није откривен познат образац одреднице шифрера."
 
-#: src/cryptsetup.c:167
+#: src/cryptsetup.c:160
+#, c-format
+msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
+msgstr "УПОЗОРЕЊЕ: Користим основне опције за шифрере (%s-%s, величина кључа %u бита) које могу бити несагласне са старијим издањима."
+
+#: src/cryptsetup.c:165
+#, c-format
+msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
+msgstr "УПОЗОРЕЊЕ: Користим основне опције за хеш (%s) које могу бити несагласне са старијим издањима."
+
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "За обичан режим, увек користите опције „--cipher“, „--key-size“ и ако се не користи датотека кључа или привезак, тада такође „--hash„."
+
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "УПОЗОРЕЊЕ: Параметар „--hash“ је занемарен у обичном режиму са наведеном кључном датотеком.\n"
 
-#: src/cryptsetup.c:175
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "УПОЗОРЕЊЕ: Опција „--keyfile-size“ је занемарена, величина читања је иста као величина кључа шифровања.\n"
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:226 src/cryptsetup.c:1368 src/cryptsetup.c:1591
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2137
+#, c-format
+msgid "Blkid scan failed for %s."
+msgstr "Скенирање ид-а блока није успело за „%s“."
+
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Открих потпис(е) уређаја на „%s“. Даље настављање може оштетити постојеће податке."
 
-#: src/cryptsetup.c:221 src/cryptsetup.c:1177 src/cryptsetup.c:1225
-#: src/cryptsetup.c:1291 src/cryptsetup.c:1407 src/cryptsetup.c:1480
-#: src/cryptsetup.c:2266 src/integritysetup.c:187 src/utils_reencrypt.c:138
-#: src/utils_reencrypt.c:314 src/utils_reencrypt.c:749
+#: src/cryptsetup.c:238 src/cryptsetup.c:1254 src/cryptsetup.c:1302
+#: src/cryptsetup.c:1375 src/cryptsetup.c:1515 src/cryptsetup.c:1603
+#: src/cryptsetup.c:2488 src/cryptsetup.c:2917 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Радња је обустављена.\n"
 
-#: src/cryptsetup.c:294
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Захтевана је опција „--key-file“."
 
-#: src/cryptsetup.c:345
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Унесите „VeraCrypt PIM“: "
 
-#: src/cryptsetup.c:354
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Неисправна „PIM“ вредност: грешка обраде."
 
-#: src/cryptsetup.c:357
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Неисправна „PIM“ вредност: 0."
 
-#: src/cryptsetup.c:360
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Неисправна „PIM“ вредност: изван опсега."
 
-#: src/cryptsetup.c:383
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "Није откривено заглавље уређаја са овом пропусном речи."
 
-#: src/cryptsetup.c:456 src/cryptsetup.c:632
+#: src/cryptsetup.c:492 src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Уређај „%s“ није исправан „BITLK“ уређај."
 
-#: src/cryptsetup.c:464
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Не могу да одредим величину кључа за „BITLK“, користите „--key-size“ опцију."
 
-#: src/cryptsetup.c:506
+#: src/cryptsetup.c:542
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1933,7 +2209,7 @@ msgstr ""
 "који омогућава приступ шифрованој партицији без лозинке.\n"
 "Овај избачај треба увек бити смештен шифрован на безбедном месту."
 
-#: src/cryptsetup.c:573 src/cryptsetup.c:654 src/cryptsetup.c:2291
+#: src/cryptsetup.c:609 src/cryptsetup.c:690 src/cryptsetup.c:2513
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -1943,77 +2219,84 @@ msgstr ""
 "који омогућава приступ шифрованој партицији без лозинке.\n"
 "Овај избачај треба бити смештен шифрован на безбедном месту."
 
-#: src/cryptsetup.c:709 src/cryptsetup.c:739
+#: src/cryptsetup.c:745 src/cryptsetup.c:777
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Уређај „%s“ није исправан FVAULT2 уређај."
 
-#: src/cryptsetup.c:747
+#: src/cryptsetup.c:785
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Не могу да одредим величину кључа волумена за FVAULT2, користите „--key-size“ опцију."
 
-#: src/cryptsetup.c:801 src/veritysetup.c:323 src/integritysetup.c:400
+#: src/cryptsetup.c:839 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Уређај „%s“ је још увек активан и заказан за одложено уклањање.\n"
 
-#: src/cryptsetup.c:835
+#: src/cryptsetup.c:872 src/cryptsetup.c:1801 src/cryptsetup.c:2075
+#: src/cryptsetup.c:2222 src/cryptsetup.c:2641 src/cryptsetup.c:2722
+#: src/cryptsetup.c:3255
+#, c-format
+msgid "Failed to set external tokens path %s."
+msgstr "Нисам успео да поставим спољну путању скупина „%s“."
+
+#: src/cryptsetup.c:881
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Сразмеравање активног уређаја захтева кључ волумена у привеску кључева али је постављена „--disable-keyring“ опција."
 
-#: src/cryptsetup.c:982
+#: src/cryptsetup.c:1050
 msgid "Benchmark interrupted."
 msgstr "Оцењивање је прекинуто."
 
-#: src/cryptsetup.c:1003
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "„PBKDF2-%-9s“     Н/Д\n"
 
-#: src/cryptsetup.c:1005
+#: src/cryptsetup.c:1073
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "„PBKDF2-%-9s“ %7u понављања у секунди за %zu-битни кључ\n"
 
-#: src/cryptsetup.c:1019
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s Н/Д\n"
 
-#: src/cryptsetup.c:1021
+#: src/cryptsetup.c:1089
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u понављања, %5u меморије, %1u паралелних нити (процесора) за %zu-битни кључ (захтева се %u ms време)\n"
 
-#: src/cryptsetup.c:1045
+#: src/cryptsetup.c:1113
 msgid "Result of benchmark is not reliable."
 msgstr "Резултат оцењивања није поуздан."
 
-#: src/cryptsetup.c:1095
+#: src/cryptsetup.c:1163
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Пробе су приближне користећи само меморију (без УИ смештаја).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1115
+#: src/cryptsetup.c:1188
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s  Алгоритам |     Кључ |      Шифровање |      Дешифровање\n"
 
-#: src/cryptsetup.c:1119
+#: src/cryptsetup.c:1196
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Шифрер „%s“ (са %i битним кључем) није доступан."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1138
+#: src/cryptsetup.c:1215
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Алгоритам |      Кључ |       Шифровање |      Дешифровање\n"
 
-#: src/cryptsetup.c:1149
+#: src/cryptsetup.c:1226
 msgid "N/A"
 msgstr "Недоступно"
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1251
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2021,27 +2304,27 @@ msgstr ""
 "Откривени су незаштићени ЛУКС2 метаподаци поновног шифровања. Проверите да ли је радња поновног шифровања пожељна (видите „luksDump“ излаз)\n"
 "и наставите (са надоградњом метаподатака само ако знате да је радња безопасна."
 
-#: src/cryptsetup.c:1180
+#: src/cryptsetup.c:1257
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Унесите пропусну реч да заштитите и надоградите метаподатке поновног шифровања: "
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1301
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Да наставим са опоравком ЛУКС2 поновног шифровања?"
 
-#: src/cryptsetup.c:1233
+#: src/cryptsetup.c:1310
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Унесите пропусну реч да проверите упит метаподатака поновног шифровања: "
 
-#: src/cryptsetup.c:1235
+#: src/cryptsetup.c:1312
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Унесите пропусну реч за опоравак поновног шифровања: "
 
-#: src/cryptsetup.c:1290
+#: src/cryptsetup.c:1374
 msgid "Really try to repair LUKS device header?"
 msgstr "Стварно да покушам да поправим заглавље ЛУКС уређаја?"
 
-#: src/cryptsetup.c:1314 src/integritysetup.c:89 src/integritysetup.c:238
+#: src/cryptsetup.c:1402 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2049,7 +2332,7 @@ msgstr ""
 "\n"
 "Брисање је прекинуто."
 
-#: src/cryptsetup.c:1319 src/integritysetup.c:94 src/integritysetup.c:275
+#: src/cryptsetup.c:1407 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2057,128 +2340,167 @@ msgstr ""
 "Бришем уређај да бих започео суму провере целовитости.\n"
 "Можете прекинути ово притиском на „CTRL+c“ (остатак необрисаног уређаја садржаће неисправну суму провере).\n"
 
-#: src/cryptsetup.c:1341 src/integritysetup.c:116
+#: src/cryptsetup.c:1429 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Не могу да деактивирам привремени уређај „%s“."
 
-#: src/cryptsetup.c:1392
+#: src/cryptsetup.c:1477
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "OPAL hw-only шифровање не подржава „--cipher“ и „--key-size“, опције су занемарене."
+
+#: src/cryptsetup.c:1490
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Опција целовитости се може користити само за ЛУКС2 запис."
 
-#: src/cryptsetup.c:1397 src/cryptsetup.c:1457
+#: src/cryptsetup.c:1495 src/cryptsetup.c:1575
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Неподржана опција величине ЛУКС2 метаподатака."
 
-#: src/cryptsetup.c:1406
+#: src/cryptsetup.c:1500
+msgid "OPAL is supported only for LUKS2 format."
+msgstr "OPAL је подржано само за LUKS2 запис."
+
+#: src/cryptsetup.c:1505
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Унутарње хардверске ознаке су подржане само за LUKS2 запис."
+
+#: src/cryptsetup.c:1514
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Датотека заглавља не постоји, да ли желите да је направите?"
 
-#: src/cryptsetup.c:1414
+#: src/cryptsetup.c:1522
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Не могу да направим датотеку заглавља „%s“."
 
-#: src/cryptsetup.c:1437 src/integritysetup.c:144 src/integritysetup.c:152
-#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
-#: src/integritysetup.c:333
+#: src/cryptsetup.c:1548 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Није откривен познат образац одреднице целовитости."
 
-#: src/cryptsetup.c:1450
+#: src/cryptsetup.c:1550
+msgid "Cannot use specified integrity key size."
+msgstr "Не могу да користим наведену величину кључа целовитости."
+
+#: src/cryptsetup.c:1568
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Не могу да користим „%s“ као заглавље на-диску."
 
-#: src/cryptsetup.c:1474 src/integritysetup.c:181
+#: src/cryptsetup.c:1597 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Ово ће неповратно да препише податке на „%s“."
 
-#: src/cryptsetup.c:1507 src/cryptsetup.c:1853 src/cryptsetup.c:1993
-#: src/cryptsetup.c:2148 src/cryptsetup.c:2214 src/utils_reencrypt_luks1.c:443
+#: src/cryptsetup.c:1634
+msgid "OPAL Admin password cannot be empty."
+msgstr "Лозинка OPAL админа не може бити празна."
+
+#: src/cryptsetup.c:1648 src/cryptsetup.c:2092 src/cryptsetup.c:2235
+#: src/cryptsetup.c:2370 src/cryptsetup.c:2436 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Нисам успео да подесим „pbkdf“ параметре."
 
-#: src/cryptsetup.c:1593
+#: src/cryptsetup.c:1779
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Смањени померај података је допуштен само за откачена ЛУКС заглавља."
 
-#: src/cryptsetup.c:1600
+#: src/cryptsetup.c:1786
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Садржалац ЛУКС датотеке „%s“ је премали за активирање, није преостао простор за податке."
 
-#: src/cryptsetup.c:1612 src/cryptsetup.c:1999
+#: src/cryptsetup.c:1828 src/cryptsetup.c:2241 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Не могу да одредим величину кључа за ЛУКС без утора кључа, користите „--key-size“ опцију."
 
-#: src/cryptsetup.c:1658
+#: src/cryptsetup.c:1847 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Уређај захтева два кључа волумена."
+
+#: src/cryptsetup.c:1882
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Неки наведени параметри активирања су занемарени са „OPAL hw-only“ шифровањем."
+
+#: src/cryptsetup.c:1887
 msgid "Device activated but cannot make flags persistent."
 msgstr "Уређај је активиран али не могу да учиним заставице трајним."
 
-#: src/cryptsetup.c:1737 src/cryptsetup.c:1805
+#: src/cryptsetup.c:1967 src/cryptsetup.c:2035
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Утор кључа „%d“ је изабран за брисање."
 
-#: src/cryptsetup.c:1749 src/cryptsetup.c:1809
+#: src/cryptsetup.c:1979 src/cryptsetup.c:2039
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Ово је последњи утор кључа. Уређај ће постати неупотребљив након чишћења овог кључа."
 
-#: src/cryptsetup.c:1750
+#: src/cryptsetup.c:1980
 msgid "Enter any remaining passphrase: "
 msgstr "Унесите неку преосталу пропусну реч: "
 
-#: src/cryptsetup.c:1751 src/cryptsetup.c:1811
+#: src/cryptsetup.c:1981 src/cryptsetup.c:2041
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Радња је прекинута, утор кључа НИЈЕ обрисан.\n"
 
-#: src/cryptsetup.c:1787
+#: src/cryptsetup.c:2017
 msgid "Enter passphrase to be deleted: "
 msgstr "Унесите пропусну реч за брисање: "
 
-#: src/cryptsetup.c:1837 src/cryptsetup.c:2197 src/cryptsetup.c:2781
-#: src/cryptsetup.c:2948
+#: src/cryptsetup.c:2067 src/cryptsetup.c:2419 src/cryptsetup.c:3079
+#: src/cryptsetup.c:3246
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Уређај „%s“ није исправан ЛУКС2 уређај."
 
-#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
+#: src/cryptsetup.c:2106 src/cryptsetup.c:2305
 msgid "Enter new passphrase for key slot: "
 msgstr "Унесите нову пропусну реч за утор кључа: "
 
-#: src/cryptsetup.c:1968
+#: src/cryptsetup.c:2140 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Унесите ПИН скупине: "
+
+#: src/cryptsetup.c:2142 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Унесите %d ПИН скупине: "
+
+#: src/cryptsetup.c:2201
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "УПОЗОРЕЊЕ: Параметар „--key-slot“ се користи за нови број утора кључа.\n"
 
-#: src/cryptsetup.c:2028 src/utils_reencrypt_luks1.c:1149
+#: src/cryptsetup.c:2278 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Унесите неку постојећу пропусну реч: "
 
-#: src/cryptsetup.c:2152
+#: src/cryptsetup.c:2374
 msgid "Enter passphrase to be changed: "
 msgstr "Унесите пропусну реч за мењање: "
 
-#: src/cryptsetup.c:2168 src/utils_reencrypt_luks1.c:1135
+#: src/cryptsetup.c:2390 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Унесите нову пропусну реч: "
 
-#: src/cryptsetup.c:2218
+#: src/cryptsetup.c:2440
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Унесите пропусну реч за утор кључа за претварање: "
 
-#: src/cryptsetup.c:2242
+#: src/cryptsetup.c:2464
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Подржан је само један аргумент уређаја за радњу „isLuks“."
 
-#: src/cryptsetup.c:2350
+#: src/cryptsetup.c:2569
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Утор кључа %d не садржи несвезани кључ."
 
-#: src/cryptsetup.c:2355
+#: src/cryptsetup.c:2574
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2186,40 +2508,52 @@ msgstr ""
 "Избачај заглавља са кључем волумена је осетљив податак\n"
 "Овај избачај треба увек бити смештен шифрован на безбедном месту."
 
-#: src/cryptsetup.c:2441 src/cryptsetup.c:2470
+#: src/cryptsetup.c:2669 src/cryptsetup.c:2705
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "„%s“ није назив активног „%s“ уређаја."
 
-#: src/cryptsetup.c:2465
+#: src/cryptsetup.c:2700
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "„%s“ није назив активног ЛУКС уређаја или недостаје заглавље."
 
-#: src/cryptsetup.c:2527 src/cryptsetup.c:2546
+#: src/cryptsetup.c:2777 src/cryptsetup.c:2796
 msgid "Option --header-backup-file is required."
 msgstr "Захтевана је опција „--header-backup-file“."
 
-#: src/cryptsetup.c:2577
+#: src/cryptsetup.c:2827
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "„%s“ није уређај управљан криптоподешавањем."
 
-#: src/cryptsetup.c:2588
+#: src/cryptsetup.c:2838
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Освежавање није подржано за врсту уређаја „%s“"
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2888
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Непозната врста уређаја метаподатака „%s“."
 
-#: src/cryptsetup.c:2640
+#: src/cryptsetup.c:2890
 msgid "Command requires device and mapped name as arguments."
 msgstr "Наредба захтева уређај и мапирани назив као аргумент."
 
-#: src/cryptsetup.c:2661
+#: src/cryptsetup.c:2908
+msgid "Enter OPAL PSID: "
+msgstr "Унесите OPAL ПСИД: "
+
+#: src/cryptsetup.c:2908
+msgid "Enter OPAL Admin password: "
+msgstr "Унесите лозинку OPAL админа: "
+
+#: src/cryptsetup.c:2916
+msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
+msgstr "УПОЗОРЕЊЕ: ЧИТАВ диск биће враћен на фабричка подешавања и сви подаци биће изгубљени! Да наставим?"
+
+#: src/cryptsetup.c:2959
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2228,351 +2562,363 @@ msgstr ""
 "Ова радња ће обрисати све уторе кључева на уређају „%s“.\n"
 "Уређај ће постати неупотребљив након ове радње."
 
-#: src/cryptsetup.c:2668
+#: src/cryptsetup.c:2966
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Радња је прекинута, утори кључева НИСУ обрисани.\n"
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:3005
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Неисправна ЛУКС врста, само „luks1“ и „luks2“ су подржане."
 
-#: src/cryptsetup.c:2723
+#: src/cryptsetup.c:3021
 #, c-format
 msgid "Device is already %s type."
 msgstr "Уређај је већ „%s“ врсте."
 
-#: src/cryptsetup.c:2730
+#: src/cryptsetup.c:3028
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Ова радња ће претворити „%s“ у „%s“ запис.\n"
 
-#: src/cryptsetup.c:2733
+#: src/cryptsetup.c:3031
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Радња је прекинута, уређај НИЈЕ претворен.\n"
 
-#: src/cryptsetup.c:2773
+#: src/cryptsetup.c:3071
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Недостаје опција „--priority“, „--label“ или „--subsystem“."
 
-#: src/cryptsetup.c:2807 src/cryptsetup.c:2847 src/cryptsetup.c:2867
+#: src/cryptsetup.c:3105 src/cryptsetup.c:3145 src/cryptsetup.c:3165
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Скупина „%d“ није исправна."
 
-#: src/cryptsetup.c:2810 src/cryptsetup.c:2870
+#: src/cryptsetup.c:3108 src/cryptsetup.c:3168
 #, c-format
 msgid "Token %d in use."
 msgstr "Скупина „%d“ је у употреби."
 
-#: src/cryptsetup.c:2822
+#: src/cryptsetup.c:3120
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Нисам успео да додам „luks2-keyring“ скупину „%d“."
 
-#: src/cryptsetup.c:2833 src/cryptsetup.c:2896
+#: src/cryptsetup.c:3131 src/cryptsetup.c:3194
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Нисам успео да доделим скупину „%d“ утору кључа %d."
 
-#: src/cryptsetup.c:2850
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Скупина „%d“ није у употреби."
 
-#: src/cryptsetup.c:2887
+#: src/cryptsetup.c:3185
 msgid "Failed to import token from file."
 msgstr "Нисам успео да увезем скупину из датотеке."
 
-#: src/cryptsetup.c:2912
+#: src/cryptsetup.c:3210
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Нисам успео да добавим скупину „%d“ за извоз."
 
-#: src/cryptsetup.c:2925
+#: src/cryptsetup.c:3223
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Скупина „%d“ није додељена утору кључа %d."
 
-#: src/cryptsetup.c:2927 src/cryptsetup.c:2934
+#: src/cryptsetup.c:3225 src/cryptsetup.c:3232
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Нисам успео да поништим доделу скупине „%d“ из утора кључа %d."
 
-#: src/cryptsetup.c:2983
+#: src/cryptsetup.c:3291
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Опција „--tcrypt-hidden“, „--tcrypt-system“ или „--tcrypt-backup“ је подржана само за ТКРИПТ уређај."
 
-#: src/cryptsetup.c:2986
+#: src/cryptsetup.c:3294
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Опција „--veracrypt“ или „--disable-veracrypt“ је подржана само за ТКРИПТ врсту уређаја."
 
-#: src/cryptsetup.c:2989
+#: src/cryptsetup.c:3297
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Опција „--veracrypt-pim“ је подржана само за „VeraCrypt“ сагласне уређаје."
 
-#: src/cryptsetup.c:2993
+#: src/cryptsetup.c:3301
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Опција „--veracrypt-query-pim“ је подржана само за „VeraCrypt“ сагласне уређаје."
 
-#: src/cryptsetup.c:2995
+#: src/cryptsetup.c:3303
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Опције „--veracrypt-pim“ и „--veracrypt-query-pim“ се узајамно искључују."
 
-#: src/cryptsetup.c:3004
+#: src/cryptsetup.c:3312
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Опција „--persistent“ није допуштена са опцијом „--test-passphrase“."
 
-#: src/cryptsetup.c:3007
+#: src/cryptsetup.c:3315
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Опције „--refresh“ и „--test-passphrase“ се узајамно искључују."
 
-#: src/cryptsetup.c:3010
+#: src/cryptsetup.c:3318
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Опција „--shared“ је допуштена само за отварање обичног уређаја."
 
-#: src/cryptsetup.c:3013
+#: src/cryptsetup.c:3321
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Опција „--skip“ је подржана само за отварање обичних и упетљаних уређаја."
 
-#: src/cryptsetup.c:3016
+#: src/cryptsetup.c:3324
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Опција „--offset“ са отвореном радњом је подржана само за обичне и упетљане уређаје."
 
-#: src/cryptsetup.c:3019
+#: src/cryptsetup.c:3327
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Опција „--tcrypt-hidden“ не може бити обједињена са „--allow-discards“."
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:3331
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Опција величине одељка са отвореном радњом је подржана само за обичне уређаје."
 
-#: src/cryptsetup.c:3027
+#: src/cryptsetup.c:3335
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Опција великих IV одељака је подржана само за отварање обичних уређаја са величином одељка већом од 512 бајта."
 
-#: src/cryptsetup.c:3032
+#: src/cryptsetup.c:3340
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Опција „--test-passphrase“ је допуштена само за отварање LUKS, TCRYPT, BITLK и FVAULT2 уређаја."
 
-#: src/cryptsetup.c:3035 src/cryptsetup.c:3058
+#: src/cryptsetup.c:3343 src/cryptsetup.c:3373
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Опције „--device-size“ и „--size“ се не могу комбиновати."
 
-#: src/cryptsetup.c:3038
+#: src/cryptsetup.c:3346
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Опција „--unbound“ је допуштена само за отварање лукс уређаја."
 
-#: src/cryptsetup.c:3041
+#: src/cryptsetup.c:3349
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Опција „--unbound“ се не може користити без „--test-passphrase“."
 
-#: src/cryptsetup.c:3050 src/veritysetup.c:668 src/integritysetup.c:755
+#: src/cryptsetup.c:3353
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Опција „--volume-key-keyring“ не може бити обједињена са „--hash“ или „--volume-key-file“."
+
+#: src/cryptsetup.c:3356
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Обе „--volume-key-file“ опције се морају упарити са одговарајућим „--key-size“ опцијама."
+
+#: src/cryptsetup.c:3365 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Опције „--cancel-deferred“ и „--deferred“ се не могу користити у исто време."
 
-#: src/cryptsetup.c:3066
-msgid "Options --reduce-device-size and --data-size cannot be combined."
-msgstr "Опције „--reduce-device-size“ и „--data-size“ се не могу комбиновати."
-
-#: src/cryptsetup.c:3069
+#: src/cryptsetup.c:3381
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Опција „--active-name“ се може поставити само за ЛУКС2 уређај."
 
-#: src/cryptsetup.c:3072
+#: src/cryptsetup.c:3384
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Опције „--active-name“ и „--force-offline-reencrypt“ се не могу комбиновати."
 
-#: src/cryptsetup.c:3080 src/cryptsetup.c:3110
+#: src/cryptsetup.c:3387
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Опције „--new-volume-key-file“ и „--keep-key“ се не могу комбиновати."
+
+#: src/cryptsetup.c:3390
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Опције „--new-volume-key-keyring“ и „--keep-key“ се не могу комбиновати."
+
+#: src/cryptsetup.c:3398 src/cryptsetup.c:3428
 msgid "Keyslot specification is required."
 msgstr "Одредба утора кључа је потребна."
 
-#: src/cryptsetup.c:3088
+#: src/cryptsetup.c:3406
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Опције „--align-payload“ и „--offset“ се не могу комбиновати."
 
-#: src/cryptsetup.c:3091
+#: src/cryptsetup.c:3409
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Опција „--integrity-no-wipe“ се може користити само за радњу форматирања са проширењем целовитости."
 
-#: src/cryptsetup.c:3094
+#: src/cryptsetup.c:3412
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Дозвољена је само једна опција „--use-[u]random“."
 
-#: src/cryptsetup.c:3102
+#: src/cryptsetup.c:3420
 msgid "Key size is required with --unbound option."
 msgstr "Величина кључа је потребна са опцијом „--unbound“."
 
-#: src/cryptsetup.c:3122
+#: src/cryptsetup.c:3440
 msgid "Invalid token action."
 msgstr "Неисправна радња скупине."
 
-#: src/cryptsetup.c:3125
+#: src/cryptsetup.c:3443
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "„--key-description“ параметар је обавезан за радњу додавања скупине."
 
-#: src/cryptsetup.c:3129 src/cryptsetup.c:3142
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3460
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Радња захтева нарочиту скупину. Користите параметар „--token-id“."
 
-#: src/cryptsetup.c:3133
+#: src/cryptsetup.c:3451
 msgid "Option --unbound is valid only with token add action."
 msgstr "Опција „--unbound“ је исправна само са радњом додавања скупине."
 
-#: src/cryptsetup.c:3135
+#: src/cryptsetup.c:3453
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Опције „--key-slot“ и „--unbound“ се не могу комбиновати."
 
-#: src/cryptsetup.c:3140
+#: src/cryptsetup.c:3458
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Радња захтева нарочити утор кључа. Користите параметар „--key-slot“."
 
-#: src/cryptsetup.c:3156
+#: src/cryptsetup.c:3474
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<уређај> [--type <врста>] [<назив>]"
 
-#: src/cryptsetup.c:3156 src/veritysetup.c:491 src/integritysetup.c:535
+#: src/cryptsetup.c:3474 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "отвара уређај као <назив>"
 
-#: src/cryptsetup.c:3157 src/cryptsetup.c:3158 src/cryptsetup.c:3159
-#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:536
-#: src/integritysetup.c:537 src/integritysetup.c:539
+#: src/cryptsetup.c:3475 src/cryptsetup.c:3476 src/cryptsetup.c:3477
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<назив>"
 
-#: src/cryptsetup.c:3157 src/veritysetup.c:492 src/integritysetup.c:536
+#: src/cryptsetup.c:3475 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "затвара уређај (уклања мапирање)"
 
-#: src/cryptsetup.c:3158 src/integritysetup.c:539
+#: src/cryptsetup.c:3476 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "мења величину радног уређаја"
 
-#: src/cryptsetup.c:3159
+#: src/cryptsetup.c:3477
 msgid "show device status"
 msgstr "показује стање уређаја"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3478
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <шифрер>]"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3478
 msgid "benchmark cipher"
 msgstr "шифрер оцењивања"
 
-#: src/cryptsetup.c:3161 src/cryptsetup.c:3162 src/cryptsetup.c:3163
-#: src/cryptsetup.c:3164 src/cryptsetup.c:3165 src/cryptsetup.c:3172
-#: src/cryptsetup.c:3173 src/cryptsetup.c:3174 src/cryptsetup.c:3175
-#: src/cryptsetup.c:3176 src/cryptsetup.c:3177 src/cryptsetup.c:3178
-#: src/cryptsetup.c:3179 src/cryptsetup.c:3180 src/cryptsetup.c:3181
+#: src/cryptsetup.c:3479 src/cryptsetup.c:3480 src/cryptsetup.c:3481
+#: src/cryptsetup.c:3482 src/cryptsetup.c:3483 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3494 src/cryptsetup.c:3495 src/cryptsetup.c:3496
+#: src/cryptsetup.c:3497 src/cryptsetup.c:3498 src/cryptsetup.c:3499
 msgid "<device>"
 msgstr "<уређај>"
 
-#: src/cryptsetup.c:3161
+#: src/cryptsetup.c:3479
 msgid "try to repair on-disk metadata"
 msgstr "покушава да поправи метаподатке на-диску"
 
-#: src/cryptsetup.c:3162
+#: src/cryptsetup.c:3480
 msgid "reencrypt LUKS2 device"
-msgstr "ЛУКС2 уређај поновног шифровања"
+msgstr "поново шифрујем ЛУКС2 уређај"
 
-#: src/cryptsetup.c:3163
+#: src/cryptsetup.c:3481
 msgid "erase all keyslots (remove encryption key)"
 msgstr "брише све уторе кључева (уклања кључ шифровања)"
 
-#: src/cryptsetup.c:3164
+#: src/cryptsetup.c:3482
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "претвара ЛУКС из/у ЛУКС2 запис"
 
-#: src/cryptsetup.c:3165
+#: src/cryptsetup.c:3483
 msgid "set permanent configuration options for LUKS2"
 msgstr "поставља трајне опције подешавања за ЛУКС2"
 
-#: src/cryptsetup.c:3166 src/cryptsetup.c:3167
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485
 msgid "<device> [<new key file>]"
 msgstr "<уређај> [<нова датотека кључа>]"
 
-#: src/cryptsetup.c:3166
+#: src/cryptsetup.c:3484
 msgid "formats a LUKS device"
 msgstr "форматира ЛУКС уређај"
 
-#: src/cryptsetup.c:3167
+#: src/cryptsetup.c:3485
 msgid "add key to LUKS device"
 msgstr "додаје кључ у ЛУКС уређај"
 
-#: src/cryptsetup.c:3168 src/cryptsetup.c:3169 src/cryptsetup.c:3170
+#: src/cryptsetup.c:3486 src/cryptsetup.c:3487 src/cryptsetup.c:3488
 msgid "<device> [<key file>]"
 msgstr "<уређај> [<датотека кључа>]"
 
-#: src/cryptsetup.c:3168
+#: src/cryptsetup.c:3486
 msgid "removes supplied key or key file from LUKS device"
 msgstr "уклања достављени кључ или датотеку кључа из ЛУКС уређаја"
 
-#: src/cryptsetup.c:3169
+#: src/cryptsetup.c:3487
 msgid "changes supplied key or key file of LUKS device"
 msgstr "мења достављени кључ или датотеку кључа ЛУКС уређаја"
 
-#: src/cryptsetup.c:3170
+#: src/cryptsetup.c:3488
 msgid "converts a key to new pbkdf parameters"
 msgstr "претвара кључ у нове „pbkdf“ параметре"
 
-#: src/cryptsetup.c:3171
+#: src/cryptsetup.c:3489
 msgid "<device> <key slot>"
 msgstr "<уређај> <утор кључа>"
 
-#: src/cryptsetup.c:3171
+#: src/cryptsetup.c:3489
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "брише кључ са бројем <утор кључа> са ЛУКС уређаја"
 
-#: src/cryptsetup.c:3172
+#: src/cryptsetup.c:3490
 msgid "print UUID of LUKS device"
 msgstr "исписује УЈИБ ЛУКС уређаја"
 
-#: src/cryptsetup.c:3173
+#: src/cryptsetup.c:3491
 msgid "tests <device> for LUKS partition header"
 msgstr "испробава <уређај> за заглављем ЛУКС партиције"
 
-#: src/cryptsetup.c:3174
+#: src/cryptsetup.c:3492
 msgid "dump LUKS partition information"
 msgstr "исписује податке ЛУКС партиције"
 
-#: src/cryptsetup.c:3175
+#: src/cryptsetup.c:3493
 msgid "dump TCRYPT device information"
 msgstr "исписује податке ТКРИПТ уређаја"
 
-#: src/cryptsetup.c:3176
+#: src/cryptsetup.c:3494
 msgid "dump BITLK device information"
 msgstr "исписује податке „BITLK“ уређаја"
 
-#: src/cryptsetup.c:3177
+#: src/cryptsetup.c:3495
 msgid "dump FVAULT2 device information"
 msgstr "исписује податке „FVAULT2“ уређаја"
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3496
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Обуставља ЛУКС уређај и брише кључ (сви УИ су замрзнути)"
 
-#: src/cryptsetup.c:3179
+#: src/cryptsetup.c:3497
 msgid "Resume suspended LUKS device"
 msgstr "Наставља са обустављеним ЛУКС уређајем"
 
-#: src/cryptsetup.c:3180
+#: src/cryptsetup.c:3498
 msgid "Backup LUKS device header and keyslots"
 msgstr "Прави резерву заглавља „LUKS“ уређаја и утора кључева"
 
-#: src/cryptsetup.c:3181
+#: src/cryptsetup.c:3499
 msgid "Restore LUKS device header and keyslots"
 msgstr "Враћа заглавље „LUKS“ уређаја и уторе кључева"
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3500
 msgid "<add|remove|import|export> <device>"
 msgstr "<додај|уклони|увези|извези> <уређај>"
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3500
 msgid "Manipulate LUKS2 tokens"
 msgstr "Управља ЛУКС2 скупинама"
 
-#: src/cryptsetup.c:3201 src/veritysetup.c:509 src/integritysetup.c:554
+#: src/cryptsetup.c:3519 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2580,7 +2926,7 @@ msgstr ""
 "\n"
 "<радња> је једна од следећих:\n"
 
-#: src/cryptsetup.c:3207
+#: src/cryptsetup.c:3525
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2592,7 +2938,7 @@ msgstr ""
 "\tотвори: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tзатвори: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3529
 #, c-format
 msgid ""
 "\n"
@@ -2607,7 +2953,7 @@ msgstr ""
 "<утор кључа> је број ЛУКС утора кључа за мењање\n"
 "<датотека кључа> изборна датотека кључа за нови кључ за радњу „luksAddKey“\n"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3536
 #, c-format
 msgid ""
 "\n"
@@ -2616,29 +2962,28 @@ msgstr ""
 "\n"
 "Основни уграђени запис метаподатака је „%s“ (за „luksFormat“ радњу).\n"
 
-#: src/cryptsetup.c:3223 src/cryptsetup.c:3226
-#, c-format
+#: src/cryptsetup.c:3541
 msgid ""
 "\n"
-"LUKS2 external token plugin support is %s.\n"
+"LUKS2 external token plugin support is enabled.\n"
 msgstr ""
 "\n"
-"Подршка прикључка спољне скупине за „LUKS2“ је „%s“.\n"
-
-#: src/cryptsetup.c:3223
-msgid "compiled-in"
-msgstr "преведено"
+"Подршка прикључка спољне скупине за LUKS2 је укључена.\n"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3542
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Путања прикључка спољне скупине за „LUKS2“: %s.\n"
 
-#: src/cryptsetup.c:3226
-msgid "disabled"
-msgstr "искључено"
+#: src/cryptsetup.c:3544
+msgid ""
+"\n"
+"LUKS2 external token plugin support is disabled.\n"
+msgstr ""
+"\n"
+"Подршка прикључка спољне скупине за LUKS2 је искључена.\n"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3548
 #, c-format
 msgid ""
 "\n"
@@ -2655,7 +3000,7 @@ msgstr ""
 "Основни „PBKDF“ за ЛУКС2: %s\n"
 "\tВреме понављања: %d, Захтевана меморија: %dkB, Паралелне нити: %d\n"
 
-#: src/cryptsetup.c:3241
+#: src/cryptsetup.c:3559
 #, c-format
 msgid ""
 "\n"
@@ -2670,189 +3015,215 @@ msgstr ""
 "\tобично: %s, Кључ: %d бита, Хеширање лозинке: %s\n"
 "\tЛУКС: %s, Кључ: %d бита, Хеширање ЛУКС заглавља: %s, РНГ: %s\n"
 
-#: src/cryptsetup.c:3250
+#: src/cryptsetup.c:3568
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tЛУКС: Основна величина кључа са „XTS“ режимом (два унутрашња кључа) биће удвостручена.\n"
 
-#: src/cryptsetup.c:3268 src/veritysetup.c:648 src/integritysetup.c:711
+#: src/cryptsetup.c:3586 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: захтева „%s“ као аргумент"
 
-#: src/cryptsetup.c:3308 src/utils_reencrypt_luks1.c:1198
+#: src/cryptsetup.c:3626 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Утор кључа није исправан."
 
-#: src/cryptsetup.c:3335
+#: src/cryptsetup.c:3654
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Величина уређаја мора бити умножак одељка од 512 бајта."
 
-#: src/cryptsetup.c:3340
+#: src/cryptsetup.c:3659
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Неисправна одредба највеће величине вруће зоне поновног шифровања."
 
-#: src/cryptsetup.c:3354 src/cryptsetup.c:3366
+#: src/cryptsetup.c:3673 src/cryptsetup.c:3690 src/cryptsetup.c:3702
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Величина кључа мора бити умножак од 8 бита"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3680
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Могу се доставити одредбе величине највише 2 кључа."
+
+#: src/cryptsetup.c:3709 src/cryptsetup.c:3720
+#, c-format
+msgid "At most %d volume key specifications can be supplied."
+msgstr "Највише %d одредбе кључа волумена се могу доставити."
+
+#: src/cryptsetup.c:3732
+#, c-format
+msgid "At most %d keyring link specifications can be supplied."
+msgstr "Највише %d одредбе везе привеска кључева се могу доставити."
+
+#: src/cryptsetup.c:3741
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Највећа величина смањења уређаја је 1 GiB."
 
-#: src/cryptsetup.c:3374
+#: src/cryptsetup.c:3744
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Величина смањивања мора бити умножак одељка од 512 бајта."
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3761
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Опција „--priority“ може бити само „ignore/normal/prefer“."
 
-#: src/cryptsetup.c:3410 src/veritysetup.c:572 src/integritysetup.c:634
+#: src/cryptsetup.c:3780 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Приказује ову поруку помоћи"
 
-#: src/cryptsetup.c:3411 src/veritysetup.c:573 src/integritysetup.c:635
+#: src/cryptsetup.c:3781 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Прикажите кратку поруку о коришћењу"
 
-#: src/cryptsetup.c:3412 src/veritysetup.c:574 src/integritysetup.c:636
+#: src/cryptsetup.c:3782 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Исписује издање пакета"
 
-#: src/cryptsetup.c:3423 src/veritysetup.c:585 src/integritysetup.c:647
+#: src/cryptsetup.c:3793 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Опције помоћи:"
 
-#: src/cryptsetup.c:3443 src/veritysetup.c:603 src/integritysetup.c:664
+#: src/cryptsetup.c:3816 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[ОПЦИЈА...] <радња> <посебност-радње>"
 
-#: src/cryptsetup.c:3452 src/veritysetup.c:612 src/integritysetup.c:675
+#: src/cryptsetup.c:3825 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Недостаје аргумент <радња>."
 
-#: src/cryptsetup.c:3528 src/veritysetup.c:643 src/integritysetup.c:706
+#: src/cryptsetup.c:3904 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Непозната радња."
 
-#: src/cryptsetup.c:3546
+#: src/cryptsetup.c:3922
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Опција „--key-file“ има првенство над наведеним аргументом датотеке кључа."
 
-#: src/cryptsetup.c:3552
+#: src/cryptsetup.c:3928
 msgid "Only one --key-file argument is allowed."
 msgstr "Дозвољен је само један аргумент „--key-file“."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3933
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Функција произилажења кључа заснованог на пропусној речи (PBKDF) може бити само „pbkdf2“ или „argon2i/argon2id“."
 
-#: src/cryptsetup.c:3562
+#: src/cryptsetup.c:3938
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "„PBKDF“ присиљена понављања се не могу комбиновати са опцијом времена понављања."
 
-#: src/cryptsetup.c:3573
+#: src/cryptsetup.c:3943
+msgid "Cannot link volume key to a keyring when keyring is disabled."
+msgstr "Не могу да свежем кључ волумена на привезак кључева када је привезак искључен."
+
+#: src/cryptsetup.c:3948
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Не могу да користим опис кључа привеска када је привезак искључен."
+
+#: src/cryptsetup.c:3953
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Унутарња целовитост се мора користити заједно са опцијом „--integrity“."
+
+#: src/cryptsetup.c:3964
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Опције „--keyslot-cipher“ и „--keyslot-key-size“ се морају користити заједно."
 
-#: src/cryptsetup.c:3581
+#: src/cryptsetup.c:3972
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Није предузета никаква радња. Призвана опцијом „--test-args“.\n"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3985
 msgid "Cannot disable metadata locking."
 msgstr "Не могу да искључим закључавање метаподатака."
 
-#: src/veritysetup.c:54
+#: src/veritysetup.c:41
 msgid "Invalid salt string specified."
 msgstr "Наведена је неисправна ниска присолка."
 
-#: src/veritysetup.c:87
+#: src/veritysetup.c:74
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Не могу да направим хеш слику „%s“ ради уписа."
 
-#: src/veritysetup.c:97
+#: src/veritysetup.c:84
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Не могу да направим „FEC“ слику „%s“ ради уписа."
 
-#: src/veritysetup.c:136
+#: src/veritysetup.c:123
 #, c-format
 msgid "Cannot create root hash file %s for writing."
 msgstr "Не могу да направим корену хеш датотеку „%s“ ради уписа."
 
-#: src/veritysetup.c:143
+#: src/veritysetup.c:130
 #, c-format
 msgid "Cannot write to root hash file %s."
 msgstr "Не могу да пишем у корену хеш датотеку „%s“."
 
-#: src/veritysetup.c:198 src/veritysetup.c:476
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Уређај „%s“ није исправан „VERITY“ уређај."
 
-#: src/veritysetup.c:215 src/veritysetup.c:232
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Не могу да читам корену хеш датотеку „%s“."
 
-#: src/veritysetup.c:220
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Неисправна корена хеш датотека „%s“."
 
-#: src/veritysetup.c:241
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "Наведена је неисправна ниска хеша корена."
 
-#: src/veritysetup.c:249
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Неисправна датотека потписа „%s“."
 
-#: src/veritysetup.c:256
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Не могу да прочитам датотеку потписа „%s“."
 
-#: src/veritysetup.c:279 src/veritysetup.c:293
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Наредба захтева „<root_hash>“ или „--root-hash-file“ опцију као аргумент."
 
-#: src/veritysetup.c:489
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<уређај_података> <уређај_хеша>"
 
-#: src/veritysetup.c:489 src/integritysetup.c:534
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "форматира уређај"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<уређај_података> <уређај_хеша> [<хеш_корена>]"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "проверава уређај"
 
-#: src/veritysetup.c:491
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<уређај_података> <назив> <уређај_хеша> [<хеш_корена>]"
 
-#: src/veritysetup.c:493 src/integritysetup.c:537
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "показује стање радног уређаја"
 
-#: src/veritysetup.c:494
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<уређај_хеша>"
 
-#: src/veritysetup.c:494 src/integritysetup.c:538
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "приказује податке на-диску"
 
-#: src/veritysetup.c:513
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -2867,7 +3238,7 @@ msgstr ""
 "<уређај_хеша> јесте уређај који садржи податке проверавања\n"
 "<хеш_корена> хеш кореног чвора на <уређају_хеша>\n"
 
-#: src/veritysetup.c:520
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -2878,15 +3249,19 @@ msgstr ""
 "Основни преведени параметри дм-тачности:\n"
 "\tХеш: %s, Блок података (бајта): %u, Блок хеша (бајта): %u, Величина присолка: %u, Запис хеша: %u\n"
 
-#: src/veritysetup.c:658
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Опције „--ignore-corruption“ и „--restart-on-corruption“ се не могу користити заједно."
 
-#: src/veritysetup.c:663
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Опције „--panic-on-corruption“ и „--restart-on-corruption“ се не могу користити заједно."
 
-#: src/integritysetup.c:177
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Опција „--error-as-corruption“ мора да се користи са „--panic-on-corruption“ или „--restart-on-corruption“."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -2895,29 +3270,33 @@ msgstr ""
 "Ово ће неповратно преписати податке на „%s“ и „%s“.\n"
 "Да задржите уређај података користите опцију „--no-wipe“ (а затим активирајте са „--integrity-recalculate“)."
 
-#: src/integritysetup.c:212
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Форматирано ознаком величине %u, унутрашња целовитост „%s“.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Форматирано ознаком величине %u%s, унутрашња целовитост „%s“.\n"
 
-#: src/integritysetup.c:289
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (унутарње hw ознаке)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Постављање заставице поновног рачунањ није подржано, можете узети у обзир коришћење опције „--wipe“."
 
-#: src/integritysetup.c:364 src/integritysetup.c:521
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Уређај „%s“ није исправан „INTEGRITY“ уређај."
 
-#: src/integritysetup.c:534 src/integritysetup.c:538
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<уређај_целовитости>"
 
-#: src/integritysetup.c:535
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<уређај_целовитости> <назив>"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -2928,7 +3307,7 @@ msgstr ""
 "<назив> јесте уређај за стварање под „%s“\n"
 "<уређај_целовитости> јесте уређај који садржи податке са ознакама целовитости\n"
 
-#: src/integritysetup.c:563
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -2941,44 +3320,52 @@ msgstr ""
 "\tАлгоритам провере суме: %s\n"
 "        Највећа величина датотеке кључа: %dkB\n"
 
-#: src/integritysetup.c:620
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Неисправна величина „--%s“. Највећа је %u бајта."
 
-#: src/integritysetup.c:720
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Мора бити наведена и опција датотеке кључа и опција величине кључа."
 
-#: src/integritysetup.c:724
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Мора бити наведена и опција датотеке кључа целовитости журнала и опција величине кључа."
 
-#: src/integritysetup.c:727
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Алгоритам целовитости журнала мора бити наведен ако се користи кључ целовитости журнала."
 
-#: src/integritysetup.c:731
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Мора бити наведена и опција датотеке кључа шифровања журнала и опција величине кључа."
 
-#: src/integritysetup.c:734
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Алгоритам шифровања журнала мора бити наведен ако се користи кључ шифровања журнала."
 
-#: src/integritysetup.c:738
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Опције режима опоравка и битмапе се узајамно искључују."
 
-#: src/integritysetup.c:745
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Опције журнала се не могу користити у режиму битмапе."
 
-#: src/integritysetup.c:750
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Опције битмапе се могу користити само у режиму битмапе."
 
-#: src/utils_tools.c:118
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Унутарњи режим се не може комбиновати са опцијама „journal“ или „bitmap“."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Унутарњи режим се не може комбиновати са одвојеним уређајем података."
+
+#: src/utils_tools.c:105
 msgid ""
 "\n"
 "WARNING!\n"
@@ -2989,7 +3376,7 @@ msgstr ""
 "========\n"
 
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:120
+#: src/utils_tools.c:107
 #, c-format
 msgid ""
 "%s\n"
@@ -3000,152 +3387,160 @@ msgstr ""
 "\n"
 "Да ли сте сигурни? (Упишите „yes“ великим словима): "
 
-#: src/utils_tools.c:126
+#: src/utils_tools.c:113
 msgid "Error reading response from terminal."
 msgstr "Грешка читања одговора из терминала."
 
-#: src/utils_tools.c:158
+#: src/utils_tools.c:145
 msgid "Command successful."
 msgstr "Наредба је успела."
 
-#: src/utils_tools.c:166
+#: src/utils_tools.c:153
 msgid "wrong or missing parameters"
 msgstr "погрешни или недостајући параметри"
 
-#: src/utils_tools.c:168
+#: src/utils_tools.c:155
 msgid "no permission or bad passphrase"
 msgstr "нема овлашћења или је лоша пропусна реч"
 
-#: src/utils_tools.c:170
+#: src/utils_tools.c:157
 msgid "out of memory"
 msgstr "нема више меморије"
 
-#: src/utils_tools.c:172
+#: src/utils_tools.c:159
 msgid "wrong device or file specified"
 msgstr "наведен је погрешан уређај или датотека"
 
-#: src/utils_tools.c:174
+#: src/utils_tools.c:161
 msgid "device already exists or device is busy"
 msgstr "уређај већ постоји или је заузет"
 
-#: src/utils_tools.c:176
+#: src/utils_tools.c:163
 msgid "unknown error"
 msgstr "непозната грешка"
 
-#: src/utils_tools.c:178
+#: src/utils_tools.c:165
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr "Наредба није успела са кодом %i (%s)."
 
-#: src/utils_tools.c:256
+#: src/utils_tools.c:243
 #, c-format
 msgid "Key slot %i created."
 msgstr "Утор кључа „%i“ је направљен."
 
-#: src/utils_tools.c:258
+#: src/utils_tools.c:245
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr "Утор кључа „%i“ је откључан."
 
-#: src/utils_tools.c:260
+#: src/utils_tools.c:247
 #, c-format
 msgid "Key slot %i removed."
 msgstr "Утор кључа „%i“ је уклоњен."
 
-#: src/utils_tools.c:269
+#: src/utils_tools.c:256
 #, c-format
 msgid "Token %i created."
 msgstr "Скупина „%i“ је направљена."
 
-#: src/utils_tools.c:271
+#: src/utils_tools.c:258
 #, c-format
 msgid "Token %i removed."
 msgstr "Скупина „%i“ је уклоњена."
 
-#: src/utils_tools.c:281
+#: src/utils_tools.c:268
 msgid "No token could be unlocked with this PIN."
 msgstr "Ниједна скупина неће бити откључана овим ПИН-ом."
 
-#: src/utils_tools.c:283
+#: src/utils_tools.c:270
 #, c-format
 msgid "Token %i requires PIN."
 msgstr "Скупина „%i“ захтева ПИН."
 
-#: src/utils_tools.c:285
+#: src/utils_tools.c:272
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr "Скупина (врста „%s“) захтева ПИН."
 
-#: src/utils_tools.c:288
+#: src/utils_tools.c:275
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Скупина „%i“ не може да откључа додељени утор кључа (погрешна лозинка)."
 
-#: src/utils_tools.c:290
+#: src/utils_tools.c:277
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Скупина (врста „%s“) не може да откључа додељени утор кључа (погрешна лозинка)."
 
-#: src/utils_tools.c:293
+#: src/utils_tools.c:280
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr "Скупина „%i“ захтева додтни ресурс који недостаје."
 
-#: src/utils_tools.c:295
+#: src/utils_tools.c:282
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr "Скупина (врста „%s“) захтева додтни ресурс који недостаје."
 
-#: src/utils_tools.c:298
+#: src/utils_tools.c:285
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr "Нема доступне употребљиве скупине (врста „%s“)."
 
-#: src/utils_tools.c:300
+#: src/utils_tools.c:287
 msgid "No usable token is available."
 msgstr "Нема доступне употребљиве скупине."
 
-#: src/utils_tools.c:393
+#: src/utils_tools.c:380
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr "Не могу да прочитам датотеку кључа „%s“."
 
-#: src/utils_tools.c:398
+#: src/utils_tools.c:385
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Не могу да прочитам %d бајта из датотеке кључа „%s“."
 
-#: src/utils_tools.c:423
+#: src/utils_tools.c:410
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "Не могу да отворим датотеку кључа „%s“ за упис."
 
-#: src/utils_tools.c:430
+#: src/utils_tools.c:417
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "Не могу да пишем у датотеку кључа „%s“."
 
-#: src/utils_progress.c:74
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Назив је предуг."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "Назив не сме да садржи знак /."
+
+#: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>m%02<PRIu64>s"
 
-#: src/utils_progress.c:76
+#: src/utils_progress.c:63
 #, c-format
 msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
 
-#: src/utils_progress.c:78
+#: src/utils_progress.c:65
 #, c-format
 msgid "%02<PRIu64> days"
 msgstr "%02<PRIu64> дана"
 
-#: src/utils_progress.c:105 src/utils_progress.c:138
+#: src/utils_progress.c:92 src/utils_progress.c:125
 #, c-format
 msgid "%4<PRIu64> %s written"
 msgstr "%4<PRIu64> „%s“ је записано"
 
-#: src/utils_progress.c:109 src/utils_progress.c:142
+#: src/utils_progress.c:96 src/utils_progress.c:129
 #, c-format
 msgid "speed %5.1f %s/s"
 msgstr "брзина %5.1f %s/s"
@@ -3154,7 +3549,7 @@ msgstr "брзина %5.1f %s/s"
 #. to get translated as well. 'eol' is always new-line or empty.
 #. See above.
 #.
-#: src/utils_progress.c:118
+#: src/utils_progress.c:105
 #, c-format
 msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
 msgstr "Напредовање: %5.1f%%, ETA %s, %s, %s%s"
@@ -3162,17 +3557,17 @@ msgstr "Напредовање: %5.1f%%, ETA %s, %s, %s%s"
 #. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
 #. to get translated as well. See above
 #.
-#: src/utils_progress.c:150
+#: src/utils_progress.c:137
 #, c-format
 msgid "Finished, time %s, %s, %s\n"
 msgstr "Завршено, време %s, %s, %s\n"
 
-#: src/utils_password.c:41 src/utils_password.c:72
+#: src/utils_password.c:28 src/utils_password.c:59
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr "Не могу да проверим квалитет лозинке: %s"
 
-#: src/utils_password.c:49
+#: src/utils_password.c:36
 #, c-format
 msgid ""
 "Password quality check failed:\n"
@@ -3181,63 +3576,67 @@ msgstr ""
 "Провера квалитета лозинке није успела:\n"
 " %s"
 
-#: src/utils_password.c:79
+#: src/utils_password.c:66
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Провера квалитета лозинке није успела: Лоша шифра (%s)"
 
-#: src/utils_password.c:230 src/utils_password.c:244
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Читање је заустављено на највећој међудејственој дужини улаза, лозинка се може скратити."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Грешка читања пропусне речи из терминала."
 
-#: src/utils_password.c:242
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Провери пропусну реч: "
 
-#: src/utils_password.c:249
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Пропусне речи се не подударају."
 
-#: src/utils_password.c:287
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Не могу да користим померај са улазом терминала."
 
-#: src/utils_password.c:291
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Унесите пропусну реч: "
 
-#: src/utils_password.c:294
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Унесите пропусну реч за „%s“: "
 
-#: src/utils_password.c:328
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "Нема доступног кључа са овом пропусном речју."
 
-#: src/utils_password.c:330
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Нема доступног употребљивог утора кључа."
 
-#: src/utils_luks.c:67
+#: src/utils_luks.c:55
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Не могу да одрадим проверу пропусне речи на не-конзолним улазима."
 
-#: src/utils_luks.c:182
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Нисам успео да отворим датотеку „%s“ у режиму само за читање."
 
-#: src/utils_luks.c:195
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Обезбеђује исправан „JSON“ ЛУКС2 скупине:\n"
 
-#: src/utils_luks.c:202
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "Нисам успео да прочитам „JSON“ датотеку."
 
-#: src/utils_luks.c:207
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3245,12 +3644,12 @@ msgstr ""
 "\n"
 "Читање је прекинуто."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Нисам успео да отворим датотеку „%s“ у режиму писања."
 
-#: src/utils_luks.c:257
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3258,26 +3657,26 @@ msgstr ""
 "\n"
 "Писање је прекинуто."
 
-#: src/utils_luks.c:261
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "Нисам успео да упишем „JSON“ датотеку."
 
-#: src/utils_reencrypt.c:120
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Самооткривени активан дм уређај „%sд за уређај података „%s“.\n"
 
-#: src/utils_reencrypt.c:124
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Нисам успео да самооткријем држаче „%s“ уређаја."
 
-#: src/utils_reencrypt.c:130
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Уређај „%s“ није блок уређај.\n"
 
-#: src/utils_reencrypt.c:132
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3290,7 +3689,7 @@ msgstr ""
 "То може довести до оштећења података ако је уређај заправо активиран.\n"
 "Да покренете поновно шифровање у режиму на мрежи, користите параметар „--active-name“.\n"
 
-#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3299,41 +3698,49 @@ msgstr ""
 "Уређај „%s“ није блок уређај. Не могу да само-откријем да ли је активан или није.\n"
 "Користите „--force-offline-reencrypt“ да заобиђете проверу и да радите у режиму ван мреже (опасно!)."
 
-#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221
-#: src/utils_reencrypt.c:231
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Захтевана опција „--resilience“ се не може применити на текућој радњи поновног шифровања."
 
-#: src/utils_reencrypt.c:203
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Уређај није у ЛУКС2 шифровању. Сукобљавајућа опција „--encrypt“."
 
-#: src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Уређај није у ЛУКС2 шифровању. Сукобљавајућа опција „--decrypt“."
 
-#: src/utils_reencrypt.c:215
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Уређај је у поновном шифровању користећи гипкост помака података. Захтевана опција „--resilience“ се не може применити."
 
-#: src/utils_reencrypt.c:293
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1923
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Не могу да одредим величину кључа за ЛУКС без утора кључа, користите опцију „--new-key-size“."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Уређај захтева опоравак поновног шифровања. Прво покрените поправку."
 
-#: src/utils_reencrypt.c:307
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Уређај „%s“ је већ у ЛУКС2 поновном шифровању. Да ли желите да наставите са претходно започетом радњом?"
 
-#: src/utils_reencrypt.c:353
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Старо ЛУКС2 поновно шифровања више није подржано."
 
-#: src/utils_reencrypt.c:418
+#: src/utils_reencrypt.c:566
+msgid "Can not reencrypt LUKS2 device configured to use OPAL."
+msgstr "Не могу поново да шифрујем LUKS2 уређај подешен да користи OPAL."
+
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Поновно шифровање уређаја са профилом целовитости није подржано."
 
-#: src/utils_reencrypt.c:449
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3342,103 +3749,110 @@ msgstr ""
 "Захтевано „--sector-size“ %<PRIu32> је несагласно са „%s“ суперблоком\n"
 "(величина блока: %<PRIu32> бајта) је откривено на уређају „%s“."
 
-#: src/utils_reencrypt.c:518 src/utils_reencrypt.c:1391
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2203
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Шифровање без откаченог заглавља (--header) није могуће без смањења величине уређаја података (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:525
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Затражени померај података мора бити мањи или једнак половини параметра „--reduce-device-size“."
 
-#: src/utils_reencrypt.c:535
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Подешавам „--reduce-device-size“ вредност на двоструко од „--offset“ %<PRIu64> (подеока).\n"
 
-#: src/utils_reencrypt.c:565
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Привремена датотека заглавља „%s“ већ постоји. Прекидам."
 
-#: src/utils_reencrypt.c:567 src/utils_reencrypt.c:574
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Не могу да направим привремену датотеку заглавља „%s“."
 
-#: src/utils_reencrypt.c:599
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Величина ЛУКС2 метаподатака је већа од вредности помака података."
 
-#: src/utils_reencrypt.c:636
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Нисам успео да ставим ново заглавље на главу уређаја „%s“."
 
-#: src/utils_reencrypt.c:646
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "„%s/%s“ је сада активно и спремно за шифровање на мрежи.\n"
 
-#: src/utils_reencrypt.c:682
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Радни уређај „%s“ није ЛУКС2."
 
-#: src/utils_reencrypt.c:710
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Враћам изворно ЛУКС2 заглавље."
 
-#: src/utils_reencrypt.c:718
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Враћање изворног ЛУКС2 заглавља није успело."
 
-#: src/utils_reencrypt.c:744
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Датотека заглавља „%s“ не постоји. Да ли желите да покренете LUKS2 дешифровање уређаја „%s“ и да извезете LUKS2 заглавље у датотеку „%s“?"
 
-#: src/utils_reencrypt.c:792
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Нисам успео да додам дозволе за читање/писање у извезену датотеку заглавља."
 
-#: src/utils_reencrypt.c:845
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Покретање поновног шифровања није успело. Резерва заглавља је доступна у „%s“."
 
-#: src/utils_reencrypt.c:873
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "ЛУКС2 дешифровање је подржано само са откаченим уређајем заглавља (са померајем података постављеним на 0)."
 
-#: src/utils_reencrypt.c:1008 src/utils_reencrypt.c:1017
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Ниједна скупина не може да откључа уређај."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "Нема довољно слободних утора кључева за поновно шифровање."
 
-#: src/utils_reencrypt.c:1038 src/utils_reencrypt_luks1.c:1100
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Датотека кључа може бити коришћена само са „--key-slot“ или са тачно једним активним утором кључа."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Датотека кључа или опис кључа привеска се може користити само са „--key-slot“ или са тачно једним активним утором кључа."
 
-#: src/utils_reencrypt.c:1047 src/utils_reencrypt_luks1.c:1147
-#: src/utils_reencrypt_luks1.c:1158
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Унесите пропусну реч за утор кључа %d: "
 
-#: src/utils_reencrypt.c:1059
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Унесите пропусну реч за утор кључа %u: "
-
-#: src/utils_reencrypt.c:1111
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Пребацујем шифрера података на „%s“.\n"
 
-#: src/utils_reencrypt.c:1165
+#: src/utils_reencrypt.c:1976 src/utils_reencrypt.c:1997
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Користите „--force-no-keyslots“ да поново шифрујете уређај са активним уторима кључа проследивши директно кључеве волумена."
+
+#: src/utils_reencrypt.c:1992
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Опција „--new-volume-key-file“ мора бити упарена са „--new-key-size“"
+
+#: src/utils_reencrypt.c:2034
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Никакви параметри подеока података нису измењени. Поновно шифровање је прекинуто."
 
-#: src/utils_reencrypt.c:1267
+#: src/utils_reencrypt.c:2071
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3446,8 +3860,8 @@ msgstr ""
 "Повећање величине одељка шифровања на не прикљученом уређају није подржано.\n"
 "Прво покрените уређај или користите опцију „--force-offline-reencrypt“ (опасно, вруће!!)."
 
-#: src/utils_reencrypt.c:1307 src/utils_reencrypt_luks1.c:726
-#: src/utils_reencrypt_luks1.c:798
+#: src/utils_reencrypt.c:2113 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3455,207 +3869,211 @@ msgstr ""
 "\n"
 "Поновно шифровање је прекинуто."
 
-#: src/utils_reencrypt.c:1312
+#: src/utils_reencrypt.c:2118
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Настављам са ЛУКС2 поновним шифровањем у насилном ванмрежном режиму.\n"
 
-#: src/utils_reencrypt.c:1329
+#: src/utils_reencrypt.c:2141
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Уређај „%s“ садржи оштећене ЛУКС2 метаподатке. Прекидам радњу."
 
-#: src/utils_reencrypt.c:1345 src/utils_reencrypt.c:1367
+#: src/utils_reencrypt.c:2157 src/utils_reencrypt.c:2179
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Уређај „%s“ већ јесте ЛУКС уређај. Прекидам радњу."
 
-#: src/utils_reencrypt.c:1373
+#: src/utils_reencrypt.c:2185
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Уређај „%s“ је већ у ЛУКС2 поновном шифровању. Прекидам радњу."
 
-#: src/utils_reencrypt.c:1453
+#: src/utils_reencrypt.c:2268
 msgid "LUKS2 decryption requires --header option."
 msgstr "ЛУКС2 дешифровање захтева опцију „--header“."
 
-#: src/utils_reencrypt.c:1501
+#: src/utils_reencrypt.c:2316
 msgid "Command requires device as argument."
 msgstr "Наредба захтева уређај као аргумент."
 
-#: src/utils_reencrypt.c:1514
+#: src/utils_reencrypt.c:2329
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Сукобљавајућа издања. Уређај „%s“ је ЛУКС1."
 
-#: src/utils_reencrypt.c:1520
+#: src/utils_reencrypt.c:2335
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Сукобљавајућа издања. Уређај „%s“ је у ЛУКС1 поновном шифровању."
 
-#: src/utils_reencrypt.c:1526
+#: src/utils_reencrypt.c:2341
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Сукобљавајућа издања. Уређај „%s“ је ЛУКС2."
 
-#: src/utils_reencrypt.c:1532
+#: src/utils_reencrypt.c:2347
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Сукобљавајућа издања. Уређај „%s“ је у ЛУКС2 поновном шифровању."
 
-#: src/utils_reencrypt.c:1538
+#: src/utils_reencrypt.c:2353
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "ЛУКС2 поновно шифровање је већ покренуто. Прекидам радњу."
 
-#: src/utils_reencrypt.c:1545
+#: src/utils_reencrypt.c:2360
 msgid "Device reencryption not in progress."
 msgstr "Поновно шифровање уређаја није у току."
 
-#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Не могу изричито да отворим „%s“, уређај је у употреби."
 
-#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "Додела поређане меморије није успела."
 
-#: src/utils_reencrypt_luks1.c:150
+#: src/utils_reencrypt_luks1.c:137
 #, c-format
 msgid "Cannot read device %s."
 msgstr "Не могу да читам уређај „%s“."
 
-#: src/utils_reencrypt_luks1.c:161
+#: src/utils_reencrypt_luks1.c:148
 #, c-format
 msgid "Marking LUKS1 device %s unusable."
 msgstr "Означавам ЛУКС1 уређај „%s“ неупотребљивим."
 
-#: src/utils_reencrypt_luks1.c:177
+#: src/utils_reencrypt_luks1.c:164
 #, c-format
 msgid "Cannot write device %s."
 msgstr "Не могу да пишем на уређају „%s“."
 
-#: src/utils_reencrypt_luks1.c:226
+#: src/utils_reencrypt_luks1.c:213
 msgid "Cannot write reencryption log file."
 msgstr "Не могу да запишем датотеку дневника поновног шифровања."
 
-#: src/utils_reencrypt_luks1.c:282
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Не могу да прочитам датотеку дневника поновног шифровања."
 
-#: src/utils_reencrypt_luks1.c:293
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Погрешан формат дневника."
 
-#: src/utils_reencrypt_luks1.c:320
+#: src/utils_reencrypt_luks1.c:307
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Датотека дневника „%s“ постоји, настављам поновно шифровање.\n"
 
-#: src/utils_reencrypt_luks1.c:369
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Покрећем привремени уређај користећи старо ЛУКС заглавље."
 
-#: src/utils_reencrypt_luks1.c:379
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Покрећем привремени уређај користећи ново ЛУКС заглавље."
 
-#: src/utils_reencrypt_luks1.c:389
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Покретање привременог уређаја није успело."
 
-#: src/utils_reencrypt_luks1.c:449
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Нисам успео да поставим померај података."
 
-#: src/utils_reencrypt_luks1.c:455
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Нисам успео да поставим величину метаподатака."
 
-#: src/utils_reencrypt_luks1.c:463
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Направљено је ново ЛУКС заглавље за уређај „%s“."
 
-#: src/utils_reencrypt_luks1.c:500
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Направљена је резерва „%s“ заглавља за уређај „%s“."
 
-#: src/utils_reencrypt_luks1.c:556
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "Није успело прављење резерве ЛУКС заглавља."
 
-#: src/utils_reencrypt_luks1.c:685
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Не могу да повратим „%s“ заглавље на уређају „%s“."
 
-#: src/utils_reencrypt_luks1.c:687
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Повраћено је „%s“ заглавље на уређају „%s“."
 
-#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Не могу да отворим привремени ЛУКС уређај."
 
-#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Не могу да добавим величину уређаја."
 
-#: src/utils_reencrypt_luks1.c:968
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "УИ грешка за време поновног шифровања."
 
-#: src/utils_reencrypt_luks1.c:998
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "Достављени УУИД није исправан."
 
-#: src/utils_reencrypt_luks1.c:1224
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Датотека кључа може бити коришћена само са „--key-slot“ или са тачно једним активним утором кључа."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Не могу да отворим датотеку дневника поновног шифровања."
 
-#: src/utils_reencrypt_luks1.c:1230
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Нема описа у напретку, достављени УУИД се може користити само за настављање заустављеног процеса дешифровања."
 
-#: src/utils_reencrypt_luks1.c:1286
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Поновно шифровање ће изменити: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1287
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "кључ волумена"
 
-#: src/utils_reencrypt_luks1.c:1289
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "поставља хеш на "
 
-#: src/utils_reencrypt_luks1.c:1290
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", поставља шифрера на "
 
-#: src/utils_blockdev.c:189
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "УПОЗОРЕЊЕ: Уређај „%s“ већ садржи „%s“ потпис партиције.\n"
 
-#: src/utils_blockdev.c:197
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "УПОЗОРЕЊЕ: Уређај „%s“ већ садржи „%s“ потпис суперблока.\n"
 
-#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Нисам успео да покренем пробе потписа уређаја."
 
-#: src/utils_blockdev.c:274
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Нисам успео да добавим податке уређаја „%s“."
 
-#: src/utils_blockdev.c:289
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Нисам успео да отворим датотеку „%s“ у режиму читања/писања."
@@ -3679,16 +4097,60 @@ msgstr "Нисам успео да обришем потпис уређаја."
 msgid "Failed to probe device %s for a signature."
 msgstr "Нисам успео да испробам уређај „%s“ за потписом."
 
-#: src/utils_args.c:65
+#: src/utils_args.c:52
 #, c-format
 msgid "Invalid size specification in parameter --%s."
 msgstr "Неисправна одредба величине у параметру „--%s“."
 
-#: src/utils_args.c:125
+#: src/utils_args.c:112
 #, c-format
 msgid "Option --%s is not allowed with %s action."
 msgstr "Опција „--%s“ није дозвољена са радњом „%s“."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Одредба врсте у „--link-vk-to-keyring“ одредби привеска је занемарена."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Врсте кључа морају бити исте за оба кључа волумена."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Оба кључа волумена морају бити свезана на исти привезак кључева."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Треба да доставите још назива кључева."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Неисправна вредност „--link-vk-to-keyring“."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Бинарни подаци утора кључа %d су можда оштећени.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Очекивани померај: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr " Надовезани очекивани помераји су потиснути.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Утор кључа %d се не може прочитати са уређаја."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "Можете да користите „hexdump -v -C -n 128 -s <offset_0xXXXX> „%s“ да проверите поддатке.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Нисам успео да запишем „json“ скупине безбедне шкољке."
@@ -3733,125 +4195,163 @@ msgstr "Путања до датотеке кључа на удаљеном се
 msgid "Path to the SSH key for connecting to the remote server"
 msgstr "Путања до кључа безбедне шкољке за повезивање на удаљени сервер"
 
-#: tokens/ssh/cryptsetup-ssh.c:146
+#: tokens/ssh/cryptsetup-ssh.c:147
+msgid "Path to directory containinig libcryptsetup external tokens"
+msgstr "Путања до директоријума који садржи „libcryptsetup“ спољне скупине"
+
+#: tokens/ssh/cryptsetup-ssh.c:148
 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
 msgstr "Утор кључа коме се додељује скупина. Ако није наведено, скупина ће бити додељена првом утору кључа који поклопи достављену лозинку."
 
-#: tokens/ssh/cryptsetup-ssh.c:148
+#: tokens/ssh/cryptsetup-ssh.c:150
 msgid "Generic options:"
 msgstr "Опште опције:"
 
-#: tokens/ssh/cryptsetup-ssh.c:149
+#: tokens/ssh/cryptsetup-ssh.c:151
 msgid "Shows more detailed error messages"
 msgstr "Приказује опширније поруке о грешкама"
 
-#: tokens/ssh/cryptsetup-ssh.c:150
+#: tokens/ssh/cryptsetup-ssh.c:152
 msgid "Show debug messages"
 msgstr "Приказује поруке прочишћавања"
 
-#: tokens/ssh/cryptsetup-ssh.c:151
+#: tokens/ssh/cryptsetup-ssh.c:153
 msgid "Show debug messages including JSON metadata"
 msgstr "Приказује поруке прочишћавања укључујући „JSON“ метаподатке"
 
-#: tokens/ssh/cryptsetup-ssh.c:262
+#: tokens/ssh/cryptsetup-ssh.c:268
 msgid "Failed to open and import private key:\n"
 msgstr "Нисам успео да отворим и увезем приватни кључ:\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:266
+#: tokens/ssh/cryptsetup-ssh.c:272
 msgid "Failed to import private key (password protected?).\n"
 msgstr "Нисам успео да увезем приватни кључ (заштићен лозинком?).\n"
 
 #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
-#: tokens/ssh/cryptsetup-ssh.c:268
+#: tokens/ssh/cryptsetup-ssh.c:274
 #, c-format
 msgid "%s@%s's password: "
 msgstr "„%s@%s“ лозинка: "
 
-#: tokens/ssh/cryptsetup-ssh.c:357
+#: tokens/ssh/cryptsetup-ssh.c:363
 #, c-format
 msgid "Failed to parse arguments.\n"
 msgstr "Нисам успео да обрадим аргументе.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:368
+#: tokens/ssh/cryptsetup-ssh.c:374
 #, c-format
 msgid "An action must be specified\n"
 msgstr "Мора бити наведена радња\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:374
+#: tokens/ssh/cryptsetup-ssh.c:380
 #, c-format
 msgid "Device must be specified for '%s' action.\n"
 msgstr "Уређај мора бити наведен за радњу „%s“.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:379
+#: tokens/ssh/cryptsetup-ssh.c:385
 #, c-format
 msgid "SSH server must be specified for '%s' action.\n"
 msgstr "Сервер безбедне шкољке мора бити наведен за радњу „%s“.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:384
+#: tokens/ssh/cryptsetup-ssh.c:390
 #, c-format
 msgid "SSH user must be specified for '%s' action.\n"
 msgstr "Корисник безбедне шкољке мора бити наведен за радњу „%s“.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:389
+#: tokens/ssh/cryptsetup-ssh.c:395
 #, c-format
 msgid "SSH path must be specified for '%s' action.\n"
 msgstr "Путања безбедне шкољке мора бити наведена за радњу „%s“.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:394
+#: tokens/ssh/cryptsetup-ssh.c:400
 #, c-format
 msgid "SSH key path must be specified for '%s' action.\n"
 msgstr "Путања кључа безбедне шкољке мора бити наведена за радњу „%s“.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:401
+#: tokens/ssh/cryptsetup-ssh.c:407
 #, c-format
 msgid "Failed open %s using provided credentials.\n"
 msgstr "Нисам успео да отворим „%s“ користећи достављена уверења.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:417
+#: tokens/ssh/cryptsetup-ssh.c:424
 #, c-format
 msgid "Only 'add' action is currently supported by this plugin.\n"
 msgstr "Само радња „add“ (додај) је тренутно подржана овим прикључком.\n"
 
-#: tokens/ssh/ssh-utils.c:46
+#: tokens/ssh/ssh-utils.c:33
 msgid "Cannot create sftp session: "
 msgstr "Не могу да направим сфтп сесију: "
 
-#: tokens/ssh/ssh-utils.c:53
+#: tokens/ssh/ssh-utils.c:40
 msgid "Cannot init sftp session: "
 msgstr "Не могу да покренем сфтп сесију: "
 
-#: tokens/ssh/ssh-utils.c:59
+#: tokens/ssh/ssh-utils.c:46
 msgid "Cannot open sftp session: "
 msgstr "Не могу да отворим сфтп сесију: "
 
-#: tokens/ssh/ssh-utils.c:66
+#: tokens/ssh/ssh-utils.c:53
 msgid "Cannot stat sftp file: "
 msgstr "Не могу да добавим податке сфтп датотеке: "
 
-#: tokens/ssh/ssh-utils.c:74
+#: tokens/ssh/ssh-utils.c:61
 msgid "Not enough memory.\n"
 msgstr "Нема довољно меморије.\n"
 
-#: tokens/ssh/ssh-utils.c:81
+#: tokens/ssh/ssh-utils.c:68
 msgid "Cannot read remote key: "
 msgstr "Не могу да прочитам удаљени кључ: "
 
-#: tokens/ssh/ssh-utils.c:122
+#: tokens/ssh/ssh-utils.c:109
 msgid "Connection failed: "
 msgstr "Повезивање није успело: "
 
-#: tokens/ssh/ssh-utils.c:132
+#: tokens/ssh/ssh-utils.c:119
 msgid "Server not known: "
 msgstr "Сервер није познат: "
 
-#: tokens/ssh/ssh-utils.c:160
+#: tokens/ssh/ssh-utils.c:147
 msgid "Public key auth method not allowed on host.\n"
 msgstr "Метода потврђивања идентитета јавног кључа није допуштена на домаћину.\n"
 
-#: tokens/ssh/ssh-utils.c:171
+#: tokens/ssh/ssh-utils.c:158
 msgid "Public key authentication error: "
 msgstr "Грешка потврђивања идентитета јавног кључа: "
 
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Нисам успео да свежем кључеве волумена у привезак кључева који је корисник одредио."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Нисам успео да развежем кључ волумена од привеска кључева нити."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "Активирање делимично дешифрованог „BITLK“ уређаја није подржано."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Нисам успео да прочитам ЛУКС2 захтеве."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Упозорење: рдња утора кључа може да не успе јер захтева више од доступне меморије.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Нисам успео да добавим стање поновног шифровања."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Нисам успео да прочитам пропусну реч из привеска кључева."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Опције „--reduce-device-size“ и „--dевице-size“ се не могу комбиновати."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Унесите пропусну реч за утор кључа %u: "
+
+#~ msgid "compiled-in"
+#~ msgstr "преведено"
+
+#~ msgid "disabled"
+#~ msgstr "искључено"
+
 #~ msgid "WARNING: Data offset is outside of currently available data device.\n"
 #~ msgstr "УПОЗОРЕЊЕ: Померај података је ван тренутно доступног уређаја података.\n"
 
@@ -3876,9 +4376,6 @@ msgstr "Грешка потврђивања идентитета јавног к
 #~ msgid "Failed to disable reencryption requirement flag."
 #~ msgstr "Нисам успео да искључим заставицу захтева поновног шифровања."
 
-#~ msgid "Encryption is supported only for LUKS2 format."
-#~ msgstr "Шифровање је подржано само за ЛУКС2 запис."
-
 #~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 #~ msgstr "Откривен је ЛУКС уређај на „%s“. Да ли желите опет да шифрујете тај ЛУКС уређај?"
 
@@ -3924,9 +4421,6 @@ msgstr "Грешка потврђивања идентитета јавног к
 #~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 #~ msgstr "Опција „--keep-key“ може да се користи само са „--hash“, „--iter-time“ или „--pbkdf-force-iterations“."
 
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "Опција „--new“ не може да се користи са „--decrypt“."
-
 #~ msgid "Option --decrypt is incompatible with specified parameters."
 #~ msgstr "Опција „--decrypt“ није сагласна са наведеним параметрима."
 
@@ -4017,9 +4511,6 @@ msgstr "Грешка потврђивања идентитета јавног к
 #~ msgid "Progress line update (in seconds)"
 #~ msgstr "Напредак освежења реда (у секундама)"
 
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Колико често унос лозинке може бити покушан"
-
 #~ msgid "Align payload at <n> sector boundaries - for luksFormat"
 #~ msgstr "Поравнава утовар на границе <n> одељка — за „luksFormat“"
 
@@ -4471,9 +4962,6 @@ msgstr "Грешка потврђивања идентитета јавног к
 #~ msgid "Invalid size parameters for verity device."
 #~ msgstr "Неисправни параметри величине за уређај тачности."
 
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "Алгоритам целовитости мора бити наведен ако се користи кључ целовитости."
-
 #~ msgid "Wrong key size."
 #~ msgstr "Погрешна величина кључа."
 
diff --git a/po/sv.po b/po/sv.po
index 69eb18e..2d4861f 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -3,84 +3,92 @@
 # This file is distributed under the same license as the cryptsetup package.
 #
 # Daniel Nylander <po@danielnylander.se>, 2009.
-# Josef Andersson <l10nl18nsweja@gmail.com>, 2016-2022.
+# Josef Andersson <janderssonse@proton.me>, 2016-2025.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.5.0-rc1\n"
+"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2022-07-14 14:04+0200\n"
-"PO-Revision-Date: 2022-11-11 12:23+0100\n"
-"Last-Translator: Josef Andersson <l10nl18nsweja@gmail.com>\n"
+"POT-Creation-Date: 2024-06-06 22:11+0200\n"
+"PO-Revision-Date: 2025-04-18 09:55+0200\n"
+"Last-Translator: Josef Andersson <janderssonse@proton.me>\n"
 "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
 "Language: sv\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Lokalize 22.08.3\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Poedit 3.4.2\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
 
-#: lib/libdevmapper.c:417
+#: lib/libdevmapper.c:406
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Det går inte att initiera device-mapper, kör som icke-root-användare."
 
-#: lib/libdevmapper.c:420
+#: lib/libdevmapper.c:409
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Det går inte att initiera device-mapper. Är kärnmodulen dm_mod inläst?"
 
-#: lib/libdevmapper.c:1171
+#: lib/libdevmapper.c:1090
 msgid "Requested deferred flag is not supported."
 msgstr "Begärd flagga deferred stöds inte."
 
-#: lib/libdevmapper.c:1240
+#: lib/libdevmapper.c:1159
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID för enheten %s förkortades."
 
-#: lib/libdevmapper.c:1570
+#: lib/libdevmapper.c:1497
 msgid "Unknown dm target type."
 msgstr "Okänd måltyp dm."
 
-#: lib/libdevmapper.c:1694 lib/libdevmapper.c:1699 lib/libdevmapper.c:1763
-#: lib/libdevmapper.c:1766
+#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
+#: lib/libdevmapper.c:1728
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Begärd flagga för dm-crypt-prestanda stöds inte."
 
-#: lib/libdevmapper.c:1706 lib/libdevmapper.c:1710
+#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Begärd flagga för dm-verity-dataintegritet stöds inte."
 
-#: lib/libdevmapper.c:1714
+#: lib/libdevmapper.c:1637
+msgid "Requested dm-verity tasklets option is not supported."
+msgstr "Begärd flagga dm-verity tasklets stöds inte."
+
+#: lib/libdevmapper.c:1649
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Begärd flagga dm-verity FEC stöds inte."
 
-#: lib/libdevmapper.c:1718
+#: lib/libdevmapper.c:1655
 msgid "Requested data integrity options are not supported."
 msgstr "Begärd flagga för dataintegritet stöds inte."
 
-#: lib/libdevmapper.c:1720
+#: lib/libdevmapper.c:1659
 msgid "Requested sector_size option is not supported."
 msgstr "Begärd flagga sector_size stöds inte."
 
-#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1729
+#: lib/libdevmapper.c:1664
+msgid "The device size is not multiple of the requested sector size."
+msgstr "Storleken på enheten är inte en multipel av begärd sektorstorlek."
+
+#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Begärd automatisk beräkning av integritetstaggar stöds inte."
 
-#: lib/libdevmapper.c:1733 lib/libdevmapper.c:1769 lib/libdevmapper.c:1772
-#: lib/luks2/luks2_json_metadata.c:2552
+#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
+#: lib/luks2/luks2_json_metadata.c:2741
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM stöds inte."
 
-#: lib/libdevmapper.c:1737
+#: lib/libdevmapper.c:1689
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Begärt dm-integrity bitmap-läge stöds inte."
 
-#: lib/libdevmapper.c:2763
+#: lib/libdevmapper.c:2725
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Misslyckades med att läsa dm-%s-segment."
 
-#: lib/random.c:74
+#: lib/random.c:60
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -88,689 +96,813 @@ msgstr ""
 "Systemet fick slut på entropi under generering av volymnyckeln.\n"
 "Rör på musen eller skriv in text i ett annat fönster för att samla in slumpmässiga händelser.\n"
 
-#: lib/random.c:78
+#: lib/random.c:64
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Genererar nyckel (%d%% done).\n"
 
-#: lib/random.c:164
+#: lib/random.c:150
 msgid "Running in FIPS mode."
 msgstr "Kör i FIPS-läge."
 
-#: lib/random.c:170
+#: lib/random.c:156
 msgid "Fatal error during RNG initialisation."
 msgstr "Ödesdigert fel under RNG-initiering."
 
-#: lib/random.c:207
+#: lib/random.c:194
 msgid "Unknown RNG quality requested."
 msgstr "Okänd RNG-kvalitet begärd."
 
-#: lib/random.c:212
+#: lib/random.c:199
 msgid "Error reading from RNG."
 msgstr "Fel vid läsning från RNG."
 
-#: lib/setup.c:226
+#: lib/setup.c:249
+msgid "OPAL support is disabled in libcryptsetup."
+msgstr "OPAL-stöd är inaktiverat i libcryptsetup."
+
+#: lib/setup.c:251
+#, c-format
+msgid "Device %s or kernel does not support OPAL encryption."
+msgstr "Kärnan eller enheten %s stöder inte OPAL-kryptering."
+
+#: lib/setup.c:267
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Det går inte att initiera RNG-krypteringsbakände."
 
-#: lib/setup.c:232
+#: lib/setup.c:273
 msgid "Cannot initialize crypto backend."
 msgstr "Det går inte att initiera krypteringsbakände."
 
-#: lib/setup.c:263 lib/setup.c:2080 lib/verity/verity.c:122
+#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hashalgoritmen %s stöds inte."
 
-#: lib/setup.c:266 lib/loopaes/loopaes.c:90
+#: lib/setup.c:308 lib/loopaes/loopaes.c:77
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Fel vid nyckelbearbetning (använder hash %s)."
 
-#: lib/setup.c:332 lib/setup.c:359
+#: lib/setup.c:379 lib/setup.c:416
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Det går inte att avgöra enhetstyp. Inkompatibel aktivering av enhet?"
 
-#: lib/setup.c:338 lib/setup.c:3221
+#: lib/setup.c:385 lib/setup.c:3981
 msgid "This operation is supported only for LUKS device."
 msgstr "Denna åtgärd stöds endast av LUKS-enheter."
 
-#: lib/setup.c:365
+#: lib/setup.c:422
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Denna åtgärd stöds endast av LUKS2-enheter."
 
-#: lib/setup.c:420 lib/luks2/luks2_reencrypt.c:2985
+#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
 msgid "All key slots full."
 msgstr "Alla nyckelplatser är upptagna."
 
-#: lib/setup.c:431
+#: lib/setup.c:490
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Nyckelplats %d är ogiltig. Välj mellan 0 och %d."
 
-#: lib/setup.c:437
+#: lib/setup.c:496
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Nyckelplats %d är full. Välj en annan."
 
-#: lib/setup.c:522 lib/setup.c:2946
+#: lib/setup.c:607 lib/setup.c:3681
 msgid "Device size is not aligned to device logical block size."
 msgstr "Storlek på enhet är inte justerad till enhetens logiska blockstorlek."
 
-#: lib/setup.c:620
+#: lib/setup.c:705
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Huvud identifierat men enheten %s är för liten."
 
-#: lib/setup.c:661 lib/setup.c:2851 lib/setup.c:4335
-#: lib/luks2/luks2_reencrypt.c:3757 lib/luks2/luks2_reencrypt.c:4159
+#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
+#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
 msgid "This operation is not supported for this device type."
 msgstr "Denna åtgärd stöds inte för denna enhetstyp."
 
-#: lib/setup.c:666
+#: lib/setup.c:751
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Ogiltig åtgärd under pågående omkryptering."
 
-#: lib/setup.c:833 lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:524
-#: lib/luks2/luks2_json_metadata.c:1267 src/cryptsetup.c:1449
-#: src/cryptsetup.c:1581 src/cryptsetup.c:1636 src/cryptsetup.c:1756
-#: src/cryptsetup.c:1861 src/cryptsetup.c:2142 src/cryptsetup.c:2380
-#: src/cryptsetup.c:2440 src/utils_reencrypt.c:1378
-#: src/utils_reencrypt_luks1.c:1188 tokens/ssh/cryptsetup-ssh.c:77
+#: lib/setup.c:883
+msgid "Failed to rollback LUKS2 metadata in memory."
+msgstr "Misslyckades med att återställa LUKS2-metadata i minnet."
+
+#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
+#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
+#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
+#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
+#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Enheten %s är inte en giltig LUKS-enhet."
 
-#: lib/setup.c:836 lib/luks1/keymanage.c:527
+#: lib/setup.c:973 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "LUKS-versionen %d stöds inte."
 
-#: lib/setup.c:1431 lib/setup.c:2602 lib/setup.c:2682 lib/setup.c:2694
-#: lib/setup.c:2859 lib/setup.c:4807
+#: lib/setup.c:1346
+#, c-format
+msgid "No known cipher specification pattern detected for active device %s."
+msgstr "Inget känt chifferspecifikationsmönster kunde identifieras för den aktiva enheten %s."
+
+#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
+#: lib/setup.c:3590 lib/setup.c:6004
 #, c-format
 msgid "Device %s is not active."
 msgstr "Enheten %s är inte aktiv."
 
-#: lib/setup.c:1448
+#: lib/setup.c:1609
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Underliggande enhet för krypteringsenhet %s försvann."
 
-#: lib/setup.c:1528
+#: lib/setup.c:1691
 msgid "Invalid plain crypt parameters."
 msgstr "Ogiltiga parametrar för plain-kryptering."
 
-#: lib/setup.c:1533 lib/setup.c:1983
+#: lib/setup.c:1696 lib/setup.c:2689
 msgid "Invalid key size."
 msgstr "Ogiltig nyckelstorlek."
 
-#: lib/setup.c:1538 lib/setup.c:1988 lib/setup.c:2191
+#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID stöds inte för denna krypteringstyp."
 
-#: lib/setup.c:1543 lib/setup.c:1993
+#: lib/setup.c:1706 lib/setup.c:2699
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Frånkopplad metadataenhet stöds ej av denna crypt-typ."
 
-#: lib/setup.c:1553 lib/setup.c:1765 lib/luks2/luks2_reencrypt.c:2941
-#: src/cryptsetup.c:1250 src/cryptsetup.c:3072
+#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
+#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
 msgid "Unsupported encryption sector size."
 msgstr "Stöder inte sektorstorleken för kryptering."
 
-#: lib/setup.c:1561 lib/setup.c:1896 lib/setup.c:2940
+#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
 msgid "Device size is not aligned to requested sector size."
 msgstr "Storlek på enhet är inte justerad till begärd sektorstorlek."
 
-#: lib/setup.c:1613 lib/setup.c:1733
+#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
 msgid "Can't format LUKS without device."
 msgstr "Det går inte att formatera LUKS utan enhet."
 
-#: lib/setup.c:1619 lib/setup.c:1739
+#: lib/setup.c:1781 lib/setup.c:2024
+#, c-format
+msgid "Zoned device %s cannot be used for LUKS header."
+msgstr "Zoned-enheten %s kan inte användas för LUKS2-huvud."
+
+#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Begärd datajustering är inte kompatibel med dataoffset."
 
-#: lib/setup.c:1687 lib/setup.c:1883
-msgid "WARNING: Data offset is outside of currently available data device.\n"
-msgstr "VARNING: Dataoffset ligger utanför aktuell dataenhet.\n"
+#: lib/setup.c:1828 lib/setup.c:2049
+msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
+msgstr "VARNING: DAX-enheten kan korrumpera data eftersom den inte garanterar atomiska sektoruppdateringar.\n"
 
-#: lib/setup.c:1697 lib/setup.c:1913 lib/setup.c:1934 lib/setup.c:2203
+#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
+#: lib/setup.c:2596 lib/setup.c:2909
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Det går inte att rensa huvudet på enheten %s."
 
-#: lib/setup.c:1774
-msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
-msgstr "VARNING: Enhetsaktiveringen kommer att misslyckas, dm-crypt saknar stöd för begärd krypteringsektorstorlek.\n"
+#: lib/setup.c:1879 lib/setup.c:2204
+#, c-format
+msgid "Device %s is too small for activation, there is no remaining space for data.\n"
+msgstr "Enheten %s är för liten för aktivering, det finns inget utrymme kvar för data.\n"
 
-#: lib/setup.c:1797
+#: lib/setup.c:1919
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Volymnyckeln är för liten för kryptering med integritetstillägg."
 
-#: lib/setup.c:1857
+#: lib/setup.c:1928
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Chiffret %s-%s (nyckelstorlek %zd bitar) är inte tillgängligt."
 
-#: lib/setup.c:1886
-#, c-format
-msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
-msgstr "VARNING: storlek på LUKS2-metadata ändrades till %<PRIu64> byte.\n"
-
-#: lib/setup.c:1890
-#, c-format
-msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
-msgstr "VARNING: storlek på LUKS2-nyckelplatsområde ändrades till %<PRIu64> byte.\n"
+#: lib/setup.c:1967
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr "VARNING: Enhetsaktiveringen kommer att misslyckas, dm-crypt saknar stöd för begärd krypteringsektorstorlek.\n"
 
-#: lib/setup.c:1916 lib/utils_device.c:909 lib/luks1/keyencryption.c:255
-#: lib/luks2/luks2_reencrypt.c:3009 lib/luks2/luks2_reencrypt.c:4254
+#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
+#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
+#: lib/luks2/luks2_reencrypt.c:4367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Enheten %s är för liten."
 
-#: lib/setup.c:1927 lib/setup.c:1953
+#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Det går inte att formatera enheten %s då den används."
 
-#: lib/setup.c:1930 lib/setup.c:1956
+#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Det går inte att formatera enheten %s, behörighet nekad."
 
-#: lib/setup.c:1942 lib/setup.c:2263
+#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Det går inte att formatera integritet för enheten %s."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2191 lib/setup.c:2646
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Det går inte att formatera enheten %s."
 
-#: lib/setup.c:1978
+#: lib/setup.c:2234
+msgid "Cannot get OPAL alignment parameters."
+msgstr "Kan inte hämta OPAL-inriktningsparametrar."
+
+#: lib/setup.c:2246
+msgid "Bogus OPAL logical block size."
+msgstr "Felaktig logisk blockstorlek i OPAL."
+
+#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+msgid "Bogus OPAL logical block size differs from device block size."
+msgstr "Felaktig OPAL logisk blockstorlek skiljer sig från enhetens blockstorlek."
+
+#: lib/setup.c:2257
+msgid "Requested data offset is not compatible with OPAL block size."
+msgstr "Begärd data-offset är inte kompatibel med OPAL-blockstorlek."
+
+#: lib/setup.c:2264
+msgid "Requested data alignment is not compatible with OPAL alignment."
+msgstr "Begärd datajustering är inte kompatibel med OPAL-justering."
+
+#: lib/setup.c:2284
+msgid "Data offset does not satisfy OPAL alignment requirements."
+msgstr "Dataförskjutningen uppfyller inte OPAL:s krav på anpassning."
+
+#: lib/setup.c:2297
+msgid "Requested data alignment does not satisfy locking range alignment requirements."
+msgstr "Begärd datajustering är inte kompatibel med locking range-justeringskraven."
+
+#: lib/setup.c:2502
+#, c-format
+msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
+msgstr "Kompenserar enhetens storlek med %<PRIu64> sektorer för att anpassa den till OPAL:s anpassningsgranularitet."
+
+#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
+#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#, c-format
+msgid "Failed to acquire OPAL lock on device %s."
+msgstr "Misslyckades med att erhålla OPAL-lås på enheten %s."
+
+#: lib/setup.c:2570
+msgid "Incorrect OPAL Admin key."
+msgstr "Felaktig OPAL Admin-nyckel."
+
+#: lib/setup.c:2572
+msgid "Cannot setup OPAL segment."
+msgstr "Det går inte att konfigurera OPAL-segmentet."
+
+#: lib/setup.c:2642
+#, c-format
+msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
+msgstr "Det går inte att formatera enheten %s, OPAL-enheten verkar skrivskyddad nu."
+
+#: lib/setup.c:2644
+msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
+msgstr "Detta är kanske en bugg i den fasta programvaran. Kör OPAL PSID reset och återanslut för återhämtning."
+
+#: lib/setup.c:2664
+#, c-format
+msgid "Locking range %d reset on device %s failed."
+msgstr "Misslyckades med återställning av locking range %d på enheten %s."
+
+#: lib/setup.c:2684
 msgid "Can't format LOOPAES without device."
 msgstr "Kan inte formatera LOOPAES utan enhet."
 
-#: lib/setup.c:2023
+#: lib/setup.c:2729
 msgid "Can't format VERITY without device."
 msgstr "Det går inte att formatera VERITY utan enhet."
 
-#: lib/setup.c:2034 lib/verity/verity.c:101
+#: lib/setup.c:2740 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "VERITY-hashtyp %d stöds inte."
 
-#: lib/setup.c:2040 lib/verity/verity.c:109
+#: lib/setup.c:2746 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "VERITY-blockstorlek som inte stöds."
 
-#: lib/setup.c:2045 lib/verity/verity.c:74
+#: lib/setup.c:2751 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "VERITY-hashoffset som inte stöds."
 
-#: lib/setup.c:2050
+#: lib/setup.c:2756
 msgid "Unsupported VERITY FEC offset."
 msgstr "VERITY-FEC-offset som inte stöds."
 
-#: lib/setup.c:2074
+#: lib/setup.c:2780
 msgid "Data area overlaps with hash area."
 msgstr "Dataområde spiller över på hashområdet."
 
-#: lib/setup.c:2099
+#: lib/setup.c:2805
 msgid "Hash area overlaps with FEC area."
 msgstr "Hashområde spiller över på FEC-mrådet."
 
-#: lib/setup.c:2106
+#: lib/setup.c:2812
 msgid "Data area overlaps with FEC area."
 msgstr "Dataområde spiller över på FEC-mrådet."
 
-#: lib/setup.c:2242
+#: lib/setup.c:2948
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "VARNING: Begärd taggstorlek på %d byte skiljer sig från %s utdatastorlek (%d byte).\n"
 
-#: lib/setup.c:2321
+#: lib/setup.c:3027
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Okänd typ av krypteringsenhet %s begärd."
 
-#: lib/setup.c:2608 lib/setup.c:2687 lib/setup.c:2700
+#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Parametrar som inte stöds på enheten %s."
 
-#: lib/setup.c:2614 lib/setup.c:2707 lib/luks2/luks2_reencrypt.c:2837
-#: lib/luks2/luks2_reencrypt.c:3074 lib/luks2/luks2_reencrypt.c:3459
+#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
+#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Kan inte rensa huvudet på enheten %s."
 
-#: lib/setup.c:2731
+#: lib/setup.c:3457
 msgid "Crypt devices mismatch."
 msgstr "Krypteringsenheter har matchningsfel."
 
-#: lib/setup.c:2768 lib/setup.c:2773 lib/luks2/luks2_reencrypt.c:2315
-#: lib/luks2/luks2_reencrypt.c:2853 lib/luks2/luks2_reencrypt.c:4007
+#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
+#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Misslyckades med att läsa om enhet %s."
 
-#: lib/setup.c:2779 lib/setup.c:2785 lib/luks2/luks2_reencrypt.c:2286
-#: lib/luks2/luks2_reencrypt.c:2293 lib/luks2/luks2_reencrypt.c:2867
+#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
+#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Misslyckades med att försätta enhet %s i vänteläge."
 
-#: lib/setup.c:2791 lib/luks2/luks2_reencrypt.c:2300
-#: lib/luks2/luks2_reencrypt.c:2888 lib/luks2/luks2_reencrypt.c:3920
-#: lib/luks2/luks2_reencrypt.c:4011
+#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
+#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
+#: lib/luks2/luks2_reencrypt.c:4115
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Misslyckades med att återuppta enhet %s."
 
-#: lib/setup.c:2806
+#: lib/setup.c:3532
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Ödesdigert fel vid omläsning av enhet %s (ovanpå enhet %s)."
 
-#: lib/setup.c:2809 lib/setup.c:2811
+#: lib/setup.c:3535 lib/setup.c:3537
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Misslyckades med att växla enhet %s till dm-error."
 
-#: lib/setup.c:2891
+#: lib/setup.c:3577
+msgid "Can not resize LUKS2 device with static size."
+msgstr "Det går inte att ändra storlek på LUKS2-enhet med statisk storlek."
+
+#: lib/setup.c:3622
 msgid "Cannot resize loop device."
 msgstr "Det går inte att ändra storlek på loop-enhet."
 
-#: lib/setup.c:2931
+#: lib/setup.c:3666
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "VARNING: Maximal storlek redan satt eller så stöder inte kärnan storleksändring.\n"
 
-#: lib/setup.c:2989
+#: lib/setup.c:3732
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Misslyckades med storleksändring, kärnan stöder inte detta."
 
-#: lib/setup.c:3021
+#: lib/setup.c:3764
 msgid "Do you really want to change UUID of device?"
 msgstr "Vill du verkligen ändra UUID för en enhet?"
 
-#: lib/setup.c:3113
+#: lib/setup.c:3856
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Säkerhetskopian för huvud innehåller inte något giltigt LUKS-huvud."
 
-#: lib/setup.c:3229
+#: lib/setup.c:3966
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Volymen %s är inte aktiv."
 
-#: lib/setup.c:3240
+#: lib/setup.c:4032
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Volymen %s är redan i vänteläge."
 
-#: lib/setup.c:3253
+#: lib/setup.c:4060
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Vänteläge stöds inte för enhet %s."
 
-#: lib/setup.c:3255
+#: lib/setup.c:4062 lib/setup.c:4070
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Fel då enheten %s försattes i vänteläge."
 
-#: lib/setup.c:3290
+#: lib/setup.c:4084
+#, c-format
+msgid "Device %s was suspended but hardware OPAL device cannot be locked."
+msgstr "Enheten %s var suspenderad men hårdvaran OPAL-enheten kan inte låsas."
+
+#: lib/setup.c:4116 lib/setup.c:4288
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Att återuppta stöds inte för enhet %s."
 
-#: lib/setup.c:3292
+#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Fel då enheten %s återupptogs."
 
-#: lib/setup.c:3326 lib/setup.c:3374 lib/setup.c:3444 lib/setup.c:3489
-#: src/cryptsetup.c:2207
+#: lib/setup.c:4137
+msgid "Failed to unlink volume key from user specified keyring."
+msgstr "Misslyckades med att avlänka volymnyckeln från användarspecificerad nyckelring."
+
+#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+msgid "Failed to link volume key in user defined keyring."
+msgstr "Misslyckades med att sammankoppla volymnyckeln i den användardefinierade nyckelringen."
+
+#: lib/setup.c:4353 src/cryptsetup.c:2848
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Volymen %s är inte i vänteläge."
 
-#: lib/setup.c:3459 lib/setup.c:3862 lib/setup.c:4584 lib/setup.c:4597
-#: lib/setup.c:4605 lib/setup.c:4618 lib/setup.c:6142 src/cryptsetup.c:1790
+#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
+#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
 msgid "Volume key does not match the volume."
 msgstr "Volymnyckeln stämmer inte överens med volymen."
 
-#: lib/setup.c:3540 lib/setup.c:3745
-msgid "Cannot add key slot, all slots disabled and no volume key provided."
-msgstr "Det går inte att lägga till nyckelplats. Alla platser är inaktiverade och ingen volymnyckel har angivits."
-
-#: lib/setup.c:3697
+#: lib/setup.c:4608
 msgid "Failed to swap new key slot."
 msgstr "Misslyckades med att byta ny nyckelplats."
 
-#: lib/setup.c:3883
+#: lib/setup.c:4706
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Nyckelplats %d är ogiltig."
 
-#: lib/setup.c:3889 src/cryptsetup.c:1594 src/cryptsetup.c:1936
-#: src/cryptsetup.c:2540 src/cryptsetup.c:2597
+#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
+#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Nyckelplats %d är inte aktiv."
 
-#: lib/setup.c:3908
+#: lib/setup.c:4731
 msgid "Device header overlaps with data area."
 msgstr "Dataområde spiller över på hashområdet."
 
-#: lib/setup.c:4213
+#: lib/setup.c:5084 lib/setup.c:5184
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Omkryptering pågår. Det går inte att aktivera enheten."
 
-#: lib/setup.c:4215 lib/luks2/luks2_json_metadata.c:2635
-#: lib/luks2/luks2_reencrypt.c:3565
+#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
+#: lib/luks2/luks2_reencrypt.c:3648
 msgid "Failed to get reencryption lock."
 msgstr "Misslyckades med att erhålla omkrypteringslås."
 
-#: lib/setup.c:4228 lib/luks2/luks2_reencrypt.c:3584
+#: lib/setup.c:5098
+msgid "LUKS2 reencryption recovery using volume key(s) failed."
+msgstr "Misslyckades med återställning av LUKS2-omkryptering med volymnyckel/ar."
+
+#: lib/setup.c:5150 lib/setup.c:5240
+msgid "Failed to link volume keys in user defined keyring."
+msgstr "Misslyckades med att sammankoppla volymnycklar i den användardefinierade nyckelringen."
+
+#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Misslyckades med återhämtning av LUKS2-omkryptering."
 
-#: lib/setup.c:4396 lib/setup.c:4661
+#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
 msgid "Device type is not properly initialized."
 msgstr "Enhetstypen är inte korrekt initierad."
 
-#: lib/setup.c:4444
+#: lib/setup.c:5503
 #, c-format
 msgid "Device %s already exists."
 msgstr "Enheten %s finns redan."
 
-#: lib/setup.c:4451
+#: lib/setup.c:5510
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Det går inte att använda enheten %s som fortfarande används eller har ett ogiltigt namn."
 
-#: lib/setup.c:4571
+#: lib/setup.c:5528
 msgid "Incorrect volume key specified for plain device."
 msgstr "Felaktig volymnyckel för plain-enhet."
 
-#: lib/setup.c:4687
-msgid "Incorrect root hash specified for verity device."
-msgstr "Felaktig rothash angiven för verity-enhet."
+#: lib/setup.c:5542
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Nycklarna för omkrypteringsvolymen stämmer inte överens med volymen."
 
-#: lib/setup.c:4697
-msgid "Root hash signature required."
-msgstr "Root-hashsignatur krävs."
+#: lib/setup.c:5655
+msgid "Kernel keyring is not supported by the kernel."
+msgstr "Kärnans nyckelring stöds inte av kärnan."
 
-#: lib/setup.c:4706
+#: lib/setup.c:5659
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Kärnans nyckelring saknas: krävs för att skicka signatur till kärnan."
 
-#: lib/setup.c:4723 lib/setup.c:6218
-msgid "Failed to load key in kernel keyring."
-msgstr "Misslyckades med att öppna nyckelringen för kärnan."
+#: lib/setup.c:5917
+msgid "Incorrect root hash specified for verity device."
+msgstr "Felaktig rothash angiven för verity-enhet."
+
+#: lib/setup.c:5960
+msgid "OPAL does not support deferred deactivation."
+msgstr "OPAL stöder inte fördröjd inaktivering."
 
-#: lib/setup.c:4779
+#: lib/setup.c:5976
 #, c-format
 msgid "Could not cancel deferred remove from device %s."
 msgstr "Misslyckades med att avbryta fördröjd borttagning från enheten %s."
 
-#: lib/setup.c:4786 lib/setup.c:4802 lib/luks2/luks2_json_metadata.c:2688
-#: src/utils_reencrypt.c:116
+#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Enheten %s används fortfarande."
 
-#: lib/setup.c:4811
+#: lib/setup.c:6008
 #, c-format
 msgid "Invalid device %s."
 msgstr "Ogiltig enhet %s."
 
-#: lib/setup.c:4927
+#: lib/setup.c:6148
 msgid "Volume key buffer too small."
 msgstr "Buffert för volymnyckelen är för liten."
 
-#: lib/setup.c:4935
+#: lib/setup.c:6165
+msgid "Cannot retrieve volume key for LUKS2 device."
+msgstr "Det går inte att hämta volymnyckel för LUKS2-enhet."
+
+#: lib/setup.c:6174
+msgid "Cannot retrieve volume key for LUKS1 device."
+msgstr "Det går inte att hämta volymnyckel för LUKS1-enhet."
+
+#: lib/setup.c:6184
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Kan inte hämta volymnyckel för plain-enhet."
 
-#: lib/setup.c:4952
+#: lib/setup.c:6192
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Det går inte att hämta root-hash för verity-enhet."
 
-#: lib/setup.c:4956
+#: lib/setup.c:6199
+msgid "Cannot retrieve volume key for BITLK device."
+msgstr "Det går inte hämta volymnyckel för BITLK-enhet."
+
+#: lib/setup.c:6204
+msgid "Cannot retrieve volume key for FVAULT2 device."
+msgstr "Det går inte att hämta volymnyckel för FVAULT2-enhet."
+
+#: lib/setup.c:6206
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Denna åtgärd stöds inte för krypteringsenheter av typen %s."
 
-#: lib/setup.c:5130 lib/setup.c:5141
+#: lib/setup.c:6390 lib/setup.c:6401
 msgid "Dump operation is not supported for this device type."
 msgstr "Utskriftsåtgärden stöds inte för denna enhetstyp."
 
-#: lib/setup.c:5471
+#: lib/setup.c:6760
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Dataförskjutning är inte en multipel av %u byte."
 
-#: lib/setup.c:5756
+#: lib/setup.c:7068
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Det går inte konvertera enheten %s som fortfarande används."
 
-#: lib/setup.c:6075
+#: lib/setup.c:7366 lib/setup.c:7505
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Misslyckades med att tilldela nyckelplats %u som ny volymnyckel."
 
-#: lib/setup.c:6148
+#: lib/setup.c:7390
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Misslyckades med att initiera standardnyckelplats för LUKS2-parametrar."
 
-#: lib/setup.c:6154
+#: lib/setup.c:7396
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Misslyckades med att tilldela nyckelplats %d till kontrollsummor."
 
-#: lib/setup.c:6285
-msgid "Kernel keyring is not supported by the kernel."
-msgstr "Kärnans nyckelring stöds inte av kärnan."
+#: lib/setup.c:7621
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
+msgstr "Det går inte att lägga till nyckelplats. Alla platser är inaktiverade och ingen volymnyckel har angivits."
 
-#: lib/setup.c:6295 lib/luks2/luks2_reencrypt.c:3782
+#: lib/setup.c:7690 lib/verity/verity.c:330
+msgid "Failed to load key in kernel keyring."
+msgstr "Misslyckades med att öppna nyckelringen för kärnan."
+
+#: lib/setup.c:7808
+msgid "Failed to unlink volume key from thread keyring."
+msgstr "Misslyckades med frånkoppla nyckelringen för trådnyckelringen."
+
+#: lib/setup.c:7852
 #, c-format
-msgid "Failed to read passphrase from keyring (error %d)."
-msgstr "Misslyckades med att läsa lösenfras från nyckelringsnyckel (fel %d)."
+msgid "Could not find keyring described by \"%s\"."
+msgstr "Kunde inte hitta nyckelringen som beskrivs av \"%s\"."
 
-#: lib/setup.c:6319
+#: lib/setup.c:7917
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Misslyckades med att inhämta globalt minneshårt serialiseringslås."
 
-#: lib/utils.c:80
-msgid "Cannot get process priority."
-msgstr "Det går inte att få processprioritet."
-
-#: lib/utils.c:94
-msgid "Cannot unlock memory."
-msgstr "Det går inte att låsa upp minne."
-
-#: lib/utils.c:168 lib/tcrypt/tcrypt.c:502
+#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Misslyckades med att öppna nyckelfilen."
 
-#: lib/utils.c:173
+#: lib/utils.c:207
 msgid "Cannot read keyfile from a terminal."
 msgstr "Det går inte läsa nyckelfilen från en terminal."
 
-#: lib/utils.c:189
+#: lib/utils.c:223
 msgid "Failed to stat key file."
 msgstr "Misslyckades med att ta stat på nyckelfilen."
 
-#: lib/utils.c:197 lib/utils.c:218
+#: lib/utils.c:231 lib/utils.c:252
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Det går inte att söka till begärd nyckelfilsoffset."
 
-#: lib/utils.c:212 lib/utils.c:227 src/utils_password.c:226
-#: src/utils_password.c:238
+#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
+#: src/utils_password.c:228
 msgid "Out of memory while reading passphrase."
 msgstr "Slut på minne vid läsning av lösenfras."
 
-#: lib/utils.c:247
+#: lib/utils.c:281
 msgid "Error reading passphrase."
 msgstr "Fel vid läsning av lösenfras."
 
-#: lib/utils.c:264
+#: lib/utils.c:298
 msgid "Nothing to read on input."
 msgstr "Ingenting att läsa vid inmating."
 
-#: lib/utils.c:271
+#: lib/utils.c:305
 msgid "Maximum keyfile size exceeded."
 msgstr "Högsta nyckelfilsstorlek överskriden."
 
-#: lib/utils.c:276
+#: lib/utils.c:310
 msgid "Cannot read requested amount of data."
 msgstr "Det går inte läsa begärd mängd data."
 
-#: lib/utils_device.c:208 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1353
+#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Enheten %s finns inte eller åtkomst nekas."
 
-#: lib/utils_device.c:218
+#: lib/utils_device.c:210
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Enheten %s är inte aktiv."
 
-#: lib/utils_device.c:562
+#: lib/utils_device.c:554
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Ignorerar falsk optimal-io-storlek för dataenheten (%u byte)."
 
-#: lib/utils_device.c:720
+#: lib/utils_device.c:715
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Enhet %s är för liten. Behöver minst %<PRIu64> byte."
 
-#: lib/utils_device.c:801
+#: lib/utils_device.c:796
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Det går inte att använda enheten %s som redan används (redan mappad eller monterad)."
 
-#: lib/utils_device.c:805
+#: lib/utils_device.c:800
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Det går inte att använda enhet %s, behörighet nekad."
 
-#: lib/utils_device.c:808
+#: lib/utils_device.c:803
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Kan inte hämta information om enheten %s."
 
-#: lib/utils_device.c:831
+#: lib/utils_device.c:826
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Kan inte använda en loopback-enhet, kör som icke-root-användare."
 
-#: lib/utils_device.c:842
+#: lib/utils_device.c:837
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Misslyckades med att fästa loopback-enhet (kräver loop-enhet med flaggan autoclear)."
 
-#: lib/utils_device.c:890
+#: lib/utils_device.c:885
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Begärd offset är bortom faktiska enhetsstorleken för %s."
 
-#: lib/utils_device.c:898
+#: lib/utils_device.c:893
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Enheten %s har noll storlek."
 
-#: lib/utils_pbkdf.c:100
+#: lib/utils_pbkdf.c:103
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Begärd måltid för PBKDF kan inte vara noll."
 
-#: lib/utils_pbkdf.c:106
+#: lib/utils_pbkdf.c:109
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Okänd PBKDF-typ %s."
 
-#: lib/utils_pbkdf.c:111
+#: lib/utils_pbkdf.c:114
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Begärd hash %s stöds inte."
 
-#: lib/utils_pbkdf.c:122
+#: lib/utils_pbkdf.c:125
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Begärd PBKDF-typ stöds inte för LUKS1."
 
-#: lib/utils_pbkdf.c:128
+#: lib/utils_pbkdf.c:131
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Högsta minne för PBKDF eller parallella trådar får inte sättas med pbkdf2."
 
-#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
+#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Tvingad iterationsuppräkning är för liten för %s (minsta är %u)."
 
-#: lib/utils_pbkdf.c:148
+#: lib/utils_pbkdf.c:151
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Tvingad minneskostnad är för låg för %s (minimum är %u kilobyte)."
 
-#: lib/utils_pbkdf.c:155
+#: lib/utils_pbkdf.c:158
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Kostnaden för det begärda högsta minnet för PBKDF är för högt (maximum är %d kilobyte)."
 
-#: lib/utils_pbkdf.c:160
+#: lib/utils_pbkdf.c:163
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Högst begärt minne för PBKDF kan inte vara noll."
 
-#: lib/utils_pbkdf.c:164
+#: lib/utils_pbkdf.c:167
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Begärda parallella trådar för PBKDF kan inte vara noll."
 
-#: lib/utils_pbkdf.c:184
+#: lib/utils_pbkdf.c:187
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "Stöder endast PBKDF2 i FIPS-läge."
 
-#: lib/utils_benchmark.c:172
+#: lib/utils_benchmark.c:171
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "Prestandamätning för PBKDF är inaktiverad men iterationer är inte satt."
 
-#: lib/utils_benchmark.c:191
+#: lib/utils_benchmark.c:190
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Ej kompatibla PBKDF2-flaggor (använder hash-algoritmen %s)."
 
-#: lib/utils_benchmark.c:211
+#: lib/utils_benchmark.c:210
 msgid "Not compatible PBKDF options."
 msgstr "Ej kompatibla PBKDF2-flaggor."
 
-#: lib/utils_device_locking.c:102
+#: lib/utils_device_locking.c:88
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Låsningen avbruten. Låsningsökvägen %s/%s oanvändbar (inte en katalog eller saknas)."
 
-#: lib/utils_device_locking.c:109
-#, c-format
-msgid "Locking directory %s/%s will be created with default compiled-in permissions."
-msgstr "Rättigheterna för låskatalogen %s/%s kommer att skapas med inkompilerade standardvärden."
-
-#: lib/utils_device_locking.c:119
+#: lib/utils_device_locking.c:105
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Låsningen avbruten. Låsningsökvägen %s/%s oanvändbar (%s är inte en katalog)."
 
-#: lib/utils_wipe.c:154 lib/utils_wipe.c:225 src/utils_reencrypt_luks1.c:734
-#: src/utils_reencrypt_luks1.c:832
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
+#: src/utils_reencrypt_luks1.c:795
 msgid "Cannot seek to device offset."
 msgstr "Det går inte att söka till enhetsoffset."
 
-#: lib/utils_wipe.c:247
+#: lib/utils_wipe.c:236
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Fel vid radering av enhet, förskjutning %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:39
+#: lib/utils_wipe.c:331
+msgid "Incorrect OPAL PSID."
+msgstr "Felaktig OPAL PSID."
+
+#: lib/utils_wipe.c:333
+msgid "Cannot erase OPAL device."
+msgstr "Det går inte att radera OPAL-enhet."
+
+#: lib/luks1/keyencryption.c:26
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -779,109 +911,110 @@ msgstr ""
 "Misslyckades med att konfigurera nyckelmappning för dm-crypt för enheten %s. \n"
 "Kontrollera att kärnan har stöd för chiffret %s (kontrollera syslog för mer information)."
 
-#: lib/luks1/keyencryption.c:44
+#: lib/luks1/keyencryption.c:31
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Nyckelstorlek i XTS-läge måste vara en multipel av 256 eller 512 bitar."
 
-#: lib/luks1/keyencryption.c:46
+#: lib/luks1/keyencryption.c:33
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Chifferspecifikation ska vara i formatet [chiffer] - [läge] - [iv]."
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:674 lib/luks1/keymanage.c:1125
-#: lib/luks2/luks2_json_metadata.c:1421 lib/luks2/luks2_keyslot.c:714
+#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
+#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Kan inte skriva till enhet %s, behörighet nekad."
 
-#: lib/luks1/keyencryption.c:120
+#: lib/luks1/keyencryption.c:107
 msgid "Failed to open temporary keystore device."
 msgstr "Misslyckades med att öppna temporär nyckellagringsenhet."
 
-#: lib/luks1/keyencryption.c:127
+#: lib/luks1/keyencryption.c:114
 msgid "Failed to access temporary keystore device."
 msgstr "Misslyckades med att komma åt temporär nyckellagringsenhet."
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
-#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:192
+#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "In-/utfel vid kryptering av nyckelplats."
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
-#: lib/luks1/keymanage.c:627 lib/luks1/keymanage.c:677 lib/tcrypt/tcrypt.c:680
-#: lib/verity/verity.c:80 lib/verity/verity.c:196 lib/verity/verity_hash.c:320
-#: lib/verity/verity_hash.c:329 lib/verity/verity_hash.c:349
-#: lib/verity/verity_fec.c:260 lib/verity/verity_fec.c:272
-#: lib/verity/verity_fec.c:277 lib/luks2/luks2_json_metadata.c:1424
-#: src/utils_reencrypt_luks1.c:121 src/utils_reencrypt_luks1.c:133
+#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
+#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
+#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
+#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Det går inte att öppna enheten %s."
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
 msgid "IO error while decrypting keyslot."
 msgstr "In-/utfel vid dekryptering av nyckelplats."
 
-#: lib/luks1/keymanage.c:130
+#: lib/luks1/keymanage.c:117
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Enhet %s är för liten. (LUKS1 kräver minst %<PRIu64> byte.)"
 
-#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159
-#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182
-#: lib/luks1/keymanage.c:194
+#: lib/luks1/keymanage.c:138 lib/luks1/keymanage.c:146
+#: lib/luks1/keymanage.c:158 lib/luks1/keymanage.c:169
+#: lib/luks1/keymanage.c:181
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS-nyckelplats %u är ogiltig."
 
-#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1284
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Begärd säkerhetskopia %s av huvud finns redan."
 
-#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1286
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Det går inte att skapa säkerhetskopia för huvud %s."
 
-#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1293
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Det går inte skriva säkerhetskopia för huvud %s."
 
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1330
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Säkerhetskopian innehåller inte något giltigt LUKS-huvud."
 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:590
-#: lib/luks2/luks2_json_metadata.c:1351
+#: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
+#: lib/luks2/luks2_json_metadata.c:1445
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Det går inte att öppna säkerhetskopia för huvud %s."
 
-#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1359
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Det går inte att läsa säkerhetskopia för huvud %s."
 
-#: lib/luks1/keymanage.c:337
+#: lib/luks1/keymanage.c:326
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Dataoffset eller nyckelstorlek skiljer sig åt på enhet och säkerhetskopia. Återställningen misslyckades."
 
-#: lib/luks1/keymanage.c:345
+#: lib/luks1/keymanage.c:334
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Enhet %s %s%s"
 
-#: lib/luks1/keymanage.c:346
+#: lib/luks1/keymanage.c:335
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "innehåller inget LUKS-huvud. Ersättning av huvud kan förstöra data på enheten."
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:336
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "innehåller redan LUKS-huvud. Ersättningen av huvud kommer att förstöra befintliga nyckelplatser."
 
-#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1393
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -889,479 +1022,497 @@ msgstr ""
 "\n"
 "VARNING: verkligt enhetshuvud har annat UUID än säkerhetskopian!"
 
-#: lib/luks1/keymanage.c:395
+#: lib/luks1/keymanage.c:385
 msgid "Non standard key size, manual repair required."
 msgstr "Ej standardstorlek på nyckel, manuell reparation krävs."
 
-#: lib/luks1/keymanage.c:405
+#: lib/luks1/keymanage.c:395
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Ej standardjustering på nyckelplatser, manuell reparation krävs."
 
-#: lib/luks1/keymanage.c:414
+#: lib/luks1/keymanage.c:404
 #, c-format
 msgid "Cipher mode repaired (%s -> %s)."
 msgstr "Chifferläge reparerat (%s -> %s)."
 
-#: lib/luks1/keymanage.c:425
+#: lib/luks1/keymanage.c:415
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Chifferhash reparerad till gemener (%s)."
 
-#: lib/luks1/keymanage.c:427 lib/luks1/keymanage.c:533
-#: lib/luks1/keymanage.c:789
+#: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
+#: lib/luks1/keymanage.c:779
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Begärd LUKS-hash %s stöds inte."
 
-#: lib/luks1/keymanage.c:441
+#: lib/luks1/keymanage.c:431
 msgid "Repairing keyslots."
 msgstr "Reparerar nyckelplatser."
 
-#: lib/luks1/keymanage.c:460
+#: lib/luks1/keymanage.c:450
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Nyckelplats %i: reparerad offset (%u -> %u)."
 
-#: lib/luks1/keymanage.c:468
+#: lib/luks1/keymanage.c:458
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Nyckelplats %i: reparerade remsor (%u -> %u)."
 
-#: lib/luks1/keymanage.c:477
+#: lib/luks1/keymanage.c:467
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Nyckelplats %i: fejkpartitionssignatur."
 
-#: lib/luks1/keymanage.c:482
+#: lib/luks1/keymanage.c:472
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Nyckelplats %i: salt borttaget."
 
-#: lib/luks1/keymanage.c:499
+#: lib/luks1/keymanage.c:489
 msgid "Writing LUKS header to disk."
 msgstr "Skriver LUKS-huvud till disk."
 
-#: lib/luks1/keymanage.c:504
+#: lib/luks1/keymanage.c:494
 msgid "Repair failed."
 msgstr "Reparation misslyckades."
 
-#: lib/luks1/keymanage.c:559
+#: lib/luks1/keymanage.c:549
 #, c-format
 msgid "LUKS cipher mode %s is invalid."
 msgstr "LUKS-chifferläge %s är ogiltigt."
 
-#: lib/luks1/keymanage.c:564
+#: lib/luks1/keymanage.c:554
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr "LUKS-hash %s är ogiltig."
 
-#: lib/luks1/keymanage.c:571 src/cryptsetup.c:1144
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
 msgid "No known problems detected for LUKS header."
 msgstr "Inga kända problem identifierade för LUKS-huvud."
 
-#: lib/luks1/keymanage.c:699
+#: lib/luks1/keymanage.c:689
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Fel vid uppdatering av LUKS-huvud på enheten %s."
 
-#: lib/luks1/keymanage.c:707
+#: lib/luks1/keymanage.c:697
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Fel vid omläsning av LUKS-huvud efter uppdatering på enheten %s."
 
-#: lib/luks1/keymanage.c:783
+#: lib/luks1/keymanage.c:773
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Data-offset för fristående LUKS-huvud måste vara antingen 0 eller större än huvudstorleken."
 
-#: lib/luks1/keymanage.c:794 lib/luks1/keymanage.c:863
-#: lib/luks2/luks2_json_format.c:287 lib/luks2/luks2_json_metadata.c:1175
-#: src/utils_reencrypt.c:475
+#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:541
 msgid "Wrong LUKS UUID format provided."
 msgstr "Felaktigt LUKS-UUID-format angavs."
 
-#: lib/luks1/keymanage.c:816
+#: lib/luks1/keymanage.c:806
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Kan inte skapa LUKS-huvud: läsning av slumpmässigt salt misslyckades."
 
-#: lib/luks1/keymanage.c:842
+#: lib/luks1/keymanage.c:832
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Kan inte skapa LUKS-huvud: kontrollsumma för huvud misslyckades (använder hashen %s)."
 
-#: lib/luks1/keymanage.c:886
+#: lib/luks1/keymanage.c:876
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Nyckelplats %d är aktiv, rensa först."
 
-#: lib/luks1/keymanage.c:892
+#: lib/luks1/keymanage.c:882
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Nyckelplats %d material inkluderar för få remsor. Har huvudet manipulerats?"
 
-#: lib/luks1/keymanage.c:1033
+#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+msgid "PBKDF2 iteration value overflow."
+msgstr "PBKDF2-iterationsvärde spillde över."
+
+#: lib/luks1/keymanage.c:1027
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Det går inte att öppna nyckeplats (använder hash %s)."
 
-#: lib/luks1/keymanage.c:1111
+#: lib/luks1/keymanage.c:1105
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Nyckelplats %d är ogiltig. Välj en nyckelplats mellan 0 och %d."
 
-#: lib/luks1/keymanage.c:1129 lib/luks2/luks2_keyslot.c:718
+#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Kan inte rensa enheten %s."
 
-#: lib/loopaes/loopaes.c:146
+#: lib/loopaes/loopaes.c:133
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Identifierade en GPG-krypterad nyckelfil som ännu inte stöds."
 
-#: lib/loopaes/loopaes.c:147
+#: lib/loopaes/loopaes.c:134
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Använd gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- …\n"
 
-#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Identifierade inkompatibel loop-AES-nyckelfil."
 
-#: lib/loopaes/loopaes.c:245
+#: lib/loopaes/loopaes.c:232
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Kärnan stöder inte loop-AES-kompatibel mappning."
 
-#: lib/tcrypt/tcrypt.c:509
+#: lib/tcrypt/tcrypt.c:497
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Fel vid läsning av nyckelfil %s."
 
-#: lib/tcrypt/tcrypt.c:559
+#: lib/tcrypt/tcrypt.c:547
 #, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr "Högsta TCRYPT-lösenfraslängd (%zu) överskriden."
 
-#: lib/tcrypt/tcrypt.c:601
+#: lib/tcrypt/tcrypt.c:589
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "PBKDF2-hashalgoritm %s ej tillgänglig, hoppar över."
 
-#: lib/tcrypt/tcrypt.c:620 src/cryptsetup.c:1019
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
 msgid "Required kernel crypto interface not available."
 msgstr "Begärt kryptogränssnitt för kärnan inte tillgängligt."
 
-#: lib/tcrypt/tcrypt.c:622 src/cryptsetup.c:1021
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Försäkra dig om att kärnmodulen algif_skcipher är inläst."
 
-#: lib/tcrypt/tcrypt.c:763
+#: lib/tcrypt/tcrypt.c:751
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivering stöds inte för sektorstorlek %d."
 
-#: lib/tcrypt/tcrypt.c:769
+#: lib/tcrypt/tcrypt.c:757
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Kärnan stöder inte aktivering för detta föråldrade TCRYPT-läge."
 
-#: lib/tcrypt/tcrypt.c:800
+#: lib/tcrypt/tcrypt.c:788
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Aktiverar TCRYPT-systemkryptering för partition %s."
 
-#: lib/tcrypt/tcrypt.c:883
+#: lib/tcrypt/tcrypt.c:871
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Kärnan stöder inte TCRYPT-kompatibel mappning."
 
-#: lib/tcrypt/tcrypt.c:1096
+#: lib/tcrypt/tcrypt.c:1090
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Denna funktion stöds inte utan inläsning av TCRYPT-huvud."
 
-#: lib/bitlk/bitlk.c:275
+#: lib/bitlk/bitlk.c:265
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Oväntad metadatapost av typ ”%u” funnen vid tolkning av volymhuvudnyckel."
 
-#: lib/bitlk/bitlk.c:328
+#: lib/bitlk/bitlk.c:327
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Ogiltig sträng funnen vid tolkning av volymhuvudnyckel."
 
-#: lib/bitlk/bitlk.c:332
+#: lib/bitlk/bitlk.c:331
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Oväntad sträng (”%s”) funnen vid tolkning av volymhuvudnycklar som stöds."
 
-#: lib/bitlk/bitlk.c:349
+#: lib/bitlk/bitlk.c:351
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Oväntad metadatapostvärde av typ ”%u” funnen vid tolkning av volymhuvudnycklar som stöds."
 
-#: lib/bitlk/bitlk.c:451
+#: lib/bitlk/bitlk.c:453
 msgid "BITLK version 1 is currently not supported."
 msgstr "BITLK version 1 stöds ej för närvarande."
 
-#: lib/bitlk/bitlk.c:457
+#: lib/bitlk/bitlk.c:459
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Ogiltig eller okänd boot-signatur för BITLK-enhet."
 
-#: lib/bitlk/bitlk.c:469
+#: lib/bitlk/bitlk.c:471
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Stöder inte sektorstorleken %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:477
+#: lib/bitlk/bitlk.c:479
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Misslyckades med att läsa BITLK-huvud från %s."
 
-#: lib/bitlk/bitlk.c:502
+#: lib/bitlk/bitlk.c:504
 #, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
 msgstr "Misslyckades med att läsa BITLK FVE-metadata från %s."
 
-#: lib/bitlk/bitlk.c:554
+#: lib/bitlk/bitlk.c:555
 msgid "Unknown or unsupported encryption type."
 msgstr "Krypteringstypen är okänd eller stöds ej."
 
-#: lib/bitlk/bitlk.c:587
+#: lib/bitlk/bitlk.c:595
 #, c-format
 msgid "Failed to read BITLK metadata entries from %s."
 msgstr "Misslyckades med att läsa BITLK -metadataposter från %s."
 
-#: lib/bitlk/bitlk.c:681
+#: lib/bitlk/bitlk.c:712
 msgid "Failed to convert BITLK volume description"
 msgstr "Misslyckades med att konvertera BITLK-volymbeskrivning"
 
-#: lib/bitlk/bitlk.c:841
+#: lib/bitlk/bitlk.c:877
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Oväntad metadatapost av typ ”%u” funnen vid tolkning av extern nyckel."
 
-#: lib/bitlk/bitlk.c:860
+#: lib/bitlk/bitlk.c:900
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "BEK-filens GUID '%s' stämmer inte överens med GUID för volymen."
 
-#: lib/bitlk/bitlk.c:864
+#: lib/bitlk/bitlk.c:904
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Oväntad metadatapostvärde av typ ”%u” funnen vid tolkning av extern nyckel."
 
-#: lib/bitlk/bitlk.c:903
+#: lib/bitlk/bitlk.c:943
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Inget stöd för BEK metadata-version %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:908
+#: lib/bitlk/bitlk.c:948
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Oväntad BEK-metadatastorlek %<PRIu32> matchar inte BEK-fillängd"
 
-#: lib/bitlk/bitlk.c:933
+#: lib/bitlk/bitlk.c:974
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Oväntad metadatapost av typ ”%u” funnen vid tolkning av uppstartsnyckel."
 
-#: lib/bitlk/bitlk.c:1029
+#: lib/bitlk/bitlk.c:1069
 msgid "This operation is not supported."
 msgstr "Denna åtgärd stöds ej."
 
-#: lib/bitlk/bitlk.c:1037
+#: lib/bitlk/bitlk.c:1077
 msgid "Unexpected key data size."
 msgstr "Oväntad nyckeldatastorlek."
 
-#: lib/bitlk/bitlk.c:1163
+#: lib/bitlk/bitlk.c:1203
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Denna BITLK-enhet är i tillstånd som inte stöds och kan inte aktiveras."
 
-#: lib/bitlk/bitlk.c:1168
+#: lib/bitlk/bitlk.c:1208
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Det går inte att aktivera BITLK-enheter av typen ”%s”."
 
-#: lib/bitlk/bitlk.c:1175
+#: lib/bitlk/bitlk.c:1215
 msgid "Activation of partially decrypted BITLK device is not supported."
 msgstr "Aktivering av delvis avkrypterade BITLK-enheter stöds ej."
 
-#: lib/bitlk/bitlk.c:1216
+#: lib/bitlk/bitlk.c:1256
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "VARNING: BitLocker-volymstorlek %<PRIu64> överensstämmer inte med underliggande enhetstorlek %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1343
+#: lib/bitlk/bitlk.c:1383
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Det går inte att aktivera enheten, kärnan dm-crypt saknar stöd för BITLK IV."
 
-#: lib/bitlk/bitlk.c:1347
+#: lib/bitlk/bitlk.c:1387
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Det går inte att aktivera enheten, kärnan dm-crypt saknar stöd för BITLK Elephant diffuser."
 
-#: lib/bitlk/bitlk.c:1351
+#: lib/bitlk/bitlk.c:1391
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Det går inte att aktivera enheten, kärnan dm-crypt saknar stöd för stor sektorstorlek."
 
-#: lib/bitlk/bitlk.c:1355
+#: lib/bitlk/bitlk.c:1395
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Det går inte att aktivera enheten, kärnmodulen dm-zero saknas."
 
-#: lib/verity/verity.c:68 lib/verity/verity.c:182
+#: lib/fvault2/fvault2.c:529
+#, c-format
+msgid "Could not read %u bytes of volume header."
+msgstr "Det går inte att läsa %u byte från volymhuvudet."
+
+#: lib/fvault2/fvault2.c:541
+#, c-format
+msgid "Unsupported FVAULT2 version %<PRIu16>."
+msgstr "Stöder inte FVAULT2-version %<PRIu16>."
+
+#: lib/verity/verity.c:55 lib/verity/verity.c:169
 #, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr "Verity-enheten %s använder inte huvud på disk."
 
-#: lib/verity/verity.c:96
+#: lib/verity/verity.c:83
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "VERITY-versionen %d stöds inte."
 
-#: lib/verity/verity.c:131
+#: lib/verity/verity.c:118
 msgid "VERITY header corrupted."
 msgstr "VERITY-huvud är skadat."
 
-#: lib/verity/verity.c:176
+#: lib/verity/verity.c:163
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Felaktigt VERITY-UUID-format angivet på enhet %s."
 
-#: lib/verity/verity.c:220
+#: lib/verity/verity.c:207
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Fel vid uppdatering av verity-huvud på enheten %s."
 
-#: lib/verity/verity.c:278
+#: lib/verity/verity.c:261
 msgid "Root hash signature verification is not supported."
 msgstr "Begärd hashsignaturverifiering %s stöds inte."
 
-#: lib/verity/verity.c:290
+#: lib/verity/verity.c:266
+msgid "Root hash signature required."
+msgstr "Root-hashsignatur krävs."
+
+#: lib/verity/verity.c:281
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Det går inte reparera fel med FEC-enhet."
 
-#: lib/verity/verity.c:292
+#: lib/verity/verity.c:283
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Fann %u reparerbara fel med FEC-enhet."
 
-#: lib/verity/verity.c:335
+#: lib/verity/verity.c:364
 msgid "Kernel does not support dm-verity mapping."
 msgstr "Kärnan stöder inte dm-verity-mappning."
 
-#: lib/verity/verity.c:339
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity signature option."
 msgstr "Kärnan stöder inte flaggan för dm-verity-signatur."
 
-#: lib/verity/verity.c:350
+#: lib/verity/verity.c:379
 msgid "Verity device detected corruption after activation."
 msgstr "Verity-enhet identifierades som skadad efter aktivering."
 
-#: lib/verity/verity_hash.c:66
+#: lib/verity/verity_hash.c:53
 #, c-format
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Ledigt utrymme är inte nollställt vid position %<PRIu64>."
 
-#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
-#: lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
+#: lib/verity/verity_hash.c:298
 msgid "Device offset overflow."
 msgstr "Enhets-offset spillde över."
 
-#: lib/verity/verity_hash.c:218
+#: lib/verity/verity_hash.c:205
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Verifiering misslyckades vid %<PRIu64>."
 
-#: lib/verity/verity_hash.c:307
+#: lib/verity/verity_hash.c:294
 msgid "Hash area overflow."
 msgstr "Hash-området spillde över."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:367
 msgid "Verification of data area failed."
 msgstr "Misslyckades med verifiering av dataområde."
 
-#: lib/verity/verity_hash.c:385
+#: lib/verity/verity_hash.c:372
 msgid "Verification of root hash failed."
 msgstr "Misslyckades med verifiering av rot-hash."
 
-#: lib/verity/verity_hash.c:391
+#: lib/verity/verity_hash.c:378
 msgid "Input/output error while creating hash area."
 msgstr "In-/utdatafel vid skapandet av hashområde."
 
-#: lib/verity/verity_hash.c:393
+#: lib/verity/verity_hash.c:380
 msgid "Creation of hash area failed."
 msgstr "Misslyckades med skapandet av hashområde."
 
-#: lib/verity/verity_hash.c:428
+#: lib/verity/verity_hash.c:415
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "VARNING: Kärnan kan inte aktivera enhet om datablockstorleken överskrider sidstorlek (%u)."
 
-#: lib/verity/verity_fec.c:131
+#: lib/verity/verity_fec.c:118
 msgid "Failed to allocate RS context."
 msgstr "Misslyckades med att öppna RS-kontext."
 
-#: lib/verity/verity_fec.c:149
+#: lib/verity/verity_fec.c:136
 msgid "Failed to allocate buffer."
 msgstr "Misslyckades med att allokera buffert."
 
-#: lib/verity/verity_fec.c:159
+#: lib/verity/verity_fec.c:146
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Misslyckades med att läsa RS block %<PRIu64> byte %d."
 
-#: lib/verity/verity_fec.c:172
+#: lib/verity/verity_fec.c:159
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Misslyckades med att skriva paritet för RS block %<PRIu64>."
 
-#: lib/verity/verity_fec.c:180
+#: lib/verity/verity_fec.c:167
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Misslyckades med att skriva paritet för RS block %<PRIu64>."
 
-#: lib/verity/verity_fec.c:192
+#: lib/verity/verity_fec.c:179
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Misslyckades med att skriva paritet för RS block %<PRIu64>."
 
-#: lib/verity/verity_fec.c:208
+#: lib/verity/verity_fec.c:195
 msgid "Block sizes must match for FEC."
 msgstr "Blockstorlekar måste matcha för FEC."
 
-#: lib/verity/verity_fec.c:214
+#: lib/verity/verity_fec.c:201
 msgid "Invalid number of parity bytes."
 msgstr "Ogiltigt antal paritet-byte."
 
-#: lib/verity/verity_fec.c:248
+#: lib/verity/verity_fec.c:235
 msgid "Invalid FEC segment length."
 msgstr "Ogiltig FEC-segmentlängd."
 
-#: lib/verity/verity_fec.c:316
+#: lib/verity/verity_fec.c:303
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Misslyckades med att bestämma storlek för enhet %s."
 
-#: lib/integrity/integrity.c:57
+#: lib/integrity/integrity.c:44
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Inkompatibel kärnmetadata dm-integrity (version %u) identifierad på %s."
 
-#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:379
+#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "Kärnan stöder inte dm-integrity-mappning."
 
-#: lib/integrity/integrity.c:283
+#: lib/integrity/integrity.c:270
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "Kärnan stöder inte fast metadataförskjutning för dm-integrity."
 
-#: lib/integrity/integrity.c:292
+#: lib/integrity/integrity.c:279
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Kärnan tillåter inte att den osäkra flaggan recalculate aktiveras (se föråldrade aktiveringsflaggor för att åsidosätta)."
 
-#: lib/luks2/luks2_disk_metadata.c:393 lib/luks2/luks2_json_metadata.c:1133
-#: lib/luks2/luks2_json_metadata.c:1413
+#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1507
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Misslyckades med att få skrivlås på enheten %s."
 
-#: lib/luks2/luks2_disk_metadata.c:402
+#: lib/luks2/luks2_disk_metadata.c:388
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Identifierade samtidiga försök att uppdatera LUKS2-metadata. Avbryter åtgärden."
 
-#: lib/luks2/luks2_disk_metadata.c:701 lib/luks2/luks2_disk_metadata.c:722
+#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1369,49 +1520,59 @@ msgstr ""
 "Enheten innehåller tvetydiga signaturer, det går inte att automatiskt återhämta LUKS2.\n"
 "Kör ”cryptsetup repair” för återhämtning."
 
-#: lib/luks2/luks2_json_format.c:230
+#: lib/luks2/luks2_json_format.c:218
+#, c-format
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr "VARNING: nyckelplatsområdet (%<PRIu64> byte) är väldigt liten, tillgängligt LUKS2-nyckelplatsantal är väldigt begränsat.\n"
+
+#: lib/luks2/luks2_json_format.c:417
 msgid "Requested data offset is too small."
 msgstr "Begärd dataoff för liten."
 
-#: lib/luks2/luks2_json_format.c:275
+#: lib/luks2/luks2_json_format.c:458
 #, c-format
-msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
-msgstr "VARNING: nyckelplatsområdet (%<PRIu64> byte) är väldigt liten, tillgängligt LUKS2-nyckelplatsantal är väldigt begränsat.\n"
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr "VARNING: storlek på LUKS2-metadata ändrades till %<PRIu64> byte.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1120 lib/luks2/luks2_json_metadata.c:1258
-#: lib/luks2/luks2_json_metadata.c:1319 lib/luks2/luks2_keyslot_luks2.c:92
-#: lib/luks2/luks2_keyslot_luks2.c:114
+#: lib/luks2/luks2_json_format.c:462
+#, c-format
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr "VARNING: storlek på LUKS2-nyckelplatsområde ändrades till %<PRIu64> byte.\n"
+
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:103
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Misslyckades med att erhålla läslås på enheten %s."
 
-#: lib/luks2/luks2_json_metadata.c:1336
+#: lib/luks2/luks2_json_metadata.c:1430
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Förbjudna LUKS2-krav identifierade i säkerhetskopian %s."
 
-#: lib/luks2/luks2_json_metadata.c:1377
+#: lib/luks2/luks2_json_metadata.c:1471
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Dataoffset skiljer sig på enhet och säkerhetskopia. Återställningen misslyckades."
 
-#: lib/luks2/luks2_json_metadata.c:1383
+#: lib/luks2/luks2_json_metadata.c:1477
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Binärhuvud med nyckelstorlek skiljer sig på enhet och säkerhetskopia. Återställningen misslyckades."
 
-#: lib/luks2/luks2_json_metadata.c:1390
+#: lib/luks2/luks2_json_metadata.c:1484
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Enhet %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1391
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "innehåller inget LUKS2-huvud. Ersättning av huvud kan förstöra data på enheten."
 
-#: lib/luks2/luks2_json_metadata.c:1392
+#: lib/luks2/luks2_json_metadata.c:1486
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "innehåller redan LUKS2-huvud. Ersättningen av huvud kommer att förstöra befintliga nyckelplatser."
 
-#: lib/luks2/luks2_json_metadata.c:1394
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1421,7 +1582,7 @@ msgstr ""
 "VARNING:okända LUKS2-krav identifierade i huvudet för riktig enhet!\n"
 "Att ersätta huvudet med en säkerhetskopia kan göra data korrupt på enheten!"
 
-#: lib/luks2/luks2_json_metadata.c:1396
+#: lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1431,466 +1592,558 @@ msgstr ""
 "VARNING:Oavslutad frånkopplade kryptering identifierad på enheten!\n"
 "Att ersätta huvudet med en säkerhetskopia kan orsaka korrupt data."
 
-#: lib/luks2/luks2_json_metadata.c:1494
+#: lib/luks2/luks2_json_metadata.c:1587
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Ignorerade okänd flagga %s."
 
-#: lib/luks2/luks2_json_metadata.c:2402 lib/luks2/luks2_reencrypt.c:2015
+#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Saknar nyckel för dm-crypt-segmentet %u"
 
-#: lib/luks2/luks2_json_metadata.c:2414 lib/luks2/luks2_reencrypt.c:2029
+#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
 msgid "Failed to set dm-crypt segment."
 msgstr "Misslyckades med att läsa dm-crypt-segment."
 
-#: lib/luks2/luks2_json_metadata.c:2420 lib/luks2/luks2_reencrypt.c:2035
+#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
 msgid "Failed to set dm-linear segment."
 msgstr "Misslyckades med att läsa dm-linear-segment."
 
-#: lib/luks2/luks2_json_metadata.c:2547
+#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+msgid "No known cipher specification pattern detected in LUKS2 header."
+msgstr "Inget känt chifferspecifikationsmönster kunde identifieras i LUKS2-huvudet."
+
+#: lib/luks2/luks2_json_metadata.c:2657
+msgid "OPAL device must have static device size."
+msgstr "OPAL-enheten måste ha en statisk enhetsstorlek."
+
+#: lib/luks2/luks2_json_metadata.c:2677
+msgid "Encrypted OPAL device with integrity must be smaller than locking range."
+msgstr "Krypterad OPAL-enhet med integritet måste vara mindre än låsområdet."
+
+#: lib/luks2/luks2_json_metadata.c:2682
+msgid "OPAL device must have same size as locking range."
+msgstr "OPAL-enheten måste ha samma storlek som låsområdet."
+
+#: lib/luks2/luks2_json_metadata.c:2702
+#, c-format
+msgid "OPAL device is %s already unlocked.\n"
+msgstr "OPAL-enheten %s är redan upplåst.\n"
+
+#: lib/luks2/luks2_json_metadata.c:2735
 msgid "Unsupported device integrity configuration."
 msgstr "Integritetskonfiguration som ej stöds på enheten."
 
-#: lib/luks2/luks2_json_metadata.c:2633
+#: lib/luks2/luks2_json_metadata.c:2751
+msgid "Underlying dm-integrity device with unexpected provided data sectors."
+msgstr "Underliggande dm-integrity-enhet med oväntade tillhandahållna datasektorer."
+
+#: lib/luks2/luks2_json_metadata.c:2846
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Omkryptering pågår. Det går inte att inaktivera enhet."
 
-#: lib/luks2/luks2_json_metadata.c:2644 lib/luks2/luks2_reencrypt.c:4057
+#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Misslyckades med att ersätta inaktiverad enhet %s med målet dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2724
+#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#, c-format
+msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
+msgstr "Enheten %s avaktiverades men hårdvaran OPAL-enheten kan inte låsas."
+
+#: lib/luks2/luks2_json_metadata.c:2967
 msgid "Failed to read LUKS2 requirements."
 msgstr "Misslyckades med att läsa LUKS2-krav."
 
-#: lib/luks2/luks2_json_metadata.c:2731
+#: lib/luks2/luks2_json_metadata.c:2974
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Ej uppfyllt LUKS2-krav identifierat."
 
-#: lib/luks2/luks2_json_metadata.c:2739
+#: lib/luks2/luks2_json_metadata.c:2982
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Åtgärden inkompatibel med enhet markerad för föråldrad omkryptering. Avbryter."
 
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/luks2/luks2_json_metadata.c:2984
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Åtgärden inkompatibel med enhet markerad för LUKS2-omkryptering. Avbryter."
 
-#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:600
+#: lib/luks2/luks2_json_metadata.c:2986
+msgid "Operation incompatible with device using OPAL. Aborting."
+msgstr "Åtgärden inkompatibel med enhet som använder OPAL. Avbryter."
+
+#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
 msgid "Not enough available memory to open a keyslot."
 msgstr "Inte nog med minne för att öppna en nyckelplats."
 
-#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:602
+#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
 msgid "Keyslot open failed."
 msgstr "Misslyckades med att öppna nyckelplats."
 
-#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Det går inte att använda %s-%s-chiffer för nyckelplatskryptering."
 
-#: lib/luks2/luks2_keyslot_luks2.c:496
-msgid "No space for new keyslot."
-msgstr "Inget utrymme för ny nyckelplats."
-
-#: lib/luks2/luks2_keyslot_reenc.c:443 lib/luks2/luks2_reencrypt.c:2615
+#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Hashalgoritm %s är inte tillgänglig."
 
-#: lib/luks2/luks2_keyslot_reenc.c:593
+#: lib/luks2/luks2_keyslot_luks2.c:358
+msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+msgstr "Varning: keyslot-operationen kan misslyckas eftersom den kräver mer än tillgängligt minne.\n"
+
+#: lib/luks2/luks2_keyslot_luks2.c:507
+msgid "No space for new keyslot."
+msgstr "Inget utrymme för ny nyckelplats."
+
+#: lib/luks2/luks2_keyslot_reenc.c:583
 msgid "Invalid reencryption resilience mode change requested."
 msgstr "Begärde ogiltigt återhämtningsläge för omkryptering."
 
-#: lib/luks2/luks2_keyslot_reenc.c:714
+#: lib/luks2/luks2_keyslot_reenc.c:704
 #, c-format
 msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
 msgstr "Det går inte att uppdatera återhämtningstup. Ny typ tillhandahåller %<PRIu64> byte,  begärt utrymme är: %<PRIu64> byte."
 
-#: lib/luks2/luks2_keyslot_reenc.c:724
+#: lib/luks2/luks2_keyslot_reenc.c:714
 msgid "Failed to refresh reencryption verification digest."
 msgstr "Misslyckades med att sammandrag för omkrypteringsverifikation."
 
-#: lib/luks2/luks2_luks1_convert.c:512
+#: lib/luks2/luks2_luks1_convert.c:532
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Det går inte kontrollera status för enheten med uuid: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:538
+#: lib/luks2/luks2_luks1_convert.c:558
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Det går inte att konvertera huvud med ytterligare metadata för LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:569 lib/luks2/luks2_reencrypt.c:3715
+#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Det går inte att använda chiffer-spefikationen %s-%s för LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:584
+#: lib/luks2/luks2_luks1_convert.c:604
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Kunde inte flytta nyckelplatsområde. Inte nog med utrymme."
 
-#: lib/luks2/luks2_luks1_convert.c:619
+#: lib/luks2/luks2_luks1_convert.c:643
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Det går inte att konvertera till LUKS2-format - ogiltig metadata."
 
-#: lib/luks2/luks2_luks1_convert.c:636
+#: lib/luks2/luks2_luks1_convert.c:660
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Kunde inte flytta nyckelplatsområde. Området för LUKS2-nyckelplatser är för litet."
 
-#: lib/luks2/luks2_luks1_convert.c:642 lib/luks2/luks2_luks1_convert.c:936
+#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
 msgid "Unable to move keyslot area."
 msgstr "Kunde inte flytta nyckelplatsområde."
 
-#: lib/luks2/luks2_luks1_convert.c:732
+#: lib/luks2/luks2_luks1_convert.c:756
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Det går inte att konvertera till LUKS1-format - standardkrypteringstorleken är inte 512 byte."
 
-#: lib/luks2/luks2_luks1_convert.c:740
+#: lib/luks2/luks2_luks1_convert.c:764
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Det går inte att konvertera till LUKS1-format - kontrollsummor för nyckelplatser är inte LUKS1-kompatibla."
 
-#: lib/luks2/luks2_luks1_convert.c:752
+#: lib/luks2/luks2_luks1_convert.c:776
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Det går inte att konvertera till LUKS1-format - enheterna använder inbäddat nyckelchiffer %s."
 
-#: lib/luks2/luks2_luks1_convert.c:757
+#: lib/luks2/luks2_luks1_convert.c:781
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Det går inte att konvertera till LUKS1-format - enheten använder flera segment."
 
-#: lib/luks2/luks2_luks1_convert.c:765
+#: lib/luks2/luks2_luks1_convert.c:789
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Det går inte att konvertera till LUKS1-format - LUKS2-huvud innehåller %u token."
 
-#: lib/luks2/luks2_luks1_convert.c:779
+#: lib/luks2/luks2_luks1_convert.c:803
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Det går inte att konvertera till LUKS1-format - nyckelplats %u är i ogiltigt tillstånd."
 
-#: lib/luks2/luks2_luks1_convert.c:784
+#: lib/luks2/luks2_luks1_convert.c:808
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Det går inte att konvertera till LUKS1-format - plats %u (av maximalt antal platser) är fortfarande aktiv."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Det går inte att konvertera till LUKS1-format - nyckelplats %u är inte LUKS1-kompatibel."
 
-#: lib/luks2/luks2_reencrypt.c:1107
+#: lib/luks2/luks2_reencrypt.c:1183
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Hotzone-storleken måste vara en multipel av beräknad zonjustering (%zu-byte)."
 
-#: lib/luks2/luks2_reencrypt.c:1112
+#: lib/luks2/luks2_reencrypt.c:1188
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Enhetsstorleken måste vara en multipel av beräknad zonstorlek (%zu byte)."
 
-#: lib/luks2/luks2_reencrypt.c:1319 lib/luks2/luks2_reencrypt.c:1505
-#: lib/luks2/luks2_reencrypt.c:1588 lib/luks2/luks2_reencrypt.c:1630
-#: lib/luks2/luks2_reencrypt.c:3852
+#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
+#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
+#: lib/luks2/luks2_reencrypt.c:3956
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Misslyckades med att initiera gammal segmentlagringsinbäddning."
 
-#: lib/luks2/luks2_reencrypt.c:1333 lib/luks2/luks2_reencrypt.c:1483
+#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Misslyckades med att initiera ny segmentlagringsinbäddning."
 
-#: lib/luks2/luks2_reencrypt.c:1460 lib/luks2/luks2_reencrypt.c:3864
+#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
 msgid "Failed to initialize hotzone protection."
 msgstr "Misslyckades med att initiera skydd av hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1532
+#: lib/luks2/luks2_reencrypt.c:1609
 msgid "Failed to read checksums for current hotzone."
 msgstr "Misslyckades med att läsa kontrollsummor från aktuell varm zon."
 
-#: lib/luks2/luks2_reencrypt.c:1539 lib/luks2/luks2_reencrypt.c:3878
+#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Misslyckades med att läsa område för varm zon med början %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1558
+#: lib/luks2/luks2_reencrypt.c:1635
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Misslyckades med att dekryptera sektor %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1564
+#: lib/luks2/luks2_reencrypt.c:1641
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Misslyckades med återhämta sektor %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2128
+#: lib/luks2/luks2_reencrypt.c:2205
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Käll- och målenhetstorlekar stämmer inte överens. Källa %<PRIu64>, mål: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2226
+#: lib/luks2/luks2_reencrypt.c:2303
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Misslyckades med att aktivera varm zon-enhet %s."
 
-#: lib/luks2/luks2_reencrypt.c:2243
+#: lib/luks2/luks2_reencrypt.c:2320
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Misslyckades med att aktivera överlagringsenheten %s med aktuell ursprungstabell."
 
-#: lib/luks2/luks2_reencrypt.c:2250
+#: lib/luks2/luks2_reencrypt.c:2327
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Misslyckades med att läsa in ny mappning för enhet %s."
 
-#: lib/luks2/luks2_reencrypt.c:2321
+#: lib/luks2/luks2_reencrypt.c:2398
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Misslyckades med att uppdatera listan över omkrypteringsenheter."
 
-#: lib/luks2/luks2_reencrypt.c:2497
+#: lib/luks2/luks2_reencrypt.c:2598
 msgid "Failed to set new keyslots area size."
 msgstr "Misslyckades med att sätta en ny storlek på nyckelplatsområdet."
 
-#: lib/luks2/luks2_reencrypt.c:2633
+#: lib/luks2/luks2_reencrypt.c:2734
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Dataskiftning är inte justerad till krypteringssektorstorlek (%<PRIu32> byte)."
 
-#: lib/luks2/luks2_reencrypt.c:2664
+#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Stöder inte motståndsläge %s"
 
-#: lib/luks2/luks2_reencrypt.c:2741
+#: lib/luks2/luks2_reencrypt.c:2808
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Flyttat segmentstorlek kan inte vara större än dataskift-värdet."
 
-#: lib/luks2/luks2_reencrypt.c:2799
+#: lib/luks2/luks2_reencrypt.c:2850
+msgid "Invalid reencryption resilience parameters."
+msgstr "Ogiltiga parametrar för omkrypteringsmotstånd."
+
+#: lib/luks2/luks2_reencrypt.c:2872
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Flyttat segment för stor. Begärd storlek %<PRIu64>, tillgänglig storlek för: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2886
+#: lib/luks2/luks2_reencrypt.c:2959
 msgid "Failed to clear table."
 msgstr "Misslyckades med att rensa tabellen."
 
-#: lib/luks2/luks2_reencrypt.c:2972
+#: lib/luks2/luks2_reencrypt.c:3045
 msgid "Reduced data size is larger than real device size."
 msgstr "Minskad datastorlek är större än den riktiga enhetsstorleken."
 
-#: lib/luks2/luks2_reencrypt.c:2979
+#: lib/luks2/luks2_reencrypt.c:3052
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Dataenhet är inte justerad till krypteringssektorstorlek (%<PRIu32> byte)."
 
-#: lib/luks2/luks2_reencrypt.c:3013
+#: lib/luks2/luks2_reencrypt.c:3086
 #, c-format
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Dataskiftning (%<PRIu64> sektorer) är mindre än framtida dataförskjutning (%<PRIu64> sektorer)."
 
-#: lib/luks2/luks2_reencrypt.c:3020 lib/luks2/luks2_reencrypt.c:3508
-#: lib/luks2/luks2_reencrypt.c:3529
+#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
+#: lib/luks2/luks2_reencrypt.c:3612
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Misslyckades med att öppna %s i exklusivt läge (redan mappad eller monterad)."
 
-#: lib/luks2/luks2_reencrypt.c:3209
+#: lib/luks2/luks2_reencrypt.c:3282
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Enheten är inte markerad för LUKS2-omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:3226 lib/luks2/luks2_reencrypt.c:4181
+#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Misslyckades med att läsa in LUKS2-omkrypteringskontext."
 
-#: lib/luks2/luks2_reencrypt.c:3306
+#: lib/luks2/luks2_reencrypt.c:3389
 msgid "Failed to get reencryption state."
 msgstr "Misslyckades med att erhålla status för omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:3310 lib/luks2/luks2_reencrypt.c:3624
+#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
 msgid "Device is not in reencryption."
 msgstr "Enheten är inte i omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:3317 lib/luks2/luks2_reencrypt.c:3631
+#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
 msgid "Reencryption process is already running."
 msgstr "Omkrypteringsprocessen pågår redan."
 
-#: lib/luks2/luks2_reencrypt.c:3319 lib/luks2/luks2_reencrypt.c:3633
+#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
 msgid "Failed to acquire reencryption lock."
 msgstr "Misslyckades med att erhålla skrivlås för omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:3337
+#: lib/luks2/luks2_reencrypt.c:3420
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Det går inte att fortsätta med omkryptering. Kör återställning av omkryptering först."
 
-#: lib/luks2/luks2_reencrypt.c:3472
+#: lib/luks2/luks2_reencrypt.c:3555
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Aktiv enhetsstorlek och begärd omkrypteringsstorlek skiljer sig åt."
 
-#: lib/luks2/luks2_reencrypt.c:3486
+#: lib/luks2/luks2_reencrypt.c:3569
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Ogiltig enhetsstorlek begärd i omkrypteringsparametrarna."
 
-#: lib/luks2/luks2_reencrypt.c:3563
+#: lib/luks2/luks2_reencrypt.c:3646
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Omkryptering pågår redan. Det går inte att utföra återhämtning."
 
-#: lib/luks2/luks2_reencrypt.c:3732
+#: lib/luks2/luks2_reencrypt.c:3814
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "LUKS2-omkryptering är redan initierad i metadata."
 
-#: lib/luks2/luks2_reencrypt.c:3739
+#: lib/luks2/luks2_reencrypt.c:3821
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Misslyckades med att initiera LUKS2-omkryptering i metadata."
 
-#: lib/luks2/luks2_reencrypt.c:3834
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+msgid "Reencryption is not supported for DAX (persistent memory) devices."
+msgstr "Omkryptering stöds inte för DAX-enheter (persistent minne)."
+
+#: lib/luks2/luks2_reencrypt.c:3881
+msgid "Failed to read passphrase from keyring."
+msgstr "Misslyckades med att läsa lösenfras från nyckelring."
+
+#: lib/luks2/luks2_reencrypt.c:3938
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Misslyckades med sätta enhetssegment för nästa varm zon-omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:3886
+#: lib/luks2/luks2_reencrypt.c:3990
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Misslyckades med att skriva motståndsmetadata för omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:3893
+#: lib/luks2/luks2_reencrypt.c:3997
 msgid "Decryption failed."
 msgstr "Avkryptering misslyckades."
 
-#: lib/luks2/luks2_reencrypt.c:3898
+#: lib/luks2/luks2_reencrypt.c:4002
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Misslyckades med att skriva område för varm zon med början vid %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3903
+#: lib/luks2/luks2_reencrypt.c:4007
 msgid "Failed to sync data."
 msgstr "Misslyckades med att synkronisera data."
 
-#: lib/luks2/luks2_reencrypt.c:3911
+#: lib/luks2/luks2_reencrypt.c:4015
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Misslyckades med att uppdatera metadata efter aktuell varm zon för omkrypteringär färdigställd."
 
-#: lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4104
 msgid "Failed to write LUKS2 metadata."
 msgstr "Misslyckades med att skriva LUKS2-metadata."
 
-#: lib/luks2/luks2_reencrypt.c:4023
+#: lib/luks2/luks2_reencrypt.c:4127
 msgid "Failed to wipe unused data device area."
 msgstr "Misslyckades med att radera oanvänt område på dataenheten."
 
-#: lib/luks2/luks2_reencrypt.c:4029
+#: lib/luks2/luks2_reencrypt.c:4133
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Misslyckades med att ta bort oanvänd (obunden) nyckelplats %d."
 
-#: lib/luks2/luks2_reencrypt.c:4039
+#: lib/luks2/luks2_reencrypt.c:4143
 msgid "Failed to remove reencryption keyslot."
 msgstr "Misslyckades med att ta bort nyckelplats för omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:4049
+#: lib/luks2/luks2_reencrypt.c:4153
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Ödesdigert fel vid omkrypteringschunk med start vid %<PRIu64>, %<PRIu64> sektorer lång."
 
-#: lib/luks2/luks2_reencrypt.c:4053
+#: lib/luks2/luks2_reencrypt.c:4157
 msgid "Online reencryption failed."
 msgstr "Misslyckades med omkryptering."
 
-#: lib/luks2/luks2_reencrypt.c:4058
+#: lib/luks2/luks2_reencrypt.c:4162
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Återuppta inte enheten om inte den ersatts med felmål manuellt."
 
-#: lib/luks2/luks2_reencrypt.c:4112
+#: lib/luks2/luks2_reencrypt.c:4214
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Det går inte att fortsätta med omkryptering. Oväntat omkrypteringsläge."
 
-#: lib/luks2/luks2_reencrypt.c:4118
+#: lib/luks2/luks2_reencrypt.c:4220
 msgid "Missing or invalid reencrypt context."
 msgstr "Saknat eller ogiltigt omkrypteringskontext."
 
-#: lib/luks2/luks2_reencrypt.c:4125
+#: lib/luks2/luks2_reencrypt.c:4227
 msgid "Failed to initialize reencryption device stack."
 msgstr "Misslyckades med att initiera listan för omkrypteringsenheter."
 
-#: lib/luks2/luks2_reencrypt.c:4147 lib/luks2/luks2_reencrypt.c:4194
+#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
 msgid "Failed to update reencryption context."
 msgstr "Misslyckades med att uppdatera omkrypteringskontext."
 
-#: lib/luks2/luks2_reencrypt_digest.c:406
+#: lib/luks2/luks2_reencrypt_digest.c:408
 msgid "Reencryption metadata is invalid."
 msgstr "Omkryperingsmetadata är ogiltigt."
 
-#: src/cryptsetup.c:85
+#: lib/luks2/hw_opal/hw_opal.c:328
+#, c-format
+msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
+msgstr "OPAL-omfång %d förskjutning %<PRIu64> överensstämmer inte förväntade värden %<PRIu64>."
+
+#: lib/luks2/hw_opal/hw_opal.c:335
+#, c-format
+msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
+msgstr "OPAL-omfång %d längd %<PRIu64> överensstämmer inte med underliggande enhetslängd %<PRIu64>."
+
+#: lib/luks2/hw_opal/hw_opal.c:341
+#, c-format
+msgid "OPAL range %d locking is disabled."
+msgstr "OPAL range %d låsning är inaktiverad."
+
+#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#, c-format
+msgid "Unexpected OPAL range %d lock state."
+msgstr "Oväntat låsstatus för OPAL-område %d."
+
+#: src/cryptsetup.c:80
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Krypteringsparametrar för nyckelplatser stöds endast av LUKS2-enheter."
 
-#: src/cryptsetup.c:108
+#: src/cryptsetup.c:123 src/cryptsetup.c:2238
 #, c-format
-msgid "Enter token PIN:"
-msgstr "Ange token-PIN:"
+msgid "Enter token PIN: "
+msgstr "Ange token-PIN: "
 
-#: src/cryptsetup.c:110
+#: src/cryptsetup.c:125 src/cryptsetup.c:2240
 #, c-format
-msgid "Enter token %d PIN:"
-msgstr "Ange token-PIN %d :"
+msgid "Enter token %d PIN: "
+msgstr "Ange token-PIN %d : "
 
-#: src/cryptsetup.c:159 src/cryptsetup.c:966 src/cryptsetup.c:1293
-#: src/utils_reencrypt.c:1048 src/utils_reencrypt_luks1.c:517
-#: src/utils_reencrypt_luks1.c:580
+#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
+#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
+#: src/utils_reencrypt_luks1.c:567
 msgid "No known cipher specification pattern detected."
 msgstr "Inget känt chifferspecifikationsmönster kunde identifieras."
 
-#: src/cryptsetup.c:167
+#: src/cryptsetup.c:193
+#, c-format
+msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
+msgstr "VARNING: Använder standardalternativ för chiffer (%s-%s, nyckelstorlek %u bitar) som kan vara inkompatibla med äldre versioner."
+
+#: src/cryptsetup.c:198
+#, c-format
+msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
+msgstr "VARNING: Använder standardalternativ för hash (%s) som kan vara inkompatibla med äldre versioner."
+
+#: src/cryptsetup.c:202
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
+msgstr "I vanligt läge ska du alltid använda alternativen --cipher, --key-size och om ingen nyckelfil används, även --hash."
+
+#: src/cryptsetup.c:208
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "VARNING: parametern --hash ignoreras i plain-läge med specificerad nyckelfil.\n"
 
-#: src/cryptsetup.c:175
+#: src/cryptsetup.c:216
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "VARNING: flaggan --keyfile-size ignoreras, lässtorleken är densamma som storleken för krypteringsnyckeln.\n"
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
+#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#, c-format
+msgid "Blkid scan failed for %s."
+msgstr "Blkid-sökning misslyckades för %s."
+
+#: src/cryptsetup.c:259
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Identfierar enhetssignatur(er) på %s. Att fortsätta kan skada befintlig data."
 
-#: src/cryptsetup.c:221 src/cryptsetup.c:1040 src/cryptsetup.c:1088
-#: src/cryptsetup.c:1154 src/cryptsetup.c:1270 src/cryptsetup.c:1343
-#: src/cryptsetup.c:1994 src/integritysetup.c:187 src/utils_reencrypt.c:138
-#: src/utils_reencrypt.c:275
+#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
+#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
+#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
+#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
+#: src/utils_reencrypt.c:759
 msgid "Operation aborted.\n"
 msgstr "Åtgärd avbruten.\n"
 
-#: src/cryptsetup.c:294
+#: src/cryptsetup.c:338
 msgid "Option --key-file is required."
 msgstr "Flaggan --key-file krävs."
 
-#: src/cryptsetup.c:345
+#: src/cryptsetup.c:389
 msgid "Enter VeraCrypt PIM: "
 msgstr "Ange VeraCrypt PIM: "
 
-#: src/cryptsetup.c:354
+#: src/cryptsetup.c:398
 msgid "Invalid PIM value: parse error."
 msgstr "Ogiltigt PIM-värde:tolkningsfel."
 
-#: src/cryptsetup.c:357
+#: src/cryptsetup.c:401
 msgid "Invalid PIM value: 0."
 msgstr "Ogiltigt PIM-värde: 0."
 
-#: src/cryptsetup.c:360
+#: src/cryptsetup.c:404
 msgid "Invalid PIM value: outside of range."
 msgstr "Ogiltigt PIM-värde:utanför intervallet."
 
-#: src/cryptsetup.c:383
+#: src/cryptsetup.c:427
 msgid "No device header detected with this passphrase."
 msgstr "Inget enhetshuvud finns tillgängligt med denna lösenfras."
 
-#: src/cryptsetup.c:456 src/cryptsetup.c:632
+#: src/cryptsetup.c:500 src/cryptsetup.c:676
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Enheten %s är inte en giltig BITLK-enhet."
 
-#: src/cryptsetup.c:464
+#: src/cryptsetup.c:508
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Det går inte att avgöra volymens nyckelstorlek för BTLK, använd flaggan --key-size."
 
-#: src/cryptsetup.c:506
+#: src/cryptsetup.c:550
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1900,7 +2153,7 @@ msgstr ""
 "som tillåter åtkomst till krypterad partition utan lösenfras.\n"
 "Denna utskrift bör alltid lagras krypterad på ett säkert ställe."
 
-#: src/cryptsetup.c:573 src/cryptsetup.c:2019
+#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -1910,68 +2163,84 @@ msgstr ""
 "som tillåter åtkomst till krypterad partition utan lösenfras.\n"
 "Denna utskrift bör alltid lagras krypterad på ett säkert ställe."
 
-#: src/cryptsetup.c:664 src/veritysetup.c:321 src/integritysetup.c:400
+#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#, c-format
+msgid "Device %s is not a valid FVAULT2 device."
+msgstr "Enheten %s är inte en giltig FVULT2-enhet."
+
+#: src/cryptsetup.c:791
+msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
+msgstr "Det går inte att avgöra volymens nyckelstorlek för FAVULT2, använd flaggan --key-size."
+
+#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Enheten %s är fortfarande aktiv och schemalagd för uppskjuten borttagning.\n"
 
-#: src/cryptsetup.c:698
+#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
+#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
+#: src/cryptsetup.c:3382
+#, c-format
+msgid "Failed to set external tokens path %s."
+msgstr "Misslyckades med att sätta extern sökväg till tokens %s."
+
+#: src/cryptsetup.c:888
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Att ändra storlek på aktiv enhet kräver volymnyckel i nyckelringen, men -flaggan --disable-keyring är angiven."
 
-#: src/cryptsetup.c:845
+#: src/cryptsetup.c:1048
 msgid "Benchmark interrupted."
 msgstr "Prestandamätning avbruten."
 
-#: src/cryptsetup.c:866
+#: src/cryptsetup.c:1069
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:868
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iterationer per sekund för %zu-bitnyckel\n"
 
-#: src/cryptsetup.c:882
+#: src/cryptsetup.c:1085
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:884
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iterationer, %5u minne, %1u parallella trådar (CPU:er) för %zu-bitnyckelplats (begärde %u ms)\n"
 
-#: src/cryptsetup.c:908
+#: src/cryptsetup.c:1111
 msgid "Result of benchmark is not reliable."
 msgstr "Resultat från prestandamätningen är inte pålitligt."
 
-#: src/cryptsetup.c:958
+#: src/cryptsetup.c:1161
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Tester är ungefärliga och använder endast minne (ingen lagrings-IO).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:978
+#: src/cryptsetup.c:1186
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algoritm |       Nyckel |      Kryptering |      Avkryptering\n"
 
-#: src/cryptsetup.c:982
+#: src/cryptsetup.c:1194
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Chiffret %s (med nyckel av %i bitar) är inte tillgängligt."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1001
+#: src/cryptsetup.c:1213
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algoritm |       Nyckel |      Kryptering |      AVkryptering\n"
 
-#: src/cryptsetup.c:1012
+#: src/cryptsetup.c:1224
 msgid "N/A"
 msgstr "N/A"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1249
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -1979,27 +2248,27 @@ msgstr ""
 "Oskyddad LUKS2-omkryperingsmetadata identiferad. Vänligen verifiera att  omkryperingsåtgärden behövs (se luksDump-utdata)\n"
 "och fortsätt (uppgradera metadata) endast om du anser åtgärden som behövd."
 
-#: src/cryptsetup.c:1043
+#: src/cryptsetup.c:1255
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
-msgstr "Ange lösenfras för att skydda och uppgradera omkrypteringmetadata:"
+msgstr "Ange lösenfras för att skydda och uppgradera omkrypteringmetadata: "
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1299
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Vill du verkligen fortsätta med LUKS2-omkrypteringsåterställning?"
 
-#: src/cryptsetup.c:1096
+#: src/cryptsetup.c:1308
 msgid "Enter passphrase to verify reencryption metadata digest: "
-msgstr "Ange lösenfras för att verifiera sammandrag för metadata-omkryptering:"
+msgstr "Ange lösenfras för att verifiera sammandrag för metadata-omkryp: "
 
-#: src/cryptsetup.c:1098
+#: src/cryptsetup.c:1310
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Ange lösenfras för omkrypteringsåterhämtning: "
 
-#: src/cryptsetup.c:1153
+#: src/cryptsetup.c:1370
 msgid "Really try to repair LUKS device header?"
 msgstr "Vill du verkligen försöka att reparera LUKS-enhetshuvud?"
 
-#: src/cryptsetup.c:1177 src/integritysetup.c:89 src/integritysetup.c:238
+#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2007,7 +2276,7 @@ msgstr ""
 "\n"
 "Skrivning avbruten."
 
-#: src/cryptsetup.c:1182 src/integritysetup.c:94 src/integritysetup.c:275
+#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2015,119 +2284,156 @@ msgstr ""
 "Rensar enheten för att initialisera kontrollsumma för integritet.\n"
 "Du kan avbryta detta genom att trycka ned CTRL+c (resten av den ej rensade enheten kommer att innehålla en ogiltigt kontrollsumma).\n"
 
-#: src/cryptsetup.c:1204 src/integritysetup.c:116
+#: src/cryptsetup.c:1421 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Det går inte att inaktivera temporär enhet %s."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1476
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Flaggan för integritet kan endast användas för formatet LUKS2."
 
-#: src/cryptsetup.c:1260 src/cryptsetup.c:1320
+#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Flaggorna för storlekar på LUKS2-metadata stöds inte."
 
-#: src/cryptsetup.c:1269
+#: src/cryptsetup.c:1486
+msgid "OPAL is supported only for LUKS2 format."
+msgstr "OPAL stöds endast för formatet LUKS2."
+
+#: src/cryptsetup.c:1495
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Deklarationsfilen existerar inte, vill du skapa den?"
 
-#: src/cryptsetup.c:1277
+#: src/cryptsetup.c:1503
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Det går inte att skapa huvudfil %s."
 
-#: src/cryptsetup.c:1300 src/integritysetup.c:144 src/integritysetup.c:152
-#: src/integritysetup.c:161 src/integritysetup.c:315 src/integritysetup.c:323
-#: src/integritysetup.c:333
+#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
+#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
+#: src/integritysetup.c:329
 msgid "No known integrity specification pattern detected."
 msgstr "Inga kända integritetspecifikationsmönster identifierat."
 
-#: src/cryptsetup.c:1313
+#: src/cryptsetup.c:1539
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Det går inte att använda %s som diskhuvud."
 
-#: src/cryptsetup.c:1337 src/integritysetup.c:181
+#: src/cryptsetup.c:1568 src/integritysetup.c:168
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Detta kommer att skriva över data på %s och går inte att ångra."
 
-#: src/cryptsetup.c:1370 src/cryptsetup.c:1707 src/cryptsetup.c:1772
-#: src/cryptsetup.c:1876 src/cryptsetup.c:1942 src/utils_reencrypt_luks1.c:443
+#: src/cryptsetup.c:1605
+msgid "OPAL Admin password cannot be empty."
+msgstr "OPAL Admin-lösenordet kan inte vara tomt."
+
+#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
+#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
 msgid "Failed to set pbkdf parameters."
 msgstr "Misslyckades med att sätta pbkdf-parametrar."
 
-#: src/cryptsetup.c:1455
+#: src/cryptsetup.c:1751
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Typspecifikationen i --link-vk-to-keyring keyring-specifikationen ignoreras."
+
+#: src/cryptsetup.c:1816
+msgid "Key types have to be the same for both volume keys."
+msgstr "Tangenttyperna måste vara desamma för båda volymknapparna."
+
+#: src/cryptsetup.c:1821
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Båda volymnycklarna måste vara kopplade till samma nyckelring."
+
+#: src/cryptsetup.c:1831
+msgid "You need to supply more key names."
+msgstr "Du måste ange fler nyckelnamn."
+
+#: src/cryptsetup.c:1835
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Ogiltigt värde för --link-vk-to-keyring."
+
+#: src/cryptsetup.c:1880
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Förminskad dataoffset endast tillåtet för fristående LUKS-huvuden."
 
-#: src/cryptsetup.c:1466 src/cryptsetup.c:1778
+#: src/cryptsetup.c:1887
+#, c-format
+msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
+msgstr "LUKS file container %s är för liten för att kunna aktiveras, det finns inget kvarvarande utrymme för data."
+
+#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Det går inte att avgöra volymens nyckelstorlek för LUKS utan nyckelplatser, använd flaggen --key-size."
 
-#: src/cryptsetup.c:1512
+#: src/cryptsetup.c:1981
 msgid "Device activated but cannot make flags persistent."
 msgstr "Enheten aktiverad men kan inte spara undan flaggorna."
 
-#: src/cryptsetup.c:1591 src/cryptsetup.c:1659
+#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Nyckelplats %d markerad för borttagning."
 
-#: src/cryptsetup.c:1603 src/cryptsetup.c:1663
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Detta är sista nyckelplatsen. Enheten kommer att bli oanvändbar efter att denna nyckel tagits bort."
 
-#: src/cryptsetup.c:1604
+#: src/cryptsetup.c:2078
 msgid "Enter any remaining passphrase: "
 msgstr "Ange eventuell återstående lösenfras: "
 
-#: src/cryptsetup.c:1605 src/cryptsetup.c:1665
+#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Åtgärden avbröts, nyckelplatsen raderades INTE.\n"
 
-#: src/cryptsetup.c:1641
+#: src/cryptsetup.c:2115
 msgid "Enter passphrase to be deleted: "
 msgstr "Ange lösenfras att ta bort: "
 
-#: src/cryptsetup.c:1691 src/cryptsetup.c:1925 src/cryptsetup.c:2505
-#: src/cryptsetup.c:2649
+#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
+#: src/cryptsetup.c:3373
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Enheten %s är inte en giltig LUKS2-enhet."
 
-#: src/cryptsetup.c:1721 src/cryptsetup.c:1795 src/cryptsetup.c:1829
+#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
 msgid "Enter new passphrase for key slot: "
 msgstr "Ange ny lösenfras för nyckelplats: "
 
-#: src/cryptsetup.c:1812 src/utils_reencrypt_luks1.c:1149
+#: src/cryptsetup.c:2306
+msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
+msgstr "VARNING: parametern --key-slot används för nytt nyckelplatstal.\n"
+
+#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Ange valfri existerande lösenfras: "
 
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:2504
 msgid "Enter passphrase to be changed: "
 msgstr "Ange lösenfras att ändra: "
 
-#: src/cryptsetup.c:1896 src/utils_reencrypt_luks1.c:1135
+#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
 msgid "Enter new passphrase: "
 msgstr "Ange ny lösenfras: "
 
-#: src/cryptsetup.c:1946
+#: src/cryptsetup.c:2570
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Ange lösenfras för nyckelplats att konvertera: "
 
-#: src/cryptsetup.c:1970
+#: src/cryptsetup.c:2594
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Endast ett enhetsargument för operationen isLuks stöds."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:2702
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Nyckelplats %d innehåller inte obunden nyckel."
 
-#: src/cryptsetup.c:2083
+#: src/cryptsetup.c:2707
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2135,40 +2441,52 @@ msgstr ""
 "Utskrift av huvudet med obunden nyckel är känslig information.\n"
 "Denna utskrift bör alltid lagras krypterad på ett säkert ställe."
 
-#: src/cryptsetup.c:2169 src/cryptsetup.c:2198
+#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s är inte ett aktivt %s-enhetsnamn."
 
-#: src/cryptsetup.c:2193
+#: src/cryptsetup.c:2834
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s är inte ett aktivt LUKS-enhetsnamn eller så saknas deklaration."
 
-#: src/cryptsetup.c:2255 src/cryptsetup.c:2274
+#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
 msgid "Option --header-backup-file is required."
 msgstr "Flaggan --header-backup-file krävs."
 
-#: src/cryptsetup.c:2305
+#: src/cryptsetup.c:2962
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s är inte en cryptsetup-hanterad enhet."
 
-#: src/cryptsetup.c:2316
+#: src/cryptsetup.c:2973
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Att uppdatera stöds inte för enhetstypen %s"
 
-#: src/cryptsetup.c:2362
+#: src/cryptsetup.c:3023
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Okänd metadata för enhetstypen %s."
 
-#: src/cryptsetup.c:2364
+#: src/cryptsetup.c:3025
 msgid "Command requires device and mapped name as arguments."
 msgstr "Kommandot kräver enhet och mappat namn som argument."
 
-#: src/cryptsetup.c:2385
+#: src/cryptsetup.c:3035
+msgid "Enter OPAL PSID: "
+msgstr "Ange OPAL PSID: "
+
+#: src/cryptsetup.c:3035
+msgid "Enter OPAL Admin password: "
+msgstr "Ange lösenord för OPAL Admin: "
+
+#: src/cryptsetup.c:3043
+msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
+msgstr "VARNING: HELA disken kommer att fabriksåterställas och alla data kommer att gå förlorade! Fortsätta?"
+
+#: src/cryptsetup.c:3086
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2177,325 +2495,351 @@ msgstr ""
 "Denna åtgärd kommer att ta bort alla nyckelplatser på enhet %s.\n"
 "Enheten kommer att bli oanvändbar efter denna åtgärd."
 
-#: src/cryptsetup.c:2392
+#: src/cryptsetup.c:3093
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Åtgärden avbryten, nyckelplatser raderades EJ.\n"
 
-#: src/cryptsetup.c:2431
+#: src/cryptsetup.c:3132
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Ogiltig LUKS-typ, endast luks1 och luks2 stöds."
 
-#: src/cryptsetup.c:2447
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Device is already %s type."
 msgstr "Enheten är redan av %s-typ."
 
-#: src/cryptsetup.c:2454
+#: src/cryptsetup.c:3155
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Denna åtgärd kommer att konvertera %s till %s-format.\n"
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:3158
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Åtgärden avbröts, enheten konverterades INTE.\n"
 
-#: src/cryptsetup.c:2497
+#: src/cryptsetup.c:3198
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Saknar flaggan --priority, --label eller --subsystem."
 
-#: src/cryptsetup.c:2531 src/cryptsetup.c:2568 src/cryptsetup.c:2588
+#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d är ogiltig."
 
-#: src/cryptsetup.c:2534 src/cryptsetup.c:2591
+#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d används."
 
-#: src/cryptsetup.c:2546
+#: src/cryptsetup.c:3247
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Misslyckades med att lägga till luks2-nyckelringsstoken %d."
 
-#: src/cryptsetup.c:2554 src/cryptsetup.c:2617
+#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Misslyckades med att tilldela token %d till nyckelplats %d."
 
-#: src/cryptsetup.c:2571
+#: src/cryptsetup.c:3275
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d används ej."
 
-#: src/cryptsetup.c:2608
+#: src/cryptsetup.c:3312
 msgid "Failed to import token from file."
 msgstr "Misslyckades med att importera token från fil."
 
-#: src/cryptsetup.c:2633
+#: src/cryptsetup.c:3337
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Misslyckades med att hämta token %d för export."
 
-#: src/cryptsetup.c:2682
+#: src/cryptsetup.c:3350
+#, c-format
+msgid "Token %d is not assigned to keyslot %d."
+msgstr "Token %d är inte tilldelad till nyckelplats %d."
+
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#, c-format
+msgid "Failed to unassign token %d from keyslot %d."
+msgstr "Misslyckades med att ta bort tilldelningen av token %d från nyckelplats %d."
+
+#: src/cryptsetup.c:3418
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Flaggorna --tcrypt-hidden, --tcrypt-system eller --tcrypt-backup stöds endast på TCRYPT-enhet."
 
-#: src/cryptsetup.c:2685
+#: src/cryptsetup.c:3421
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Flaggan --veracrypt eller --disable-veracrypt stöds endast för TCRYPT-enhetstyper."
 
-#: src/cryptsetup.c:2688
+#: src/cryptsetup.c:3424
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Flaggan --veracrypt-pim stöds endast för VeraCrypt-kompatibla enheter."
 
-#: src/cryptsetup.c:2692
+#: src/cryptsetup.c:3428
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Flaggan --veracrypt-query-pim stöds endast för VeraCrypt-kompatibla enheter."
 
-#: src/cryptsetup.c:2694
+#: src/cryptsetup.c:3430
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Flaggorna --veracrypt-pim och --veracrypt-query-pim är ömsesidigt uteslutande."
 
-#: src/cryptsetup.c:2703
+#: src/cryptsetup.c:3439
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Flaggan --persistent är ej tillåtet med --test-passphrase."
 
-#: src/cryptsetup.c:2706
+#: src/cryptsetup.c:3442
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Flaggorna --refresh och --test-passphrase är ömsesidigt uteslutande."
 
-#: src/cryptsetup.c:2709
+#: src/cryptsetup.c:3445
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Flaggan --shared är endast tillåten för öppning av plain-enhet."
 
-#: src/cryptsetup.c:2712
+#: src/cryptsetup.c:3448
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Flaggan --skip stöds endast för öppning av plain-enheter och loopaes-enheter."
 
-#: src/cryptsetup.c:2715
+#: src/cryptsetup.c:3451
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Flaggan --offset med åtgärden öppna stöds endast för öppning av plain-enheter och loopaes-enheter."
 
-#: src/cryptsetup.c:2718
+#: src/cryptsetup.c:3454
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Flaggan --tcrypt-hidden kan inte kombineras med --allow-discards."
 
-#: src/cryptsetup.c:2722
+#: src/cryptsetup.c:3458
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Flaggan för sektorstorlek med åtgärden öppna stöds endast för plain-enheter."
 
-#: src/cryptsetup.c:2726
+#: src/cryptsetup.c:3462
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Flaggan för stora IV-sektorer stöds endast för att öppna enheter av plain-typ med sektorstorlek större än 512 byte."
 
-#: src/cryptsetup.c:2730
-msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices."
-msgstr "Flaggan --test-passphrase är endast tillåten för open för LUKS-, TCRYPT-, och BITLK-enheter."
+#: src/cryptsetup.c:3467
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
+msgstr "Flaggan --test-passphrase är endast tillåten för open för LUKS-, TCRYPT-, BITLK- och FVAULT2-enheter."
 
-#: src/cryptsetup.c:2733 src/cryptsetup.c:2756
+#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Flaggan  --device-size och --size kan inte kombineras."
 
-#: src/cryptsetup.c:2736
+#: src/cryptsetup.c:3473
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Flaggan --unbound är endast tillåten för öppning av luks-enhet."
 
-#: src/cryptsetup.c:2739
+#: src/cryptsetup.c:3476
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Flaggan --unbound kan inte användas utan --test-passphrase."
 
-#: src/cryptsetup.c:2748 src/veritysetup.c:664 src/integritysetup.c:755
+#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Flaggorna --cancel-deferred och --deferred går inte att använda samtidigt."
 
-#: src/cryptsetup.c:2764
-msgid "Options --reduce-device-size and --data-size cannot be combined."
-msgstr "Flaggan  --reduce-device-size och --data-size kan inte kombineras."
+#: src/cryptsetup.c:3501
+msgid "Options --reduce-device-size and --device-size cannot be combined."
+msgstr "Flaggan --reduce-device-size och --data-size kan inte kombineras."
 
-#: src/cryptsetup.c:2767
+#: src/cryptsetup.c:3504
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Flaggan --active-name kan endast anges för LUKS2-enheter."
 
-#: src/cryptsetup.c:2770
+#: src/cryptsetup.c:3507
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Flaggan --active-name och --force-offline-reencrypt kan inte kombineras."
 
-#: src/cryptsetup.c:2778 src/cryptsetup.c:2808
+#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
 msgid "Keyslot specification is required."
 msgstr "Specifikation för nyckelplats krävs."
 
-#: src/cryptsetup.c:2786
+#: src/cryptsetup.c:3523
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Flaggan --align-payload och --offset kan inte kombineras."
 
-#: src/cryptsetup.c:2789
+#: src/cryptsetup.c:3526
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Flaggan --integrity-no-wipe kan endast användas för åtgärden formatera med integritetsutökningar."
 
-#: src/cryptsetup.c:2792
+#: src/cryptsetup.c:3529
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Endast en av flaggorna --use-[u]random är tillåten."
 
-#: src/cryptsetup.c:2800
+#: src/cryptsetup.c:3537
 msgid "Key size is required with --unbound option."
 msgstr "Nyckelstorlek krävs med flaggan --unbound."
 
-#: src/cryptsetup.c:2819
+#: src/cryptsetup.c:3557
 msgid "Invalid token action."
 msgstr "Ogiltig tokenåtgärd."
 
-#: src/cryptsetup.c:2822
+#: src/cryptsetup.c:3560
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "parametern --key-description krävs för åtgärden lägg till token."
 
-#: src/cryptsetup.c:2826
+#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Åtgärden kräver specifik token. Använd parametern --token-id."
 
-#: src/cryptsetup.c:2840
+#: src/cryptsetup.c:3568
+msgid "Option --unbound is valid only with token add action."
+msgstr "Flaggan --unbound kan endast användas tillsammans med åtgärden att lägga till token."
+
+#: src/cryptsetup.c:3570
+msgid "Options --key-slot and --unbound cannot be combined."
+msgstr "Flaggan --key-slot och --unbound kan inte kombineras."
+
+#: src/cryptsetup.c:3575
+msgid "Action requires specific keyslot. Use --key-slot parameter."
+msgstr "Åtgärden kräver specifik nyckelplats. Använd parametern --key-slot."
+
+#: src/cryptsetup.c:3591
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<enhet> [--type <typ>] [<namn>]"
 
-#: src/cryptsetup.c:2840 src/veritysetup.c:487 src/integritysetup.c:535
+#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
 msgid "open device as <name>"
 msgstr "öppna enhet som <namn>"
 
-#: src/cryptsetup.c:2841 src/cryptsetup.c:2842 src/cryptsetup.c:2843
-#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:536
-#: src/integritysetup.c:537 src/integritysetup.c:539
+#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
+#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
+#: src/integritysetup.c:533 src/integritysetup.c:535
 msgid "<name>"
 msgstr "<namn>"
 
-#: src/cryptsetup.c:2841 src/veritysetup.c:488 src/integritysetup.c:536
+#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
 msgid "close device (remove mapping)"
 msgstr "stäng enhet (ta bort mappning)"
 
-#: src/cryptsetup.c:2842 src/integritysetup.c:539
+#: src/cryptsetup.c:3593 src/integritysetup.c:535
 msgid "resize active device"
 msgstr "ändra storlek på aktiv enhet"
 
-#: src/cryptsetup.c:2843
+#: src/cryptsetup.c:3594
 msgid "show device status"
 msgstr "visa enhetsstatus"
 
-#: src/cryptsetup.c:2844
+#: src/cryptsetup.c:3595
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <chiffer>]"
 
-#: src/cryptsetup.c:2844
+#: src/cryptsetup.c:3595
 msgid "benchmark cipher"
 msgstr "prestandamät chiffer"
 
-#: src/cryptsetup.c:2845 src/cryptsetup.c:2846 src/cryptsetup.c:2847
-#: src/cryptsetup.c:2848 src/cryptsetup.c:2849 src/cryptsetup.c:2856
-#: src/cryptsetup.c:2857 src/cryptsetup.c:2858 src/cryptsetup.c:2859
-#: src/cryptsetup.c:2860 src/cryptsetup.c:2861 src/cryptsetup.c:2862
-#: src/cryptsetup.c:2863 src/cryptsetup.c:2864
+#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
+#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
+#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
+#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
+#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
 msgid "<device>"
 msgstr "<enhet>"
 
-#: src/cryptsetup.c:2845
+#: src/cryptsetup.c:3596
 msgid "try to repair on-disk metadata"
 msgstr "försök att reparera metadata på disken"
 
-#: src/cryptsetup.c:2846
+#: src/cryptsetup.c:3597
 msgid "reencrypt LUKS2 device"
 msgstr "omkryptering av LUKS2-enhet"
 
-#: src/cryptsetup.c:2847
+#: src/cryptsetup.c:3598
 msgid "erase all keyslots (remove encryption key)"
 msgstr "ta bort alla nyckelplatser (ta bort krypteringsnyckeln)"
 
-#: src/cryptsetup.c:2848
+#: src/cryptsetup.c:3599
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "konvertera LUKS från/till LUKS2-format"
 
-#: src/cryptsetup.c:2849
+#: src/cryptsetup.c:3600
 msgid "set permanent configuration options for LUKS2"
 msgstr "ange permanenta konfigurationsflaggor för LUKS2"
 
-#: src/cryptsetup.c:2850 src/cryptsetup.c:2851
+#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
 msgid "<device> [<new key file>]"
 msgstr "<enhet> [<ny nyckelfil>]"
 
-#: src/cryptsetup.c:2850
+#: src/cryptsetup.c:3601
 msgid "formats a LUKS device"
 msgstr "formaterar en LUKS-enhet"
 
-#: src/cryptsetup.c:2851
+#: src/cryptsetup.c:3602
 msgid "add key to LUKS device"
 msgstr "lägg till nyckel till LUKS-enhet"
 
-#: src/cryptsetup.c:2852 src/cryptsetup.c:2853 src/cryptsetup.c:2854
+#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
 msgid "<device> [<key file>]"
 msgstr "<enhet> [<nyckelfil>]"
 
-#: src/cryptsetup.c:2852
+#: src/cryptsetup.c:3603
 msgid "removes supplied key or key file from LUKS device"
 msgstr "tar bort angiven nyckel eller nyckelfil från LUKS-enhet"
 
-#: src/cryptsetup.c:2853
+#: src/cryptsetup.c:3604
 msgid "changes supplied key or key file of LUKS device"
 msgstr "ändrar angiven nyckel eller nyckelfil för LUKS-enhet"
 
-#: src/cryptsetup.c:2854
+#: src/cryptsetup.c:3605
 msgid "converts a key to new pbkdf parameters"
 msgstr "konverterar en nyckel till nya pbkdf-parametrar"
 
-#: src/cryptsetup.c:2855
+#: src/cryptsetup.c:3606
 msgid "<device> <key slot>"
 msgstr "<enhet> <nyckelplats>"
 
-#: src/cryptsetup.c:2855
+#: src/cryptsetup.c:3606
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "rensar nyckeln med nummer <nyckelplats> från LUKS-enhet"
 
-#: src/cryptsetup.c:2856
+#: src/cryptsetup.c:3607
 msgid "print UUID of LUKS device"
 msgstr "skriv ut UUID för LUKS-enhet"
 
-#: src/cryptsetup.c:2857
+#: src/cryptsetup.c:3608
 msgid "tests <device> for LUKS partition header"
 msgstr "testar <enhet> för LUKS-partitionshuvud"
 
-#: src/cryptsetup.c:2858
+#: src/cryptsetup.c:3609
 msgid "dump LUKS partition information"
 msgstr "skriver ut information om LUKS-partition"
 
-#: src/cryptsetup.c:2859
+#: src/cryptsetup.c:3610
 msgid "dump TCRYPT device information"
 msgstr "skriver ut information om TCRYPT-partition"
 
-#: src/cryptsetup.c:2860
+#: src/cryptsetup.c:3611
 msgid "dump BITLK device information"
 msgstr "skriv ut BITLK-enhetsinformation"
 
-#: src/cryptsetup.c:2861
+#: src/cryptsetup.c:3612
+msgid "dump FVAULT2 device information"
+msgstr "skriv ut FVAULT2-enhetsinformation"
+
+#: src/cryptsetup.c:3613
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Försätt LUKS-enhet i vänteläge och rensa nyckel (alla in-/ut-åtgärder är frusna)"
 
-#: src/cryptsetup.c:2862
+#: src/cryptsetup.c:3614
 msgid "Resume suspended LUKS device"
 msgstr "Återuppta LUKS-enhet i vänteläge"
 
-#: src/cryptsetup.c:2863
+#: src/cryptsetup.c:3615
 msgid "Backup LUKS device header and keyslots"
 msgstr "Säkerhetskopiera huvud och nyckelplatser från LUKS-enhet"
 
-#: src/cryptsetup.c:2864
+#: src/cryptsetup.c:3616
 msgid "Restore LUKS device header and keyslots"
 msgstr "Återställ huvud och nyckelplatser för LUKS-enhet"
 
-#: src/cryptsetup.c:2865
+#: src/cryptsetup.c:3617
 msgid "<add|remove|import|export> <device>"
 msgstr "<läggtill|tabort|importera|exportera> <enhet>"
 
-#: src/cryptsetup.c:2865
+#: src/cryptsetup.c:3617
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipulera LUKS2-token"
 
-#: src/cryptsetup.c:2884 src/veritysetup.c:505 src/integritysetup.c:554
+#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2503,19 +2847,19 @@ msgstr ""
 "\n"
 "<åtgärd> är en av:\n"
 
-#: src/cryptsetup.c:2890
+#: src/cryptsetup.c:3642
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 msgstr ""
 "\n"
-"Du kan också använda gamla <åtgärd> syntaxalias:\n"
+"Du kan också använda gamla <action> syntaxalias:\n"
 "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
 "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkOpen\n"
 
-#: src/cryptsetup.c:2894
+#: src/cryptsetup.c:3646
 #, c-format
 msgid ""
 "\n"
@@ -2530,7 +2874,7 @@ msgstr ""
 "<nyckelplats> är numret för LUKS-nyckelplatsen att ändra\n"
 "<nyckelfil> valfri nyckelfil för den nya nyckeln för luksAddKey-åtgärden\n"
 
-#: src/cryptsetup.c:2901
+#: src/cryptsetup.c:3653
 #, c-format
 msgid ""
 "\n"
@@ -2539,29 +2883,28 @@ msgstr ""
 "\n"
 "Inkompilerat standardmetadataformat är %s (för luksFormat-åtgärd).\n"
 
-#: src/cryptsetup.c:2906 src/cryptsetup.c:2909
-#, c-format
+#: src/cryptsetup.c:3658
 msgid ""
 "\n"
-"LUKS2 external token plugin support is %s.\n"
+"LUKS2 external token plugin support is enabled.\n"
 msgstr ""
 "\n"
-"Stöd för externa LUKS2-insticksmoduler är %s.\n"
+"Stödet för externa LUKS2-insticksmoduler är aktiverat.\n"
 
-#: src/cryptsetup.c:2906
-msgid "compiled-in"
-msgstr "inkompilerad"
-
-#: src/cryptsetup.c:2907
+#: src/cryptsetup.c:3659
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Sökväg för externa LUKS2-insticksmoduler är %s.\n"
 
-#: src/cryptsetup.c:2909
-msgid "disabled"
-msgstr "inaktiverad"
+#: src/cryptsetup.c:3661
+msgid ""
+"\n"
+"LUKS2 external token plugin support is disabled.\n"
+msgstr ""
+"\n"
+"Stödet för externa LUKS2-insticksmoduler är inaktiverat.\n"
 
-#: src/cryptsetup.c:2913
+#: src/cryptsetup.c:3665
 #, c-format
 msgid ""
 "\n"
@@ -2578,7 +2921,7 @@ msgstr ""
 "Standard-PBKDF för LUKS2: %s\n"
 "\tIterationstid: %d, Minne: %dkB, Parallella trådar: %d\n"
 
-#: src/cryptsetup.c:2924
+#: src/cryptsetup.c:3676
 #, c-format
 msgid ""
 "\n"
@@ -2593,189 +2936,203 @@ msgstr ""
 "\tplain: %s, Nyckel: %d bitar, Lösenordshashning: %s\n"
 "\tLUKS1: %s, Nyckel: %d bitar, LUKS-huvudhashning %s, RNG: %s\n"
 
-#: src/cryptsetup.c:2933
+#: src/cryptsetup.c:3685
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Standardnyckelstorlek med XTS-läge (två interna nycklar) kommer att dubbleras.\n"
 
-#: src/cryptsetup.c:2951 src/veritysetup.c:644 src/integritysetup.c:711
+#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: kräver %s som argument"
 
-#: src/cryptsetup.c:2997 src/utils_reencrypt_luks1.c:1194
+#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
 msgid "Key slot is invalid."
 msgstr "Nyckelplatsen är ogiltig."
 
-#: src/cryptsetup.c:3024
+#: src/cryptsetup.c:3771
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Enhetsstorlek måste vara en multipel av sektor på 512-byte."
 
-#: src/cryptsetup.c:3029
+#: src/cryptsetup.c:3776
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Ogiltig högsta storlekspecifikation för varm zon-omkryptering."
 
-#: src/cryptsetup.c:3043 src/cryptsetup.c:3055
+#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Nyckelstorlek måste vara en multipel av 8 bitar"
 
-#: src/cryptsetup.c:3060
+#: src/cryptsetup.c:3809
+#, c-format
+msgid "At most %d volume key specifications can be supplied."
+msgstr "Högst %d specifikationer för volymnycklar kan anges."
+
+#: src/cryptsetup.c:3821
+#, c-format
+msgid "At most %d keyring link specifications can be supplied."
+msgstr "Högst %d specifikationer för nyckelringslänkar kan anges."
+
+#: src/cryptsetup.c:3830
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Högsta förminskningsstorlek för enhet är 1 GiB."
 
-#: src/cryptsetup.c:3063
+#: src/cryptsetup.c:3833
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Minskningsstorlek måste vara en multipel av 512-bytesektor."
 
-#: src/cryptsetup.c:3080
+#: src/cryptsetup.c:3850
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Flaggan --priority kan endast vara ignore/normal/prefer."
 
-#: src/cryptsetup.c:3099 src/veritysetup.c:568 src/integritysetup.c:634
+#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
 msgid "Show this help message"
 msgstr "Visa detta hjälpmeddelande"
 
-#: src/cryptsetup.c:3100 src/veritysetup.c:569 src/integritysetup.c:635
+#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
 msgid "Display brief usage"
 msgstr "Visa kort information om användning"
 
-#: src/cryptsetup.c:3101 src/veritysetup.c:570 src/integritysetup.c:636
+#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
 msgid "Print package version"
 msgstr "Skriv ut paketversion"
 
-#: src/cryptsetup.c:3112 src/veritysetup.c:581 src/integritysetup.c:647
+#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
 msgid "Help options:"
 msgstr "Hjälpflaggor:"
 
-#: src/cryptsetup.c:3132 src/veritysetup.c:599 src/integritysetup.c:664
+#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[FLAGGA…] <åtgärd> <åtgärdsspecifik>"
 
-#: src/cryptsetup.c:3141 src/veritysetup.c:608 src/integritysetup.c:675
+#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
 msgid "Argument <action> missing."
 msgstr "Argumentet <åtgärd> saknas."
 
-#: src/cryptsetup.c:3211 src/veritysetup.c:639 src/integritysetup.c:706
+#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
 msgid "Unknown action."
 msgstr "Okänd åtgärd."
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:4011
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Flaggan --key-file åsidosätter specificerade nyckelfilsargument."
 
-#: src/cryptsetup.c:3235
+#: src/cryptsetup.c:4017
 msgid "Only one --key-file argument is allowed."
 msgstr "Endast ett argument för --key-file är tillåtet."
 
-#: src/cryptsetup.c:3240
+#: src/cryptsetup.c:4022
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Password-based key derivation function (PBKDF) kan endast vara pbkdf2 eller argon2i/argon2id."
 
-#: src/cryptsetup.c:3245
+#: src/cryptsetup.c:4027
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Tvingade PBKDF-iterationer går inte att kombinera med flaggan iteration time."
 
-#: src/cryptsetup.c:3256
+#: src/cryptsetup.c:4032
+msgid "Cannot link volume key to a keyring when keyring is disabled."
+msgstr "Det går inte att länka volymnyckeln till en nyckelring när nyckelringen är inaktiverad."
+
+#: src/cryptsetup.c:4043
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Flaggorna --keyslot-cipher och --keyslot-key-size måste användas tillsammans."
 
-#: src/cryptsetup.c:3264
+#: src/cryptsetup.c:4051
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Ingen åtgärd utfördes. Startades med flaggan --test-args\n"
 
-#: src/cryptsetup.c:3277
+#: src/cryptsetup.c:4064
 msgid "Cannot disable metadata locking."
 msgstr "Det går inte att inaktivera metadatalås."
 
-#: src/veritysetup.c:54
+#: src/veritysetup.c:41
 msgid "Invalid salt string specified."
 msgstr "Angav ogiltig saltsträng."
 
-#: src/veritysetup.c:87
+#: src/veritysetup.c:74
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Kan inte skapa hashavbild %s för skrivning."
 
-#: src/veritysetup.c:97
+#: src/veritysetup.c:84
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Det går inte att skapa FEC-avbild %s för skrivning."
 
-#: src/veritysetup.c:136
+#: src/veritysetup.c:123
 #, c-format
 msgid "Cannot create root hash file %s for writing."
 msgstr "Kan inte skapa root-hashfil %s för skrivning."
 
-#: src/veritysetup.c:143
+#: src/veritysetup.c:130
 #, c-format
 msgid "Cannot write to root hash file %s."
 msgstr "Det går inte att skriva till root-hash-filen %s."
 
-#: src/veritysetup.c:196 src/veritysetup.c:472
+#: src/veritysetup.c:185 src/veritysetup.c:463
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Enheten %s är inte en giltig VERITY-enhet."
 
-#: src/veritysetup.c:213 src/veritysetup.c:230
+#: src/veritysetup.c:202 src/veritysetup.c:219
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Det går inte att läsa rot-hash-filen %s."
 
-#: src/veritysetup.c:218
+#: src/veritysetup.c:207
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Ogiltig rothashsträng %s."
 
-#: src/veritysetup.c:239
+#: src/veritysetup.c:228
 msgid "Invalid root hash string specified."
 msgstr "Angav ogiltig rothashsträng."
 
-#: src/veritysetup.c:247
+#: src/veritysetup.c:236
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Ogiltig signaturfil %s."
 
-#: src/veritysetup.c:254
+#: src/veritysetup.c:243
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Det går inte att läsa signaturfilen %s."
 
-#: src/veritysetup.c:277 src/veritysetup.c:291
+#: src/veritysetup.c:266 src/veritysetup.c:280
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Kommandot kräver <root-hash> eller flaggan --root-hash-file som argument."
 
-#: src/veritysetup.c:485
+#: src/veritysetup.c:476
 msgid "<data_device> <hash_device>"
 msgstr "<dataenhet> <hashenhet>"
 
-#: src/veritysetup.c:485 src/integritysetup.c:534
+#: src/veritysetup.c:476 src/integritysetup.c:530
 msgid "format device"
 msgstr "formatera enhet"
 
-#: src/veritysetup.c:486
+#: src/veritysetup.c:477
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<dataenhet> <hashenhet> <root_hash>"
 
-#: src/veritysetup.c:486
+#: src/veritysetup.c:477
 msgid "verify device"
 msgstr "verifiera enhet"
 
-#: src/veritysetup.c:487
+#: src/veritysetup.c:478
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<dataenhet> <namn> <hashenhet> [<root_hash>]"
 
-#: src/veritysetup.c:489 src/integritysetup.c:537
+#: src/veritysetup.c:480 src/integritysetup.c:533
 msgid "show active device status"
 msgstr "visa statistik för aktiv enhet"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:481
 msgid "<hash_device>"
 msgstr "<hash_enhet>"
 
-#: src/veritysetup.c:490 src/integritysetup.c:538
+#: src/veritysetup.c:481 src/integritysetup.c:534
 msgid "show on-disk information"
 msgstr "visa information från disk"
 
-#: src/veritysetup.c:509
+#: src/veritysetup.c:500
 #, c-format
 msgid ""
 "\n"
@@ -2790,7 +3147,7 @@ msgstr ""
 "<hashenhet> är enheten som innehåller verifieringsdata\n"
 "<rothash> hash för rotnoden på <hashenhet>\n"
 
-#: src/veritysetup.c:516
+#: src/veritysetup.c:507
 #, c-format
 msgid ""
 "\n"
@@ -2801,46 +3158,46 @@ msgstr ""
 "Inkompilerade standardparametrar för dm-verity:\n"
 "\tHash: %s, Datablock (byte): %u, Hashblock (byte): %u, Saltstorlek: %u, Hashformat: %u\n"
 
-#: src/veritysetup.c:654
+#: src/veritysetup.c:648
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Flaggorna --ignore-corruption och --restart-on-corruption kan inte användas tillsammans."
 
-#: src/veritysetup.c:659
+#: src/veritysetup.c:653
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Det går inte att använda flaggorna --panic-on-corruption och --restart-on-corruption tillsammans."
 
-#: src/integritysetup.c:177
+#: src/integritysetup.c:164
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
 "To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
 msgstr ""
 "Det här kommer oåterkalligen tatt skriva över data på %s och %s.\n"
-"För att bevara dataenheten använd flaggan --no-wipe (och aktivera sedan med --integrity-recalculate).:w "
+"För att bevara dataenheten använd flaggan --no-wipe (och aktivera sedan med --integrity-recalculate)."
 
-#: src/integritysetup.c:212
+#: src/integritysetup.c:204
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formaterad med taggstorlek %u, intern integritet %s.\n"
 
-#: src/integritysetup.c:289
+#: src/integritysetup.c:285
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Att sätta flaggan för att räkna om stöds ej, överväg att använda --wipe istället."
 
-#: src/integritysetup.c:364 src/integritysetup.c:521
+#: src/integritysetup.c:360 src/integritysetup.c:517
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Enheten %s är inte en giltig INTEGRITY-enhet."
 
-#: src/integritysetup.c:534 src/integritysetup.c:538
+#: src/integritysetup.c:530 src/integritysetup.c:534
 msgid "<integrity_device>"
 msgstr "<integrity_enhet>"
 
-#: src/integritysetup.c:535
+#: src/integritysetup.c:531
 msgid "<integrity_device> <name>"
 msgstr "<integritet_enhet> <namn>"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:554
 #, c-format
 msgid ""
 "\n"
@@ -2851,7 +3208,7 @@ msgstr ""
 "<namn> är enheten att skapa under %s\n"
 "<integritetsenhet> är enheten som innehåller data med integritetstaggar\n"
 
-#: src/integritysetup.c:563
+#: src/integritysetup.c:559
 #, c-format
 msgid ""
 "\n"
@@ -2865,44 +3222,44 @@ msgstr ""
 "\tMaximal nyckelfilstorlek: %dkB\n"
 "\n"
 
-#: src/integritysetup.c:620
+#: src/integritysetup.c:616
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Ogiltig --%s-storlek. Maximal storlek är %u byte."
 
-#: src/integritysetup.c:720
+#: src/integritysetup.c:719
 msgid "Both key file and key size options must be specified."
 msgstr "Både flaggor för nyckelfil och nyckelstorlek måste specifiiceras."
 
-#: src/integritysetup.c:724
+#: src/integritysetup.c:723
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Både flaggor för nyckelfil för journalintegritet och nyckelstorlek måste specificeras."
 
-#: src/integritysetup.c:727
+#: src/integritysetup.c:726
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Integritetsalgoritm för journal måste anges om integritetsnyckel för journal används."
 
-#: src/integritysetup.c:731
+#: src/integritysetup.c:730
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Både flaggor för nyckelfil för journalkryptering och nyckelstorlek måste specificeras."
 
-#: src/integritysetup.c:734
+#: src/integritysetup.c:733
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Krypteringsalgoritm för journal måste anges om integritetsnyckel för journal används."
 
-#: src/integritysetup.c:738
+#: src/integritysetup.c:737
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Flaggorna för återställning- och bitmap-läge är ömsesidigt uteslutande."
 
-#: src/integritysetup.c:745
+#: src/integritysetup.c:744
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Det går inte att använda journalflaggor i bitmap-läge."
 
-#: src/integritysetup.c:750
+#: src/integritysetup.c:749
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Flaggan för integritet kan endast användas i bitmap-läge."
 
-#: src/utils_tools.c:118
+#: src/utils_tools.c:105
 msgid ""
 "\n"
 "WARNING!\n"
@@ -2913,7 +3270,7 @@ msgstr ""
 "========\n"
 
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:120
+#: src/utils_tools.c:107
 #, c-format
 msgid ""
 "%s\n"
@@ -2924,152 +3281,152 @@ msgstr ""
 "\n"
 "Är du säker (Ange 'yes' i versaler): "
 
-#: src/utils_tools.c:126
+#: src/utils_tools.c:113
 msgid "Error reading response from terminal."
 msgstr "Fel vid läsning av svar från terminal."
 
-#: src/utils_tools.c:158
+#: src/utils_tools.c:145
 msgid "Command successful."
 msgstr "Kommandot lyckades."
 
-#: src/utils_tools.c:166
+#: src/utils_tools.c:153
 msgid "wrong or missing parameters"
 msgstr "fel eller saknar parametrar"
 
-#: src/utils_tools.c:168
+#: src/utils_tools.c:155
 msgid "no permission or bad passphrase"
 msgstr "ingen behörighet eller dålig lösenfras"
 
-#: src/utils_tools.c:170
+#: src/utils_tools.c:157
 msgid "out of memory"
 msgstr "slut på minne"
 
-#: src/utils_tools.c:172
+#: src/utils_tools.c:159
 msgid "wrong device or file specified"
 msgstr "angav fel enhet eller fil"
 
-#: src/utils_tools.c:174
+#: src/utils_tools.c:161
 msgid "device already exists or device is busy"
 msgstr "enheten existerar redan eller så är enheten upptagen"
 
-#: src/utils_tools.c:176
+#: src/utils_tools.c:163
 msgid "unknown error"
 msgstr "okänt fel"
 
-#: src/utils_tools.c:178
+#: src/utils_tools.c:165
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr "Kommandot misslyckades med kod %i (%s)."
 
-#: src/utils_tools.c:256
+#: src/utils_tools.c:243
 #, c-format
 msgid "Key slot %i created."
 msgstr "Nyckelplats %i är ändrad."
 
-#: src/utils_tools.c:258
+#: src/utils_tools.c:245
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr "Nyckelplats %i är upplåst."
 
-#: src/utils_tools.c:260
+#: src/utils_tools.c:247
 #, c-format
 msgid "Key slot %i removed."
 msgstr "Nyckelplats %i är upplåst."
 
-#: src/utils_tools.c:269
+#: src/utils_tools.c:256
 #, c-format
 msgid "Token %i created."
 msgstr "Token %i används."
 
-#: src/utils_tools.c:271
+#: src/utils_tools.c:258
 #, c-format
 msgid "Token %i removed."
 msgstr "Token %i används."
 
-#: src/utils_tools.c:281
+#: src/utils_tools.c:268
 msgid "No token could be unlocked with this PIN."
 msgstr "Ingen token kunde låsas upp med denna PIN."
 
-#: src/utils_tools.c:283
+#: src/utils_tools.c:270
 #, c-format
 msgid "Token %i requires PIN."
 msgstr "Token %i kräver PIN."
 
-#: src/utils_tools.c:285
+#: src/utils_tools.c:272
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr "Token (type %s) kräver PIN."
 
-#: src/utils_tools.c:288
+#: src/utils_tools.c:275
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Token %i kan inte låsa upp tilldelade nyckelplatser (felaktigt lösenord)."
 
-#: src/utils_tools.c:290
+#: src/utils_tools.c:277
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr "Token (typ %s) kan inte låsa upp tilldelade nyckelplatser (felaktigt lösenord)."
 
-#: src/utils_tools.c:293
+#: src/utils_tools.c:280
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr "Token %i kräver en saknad resurs."
 
-#: src/utils_tools.c:295
+#: src/utils_tools.c:282
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr "Token (typ %s) kräver en saknad resurs."
 
-#: src/utils_tools.c:298
+#: src/utils_tools.c:285
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr "Ingen användbar token (typ %s) tillgänglig."
 
-#: src/utils_tools.c:300
+#: src/utils_tools.c:287
 msgid "No usable token is available."
 msgstr "Ingen användbar token tillgänglig."
 
-#: src/utils_tools.c:393
+#: src/utils_tools.c:380
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr "Det går inte att läsa nyckelfilen %s."
 
-#: src/utils_tools.c:398
+#: src/utils_tools.c:385
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Det går inte att läsa %d byte från nyckelfilen %s."
 
-#: src/utils_tools.c:423
+#: src/utils_tools.c:410
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "Det går inte att öppna nyckelfilen %s för skrivning."
 
-#: src/utils_tools.c:430
+#: src/utils_tools.c:417
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "Det går inte att skriva till nyckelfilen %s."
 
-#: src/utils_progress.c:74
+#: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>m%02<PRIu64>s"
 
-#: src/utils_progress.c:76
+#: src/utils_progress.c:63
 #, c-format
 msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
 msgstr "%02<PRIu64>t%02<PRIu64>m%02<PRIu64>s"
 
-#: src/utils_progress.c:78
+#: src/utils_progress.c:65
 #, c-format
 msgid "%02<PRIu64> days"
 msgstr "%02<PRIu64> dagar"
 
-#: src/utils_progress.c:105 src/utils_progress.c:138
+#: src/utils_progress.c:92 src/utils_progress.c:125
 #, c-format
 msgid "%4<PRIu64> %s written"
 msgstr "skrev %4<PRIu64> %s"
 
-#: src/utils_progress.c:109 src/utils_progress.c:142
+#: src/utils_progress.c:96 src/utils_progress.c:129
 #, c-format
 msgid "speed %5.1f %s/s"
 msgstr "hastighet %5.1f %s/s"
@@ -3078,7 +3435,7 @@ msgstr "hastighet %5.1f %s/s"
 #. to get translated as well. 'eol' is always new-line or empty.
 #. See above.
 #.
-#: src/utils_progress.c:118
+#: src/utils_progress.c:105
 #, c-format
 msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
 msgstr "Förlopp: %5.1f%%, ETA %s, %s, %s%s"
@@ -3086,17 +3443,17 @@ msgstr "Förlopp: %5.1f%%, ETA %s, %s, %s%s"
 #. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
 #. to get translated as well. See above
 #.
-#: src/utils_progress.c:150
+#: src/utils_progress.c:137
 #, c-format
 msgid "Finished, time %s, %s, %s\n"
 msgstr "Avslutad, tid %s, %s, %s\n"
 
-#: src/utils_password.c:41 src/utils_password.c:74
+#: src/utils_password.c:28 src/utils_password.c:59
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr "Det går inte att kontrollera lösenordskvalitet: %s"
 
-#: src/utils_password.c:49
+#: src/utils_password.c:36
 #, c-format
 msgid ""
 "Password quality check failed:\n"
@@ -3105,63 +3462,63 @@ msgstr ""
 "Misslyckades med kvalitetskontroll av lösenord:\n"
 "%s"
 
-#: src/utils_password.c:81
+#: src/utils_password.c:66
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Misslyckades med kvalitetskontroll av lösenord: Dålig lösenfras (%s)"
 
-#: src/utils_password.c:231 src/utils_password.c:245
+#: src/utils_password.c:221 src/utils_password.c:235
 msgid "Error reading passphrase from terminal."
 msgstr "Fel vid läsning av lösenfras från terminal."
 
-#: src/utils_password.c:243
+#: src/utils_password.c:233
 msgid "Verify passphrase: "
 msgstr "Verifiera lösenfras: "
 
-#: src/utils_password.c:250
+#: src/utils_password.c:240
 msgid "Passphrases do not match."
 msgstr "Lösenfraserna stämmer inte överens."
 
-#: src/utils_password.c:288
+#: src/utils_password.c:278
 msgid "Cannot use offset with terminal input."
 msgstr "Det går inte att använda offset med terminalinmatning."
 
-#: src/utils_password.c:292
+#: src/utils_password.c:282
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Ange lösenfras: "
 
-#: src/utils_password.c:295
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Ange lösenfras för %s: "
 
-#: src/utils_password.c:329
+#: src/utils_password.c:319
 msgid "No key available with this passphrase."
 msgstr "Ingen nyckel finns tillgänglig med denna lösenfras."
 
-#: src/utils_password.c:331
+#: src/utils_password.c:321
 msgid "No usable keyslot is available."
 msgstr "Ingen tillgänglig användbar nyckelplats."
 
-#: src/utils_luks.c:67
+#: src/utils_luks.c:55
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Kan inte verifiera lösenfras på icke-tty-ingångar."
 
-#: src/utils_luks.c:182
+#: src/utils_luks.c:173
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Misslyckades med att öppna filen %s i skrivskyddat läge."
 
-#: src/utils_luks.c:195
+#: src/utils_luks.c:186
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Tillhandahåll giltig JSON för LUKS2-token:\n"
 
-#: src/utils_luks.c:202
+#: src/utils_luks.c:193
 msgid "Failed to read JSON file."
 msgstr "Misslyckades med att läsa in JSON-filen."
 
-#: src/utils_luks.c:207
+#: src/utils_luks.c:198
 msgid ""
 "\n"
 "Read interrupted."
@@ -3169,12 +3526,12 @@ msgstr ""
 "\n"
 "Läsning avbryten."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:239
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Misslyckades med att öppna filen %s in skrivläge."
 
-#: src/utils_luks.c:257
+#: src/utils_luks.c:248
 msgid ""
 "\n"
 "Write interrupted."
@@ -3182,26 +3539,26 @@ msgstr ""
 "\n"
 "Skrivning avbruten."
 
-#: src/utils_luks.c:261
+#: src/utils_luks.c:252
 msgid "Failed to write JSON file."
 msgstr "Misslyckades med att skriva JSON-fil."
 
-#: src/utils_reencrypt.c:120
+#: src/utils_reencrypt.c:107
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Auto-identifierade aktiv dm-enhet ”%s” för dataenheten %s.\n"
 
-#: src/utils_reencrypt.c:124
+#: src/utils_reencrypt.c:111
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Misslyckades med att identifiera kopplingarna till enhet %s."
 
-#: src/utils_reencrypt.c:130
+#: src/utils_reencrypt.c:117
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Enheten %s är inte en giltig blockenhet.\n"
 
-#: src/utils_reencrypt.c:132
+#: src/utils_reencrypt.c:119
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3214,41 +3571,54 @@ msgstr ""
 "Det kan leda till datakorruption om enheten är aktiverad.\n"
 "För att kryptera om i uppkopplat läge, använd istället flaggan --active-name.\n"
 
-#: src/utils_reencrypt.c:175
+#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#, c-format
+msgid ""
+"Device %s is not a block device. Can not auto-detect if it is active or not.\n"
+"Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."
+msgstr ""
+"Enheten %s är inte en blockenhet. Kan inte automatiskt upptäcka om den är aktiv eller inte.\n"
+"Använd --force-offline-reencrypt för att kringgå kontrollen och köra i offline-läge (farligt!)."
+
+#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:218
+msgid "Requested --resilience option cannot be applied to current reencryption operation."
+msgstr "Begärd flagga --resilience kan inte tillämpas på aktuell omkrypteringsåtgärd."
+
+#: src/utils_reencrypt.c:190
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Enheten är inte under LUKS2-omkryptering.  Motsägelsefull flagga --encrypt."
 
-#: src/utils_reencrypt.c:180
+#: src/utils_reencrypt.c:195
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Enheten är inte i LUKS2-dekryptering. Motsägelsefull flagga --decrypt."
 
-#: src/utils_reencrypt.c:187
+#: src/utils_reencrypt.c:202
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Enheten är under omkryptering med dataskiftåterhämtning. Begärd flagga --resillence kan inte tillämpas."
 
-#: src/utils_reencrypt.c:193 src/utils_reencrypt.c:199
-#: src/utils_reencrypt.c:205 src/utils_reencrypt.c:681
-msgid "Requested --resilience option cannot be applied to current reencryption operation."
-msgstr "Begärd flagga --resilience kan inte tillämpas på aktuell omkrypteringsåtgärd."
-
-#: src/utils_reencrypt.c:258
+#: src/utils_reencrypt.c:280
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Enheten kräver omkrypteringsåterställning. Starta repair först."
 
-#: src/utils_reencrypt.c:268
+#: src/utils_reencrypt.c:294
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Enheten %s är redan under LUKS2-omkryptering. Vill du återuppta tidigare  intierad åtgärd?"
 
-#: src/utils_reencrypt.c:314
+#: src/utils_reencrypt.c:403
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Stöder inte längre föråldrad LUKS2-omkryptering."
 
-#: src/utils_reencrypt.c:379
+#: src/utils_reencrypt.c:408
+msgid "Can not reencrypt LUKS2 device configured to use OPAL."
+msgstr "Kan inte återkryptera LUKS2-enhet som konfigurerats för att använda OPAL."
+
+#: src/utils_reencrypt.c:414
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Kryptering för enhet med integritetsprofil stöds ej."
 
-#: src/utils_reencrypt.c:410
+#: src/utils_reencrypt.c:451
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3257,98 +3627,103 @@ msgstr ""
 "Begärde --sector-size %<PRIu32> är inkompatibel med superblock %s\n"
 "(blockstorlek: %<PRIu32> byte) identifierad på enheten %s."
 
-#: src/utils_reencrypt.c:455
+#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Kryptering utan frånkopplat huvud (--header) är inte möjligt utan att minska datastorleken på enheten (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:461
+#: src/utils_reencrypt.c:527
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Begärd dataförskjutning måste vara mindre än, eller lika med halva av parametern --reduce-device-size."
 
-#: src/utils_reencrypt.c:471
+#: src/utils_reencrypt.c:537
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Justera värdet av --reduce-device-size-värdet till dubbla --offset %<PRIu64> (sektorer).\n"
 
-#: src/utils_reencrypt.c:501
+#: src/utils_reencrypt.c:567
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Tillfällig huvudfil %s finns redan. Avbryter."
 
-#: src/utils_reencrypt.c:503 src/utils_reencrypt.c:510
+#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Det går inte att skapa tillfällig huvudfil %s."
 
-#: src/utils_reencrypt.c:535
+#: src/utils_reencrypt.c:601
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "LUKS2-metadatastorleken är större än dataskift-värdet."
 
-#: src/utils_reencrypt.c:572
+#: src/utils_reencrypt.c:638
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Misslyckades med att placera ny header i början på enheten %s."
 
-#: src/utils_reencrypt.c:582
+#: src/utils_reencrypt.c:648
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s är nu aktiv och redo för uppkopplad kryptering.\n"
 
-#: src/utils_reencrypt.c:618
+#: src/utils_reencrypt.c:684
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Aktiva enheten: %s är inte LUKS2."
 
-#: src/utils_reencrypt.c:646
+#: src/utils_reencrypt.c:712
 msgid "Restoring original LUKS2 header."
 msgstr "Återställer ursprungligt LUKS2-huvud."
 
-#: src/utils_reencrypt.c:654
+#: src/utils_reencrypt.c:720
 msgid "Original LUKS2 header restore failed."
 msgstr "Misslyckades med återställning av ursprungligt LUKS2-huvud."
 
-#: src/utils_reencrypt.c:722
+#: src/utils_reencrypt.c:752
+#, c-format
+msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
+msgstr "Header-filen %s finns inte. Vill du initiera LUKS2-dekryptering av enheten %s och exportera LUKS2-huvudet till filen %s?"
+
+#: src/utils_reencrypt.c:802
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Misslyckades med att läsa/skriva behörighetsflaggor till exporterad huvudfil."
 
-#: src/utils_reencrypt.c:775
+#: src/utils_reencrypt.c:856
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Misslyckades med initiering av omkryptering. Säkerhetskopian av huvudet är tillgänglig i %s."
 
-#: src/utils_reencrypt.c:803
+#: src/utils_reencrypt.c:884
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "LUKS2-dekryptering stöds endast för enheter med fristående header (med data-offset satt till 0)."
 
-#: src/utils_reencrypt.c:934 src/utils_reencrypt.c:943
+#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
 msgid "Not enough free keyslots for reencryption."
 msgstr "Inte nog med fria nyckelplatser för omkryptering."
 
-#: src/utils_reencrypt.c:964 src/utils_reencrypt_luks1.c:1100
+#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Nyckelfil kan endast användas med --key-slot eller precis en aktiv nyckelplats."
 
-#: src/utils_reencrypt.c:973 src/utils_reencrypt_luks1.c:1147
-#: src/utils_reencrypt_luks1.c:1158
+#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
+#: src/utils_reencrypt_luks1.c:1105
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Ange lösenfras för nyckelplats %d: "
 
-#: src/utils_reencrypt.c:985
+#: src/utils_reencrypt.c:1070
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Ange lösenfras för nyckelplats %u: "
 
-#: src/utils_reencrypt.c:1037
+#: src/utils_reencrypt.c:1122
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Byter krypteringschiffer till %s.\n"
 
-#: src/utils_reencrypt.c:1091
+#: src/utils_reencrypt.c:1176
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Inga parametrar för datasegment ändrades. Omkryptering avbruten."
 
-#: src/utils_reencrypt.c:1187
+#: src/utils_reencrypt.c:1278
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3356,8 +3731,8 @@ msgstr ""
 "Ökning av sektorstorlek för kryptering på en frånkopplad enhet stöds ej.\n"
 "Aktivera enheten för eller använd flaggan --force-offline-reencrypt  (farligt!)."
 
-#: src/utils_reencrypt.c:1227 src/utils_reencrypt_luks1.c:726
-#: src/utils_reencrypt_luks1.c:798
+#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
+#: src/utils_reencrypt_luks1.c:761
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3365,236 +3740,236 @@ msgstr ""
 "\n"
 "Omkryptering avbryten."
 
-#: src/utils_reencrypt.c:1232
+#: src/utils_reencrypt.c:1323
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Återupptar LUKS-omkryptering i tvingat frånkopplat läge.\n"
 
-#: src/utils_reencrypt.c:1249
+#: src/utils_reencrypt.c:1346
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "Enheten %s innehåller felaktig LUKS-metadata. Avbryter åtgärden."
 
-#: src/utils_reencrypt.c:1265 src/utils_reencrypt.c:1287
+#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Enheten %s är redan en LUKS-enhet. Avbryter åtgärd."
 
-#: src/utils_reencrypt.c:1293
+#: src/utils_reencrypt.c:1390
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Enheten %s är redan i LUKS-omkryptering. Avbryter åtgärd."
 
-#: src/utils_reencrypt.c:1366
+#: src/utils_reencrypt.c:1473
 msgid "LUKS2 decryption requires --header option."
 msgstr "LUKS2-dekryptering kräver flaggan --header."
 
-#: src/utils_reencrypt.c:1414
+#: src/utils_reencrypt.c:1521
 msgid "Command requires device as argument."
 msgstr "Kommandot kräver en enhet som argument."
 
-#: src/utils_reencrypt.c:1427
+#: src/utils_reencrypt.c:1534
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Versionskonflikt. Enheten %s är LUKS1."
 
-#: src/utils_reencrypt.c:1433
+#: src/utils_reencrypt.c:1540
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Versionskonflikt. Enheten %s är under LUKS2-omkryptering."
 
-#: src/utils_reencrypt.c:1439
+#: src/utils_reencrypt.c:1546
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Versionskonflikt. Enheten %s är LUKS2."
 
-#: src/utils_reencrypt.c:1445
+#: src/utils_reencrypt.c:1552
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Versionskonflikt: Enheten %s är under LUKS2-omkryptering."
 
-#: src/utils_reencrypt.c:1451
+#: src/utils_reencrypt.c:1558
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "LUKS2-omkryptering är redan initierad. Avbryter åtgärd."
 
-#: src/utils_reencrypt.c:1458
+#: src/utils_reencrypt.c:1565
 msgid "Device reencryption not in progress."
-msgstr "Enhetsomkryptering pågår ej"
+msgstr "Enhetsomkryptering pågår ej."
 
-#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:287
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Kan inte öppna %s exklusivt, enheten används."
 
-#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
 msgid "Allocation of aligned memory failed."
 msgstr "Misslyckades med allokering av justerat minne."
 
-#: src/utils_reencrypt_luks1.c:150
+#: src/utils_reencrypt_luks1.c:137
 #, c-format
 msgid "Cannot read device %s."
 msgstr "Det går inte att läsa enheten %s."
 
-#: src/utils_reencrypt_luks1.c:161
+#: src/utils_reencrypt_luks1.c:148
 #, c-format
 msgid "Marking LUKS1 device %s unusable."
 msgstr "Markerar LUKS1-enhet %s som oanvändbar."
 
-#: src/utils_reencrypt_luks1.c:177
+#: src/utils_reencrypt_luks1.c:164
 #, c-format
 msgid "Cannot write device %s."
 msgstr "Det går inte att skriva till enheten %s."
 
-#: src/utils_reencrypt_luks1.c:226
+#: src/utils_reencrypt_luks1.c:213
 msgid "Cannot write reencryption log file."
 msgstr "Det går inte att skriva loggfil för omkryptering."
 
-#: src/utils_reencrypt_luks1.c:282
+#: src/utils_reencrypt_luks1.c:269
 msgid "Cannot read reencryption log file."
 msgstr "Det går inte att läsa loggfil för omkryptering."
 
-#: src/utils_reencrypt_luks1.c:293
+#: src/utils_reencrypt_luks1.c:280
 msgid "Wrong log format."
 msgstr "Fel loggformat."
 
-#: src/utils_reencrypt_luks1.c:320
+#: src/utils_reencrypt_luks1.c:307
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Loggfilen %s existerar, återupptar kryptering.\n"
 
-#: src/utils_reencrypt_luks1.c:369
+#: src/utils_reencrypt_luks1.c:356
 msgid "Activating temporary device using old LUKS header."
 msgstr "Aktiverar temporär enhet användandes gammalt LUKS-huvud."
 
-#: src/utils_reencrypt_luks1.c:379
+#: src/utils_reencrypt_luks1.c:366
 msgid "Activating temporary device using new LUKS header."
 msgstr "Aktiverar temporär enhet användandes nytt LUKS-huvud."
 
-#: src/utils_reencrypt_luks1.c:389
+#: src/utils_reencrypt_luks1.c:376
 msgid "Activation of temporary devices failed."
 msgstr "Aktivering av temporära enheter misslyckades."
 
-#: src/utils_reencrypt_luks1.c:449
+#: src/utils_reencrypt_luks1.c:436
 msgid "Failed to set data offset."
 msgstr "Misslyckades med att sätta dataoffset."
 
-#: src/utils_reencrypt_luks1.c:455
+#: src/utils_reencrypt_luks1.c:442
 msgid "Failed to set metadata size."
 msgstr "Misslyckades med att sätta metadatastorlek."
 
-#: src/utils_reencrypt_luks1.c:463
+#: src/utils_reencrypt_luks1.c:450
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Skapade nytt LUKS-huvud för enhet %s."
 
-#: src/utils_reencrypt_luks1.c:500
+#: src/utils_reencrypt_luks1.c:487
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Skapade säkerhetskopia av %s-huvud på enhet %s."
 
-#: src/utils_reencrypt_luks1.c:556
+#: src/utils_reencrypt_luks1.c:543
 msgid "Creation of LUKS backup headers failed."
 msgstr "Misslyckades med att skapa en säkerhetskopia av LUKS-huvuden."
 
-#: src/utils_reencrypt_luks1.c:685
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Det går inte återställa %s-huvudet på enheten %s."
 
-#: src/utils_reencrypt_luks1.c:687
+#: src/utils_reencrypt_luks1.c:674
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Återställde %s-huvudet på enheten %s."
 
-#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
 msgid "Cannot open temporary LUKS device."
 msgstr "Misslyckades med att öppna temporär LUKS-enhet."
 
-#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
 msgid "Cannot get device size."
 msgstr "Det går inte att hämta enhetsstorlek."
 
-#: src/utils_reencrypt_luks1.c:968
+#: src/utils_reencrypt_luks1.c:915
 msgid "IO error during reencryption."
 msgstr "In-/utfel under återkryptering."
 
-#: src/utils_reencrypt_luks1.c:998
+#: src/utils_reencrypt_luks1.c:945
 msgid "Provided UUID is invalid."
 msgstr "Angivet UUID är ogiltigt."
 
-#: src/utils_reencrypt_luks1.c:1220
+#: src/utils_reencrypt_luks1.c:1171
 msgid "Cannot open reencryption log file."
 msgstr "Det går inte att öppna loggfilen för omkryptering."
 
-#: src/utils_reencrypt_luks1.c:1226
+#: src/utils_reencrypt_luks1.c:1177
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Ingen dekryptering pågår, givet UUID kan endast användas för att återuppta vilande dekrypteringsprocess."
 
-#: src/utils_reencrypt_luks1.c:1280
+#: src/utils_reencrypt_luks1.c:1233
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Omkryptering kommer att ändra: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1281
+#: src/utils_reencrypt_luks1.c:1234
 msgid "volume key"
 msgstr "volymnyckeln"
 
-#: src/utils_reencrypt_luks1.c:1283
+#: src/utils_reencrypt_luks1.c:1236
 msgid "set hash to "
 msgstr "sätt hash till "
 
-#: src/utils_reencrypt_luks1.c:1284
+#: src/utils_reencrypt_luks1.c:1237
 msgid ", set cipher to "
 msgstr ", sätt chiffer till "
 
-#: src/utils_blockdev.c:189
+#: src/utils_blockdev.c:176
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "VARNING: Enheten %s innehåller redan en ”%s”-partitionssignatur.\n"
 
-#: src/utils_blockdev.c:197
+#: src/utils_blockdev.c:184
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "VARNING: Enheten %s innehåller redan en ”%s”-superblocksignatur.\n"
 
-#: src/utils_blockdev.c:219 src/utils_blockdev.c:294 src/utils_blockdev.c:344
+#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
 msgid "Failed to initialize device signature probes."
 msgstr "Misslyckades med att initiera identifiering av enhetssignatur."
 
-#: src/utils_blockdev.c:274
+#: src/utils_blockdev.c:269
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Misslyckades med att ta status på enhet %s."
 
-#: src/utils_blockdev.c:289
+#: src/utils_blockdev.c:284
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Misslyckades med att öppna filen %s i läs-/skrivläge."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:304
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Kommer att rensa befintlig ”%s” på enheten %s."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Kommer att rensa befintlig ”%s” på enheten %s."
 
-#: src/utils_blockdev.c:313
+#: src/utils_blockdev.c:310
 msgid "Failed to wipe device signature."
 msgstr "Misslyckades med att radera enhetssignatur."
 
-#: src/utils_blockdev.c:320
+#: src/utils_blockdev.c:317
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Misslyckades med söka av enheten %s efter en signatur."
 
-#: src/utils_args.c:65
+#: src/utils_args.c:52
 #, c-format
 msgid "Invalid size specification in parameter --%s."
 msgstr "Ogiltig datastorlekspecifikation i flaggan --%s."
 
-#: src/utils_args.c:125
+#: src/utils_args.c:112
 #, c-format
 msgid "Option --%s is not allowed with %s action."
 msgstr "Flaggan --%s tillåts inte med åtgärden --%s."
@@ -3612,7 +3987,7 @@ msgid ""
 "\n"
 "Note: The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext."
 msgstr ""
-"Experimentell cryptsetup-insticksmodul för att låsa upp LUKS2-enheter med token ansluten via SSH-server. Den tillåter för närvarande endast att lägga till en token till en existerande nyckelplats.\n"
+"Experimentell cryptsetup-insticksmodul för att låsa upp LUKS2-enheter med token ansluten via SSH-server.\vDen tillåter för närvarande endast att lägga till en token till en existerande nyckelplats.\n"
 "\n"
 "Angiven SSH-server måste innehålla en nyckelfil på den angivna sökvägen med ett lösenord för en befintlig nyckelplats på enheten.\n"
 "Inloggningsuppgifter kommer att användas av cryptsetup för att att hämta lösenordet genom att använda token när enheten öppnas.\n"
@@ -3643,885 +4018,125 @@ msgstr "Sökvägen till nyckelfilen på fjärrservern"
 msgid "Path to the SSH key for connecting to the remote server"
 msgstr "Sökväg till SSH-nyckeln för anslutning till fjärrservern"
 
-#: tokens/ssh/cryptsetup-ssh.c:146
+#: tokens/ssh/cryptsetup-ssh.c:147
+msgid "Path to directory containinig libcryptsetup external tokens"
+msgstr "Sökväg till katalog som innehåller libcryptsetup external tokens"
+
+#: tokens/ssh/cryptsetup-ssh.c:148
 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
 msgstr "Nyckelplats att ange token till. Om ej angiven så kommer token att tilldelas till den första nyckelplats som matchar angivet lösenfras."
 
-#: tokens/ssh/cryptsetup-ssh.c:148
+#: tokens/ssh/cryptsetup-ssh.c:150
 msgid "Generic options:"
 msgstr "Allmänna flaggor:"
 
-#: tokens/ssh/cryptsetup-ssh.c:149
+#: tokens/ssh/cryptsetup-ssh.c:151
 msgid "Shows more detailed error messages"
 msgstr "Visar mer detaljerade felmeddelanden"
 
-#: tokens/ssh/cryptsetup-ssh.c:150
+#: tokens/ssh/cryptsetup-ssh.c:152
 msgid "Show debug messages"
 msgstr "Visa felsökningsmeddelanden"
 
-#: tokens/ssh/cryptsetup-ssh.c:151
+#: tokens/ssh/cryptsetup-ssh.c:153
 msgid "Show debug messages including JSON metadata"
 msgstr "Visa felsökningsmeddelanden inklusive JSON-metadata"
 
-#: tokens/ssh/cryptsetup-ssh.c:262
+#: tokens/ssh/cryptsetup-ssh.c:268
 msgid "Failed to open and import private key:\n"
 msgstr "Misslyckades med att öppna och importera privat nyckel:\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:266
+#: tokens/ssh/cryptsetup-ssh.c:272
 msgid "Failed to import private key (password protected?).\n"
 msgstr "Misslyckades med att importera privat nyckel (lösenordskyddad?).\n"
 
 #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
-#: tokens/ssh/cryptsetup-ssh.c:268
+#: tokens/ssh/cryptsetup-ssh.c:274
 #, c-format
 msgid "%s@%s's password: "
 msgstr "%s@%s's lösenord: "
 
-#: tokens/ssh/cryptsetup-ssh.c:357
+#: tokens/ssh/cryptsetup-ssh.c:363
 #, c-format
 msgid "Failed to parse arguments.\n"
 msgstr "Misslyckades med att tolka argument.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:368
+#: tokens/ssh/cryptsetup-ssh.c:374
 #, c-format
 msgid "An action must be specified\n"
 msgstr "En åtgärd måste anges\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:374
+#: tokens/ssh/cryptsetup-ssh.c:380
 #, c-format
 msgid "Device must be specified for '%s' action.\n"
 msgstr "En enhet måste anges för åtgärden ”%s”.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:379
+#: tokens/ssh/cryptsetup-ssh.c:385
 #, c-format
 msgid "SSH server must be specified for '%s' action.\n"
 msgstr "SSH-servern måste anges för åtgärden ”%s”.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:384
+#: tokens/ssh/cryptsetup-ssh.c:390
 #, c-format
 msgid "SSH user must be specified for '%s' action.\n"
 msgstr "SSH-användare måste anges för åtgärden ”%s”.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:389
+#: tokens/ssh/cryptsetup-ssh.c:395
 #, c-format
 msgid "SSH path must be specified for '%s' action.\n"
 msgstr "SSH-sökväg måste anges för åtgärden ”%s”.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:394
+#: tokens/ssh/cryptsetup-ssh.c:400
 #, c-format
 msgid "SSH key path must be specified for '%s' action.\n"
 msgstr "SSH-nyckelplats måste anges för åtgärden ”%s”.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:401
+#: tokens/ssh/cryptsetup-ssh.c:407
 #, c-format
 msgid "Failed open %s using provided credentials.\n"
 msgstr "Misslyckades med att öppna %s med tillhandahållna autentiseringsuppgifter.\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:417
+#: tokens/ssh/cryptsetup-ssh.c:424
 #, c-format
 msgid "Only 'add' action is currently supported by this plugin.\n"
 msgstr "Endast åtgärden ”add” stöds för närvarande av denna insticksmodul.\n"
 
-#: tokens/ssh/ssh-utils.c:46
+#: tokens/ssh/ssh-utils.c:33
 msgid "Cannot create sftp session: "
 msgstr "Det går inte att skapa sftp-sessionen: "
 
-#: tokens/ssh/ssh-utils.c:53
+#: tokens/ssh/ssh-utils.c:40
 msgid "Cannot init sftp session: "
 msgstr "Det går inte att initiera sftp-sessionen: "
 
-#: tokens/ssh/ssh-utils.c:59
+#: tokens/ssh/ssh-utils.c:46
 msgid "Cannot open sftp session: "
-msgstr "Det går inte att öppna sftp-sessionen:"
+msgstr "Det går inte att öppna sftp-sessionen: "
 
-#: tokens/ssh/ssh-utils.c:66
+#: tokens/ssh/ssh-utils.c:53
 msgid "Cannot stat sftp file: "
 msgstr "Det går inte att stat sftp-filen: "
 
-#: tokens/ssh/ssh-utils.c:74
+#: tokens/ssh/ssh-utils.c:61
 msgid "Not enough memory.\n"
 msgstr "Inte tillräckligt med minne.\n"
 
-#: tokens/ssh/ssh-utils.c:81
+#: tokens/ssh/ssh-utils.c:68
 msgid "Cannot read remote key: "
 msgstr "Det går inte att läsa fjärrnyckeln: "
 
-#: tokens/ssh/ssh-utils.c:122
+#: tokens/ssh/ssh-utils.c:109
 msgid "Connection failed: "
 msgstr "Anslutning misslyckades: "
 
-#: tokens/ssh/ssh-utils.c:132
+#: tokens/ssh/ssh-utils.c:119
 msgid "Server not known: "
 msgstr "Okänd server: "
 
-#: tokens/ssh/ssh-utils.c:160
+#: tokens/ssh/ssh-utils.c:147
 msgid "Public key auth method not allowed on host.\n"
 msgstr "Den öppna nyckelns auth-metod tills inte på värddatorn.\n"
 
-#: tokens/ssh/ssh-utils.c:171
+#: tokens/ssh/ssh-utils.c:158
 msgid "Public key authentication error: "
 msgstr "Autentiseringsfel för öppen nyckel: "
-
-#~ msgid "Failed to read BITLK signature from %s."
-#~ msgstr "Misslyckades med att läsa BITLK-signatur från %s."
-
-#~ msgid "Invalid or unknown signature for BITLK device."
-#~ msgstr "Ogiltig eller okänd signatur för BITLK-enhet."
-
-#~ msgid "Failed to wipe backup segment data."
-#~ msgstr "Misslyckades med att radera säkerhetskopia av segmentdata."
-
-#~ msgid "Failed to disable reencryption requirement flag."
-#~ msgstr "Misslyckades med att inaktivera flaggan för omkrypteringskrav."
-
-#~ msgid "Encryption is supported only for LUKS2 format."
-#~ msgstr "Kryptering stöds endast för formatet LUKS2."
-
-#~ msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
-#~ msgstr "Identifierade LUKS-enhet på %s. Vill du kryptera LUKS-enheten igen?"
-
-#~ msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
-#~ msgstr "Stödjer endast LUKS2-formatet. Använd verktyget cryptsetup-reencrypt för LUKS1."
-
-#~ msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
-#~ msgstr "Föråldrad frånkopplad omkryptering pågår redan. Använd verktyget cryptsetup-reencrypt."
-
-#~ msgid "LUKS2 device is not in reencryption."
-#~ msgstr "LUKS2-enheten är inte i omkryptering."
-
-#~ msgid "Setting LUKS2 offline reencrypt flag on device %s."
-#~ msgstr "Sätter LUKS2-flaggan för att kryptera om på enheten %s."
-
-#~ msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
-#~ msgstr "Denna version av cryptsetup-reencrypt kan inte hantera ny interna tokentypen %s."
-
-#~ msgid "Failed to read activation flags from backup header."
-#~ msgstr "Misslyckades med att läsa aktiveringsflaggor från säkerhetskopia av huvud."
-
-#~ msgid "Failed to read requirements from backup header."
-#~ msgstr "Misslyckades med att läsa krav från säkerhetskopiehuvud."
-
-#~ msgid "Changed pbkdf parameters in keyslot %i."
-#~ msgstr "Ändrade pbkdf-parametrarna i nyckelplatsen %i."
-
-#~ msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
-#~ msgstr "Endast värden mellan 1 MiB och 64 MiB är tillåtna som blockstorlek för omkryptering."
-
-#~ msgid "Maximum device reduce size is 64 MiB."
-#~ msgstr "Högsta förminskningsstorlek för enhet är 64 MiB."
-
-#~ msgid "[OPTION...] <device>"
-#~ msgstr "[FLAGGA…] <enhet>"
-
-#~ msgid "Argument required."
-#~ msgstr "Kräver argument."
-
-#~ msgid "Option --new must be used together with --reduce-device-size or --header."
-#~ msgstr "Flaggan --new måste användas tillsammans med --reduce-device-size eller --header."
-
-#~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
-#~ msgstr "Flaggan --keep-key kan endast användas med --hash, --iter-time eller --pbkdf-force-iterations."
-
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "Flaggan --new kan inte användas tillsammans med --decrypt."
-
-#~ msgid "Option --decrypt is incompatible with specified parameters."
-#~ msgstr "Flaggan --decrypt är inkompatibel med specificerade parametrar."
-
-#~ msgid "Option --uuid is allowed only together with --decrypt."
-#~ msgstr "Flaggan --uuid är endast tillåten tillsammans med --decrypt."
-
-#~ msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
-#~ msgstr "Ogiltig luks-typ. Använd en av dessa: 'luks', 'luks1' or 'luks2'."
-
-#~ msgid "Device %s is in use. Cannot proceed with format operation."
-#~ msgstr "Enheten %s används. Det går inte att fortsätta med formateringsåtgärden."
-
-#~ msgid "No free token slot."
-#~ msgstr "Ingen fri plats för token."
-
-#~ msgid "Invalid LUKS device type."
-#~ msgstr "Ogiltig LUKS-enhetstyp."
-
-#~ msgid "The cipher used to encrypt the disk (see /proc/crypto)"
-#~ msgstr "Chiffret som används för att kryptera disken (se /proc/crypto)"
-
-#~ msgid "The hash used to create the encryption key from the passphrase"
-#~ msgstr "Hashen som används för att skapa krypteringsnyckel från lösenfras"
-
-#~ msgid "Verifies the passphrase by asking for it twice"
-#~ msgstr "Verifierar lösenfrasen genom att fråga efter den två gånger"
-
-#~ msgid "Read the key from a file"
-#~ msgstr "Läs nyckeln från en fil"
-
-#~ msgid "Read the volume (master) key from file."
-#~ msgstr "Läs volymnyckeln (master) från fil."
-
-#~ msgid "Dump volume (master) key instead of keyslots info"
-#~ msgstr "Skriv ut volymnyckel (master) istället för nyckelplatsinfo"
-
-#~ msgid "The size of the encryption key"
-#~ msgstr "Storleken för krypteringsnyckeln"
-
-#~ msgid "BITS"
-#~ msgstr "BITAR"
-
-#~ msgid "Limits the read from keyfile"
-#~ msgstr "Begränsa läsningen från nyckelfil"
-
-#~ msgid "bytes"
-#~ msgstr "byte"
-
-#~ msgid "Number of bytes to skip in keyfile"
-#~ msgstr "Antal byte att hoppa över i nyckelfil"
-
-#~ msgid "Limits the read from newly added keyfile"
-#~ msgstr "Begränsa läsningen från nyligen tillagd nyckelfil"
-
-#~ msgid "Number of bytes to skip in newly added keyfile"
-#~ msgstr "Antal byte att hoppa över i nyligen tillagd nyckelfil"
-
-#~ msgid "Slot number for new key (default is first free)"
-#~ msgstr "Platsnummer för ny nyckel (standard är första lediga)"
-
-#~ msgid "The size of the device"
-#~ msgstr "Storleken för enheten"
-
-#~ msgid "SECTORS"
-#~ msgstr "SEKTORER"
-
-#~ msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
-#~ msgstr "Använd endast specificerad enhetsstorlek (ignorera resten av enheten). FARLIGT!"
-
-#~ msgid "The start offset in the backend device"
-#~ msgstr "Startoffset i bakändesenheten"
-
-#~ msgid "How many sectors of the encrypted data to skip at the beginning"
-#~ msgstr "Hur många sektorer av krypterat data som ska hoppas över i början"
-
-#~ msgid "Create a readonly mapping"
-#~ msgstr "Skapa en skrivskyddad mappning"
-
-#~ msgid "Do not ask for confirmation"
-#~ msgstr "Fråga inte efter bekräftelse"
-
-#~ msgid "Timeout for interactive passphrase prompt (in seconds)"
-#~ msgstr "Tidsgräns för interaktiv lösenfrasprompt (i sekunder)"
-
-#~ msgid "secs"
-#~ msgstr "sek"
-
-#~ msgid "Progress line update (in seconds)"
-#~ msgstr "Uppdatering av förloppslinje (i sekunder)"
-
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Hur många inmatningsförsök av lösenfrasen som kan göras"
-
-#~ msgid "Align payload at <n> sector boundaries - for luksFormat"
-#~ msgstr "Justera nyttolast i <n> sektorgränser - för luksFormat"
-
-#~ msgid "File with LUKS header and keyslots backup"
-#~ msgstr "Fil med säkerhetskopior av LUKS-huvud och nyckelplatser"
-
-#~ msgid "Use /dev/random for generating volume key"
-#~ msgstr "Använd /dev/random för att generera volymnyckel"
-
-#~ msgid "Use /dev/urandom for generating volume key"
-#~ msgstr "Använd /dev/urandom för att generera volymnyckel"
-
-#~ msgid "Share device with another non-overlapping crypt segment"
-#~ msgstr "Dela enhet med ett annat ej överlappande krypteringssegment"
-
-#~ msgid "UUID for device to use"
-#~ msgstr "UUID för enheten att använda"
-
-#~ msgid "Allow discards (aka TRIM) requests for device"
-#~ msgstr "Tillåt avvisningsbegäran (TRIM) för enhet"
-
-#~ msgid "Device or file with separated LUKS header"
-#~ msgstr "Enhet eller fil med separerat LUKS-huvud"
-
-#~ msgid "Do not activate device, just check passphrase"
-#~ msgstr "Aktivera inte enhet, kontrollera endast lösenfrasen"
-
-#~ msgid "Use hidden header (hidden TCRYPT device)"
-#~ msgstr "Använd dolt huvud (gömd TCRYPT-enhet)"
-
-#~ msgid "Device is system TCRYPT drive (with bootloader)"
-#~ msgstr "Enheten är system-TCRYPT-disk (med starthanterare)"
-
-#~ msgid "Use backup (secondary) TCRYPT header"
-#~ msgstr "Använd säkerhetskopia (sekundär) för TCRYPT-huvud"
-
-#~ msgid "Scan also for VeraCrypt compatible device"
-#~ msgstr "Sök också efter VeraCrypt-kompatibel enhet"
-
-#~ msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
-#~ msgstr "Personlig iteration för VeraCrypt-kompatibel enhet"
-
-#~ msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
-#~ msgstr "Query Personal Iteration Multiplier för VeraCrypt-kompatibel enhet"
-
-#~ msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
-#~ msgstr "Typer av enhetsmetadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
-
-#~ msgid "Disable password quality check (if enabled)"
-#~ msgstr "Inaktivera kvalitetskontroll av lösenord (om aktiverat)"
-
-#~ msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
-#~ msgstr "Använd flaggan dm-crypt same_cpu_crypt för prestandakompatibilitet"
-
-#~ msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
-#~ msgstr "Använd flaggan dm-crypt submit_from_crypt_cpus för prestandakompatibilitet"
-
-#~ msgid "Bypass dm-crypt workqueue and process read requests synchronously"
-#~ msgstr "Förbigå dm-crypt's arbetskö och bearbeta läsbegäran synkront"
-
-#~ msgid "Bypass dm-crypt workqueue and process write requests synchronously"
-#~ msgstr "Förbigå dm-crypt's arbetskö och bearbeta skrivbegäran synkront"
-
-#~ msgid "Device removal is deferred until the last user closes it"
-#~ msgstr "Enhetsborttagning är förskjuten tills den sista användaren stänger den"
-
-#~ msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
-#~ msgstr "Använder globalt lås för att serialisera minneshård PBKDF (OOM-lösning)"
-
-#~ msgid "PBKDF iteration time for LUKS (in ms)"
-#~ msgstr "PBKDF-iterationstid för LUKS (i ms)"
-
-#~ msgid "msecs"
-#~ msgstr "ms"
-
-#~ msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
-#~ msgstr "PBKDF-algoritm (för LUKS2) (argon2i/argon2id/pbkdf2)"
-
-#~ msgid "PBKDF memory cost limit"
-#~ msgstr "Minneskostnadsgräns för PBKDF"
-
-#~ msgid "kilobytes"
-#~ msgstr "kilobyte"
-
-#~ msgid "PBKDF parallel cost"
-#~ msgstr "Parallellkostnad för PBKDF"
-
-#~ msgid "threads"
-#~ msgstr "trådar"
-
-#~ msgid "PBKDF iterations cost (forced, disables benchmark)"
-#~ msgstr "Iterationskostnad för PBKDF (tvingad, inaktiverar prestandamätning)"
-
-#~ msgid "Keyslot priority: ignore, normal, prefer"
-#~ msgstr "Nyckelplats-prioritet: ignore,normal,prefer"
-
-#~ msgid "Disable locking of on-disk metadata"
-#~ msgstr "Inaktivera låsning av metadata på disk"
-
-#~ msgid "Disable loading volume keys via kernel keyring"
-#~ msgstr "Inaktivera att läsa in volymnycklar via kärnans nyckelring"
-
-#~ msgid "Data integrity algorithm (LUKS2 only)"
-#~ msgstr "Algoritm för dataintegritet (endast LUKS2)"
-
-#~ msgid "Disable journal for integrity device"
-#~ msgstr "Inaktivera journal för integritetsenhet"
-
-#~ msgid "Do not wipe device after format"
-#~ msgstr "Rensa inte enhet efter formatering"
-
-#~ msgid "Use inefficient legacy padding (old kernels)"
-#~ msgstr "Använd ineffektiv föråldrad padding (gamla kärnor)"
-
-#~ msgid "Do not ask for passphrase if activation by token fails"
-#~ msgstr "Fråga inte efter lösenfras om aktivering med token misslyckas"
-
-#~ msgid "Token number (default: any)"
-#~ msgstr "Tokenantal (standardvärde: any)"
-
-#~ msgid "Key description"
-#~ msgstr "Nyckelbeskrivning"
-
-#~ msgid "Encryption sector size (default: 512 bytes)"
-#~ msgstr "Sektorstorlek för kryptering (standardvärde 512 byte)"
-
-#~ msgid "Use IV counted in sector size (not in 512 bytes)"
-#~ msgstr "Använd IV-räkning i sektorstorlek (ej i 512 byte)"
-
-#~ msgid "Set activation flags persistent for device"
-#~ msgstr "Sätt och spara undan aktiveringsflaggorna för enheten"
-
-#~ msgid "Set label for the LUKS2 device"
-#~ msgstr "Ange etikett för LUKS2-enhet"
-
-#~ msgid "Set subsystem label for the LUKS2 device"
-#~ msgstr "Ange undersystemsetikett för LUKS2-enheten"
-
-#~ msgid "Create or dump unbound (no assigned data segment) LUKS2 keyslot"
-#~ msgstr "Skapa eller skriv ut obunden (inget tilldelat datasegment) LUKS2-nyckelplats"
-
-#~ msgid "Read or write the json from or to a file"
-#~ msgstr "Läs eller skriv json från eller till en fil"
-
-#~ msgid "LUKS2 header metadata area size"
-#~ msgstr "Områdesstorlek för metadata på LUKS2-huvudet"
-
-#~ msgid "LUKS2 header keyslots area size"
-#~ msgstr "Storlek på nyckelplatsområdet för LUKS2-huvud"
-
-#~ msgid "Refresh (reactivate) device with new parameters"
-#~ msgstr "Uppdatera (återaktivera) enhet med nya parametrar"
-
-#~ msgid "LUKS2 keyslot: The size of the encryption key"
-#~ msgstr "LUKS2-nyckelplats: Storleken för krypteringsnyckeln"
-
-#~ msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
-#~ msgstr "LUKS2-nyckelplats: Chiffret används krypering av nyckelplats"
-
-#~ msgid "Encrypt LUKS2 device (in-place encryption)."
-#~ msgstr "Kryptera LUKS2-enheten permanent (direktkryptering)."
-
-#~ msgid "Decrypt LUKS2 device (remove encryption)."
-#~ msgstr "Dekryptera LUKS2-enheten (ta bort kryptering)"
-
-#~ msgid "Initialize LUKS2 reencryption in metadata only."
-#~ msgstr "Initiera LUKS2-omkryptering endast i metadata."
-
-#~ msgid "Resume initialized LUKS2 reencryption only."
-#~ msgstr "Återupptog endast initierad LUKS2-omkryptering."
-
-#~ msgid "Reduce data device size (move data offset). DANGEROUS!"
-#~ msgstr "Förminska dataenhetsstorleken (flytta dataoffset). FARLIGT!"
-
-#~ msgid "Maximal reencryption hotzone size."
-#~ msgstr "Maximal storlek på omkryptering av varm zon."
-
-#~ msgid "Reencryption hotzone resilience type (checksum,journal,none)"
-#~ msgstr "Återhämtningstyp för omkrypteringszon (checksumma,journal,ingen)"
-
-#~ msgid "Reencryption hotzone checksums hash"
-#~ msgstr "Hashkontrollsumma för omkryptering av varm zon"
-
-#~ msgid "Override device autodetection of dm device to be reencrypted"
-#~ msgstr "Överlagra automatisk identifiering av dm-enhet för omkryptering"
-
-#~ msgid "Option --deferred is allowed only for close command."
-#~ msgstr "Flaggan --deferred är endast tillåten för kommandot close."
-
-#~ msgid "Option --allow-discards is allowed only for open operation."
-#~ msgstr "Flaggan --allow-discards är endast tillåten för åtgärden open."
-
-#~ msgid "Option --persistent is allowed only for open operation."
-#~ msgstr "Flaggan --persistent är endast tillåten för åtgärden open."
-
-#~ msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation."
-#~ msgstr "Flaggan --allow-discards är endast tillåten för åtgärden open."
-
-#~ msgid ""
-#~ "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
-#~ "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
-#~ msgstr ""
-#~ "Flaggan --key-size är endast tillåten för åtgärderna luksFormat, luksAddKey,\n"
-#~ "open och benchmark. För att begränsa läsning från nyckelfil, använd --keyfile-size=(byte)."
-
-#~ msgid "Option --integrity is allowed only for luksFormat (LUKS2)."
-#~ msgstr "Flaggan --integrity är endast tillåten för luksFormat (LUKS2)."
-
-#~ msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations."
-#~ msgstr "Flaggorna --label och --subsystem är endast tillåtna för luksFormat och konfiguration av LUKS2-åtgärder."
-
-#~ msgid "Negative number for option not permitted."
-#~ msgstr "Negativt tal för flagga ej tillåtet."
-
-#~ msgid "Option --use-[u]random is allowed only for luksFormat."
-#~ msgstr "Flaggan --use-[u]random är endast tillåten för luksFormat."
-
-#~ msgid "Option --uuid is allowed only for luksFormat and luksUUID."
-#~ msgstr "Flaggan --uuid är endast tillåten för luksFormat och luksUUID."
-
-#~ msgid "Option --align-payload is allowed only for luksFormat."
-#~ msgstr "Flaggan --align-payload är endast tillåten för luksFormat."
-
-#~ msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
-#~ msgstr "Flaggorna --luks2-metadata-size och --opt-luks2-keyslots-size tillåts endast för luksFormat med LUKS2."
-
-#~ msgid "Invalid LUKS2 metadata size specification."
-#~ msgstr "Ogiltig storlekspecifikation för LUKS2-metadata på enhet."
-
-#~ msgid "Invalid LUKS2 keyslots size specification."
-#~ msgstr "Ogiltig storlekspecifikation för LUKS2-nyckelplats på enhet."
-
-#~ msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption."
-#~ msgstr "Flaggan --offset stöds endast för öppning av vanliga och loopaes-enheter, luksFormat och omkrypteringsenheter."
-
-#~ msgid "Invalid argument for parameter --veracrypt-pim supplied."
-#~ msgstr "Angav ett ogiltigt argument för parametern --veracrypt-pim."
-
-#~ msgid "Sector size option is not supported for this command."
-#~ msgstr "Flaggan för sektorstorlek stöds inte för detta kommando."
-
-#~ msgid "Option --unbound may be used only with luksAddKey and luksDump actions."
-#~ msgstr "Flaggan --unbound kan endast användas tillsammans med ätgärderna luksAddKey och luksDump."
-
-#~ msgid "Option --refresh may be used only with open action."
-#~ msgstr "Flaggan --refresh är endast tillåten för åtgärden open."
-
-#~ msgid "Invalid device size specification."
-#~ msgstr "Ogiltig storlekspecifikation på enhet."
-
-#~ msgid "Reduce size overflow."
-#~ msgstr "Minska storleksöverspill."
-
-#~ msgid "Do not use verity superblock"
-#~ msgstr "Använd inte verity superblock"
-
-#~ msgid "Format type (1 - normal, 0 - original Chrome OS)"
-#~ msgstr "Formattyp (1 - normal, 0 - ursprungliga Chrome OS)"
-
-#~ msgid "number"
-#~ msgstr "antal"
-
-#~ msgid "Block size on the data device"
-#~ msgstr "Blockstorlek på dataenheten"
-
-#~ msgid "Block size on the hash device"
-#~ msgstr "Blockstorlek på hashenheten"
-
-#~ msgid "FEC parity bytes"
-#~ msgstr "FEC paritetsbyte"
-
-#~ msgid "The number of blocks in the data file"
-#~ msgstr "Antalet block i datafilen"
-
-#~ msgid "blocks"
-#~ msgstr "block"
-
-#~ msgid "Path to device with error correction data"
-#~ msgstr "Sökväg till enhet med felkorrigeringsdata"
-
-#~ msgid "path"
-#~ msgstr "sökväg"
-
-#~ msgid "Starting offset on the hash device"
-#~ msgstr "Startoffset på hashenheten"
-
-#~ msgid "Starting offset on the FEC device"
-#~ msgstr "Startoffset på FEC-enheten"
-
-#~ msgid "Hash algorithm"
-#~ msgstr "Hashalgoritm"
-
-#~ msgid "string"
-#~ msgstr "sträng"
-
-#~ msgid "Salt"
-#~ msgstr "Salt"
-
-#~ msgid "hex string"
-#~ msgstr "hexsträng"
-
-#~ msgid "Path to root hash signature file"
-#~ msgstr "Sökväg till root-hashsignaturfilen"
-
-#~ msgid "Restart kernel if corruption is detected"
-#~ msgstr "Starta om kärna om något skadat identifieras"
-
-#~ msgid "Panic kernel if corruption is detected"
-#~ msgstr "Sätt kärnan i Panic-läge om korruption identifieras"
-
-#~ msgid "Ignore corruption, log it only"
-#~ msgstr "Ignorera om något är skadat, logga endast"
-
-#~ msgid "Do not verify zeroed blocks"
-#~ msgstr "Verifiera inte nollställda block"
-
-#~ msgid "Verify data block only the first time it is read"
-#~ msgstr "Verifiera datablock endast första gången det läses in"
-
-#~ msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation."
-#~ msgstr "Flaggorna --ignore-corruption, --restart-on-corruption eller --ignore-zero-blocks är endast tillåtna för åtgärden open."
-
-#~ msgid "Option --root-hash-signature can be used only for open operation."
-#~ msgstr "Flaggan --root-hash-signature kan användas endast för åtgärden open."
-
-#~ msgid "Path to data device (if separated)"
-#~ msgstr "Sökvägen till dataenhet (om separat)"
-
-#~ msgid "Journal size"
-#~ msgstr "Journalstorlek"
-
-#~ msgid "Interleave sectors"
-#~ msgstr "Infoga sektorer"
-
-#~ msgid "Journal watermark"
-#~ msgstr "Journalvattenmärke"
-
-#~ msgid "percent"
-#~ msgstr "procent"
-
-#~ msgid "Journal commit time"
-#~ msgstr "Journalincheckningstid"
-
-#~ msgid "ms"
-#~ msgstr "ms"
-
-#~ msgid "Number of 512-byte sectors per bit (bitmap mode)."
-#~ msgstr "Antal 512-byte sektorer per bit (bitmap-läge)."
-
-#~ msgid "Bitmap mode flush time"
-#~ msgstr "Renstid för bitmap-läge"
-
-#~ msgid "Tag size (per-sector)"
-#~ msgstr "Taggstorlek (per sektor)"
-
-#~ msgid "Sector size"
-#~ msgstr "Sektorstorlek"
-
-#~ msgid "Buffers size"
-#~ msgstr "Bufferstorlek"
-
-#~ msgid "Data integrity algorithm"
-#~ msgstr "Dataintegritetsalgoritm"
-
-#~ msgid "The size of the data integrity key"
-#~ msgstr "Storleken för dataintegritetsnyckeln"
-
-#~ msgid "Read the integrity key from a file"
-#~ msgstr "Läs integritetsnyckeln från en fil"
-
-#~ msgid "Journal integrity algorithm"
-#~ msgstr "Integritetsalgoritm för journal"
-
-#~ msgid "The size of the journal integrity key"
-#~ msgstr "Storleken för journalens integritetssnyckel"
-
-#~ msgid "Read the journal integrity key from a file"
-#~ msgstr "Läs journalens integritetsnyckel från en fil"
-
-#~ msgid "Journal encryption algorithm"
-#~ msgstr "Krypteringsalgoritm för journal"
-
-#~ msgid "The size of the journal encryption key"
-#~ msgstr "Storleken för journalens krypteringsnyckel"
-
-#~ msgid "Read the journal encryption key from a file"
-#~ msgstr "Läs journalens krypteringsnyckel från en fil"
-
-#~ msgid "Recovery mode (no journal, no tag checking)"
-#~ msgstr "Återhämtningsläge (ingen journal, ingen taggkontroll)"
-
-#~ msgid "Use bitmap to track changes and disable journal for integrity device"
-#~ msgstr "Använd bitmap för att spåra ändringar och inaktivera journal för integritetsenhet"
-
-#~ msgid "Recalculate initial tags automatically."
-#~ msgstr "Räkna automatiskt initiala taggar."
-
-#~ msgid "Do not protect superblock with HMAC (old kernels)"
-#~ msgstr "Skydda inte superblock md HMAC (gamla kärnor)"
-
-#~ msgid "Allow recalculating of volumes with HMAC keys (old kernels)"
-#~ msgstr "Tillåt recalculating (omräkning) av volymer med HMAC-nycklar (äldre kärnor)"
-
-#~ msgid "Option --integrity-recalculate can be used only for open action."
-#~ msgstr "Flaggan --integrity-recalculate kan användas endast för öppen åtgärd."
-
-#~ msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action."
-#~ msgstr "Flaggorna --journal-size, --interleave-sectors, --sector-size, --tag-size och --no-wipe kan endast användas för åtgärden formatera."
-
-#~ msgid "Invalid journal size specification."
-#~ msgstr "Ogiltig storlekspecifikation på journal."
-
-#~ msgid "Reencryption block size"
-#~ msgstr "Blockstorlek för omkryptering"
-
-#~ msgid "MiB"
-#~ msgstr "MiB"
-
-#~ msgid "Do not change key, no data area reencryption"
-#~ msgstr "Ändra inte nyckel, ingen omkryptering av dataområde"
-
-#~ msgid "Read new volume (master) key from file"
-#~ msgstr "Läs volymnyckeln (master) från fil"
-
-#~ msgid "PBKDF2 iteration time for LUKS (in ms)"
-#~ msgstr "PBKDF2-iterationstid för LUKS (i ms)"
-
-#~ msgid "Use direct-io when accessing devices"
-#~ msgstr "Använd direct-io vid enhetsåtkomst"
-
-#~ msgid "Use fsync after each block"
-#~ msgstr "Använd fsync efter varje block"
-
-#~ msgid "Update log file after every block"
-#~ msgstr "Uppdatera loggfilen efter varje block"
-
-#~ msgid "Use only this slot (others will be disabled)"
-#~ msgstr "Använd endast denna plats (andra kommer att inaktiveras)"
-
-#~ msgid "Create new header on not encrypted device"
-#~ msgstr "Skapa nytt huvud på icke-krypterad enhet"
-
-#~ msgid "Permanently decrypt device (remove encryption)"
-#~ msgstr "Avkoda enheten permanent (ta bort kryptering)"
-
-#~ msgid "The UUID used to resume decryption"
-#~ msgstr "Det UUID som används för att återuppta kryptering"
-
-#~ msgid "Type of LUKS metadata: luks1, luks2"
-#~ msgstr "Typ av LUKS-metadata: luks1, luks2"
-
-#~ msgid "WARNING: Locking directory %s/%s is missing!\n"
-#~ msgstr "VARNING:Låskatalog %s/%s saknas!\n"
-
-#~ msgid "Invalid size parameters for verity device."
-#~ msgstr "Ogiltig storlek på parametrar för verity-enhet."
-
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "Integritetsalgoritm måste specificieras om integritetsnyckel används."
-
-#~ msgid "Wrong key size."
-#~ msgstr "Fel nyckelstorlek."
-
-#~ msgid "Requested dmcrypt performance options are not supported."
-#~ msgstr "Begärda flaggor för dmcrypt-prestanda stöds inte."
-
-#~ msgid "Cannot format device %s which is still in use."
-#~ msgstr "Det går inte att formatera enheten %s då den används."
-
-#~ msgid "Key slot %d is not used."
-#~ msgstr "Nyckelplats %d används inte."
-
-#~ msgid "Function not available in FIPS mode."
-#~ msgstr "Funktionen är inte tillgänglig i FIPS-läge."
-
-#~ msgid "Key slot %d selected for deletion."
-#~ msgstr "Nyckelplats %d markerad för borttagning."
-
-#~ msgid "open device as mapping <name>"
-#~ msgstr "öppna enhet som mappning <namn>"
-
-#, fuzzy
-#~ msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
-#~ msgstr "Flaggan --refresh är endast tillåten för kommandona open eller refresh."
-
-#~ msgid "Unsupported encryption sector size.\n"
-#~ msgstr "Stöder inte sektorstorlek för kryptering.\n"
-
-#~ msgid "close device (deactivate and remove mapping)"
-#~ msgstr "stäng enhet (inaktivera och ta bort mappning)"
-
-#~ msgid "Failed to set PBKDF parameters."
-#~ msgstr "Misslyckades med att sätta PBKDF-parametrar."
-
-#~ msgid "Cannot seek to device offset.\n"
-#~ msgstr "Kan inte söka till enhetsoffset.\n"
-
-#~ msgid "Interrupted by a signal."
-#~ msgstr "Avbruten av en signal."
-
-#~ msgid "Replaced with key slot %d.\n"
-#~ msgstr "Ersätt med nyckelplats %d.\n"
-
-#~ msgid "Device %s is too small. (LUKS2 requires at least %<PRIu64> bytes.)\n"
-#~ msgstr "Enhet %s är för liten. (LUKS2 kräver minst  %<PRIu64> bytes.)\n"
-
-#~ msgid "memory allocation error in action_luksFormat"
-#~ msgstr "minnesallokeringsfel i action_luksFormat"
-
-#~ msgid "Missing LUKS target type, option --type is required.\n"
-#~ msgstr "Saknar måltyp för LUKS, flaggan -type krävs.\n"
-
-#~ msgid "Missing --token option specifying token for removal.\n"
-#~ msgstr ""
-#~ "Saknad flagga --token för att ange token att ta bort.\n"
-#~ " \n"
-
-#~ msgid "Add or remove keyring token"
-#~ msgstr "Lägg till eller ta bort token för nyckelring"
-
-#~ msgid "Activated keyslot %i.\n"
-#~ msgstr "Aktiverade nyckelplats %i.\n"
-
-#~ msgid "Using default pbkdf parameters for new LUKS2 header.\n"
-#~ msgstr "Använder pbkdf-standardparametrar för nya LUKS2-huvuden.\n"
-
-#~ msgid "Too many tree levels for verity volume.\n"
-#~ msgstr "För många trädnivåer för verity-volym.\n"
-
-#~ msgid "Key %d not active. Can't wipe.\n"
-#~ msgstr "Nyckel %d är inte aktiv. Kan inte rensa.\n"
-
-#~ msgid "<name> <data_device> <hash_device> <root_hash>"
-#~ msgstr "<namn> <dataenhet> <hashenhet> <rothash>"
-
-#~ msgid "create active device"
-#~ msgstr "skapa aktiv enhet"
-
-#~ msgid "remove (deactivate) device"
-#~ msgstr "ta bort (inaktivera) enhet"
-
-#~ msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
-#~ msgstr "Förlopp: %5.1f%%, ETA %02llu:%02llu, %4llu MiB skrivna, hastighet %5.1f MiB/s%s"
-
-#~ msgid "Cannot find a free loopback device.\n"
-#~ msgstr "Kan inte hitta en ledig loopback-enhet.\n"
-
-#~ msgid "Cannot open device %s\n"
-#~ msgstr "Kan inte öppna enheten %s\n"
-
-#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
-#~ msgstr "Kan inte använda insänt UUID om inte dekryptering pågår.\n"
-
-#~ msgid "Enter LUKS passphrase: "
-#~ msgstr "Ange LUKS-lösenfras: "
-
-#~ msgid "Warning: exhausting read requested, but key file %s is not a regular file, function might never return.\n"
-#~ msgstr "Varning: utförlig läsning begärd men nyckelfilen %s är inte en vanlig fil, funktionen kanske aldrig avslutas.\n"
-
-#~ msgid "exclusive "
-#~ msgstr "exklusiv"
-
-#~ msgid "read-only"
-#~ msgstr "skrivskyddad"
-
-#~ msgid "Cannot open device: %s\n"
-#~ msgstr "Kan inte öppna enheten: %s\n"
-
-#~ msgid "BLKROGET failed on device %s.\n"
-#~ msgstr "BLKROGET misslyckades på enheten %s.\n"
-
-#~ msgid "BLKGETSIZE failed on device %s.\n"
-#~ msgstr "BLKGETSIZE misslyckades på enheten %s.\n"
-
-#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
-#~ msgstr "VARNING!!! Potentiellt osäkert minne. Är du root?\n"
-
-#~ msgid "Unable to obtain sector size for %s"
-#~ msgstr "Kunde inte läsa av sektorstorlek för %s"
-
-#~ msgid "Backup file %s doesn't exist.\n"
-#~ msgstr "Säkerhetskopian %s finns inte.\n"
-
-#~ msgid "remove LUKS mapping"
-#~ msgstr "ta bort LUKS-mappning"
-
-#~ msgid "identical to luksKillSlot - DEPRECATED - see man page"
-#~ msgstr "identisk med luksKillSlot - FÖRÅLDRAD - se manualsida"
-
-#~ msgid "modify active device - DEPRECATED - see man page"
-#~ msgstr "ändra aktiv enhet - FÖRÅLDRAD - se manualsida"
-
-#~ msgid ""
-#~ "The reload action is deprecated. Please use \"dmsetup reload\" in case you really need this functionality.\n"
-#~ "WARNING: do not use reload to touch LUKS devices. If that is the case, hit Ctrl-C now.\n"
-#~ msgstr ""
-#~ "Omläsningsåtgärden är föråldrad. Använd ”dmsetup reload” om du verkligen behöver denna funktion.\n"
-#~ "VARNING: använd inte omläsning för ”touch” på LUKS-enheter. Om så är fallet, tryck Ctrl-C nu.\n"
-
-#~ msgid "Obsolete option --non-exclusive is ignored.\n"
-#~ msgstr "Föråldrad flagga --non-exclusive ignoreras.\n"
-
-#~ msgid "Read the key from a file (can be /dev/random)"
-#~ msgstr "Läs nyckeln från en fil (kan vara /dev/random)"
-
-#~ msgid "(Obsoleted, see man page.)"
-#~ msgstr "(Föråldrad, se manualsida)"
diff --git a/po/uk.po b/po/uk.po
index 4a5c4fa..66918f7 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -2,13 +2,13 @@
 # Copyright (C) 2012 Free Software Foundation, Inc.
 # This file is put in the public domain.
 #
-# Yuri Chornoivan <yurchor@ukr.net>, 2012-2023, 2024.
+# Yuri Chornoivan <yurchor@ukr.net>, 2012-2023, 2024, 2025.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
+"Project-Id-Version: cryptsetup 2.8.2-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2024-06-06 22:11+0200\n"
-"PO-Revision-Date: 2024-06-07 21:22+0300\n"
+"POT-Creation-Date: 2025-12-12 18:51+0100\n"
+"PO-Revision-Date: 2025-12-13 14:52+0200\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n"
 "Language: uk\n"
@@ -19,70 +19,78 @@ msgstr ""
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Generator: Lokalize 23.04.3\n"
 
-#: lib/libdevmapper.c:406
+#: lib/libdevmapper.c:419
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Не можна ініціалізувати device-mapper, якщо програму запущено не від імені адміністратора (root)."
 
-#: lib/libdevmapper.c:409
+#: lib/libdevmapper.c:422
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Не вдалося ініціалізувати device-mapper. Чи завантажено модуль ядра dm_mod?"
 
-#: lib/libdevmapper.c:1090
+#: lib/libdevmapper.c:1125
 msgid "Requested deferred flag is not supported."
 msgstr "Підтримки бажаного прапорця відкладення, %s, не передбачено."
 
-#: lib/libdevmapper.c:1159
+#: lib/libdevmapper.c:1194
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID для пристрою %s було обрізано."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1598
 msgid "Unknown dm target type."
 msgstr "Невідомий тип призначення dm."
 
-#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
-#: lib/libdevmapper.c:1728
+#: lib/libdevmapper.c:1725 lib/libdevmapper.c:1731 lib/libdevmapper.c:1850
+#: lib/libdevmapper.c:1853
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Підтримки вказаних параметрів швидкодії dm-crypt не передбачено."
 
-#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
+#: lib/libdevmapper.c:1740 lib/libdevmapper.c:1746 lib/libdevmapper.c:1758
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Підтримки вказаних параметрів обробки пошкоджених даних за допомогою dm-verity не передбачено."
 
-#: lib/libdevmapper.c:1637
+#: lib/libdevmapper.c:1752
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "Підтримки вказаного параметра завдань dm-verity не передбачено."
 
-#: lib/libdevmapper.c:1649
+#: lib/libdevmapper.c:1764
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Підтримки вказаних параметрів FEC за допомогою dm-verity не передбачено."
 
-#: lib/libdevmapper.c:1655
+#: lib/libdevmapper.c:1770
 msgid "Requested data integrity options are not supported."
 msgstr "Підтримки вказаних параметрів цілісності даних не передбачено."
 
-#: lib/libdevmapper.c:1659
+#: lib/libdevmapper.c:1774
 msgid "Requested sector_size option is not supported."
 msgstr "Підтримки вказаного параметра sector_size не передбачено."
 
-#: lib/libdevmapper.c:1664
+#: lib/libdevmapper.c:1779
 msgid "The device size is not multiple of the requested sector size."
 msgstr "Розмір пристрою не є кратним до розміру сектора у запиті."
 
-#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
+#: lib/libdevmapper.c:1783
+msgid "Requested integrity_key_size option is not supported."
+msgstr "Підтримки вказаного параметра integrity_key_size не передбачено."
+
+#: lib/libdevmapper.c:1790 lib/libdevmapper.c:1796
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Підтримки потрібного вам автоматичного повторного обчислення міток цілісності не передбачено."
 
-#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
-#: lib/luks2/luks2_json_metadata.c:2741
+#: lib/libdevmapper.c:1802 lib/libdevmapper.c:1856 lib/libdevmapper.c:1859
+#: lib/luks2/luks2_json_metadata.c:2781
 msgid "Discard/TRIM is not supported."
 msgstr "Підтримки відкидання або обрізання не передбачено."
 
-#: lib/libdevmapper.c:1689
+#: lib/libdevmapper.c:1808
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Підтримки вказаного режиму бітової карти цілісності dm не передбачено."
 
-#: lib/libdevmapper.c:2725
+#: lib/libdevmapper.c:1814
+msgid "Requested dm-integrity inline mode is not supported."
+msgstr "Підтримки вбудованого режиму dm-integrity не передбачено."
+
+#: lib/libdevmapper.c:2870
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Не вдалося опитати сегмент dm-%s."
@@ -116,747 +124,777 @@ msgstr "Надійшов запит щодо невідомої якості п
 msgid "Error reading from RNG."
 msgstr "Помилка читання з генератора псевдовипадкових чисел."
 
-#: lib/setup.c:249
+#: lib/setup.c:248
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "Підтримку OPAL у libcryptsetup вимкнено."
 
-#: lib/setup.c:251
+#: lib/setup.c:250
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "Для пристрою %s або ядра не передбачено підтримки шифрування OPAL."
 
-#: lib/setup.c:267
+#: lib/setup.c:266
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Не вдалося ініціалізувати допоміжну програму шифрування генератора псевдовипадкових чисел."
 
-#: lib/setup.c:273
+#: lib/setup.c:272
 msgid "Cannot initialize crypto backend."
 msgstr "Не вдалося ініціалізувати допоміжну програму шифрування."
 
-#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
+#: lib/setup.c:305 lib/setup.c:2766 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Підтримки алгоритму хешування %s не передбачено."
 
-#: lib/setup.c:308 lib/loopaes/loopaes.c:77
+#: lib/setup.c:308 lib/loopaes/loopaes.c:78
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Помилка під час обробки ключа (на основі хешу %s)."
 
-#: lib/setup.c:379 lib/setup.c:416
+#: lib/setup.c:389 lib/setup.c:426
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Не вдалося визначити тип пристрою. Несумісна дія з активації пристрою?"
 
-#: lib/setup.c:385 lib/setup.c:3981
+#: lib/setup.c:395 lib/setup.c:4160
 msgid "This operation is supported only for LUKS device."
 msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS."
 
-#: lib/setup.c:422
+#: lib/setup.c:432
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS2."
 
-#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
+#: lib/setup.c:489 lib/luks2/luks2_reencrypt.c:3101
 msgid "All key slots full."
 msgstr "Заповнено всі слоти ключів."
 
-#: lib/setup.c:490
+#: lib/setup.c:500
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Слот ключа %d є некоректним, будь ласка, виберіть число від 0 до %d."
 
-#: lib/setup.c:496
+#: lib/setup.c:506
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Слот ключа %d заповнено, будь ласка, виберіть інший."
 
-#: lib/setup.c:607 lib/setup.c:3681
+#: lib/setup.c:531 lib/setup.c:3875
 msgid "Device size is not aligned to device logical block size."
 msgstr "Розмір пристрою не вирівняно за розміром логічного блоку пристрою."
 
-#: lib/setup.c:705
+#: lib/setup.c:628
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Виявлено заголовок, але об’єм пристрою %s є надто малим."
 
-#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
-#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
+#: lib/setup.c:669 lib/setup.c:3760 lib/setup.c:5227
+#: lib/luks2/luks2_reencrypt.c:3945 lib/luks2/luks2_reencrypt.c:4434
 msgid "This operation is not supported for this device type."
 msgstr "Підтримки цієї дії для цього типу пристроїв не передбачено."
 
-#: lib/setup.c:751
+#: lib/setup.c:674
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Виконуємо заборонену дію із повторного шифрування."
 
-#: lib/setup.c:883
+#: lib/setup.c:806
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr "Не вдалося відкотити метадані LUKS2 у пам'яті."
 
-#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
-#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
-#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
-#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
-#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
-#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
+#: lib/setup.c:893 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1365 src/cryptsetup.c:1782
+#: src/cryptsetup.c:1966 src/cryptsetup.c:2021 src/cryptsetup.c:2219
+#: src/cryptsetup.c:2364 src/cryptsetup.c:2642 src/cryptsetup.c:2955
+#: src/cryptsetup.c:3023 src/utils_reencrypt.c:2281
+#: src/utils_reencrypt_luks1.c:1137 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Пристрій %s не є коректним пристроєм LUKS."
 
-#: lib/setup.c:973 lib/luks1/keymanage.c:517
+#: lib/setup.c:896 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Непідтримувана версія LUKS, %d."
 
-#: lib/setup.c:1346
+#: lib/setup.c:1270
 #, c-format
 msgid "No known cipher specification pattern detected for active device %s."
 msgstr "Не виявлено жодного відомого зразка специфікації шифрування для активного пристрою %s."
 
-#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
-#: lib/setup.c:3590 lib/setup.c:6004
+#: lib/setup.c:1515 lib/setup.c:3507 lib/setup.c:3599 lib/setup.c:3611
+#: lib/setup.c:3783 lib/setup.c:5805
 #, c-format
 msgid "Device %s is not active."
 msgstr "Пристрій %s є неактивним."
 
-#: lib/setup.c:1609
+#: lib/setup.c:1532
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Зник основний пристрій для пристрою для шифрування %s."
 
-#: lib/setup.c:1691
+#: lib/setup.c:1614
 msgid "Invalid plain crypt parameters."
 msgstr "Некоректні параметри звичайного шифрування."
 
-#: lib/setup.c:1696 lib/setup.c:2689
+#: lib/setup.c:1619 lib/setup.c:2669
 msgid "Invalid key size."
 msgstr "Некоректний розмір ключа."
 
-#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
+#: lib/setup.c:1624 lib/setup.c:2674 lib/setup.c:2879
 msgid "UUID is not supported for this crypt type."
 msgstr "Підтримки UUID для цього типу шифрування не передбачено."
 
-#: lib/setup.c:1706 lib/setup.c:2699
+#: lib/setup.c:1629 lib/setup.c:2679
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Підтримки пристрою від'єднаних метаданих для цього типу шифрування не передбачено."
 
-#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
-#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
+#: lib/setup.c:1639 lib/setup.c:1887 lib/luks2/luks2_reencrypt.c:3034
+#: src/cryptsetup.c:1494 src/cryptsetup.c:3762
 msgid "Unsupported encryption sector size."
 msgstr "Непідтримуваний розмір сектора шифрування."
 
-#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
+#: lib/setup.c:1647 lib/setup.c:1916 lib/setup.c:3869
 msgid "Device size is not aligned to requested sector size."
 msgstr "Розмір пристрою не вирівняно за вказаним розміром сектора."
 
-#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
+#: lib/setup.c:1699 lib/setup.c:1951 lib/setup.c:2328
 msgid "Can't format LUKS without device."
 msgstr "Форматування LUKS без пристрою неможливе."
 
-#: lib/setup.c:1781 lib/setup.c:2024
+#: lib/setup.c:1704 lib/setup.c:1956
 #, c-format
 msgid "Zoned device %s cannot be used for LUKS header."
 msgstr "Зонований пристрій %s не можна використовувати для заголовка LUKS."
 
-#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
+#: lib/setup.c:1711 lib/setup.c:1963 lib/setup.c:2334
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Потрібне вам вирівнювання даних є несумісним із відступом у даних."
 
-#: lib/setup.c:1828 lib/setup.c:2049
+#: lib/setup.c:1751 lib/setup.c:1981
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
 msgstr "УВАГА: пристрій DAX може пошкодити дані, оскільки для нього не гарантовано атомарні оновлення секторів.\n"
 
-#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
-#: lib/setup.c:2596 lib/setup.c:2909
+#: lib/setup.c:1789 lib/setup.c:2088 lib/setup.c:2109 lib/setup.c:2517
+#: lib/setup.c:2564 lib/setup.c:2896
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Не можна витирати заголовок на пристрої %s."
 
-#: lib/setup.c:1879 lib/setup.c:2204
+#: lib/setup.c:1802 lib/setup.c:2161
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
 msgstr "Пристрій %s є надто малим для активації, на ньому не лишиться місця для даних.\n"
 
-#: lib/setup.c:1919
+#: lib/setup.c:1843
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Ключ тому є надто малим для шифрування із розширеннями цілісності."
 
-#: lib/setup.c:1928
+#: lib/setup.c:1847
+msgid "Integrity key size is too small."
+msgstr "Розмір ключа цілісності є надто малим."
+
+#: lib/setup.c:1856
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Шифрування  %s-%s (розмір ключа — %zd бітів) є недоступним."
 
-#: lib/setup.c:1967
+#: lib/setup.c:1897
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "Увага: спроба активувати пристрій завершиться невдало, у dm-crypt не передбачено підтримки для вказаного розміру сектора шифрування.\n"
 
-#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
-#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
-#: lib/luks2/luks2_reencrypt.c:4367
+#: lib/setup.c:2091 lib/setup.c:2458 lib/setup.c:2520 lib/utils_device.c:896
+#: lib/luks1/keyencryption.c:245 lib/luks2/luks2_reencrypt.c:3073
+#: lib/luks2/luks2_reencrypt.c:4494
 #, c-format
 msgid "Device %s is too small."
 msgstr "Об’єм пристрою %s є надто малим."
 
-#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
+#: lib/setup.c:2102 lib/setup.c:2141 lib/setup.c:2557 lib/setup.c:2615
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Не можна форматувати пристрій %s, який перебуває у користуванні."
 
-#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
+#: lib/setup.c:2105 lib/setup.c:2144 lib/setup.c:2560 lib/setup.c:2618
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Не можна форматувати пристрій %s, недостатні права доступу."
 
-#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#: lib/setup.c:2129 lib/setup.c:2587 lib/setup.c:2969
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Не вдалося форматувати цілісність для пристрою %s."
 
-#: lib/setup.c:2191 lib/setup.c:2646
+#: lib/setup.c:2148 lib/setup.c:2626
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Не вдалося форматувати пристрій %s."
 
-#: lib/setup.c:2234
+#: lib/setup.c:2191
 msgid "Cannot get OPAL alignment parameters."
 msgstr "Не вдалося отримати параметри вирівнювання OPAL."
 
-#: lib/setup.c:2246
+#: lib/setup.c:2203
 msgid "Bogus OPAL logical block size."
 msgstr "Фіктивний розмір логічного блоку OPAL."
 
-#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+#: lib/setup.c:2208 lib/luks2/hw_opal/hw_opal.c:305
 msgid "Bogus OPAL logical block size differs from device block size."
 msgstr "Фіктивний розмір логічного блоку OPAL відрізняється від розміру блоку пристрою."
 
-#: lib/setup.c:2257
+#: lib/setup.c:2214
 msgid "Requested data offset is not compatible with OPAL block size."
 msgstr "Потрібний вам відступ даних є несумісним із розміром блоку OPAL."
 
-#: lib/setup.c:2264
+#: lib/setup.c:2221
 msgid "Requested data alignment is not compatible with OPAL alignment."
 msgstr "Потрібне вам вирівнювання даних є несумісним із вирівнюванням OPAL."
 
-#: lib/setup.c:2284
+#: lib/setup.c:2241
 msgid "Data offset does not satisfy OPAL alignment requirements."
 msgstr "Відступ даних не відповідає вимогам вирівнювання OPAL."
 
-#: lib/setup.c:2297
+#: lib/setup.c:2254
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
 msgstr "Потрібне вам вирівнювання даних не відповідає вимогам щодо вирівнювання заблокованого діапазону."
 
-#: lib/setup.c:2502
+#: lib/setup.c:2468
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
 msgstr "Компенсуємо розмір пристрою на %<PRIu64> секторів для вирівнювання його за рівнем розбиття вирівнювання OPAL."
 
-#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
-#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#: lib/setup.c:2528 lib/setup.c:4243 lib/setup.c:4432 lib/utils_wipe.c:356
+#: lib/luks2/luks2_json_metadata.c:2724 lib/luks2/luks2_json_metadata.c:2992
 #, c-format
 msgid "Failed to acquire OPAL lock on device %s."
 msgstr "Не вдалося отримати блокування OPAL на пристрої %s."
 
-#: lib/setup.c:2570
+#: lib/setup.c:2538
 msgid "Incorrect OPAL Admin key."
 msgstr "Неправильний адміністративний ключ OPAL."
 
-#: lib/setup.c:2572
+#: lib/setup.c:2540
 msgid "Cannot setup OPAL segment."
 msgstr "Не вдалося налаштувати сегмент OPAL."
 
-#: lib/setup.c:2642
+#: lib/setup.c:2622
 #, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
 msgstr "Не вдалося форматувати пристрій %s, здається, пристрій OPAL тепер повністю захищено від запису."
 
-#: lib/setup.c:2644
+#: lib/setup.c:2624
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
 msgstr "Можливо, це вада у мікропрограмі. Виконайте скидання PSID OPAL і повторно з'єднайте пристрій для відновлення."
 
-#: lib/setup.c:2664
+#: lib/setup.c:2644
 #, c-format
 msgid "Locking range %d reset on device %s failed."
 msgstr "Помилка під час спроби скидання діапазону блокування %d на пристрої %s."
 
-#: lib/setup.c:2684
+#: lib/setup.c:2664
 msgid "Can't format LOOPAES without device."
 msgstr "Не можна форматувати LOOPAES без пристрою."
 
-#: lib/setup.c:2729
+#: lib/setup.c:2709
 msgid "Can't format VERITY without device."
 msgstr "Форматування VERITY без пристрою неможливе."
 
-#: lib/setup.c:2740 lib/verity/verity.c:88
+#: lib/setup.c:2720 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Непідтримуваний тип хешування VERITY, %d."
 
-#: lib/setup.c:2746 lib/verity/verity.c:96
+#: lib/setup.c:2726 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "Непідтримуваний розмір блоку VERITY."
 
-#: lib/setup.c:2751 lib/verity/verity.c:61
+#: lib/setup.c:2731 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "Непідтримуваний відступ хешу VERITY."
 
-#: lib/setup.c:2756
+#: lib/setup.c:2736
 msgid "Unsupported VERITY FEC offset."
 msgstr "Непідтримуваний зсув FEC VERITY."
 
-#: lib/setup.c:2780
+#: lib/setup.c:2760
 msgid "Data area overlaps with hash area."
 msgstr "Область даних перекривається із областю хешу."
 
-#: lib/setup.c:2805
+#: lib/setup.c:2785
 msgid "Hash area overlaps with FEC area."
 msgstr "Область хешування перекриваються з областю FEC."
 
-#: lib/setup.c:2812
+#: lib/setup.c:2792
 msgid "Data area overlaps with FEC area."
 msgstr "Область даних перекривається із областю FEC."
 
-#: lib/setup.c:2948
+#: lib/setup.c:2884
+msgid "Integrity key size mismatch."
+msgstr "Невідповідність розмірів ключів цілісності."
+
+#: lib/setup.c:2935
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
 msgstr "Увага: бажаний розмір мітки у %d байтів відрізняється від розміру у результаті %s (%d байтів).\n"
 
-#: lib/setup.c:3027
+#: lib/setup.c:3048 lib/setup.c:3150
 #, c-format
-msgid "Unknown crypt device type %s requested."
-msgstr "Надіслано запит щодо невідомого типу пристрою шифрування, %s."
+msgid "Unknown or unsupported device type %s requested."
+msgstr "Надіслано запит щодо невідомого або непідтримуваного типу пристрою %s."
 
-#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#: lib/setup.c:3064
+#, c-format
+msgid "Device %s does not provide inline integrity data fields."
+msgstr "На пристрої %s не надається вбудованих полів даних цілісності."
+
+#: lib/setup.c:3070
+#, c-format
+msgid "Inline tag size %<PRIu32> [bytes] is larger than %<PRIu32> provided by device %s."
+msgstr "Розмір вбудованої мітки %<PRIu32> [байтів] перевищує %<PRIu32>, який надано пристроєм %s."
+
+#: lib/setup.c:3085
+#, c-format
+msgid "Sector must be the same as device hardware sector (%zu bytes)."
+msgstr "Сектор має збігатися із апаратним сектором пристрою (%zu байтів)."
+
+#: lib/setup.c:3515 lib/setup.c:3604 lib/setup.c:3617
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Непідтримувані параметри на пристрої %s."
 
-#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
-#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#: lib/setup.c:3521 lib/setup.c:3624 lib/luks2/luks2_reencrypt.c:2928
+#: lib/luks2/luks2_reencrypt.c:3197 lib/luks2/luks2_reencrypt.c:3591
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Невідповідність параметрів на пристрої %s."
 
-#: lib/setup.c:3457
+#: lib/setup.c:3647
 msgid "Crypt devices mismatch."
 msgstr "Невідповідність пристроїв шифрування."
 
-#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
-#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
+#: lib/setup.c:3679 lib/setup.c:3684 lib/luks2/luks2_reencrypt.c:2412
+#: lib/luks2/luks2_reencrypt.c:2944 lib/luks2/luks2_reencrypt.c:4233
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Не вдалося перезавантажити пристрій %s."
 
-#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
-#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#: lib/setup.c:3690 lib/setup.c:3696 lib/luks2/luks2_reencrypt.c:2382
+#: lib/luks2/luks2_reencrypt.c:2389 lib/luks2/luks2_reencrypt.c:2958
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Не вдалося приспати пристрій %s."
 
-#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
-#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
-#: lib/luks2/luks2_reencrypt.c:4115
+#: lib/setup.c:3702 lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2979 lib/luks2/luks2_reencrypt.c:4146
+#: lib/luks2/luks2_reencrypt.c:4237
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Не вдалося відновити роботу пристрою %s."
 
-#: lib/setup.c:3532
+#: lib/setup.c:3717
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Критична помилка під час перезавантаження пристрої %s (над пристроєм %s)."
 
-#: lib/setup.c:3535 lib/setup.c:3537
+#: lib/setup.c:3720 lib/setup.c:3722
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Не вдалося перемкнути пристрій %s у режим dm-error."
 
-#: lib/setup.c:3577
+#: lib/setup.c:3765
 msgid "Can not resize LUKS2 device with static size."
 msgstr "Неможливо змінити розмір пристрою LUKS2 зі статичним розміром."
 
-#: lib/setup.c:3622
+#: lib/setup.c:3770
+msgid "Resize of LUKS2 device with integrity protection is not supported."
+msgstr "Підтримки зміни розмірів пристрою LUKS2 із захистом цілісності не передбачено."
+
+#: lib/setup.c:3816
 msgid "Cannot resize loop device."
 msgstr "Неможливо змінити розмір петльового пристрою."
 
-#: lib/setup.c:3666
+#: lib/setup.c:3860
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
 msgstr "УВАГА: уже вказано максимальний розмір або у ядрі не передбачено можливості зміни розміру.\n"
 
-#: lib/setup.c:3732
+#: lib/setup.c:3926
 msgid "Resize failed, the kernel doesn't support it."
 msgstr "Не вдалося змінити розмір, у ядрі не передбачено підтримки такої дії."
 
-#: lib/setup.c:3764
+#: lib/setup.c:3958
 msgid "Do you really want to change UUID of device?"
 msgstr "Ви справді хочете змінити UUID пристрою?"
 
-#: lib/setup.c:3856
+#: lib/setup.c:4050
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Файл резервної копії заголовка не містить сумісного із LUKS заголовка."
 
-#: lib/setup.c:3966
+#: lib/setup.c:4143
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Том %s не є активним."
 
-#: lib/setup.c:4032
+#: lib/setup.c:4198
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Том %s вже приспано."
 
-#: lib/setup.c:4060
+#: lib/setup.c:4224
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Підтримки присипляння для пристрою %s не передбачено."
 
-#: lib/setup.c:4062 lib/setup.c:4070
+#: lib/setup.c:4226 lib/setup.c:4234
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Помилка під час спроби приспати пристрій %s."
 
-#: lib/setup.c:4084
+#: lib/setup.c:4249
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
 msgstr "Роботу пристрою %s було призупинено, але апаратний пристрій OPAL не може бути заблоковано."
 
-#: lib/setup.c:4116 lib/setup.c:4288
+#: lib/setup.c:4280 lib/setup.c:4457
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Підтримки дії з пробудження для пристрою %s не передбачено."
 
-#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
+#: lib/setup.c:4282 lib/setup.c:4447 lib/setup.c:4459
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Помилка під час спроби пробудити пристрій %s."
 
-#: lib/setup.c:4137
+#: lib/setup.c:4301
 msgid "Failed to unlink volume key from user specified keyring."
 msgstr "Не вдалося скасувати прив'язку ключа тому до вказаного користувачем сховища ключів."
 
-#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
+#: lib/setup.c:4423 lib/setup.c:5592
 msgid "Failed to link volume key in user defined keyring."
 msgstr "Не вдалося пов'язати ключ тому із визначеним користувачем сховищем ключів."
 
-#: lib/setup.c:4353 src/cryptsetup.c:2848
+#: lib/setup.c:4521 src/cryptsetup.c:2723
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Том %s не приспано."
 
-#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
-#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
+#: lib/setup.c:4622 lib/setup.c:7265 lib/setup.c:7287 lib/setup.c:7341
+#: src/cryptsetup.c:1858 src/cryptsetup.c:2262 src/cryptsetup.c:2280
+#: src/utils_reencrypt.c:305 src/utils_reencrypt.c:1966
 msgid "Volume key does not match the volume."
 msgstr "Ключ тому не відповідає тому."
 
-#: lib/setup.c:4608
+#: lib/setup.c:4776
 msgid "Failed to swap new key slot."
 msgstr "Не вдалося зарезервувати новий слот ключа."
 
-#: lib/setup.c:4706
+#: lib/setup.c:4874
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Слот ключа %d є некоректним."
 
-#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
-#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#: lib/setup.c:4880 src/cryptsetup.c:1979 src/cryptsetup.c:2439
+#: src/cryptsetup.c:3123 src/cryptsetup.c:3183
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Слот ключа %d не є активним."
 
-#: lib/setup.c:4731
+#: lib/setup.c:4899
 msgid "Device header overlaps with data area."
 msgstr "Заголовок пристрою перекривається із областю даних."
 
-#: lib/setup.c:5084 lib/setup.c:5184
+#: lib/setup.c:5120
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Виконуємо повторне шифрування. Не можна активувати пристрій."
 
-#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
-#: lib/luks2/luks2_reencrypt.c:3648
+#: lib/setup.c:5122 lib/luks2/luks2_json_metadata.c:2888
+#: lib/luks2/luks2_reencrypt.c:3722
 msgid "Failed to get reencryption lock."
 msgstr "Не вдалося отримати стан блокування для повторного шифрування."
 
-#: lib/setup.c:5098
+#: lib/setup.c:5144
 msgid "LUKS2 reencryption recovery using volume key(s) failed."
 msgstr "Не вдалося виконати відновлення даних повторного шифрування LUKS2 з використанням ключів тому."
 
-#: lib/setup.c:5150 lib/setup.c:5240
-msgid "Failed to link volume keys in user defined keyring."
-msgstr "Не вдалося пов'язати ключі тому із визначеним користувачем сховищем ключів."
-
-#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
-msgid "LUKS2 reencryption recovery failed."
-msgstr "Не вдалося виконати відновлення даних повторного шифрування LUKS2."
-
-#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
-msgid "Device type is not properly initialized."
-msgstr "Тип пристрою не ініціалізовано належним чином."
-
-#: lib/setup.c:5503
+#: lib/setup.c:5280
 #, c-format
 msgid "Device %s already exists."
 msgstr "Пристрій %s вже існує."
 
-#: lib/setup.c:5510
+#: lib/setup.c:5287
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Неможливо скористатися пристроєм %s, некоректна назва або пристрій усе ще використовується."
 
-#: lib/setup.c:5528
+#: lib/setup.c:5299
+msgid "Reencryption volume keys do not match the volume."
+msgstr "Ключі повторного шифрування тому не відповідають тому."
+
+#: lib/setup.c:5316
 msgid "Incorrect volume key specified for plain device."
 msgstr "Для пристрою зі звичайним шифруванням вказано помилковий ключ тому."
 
-#: lib/setup.c:5542
-msgid "Reencryption volume keys do not match the volume."
-msgstr "Ключі повторного шифрування тому не відповідають тому."
+#: lib/setup.c:5342 lib/setup.c:5403
+msgid "Device type is not properly initialized."
+msgstr "Тип пристрою не ініціалізовано належним чином."
 
-#: lib/setup.c:5655
+#: lib/setup.c:5441
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "У ядрі не передбачено підтримки сховища ключів ядра."
 
-#: lib/setup.c:5659
+#: lib/setup.c:5445
 msgid "Kernel keyring missing: required for passing signature to kernel."
 msgstr "Немає сховища ключів ядра: це сховище потрібне для передавання підпису ядру."
 
-#: lib/setup.c:5917
+#: lib/setup.c:5500
+#, c-format
+msgid "Cannot use keyring key %s."
+msgstr "Не можна використовувати ключ сховища ключів %s."
+
+#: lib/setup.c:5713
 msgid "Incorrect root hash specified for verity device."
 msgstr "Для пристрою перевірки вказано помилковий кореневий хеш."
 
-#: lib/setup.c:5960
+#: lib/setup.c:5754 lib/setup.c:5779
 msgid "OPAL does not support deferred deactivation."
 msgstr "В OPAL не передбачено підтримки відкладеної деактивації."
 
-#: lib/setup.c:5976
-#, c-format
-msgid "Could not cancel deferred remove from device %s."
-msgstr "Не вдалося скасувати відкладене вилучення з пристрою %s."
-
-#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
-#: src/utils_reencrypt.c:103
+#: lib/setup.c:5769 lib/setup.c:5800 lib/luks2/luks2_json_metadata.c:2953
+#: src/utils_reencrypt.c:89
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Пристрій %s все ще використовується."
 
-#: lib/setup.c:6008
+#: lib/setup.c:5787
+#, c-format
+msgid "Could not cancel deferred remove from device %s."
+msgstr "Не вдалося скасувати відкладене вилучення з пристрою %s."
+
+#: lib/setup.c:5809
 #, c-format
 msgid "Invalid device %s."
 msgstr "Некоректний пристрій %s."
 
-#: lib/setup.c:6148
+#: lib/setup.c:5956
 msgid "Volume key buffer too small."
 msgstr "Буфер ключів тому є занадто малим."
 
-#: lib/setup.c:6165
+#: lib/setup.c:5967
 msgid "Cannot retrieve volume key for LUKS2 device."
 msgstr "Неможливо отримати ключ тому для пристрою із шифруванням LUKS2."
 
-#: lib/setup.c:6174
+#: lib/setup.c:5976
 msgid "Cannot retrieve volume key for LUKS1 device."
 msgstr "Неможливо отримати ключ тому для пристрою із шифруванням LUKS1."
 
-#: lib/setup.c:6184
+#: lib/setup.c:5990
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Неможливо отримати ключ тому для пристрою зі звичайним шифруванням."
 
-#: lib/setup.c:6192
+#: lib/setup.c:5998
 msgid "Cannot retrieve root hash for verity device."
 msgstr "Не вдалося отримати кореневий хеш для пристрою VERITY."
 
-#: lib/setup.c:6199
+#: lib/setup.c:6007
 msgid "Cannot retrieve volume key for BITLK device."
 msgstr "Неможливо отримати ключ тому для пристрою BITLK."
 
-#: lib/setup.c:6204
+#: lib/setup.c:6012
 msgid "Cannot retrieve volume key for FVAULT2 device."
 msgstr "Неможливо отримати ключ тому для пристрою FVAULT2."
 
-#: lib/setup.c:6206
+#: lib/setup.c:6014
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Підтримки цієї дії для шифрованого пристрою %s не передбачено."
 
-#: lib/setup.c:6390 lib/setup.c:6401
+#: lib/setup.c:6199 lib/setup.c:6210
 msgid "Dump operation is not supported for this device type."
 msgstr "Підтримки дії зі створення дампу для цього типу пристроїв не передбачено."
 
-#: lib/setup.c:6760
+#: lib/setup.c:6590
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Зсув у даних не є кратним до %u байтів."
 
-#: lib/setup.c:7068
+#: lib/setup.c:6898
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Не можна перетворити пристрій %s, який перебуває у користуванні."
 
-#: lib/setup.c:7366 lib/setup.c:7505
+#: lib/setup.c:7206 lib/setup.c:7350
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Не вдалося прив'язати слот ключа %u як новий ключ тому."
 
-#: lib/setup.c:7390
+#: lib/setup.c:7230
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Не вдалося ініціалізувати типові параметри слоту ключів LUKS2."
 
-#: lib/setup.c:7396
+#: lib/setup.c:7236
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Не вдалося прив'язати слот ключа %d до контрольної суми."
 
-#: lib/setup.c:7621
+#: lib/setup.c:7467
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Не вдалося додати слот ключа, всі слоти вимкнено і не вказано ключа тому."
 
-#: lib/setup.c:7690 lib/verity/verity.c:330
+#: lib/setup.c:7540 lib/verity/verity.c:333
 msgid "Failed to load key in kernel keyring."
 msgstr "Не вдалося завантажити ключ до сховища ключів ядра."
 
-#: lib/setup.c:7808
-msgid "Failed to unlink volume key from thread keyring."
-msgstr "Не вдалося скасувати прив'язку ключа тому до сховища ключів потоку обробки."
-
-#: lib/setup.c:7852
+#: lib/setup.c:7731
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
 msgstr "Не вдалося знайти сховище ключів, яке описано «%s»."
 
-#: lib/setup.c:7917
+#: lib/setup.c:7796
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Не вдалося створити загальне блокування серіалізації доступу до пам'яті."
 
-#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
+#: lib/utils.c:204 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "Не вдалося відкрити файл ключа."
 
-#: lib/utils.c:207
+#: lib/utils.c:212
 msgid "Cannot read keyfile from a terminal."
 msgstr "Не вдалося прочитати файл ключа з термінала."
 
-#: lib/utils.c:223
+#: lib/utils.c:228
 msgid "Failed to stat key file."
 msgstr "Не вдалося отримати статистичні дані щодо файла ключа."
 
-#: lib/utils.c:231 lib/utils.c:252
+#: lib/utils.c:236 lib/utils.c:257
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Не вдалося встановити потрібну позицію у файлі ключа."
 
-#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
-#: src/utils_password.c:228
+#: lib/utils.c:251 lib/utils.c:266 src/utils_password.c:219
+#: src/utils_password.c:231
 msgid "Out of memory while reading passphrase."
 msgstr "Під час читання пароля вичерпано пам’ять."
 
-#: lib/utils.c:281
+#: lib/utils.c:286
 msgid "Error reading passphrase."
 msgstr "Помилка під час читання пароля."
 
-#: lib/utils.c:298
+#: lib/utils.c:303
 msgid "Nothing to read on input."
 msgstr "Нічого читати з вхідних даних."
 
-#: lib/utils.c:305
+#: lib/utils.c:310
 msgid "Maximum keyfile size exceeded."
 msgstr "Перевищено максимальний розмір файла ключа."
 
-#: lib/utils.c:310
+#: lib/utils.c:315
 msgid "Cannot read requested amount of data."
 msgstr "Не вдалося прочитати бажаний об’єм даних."
 
-#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
-#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#: lib/utils_device.c:207 lib/utils_storage_wrappers.c:99
+#: lib/luks1/keyencryption.c:79 src/utils_reencrypt.c:2254
 #, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "Пристрою %s не існує або доступ до цього пристрою заборонено."
 
-#: lib/utils_device.c:210
+#: lib/utils_device.c:217
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Пристрій %s є сумісним."
 
-#: lib/utils_device.c:554
+#: lib/utils_device.c:546
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
 msgstr "Ігноруємо фіктивний розмір optimal-io для пристрою даних (%u байтів)."
 
-#: lib/utils_device.c:715
+#: lib/utils_device.c:707
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Обсяг пристрою %s є надто малим. Потрібно принаймні %<PRIu64> байтів."
 
-#: lib/utils_device.c:796
+#: lib/utils_device.c:788
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Не можна використовувати пристрій %s, оскільки його вже використано (призначено або змонтовано)."
 
-#: lib/utils_device.c:800
+#: lib/utils_device.c:792
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Не можна скористатися пристроєм %s, недостатні права доступу."
 
-#: lib/utils_device.c:803
+#: lib/utils_device.c:795
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Не вдалося отримати дані щодо пристрою %s."
 
-#: lib/utils_device.c:826
+#: lib/utils_device.c:818
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Не можна використовувати петльовий пристрій, програму запущено не від імені адміністративного користувача (root)."
 
-#: lib/utils_device.c:837
+#: lib/utils_device.c:829
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Спроба долучення петльового пристрою зазнала невдачі (потрібен петльовий пристрій з встановленим прапорцем автоматичного спорожнення)."
 
-#: lib/utils_device.c:885
+#: lib/utils_device.c:877
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Бажана точка відступу перебуває за межами об’єму пристрою %s."
 
-#: lib/utils_device.c:893
+#: lib/utils_device.c:885
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Об’єм пристрою %s є нульовим."
 
-#: lib/utils_pbkdf.c:103
+#: lib/utils_pbkdf.c:105
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Вказаний час PBKDF не може бути нульовим."
 
-#: lib/utils_pbkdf.c:109
+#: lib/utils_pbkdf.c:111
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "Невідомий тип PBKDF, %s."
 
-#: lib/utils_pbkdf.c:114
+#: lib/utils_pbkdf.c:116
 #, c-format
 msgid "Requested hash %s is not supported."
 msgstr "Підтримки бажаного хешування, %s, не передбачено."
 
-#: lib/utils_pbkdf.c:125
+#: lib/utils_pbkdf.c:127
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "Підтримки бажаного типу PBKDF для LUKS1 не передбачено."
 
-#: lib/utils_pbkdf.c:131
+#: lib/utils_pbkdf.c:133
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
 msgstr "Максимальний об'єм пам'яті PBKDF або кількість паралельних потоків обробки не можна встановлювати разом із pbkdf2."
 
-#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
+#: lib/utils_pbkdf.c:138 lib/utils_pbkdf.c:148
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
 msgstr "Задане значення кількості ітерацій для %s є надто низьким (мінімальним є %u)."
 
-#: lib/utils_pbkdf.c:151
+#: lib/utils_pbkdf.c:153
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
 msgstr "Задане значення об'єму пам'яті для %s є надто низьким (мінімальним є %u кілобайтів)."
 
-#: lib/utils_pbkdf.c:158
+#: lib/utils_pbkdf.c:160
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "Бажана максимальна вартість пам'яті PBKDF є надто високою (максимальною є %d кілобайтів)."
 
-#: lib/utils_pbkdf.c:163
+#: lib/utils_pbkdf.c:165
+msgid "Requested maximum PBKDF memory cost is too high (limited by the integer maximal size)."
+msgstr "Бажана максимальна вартість пам'яті PBKDF є надто високою (обмежено максимальним розміром цілого числа)."
+
+#: lib/utils_pbkdf.c:169
 msgid "Requested maximum PBKDF memory cannot be zero."
 msgstr "Бажаний максимальний обсяг пам'яті PBKDF не може бути нульовим."
 
-#: lib/utils_pbkdf.c:167
+#: lib/utils_pbkdf.c:173
+#, c-format
+msgid "Requested maximum PBKDF parallel cost is too high (maximum is %d)."
+msgstr "Бажана максимальна вартість паралельних обчислень PBKDF є надто високою (максимальною є %d)."
+
+#: lib/utils_pbkdf.c:178
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Вказана кількість паралельних потоків обробки PBKDF не може бути нульовою."
 
-#: lib/utils_pbkdf.c:187
+#: lib/utils_pbkdf.c:198
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr "У режимі FIPS передбачено підтримку лише PBKDF2."
 
@@ -883,25 +921,25 @@ msgstr "Блокування перервано. Шлях блокування %
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Блокування перервано Шлях блокування %s/%s є непридатним для користування (%s не є каталогом)."
 
-#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
-#: src/utils_reencrypt_luks1.c:795
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:218 src/utils_reencrypt_luks1.c:700
+#: src/utils_reencrypt_luks1.c:793
 msgid "Cannot seek to device offset."
 msgstr "Не вдалося встановити вказану позицію на пристрої."
 
-#: lib/utils_wipe.c:236
+#: lib/utils_wipe.c:240
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Помилка витирання пристрою, зсув %<PRIu64>."
 
-#: lib/utils_wipe.c:331
+#: lib/utils_wipe.c:332
 msgid "Incorrect OPAL PSID."
 msgstr "Помилковий PSID OPAL."
 
-#: lib/utils_wipe.c:333
+#: lib/utils_wipe.c:334
 msgid "Cannot erase OPAL device."
 msgstr "Не вдалося витерти пристрій OPAL."
 
-#: lib/luks1/keyencryption.c:26
+#: lib/luks1/keyencryption.c:27
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -910,47 +948,47 @@ msgstr ""
 "Не вдалося визначити призначення ключа dm-crypt для пристрою %s.\n"
 "Перевірте, чи передбачено у ядрі підтримку шифрування %s (докладніші дані можна знайти у журналі системи (syslog))."
 
-#: lib/luks1/keyencryption.c:31
+#: lib/luks1/keyencryption.c:32
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Розмір ключа у режимі XTS має бути рівним 256 або 512 бітів."
 
-#: lib/luks1/keyencryption.c:33
+#: lib/luks1/keyencryption.c:34
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Специфікацію шифрування слід вказувати так: [алгоритм]-[режим]-[iv]."
 
-#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
-#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
-#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
+#: lib/luks1/keyencryption.c:85 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1150
+#: lib/luks2/luks2_json_metadata.c:1518 lib/luks2/luks2_keyslot.c:711
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Не вдалося виконати запис на пристрій %s, недостатні права доступу."
 
-#: lib/luks1/keyencryption.c:107
+#: lib/luks1/keyencryption.c:108
 msgid "Failed to open temporary keystore device."
 msgstr "Не вдалося відкрити пристрій тимчасового сховища ключів."
 
-#: lib/luks1/keyencryption.c:114
+#: lib/luks1/keyencryption.c:115
 msgid "Failed to access temporary keystore device."
 msgstr "Не вдалося отримати доступ до пристрою тимчасового сховища ключів."
 
-#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks1/keyencryption.c:189 lib/luks2/luks2_keyslot_luks2.c:49
 #: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "Помилка введення-виведення під час шифрування слоту ключів."
 
-#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keyencryption.c:236 lib/luks1/keymanage.c:356
 #: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
-#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
-#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
-#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/fvault2/fvault2.c:870 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:312 lib/verity/verity_hash.c:321
+#: lib/verity/verity_hash.c:341 lib/verity/verity_fec.c:247
 #: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
-#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: lib/luks2/luks2_json_metadata.c:1521 src/utils_reencrypt_luks1.c:108
 #: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Не вдалося відкрити пристрій %s."
 
-#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
+#: lib/luks1/keyencryption.c:247 lib/luks2/luks2_keyslot_luks2.c:128
 msgid "IO error while decrypting keyslot."
 msgstr "Помилка введення-виведення під час розшифрування слоту ключів."
 
@@ -966,32 +1004,32 @@ msgstr "Обсяг пристрою %s є надто малим. (LUKS1 потр
 msgid "LUKS keyslot %u is invalid."
 msgstr "Слот ключа LUKS %u є некоректним."
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1382
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Потрібний вам файл резервної копії заголовка, %s, вже існує."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1384
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Не вдалося створити файл резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1391
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Не вдалося записати файл резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1428
 msgid "Backup file does not contain valid LUKS header."
 msgstr "Файл резервної копії не містить коректного заголовка LUKS."
 
 #: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
-#: lib/luks2/luks2_json_metadata.c:1445
+#: lib/luks2/luks2_json_metadata.c:1450
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Не вдалося відкрити файл резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1458
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Не вдалося прочитати дані з файла резервної копії заголовка, %s."
@@ -1013,7 +1051,7 @@ msgstr "не містить заголовка LUKS. Заміна заголов
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "вже містить заголовок LUKS. Заміна заголовка призведе до руйнування вже створених слотів ключів."
 
-#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1040,7 +1078,7 @@ msgid "Cipher hash repaired to lowercase (%s)."
 msgstr "Виправлений хеш шифрування малими літерами (%s)."
 
 #: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:777
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Підтримки бажаного хешування LUKS, %s, не передбачено."
@@ -1087,7 +1125,7 @@ msgstr "Режим шифрування LUKS %s є некоректним."
 msgid "LUKS hash %s is invalid."
 msgstr "Хеш-сума LUKS %s є некоректною."
 
-#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1369
 msgid "No known problems detected for LUKS header."
 msgstr "У заголовку LUKS не виявлено жодних проблем."
 
@@ -1101,17 +1139,17 @@ msgstr "Помилка під час оновлення заголовка LUKS
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Помилка під час спроби повторного читання заголовка LUKS після оновлення на пристрої %s."
 
-#: lib/luks1/keymanage.c:773
+#: lib/luks1/keymanage.c:771
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Відступ даних для заголовка LUKS має бути або рівним нулеві, або перевищувати розмір заголовка."
 
-#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
-#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
-#: src/utils_reencrypt.c:541
+#: lib/luks1/keymanage.c:782 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:231 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:701
 msgid "Wrong LUKS UUID format provided."
 msgstr "Вказано UUID LUKS у помилковому форматі."
 
-#: lib/luks1/keymanage.c:806
+#: lib/luks1/keymanage.c:804
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Не вдалося створити заголовок LUKS: помилка читання випадкових даних для ініціалізації."
 
@@ -1120,48 +1158,48 @@ msgstr "Не вдалося створити заголовок LUKS: помил
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Не вдалося створити заголовок LUKS: помилка під час обчислення контрольної суми заголовка (з використанням хешу %s)."
 
-#: lib/luks1/keymanage.c:876
+#: lib/luks1/keymanage.c:877
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Слот ключа %d є активним. Його слід спочатку спорожнити."
 
-#: lib/luks1/keymanage.c:882
+#: lib/luks1/keymanage.c:883
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Ентропія даних слота ключа %d є надто низькою. Маніпуляції з заголовком?"
 
-#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
+#: lib/luks1/keymanage.c:921 lib/luks2/luks2_keyslot_luks2.c:260
 msgid "PBKDF2 iteration value overflow."
 msgstr "Переповнення значення ітерації PBKDF2."
 
-#: lib/luks1/keymanage.c:1027
+#: lib/luks1/keymanage.c:1040
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "Не вдалося відкрити слот ключа (за допомогою хешу %s)."
 
-#: lib/luks1/keymanage.c:1105
+#: lib/luks1/keymanage.c:1136
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Слот ключа %d є некоректним, будь ласка, виберіть слот ключа з номером від 0 до %d."
 
-#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
+#: lib/luks1/keymanage.c:1154 lib/luks2/luks2_keyslot.c:715
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Не вдалося витерти пристрій %s."
 
-#: lib/loopaes/loopaes.c:133
+#: lib/loopaes/loopaes.c:140
 msgid "Detected not yet supported GPG encrypted keyfile."
 msgstr "Виявлено файл ключа, підтримки шифрування GPG у якому ще не передбачено."
 
-#: lib/loopaes/loopaes.c:134
+#: lib/loopaes/loopaes.c:141
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Будь ласка, скористайтеся командою gpg --decrypt <ФАЙЛ_КЛЮЧА> | cryptsetup --keyfile=- ...\n"
 
-#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
+#: lib/loopaes/loopaes.c:162 lib/loopaes/loopaes.c:182
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "Виявлено несумісний з loop-AES файл ключа."
 
-#: lib/loopaes/loopaes.c:232
+#: lib/loopaes/loopaes.c:238
 msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "У ядрі не передбачено підтримки призначення, сумісного з loop-AES."
 
@@ -1180,168 +1218,197 @@ msgstr "Перевищено максимальну можливу довжин
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Засіб створення хешів PBKDF2 за алгоритмом %s недоступний, пропускаємо."
 
-#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1242
 msgid "Required kernel crypto interface not available."
 msgstr "Потрібний для роботи інтерфейс ядра для шифрування недоступний."
 
-#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1244
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Переконайтеся, що завантажено модуль ядра algif_skcipher."
 
-#: lib/tcrypt/tcrypt.c:751
+#: lib/tcrypt/tcrypt.c:752
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Підтримки активації для розміру сектора %d не передбачено."
 
-#: lib/tcrypt/tcrypt.c:757
+#: lib/tcrypt/tcrypt.c:758
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "У ядрі не передбачено підтримки вмикання цього застарілого режиму TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:788
+#: lib/tcrypt/tcrypt.c:813
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Активуємо шифрування системи за допомогою TCRYPT для розділу %s."
 
-#: lib/tcrypt/tcrypt.c:871
+#: lib/tcrypt/tcrypt.c:828
+msgid "Cannot determine TCRYPT system partition offset, activating whole encrypted area."
+msgstr "Не вдалося визначити зсу розділу системи TCRYPT, активуємо усю зашифровану область."
+
+#: lib/tcrypt/tcrypt.c:837
+msgid "Cannot determine TCRYPT system partition offset, activating device as a system partition."
+msgstr "Не вдалося визначити зсу розділу системи TCRYPT, активуємо пристрій як системний розділ."
+
+#: lib/tcrypt/tcrypt.c:917
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "У ядрі не передбачено підтримки призначення, сумісного з TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1090
+#: lib/tcrypt/tcrypt.c:1146
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Підтримки цієї дії без завантаження заголовка TCRYPT."
 
-#: lib/bitlk/bitlk.c:265
+#: lib/bitlk/bitlk.c:293
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
 msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуваний тип запису метаданих «%u»."
 
-#: lib/bitlk/bitlk.c:327
+#: lib/bitlk/bitlk.c:351
 msgid "Invalid string found when parsing Volume Master Key."
 msgstr "Під час обробки основного ключа тому виявлено некоректний рядок."
 
-#: lib/bitlk/bitlk.c:331
+#: lib/bitlk/bitlk.c:355
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
 msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуваний рядок («%s»)."
 
-#: lib/bitlk/bitlk.c:351
+#: lib/bitlk/bitlk.c:375
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
 msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуване значення запису метаданих «%u»."
 
-#: lib/bitlk/bitlk.c:453
+#: lib/bitlk/bitlk.c:528
 msgid "BITLK version 1 is currently not supported."
 msgstr "Підтримки BITLK версії 1 у поточній версії не передбачено."
 
-#: lib/bitlk/bitlk.c:459
+#: lib/bitlk/bitlk.c:534
 msgid "Invalid or unknown boot signature for BITLK device."
 msgstr "Некоректний або невідомий підпис завантаження для пристрою BITLK."
 
-#: lib/bitlk/bitlk.c:471
+#: lib/bitlk/bitlk.c:546
 #, c-format
 msgid "Unsupported sector size %<PRIu16>."
 msgstr "Непідтримуваний розмір сектора %<PRIu16>."
 
-#: lib/bitlk/bitlk.c:479
+#: lib/bitlk/bitlk.c:554
 #, c-format
 msgid "Failed to read BITLK header from %s."
 msgstr "Не вдалося прочитати заголовок BITLK з %s."
 
-#: lib/bitlk/bitlk.c:504
+#: lib/bitlk/bitlk.c:593
+#, c-format
+msgid "Failed to read or validate BITLK FVE metadata copy #%d from %s."
+msgstr "Не вдалося прочитати або перевірити копію метаданих FVE BITLK %d з %s."
+
+#: lib/bitlk/bitlk.c:603
+#, c-format
+msgid "Failed to read and validate BITLK FVE metadata from %s."
+msgstr "Не вдалося прочитати і перевірити метадані FVE BITLK з %s."
+
+#: lib/bitlk/bitlk.c:610
+#, c-format
+msgid "Failed to validate the location of BITLK FVE metadata from %s."
+msgstr "Не вдалося перевірити розташування метаданих FVE BITLK з %s."
+
+#: lib/bitlk/bitlk.c:621
+#, c-format
+msgid "BITLK FVE metadata changed between reads from %s."
+msgstr "Між читаннями з %s до метаданих BITLK FVE було внесено зміни."
+
+#: lib/bitlk/bitlk.c:628
 #, c-format
-msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "Не вдалося прочитати метадані FVE BITLK з %s."
+msgid "Failed to hash BITLK FVE metadata read from %s."
+msgstr "Не вдалося створити хеш читання метаданих FVE BITLK з %s."
 
-#: lib/bitlk/bitlk.c:555
+#: lib/bitlk/bitlk.c:644
+#, c-format
+msgid "Failed to parse BITLK FVE validation metadata from %s."
+msgstr "Не вдалося обробити метадані перевірки FVE BITLK з %s."
+
+#: lib/bitlk/bitlk.c:695
 msgid "Unknown or unsupported encryption type."
 msgstr "Невідомий або непідтримуваний тип шифрування."
 
-#: lib/bitlk/bitlk.c:595
+#: lib/bitlk/bitlk.c:733
 #, c-format
-msgid "Failed to read BITLK metadata entries from %s."
-msgstr "Не вдалося прочитати записи метаданих BITLK з %s."
+msgid "Failed to check BITLK metadata entries previously read from %s."
+msgstr "Не вдалося перевірити записи метаданих BITLK, які було раніше прочитано з %s."
 
-#: lib/bitlk/bitlk.c:712
+#: lib/bitlk/bitlk.c:853
 msgid "Failed to convert BITLK volume description"
 msgstr "Не вдалося перетворити опис тому BITLK"
 
-#: lib/bitlk/bitlk.c:877
+#: lib/bitlk/bitlk.c:1018
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
 msgstr "Під час обробки зовнішнього ключа виявлено неочікуваний тип запису метаданих «%u»."
 
-#: lib/bitlk/bitlk.c:900
+#: lib/bitlk/bitlk.c:1041
 #, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
 msgstr "Файл GUID BEK «%s» не відповідає GUID тому."
 
-#: lib/bitlk/bitlk.c:904
+#: lib/bitlk/bitlk.c:1045
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
 msgstr "Під час обробки зовнішнього ключа виявлено неочікуване значення запису метаданих «%u»."
 
-#: lib/bitlk/bitlk.c:943
+#: lib/bitlk/bitlk.c:1084
 #, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
 msgstr "Непідтримувана версія метаданих BEK, %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:948
+#: lib/bitlk/bitlk.c:1089
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
 msgstr "Неочікуваний розмір метаданих BEK, %<PRIu32>, не відповідає довжині файла BEK"
 
-#: lib/bitlk/bitlk.c:974
+#: lib/bitlk/bitlk.c:1115
 msgid "Unexpected metadata entry found when parsing startup key."
 msgstr "Під час обробки ключа запуску виявлено неочікуваний запис метаданих."
 
-#: lib/bitlk/bitlk.c:1069
+#: lib/bitlk/bitlk.c:1218
 msgid "This operation is not supported."
 msgstr "Підтримки цієї дії не передбачено."
 
-#: lib/bitlk/bitlk.c:1077
+#: lib/bitlk/bitlk.c:1226
 msgid "Unexpected key data size."
 msgstr "Неочікуваний розмір даних ключа."
 
-#: lib/bitlk/bitlk.c:1203
+#: lib/bitlk/bitlk.c:1431
 msgid "This BITLK device is in an unsupported state and cannot be activated."
 msgstr "Цей пристрій BITLK перебуває у непідтримуваному стані — його неможливо активувати."
 
-#: lib/bitlk/bitlk.c:1208
+#: lib/bitlk/bitlk.c:1436
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
 msgstr "Пристрої BITLK типу «%s» неможливо активувати."
 
-#: lib/bitlk/bitlk.c:1215
-msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "Активації частково розшифрованого пристрою BITLK не передбачено."
-
-#: lib/bitlk/bitlk.c:1256
+#: lib/bitlk/bitlk.c:1475
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
 msgstr "УВАГА: розмір тому BitLocker %<PRIu64> не відповідає розміру базового пристрою %<PRIu64>"
 
-#: lib/bitlk/bitlk.c:1383
+#: lib/bitlk/bitlk.c:1602
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
 msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки BITLK IV."
 
-#: lib/bitlk/bitlk.c:1387
+#: lib/bitlk/bitlk.c:1606
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
 msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки дифузера Elephant BITLK."
 
-#: lib/bitlk/bitlk.c:1391
+#: lib/bitlk/bitlk.c:1610
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
 msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки великого розміру секторів."
 
-#: lib/bitlk/bitlk.c:1395
+#: lib/bitlk/bitlk.c:1614
 msgid "Cannot activate device, kernel dm-zero module is missing."
 msgstr "Не вдалося активувати пристрій — немає модуля ядра dm-zero."
 
-#: lib/fvault2/fvault2.c:529
+#: lib/fvault2/fvault2.c:530
 #, c-format
 msgid "Could not read %u bytes of volume header."
 msgstr "Не вдалося прочитати %u байтів заголовка тому."
 
-#: lib/fvault2/fvault2.c:541
+#: lib/fvault2/fvault2.c:542
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr "Непідтримувана версія FVAULT2 %<PRIu16>."
@@ -1378,24 +1445,24 @@ msgstr "Підтримки перевірки підпису кореневог
 msgid "Root hash signature required."
 msgstr "Потрібен хеш-підпис кореневої теки."
 
-#: lib/verity/verity.c:281
+#: lib/verity/verity.c:282
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Помилки не може бути виправлено за допомогою пристрою FEC."
 
-#: lib/verity/verity.c:283
+#: lib/verity/verity.c:284
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "За допомогою пристрою FEC виявлено %u придатних до виправлення помилок."
 
-#: lib/verity/verity.c:364
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity mapping."
 msgstr "У ядрі не передбачено підтримки прив'язки dm-verity."
 
-#: lib/verity/verity.c:368
+#: lib/verity/verity.c:372
 msgid "Kernel does not support dm-verity signature option."
 msgstr "У ядрі не передбачено підтримки параметра підпису dm-verity."
 
-#: lib/verity/verity.c:379
+#: lib/verity/verity.c:383
 msgid "Verity device detected corruption after activation."
 msgstr "Виявлено пошкодження даних на пристрої перевірки після активації."
 
@@ -1418,23 +1485,23 @@ msgstr "Помилка під час перевірки за позицією %<
 msgid "Hash area overflow."
 msgstr "Переповнення області хешу."
 
-#: lib/verity/verity_hash.c:367
+#: lib/verity/verity_hash.c:372
 msgid "Verification of data area failed."
 msgstr "Не вдалося перевірити область даних."
 
-#: lib/verity/verity_hash.c:372
+#: lib/verity/verity_hash.c:377
 msgid "Verification of root hash failed."
 msgstr "Не вдалося перевірити кореневий хеш."
 
-#: lib/verity/verity_hash.c:378
+#: lib/verity/verity_hash.c:383
 msgid "Input/output error while creating hash area."
 msgstr "Під час створення області хешу сталася помилка введення або виведення даних."
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:385
 msgid "Creation of hash area failed."
 msgstr "Не вдалося створити область хешу."
 
-#: lib/verity/verity_hash.c:415
+#: lib/verity/verity_hash.c:420
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "Попередження: ядро не зможе задіяти пристрій, якщо розмір блоку перевищуватиме розмір сторінки (%u)."
@@ -1484,34 +1551,38 @@ msgstr "Некоректна довжина сегмента FEC."
 msgid "Failed to determine size for device %s."
 msgstr "Не вдалося визначити розмір для пристрою %s."
 
-#: lib/integrity/integrity.c:44
+#: lib/integrity/integrity.c:50
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
 msgstr "Виявлено несумісні метадані dm-integrity ядра (версія %u) у %s."
 
-#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
+#: lib/integrity/integrity.c:304 lib/integrity/integrity.c:488
 msgid "Kernel does not support dm-integrity mapping."
 msgstr "У ядрі не передбачено підтримки прив'язки dm-integrity."
 
-#: lib/integrity/integrity.c:270
+#: lib/integrity/integrity.c:310
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr "У ядрі не передбачено підтримки вирівнювання фіксованих метаданих dm-integrity."
 
-#: lib/integrity/integrity.c:279
+#: lib/integrity/integrity.c:319
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
 msgstr "Ядром відмовлено у активації небезпечного параметра повторного обчислення (див. застарілі параметри активації, щоб скористатися обчисленням попри це)."
 
-#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
-#: lib/luks2/luks2_json_metadata.c:1507
+#: lib/integrity/integrity.c:325
+msgid "Kernel does not support dm-integrity inline mode."
+msgstr "У ядрі не передбачено підтримки вбудованого режиму dm-integrity."
+
+#: lib/luks2/luks2_disk_metadata.c:382 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1510
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Не вдалося отримати блокування запису на пристрої %s."
 
-#: lib/luks2/luks2_disk_metadata.c:388
+#: lib/luks2/luks2_disk_metadata.c:391
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
 msgstr "Виявлено спробу конкурентного оновлення метаданих LUKS2. Перериваємо виконання дії."
 
-#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
+#: lib/luks2/luks2_disk_metadata.c:726 lib/luks2/luks2_disk_metadata.c:747
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1519,59 +1590,63 @@ msgstr ""
 "Пристрій містить неоднозначні підписи. Автоматичне відновлення LUKS2 неможливе.\n"
 "Будь ласка, запустіть «cryptsetup repair» для відновлення."
 
-#: lib/luks2/luks2_json_format.c:218
+#: lib/luks2/luks2_json_format.c:219
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "Увага: область слоту ключів є надто малою (%<PRIu64> байтів), доступна кількість слотів ключів LUKS2 буде дуже обмеженою.\n"
 
-#: lib/luks2/luks2_json_format.c:417
+#: lib/luks2/luks2_json_format.c:418
 msgid "Requested data offset is too small."
 msgstr "Вказаний відступ у даних є надто малим."
 
-#: lib/luks2/luks2_json_format.c:458
+#: lib/luks2/luks2_json_format.c:459
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "Увага: розмір метаданих LUKS2 змінено до %<PRIu64> байтів.\n"
 
-#: lib/luks2/luks2_json_format.c:462
+#: lib/luks2/luks2_json_format.c:463
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "Увага: розмір області слотів ключів LUKS2 змінено до %<PRIu64> байтів.\n"
 
-#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
-#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
-#: lib/luks2/luks2_keyslot_luks2.c:103
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1357
+#: lib/luks2/luks2_json_metadata.c:1417 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:105
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Не вдалося отримати блокування читання на пристрої %s."
 
-#: lib/luks2/luks2_json_metadata.c:1430
+#: lib/luks2/luks2_json_metadata.c:1277
+msgid "Label is too long."
+msgstr "Мітка є надто довгою."
+
+#: lib/luks2/luks2_json_metadata.c:1435
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "У резервній копії %s виявлено заборонені вимоги щодо LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:1471
+#: lib/luks2/luks2_json_metadata.c:1474
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Зсуви даних на пристрої і на резервній копії різняться, не вдалося відновити."
 
-#: lib/luks2/luks2_json_metadata.c:1477
+#: lib/luks2/luks2_json_metadata.c:1480
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Двійкові заголовки із розмірами областей слотів ключів на пристрої і у резервній копії різняться, не вдалося відновити копію."
 
-#: lib/luks2/luks2_json_metadata.c:1484
+#: lib/luks2/luks2_json_metadata.c:1487
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Пристрій %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1485
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "не містить заголовка LUKS2. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої."
 
-#: lib/luks2/luks2_json_metadata.c:1486
+#: lib/luks2/luks2_json_metadata.c:1489
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "вже містить заголовок LUKS2. Заміна заголовка призведе до руйнування вже створених слотів ключів."
 
-#: lib/luks2/luks2_json_metadata.c:1488
+#: lib/luks2/luks2_json_metadata.c:1491
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1581,7 +1656,7 @@ msgstr ""
 "ПОПЕРЕДЖЕННЯ: виявлено невідомі вимоги LUKS2 у справжньому заголовку пристрою!\n"
 "Заміна заголовка резервною копією може пошкодити дані на пристрої!"
 
-#: lib/luks2/luks2_json_metadata.c:1490
+#: lib/luks2/luks2_json_metadata.c:1493
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1591,111 +1666,111 @@ msgstr ""
 "ПОПЕРЕДЖЕННЯ: на пристрої виявлено дані незавершеного повторного шифрування!\n"
 "Заміна заголовка заголовком із резервної копії може пошкодити дані."
 
-#: lib/luks2/luks2_json_metadata.c:1587
+#: lib/luks2/luks2_json_metadata.c:1591
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Проігноровано невідомий прапорець %s."
 
-#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
+#: lib/luks2/luks2_json_metadata.c:2545 lib/luks2/luks2_reencrypt.c:2109
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Не вистачає ключа для сегмента dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
+#: lib/luks2/luks2_json_metadata.c:2557 lib/luks2/luks2_reencrypt.c:2122
 msgid "Failed to set dm-crypt segment."
 msgstr "Не вдалося встановити сегмент dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
+#: lib/luks2/luks2_json_metadata.c:2563 lib/luks2/luks2_reencrypt.c:2128
 msgid "Failed to set dm-linear segment."
 msgstr "Не вдалося встановити сегмент dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
+#: lib/luks2/luks2_json_metadata.c:2683 src/utils_reencrypt.c:578
 msgid "No known cipher specification pattern detected in LUKS2 header."
 msgstr "Не виявлено жодного відомого зразка специфікації шифрування у заголовку LUKS."
 
-#: lib/luks2/luks2_json_metadata.c:2657
+#: lib/luks2/luks2_json_metadata.c:2691
 msgid "OPAL device must have static device size."
 msgstr "Пристій OPAL повинен мати статичний розмір пристрою."
 
-#: lib/luks2/luks2_json_metadata.c:2677
+#: lib/luks2/luks2_json_metadata.c:2711
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
 msgstr "Зашифрований пристрій OPAL із механізмами цілісності має бути меншим за діапазон блокування."
 
-#: lib/luks2/luks2_json_metadata.c:2682
+#: lib/luks2/luks2_json_metadata.c:2716
 msgid "OPAL device must have same size as locking range."
 msgstr "Пристрій OPAL повинен мати той самий розмір, що і діапазон блокування."
 
-#: lib/luks2/luks2_json_metadata.c:2702
+#: lib/luks2/luks2_json_metadata.c:2736
 #, c-format
 msgid "OPAL device is %s already unlocked.\n"
 msgstr "Пристрій OPAL %s вже розблоковано.\n"
 
-#: lib/luks2/luks2_json_metadata.c:2735
+#: lib/luks2/luks2_json_metadata.c:2775
 msgid "Unsupported device integrity configuration."
 msgstr "Непідтримувані налаштування цілісності даних на пристрої."
 
-#: lib/luks2/luks2_json_metadata.c:2751
+#: lib/luks2/luks2_json_metadata.c:2791
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
 msgstr "Базовий пристрій dm-integrity із неочікуваними наданими секторами даних."
 
-#: lib/luks2/luks2_json_metadata.c:2846
+#: lib/luks2/luks2_json_metadata.c:2886
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Виконуємо повторне шифрування. Не можна деактивувати пристрій."
 
-#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
+#: lib/luks2/luks2_json_metadata.c:2897 lib/luks2/luks2_reencrypt.c:4283
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Не вдалося замінити пристрій %s, роботу якого призупинено, ціллю dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
+#: lib/luks2/luks2_json_metadata.c:2976 lib/luks2/luks2_json_metadata.c:2998
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
 msgstr "Пристрій %s було деактивовано, але апаратний пристрій OPAL не може бути заблоковано."
 
-#: lib/luks2/luks2_json_metadata.c:2967
-msgid "Failed to read LUKS2 requirements."
-msgstr "Не вдалося прочитати вимоги LUKS2."
-
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:3020
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Виявлено невідповідність вимог LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2982
+#: lib/luks2/luks2_json_metadata.c:3028
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування застарілого варіанта. Перериваємо дію."
 
-#: lib/luks2/luks2_json_metadata.c:2984
+#: lib/luks2/luks2_json_metadata.c:3030
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування LUKS2. Перериваємо дію."
 
-#: lib/luks2/luks2_json_metadata.c:2986
+#: lib/luks2/luks2_json_metadata.c:3032
 msgid "Operation incompatible with device using OPAL. Aborting."
 msgstr "Дія є несумісною із пристроєм з використанням OPAL. Перериваємо дію."
 
-#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
+#: lib/luks2/luks2_json_metadata.c:3034
+msgid "Operation incompatible with device using inline HW tags. Aborting."
+msgstr "Дія є несумісною із пристроєм з використанням вбудованих апаратних міток. Перериваємо дію."
+
+#: lib/luks2/luks2_keyslot.c:543 lib/luks2/luks2_keyslot.c:601
 msgid "Not enough available memory to open a keyslot."
 msgstr "Недостатньо пам'яті для відкриття слоту ключів."
 
-#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
+#: lib/luks2/luks2_keyslot.c:545 lib/luks2/luks2_keyslot.c:603
 msgid "Keyslot open failed."
 msgstr "Не вдалося відкрити слот ключів."
 
-#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:99
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
 msgstr "Не можна використовувати шифрування %s-%s для слотів ключів."
 
-#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
-#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
+#: lib/luks2/luks2_keyslot_luks2.c:262
+msgid "Not enough memory for keyslot key derivation."
+msgstr "Недостатньо пам'яті для визначення ключа слоту ключів."
+
+#: lib/luks2/luks2_keyslot_luks2.c:276 lib/luks2/luks2_keyslot_luks2.c:405
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2733
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "Алгоритм хешування %s є недоступним."
 
-#: lib/luks2/luks2_keyslot_luks2.c:358
-msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr "Попередження: дія зі слотом ключа може завершитися помилкою, оскільки потребує більшого за доступний розміру пам'яті.\n"
-
-#: lib/luks2/luks2_keyslot_luks2.c:507
+#: lib/luks2/luks2_keyslot_luks2.c:522
 msgid "No space for new keyslot."
 msgstr "Немає простору для нового слоту ключа."
 
@@ -1721,428 +1796,438 @@ msgstr "Не вдалося перевірити стан пристрою з uu
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Не вдалося перетворити заголовок з додатковими метаданими LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_reencrypt.c:3890
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
 msgstr "Не вдалося використати специфікацію шифрування %s-%s для LUKS2."
 
-#: lib/luks2/luks2_luks1_convert.c:604
+#: lib/luks2/luks2_luks1_convert.c:599
+#, c-format
+msgid "Unable to use cipher specification %s-%s for LUKS2 keyslot."
+msgstr "Не вдалося використати специфікацію шифрування %s-%s для слоту ключів LUKS2."
+
+#: lib/luks2/luks2_luks1_convert.c:614
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Не вдалося пересунути область слотів ключів. Недостатньо місця."
 
-#: lib/luks2/luks2_luks1_convert.c:643
+#: lib/luks2/luks2_luks1_convert.c:653
 msgid "Cannot convert to LUKS2 format - invalid metadata."
 msgstr "Не вдалося перетворити до формату LUKS2 - некоректні метадані."
 
-#: lib/luks2/luks2_luks1_convert.c:660
+#: lib/luks2/luks2_luks1_convert.c:670
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
 msgstr "Не вдалося пересунути область слотів ключів. Область слотів ключів LUKS2 є надто малою."
 
-#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
+#: lib/luks2/luks2_luks1_convert.c:676 lib/luks2/luks2_luks1_convert.c:1006
 msgid "Unable to move keyslot area."
 msgstr "Не вдалося пересунути область слотів ключів."
 
-#: lib/luks2/luks2_luks1_convert.c:756
+#: lib/luks2/luks2_luks1_convert.c:791
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Не вдалося перетворити на формат LUKS1 — типовий розмір сектору шифрування сегмента не дорівнює 512 байтам."
 
-#: lib/luks2/luks2_luks1_convert.c:764
+#: lib/luks2/luks2_luks1_convert.c:799
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Не вдалося перетворити до формату LUKS1 — контрольні суми слотів ключів не сумісні з LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:776
+#: lib/luks2/luks2_luks1_convert.c:813
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується загорнуте шифрування ключів %s."
 
-#: lib/luks2/luks2_luks1_convert.c:781
+#: lib/luks2/luks2_luks1_convert.c:818
 msgid "Cannot convert to LUKS1 format - device uses more segments."
 msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується більше сегментів."
 
-#: lib/luks2/luks2_luks1_convert.c:789
+#: lib/luks2/luks2_luks1_convert.c:826
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Не вдалося перетворити до формату LUKS1 - заголовок LUKS2 містить %u жетонів."
 
-#: lib/luks2/luks2_luks1_convert.c:803
+#: lib/luks2/luks2_luks1_convert.c:832
+msgid "Cannot convert to LUKS1 format - there are no active keyslots."
+msgstr "Не вдалося перетворити до формату LUKS1 — немає активних слотів ключів."
+
+#: lib/luks2/luks2_luks1_convert.c:844
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Не вдалося перетворити до формату LUKS1 - слот ключа %u перебуває у некоректному стані."
 
-#: lib/luks2/luks2_luks1_convert.c:808
+#: lib/luks2/luks2_luks1_convert.c:849
+#, c-format
+msgid "Cannot convert to LUKS1 format - keyslot %u is unbound."
+msgstr "Не вдалося перетворити до формату LUKS1 - слот ключів %u є неприв'язаним."
+
+#: lib/luks2/luks2_luks1_convert.c:854
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Не вдалося перетворити до формату LUKS1 — слот %u (перевищує максимальну кількість слотів) усе ще є активним."
 
-#: lib/luks2/luks2_luks1_convert.c:813
+#: lib/luks2/luks2_luks1_convert.c:859
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "не вдалося перетворити до формату LUKS1 — слот ключів %u є несумісним з LUKS1."
 
-#: lib/luks2/luks2_reencrypt.c:1183
+#: lib/luks2/luks2_reencrypt.c:1198
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Розмір «гарячої» ділянки має бути кратним до обчисленого вирівнювання ділянки (%zu байтів)."
 
-#: lib/luks2/luks2_reencrypt.c:1188
+#: lib/luks2/luks2_reencrypt.c:1203
 #, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
 msgstr "Розмір пристрою має бути кратним до обчисленого вирівнювання ділянки (%zu байтів)."
 
-#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
-#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
-#: lib/luks2/luks2_reencrypt.c:3956
+#: lib/luks2/luks2_reencrypt.c:1410 lib/luks2/luks2_reencrypt.c:1596
+#: lib/luks2/luks2_reencrypt.c:1679 lib/luks2/luks2_reencrypt.c:1721
+#: lib/luks2/luks2_reencrypt.c:4077
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Не вдалося ініціалізувати обгортку старого сховища сегментів."
 
-#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
+#: lib/luks2/luks2_reencrypt.c:1424 lib/luks2/luks2_reencrypt.c:1574
 msgid "Failed to initialize new segment storage wrapper."
 msgstr "Не вдалося ініціалізувати обгортку нового сховища сегментів."
 
-#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
+#: lib/luks2/luks2_reencrypt.c:1550 lib/luks2/luks2_reencrypt.c:4089
 msgid "Failed to initialize hotzone protection."
 msgstr "Не вдалося ініціалізувати захист «гарячої» зони"
 
-#: lib/luks2/luks2_reencrypt.c:1609
+#: lib/luks2/luks2_reencrypt.c:1623
 msgid "Failed to read checksums for current hotzone."
 msgstr "Не вдалося прочитати контрольні суми для поточної «гарячої» ділянки."
 
-#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#: lib/luks2/luks2_reencrypt.c:1630 lib/luks2/luks2_reencrypt.c:4104
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Не вдалося прочитати «гарячу» ділянку, починаючи з %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:1635
+#: lib/luks2/luks2_reencrypt.c:1649
 #, c-format
 msgid "Failed to decrypt sector %zu."
 msgstr "Не вдалося розшифрувати сектор %zu."
 
-#: lib/luks2/luks2_reencrypt.c:1641
+#: lib/luks2/luks2_reencrypt.c:1655
 #, c-format
 msgid "Failed to recover sector %zu."
 msgstr "Не вдалося відновити сектор %zu."
 
-#: lib/luks2/luks2_reencrypt.c:2205
+#: lib/luks2/luks2_reencrypt.c:2208
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
 msgstr "Розміри пристроїв джерела та призначення не збігаються. Розмір джерела — %<PRIu64>, розмір призначення — %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2303
+#: lib/luks2/luks2_reencrypt.c:2310
 #, c-format
 msgid "Failed to activate hotzone device %s."
 msgstr "Не вдалося задіяти пристрій «гарячої» ділянки %s."
 
-#: lib/luks2/luks2_reencrypt.c:2320
+#: lib/luks2/luks2_reencrypt.c:2322
+#, c-format
+msgid "Failed to allocate hotzone device %s."
+msgstr "Не вдалося розмістити у пам'яті дані пристрою «гарячої» ділянки %s."
+
+#: lib/luks2/luks2_reencrypt.c:2339
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr "Не вдалося задіяти пристрій-накладку %s зі справжньою таблицею походження."
 
-#: lib/luks2/luks2_reencrypt.c:2327
+#: lib/luks2/luks2_reencrypt.c:2346
 #, c-format
 msgid "Failed to load new mapping for device %s."
 msgstr "Не вдалося завантажити нову прив'язку для пристрою %s."
 
-#: lib/luks2/luks2_reencrypt.c:2398
+#: lib/luks2/luks2_reencrypt.c:2418
 msgid "Failed to refresh reencryption devices stack."
 msgstr "Не вдалося освіжити тек пристрої для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:2598
+#: lib/luks2/luks2_reencrypt.c:2615
 msgid "Failed to set new keyslots area size."
 msgstr "Не вдалося встановити розмір області нових слотів ключів."
 
-#: lib/luks2/luks2_reencrypt.c:2734
+#: lib/luks2/luks2_reencrypt.c:2751
 #, c-format
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Значення зміщення даних не вирівняно до розміру сектора для шифрування (%<PRIu32> байтів)."
 
-#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
+#: lib/luks2/luks2_reencrypt.c:2788 src/utils_reencrypt.c:162
 #, c-format
 msgid "Unsupported resilience mode %s"
 msgstr "Непідтримуваний режим стійкості %s"
 
-#: lib/luks2/luks2_reencrypt.c:2808
+#: lib/luks2/luks2_reencrypt.c:2824
 msgid "Moved segment size can not be greater than data shift value."
 msgstr "Розмір пересунутого сегмента не може перевищувати значення зсуву даних."
 
-#: lib/luks2/luks2_reencrypt.c:2850
+#: lib/luks2/luks2_reencrypt.c:2866
 msgid "Invalid reencryption resilience parameters."
 msgstr "Некоректні параметри стійкості для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:2872
+#: lib/luks2/luks2_reencrypt.c:2888
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr "Пересунутий сегмент є надто великим. Потрібний розмір %<PRIu64>, доступне місце: %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:2959
+#: lib/luks2/luks2_reencrypt.c:2977
 msgid "Failed to clear table."
 msgstr "Не вдалося очистити таблицю."
 
-#: lib/luks2/luks2_reencrypt.c:3045
+#: lib/luks2/luks2_reencrypt.c:3063
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Зміщення даних (%<PRIu64> секторів) є меншим за майбутній зсув даних (%<PRIu64> секторів)."
+
+#: lib/luks2/luks2_reencrypt.c:3078 lib/luks2/luks2_reencrypt.c:3085
 msgid "Reduced data size is larger than real device size."
 msgstr "Зменшений розмір даних перевищує справжній розмір пристрою."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3095
 #, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "Пристрій зберігання даних не вирівняно до розміру сектора для шифрування (%<PRIu32> байтів)."
 
-#: lib/luks2/luks2_reencrypt.c:3086
-#, c-format
-msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
-msgstr "Зміщення даних (%<PRIu64> секторів) є меншим за майбутній зсув даних (%<PRIu64> секторів)."
-
-#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
-#: lib/luks2/luks2_reencrypt.c:3612
+#: lib/luks2/luks2_reencrypt.c:3125 lib/luks2/luks2_reencrypt.c:3640
+#: lib/luks2/luks2_reencrypt.c:3661
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Не вдалося відкрити %s в ексклюзивному режимі (вже пов'язано або змонтовано)."
 
-#: lib/luks2/luks2_reencrypt.c:3282
+#: lib/luks2/luks2_reencrypt.c:3332
 msgid "Device not marked for LUKS2 reencryption."
 msgstr "Пристрій не позначено для повторного шифрування LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
+#: lib/luks2/luks2_reencrypt.c:3349 lib/luks2/luks2_reencrypt.c:4400
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Не вдалося завантажити контекст повторного шифрування LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3389
-msgid "Failed to get reencryption state."
-msgstr "Не вдалося отримати стан повторного шифрування."
-
-#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
+#: lib/luks2/luks2_reencrypt.c:3441 lib/luks2/luks2_reencrypt.c:3781
 msgid "Device is not in reencryption."
 msgstr "Пристрій не перебуває у повторному шифруванні."
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3448 lib/luks2/luks2_reencrypt.c:3788
 msgid "Reencryption process is already running."
 msgstr "Процес повторного шифрування вже виконується."
 
-#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
+#: lib/luks2/luks2_reencrypt.c:3450 lib/luks2/luks2_reencrypt.c:3790
 msgid "Failed to acquire reencryption lock."
 msgstr "Не вдалося створити блокування для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3420
+#: lib/luks2/luks2_reencrypt.c:3468
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Продовження повторного шифрування неможливе. Спочатку слід виконати відновлення повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3555
+#: lib/luks2/luks2_reencrypt.c:3604
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Не збігаються розмір активного пристрою і запитаний розмір повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3569
+#: lib/luks2/luks2_reencrypt.c:3618
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "У параметрах повторного шифрування вказано некоректний розмір пристрою."
 
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/luks2/luks2_reencrypt.c:3720
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Виконується повторне шифрування. Неможливо виконати відновлення."
 
-#: lib/luks2/luks2_reencrypt.c:3814
+#: lib/luks2/luks2_reencrypt.c:3741
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Не вдалося виконати відновлення даних повторного шифрування LUKS2."
+
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:4353
+msgid "Failed to initialize reencryption device stack."
+msgstr "Не вдалося ініціалізувати стос пристроїв повторного шифрування."
+
+#: lib/luks2/luks2_reencrypt.c:3907
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Повторне шифрування LUKS2 вже ініційовано у метаданих."
 
-#: lib/luks2/luks2_reencrypt.c:3821
+#: lib/luks2/luks2_reencrypt.c:3915
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Не вдалося ініціалізувати повторне шифрування LUKS2 лише у метаданих."
 
-#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
+#: lib/luks2/luks2_reencrypt.c:3968 lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4030
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "Для пристроїв DAX (сталої пам'яті) не передбачено підтримки повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3881
-msgid "Failed to read passphrase from keyring."
-msgstr "Не вдалося прочитати пароль із ключа зі сховища ключів."
-
-#: lib/luks2/luks2_reencrypt.c:3938
+#: lib/luks2/luks2_reencrypt.c:4059
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Не вдалося встановити сегменти пристрою для наступної «гарячої» ділянки повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3990
+#: lib/luks2/luks2_reencrypt.c:4112
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Не вдалося записати метадані стійкості для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3997
+#: lib/luks2/luks2_reencrypt.c:4119
 msgid "Decryption failed."
 msgstr "Помилка розшифрування."
 
-#: lib/luks2/luks2_reencrypt.c:4002
+#: lib/luks2/luks2_reencrypt.c:4124
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Не вдалося записати «гарячу» ділянку, починаючи з %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:4007
+#: lib/luks2/luks2_reencrypt.c:4129
 msgid "Failed to sync data."
 msgstr "Не вдалося синхронізувати дані."
 
-#: lib/luks2/luks2_reencrypt.c:4015
+#: lib/luks2/luks2_reencrypt.c:4137
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Не вдалося оновити метадані після завершення обробки поточної «гарячої» зони повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:4104
+#: lib/luks2/luks2_reencrypt.c:4226
 msgid "Failed to write LUKS2 metadata."
 msgstr "Не вдалося записати метадані LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:4127
+#: lib/luks2/luks2_reencrypt.c:4249
 msgid "Failed to wipe unused data device area."
 msgstr "Не вдалося витерти область невикористаних даних пристрою."
 
-#: lib/luks2/luks2_reencrypt.c:4133
+#: lib/luks2/luks2_reencrypt.c:4255
 #, c-format
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "Не вдалося вилучити невикористаний (непов'язаний) слот ключа %d."
 
-#: lib/luks2/luks2_reencrypt.c:4143
+#: lib/luks2/luks2_reencrypt.c:4265
 msgid "Failed to remove reencryption keyslot."
 msgstr "Не вдалося вилучити слот ключа для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:4153
+#: lib/luks2/luks2_reencrypt.c:4275
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Критична помилка під час повторного шифрування фрагмента, починаючи з %<PRIu64>, довжиною у %<PRIu64> секторів."
 
-#: lib/luks2/luks2_reencrypt.c:4157
+#: lib/luks2/luks2_reencrypt.c:4279
 msgid "Online reencryption failed."
 msgstr "Не вдалося виконати інтерактивне повторне шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:4162
+#: lib/luks2/luks2_reencrypt.c:4284
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Не відновлюйте пристрій, якщо не заміните вручну пристрій призначення для помилок."
 
-#: lib/luks2/luks2_reencrypt.c:4214
+#: lib/luks2/luks2_reencrypt.c:4336
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Не вдалося виконати повторне шифрування. Неочікуваний стан засобу повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:4220
+#: lib/luks2/luks2_reencrypt.c:4342
 msgid "Missing or invalid reencrypt context."
 msgstr "Не вказано контекст повторного шифрування або вказано некоректний контекст."
 
-#: lib/luks2/luks2_reencrypt.c:4227
-msgid "Failed to initialize reencryption device stack."
-msgstr "Не вдалося ініціалізувати стос пристроїв повторного шифрування."
-
-#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
+#: lib/luks2/luks2_reencrypt.c:4376 lib/luks2/luks2_reencrypt.c:4413
 msgid "Failed to update reencryption context."
 msgstr "Не вдалося оновити контекст повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt_digest.c:408
+#: lib/luks2/luks2_reencrypt_digest.c:401
 msgid "Reencryption metadata is invalid."
 msgstr "Метадані повторного шифрування є некоректними."
 
-#: lib/luks2/hw_opal/hw_opal.c:328
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr "Відступ діапазону OPAL %d %<PRIu64> не відповідає очікуваним значенням %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:335
+#: lib/luks2/hw_opal/hw_opal.c:342
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr "Довжина діапазону OPAL %d %<PRIu64> не відповідає розміру пристрою %<PRIu64>."
 
-#: lib/luks2/hw_opal/hw_opal.c:341
+#: lib/luks2/hw_opal/hw_opal.c:348
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr "Вимкнено діапазон блокування %d OPAL."
 
-#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
+#: lib/luks2/hw_opal/hw_opal.c:358 lib/luks2/hw_opal/hw_opal.c:365
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr "Неочікуваний стан блокування діапазону OPAL %d."
 
-#: src/cryptsetup.c:80
+#: src/cryptsetup.c:87
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Параметри шифрування слоту ключів можна встановлювати лише для пристроїв LUKS2."
 
-#: src/cryptsetup.c:123 src/cryptsetup.c:2238
-#, c-format
-msgid "Enter token PIN: "
-msgstr "Введіть пінкод жетона: "
-
-#: src/cryptsetup.c:125 src/cryptsetup.c:2240
-#, c-format
-msgid "Enter token %d PIN: "
-msgstr "Введіть пінкод жетона %d: "
+#: src/cryptsetup.c:93
+msgid "Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."
+msgstr "Параметри шифрування слоту ключів є несумісними із шифруванням слотів ключів LUKS2."
 
-#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
-#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
-#: src/utils_reencrypt_luks1.c:567
+#: src/cryptsetup.c:150 src/cryptsetup.c:1180 src/cryptsetup.c:1547
+#: src/utils_reencrypt.c:1887 src/utils_reencrypt_luks1.c:502
+#: src/utils_reencrypt_luks1.c:565
 msgid "No known cipher specification pattern detected."
 msgstr "Не виявлено жодного відомого зразка специфікації шифрування."
 
-#: src/cryptsetup.c:193
+#: src/cryptsetup.c:160
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
 msgstr "УВАГА: використовуємо типові параметри шифрування (%s-%s, розмір ключа — %u бітів), що може бути несумісним із застарілими версіями."
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:165
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
 msgstr "УВАГА: використовуємо типові параметри хешування (%s), що може бути несумісним із застарілими версіями."
 
-#: src/cryptsetup.c:202
-msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr "Для простого режиму завжди використовувати параметри --cipher, --key-size і, якщо не використано файл ключа, також --hash."
+#: src/cryptsetup.c:169
+msgid "For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."
+msgstr "Для простого режиму завжди використовувати параметри --cipher, --key-size і, якщо не використано файл ключа або сховище ключів, також --hash."
 
-#: src/cryptsetup.c:208
+#: src/cryptsetup.c:175
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "Попередження: параметр --hash у простому режимі із вказаним файлом ключа ігнорується.\n"
 
-#: src/cryptsetup.c:216
+#: src/cryptsetup.c:189
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "Попередження: параметр --keyfile-size проігноровано, розмір прочитаних даних збігається із розміром ключа шифрування.\n"
 
-#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
-#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
+#: src/cryptsetup.c:226 src/cryptsetup.c:1377 src/cryptsetup.c:1600
+#: src/integritysetup.c:188 src/utils_reencrypt.c:2138
 #, c-format
 msgid "Blkid scan failed for %s."
 msgstr "Помилка сканування Blkid для %s."
 
-#: src/cryptsetup.c:259
+#: src/cryptsetup.c:232
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "На %s виявлено підписи пристроїв. Подальша обробка може пошкодити наявні дані."
 
-#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
-#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
-#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
-#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
-#: src/utils_reencrypt.c:759
+#: src/cryptsetup.c:238 src/cryptsetup.c:1263 src/cryptsetup.c:1311
+#: src/cryptsetup.c:1384 src/cryptsetup.c:1524 src/cryptsetup.c:1612
+#: src/cryptsetup.c:2497 src/cryptsetup.c:2926 src/integritysetup.c:178
+#: src/utils_reencrypt.c:111 src/utils_reencrypt.c:457
+#: src/utils_reencrypt.c:925
 msgid "Operation aborted.\n"
 msgstr "Дію перервано.\n"
 
-#: src/cryptsetup.c:338
+#: src/cryptsetup.c:323
 msgid "Option --key-file is required."
 msgstr "Слід вказати параметр --key-file."
 
-#: src/cryptsetup.c:389
+#: src/cryptsetup.c:377
 msgid "Enter VeraCrypt PIM: "
 msgstr "Введіть PIM VeraCrypt: "
 
-#: src/cryptsetup.c:398
+#: src/cryptsetup.c:386
 msgid "Invalid PIM value: parse error."
 msgstr "Некоректне значення PIM: помилка обробки."
 
-#: src/cryptsetup.c:401
+#: src/cryptsetup.c:389
 msgid "Invalid PIM value: 0."
 msgstr "Некоректне значення PIM: 0."
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:392
 msgid "Invalid PIM value: outside of range."
 msgstr "Некоректне значення PIM: поза межами діапазону."
 
-#: src/cryptsetup.c:427
+#: src/cryptsetup.c:415
 msgid "No device header detected with this passphrase."
 msgstr "Для цього пароля не виявлено заголовка пристрою."
 
-#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#: src/cryptsetup.c:492 src/cryptsetup.c:677
 #, c-format
 msgid "Device %s is not a valid BITLK device."
 msgstr "Пристрій %s не є коректним пристроєм BITLK."
 
-#: src/cryptsetup.c:508
+#: src/cryptsetup.c:500
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
 msgstr "Неможливо визначити розмір ключа тому для BITLK. Будь ласка, скористайтеся параметром --key-size."
 
-#: src/cryptsetup.c:550
+#: src/cryptsetup.c:546
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -2153,7 +2238,7 @@ msgstr ""
 "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n"
 "у безпечному місці."
 
-#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
+#: src/cryptsetup.c:613 src/cryptsetup.c:699 src/cryptsetup.c:2522
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
@@ -2164,84 +2249,84 @@ msgstr ""
 "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n"
 "у безпечному місці."
 
-#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#: src/cryptsetup.c:754 src/cryptsetup.c:786
 #, c-format
 msgid "Device %s is not a valid FVAULT2 device."
 msgstr "Пристрій %s не є коректним пристроєм FVAULT2."
 
-#: src/cryptsetup.c:791
+#: src/cryptsetup.c:794
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
 msgstr "Неможливо визначити розмір ключа тому для FVAULT2. Будь ласка, скористайтеся параметром --key-size."
 
-#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
+#: src/cryptsetup.c:848 src/veritysetup.c:317 src/integritysetup.c:410
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Пристрій %s усе ще є активним, його заплановано для відкладеного вилучення.\n"
 
-#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
-#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:881 src/cryptsetup.c:1810 src/cryptsetup.c:2084
+#: src/cryptsetup.c:2231 src/cryptsetup.c:2650 src/cryptsetup.c:2731
+#: src/cryptsetup.c:3264
 #, c-format
 msgid "Failed to set external tokens path %s."
 msgstr "Не вдалося встановити шлях до зовнішніх жетонів %s."
 
-#: src/cryptsetup.c:888
+#: src/cryptsetup.c:890
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Зміна розмірів активного пристрою потребує наявності ключа тому у сховищі ключів, але вказано параметр --disable-keyring."
 
-#: src/cryptsetup.c:1048
+#: src/cryptsetup.c:1059
 msgid "Benchmark interrupted."
 msgstr "Тестування перервано."
 
-#: src/cryptsetup.c:1069
+#: src/cryptsetup.c:1080
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     н/д\n"
 
-#: src/cryptsetup.c:1071
+#: src/cryptsetup.c:1082
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u ітерацій за секунду для %zu-бітового ключа\n"
 
-#: src/cryptsetup.c:1085
+#: src/cryptsetup.c:1096
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s н/д\n"
 
-#: src/cryptsetup.c:1087
+#: src/cryptsetup.c:1098
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u ітерацій, пам'ять: %5u, %1u паралельних потоків (процесорів) для %zu-бітового ключа (запит на %u мс часу)\n"
 
-#: src/cryptsetup.c:1111
+#: src/cryptsetup.c:1122
 msgid "Result of benchmark is not reliable."
 msgstr "Результат тестування є ненадійним."
 
-#: src/cryptsetup.c:1161
+#: src/cryptsetup.c:1172
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Наближені значення під час перевірки визначаються лише за допомогою оперативної пам’яті (без запису на диск).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1186
+#: src/cryptsetup.c:1197
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "№%*s Алгоритм |      Ключ |      Шифрування |   Розшифрування\n"
 
-#: src/cryptsetup.c:1194
+#: src/cryptsetup.c:1205
 #, c-format
 msgid "Cipher %s (with %i bits key) is not available."
 msgstr "Шифрування  %s (розмір ключа — %i бітів) є недоступним."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1213
+#: src/cryptsetup.c:1224
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "№      Алгоритм |      Ключ |      Шифрування |   Розшифрування\n"
 
-#: src/cryptsetup.c:1224
+#: src/cryptsetup.c:1235
 msgid "N/A"
 msgstr "н/д"
 
-#: src/cryptsetup.c:1249
+#: src/cryptsetup.c:1260
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
@@ -2249,27 +2334,27 @@ msgstr ""
 "Виявлено незахищені метадані повторного шифрування LUKS2. Будь ласка, перевірте, чи бажаною є дія з повторного шифрування\n"
 "(див. виведення luksDump), і продовжуйте (оновлення метаданих), лише якщо впевнені, що дія є бажаною."
 
-#: src/cryptsetup.c:1255
+#: src/cryptsetup.c:1266
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "Вкажіть пароль для захисту і оновлення метаданих повторного шифрування: "
 
-#: src/cryptsetup.c:1299
+#: src/cryptsetup.c:1310
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Ви справді хочете продовжити процедуру відновлення повторного шифрування LUKS2?"
 
-#: src/cryptsetup.c:1308
+#: src/cryptsetup.c:1319
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "Вкажіть пароль для перевірки контрольної суми метаданих повторного шифрування: "
 
-#: src/cryptsetup.c:1310
+#: src/cryptsetup.c:1321
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Вкажіть пароль для відновлення повторного шифрування: "
 
-#: src/cryptsetup.c:1370
+#: src/cryptsetup.c:1383
 msgid "Really try to repair LUKS device header?"
 msgstr "Спробувати відновити заголовок пристрою LUKS?"
 
-#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
+#: src/cryptsetup.c:1411 src/integritysetup.c:76 src/integritysetup.c:244
 msgid ""
 "\n"
 "Wipe interrupted."
@@ -2277,7 +2362,7 @@ msgstr ""
 "\n"
 "Витирання перервано."
 
-#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
+#: src/cryptsetup.c:1416 src/integritysetup.c:81 src/integritysetup.c:283
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -2285,156 +2370,167 @@ msgstr ""
 "Витираємо пристрій для ініціалізації контрольних сум для цілісності.\n"
 "Ви можете перервати цей процес натисканням комбінації клавіш CTRL+C (решта невитертого пристрою міститиме некоректну контрольну суму).\n"
 
-#: src/cryptsetup.c:1421 src/integritysetup.c:103
+#: src/cryptsetup.c:1438 src/integritysetup.c:103
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Не можна скасувати активацію тимчасового пристрою %s."
 
-#: src/cryptsetup.c:1476
+#: src/cryptsetup.c:1486
+msgid "OPAL hw-only encryption does not support --cipher and --key-size, options ignored."
+msgstr "У апаратному шифрування OPAL не передбачено підтримки параметрів --cipher і --key-size, параметри проігноровано."
+
+#: src/cryptsetup.c:1499
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Параметр цілісності може бути використано лише для формату LUKS2."
 
-#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
+#: src/cryptsetup.c:1504 src/cryptsetup.c:1584
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Непідтримувані параметри розміру метаданих LUKS2."
 
-#: src/cryptsetup.c:1486
+#: src/cryptsetup.c:1509
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "Підтримку OPAL передбачено лише для формату LUKS2."
 
-#: src/cryptsetup.c:1495
+#: src/cryptsetup.c:1514
+msgid "Inline hw tags are supported only for LUKS2 format."
+msgstr "Підтримку вбудованих апаратних міток передбачено лише для формату LUKS2."
+
+#: src/cryptsetup.c:1523
 msgid "Header file does not exist, do you want to create it?"
 msgstr "Файла заголовка не існує. Хочете його створити?"
 
-#: src/cryptsetup.c:1503
+#: src/cryptsetup.c:1531
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Не вдалося створити файл заголовка %s."
 
-#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
-#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
-#: src/integritysetup.c:329
+#: src/cryptsetup.c:1557 src/integritysetup.c:126 src/integritysetup.c:141
+#: src/integritysetup.c:150 src/integritysetup.c:322 src/integritysetup.c:330
+#: src/integritysetup.c:340
 msgid "No known integrity specification pattern detected."
 msgstr "Не виявлено жодного відомого зразка специфікації цілісності."
 
-#: src/cryptsetup.c:1539
+#: src/cryptsetup.c:1559
+msgid "Cannot use specified integrity key size."
+msgstr "Не можна використовувати вказаний розмір ключа цілісності."
+
+#: src/cryptsetup.c:1577
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Не можна використовувати %s як заголовок на диску."
 
-#: src/cryptsetup.c:1568 src/integritysetup.c:168
+#: src/cryptsetup.c:1606 src/integritysetup.c:172
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Дані на %s буде перезаписано без можливості відновлення."
 
-#: src/cryptsetup.c:1605
+#: src/cryptsetup.c:1643
 msgid "OPAL Admin password cannot be empty."
 msgstr "Пароль адміністратора OPAL не може бути порожнім."
 
-#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
-#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
+#: src/cryptsetup.c:1657 src/cryptsetup.c:2101 src/cryptsetup.c:2244
+#: src/cryptsetup.c:2379 src/cryptsetup.c:2445 src/utils_reencrypt_luks1.c:428
 msgid "Failed to set pbkdf parameters."
 msgstr "Не вдалося встановити параметри pbkdf."
 
-#: src/cryptsetup.c:1751
-msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
-msgstr "Специфікацію типу у специфікації сховища ключів --link-vk-to-keyring проігноровано."
-
-#: src/cryptsetup.c:1816
-msgid "Key types have to be the same for both volume keys."
-msgstr "Типи ключів мають бути однаковими для обох ключів тому."
-
-#: src/cryptsetup.c:1821
-msgid "Both volume keys have to be linked to the same keyring."
-msgstr "Обидва ключі томів мають бути пов'язані із одним сховищем ключів."
-
-#: src/cryptsetup.c:1831
-msgid "You need to supply more key names."
-msgstr "Вам слід вказати більше назв ключів."
-
-#: src/cryptsetup.c:1835
-msgid "Invalid --link-vk-to-keyring value."
-msgstr "Некоректне значення --link-vk-to-keyring."
-
-#: src/cryptsetup.c:1880
+#: src/cryptsetup.c:1788
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Зменшений відступ даних можна використовувати лише для від’єднаних заголовків LUKS."
 
-#: src/cryptsetup.c:1887
+#: src/cryptsetup.c:1795
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr "Контейнер файлів LUKS %s є надто малим для активації, на ньому не лишиться місця для даних."
 
-#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
+#: src/cryptsetup.c:1837 src/cryptsetup.c:2250 src/utils_reencrypt.c:277
+#: src/utils_reencrypt.c:369 src/utils_reencrypt.c:1907
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Неможливо визначити розмір ключа тому для LUKS без слотів ключів. Будь ласка, скористайтеся параметром --key-size."
 
-#: src/cryptsetup.c:1981
+#: src/cryptsetup.c:1856 src/utils_reencrypt.c:303
+msgid "Device requires two volume keys."
+msgstr "Для пристрою потрібні два ключі тому."
+
+#: src/cryptsetup.c:1891
+msgid "Some specified activation parameters were ignored with OPAL hw-only encryption."
+msgstr "Деякі із вказаних параметрів активації було проігноровано через апаратне шифрування OPAL."
+
+#: src/cryptsetup.c:1896
 msgid "Device activated but cannot make flags persistent."
 msgstr "Пристрій задіяно, але не вдалося зробити прапорці сталими."
 
-#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
+#: src/cryptsetup.c:1976 src/cryptsetup.c:2044
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Слот ключа %d позначено для вилучення."
 
-#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
+#: src/cryptsetup.c:1988 src/cryptsetup.c:2048
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Це останній слот ключа. Пристрій стане непридатним для використання після спорожнення цього ключа."
 
-#: src/cryptsetup.c:2078
+#: src/cryptsetup.c:1989
 msgid "Enter any remaining passphrase: "
 msgstr "Введіть будь-який інший пароль: "
 
-#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
+#: src/cryptsetup.c:1990 src/cryptsetup.c:2050
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Дію перервано, слот ключів НЕ витерто.\n"
 
-#: src/cryptsetup.c:2115
+#: src/cryptsetup.c:2026
 msgid "Enter passphrase to be deleted: "
 msgstr "Введіть пароль, який слід вилучити: "
 
-#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:2076 src/cryptsetup.c:2428 src/cryptsetup.c:3088
+#: src/cryptsetup.c:3255
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "Пристрій %s не є коректним пристроєм LUKS2."
 
-#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
+#: src/cryptsetup.c:2115 src/cryptsetup.c:2314
 msgid "Enter new passphrase for key slot: "
 msgstr "Введіть новий пароль для слота ключа: "
 
-#: src/cryptsetup.c:2306
+#: src/cryptsetup.c:2149 src/utils_luks.c:342
+#, c-format
+msgid "Enter token PIN: "
+msgstr "Введіть пінкод жетона: "
+
+#: src/cryptsetup.c:2151 src/utils_luks.c:344
+#, c-format
+msgid "Enter token %d PIN: "
+msgstr "Введіть пінкод жетона %d: "
+
+#: src/cryptsetup.c:2210
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "Попередження: параметр --key-slot використано для нового числа слоту ключа.\n"
 
-#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
+#: src/cryptsetup.c:2287 src/utils_reencrypt_luks1.c:1094
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Введіть будь-який пароль: "
 
-#: src/cryptsetup.c:2504
+#: src/cryptsetup.c:2383
 msgid "Enter passphrase to be changed: "
 msgstr "Введіть пароль, який слід змінити: "
 
-#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
+#: src/cryptsetup.c:2399 src/utils_reencrypt_luks1.c:1080
 msgid "Enter new passphrase: "
 msgstr "Введіть новий пароль: "
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:2449
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Вкажіть пароль для слоту ключа, який буде перетворено: "
 
-#: src/cryptsetup.c:2594
+#: src/cryptsetup.c:2473
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "У команді isLuks можна використовувати лише один аргумент назви пристрою."
 
-#: src/cryptsetup.c:2702
+#: src/cryptsetup.c:2578
 #, c-format
 msgid "Keyslot %d does not contain unbound key."
 msgstr "Слот ключа %d не містить непов'язаного ключа."
 
-#: src/cryptsetup.c:2707
+#: src/cryptsetup.c:2583
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
@@ -2442,52 +2538,52 @@ msgstr ""
 "Дамп заголовка з непов'язаним ключем є конфіденційними даними.\n"
 "Цей дамп слід зберігати у зашифрованому форматі у безпечному місці."
 
-#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
+#: src/cryptsetup.c:2678 src/cryptsetup.c:2714
 #, c-format
 msgid "%s is not active %s device name."
 msgstr "%s не є назвою активного пристрою %s."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:2709
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr "%s не є назвою активного пристрою LUKS або пропущено заголовок."
 
-#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
+#: src/cryptsetup.c:2786 src/cryptsetup.c:2805
 msgid "Option --header-backup-file is required."
 msgstr "Слід вказати параметр --header-backup-file."
 
-#: src/cryptsetup.c:2962
+#: src/cryptsetup.c:2836
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s не є керованим cryptsetup пристроєм."
 
-#: src/cryptsetup.c:2973
+#: src/cryptsetup.c:2847
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Підтримки дії з оновлення для пристрою типу %s не передбачено."
 
-#: src/cryptsetup.c:3023
+#: src/cryptsetup.c:2897
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Нерозпізнаний тип пристрою метаданих, %s."
 
-#: src/cryptsetup.c:3025
+#: src/cryptsetup.c:2899
 msgid "Command requires device and mapped name as arguments."
 msgstr "Аргументами команди мають бути назва пристрою та призначена до нього назва."
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL PSID: "
 msgstr "Введіть PSID OPAL: "
 
-#: src/cryptsetup.c:3035
+#: src/cryptsetup.c:2917
 msgid "Enter OPAL Admin password: "
 msgstr "Введіть пароль адміністратора OPAL: "
 
-#: src/cryptsetup.c:3043
+#: src/cryptsetup.c:2925
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr "УВАГА: УВЕСЬ диск буде повернуто до початкових параметрів, а усі дані на ньому буде втрачено! Виконати дію?"
 
-#: src/cryptsetup.c:3086
+#: src/cryptsetup.c:2968
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2496,351 +2592,363 @@ msgstr ""
 "У результаті виконання цієї операції буде витерто усі слоти ключів на пристрої %s.\n"
 "Після виконання цієї дії пристроєм не можна буде скористатися."
 
-#: src/cryptsetup.c:3093
+#: src/cryptsetup.c:2975
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Дію перервано, слоти ключів НЕ витерто.\n"
 
-#: src/cryptsetup.c:3132
+#: src/cryptsetup.c:3014
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Некоректний тип LUKS. Передбачено підтримку лише luks1 і luks2."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3030
 #, c-format
 msgid "Device is already %s type."
 msgstr "Пристрій вже належить до типу %s."
 
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3037
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Ця дія перетворить %s до формату %s.\n"
 
-#: src/cryptsetup.c:3158
+#: src/cryptsetup.c:3040
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Дію перервано, дані пристрою НЕ перетворено.\n"
 
-#: src/cryptsetup.c:3198
+#: src/cryptsetup.c:3080
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Пропущено параметр --priority, --label або --subsystem."
 
-#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3114 src/cryptsetup.c:3154 src/cryptsetup.c:3174
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Жетон %d є некоректним."
 
-#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3117 src/cryptsetup.c:3177
 #, c-format
 msgid "Token %d in use."
 msgstr "Жетон %d використовується."
 
-#: src/cryptsetup.c:3247
+#: src/cryptsetup.c:3129
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Не вдалося додати жетон %d зі сховища ключів luks2."
 
-#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
+#: src/cryptsetup.c:3140 src/cryptsetup.c:3203
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Не вдалося прив'язати жетон %d до слоту ключа %d."
 
-#: src/cryptsetup.c:3275
+#: src/cryptsetup.c:3157
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Жетон %d не використовується."
 
-#: src/cryptsetup.c:3312
+#: src/cryptsetup.c:3194
 msgid "Failed to import token from file."
 msgstr "Не вдалося імпортувати жетон з файла."
 
-#: src/cryptsetup.c:3337
+#: src/cryptsetup.c:3219
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Не вдалося отримати жетон %d для експортування."
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3232
 #, c-format
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "Жетон %d не пов'язано зі слотом ключа %d."
 
-#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
+#: src/cryptsetup.c:3234 src/cryptsetup.c:3241
 #, c-format
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "Не вдалося відв'язати жетон %d від слоту ключа %d."
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3300
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
 msgstr "Підтримку параметрів --tcrypt-hidden, --tcrypt-system і --tcrypt-backup передбачено лише для пристроїв TCRYPT."
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3303
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
 msgstr "Підтримку параметра --veracrypt або --disable-veracrypt передбачено лише для пристроїв TCRYPT."
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3306
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
 msgstr "Параметр --veracrypt-pim можна використовувати лише для сумісних із VeraCrypt пристроїв."
 
-#: src/cryptsetup.c:3428
+#: src/cryptsetup.c:3310
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
 msgstr "Параметр --veracrypt-query-pim можна використовувати лише для сумісних із VeraCrypt пристроїв."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3312
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
 msgstr "Не можна поєднувати параметри --veracrypt-pim і --veracrypt-query-pim."
 
-#: src/cryptsetup.c:3439
+#: src/cryptsetup.c:3321
 msgid "Option --persistent is not allowed with --test-passphrase."
 msgstr "Параметр --persistent не можна використовувати разом із --test-passphrase."
 
-#: src/cryptsetup.c:3442
+#: src/cryptsetup.c:3324
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
 msgstr "Не можна поєднувати параметри --refresh і --test-passphrase."
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3327
 msgid "Option --shared is allowed only for open of plain device."
 msgstr "Параметр --shared можна використовувати лише для відкриття незашифрованого пристрою."
 
-#: src/cryptsetup.c:3448
+#: src/cryptsetup.c:3330
 msgid "Option --skip is supported only for open of plain and loopaes devices."
 msgstr "Підтримку параметра --skip передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes."
 
-#: src/cryptsetup.c:3451
+#: src/cryptsetup.c:3333
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
 msgstr "Підтримку параметра --offset разом із дією з відкриття передбачено лише для незашифрованих пристроїв та пристроїв loopaes."
 
-#: src/cryptsetup.c:3454
+#: src/cryptsetup.c:3336
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
 msgstr "Параметр --tcrypt-hidden не можна поєднувати з --allow-discards."
 
-#: src/cryptsetup.c:3458
+#: src/cryptsetup.c:3340
 msgid "Sector size option with open action is supported only for plain devices."
 msgstr "Підтримку параметра розміру сектора разом із дією з відкриття передбачено лише для незашифрованих пристроїв."
 
-#: src/cryptsetup.c:3462
+#: src/cryptsetup.c:3344
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
 msgstr "Підтримку можливості використання великих секторів IV передбачено лише для відкриття пристроїв простого типу з розміром сектора, який перевищує 512 байтів."
 
-#: src/cryptsetup.c:3467
+#: src/cryptsetup.c:3349
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
 msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS, TCRYPT, BITLK та FVAULT2."
 
-#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3382
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Не можна одночасно використовувати параметри --device-size і --size."
 
-#: src/cryptsetup.c:3473
+#: src/cryptsetup.c:3355
 msgid "Option --unbound is allowed only for open of luks device."
 msgstr "Параметр --sunbound можна використовувати лише для відкриття пристрою LUKS."
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3358
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "Параметр --unbound не можна використовувати без --test-passphrase."
 
-#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
+#: src/cryptsetup.c:3362
+msgid "Option --volume-key-keyring cannot be combined with --hash or --volume-key-file."
+msgstr "Параметр --volume-key-keyring не можна поєднувати з --hash і --volume-key-file."
+
+#: src/cryptsetup.c:3365
+msgid "Both --volume-key-file options must be paired with respective --key-size options."
+msgstr "Обидва параметри --volume-key-file має бути поєднано із відповідними параметрами --key-size."
+
+#: src/cryptsetup.c:3374 src/veritysetup.c:673 src/integritysetup.c:784
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr "Не можна одночасно використовувати параметр --cancel-deferred і --deferred."
 
-#: src/cryptsetup.c:3501
-msgid "Options --reduce-device-size and --device-size cannot be combined."
-msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --device-size."
-
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3390
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "Параметр --active-name можна встановлювати лише для пристроїв LUKS2."
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3393
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr "Не можна одночасно використовувати параметри ---active-name і --force-offline-reencrypt."
 
-#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
+#: src/cryptsetup.c:3396
+msgid "Options --new-volume-key-file and --keep-key cannot be combined."
+msgstr "Не можна поєднувати параметри --new-volume-key-file і --keep-key."
+
+#: src/cryptsetup.c:3399
+msgid "Options --new-volume-key-keyring and --keep-key cannot be combined."
+msgstr "Не можна поєднувати параметри --new-volume-key-keyring і --keep-key."
+
+#: src/cryptsetup.c:3407 src/cryptsetup.c:3437
 msgid "Keyslot specification is required."
 msgstr "Слід вказати специфікація слотів ключів."
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3415
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Не можна одночасно використовувати параметри --align-payload і --offset."
 
-#: src/cryptsetup.c:3526
+#: src/cryptsetup.c:3418
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr "Параметром --integrity-no-wipe можна користуватися лише для дії з форматування із розширенням забезпечення цілісності."
 
-#: src/cryptsetup.c:3529
+#: src/cryptsetup.c:3421
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Можна використовувати лише один з параметрів --use-[u]random."
 
-#: src/cryptsetup.c:3537
+#: src/cryptsetup.c:3429
 msgid "Key size is required with --unbound option."
 msgstr "Разом із параметром --unbound слід вказувати розмір ключа."
 
-#: src/cryptsetup.c:3557
+#: src/cryptsetup.c:3449
 msgid "Invalid token action."
 msgstr "Некоректна дія з жетоном."
 
-#: src/cryptsetup.c:3560
+#: src/cryptsetup.c:3452
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Параметр --key-description є обов'язковим для дій із додавання жетонів."
 
-#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
+#: src/cryptsetup.c:3456 src/cryptsetup.c:3469
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Для виконання дії потрібен специфічний жетон. Скористайтеся параметром --token-id."
 
-#: src/cryptsetup.c:3568
+#: src/cryptsetup.c:3460
 msgid "Option --unbound is valid only with token add action."
 msgstr "Параметр --unbound можна використовувати лише разом із дією з додавання жетона."
 
-#: src/cryptsetup.c:3570
+#: src/cryptsetup.c:3462
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr "Не можна поєднувати параметри --key-slot і --unbound."
 
-#: src/cryptsetup.c:3575
+#: src/cryptsetup.c:3467
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr "Дія потребує зазначення слоту ключа. Скористайтеся параметром --key-slot."
 
-#: src/cryptsetup.c:3591
+#: src/cryptsetup.c:3483
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<пристрій> [--type <тип>] [<назва>]"
 
-#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
+#: src/cryptsetup.c:3483 src/veritysetup.c:487 src/integritysetup.c:551
 msgid "open device as <name>"
 msgstr "відкрити пристрій як <назва>"
 
-#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
-#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
-#: src/integritysetup.c:533 src/integritysetup.c:535
+#: src/cryptsetup.c:3484 src/cryptsetup.c:3485 src/cryptsetup.c:3486
+#: src/veritysetup.c:488 src/veritysetup.c:489 src/integritysetup.c:552
+#: src/integritysetup.c:553 src/integritysetup.c:555
 msgid "<name>"
 msgstr "<назва>"
 
-#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
+#: src/cryptsetup.c:3484 src/veritysetup.c:488 src/integritysetup.c:552
 msgid "close device (remove mapping)"
 msgstr "закрити пристрій (вилучити призначення)"
 
-#: src/cryptsetup.c:3593 src/integritysetup.c:535
+#: src/cryptsetup.c:3485 src/integritysetup.c:555
 msgid "resize active device"
 msgstr "змінити розмір активного пристрою"
 
-#: src/cryptsetup.c:3594
+#: src/cryptsetup.c:3486
 msgid "show device status"
 msgstr "показати стан пристрою"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <шифр>]"
 
-#: src/cryptsetup.c:3595
+#: src/cryptsetup.c:3487
 msgid "benchmark cipher"
 msgstr "перевірити швидкодію шифрування"
 
-#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
-#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
-#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
-#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
-#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
+#: src/cryptsetup.c:3488 src/cryptsetup.c:3489 src/cryptsetup.c:3490
+#: src/cryptsetup.c:3491 src/cryptsetup.c:3492 src/cryptsetup.c:3499
+#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/cryptsetup.c:3503 src/cryptsetup.c:3504 src/cryptsetup.c:3505
+#: src/cryptsetup.c:3506 src/cryptsetup.c:3507 src/cryptsetup.c:3508
 msgid "<device>"
 msgstr "<пристрій>"
 
-#: src/cryptsetup.c:3596
+#: src/cryptsetup.c:3488
 msgid "try to repair on-disk metadata"
 msgstr "спробувати виправити метадані на диску"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3489
 msgid "reencrypt LUKS2 device"
 msgstr "повторно зашифрувати пристрій LUKS2"
 
-#: src/cryptsetup.c:3598
+#: src/cryptsetup.c:3490
 msgid "erase all keyslots (remove encryption key)"
 msgstr "витерти усі слоти ключів (вилучити ключ шифрування)"
 
-#: src/cryptsetup.c:3599
+#: src/cryptsetup.c:3491
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "перетворити LUKS із формату LUKS2 або навпаки"
 
-#: src/cryptsetup.c:3600
+#: src/cryptsetup.c:3492
 msgid "set permanent configuration options for LUKS2"
 msgstr "встановити сталі параметри налаштування для LUKS2"
 
-#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3494
 msgid "<device> [<new key file>]"
 msgstr "<пристрій> [<новий файл ключа>]"
 
-#: src/cryptsetup.c:3601
+#: src/cryptsetup.c:3493
 msgid "formats a LUKS device"
 msgstr "форматує пристрій LUKS"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3494
 msgid "add key to LUKS device"
 msgstr "додати ключ до пристрою LUKS"
 
-#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
+#: src/cryptsetup.c:3495 src/cryptsetup.c:3496 src/cryptsetup.c:3497
 msgid "<device> [<key file>]"
 msgstr "<пристрій> [<файл ключа>]"
 
-#: src/cryptsetup.c:3603
+#: src/cryptsetup.c:3495
 msgid "removes supplied key or key file from LUKS device"
 msgstr "вилучає наданий ключ або файл ключа з пристрою LUKS"
 
-#: src/cryptsetup.c:3604
+#: src/cryptsetup.c:3496
 msgid "changes supplied key or key file of LUKS device"
 msgstr "змінює наданий ключ або файл ключа пристрою LUKS"
 
-#: src/cryptsetup.c:3605
+#: src/cryptsetup.c:3497
 msgid "converts a key to new pbkdf parameters"
 msgstr "перетворює ключ до нових параметрів pbkdf"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "<device> <key slot>"
 msgstr "<пристрій> <слот ключа>"
 
-#: src/cryptsetup.c:3606
+#: src/cryptsetup.c:3498
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "вилучає ключ з номером <слот ключа> з пристрою LUKS"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3499
 msgid "print UUID of LUKS device"
 msgstr "вивести UUID пристрою LUKS"
 
-#: src/cryptsetup.c:3608
+#: src/cryptsetup.c:3500
 msgid "tests <device> for LUKS partition header"
 msgstr "виконати спробу виявлення заголовка розділу LUKS на пристрої <пристрій>"
 
-#: src/cryptsetup.c:3609
+#: src/cryptsetup.c:3501
 msgid "dump LUKS partition information"
 msgstr "створити дамп даних щодо розділу LUKS"
 
-#: src/cryptsetup.c:3610
+#: src/cryptsetup.c:3502
 msgid "dump TCRYPT device information"
 msgstr "створити дамп даних пристрою TCRYPT"
 
-#: src/cryptsetup.c:3611
+#: src/cryptsetup.c:3503
 msgid "dump BITLK device information"
 msgstr "створити дамп даних пристрою BITLK"
 
-#: src/cryptsetup.c:3612
+#: src/cryptsetup.c:3504
 msgid "dump FVAULT2 device information"
 msgstr "створити дамп даних пристрою FVAULT2"
 
-#: src/cryptsetup.c:3613
+#: src/cryptsetup.c:3505
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Приспати пристрій LUKS і витерти ключ (роботу всіх каналів введення-виведення буде заморожено)"
 
-#: src/cryptsetup.c:3614
+#: src/cryptsetup.c:3506
 msgid "Resume suspended LUKS device"
 msgstr "Відновити роботу приспаного пристрою LUKS"
 
-#: src/cryptsetup.c:3615
+#: src/cryptsetup.c:3507
 msgid "Backup LUKS device header and keyslots"
 msgstr "Створити резервну копію заголовка пристрою LUKS і слотів ключів"
 
-#: src/cryptsetup.c:3616
+#: src/cryptsetup.c:3508
 msgid "Restore LUKS device header and keyslots"
 msgstr "Відновити заголовок пристрою LUKS і слоти ключів"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <пристрій>"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3509
 msgid "Manipulate LUKS2 tokens"
 msgstr "Керування жетонами LUKS2"
 
-#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
+#: src/cryptsetup.c:3528 src/veritysetup.c:505 src/integritysetup.c:570
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2848,7 +2956,7 @@ msgstr ""
 "\n"
 "<дія> є однією з таких:\n"
 
-#: src/cryptsetup.c:3642
+#: src/cryptsetup.c:3534
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -2861,7 +2969,7 @@ msgstr ""
 "\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
 "\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3646
+#: src/cryptsetup.c:3538
 #, c-format
 msgid ""
 "\n"
@@ -2876,7 +2984,7 @@ msgstr ""
 "<слот ключа> — номер слота ключа LUKS, який слід змінити\n"
 "<файл ключа> — необов’язковий файл ключа для нового ключа для дії luksAddKey\n"
 
-#: src/cryptsetup.c:3653
+#: src/cryptsetup.c:3545
 #, c-format
 msgid ""
 "\n"
@@ -2885,7 +2993,7 @@ msgstr ""
 "\n"
 "Типовий укомпільований формат метаданих — %s (для дії luksFormat).\n"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3550
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
@@ -2893,12 +3001,12 @@ msgstr ""
 "\n"
 "Підтримку додатків зовнішніх жетонів LUKS2 увімкнено.\n"
 
-#: src/cryptsetup.c:3659
+#: src/cryptsetup.c:3551
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr "Шлях до теки додатків зовнішніх жетонів LUKS2: %s.\n"
 
-#: src/cryptsetup.c:3661
+#: src/cryptsetup.c:3553
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
@@ -2906,7 +3014,7 @@ msgstr ""
 "\n"
 "Підтримку додатків зовнішніх жетонів LUKS2 вимкнено.\n"
 
-#: src/cryptsetup.c:3665
+#: src/cryptsetup.c:3557
 #, c-format
 msgid ""
 "\n"
@@ -2923,7 +3031,7 @@ msgstr ""
 "Типовий PBKDF для LUKS2: %s\n"
 "\tЧас ітерації: %d, потрібний обсяг пам'яті: %d кБ, паралельних потоків: %d\n"
 
-#: src/cryptsetup.c:3676
+#: src/cryptsetup.c:3568
 #, c-format
 msgid ""
 "\n"
@@ -2938,110 +3046,122 @@ msgstr ""
 "\tзвичайне: %s, ключ: %d-бітовий, хешування пароля: %s\n"
 "\tLUKS: %s, ключ: %d-бітовий, хешування заголовка LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3577
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: типовий розмір ключа у режимі XTS (два вбудованих ключа) буде подвоєно.\n"
 
-#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
+#: src/cryptsetup.c:3595 src/veritysetup.c:647 src/integritysetup.c:730
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: слід вказати у параметрах %s"
 
-#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
+#: src/cryptsetup.c:3635 src/utils_reencrypt_luks1.c:1143
 msgid "Key slot is invalid."
 msgstr "Некоректний слот ключа."
 
-#: src/cryptsetup.c:3771
+#: src/cryptsetup.c:3663
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Розмір пристрою має бути кратним до 512-байтового сектора."
 
-#: src/cryptsetup.c:3776
+#: src/cryptsetup.c:3668
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Некоректна специфікація розміру «гарячої» ділянки повторного шифрування."
 
-#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
+#: src/cryptsetup.c:3682 src/cryptsetup.c:3699 src/cryptsetup.c:3711
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Розмір ключа має бути кратним 8 бітам"
 
-#: src/cryptsetup.c:3809
+#: src/cryptsetup.c:3689
+msgid "At most 2 key size specifications can be supplied."
+msgstr "Можна надати не більше 2 специфікацій розмірів ключів."
+
+#: src/cryptsetup.c:3718 src/cryptsetup.c:3729
 #, c-format
 msgid "At most %d volume key specifications can be supplied."
 msgstr "Можна надати не більше %d специфікацій ключів томів."
 
-#: src/cryptsetup.c:3821
+#: src/cryptsetup.c:3741
 #, c-format
 msgid "At most %d keyring link specifications can be supplied."
 msgstr "Можна надати не більше %d специфікацій посилань на сховище ключів."
 
-#: src/cryptsetup.c:3830
+#: src/cryptsetup.c:3750
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 1 ГіБ."
 
-#: src/cryptsetup.c:3833
+#: src/cryptsetup.c:3753
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Розмір зменшення має бути кратним до 512-байтового сектора."
 
-#: src/cryptsetup.c:3850
+#: src/cryptsetup.c:3770
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr "Значенням для параметра --priority може бути лише один з таких рядків: ignore, normal або prefer."
 
-#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
+#: src/cryptsetup.c:3789 src/veritysetup.c:568 src/integritysetup.c:650
 msgid "Show this help message"
 msgstr "Показати цю довідку"
 
-#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
+#: src/cryptsetup.c:3790 src/veritysetup.c:569 src/integritysetup.c:651
 msgid "Display brief usage"
 msgstr "Показати короткі настанови щодо користування"
 
-#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
+#: src/cryptsetup.c:3791 src/veritysetup.c:570 src/integritysetup.c:652
 msgid "Print package version"
 msgstr "Вивести дані щодо версії пакунка"
 
-#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3802 src/veritysetup.c:581 src/integritysetup.c:663
 msgid "Help options:"
 msgstr "Пункти довідки:"
 
-#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
+#: src/cryptsetup.c:3825 src/veritysetup.c:602 src/integritysetup.c:683
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[ПАРАМЕТР...] <дія> <параметри_дії>"
 
-#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
+#: src/cryptsetup.c:3834 src/veritysetup.c:611 src/integritysetup.c:694
 msgid "Argument <action> missing."
 msgstr "Не вказано аргумент <дія>."
 
-#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
+#: src/cryptsetup.c:3913 src/veritysetup.c:642 src/integritysetup.c:725
 msgid "Unknown action."
 msgstr "Невідома дія."
 
-#: src/cryptsetup.c:4011
+#: src/cryptsetup.c:3931
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Параметр --key-file має пріоритет над вказаним параметром файла ключа."
 
-#: src/cryptsetup.c:4017
+#: src/cryptsetup.c:3937
 msgid "Only one --key-file argument is allowed."
 msgstr "Можна використовувати лише один аргумент --key-file."
 
-#: src/cryptsetup.c:4022
+#: src/cryptsetup.c:3942
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr "Функцією отримання ключа на основі пароля (PBKDF) може бути лише pbkdf2 або argon2i/argon2id."
 
-#: src/cryptsetup.c:4027
+#: src/cryptsetup.c:3947
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr "Примусові ітерації PBKDF не можна поєднувати із параметром тривалості ітерацій."
 
-#: src/cryptsetup.c:4032
+#: src/cryptsetup.c:3952
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr "Неможливо пов'язати ключ тому зі сховищем ключів, якщо сховище ключів вимкнено."
 
-#: src/cryptsetup.c:4043
+#: src/cryptsetup.c:3957
+msgid "Cannot use keyring key description when keyring is disabled."
+msgstr "Не можна скористатися описом ключа сховища ключів, якщо сховище ключів вимкнено."
+
+#: src/cryptsetup.c:3962
+msgid "Inline integrity must be used together with --integrity option."
+msgstr "Вбудовану цілісність має бути використано разом із параметром --integrity."
+
+#: src/cryptsetup.c:3973
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr "Параметри --keyslot-cipher і --keyslot-key-size має бути використано разом."
 
-#: src/cryptsetup.c:4051
+#: src/cryptsetup.c:3981
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr "Дій не виконано. Викликано із параметром --test-args.\n"
 
-#: src/cryptsetup.c:4064
+#: src/cryptsetup.c:3994
 msgid "Cannot disable metadata locking."
 msgstr "Не вдалося вимкнути блокування метаданих."
 
@@ -3069,72 +3189,72 @@ msgstr "Не вдалося створити файл кореневого хе
 msgid "Cannot write to root hash file %s."
 msgstr "Не вдалося записати файл кореневого хешу %s."
 
-#: src/veritysetup.c:185 src/veritysetup.c:463
+#: src/veritysetup.c:189 src/veritysetup.c:472
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Пристрій %s не є коректним пристроєм VERITY."
 
-#: src/veritysetup.c:202 src/veritysetup.c:219
+#: src/veritysetup.c:206 src/veritysetup.c:223
 #, c-format
 msgid "Cannot read root hash file %s."
 msgstr "Не вдалося прочитати файл кореневого хешу %s."
 
-#: src/veritysetup.c:207
+#: src/veritysetup.c:211
 #, c-format
 msgid "Invalid root hash file %s."
 msgstr "Некоректний файл кореневого хешу %s."
 
-#: src/veritysetup.c:228
+#: src/veritysetup.c:232
 msgid "Invalid root hash string specified."
 msgstr "Вказано некоректний рядок кореневого хешу."
 
-#: src/veritysetup.c:236
+#: src/veritysetup.c:240
 #, c-format
 msgid "Invalid signature file %s."
 msgstr "Некоректний файл підпису %s."
 
-#: src/veritysetup.c:243
+#: src/veritysetup.c:247
 #, c-format
 msgid "Cannot read signature file %s."
 msgstr "Не вдалося прочитати файл підпису %s."
 
-#: src/veritysetup.c:266 src/veritysetup.c:280
+#: src/veritysetup.c:270 src/veritysetup.c:287
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr "Для виконання команди потрібен <кореневий_хеш> або параметр --root-hash-file як аргумент."
 
-#: src/veritysetup.c:476
+#: src/veritysetup.c:485
 msgid "<data_device> <hash_device>"
 msgstr "<пристрій_даних> <пристрій_хешу>"
 
-#: src/veritysetup.c:476 src/integritysetup.c:530
+#: src/veritysetup.c:485 src/integritysetup.c:550
 msgid "format device"
 msgstr "форматувати пристрій"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "<data_device> <hash_device> [<root_hash>]"
 msgstr "<пристрій_даних> <пристрій_хешу> [<кореневий_хеш>]"
 
-#: src/veritysetup.c:477
+#: src/veritysetup.c:486
 msgid "verify device"
 msgstr "перевірити пристрій"
 
-#: src/veritysetup.c:478
+#: src/veritysetup.c:487
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
 msgstr "<пристрій_даних> <назва> <пристрій_хешу> [<кореневий_хеш>]"
 
-#: src/veritysetup.c:480 src/integritysetup.c:533
+#: src/veritysetup.c:489 src/integritysetup.c:553
 msgid "show active device status"
 msgstr "показати стан активного пристрою"
 
-#: src/veritysetup.c:481
+#: src/veritysetup.c:490
 msgid "<hash_device>"
 msgstr "<пристрій_хешу>"
 
-#: src/veritysetup.c:481 src/integritysetup.c:534
+#: src/veritysetup.c:490 src/integritysetup.c:554
 msgid "show on-disk information"
 msgstr "показати вбудовані дані"
 
-#: src/veritysetup.c:500
+#: src/veritysetup.c:509
 #, c-format
 msgid ""
 "\n"
@@ -3149,7 +3269,7 @@ msgstr ""
 "<пристрій_хешу> — пристрій, на якому зберігаються дані для перевірки\n"
 "<кореневий_хеш> — хеш кореневого вузла на пристрої <пристрій_хешу>\n"
 
-#: src/veritysetup.c:507
+#: src/veritysetup.c:516
 #, c-format
 msgid ""
 "\n"
@@ -3160,15 +3280,19 @@ msgstr ""
 "Типові вбудовані параметри dm-verity:\n"
 "\tхеш: %s, блок даних (у байтах): %u, блок хешу (у байтах): %u, розмір солі: %u, формат хешування: %u\n"
 
-#: src/veritysetup.c:648
+#: src/veritysetup.c:657
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "Параметри --ignore-corruption і --restart-on-corruption не можна використовувати одночасно."
 
-#: src/veritysetup.c:653
+#: src/veritysetup.c:662
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "Параметри --panic-on-corruption і --restart-on-corruption не можна використовувати одночасно."
 
-#: src/integritysetup.c:164
+#: src/veritysetup.c:668
+msgid "Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."
+msgstr "Параметр --error-as-corruption має бути використано з --panic-on-corruption або --restart-on-corruption."
+
+#: src/integritysetup.c:168
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
@@ -3177,29 +3301,33 @@ msgstr ""
 "Дані на %s і %s буде перезаписано без можливості відновлення.\n"
 "Щоб зберегти пристрій даних, скористайтеся параметром --no-wipe (а потім активуйте за допомогою --integrity-recalculate)."
 
-#: src/integritysetup.c:204
+#: src/integritysetup.c:213
 #, c-format
-msgid "Formatted with tag size %u, internal integrity %s.\n"
-msgstr "Форматовано із розміром мітки %u, внутрішня цілісність %s.\n"
+msgid "Formatted with tag size %u%s, internal integrity %s.\n"
+msgstr "Форматовано із розміром мітки %u%s, внутрішня цілісність %s.\n"
 
-#: src/integritysetup.c:285
+#: src/integritysetup.c:214
+msgid " (inline hw tags)"
+msgstr " (вбудовані апаратні мітки)"
+
+#: src/integritysetup.c:297
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr "Підтримки встановлення прапорця повторного обчислення не передбачено. Вам варто розглянути можливість використання --wipe."
 
-#: src/integritysetup.c:360 src/integritysetup.c:517
+#: src/integritysetup.c:374 src/integritysetup.c:537
 #, c-format
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "Пристрій %s не є коректним пристроєм INTEGRITY."
 
-#: src/integritysetup.c:530 src/integritysetup.c:534
+#: src/integritysetup.c:550 src/integritysetup.c:554
 msgid "<integrity_device>"
 msgstr "<пристрій_цілісності>"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:551
 msgid "<integrity_device> <name>"
 msgstr "<пристрій_цілісності> <назва>"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:574
 #, c-format
 msgid ""
 "\n"
@@ -3210,7 +3338,7 @@ msgstr ""
 "<назва> є пристроєм, який слід створити у %s\n"
 "<пристрій_цілісності> є пристроєм, на якому зберігаються дані із мітками цілісності\n"
 
-#: src/integritysetup.c:559
+#: src/integritysetup.c:579
 #, c-format
 msgid ""
 "\n"
@@ -3223,43 +3351,51 @@ msgstr ""
 "\tАлгоритм обчислення контрольної суми: %s\n"
 "\tМаксимальний розмір файла ключа: %d кБ\n"
 
-#: src/integritysetup.c:616
+#: src/integritysetup.c:636
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr "Некоректний розмір --%s. Максимальний розмір дорівнює %u байтів."
 
-#: src/integritysetup.c:719
+#: src/integritysetup.c:739
 msgid "Both key file and key size options must be specified."
 msgstr "Не можна одночасно вказувати параметри файла ключа і розміру ключа."
 
-#: src/integritysetup.c:723
+#: src/integritysetup.c:743
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Не можна одночасно вказувати параметри файла ключа цілісності журналу і розміру ключа."
 
-#: src/integritysetup.c:726
+#: src/integritysetup.c:746
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Якщо використано ключ цілісності журналу, має бути вказано алгоритм забезпечення цілісності журналу."
 
-#: src/integritysetup.c:730
+#: src/integritysetup.c:750
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Не можна одночасно вказувати параметри файла ключа шифрування журналу і розміру ключа."
 
-#: src/integritysetup.c:733
+#: src/integritysetup.c:753
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Якщо використано ключ шифрування журналу, має бути вказано алгоритм забезпечення шифрування журналу."
 
-#: src/integritysetup.c:737
+#: src/integritysetup.c:757
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Не можна поєднувати параметри відновлення і бітової карти."
 
-#: src/integritysetup.c:744
+#: src/integritysetup.c:764
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Параметри журналу у режимі бітової карти використовувати не можна."
 
-#: src/integritysetup.c:749
+#: src/integritysetup.c:769
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Параметри бітової карти можна використовувати лише у режимі бітового карти."
 
+#: src/integritysetup.c:775
+msgid "Inline mode cannot be combined with journal or bitmap options."
+msgstr "Вбудований режим не може бути поєднано із параметрами журналу або бітової карти."
+
+#: src/integritysetup.c:779
+msgid "Inline mode cannot be combined with separate data device."
+msgstr "Вбудований режим не можна поєднувати із окремим пристроєм даних."
+
 #: src/utils_tools.c:105
 msgid ""
 "\n"
@@ -3407,6 +3543,14 @@ msgstr "Не вдалося відкрити файл ключа %s для за
 msgid "Cannot write to keyfile %s."
 msgstr "Не вдалося виконати запису до файла ключа %s."
 
+#: src/utils_tools.c:468
+msgid "Name is too long."
+msgstr "Назва занадто довга."
+
+#: src/utils_tools.c:471
+msgid "Name must not contain '/' character."
+msgstr "У назві не має бути символу «/»."
+
 #: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
@@ -3468,37 +3612,41 @@ msgstr ""
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "Помилка під час спроби оцінити якість пароля: некоректний пароль (%s)"
 
-#: src/utils_password.c:221 src/utils_password.c:235
+#: src/utils_password.c:197
+msgid "Read stopped at maximal interactive input length, passphrase can be trimmed."
+msgstr "Читання зупинено на максимальній довжині інтерактивного введення даних, пароль може бути обрізано."
+
+#: src/utils_password.c:224 src/utils_password.c:238
 msgid "Error reading passphrase from terminal."
 msgstr "Помилка під час читання пароля з термінала."
 
-#: src/utils_password.c:233
+#: src/utils_password.c:236
 msgid "Verify passphrase: "
 msgstr "Перевірка пароля: "
 
-#: src/utils_password.c:240
+#: src/utils_password.c:243
 msgid "Passphrases do not match."
 msgstr "Паролі не збігаються."
 
-#: src/utils_password.c:278
+#: src/utils_password.c:281
 msgid "Cannot use offset with terminal input."
 msgstr "Не можна використовувати відступ у даних, що надходять з термінала."
 
-#: src/utils_password.c:282
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase: "
 msgstr "Введіть пароль: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:288
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Введіть пароль до %s: "
 
-#: src/utils_password.c:319
+#: src/utils_password.c:322
 msgid "No key available with this passphrase."
 msgstr "Для цього пароля немає відповідного ключа."
 
-#: src/utils_password.c:321
+#: src/utils_password.c:324
 msgid "No usable keyslot is available."
 msgstr "Немає доступних придатних до користування слотів ключів."
 
@@ -3506,20 +3654,20 @@ msgstr "Немає доступних придатних до користува
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Перевірку паролів не можна виконувати на основі вхідних даних, які надходять не з tty."
 
-#: src/utils_luks.c:173
+#: src/utils_luks.c:179
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "Не вдалося відкрити файл %s у режимі лише читання."
 
-#: src/utils_luks.c:186
+#: src/utils_luks.c:193
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr "Надайте коректний жетон JSON LUKS2:\n"
 
-#: src/utils_luks.c:193
+#: src/utils_luks.c:200
 msgid "Failed to read JSON file."
 msgstr "Не вдалося прочитати файл JSON."
 
-#: src/utils_luks.c:198
+#: src/utils_luks.c:205
 msgid ""
 "\n"
 "Read interrupted."
@@ -3527,12 +3675,12 @@ msgstr ""
 "\n"
 "Читання перервано."
 
-#: src/utils_luks.c:239
+#: src/utils_luks.c:246
 #, c-format
 msgid "Failed to open file %s in write mode."
 msgstr "Не вдалося відкрити файл %s у режимі запису."
 
-#: src/utils_luks.c:248
+#: src/utils_luks.c:255
 msgid ""
 "\n"
 "Write interrupted."
@@ -3540,26 +3688,26 @@ msgstr ""
 "\n"
 "Запис перервано."
 
-#: src/utils_luks.c:252
+#: src/utils_luks.c:259
 msgid "Failed to write JSON file."
 msgstr "Не вдалося записати файл JSON."
 
-#: src/utils_reencrypt.c:107
+#: src/utils_reencrypt.c:93
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Автоматично виявлено активний пристрій dm «%s» для пристрою даних %s.\n"
 
-#: src/utils_reencrypt.c:111
+#: src/utils_reencrypt.c:97
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Не вдалося автоматично визначити утримувачів пристрою %s."
 
-#: src/utils_reencrypt.c:117
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Пристрій %s не є блоковим пристроєм.\n"
 
-#: src/utils_reencrypt.c:119
+#: src/utils_reencrypt.c:105
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3572,7 +3720,7 @@ msgstr ""
 "Таке шифрування може призвести до пошкодження даних, якщо пристрій задіяно.\n"
 "Щоб запустити повторне шифрування у режимі без від'єднання, скористайтеся параметром --active-name.\n"
 
-#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
+#: src/utils_reencrypt.c:114 src/utils_reencrypt.c:247
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
@@ -3581,45 +3729,49 @@ msgstr ""
 "Пристрій %s не є блоковим пристроєм. Не можна визначити, чи є він активним.\n"
 "Скористайтеся --force-offline-reencrypt для обходу перевірки та запуску в автономному режимі (небезпечно!)."
 
-#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
-#: src/utils_reencrypt.c:218
+#: src/utils_reencrypt.c:151 src/utils_reencrypt.c:194
+#: src/utils_reencrypt.c:204
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr "Вказаний параметр --resilience не може бути застосовано до поточної дії з повторного шифрування."
 
-#: src/utils_reencrypt.c:190
+#: src/utils_reencrypt.c:176
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr "Пристрій не у шифруванні LUKS2. Конфліктний параметр --encrypt."
 
-#: src/utils_reencrypt.c:195
+#: src/utils_reencrypt.c:181
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr "Пристрій не у розшифруванні LUKS2. Конфліктний параметр --decrypt."
 
-#: src/utils_reencrypt.c:202
+#: src/utils_reencrypt.c:188
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr "Пристрій перебуває у повторному шифруванні з використанням стійкості зсуву даних. Вказаний параметр --resilience не може бути застосовано."
 
-#: src/utils_reencrypt.c:280
+#: src/utils_reencrypt.c:282 src/utils_reencrypt.c:1924
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."
+msgstr "Неможливо визначити розмір ключа тому для LUKS без слотів ключів. Будь ласка, скористайтеся параметром --new-key-size."
+
+#: src/utils_reencrypt.c:436
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr "Пристрій потребує відновлення повторного шифрування. Спочатку виконайте відновлення."
 
-#: src/utils_reencrypt.c:294
+#: src/utils_reencrypt.c:450
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr "Пристрій %s вже перебуває у стані повторного шифрування LUKS2. Хочете відновити раніше ініціалізовану дію?"
 
-#: src/utils_reencrypt.c:403
+#: src/utils_reencrypt.c:561
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr "Підтримки застарілого повторного шифрування LUKS2 більше не передбачено."
 
-#: src/utils_reencrypt.c:408
+#: src/utils_reencrypt.c:566
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr "Неможливо повторно зашифрувати пристрій LUKS2, який налаштовано на використання OPAL."
 
-#: src/utils_reencrypt.c:414
+#: src/utils_reencrypt.c:572
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Підтримки повторного шифрування пристрою із профілем цілісності не передбачено."
 
-#: src/utils_reencrypt.c:451
+#: src/utils_reencrypt.c:609
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
@@ -3628,103 +3780,110 @@ msgstr ""
 "Вказаний --sector-size %<PRIu32> є несумісним із суперблоком %s\n"
 "(розмір блоку: %<PRIu32> байтів), який виявлено на пристрої %s."
 
-#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
+#: src/utils_reencrypt.c:678 src/utils_reencrypt.c:2204
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Шифрування без від'єднаного заголовка (--header) є неможливим без зменшення розміру пристрою зберігання даних (--reduce-device-size)."
 
-#: src/utils_reencrypt.c:527
+#: src/utils_reencrypt.c:687
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Вказаний зсув даних має бути меншим або рівним половині значення параметра --reduce-device-size."
 
-#: src/utils_reencrypt.c:537
+#: src/utils_reencrypt.c:697
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Коригуємо значення --reduce-device-size до подвійного значення --offset %<PRIu64> (у секторах).\n"
 
-#: src/utils_reencrypt.c:567
+#: src/utils_reencrypt.c:727
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Файл тимчасового заголовка %s вже існує. Перериваємо обробку."
 
-#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
+#: src/utils_reencrypt.c:729 src/utils_reencrypt.c:736
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Не вдалося створити файл тимчасового заголовка %s."
 
-#: src/utils_reencrypt.c:601
+#: src/utils_reencrypt.c:761
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr "Розмір метаданих LUKS2 перевищує значення зсуву даних."
 
-#: src/utils_reencrypt.c:638
+#: src/utils_reencrypt.c:800
 #, c-format
 msgid "Failed to place new header at head of device %s."
 msgstr "Не вдалося розмістити новий заголовок на початку пристрою %s."
 
-#: src/utils_reencrypt.c:648
+#: src/utils_reencrypt.c:813
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr "%s/%s задіяно, система готова до інтерактивного шифрування.\n"
 
-#: src/utils_reencrypt.c:684
+#: src/utils_reencrypt.c:850
 #, c-format
 msgid "Active device %s is not LUKS2."
 msgstr "Активний пристрій %s не є пристроєм LUKS2."
 
-#: src/utils_reencrypt.c:712
+#: src/utils_reencrypt.c:878
 msgid "Restoring original LUKS2 header."
 msgstr "Відновлюємо початковий заголовок LUKS2."
 
-#: src/utils_reencrypt.c:720
+#: src/utils_reencrypt.c:886
 msgid "Original LUKS2 header restore failed."
 msgstr "Спроба відновлення початкового заголовка LUKS2 зазнала невдачі."
 
-#: src/utils_reencrypt.c:752
+#: src/utils_reencrypt.c:918
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr "Файла заголовка %s не існує. Хочете ініціалізувати розшифрування LUKS2 пристрою %s і експортувати заголовок LUKS2 до файла %s?"
 
-#: src/utils_reencrypt.c:802
+#: src/utils_reencrypt.c:961
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "Не вдалося додати права доступу для читання-запису до експортованого файла заголовка."
 
-#: src/utils_reencrypt.c:856
+#: src/utils_reencrypt.c:1015
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr "Не вдалося ініціалізувати повторне шифрування. Резервна копія заголовка перебуває у %s."
 
-#: src/utils_reencrypt.c:884
+#: src/utils_reencrypt.c:1043
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr "Підтримку розшифровування LUKS2 передбачено лише для пристроїв із від'єднаним заголовком (із встановленим нульовим відступом даних)."
 
-#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
+#: src/utils_reencrypt.c:1487
+msgid "No token could unlock the device."
+msgstr "Жоден жетон не змін розблокувати пристрій."
+
+#: src/utils_reencrypt.c:1519 src/utils_reencrypt.c:1528
 msgid "Not enough free keyslots for reencryption."
 msgstr "Недостатньо вільних слотів ключів для повторного шифрування."
 
-#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа."
+#: src/utils_reencrypt.c:1559
+msgid "Key file or keyring key description can be used only with --key-slot or with exactly one key slot active."
+msgstr "Файлом ключа або описом ключа у сховищі ключів можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа."
 
-#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
-#: src/utils_reencrypt_luks1.c:1105
+#: src/utils_reencrypt.c:1566 src/utils_reencrypt.c:1579
+#: src/utils_reencrypt_luks1.c:1092 src/utils_reencrypt_luks1.c:1103
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Вкажіть пароль для слоту ключа %d: "
 
-#: src/utils_reencrypt.c:1070
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Вкажіть пароль для слоту ключа %u: "
-
-#: src/utils_reencrypt.c:1122
+#: src/utils_reencrypt.c:1876
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
 msgstr "Перемикаємося на шифрування даних %s.\n"
 
-#: src/utils_reencrypt.c:1176
+#: src/utils_reencrypt.c:1977 src/utils_reencrypt.c:1998
+msgid "Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."
+msgstr "Скористайтеся --force-no-keyslots, щоб повторно зашифрувати пристрій із активними слотами ключів, передавши ключі тому безпосередньо."
+
+#: src/utils_reencrypt.c:1993
+msgid "Option --new-volume-key-file must be paired with --new-key-size"
+msgstr "Параметр --new-volume-key-file має бути поєднано з --new-key-size"
+
+#: src/utils_reencrypt.c:2035
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr "Не змінено параметри сегмента даних. Повторне шифрування перервано."
 
-#: src/utils_reencrypt.c:1278
+#: src/utils_reencrypt.c:2072
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
@@ -3732,8 +3891,8 @@ msgstr ""
 "Підтримки збільшення розміру сектора шифрування на вимкненому пристрої не передбачено.\n"
 "Спочатку активуйте пристрій або скористайтеся параметром --force-offline-reencrypt (небезпечно!)."
 
-#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
-#: src/utils_reencrypt_luks1.c:761
+#: src/utils_reencrypt.c:2114 src/utils_reencrypt_luks1.c:688
+#: src/utils_reencrypt_luks1.c:759
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -3741,67 +3900,67 @@ msgstr ""
 "\n"
 "Повторне шифрування перервано."
 
-#: src/utils_reencrypt.c:1323
+#: src/utils_reencrypt.c:2119
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
 msgstr "Відновлюємо повторне шифрування LUKS у примусовому вимкненому режимі.\n"
 
-#: src/utils_reencrypt.c:1346
+#: src/utils_reencrypt.c:2142
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
 msgstr "На пристрої %s містяться пошкоджені метадані LUKS. Перериваємо дію."
 
-#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#: src/utils_reencrypt.c:2158 src/utils_reencrypt.c:2180
 #, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
 msgstr "Пристрій %s вже є пристроєм LUKS. Перериваємо дію."
 
-#: src/utils_reencrypt.c:1390
+#: src/utils_reencrypt.c:2186
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
 msgstr "Пристрій %s вже перебуває у стані повторного шифрування LUKS. Перериваємо дію."
 
-#: src/utils_reencrypt.c:1473
+#: src/utils_reencrypt.c:2269
 msgid "LUKS2 decryption requires --header option."
 msgstr "Для розшифровування LUKS2 потрібен параметр --header."
 
-#: src/utils_reencrypt.c:1521
+#: src/utils_reencrypt.c:2317
 msgid "Command requires device as argument."
 msgstr "Комарні слід передати аргумент пристрою."
 
-#: src/utils_reencrypt.c:1534
+#: src/utils_reencrypt.c:2330
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
 msgstr "Конфлікт версій. Пристрій %s є пристроєм LUKS1."
 
-#: src/utils_reencrypt.c:1540
+#: src/utils_reencrypt.c:2336
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
 msgstr "Конфлікт версій. Пристрій %s перебуває у стані повторного шифрування LUKS1."
 
-#: src/utils_reencrypt.c:1546
+#: src/utils_reencrypt.c:2342
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
 msgstr "Конфлікт версій. Пристрій %s є пристроєм LUKS2."
 
-#: src/utils_reencrypt.c:1552
+#: src/utils_reencrypt.c:2348
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
 msgstr "Конфлікт версій. Пристрій %s перебуває у стані повторного шифрування LUKS2."
 
-#: src/utils_reencrypt.c:1558
+#: src/utils_reencrypt.c:2354
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Вже ініційовано повторне шифрування LUKS2. Перериваємо виконання дії."
 
-#: src/utils_reencrypt.c:1565
+#: src/utils_reencrypt.c:2361
 msgid "Device reencryption not in progress."
 msgstr "Повторне шифрування пристрою не виконується."
 
-#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:285
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Не можна відкрити %s у виключному режимі, пристрій вже використовується."
 
-#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:883
 msgid "Allocation of aligned memory failed."
 msgstr "Спроба розподілу вирівняних ділянок пам’яті зазнала невдачі."
 
@@ -3824,11 +3983,11 @@ msgstr "Не вдалося виконати запис на пристрій %s
 msgid "Cannot write reencryption log file."
 msgstr "Не вдалося записати файл журналу повторного шифрування."
 
-#: src/utils_reencrypt_luks1.c:269
+#: src/utils_reencrypt_luks1.c:268
 msgid "Cannot read reencryption log file."
 msgstr "Не вдалося прочитати файл журналу повторного шифрування."
 
-#: src/utils_reencrypt_luks1.c:280
+#: src/utils_reencrypt_luks1.c:279
 msgid "Wrong log format."
 msgstr "Помилкове форматування журналу."
 
@@ -3837,130 +3996,134 @@ msgstr "Помилкове форматування журналу."
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Файл журналу %s вже існує, поновлюємо повторне шифрування.\n"
 
-#: src/utils_reencrypt_luks1.c:356
+#: src/utils_reencrypt_luks1.c:354
 msgid "Activating temporary device using old LUKS header."
 msgstr "Спроба задіяти тимчасовий пристрій за допомогою старого заголовка LUKS."
 
-#: src/utils_reencrypt_luks1.c:366
+#: src/utils_reencrypt_luks1.c:364
 msgid "Activating temporary device using new LUKS header."
 msgstr "Спроба задіяти тимчасовий пристрій за допомогою нового заголовка LUKS."
 
-#: src/utils_reencrypt_luks1.c:376
+#: src/utils_reencrypt_luks1.c:374
 msgid "Activation of temporary devices failed."
 msgstr "Спроба задіяти тимчасові пристрої зазнала невдачі."
 
-#: src/utils_reencrypt_luks1.c:436
+#: src/utils_reencrypt_luks1.c:434
 msgid "Failed to set data offset."
 msgstr "Не вдалося встановити відступ у даних."
 
-#: src/utils_reencrypt_luks1.c:442
+#: src/utils_reencrypt_luks1.c:440
 msgid "Failed to set metadata size."
 msgstr "Не вдалося встановити розмір метаданих."
 
-#: src/utils_reencrypt_luks1.c:450
+#: src/utils_reencrypt_luks1.c:448
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Створено новий заголовок LUKS для пристрою %s."
 
-#: src/utils_reencrypt_luks1.c:487
+#: src/utils_reencrypt_luks1.c:485
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Створено резервну копію заголовка %s пристрою %s."
 
-#: src/utils_reencrypt_luks1.c:543
+#: src/utils_reencrypt_luks1.c:541
 msgid "Creation of LUKS backup headers failed."
 msgstr "Спроба створення заголовків резервних копій LUKS зазнала невдачі."
 
-#: src/utils_reencrypt_luks1.c:672
+#: src/utils_reencrypt_luks1.c:670
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Не вдалося відновити заголовок %s на пристрої %s."
 
-#: src/utils_reencrypt_luks1.c:674
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Відновлено заголовок %s на пристрої %s."
 
-#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
+#: src/utils_reencrypt_luks1.c:855 src/utils_reencrypt_luks1.c:861
 msgid "Cannot open temporary LUKS device."
 msgstr "Неможливо відкрити тимчасовий пристрій LUKS."
 
-#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
+#: src/utils_reencrypt_luks1.c:866 src/utils_reencrypt_luks1.c:871
 msgid "Cannot get device size."
 msgstr "Не вдалося отримати дані щодо розміру пристрою."
 
-#: src/utils_reencrypt_luks1.c:915
+#: src/utils_reencrypt_luks1.c:913
 msgid "IO error during reencryption."
 msgstr "Помилка введення-виведення під час повторного шифрування."
 
-#: src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:943
 msgid "Provided UUID is invalid."
 msgstr "Наданий UUID є некоректним."
 
-#: src/utils_reencrypt_luks1.c:1171
+#: src/utils_reencrypt_luks1.c:1045
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа."
+
+#: src/utils_reencrypt_luks1.c:1169
 msgid "Cannot open reencryption log file."
 msgstr "Не вдалося відкрити файл журналу повторного шифрування."
 
-#: src/utils_reencrypt_luks1.c:1177
+#: src/utils_reencrypt_luks1.c:1175
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Розшифровування не виконується. Наданий UUID можна використовувати лише для відновлення призупиненого процесу розшифровування."
 
-#: src/utils_reencrypt_luks1.c:1233
+#: src/utils_reencrypt_luks1.c:1231
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Повторне шифрування призведе до зміни: %s%s%s%s%s%s."
 
-#: src/utils_reencrypt_luks1.c:1234
+#: src/utils_reencrypt_luks1.c:1232
 msgid "volume key"
 msgstr "ключ тому"
 
-#: src/utils_reencrypt_luks1.c:1236
+#: src/utils_reencrypt_luks1.c:1234
 msgid "set hash to "
 msgstr "встановити хеш у значення "
 
-#: src/utils_reencrypt_luks1.c:1237
+#: src/utils_reencrypt_luks1.c:1235
 msgid ", set cipher to "
 msgstr ", встановити шифрування "
 
-#: src/utils_blockdev.c:176
+#: src/utils_blockdev.c:179
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "Попередження: пристрій %s вже містить підпис розділу «%s».\n"
 
-#: src/utils_blockdev.c:184
+#: src/utils_blockdev.c:187
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "Попередження: пристрій %s вже містить підпис суперблоку «%s».\n"
 
-#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
+#: src/utils_blockdev.c:209 src/utils_blockdev.c:292 src/utils_blockdev.c:344
 msgid "Failed to initialize device signature probes."
 msgstr "Не вдалося ініціалізувати зондування підписів пристроїв."
 
-#: src/utils_blockdev.c:269
+#: src/utils_blockdev.c:272
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Не вдалося зібрати статистичні дані щодо пристрою %s."
 
-#: src/utils_blockdev.c:284
+#: src/utils_blockdev.c:287
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Не вдалося відкрити файл %s у режимі читання-запису."
 
-#: src/utils_blockdev.c:304
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr "Наявний підпис розділу «%s» на пристрої %s буде витерто."
 
-#: src/utils_blockdev.c:307
+#: src/utils_blockdev.c:310
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr "Наявний підпис суперблоку «%s» на пристрої %s буде витерто."
 
-#: src/utils_blockdev.c:310
+#: src/utils_blockdev.c:313
 msgid "Failed to wipe device signature."
 msgstr "Не вдалося витерти підпис пристрою."
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:320
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Не вдалося виконати зондування пристрою %s з метою виявлення підпису."
@@ -3975,6 +4138,50 @@ msgstr "Некоректна специфікація розміру у пара
 msgid "Option --%s is not allowed with %s action."
 msgstr "Параметр --%s не можна використовувати разом із дією %s."
 
+#: src/utils_key_description.c:66
+msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
+msgstr "Специфікацію типу у специфікації сховища ключів --link-vk-to-keyring проігноровано."
+
+#: src/utils_key_description.c:131
+msgid "Key types have to be the same for both volume keys."
+msgstr "Типи ключів мають бути однаковими для обох ключів тому."
+
+#: src/utils_key_description.c:136
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "Обидва ключі томів мають бути пов'язані із одним сховищем ключів."
+
+#: src/utils_key_description.c:146
+msgid "You need to supply more key names."
+msgstr "Вам слід вказати більше назв ключів."
+
+#: src/utils_key_description.c:150
+msgid "Invalid --link-vk-to-keyring value."
+msgstr "Некоректне значення --link-vk-to-keyring."
+
+#: src/utils_keyslot_check.c:114
+#, c-format
+msgid "Keyslot %d binary data could be corrupted.\n"
+msgstr "Двійкові дані слоту ключа %d може бути пошкоджено.\n"
+
+#: src/utils_keyslot_check.c:124
+#, c-format
+msgid "  Suspected offset: 0x%<PRIx64>\n"
+msgstr "  Прогнозований зсув: 0x%<PRIx64>\n"
+
+#: src/utils_keyslot_check.c:127
+msgid "  Subsequent suspected offsets are suppressed.\n"
+msgstr "  Наступні прогнозовані зсуви придушено.\n"
+
+#: src/utils_keyslot_check.c:178 src/utils_keyslot_check.c:183
+#, c-format
+msgid "Keyslot %d cannot be read from the device."
+msgstr "Не вдалося прочитати слот ключів %d з пристрою."
+
+#: src/utils_keyslot_check.c:194
+#, c-format
+msgid "You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"
+msgstr "ви можете скористатися командою hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" для вивчення даних.\n"
+
 #: tokens/ssh/cryptsetup-ssh.c:110
 msgid "Failed to write ssh token json."
 msgstr "Не вдалося записати JSON жетона ssh."
@@ -4142,6 +4349,37 @@ msgstr "На вузлі заборонено спосіб розпізнаван
 msgid "Public key authentication error: "
 msgstr "Помилка розпізнавання за відкритим ключем: "
 
+#~ msgid "Activation of BITLK device with clear key protection is not supported."
+#~ msgstr "Підтримки активації пристрою BITLK із прозорим захистом ключем не передбачено."
+
+#~ msgid "Failed to link volume keys in user defined keyring."
+#~ msgstr "Не вдалося пов'язати ключі тому із визначеним користувачем сховищем ключів."
+
+#~ msgid "Failed to unlink volume key from thread keyring."
+#~ msgstr "Не вдалося скасувати прив'язку ключа тому до сховища ключів потоку обробки."
+
+#~ msgid "Activation of partially decrypted BITLK device is not supported."
+#~ msgstr "Активації частково розшифрованого пристрою BITLK не передбачено."
+
+#~ msgid "Failed to read LUKS2 requirements."
+#~ msgstr "Не вдалося прочитати вимоги LUKS2."
+
+#~ msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
+#~ msgstr "Попередження: дія зі слотом ключа може завершитися помилкою, оскільки потребує більшого за доступний розміру пам'яті.\n"
+
+#~ msgid "Failed to get reencryption state."
+#~ msgstr "Не вдалося отримати стан повторного шифрування."
+
+#~ msgid "Failed to read passphrase from keyring."
+#~ msgstr "Не вдалося прочитати пароль із ключа зі сховища ключів."
+
+#~ msgid "Options --reduce-device-size and --device-size cannot be combined."
+#~ msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --device-size."
+
+#, c-format
+#~ msgid "Enter passphrase for key slot %u: "
+#~ msgstr "Вкажіть пароль для слоту ключа %u: "
+
 #~ msgid "compiled-in"
 #~ msgstr "вбудована"
 
@@ -4217,9 +4455,6 @@ msgstr "Помилка розпізнавання за відкритим клю
 #~ msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 #~ msgstr "Параметр --keep-key можна використовувати лише разом з параметром --hash --iter-time або --pbkdf-force-iterations."
 
-#~ msgid "Option --new cannot be used together with --decrypt."
-#~ msgstr "Параметр --new не можна використовувати разом з --decrypt."
-
 #~ msgid "Option --decrypt is incompatible with specified parameters."
 #~ msgstr "Параметр --decrypt є несумісним із вказаними параметрами."
 
@@ -4310,9 +4545,6 @@ msgstr "Помилка розпізнавання за відкритим клю
 #~ msgid "Progress line update (in seconds)"
 #~ msgstr "Оновлення лінії поступу (у секундах)"
 
-#~ msgid "How often the input of the passphrase can be retried"
-#~ msgstr "Частота повторень спроб отримання вхідних даних пароля"
-
 #~ msgid "Align payload at <n> sector boundaries - for luksFormat"
 #~ msgstr "Вирівняти дані за областями у <n> секторів, для luksFormat"
 
@@ -4764,8 +4996,5 @@ msgstr "Помилка розпізнавання за відкритим клю
 #~ msgid "Invalid size parameters for verity device."
 #~ msgstr "Некоректні параметри розміру для пристрою перевірки."
 
-#~ msgid "Integrity algorithm must be specified if integrity key is used."
-#~ msgstr "Якщо використано ключ цілісності, має бути вказано алгоритм забезпечення цілісності."
-
 #~ msgid "Wrong key size."
 #~ msgstr "Помилковий розмір ключа."
diff --git a/po/zh_CN.po b/po/zh_CN.po
index c6c5d98..391a876 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -7,97 +7,89 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.7.0-rc0\n"
+"Project-Id-Version: cryptsetup 2.7.3-rc0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2023-11-29 09:21+0100\n"
-"PO-Revision-Date: 2023-12-01 10:37-0500\n"
-"Last-Translator: Boyuan Yang <073plan@gmail.com>\n"
+"POT-Creation-Date: 2024-06-06 22:11+0200\n"
+"PO-Revision-Date: 2024-09-21 10:41+0800\n"
+"Last-Translator: Mingye Wang (Artoria2e5) <arthur200126@gmail.com>\n"
 "Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
 "Language: zh_CN\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Poedit 2.4.3\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
+"X-Bugs: Report translation errors to the Language-Team address.\n"
+"X-Generator: Poedit 3.5\n"
 
-#: lib/libdevmapper.c:419
+#: lib/libdevmapper.c:406
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "无法初始化设备映射器，正作为非 root 用户运行。"
 
-#: lib/libdevmapper.c:422
+#: lib/libdevmapper.c:409
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "无法初始化设备映射器。dm_mod 内核模块装载了吗？"
 
-#: lib/libdevmapper.c:1103
+#: lib/libdevmapper.c:1090
 msgid "Requested deferred flag is not supported."
 msgstr "不支持请求的推迟（deferred）标记。"
 
-#: lib/libdevmapper.c:1172
+#: lib/libdevmapper.c:1159
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "设备 %s 的 DM-UUID 被截断。"
 
-#: lib/libdevmapper.c:1510
+#: lib/libdevmapper.c:1497
 msgid "Unknown dm target type."
 msgstr "未知的 dm 目标类型。"
 
-#: lib/libdevmapper.c:1629 lib/libdevmapper.c:1635 lib/libdevmapper.c:1738
-#: lib/libdevmapper.c:1741
+#: lib/libdevmapper.c:1616 lib/libdevmapper.c:1622 lib/libdevmapper.c:1725
+#: lib/libdevmapper.c:1728
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "不支持请求的 dm-crypt 性能选项。"
 
-#: lib/libdevmapper.c:1644 lib/libdevmapper.c:1656
+#: lib/libdevmapper.c:1631 lib/libdevmapper.c:1643
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "不支持请求的 dm-verity 数据损坏处理选项。"
 
-#: lib/libdevmapper.c:1650
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-verity tasklets option is not supported."
 msgstr "不支持请求的 dm-verity FEC 选项。"
 
-#: lib/libdevmapper.c:1662
+#: lib/libdevmapper.c:1649
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "不支持请求的 dm-verity FEC 选项。"
 
-#: lib/libdevmapper.c:1668
+#: lib/libdevmapper.c:1655
 msgid "Requested data integrity options are not supported."
 msgstr "不支持请求的数据完整性选项。"
 
-#: lib/libdevmapper.c:1672
+#: lib/libdevmapper.c:1659
 msgid "Requested sector_size option is not supported."
 msgstr "不支持请求的 sector_size 选项。"
 
-#: lib/libdevmapper.c:1677
-#, fuzzy
-#| msgid "Device %s size is not aligned to requested sector size (%u bytes)."
+#: lib/libdevmapper.c:1664
 msgid "The device size is not multiple of the requested sector size."
-msgstr "设备 %s 的大小没有和请求的扇区大小对齐（%u 字节）。"
+msgstr "设备大小不是请求的扇区大小的倍数。"
 
-#: lib/libdevmapper.c:1684 lib/libdevmapper.c:1690
-#, fuzzy
-#| msgid "Requested data integrity options are not supported."
+#: lib/libdevmapper.c:1671 lib/libdevmapper.c:1677
 msgid "Requested automatic recalculation of integrity tags is not supported."
-msgstr "不支持请求的数据完整性选项。"
+msgstr "不支持请求的自动重新计算完整性标记。"
 
-#: lib/libdevmapper.c:1696 lib/libdevmapper.c:1744 lib/libdevmapper.c:1747
-#: lib/luks2/luks2_json_metadata.c:2742
-#, fuzzy
-#| msgid "Hash algorithm %s not supported."
+#: lib/libdevmapper.c:1683 lib/libdevmapper.c:1731 lib/libdevmapper.c:1734
+#: lib/luks2/luks2_json_metadata.c:2741
 msgid "Discard/TRIM is not supported."
-msgstr "不支持哈希算法 %s。"
+msgstr "不支持 Discard/TRIM。"
 
-#: lib/libdevmapper.c:1702
-#, fuzzy
-#| msgid "Requested data integrity options are not supported."
+#: lib/libdevmapper.c:1689
 msgid "Requested dm-integrity bitmap mode is not supported."
-msgstr "不支持请求的数据完整性选项。"
+msgstr "不支持请求的 dm-integrity 位图模式。"
 
-#: lib/libdevmapper.c:2738
+#: lib/libdevmapper.c:2725
 #, c-format
 msgid "Failed to query dm-%s segment."
-msgstr ""
+msgstr "未能查询 dm-%s 段。"
 
-#: lib/random.c:73
+#: lib/random.c:60
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -105,849 +97,814 @@ msgstr ""
 "系统在生成卷密钥时熵不足。\n"
 "请随意移动鼠标或是在别的窗口打字，以便生成随机事件让系统使用。\n"
 
-#: lib/random.c:77
+#: lib/random.c:64
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "正生成密钥（%d%% 已完成）\n"
 
-#: lib/random.c:163
+#: lib/random.c:150
 msgid "Running in FIPS mode."
 msgstr "在 FIPS 模式下运行。"
 
-#: lib/random.c:169
+#: lib/random.c:156
 msgid "Fatal error during RNG initialisation."
 msgstr "随机数生成器初始化时发生致命错误。"
 
-#: lib/random.c:207
+#: lib/random.c:194
 msgid "Unknown RNG quality requested."
 msgstr "未知的随机数生成器质量请求。"
 
-#: lib/random.c:212
+#: lib/random.c:199
 msgid "Error reading from RNG."
 msgstr "从随机数生成器（RNG）读取时出错。"
 
-#: lib/setup.c:261
+#: lib/setup.c:249
 msgid "OPAL support is disabled in libcryptsetup."
 msgstr "OPAL 支持在 libcryptsetup 中被禁用。"
 
-#: lib/setup.c:263
+#: lib/setup.c:251
 #, c-format
 msgid "Device %s or kernel does not support OPAL encryption."
 msgstr "设备 %s 或内核不支持 OPAL 加密。"
 
-#: lib/setup.c:279
+#: lib/setup.c:267
 msgid "Cannot initialize crypto RNG backend."
 msgstr "无法初始化加密随机数生成器后端。"
 
-#: lib/setup.c:285
+#: lib/setup.c:273
 msgid "Cannot initialize crypto backend."
 msgstr "无法初始化加密后端。"
 
-#: lib/setup.c:316 lib/setup.c:2766 lib/verity/verity.c:122
+#: lib/setup.c:305 lib/setup.c:2786 lib/verity/verity.c:109
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "不支持哈希算法 %s。"
 
-#: lib/setup.c:319 lib/loopaes/loopaes.c:90
+#: lib/setup.c:308 lib/loopaes/loopaes.c:77
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "密钥处理错误（使用散列 %s）。"
 
-#: lib/setup.c:390 lib/setup.c:427
+#: lib/setup.c:379 lib/setup.c:416
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "无法确定设备类型。不兼容的设备激活？"
 
-#: lib/setup.c:396 lib/setup.c:3959
+#: lib/setup.c:385 lib/setup.c:3981
 msgid "This operation is supported only for LUKS device."
 msgstr "此操作只适用 LUKS 设备。"
 
-#: lib/setup.c:433
+#: lib/setup.c:422
 msgid "This operation is supported only for LUKS2 device."
 msgstr "此操作只适用 LUKS2 设备。"
 
-#: lib/setup.c:490 lib/luks2/luks2_reencrypt.c:3056
+#: lib/setup.c:479 lib/luks2/luks2_reencrypt.c:3058
 msgid "All key slots full."
 msgstr "密钥槽全都满了。"
 
-#: lib/setup.c:501
+#: lib/setup.c:490
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "密钥槽 %d 无效，请选择 0 到 %d 间的数字。"
 
-#: lib/setup.c:507
+#: lib/setup.c:496
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "密钥槽 %d 满了，请选择另一个。"
 
-#: lib/setup.c:618 lib/setup.c:3661
+#: lib/setup.c:607 lib/setup.c:3681
 msgid "Device size is not aligned to device logical block size."
 msgstr "设备的大小没有和设备逻辑块大小对齐。"
 
-#: lib/setup.c:716
+#: lib/setup.c:705
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "检测到标头但设备 %s 太小。"
 
-#: lib/setup.c:757 lib/setup.c:3552 lib/setup.c:5134
-#: lib/luks2/luks2_reencrypt.c:3848 lib/luks2/luks2_reencrypt.c:4305
+#: lib/setup.c:746 lib/setup.c:3572 lib/setup.c:5360 lib/setup.c:5380
+#: lib/luks2/luks2_reencrypt.c:3850 lib/luks2/luks2_reencrypt.c:4307
 msgid "This operation is not supported for this device type."
 msgstr "不支持在这类设备上执行此操作。"
 
-#: lib/setup.c:762
+#: lib/setup.c:751
 msgid "Illegal operation with reencryption in-progress."
 msgstr "正在进行重加密中的非法操作。"
 
-#: lib/setup.c:894
-#, fuzzy
-#| msgid "Failed to read LUKS2 requirements."
+#: lib/setup.c:883
 msgid "Failed to rollback LUKS2 metadata in memory."
-msgstr "读取 LUKS2 需求时失败。"
+msgstr "未能回滚内存中的 LUKS2 元数据。"
 
-#: lib/setup.c:981 lib/luks1/keymanage.c:249 lib/luks1/keymanage.c:527
-#: lib/luks2/luks2_json_metadata.c:1374 src/cryptsetup.c:1799
-#: src/cryptsetup.c:1962 src/cryptsetup.c:2017 src/cryptsetup.c:2222
-#: src/cryptsetup.c:2392 src/cryptsetup.c:2673 src/cryptsetup.c:2981
-#: src/cryptsetup.c:3049 src/utils_reencrypt.c:1488
-#: src/utils_reencrypt_luks1.c:1192 tokens/ssh/cryptsetup-ssh.c:85
+#: lib/setup.c:970 lib/luks1/keymanage.c:236 lib/luks1/keymanage.c:514
+#: lib/luks2/luks2_json_metadata.c:1361 src/cryptsetup.c:1874
+#: src/cryptsetup.c:2055 src/cryptsetup.c:2110 src/cryptsetup.c:2315
+#: src/cryptsetup.c:2485 src/cryptsetup.c:2766 src/cryptsetup.c:3073
+#: src/cryptsetup.c:3141 src/utils_reencrypt.c:1485
+#: src/utils_reencrypt_luks1.c:1139 tokens/ssh/cryptsetup-ssh.c:72
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "%s 不是有效的 LUKS 设备。"
 
-#: lib/setup.c:984 lib/luks1/keymanage.c:530
+#: lib/setup.c:973 lib/luks1/keymanage.c:517
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "不支持的 LUKS 版本 %d。"
 
-#: lib/setup.c:1357
-#, fuzzy, c-format
-#| msgid "No known cipher specification pattern detected.\n"
+#: lib/setup.c:1346
+#, c-format
 msgid "No known cipher specification pattern detected for active device %s."
-msgstr "未探测到已知的密文特征。\n"
+msgstr "未在活动设备 %s 上探测到已知的加密方法标记特征。"
 
-#: lib/setup.c:1603 lib/setup.c:3306 lib/setup.c:3388 lib/setup.c:3400
-#: lib/setup.c:3570 lib/setup.c:5721
+#: lib/setup.c:1592 lib/setup.c:3326 lib/setup.c:3408 lib/setup.c:3420
+#: lib/setup.c:3590 lib/setup.c:6004
 #, c-format
 msgid "Device %s is not active."
 msgstr "设备 %s 未激活。"
 
-#: lib/setup.c:1620
+#: lib/setup.c:1609
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "加密设备 %s 下层的设备消失了。"
 
-#: lib/setup.c:1702
+#: lib/setup.c:1691
 msgid "Invalid plain crypt parameters."
 msgstr "无效的纯加密选项。"
 
-#: lib/setup.c:1707 lib/setup.c:2669
+#: lib/setup.c:1696 lib/setup.c:2689
 msgid "Invalid key size."
 msgstr "无效的密钥大小。"
 
-#: lib/setup.c:1712 lib/setup.c:2674 lib/setup.c:2877
+#: lib/setup.c:1701 lib/setup.c:2694 lib/setup.c:2897
 msgid "UUID is not supported for this crypt type."
 msgstr "此加密类型不支持 UUID。"
 
-#: lib/setup.c:1717 lib/setup.c:2679
-#, fuzzy
-#| msgid "UUID is not supported for this crypt type."
+#: lib/setup.c:1706 lib/setup.c:2699
 msgid "Detached metadata device is not supported for this crypt type."
-msgstr "此加密类型不支持 UUID。"
+msgstr "此 crypt 类型不支持分开的元数据设备。"
 
-#: lib/setup.c:1727 lib/setup.c:1962 lib/luks2/luks2_reencrypt.c:3012
-#: src/cryptsetup.c:1467 src/cryptsetup.c:3726
+#: lib/setup.c:1716 lib/setup.c:1957 lib/luks2/luks2_reencrypt.c:3014
+#: src/cryptsetup.c:1471 src/cryptsetup.c:3842
 msgid "Unsupported encryption sector size."
 msgstr "不支持的加密扇区大小。"
 
-#: lib/setup.c:1735 lib/setup.c:1991 lib/setup.c:3655
-#, fuzzy
-#| msgid "Device %s size is not aligned to requested sector size (%u bytes)."
+#: lib/setup.c:1724 lib/setup.c:1986 lib/setup.c:3675
 msgid "Device size is not aligned to requested sector size."
-msgstr "设备 %s 的大小没有和请求的扇区大小对齐（%u 字节）。"
+msgstr "设备的大小没有和请求的扇区大小对齐。"
 
-#: lib/setup.c:1787 lib/setup.c:2024 lib/setup.c:2355
+#: lib/setup.c:1776 lib/setup.c:2019 lib/setup.c:2365
 msgid "Can't format LUKS without device."
 msgstr "无法在没有设备的情况下格式化 LUKS。"
 
-#: lib/setup.c:1793 lib/setup.c:2030 lib/setup.c:2361
+#: lib/setup.c:1781 lib/setup.c:2024
+#, c-format
+msgid "Zoned device %s cannot be used for LUKS header."
+msgstr "分区 zoned 设备 %s 不能用于 LUKS 标头。"
+
+#: lib/setup.c:1788 lib/setup.c:2031 lib/setup.c:2371
 msgid "Requested data alignment is not compatible with data offset."
-msgstr ""
+msgstr "请求的数据对齐量与数据偏移量不兼容。"
 
-#: lib/setup.c:1833 lib/setup.c:2048
+#: lib/setup.c:1828 lib/setup.c:2049
 msgid "WARNING: DAX device can corrupt data as it does not guarantee atomic sector updates.\n"
-msgstr ""
+msgstr "警告：DAX 设备可能会损坏数据，因为它不保证原子扇区更新。\n"
 
-#: lib/setup.c:1871 lib/setup.c:2143 lib/setup.c:2164 lib/setup.c:2539
-#: lib/setup.c:2579 lib/setup.c:2889
+#: lib/setup.c:1866 lib/setup.c:2144 lib/setup.c:2165 lib/setup.c:2549
+#: lib/setup.c:2596 lib/setup.c:2909
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "无法将设备 %s 上的标头擦除。"
 
-#: lib/setup.c:1884 lib/setup.c:2203
+#: lib/setup.c:1879 lib/setup.c:2204
 #, c-format
 msgid "Device %s is too small for activation, there is no remaining space for data.\n"
-msgstr ""
+msgstr "设备%s太小而无法激活：没有剩下空间给数据。\n"
 
-#: lib/setup.c:1924
+#: lib/setup.c:1919
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "卷密钥对于带完整性校验扩展的加密而言过小。"
 
-#: lib/setup.c:1933
-#, fuzzy, c-format
-#| msgid "Cipher %s is not available.\n"
+#: lib/setup.c:1928
+#, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
-msgstr "密文 %s 不可用。\n"
+msgstr "加密方法 %s-%s（%zd 位密钥）不可用。"
 
-#: lib/setup.c:1972
+#: lib/setup.c:1967
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
-msgstr ""
+msgstr "警告：设备激活将会失败，dm-crypt 不支持请求的加密扇区大小。\n"
 
-#: lib/setup.c:2146 lib/setup.c:2482 lib/setup.c:2542 lib/utils_device.c:917
-#: lib/luks1/keyencryption.c:255 lib/luks2/luks2_reencrypt.c:3080
-#: lib/luks2/luks2_reencrypt.c:4364
+#: lib/setup.c:2147 lib/setup.c:2492 lib/setup.c:2552 lib/utils_device.c:904
+#: lib/luks1/keyencryption.c:242 lib/luks2/luks2_reencrypt.c:3082
+#: lib/luks2/luks2_reencrypt.c:4367
 #, c-format
 msgid "Device %s is too small."
 msgstr "设备 %s 太小。"
 
-#: lib/setup.c:2157 lib/setup.c:2183 lib/setup.c:2572 lib/setup.c:2618
+#: lib/setup.c:2158 lib/setup.c:2184 lib/setup.c:2589 lib/setup.c:2635
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "无法格式化正在使用的设备 %s。"
 
-#: lib/setup.c:2160 lib/setup.c:2186 lib/setup.c:2575 lib/setup.c:2621
+#: lib/setup.c:2161 lib/setup.c:2187 lib/setup.c:2592 lib/setup.c:2638
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "无法格式化设备 %s，权限被拒绝。"
 
-#: lib/setup.c:2172 lib/setup.c:2592 lib/setup.c:2949
-#, fuzzy, c-format
-#| msgid "Cannot write device %s.\n"
+#: lib/setup.c:2173 lib/setup.c:2609 lib/setup.c:2969
+#, c-format
 msgid "Cannot format integrity for device %s."
-msgstr "无法写入设备 %s。\n"
+msgstr "无法格式化设备 %s 的完整性。"
 
-#: lib/setup.c:2190 lib/setup.c:2629
+#: lib/setup.c:2191 lib/setup.c:2646
 #, c-format
 msgid "Cannot format device %s."
 msgstr "无法格式化设备 %s。"
 
-#: lib/setup.c:2233
+#: lib/setup.c:2234
 msgid "Cannot get OPAL alignment parameters."
-msgstr ""
+msgstr "无法获取 OPAL 对齐参数。"
 
-#: lib/setup.c:2242
+#: lib/setup.c:2246
 msgid "Bogus OPAL logical block size."
-msgstr ""
+msgstr "伪造的 OPAL 逻辑块大小。"
+
+#: lib/setup.c:2251 lib/luks2/hw_opal/hw_opal.c:299
+msgid "Bogus OPAL logical block size differs from device block size."
+msgstr "伪造的 OPAL 逻辑块大小与设备块大小不同。"
 
-#: lib/setup.c:2248
+#: lib/setup.c:2257
 msgid "Requested data offset is not compatible with OPAL block size."
-msgstr ""
+msgstr "请求的数据偏移量与 OPAL 块大小不兼容。"
 
-#: lib/setup.c:2255
+#: lib/setup.c:2264
 msgid "Requested data alignment is not compatible with OPAL alignment."
-msgstr ""
+msgstr "请求的数据对齐量与 OPAL 对齐量不兼容。"
 
-#: lib/setup.c:2275
+#: lib/setup.c:2284
 msgid "Data offset does not satisfy OPAL alignment requirements."
-msgstr ""
+msgstr "数据偏移量不满足 OPAL 对齐要求。"
 
-#: lib/setup.c:2288
+#: lib/setup.c:2297
 msgid "Requested data alignment does not satisfy locking range alignment requirements."
-msgstr ""
+msgstr "请求的数据对齐量不满足锁定范围对齐要求。"
 
-#: lib/setup.c:2492
+#: lib/setup.c:2502
 #, c-format
 msgid "Compensating device size by %<PRIu64> sectors to align it with OPAL alignment granularity."
-msgstr ""
+msgstr "将设备大小补偿%<PRIu64>，以和OPAL对齐量达成一致。"
+
+#: lib/setup.c:2560 lib/setup.c:4078 lib/setup.c:4261 lib/utils_wipe.c:355
+#: lib/luks2/luks2_json_metadata.c:2690 lib/luks2/luks2_json_metadata.c:2942
+#, c-format
+msgid "Failed to acquire OPAL lock on device %s."
+msgstr "未能获取设备 %s 上的 OPAL 锁。"
 
-#: lib/setup.c:2553
+#: lib/setup.c:2570
 msgid "Incorrect OPAL Admin key."
-msgstr "OPAL 管理密钥不正确。"
+msgstr "OPAL 管理员密钥不正确。"
 
-#: lib/setup.c:2555
+#: lib/setup.c:2572
 msgid "Cannot setup OPAL segment."
-msgstr ""
+msgstr "无法设置 OPAL 段。"
 
-#: lib/setup.c:2625
-#, fuzzy, c-format
-#| msgid "Cannot format device %s, permission denied."
+#: lib/setup.c:2642
+#, c-format
 msgid "Cannot format device %s, OPAL device seems to be fully write-protected now."
-msgstr "无法格式化设备 %s，权限被拒绝。"
+msgstr "无法格式化设备%s。OPAL 设备现在似乎完全写保护。"
 
-#: lib/setup.c:2627
+#: lib/setup.c:2644
 msgid "This is perhaps a bug in firmware. Run OPAL PSID reset and reconnect for recovery."
-msgstr ""
+msgstr "这可能是固件中的一个设计错误。运行 OPAL PSID reset（重置）并重新连接以进行恢复。"
 
-#: lib/setup.c:2645
+#: lib/setup.c:2664
 #, c-format
 msgid "Locking range %d reset on device %s failed."
-msgstr ""
+msgstr "在设备 %2$s 上重置锁定范围 %1$d 失败。"
 
-#: lib/setup.c:2664
+#: lib/setup.c:2684
 msgid "Can't format LOOPAES without device."
 msgstr "无法在没有设备的情况下格式化 LOOPAES。"
 
-#: lib/setup.c:2709
+#: lib/setup.c:2729
 msgid "Can't format VERITY without device."
 msgstr "无法在没有设备的情况下格式化 VERIFY。"
 
-#: lib/setup.c:2720 lib/verity/verity.c:101
+#: lib/setup.c:2740 lib/verity/verity.c:88
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "不支持的 VERITY 哈希类型 %d。"
 
-#: lib/setup.c:2726 lib/verity/verity.c:109
+#: lib/setup.c:2746 lib/verity/verity.c:96
 msgid "Unsupported VERITY block size."
 msgstr "不支持的 VERITY 块大小。"
 
-#: lib/setup.c:2731 lib/verity/verity.c:74
+#: lib/setup.c:2751 lib/verity/verity.c:61
 msgid "Unsupported VERITY hash offset."
 msgstr "不支持的 VERITY 哈希偏移量。"
 
-#: lib/setup.c:2736
+#: lib/setup.c:2756
 msgid "Unsupported VERITY FEC offset."
 msgstr "不支持的 VERITY 哈希偏移量。"
 
-#: lib/setup.c:2760
+#: lib/setup.c:2780
 msgid "Data area overlaps with hash area."
 msgstr "数据区域重叠覆盖了哈希区域。"
 
-#: lib/setup.c:2785
+#: lib/setup.c:2805
 msgid "Hash area overlaps with FEC area."
 msgstr "哈希区域重叠覆盖了 FEC 区域。"
 
-#: lib/setup.c:2792
+#: lib/setup.c:2812
 msgid "Data area overlaps with FEC area."
 msgstr "数据区域重叠覆盖了 FEC 区域。"
 
-#: lib/setup.c:2928
+#: lib/setup.c:2948
 #, c-format
 msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
-msgstr ""
+msgstr "警告：请求的标签大小 %d 字节与 %s 大小输出（%d 字节）不同。\n"
 
-#: lib/setup.c:3007
+#: lib/setup.c:3027
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "请求了未知的加密设备类型 %s。"
 
-#: lib/setup.c:3314 lib/setup.c:3393 lib/setup.c:3406
-#, fuzzy, c-format
-#| msgid "Cannot wipe header on device %s."
+#: lib/setup.c:3334 lib/setup.c:3413 lib/setup.c:3426
+#, c-format
 msgid "Unsupported parameters on device %s."
-msgstr "无法将设备 %s 上的标头擦除。"
+msgstr "不支持设备 %s 上的参数。"
 
-#: lib/setup.c:3320 lib/setup.c:3413 lib/luks2/luks2_reencrypt.c:2908
-#: lib/luks2/luks2_reencrypt.c:3145 lib/luks2/luks2_reencrypt.c:3540
-#, fuzzy, c-format
-#| msgid "Cannot wipe header on device %s."
+#: lib/setup.c:3340 lib/setup.c:3433 lib/luks2/luks2_reencrypt.c:2910
+#: lib/luks2/luks2_reencrypt.c:3147 lib/luks2/luks2_reencrypt.c:3542
+#, c-format
 msgid "Mismatching parameters on device %s."
-msgstr "无法将设备 %s 上的标头擦除。"
+msgstr "设备 %s 上的参数不匹配。"
 
-#: lib/setup.c:3437
+#: lib/setup.c:3457
 msgid "Crypt devices mismatch."
-msgstr ""
+msgstr "Crypt（加密）设备不匹配。"
 
-#: lib/setup.c:3474 lib/setup.c:3479 lib/luks2/luks2_reencrypt.c:2390
-#: lib/luks2/luks2_reencrypt.c:2924 lib/luks2/luks2_reencrypt.c:4109
+#: lib/setup.c:3494 lib/setup.c:3499 lib/luks2/luks2_reencrypt.c:2392
+#: lib/luks2/luks2_reencrypt.c:2926 lib/luks2/luks2_reencrypt.c:4111
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "重新加载设备 %s 失败。"
 
-#: lib/setup.c:3485 lib/setup.c:3491 lib/luks2/luks2_reencrypt.c:2361
-#: lib/luks2/luks2_reencrypt.c:2368 lib/luks2/luks2_reencrypt.c:2938
-#, fuzzy, c-format
-#| msgid "Failed to acquire read lock on device %s."
+#: lib/setup.c:3505 lib/setup.c:3511 lib/luks2/luks2_reencrypt.c:2363
+#: lib/luks2/luks2_reencrypt.c:2370 lib/luks2/luks2_reencrypt.c:2940
+#, c-format
 msgid "Failed to suspend device %s."
-msgstr "无法获取设备 %s 的读取锁。"
+msgstr "挂起设备 %s 失败。"
 
-#: lib/setup.c:3497 lib/luks2/luks2_reencrypt.c:2375
-#: lib/luks2/luks2_reencrypt.c:2959 lib/luks2/luks2_reencrypt.c:4022
-#: lib/luks2/luks2_reencrypt.c:4113
-#, fuzzy, c-format
-#| msgid "Failed to open temporary keystore device.\n"
+#: lib/setup.c:3517 lib/luks2/luks2_reencrypt.c:2377
+#: lib/luks2/luks2_reencrypt.c:2961 lib/luks2/luks2_reencrypt.c:4024
+#: lib/luks2/luks2_reencrypt.c:4115
+#, c-format
 msgid "Failed to resume device %s."
-msgstr "打开临时密钥存储设备失败。\n"
+msgstr "恢复设备 %s 失败。"
 
-#: lib/setup.c:3512
+#: lib/setup.c:3532
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
-msgstr ""
+msgstr "重新加载设备 %s（在设备 %s 之上）时出现致命错误。"
 
-#: lib/setup.c:3515 lib/setup.c:3517
-#, fuzzy, c-format
-#| msgid "Failed to acquire write lock on device %s."
+#: lib/setup.c:3535 lib/setup.c:3537
+#, c-format
 msgid "Failed to switch device %s to dm-error."
-msgstr "无法获取设备 %s 上的写入锁。"
+msgstr "未能将设备 %s 切换到 dm-error。"
 
-#: lib/setup.c:3557
-#, fuzzy
-#| msgid "Cannot check password quality: %s\n"
+#: lib/setup.c:3577
 msgid "Can not resize LUKS2 device with static size."
-msgstr "无法检查密码质量：%s\n"
+msgstr "无法用静态大小改变 LUKS2 设备的大小。"
 
-#: lib/setup.c:3602
+#: lib/setup.c:3622
 msgid "Cannot resize loop device."
 msgstr "无法改变回环设备大小。"
 
-#: lib/setup.c:3646
+#: lib/setup.c:3666
 msgid "WARNING: Maximum size already set or kernel doesn't support resize.\n"
-msgstr ""
+msgstr "警告：已设置到最大大小或内核不支持调整大小。\n"
 
-#: lib/setup.c:3712
+#: lib/setup.c:3732
 msgid "Resize failed, the kernel doesn't support it."
-msgstr ""
+msgstr "改变大小失败，内核不支持此操作。"
 
-#: lib/setup.c:3744
+#: lib/setup.c:3764
 msgid "Do you really want to change UUID of device?"
 msgstr "你真的想改变设备的 UUID 吗？"
 
-#: lib/setup.c:3836
+#: lib/setup.c:3856
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "标头备份文件不包含兼容的 LUKS 标头。"
 
-#: lib/setup.c:3944
+#: lib/setup.c:3966
 #, c-format
 msgid "Volume %s is not active."
 msgstr "卷 %s 未激活。"
 
-#: lib/setup.c:4010
+#: lib/setup.c:4032
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "卷 %s 已挂起。"
 
-#: lib/setup.c:4038
+#: lib/setup.c:4060
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "设备 %s 不支持挂起。"
 
-#: lib/setup.c:4040 lib/setup.c:4048
+#: lib/setup.c:4062 lib/setup.c:4070
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "挂起设备 %s 时出错。"
 
-#: lib/setup.c:4054
+#: lib/setup.c:4084
 #, c-format
 msgid "Device %s was suspended but hardware OPAL device cannot be locked."
-msgstr ""
+msgstr "设备 %s 已挂起，但无法锁定硬件 OPAL 设备。"
 
-#: lib/setup.c:4085 lib/setup.c:4222
+#: lib/setup.c:4116 lib/setup.c:4288
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "设备 %s 不支持恢复。"
 
-#: lib/setup.c:4087 lib/setup.c:4213 lib/setup.c:4224
+#: lib/setup.c:4118 lib/setup.c:4279 lib/setup.c:4290
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "恢复设备 %s 时出错。"
 
-#: lib/setup.c:4110
-#, fuzzy
-#| msgid "Failed to load key in kernel keyring."
-msgid "Failed to link key to the specified keyring."
-msgstr "在内核密钥环中加载密钥失败。"
-
-#: lib/setup.c:4129
-#, fuzzy
-#| msgid "Failed to load key in kernel keyring."
+#: lib/setup.c:4137
 msgid "Failed to unlink volume key from user specified keyring."
-msgstr "在内核密钥环中加载密钥失败。"
+msgstr "未能在用户指定的密钥环移除卷密钥链接。"
 
-#: lib/setup.c:4191 lib/setup.c:4905 lib/setup.c:5515
-#, fuzzy
-#| msgid "Failed to load key in kernel keyring."
+#: lib/setup.c:4252 lib/setup.c:4974 lib/setup.c:5796
 msgid "Failed to link volume key in user defined keyring."
-msgstr "在内核密钥环中加载密钥失败。"
+msgstr "未能在用户指定的密钥环链入卷密钥。"
 
-#: lib/setup.c:4284 src/cryptsetup.c:2755
+#: lib/setup.c:4353 src/cryptsetup.c:2848
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "卷 %s 未挂起。"
 
-#: lib/setup.c:4385 lib/setup.c:5281 lib/setup.c:5288 lib/setup.c:7142
-#: lib/setup.c:7164 lib/setup.c:7213 src/cryptsetup.c:2265
+#: lib/setup.c:4454 lib/setup.c:5114 lib/setup.c:5532 lib/setup.c:5551
+#: lib/setup.c:7425 lib/setup.c:7447 lib/setup.c:7496 src/cryptsetup.c:2358
 msgid "Volume key does not match the volume."
 msgstr "卷密钥与卷不匹配。"
 
-#: lib/setup.c:4539
+#: lib/setup.c:4608
 msgid "Failed to swap new key slot."
 msgstr "交换新密钥槽失败。"
 
-#: lib/setup.c:4637
+#: lib/setup.c:4706
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "密钥槽 %d 无效。"
 
-#: lib/setup.c:4643 src/cryptsetup.c:1975 src/cryptsetup.c:2467
-#: src/cryptsetup.c:3149 src/cryptsetup.c:3209
-#, fuzzy, c-format
-#| msgid "Key slot %d is not used.\n"
+#: lib/setup.c:4712 src/cryptsetup.c:2068 src/cryptsetup.c:2560
+#: src/cryptsetup.c:3241 src/cryptsetup.c:3301
+#, c-format
 msgid "Keyslot %d is not active."
-msgstr "密钥槽 %d 未使用。\n"
+msgstr "密钥槽 %d 未激活。"
 
-#: lib/setup.c:4662
-#, fuzzy
-#| msgid "Data area overlaps with hash area."
+#: lib/setup.c:4731
 msgid "Device header overlaps with data area."
-msgstr "数据区域重叠覆盖了哈希区域。"
+msgstr "设备标头与数据区域重叠。"
 
-#: lib/setup.c:5012
-#, fuzzy
-#| msgid "Reencryption already in-progress."
+#: lib/setup.c:5084 lib/setup.c:5184
 msgid "Reencryption in-progress. Cannot activate device."
-msgstr "重加密已在进行中。"
+msgstr "正在重新加密。无法激活设备。"
 
-#: lib/setup.c:5014 lib/luks2/luks2_json_metadata.c:2847
-#: lib/luks2/luks2_reencrypt.c:3646
+#: lib/setup.c:5086 lib/setup.c:5186 lib/luks2/luks2_json_metadata.c:2848
+#: lib/luks2/luks2_reencrypt.c:3648
 msgid "Failed to get reencryption lock."
 msgstr "获取重加密锁失败。"
 
-#: lib/setup.c:5027 lib/luks2/luks2_reencrypt.c:3665
+#: lib/setup.c:5098
+msgid "LUKS2 reencryption recovery using volume key(s) failed."
+msgstr "使用卷密钥进行 LUKS2 重加密恢复失败。"
+
+#: lib/setup.c:5150 lib/setup.c:5240
+msgid "Failed to link volume keys in user defined keyring."
+msgstr "在内核密钥环中链入密钥失败。"
+
+#: lib/setup.c:5199 lib/luks2/luks2_reencrypt.c:3667
 msgid "LUKS2 reencryption recovery failed."
 msgstr "LUKS2 重加密恢复失败。"
 
-#: lib/setup.c:5199 lib/setup.c:5299 lib/setup.c:5357
+#: lib/setup.c:5448 lib/setup.c:5562 lib/setup.c:5619
 msgid "Device type is not properly initialized."
 msgstr "设备类型未正确初始化。"
 
-#: lib/setup.c:5254
+#: lib/setup.c:5503
 #, c-format
 msgid "Device %s already exists."
 msgstr "设备 %s 已存在。"
 
-#: lib/setup.c:5261
+#: lib/setup.c:5510
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "无法使用设备 %s，名称无效或它正被使用。"
 
-#: lib/setup.c:5277
+#: lib/setup.c:5528
 msgid "Incorrect volume key specified for plain device."
 msgstr "为普通设备指定的卷密钥有误。"
 
-#: lib/setup.c:5390
+#: lib/setup.c:5542
+msgid "Reencryption volume keys do not match the volume."
+msgstr "重新加密卷密钥与卷不匹配。"
+
+#: lib/setup.c:5655
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "该内核不支持内核密钥环。"
 
-#: lib/setup.c:5394
-#, fuzzy
-#| msgid "Kernel keyring is not supported by the kernel."
+#: lib/setup.c:5659
 msgid "Kernel keyring missing: required for passing signature to kernel."
-msgstr "该内核不支持内核密钥环。"
+msgstr "缺少内核密钥环：此为将签名传递给内核所必需。"
 
-#: lib/setup.c:5634
+#: lib/setup.c:5917
 msgid "Incorrect root hash specified for verity device."
 msgstr "为 verity 设备指定的根 hash 不正确。"
 
-#: lib/setup.c:5677
+#: lib/setup.c:5960
 msgid "OPAL does not support deferred deactivation."
-msgstr ""
+msgstr "OPAL 不支持延迟停用。"
 
-#: lib/setup.c:5693
-#, fuzzy, c-format
-#| msgid "Failed to acquire read lock on device %s."
+#: lib/setup.c:5976
+#, c-format
 msgid "Could not cancel deferred remove from device %s."
-msgstr "无法获取设备 %s 的读取锁。"
+msgstr "无法取消从设备 %s 的延迟删除。"
 
-#: lib/setup.c:5700 lib/setup.c:5716 lib/luks2/luks2_json_metadata.c:2901
-#: src/utils_reencrypt.c:116
+#: lib/setup.c:5983 lib/setup.c:5999 lib/luks2/luks2_json_metadata.c:2902
+#: src/utils_reencrypt.c:103
 #, c-format
 msgid "Device %s is still in use."
 msgstr "设备 %s 仍在使用。"
 
-#: lib/setup.c:5725
+#: lib/setup.c:6008
 #, c-format
 msgid "Invalid device %s."
 msgstr "设备 %s 无效。"
 
-#: lib/setup.c:5865
+#: lib/setup.c:6148
 msgid "Volume key buffer too small."
 msgstr "卷密钥缓冲区太小。"
 
-#: lib/setup.c:5882
-#, fuzzy
-#| msgid "Cannot retrieve volume key for plain device."
+#: lib/setup.c:6165
 msgid "Cannot retrieve volume key for LUKS2 device."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法获取 LUKS2 设备的卷密钥。"
 
-#: lib/setup.c:5891
-#, fuzzy
-#| msgid "Cannot retrieve volume key for plain device."
+#: lib/setup.c:6174
 msgid "Cannot retrieve volume key for LUKS1 device."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法获取 LUKS1 普通设备的卷密钥。"
 
-#: lib/setup.c:5901
+#: lib/setup.c:6184
 msgid "Cannot retrieve volume key for plain device."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法获取普通（plain）设备的卷密钥。"
 
-#: lib/setup.c:5909
-#, fuzzy
-#| msgid "Incorrect root hash specified for verity device."
+#: lib/setup.c:6192
 msgid "Cannot retrieve root hash for verity device."
-msgstr "为 verity 设备指定的根 hash 不正确。"
+msgstr "无法获取 verity 设备的根哈希。"
 
-#: lib/setup.c:5916
-#, fuzzy
-#| msgid "Cannot retrieve volume key for plain device."
+#: lib/setup.c:6199
 msgid "Cannot retrieve volume key for BITLK device."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法获取 BITLK 设备的卷密钥。"
 
-#: lib/setup.c:5921
-#, fuzzy
-#| msgid "Cannot retrieve volume key for plain device."
+#: lib/setup.c:6204
 msgid "Cannot retrieve volume key for FVAULT2 device."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法获取 FVAULT2 设备的卷密钥。"
 
-#: lib/setup.c:5923
+#: lib/setup.c:6206
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "不支持在 %s 加密设备上执行此操作。"
 
-#: lib/setup.c:6107 lib/setup.c:6118
+#: lib/setup.c:6390 lib/setup.c:6401
 msgid "Dump operation is not supported for this device type."
 msgstr "不支持在此类设备上执行导出操作。"
 
-#: lib/setup.c:6477
+#: lib/setup.c:6760
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
-msgstr ""
+msgstr "数据偏移量不是 %u 个字节的倍数。"
 
-#: lib/setup.c:6785
+#: lib/setup.c:7068
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "无法转换正在使用的设备 %s。"
 
-#: lib/setup.c:7083 lib/setup.c:7222
+#: lib/setup.c:7366 lib/setup.c:7505
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "将密钥槽 %u 指定为新卷密钥的操作失败。"
 
-#: lib/setup.c:7107
-#, fuzzy
-#| msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:7390
 msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "初始化默认 LUKS2 密钥槽参数失败。"
 
-#: lib/setup.c:7113
-#, fuzzy, c-format
-#| msgid "Failed to swap new key slot.\n"
+#: lib/setup.c:7396
+#, c-format
 msgid "Failed to assign keyslot %d to digest."
-msgstr "交换新密钥槽失败。\n"
+msgstr "未能将密钥槽 %d 分配给摘要。"
 
-#: lib/setup.c:7338
+#: lib/setup.c:7621
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "无法添加密钥槽，所有密钥槽已禁用且未提供卷密钥。"
 
-#: lib/setup.c:7407 lib/verity/verity.c:343
+#: lib/setup.c:7690 lib/verity/verity.c:330
 msgid "Failed to load key in kernel keyring."
 msgstr "在内核密钥环中加载密钥失败。"
 
-#: lib/setup.c:7525
-#, fuzzy
-#| msgid "Failed to load key in kernel keyring."
+#: lib/setup.c:7808
 msgid "Failed to unlink volume key from thread keyring."
-msgstr "在内核密钥环中加载密钥失败。"
+msgstr "在内核密钥环中断联卷密钥失败。"
 
-#: lib/setup.c:7549
+#: lib/setup.c:7852
 #, c-format
 msgid "Could not find keyring described by \"%s\"."
-msgstr ""
+msgstr "找不到“%s”描述的密钥环。"
 
-#: lib/setup.c:7608
+#: lib/setup.c:7917
 msgid "Failed to acquire global memory-hard access serialization lock."
-msgstr ""
+msgstr "未能获取全局内存困难访问序列化锁。"
 
-#: lib/utils.c:205 lib/tcrypt/tcrypt.c:503
+#: lib/utils.c:202 lib/tcrypt/tcrypt.c:490
 msgid "Failed to open key file."
 msgstr "打开 (open) 密钥文件失败。"
 
-#: lib/utils.c:210
+#: lib/utils.c:207
 msgid "Cannot read keyfile from a terminal."
 msgstr "无法从终端读取密钥文件。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/utils.c:226
+#: lib/utils.c:223
 msgid "Failed to stat key file."
 msgstr "获取 (stat) 密钥文件信息失败。"
 
-#: lib/utils.c:234 lib/utils.c:255
+#: lib/utils.c:231 lib/utils.c:252
 msgid "Cannot seek to requested keyfile offset."
 msgstr "无法寻找 (seek) 到请求的密钥文件偏移量。"
 
-#: lib/utils.c:249 lib/utils.c:264 src/utils_password.c:226
-#: src/utils_password.c:238
+#: lib/utils.c:246 lib/utils.c:261 src/utils_password.c:216
+#: src/utils_password.c:228
 msgid "Out of memory while reading passphrase."
 msgstr "读取密码时内存耗尽。"
 
-#: lib/utils.c:284
+#: lib/utils.c:281
 msgid "Error reading passphrase."
 msgstr "读取口令出错。"
 
-#: lib/utils.c:301
+#: lib/utils.c:298
 msgid "Nothing to read on input."
-msgstr ""
+msgstr "输入上没有可读的内容。"
 
-#: lib/utils.c:308
+#: lib/utils.c:305
 msgid "Maximum keyfile size exceeded."
 msgstr "超出最大密钥文件大小。"
 
-#: lib/utils.c:313
+#: lib/utils.c:310
 msgid "Cannot read requested amount of data."
 msgstr "无法读取请求量的数据。"
 
-#: lib/utils_device.c:213 lib/utils_storage_wrappers.c:110
-#: lib/luks1/keyencryption.c:91 src/utils_reencrypt.c:1461
-#, fuzzy, c-format
-#| msgid "Device %s doesn't exist or access denied."
+#: lib/utils_device.c:200 lib/utils_storage_wrappers.c:97
+#: lib/luks1/keyencryption.c:78 src/utils_reencrypt.c:1458
+#, c-format
 msgid "Device %s does not exist or access denied."
 msgstr "设备 %s 不存在或访问被拒绝。"
 
-#: lib/utils_device.c:223
-#, fuzzy, c-format
-#| msgid "Device %s is not active."
+#: lib/utils_device.c:210
+#, c-format
 msgid "Device %s is not compatible."
-msgstr "设备 %s 未激活。"
+msgstr "设备 %s 不兼容。"
 
-#: lib/utils_device.c:567
+#: lib/utils_device.c:554
 #, c-format
 msgid "Ignoring bogus optimal-io size for data device (%u bytes)."
-msgstr ""
+msgstr "忽略数据设备的虚假最佳 IO 大小（%u 字节）。"
 
-#: lib/utils_device.c:728
-#, fuzzy, c-format
-#| msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
+#: lib/utils_device.c:715
+#, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
-msgstr "设备 %s 过小。（LUKS1 需要至少 %<PRIu64> 字节。）"
+msgstr "设备 %s 过小。（需要至少 %<PRIu64> 字节。）"
 
-#: lib/utils_device.c:809
+#: lib/utils_device.c:796
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "无法使用正被使用的设备 %s（已被映射或挂载）。"
 
-#: lib/utils_device.c:813
+#: lib/utils_device.c:800
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "无法使用设备 %s，权限被拒绝。"
 
-#: lib/utils_device.c:816
+#: lib/utils_device.c:803
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "无法获取有关设备 %s 的信息。"
 
-#: lib/utils_device.c:839
+#: lib/utils_device.c:826
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "无法使用回环设备，正作为非 root 用户运行。"
 
-#: lib/utils_device.c:850
+#: lib/utils_device.c:837
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "连接回环设备失败（需要有 autoclear 旗标的回环设备）。"
 
-#: lib/utils_device.c:898
+#: lib/utils_device.c:885
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "请求的偏移量超出设备 %s 的真实大小。"
 
-#: lib/utils_device.c:906
+#: lib/utils_device.c:893
 #, c-format
 msgid "Device %s has zero size."
 msgstr "设备 %s 大小为零。"
 
-#: lib/utils_pbkdf.c:116
-#, fuzzy
-#| msgid "Requested PBKDF target time can not be zero."
+#: lib/utils_pbkdf.c:103
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "请求的 PBKDF 目标时间不能为零。"
 
-#: lib/utils_pbkdf.c:122
+#: lib/utils_pbkdf.c:109
 #, c-format
 msgid "Unknown PBKDF type %s."
 msgstr "未知的 PBKDF 类型 %s。"
 
-#: lib/utils_pbkdf.c:127
-#, fuzzy, c-format
-#| msgid "Requested LUKS hash %s is not supported."
+#: lib/utils_pbkdf.c:114
+#, c-format
 msgid "Requested hash %s is not supported."
-msgstr "不支持请求的 LUKS 哈希 %s。"
+msgstr "不支持请求的哈希 %s。"
 
-#: lib/utils_pbkdf.c:138
+#: lib/utils_pbkdf.c:125
 msgid "Requested PBKDF type is not supported for LUKS1."
 msgstr "请求的 PBKDF 类型不被 LUKS1 支持。"
 
-#: lib/utils_pbkdf.c:144
+#: lib/utils_pbkdf.c:131
 msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
-msgstr ""
+msgstr "pbkdf2 不可以设置最大内存和并行线程。"
 
-#: lib/utils_pbkdf.c:149 lib/utils_pbkdf.c:159
+#: lib/utils_pbkdf.c:136 lib/utils_pbkdf.c:146
 #, c-format
 msgid "Forced iteration count is too low for %s (minimum is %u)."
-msgstr ""
+msgstr "强制迭代计数对于%s来说太低（最小值为 %u）。"
 
-#: lib/utils_pbkdf.c:164
+#: lib/utils_pbkdf.c:151
 #, c-format
 msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
-msgstr ""
+msgstr "强制内存成本对于%s来说太低（最小值为 %u KB）。"
 
-#: lib/utils_pbkdf.c:171
+#: lib/utils_pbkdf.c:158
 #, c-format
 msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
 msgstr "请求的最大 PBKDF 内存开销过大（最大为 %d 千字节）。"
 
-#: lib/utils_pbkdf.c:176
-#, fuzzy
-#| msgid "Requested maximum PBKDF memory can not be zero."
+#: lib/utils_pbkdf.c:163
 msgid "Requested maximum PBKDF memory cannot be zero."
-msgstr "请求的最大 PBKDF 内存使用量不能为零。"
+msgstr "请求的最大 PBKDF 内存不能为零。"
 
-#: lib/utils_pbkdf.c:180
-#, fuzzy
-#| msgid "Requested PBKDF parallel threads can not be zero."
+#: lib/utils_pbkdf.c:167
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "请求的 PBKDF 并行线程数不能为零。"
 
-#: lib/utils_pbkdf.c:200
+#: lib/utils_pbkdf.c:187
 msgid "Only PBKDF2 is supported in FIPS mode."
-msgstr ""
+msgstr "FIPS 模式仅支持 PBKDF2。"
 
-#: lib/utils_benchmark.c:184
+#: lib/utils_benchmark.c:171
 msgid "PBKDF benchmark disabled but iterations not set."
-msgstr ""
+msgstr "PBKDF 基准测试已禁用，但未设置迭代数。"
 
-#: lib/utils_benchmark.c:203
+#: lib/utils_benchmark.c:190
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "PBKDF2 选项不兼容（正在使用哈希算法 %s）。"
 
-#: lib/utils_benchmark.c:223
+#: lib/utils_benchmark.c:210
 msgid "Not compatible PBKDF options."
 msgstr "PBKDF2 选项不兼容。"
 
-#: lib/utils_device_locking.c:101
+#: lib/utils_device_locking.c:88
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "锁定中止。锁定路径 %s/%s 不可用（不是一个目录或缺失）。"
 
-#: lib/utils_device_locking.c:118
+#: lib/utils_device_locking.c:105
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "锁定中止。锁定路径 %s/%s 不可用（%s 不是目录）。"
 
-#: lib/utils_wipe.c:156 lib/utils_wipe.c:227 src/utils_reencrypt_luks1.c:734
-#: src/utils_reencrypt_luks1.c:832
+#: lib/utils_wipe.c:143 lib/utils_wipe.c:214 src/utils_reencrypt_luks1.c:702
+#: src/utils_reencrypt_luks1.c:795
 msgid "Cannot seek to device offset."
 msgstr "无法寻找到设备偏移位置。"
 
-#: lib/utils_wipe.c:249
+#: lib/utils_wipe.c:236
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
-msgstr ""
+msgstr "设备擦除错误，偏移量%<PRIu64>。"
 
-#: lib/utils_wipe.c:343
+#: lib/utils_wipe.c:331
 msgid "Incorrect OPAL PSID."
 msgstr "不正确的 OPAL PSID。"
 
-#: lib/utils_wipe.c:345
-#, fuzzy
-#| msgid "Cannot resize loop device."
+#: lib/utils_wipe.c:333
 msgid "Cannot erase OPAL device."
-msgstr "无法改变回环设备大小。"
+msgstr "无法擦除 OPAL 设备。"
 
-#: lib/luks1/keyencryption.c:39
+#: lib/luks1/keyencryption.c:26
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -956,114 +913,110 @@ msgstr ""
 "为设备 %s 配置 dm-crypt 键映射失败。\n"
 "请确认内核支持 %s 加密（查看系统日志 (syslog) 以获取更多信息）。"
 
-#: lib/luks1/keyencryption.c:44
+#: lib/luks1/keyencryption.c:31
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "XTS 模式的密钥大小必须是 256 或 512 位。"
 
-#: lib/luks1/keyencryption.c:46
+#: lib/luks1/keyencryption.c:33
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
-msgstr ""
+msgstr "加密算法表示应采用 [cipher]-[mode]-[iv] 格式。"
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:366
-#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:1132
-#: lib/luks2/luks2_json_metadata.c:1528 lib/luks2/luks2_keyslot.c:712
+#: lib/luks1/keyencryption.c:84 lib/luks1/keymanage.c:353
+#: lib/luks1/keymanage.c:664 lib/luks1/keymanage.c:1119
+#: lib/luks2/luks2_json_metadata.c:1515 lib/luks2/luks2_keyslot.c:709
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "无法写入到设备 %s，访问被拒绝。"
 
-#: lib/luks1/keyencryption.c:120
+#: lib/luks1/keyencryption.c:107
 msgid "Failed to open temporary keystore device."
 msgstr "打开临时密钥存储设备失败。"
 
-#: lib/luks1/keyencryption.c:127
+#: lib/luks1/keyencryption.c:114
 msgid "Failed to access temporary keystore device."
 msgstr "访问临时密钥存储设备失败。"
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:62
-#: lib/luks2/luks2_keyslot_luks2.c:80 lib/luks2/luks2_keyslot_reenc.c:197
+#: lib/luks1/keyencryption.c:187 lib/luks2/luks2_keyslot_luks2.c:49
+#: lib/luks2/luks2_keyslot_luks2.c:67 lib/luks2/luks2_keyslot_reenc.c:184
 msgid "IO error while encrypting keyslot."
 msgstr "加密密钥槽时发生输入输出错误。"
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:369
-#: lib/luks1/keymanage.c:630 lib/luks1/keymanage.c:680 lib/tcrypt/tcrypt.c:681
-#: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
-#: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
-#: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
-#: lib/verity/verity_fec.c:272 lib/verity/verity_fec.c:277
-#: lib/luks2/luks2_json_metadata.c:1531 src/utils_reencrypt_luks1.c:121
-#: src/utils_reencrypt_luks1.c:133
+#: lib/luks1/keyencryption.c:233 lib/luks1/keymanage.c:356
+#: lib/luks1/keymanage.c:617 lib/luks1/keymanage.c:667 lib/tcrypt/tcrypt.c:668
+#: lib/fvault2/fvault2.c:864 lib/verity/verity.c:67 lib/verity/verity.c:183
+#: lib/verity/verity_hash.c:307 lib/verity/verity_hash.c:316
+#: lib/verity/verity_hash.c:336 lib/verity/verity_fec.c:247
+#: lib/verity/verity_fec.c:259 lib/verity/verity_fec.c:264
+#: lib/luks2/luks2_json_metadata.c:1518 src/utils_reencrypt_luks1.c:108
+#: src/utils_reencrypt_luks1.c:120
 #, c-format
 msgid "Cannot open device %s."
 msgstr "无法打开设备 %s。"
 
-#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:139
+#: lib/luks1/keyencryption.c:244 lib/luks2/luks2_keyslot_luks2.c:126
 msgid "IO error while decrypting keyslot."
 msgstr "解密密钥槽时发生输入输出错误。"
 
-#: lib/luks1/keymanage.c:130
+#: lib/luks1/keymanage.c:117
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "设备 %s 过小。（LUKS1 需要至少 %<PRIu64> 字节。）"
 
-#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:159
-#: lib/luks1/keymanage.c:171 lib/luks1/keymanage.c:182
-#: lib/luks1/keymanage.c:194
+#: lib/luks1/keymanage.c:138 lib/luks1/keymanage.c:146
+#: lib/luks1/keymanage.c:158 lib/luks1/keymanage.c:169
+#: lib/luks1/keymanage.c:181
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS 密钥槽 %u 无效。"
 
-#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1391
+#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1378
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "请求的标头备份文件 %s 已存在。"
 
-#: lib/luks1/keymanage.c:269 lib/luks2/luks2_json_metadata.c:1393
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1380
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "无法创建标头备份文件 %s。"
 
-#: lib/luks1/keymanage.c:276 lib/luks2/luks2_json_metadata.c:1400
+#: lib/luks1/keymanage.c:263 lib/luks2/luks2_json_metadata.c:1387
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "无法写入标头备份文件 %s。"
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1437
-#, fuzzy
-#| msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:295 lib/luks2/luks2_json_metadata.c:1424
 msgid "Backup file does not contain valid LUKS header."
 msgstr "备份文件不包含有效 LUKS 标头。"
 
-#: lib/luks1/keymanage.c:321 lib/luks1/keymanage.c:593
-#: lib/luks2/luks2_json_metadata.c:1458
+#: lib/luks1/keymanage.c:308 lib/luks1/keymanage.c:580
+#: lib/luks2/luks2_json_metadata.c:1445
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "无法打开备份标头文件 %s。"
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1466
+#: lib/luks1/keymanage.c:316 lib/luks2/luks2_json_metadata.c:1453
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "无法读取标头备份文件 %s。"
 
-#: lib/luks1/keymanage.c:339
-#, fuzzy
-#| msgid "Data offset or key size differs on device and backup, restore failed.\n"
+#: lib/luks1/keymanage.c:326
 msgid "Data offset or key size differs on device and backup, restore failed."
-msgstr "源设备和备份上的数据偏移或密钥大小不符，恢复失败。\n"
+msgstr "源设备和备份上的数据偏移或密钥大小不符，恢复失败。"
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:334
 #, c-format
 msgid "Device %s %s%s"
 msgstr "设备 %s %s%s"
 
-#: lib/luks1/keymanage.c:348
+#: lib/luks1/keymanage.c:335
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "不包含 LUKS 标头。替换标头可能损毁设备上的数据。"
 
-#: lib/luks1/keymanage.c:349
+#: lib/luks1/keymanage.c:336
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "已包含 LUKS 标头。替换标头将损毁已存在的密钥槽。"
 
-#: lib/luks1/keymanage.c:350 lib/luks2/luks2_json_metadata.c:1500
+#: lib/luks1/keymanage.c:337 lib/luks2/luks2_json_metadata.c:1487
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -1071,1651 +1024,1546 @@ msgstr ""
 "\n"
 "警告: 真实设备标头 UUID 和备份不符！"
 
-#: lib/luks1/keymanage.c:398
+#: lib/luks1/keymanage.c:385
 msgid "Non standard key size, manual repair required."
 msgstr "不标准的密钥大小，需要手动修复。"
 
-#: lib/luks1/keymanage.c:408
+#: lib/luks1/keymanage.c:395
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "不标准的密钥槽对齐，需要手动修复。"
 
-#: lib/luks1/keymanage.c:417
-#, fuzzy, c-format
-#| msgid "Keyslot %i: offset repaired (%u -> %u)."
+#: lib/luks1/keymanage.c:404
+#, c-format
 msgid "Cipher mode repaired (%s -> %s)."
-msgstr "密钥槽 %i: 偏移已修复 (%u -> %u)。"
+msgstr "密码模式已修复（%s -> %s）。"
 
-#: lib/luks1/keymanage.c:428
+#: lib/luks1/keymanage.c:415
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
-msgstr ""
+msgstr "密码哈希修复为小写（%s）。"
 
-#: lib/luks1/keymanage.c:430 lib/luks1/keymanage.c:536
-#: lib/luks1/keymanage.c:792
+#: lib/luks1/keymanage.c:417 lib/luks1/keymanage.c:523
+#: lib/luks1/keymanage.c:779
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "不支持请求的 LUKS 哈希 %s。"
 
-#: lib/luks1/keymanage.c:444
+#: lib/luks1/keymanage.c:431
 msgid "Repairing keyslots."
 msgstr "正在修复密钥槽。"
 
-#: lib/luks1/keymanage.c:463
+#: lib/luks1/keymanage.c:450
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
-msgstr "密钥槽 %i: 偏移已修复 (%u -> %u)。"
+msgstr "密钥槽 %i: 已修复偏移 (%u -> %u)。"
 
-#: lib/luks1/keymanage.c:471
+#: lib/luks1/keymanage.c:458
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "密钥槽 %i：已修复条带（%u -> %u）。"
 
-#: lib/luks1/keymanage.c:480
+#: lib/luks1/keymanage.c:467
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "密钥槽 %i：虚假的分区签名。"
 
-#: lib/luks1/keymanage.c:485
+#: lib/luks1/keymanage.c:472
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "密钥槽 %i: 已清除盐。"
 
-#: lib/luks1/keymanage.c:502
+#: lib/luks1/keymanage.c:489
 msgid "Writing LUKS header to disk."
 msgstr "正在将 LUKS 标头写入磁盘。"
 
-#: lib/luks1/keymanage.c:507
+#: lib/luks1/keymanage.c:494
 msgid "Repair failed."
 msgstr "修复失败。"
 
-#: lib/luks1/keymanage.c:562
-#, fuzzy, c-format
-#| msgid "LUKS keyslot %u is invalid."
+#: lib/luks1/keymanage.c:549
+#, c-format
 msgid "LUKS cipher mode %s is invalid."
-msgstr "LUKS 密钥槽 %u 无效。"
+msgstr "LUKS 加密模式 %s 无效。"
 
-#: lib/luks1/keymanage.c:567
+#: lib/luks1/keymanage.c:554
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr "LUKS 哈希值 %s 无效。"
 
-#: lib/luks1/keymanage.c:574 src/cryptsetup.c:1352
+#: lib/luks1/keymanage.c:561 src/cryptsetup.c:1356
 msgid "No known problems detected for LUKS header."
 msgstr "未在 LUKS 标头发现已知问题。"
 
-#: lib/luks1/keymanage.c:702
+#: lib/luks1/keymanage.c:689
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "更新设备 %s 上的 LUKS 标头时出错。"
 
-#: lib/luks1/keymanage.c:710
+#: lib/luks1/keymanage.c:697
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "在更新设备 %s 后重新读取 LUKS 标头失败。"
 
-#: lib/luks1/keymanage.c:786
-#, fuzzy
-#| msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors)."
+#: lib/luks1/keymanage.c:773
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
-msgstr "分离的 LUKS 标头的数据偏移量必须为零或高于标头大小（%d 扇区）。"
+msgstr "LUKS 标头的数据偏移量必须为 0 或大于标头大小。"
 
-#: lib/luks1/keymanage.c:797 lib/luks1/keymanage.c:866
-#: lib/luks2/luks2_json_format.c:243 lib/luks2/luks2_json_metadata.c:1274
-#: src/utils_reencrypt.c:554
+#: lib/luks1/keymanage.c:784 lib/luks1/keymanage.c:853
+#: lib/luks2/luks2_json_format.c:230 lib/luks2/luks2_json_metadata.c:1261
+#: src/utils_reencrypt.c:541
 msgid "Wrong LUKS UUID format provided."
 msgstr "提供了错误的 LUKS UUID 格式。"
 
-#: lib/luks1/keymanage.c:819
+#: lib/luks1/keymanage.c:806
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "无法创建 LUKS 标头：读取随机盐失败。"
 
-#: lib/luks1/keymanage.c:845
+#: lib/luks1/keymanage.c:832
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "无法创建 LUKS 标头：标头摘要失败（正在使用哈希 %s）。"
 
-#: lib/luks1/keymanage.c:889
+#: lib/luks1/keymanage.c:876
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "密钥槽 %d 已激活，请先清除。"
 
-#: lib/luks1/keymanage.c:895
-#, fuzzy, c-format
-#| msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
+#: lib/luks1/keymanage.c:882
+#, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
-msgstr "密钥槽 %d 条带数过少。标头修改？\n"
+msgstr "密钥槽 %d 条带数过少。标头被修改过？"
 
-#: lib/luks1/keymanage.c:931 lib/luks2/luks2_keyslot_luks2.c:270
+#: lib/luks1/keymanage.c:918 lib/luks2/luks2_keyslot_luks2.c:257
 msgid "PBKDF2 iteration value overflow."
 msgstr "PBKDF2 迭代值溢出。"
 
-#: lib/luks1/keymanage.c:1040
-#, fuzzy, c-format
-#| msgid "Key processing error (using hash %s)."
+#: lib/luks1/keymanage.c:1027
+#, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr "密钥处理错误（使用散列 %s）。"
 
-#: lib/luks1/keymanage.c:1118
-#, fuzzy, c-format
-#| msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
+#: lib/luks1/keymanage.c:1105
+#, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
-msgstr "密钥槽 %d 无效，请选择标号 0 到 %d 间的密钥槽。\n"
+msgstr "这是微软拼音中文模式的结果。密钥槽 %d 无效，请选择标号 0 到 %d 间的密钥槽。"
 
-#: lib/luks1/keymanage.c:1136 lib/luks2/luks2_keyslot.c:716
+#: lib/luks1/keymanage.c:1123 lib/luks2/luks2_keyslot.c:713
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "无法擦除设备 %s。"
 
-#: lib/loopaes/loopaes.c:146
-#, fuzzy
-#| msgid "Detected not yet supported GPG encrypted keyfile.\n"
+#: lib/loopaes/loopaes.c:133
 msgid "Detected not yet supported GPG encrypted keyfile."
-msgstr "探测到未支持的 GPG 加密密钥文件。\n"
+msgstr "探测到未支持的 GPG 加密密钥文件。"
 
-#: lib/loopaes/loopaes.c:147
+#: lib/loopaes/loopaes.c:134
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "请使用 gpg --decrypt <密钥文件> | cryptsetup --keyfile=- ...\n"
 
-#: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
+#: lib/loopaes/loopaes.c:155 lib/loopaes/loopaes.c:175
 msgid "Incompatible loop-AES keyfile detected."
 msgstr "探测到不兼容的 loop-AES 密钥文件。"
 
-#: lib/loopaes/loopaes.c:245
-#, fuzzy
-#| msgid "Kernel doesn't support loop-AES compatible mapping.\n"
+#: lib/loopaes/loopaes.c:232
 msgid "Kernel does not support loop-AES compatible mapping."
-msgstr "内核不支持 loop-AES 兼容映射。\n"
+msgstr "内核不支持 loop-AES 兼容映射。"
 
-#: lib/tcrypt/tcrypt.c:510
+#: lib/tcrypt/tcrypt.c:497
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "读取密钥文件 %s 出错。"
 
-#: lib/tcrypt/tcrypt.c:560
-#, fuzzy, c-format
-#| msgid "Maximum TCRYPT passphrase length (%d) exceeded."
+#: lib/tcrypt/tcrypt.c:547
+#, c-format
 msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
-msgstr "超出 TCRYPT 口令最大长度限制 (%d)。"
+msgstr "超出 TCRYPT 口令最大长度限制 (%zu)。"
 
-#: lib/tcrypt/tcrypt.c:602
+#: lib/tcrypt/tcrypt.c:589
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "PBKDF2 哈希算法 %s 不可用，将跳过。"
 
-#: lib/tcrypt/tcrypt.c:621 src/cryptsetup.c:1227
+#: lib/tcrypt/tcrypt.c:608 src/cryptsetup.c:1231
 msgid "Required kernel crypto interface not available."
-msgstr "无法找到所需的内核加密接口。"
+msgstr "未能找到所需的内核加密接口。"
 
-#: lib/tcrypt/tcrypt.c:623 src/cryptsetup.c:1229
+#: lib/tcrypt/tcrypt.c:610 src/cryptsetup.c:1233
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "请确定您已载入内核模块 algif_skcipher。"
 
-#: lib/tcrypt/tcrypt.c:764
+#: lib/tcrypt/tcrypt.c:751
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "扇区大小为 %d 时不支持激活。"
 
-#: lib/tcrypt/tcrypt.c:770
-#, fuzzy
-#| msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:757
 msgid "Kernel does not support activation for this TCRYPT legacy mode."
-msgstr "内核不支持激活此处的旧 TCRYPT 模式。"
+msgstr "内核不支持激活此种 TCRYPT 传统模式。"
 
-#: lib/tcrypt/tcrypt.c:801
+#: lib/tcrypt/tcrypt.c:788
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "正在为分区 %s 激活 TCRYPT 系统加密。"
 
-#: lib/tcrypt/tcrypt.c:884
-#, fuzzy
-#| msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:871
 msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "内核不支持 TCRYPT 兼容映射。"
 
-#: lib/tcrypt/tcrypt.c:1097
+#: lib/tcrypt/tcrypt.c:1090
 msgid "This function is not supported without TCRYPT header load."
 msgstr "未载入 TCRYPT 标头时不支持此功能。"
 
-#: lib/bitlk/bitlk.c:278
+#: lib/bitlk/bitlk.c:265
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
-msgstr ""
+msgstr "在解析支持的卷主密钥时发现意外的元数据条目类型“%u”。"
 
-#: lib/bitlk/bitlk.c:337
+#: lib/bitlk/bitlk.c:327
 msgid "Invalid string found when parsing Volume Master Key."
-msgstr ""
+msgstr "解析卷主密钥时发现无效字符串。"
 
-#: lib/bitlk/bitlk.c:341
+#: lib/bitlk/bitlk.c:331
 #, c-format
 msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
-msgstr ""
+msgstr "在解析支持的卷主密钥时发现意外字符串 （'%s'）。"
 
-#: lib/bitlk/bitlk.c:358
+#: lib/bitlk/bitlk.c:351
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
-msgstr ""
+msgstr "在解析支持的卷主密钥时发现意外的元数据条目值“%u”。"
 
-#: lib/bitlk/bitlk.c:460
+#: lib/bitlk/bitlk.c:453
 msgid "BITLK version 1 is currently not supported."
-msgstr ""
+msgstr "目前不支持 BITLK 版本 1。"
 
-#: lib/bitlk/bitlk.c:466
+#: lib/bitlk/bitlk.c:459
 msgid "Invalid or unknown boot signature for BITLK device."
-msgstr ""
+msgstr "BITLK 设备的启动签名无效或未知。"
 
-#: lib/bitlk/bitlk.c:478
-#, fuzzy, c-format
-#| msgid "Unsupported encryption sector size."
+#: lib/bitlk/bitlk.c:471
+#, c-format
 msgid "Unsupported sector size %<PRIu16>."
-msgstr "不支持的加密扇区大小。"
+msgstr "不支持的扇区大小 %<PRIu16>。"
 
-#: lib/bitlk/bitlk.c:486
-#, fuzzy, c-format
-#| msgid "Failed to read LUKS2 requirements."
+#: lib/bitlk/bitlk.c:479
+#, c-format
 msgid "Failed to read BITLK header from %s."
-msgstr "读取 LUKS2 需求时失败。"
+msgstr "未能从 %s 读取 BITLK 标头。"
 
-#: lib/bitlk/bitlk.c:511
-#, fuzzy, c-format
-#| msgid "Failed to read LUKS2 requirements."
+#: lib/bitlk/bitlk.c:504
+#, c-format
 msgid "Failed to read BITLK FVE metadata from %s."
-msgstr "读取 LUKS2 需求时失败。"
+msgstr "未能从 %s 读取 BITLK FVE 元数据。"
 
-#: lib/bitlk/bitlk.c:562
-#, fuzzy
-#| msgid "Unsupported encryption sector size."
+#: lib/bitlk/bitlk.c:555
 msgid "Unknown or unsupported encryption type."
-msgstr "不支持的加密扇区大小。"
+msgstr "未知或不支持的加密类型。"
 
-#: lib/bitlk/bitlk.c:602
-#, fuzzy, c-format
-#| msgid "Failed to read LUKS2 requirements."
+#: lib/bitlk/bitlk.c:595
+#, c-format
 msgid "Failed to read BITLK metadata entries from %s."
-msgstr "读取 LUKS2 需求时失败。"
+msgstr "未能从 %s 读取 BITLK 元数据条目。"
 
-#: lib/bitlk/bitlk.c:719
+#: lib/bitlk/bitlk.c:712
 msgid "Failed to convert BITLK volume description"
-msgstr ""
+msgstr "未能转换 BITLK 卷描述"
 
-#: lib/bitlk/bitlk.c:884
+#: lib/bitlk/bitlk.c:877
 #, c-format
 msgid "Unexpected metadata entry type '%u' found when parsing external key."
-msgstr ""
+msgstr "解析外部键时发现意外的元数据条目类型“%u”。"
 
-#: lib/bitlk/bitlk.c:907
-#, fuzzy, c-format
-#| msgid "Volume key does not match the volume."
+#: lib/bitlk/bitlk.c:900
+#, c-format
 msgid "BEK file GUID '%s' does not match GUID of the volume."
-msgstr "卷密钥与卷不匹配。"
+msgstr "BEK 文件 GUID“%s”与卷的 GUID 不匹配。"
 
-#: lib/bitlk/bitlk.c:911
+#: lib/bitlk/bitlk.c:904
 #, c-format
 msgid "Unexpected metadata entry value '%u' found when parsing external key."
-msgstr ""
+msgstr "解析外部键时发现意外的元数据条目值“%u”。"
 
-#: lib/bitlk/bitlk.c:950
-#, fuzzy, c-format
-#| msgid "Unsupported LUKS version %d."
+#: lib/bitlk/bitlk.c:943
+#, c-format
 msgid "Unsupported BEK metadata version %<PRIu32>"
-msgstr "不支持的 LUKS 版本 %d。"
+msgstr "不支持的 BEK 元数据版本 %<PRIu32>"
 
-#: lib/bitlk/bitlk.c:955
+#: lib/bitlk/bitlk.c:948
 #, c-format
 msgid "Unexpected BEK metadata size %<PRIu32> does not match BEK file length"
-msgstr ""
+msgstr "意外的 BEK 元数据大小 %<PRIu32> 与 BEK 文件长度不匹配"
 
-#: lib/bitlk/bitlk.c:981
+#: lib/bitlk/bitlk.c:974
 msgid "Unexpected metadata entry found when parsing startup key."
-msgstr ""
+msgstr "解析启动密钥时发现意外的元数据条目。"
 
-#: lib/bitlk/bitlk.c:1076
-#, fuzzy
-#| msgid "This operation is not supported for %s crypt device."
+#: lib/bitlk/bitlk.c:1069
 msgid "This operation is not supported."
-msgstr "不支持在 %s 加密设备上执行此操作。"
+msgstr "不支持此操作。"
 
-#: lib/bitlk/bitlk.c:1084
+#: lib/bitlk/bitlk.c:1077
 msgid "Unexpected key data size."
-msgstr ""
+msgstr "意外的密钥数据大小。"
 
-#: lib/bitlk/bitlk.c:1210
+#: lib/bitlk/bitlk.c:1203
 msgid "This BITLK device is in an unsupported state and cannot be activated."
-msgstr ""
+msgstr "此 BITLK 设备处于不受支持的状态，无法激活。"
 
-#: lib/bitlk/bitlk.c:1215
+#: lib/bitlk/bitlk.c:1208
 #, c-format
 msgid "BITLK devices with type '%s' cannot be activated."
-msgstr ""
+msgstr "未能激活类型为“%s”的 BITLK 设备。"
 
-#: lib/bitlk/bitlk.c:1222
-#, fuzzy
-#| msgid "Activation of temporary devices failed."
+#: lib/bitlk/bitlk.c:1215
 msgid "Activation of partially decrypted BITLK device is not supported."
-msgstr "激活临时设备失败。"
+msgstr "不支持激活部分解密的 BITLK 设备。"
 
-#: lib/bitlk/bitlk.c:1263
+#: lib/bitlk/bitlk.c:1256
 #, c-format
 msgid "WARNING: BitLocker volume size %<PRIu64> does not match the underlying device size %<PRIu64>"
-msgstr ""
+msgstr "警告：BitLocker 卷大小 %<PRIu64> 与下层设备大小 %<PRIu64> 不匹配"
 
-#: lib/bitlk/bitlk.c:1390
+#: lib/bitlk/bitlk.c:1383
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
-msgstr ""
+msgstr "无法激活设备，内核 dm-crypt 缺少对 BITLK IV 的支持。"
 
-#: lib/bitlk/bitlk.c:1394
+#: lib/bitlk/bitlk.c:1387
 msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
-msgstr ""
+msgstr "无法激活设备，内核 dm-crypt 缺少对 BITLK Elephant 扩散器（diffuser）的支持。"
 
-#: lib/bitlk/bitlk.c:1398
-#, fuzzy
-#| msgid "Activation is not supported for %d sector size."
+#: lib/bitlk/bitlk.c:1391
 msgid "Cannot activate device, kernel dm-crypt is missing support for large sector size."
-msgstr "扇区大小为 %d 时不支持激活。"
+msgstr "无法激活设备，内核 dm-crypt 缺少对大扇区大小的支持。"
 
-#: lib/bitlk/bitlk.c:1402
+#: lib/bitlk/bitlk.c:1395
 msgid "Cannot activate device, kernel dm-zero module is missing."
-msgstr ""
+msgstr "无法激活设备，内核 dm-zero 模块缺失。"
 
-#: lib/fvault2/fvault2.c:542
-#, fuzzy, c-format
-#| msgid "Cannot read %d bytes from keyfile %s.\n"
+#: lib/fvault2/fvault2.c:529
+#, c-format
 msgid "Could not read %u bytes of volume header."
-msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。\n"
+msgstr "未能读取卷头的 %u 字节。"
 
-#: lib/fvault2/fvault2.c:554
-#, fuzzy, c-format
-#| msgid "Unsupported VERITY version %d."
+#: lib/fvault2/fvault2.c:541
+#, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
-msgstr "不支持的 VERITY 版本 %d。"
+msgstr "不支持的 FVAULT2 版本 %<PRIu16>。"
 
-#: lib/verity/verity.c:68 lib/verity/verity.c:182
-#, fuzzy, c-format
-#| msgid "Verity device %s doesn't use on-disk header."
+#: lib/verity/verity.c:55 lib/verity/verity.c:169
+#, c-format
 msgid "Verity device %s does not use on-disk header."
 msgstr "Verity 设备 %s 未使用磁盘上的标头。"
 
-#: lib/verity/verity.c:96
+#: lib/verity/verity.c:83
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "不支持的 VERITY 版本 %d。"
 
-#: lib/verity/verity.c:131
+#: lib/verity/verity.c:118
 msgid "VERITY header corrupted."
 msgstr "VERITY 标头损坏。"
 
-#: lib/verity/verity.c:176
-#, fuzzy, c-format
-#| msgid "Wrong VERITY UUID format provided on device %s.\n"
+#: lib/verity/verity.c:163
+#, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
-msgstr "为设备 %s 提供的 VERITY UUID 错误。\n"
+msgstr "为设备 %s 提供的 VERITY UUID 错误。"
 
-#: lib/verity/verity.c:220
-#, fuzzy, c-format
-#| msgid "Error during update of verity header on device %s.\n"
+#: lib/verity/verity.c:207
+#, c-format
 msgid "Error during update of verity header on device %s."
-msgstr "更新设备 %s 上的 VERITY 标头时出错。\n"
+msgstr "更新设备 %s 上的 VERITY 标头时出错。"
 
-#: lib/verity/verity.c:274
-#, fuzzy
-#| msgid "Requested sector_size option is not supported."
+#: lib/verity/verity.c:261
 msgid "Root hash signature verification is not supported."
-msgstr "不支持请求的 sector_size 选项。"
+msgstr "不支持根哈希签名验证。"
 
-#: lib/verity/verity.c:279
+#: lib/verity/verity.c:266
 msgid "Root hash signature required."
-msgstr ""
+msgstr "需要根哈希签名。"
 
-#: lib/verity/verity.c:294
+#: lib/verity/verity.c:281
 msgid "Errors cannot be repaired with FEC device."
-msgstr ""
+msgstr "未能使用 FEC 设备修复错误。"
 
-#: lib/verity/verity.c:296
+#: lib/verity/verity.c:283
 #, c-format
 msgid "Found %u repairable errors with FEC device."
-msgstr ""
+msgstr "用 FEC 设备发现了 %u 个可修复的错误。"
 
-#: lib/verity/verity.c:377
-#, fuzzy
-#| msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:364
 msgid "Kernel does not support dm-verity mapping."
 msgstr "内核不支持 dm-verity 映射。"
 
-#: lib/verity/verity.c:381
-#, fuzzy
-#| msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:368
 msgid "Kernel does not support dm-verity signature option."
-msgstr "内核不支持 dm-verity 映射。"
+msgstr "内核不支持 dm-verity 签名选项。"
 
-#: lib/verity/verity.c:392
-#, fuzzy
-#| msgid "Verity device detected corruption after activation.\n"
+#: lib/verity/verity.c:379
 msgid "Verity device detected corruption after activation."
-msgstr "在 VERITY 设备激活后探测到损坏。\n"
+msgstr "在 VERITY 设备激活后探测到损坏。"
 
-#: lib/verity/verity_hash.c:66
-#, fuzzy, c-format
-#| msgid "Spare area is not zeroed at position %<PRIu64>.\n"
+#: lib/verity/verity_hash.c:53
+#, c-format
 msgid "Spare area is not zeroed at position %<PRIu64>."
-msgstr "备用区位置 %<PRIu64> 未清零。\n"
+msgstr "备用区位置 %<PRIu64> 未清零。"
 
-#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
-#: lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:154 lib/verity/verity_hash.c:287
+#: lib/verity/verity_hash.c:298
 msgid "Device offset overflow."
 msgstr "设备偏移量溢出。"
 
-#: lib/verity/verity_hash.c:218
-#, fuzzy, c-format
-#| msgid "Verification failed at position %<PRIu64>.\n"
+#: lib/verity/verity_hash.c:205
+#, c-format
 msgid "Verification failed at position %<PRIu64>."
-msgstr "在 %<PRIu64> 上发生检验错误。\n"
+msgstr "在 %<PRIu64> 上发生检验错误。"
 
-#: lib/verity/verity_hash.c:307
+#: lib/verity/verity_hash.c:294
 msgid "Hash area overflow."
 msgstr "哈希区域溢出。"
 
-#: lib/verity/verity_hash.c:380
+#: lib/verity/verity_hash.c:367
 msgid "Verification of data area failed."
 msgstr "数据区检验失败。"
 
-#: lib/verity/verity_hash.c:385
+#: lib/verity/verity_hash.c:372
 msgid "Verification of root hash failed."
 msgstr "根哈希值检验失败。"
 
-#: lib/verity/verity_hash.c:391
-#, fuzzy
-#| msgid "Input/output error while creating hash area.\n"
+#: lib/verity/verity_hash.c:378
 msgid "Input/output error while creating hash area."
-msgstr "创建哈希数据区时发生输入/输出错误。\n"
+msgstr "创建哈希数据区时发生输入/输出错误。"
 
-#: lib/verity/verity_hash.c:393
+#: lib/verity/verity_hash.c:380
 msgid "Creation of hash area failed."
 msgstr "创建哈希区失败。"
 
-#: lib/verity/verity_hash.c:428
-#, fuzzy, c-format
-#| msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
+#: lib/verity/verity_hash.c:415
+#, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
-msgstr "警告：如数据块大小超过内存分页大小，内核将无法激活设备 (%u)。\n"
+msgstr "警告：如数据块大小超过内存分页大小，内核将无法激活设备 (%u)。"
 
-#: lib/verity/verity_fec.c:131
-#, fuzzy
-#| msgid "Failed to open key file.\n"
+#: lib/verity/verity_fec.c:118
 msgid "Failed to allocate RS context."
-msgstr "打开 (open) 密钥文件失败。\n"
+msgstr "分配RS上下文失败。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/verity/verity_fec.c:149
-#, fuzzy
-#| msgid "Failed to stat key file.\n"
+#: lib/verity/verity_fec.c:136
 msgid "Failed to allocate buffer."
-msgstr "获取 (stat) 密钥文件统计数据失败。\n"
+msgstr "分配缓冲区失败。"
 
-#: lib/verity/verity_fec.c:159
-#, fuzzy, c-format
-#| msgid "Failed to access temporary keystore device.\n"
+#: lib/verity/verity_fec.c:146
+#, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
-msgstr "无法访问临时密钥存储设备。\n"
+msgstr "未能读取 RS 块 %<PRIu64> 字节 %d。"
 
-#: lib/verity/verity_fec.c:172
-#, fuzzy, c-format
-#| msgid "Failed to access temporary keystore device.\n"
+#: lib/verity/verity_fec.c:159
+#, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
-msgstr "无法访问临时密钥存储设备。\n"
+msgstr "未能读取 RS 块 %<PRIu64> 的奇偶校验。"
 
-#: lib/verity/verity_fec.c:180
-#, fuzzy, c-format
-#| msgid "Failed to access temporary keystore device.\n"
+#: lib/verity/verity_fec.c:167
+#, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
-msgstr "无法访问临时密钥存储设备。\n"
+msgstr "未能修复 RS 块 %<PRIu64> 的奇偶校验。"
 
-#: lib/verity/verity_fec.c:192
-#, fuzzy, c-format
-#| msgid "Failed to access temporary keystore device.\n"
+#: lib/verity/verity_fec.c:179
+#, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
-msgstr "无法访问临时密钥存储设备。\n"
+msgstr "未能写入 RS 块 %<PRIu64> 的奇偶校验。"
 
-#: lib/verity/verity_fec.c:208
+#: lib/verity/verity_fec.c:195
 msgid "Block sizes must match for FEC."
-msgstr ""
+msgstr "块大小必须与 FEC 匹配。"
 
-#: lib/verity/verity_fec.c:214
+#: lib/verity/verity_fec.c:201
 msgid "Invalid number of parity bytes."
-msgstr ""
+msgstr "奇偶校验字节数无效。"
 
-#: lib/verity/verity_fec.c:248
+#: lib/verity/verity_fec.c:235
 msgid "Invalid FEC segment length."
-msgstr ""
+msgstr "无效的 FEC 段长度。"
 
-#: lib/verity/verity_fec.c:316
-#, fuzzy, c-format
-#| msgid "Failed to open temporary keystore device.\n"
+#: lib/verity/verity_fec.c:303
+#, c-format
 msgid "Failed to determine size for device %s."
-msgstr "打开临时密钥存储设备失败。\n"
+msgstr "未能确定设备 %s 的大小。"
 
-#: lib/integrity/integrity.c:57
+#: lib/integrity/integrity.c:44
 #, c-format
 msgid "Incompatible kernel dm-integrity metadata (version %u) detected on %s."
-msgstr ""
+msgstr "在 %2$s 上检测到不兼容的内核 dm-integrity 元数据（版本 %1$u）。"
 
-#: lib/integrity/integrity.c:277 lib/integrity/integrity.c:454
-#, fuzzy
-#| msgid "Kernel doesn't support dm-verity mapping.\n"
+#: lib/integrity/integrity.c:264 lib/integrity/integrity.c:441
 msgid "Kernel does not support dm-integrity mapping."
-msgstr "内核不支持 dm-verity 映射。\n"
+msgstr "内核不支持 dm-integrity 映射。"
 
-#: lib/integrity/integrity.c:283
-#, fuzzy
-#| msgid "Kernel doesn't support dm-verity mapping.\n"
+#: lib/integrity/integrity.c:270
 msgid "Kernel does not support dm-integrity fixed metadata alignment."
-msgstr "内核不支持 dm-verity 映射。\n"
+msgstr "内核不支持 dm-integrity 固定元数据对齐。"
 
-#: lib/integrity/integrity.c:292
+#: lib/integrity/integrity.c:279
 msgid "Kernel refuses to activate insecure recalculate option (see legacy activation options to override)."
-msgstr ""
+msgstr "内核拒绝激活不安全的重新计算选项（请参阅“旧版激活选项”以强制激活）。"
 
-#: lib/luks2/luks2_disk_metadata.c:391 lib/luks2/luks2_json_metadata.c:1197
-#: lib/luks2/luks2_json_metadata.c:1520
+#: lib/luks2/luks2_disk_metadata.c:379 lib/luks2/luks2_json_metadata.c:1184
+#: lib/luks2/luks2_json_metadata.c:1507
 #, c-format
 msgid "Failed to acquire write lock on device %s."
-msgstr "无法获取设备 %s 上的写入锁。"
+msgstr "未能获取设备 %s 上的写入锁。"
 
-#: lib/luks2/luks2_disk_metadata.c:400
+#: lib/luks2/luks2_disk_metadata.c:388
 msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
-msgstr ""
+msgstr "检测到正在尝试并发更新 LUKS2 元数据。中止操作。"
 
-#: lib/luks2/luks2_disk_metadata.c:699 lib/luks2/luks2_disk_metadata.c:720
+#: lib/luks2/luks2_disk_metadata.c:697 lib/luks2/luks2_disk_metadata.c:718
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
 msgstr ""
+"设备包含不明确的签名，无法自动恢复 LUKS2。\n"
+"请运行 “cryptsetup repair” 进行恢复。"
 
-#: lib/luks2/luks2_json_format.c:231
+#: lib/luks2/luks2_json_format.c:218
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
-msgstr ""
+msgstr "警告：密钥槽区域（%<PRIu64> 字节）非常小，可用的 LUKS2 密钥槽数量非常有限。\n"
 
-#: lib/luks2/luks2_json_format.c:427
-#, fuzzy
-#| msgid "Device %s is too small."
+#: lib/luks2/luks2_json_format.c:417
 msgid "Requested data offset is too small."
-msgstr "设备 %s 太小。"
+msgstr "请求的数据偏移量太小。"
 
-#: lib/luks2/luks2_json_format.c:468
+#: lib/luks2/luks2_json_format.c:458
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
-msgstr ""
+msgstr "警告：LUKS2 元数据大小已更改为 %<PRIu64> 字节。\n"
 
-#: lib/luks2/luks2_json_format.c:472
+#: lib/luks2/luks2_json_format.c:462
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
-msgstr ""
+msgstr "警告：LUKS2 密钥槽区域大小已更改为 %<PRIu64> 字节。\n"
 
-#: lib/luks2/luks2_json_metadata.c:1184 lib/luks2/luks2_json_metadata.c:1366
-#: lib/luks2/luks2_json_metadata.c:1426 lib/luks2/luks2_keyslot_luks2.c:94
-#: lib/luks2/luks2_keyslot_luks2.c:116
+#: lib/luks2/luks2_json_metadata.c:1171 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks2/luks2_json_metadata.c:1413 lib/luks2/luks2_keyslot_luks2.c:81
+#: lib/luks2/luks2_keyslot_luks2.c:103
 #, c-format
 msgid "Failed to acquire read lock on device %s."
-msgstr "无法获取设备 %s 的读取锁。"
+msgstr "未能获取设备 %s 的读取锁。"
 
-#: lib/luks2/luks2_json_metadata.c:1443
+#: lib/luks2/luks2_json_metadata.c:1430
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
-msgstr ""
+msgstr "在备份 %s 中检测到禁止的 LUKS2 要求。"
 
-#: lib/luks2/luks2_json_metadata.c:1484
-#, fuzzy
-#| msgid "Data offset or key size differs on device and backup, restore failed.\n"
+#: lib/luks2/luks2_json_metadata.c:1471
 msgid "Data offset differ on device and backup, restore failed."
-msgstr "源设备和备份上的数据偏移或密钥大小不符，恢复失败。\n"
+msgstr "源设备和备份上的数据偏移或密钥大小不符，恢复失败。"
 
-#: lib/luks2/luks2_json_metadata.c:1490
-#, fuzzy
-#| msgid "Data offset or key size differs on device and backup, restore failed.\n"
+#: lib/luks2/luks2_json_metadata.c:1477
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
-msgstr "源设备和备份上的数据偏移或密钥大小不符，恢复失败。\n"
+msgstr "源设备和备份上的数据偏移或密钥大小不符，恢复失败。"
 
-#: lib/luks2/luks2_json_metadata.c:1497
+#: lib/luks2/luks2_json_metadata.c:1484
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "设备 %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1498
-#, fuzzy
-#| msgid "does not contain LUKS header. Replacing header can destroy data on that device."
+#: lib/luks2/luks2_json_metadata.c:1485
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "不包含 LUKS 标头。替换标头可能损毁设备上的数据。"
 
-#: lib/luks2/luks2_json_metadata.c:1499
-#, fuzzy
-#| msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
+#: lib/luks2/luks2_json_metadata.c:1486
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "已包含 LUKS 标头。替换标头将损毁已存在的密钥槽。"
 
-#: lib/luks2/luks2_json_metadata.c:1501
+#: lib/luks2/luks2_json_metadata.c:1488
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
 "Replacing header with backup may corrupt the data on that device!"
 msgstr ""
+"\n"
+"警告：在实际设备标头中检测到未知的 LUKS2 要求！\n"
+"将标头替换为备份可能会损坏该设备上的数据！"
 
-#: lib/luks2/luks2_json_metadata.c:1503
+#: lib/luks2/luks2_json_metadata.c:1490
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
 "Replacing header with backup may corrupt data."
 msgstr ""
+"\n"
+"警告：在设备上检测到未完成的离线重新加密！\n"
+"将标头替换为备份可能会损坏数据。"
 
-#: lib/luks2/luks2_json_metadata.c:1600
+#: lib/luks2/luks2_json_metadata.c:1587
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "已忽略未知旗标 %s。"
 
-#: lib/luks2/luks2_json_metadata.c:2525 lib/luks2/luks2_reencrypt.c:2090
+#: lib/luks2/luks2_json_metadata.c:2512 lib/luks2/luks2_reencrypt.c:2092
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
-msgstr ""
+msgstr "缺少 dm-crypt 段 %u 的密钥"
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/luks2/luks2_json_metadata.c:2537 lib/luks2/luks2_reencrypt.c:2104
-#, fuzzy
-#| msgid "Failed to set pbkdf parameters."
+#: lib/luks2/luks2_json_metadata.c:2524 lib/luks2/luks2_reencrypt.c:2106
 msgid "Failed to set dm-crypt segment."
-msgstr "设置 pbkdf 参数失败。"
+msgstr "设置 dm-crypt 段失败。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/luks2/luks2_json_metadata.c:2543 lib/luks2/luks2_reencrypt.c:2110
-#, fuzzy
-#| msgid "Failed to set pbkdf parameters."
+#: lib/luks2/luks2_json_metadata.c:2530 lib/luks2/luks2_reencrypt.c:2112
 msgid "Failed to set dm-linear segment."
-msgstr "设置 pbkdf 参数失败。"
+msgstr "设置 dm-linear 段失败。"
 
-#: lib/luks2/luks2_json_metadata.c:2661 src/utils_reencrypt.c:433
-#, fuzzy
-#| msgid "No known cipher specification pattern detected.\n"
+#: lib/luks2/luks2_json_metadata.c:2649 src/utils_reencrypt.c:420
 msgid "No known cipher specification pattern detected in LUKS2 header."
-msgstr "未探测到已知的密文特征。\n"
+msgstr "未探测到已知的加密方法特征。"
 
-#: lib/luks2/luks2_json_metadata.c:2669
+#: lib/luks2/luks2_json_metadata.c:2657
 msgid "OPAL device must have static device size."
-msgstr ""
+msgstr "OPAL 设备必须有静态大小。"
 
-#: lib/luks2/luks2_json_metadata.c:2689
+#: lib/luks2/luks2_json_metadata.c:2677
 msgid "Encrypted OPAL device with integrity must be smaller than locking range."
-msgstr ""
+msgstr "具有完整性的加密 OPAL 设备必须小于锁定范围。"
 
-#: lib/luks2/luks2_json_metadata.c:2694
+#: lib/luks2/luks2_json_metadata.c:2682
 msgid "OPAL device must have same size as locking range."
-msgstr ""
+msgstr "OPAL 设备必须与锁定范围相同。"
+
+#: lib/luks2/luks2_json_metadata.c:2702
+#, c-format
+msgid "OPAL device is %s already unlocked.\n"
+msgstr "OPAL 设备%s已解锁过。\n"
 
-#: lib/luks2/luks2_json_metadata.c:2736
+#: lib/luks2/luks2_json_metadata.c:2735
 msgid "Unsupported device integrity configuration."
-msgstr ""
+msgstr "不支持的设备完整性配置。"
 
-#: lib/luks2/luks2_json_metadata.c:2752
+#: lib/luks2/luks2_json_metadata.c:2751
 msgid "Underlying dm-integrity device with unexpected provided data sectors."
-msgstr ""
+msgstr "下层 dm-integrity 设备意外提供了数据扇区。"
 
-#: lib/luks2/luks2_json_metadata.c:2845
+#: lib/luks2/luks2_json_metadata.c:2846
 msgid "Reencryption in-progress. Cannot deactivate device."
-msgstr ""
+msgstr "正在重新加密。无法停用设备。"
 
-#: lib/luks2/luks2_json_metadata.c:2856 lib/luks2/luks2_reencrypt.c:4159
+#: lib/luks2/luks2_json_metadata.c:2857 lib/luks2/luks2_reencrypt.c:4161
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
-msgstr ""
+msgstr "无法用 dm-error 目标替换挂起的设备 %s。"
 
-#: lib/luks2/luks2_json_metadata.c:2925 lib/luks2/luks2_json_metadata.c:2939
+#: lib/luks2/luks2_json_metadata.c:2926 lib/luks2/luks2_json_metadata.c:2948
 #, c-format
 msgid "Device %s was deactivated but hardware OPAL device cannot be locked."
-msgstr ""
+msgstr "设备 %s 已停用，但无法锁定硬件 OPAL 设备。"
 
-#: lib/luks2/luks2_json_metadata.c:2957
+#: lib/luks2/luks2_json_metadata.c:2967
 msgid "Failed to read LUKS2 requirements."
 msgstr "读取 LUKS2 需求时失败。"
 
-#: lib/luks2/luks2_json_metadata.c:2964
+#: lib/luks2/luks2_json_metadata.c:2974
 msgid "Unmet LUKS2 requirements detected."
 msgstr "探测到未满足的 LUKS2 需求。"
 
-#: lib/luks2/luks2_json_metadata.c:2972
+#: lib/luks2/luks2_json_metadata.c:2982
 msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
-msgstr ""
+msgstr "操作与标记准备旧版重新加密的设备不兼容。中止。"
 
-#: lib/luks2/luks2_json_metadata.c:2974
+#: lib/luks2/luks2_json_metadata.c:2984
 msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
-msgstr ""
+msgstr "操作与标记准备 LUKS2 重新加密的设备不兼容。中止。"
 
-#: lib/luks2/luks2_json_metadata.c:2976
+#: lib/luks2/luks2_json_metadata.c:2986
 msgid "Operation incompatible with device using OPAL. Aborting."
-msgstr ""
+msgstr "操作与使用 OPAL 的设备不兼容。中止。"
 
-#: lib/luks2/luks2_keyslot.c:563 lib/luks2/luks2_keyslot.c:602
+#: lib/luks2/luks2_keyslot.c:560 lib/luks2/luks2_keyslot.c:599
 msgid "Not enough available memory to open a keyslot."
-msgstr ""
+msgstr "没有足够的可用内存来打开密钥槽。"
 
-#: lib/luks2/luks2_keyslot.c:565 lib/luks2/luks2_keyslot.c:604
-#, fuzzy
-#| msgid "Keyslot %i: salt wiped."
+#: lib/luks2/luks2_keyslot.c:562 lib/luks2/luks2_keyslot.c:601
 msgid "Keyslot open failed."
-msgstr "密钥槽 %i: 已清除盐。"
+msgstr "密钥槽打开失败。"
 
-#: lib/luks2/luks2_keyslot_luks2.c:55 lib/luks2/luks2_keyslot_luks2.c:110
+#: lib/luks2/luks2_keyslot_luks2.c:42 lib/luks2/luks2_keyslot_luks2.c:97
 #, c-format
 msgid "Cannot use %s-%s cipher for keyslot encryption."
-msgstr ""
+msgstr "不能将 %s-%s 加密算法用于密钥槽加密。"
 
-#: lib/luks2/luks2_keyslot_luks2.c:285 lib/luks2/luks2_keyslot_luks2.c:404
-#: lib/luks2/luks2_keyslot_reenc.c:447 lib/luks2/luks2_reencrypt.c:2714
+#: lib/luks2/luks2_keyslot_luks2.c:272 lib/luks2/luks2_keyslot_luks2.c:391
+#: lib/luks2/luks2_keyslot_reenc.c:434 lib/luks2/luks2_reencrypt.c:2716
 #, c-format
 msgid "Hash algorithm %s is not available."
 msgstr "哈希算法 %s 不可用。"
 
-#: lib/luks2/luks2_keyslot_luks2.c:371
+#: lib/luks2/luks2_keyslot_luks2.c:358
 msgid "Warning: keyslot operation could fail as it requires more than available memory.\n"
-msgstr ""
+msgstr "警告：密钥槽操作可能会失败，因为它需要的内存超过可用内存。\n"
 
-#: lib/luks2/luks2_keyslot_luks2.c:520
-#, fuzzy
-#| msgid "Failed to swap new key slot.\n"
+#: lib/luks2/luks2_keyslot_luks2.c:507
 msgid "No space for new keyslot."
-msgstr "交换新密钥槽失败。\n"
+msgstr "没有空间放置新的密钥槽。"
 
-#: lib/luks2/luks2_keyslot_reenc.c:596
+#: lib/luks2/luks2_keyslot_reenc.c:583
 msgid "Invalid reencryption resilience mode change requested."
-msgstr ""
+msgstr "请求的重新加密韧性（resilience）模式更改无效。"
 
-#: lib/luks2/luks2_keyslot_reenc.c:717
+#: lib/luks2/luks2_keyslot_reenc.c:704
 #, c-format
 msgid "Can not update resilience type. New type only provides %<PRIu64> bytes, required space is: %<PRIu64> bytes."
-msgstr ""
+msgstr "无法更新韧性（resilience）类型。新类型仅提供 %<PRIu64> 字节，所需空间为：%<PRIu64> 字节。"
 
-#: lib/luks2/luks2_keyslot_reenc.c:727
+#: lib/luks2/luks2_keyslot_reenc.c:714
 msgid "Failed to refresh reencryption verification digest."
-msgstr ""
+msgstr "无法刷新重新加密验证摘要。"
 
-#: lib/luks2/luks2_luks1_convert.c:545
-#, fuzzy, c-format
-#| msgid "Cannot check password quality: %s\n"
+#: lib/luks2/luks2_luks1_convert.c:532
+#, c-format
 msgid "Cannot check status of device with uuid: %s."
-msgstr "无法检查密码质量：%s\n"
+msgstr "无法检查 uuid 为 %s 的设备的状态。"
 
-#: lib/luks2/luks2_luks1_convert.c:571
+#: lib/luks2/luks2_luks1_convert.c:558
 msgid "Unable to convert header with LUKSMETA additional metadata."
-msgstr ""
+msgstr "无法转换有额外 LUKSMETA 元数据的标头。"
 
-#: lib/luks2/luks2_luks1_convert.c:602 lib/luks2/luks2_reencrypt.c:3795
+#: lib/luks2/luks2_luks1_convert.c:589 lib/luks2/luks2_reencrypt.c:3797
 #, c-format
 msgid "Unable to use cipher specification %s-%s for LUKS2."
-msgstr ""
+msgstr "无法对 LUKS2 使用加密算法规范 %s-%s。"
 
-#: lib/luks2/luks2_luks1_convert.c:617
+#: lib/luks2/luks2_luks1_convert.c:604
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "无法移动密钥槽区域。空间不足。"
 
-#: lib/luks2/luks2_luks1_convert.c:652
-#, fuzzy
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:643
 msgid "Cannot convert to LUKS2 format - invalid metadata."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS2 格式 - 元数据无效。"
 
-#: lib/luks2/luks2_luks1_convert.c:669
-#, fuzzy
-#| msgid "Unable to move keyslot area. Not enough space."
+#: lib/luks2/luks2_luks1_convert.c:660
 msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
-msgstr "无法移动密钥槽区域。空间不足。"
+msgstr "无法移动密钥槽区域。LUKS2 密钥槽区域太小。"
 
-#: lib/luks2/luks2_luks1_convert.c:675 lib/luks2/luks2_luks1_convert.c:969
+#: lib/luks2/luks2_luks1_convert.c:666 lib/luks2/luks2_luks1_convert.c:960
 msgid "Unable to move keyslot area."
 msgstr "无法移动密钥槽区域。"
 
-#: lib/luks2/luks2_luks1_convert.c:765
-#, fuzzy
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:756
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 默认段的加密扇区大小不是 512 字节。"
 
-#: lib/luks2/luks2_luks1_convert.c:773
-#, fuzzy
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:764
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 密钥槽摘要与 LUKS1 不兼容。"
 
-#: lib/luks2/luks2_luks1_convert.c:785
-#, fuzzy, c-format
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:776
+#, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 设备的加密算法%s使用包装密钥。"
 
-#: lib/luks2/luks2_luks1_convert.c:790
-#, fuzzy
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:781
 msgid "Cannot convert to LUKS1 format - device uses more segments."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 设备使用更多段。"
 
-#: lib/luks2/luks2_luks1_convert.c:798
-#, fuzzy, c-format
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:789
+#, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - LUKS2 标头包含 %u 个令牌。"
 
-#: lib/luks2/luks2_luks1_convert.c:812
-#, fuzzy, c-format
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:803
+#, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 密钥槽 %u 处于无效状态。"
 
-#: lib/luks2/luks2_luks1_convert.c:817
-#, fuzzy, c-format
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:808
+#, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 槽 %u（超过最大槽数）仍处于活动状态。"
 
-#: lib/luks2/luks2_luks1_convert.c:822
-#, fuzzy, c-format
-#| msgid "LUKS keyslot %u is invalid.\n"
+#: lib/luks2/luks2_luks1_convert.c:813
+#, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
-msgstr "LUKS 密钥槽 %u 无效。\n"
+msgstr "无法转换为 LUKS1 格式 - 密钥槽 %u 与 LUKS1 不兼容。"
 
-#: lib/luks2/luks2_reencrypt.c:1181
+#: lib/luks2/luks2_reencrypt.c:1183
 #, c-format
 msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
-msgstr ""
+msgstr "热区大小必须是计算出的区域对齐量（%zu 字节）的倍数。"
 
-#: lib/luks2/luks2_reencrypt.c:1186
-#, fuzzy, c-format
-#| msgid "Device %s size is not aligned to requested sector size (%u bytes)."
+#: lib/luks2/luks2_reencrypt.c:1188
+#, c-format
 msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
-msgstr "设备 %s 的大小没有和请求的扇区大小对齐（%u 字节）。"
+msgstr "设备大小必须是计算出的区域对齐量（%zu 字节）的倍数。"
 
-#: lib/luks2/luks2_reencrypt.c:1393 lib/luks2/luks2_reencrypt.c:1580
-#: lib/luks2/luks2_reencrypt.c:1663 lib/luks2/luks2_reencrypt.c:1705
-#: lib/luks2/luks2_reencrypt.c:3954
-#, fuzzy
-#| msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/luks2/luks2_reencrypt.c:1395 lib/luks2/luks2_reencrypt.c:1582
+#: lib/luks2/luks2_reencrypt.c:1665 lib/luks2/luks2_reencrypt.c:1707
+#: lib/luks2/luks2_reencrypt.c:3956
 msgid "Failed to initialize old segment storage wrapper."
-msgstr "初始化默认 LUKS2 密钥槽参数失败。"
+msgstr "未能初始化旧的 segment storage wrapper。"
 
-#: lib/luks2/luks2_reencrypt.c:1407 lib/luks2/luks2_reencrypt.c:1558
-#, fuzzy
-#| msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/luks2/luks2_reencrypt.c:1409 lib/luks2/luks2_reencrypt.c:1560
 msgid "Failed to initialize new segment storage wrapper."
-msgstr "初始化默认 LUKS2 密钥槽参数失败。"
+msgstr "未能初始化新的 segment storage wrapper。"
 
-#: lib/luks2/luks2_reencrypt.c:1534 lib/luks2/luks2_reencrypt.c:3966
-#, fuzzy
-#| msgid "Failed to open key file.\n"
+#: lib/luks2/luks2_reencrypt.c:1536 lib/luks2/luks2_reencrypt.c:3968
 msgid "Failed to initialize hotzone protection."
-msgstr "打开 (open) 密钥文件失败。\n"
+msgstr "未能初始化热区保护。"
 
-#: lib/luks2/luks2_reencrypt.c:1607
-#, fuzzy
-#| msgid "Failed to read requirements from backup header."
+#: lib/luks2/luks2_reencrypt.c:1609
 msgid "Failed to read checksums for current hotzone."
-msgstr "从备份标头读取需求失败。"
+msgstr "未能读取当前热区的校验和。"
 
-#: lib/luks2/luks2_reencrypt.c:1614 lib/luks2/luks2_reencrypt.c:3980
-#, fuzzy, c-format
-#| msgid "Failed to access temporary keystore device.\n"
+#: lib/luks2/luks2_reencrypt.c:1616 lib/luks2/luks2_reencrypt.c:3982
+#, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
-msgstr "无法访问临时密钥存储设备。\n"
+msgstr "未能读取从 %<PRIu64> 开始的热区区域。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/luks2/luks2_reencrypt.c:1633
-#, fuzzy, c-format
-#| msgid "Failed to stat key file.\n"
+#: lib/luks2/luks2_reencrypt.c:1635
+#, c-format
 msgid "Failed to decrypt sector %zu."
-msgstr "获取 (stat) 密钥文件统计数据失败。\n"
+msgstr "未能解密扇区 %zu。"
 
-#: lib/luks2/luks2_reencrypt.c:1639
-#, fuzzy, c-format
-#| msgid "Failed to open key file.\n"
+#: lib/luks2/luks2_reencrypt.c:1641
+#, c-format
 msgid "Failed to recover sector %zu."
-msgstr "打开 (open) 密钥文件失败。\n"
+msgstr "未能恢复扇区 %zu。"
 
-#: lib/luks2/luks2_reencrypt.c:2203
+#: lib/luks2/luks2_reencrypt.c:2205
 #, c-format
 msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
-msgstr ""
+msgstr "源设备和目标设备大小不匹配。源：%<PRIu64>，目标：%<PRIu64>。"
 
-#: lib/luks2/luks2_reencrypt.c:2301
-#, fuzzy, c-format
-#| msgid "Failed to acquire write lock on device %s."
+#: lib/luks2/luks2_reencrypt.c:2303
+#, c-format
 msgid "Failed to activate hotzone device %s."
-msgstr "无法获取设备 %s 上的写入锁。"
+msgstr "无法激活热区设备 %s。"
 
-#: lib/luks2/luks2_reencrypt.c:2318
+#: lib/luks2/luks2_reencrypt.c:2320
 #, c-format
 msgid "Failed to activate overlay device %s with actual origin table."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2325
-#, fuzzy, c-format
-#| msgid "Failed to open temporary keystore device.\n"
+#: lib/luks2/luks2_reencrypt.c:2327
+#, c-format
 msgid "Failed to load new mapping for device %s."
-msgstr "打开临时密钥存储设备失败。\n"
+msgstr "未能为设备 %s 加载新映射。"
 
-#: lib/luks2/luks2_reencrypt.c:2396
+#: lib/luks2/luks2_reencrypt.c:2398
 #, fuzzy
 #| msgid "Failed to acquire read lock on device %s."
 msgid "Failed to refresh reencryption devices stack."
-msgstr "无法获取设备 %s 的读取锁。"
+msgstr "未能获取设备 %s 的读取锁。"
 
-#: lib/luks2/luks2_reencrypt.c:2596
+#: lib/luks2/luks2_reencrypt.c:2598
 #, fuzzy
 #| msgid "Failed to swap new key slot."
 msgid "Failed to set new keyslots area size."
 msgstr "交换新密钥槽失败。"
 
-#: lib/luks2/luks2_reencrypt.c:2732
+#: lib/luks2/luks2_reencrypt.c:2734
 #, fuzzy, c-format
 #| msgid "Device %s size is not aligned to requested sector size (%u bytes)."
 msgid "Data shift value is not aligned to encryption sector size (%<PRIu32> bytes)."
 msgstr "设备 %s 的大小没有和请求的扇区大小对齐（%u 字节）。"
 
-#: lib/luks2/luks2_reencrypt.c:2769 src/utils_reencrypt.c:189
+#: lib/luks2/luks2_reencrypt.c:2771 src/utils_reencrypt.c:176
 #, fuzzy, c-format
 #| msgid "Unsupported LUKS version %d."
 msgid "Unsupported resilience mode %s"
 msgstr "不支持的 LUKS 版本 %d。"
 
-#: lib/luks2/luks2_reencrypt.c:2806
+#: lib/luks2/luks2_reencrypt.c:2808
 msgid "Moved segment size can not be greater than data shift value."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2848
+#: lib/luks2/luks2_reencrypt.c:2850
 #, fuzzy
 #| msgid "Invalid plain crypt parameters."
 msgid "Invalid reencryption resilience parameters."
 msgstr "无效的纯加密选项。"
 
-#: lib/luks2/luks2_reencrypt.c:2870
+#: lib/luks2/luks2_reencrypt.c:2872
 #, c-format
 msgid "Moved segment too large. Requested size %<PRIu64>, available space for: %<PRIu64>."
 msgstr ""
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/luks2/luks2_reencrypt.c:2957
-#, fuzzy
-#| msgid "Failed to stat key file.\n"
+#: lib/luks2/luks2_reencrypt.c:2959
 msgid "Failed to clear table."
-msgstr "获取 (stat) 密钥文件统计数据失败。\n"
+msgstr "无法清除表。"
 
-#: lib/luks2/luks2_reencrypt.c:3043
+#: lib/luks2/luks2_reencrypt.c:3045
 msgid "Reduced data size is larger than real device size."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3050
-#, fuzzy, c-format
-#| msgid "Device %s size is not aligned to requested sector size (%u bytes)."
+#: lib/luks2/luks2_reencrypt.c:3052
+#, c-format
 msgid "Data device is not aligned to encryption sector size (%<PRIu32> bytes)."
-msgstr "设备 %s 的大小没有和请求的扇区大小对齐（%u 字节）。"
+msgstr "设备大小没有和请求的扇区大小对齐（%<PRIu32> 字节）。"
 
-#: lib/luks2/luks2_reencrypt.c:3084
+#: lib/luks2/luks2_reencrypt.c:3086
 #, c-format
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3091 lib/luks2/luks2_reencrypt.c:3589
-#: lib/luks2/luks2_reencrypt.c:3610
-#, fuzzy, c-format
-#| msgid "Cannot use device %s which is in use (already mapped or mounted)."
+#: lib/luks2/luks2_reencrypt.c:3093 lib/luks2/luks2_reencrypt.c:3591
+#: lib/luks2/luks2_reencrypt.c:3612
+#, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
-msgstr "无法使用正被使用的设备 %s（已被映射或挂载）。"
+msgstr "无法在独占模式下打开 %s（已映射或挂载）。"
 
-#: lib/luks2/luks2_reencrypt.c:3280
+#: lib/luks2/luks2_reencrypt.c:3282
 msgid "Device not marked for LUKS2 reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3297 lib/luks2/luks2_reencrypt.c:4271
+#: lib/luks2/luks2_reencrypt.c:3299 lib/luks2/luks2_reencrypt.c:4273
 #, fuzzy
 #| msgid "Failed to open key file.\n"
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "打开 (open) 密钥文件失败。\n"
 
-#: lib/luks2/luks2_reencrypt.c:3387
+#: lib/luks2/luks2_reencrypt.c:3389
 #, fuzzy
 #| msgid "Failed to open key file.\n"
 msgid "Failed to get reencryption state."
 msgstr "打开 (open) 密钥文件失败。\n"
 
-#: lib/luks2/luks2_reencrypt.c:3391 lib/luks2/luks2_reencrypt.c:3705
+#: lib/luks2/luks2_reencrypt.c:3393 lib/luks2/luks2_reencrypt.c:3707
 #, fuzzy
 #| msgid "Device %s is not active."
 msgid "Device is not in reencryption."
 msgstr "设备 %s 未激活。"
 
-#: lib/luks2/luks2_reencrypt.c:3398 lib/luks2/luks2_reencrypt.c:3712
+#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
 #, fuzzy
 #| msgid "Reencryption already in-progress."
 msgid "Reencryption process is already running."
 msgstr "重加密已在进行中。"
 
-#: lib/luks2/luks2_reencrypt.c:3400 lib/luks2/luks2_reencrypt.c:3714
+#: lib/luks2/luks2_reencrypt.c:3402 lib/luks2/luks2_reencrypt.c:3716
 #, fuzzy
 #| msgid "Failed to acquire write device lock."
 msgid "Failed to acquire reencryption lock."
-msgstr "无法获取写入设备锁。"
+msgstr "未能获取写入设备锁。"
 
-#: lib/luks2/luks2_reencrypt.c:3418
+#: lib/luks2/luks2_reencrypt.c:3420
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3553
+#: lib/luks2/luks2_reencrypt.c:3555
 msgid "Active device size and requested reencryption size don't match."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3567
+#: lib/luks2/luks2_reencrypt.c:3569
 msgid "Illegal device size requested in reencryption parameters."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3644
+#: lib/luks2/luks2_reencrypt.c:3646
 #, fuzzy
 #| msgid "Reencryption already in-progress."
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "重加密已在进行中。"
 
-#: lib/luks2/luks2_reencrypt.c:3812
+#: lib/luks2/luks2_reencrypt.c:3814
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3819
+#: lib/luks2/luks2_reencrypt.c:3821
 #, fuzzy
 #| msgid "Failed to initialise default LUKS2 keyslot parameters."
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "初始化默认 LUKS2 密钥槽参数失败。"
 
-#: lib/luks2/luks2_reencrypt.c:3872 lib/luks2/luks2_reencrypt.c:3907
+#: lib/luks2/luks2_reencrypt.c:3874 lib/luks2/luks2_reencrypt.c:3909
 #, fuzzy
 #| msgid "This operation is not supported for %s crypt device."
 msgid "Reencryption is not supported for DAX (persistent memory) devices."
 msgstr "不支持在 %s 加密设备上执行此操作。"
 
-#: lib/luks2/luks2_reencrypt.c:3879
+#: lib/luks2/luks2_reencrypt.c:3881
 #, fuzzy
 #| msgid "Failed to read passphrase from keyring (error %d)."
 msgid "Failed to read passphrase from keyring."
 msgstr "从密钥环读取口令失败（错误 %d）。"
 
-#: lib/luks2/luks2_reencrypt.c:3936
+#: lib/luks2/luks2_reencrypt.c:3938
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3988
+#: lib/luks2/luks2_reencrypt.c:3990
 #, fuzzy
 #| msgid "Failed to write activation flags to new header."
 msgid "Failed to write reencryption resilience metadata."
 msgstr "向新表头写入活动旗标失败。"
 
-#: lib/luks2/luks2_reencrypt.c:3995
+#: lib/luks2/luks2_reencrypt.c:3997
 msgid "Decryption failed."
 msgstr "解密失败。"
 
-#: lib/luks2/luks2_reencrypt.c:4000
+#: lib/luks2/luks2_reencrypt.c:4002
 #, fuzzy, c-format
 #| msgid "Failed to access temporary keystore device.\n"
 msgid "Failed to write hotzone area starting at %<PRIu64>."
-msgstr "无法访问临时密钥存储设备。\n"
+msgstr "未能访问临时密钥存储设备。\n"
 
 # stat() 主要就是出来一个各种文件信息……
-#: lib/luks2/luks2_reencrypt.c:4005
+#: lib/luks2/luks2_reencrypt.c:4007
 #, fuzzy
 #| msgid "Failed to stat key file."
 msgid "Failed to sync data."
 msgstr "获取 (stat) 密钥文件信息失败。"
 
-#: lib/luks2/luks2_reencrypt.c:4013
+#: lib/luks2/luks2_reencrypt.c:4015
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4102
+#: lib/luks2/luks2_reencrypt.c:4104
 #, fuzzy
 #| msgid "Failed to read LUKS2 requirements."
 msgid "Failed to write LUKS2 metadata."
 msgstr "读取 LUKS2 需求时失败。"
 
-#: lib/luks2/luks2_reencrypt.c:4125
+#: lib/luks2/luks2_reencrypt.c:4127
 #, fuzzy
 #| msgid "Failed to open temporary keystore device.\n"
 msgid "Failed to wipe unused data device area."
 msgstr "打开临时密钥存储设备失败。\n"
 
-#: lib/luks2/luks2_reencrypt.c:4131
+#: lib/luks2/luks2_reencrypt.c:4133
 #, fuzzy, c-format
 #| msgid "Failed to open key file.\n"
 msgid "Failed to remove unused (unbound) keyslot %d."
 msgstr "打开 (open) 密钥文件失败。\n"
 
-#: lib/luks2/luks2_reencrypt.c:4141
+#: lib/luks2/luks2_reencrypt.c:4143
 #, fuzzy
 #| msgid "Failed to open key file.\n"
 msgid "Failed to remove reencryption keyslot."
 msgstr "打开 (open) 密钥文件失败。\n"
 
-#: lib/luks2/luks2_reencrypt.c:4151
+#: lib/luks2/luks2_reencrypt.c:4153
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4155
+#: lib/luks2/luks2_reencrypt.c:4157
 #, fuzzy
 #| msgid "Cannot read reencryption log file."
 msgid "Online reencryption failed."
-msgstr "无法读取重加密日志文件。"
+msgstr "未能读取重加密日志文件。"
 
-#: lib/luks2/luks2_reencrypt.c:4160
+#: lib/luks2/luks2_reencrypt.c:4162
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4212
+#: lib/luks2/luks2_reencrypt.c:4214
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4218
+#: lib/luks2/luks2_reencrypt.c:4220
 msgid "Missing or invalid reencrypt context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:4225
+#: lib/luks2/luks2_reencrypt.c:4227
 #, fuzzy
 #| msgid "Failed to acquire read lock on device %s."
 msgid "Failed to initialize reencryption device stack."
-msgstr "无法获取设备 %s 的读取锁。"
+msgstr "未能获取设备 %s 的读取锁。"
 
-#: lib/luks2/luks2_reencrypt.c:4247 lib/luks2/luks2_reencrypt.c:4284
+#: lib/luks2/luks2_reencrypt.c:4249 lib/luks2/luks2_reencrypt.c:4286
 #, fuzzy
 #| msgid "Failed to open key file.\n"
 msgid "Failed to update reencryption context."
 msgstr "打开 (open) 密钥文件失败。\n"
 
-#: lib/luks2/luks2_reencrypt_digest.c:405
+#: lib/luks2/luks2_reencrypt_digest.c:408
 msgid "Reencryption metadata is invalid."
 msgstr "重加密元数据无效。"
 
-#: lib/luks2/hw_opal/hw_opal.c:327
+#: lib/luks2/hw_opal/hw_opal.c:328
 #, c-format
 msgid "OPAL range %d offset %<PRIu64> does not match expected values %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:334
+#: lib/luks2/hw_opal/hw_opal.c:335
 #, c-format
 msgid "OPAL range %d length %<PRIu64> does not match device length %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:340
+#: lib/luks2/hw_opal/hw_opal.c:341
 #, c-format
 msgid "OPAL range %d locking is disabled."
 msgstr ""
 
-#: lib/luks2/hw_opal/hw_opal.c:350 lib/luks2/hw_opal/hw_opal.c:357
+#: lib/luks2/hw_opal/hw_opal.c:351 lib/luks2/hw_opal/hw_opal.c:358
 #, c-format
 msgid "Unexpected OPAL range %d lock state."
 msgstr ""
 
-#: src/cryptsetup.c:85
+#: src/cryptsetup.c:80
 #, fuzzy
 #| msgid "This operation is supported only for LUKS2 device."
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "此操作只适用 LUKS2 设备。"
 
-#: src/cryptsetup.c:128 src/cryptsetup.c:2145
-#, fuzzy, c-format
-#| msgid "Enter VeraCrypt PIM: "
+#: src/cryptsetup.c:123 src/cryptsetup.c:2238
+#, c-format
 msgid "Enter token PIN: "
-msgstr "输入 VeraCrypt PIM: "
+msgstr "输入令牌 PIN："
 
-#: src/cryptsetup.c:130 src/cryptsetup.c:2147
+#: src/cryptsetup.c:125 src/cryptsetup.c:2240
 #, c-format
 msgid "Enter token %d PIN: "
-msgstr ""
+msgstr "输入令牌 %d PIN："
 
-#: src/cryptsetup.c:188 src/cryptsetup.c:1174 src/cryptsetup.c:1515
-#: src/utils_reencrypt.c:1137 src/utils_reencrypt_luks1.c:517
-#: src/utils_reencrypt_luks1.c:580
-#, fuzzy
-#| msgid "No known cipher specification pattern detected.\n"
+#: src/cryptsetup.c:183 src/cryptsetup.c:1169 src/cryptsetup.c:1519
+#: src/utils_reencrypt.c:1133 src/utils_reencrypt_luks1.c:504
+#: src/utils_reencrypt_luks1.c:567
 msgid "No known cipher specification pattern detected."
-msgstr "未探测到已知的密文特征。\n"
+msgstr "未探测到已知的加密方法特征。"
 
-#: src/cryptsetup.c:198
+#: src/cryptsetup.c:193
 #, c-format
 msgid "WARNING: Using default options for cipher (%s-%s, key size %u bits) that could be incompatible with older versions."
-msgstr ""
+msgstr "警告：给加密算法（%s-%s，密钥大小 %u 位）使用的默认选项可能与旧版本不兼容。"
 
-#: src/cryptsetup.c:203
+#: src/cryptsetup.c:198
 #, c-format
 msgid "WARNING: Using default options for hash (%s) that could be incompatible with older versions."
-msgstr ""
+msgstr "警告：给哈希算法（%s）使用的默认选项可能与旧版本不兼容。"
 
-#: src/cryptsetup.c:207
+#: src/cryptsetup.c:202
 msgid "For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."
-msgstr ""
+msgstr "对于纯模式，请始终使用选项 --cipher、--key-size；如果未使用密钥文件，请也使用 --hash。"
 
-#: src/cryptsetup.c:213
+#: src/cryptsetup.c:208
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "警告：在纯文本模式下指定密钥文件时将忽略参数 --hash。\n"
 
-#: src/cryptsetup.c:221
+#: src/cryptsetup.c:216
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "警告：将忽略参数 --keyfile-size，读取大小应与加密密钥大小一致。\n"
 
-#: src/cryptsetup.c:258 src/cryptsetup.c:1360 src/cryptsetup.c:1558
-#: src/integritysetup.c:197 src/utils_reencrypt.c:1346
+#: src/cryptsetup.c:253 src/cryptsetup.c:1364 src/cryptsetup.c:1562
+#: src/integritysetup.c:184 src/utils_reencrypt.c:1342
 #, c-format
 msgid "Blkid scan failed for %s."
-msgstr ""
+msgstr "%s 的 blkid 扫描失败。"
 
-#: src/cryptsetup.c:264
+#: src/cryptsetup.c:259
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
-msgstr ""
+msgstr "在 %s 上检测到设备签名。继续操作可能会损坏现有数据。"
 
-#: src/cryptsetup.c:270 src/cryptsetup.c:1248 src/cryptsetup.c:1296
-#: src/cryptsetup.c:1367 src/cryptsetup.c:1492 src/cryptsetup.c:1570
-#: src/cryptsetup.c:2525 src/cryptsetup.c:2952 src/integritysetup.c:187
-#: src/utils_reencrypt.c:138 src/utils_reencrypt.c:314
-#: src/utils_reencrypt.c:764
+#: src/cryptsetup.c:265 src/cryptsetup.c:1252 src/cryptsetup.c:1300
+#: src/cryptsetup.c:1371 src/cryptsetup.c:1496 src/cryptsetup.c:1574
+#: src/cryptsetup.c:2618 src/cryptsetup.c:3044 src/integritysetup.c:174
+#: src/utils_reencrypt.c:125 src/utils_reencrypt.c:301
+#: src/utils_reencrypt.c:759
 msgid "Operation aborted.\n"
 msgstr "操作中止。\n"
 
-#: src/cryptsetup.c:343
+#: src/cryptsetup.c:338
 msgid "Option --key-file is required."
 msgstr "需要选项 --key-file。"
 
-#: src/cryptsetup.c:394
+#: src/cryptsetup.c:389
 msgid "Enter VeraCrypt PIM: "
 msgstr "输入 VeraCrypt PIM: "
 
-#: src/cryptsetup.c:403
+#: src/cryptsetup.c:398
 msgid "Invalid PIM value: parse error."
 msgstr "无效的 PIM 值：解析错误。"
 
-#: src/cryptsetup.c:406
+#: src/cryptsetup.c:401
 msgid "Invalid PIM value: 0."
 msgstr "无效的 PIM 值：0。"
 
-#: src/cryptsetup.c:409
+#: src/cryptsetup.c:404
 msgid "Invalid PIM value: outside of range."
 msgstr "无效的 PIM 值：超出范围。"
 
-#: src/cryptsetup.c:432
-#, fuzzy
-#| msgid "No device header detected with this passphrase.\n"
+#: src/cryptsetup.c:427
 msgid "No device header detected with this passphrase."
-msgstr "未从此密码中探测到设备标头。\n"
+msgstr "未能用此密码探测到设备标头。"
 
-#: src/cryptsetup.c:505 src/cryptsetup.c:681
-#, fuzzy, c-format
-#| msgid "Device %s is not a valid LUKS device."
+#: src/cryptsetup.c:500 src/cryptsetup.c:676
+#, c-format
 msgid "Device %s is not a valid BITLK device."
-msgstr "%s 不是有效的 LUKS 设备。"
+msgstr "%s 不是有效的 BITLK 设备。"
 
-#: src/cryptsetup.c:513
-#, fuzzy
-#| msgid "Cannot retrieve volume key for plain device."
+#: src/cryptsetup.c:508
 msgid "Cannot determine volume key size for BITLK, please use --key-size option."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法确定 BITLK 的卷密钥大小，请使用 --key-size 选项。"
 
-#: src/cryptsetup.c:555
+#: src/cryptsetup.c:550
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
 "This dump should be always stored encrypted on safe place."
 msgstr ""
 
-#: src/cryptsetup.c:622 src/cryptsetup.c:703 src/cryptsetup.c:2550
+#: src/cryptsetup.c:617 src/cryptsetup.c:698 src/cryptsetup.c:2643
 msgid ""
 "The header dump with volume key is sensitive information\n"
 "that allows access to encrypted partition without a passphrase.\n"
 "This dump should be stored encrypted in a safe place."
 msgstr ""
 
-#: src/cryptsetup.c:758 src/cryptsetup.c:788
-#, fuzzy, c-format
-#| msgid "Device %s is not a valid VERITY device."
+#: src/cryptsetup.c:753 src/cryptsetup.c:783
+#, c-format
 msgid "Device %s is not a valid FVAULT2 device."
-msgstr "%s 不是有效的 VERITY 设备。"
+msgstr "%s 不是有效的 FVAULT2 设备。"
 
-#: src/cryptsetup.c:796
-#, fuzzy
-#| msgid "Cannot retrieve volume key for plain device."
+#: src/cryptsetup.c:791
 msgid "Cannot determine volume key size for FVAULT2, please use --key-size option."
-msgstr "无法获取普通设备的卷密钥。"
+msgstr "无法确定 FVAULT2 的卷密钥大小，请使用 --key-size 选项。"
 
-#: src/cryptsetup.c:850 src/veritysetup.c:323 src/integritysetup.c:409
+#: src/cryptsetup.c:845 src/veritysetup.c:310 src/integritysetup.c:396
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr ""
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/cryptsetup.c:884 src/cryptsetup.c:1824 src/cryptsetup.c:2080
-#: src/cryptsetup.c:2234 src/cryptsetup.c:2681 src/cryptsetup.c:2763
-#: src/cryptsetup.c:3290
+#: src/cryptsetup.c:879 src/cryptsetup.c:1899 src/cryptsetup.c:2173
+#: src/cryptsetup.c:2327 src/cryptsetup.c:2774 src/cryptsetup.c:2856
+#: src/cryptsetup.c:3382
 #, fuzzy, c-format
 #| msgid "Failed to stat key file.\n"
 msgid "Failed to set external tokens path %s."
 msgstr "获取 (stat) 密钥文件统计数据失败。\n"
 
-#: src/cryptsetup.c:893
+#: src/cryptsetup.c:888
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr ""
 
-#: src/cryptsetup.c:1053
-#, fuzzy
-#| msgid "benchmark cipher"
+#: src/cryptsetup.c:1048
 msgid "Benchmark interrupted."
-msgstr "测试密文"
+msgstr "基准测试已中断。"
 
-#: src/cryptsetup.c:1074
+#: src/cryptsetup.c:1069
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
-msgstr ""
+msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:1076
+#: src/cryptsetup.c:1071
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
-msgstr ""
+msgstr "PBKDF2-%-9s %7u 迭代/秒，对于 %zu 位密钥\n"
 
-#: src/cryptsetup.c:1090
+#: src/cryptsetup.c:1085
 #, c-format
 msgid "%-10s N/A\n"
-msgstr ""
+msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:1092
+#: src/cryptsetup.c:1087
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
-msgstr ""
+msgstr "%-10s %4u 次迭代、%5u 内存、%1u 并行线程（CPU），对于 %zu 位密钥（请求了 %u 毫秒时间）\n"
 
-#: src/cryptsetup.c:1116
+#: src/cryptsetup.c:1111
 msgid "Result of benchmark is not reliable."
-msgstr "测试结果不可靠。"
+msgstr "基准测试结果不可靠。"
 
-#: src/cryptsetup.c:1166
+#: src/cryptsetup.c:1161
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# 测试仅使用内存（无存储 IO）。\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
 #: src/cryptsetup.c:1186
-#, fuzzy, c-format
-#| msgid "#  Algorithm | Key |  Encryption |  Decryption\n"
+#, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
-msgstr "#  算法      | 密钥 | 加密         | 解密\n"
+msgstr "#%*s算法       |      密钥 | 加密            | 解密\n"
 
-#: src/cryptsetup.c:1190
-#, fuzzy, c-format
-#| msgid "Cipher %s is not available.\n"
+#: src/cryptsetup.c:1194
+#, c-format
 msgid "Cipher %s (with %i bits key) is not available."
-msgstr "密文 %s 不可用。\n"
+msgstr "加密方法 %s（%i 位密钥）不可用。"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:1209
-#, fuzzy
-#| msgid "#  Algorithm | Key |  Encryption |  Decryption\n"
+#: src/cryptsetup.c:1213
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
-msgstr "#  算法      | 密钥 | 加密         | 解密\n"
+msgstr "#     算法      |      密钥 |    加密         |      解密\n"
 
-#: src/cryptsetup.c:1220
+#: src/cryptsetup.c:1224
 msgid "N/A"
 msgstr "不可用"
 
-#: src/cryptsetup.c:1245
+#: src/cryptsetup.c:1249
 msgid ""
 "Unprotected LUKS2 reencryption metadata detected. Please verify the reencryption operation is desirable (see luksDump output)\n"
 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."
 msgstr ""
 
-#: src/cryptsetup.c:1251
+#: src/cryptsetup.c:1255
 #, fuzzy
 #| msgid "Enter passphrase to be deleted: "
 msgid "Enter passphrase to protect and upgrade reencryption metadata: "
 msgstr "输入要移除的口令: "
 
-#: src/cryptsetup.c:1295
+#: src/cryptsetup.c:1299
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr ""
 
-#: src/cryptsetup.c:1304
+#: src/cryptsetup.c:1308
 #, fuzzy
 #| msgid "Enter passphrase to be deleted: "
 msgid "Enter passphrase to verify reencryption metadata digest: "
 msgstr "输入要移除的口令: "
 
-#: src/cryptsetup.c:1306
+#: src/cryptsetup.c:1310
 #, fuzzy
 #| msgid "Enter passphrase for key slot %u: "
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "输入密钥槽 %u 的密码："
 
-#: src/cryptsetup.c:1366
+#: src/cryptsetup.c:1370
 msgid "Really try to repair LUKS device header?"
 msgstr "确定要尝试修复 LUKS 设备标头吗？"
 
-#: src/cryptsetup.c:1390 src/integritysetup.c:89 src/integritysetup.c:247
+#: src/cryptsetup.c:1394 src/integritysetup.c:76 src/integritysetup.c:234
 msgid ""
 "\n"
 "Wipe interrupted."
 msgstr ""
 "\n"
-"擦除被打断"
+"擦除被打断。"
 
-#: src/cryptsetup.c:1395 src/integritysetup.c:94 src/integritysetup.c:284
+#: src/cryptsetup.c:1399 src/integritysetup.c:81 src/integritysetup.c:271
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
 msgstr ""
 
-#: src/cryptsetup.c:1417 src/integritysetup.c:116
+#: src/cryptsetup.c:1421 src/integritysetup.c:103
 #, fuzzy, c-format
 #| msgid "Cannot open temporary LUKS device.\n"
 msgid "Cannot deactivate temporary device %s."
 msgstr "无法打开临时 LUKS 设备。\n"
 
-#: src/cryptsetup.c:1472
+#: src/cryptsetup.c:1476
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr ""
 
-#: src/cryptsetup.c:1477 src/cryptsetup.c:1542
+#: src/cryptsetup.c:1481 src/cryptsetup.c:1546
 #, fuzzy
 #| msgid "Unsupported LUKS version %d."
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "不支持的 LUKS 版本 %d。"
 
-#: src/cryptsetup.c:1482
+#: src/cryptsetup.c:1486
 #, fuzzy
 #| msgid "This operation is supported only for LUKS2 device."
 msgid "OPAL is supported only for LUKS2 format."
 msgstr "此操作只适用 LUKS2 设备。"
 
-#: src/cryptsetup.c:1491
+#: src/cryptsetup.c:1495
 msgid "Header file does not exist, do you want to create it?"
-msgstr ""
+msgstr "标头文件不存在，是否要创建它？"
 
-#: src/cryptsetup.c:1499
+#: src/cryptsetup.c:1503
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "无法创建标头文件 %s。"
 
-#: src/cryptsetup.c:1522 src/integritysetup.c:144 src/integritysetup.c:152
-#: src/integritysetup.c:161 src/integritysetup.c:324 src/integritysetup.c:332
-#: src/integritysetup.c:342
+#: src/cryptsetup.c:1526 src/integritysetup.c:131 src/integritysetup.c:139
+#: src/integritysetup.c:148 src/integritysetup.c:311 src/integritysetup.c:319
+#: src/integritysetup.c:329
 #, fuzzy
 #| msgid "No known cipher specification pattern detected.\n"
 msgid "No known integrity specification pattern detected."
-msgstr "未探测到已知的密文特征。\n"
+msgstr "未探测到已知的加密方法特征。\n"
 
-#: src/cryptsetup.c:1535
+#: src/cryptsetup.c:1539
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "无法将 %s 作为磁盘上的标头使用。"
 
-#: src/cryptsetup.c:1564 src/integritysetup.c:181
+#: src/cryptsetup.c:1568 src/integritysetup.c:168
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "这将覆盖 %s 上的数据，该动作不可取消。"
 
-#: src/cryptsetup.c:1601
+#: src/cryptsetup.c:1605
 msgid "OPAL Admin password cannot be empty."
 msgstr ""
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/cryptsetup.c:1615 src/cryptsetup.c:2097 src/cryptsetup.c:2247
-#: src/cryptsetup.c:2407 src/cryptsetup.c:2473 src/utils_reencrypt_luks1.c:443
+#: src/cryptsetup.c:1619 src/cryptsetup.c:2190 src/cryptsetup.c:2340
+#: src/cryptsetup.c:2500 src/cryptsetup.c:2566 src/utils_reencrypt_luks1.c:430
 msgid "Failed to set pbkdf parameters."
 msgstr "设置 pbkdf 参数失败。"
 
-#: src/cryptsetup.c:1745
+#: src/cryptsetup.c:1751
 msgid "Type specification in --link-vk-to-keyring keyring specification is ignored."
 msgstr ""
 
-#: src/cryptsetup.c:1765
+#: src/cryptsetup.c:1816
+msgid "Key types have to be the same for both volume keys."
+msgstr ""
+
+#: src/cryptsetup.c:1821
+#, fuzzy
+#| msgid "Failed to load key in kernel keyring."
+msgid "Both volume keys have to be linked to the same keyring."
+msgstr "在内核密钥环中加载密钥失败。"
+
+#: src/cryptsetup.c:1831
+msgid "You need to supply more key names."
+msgstr ""
+
+#: src/cryptsetup.c:1835
 msgid "Invalid --link-vk-to-keyring value."
 msgstr ""
 
-#: src/cryptsetup.c:1805
+#: src/cryptsetup.c:1880
 #, fuzzy
 #| msgid "Reduced data offset is allowed only for detached LUKS header.\n"
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "仅已脱离的 LUKS 数据头可以使用缩减的数据偏移。\n"
 
-#: src/cryptsetup.c:1812
+#: src/cryptsetup.c:1887
 #, c-format
 msgid "LUKS file container %s is too small for activation, there is no remaining space for data."
 msgstr ""
 
-#: src/cryptsetup.c:1839 src/cryptsetup.c:2253
+#: src/cryptsetup.c:1914 src/cryptsetup.c:2346
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr ""
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1981
 msgid "Device activated but cannot make flags persistent."
 msgstr ""
 
-#: src/cryptsetup.c:1972 src/cryptsetup.c:2040
+#: src/cryptsetup.c:2065 src/cryptsetup.c:2133
 #, fuzzy, c-format
 #| msgid "Key slot %d selected for deletion.\n"
 msgid "Keyslot %d is selected for deletion."
 msgstr "已选中密钥槽 %d 以删除。\n"
 
-#: src/cryptsetup.c:1984 src/cryptsetup.c:2044
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2137
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "这是最后一个密钥槽。设备在清空此密钥后将不可用。"
 
-#: src/cryptsetup.c:1985
+#: src/cryptsetup.c:2078
 msgid "Enter any remaining passphrase: "
 msgstr "输入任意剩余的口令: "
 
-#: src/cryptsetup.c:1986 src/cryptsetup.c:2046
+#: src/cryptsetup.c:2079 src/cryptsetup.c:2139
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "操作中止，密钥槽【未被】擦除。\n"
 
-#: src/cryptsetup.c:2022
+#: src/cryptsetup.c:2115
 msgid "Enter passphrase to be deleted: "
 msgstr "输入要移除的口令: "
 
-#: src/cryptsetup.c:2072 src/cryptsetup.c:2456 src/cryptsetup.c:3114
-#: src/cryptsetup.c:3281
+#: src/cryptsetup.c:2165 src/cryptsetup.c:2549 src/cryptsetup.c:3206
+#: src/cryptsetup.c:3373
 #, c-format
 msgid "Device %s is not a valid LUKS2 device."
 msgstr "设备 %s 不是有效的 LUKS2 设备。"
 
-#: src/cryptsetup.c:2111 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2204 src/cryptsetup.c:2423
 msgid "Enter new passphrase for key slot: "
 msgstr "输入密钥槽的新口令: "
 
-#: src/cryptsetup.c:2213
+#: src/cryptsetup.c:2306
 #, fuzzy
 #| msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgid "WARNING: The --key-slot parameter is used for new keyslot number.\n"
 msgstr "警告：在纯文本模式下指定密钥文件时将忽略参数 --hash。\n"
 
-#: src/cryptsetup.c:2286 src/utils_reencrypt_luks1.c:1149
+#: src/cryptsetup.c:2379 src/utils_reencrypt_luks1.c:1096
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "输入任意已存在的口令: "
 
-#: src/cryptsetup.c:2411
+#: src/cryptsetup.c:2504
 msgid "Enter passphrase to be changed: "
 msgstr "输入要更改的口令: "
 
-#: src/cryptsetup.c:2427 src/utils_reencrypt_luks1.c:1135
+#: src/cryptsetup.c:2520 src/utils_reencrypt_luks1.c:1082
 msgid "Enter new passphrase: "
 msgstr "输入新口令: "
 
-#: src/cryptsetup.c:2477
+#: src/cryptsetup.c:2570
 #, fuzzy
 #| msgid "Enter passphrase for key slot %u: "
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "输入密钥槽 %u 的密码："
 
-#: src/cryptsetup.c:2501
+#: src/cryptsetup.c:2594
 #, fuzzy
 #| msgid "Only one device argument for isLuks operation is supported.\n"
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "isLuks 操作仅支持一个设备参数。\n"
 
-#: src/cryptsetup.c:2609
+#: src/cryptsetup.c:2702
 #, fuzzy, c-format
 #| msgid "Key slot %d is not used.\n"
 msgid "Keyslot %d does not contain unbound key."
 msgstr "密钥槽 %d 未使用。\n"
 
-#: src/cryptsetup.c:2614
+#: src/cryptsetup.c:2707
 msgid ""
 "The header dump with unbound key is sensitive information.\n"
 "This dump should be stored encrypted in a safe place."
 msgstr ""
 
-#: src/cryptsetup.c:2709 src/cryptsetup.c:2746
+#: src/cryptsetup.c:2802 src/cryptsetup.c:2839
 #, fuzzy, c-format
 #| msgid "show active device status"
 msgid "%s is not active %s device name."
 msgstr "显示已激活的设备信息"
 
-#: src/cryptsetup.c:2741
+#: src/cryptsetup.c:2834
 #, c-format
 msgid "%s is not active LUKS device name or header is missing."
 msgstr ""
 
-#: src/cryptsetup.c:2819 src/cryptsetup.c:2838
+#: src/cryptsetup.c:2912 src/cryptsetup.c:2931
 msgid "Option --header-backup-file is required."
 msgstr "必须指定 --header-backup-file 选项。"
 
-#: src/cryptsetup.c:2869
+#: src/cryptsetup.c:2962
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr ""
 
-#: src/cryptsetup.c:2880
+#: src/cryptsetup.c:2973
 #, fuzzy, c-format
 #| msgid "Resume is not supported for device %s."
 msgid "Refresh is not supported for device type %s"
 msgstr "设备 %s 不支持恢复。"
 
-#: src/cryptsetup.c:2930
+#: src/cryptsetup.c:3023
 #, fuzzy, c-format
 #| msgid "Unrecognized metadata device type %s.\n"
 msgid "Unrecognized metadata device type %s."
-msgstr "无法识别的元数据设备类型 %s。\n"
+msgstr "未能识别的元数据设备类型 %s。\n"
 
-#: src/cryptsetup.c:2932
+#: src/cryptsetup.c:3025
 #, fuzzy
 #| msgid "Command requires device and mapped name as arguments.\n"
 msgid "Command requires device and mapped name as arguments."
 msgstr "命令需要设备及映射名作为参数。\n"
 
-#: src/cryptsetup.c:2942
+#: src/cryptsetup.c:3035
 msgid "Enter OPAL PSID: "
 msgstr "输入 OPAL PSID："
 
-#: src/cryptsetup.c:2942
+#: src/cryptsetup.c:3035
 #, fuzzy
 #| msgid "Enter new passphrase: "
 msgid "Enter OPAL Admin password: "
 msgstr "输入新口令: "
 
-#: src/cryptsetup.c:2951
+#: src/cryptsetup.c:3043
 msgid "WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"
 msgstr ""
 
-#: src/cryptsetup.c:2994
+#: src/cryptsetup.c:3086
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -2724,406 +2572,373 @@ msgstr ""
 "该操作将清空设备 %s 上所有的密钥槽。\n"
 "设备在此操作后将不可用。"
 
-#: src/cryptsetup.c:3001
+#: src/cryptsetup.c:3093
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "操作已中止，密钥槽没有被擦除。\n"
 
-#: src/cryptsetup.c:3040
+#: src/cryptsetup.c:3132
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr ""
 
-#: src/cryptsetup.c:3056
+#: src/cryptsetup.c:3148
 #, c-format
 msgid "Device is already %s type."
 msgstr "设备已为 %s 类型。"
 
-#: src/cryptsetup.c:3063
+#: src/cryptsetup.c:3155
 #, fuzzy, c-format
 #| msgid "This operation is not supported for %s crypt device.\n"
 msgid "This operation will convert %s to %s format.\n"
 msgstr "不支持在 %s 加密设备上执行此操作。\n"
 
-#: src/cryptsetup.c:3066
+#: src/cryptsetup.c:3158
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3106
+#: src/cryptsetup.c:3198
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "选项 --priority、--label 或 --subsystem 缺失。"
 
-#: src/cryptsetup.c:3140 src/cryptsetup.c:3180 src/cryptsetup.c:3200
-#, fuzzy, c-format
-#| msgid "Key slot %d is invalid.\n"
+#: src/cryptsetup.c:3232 src/cryptsetup.c:3272 src/cryptsetup.c:3292
+#, c-format
 msgid "Token %d is invalid."
-msgstr "密钥槽 %d 无效。\n"
+msgstr "令牌 %d 无效。"
 
-#: src/cryptsetup.c:3143 src/cryptsetup.c:3203
-#, fuzzy, c-format
-#| msgid "Key slot %d is not used.\n"
+#: src/cryptsetup.c:3235 src/cryptsetup.c:3295
+#, c-format
 msgid "Token %d in use."
-msgstr "密钥槽 %d 未使用。\n"
+msgstr "令牌 %d 正在使用中。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/cryptsetup.c:3155
+#: src/cryptsetup.c:3247
 #, fuzzy, c-format
 #| msgid "Failed to stat key file.\n"
 msgid "Failed to add luks2-keyring token %d."
 msgstr "获取 (stat) 密钥文件统计数据失败。\n"
 
-#: src/cryptsetup.c:3166 src/cryptsetup.c:3229
+#: src/cryptsetup.c:3258 src/cryptsetup.c:3321
 #, fuzzy, c-format
 #| msgid "Failed to swap new key slot.\n"
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "交换新密钥槽失败。\n"
 
-#: src/cryptsetup.c:3183
-#, fuzzy, c-format
-#| msgid "Key slot %d is not used.\n"
+#: src/cryptsetup.c:3275
+#, c-format
 msgid "Token %d is not in use."
-msgstr "密钥槽 %d 未使用。\n"
+msgstr "令牌 %d 未使用。"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3312
 #, fuzzy
 #| msgid "Failed to open key file."
 msgid "Failed to import token from file."
 msgstr "打开 (open) 密钥文件失败。"
 
-#: src/cryptsetup.c:3245
+#: src/cryptsetup.c:3337
 #, fuzzy, c-format
 #| msgid "Failed to swap new key slot.\n"
 msgid "Failed to get token %d for export."
 msgstr "交换新密钥槽失败。\n"
 
-#: src/cryptsetup.c:3258
+#: src/cryptsetup.c:3350
 #, fuzzy, c-format
 #| msgid "Failed to swap new key slot.\n"
 msgid "Token %d is not assigned to keyslot %d."
 msgstr "交换新密钥槽失败。\n"
 
-#: src/cryptsetup.c:3260 src/cryptsetup.c:3267
+#: src/cryptsetup.c:3352 src/cryptsetup.c:3359
 #, fuzzy, c-format
 #| msgid "Failed to swap new key slot.\n"
 msgid "Failed to unassign token %d from keyslot %d."
 msgstr "交换新密钥槽失败。\n"
 
-#: src/cryptsetup.c:3326
-#, fuzzy
-#| msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
+#: src/cryptsetup.c:3418
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."
-msgstr "选项 --tcrypt-hidden, --tcrypt-system 或 --tcrypt-backup 只支持 TCRYPT 设备。\n"
+msgstr "选项 --tcrypt-hidden, --tcrypt-system 或 --tcrypt-backup 只支持 TCRYPT 设备。"
 
-#: src/cryptsetup.c:3329
-#, fuzzy
-#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+#: src/cryptsetup.c:3421
 msgid "Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."
-msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n"
+msgstr "选项 --veracrypt、--disable-veracrypt 只支持 TCRYPT 设备类型。"
 
-#: src/cryptsetup.c:3332
-#, fuzzy
-#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+#: src/cryptsetup.c:3424
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices."
-msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n"
+msgstr "选项 --veracrypt-pim 只支持兼容 VeraCrypt 的设备。"
 
-#: src/cryptsetup.c:3336
-#, fuzzy
-#| msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
+#: src/cryptsetup.c:3428
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."
-msgstr "选项 --veracrypt 只支持 TCRYPT 设备类型。\n"
+msgstr "选项 --veracrypt-query-pim 只支持兼容 VeraCrypt 的设备。"
 
-#: src/cryptsetup.c:3338
+#: src/cryptsetup.c:3430
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive."
-msgstr ""
+msgstr "选项 --veracrypt-pim、--veracrypt-query-pim 互斥。"
 
-#: src/cryptsetup.c:3347
-#, fuzzy
-#| msgid "Option --allow-discards is allowed only for open operation.\n"
+#: src/cryptsetup.c:3439
 msgid "Option --persistent is not allowed with --test-passphrase."
-msgstr "选项 --allow-discards 只适用于打开操作。\n"
+msgstr "不允许将选项 --persistent 与 --test-passphrase 一起使用。"
 
-#: src/cryptsetup.c:3350
+#: src/cryptsetup.c:3442
 msgid "Options --refresh and --test-passphrase are mutually exclusive."
-msgstr ""
+msgstr "选项 --refresh、--test-passphrase 互斥。"
 
-#: src/cryptsetup.c:3353
-#, fuzzy
-#| msgid "Option --shared is allowed only for open of plain device.\n"
+#: src/cryptsetup.c:3445
 msgid "Option --shared is allowed only for open of plain device."
-msgstr "选项 --shared 只适用于打开纯设备。\n"
+msgstr "选项 --shared 只适用于打开纯（plain）设备。"
 
-#: src/cryptsetup.c:3356
-#, fuzzy
-#| msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
+#: src/cryptsetup.c:3448
 msgid "Option --skip is supported only for open of plain and loopaes devices."
-msgstr "选项 --skip 只适用于打开纯设备和 loopaes 设备。\n"
+msgstr "选项 --skip 只适用于打开纯（plain）设备和 loopaes 设备。"
 
-#: src/cryptsetup.c:3359
-#, fuzzy
-#| msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+#: src/cryptsetup.c:3451
 msgid "Option --offset with open action is only supported for plain and loopaes devices."
-msgstr "选项 --offset 只适用于打开纯设备和 loopaes 设备。\n"
+msgstr "选项 --offset 只适用于打开纯（plain）设备和 loopaes 设备。"
 
-#: src/cryptsetup.c:3362
-#, fuzzy
-#| msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
+#: src/cryptsetup.c:3454
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards."
-msgstr "选项 --tcrypt-hidden 不能与 --allow-discards 共用。\n"
+msgstr "选项 --tcrypt-hidden 不能与 --allow-discards 共用。"
 
-#: src/cryptsetup.c:3366
-#, fuzzy
-#| msgid "This operation is supported only for LUKS device."
+#: src/cryptsetup.c:3458
 msgid "Sector size option with open action is supported only for plain devices."
-msgstr "此操作只适用 LUKS 设备。"
+msgstr "只有纯（plain）设备可以在打开时指定扇区大小。"
 
-#: src/cryptsetup.c:3370
+#: src/cryptsetup.c:3462
 msgid "Large IV sectors option is supported only for opening plain type device with sector size larger than 512 bytes."
-msgstr ""
+msgstr "只有扇区大小超过512字节的纯（plain）设备可以使用大IV扇区选项。"
 
-#: src/cryptsetup.c:3375
-#, fuzzy
-#| msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+#: src/cryptsetup.c:3467
 msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT, BITLK and FVAULT2 devices."
-msgstr "选项 --test-passphrase 只能用于打开 LUKS 和 TCRYPT 设备。\n"
+msgstr "选项 --test-passphrase 只能用于打开 LUKS、TCRYPT、BITLK、FVAULT2 设备。"
 
-#: src/cryptsetup.c:3378 src/cryptsetup.c:3401
+#: src/cryptsetup.c:3470 src/cryptsetup.c:3493
 msgid "Options --device-size and --size cannot be combined."
-msgstr ""
+msgstr "选项 --device-size 和 --size 不能组合使用。"
 
-#: src/cryptsetup.c:3381
+#: src/cryptsetup.c:3473
 #, fuzzy
 #| msgid "Option --shared is allowed only for open of plain device.\n"
 msgid "Option --unbound is allowed only for open of luks device."
-msgstr "选项 --shared 只适用于打开纯设备。\n"
+msgstr "选项 --shared 只适用于打开纯（plain）设备。\n"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3476
 #, fuzzy
 #| msgid "Option --new cannot be used together with --decrypt."
 msgid "Option --unbound cannot be used without --test-passphrase."
 msgstr "选项 --new 不可与 --decrypt 共用。"
 
-#: src/cryptsetup.c:3393 src/veritysetup.c:671 src/integritysetup.c:767
+#: src/cryptsetup.c:3485 src/veritysetup.c:658 src/integritysetup.c:754
 msgid "Options --cancel-deferred and --deferred cannot be used at the same time."
 msgstr ""
 
-#: src/cryptsetup.c:3409
+#: src/cryptsetup.c:3501
 msgid "Options --reduce-device-size and --device-size cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3504
 #, fuzzy
 #| msgid "This operation is supported only for LUKS2 device."
 msgid "Option --active-name can be set only for LUKS2 device."
 msgstr "此操作只适用 LUKS2 设备。"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3507
 msgid "Options --active-name and --force-offline-reencrypt cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3423 src/cryptsetup.c:3453
+#: src/cryptsetup.c:3515 src/cryptsetup.c:3545
 msgid "Keyslot specification is required."
 msgstr ""
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3523
 #, fuzzy
 #| msgid "Option --align-payload is allowed only for luksFormat."
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "选项 --align-payload 只允许用于 luksFormat。"
 
-#: src/cryptsetup.c:3434
+#: src/cryptsetup.c:3526
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension."
 msgstr ""
 
-#: src/cryptsetup.c:3437
+#: src/cryptsetup.c:3529
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "--use-[u]random 选项只能用一处。"
 
-#: src/cryptsetup.c:3445
+#: src/cryptsetup.c:3537
 msgid "Key size is required with --unbound option."
 msgstr ""
 
-#: src/cryptsetup.c:3465
+#: src/cryptsetup.c:3557
 #, fuzzy
 #| msgid "Invalid device %s.\n"
 msgid "Invalid token action."
 msgstr "设备 %s 无效。\n"
 
-#: src/cryptsetup.c:3468
+#: src/cryptsetup.c:3560
 msgid "--key-description parameter is mandatory for token add action."
 msgstr ""
 
-#: src/cryptsetup.c:3472 src/cryptsetup.c:3485
+#: src/cryptsetup.c:3564 src/cryptsetup.c:3577
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr ""
 
-#: src/cryptsetup.c:3476
+#: src/cryptsetup.c:3568
 #, fuzzy
 #| msgid "Option --new cannot be used together with --decrypt."
 msgid "Option --unbound is valid only with token add action."
 msgstr "选项 --new 不可与 --decrypt 共用。"
 
-#: src/cryptsetup.c:3478
+#: src/cryptsetup.c:3570
 msgid "Options --key-slot and --unbound cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3483
+#: src/cryptsetup.c:3575
 msgid "Action requires specific keyslot. Use --key-slot parameter."
 msgstr ""
 
-#: src/cryptsetup.c:3499
+#: src/cryptsetup.c:3591
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<设备> [--type <类型>] [<名称>]"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:491 src/integritysetup.c:544
+#: src/cryptsetup.c:3591 src/veritysetup.c:478 src/integritysetup.c:531
 msgid "open device as <name>"
 msgstr "以 <名称> 打开设备"
 
-#: src/cryptsetup.c:3500 src/cryptsetup.c:3501 src/cryptsetup.c:3502
-#: src/veritysetup.c:492 src/veritysetup.c:493 src/integritysetup.c:545
-#: src/integritysetup.c:546 src/integritysetup.c:548
+#: src/cryptsetup.c:3592 src/cryptsetup.c:3593 src/cryptsetup.c:3594
+#: src/veritysetup.c:479 src/veritysetup.c:480 src/integritysetup.c:532
+#: src/integritysetup.c:533 src/integritysetup.c:535
 msgid "<name>"
 msgstr "<名称>"
 
-#: src/cryptsetup.c:3500 src/veritysetup.c:492 src/integritysetup.c:545
+#: src/cryptsetup.c:3592 src/veritysetup.c:479 src/integritysetup.c:532
 msgid "close device (remove mapping)"
 msgstr "关闭设备（移除映射）"
 
-#: src/cryptsetup.c:3501 src/integritysetup.c:548
+#: src/cryptsetup.c:3593 src/integritysetup.c:535
 msgid "resize active device"
-msgstr "改变活动设备大小。"
+msgstr "改变活动设备大小"
 
-#: src/cryptsetup.c:3502
+#: src/cryptsetup.c:3594
 msgid "show device status"
 msgstr "显示设备状态"
 
-#: src/cryptsetup.c:3503
+#: src/cryptsetup.c:3595
 msgid "[--cipher <cipher>]"
 msgstr ""
 
-#: src/cryptsetup.c:3503
+#: src/cryptsetup.c:3595
 msgid "benchmark cipher"
-msgstr "测试密文"
+msgstr "基准测试加密方法"
 
-#: src/cryptsetup.c:3504 src/cryptsetup.c:3505 src/cryptsetup.c:3506
-#: src/cryptsetup.c:3507 src/cryptsetup.c:3508 src/cryptsetup.c:3515
-#: src/cryptsetup.c:3516 src/cryptsetup.c:3517 src/cryptsetup.c:3518
-#: src/cryptsetup.c:3519 src/cryptsetup.c:3520 src/cryptsetup.c:3521
-#: src/cryptsetup.c:3522 src/cryptsetup.c:3523 src/cryptsetup.c:3524
+#: src/cryptsetup.c:3596 src/cryptsetup.c:3597 src/cryptsetup.c:3598
+#: src/cryptsetup.c:3599 src/cryptsetup.c:3600 src/cryptsetup.c:3607
+#: src/cryptsetup.c:3608 src/cryptsetup.c:3609 src/cryptsetup.c:3610
+#: src/cryptsetup.c:3611 src/cryptsetup.c:3612 src/cryptsetup.c:3613
+#: src/cryptsetup.c:3614 src/cryptsetup.c:3615 src/cryptsetup.c:3616
 msgid "<device>"
 msgstr "<设备>"
 
-#: src/cryptsetup.c:3504
+#: src/cryptsetup.c:3596
 msgid "try to repair on-disk metadata"
 msgstr "尝试修复磁盘上的元数据"
 
-#: src/cryptsetup.c:3505
+#: src/cryptsetup.c:3597
 msgid "reencrypt LUKS2 device"
 msgstr "重加密 LUKS2 设备"
 
-#: src/cryptsetup.c:3506
+#: src/cryptsetup.c:3598
 msgid "erase all keyslots (remove encryption key)"
 msgstr "清空所有密钥槽（移除加密密钥）"
 
-#: src/cryptsetup.c:3507
+#: src/cryptsetup.c:3599
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "在 LUKS 和 LUKS2 格式之间转换"
 
-#: src/cryptsetup.c:3508
+#: src/cryptsetup.c:3600
 msgid "set permanent configuration options for LUKS2"
-msgstr ""
+msgstr "为 LUKS2 设置永久配置选项"
 
-#: src/cryptsetup.c:3509 src/cryptsetup.c:3510
+#: src/cryptsetup.c:3601 src/cryptsetup.c:3602
 msgid "<device> [<new key file>]"
 msgstr "<设备> [<新密钥文件>]"
 
-#: src/cryptsetup.c:3509
+#: src/cryptsetup.c:3601
 msgid "formats a LUKS device"
 msgstr "格式化一个 LUKS 设备"
 
-#: src/cryptsetup.c:3510
+#: src/cryptsetup.c:3602
 msgid "add key to LUKS device"
 msgstr "向 LUKS 设备添加密钥"
 
-#: src/cryptsetup.c:3511 src/cryptsetup.c:3512 src/cryptsetup.c:3513
+#: src/cryptsetup.c:3603 src/cryptsetup.c:3604 src/cryptsetup.c:3605
 msgid "<device> [<key file>]"
 msgstr "<设备> [<密钥文件>]"
 
-#: src/cryptsetup.c:3511
+#: src/cryptsetup.c:3603
 msgid "removes supplied key or key file from LUKS device"
 msgstr "移除 LUKS 设备中指定的密钥或密钥文件"
 
-#: src/cryptsetup.c:3512
+#: src/cryptsetup.c:3604
 msgid "changes supplied key or key file of LUKS device"
 msgstr "更改 LUKS 设备中指定的密钥或密钥文件"
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/cryptsetup.c:3513
-#, fuzzy
-#| msgid "Failed to stat key file.\n"
+#: src/cryptsetup.c:3605
 msgid "converts a key to new pbkdf parameters"
-msgstr "获取 (stat) 密钥文件统计数据失败。\n"
+msgstr "将密钥转换到新的 pbkdf 参数"
 
-#: src/cryptsetup.c:3514
+#: src/cryptsetup.c:3606
 msgid "<device> <key slot>"
 msgstr "<设备> <密钥槽>"
 
-#: src/cryptsetup.c:3514
+#: src/cryptsetup.c:3606
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "从 LUKS 设备清理标号为 <key slot> 的密钥"
 
-#: src/cryptsetup.c:3515
+#: src/cryptsetup.c:3607
 msgid "print UUID of LUKS device"
 msgstr "输出 LUKS 设备的 UUID（唯一标识符）"
 
-#: src/cryptsetup.c:3516
+#: src/cryptsetup.c:3608
 msgid "tests <device> for LUKS partition header"
-msgstr "从 <device> 探测 LUKS 分区标头"
+msgstr "从 <设备> 探测 LUKS 分区标头"
 
-#: src/cryptsetup.c:3517
+#: src/cryptsetup.c:3609
 msgid "dump LUKS partition information"
 msgstr "调出 LUKS 分区信息"
 
-#: src/cryptsetup.c:3518
+#: src/cryptsetup.c:3610
 msgid "dump TCRYPT device information"
 msgstr "调出 TCRYPT 设备信息"
 
-#: src/cryptsetup.c:3519
-#, fuzzy
-#| msgid "dump TCRYPT device information"
+#: src/cryptsetup.c:3611
 msgid "dump BITLK device information"
-msgstr "调出 TCRYPT 设备信息"
+msgstr "调出 BITLK 设备信息"
 
-#: src/cryptsetup.c:3520
-#, fuzzy
-#| msgid "dump TCRYPT device information"
+#: src/cryptsetup.c:3612
 msgid "dump FVAULT2 device information"
-msgstr "调出 TCRYPT 设备信息"
+msgstr "调出 FVAULT2 设备信息"
 
-#: src/cryptsetup.c:3521
-#, fuzzy
-#| msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
+#: src/cryptsetup.c:3613
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
-msgstr "挂起 LUKS 设备并清除密钥（冻结所有 IO 操作）。"
+msgstr "挂起 LUKS 设备并清除密钥（冻结所有 IO 操作）"
 
-#: src/cryptsetup.c:3522
+#: src/cryptsetup.c:3614
 msgid "Resume suspended LUKS device"
 msgstr "恢复已挂起的 LUKS 设备"
 
-#: src/cryptsetup.c:3523
+#: src/cryptsetup.c:3615
 msgid "Backup LUKS device header and keyslots"
 msgstr "备份 LUKS 设备标头和密钥槽"
 
-#: src/cryptsetup.c:3524
+#: src/cryptsetup.c:3616
 msgid "Restore LUKS device header and keyslots"
 msgstr "恢复 LUKS 设备标头和密钥槽"
 
-#: src/cryptsetup.c:3525
+#: src/cryptsetup.c:3617
 msgid "<add|remove|import|export> <device>"
-msgstr ""
+msgstr "<add|remove|import|export> <设备>"
 
-#: src/cryptsetup.c:3525
+#: src/cryptsetup.c:3617
 msgid "Manipulate LUKS2 tokens"
-msgstr ""
+msgstr "操作 LUKS2 令牌"
 
-#: src/cryptsetup.c:3544 src/veritysetup.c:509 src/integritysetup.c:563
+#: src/cryptsetup.c:3636 src/veritysetup.c:496 src/integritysetup.c:550
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -3131,13 +2946,7 @@ msgstr ""
 "\n"
 "<动作> 为其中之一：\n"
 
-#: src/cryptsetup.c:3550
-#, fuzzy
-#| msgid ""
-#| "\n"
-#| "You can also use old <action> syntax aliases:\n"
-#| "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-#| "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+#: src/cryptsetup.c:3642
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
@@ -3146,10 +2955,10 @@ msgid ""
 msgstr ""
 "\n"
 "你亦可使用老的 <动作> 语法别名：\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close\n"
 
-#: src/cryptsetup.c:3554
+#: src/cryptsetup.c:3646
 #, c-format
 msgid ""
 "\n"
@@ -3164,37 +2973,32 @@ msgstr ""
 "<key slot> 为需要更改的 LUKS 密钥槽\n"
 "<key file> 提供给 luksAddKey 动作的密钥文件\n"
 
-#: src/cryptsetup.c:3561
+#: src/cryptsetup.c:3653
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in metadata format is %s (for luksFormat action).\n"
 msgstr ""
 
-#: src/cryptsetup.c:3566
+#: src/cryptsetup.c:3658
 msgid ""
 "\n"
 "LUKS2 external token plugin support is enabled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3567
+#: src/cryptsetup.c:3659
 #, c-format
 msgid "LUKS2 external token plugin path: %s.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3569
+#: src/cryptsetup.c:3661
 msgid ""
 "\n"
 "LUKS2 external token plugin support is disabled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3573
-#, fuzzy, c-format
-#| msgid ""
-#| "\n"
-#| "Default compiled-in key and passphrase parameters:\n"
-#| "\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
-#| "Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+#: src/cryptsetup.c:3665
+#, c-format
 msgid ""
 "\n"
 "Default compiled-in key and passphrase parameters:\n"
@@ -3206,16 +3010,13 @@ msgstr ""
 "\n"
 "默认集成的密钥和密码参数：\n"
 "\t密钥文件的最大大小：%dkB, 交互式密码的最大长度：%d (字符)\n"
-"LUKS 的默认 PBKDF2 迭代时间：%d (毫秒)\n"
+"LUKS1 的默认 PBKDF：%s，迭代时间：%d (毫秒)\n"
+"LUKS2 的默认 PBKDF：%s\n"
+"\t迭代时间：%d，内存需求：%dkB，线程数：%d\n"
+"\n"
 
-#: src/cryptsetup.c:3584
-#, fuzzy, c-format
-#| msgid ""
-#| "\n"
-#| "Default compiled-in device cipher parameters:\n"
-#| "\tloop-AES: %s, Key %d bits\n"
-#| "\tplain: %s, Key: %d bits, Password hashing: %s\n"
-#| "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+#: src/cryptsetup.c:3676
+#, c-format
 msgid ""
 "\n"
 "Default compiled-in device cipher parameters:\n"
@@ -3224,222 +3025,211 @@ msgid ""
 "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
 msgstr ""
 "\n"
-"默认集成的设备密文参数：\n"
+"编译时集成的设备加密方法参数：\n"
 "\tloop-AES：%s, %d 位密钥\n"
 "\tplain：%s, 密钥：%d 位, 密码哈希：%s\n"
 "\tLUKS1：%s, 密钥：%d bits, LUKS 数据头哈希：%s, RNG：%s\n"
 
-#: src/cryptsetup.c:3593
+#: src/cryptsetup.c:3685
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3611 src/veritysetup.c:651 src/integritysetup.c:723
+#: src/cryptsetup.c:3703 src/veritysetup.c:638 src/integritysetup.c:710
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: 需要 %s 作为参数"
 
-#: src/cryptsetup.c:3651 src/utils_reencrypt_luks1.c:1198
+#: src/cryptsetup.c:3743 src/utils_reencrypt_luks1.c:1145
 msgid "Key slot is invalid."
 msgstr "密钥槽无效。"
 
-#: src/cryptsetup.c:3678
-#, fuzzy
-#| msgid "Reduce size must be multiple of 512 bytes sector."
+#: src/cryptsetup.c:3771
 msgid "Device size must be multiple of 512 bytes sector."
-msgstr "缩减大小必须为 512 字节扇区的倍数。"
+msgstr "设备大小必须为 512 字节扇区的倍数。"
 
-#: src/cryptsetup.c:3683
+#: src/cryptsetup.c:3776
 #, fuzzy
 #| msgid "Invalid device size specification."
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "无效的设备大小指标。"
 
-#: src/cryptsetup.c:3697 src/cryptsetup.c:3709
+#: src/cryptsetup.c:3790 src/cryptsetup.c:3802
 msgid "Key size must be a multiple of 8 bits"
 msgstr "密钥尺寸必须是 8 的倍数"
 
-#: src/cryptsetup.c:3714
-#, fuzzy
-#| msgid "Maximum device reduce size is 64 MiB."
+#: src/cryptsetup.c:3809
+#, c-format
+msgid "At most %d volume key specifications can be supplied."
+msgstr ""
+
+#: src/cryptsetup.c:3821
+#, c-format
+msgid "At most %d keyring link specifications can be supplied."
+msgstr ""
+
+#: src/cryptsetup.c:3830
 msgid "Maximum device reduce size is 1 GiB."
-msgstr "最大设备缩减大小为 64 MiB。"
+msgstr "最大设备缩减大小为 1 GiB。"
 
-#: src/cryptsetup.c:3717
+#: src/cryptsetup.c:3833
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "缩减大小必须为 512 字节扇区的倍数。"
 
-#: src/cryptsetup.c:3734
+#: src/cryptsetup.c:3850
 msgid "Option --priority can be only ignore/normal/prefer."
 msgstr ""
 
-#: src/cryptsetup.c:3753 src/veritysetup.c:572 src/integritysetup.c:643
+#: src/cryptsetup.c:3869 src/veritysetup.c:559 src/integritysetup.c:630
 msgid "Show this help message"
 msgstr "显示此帮助"
 
-#: src/cryptsetup.c:3754 src/veritysetup.c:573 src/integritysetup.c:644
+#: src/cryptsetup.c:3870 src/veritysetup.c:560 src/integritysetup.c:631
 msgid "Display brief usage"
 msgstr "显示简短用法"
 
-#: src/cryptsetup.c:3755 src/veritysetup.c:574 src/integritysetup.c:645
+#: src/cryptsetup.c:3871 src/veritysetup.c:561 src/integritysetup.c:632
 msgid "Print package version"
 msgstr "打印软件包版本"
 
-#: src/cryptsetup.c:3766 src/veritysetup.c:585 src/integritysetup.c:656
+#: src/cryptsetup.c:3882 src/veritysetup.c:572 src/integritysetup.c:643
 msgid "Help options:"
 msgstr "帮助选项："
 
-#: src/cryptsetup.c:3789 src/veritysetup.c:606 src/integritysetup.c:676
+#: src/cryptsetup.c:3905 src/veritysetup.c:593 src/integritysetup.c:663
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[选项…] <动作> <动作特定参数>"
 
-#: src/cryptsetup.c:3798 src/veritysetup.c:615 src/integritysetup.c:687
+#: src/cryptsetup.c:3914 src/veritysetup.c:602 src/integritysetup.c:674
 msgid "Argument <action> missing."
 msgstr "缺失参数 <动作>。"
 
-#: src/cryptsetup.c:3877 src/veritysetup.c:646 src/integritysetup.c:718
+#: src/cryptsetup.c:3993 src/veritysetup.c:633 src/integritysetup.c:705
 msgid "Unknown action."
 msgstr "未知动作。"
 
-#: src/cryptsetup.c:3895
+#: src/cryptsetup.c:4011
 #, fuzzy
-#| msgid "Option --key-file takes precedence over specified key file argument.\n"
 msgid "Option --key-file takes precedence over specified key file argument."
-msgstr "选项 --key-file 优先使用指定的密钥文件参数。\n"
+msgstr "选项 --key-file 优先使用指定的密钥文件参数。"
 
-#: src/cryptsetup.c:3901
+#: src/cryptsetup.c:4017
 msgid "Only one --key-file argument is allowed."
 msgstr "只允许存在一个 --key-file 选项。"
 
-#: src/cryptsetup.c:3906
+#: src/cryptsetup.c:4022
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id."
 msgstr ""
 
-#: src/cryptsetup.c:3911
+#: src/cryptsetup.c:4027
 msgid "PBKDF forced iterations cannot be combined with iteration time option."
 msgstr ""
 
-#: src/cryptsetup.c:3916
+#: src/cryptsetup.c:4032
 msgid "Cannot link volume key to a keyring when keyring is disabled."
 msgstr ""
 
-#: src/cryptsetup.c:3927
+#: src/cryptsetup.c:4043
 msgid "Options --keyslot-cipher and --keyslot-key-size must be used together."
 msgstr ""
 
-#: src/cryptsetup.c:3935
+#: src/cryptsetup.c:4051
 msgid "No action taken. Invoked with --test-args option.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3948
+#: src/cryptsetup.c:4064
 msgid "Cannot disable metadata locking."
 msgstr "无法禁用元数据锁定。"
 
-#: src/veritysetup.c:54
+#: src/veritysetup.c:41
 msgid "Invalid salt string specified."
 msgstr "指定了无效的盐字串。"
 
-#: src/veritysetup.c:87
-#, fuzzy, c-format
-#| msgid "Cannot create hash image %s for writing.\n"
+#: src/veritysetup.c:74
+#, c-format
 msgid "Cannot create hash image %s for writing."
-msgstr "无法为创建哈希映像 %s 以供写入。\n"
+msgstr "无法创建哈希映像 %s 以供写入。"
 
-#: src/veritysetup.c:97
-#, fuzzy, c-format
-#| msgid "Cannot create hash image %s for writing.\n"
+#: src/veritysetup.c:84
+#, c-format
 msgid "Cannot create FEC image %s for writing."
-msgstr "无法为创建哈希映像 %s 以供写入。\n"
+msgstr "无法创建 FEC 映像 %s 以供写入。"
 
-#: src/veritysetup.c:136
-#, fuzzy, c-format
-#| msgid "Cannot create hash image %s for writing.\n"
+#: src/veritysetup.c:123
+#, c-format
 msgid "Cannot create root hash file %s for writing."
-msgstr "无法为创建哈希映像 %s 以供写入。\n"
+msgstr "无法为创建根哈希文件 %s 以供写入。"
 
-#: src/veritysetup.c:143
-#, fuzzy, c-format
-#| msgid "Cannot write to keyfile %s."
+#: src/veritysetup.c:130
+#, c-format
 msgid "Cannot write to root hash file %s."
-msgstr "无法写入密钥文件 %s。"
+msgstr "无法写入根哈希文件 %s。"
 
-#: src/veritysetup.c:198 src/veritysetup.c:476
+#: src/veritysetup.c:185 src/veritysetup.c:463
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "%s 不是有效的 VERITY 设备。"
 
-#: src/veritysetup.c:215 src/veritysetup.c:232
-#, fuzzy, c-format
-#| msgid "Cannot create header file %s."
+#: src/veritysetup.c:202 src/veritysetup.c:219
+#, c-format
 msgid "Cannot read root hash file %s."
-msgstr "无法创建标头文件 %s。"
+msgstr "无法读取根哈希文件 %s。"
 
-#: src/veritysetup.c:220
-#, fuzzy, c-format
-#| msgid "Invalid root hash string specified.\n"
+#: src/veritysetup.c:207
+#, c-format
 msgid "Invalid root hash file %s."
-msgstr "指定了无效的根哈希值字串。\n"
+msgstr "无效的根哈希值文件 %s。"
 
-#: src/veritysetup.c:241
-#, fuzzy
-#| msgid "Invalid root hash string specified.\n"
+#: src/veritysetup.c:228
 msgid "Invalid root hash string specified."
-msgstr "指定了无效的根哈希值字串。\n"
+msgstr "指定了无效的根哈希值字串。"
 
-#: src/veritysetup.c:249
-#, fuzzy, c-format
-#| msgid "Invalid device %s."
+#: src/veritysetup.c:236
+#, c-format
 msgid "Invalid signature file %s."
-msgstr "设备 %s 无效。"
+msgstr "签名文件 %s 无效。"
 
-#: src/veritysetup.c:256
-#, fuzzy, c-format
-#| msgid "Cannot read keyfile %s.\n"
+#: src/veritysetup.c:243
+#, c-format
 msgid "Cannot read signature file %s."
-msgstr ""
-"无法读取密钥文件 %s。\n"
-"\n"
+msgstr "无法读取签名文件 %s。"
 
-#: src/veritysetup.c:279 src/veritysetup.c:293
+#: src/veritysetup.c:266 src/veritysetup.c:280
 msgid "Command requires <root_hash> or --root-hash-file option as argument."
 msgstr ""
 
-#: src/veritysetup.c:489
+#: src/veritysetup.c:476
 msgid "<data_device> <hash_device>"
 msgstr "<数据设备> <哈希设备>"
 
-#: src/veritysetup.c:489 src/integritysetup.c:543
+#: src/veritysetup.c:476 src/integritysetup.c:530
 msgid "format device"
 msgstr "格式化设备"
 
-#: src/veritysetup.c:490
-#, fuzzy
-#| msgid "<data_device> <hash_device> <root_hash>"
+#: src/veritysetup.c:477
 msgid "<data_device> <hash_device> [<root_hash>]"
-msgstr "<数据设备> <哈希设备> <根哈希值>"
+msgstr "<数据设备> <哈希设备> [<根哈希值>]"
 
-#: src/veritysetup.c:490
+#: src/veritysetup.c:477
 msgid "verify device"
 msgstr "验证设备"
 
-#: src/veritysetup.c:491
-#, fuzzy
-#| msgid "<data_device> <hash_device> <root_hash>"
+#: src/veritysetup.c:478
 msgid "<data_device> <name> <hash_device> [<root_hash>]"
-msgstr "<数据设备> <哈希设备> <根哈希值>"
+msgstr "<数据设备> <名称> <哈希设备> [<根哈希值>]"
 
-#: src/veritysetup.c:493 src/integritysetup.c:546
+#: src/veritysetup.c:480 src/integritysetup.c:533
 msgid "show active device status"
 msgstr "显示已激活的设备信息"
 
-#: src/veritysetup.c:494
+#: src/veritysetup.c:481
 msgid "<hash_device>"
 msgstr "<哈希设备>"
 
-#: src/veritysetup.c:494 src/integritysetup.c:547
+#: src/veritysetup.c:481 src/integritysetup.c:534
 msgid "show on-disk information"
 msgstr "显示磁盘上的信息"
 
-#: src/veritysetup.c:513
+#: src/veritysetup.c:500
 #, c-format
 msgid ""
 "\n"
@@ -3454,7 +3244,7 @@ msgstr ""
 "<哈希设备> 是含有验证信息的设备\n"
 "<根哈希值> 是 <哈希设备> 根节点的哈希值\n"
 
-#: src/veritysetup.c:520
+#: src/veritysetup.c:507
 #, c-format
 msgid ""
 "\n"
@@ -3465,51 +3255,51 @@ msgstr ""
 "编译时决定的默认 dm-verify 参数：\n"
 "\t哈希: %s, 数据块 (字节): %u, 哈希块 (字节): %u, 盐大小: %u, 哈希格式: %u\n"
 
-#: src/veritysetup.c:661
+#: src/veritysetup.c:648
 #, fuzzy
 #| msgid "Option --allow-discards is allowed only for open operation.\n"
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together."
 msgstr "选项 --allow-discards 只适用于打开操作。\n"
 
-#: src/veritysetup.c:666
+#: src/veritysetup.c:653
 #, fuzzy
 #| msgid "Option --allow-discards is allowed only for open operation.\n"
 msgid "Option --panic-on-corruption and --restart-on-corruption cannot be used together."
 msgstr "选项 --allow-discards 只适用于打开操作。\n"
 
-#: src/integritysetup.c:177
+#: src/integritysetup.c:164
 #, c-format
 msgid ""
 "This will overwrite data on %s and %s irrevocably.\n"
 "To preserve data device use --no-wipe option (and then activate with --integrity-recalculate)."
 msgstr ""
 
-#: src/integritysetup.c:217
+#: src/integritysetup.c:204
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr ""
 
-#: src/integritysetup.c:298
+#: src/integritysetup.c:285
 msgid "Setting recalculate flag is not supported, you may consider using --wipe instead."
 msgstr ""
 
-#: src/integritysetup.c:373 src/integritysetup.c:530
+#: src/integritysetup.c:360 src/integritysetup.c:517
 #, fuzzy, c-format
 #| msgid "Device %s is not a valid VERITY device."
 msgid "Device %s is not a valid INTEGRITY device."
 msgstr "%s 不是有效的 VERITY 设备。"
 
-#: src/integritysetup.c:543 src/integritysetup.c:547
+#: src/integritysetup.c:530 src/integritysetup.c:534
 #, fuzzy
 #| msgid "verify device"
 msgid "<integrity_device>"
 msgstr "验证设备"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:531
 msgid "<integrity_device> <name>"
 msgstr ""
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:554
 #, fuzzy, c-format
 #| msgid ""
 #| "\n"
@@ -3528,7 +3318,7 @@ msgstr ""
 "<哈希设备> 是含有验证信息的设备\n"
 "<根哈希值> 是 <哈希设备> 根节点的哈希值\n"
 
-#: src/integritysetup.c:572
+#: src/integritysetup.c:559
 #, fuzzy, c-format
 #| msgid ""
 #| "\n"
@@ -3544,44 +3334,44 @@ msgstr ""
 "编译时决定的默认 dm-verify 参数：\n"
 "\t哈希: %s, 数据块 (字节): %u, 哈希块 (字节): %u, 盐大小: %u, 哈希格式: %u\n"
 
-#: src/integritysetup.c:629
+#: src/integritysetup.c:616
 #, c-format
 msgid "Invalid --%s size. Maximum is %u bytes."
 msgstr ""
 
-#: src/integritysetup.c:732
+#: src/integritysetup.c:719
 msgid "Both key file and key size options must be specified."
 msgstr "密钥文件和密钥大小选项均必须指定。"
 
-#: src/integritysetup.c:736
+#: src/integritysetup.c:723
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:739
+#: src/integritysetup.c:726
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "如果使用了日志加密密钥，则必须指定日志完整性校验算法。"
 
-#: src/integritysetup.c:743
+#: src/integritysetup.c:730
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "日志加密密钥文件和密钥大小选项均必须指定。"
 
-#: src/integritysetup.c:746
+#: src/integritysetup.c:733
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "如果使用了日志加密密钥，则必须指定日志加密算法。"
 
-#: src/integritysetup.c:750
+#: src/integritysetup.c:737
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr ""
 
-#: src/integritysetup.c:757
+#: src/integritysetup.c:744
 msgid "Journal options cannot be used in bitmap mode."
 msgstr ""
 
-#: src/integritysetup.c:762
+#: src/integritysetup.c:749
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr ""
 
-#: src/utils_tools.c:118
+#: src/utils_tools.c:105
 msgid ""
 "\n"
 "WARNING!\n"
@@ -3592,7 +3382,7 @@ msgstr ""
 "========\n"
 
 #. TRANSLATORS: User must type "YES" (in capital letters), do not translate this word.
-#: src/utils_tools.c:120
+#: src/utils_tools.c:107
 #, c-format
 msgid ""
 "%s\n"
@@ -3600,162 +3390,152 @@ msgid ""
 "Are you sure? (Type 'yes' in capital letters): "
 msgstr ""
 
-#: src/utils_tools.c:126
+#: src/utils_tools.c:113
 msgid "Error reading response from terminal."
 msgstr "从终端读取响应时失败。"
 
-#: src/utils_tools.c:158
+#: src/utils_tools.c:145
 msgid "Command successful."
 msgstr "命令成功。"
 
-#: src/utils_tools.c:166
+#: src/utils_tools.c:153
 msgid "wrong or missing parameters"
 msgstr "错误或缺失的参数"
 
-#: src/utils_tools.c:168
+#: src/utils_tools.c:155
 msgid "no permission or bad passphrase"
 msgstr "无权限或口令错误"
 
-#: src/utils_tools.c:170
+#: src/utils_tools.c:157
 msgid "out of memory"
 msgstr "内存耗尽"
 
-#: src/utils_tools.c:172
+#: src/utils_tools.c:159
 msgid "wrong device or file specified"
 msgstr "指定了错误的设备或文件"
 
-#: src/utils_tools.c:174
+#: src/utils_tools.c:161
 msgid "device already exists or device is busy"
 msgstr "设备已存在或设备正忙"
 
-#: src/utils_tools.c:176
+#: src/utils_tools.c:163
 msgid "unknown error"
 msgstr "未知错误"
 
-#: src/utils_tools.c:178
+#: src/utils_tools.c:165
 #, c-format
 msgid "Command failed with code %i (%s)."
 msgstr "命令失败，代码 %i（%s）。"
 
-#: src/utils_tools.c:256
-#, fuzzy, c-format
-#| msgid "Key slot %d changed."
+#: src/utils_tools.c:243
+#, c-format
 msgid "Key slot %i created."
-msgstr "密钥槽 %d 已改变。"
+msgstr "密钥槽 %i 已创建。"
 
-#: src/utils_tools.c:258
-#, fuzzy, c-format
-#| msgid "Key slot %d unlocked."
+#: src/utils_tools.c:245
+#, c-format
 msgid "Key slot %i unlocked."
-msgstr "密钥槽 %d 已解锁。"
+msgstr "密钥槽 %i 已解锁。"
 
-#: src/utils_tools.c:260
-#, fuzzy, c-format
-#| msgid "Key slot %d unlocked."
+#: src/utils_tools.c:247
+#, c-format
 msgid "Key slot %i removed."
-msgstr "密钥槽 %d 已解锁。"
+msgstr "密钥槽 %i 已移除。"
 
-#: src/utils_tools.c:269
-#, fuzzy, c-format
-#| msgid "Key slot %d is not used.\n"
+#: src/utils_tools.c:256
+#, c-format
 msgid "Token %i created."
-msgstr "密钥槽 %d 未使用。\n"
+msgstr "令牌 %i 已创建。"
 
-#: src/utils_tools.c:271
-#, fuzzy, c-format
-#| msgid "Key slot %d is not used.\n"
+#: src/utils_tools.c:258
+#, c-format
 msgid "Token %i removed."
-msgstr "密钥槽 %d 未使用。\n"
+msgstr "令牌 %i 已移除。"
 
-#: src/utils_tools.c:281
+#: src/utils_tools.c:268
 msgid "No token could be unlocked with this PIN."
 msgstr ""
 
-#: src/utils_tools.c:283
-#, fuzzy, c-format
-#| msgid "Key slot %d is not used.\n"
+#: src/utils_tools.c:270
+#, c-format
 msgid "Token %i requires PIN."
-msgstr "密钥槽 %d 未使用。\n"
+msgstr "令牌 %i 需要 PIN。"
 
-#: src/utils_tools.c:285
+#: src/utils_tools.c:272
 #, c-format
 msgid "Token (type %s) requires PIN."
 msgstr ""
 
-#: src/utils_tools.c:288
+#: src/utils_tools.c:275
 #, c-format
 msgid "Token %i cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr ""
 
-#: src/utils_tools.c:290
+#: src/utils_tools.c:277
 #, c-format
 msgid "Token (type %s) cannot unlock assigned keyslot(s) (wrong keyslot passphrase)."
 msgstr ""
 
-#: src/utils_tools.c:293
+#: src/utils_tools.c:280
 #, c-format
 msgid "Token %i requires additional missing resource."
 msgstr ""
 
-#: src/utils_tools.c:295
+#: src/utils_tools.c:282
 #, c-format
 msgid "Token (type %s) requires additional missing resource."
 msgstr ""
 
-#: src/utils_tools.c:298
+#: src/utils_tools.c:285
 #, c-format
 msgid "No usable token (type %s) is available."
 msgstr ""
 
-#: src/utils_tools.c:300
+#: src/utils_tools.c:287
 msgid "No usable token is available."
 msgstr ""
 
-#: src/utils_tools.c:393
-#, fuzzy, c-format
-#| msgid "Cannot read keyfile %s.\n"
+#: src/utils_tools.c:380
+#, c-format
 msgid "Cannot read keyfile %s."
-msgstr ""
-"无法读取密钥文件 %s。\n"
-"\n"
+msgstr "无法读取密钥文件 %s。"
 
-#: src/utils_tools.c:398
-#, fuzzy, c-format
-#| msgid "Cannot read %d bytes from keyfile %s.\n"
+#: src/utils_tools.c:385
+#, c-format
 msgid "Cannot read %d bytes from keyfile %s."
-msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。\n"
+msgstr "无法从密钥文件 %2$s 读取 %1$d 字节。"
 
-#: src/utils_tools.c:423
+#: src/utils_tools.c:410
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "无法打开密钥文件 %s 以供写入。"
 
-#: src/utils_tools.c:430
+#: src/utils_tools.c:417
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "无法写入密钥文件 %s。"
 
-#: src/utils_progress.c:74
+#: src/utils_progress.c:61
 #, c-format
 msgid "%02<PRIu64>m%02<PRIu64>s"
 msgstr ""
 
-#: src/utils_progress.c:76
+#: src/utils_progress.c:63
 #, c-format
 msgid "%02<PRIu64>h%02<PRIu64>m%02<PRIu64>s"
 msgstr ""
 
-#: src/utils_progress.c:78
+#: src/utils_progress.c:65
 #, c-format
 msgid "%02<PRIu64> days"
 msgstr ""
 
-#: src/utils_progress.c:105 src/utils_progress.c:138
+#: src/utils_progress.c:92 src/utils_progress.c:125
 #, c-format
 msgid "%4<PRIu64> %s written"
 msgstr ""
 
-#: src/utils_progress.c:109 src/utils_progress.c:142
+#: src/utils_progress.c:96 src/utils_progress.c:129
 #, c-format
 msgid "speed %5.1f %s/s"
 msgstr ""
@@ -3764,7 +3544,7 @@ msgstr ""
 #. to get translated as well. 'eol' is always new-line or empty.
 #. See above.
 #.
-#: src/utils_progress.c:118
+#: src/utils_progress.c:105
 #, c-format
 msgid "Progress: %5.1f%%, ETA %s, %s, %s%s"
 msgstr ""
@@ -3772,17 +3552,17 @@ msgstr ""
 #. TRANSLATORS: 'time', 'written' and 'speed' string are supposed
 #. to get translated as well. See above
 #.
-#: src/utils_progress.c:150
+#: src/utils_progress.c:137
 #, c-format
 msgid "Finished, time %s, %s, %s\n"
 msgstr ""
 
-#: src/utils_password.c:41 src/utils_password.c:72
+#: src/utils_password.c:28 src/utils_password.c:59
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr "无法检查密码质量：%s"
 
-#: src/utils_password.c:49
+#: src/utils_password.c:36
 #, c-format
 msgid ""
 "Password quality check failed:\n"
@@ -3791,65 +3571,63 @@ msgstr ""
 "密码质量检查失败：\n"
 " %s"
 
-#: src/utils_password.c:79
+#: src/utils_password.c:66
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr "密码质量检查失败：无效密码 (%s)"
 
-#: src/utils_password.c:231 src/utils_password.c:245
+#: src/utils_password.c:221 src/utils_password.c:235
 msgid "Error reading passphrase from terminal."
 msgstr "从终端读取口令时出错。"
 
-#: src/utils_password.c:243
+#: src/utils_password.c:233
 msgid "Verify passphrase: "
 msgstr "确认密码："
 
-#: src/utils_password.c:250
+#: src/utils_password.c:240
 msgid "Passphrases do not match."
 msgstr "口令不匹配。"
 
-#: src/utils_password.c:288
+#: src/utils_password.c:278
 msgid "Cannot use offset with terminal input."
 msgstr "不能将偏移量用于终端输入。"
 
-#: src/utils_password.c:292
+#: src/utils_password.c:282
 #, c-format
 msgid "Enter passphrase: "
 msgstr "输入口令："
 
-#: src/utils_password.c:295
+#: src/utils_password.c:285
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "输入 %s 的口令："
 
-#: src/utils_password.c:329
+#: src/utils_password.c:319
 msgid "No key available with this passphrase."
 msgstr "此口令无可用的密钥。"
 
-#: src/utils_password.c:331
+#: src/utils_password.c:321
 msgid "No usable keyslot is available."
 msgstr ""
 
-#: src/utils_luks.c:68
-#, fuzzy
-#| msgid "Can't do passphrase verification on non-tty inputs.\n"
+#: src/utils_luks.c:55
 msgid "Can't do passphrase verification on non-tty inputs."
-msgstr "无法从非 TTY 输入验证密码。\n"
+msgstr "无法从非 TTY 输入验证密码。"
 
-#: src/utils_luks.c:183
+#: src/utils_luks.c:173
 #, c-format
 msgid "Failed to open file %s in read-only mode."
 msgstr "以只读模式打开文件 %s 失败。"
 
-#: src/utils_luks.c:196
+#: src/utils_luks.c:186
 msgid "Provide valid LUKS2 token JSON:\n"
 msgstr ""
 
-#: src/utils_luks.c:203
+#: src/utils_luks.c:193
 msgid "Failed to read JSON file."
 msgstr "读取 JSON 文件失败。"
 
-#: src/utils_luks.c:208
+#: src/utils_luks.c:198
 msgid ""
 "\n"
 "Read interrupted."
@@ -3857,13 +3635,12 @@ msgstr ""
 "\n"
 "读取被打断。"
 
-#: src/utils_luks.c:249
-#, fuzzy, c-format
-#| msgid "Cannot open keyfile %s for write."
+#: src/utils_luks.c:239
+#, c-format
 msgid "Failed to open file %s in write mode."
-msgstr "无法打开密钥文件 %s 以供写入。"
+msgstr "未能打开文件 %s 以供写入。"
 
-#: src/utils_luks.c:258
+#: src/utils_luks.c:248
 msgid ""
 "\n"
 "Write interrupted."
@@ -3871,27 +3648,27 @@ msgstr ""
 "\n"
 "写入被打断。"
 
-#: src/utils_luks.c:262
+#: src/utils_luks.c:252
 msgid "Failed to write JSON file."
 msgstr "写入 JSON 文件失败。"
 
-#: src/utils_reencrypt.c:120
+#: src/utils_reencrypt.c:107
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:124
+#: src/utils_reencrypt.c:111
 #, fuzzy, c-format
 #| msgid "Failed to acquire write lock on device %s."
 msgid "Failed to auto-detect device %s holders."
-msgstr "无法获取设备 %s 上的写入锁。"
+msgstr "未能获取设备 %s 上的写入锁。"
 
-#: src/utils_reencrypt.c:130
+#: src/utils_reencrypt.c:117
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "设备 %s 不是块设备。\n"
 
-#: src/utils_reencrypt.c:132
+#: src/utils_reencrypt.c:119
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -3900,173 +3677,173 @@ msgid ""
 "To run reencryption in online mode, use --active-name parameter instead.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:141 src/utils_reencrypt.c:274
+#: src/utils_reencrypt.c:128 src/utils_reencrypt.c:261
 #, c-format
 msgid ""
 "Device %s is not a block device. Can not auto-detect if it is active or not.\n"
 "Use --force-offline-reencrypt to bypass the check and run in offline mode (dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:178 src/utils_reencrypt.c:221
-#: src/utils_reencrypt.c:231
+#: src/utils_reencrypt.c:165 src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:218
 msgid "Requested --resilience option cannot be applied to current reencryption operation."
 msgstr ""
 
-#: src/utils_reencrypt.c:203
+#: src/utils_reencrypt.c:190
 msgid "Device is not in LUKS2 encryption. Conflicting option --encrypt."
 msgstr ""
 
-#: src/utils_reencrypt.c:208
+#: src/utils_reencrypt.c:195
 msgid "Device is not in LUKS2 decryption. Conflicting option --decrypt."
 msgstr ""
 
-#: src/utils_reencrypt.c:215
+#: src/utils_reencrypt.c:202
 msgid "Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."
 msgstr ""
 
-#: src/utils_reencrypt.c:293
+#: src/utils_reencrypt.c:280
 msgid "Device requires reencryption recovery. Run repair first."
 msgstr ""
 
-#: src/utils_reencrypt.c:307
+#: src/utils_reencrypt.c:294
 #, c-format
 msgid "Device %s is already in LUKS2 reencryption. Do you wish to resume previously initialised operation?"
 msgstr ""
 
-#: src/utils_reencrypt.c:416
+#: src/utils_reencrypt.c:403
 msgid "Legacy LUKS2 reencryption is no longer supported."
 msgstr ""
 
-#: src/utils_reencrypt.c:421
+#: src/utils_reencrypt.c:408
 msgid "Can not reencrypt LUKS2 device configured to use OPAL."
 msgstr ""
 
-#: src/utils_reencrypt.c:427
+#: src/utils_reencrypt.c:414
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "不支持带有完整性 profile 信息的设备的重加密。"
 
-#: src/utils_reencrypt.c:464
+#: src/utils_reencrypt.c:451
 #, c-format
 msgid ""
 "Requested --sector-size %<PRIu32> is incompatible with %s superblock\n"
 "(block size: %<PRIu32> bytes) detected on device %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:533 src/utils_reencrypt.c:1412
+#: src/utils_reencrypt.c:520 src/utils_reencrypt.c:1408
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr ""
 
-#: src/utils_reencrypt.c:540
+#: src/utils_reencrypt.c:527
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr ""
 
-#: src/utils_reencrypt.c:550
+#: src/utils_reencrypt.c:537
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:580
+#: src/utils_reencrypt.c:567
 #, fuzzy, c-format
 #| msgid "Requested header backup file %s already exists."
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "请求的标头备份文件 %s 已存在。"
 
-#: src/utils_reencrypt.c:582 src/utils_reencrypt.c:589
+#: src/utils_reencrypt.c:569 src/utils_reencrypt.c:576
 #, fuzzy, c-format
 #| msgid "Cannot create header file %s."
 msgid "Cannot create temporary header file %s."
 msgstr "无法创建标头文件 %s。"
 
-#: src/utils_reencrypt.c:614
+#: src/utils_reencrypt.c:601
 msgid "LUKS2 metadata size is larger than data shift value."
 msgstr ""
 
-#: src/utils_reencrypt.c:651
+#: src/utils_reencrypt.c:638
 #, fuzzy, c-format
 #| msgid "Failed to acquire read lock on device %s."
 msgid "Failed to place new header at head of device %s."
-msgstr "无法获取设备 %s 的读取锁。"
+msgstr "未能获取设备 %s 的读取锁。"
 
-#: src/utils_reencrypt.c:661
+#: src/utils_reencrypt.c:648
 #, c-format
 msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr ""
 
-#: src/utils_reencrypt.c:697
+#: src/utils_reencrypt.c:684
 #, fuzzy, c-format
 #| msgid "Device %s is not active."
 msgid "Active device %s is not LUKS2."
 msgstr "设备 %s 未激活。"
 
-#: src/utils_reencrypt.c:725
+#: src/utils_reencrypt.c:712
 msgid "Restoring original LUKS2 header."
 msgstr ""
 
-#: src/utils_reencrypt.c:733
+#: src/utils_reencrypt.c:720
 #, fuzzy
 #| msgid "Writing LUKS header to disk."
 msgid "Original LUKS2 header restore failed."
 msgstr "正在将 LUKS 标头写入磁盘。"
 
-#: src/utils_reencrypt.c:759
+#: src/utils_reencrypt.c:752
 #, c-format
 msgid "Header file %s does not exist. Do you want to initialize LUKS2 decryption of device %s and export LUKS2 header to file %s?"
 msgstr ""
 
-#: src/utils_reencrypt.c:807
+#: src/utils_reencrypt.c:802
 #, fuzzy
 #| msgid "Failed to write activation flags to new header."
 msgid "Failed to add read/write permissions to exported header file."
 msgstr "向新表头写入活动旗标失败。"
 
-#: src/utils_reencrypt.c:860
+#: src/utils_reencrypt.c:856
 #, c-format
 msgid "Reencryption initialization failed. Header backup is available in %s."
 msgstr ""
 
-#: src/utils_reencrypt.c:888
+#: src/utils_reencrypt.c:884
 msgid "LUKS2 decryption is supported with detached header device only (with data offset set to 0)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1023 src/utils_reencrypt.c:1032
+#: src/utils_reencrypt.c:1019 src/utils_reencrypt.c:1028
 #, fuzzy
 #| msgid "Do not change key, no data area reencryption"
 msgid "Not enough free keyslots for reencryption."
 msgstr "不要更改密钥，无数据区重加密"
 
-#: src/utils_reencrypt.c:1053 src/utils_reencrypt_luks1.c:1100
+#: src/utils_reencrypt.c:1049 src/utils_reencrypt_luks1.c:1047
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "密钥文件只能在指定 --key-slot 时或有且只有一个槽启用时使用。"
 
-#: src/utils_reencrypt.c:1062 src/utils_reencrypt_luks1.c:1147
-#: src/utils_reencrypt_luks1.c:1158
+#: src/utils_reencrypt.c:1058 src/utils_reencrypt_luks1.c:1094
+#: src/utils_reencrypt_luks1.c:1105
 #, fuzzy, c-format
 #| msgid "Enter passphrase for key slot %u: "
 msgid "Enter passphrase for key slot %d: "
 msgstr "输入密钥槽 %u 的口令: "
 
-#: src/utils_reencrypt.c:1074
+#: src/utils_reencrypt.c:1070
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "输入密钥槽 %u 的口令: "
 
-#: src/utils_reencrypt.c:1126
+#: src/utils_reencrypt.c:1122
 #, c-format
 msgid "Switching data encryption cipher to %s.\n"
-msgstr ""
+msgstr "将数据加密方法切换为 %s。\n"
 
-#: src/utils_reencrypt.c:1180
+#: src/utils_reencrypt.c:1176
 msgid "No data segment parameters changed. Reencryption aborted."
 msgstr ""
 
-#: src/utils_reencrypt.c:1282
+#: src/utils_reencrypt.c:1278
 msgid ""
 "Encryption sector size increase on offline device is not supported.\n"
 "Activate the device first or use --force-offline-reencrypt option (dangerous!)."
 msgstr ""
 
-#: src/utils_reencrypt.c:1322 src/utils_reencrypt_luks1.c:726
-#: src/utils_reencrypt_luks1.c:798
+#: src/utils_reencrypt.c:1318 src/utils_reencrypt_luks1.c:690
+#: src/utils_reencrypt_luks1.c:761
 msgid ""
 "\n"
 "Reencryption interrupted."
@@ -4074,266 +3851,259 @@ msgstr ""
 "\n"
 "重加密被中断。"
 
-#: src/utils_reencrypt.c:1327
+#: src/utils_reencrypt.c:1323
 msgid "Resuming LUKS reencryption in forced offline mode.\n"
-msgstr ""
+msgstr "正在强制脱机模式下恢复 LUKS 重新加密。\n"
 
-#: src/utils_reencrypt.c:1350
+#: src/utils_reencrypt.c:1346
 #, c-format
 msgid "Device %s contains broken LUKS metadata. Aborting operation."
-msgstr ""
+msgstr "设备 %s 包含损坏的 LUKS 元数据。中止操作。"
 
-#: src/utils_reencrypt.c:1366 src/utils_reencrypt.c:1388
-#, fuzzy, c-format
-#| msgid "Device %s is not a valid LUKS device."
+#: src/utils_reencrypt.c:1362 src/utils_reencrypt.c:1384
+#, c-format
 msgid "Device %s is already LUKS device. Aborting operation."
-msgstr "%s 不是有效的 LUKS 设备。"
+msgstr "设备 %s 已经是 LUKS 设备。中止操作。"
 
-#: src/utils_reencrypt.c:1394
+#: src/utils_reencrypt.c:1390
 #, c-format
 msgid "Device %s is already in LUKS reencryption. Aborting operation."
-msgstr ""
+msgstr "设备 %s 已处于 LUKS 重新加密状态。中止操作。"
 
-#: src/utils_reencrypt.c:1476
+#: src/utils_reencrypt.c:1473
 msgid "LUKS2 decryption requires --header option."
-msgstr ""
+msgstr "LUKS2 解密需要 --header 选项。"
 
-#: src/utils_reencrypt.c:1524
-#, fuzzy
-#| msgid "Command requires device and mapped name as arguments.\n"
+#: src/utils_reencrypt.c:1521
 msgid "Command requires device as argument."
-msgstr "命令需要设备及映射名作为参数。\n"
+msgstr "命令需要设备及映射名作为参数。"
 
-#: src/utils_reencrypt.c:1537
+#: src/utils_reencrypt.c:1534
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS1."
-msgstr ""
+msgstr "版本冲突。设备 %s 为 LUKS1。"
 
-#: src/utils_reencrypt.c:1543
+#: src/utils_reencrypt.c:1540
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS1 reencryption."
-msgstr ""
+msgstr "版本冲突。设备 %s 处于 LUKS1 重新加密状态。"
 
-#: src/utils_reencrypt.c:1549
+#: src/utils_reencrypt.c:1546
 #, c-format
 msgid "Conflicting versions. Device %s is LUKS2."
-msgstr ""
+msgstr "版本冲突。设备 %s 是 LUKS2。"
 
-#: src/utils_reencrypt.c:1555
+#: src/utils_reencrypt.c:1552
 #, c-format
 msgid "Conflicting versions. Device %s is in LUKS2 reencryption."
-msgstr ""
+msgstr "版本冲突。设备 %s 处于 LUKS2 重新加密状态。"
 
-#: src/utils_reencrypt.c:1561
+#: src/utils_reencrypt.c:1558
 msgid "LUKS2 reencryption already initialized. Aborting operation."
-msgstr ""
+msgstr "LUKS2 重新加密过程已初始化。正在中止操作。"
 
-#: src/utils_reencrypt.c:1568
+#: src/utils_reencrypt.c:1565
 msgid "Device reencryption not in progress."
 msgstr "未在进行设备重加密。"
 
-#: src/utils_reencrypt_luks1.c:129 src/utils_blockdev.c:295
+#: src/utils_reencrypt_luks1.c:116 src/utils_blockdev.c:282
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "无法独占打开 %s，设备正在使用中。"
 
-#: src/utils_reencrypt_luks1.c:143 src/utils_reencrypt_luks1.c:945
+#: src/utils_reencrypt_luks1.c:130 src/utils_reencrypt_luks1.c:885
 msgid "Allocation of aligned memory failed."
 msgstr "分配对齐内存失败。"
 
-#: src/utils_reencrypt_luks1.c:150
+#: src/utils_reencrypt_luks1.c:137
 #, c-format
 msgid "Cannot read device %s."
 msgstr "无法读取设备 %s。"
 
-#: src/utils_reencrypt_luks1.c:161
+#: src/utils_reencrypt_luks1.c:148
 #, c-format
 msgid "Marking LUKS1 device %s unusable."
 msgstr "正在标记 LUKS1 设备 %s 为不可用状态。"
 
-#: src/utils_reencrypt_luks1.c:177
+#: src/utils_reencrypt_luks1.c:164
 #, c-format
 msgid "Cannot write device %s."
 msgstr "无法写入设备 %s。"
 
-#: src/utils_reencrypt_luks1.c:226
+#: src/utils_reencrypt_luks1.c:213
 msgid "Cannot write reencryption log file."
 msgstr "无法写入重加密日志文件。"
 
-#: src/utils_reencrypt_luks1.c:282
+#: src/utils_reencrypt_luks1.c:269
 msgid "Cannot read reencryption log file."
 msgstr "无法读取重加密日志文件。"
 
-#: src/utils_reencrypt_luks1.c:293
+#: src/utils_reencrypt_luks1.c:280
 msgid "Wrong log format."
 msgstr "错误的日志格式。"
 
-#: src/utils_reencrypt_luks1.c:320
+#: src/utils_reencrypt_luks1.c:307
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "日志文件 %s 存在，继续重加密。\n"
 
-#: src/utils_reencrypt_luks1.c:369
+#: src/utils_reencrypt_luks1.c:356
 msgid "Activating temporary device using old LUKS header."
 msgstr "正使用旧 LUKS 标头激活临时设备。"
 
-#: src/utils_reencrypt_luks1.c:379
+#: src/utils_reencrypt_luks1.c:366
 msgid "Activating temporary device using new LUKS header."
 msgstr "正使用新 LUKS 标头激活临时设备。"
 
-#: src/utils_reencrypt_luks1.c:389
+#: src/utils_reencrypt_luks1.c:376
 msgid "Activation of temporary devices failed."
 msgstr "激活临时设备失败。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/utils_reencrypt_luks1.c:449
-#, fuzzy
-#| msgid "Failed to stat key file."
+#: src/utils_reencrypt_luks1.c:436
 msgid "Failed to set data offset."
-msgstr "获取 (stat) 密钥文件信息失败。"
+msgstr "数据偏移设置失败。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/utils_reencrypt_luks1.c:455
-#, fuzzy
-#| msgid "Failed to stat key file."
+#: src/utils_reencrypt_luks1.c:442
 msgid "Failed to set metadata size."
-msgstr "获取 (stat) 密钥文件信息失败。"
+msgstr "元数据大小设置失败。"
 
-#: src/utils_reencrypt_luks1.c:463
+#: src/utils_reencrypt_luks1.c:450
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "已创建设备 %s 的新 LUKS 标头。"
 
-#: src/utils_reencrypt_luks1.c:500
+#: src/utils_reencrypt_luks1.c:487
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "已创建 %s 标头备份（对应设备 %s）。"
 
-#: src/utils_reencrypt_luks1.c:556
+#: src/utils_reencrypt_luks1.c:543
 msgid "Creation of LUKS backup headers failed."
 msgstr "LUKS 备份标头创建失败。"
 
-#: src/utils_reencrypt_luks1.c:685
+#: src/utils_reencrypt_luks1.c:672
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "无法恢复 %s 标头（在设备 %s 上）。"
 
-#: src/utils_reencrypt_luks1.c:687
+#: src/utils_reencrypt_luks1.c:674
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "已恢复 %s 标头（在设备 %s 上）。"
 
-#: src/utils_reencrypt_luks1.c:917 src/utils_reencrypt_luks1.c:923
+#: src/utils_reencrypt_luks1.c:857 src/utils_reencrypt_luks1.c:863
 msgid "Cannot open temporary LUKS device."
 msgstr "无法打开临时 LUKS 设备。"
 
-#: src/utils_reencrypt_luks1.c:928 src/utils_reencrypt_luks1.c:933
+#: src/utils_reencrypt_luks1.c:868 src/utils_reencrypt_luks1.c:873
 msgid "Cannot get device size."
 msgstr "无法获取设备大小。"
 
-#: src/utils_reencrypt_luks1.c:968
+#: src/utils_reencrypt_luks1.c:915
 msgid "IO error during reencryption."
 msgstr "重加密时发生 IO 错误。"
 
-#: src/utils_reencrypt_luks1.c:998
+#: src/utils_reencrypt_luks1.c:945
 msgid "Provided UUID is invalid."
 msgstr "提供的 UUID 无效。"
 
-#: src/utils_reencrypt_luks1.c:1224
+#: src/utils_reencrypt_luks1.c:1171
 msgid "Cannot open reencryption log file."
 msgstr "无法打开重加密日志文件。"
 
-#: src/utils_reencrypt_luks1.c:1230
+#: src/utils_reencrypt_luks1.c:1177
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "没有正在进行中的解密操作，提供的 UUID 仅能用于继续已挂起的解密操作。"
 
-#: src/utils_reencrypt_luks1.c:1286
+#: src/utils_reencrypt_luks1.c:1233
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "重加密会改变：%s%s%s%s%s%s。"
 
-#: src/utils_reencrypt_luks1.c:1287
+#: src/utils_reencrypt_luks1.c:1234
 msgid "volume key"
 msgstr "卷密钥"
 
-#: src/utils_reencrypt_luks1.c:1289
+#: src/utils_reencrypt_luks1.c:1236
 msgid "set hash to "
 msgstr "设置哈希值为 "
 
-#: src/utils_reencrypt_luks1.c:1290
+#: src/utils_reencrypt_luks1.c:1237
 msgid ", set cipher to "
-msgstr "，设定密文为 "
+msgstr "，设定加密方法为 "
 
-#: src/utils_blockdev.c:189
+#: src/utils_blockdev.c:176
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
-msgstr ""
+msgstr "警告：设备%s已包含“%s”分区签名。\n"
 
-#: src/utils_blockdev.c:197
+#: src/utils_blockdev.c:184
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
-msgstr ""
+msgstr "警告：设备%s已包含“%s”超级块签名。\n"
 
-#: src/utils_blockdev.c:219 src/utils_blockdev.c:302 src/utils_blockdev.c:354
+#: src/utils_blockdev.c:206 src/utils_blockdev.c:289 src/utils_blockdev.c:341
 #, fuzzy
 #| msgid "Failed to initialise default LUKS2 keyslot parameters."
 msgid "Failed to initialize device signature probes."
 msgstr "初始化默认 LUKS2 密钥槽参数失败。"
 
 # stat() 主要就是出来一个各种文件信息……
-#: src/utils_blockdev.c:282
+#: src/utils_blockdev.c:269
 #, fuzzy, c-format
 #| msgid "Failed to stat key file."
 msgid "Failed to stat device %s."
 msgstr "获取 (stat) 密钥文件信息失败。"
 
-#: src/utils_blockdev.c:297
+#: src/utils_blockdev.c:284
 #, fuzzy, c-format
 #| msgid "Cannot open keyfile %s for write."
 msgid "Failed to open file %s in read/write mode."
-msgstr "无法打开密钥文件 %s 以供写入。"
+msgstr "未能打开密钥文件 %s 以供写入。"
 
-#: src/utils_blockdev.c:317
+#: src/utils_blockdev.c:304
 #, c-format
 msgid "Existing '%s' partition signature on device %s will be wiped."
 msgstr ""
 
-#: src/utils_blockdev.c:320
+#: src/utils_blockdev.c:307
 #, c-format
 msgid "Existing '%s' superblock signature on device %s will be wiped."
 msgstr ""
 
-#: src/utils_blockdev.c:323
+#: src/utils_blockdev.c:310
 #, fuzzy
 #| msgid "Failed to acquire write device lock."
 msgid "Failed to wipe device signature."
-msgstr "无法获取写入设备锁。"
+msgstr "未能获取写入设备锁。"
 
-#: src/utils_blockdev.c:330
+#: src/utils_blockdev.c:317
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr ""
 
-#: src/utils_args.c:65
+#: src/utils_args.c:52
 #, fuzzy, c-format
 #| msgid "Invalid device size specification."
 msgid "Invalid size specification in parameter --%s."
 msgstr "无效的设备大小指标。"
 
-#: src/utils_args.c:125
+#: src/utils_args.c:112
 #, fuzzy, c-format
 #| msgid "Option --allow-discards is allowed only for open operation.\n"
 msgid "Option --%s is not allowed with %s action."
 msgstr "选项 --allow-discards 只适用于打开操作。\n"
 
 # stat() 主要就是出来一个各种文件信息……
-#: tokens/ssh/cryptsetup-ssh.c:123
+#: tokens/ssh/cryptsetup-ssh.c:110
 #, fuzzy
 #| msgid "Failed to stat key file.\n"
 msgid "Failed to write ssh token json."
 msgstr "获取 (stat) 密钥文件统计数据失败。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:141
+#: tokens/ssh/cryptsetup-ssh.c:128
 msgid ""
 "Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected to an SSH server\vThis plugin currently allows only adding a token to an existing key slot.\n"
 "\n"
@@ -4343,165 +4113,157 @@ msgid ""
 "Note: The information provided when adding the token (SSH server address, user and paths) will be stored in the LUKS2 header in plaintext."
 msgstr ""
 
-#: tokens/ssh/cryptsetup-ssh.c:151
-#, fuzzy
-#| msgid "<device>"
+#: tokens/ssh/cryptsetup-ssh.c:138
 msgid "<action> <device>"
-msgstr "<设备>"
+msgstr "<动作> <设备>"
 
-#: tokens/ssh/cryptsetup-ssh.c:154
+#: tokens/ssh/cryptsetup-ssh.c:141
 msgid "Options for the 'add' action:"
-msgstr ""
+msgstr "“add”操作的选项："
 
-#: tokens/ssh/cryptsetup-ssh.c:155
+#: tokens/ssh/cryptsetup-ssh.c:142
 msgid "IP address/URL of the remote server for this token"
-msgstr ""
+msgstr "此令牌的远程服务器的 IP 地址/URL"
 
-#: tokens/ssh/cryptsetup-ssh.c:156
+#: tokens/ssh/cryptsetup-ssh.c:143
 msgid "Username used for the remote server"
 msgstr "为远程服务器使用的用户名"
 
-#: tokens/ssh/cryptsetup-ssh.c:157
+#: tokens/ssh/cryptsetup-ssh.c:144
 msgid "Path to the key file on the remote server"
 msgstr "远程服务器上密钥文件的路径"
 
-#: tokens/ssh/cryptsetup-ssh.c:158
+#: tokens/ssh/cryptsetup-ssh.c:145
 msgid "Path to the SSH key for connecting to the remote server"
-msgstr ""
+msgstr "用于连接到远程服务器的 SSH 密钥的路径"
 
-#: tokens/ssh/cryptsetup-ssh.c:160
+#: tokens/ssh/cryptsetup-ssh.c:147
 msgid "Path to directory containinig libcryptsetup external tokens"
-msgstr ""
+msgstr "包含 libcryptsetup 外部令牌的目录路径"
 
-#: tokens/ssh/cryptsetup-ssh.c:161
+#: tokens/ssh/cryptsetup-ssh.c:148
 msgid "Keyslot to assign the token to. If not specified, token will be assigned to the first keyslot matching provided passphrase."
-msgstr ""
+msgstr "要把令牌分配给的密钥槽。如果未指定，则令牌将分配给与提供的密码匹配的第一个密钥槽。"
 
-#: tokens/ssh/cryptsetup-ssh.c:163
+#: tokens/ssh/cryptsetup-ssh.c:150
 msgid "Generic options:"
 msgstr "通用选项："
 
-#: tokens/ssh/cryptsetup-ssh.c:164
+#: tokens/ssh/cryptsetup-ssh.c:151
 msgid "Shows more detailed error messages"
 msgstr "显示更详细的错误信息"
 
-#: tokens/ssh/cryptsetup-ssh.c:165
+#: tokens/ssh/cryptsetup-ssh.c:152
 msgid "Show debug messages"
 msgstr "显示调试信息"
 
-#: tokens/ssh/cryptsetup-ssh.c:166
-#, fuzzy
-#| msgid "Show debug messages"
+#: tokens/ssh/cryptsetup-ssh.c:153
 msgid "Show debug messages including JSON metadata"
-msgstr "显示调试信息"
+msgstr "显示调试信息，包括JSON元数据"
 
-#: tokens/ssh/cryptsetup-ssh.c:281
-#, fuzzy
-#| msgid "Failed to open temporary keystore device."
+#: tokens/ssh/cryptsetup-ssh.c:268
 msgid "Failed to open and import private key:\n"
-msgstr "打开临时密钥存储设备失败。"
+msgstr "未能打开和导入私钥：\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:285
+#: tokens/ssh/cryptsetup-ssh.c:272
 msgid "Failed to import private key (password protected?).\n"
 msgstr "导入私钥失败（存在密码保护？）。\n"
 
 #. TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: "
-#: tokens/ssh/cryptsetup-ssh.c:287
+#: tokens/ssh/cryptsetup-ssh.c:274
 #, c-format
 msgid "%s@%s's password: "
 msgstr "%s@%s 的密码："
 
 # stat() 主要就是出来一个各种文件信息……
-#: tokens/ssh/cryptsetup-ssh.c:376
+#: tokens/ssh/cryptsetup-ssh.c:363
 #, c-format
 msgid "Failed to parse arguments.\n"
 msgstr "解析参数失败。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:387
+#: tokens/ssh/cryptsetup-ssh.c:374
 #, c-format
 msgid "An action must be specified\n"
 msgstr "必须指定一个操作\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:393
+#: tokens/ssh/cryptsetup-ssh.c:380
 #, c-format
 msgid "Device must be specified for '%s' action.\n"
-msgstr ""
+msgstr "必须为“%s”操作指定设备。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:398
+#: tokens/ssh/cryptsetup-ssh.c:385
 #, c-format
 msgid "SSH server must be specified for '%s' action.\n"
-msgstr ""
+msgstr "必须为“%s”操作指定 SSH 服务器。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:403
+#: tokens/ssh/cryptsetup-ssh.c:390
 #, c-format
 msgid "SSH user must be specified for '%s' action.\n"
-msgstr ""
+msgstr "必须为 “%s” 操作指定 SSH 用户。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:408
+#: tokens/ssh/cryptsetup-ssh.c:395
 #, c-format
 msgid "SSH path must be specified for '%s' action.\n"
-msgstr ""
+msgstr "必须为“%s”操作指定 SSH 路径。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:413
+#: tokens/ssh/cryptsetup-ssh.c:400
 #, c-format
 msgid "SSH key path must be specified for '%s' action.\n"
-msgstr ""
+msgstr "必须为“%s”操作指定 SSH 密钥路径。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:420
+#: tokens/ssh/cryptsetup-ssh.c:407
 #, c-format
 msgid "Failed open %s using provided credentials.\n"
-msgstr ""
+msgstr "使用提供的凭据打开 %s失败。\n"
 
-#: tokens/ssh/cryptsetup-ssh.c:437
+#: tokens/ssh/cryptsetup-ssh.c:424
 #, c-format
 msgid "Only 'add' action is currently supported by this plugin.\n"
-msgstr ""
+msgstr "此插件目前仅支持 'add' 操作。\n"
 
-#: tokens/ssh/ssh-utils.c:46
+#: tokens/ssh/ssh-utils.c:33
 msgid "Cannot create sftp session: "
 msgstr "无法创建 sftp 会话："
 
-#: tokens/ssh/ssh-utils.c:53
+#: tokens/ssh/ssh-utils.c:40
 msgid "Cannot init sftp session: "
 msgstr "无法初始化 sftp 会话："
 
-#: tokens/ssh/ssh-utils.c:59
+#: tokens/ssh/ssh-utils.c:46
 msgid "Cannot open sftp session: "
 msgstr "无法打开 sftp 会话："
 
-#: tokens/ssh/ssh-utils.c:66
-#, fuzzy
-#| msgid "Cannot write to keyfile %s."
+#: tokens/ssh/ssh-utils.c:53
 msgid "Cannot stat sftp file: "
-msgstr "无法写入密钥文件 %s。"
+msgstr "无法 stat（获取元数据）sftp 文件："
 
-#: tokens/ssh/ssh-utils.c:74
+#: tokens/ssh/ssh-utils.c:61
 msgid "Not enough memory.\n"
 msgstr "内存不足。\n"
 
-#: tokens/ssh/ssh-utils.c:81
+#: tokens/ssh/ssh-utils.c:68
 msgid "Cannot read remote key: "
 msgstr "无法读取密钥文件："
 
-#: tokens/ssh/ssh-utils.c:122
+#: tokens/ssh/ssh-utils.c:109
 msgid "Connection failed: "
 msgstr "连接失败："
 
-#: tokens/ssh/ssh-utils.c:132
+#: tokens/ssh/ssh-utils.c:119
 msgid "Server not known: "
 msgstr "服务器未知："
 
-#: tokens/ssh/ssh-utils.c:160
+#: tokens/ssh/ssh-utils.c:147
 msgid "Public key auth method not allowed on host.\n"
-msgstr ""
+msgstr "主机上不允许使用公钥身份验证方法。\n"
 
-#: tokens/ssh/ssh-utils.c:171
+#: tokens/ssh/ssh-utils.c:158
 msgid "Public key authentication error: "
 msgstr "公钥认证错误："
 
 #, c-format
 #~ msgid "Cannot format device %s which is still in use."
-#~ msgstr "无法格式化正在使用的设备 %s。"
+#~ msgstr "未能格式化正在使用的设备 %s。"
 
 #, c-format
 #~ msgid "Replaced with key slot %d."
@@ -4515,10 +4277,10 @@ msgstr "公钥认证错误："
 #~ msgstr "功能在 FIPS 模式无效。"
 
 #~ msgid "Cannot get process priority."
-#~ msgstr "无法获取进程优先级。"
+#~ msgstr "未能获取进程优先级。"
 
 #~ msgid "Cannot unlock memory."
-#~ msgstr "无法解锁内存。"
+#~ msgstr "未能解锁内存。"
 
 #, c-format
 #~ msgid "WARNING: Locking directory %s/%s is missing!\n"
@@ -4915,7 +4677,7 @@ msgstr "公钥认证错误："
 #~ msgstr "从备份标头读取活动旗标失败。"
 
 #~ msgid "Cannot seek to device offset.\n"
-#~ msgstr "无法寻找到设备偏移位置。\n"
+#~ msgstr "未能寻找到设备偏移位置。\n"
 
 #~ msgid "Interrupted by a signal."
 #~ msgstr "被信号中断。"
@@ -5002,7 +4764,7 @@ msgstr "公钥认证错误："
 #~ msgstr "VERITY 卷上的目录树层级过多。\n"
 
 #~ msgid "Key %d not active. Can't wipe.\n"
-#~ msgstr "无法清除未激活的密钥 %d。\n"
+#~ msgstr "未能清除未激活的密钥 %d。\n"
 
 #~ msgid "<name> <data_device> <hash_device> <root_hash>"
 #~ msgstr "<名称> <数据设备> <哈希设备> <根哈希值>"
@@ -5014,7 +4776,7 @@ msgstr "公钥认证错误："
 #~ msgstr "移除（禁用）设备"
 
 #~ msgid "Cannot open device %s\n"
-#~ msgstr "无法打开设备 %s。\n"
+#~ msgstr "未能打开设备 %s。\n"
 
 #~ msgid "Marking LUKS device %s usable.\n"
 #~ msgstr "正将 LUKS 设备 %s 标为可用。\n"
diff --git a/src/Makemodule.am b/src/Makemodule.am
index 57fff40..cbb3a3d 100644
--- a/src/Makemodule.am
+++ b/src/Makemodule.am
@@ -17,6 +17,8 @@ cryptsetup_SOURCES =		\
 	src/utils_reencrypt.c	\
 	src/utils_reencrypt_luks1.c	\
 	src/utils_progress.c	\
+	src/utils_key_description.c	\
+	src/utils_keyslot_check.c	\
 	src/cryptsetup.c	\
 	src/cryptsetup.h	\
 	src/cryptsetup_args.h	\
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 9e5ede2..d8b9e50 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <uuid/uuid.h>
@@ -17,11 +17,15 @@
 static char *keyfiles[MAX_KEYFILES];
 static char *keyring_links[MAX_KEYRING_LINKS];
 static char *vks_in_keyring[MAX_VK_IN_KEYRING];
+static char *vk_files[2];
 static char *keyfile_stdin = NULL;
+static uint32_t key_sizes[2];
 
 static int keyfiles_count = 0;
 static int keyring_links_count = 0;
 static int vks_in_keyring_count = 0;
+static int vk_files_count = 0;
+static int key_sizes_count = 0;
 int64_t data_shift = 0;
 
 const char *device_type = "luks";
@@ -52,6 +56,8 @@ void tools_cleanup(void)
 		free(keyring_links[--keyring_links_count]);
 	while (vks_in_keyring_count)
 		free(vks_in_keyring[--vks_in_keyring_count]);
+	while (vk_files_count)
+		free(vk_files[--vk_files_count]);
 
 	total_keyfiles = 0;
 }
@@ -72,6 +78,7 @@ static bool isLUKS(const char *type)
 static int _set_keyslot_encryption_params(struct crypt_device *cd)
 {
 	const char *type = crypt_get_type(cd);
+	int r;
 
 	if (!ARG_SET(OPT_KEYSLOT_KEY_SIZE_ID) && !ARG_SET(OPT_KEYSLOT_CIPHER_ID))
 		return 0;
@@ -81,79 +88,38 @@ static int _set_keyslot_encryption_params(struct crypt_device *cd)
 		return -EINVAL;
 	}
 
-	return crypt_keyslot_set_encryption(cd, ARG_STR(OPT_KEYSLOT_CIPHER_ID), ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) / 8);
-}
-
-static int _try_token_unlock(struct crypt_device *cd,
-			     int keyslot,
-			     int token_id,
-			     const char *activated_name,
-			     const char *token_type,
-			     uint32_t activate_flags,
-			     int tries,
-			     bool activation,
-			     bool token_only)
-{
-	int r;
-	struct crypt_keyslot_context *kc;
-	size_t pin_len;
-	char msg[64], *pin = NULL;
-
-	assert(tries >= 1);
-	assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
-	assert(keyslot >= 0 || keyslot == CRYPT_ANY_SLOT);
-
-	r = crypt_keyslot_context_init_by_token(cd, token_id, token_type, NULL, 0, NULL, &kc);
+	r = crypt_keyslot_set_encryption(cd, ARG_STR(OPT_KEYSLOT_CIPHER_ID), ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) / 8);
 	if (r < 0)
-		return r;
-
-	if (activation)
-		r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, NULL, activate_flags);
-	else
-		r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
+		log_err(_("Keyslot encryption parameters are not compatible with LUKS2 keyslot encryption."));
 
-	tools_keyslot_msg(r, UNLOCKED);
-	tools_token_error_msg(r, token_type, token_id, false);
-
-	/* Token requires PIN (-ENOANO). Ask for it if there is evident preference for tokens */
-	if (r != -ENOANO || (!token_only && !token_type && token_id == CRYPT_ANY_TOKEN))
-		goto out;
+	return r;
+}
 
-	if (token_id == CRYPT_ANY_TOKEN)
-		r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
-	else
-		r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
-	if (r < 0 || (size_t)r >= sizeof(msg)) {
-		r = -EINVAL;
-		goto out;
-	}
+static int init_new_keyslot_context(struct crypt_device *cd,
+				const char *msg,
+				bool verify, bool pwquality,
+				struct crypt_keyslot_context **kc)
+{
+	char *password;
+	size_t passwordLen;
+	int r = -EINVAL;
 
-	do {
-		r = tools_get_key(msg, &pin, &pin_len, 0, 0, NULL,
-				ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
+	if (ARG_SET(OPT_NEW_KEY_DESCRIPTION_ID))
+		r = crypt_keyslot_context_init_by_keyring(cd, ARG_STR(OPT_NEW_KEY_DESCRIPTION_ID), kc);
+	else if (ARG_SET(OPT_NEW_KEYFILE_ID) && !tools_is_stdin(ARG_STR(OPT_NEW_KEYFILE_ID)))
+		r = crypt_keyslot_context_init_by_keyfile(cd, ARG_STR(OPT_NEW_KEYFILE_ID),
+							  ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
+							  ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), kc);
+	else {
+		r = tools_get_key(msg, &password, &passwordLen, ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID),
+				  ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), ARG_STR(OPT_NEW_KEYFILE_ID),
+				  ARG_UINT32(OPT_TIMEOUT_ID), verify, pwquality, cd);
 		if (r < 0)
-			break;
-
-		r = crypt_keyslot_context_set_pin(cd, pin, pin_len, kc);
-		if (r < 0) {
-			crypt_safe_free(pin);
-			break;
-		}
-
-		if (activation)
-			r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot,
-							      kc, CRYPT_ANY_SLOT, NULL, activate_flags);
-		else
-			r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
+			return r;
+		r = crypt_keyslot_context_init_by_passphrase(cd, password, passwordLen, kc);
+		crypt_safe_free(password);
+	}
 
-		crypt_safe_free(pin);
-		pin = NULL;
-		tools_keyslot_msg(r, UNLOCKED);
-		tools_token_error_msg(r, token_type, token_id, true);
-		check_signal(&r);
-	} while (r == -ENOANO && (--tries > 0));
-out:
-	crypt_keyslot_context_free(kc);
 	return r;
 }
 
@@ -169,7 +135,8 @@ static int action_open_plain(void)
 		.offset = ARG_UINT64(OPT_OFFSET_ID),
 		.sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE
 	};
-	char *password = NULL;
+	struct crypt_keyslot_context *kc = NULL;
+	char *password = NULL, *vk_description_activation = NULL;
 	const char *activated_name = NULL;
 	size_t passwordLen, key_size_max, signatures = 0,
 	       key_size = (ARG_UINT32(OPT_KEY_SIZE_ID) ?: DEFAULT_PLAIN_KEYBITS) / 8;
@@ -194,12 +161,12 @@ static int action_open_plain(void)
 			cipher, cipher_mode, key_size * 8);
 		compat_warning = true;
 	}
-	if (!ARG_SET(OPT_HASH_ID) && !ARG_SET(OPT_KEY_FILE_ID)) {
+	if (!ARG_SET(OPT_HASH_ID) && !ARG_SET(OPT_KEY_FILE_ID) && !ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
 		log_err(_("WARNING: Using default options for hash (%s) that could be incompatible with older versions."), params.hash);
 		compat_warning = true;
 	}
 	if (compat_warning)
-		log_err(_("For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."));
+		log_err(_("For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."));
 
 	/* FIXME: temporary hack, no hashing for keyfiles in plain mode */
 	if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
@@ -209,6 +176,12 @@ static int action_open_plain(void)
 				 "in plain mode with keyfile specified.\n"));
 	}
 
+	if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		r = tools_parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description_activation);
+		if (r < 0)
+			goto out;
+	}
+
 	if (params.hash && !strcmp(params.hash, "plain"))
 		params.hash = NULL;
 
@@ -272,6 +245,9 @@ static int action_open_plain(void)
 		pmode = cipher_mode;
 	}
 
+	if ((r = tools_check_newname(activated_name)))
+		goto out;
+
 	if (ARG_SET(OPT_DEVICE_SIZE_ID))
 		params.size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;
 	else if (ARG_SET(OPT_SIZE_ID))
@@ -291,7 +267,14 @@ static int action_open_plain(void)
 
 	set_activation_flags(&activate_flags);
 
-	if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
+	if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation, &kc);
+		if (r < 0)
+			goto out;
+
+		r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT,
+			kc, CRYPT_ANY_SLOT, NULL, activate_flags | CRYPT_ACTIVATE_KEYRING_KEY);
+	} else if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
 		/* If no hash, key is read directly, read size is always key_size
 		 * (possible --keyfile_size is ignored.
 		 * If hash is specified, --keyfile_size is applied.
@@ -314,6 +297,8 @@ static int action_open_plain(void)
 			CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
 	}
 out:
+	free(vk_description_activation);
+	crypt_keyslot_context_free(kc);
 	crypt_free(cd);
 	crypt_free(cd1);
 	crypt_safe_free(password);
@@ -356,6 +341,9 @@ static int action_open_loopaes(void)
 			goto out;
 	}
 
+	if ((r = tools_check_newname(activated_name)))
+		goto out;
+
 	set_activation_flags(&activate_flags);
 
 	r = crypt_activate_by_keyfile_device_offset(cd, activated_name, CRYPT_ANY_SLOT,
@@ -371,7 +359,7 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para
 {
 	int r, tries, eperm = 0;
 
-	tries = set_tries_tty();
+	tries = set_tries_tty(false);
 	do {
 		/* TCRYPT header is encrypted, get passphrase now */
 		r = tools_get_key(NULL, CONST_CAST(char**)&params->passphrase,
@@ -460,6 +448,8 @@ static int action_open_tcrypt(void)
 	int r;
 
 	activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
+	if ((r = tools_check_newname(activated_name)))
+		goto out;
 
 	r = crypt_init_data_device(&cd, ARG_STR(OPT_HEADER_ID) ?: action_argv[0], action_argv[0]);
 	if (r < 0)
@@ -491,6 +481,8 @@ static int action_open_bitlk(void)
 	size_t passwordLen;
 
 	activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
+	if ((r = tools_check_newname(activated_name)))
+		goto out;
 
 	if ((r = crypt_init(&cd, action_argv[0])))
 		goto out;
@@ -517,7 +509,11 @@ static int action_open_bitlk(void)
 		r = crypt_activate_by_volume_key(cd, activated_name,
 						 key, keysize, activate_flags);
 	} else {
-		tries = set_tries_tty();
+		r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT, NULL, 0, activate_flags);
+		if (r != -EPERM)
+			goto out;
+
+		tries = set_tries_tty(false);
 		do {
 			r = tools_get_key(NULL, &password, &passwordLen,
 					ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
@@ -625,14 +621,19 @@ static int bitlkDump_with_volume_key(struct crypt_device *cd)
 	if (!vk)
 		return -ENOMEM;
 
-	r = tools_get_key(NULL, &password, &passwordLen,
-			  ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-			  ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
-	if (r < 0)
-		goto out;
-
 	r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
-				 password, passwordLen);
+					password, passwordLen);
+	if (r < 0) {
+		r = tools_get_key(NULL, &password, &passwordLen,
+					ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
+					ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
+		if (r < 0)
+			goto out;
+
+		r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
+						password, passwordLen);
+	}
+
 	tools_passphrase_msg(r);
 	check_signal(&r);
 	if (r < 0)
@@ -774,6 +775,8 @@ static int action_open_fvault2(void)
 	size_t passwordLen;
 
 	activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
+	if ((r = tools_check_newname(activated_name)))
+		goto out;
 
 	if ((r = crypt_init(&cd, action_argv[0])))
 		goto out;
@@ -799,7 +802,7 @@ static int action_open_fvault2(void)
 			goto out;
 		r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags);
 	} else {
-		tries = set_tries_tty();
+		tries = set_tries_tty(false);
 		do {
 			r = tools_get_key(NULL, &password, &passwordLen,
 				ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
@@ -853,11 +856,10 @@ static int action_close(void)
 static int action_resize(void)
 {
 	int r;
-	size_t passwordLen;
 	struct crypt_active_device cad;
 	uint64_t dev_size = 0;
-	char *password = NULL;
 	struct crypt_device *cd = NULL;
+	struct crypt_keyslot_context *kc = NULL;
 
 	r = crypt_init_by_name_and_header(&cd, action_argv[0], ARG_STR(OPT_HEADER_ID));
 	if (r)
@@ -890,32 +892,36 @@ static int action_resize(void)
 				goto out;
 		}
 
-		/* try load VK in kernel keyring using token */
-		r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
-				      NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY,
-				      1, true, ARG_SET(OPT_TOKEN_ONLY_ID));
-
-		if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
-			goto out;
+		if (isLUKS2(crypt_get_type(cd))) {
+			/* try load VK in kernel keyring using token */
+			r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
+						  ARG_INT32(OPT_TOKEN_ID_ID),
+						  NULL, ARG_STR(OPT_TOKEN_TYPE_ID),
+						  CRYPT_ACTIVATE_KEYRING_KEY,
+						  1, true,
+						  ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+						  NULL);
+
+			if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
+				goto out;
 
-		r = tools_get_key(NULL, &password, &passwordLen,
-				  ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-				  ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
-		if (r < 0)
-			goto out;
+			r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc);
+			if (r < 0)
+				goto out;
 
-		r = crypt_activate_by_passphrase(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
-						 password, passwordLen,
-						 CRYPT_ACTIVATE_KEYRING_KEY);
-		tools_passphrase_msg(r);
-		tools_keyslot_msg(r, UNLOCKED);
+			r = crypt_activate_by_keyslot_context(cd, NULL,ARG_INT32(OPT_KEY_SLOT_ID),
+							kc, CRYPT_ANY_SLOT, NULL,
+							CRYPT_ACTIVATE_KEYRING_KEY);
+			tools_passphrase_msg(r);
+			tools_keyslot_msg(r, UNLOCKED);
+		}
 	}
 
 out:
 	if (r >= 0)
 		r = crypt_resize(cd, action_argv[0], dev_size);
 
-	crypt_safe_free(password);
+	crypt_keyslot_context_free(kc);
 	crypt_free(cd);
 	return r;
 }
@@ -930,6 +936,7 @@ static int action_status(void)
 	char *backing_file;
 	const char *device;
 	int path = 0, r = 0, hw_enc;
+	uint64_t sector_size;
 
 	/* perhaps a path, not a dm device name */
 	if (strchr(action_argv[0], '/'))
@@ -986,36 +993,38 @@ static int action_status(void)
 
 		if (hw_enc == CRYPT_SW_ONLY) {
 			log_std("  cipher:  %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
-			log_std("  keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
+			log_std("  keysize: %d [bits]\n", crypt_get_volume_key_size(cd) * 8);
 			log_std("  key location: %s\n", (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) ? "keyring" : "dm-crypt");
 		} else if (hw_enc == CRYPT_OPAL_HW_ONLY) {
 			log_std("  encryption: HW OPAL only\n");
-			log_std("  OPAL keysize: %d bits\n", crypt_get_hw_encryption_key_size(cd) * 8);
+			log_std("  OPAL keysize: %d [bits]\n", crypt_get_hw_encryption_key_size(cd) * 8);
 		} else if (hw_enc == CRYPT_SW_AND_OPAL_HW) {
 			log_std("  encryption: dm-crypt over HW OPAL\n");
-			log_std("  OPAL keysize: %d bits\n", crypt_get_hw_encryption_key_size(cd) * 8);
+			log_std("  OPAL keysize: %d [bits]\n", crypt_get_hw_encryption_key_size(cd) * 8);
 			log_std("  cipher:  %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
-			log_std("  keysize: %d bits\n", (crypt_get_volume_key_size(cd) - crypt_get_hw_encryption_key_size(cd)) * 8);
+			log_std("  keysize: %d [bits]\n", (crypt_get_volume_key_size(cd) - crypt_get_hw_encryption_key_size(cd)) * 8);
 			log_std("  key location: %s\n", (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) ? "keyring" : "dm-crypt");
 		}
 
 		if (ip.integrity)
 			log_std("  integrity: %s\n", ip.integrity);
 		if (ip.integrity_key_size)
-			log_std("  integrity keysize: %d bits\n", ip.integrity_key_size * 8);
+			log_std("  integrity keysize: %d [bits]\n", ip.integrity_key_size * 8);
 		if (ip.tag_size)
-			log_std("  integrity tag size: %u bytes\n", ip.tag_size);
+			log_std("  integrity tag size: %u [bytes] %s\n", ip.tag_size,
+				(cad.flags & CRYPT_ACTIVATE_INLINE_MODE) ? " (inline HW tags)" : "");
 		device = crypt_get_device_name(cd);
 		log_std("  device:  %s\n", device);
 		if ((backing_file = crypt_loop_backing_file(device))) {
 			log_std("  loop:    %s\n", backing_file);
 			free(backing_file);
 		}
-		log_std("  sector size:  %d\n", crypt_get_sector_size(cd));
-		log_std("  offset:  %" PRIu64 " sectors\n", cad.offset);
-		log_std("  size:    %" PRIu64 " sectors\n", cad.size);
+		sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
+		log_std("  sector size:  %" PRIu64 " [bytes]\n", sector_size);
+		log_std("  offset:  %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size);
+		log_std("  size:    %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
 		if (cad.iv_offset)
-			log_std("  skipped: %" PRIu64 " sectors\n", cad.iv_offset);
+			log_std("  skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset);
 		log_std("  mode:    %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
 					   "readonly" : "read/write",
 					   (cad.flags & CRYPT_ACTIVATE_SUSPENDED) ? " (suspended)" : "");
@@ -1023,13 +1032,15 @@ static int action_status(void)
 				 CRYPT_ACTIVATE_SAME_CPU_CRYPT|
 				 CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS|
 				 CRYPT_ACTIVATE_NO_READ_WORKQUEUE|
-				 CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE))
-			log_std("  flags:   %s%s%s%s%s\n",
+				 CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE|
+				 CRYPT_ACTIVATE_HIGH_PRIORITY))
+			log_std("  flags:   %s%s%s%s%s%s\n",
 				(cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? "discards " : "",
 				(cad.flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? "same_cpu_crypt " : "",
 				(cad.flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? "submit_from_crypt_cpus " : "",
 				(cad.flags & CRYPT_ACTIVATE_NO_READ_WORKQUEUE) ? "no_read_workqueue " : "",
-				(cad.flags & CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) ? "no_write_workqueue" : "");
+				(cad.flags & CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE) ? "no_write_workqueue" : "",
+				(cad.flags & CRYPT_ACTIVATE_HIGH_PRIORITY) ? "high_priority" : "");
 	}
 out:
 	crypt_free(cd);
@@ -1229,7 +1240,7 @@ static int action_benchmark(void)
 
 	if (r == -ENOTSUP) {
 		log_err(_("Required kernel crypto interface not available."));
-#ifdef ENABLE_AF_ALG
+#if ENABLE_AF_ALG
 		log_err( _("Ensure you have algif_skcipher kernel module loaded."));
 #endif
 	}
@@ -1339,10 +1350,12 @@ static int luks2_reencrypt_repair(struct crypt_device *cd)
 static int action_luksRepair(void)
 {
 	struct crypt_device *cd = NULL;
+	const char *header_device, *data_device = NULL;
 	int r;
 
-	if ((r = crypt_init_data_device(&cd, ARG_STR(OPT_HEADER_ID) ?: action_argv[0],
-					action_argv[0])))
+	header_device = uuid_or_device_header(&data_device);
+
+	if ((r = crypt_init_data_device(&cd, header_device, data_device)))
 		goto out;
 
 	crypt_set_log_callback(cd, quiet_log, &log_parms);
@@ -1358,10 +1371,10 @@ static int action_luksRepair(void)
 	}
 
 	if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
-		r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID));
+		r = tools_detect_signatures(header_device, PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID));
 		if (r < 0) {
 			if (r == -EIO)
-				log_err(_("Blkid scan failed for %s."), action_argv[0]);
+				log_err(_("Blkid scan failed for %s."), header_device);
 			goto out;
 		}
 	}
@@ -1377,6 +1390,10 @@ static int action_luksRepair(void)
 	if (!r && isLUKS2(crypt_get_type(cd)))
 		r = luks2_reencrypt_repair(cd);
 
+	/* Randomness analysis of LUKS keyslot binary data, this is only a hint */
+	if (r == 0)
+		luks_check_keyslots(cd, header_device);
+
 	crypt_free(cd);
 	return r;
 }
@@ -1431,15 +1448,15 @@ static int strcmp_or_null(const char *str, const char *expected)
 	return !str ? 0 : strcmp(str, expected);
 }
 
-int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen)
+int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc)
 {
 	bool wipe_signatures = false;
-	int encrypt_type, r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0;
+	int encrypt_type, r = -EINVAL, integrity_keysize = 0, required_integrity_key_size = 0, fd, created = 0;
 	struct stat st;
 	const char *header_device, *type;
-	char *msg = NULL, *key = NULL, *password = NULL;
+	char *msg = NULL, *key = NULL;
 	char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], integrity[MAX_CIPHER_LEN];
-	size_t passwordLen = 0, signatures = 0;
+	size_t keysize, signatures = 0;
 	struct crypt_device *cd = NULL;
 	struct crypt_params_luks1 params1 = {
 		.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH,
@@ -1456,13 +1473,19 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	struct crypt_params_hw_opal opal_params = {
 		.user_key_size = DEFAULT_LUKS1_KEYBITS / 8
 	};
+	struct crypt_params_integrity integrity_params = {};
 	void *params;
+	struct crypt_keyslot_context *kc = NULL, *new_kc = NULL;
 
 	type = luksType(device_type);
 	if (!type)
 		type = crypt_get_default_type();
 
 	if (isLUKS2(type)) {
+		if (ARG_SET(OPT_HW_OPAL_ONLY_ID) && (ARG_SET(OPT_CIPHER_ID) || ARG_SET(OPT_KEY_SIZE_ID))) {
+			log_err(_("OPAL hw-only encryption does not support --cipher and --key-size, options ignored."));
+		}
+
 		params = &params2;
 	} else if (isLUKS1(type)) {
 		params = &params1;
@@ -1486,6 +1509,11 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 			log_err(_("OPAL is supported only for LUKS2 format."));
 			return -EINVAL;
 		}
+
+		if (ARG_SET(OPT_INTEGRITY_INLINE_ID)) {
+			log_err(_("Inline hw tags are supported only for LUKS2 format."));
+			return -EINVAL;
+		}
 	} else
 		return -EINVAL;
 
@@ -1521,13 +1549,23 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	}
 
 	if (ARG_SET(OPT_INTEGRITY_ID)) {
-		r = crypt_parse_integrity_mode(ARG_STR(OPT_INTEGRITY_ID), integrity, &integrity_keysize);
+		if (ARG_SET(OPT_INTEGRITY_KEY_SIZE_ID))
+			required_integrity_key_size = ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID) / 8;
+		r = crypt_parse_integrity_mode(ARG_STR(OPT_INTEGRITY_ID), integrity,
+					       &integrity_keysize, required_integrity_key_size);
 		if (r < 0) {
 			log_err(_("No known integrity specification pattern detected."));
+			if (ARG_SET(OPT_INTEGRITY_KEY_SIZE_ID) && required_integrity_key_size != integrity_keysize)
+				log_err(_("Cannot use specified integrity key size."));
 			goto out;
 		}
+
 		params2.integrity = integrity;
-		/* FIXME: we use default integrity_params (set to NULL) */
+		/* FIXME: we use default integrity_params except key size */
+		if (required_integrity_key_size) {
+			params2.integrity_params = &integrity_params;
+			integrity_params.integrity_key_size = integrity_keysize;
+		}
 	}
 
 	/* Never call pwquality if using null cipher */
@@ -1577,7 +1615,8 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 			goto out;
 	}
 
-	keysize = get_adjusted_key_size(cipher_mode, DEFAULT_LUKS1_KEYBITS, integrity_keysize);
+	keysize = get_adjusted_key_size(cipher, cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),
+					DEFAULT_LUKS1_KEYBITS, integrity_keysize);
 
 	if (ARG_SET(OPT_HW_OPAL_ONLY_ID))
 		keysize = opal_params.user_key_size;
@@ -1589,9 +1628,8 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	else if (ARG_SET(OPT_USE_URANDOM_ID))
 		crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
 
-	r = tools_get_key(NULL, &password, &passwordLen,
-			  ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-			  ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
+	r = luks_init_keyslot_context(cd, NULL, verify_passphrase(1),
+				      !ARG_SET(OPT_FORCE_PASSWORD_ID), &new_kc);
 	if (r < 0)
 		goto out;
 
@@ -1633,6 +1671,9 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 			 ARG_SET(OPT_HW_OPAL_ONLY_ID) ? NULL : cipher,
 			 ARG_SET(OPT_HW_OPAL_ONLY_ID) ? NULL : cipher_mode,
 			 ARG_STR(OPT_UUID_ID), key, keysize, params, &opal_params);
+	else if (ARG_SET(OPT_INTEGRITY_INLINE_ID))
+		r = crypt_format_inline(cd, type, cipher, cipher_mode,
+			 ARG_STR(OPT_UUID_ID), key, keysize, params);
 	else
 		r = crypt_format(cd, type, cipher, cipher_mode,
 			 ARG_STR(OPT_UUID_ID), key, keysize, params);
@@ -1644,9 +1685,27 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	if (r < 0)
 		goto out;
 
-	r = crypt_keyslot_add_by_volume_key(cd, ARG_INT32(OPT_KEY_SLOT_ID),
-					    key, keysize,
-					    password, passwordLen);
+	if (!key && r_kc) {
+		key = crypt_safe_alloc(keysize);
+		if (!key) {
+			r = -ENOMEM;
+			goto out;
+		}
+		/* Extract VK for LUKS2 encryption later */
+		r = crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key, &keysize, NULL);
+		if (r < 0)
+			goto out;
+	}
+
+	r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize, &kc);
+	if (r < 0)
+		goto out;
+
+	crypt_safe_free(key);
+	key = NULL;
+
+	r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc,
+						 ARG_INT32(OPT_KEY_SLOT_ID), new_kc, 0);
 	if (r < 0) {
 		wipe_signatures = true;
 		goto out;
@@ -1662,6 +1721,7 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	}
 out:
 	crypt_safe_free(key);
+	crypt_keyslot_context_free(new_kc);
 
 	if (r < 0) {
 		encrypt_type = crypt_get_hw_encryption_type(cd);
@@ -1677,170 +1737,21 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 
 	crypt_safe_free(CONST_CAST(void *)opal_params.admin_key);
 
-	if (r >= 0 && r_cd && r_password && r_passwordLen) {
+	if (r >= 0 && r_cd && r_kc) {
 		*r_cd = cd;
-		*r_password = password;
-		*r_passwordLen = passwordLen;
+		*r_kc = kc;
 		return r;
 	}
 
+	crypt_keyslot_context_free(kc);
 	crypt_free(cd);
-	crypt_safe_free(password);
 
 	return r;
 }
 
 static int action_luksFormat(void)
 {
-	return luksFormat(NULL, NULL, NULL);
-}
-
-static int parse_vk_description(const char *key_description, char **ret_key_description)
-{
-	char *tmp;
-	int r;
-
-	assert(key_description);
-	assert(ret_key_description);
-
-	/* apply default key type */
-	if (*key_description != '%')
-		r = asprintf(&tmp, "%%user:%s", key_description) < 0 ? -EINVAL : 0;
-	else
-		r = (tmp = strdup(key_description)) ? 0 : -ENOMEM;
-	if (!r)
-		*ret_key_description = tmp;
-
-	return r;
-}
-
-static int parse_single_vk_and_keyring_description(
-		struct crypt_device *cd,
-		char *keyring_key_description, char **keyring_part_out, char
-		**key_part_out, char **type_part_out)
-{
-	int r = -EINVAL;
-	char *endp, *sep, *key_part, *type_part = NULL;
-	char *key_part_copy = NULL, *type_part_copy = NULL, *keyring_part = NULL;
-
-	if (!cd || !keyring_key_description)
-		return -EINVAL;
-
-	/* "::" is separator between keyring specification a key description */
-	key_part = strstr(keyring_key_description, "::");
-	if (!key_part)
-		goto out;
-
-	*key_part = '\0';
-	key_part = key_part + 2;
-
-	if (*key_part == '%') {
-		type_part = key_part + 1;
-		sep = strstr(type_part, ":");
-		if (!sep)
-			goto out;
-		*sep = '\0';
-
-		key_part = sep + 1;
-	}
-
-	if (*keyring_key_description == '%') {
-		keyring_key_description = strstr(keyring_key_description, ":");
-		if (!keyring_key_description)
-			goto out;
-		log_verbose(_("Type specification in --link-vk-to-keyring keyring specification is ignored."));
-		keyring_key_description++;
-	}
-
-	(void)strtol(keyring_key_description, &endp, 0);
-
-	r = 0;
-	if (*keyring_key_description == '@' || !*endp)
-		keyring_part = strdup(keyring_key_description);
-	else
-		r = asprintf(&keyring_part, "%%:%s", keyring_key_description);
-
-	if (!keyring_part || r < 0) {
-		r = -ENOMEM;
-		goto out;
-	}
-
-	if (!(key_part_copy = strdup(key_part))) {
-		r = -ENOMEM;
-		goto out;
-	}
-	if (type_part && !(type_part_copy = strdup(type_part)))
-		r = -ENOMEM;
-
-out:
-	if (r < 0) {
-		free(keyring_part);
-		free(key_part_copy);
-		free(type_part_copy);
-	} else {
-		*keyring_part_out = keyring_part;
-		*key_part_out = key_part_copy;
-		*type_part_out = type_part_copy;
-	}
-
-	return r;
-}
-
-static int parse_vk_and_keyring_description(
-		struct crypt_device *cd,
-		char **keyring_key_descriptions,
-		int keyring_key_links_count)
-{
-	int r = 0;
-
-	char *keyring_part_out1 = NULL, *key_part_out1 = NULL, *type_part_out1 = NULL;
-	char *keyring_part_out2 = NULL, *key_part_out2 = NULL, *type_part_out2 = NULL;
-
-	if (keyring_key_links_count > 0) {
-		r = parse_single_vk_and_keyring_description(cd,
-				keyring_key_descriptions[0],
-				&keyring_part_out1, &key_part_out1,
-				&type_part_out1);
-		if (r < 0)
-			goto out;
-	}
-	if (keyring_key_links_count > 1) {
-		r = parse_single_vk_and_keyring_description(cd,
-				keyring_key_descriptions[1],
-				&keyring_part_out2, &key_part_out2,
-				&type_part_out2);
-		if (r < 0)
-			goto out;
-
-		if ((type_part_out1 && type_part_out2) && strcmp(type_part_out1, type_part_out2)) {
-			log_err(_("Key types have to be the same for both volume keys."));
-			r = -EINVAL;
-			goto out;
-		}
-		if ((keyring_part_out1 && keyring_part_out2) && strcmp(keyring_part_out1, keyring_part_out2)) {
-			log_err(_("Both volume keys have to be linked to the same keyring."));
-			r = -EINVAL;
-			goto out;
-		}
-	}
-
-	if (keyring_key_links_count > 0) {
-		r = crypt_set_keyring_to_link(cd, key_part_out1, key_part_out2,
-				type_part_out1, keyring_part_out1);
-		if (r == -EAGAIN)
-			log_err(_("You need to supply more key names."));
-	}
-out:
-	if (r == -EINVAL)
-		log_err(_("Invalid --link-vk-to-keyring value."));
-	free(keyring_part_out1);
-	free(key_part_out1);
-	free(type_part_out1);
-	free(keyring_part_out2);
-	free(key_part_out2);
-	free(type_part_out2);
-
-	return r;
+	return luksFormat(NULL, NULL);
 }
 
 static int action_open_luks(void)
@@ -1848,11 +1759,8 @@ static int action_open_luks(void)
 	struct crypt_active_device cad;
 	struct crypt_device *cd = NULL;
 	const char *data_device, *header_device, *activated_name;
-	char *key = NULL, *vk_description_activation1 = NULL, *vk_description_activation2 = NULL;
 	uint32_t activate_flags = 0;
-	int r, keysize, tries;
-	char *password = NULL;
-	size_t passwordLen;
+	int r, tries, keysize = 0;
 	struct stat st;
 	struct crypt_keyslot_context *kc1 = NULL, *kc2 = NULL;
 
@@ -1891,6 +1799,9 @@ static int action_open_luks(void)
 		}
 	}
 
+	if ((r = tools_check_newname(activated_name)))
+		goto out;
+
 	set_activation_flags(&activate_flags);
 
 	if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
@@ -1903,78 +1814,82 @@ static int action_open_luks(void)
 	}
 
 	if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) {
-		r = parse_vk_and_keyring_description(cd, keyring_links, keyring_links_count);
+		r = tools_parse_vk_and_keyring_description(cd, keyring_links, keyring_links_count);
 		if (r < 0)
 			goto out;
 	}
 
-	if (ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
-		keysize = crypt_get_volume_key_size(cd);
-		if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
-			log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
-			r = -EINVAL;
-			goto out;
-		} else if (!keysize)
-			keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
-
-		r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &key, keysize);
-		if (r < 0)
-			goto out;
-		r = crypt_activate_by_volume_key(cd, activated_name,
-						 key, keysize, activate_flags);
-	} else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
-		if (vks_in_keyring_count == 1) {
-			r = parse_vk_description(vks_in_keyring[0], &vk_description_activation1);
-			if (r < 0)
-				goto out;
-			r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation1, &kc1);
-			if (r)
-				goto out;
-			r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT, kc1, CRYPT_ANY_SLOT, NULL, activate_flags);
-		} else if (vks_in_keyring_count == 2) {
-			r = parse_vk_description(vks_in_keyring[0], &vk_description_activation1);
-			if (r < 0)
-				goto out;
-			r = parse_vk_description(vks_in_keyring[1], &vk_description_activation2);
-			if (r < 0)
-				goto out;
-			r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation1, &kc1);
-			if (r)
-				goto out;
-			r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation2, &kc2);
-			if (r)
+	/*
+	 * When activating device in-reencryption with --volume-key-file or --volume-key-keyring
+	 * the ordering of parameters does not matter. This applies also if any parameter is used
+	 * twice. The library internal code tests both passed keys if they match old or new
+	 * volume key digests and assign them respectively.
+	 */
+	if (ARG_SET(OPT_VOLUME_KEY_FILE_ID) || ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		if (vk_files[0] && !vk_files[1]) {
+			keysize = key_sizes[0] / 8;
+			if (!keysize)
+				keysize = crypt_get_volume_key_size(cd);
+			if (!keysize) /* only in LUKS2 decryption or with no keyslots */
+				keysize = crypt_get_old_volume_key_size(cd);
+
+			if (!keysize) {
+				log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
+				r = -EINVAL;
 				goto out;
-			r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT, kc1, CRYPT_ANY_SLOT, kc2, activate_flags);
-		}
-		if (r)
+			}
+		} else if (vk_files[0] && vk_files[1])
+			keysize = key_sizes[0] / 8;
+
+		r = luks_init_keyslot_contexts_by_volume_keys(cd, vk_files[0], vk_files[1],
+							      keysize, key_sizes[1] / 8,
+							      vks_in_keyring[0],
+							      vks_in_keyring[1],
+							      &kc1, &kc2);
+		if (r < 0)
 			goto out;
+
+		/* The ordering of kc1 or kc2 does not matter */
+		r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT,
+						      kc1, CRYPT_ANY_SLOT, kc2, activate_flags);
+		if (r == -ESRCH)
+			log_err(_("Device requires two volume keys."));
+		if (r == -EPERM)
+			log_err(_("Volume key does not match the volume."));
 	} else {
-		r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
-				      ARG_INT32(OPT_TOKEN_ID_ID), activated_name,
-				      ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags,
-				      set_tries_tty(), true, ARG_SET(OPT_TOKEN_ONLY_ID));
+		r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
+					  ARG_INT32(OPT_TOKEN_ID_ID), activated_name,
+					  ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags,
+					  set_tries_tty(false), true,
+					  ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+					  NULL);
 
 		if (r >= 0 || r == -EEXIST || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 			goto out;
 
-		tries = set_tries_tty();
+		tries = set_tries_tty(true);
 		do {
-			r = tools_get_key(NULL, &password, &passwordLen,
-					ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-					ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
+			crypt_keyslot_context_free(kc1);
+			kc1 = NULL;
+			r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc1);
 			if (r < 0)
 				goto out;
 
-			r = crypt_activate_by_passphrase(cd, activated_name,
-				ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags);
+			r = crypt_activate_by_keyslot_context(cd, activated_name, ARG_INT32(OPT_KEY_SLOT_ID),
+							      kc1, CRYPT_ANY_SLOT, kc1, activate_flags);
+
 			tools_keyslot_msg(r, UNLOCKED);
 			tools_passphrase_msg(r);
 			check_signal(&r);
-			crypt_safe_free(password);
-			password = NULL;
 		} while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
 	}
 out:
+	if (r >= 0 && activated_name && activate_flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS |
+	    CRYPT_ACTIVATE_SAME_CPU_CRYPT | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS|
+	    CRYPT_ACTIVATE_NO_READ_WORKQUEUE | CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE|
+	    CRYPT_ACTIVATE_HIGH_PRIORITY) && crypt_get_hw_encryption_type(cd) == CRYPT_OPAL_HW_ONLY)
+		log_err(_("Some specified activation parameters were ignored with OPAL hw-only encryption."));
+
 	if (r >= 0 && ARG_SET(OPT_PERSISTENT_ID) &&
 	    (crypt_get_active_device(cd, activated_name, &cad) ||
 	     crypt_persistent_flags_set(cd, CRYPT_FLAGS_ACTIVATION, cad.flags & activate_flags)))
@@ -1982,11 +1897,7 @@ static int action_open_luks(void)
 
 	crypt_keyslot_context_free(kc1);
 	crypt_keyslot_context_free(kc2);
-	crypt_safe_free(key);
-	crypt_safe_free(password);
 	crypt_free(cd);
-	free(vk_description_activation1);
-	free(vk_description_activation2);
 
 	return r;
 }
@@ -2220,14 +2131,14 @@ static int luksAddUnboundKey(void)
 }
 
 static int _ask_for_pin(struct crypt_device *cd,
-	int token_id, char **r_pin, size_t *r_pin_size,
+	int token_id,
 	struct crypt_keyslot_context *kc)
 {
+	char *pin;
+	size_t pin_size;
 	int r;
 	char msg[64];
 
-	assert(r_pin);
-	assert(r_pin_size);
 	assert(kc);
 	assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
 
@@ -2241,18 +2152,13 @@ static int _ask_for_pin(struct crypt_device *cd,
 	if (r < 0 || (size_t)r >= sizeof(msg))
 		return -EINVAL;
 
-	r = tools_get_key(msg, r_pin, r_pin_size, 0, 0, NULL,
+	r = tools_get_key(msg, &pin, &pin_size, 0, 0, NULL,
 			ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
 	if (r < 0)
 		return r;
 
-	r = crypt_keyslot_context_set_pin(cd, *r_pin, *r_pin_size, kc);
-	if (r < 0) {
-		crypt_safe_free(*r_pin);
-		*r_pin = NULL;
-		*r_pin_size = 0;
-	}
-
+	r = crypt_keyslot_context_set_pin(cd, pin, pin_size, kc);
+	crypt_safe_free(pin);
 	return r;
 }
 
@@ -2278,11 +2184,9 @@ static int try_keyslot_add(struct crypt_device *cd,
 
 static int action_luksAddKey(void)
 {
+	bool pin_provided = false;
 	int keyslot_old, keyslot_new, keysize = 0, r = -EINVAL;
-	const char *new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
-	char *key = NULL, *password = NULL, *password_new = NULL, *pin = NULL, *pin_new = NULL,
-	     *vk_description = NULL;
-	size_t pin_size, pin_size_new, password_size = 0, password_new_size = 0;
+	char *key, *vk_description;
 	struct crypt_device *cd = NULL;
 	struct crypt_keyslot_context *p_kc_new = NULL, *kc = NULL, *kc_new = NULL;
 
@@ -2291,8 +2195,8 @@ static int action_luksAddKey(void)
 		return luksAddUnboundKey();
 
 	/* maintain backward compatibility of luksAddKey action positional parameter */
-	if (!new_key_file)
-		new_key_file = ARG_STR(OPT_NEW_KEYFILE_ID);
+	if (action_argc > 1)
+		ARG_SET_STR(OPT_NEW_KEYFILE_ID, strdup(action_argv[1]));
 
 	keyslot_old = ARG_INT32(OPT_KEY_SLOT_ID);
 	keyslot_new = ARG_INT32(OPT_NEW_KEY_SLOT_ID);
@@ -2357,60 +2261,47 @@ static int action_luksAddKey(void)
 		if (r == -EPERM)
 			log_err(_("Volume key does not match the volume."));
 		check_signal(&r);
-		if (r < 0)
+		if (r < 0) {
+			crypt_safe_free(key);
 			goto out;
+		}
 		r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize, &kc);
-	} else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))
-		r = crypt_keyslot_context_init_by_keyfile(cd,
-				ARG_STR(OPT_KEY_FILE_ID),
-				ARG_UINT32(OPT_KEYFILE_SIZE_ID),
-				ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
-				&kc);
-	else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
-		r = parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description);
-		if (!r)
-			r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc);
+		crypt_safe_free(key);
+	} else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		r = tools_parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description);
+		if (r < 0)
+			goto out;
+		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc);
+		free(vk_description);
+		if (r < 0)
+			goto out;
+		r = crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0);
+		if (r == -EPERM)
+			log_err(_("Volume key does not match the volume."));
 	} else if (ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID) || ARG_SET(OPT_TOKEN_ONLY_ID)) {
 		r = crypt_keyslot_context_init_by_token(cd,
 				ARG_INT32(OPT_TOKEN_ID_ID),
 				ARG_STR(OPT_TOKEN_TYPE_ID),
 				NULL, 0, NULL, &kc);
 	} else {
-		r = tools_get_key(_("Enter any existing passphrase: "),
-			      &password, &password_size,
-			      ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-			      ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
-
+		r = luks_init_keyslot_context(cd, _("Enter any existing passphrase: "),
+					      verify_passphrase(0), false, &kc);
 		if (r < 0)
 			goto out;
 
 		/* Check password before asking for new one */
-		r = crypt_activate_by_passphrase(cd, NULL, keyslot_old,
-						 password, password_size, 0);
+		r = crypt_activate_by_keyslot_context(cd, NULL, keyslot_old, kc, CRYPT_ANY_SLOT, NULL, 0);
 		check_signal(&r);
 		tools_passphrase_msg(r);
 		if (r < 0)
 			goto out;
 		tools_keyslot_msg(r, UNLOCKED);
-
-		r = crypt_keyslot_context_init_by_passphrase(cd, password, password_size, &kc);
 	}
 
 	if (r < 0)
 		goto out;
 
-	if (new_key_file && !tools_is_stdin(new_key_file)) {
-		if (ARG_SET(OPT_KEY_FILE_ID) && !strcmp(ARG_STR(OPT_KEY_FILE_ID), new_key_file))
-			p_kc_new = kc;
-		else {
-			r = crypt_keyslot_context_init_by_keyfile(cd,
-					new_key_file,
-					ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
-					ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID),
-					&kc_new);
-			p_kc_new = kc_new;
-		}
-	} else if (ARG_SET(OPT_NEW_TOKEN_ID_ID)) {
+	if (ARG_SET(OPT_NEW_TOKEN_ID_ID)) {
 		if (ARG_INT32(OPT_NEW_TOKEN_ID_ID) == ARG_INT32(OPT_TOKEN_ID_ID))
 			p_kc_new = kc;
 		else {
@@ -2419,53 +2310,41 @@ static int action_luksAddKey(void)
 					NULL, NULL, 0, NULL, &kc_new);
 			p_kc_new = kc_new;
 		}
-	} else {
-		r = tools_get_key(_("Enter new passphrase for key slot: "),
-			      &password_new, &password_new_size,
-			      ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file,
-			      ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
-
-		if (r < 0)
-			goto out;
-		r = crypt_keyslot_context_init_by_passphrase(cd, password_new, password_new_size, &kc_new);
-	}
-
+	} else
+		r = init_new_keyslot_context(cd, _("Enter new passphrase for key slot: "),
+					 verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), &kc_new);
 	if (r < 0)
 		goto out;
 
 	if (!p_kc_new)
 		p_kc_new = kc_new;
 
-	r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new);
+	r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, false, false);
 	if (r >= 0 || r != -ENOANO)
 		goto out;
 
 	if (crypt_keyslot_context_get_error(kc) == -ENOANO) {
-		r = _ask_for_pin(cd, ARG_INT32(OPT_TOKEN_ID_ID), &pin, &pin_size, kc);
+		r = _ask_for_pin(cd, ARG_INT32(OPT_TOKEN_ID_ID), kc);
 		if (r < 0)
 			goto out;
 
-		r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new);
+		pin_provided = true;
+
+		r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin_provided, false);
 		if (r >= 0 || r != -ENOANO)
 			goto out;
 	}
 
 	if (crypt_keyslot_context_get_error(p_kc_new) == -ENOANO) {
-		r = _ask_for_pin(cd, ARG_INT32(OPT_NEW_TOKEN_ID_ID), &pin_new, &pin_size_new, p_kc_new);
+		r = _ask_for_pin(cd, ARG_INT32(OPT_NEW_TOKEN_ID_ID), p_kc_new);
 		if (r < 0)
 			goto out;
-		r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin, pin_new);
+		r = try_keyslot_add(cd, keyslot_old, keyslot_new, kc, p_kc_new, pin_provided, true);
 	}
 out:
 	tools_keyslot_msg(r, CREATED);
-	free(vk_description);
 	crypt_keyslot_context_free(kc);
 	crypt_keyslot_context_free(kc_new);
-	crypt_safe_free(password);
-	crypt_safe_free(password_new);
-	crypt_safe_free(pin);
-	crypt_safe_free(pin_new);
-	crypt_safe_free(key);
 	crypt_free(cd);
 	return r;
 }
@@ -2634,8 +2513,8 @@ static int action_luksUUID(void)
 
 static int luksDump_with_volume_key(struct crypt_device *cd)
 {
-	char *vk = NULL, *password = NULL;
-	size_t passwordLen = 0;
+	char *vk = NULL;
+	struct crypt_keyslot_context *kc = NULL;
 	size_t vk_size;
 	int r;
 
@@ -2651,14 +2530,11 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
 	if (!vk)
 		return -ENOMEM;
 
-	r = tools_get_key(NULL, &password, &passwordLen,
-			  ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-			  ARG_UINT32(OPT_TIMEOUT_ID), 0, 0, cd);
+	r = luks_init_keyslot_context(cd, NULL, false, false, &kc);
 	if (r < 0)
 		goto out;
 
-	r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
-				 password, passwordLen);
+	r = crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, vk, &vk_size, kc);
 	tools_passphrase_msg(r);
 	check_signal(&r);
 	if (r < 0)
@@ -2685,7 +2561,7 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
 	crypt_log_hex(NULL, vk, vk_size, " ", 16, "\n\t\t");
 	log_std("\n");
 out:
-	crypt_safe_free(password);
+	crypt_keyslot_context_free(kc);
 	crypt_safe_free(vk);
 	return r;
 }
@@ -2809,8 +2685,7 @@ static int action_luksSuspend(void)
 static int action_luksResume(void)
 {
 	struct crypt_device *cd = NULL;
-	char *password = NULL, *vk_description_activation = NULL;
-	size_t passwordLen;
+	char *vk_description_activation = NULL;
 	int r, tries;
 	struct crypt_active_device cad;
 	const char *req_type = luksType(device_type);
@@ -2823,7 +2698,7 @@ static int action_luksResume(void)
 		return r;
 
 	if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) {
-		r = parse_vk_and_keyring_description(cd, keyring_links, keyring_links_count);
+		r = tools_parse_vk_and_keyring_description(cd, keyring_links, keyring_links_count);
 		if (r < 0)
 			goto out;
 	}
@@ -2860,45 +2735,44 @@ static int action_luksResume(void)
 	}
 
 	/* try to resume LUKS2 device by token first */
-	r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
-			      action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
-			      set_tries_tty(), false, ARG_SET(OPT_TOKEN_ONLY_ID));
+	r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
+				  action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
+				  set_tries_tty(false), false,
+				  ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+				  NULL);
 
 	if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 		goto out;
 
 	if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
-		r = parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description_activation);
+		r = tools_parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description_activation);
 		if (r < 0)
 			goto out;
 		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation, &kc);
+		free(vk_description_activation);
 		if (r)
 			goto out;
 		r = crypt_resume_by_keyslot_context(cd, action_argv[0], CRYPT_ANY_SLOT, kc);
 		goto out;
 	}
 
-	tries = set_tries_tty();
+	tries = set_tries_tty(true);
 	do {
-		r = tools_get_key(NULL, &password, &passwordLen,
-			ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-			ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
+		r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc);
 		if (r < 0)
 			goto out;
 
-		r = crypt_resume_by_passphrase(cd, action_argv[0], ARG_INT32(OPT_KEY_SLOT_ID),
-					       password, passwordLen);
+		r = crypt_resume_by_keyslot_context(cd, action_argv[0], ARG_INT32(OPT_KEY_SLOT_ID), kc);
+		crypt_keyslot_context_free(kc);
+		kc = NULL;
+
 		tools_passphrase_msg(r);
 		check_signal(&r);
 		tools_keyslot_msg(r, UNLOCKED);
 
-		crypt_safe_free(password);
-		password = NULL;
 	} while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
 out:
 	crypt_keyslot_context_free(kc);
-	crypt_safe_free(password);
-	free(vk_description_activation);
 	crypt_free(cd);
 	return r;
 }
@@ -3029,12 +2903,20 @@ static int action_open(void)
 
 static int opal_erase(struct crypt_device *cd, bool factory_reset) {
 	char *password = NULL;
-	size_t password_size = 0;
+	size_t password_size = 0, keyfile_size_max;
 	int r;
 
+	/* limit PSID keyfile read if not set otherwise */
+	if (!factory_reset || ARG_SET(OPT_KEYFILE_SIZE_ID))
+		keyfile_size_max = ARG_UINT32(OPT_KEYFILE_SIZE_ID);
+	else {
+		log_dbg("Limiting PSID keyfile size to %d characters.", OPAL_PSID_LEN);
+		keyfile_size_max = OPAL_PSID_LEN;
+	}
+
 	r = tools_get_key(factory_reset ? _("Enter OPAL PSID: ") : _("Enter OPAL Admin password: "),
 				&password, &password_size, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
-				ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
+				keyfile_size_max, ARG_STR(OPT_KEY_FILE_ID),
 				ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
 	if (r < 0)
 		return r;
@@ -3433,7 +3315,7 @@ static const char *verify_tcryptdump(void)
 	return NULL;
 }
 
-static const char * verify_open(void)
+static const char *verify_open(void)
 {
 	if (ARG_SET(OPT_PERSISTENT_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID))
 		return _("Option --persistent is not allowed with --test-passphrase.");
@@ -3475,6 +3357,13 @@ static const char * verify_open(void)
 	if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
 		return _("Option --unbound cannot be used without --test-passphrase.");
 
+	if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID) && (ARG_SET(OPT_HASH_ID) ||
+		ARG_SET(OPT_VOLUME_KEY_FILE_ID)) && !strcmp_or_null(device_type, "plain"))
+		return _("Option --volume-key-keyring cannot be combined with --hash or --volume-key-file.");
+
+	if (vk_files[1] && !key_sizes[1])
+		return _("Both --volume-key-file options must be paired with respective --key-size options.");
+
 	/* "open --type tcrypt" and "tcryptDump" checks are identical */
 	return verify_tcryptdump();
 }
@@ -3497,15 +3386,18 @@ static const char *verify_resize(void)
 
 static const char *verify_reencrypt(void)
 {
-	if (ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID) && ARG_SET(OPT_DEVICE_SIZE_ID))
-		return _("Options --reduce-device-size and --device-size cannot be combined.");
-
 	if (isLUKS1(luksType(device_type)) && ARG_SET(OPT_ACTIVE_NAME_ID))
 		return _("Option --active-name can be set only for LUKS2 device.");
 
 	if (ARG_SET(OPT_ACTIVE_NAME_ID) && ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
 		return _("Options --active-name and --force-offline-reencrypt cannot be combined.");
 
+	if (ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) && ARG_SET(OPT_KEEP_KEY_ID))
+		return _("Options --new-volume-key-file and --keep-key cannot be combined.");
+
+	if (ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID) && ARG_SET(OPT_KEEP_KEY_ID))
+		return _("Options --new-volume-key-keyring and --keep-key cannot be combined.");
+
 	return NULL;
 }
 
@@ -3681,7 +3573,7 @@ static void help(poptContext popt_context,
 			 DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
 			 DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
 			 DEFAULT_RNG);
-#if defined(ENABLE_LUKS_ADJUST_XTS_KEYSIZE) && DEFAULT_LUKS1_KEYBITS != 512
+#if ENABLE_LUKS_ADJUST_XTS_KEYSIZE && DEFAULT_LUKS1_KEYBITS != 512
 		log_std(_("\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"));
 #endif
 		tools_cleanup();
@@ -3789,6 +3681,23 @@ static void basic_options_cb(poptContext popt_context,
 			usage(popt_context, EXIT_FAILURE,
 			      _("Key size must be a multiple of 8 bits"),
 			      poptGetInvocationName(popt_context));
+
+		if (key_sizes_count < 2)
+			key_sizes[key_sizes_count++] = ARG_UINT32(OPT_KEY_SIZE_ID);
+		else {
+			usage(popt_context, EXIT_FAILURE,
+			      _("At most 2 key size specifications can be supplied."),
+			      poptGetInvocationName(popt_context));
+		}
+		break;
+	case OPT_INTEGRITY_KEY_SIZE_ID:
+		if (ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID) == 0)
+			usage(popt_context, EXIT_FAILURE, poptStrerror(POPT_ERROR_BADNUMBER),
+			      poptGetInvocationName(popt_context));
+		if (ARG_UINT32(OPT_INTEGRITY_KEY_SIZE_ID) % 8)
+			usage(popt_context, EXIT_FAILURE,
+			      _("Key size must be a multiple of 8 bits"),
+			      poptGetInvocationName(popt_context));
 		break;
 	case OPT_KEY_SLOT_ID:
 		check_key_slot_value(popt_context);
@@ -3802,6 +3711,17 @@ static void basic_options_cb(poptContext popt_context,
 			      _("Key size must be a multiple of 8 bits"),
 			      poptGetInvocationName(popt_context));
 		break;
+	case OPT_VOLUME_KEY_FILE_ID:
+		if (vk_files_count < 2)
+			vk_files[vk_files_count++] = strdup(ARG_STR(OPT_VOLUME_KEY_FILE_ID));
+		else {
+			if (snprintf(buf, sizeof(buf), _("At most %d volume key specifications can be supplied."), 2) < 0)
+				buf[0] = '\0';
+			usage(popt_context, EXIT_FAILURE,
+			      buf,
+			      poptGetInvocationName(popt_context));
+		}
+		break;
 	case OPT_VOLUME_KEY_KEYRING_ID:
 		if (vks_in_keyring_count < MAX_VK_IN_KEYRING)
 			vks_in_keyring[vks_in_keyring_count++] = strdup(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID));
@@ -4032,6 +3952,16 @@ int main(int argc, const char **argv)
 		_("Cannot link volume key to a keyring when keyring is disabled."),
 		poptGetInvocationName(popt_context));
 
+	if (ARG_SET(OPT_DISABLE_KEYRING_ID) && (ARG_SET(OPT_KEY_DESCRIPTION_ID) || ARG_SET(OPT_NEW_KEY_DESCRIPTION_ID)))
+		usage(popt_context, EXIT_FAILURE,
+		_("Cannot use keyring key description when keyring is disabled."),
+		poptGetInvocationName(popt_context));
+
+	if (ARG_SET(OPT_INTEGRITY_INLINE_ID) && !ARG_SET(OPT_INTEGRITY_ID))
+		usage(popt_context, EXIT_FAILURE,
+		_("Inline integrity must be used together with --integrity option."),
+		poptGetInvocationName(popt_context));
+
 	if (ARG_SET(OPT_DEBUG_ID) || ARG_SET(OPT_DEBUG_JSON_ID)) {
 		crypt_set_debug_level(ARG_SET(OPT_DEBUG_JSON_ID)? CRYPT_DEBUG_JSON : CRYPT_DEBUG_ALL);
 		dbg_version_and_cmd(argc, argv);
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
index 1d21d02..c0cd88a 100644
--- a/src/cryptsetup.h
+++ b/src/cryptsetup.h
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #ifndef CRYPTSETUP_H
@@ -90,6 +90,7 @@ struct tools_progress_params {
 
 int tools_progress(uint64_t size, uint64_t offset, void *usrptr);
 const char *tools_get_device_name(const char *device, char **r_backing_file);
+int tools_check_newname(const char *name);
 
 int tools_read_vk(const char *file, char **key, int keysize);
 int tools_write_mk(const char *file, const char *key, int keysize);
@@ -116,6 +117,13 @@ int tools_lookup_crypt_device(struct crypt_device *cd, const char *type,
 /* each utility is required to implement it */
 void tools_cleanup(void);
 
+/* keyring helpers */
+int tools_parse_vk_description(const char *key_description, char **ret_key_description);
+int tools_parse_vk_and_keyring_description(
+	struct crypt_device *cd,
+	char **keyring_key_descriptions,
+	int keyring_key_links_count);
+
 /* Log */
 #define log_dbg(x...) crypt_logf(NULL, CRYPT_LOG_DEBUG, x)
 #define log_std(x...) crypt_logf(NULL, CRYPT_LOG_NORMAL, x)
diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h
index 18ba58e..eebe749 100644
--- a/src/cryptsetup_arg_list.h
+++ b/src/cryptsetup_arg_list.h
@@ -2,8 +2,8 @@
 /*
  * Cryptsetup command line arguments list
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 /* long name, short name, popt type, help description, units, internal argument type, default value, allowed actions (empty=global) */
@@ -52,6 +52,8 @@ ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check
 
 ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS)
 
+ARG(OPT_FORCE_NO_KEYSLOTS, '\0', POPT_ARG_NONE, N_("Force dangerous reencryption operation erasing all remaining keyslots"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_NO_KEYSLOTS_ACTIONS)
+
 ARG(OPT_HASH, 'h', POPT_ARG_STRING, N_("The hash used to create the encryption key from the passphrase"), NULL, CRYPT_ARG_STRING, {}, {})
 
 ARG(OPT_HEADER, '\0', POPT_ARG_STRING, N_("Device or file with separated LUKS header"), NULL, CRYPT_ARG_STRING, {}, {})
@@ -70,6 +72,10 @@ ARG(OPT_INIT_ONLY, '\0', POPT_ARG_NONE, N_("Initialize LUKS2 reencryption in met
 
 ARG(OPT_INTEGRITY, 'I', POPT_ARG_STRING, N_("Data integrity algorithm (LUKS2 only)"), NULL, CRYPT_ARG_STRING, {}, OPT_INTEGRITY_ACTIONS)
 
+ARG(OPT_INTEGRITY_INLINE, '\0', POPT_ARG_NONE, N_("Use inline mode (use HW integrity field)"), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_INLINE_ACTIONS)
+
+ARG(OPT_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the data integrity key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
+
 ARG(OPT_INTEGRITY_LEGACY_PADDING,'\0', POPT_ARG_NONE, N_("Use inefficient legacy padding (old kernels)"), NULL, CRYPT_ARG_BOOL, {}, {})
 
 ARG(OPT_INTEGRITY_NO_JOURNAL, '\0', POPT_ARG_NONE, N_("Disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {})
@@ -84,7 +90,7 @@ ARG(OPT_JSON_FILE, '\0', POPT_ARG_STRING, N_("Read or write the json from or to
 
 ARG(OPT_KEEP_KEY, '\0', POPT_ARG_NONE, N_("Do not change volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_KEEP_KEY_ACTIONS)
 
-ARG(OPT_KEY_DESCRIPTION, '\0', POPT_ARG_STRING, N_("Key description"), NULL, CRYPT_ARG_STRING, {}, {})
+ARG(OPT_KEY_DESCRIPTION, '\0', POPT_ARG_STRING, N_("Keyring key description"), NULL, CRYPT_ARG_STRING, {}, OPT_KEY_DESCRIPTION_ACTIONS)
 
 ARG(OPT_KEY_FILE, 'd', POPT_ARG_STRING, N_("Read the key from a file"), NULL, CRYPT_ARG_STRING, {}, {})
 
@@ -114,10 +120,18 @@ ARG(OPT_NEW_KEYFILE_OFFSET , '\0', POPT_ARG_STRING, N_("Number of bytes to skip
 
 ARG(OPT_NEW_KEYFILE_SIZE, '\0', POPT_ARG_STRING, N_("Limits the read from newly added keyfile"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
 
+ARG(OPT_NEW_KEY_DESCRIPTION, '\0', POPT_ARG_STRING, N_("Keyring new key description"), NULL, CRYPT_ARG_STRING, {}, OPT_NEW_KEY_DESCRIPTION_ACTIONS)
+
+ARG(OPT_NEW_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the new encryption key"), N_("BITS"), CRYPT_ARG_UINT32, {}, OPT_NEW_KEY_SIZE_ACTIONS)
+
 ARG(OPT_NEW_KEY_SLOT, '\0', POPT_ARG_STRING, N_("Slot number for new key (default is first free)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_SLOT }, OPT_NEW_KEY_SLOT_ACTIONS)
 
 ARG(OPT_NEW_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT", CRYPT_ARG_INT32, { .i32_value = CRYPT_ANY_TOKEN }, OPT_NEW_TOKEN_ID_ACTIONS)
 
+ARG(OPT_NEW_VOLUME_KEY_FILE, '\0', POPT_ARG_STRING, N_("Use the new volume key from file"), NULL, CRYPT_ARG_STRING, {}, OPT_NEW_VOLUME_KEY_FILE_ACTIONS)
+
+ARG(OPT_NEW_VOLUME_KEY_KEYRING, '\0', POPT_ARG_STRING, N_("Use the specified keyring key as new volume key"), NULL, CRYPT_ARG_STRING, {}, OPT_NEW_VOLUME_KEY_KEYRING_ACTIONS)
+
 ARG(OPT_OFFSET, 'o', POPT_ARG_STRING, N_("The start offset in the backend device"), N_("SECTORS"), CRYPT_ARG_UINT64, {}, OPT_OFFSET_ACTIONS)
 
 ARG(OPT_PBKDF, '\0', POPT_ARG_STRING, N_("PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"), NULL, CRYPT_ARG_STRING, {}, OPT_PBKDF_ACTIONS)
@@ -128,6 +142,8 @@ ARG(OPT_PBKDF_MEMORY, '\0', POPT_ARG_STRING, N_("PBKDF memory cost limit"), N_("
 
 ARG(OPT_PBKDF_PARALLEL, '\0', POPT_ARG_STRING, N_("PBKDF parallel cost"), N_("threads"), CRYPT_ARG_UINT32, { .u32_value = DEFAULT_LUKS2_PARALLEL_THREADS }, {})
 
+ARG(OPT_PERF_HIGH_PRIORITY, '\0', POPT_ARG_NONE, N_("Set dm-crypt workqueues and the writer thread to high priority"), NULL, CRYPT_ARG_BOOL, {}, {})
+
 ARG(OPT_PERF_NO_READ_WORKQUEUE, '\0', POPT_ARG_NONE, N_("Bypass dm-crypt workqueue and process read requests synchronously"), NULL, CRYPT_ARG_BOOL, {}, {})
 
 ARG(OPT_PERF_NO_WRITE_WORKQUEUE, '\0', POPT_ARG_NONE, N_("Bypass dm-crypt workqueue and process write requests synchronously"), NULL, CRYPT_ARG_BOOL, {}, {})
@@ -204,7 +220,7 @@ ARG(OPT_VERACRYPT, '\0', POPT_ARG_NONE, N_("Scan also for VeraCrypt compatible d
 
 ARG(OPT_VERACRYPT_PIM, '\0', POPT_ARG_STRING, N_("Personal Iteration Multiplier for VeraCrypt compatible device"), "INT", CRYPT_ARG_UINT32, {}, OPT_VERACRYPT_PIM_ACTIONS)
 
-ARG(OPT_VERACRYPT_QUERY_PIM, '\0', POPT_ARG_NONE, N_("Query Personal Iteration Multiplier for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, {})
+ARG(OPT_VERACRYPT_QUERY_PIM, '\0', POPT_ARG_NONE, N_("Query Personal Iteration Multiplier for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, OPT_VERACRYPT_QUERY_PIM_ACTIONS)
 
 ARG(OPT_VERBOSE, 'v', POPT_ARG_NONE, N_("Shows more detailed error messages"), NULL, CRYPT_ARG_BOOL, {}, {})
 
@@ -230,4 +246,4 @@ ARG(OPT_WRITE_LOG, '\0', POPT_ARG_NONE, N_("Update log file after every block"),
 
 ARG(OPT_DUMP_MASTER_KEY, '\0', POPT_ARG_NONE, N_("Alias for --dump-volume-key"), NULL, CRYPT_ARG_ALIAS, { .o.id = OPT_DUMP_VOLUME_KEY_ID}, {})
 
-ARG(OPT_MASTER_KEY_FILE, '\0', POPT_ARG_STRING, N_("Alias for --dump-volume-key-file"), NULL, CRYPT_ARG_ALIAS, { .o.id = OPT_VOLUME_KEY_FILE_ID}, {})
+ARG(OPT_MASTER_KEY_FILE, '\0', POPT_ARG_STRING, N_("Alias for --volume-key-file"), NULL, CRYPT_ARG_ALIAS, { .o.id = OPT_VOLUME_KEY_FILE_ID}, {})
diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h
index 89f8c47..43926f9 100644
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
@@ -2,8 +2,8 @@
 /*
  * Command line arguments helpers
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 #ifndef CRYPTSETUP_ARGS_H
@@ -50,15 +50,17 @@
 #define OPT_ERASE_ACTIONS			{ ERASE_ACTION }
 #define OPT_EXTERNAL_TOKENS_PATH_ACTIONS	{ RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION }
 #define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS	{ REENCRYPT_ACTION }
+#define OPT_FORCE_NO_KEYSLOTS_ACTIONS		{ REENCRYPT_ACTION }
 #define OPT_HOTZONE_SIZE_ACTIONS		{ REENCRYPT_ACTION }
 #define OPT_HW_OPAL_ACTIONS			{ FORMAT_ACTION }
 #define OPT_HW_OPAL_ONLY_ACTIONS		OPT_HW_OPAL_ACTIONS
 #define OPT_INTEGRITY_ACTIONS			{ FORMAT_ACTION }
+#define OPT_INTEGRITY_INLINE_ACTIONS		{ FORMAT_ACTION }
 #define OPT_INTEGRITY_NO_WIPE_ACTIONS		{ FORMAT_ACTION }
 #define OPT_ITER_TIME_ACTIONS			{ BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION }
 #define OPT_IV_LARGE_SECTORS_ACTIONS		{ OPEN_ACTION }
 #define OPT_KEEP_KEY_ACTIONS			{ REENCRYPT_ACTION }
-#define OPT_KEY_DESCRIPTION_ACTIONS		{ TOKEN_ACTION }
+#define OPT_KEY_DESCRIPTION_ACTIONS		{ TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION, OPEN_ACTION, RESUME_ACTION, ADDKEY_ACTION, REENCRYPT_ACTION }
 #define OPT_KEY_SIZE_ACTIONS			{ OPEN_ACTION, BENCHMARK_ACTION, FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION }
 #define OPT_KEY_SLOT_ACTIONS			{ OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION, RESUME_ACTION }
 #define OPT_KEYSLOT_CIPHER_ACTIONS		{ FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION }
@@ -68,8 +70,12 @@
 #define OPT_LUKS2_KEYSLOTS_SIZE_ACTIONS		{ REENCRYPT_ACTION, FORMAT_ACTION }
 #define OPT_LUKS2_METADATA_SIZE_ACTIONS		{ REENCRYPT_ACTION, FORMAT_ACTION }
 #define OPT_NEW_KEYFILE_ACTIONS			{ ADDKEY_ACTION }
+#define OPT_NEW_KEY_DESCRIPTION_ACTIONS		{ ADDKEY_ACTION }
 #define OPT_NEW_KEY_SLOT_ACTIONS		{ ADDKEY_ACTION }
+#define OPT_NEW_KEY_SIZE_ACTIONS		{ REENCRYPT_ACTION }
 #define OPT_NEW_TOKEN_ID_ACTIONS		{ ADDKEY_ACTION }
+#define OPT_NEW_VOLUME_KEY_FILE_ACTIONS		{ REENCRYPT_ACTION }
+#define OPT_NEW_VOLUME_KEY_KEYRING_ACTIONS	{ REENCRYPT_ACTION }
 #define OPT_OFFSET_ACTIONS			{ OPEN_ACTION, REENCRYPT_ACTION, FORMAT_ACTION }
 #define OPT_PBKDF_ACTIONS			{ BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION }
 #define OPT_PBKDF_FORCE_ITERATIONS_ACTIONS	{ FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION }
diff --git a/src/integritysetup.c b/src/integritysetup.c
index f06bdc9..a1d7785 100644
--- a/src/integritysetup.c
+++ b/src/integritysetup.c
@@ -2,8 +2,8 @@
 /*
  * integritysetup - setup integrity protected volumes for dm-integrity
  *
- * Copyright (C) 2017-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2017-2024 Milan Broz
+ * Copyright (C) 2017-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2017-2025 Milan Broz
  */
 
 #include <uuid/uuid.h>
@@ -112,11 +112,6 @@ static int action_format(void)
 {
 	struct crypt_device *cd = NULL;
 	struct crypt_params_integrity params = {
-		.journal_size = ARG_UINT64(OPT_JOURNAL_SIZE_ID),
-		.interleave_sectors = ARG_UINT32(OPT_INTERLEAVE_SECTORS_ID),
-		/* in bitmap mode we have to overload these values... */
-		.journal_watermark = ARG_SET(OPT_INTEGRITY_BITMAP_MODE_ID) ? ARG_UINT32(OPT_BITMAP_SECTORS_PER_BIT_ID) : ARG_UINT32(OPT_JOURNAL_WATERMARK_ID),
-		.journal_commit_time = ARG_SET(OPT_INTEGRITY_BITMAP_MODE_ID) ? ARG_UINT32(OPT_BITMAP_FLUSH_TIME_ID) : ARG_UINT32(OPT_JOURNAL_COMMIT_TIME_ID),
 		.buffer_sectors = ARG_UINT32(OPT_BUFFER_SECTORS_ID),
 		.tag_size = ARG_UINT32(OPT_TAG_SIZE_ID),
 		.sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID),
@@ -133,22 +128,31 @@ static int action_format(void)
 	}
 	params.integrity = integrity;
 
-	if (ARG_SET(OPT_JOURNAL_INTEGRITY_ID)) {
-		r = crypt_parse_hash_integrity_mode(ARG_STR(OPT_JOURNAL_INTEGRITY_ID), journal_integrity);
-		if (r < 0) {
-			log_err(_("No known integrity specification pattern detected."));
-			return r;
+	if (!ARG_SET(OPT_INTEGRITY_INLINE_ID)) {
+		params.journal_size = ARG_UINT64(OPT_JOURNAL_SIZE_ID);
+		params.interleave_sectors = ARG_UINT32(OPT_INTERLEAVE_SECTORS_ID);
+		/* in bitmap mode we have to overload these values... */
+		params.journal_watermark = ARG_SET(OPT_INTEGRITY_BITMAP_MODE_ID) ? ARG_UINT32(OPT_BITMAP_SECTORS_PER_BIT_ID) : ARG_UINT32(OPT_JOURNAL_WATERMARK_ID);
+		params.journal_commit_time = ARG_SET(OPT_INTEGRITY_BITMAP_MODE_ID) ? ARG_UINT32(OPT_BITMAP_FLUSH_TIME_ID) : ARG_UINT32(OPT_JOURNAL_COMMIT_TIME_ID);
+
+		if (ARG_SET(OPT_JOURNAL_INTEGRITY_ID)) {
+			r = crypt_parse_hash_integrity_mode(ARG_STR(OPT_JOURNAL_INTEGRITY_ID), journal_integrity);
+			if (r < 0) {
+				log_err(_("No known integrity specification pattern detected."));
+				return r;
+			}
+			params.journal_integrity = journal_integrity;
 		}
-		params.journal_integrity = journal_integrity;
-	}
 
-	if (ARG_SET(OPT_JOURNAL_CRYPT_ID)) {
-		r = crypt_parse_hash_integrity_mode(ARG_STR(OPT_JOURNAL_CRYPT_ID), journal_crypt);
-		if (r < 0) {
-			log_err(_("No known integrity specification pattern detected."));
-			return r;
+		if (ARG_SET(OPT_JOURNAL_CRYPT_ID)) {
+			r = crypt_parse_hash_integrity_mode(ARG_STR(OPT_JOURNAL_CRYPT_ID), journal_crypt);
+			if (r < 0) {
+				log_err(_("No known integrity specification pattern detected."));
+				return r;
+			}
+			params.journal_crypt = journal_crypt;
 		}
-		params.journal_crypt = journal_crypt;
+
 	}
 
 	r = _read_keys(&integrity_key, &params);
@@ -196,13 +200,18 @@ static int action_format(void)
 	if (ARG_SET(OPT_INTEGRITY_LEGACY_HMAC_ID))
 		crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_HMAC);
 
-	r = crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, &params);
+	if (ARG_SET(OPT_INTEGRITY_INLINE_ID))
+		r = crypt_format_inline(cd, CRYPT_INTEGRITY, NULL, NULL, NULL,
+					integrity_key, params.integrity_key_size, &params);
+	else
+		r = crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL,
+				 integrity_key, params.integrity_key_size, &params);
 	if (r < 0) /* FIXME: call wipe signatures again */
 		goto out;
 
 	if (!ARG_SET(OPT_BATCH_MODE_ID) && !crypt_get_integrity_info(cd, &params2))
-		log_std(_("Formatted with tag size %u, internal integrity %s.\n"),
-			params2.tag_size, params2.integrity);
+		log_std(_("Formatted with tag size %u%s, internal integrity %s.\n"),
+			params2.tag_size, ARG_SET(OPT_INTEGRITY_INLINE_ID) ? _(" (inline hw tags)") : "", params2.integrity);
 
 	if (!ARG_SET(OPT_NO_WIPE_ID)) {
 		r = _wipe_data_device(cd, integrity_key);
@@ -227,6 +236,7 @@ static int action_resize(void)
 	uint64_t old_dev_size;
 	char path[PATH_MAX];
 	char *backing_file = NULL;
+	uint32_t reactivate_flags;
 	struct tools_progress_params prog_parms = {
 		.frequency = ARG_UINT32(OPT_PROGRESS_FREQUENCY_ID),
 		.batch_mode = ARG_SET(OPT_BATCH_MODE_ID),
@@ -256,12 +266,14 @@ static int action_resize(void)
 	if (r)
 		goto out;
 
-	if (!new_dev_size) {
-		r = crypt_get_active_device(cd, action_argv[0], &cad);
-		if (r)
-			goto out;
+	r = crypt_get_active_device(cd, action_argv[0], &cad);
+	if (r)
+		goto out;
+
+	reactivate_flags = CRYPT_ACTIVATE_REFRESH | (cad.flags & CRYPT_ACTIVATE_INLINE_MODE);
+
+	if (!new_dev_size)
 		new_dev_size = cad.size;
-	}
 
 	if (new_dev_size > old_dev_size) {
 		if (ARG_SET(OPT_WIPE_ID)) {
@@ -279,15 +291,14 @@ static int action_resize(void)
 			set_int_block(0);
 		} else {
 			log_dbg("Setting recalculate flag");
-			r = crypt_activate_by_volume_key(cd, action_argv[0], NULL, 0, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_RECALCULATE);
-
+			reactivate_flags |= CRYPT_ACTIVATE_RECALCULATE;
+			r = crypt_activate_by_volume_key(cd, action_argv[0], NULL, 0, reactivate_flags);
 			if (r == -ENOTSUP)
 				log_err(_("Setting recalculate flag is not supported, you may consider using --wipe instead."));
 		}
 	}
 out:
-	if (backing_file)
-		free(backing_file);
+	free(backing_file);
 	crypt_free(cd);
 	return r;
 }
@@ -348,6 +359,9 @@ static int action_open(void)
 	if (ARG_SET(OPT_ALLOW_DISCARDS_ID))
 		activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
 
+	if ((r = tools_check_newname(action_argv[1])))
+		goto out;
+
 	r = _read_keys(&integrity_key, &params);
 	if (r)
 		goto out;
@@ -410,6 +424,7 @@ static int action_status(void)
 	char *backing_file;
 	const char *device, *metadata_device;
 	int path = 0, r = 0;
+	uint64_t sector_size;
 
 	/* perhaps a path, not a dm device name */
 	if (strchr(action_argv[0], '/'))
@@ -451,7 +466,7 @@ static int action_status(void)
 		if (r < 0)
 			goto out;
 
-		log_std("  tag size: %u\n", ip.tag_size);
+		log_std("  tag size: %u [bytes]\n", ip.tag_size);
 		log_std("  integrity: %s\n", ip.integrity ?: "(none)");
 		device = crypt_get_device_name(cd);
 		metadata_device = crypt_get_metadata_device_name(cd);
@@ -467,9 +482,10 @@ static int action_status(void)
 				free(backing_file);
 			}
 		}
-		log_std("  sector size:  %u bytes\n", crypt_get_sector_size(cd));
+		sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
+		log_std("  sector size:  %" PRIu64 " [bytes]\n", sector_size);
 		log_std("  interleave sectors: %u\n", ip.interleave_sectors);
-		log_std("  size:    %" PRIu64 " sectors\n", cad.size);
+		log_std("  size:    %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
 		log_std("  mode:    %s%s\n",
 			cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write",
 			cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : "");
@@ -477,13 +493,17 @@ static int action_status(void)
 			crypt_get_active_integrity_failures(cd, action_argv[0]));
 		if (cad.flags & CRYPT_ACTIVATE_NO_JOURNAL_BITMAP) {
 			log_std("  bitmap 512-byte sectors per bit: %u\n", ip.journal_watermark);
-			log_std("  bitmap flush interval: %u ms\n", ip.journal_commit_time);
-		} if (cad.flags & CRYPT_ACTIVATE_NO_JOURNAL) {
+			log_std("  bitmap flush interval: %u [ms]\n", ip.journal_commit_time);
+		}
+		if (cad.flags & CRYPT_ACTIVATE_INLINE_MODE) {
+			log_std("  inline mode\n");
+		}
+		if (cad.flags & CRYPT_ACTIVATE_NO_JOURNAL) {
 			log_std("  journal: not active\n");
 		} else {
-			log_std("  journal size: %" PRIu64 " bytes\n", ip.journal_size);
+			log_std("  journal size: %" PRIu64 " [bytes]\n", ip.journal_size);
 			log_std("  journal watermark: %u%%\n", ip.journal_watermark);
-			log_std("  journal commit time: %u ms\n", ip.journal_commit_time);
+			log_std("  journal commit time: %u [ms]\n", ip.journal_commit_time);
 			if (ip.journal_integrity)
 				log_std("  journal integrity MAC: %s\n", ip.journal_integrity);
 			if (ip.journal_crypt)
@@ -749,6 +769,16 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, _("Bitmap options can be used only in bitmap mode."),
 		      poptGetInvocationName(popt_context));
 
+	if (ARG_SET(OPT_INTEGRITY_INLINE_ID) && (ARG_SET(OPT_INTEGRITY_BITMAP_MODE_ID) ||
+	    ARG_SET(OPT_JOURNAL_INTEGRITY_ID) || ARG_SET(OPT_JOURNAL_CRYPT_ID) ||
+	    ARG_SET(OPT_JOURNAL_WATERMARK_ID) || ARG_SET(OPT_JOURNAL_COMMIT_TIME_ID)))
+		usage(popt_context, EXIT_FAILURE, _("Inline mode cannot be combined with journal or bitmap options."),
+		      poptGetInvocationName(popt_context));
+
+	if (ARG_SET(OPT_INTEGRITY_INLINE_ID) && ARG_SET(OPT_DATA_DEVICE_ID))
+		usage(popt_context, EXIT_FAILURE, _("Inline mode cannot be combined with separate data device."),
+		      poptGetInvocationName(popt_context));
+
 	if (ARG_SET(OPT_CANCEL_DEFERRED_ID) && ARG_SET(OPT_DEFERRED_ID))
 		usage(popt_context, EXIT_FAILURE,
 		      _("Options --cancel-deferred and --deferred cannot be used at the same time."),
diff --git a/src/integritysetup_arg_list.h b/src/integritysetup_arg_list.h
index 2483810..ada8e28 100644
--- a/src/integritysetup_arg_list.h
+++ b/src/integritysetup_arg_list.h
@@ -2,8 +2,8 @@
 /*
  * Integritysetup command line arguments list
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 /* long name, short name, popt type, help description, units, internal argument type, default value */
@@ -34,9 +34,11 @@ ARG(OPT_INTEGRITY, 'I', POPT_ARG_STRING, N_("Data integrity algorithm"), NULL, C
 
 ARG(OPT_INTEGRITY_BITMAP_MODE, 'B', POPT_ARG_NONE, N_("Use bitmap to track changes and disable journal for integrity device"), NULL, CRYPT_ARG_BOOL, {}, {})
 
+ARG(OPT_INTEGRITY_INLINE, '\0', POPT_ARG_NONE, N_("Use inline integrity mode (HW sector tags)"), NULL, CRYPT_ARG_BOOL, {}, OPT_INTEGRITY_INLINE_ACTIONS)
+
 ARG(OPT_INTEGRITY_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the integrity key from a file"), NULL, CRYPT_ARG_STRING, {}, {})
 
-ARG(OPT_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the data integrity key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
+ARG(OPT_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the data integrity key"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
 
 ARG(OPT_INTEGRITY_LEGACY_PADDING, '\0', POPT_ARG_NONE, N_("Use inefficient legacy padding (old kernels)"), NULL, CRYPT_ARG_BOOL, {}, {})
 
@@ -58,7 +60,7 @@ ARG(OPT_JOURNAL_COMMIT_TIME, '\0', POPT_ARG_STRING, N_("Journal commit time"), N
 
 ARG(OPT_JOURNAL_INTEGRITY, '\0', POPT_ARG_STRING, N_("Journal integrity algorithm"), NULL, CRYPT_ARG_STRING, {}, {})
 
-ARG(OPT_JOURNAL_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal integrity key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
+ARG(OPT_JOURNAL_INTEGRITY_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal integrity key"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
 
 ARG(OPT_JOURNAL_INTEGRITY_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the journal integrity key from a file"), NULL, CRYPT_ARG_STRING, {}, {})
 
@@ -66,7 +68,7 @@ ARG(OPT_JOURNAL_CRYPT, '\0', POPT_ARG_STRING, N_("Journal encryption algorithm")
 
 ARG(OPT_JOURNAL_CRYPT_KEY_FILE, '\0', POPT_ARG_STRING, N_("Read the journal encryption key from a file"), NULL, CRYPT_ARG_STRING,{}, {})
 
-ARG(OPT_JOURNAL_CRYPT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal encryption key"), N_("BITS"), CRYPT_ARG_UINT32, {}, {})
+ARG(OPT_JOURNAL_CRYPT_KEY_SIZE, '\0', POPT_ARG_STRING, N_("The size of the journal encryption key"), N_("bytes"), CRYPT_ARG_UINT32, {}, {})
 
 ARG(OPT_JOURNAL_SIZE, 'j', POPT_ARG_STRING, N_("Journal size"), N_("bytes"), CRYPT_ARG_UINT64, {}, OPT_JOURNAL_SIZE_ACTIONS)
 
diff --git a/src/integritysetup_args.h b/src/integritysetup_args.h
index a11c279..ef5be64 100644
--- a/src/integritysetup_args.h
+++ b/src/integritysetup_args.h
@@ -2,8 +2,8 @@
 /*
  * Command line arguments helpers
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 #ifndef INTEGRITYSETUP_ARGS_H
@@ -23,6 +23,7 @@
 #define OPT_DEFERRED_ACTIONS			{ CLOSE_ACTION }
 #define OPT_DEVICE_SIZE_ACTIONS			{ RESIZE_ACTION }
 #define OPT_DISABLE_BLKID_ACTIONS		{ FORMAT_ACTION }
+#define OPT_INTEGRITY_INLINE_ACTIONS		{ FORMAT_ACTION }
 #define OPT_INTEGRITY_RECALCULATE_ACTIONS	{ OPEN_ACTION }
 #define OPT_INTERLEAVE_SECTORS_ACTIONS		{ FORMAT_ACTION }
 #define OPT_JOURNAL_SIZE_ACTIONS		{ FORMAT_ACTION }
diff --git a/src/meson.build b/src/meson.build
index 3fd1ff5..ed0a2de 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -11,6 +11,8 @@ if get_option('cryptsetup')
         'utils_reencrypt.c',
         'utils_reencrypt_luks1.c',
         'utils_tools.c',
+        'utils_key_description.c',
+        'utils_keyslot_check.c',
     )
     cryptsetup_files += lib_tools_files
     cryptsetup_deps = [
@@ -23,6 +25,8 @@ if get_option('cryptsetup')
     cryptsetup = executable('cryptsetup',
         cryptsetup_files,
         dependencies: cryptsetup_deps,
+        install: true,
+        install_dir: get_option('sbindir'),
         link_with: libcryptsetup,
         link_args: link_args,
         include_directories: includes_tools)
@@ -43,6 +47,8 @@ if get_option('veritysetup')
     veritysetup = executable('veritysetup',
         veritysetup_files,
         dependencies: veritysetup_deps,
+        install: true,
+        install_dir: get_option('sbindir'),
         link_with: libcryptsetup,
         link_args: link_args,
         include_directories: includes_tools)
@@ -66,6 +72,8 @@ if get_option('integritysetup')
     integritysetup = executable('integritysetup',
         integritysetup_files,
         dependencies: integritysetup_deps,
+        install: true,
+        install_dir: get_option('sbindir'),
         link_with: libcryptsetup,
         link_args: link_args,
         include_directories: includes_tools)
diff --git a/src/utils_arg_macros.h b/src/utils_arg_macros.h
index 15f92ee..a92468b 100644
--- a/src/utils_arg_macros.h
+++ b/src/utils_arg_macros.h
@@ -2,8 +2,8 @@
 /*
  * Command line arguments parsing helpers
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 #ifndef UTILS_ARG_MACROS_H
diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h
index 8bd1c4b..a01419d 100644
--- a/src/utils_arg_names.h
+++ b/src/utils_arg_names.h
@@ -2,8 +2,8 @@
 /*
  * Command line arguments name list
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 #ifndef UTILS_ARG_NAMES_H
@@ -37,12 +37,14 @@
 #define OPT_DUMP_MASTER_KEY		"dump-master-key"
 #define OPT_DUMP_VOLUME_KEY		"dump-volume-key"
 #define OPT_ENCRYPT			"encrypt"
+#define OPT_ERROR_AS_CORRUPTION		"error-as-corruption"
 #define OPT_EXTERNAL_TOKENS_PATH	"external-tokens-path"
 #define OPT_FEC_DEVICE			"fec-device"
 #define OPT_FEC_OFFSET			"fec-offset"
 #define OPT_FEC_ROOTS			"fec-roots"
 #define OPT_FORCE_PASSWORD		"force-password"
 #define OPT_FORCE_OFFLINE_REENCRYPT	"force-offline-reencrypt"
+#define OPT_FORCE_NO_KEYSLOTS		"force-no-keyslots"
 #define OPT_FORMAT			"format"
 #define OPT_HASH			"hash"
 #define OPT_HASH_BLOCK_SIZE		"hash-block-size"
@@ -60,6 +62,7 @@
 #define OPT_INTEGRITY_BITMAP_MODE	"integrity-bitmap-mode"
 #define OPT_INTEGRITY_KEY_FILE		"integrity-key-file"
 #define OPT_INTEGRITY_KEY_SIZE		"integrity-key-size"
+#define OPT_INTEGRITY_INLINE		"integrity-inline"
 #define OPT_INTEGRITY_LEGACY_PADDING	"integrity-legacy-padding"
 #define OPT_INTEGRITY_LEGACY_HMAC	"integrity-legacy-hmac"
 #define OPT_INTEGRITY_LEGACY_RECALC	"integrity-legacy-recalculate"
@@ -101,17 +104,22 @@
 #define OPT_VOLUME_KEY_FILE		"volume-key-file"
 #define OPT_VOLUME_KEY_KEYRING		"volume-key-keyring"
 #define OPT_NEW				"new"
+#define OPT_NEW_KEY_DESCRIPTION		"new-key-description"
+#define OPT_NEW_KEY_SIZE		"new-key-size"
 #define OPT_NEW_KEY_SLOT		"new-key-slot"
 #define OPT_NEW_KEYFILE			"new-keyfile"
 #define OPT_NEW_KEYFILE_OFFSET		"new-keyfile-offset"
 #define OPT_NEW_KEYFILE_SIZE		"new-keyfile-size"
 #define OPT_NEW_TOKEN_ID		"new-token-id"
+#define OPT_NEW_VOLUME_KEY_FILE		"new-volume-key-file"
+#define OPT_NEW_VOLUME_KEY_KEYRING	"new-volume-key-keyring"
 #define OPT_OFFSET			"offset"
 #define OPT_PANIC_ON_CORRUPTION		"panic-on-corruption"
 #define OPT_PBKDF			"pbkdf"
 #define OPT_PBKDF_FORCE_ITERATIONS	"pbkdf-force-iterations"
 #define OPT_PBKDF_MEMORY		"pbkdf-memory"
 #define OPT_PBKDF_PARALLEL		"pbkdf-parallel"
+#define OPT_PERF_HIGH_PRIORITY		"perf-high_priority"
 #define OPT_PERF_NO_READ_WORKQUEUE	"perf-no_read_workqueue"
 #define OPT_PERF_NO_WRITE_WORKQUEUE	"perf-no_write_workqueue"
 #define OPT_PERF_SAME_CPU_CRYPT		"perf-same_cpu_crypt"
diff --git a/src/utils_args.c b/src/utils_args.c
index 76ff82b..e2a6085 100644
--- a/src/utils_args.c
+++ b/src/utils_args.c
@@ -2,8 +2,8 @@
 /*
  * Command line arguments parsing helpers
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 #include "cryptsetup.h"
diff --git a/src/utils_blockdev.c b/src/utils_blockdev.c
index 659eb89..dab541d 100644
--- a/src/utils_blockdev.c
+++ b/src/utils_blockdev.c
@@ -2,13 +2,13 @@
 /*
  * Linux block devices helpers
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2024 Ondrej Kozina
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Ondrej Kozina
  */
 
 #include "cryptsetup.h"
 #include <dirent.h>
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>     /* for major, minor */
 #endif
 #include <uuid/uuid.h>
@@ -51,7 +51,7 @@ static int lookup_holder_dm_name(const char *dm_uuid, dev_t devno, char **r_dm_n
 	char dm_subpath[PATH_MAX], data_dev_dir[PATH_MAX], uuid[DM_UUID_LEN], dm_name[PATH_MAX] = {};
 	ssize_t s;
 	struct stat st;
-	int dmfd, fd, len, r = 0; /* not found */
+	int dmfd, fd, dfd, len, r = 0; /* not found */
 	DIR *dir;
 
 	if (!r_dm_name)
@@ -84,7 +84,10 @@ static int lookup_holder_dm_name(const char *dm_uuid, dev_t devno, char **r_dm_n
 		}
 
 		/* looking for dm-X/dm directory, symlinks are fine */
-		dmfd = openat(dirfd(dir), dm_subpath, O_DIRECTORY | O_RDONLY);
+		dfd = dirfd(dir);
+		if (dfd < 0)
+			continue;
+		dmfd = openat(dfd, dm_subpath, O_DIRECTORY | O_RDONLY);
 		if (dmfd < 0)
 			continue;
 
diff --git a/src/utils_key_description.c b/src/utils_key_description.c
new file mode 100644
index 0000000..610e578
--- /dev/null
+++ b/src/utils_key_description.c
@@ -0,0 +1,159 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Password quality check wrapper
+ *
+ * Copyright (C) 2023-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2023-2025 Ondrej Kozina
+ * Copyright (C) 2023-2025 Milan Broz
+ */
+
+#include "cryptsetup.h"
+#include <assert.h>
+
+int tools_parse_vk_description(const char *key_description, char **ret_key_description)
+{
+	char *tmp;
+	int r;
+
+	assert(key_description);
+	assert(ret_key_description);
+
+	/* apply default key type */
+	if (*key_description != '%')
+		r = asprintf(&tmp, "%%user:%s", key_description) < 0 ? -EINVAL : 0;
+	else
+		r = (tmp = strdup(key_description)) ? 0 : -ENOMEM;
+	if (!r)
+		*ret_key_description = tmp;
+
+	return r;
+}
+
+static int parse_single_vk_and_keyring_description(
+	struct crypt_device *cd,
+	char *keyring_key_description, char **keyring_part_out, char
+	**key_part_out, char **type_part_out)
+{
+	int r = -EINVAL;
+	char *endp, *sep, *key_part, *type_part = NULL;
+	char *key_part_copy = NULL, *type_part_copy = NULL, *keyring_part = NULL;
+
+	if (!cd || !keyring_key_description)
+		return -EINVAL;
+
+	/* "::" is separator between keyring specification a key description */
+	key_part = strstr(keyring_key_description, "::");
+	if (!key_part)
+		goto out;
+
+	*key_part = '\0';
+	key_part = key_part + 2;
+
+	if (*key_part == '%') {
+		type_part = key_part + 1;
+		sep = strstr(type_part, ":");
+		if (!sep)
+			goto out;
+		*sep = '\0';
+
+		key_part = sep + 1;
+	}
+
+	if (*keyring_key_description == '%') {
+		keyring_key_description = strstr(keyring_key_description, ":");
+		if (!keyring_key_description)
+			goto out;
+		log_verbose(_("Type specification in --link-vk-to-keyring keyring specification is ignored."));
+		keyring_key_description++;
+	}
+
+	(void)strtol(keyring_key_description, &endp, 0);
+
+	r = 0;
+	if (*keyring_key_description == '@' || !*endp)
+		keyring_part = strdup(keyring_key_description);
+	else
+		r = asprintf(&keyring_part, "%%:%s", keyring_key_description);
+
+	if (!keyring_part || r < 0) {
+		r = -ENOMEM;
+		goto out;
+	}
+
+	if (!(key_part_copy = strdup(key_part))) {
+		r = -ENOMEM;
+		goto out;
+	}
+	if (type_part && !(type_part_copy = strdup(type_part)))
+		r = -ENOMEM;
+
+out:
+	if (r < 0) {
+		free(keyring_part);
+		free(key_part_copy);
+		free(type_part_copy);
+	} else {
+		*keyring_part_out = keyring_part;
+		*key_part_out = key_part_copy;
+		*type_part_out = type_part_copy;
+	}
+
+	return r;
+}
+
+int tools_parse_vk_and_keyring_description(
+	struct crypt_device *cd,
+	char **keyring_key_descriptions,
+	int keyring_key_links_count)
+{
+	int r = 0;
+
+	char *keyring_part_out1 = NULL, *key_part_out1 = NULL, *type_part_out1 = NULL;
+	char *keyring_part_out2 = NULL, *key_part_out2 = NULL, *type_part_out2 = NULL;
+
+	if (keyring_key_links_count > 0) {
+		r = parse_single_vk_and_keyring_description(cd,
+				keyring_key_descriptions[0],
+				&keyring_part_out1, &key_part_out1,
+				&type_part_out1);
+		if (r < 0)
+			goto out;
+	}
+	if (keyring_key_links_count > 1) {
+		r = parse_single_vk_and_keyring_description(cd,
+				keyring_key_descriptions[1],
+				&keyring_part_out2, &key_part_out2,
+				&type_part_out2);
+		if (r < 0)
+			goto out;
+
+		if ((type_part_out1 && type_part_out2) && strcmp(type_part_out1, type_part_out2)) {
+			log_err(_("Key types have to be the same for both volume keys."));
+			r = -EINVAL;
+			goto out;
+		}
+		if ((keyring_part_out1 && keyring_part_out2) && strcmp(keyring_part_out1, keyring_part_out2)) {
+			log_err(_("Both volume keys have to be linked to the same keyring."));
+			r = -EINVAL;
+			goto out;
+		}
+	}
+
+	if (keyring_key_links_count > 0) {
+		r = crypt_set_keyring_to_link(cd, key_part_out1, key_part_out2,
+				type_part_out1, keyring_part_out1);
+		if (r == -EAGAIN)
+			log_err(_("You need to supply more key names."));
+	}
+out:
+	if (r == -EINVAL)
+		log_err(_("Invalid --link-vk-to-keyring value."));
+	free(keyring_part_out1);
+	free(key_part_out1);
+	free(type_part_out1);
+	free(keyring_part_out2);
+	free(key_part_out2);
+	free(type_part_out2);
+
+	return r;
+}
diff --git a/src/utils_keyslot_check.c b/src/utils_keyslot_check.c
new file mode 100644
index 0000000..7db6d60
--- /dev/null
+++ b/src/utils_keyslot_check.c
@@ -0,0 +1,199 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * cryptsetup - keyslot randomness check
+ *
+ * Copyright (C) 2024-2025 Milan Broz
+ */
+
+#include <math.h>
+#include "cryptsetup.h"
+#include "utils_luks.h"
+
+static uint64_t bitcount(uint64_t *p, uint64_t count64)
+{
+	uint64_t i, l, s = 0;
+
+	for (i = 0; i < count64; i++) {
+		l = *p++;
+
+		if (l == 0)
+			continue;
+
+		l = (l & 0x5555555555555555ULL) + ((l >>  1) & 0x5555555555555555ULL);
+		l = (l & 0x3333333333333333ULL) + ((l >>  2) & 0x3333333333333333ULL);
+		l = (l & 0x0f0f0f0f0f0f0f0fULL) + ((l >>  4) & 0x0f0f0f0f0f0f0f0fULL);
+		l = (l & 0x00ff00ff00ff00ffULL) + ((l >>  8) & 0x00ff00ff00ff00ffULL);
+		l = (l & 0x0000ffff0000ffffULL) + ((l >> 16) & 0x0000ffff0000ffffULL);
+		l = (l & 0x00000000ffffffffULL) + ((l >> 32) & 0x00000000ffffffffULL);
+
+		s += l;
+	}
+
+	return s;
+}
+
+static double chisquared_bits(void *b, uint64_t count)
+{
+	size_t i;
+	double f[2] = {0};
+	double tmp, t = 0, e = count * 8 / (double)ARRAY_SIZE(f);
+
+	f[1] = bitcount((uint64_t*)b, count / sizeof(uint64_t));
+	f[0] = (count * 8) - f[1];
+
+	for (i = 0; i < ARRAY_SIZE(f); i++) {
+		/* t += pow(f[i] - e, 2) / e; */
+		tmp = f[i] - e;
+		tmp = tmp * tmp;
+		tmp = tmp / e;
+		t += tmp;
+	}
+
+	return t;
+}
+
+static double chisquared_bytes(unsigned char *N, uint64_t count)
+{
+	size_t i;
+	double f[256] = {0};
+	double tmp, t = 0, e = count / (double)ARRAY_SIZE(f);
+
+	for (i = 0; i < count; i++)
+		f[N[i]]++;
+
+	for (i = 0; i < ARRAY_SIZE(f); i++) {
+		/* t += pow(f[i] - e, 2) / e; */
+		tmp = f[i] - e;
+		tmp = tmp * tmp;
+		tmp = tmp / e;
+		t += tmp;
+	}
+
+	return t;
+}
+
+/*
+ * The keyslot area is encrypted, it should contain pseudorandom data.
+ * This function performs randomness analysis to detect a possible overwrite
+ * with a low-entropy data  (causing keyslot corruption).
+ * To limit false positives, it performs these checks:
+ *    - splits the keyslot area to 4096-byte blocks
+ *    - if the last block is a partial, it uses the last 4096 bytes instead
+ *    - with 4096-byte blocks, run Chi-squared test (alpha 0.001 with right tail only)
+ *      that expects uniform bytes distribution
+ *    - if the test value is larger than the critical value,
+ *      it tries to search in 128-byte subblocks
+ *    - with 128-byte blocks, run Chi-squared test (alpha 0.0001 with right tail only)
+ *      that expects uniform bits distribution
+ *
+ * Note: this test cannot detect all corruptions and can produce false positives.
+ *       It is just a hint for the user.
+ */
+static void run_analysis(int keyslot, unsigned char *buffer,
+			 uint64_t length, uint64_t start,
+			 bool *hexdump_hint, int hint_max)
+{
+	const unsigned int BLOCK = 4096, SUBBLOCK = 128;
+	uint64_t ofs, ofs2;
+	bool suspected = false;
+	int hint_count;
+
+	log_dbg("Keyslot %d [0x%06" PRIx64 " - 0x%06" PRIx64 "] randomness analysis", keyslot, start, start + length);
+
+	for (ofs = 0, hint_count = 0; ofs < length; ofs += BLOCK) {
+
+		/* For the last incomplete block just use the last BLOCK bytes */
+		if ((ofs + BLOCK) > length)
+			ofs = length - BLOCK;
+
+		/* Chi-squared: 256 buckets (bytes), alpha 0.001, right tail */
+		if (chisquared_bytes(buffer + ofs, BLOCK) <= 330.5197)
+			continue;
+
+		if (!suspected)
+			log_std(_("Keyslot %d binary data could be corrupted.\n"),  keyslot);
+		suspected = true;
+
+		for (ofs2 = 0; ofs2 < BLOCK && hint_count < hint_max; ofs2 += SUBBLOCK) {
+
+			/* Chi-squared: 2 buckets (bits), alpha 0.0001, right tail */
+			if (chisquared_bits(buffer + ofs + ofs2, SUBBLOCK) <= 15.1367)
+				continue;
+
+			if (hint_count < hint_max)
+				log_std(_("  Suspected offset: 0x%" PRIx64 "\n"), start + ofs + ofs2);
+			*hexdump_hint = true;
+			if (++hint_count == hint_max)
+				log_std(_("  Subsequent suspected offsets are suppressed.\n"), start + ofs + ofs2);
+		}
+	}
+}
+
+void luks_check_keyslots(struct crypt_device *cd, const char *device)
+{
+	crypt_keyslot_info ki;
+	unsigned char *buffer = NULL;
+	uint64_t start, length, data_length;
+	int i, fd = -1, r = -EINVAL;
+	bool hexdump_hint = false;
+
+	if (crypt_reencrypt_status(cd, NULL) != CRYPT_REENCRYPT_NONE) {
+		log_dbg("In reencryption, skipping keyslots randomness test.");
+		return;
+	}
+
+	fd = open(device, O_RDONLY);
+	if (fd == -1)
+		return;
+
+	for (i = 0; i < crypt_keyslot_max(crypt_get_type(cd)); i++) {
+
+		ki = crypt_keyslot_status(cd, i);
+		if (ki <= CRYPT_SLOT_INACTIVE || ki == CRYPT_SLOT_UNBOUND)
+			continue;
+
+		r = crypt_keyslot_area(cd, i, &start, &length);
+		if (r < 0)
+			goto out;
+
+		r = crypt_keyslot_get_key_size(cd, i);
+		if (r < 0)
+			goto out;
+
+		/* unbound key or something we should not run randomness analysis */
+		if (r <= 1)
+			continue;
+
+		/*
+		 * data_length is the really used keyslot area
+		 * length = data_legth + padding_4096
+		 */
+		data_length = (uint64_t)r * LUKS_STRIPES;
+
+		buffer = malloc(data_length);
+		if (!buffer)
+			goto out;
+
+		if (lseek(fd, (off_t)start, SEEK_SET) == -1) {
+			log_err(_("Keyslot %d cannot be read from the device."), i);
+			goto out;
+		}
+
+		if (read_buffer(fd, buffer, data_length) != (ssize_t)data_length) {
+			log_err(_("Keyslot %d cannot be read from the device."), i);
+			goto out;
+		}
+
+		run_analysis(i, buffer, data_length, start, &hexdump_hint, 3);
+
+		free(buffer);
+		buffer = NULL;
+	}
+
+	if (hexdump_hint)
+		log_std(_("You can use hexdump -v -C -n 128 -s <offset_0xXXXX> \"%s\" to inspect the data.\n"), device);
+out:
+	if (fd != -1)
+		close(fd);
+	free(buffer);
+}
diff --git a/src/utils_luks.c b/src/utils_luks.c
index d6d7894..e9a2989 100644
--- a/src/utils_luks.c
+++ b/src/utils_luks.c
@@ -2,9 +2,9 @@
 /*
  * Helper utilities for LUKS2 features
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2024 Milan Broz
- * Copyright (C) 2018-2024 Ondrej Kozina
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Milan Broz
+ * Copyright (C) 2018-2025 Ondrej Kozina
  */
 
 #include "cryptsetup.h"
@@ -79,6 +79,9 @@ void set_activation_flags(uint32_t *flags)
 	if (ARG_SET(OPT_PERF_NO_WRITE_WORKQUEUE_ID))
 		*flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
 
+	if (ARG_SET(OPT_PERF_HIGH_PRIORITY_ID))
+		*flags |= CRYPT_ACTIVATE_HIGH_PRIORITY;
+
 	if (ARG_SET(OPT_INTEGRITY_NO_JOURNAL_ID))
 		*flags |= CRYPT_ACTIVATE_NO_JOURNAL;
 
@@ -128,17 +131,19 @@ int set_pbkdf_params(struct crypt_device *cd, const char *dev_type)
 	return crypt_set_pbkdf_type(cd, &pbkdf);
 }
 
-int set_tries_tty(void)
+int set_tries_tty(bool keyring)
 {
+	if (keyring && ARG_SET(OPT_KEY_DESCRIPTION_ID))
+		return 1;
+
 	return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
 }
 
-int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize)
+int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
+			  uint32_t default_size_bits, int integrity_keysize)
 {
-	uint32_t keysize_bits = ARG_UINT32(OPT_KEY_SIZE_ID);
-
-#ifdef ENABLE_LUKS_ADJUST_XTS_KEYSIZE
-	if (!ARG_SET(OPT_KEY_SIZE_ID) && !strncmp(cipher_mode, "xts-", 4)) {
+#if ENABLE_LUKS_ADJUST_XTS_KEYSIZE
+	if (!keysize_bits && (!strncmp(cipher_mode, "xts-", 4) || !strncmp(cipher, "capi:xts(", 9))) {
 		if (default_size_bits == 128)
 			keysize_bits = 256;
 		else if (default_size_bits == 256)
@@ -265,3 +270,184 @@ int tools_write_json_file(const char *file, const char *json)
 		close(fd);
 	return r;
 }
+
+int luks_init_keyslot_context(struct crypt_device *cd,
+			      const char *msg,
+			      bool verify, bool pwquality,
+			      struct crypt_keyslot_context **r_kc)
+{
+	char *password;
+	size_t passwordLen;
+	int r = -EINVAL;
+
+	assert(cd);
+	assert(r_kc);
+
+	if (ARG_SET(OPT_KEY_DESCRIPTION_ID))
+		r = crypt_keyslot_context_init_by_keyring(cd, ARG_STR(OPT_KEY_DESCRIPTION_ID), r_kc);
+	else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))
+		r = crypt_keyslot_context_init_by_keyfile(cd, ARG_STR(OPT_KEY_FILE_ID),
+							  ARG_UINT32(OPT_KEYFILE_SIZE_ID),
+							  ARG_UINT64(OPT_KEYFILE_OFFSET_ID), r_kc);
+	else {
+		r = tools_get_key(msg, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
+				  ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
+				  ARG_UINT32(OPT_TIMEOUT_ID), verify, pwquality, cd);
+		if (r < 0)
+			return r;
+		r = crypt_keyslot_context_init_by_passphrase(cd, password, passwordLen, r_kc);
+		crypt_safe_free(password);
+	}
+
+	return r;
+}
+
+int luks_try_token_unlock(struct crypt_device *cd,
+			  int keyslot,
+			  int token_id,
+			  const char *activated_name,
+			  const char *token_type,
+			  uint32_t activate_flags,
+			  int tries,
+			  bool activation,
+			  bool retry_with_pin,
+			  struct crypt_keyslot_context **r_kc)
+{
+	int r;
+	struct crypt_keyslot_context *kc;
+	size_t pin_len;
+	char msg[64], *pin = NULL;
+
+	assert(tries >= 1);
+	assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
+	assert(keyslot >= 0 || keyslot == CRYPT_ANY_SLOT);
+
+	r = crypt_keyslot_context_init_by_token(cd, token_id, token_type, NULL, 0, NULL, &kc);
+	if (r < 0)
+		return r;
+
+	if (activation)
+		r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, kc, activate_flags);
+	else
+		r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
+
+	tools_keyslot_msg(r, UNLOCKED);
+	tools_token_error_msg(r, token_type, token_id, false);
+
+	/* Token requires PIN (-ENOANO). */
+	if (r != -ENOANO || !retry_with_pin)
+		goto out;
+
+	if (token_id == CRYPT_ANY_TOKEN)
+		r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
+	else
+		r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
+	if (r < 0 || (size_t)r >= sizeof(msg)) {
+		r = -EINVAL;
+		goto out;
+	}
+
+	do {
+		r = tools_get_key(msg, &pin, &pin_len, 0, 0, NULL,
+				ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
+		if (r < 0)
+			break;
+
+		r = crypt_keyslot_context_set_pin(cd, pin, pin_len, kc);
+		crypt_safe_free(pin);
+		if (r < 0)
+			break;
+
+		if (activation)
+			r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot,
+							      kc, CRYPT_ANY_SLOT, NULL, activate_flags);
+		else
+			r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
+
+		tools_keyslot_msg(r, UNLOCKED);
+		tools_token_error_msg(r, token_type, token_id, true);
+		check_signal(&r);
+	} while (r == -ENOANO && (--tries > 0));
+out:
+	if (r >= 0 && r_kc)
+		*r_kc = kc;
+	else
+		crypt_keyslot_context_free(kc);
+
+	return r;
+}
+
+/* Initiates keyslot context(s) based on non-interactive input only */
+int luks_init_keyslot_contexts_by_volume_keys(struct crypt_device *cd,
+					      const char *vk_file1,
+					      const char *vk_file2,
+					      int keysize1_bytes,
+					      int keysize2_bytes,
+					      const char *vk_in_keyring1,
+					      const char *vk_in_keyring2,
+					      struct crypt_keyslot_context **r_kc1,
+					      struct crypt_keyslot_context **r_kc2)
+{
+	int r = -EINVAL;
+	char *vk_description = NULL, *key = NULL;
+	struct crypt_keyslot_context *kc1 = NULL, *kc2 = NULL;
+
+	assert(cd);
+	assert(r_kc1);
+	assert(r_kc2);
+
+	if (vk_file1 && keysize1_bytes > 0) {
+		r = tools_read_vk(vk_file1, &key, keysize1_bytes);
+		if (r < 0)
+			return r;
+
+		r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize1_bytes, &kc1);
+		if (r < 0)
+			goto out;
+	}
+
+	/* volume key in file takes precedence */
+	if (vk_in_keyring1 && !kc1) {
+		r = tools_parse_vk_description(vk_in_keyring1, &vk_description);
+		if (r < 0)
+			goto out;
+		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc1);
+		if (r < 0)
+			goto out;
+	}
+
+	if (vk_file2 && keysize2_bytes > 0) {
+		crypt_safe_free(key);
+		key = NULL;
+		r = tools_read_vk(vk_file2, &key, keysize2_bytes);
+		if (r < 0)
+			goto out;
+
+		r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize2_bytes, &kc2);
+		if (r < 0)
+			goto out;
+	}
+
+	/* volume key in file takes precedence */
+	if (vk_in_keyring2 && !kc2) {
+		free(vk_description);
+		vk_description = NULL;
+		r = tools_parse_vk_description(vk_in_keyring2, &vk_description);
+		if (r < 0)
+			goto out;
+		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc2);
+	}
+out:
+	crypt_safe_free(key);
+	free(vk_description);
+
+	if (r) {
+		crypt_keyslot_context_free(kc1);
+		crypt_keyslot_context_free(kc2);
+	} else {
+		*r_kc1 = kc1;
+		*r_kc2 = kc2;
+	}
+
+	return r;
+}
diff --git a/src/utils_luks.h b/src/utils_luks.h
index a84d579..7ef5977 100644
--- a/src/utils_luks.h
+++ b/src/utils_luks.h
@@ -2,15 +2,18 @@
 /*
  * Helper utilities for LUKS in cryptsetup
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2024 Milan Broz
- * Copyright (C) 2018-2024 Ondrej Kozina
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Milan Broz
+ * Copyright (C) 2018-2025 Ondrej Kozina
  */
 
 #ifndef UTILS_LUKS_H
 #define UTILS_LUKS_H
 
 #include <stdint.h>
+#include <stdbool.h>
+
+struct crypt_device;
 
 const char *luksType(const char *type);
 
@@ -24,11 +27,12 @@ void set_activation_flags(uint32_t *flags);
 
 int set_pbkdf_params(struct crypt_device *cd, const char *dev_type);
 
-int set_tries_tty(void);
+int set_tries_tty(bool keyring);
 
-int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize);
+int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
+			  uint32_t default_size_bits, int integrity_keysize);
 
-int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen);
+int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc);
 
 int reencrypt(int action_argc, const char **action_argv);
 
@@ -36,4 +40,32 @@ int reencrypt_luks1(const char *device);
 
 int reencrypt_luks1_in_progress(const char *device);
 
+int luks_init_keyslot_context(struct crypt_device *cd,
+			      const char *msg,
+			      bool verify, bool pwquality,
+			      struct crypt_keyslot_context **r_kc);
+
+int luks_try_token_unlock(struct crypt_device *cd,
+			  int keyslot,
+			  int token_id,
+			  const char *activated_name,
+			  const char *token_type,
+			  uint32_t activate_flags,
+			  int tries,
+			  bool activation,
+			  bool retry_with_pin,
+			  struct crypt_keyslot_context **r_kc);
+
+int luks_init_keyslot_contexts_by_volume_keys(struct crypt_device *cd,
+					      const char *vk_file1,
+					      const char *vk_file2,
+					      int keysize1_bytes,
+					      int keysize2_bytes,
+					      const char *vk_in_keyring1,
+					      const char *vk_in_keyring2,
+					      struct crypt_keyslot_context **r_kc1,
+					      struct crypt_keyslot_context **r_kc2);
+
+void luks_check_keyslots(struct crypt_device *cd, const char *device);
+
 #endif /* UTILS_LUKS_H */
diff --git a/src/utils_password.c b/src/utils_password.c
index 1900f31..2e1178e 100644
--- a/src/utils_password.c
+++ b/src/utils_password.c
@@ -2,14 +2,14 @@
 /*
  * Password quality check wrapper
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include "cryptsetup.h"
 #include <termios.h>
 
-#if defined ENABLE_PWQUALITY
+#if ENABLE_PWQUALITY
 #include <pwquality.h>
 
 static int tools_check_pwquality(const char *password)
@@ -42,7 +42,7 @@ static int tools_check_pwquality(const char *password)
 	pwquality_free_settings(pwq);
 	return r;
 }
-#elif defined ENABLE_PASSWDQC
+#elif ENABLE_PASSWDQC
 #include <passwdqc.h>
 
 static int tools_check_passwdqc(const char *password)
@@ -80,9 +80,9 @@ static int tools_check_passwdqc(const char *password)
 /* coverity[ +tainted_string_sanitize_content : arg-0 ] */
 static int tools_check_password(const char *password)
 {
-#if defined ENABLE_PWQUALITY
+#if ENABLE_PWQUALITY
 	return tools_check_pwquality(password);
-#elif defined ENABLE_PASSWDQC
+#elif ENABLE_PASSWDQC
 	return tools_check_passwdqc(password);
 #else
 	UNUSED(password);
@@ -194,7 +194,7 @@ static int interactive_pass(const char *prompt, char *pass, size_t maxlen,
 	if (!failed && write(outfd, "\n", 1)) {};
 
 	if (realsize == maxlen)
-		log_dbg("Read stopped at maximal interactive input length, passphrase can be trimmed.");
+		log_err(_("Read stopped at maximal interactive input length, passphrase can be trimmed."));
 
 	if (close_fd)
 		close(infd);
diff --git a/src/utils_progress.c b/src/utils_progress.c
index 5477a44..26ba657 100644
--- a/src/utils_progress.c
+++ b/src/utils_progress.c
@@ -2,8 +2,8 @@
 /*
  * cryptsetup - progress output utilities
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <assert.h>
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index 4155d01..c80c27c 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -2,9 +2,9 @@
 /*
  * cryptsetup - action re-encryption utilities
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
- * Copyright (C) 2021-2024 Ondrej Kozina
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
+ * Copyright (C) 2021-2025 Ondrej Kozina
  */
 
 #include <uuid/uuid.h>
@@ -33,24 +33,10 @@ static void _set_reencryption_flags(uint32_t *flags)
 
 	if (ARG_SET(OPT_RESUME_ONLY_ID))
 		*flags |= CRYPT_REENCRYPT_RESUME_ONLY;
-}
-
-static int reencrypt_check_passphrase(struct crypt_device *cd,
-	int keyslot,
-	const char *passphrase,
-	size_t passphrase_len)
-{
-	int r;
-
-	assert(cd);
-
-	r = crypt_activate_by_passphrase(cd, NULL, keyslot,
-					 passphrase, passphrase_len, 0);
-	check_signal(&r);
-	tools_passphrase_msg(r);
-	tools_keyslot_msg(r, UNLOCKED);
 
-	return r;
+	if ((ARG_SET(OPT_VOLUME_KEY_FILE_ID) || ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) &&
+	    (ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) || ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID)))
+		*flags |= CRYPT_REENCRYPT_CREATE_NEW_DIGEST;
 }
 
 static int set_keyslot_params(struct crypt_device *cd, int keyslot)
@@ -266,14 +252,184 @@ static int reencrypt_hint_force_offline_reencrypt(const char *data_device)
 	return 0;
 }
 
+static int reencrypt_multi_key_unlock(struct crypt_device *cd,
+				       const struct crypt_params_reencrypt *params,
+				       struct crypt_keyslot_context **r_kc1,
+				       struct crypt_keyslot_context **r_kc2)
+{
+	int r, tries, keysize_bytes, new_keysize_bytes;
+	struct crypt_keyslot_context *kc1 = NULL, *kc2 = NULL;
+
+	assert(cd);
+	assert(params);
+	assert(r_kc1);
+	assert(r_kc2);
+
+	keysize_bytes = crypt_get_old_volume_key_size(cd);
+	new_keysize_bytes = crypt_get_volume_key_size(cd);
+
+	if (!keysize_bytes && ARG_SET(OPT_KEY_SIZE_ID))
+		keysize_bytes = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
+	if (!new_keysize_bytes && ARG_SET(OPT_NEW_KEY_SIZE_ID))
+		new_keysize_bytes = ARG_UINT32(OPT_NEW_KEY_SIZE_ID) / 8;
+
+	if (ARG_SET(OPT_VOLUME_KEY_FILE_ID) && !keysize_bytes) {
+		log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
+		return -EINVAL;
+	}
+
+	if (ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) && !new_keysize_bytes) {
+		log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."));
+		return -EINVAL;
+	}
+
+	if (ARG_SET(OPT_VOLUME_KEY_FILE_ID) ||
+	    ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID) ||
+	    ARG_SET(OPT_VOLUME_KEY_KEYRING_ID) ||
+	    ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID)) {
+		r = luks_init_keyslot_contexts_by_volume_keys(cd, ARG_STR(OPT_VOLUME_KEY_FILE_ID),
+							      ARG_STR(OPT_NEW_VOLUME_KEY_FILE_ID),
+							      keysize_bytes, new_keysize_bytes,
+							      ARG_STR(OPT_VOLUME_KEY_KEYRING_ID),
+							      ARG_STR(OPT_NEW_VOLUME_KEY_KEYRING_ID),
+							      &kc1, &kc2);
+		if (r < 0)
+			return r;
+
+		r = crypt_activate_by_keyslot_context(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
+						      kc1, ARG_INT32(OPT_NEW_KEY_SLOT_ID), kc2,
+						      0);
+		if (r == -ESRCH)
+			log_err(_("Device requires two volume keys."));
+		if (r == -EPERM)
+			log_err(_("Volume key does not match the volume."));
+	} else {
+		r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
+					  ARG_INT32(OPT_TOKEN_ID_ID), NULL,
+					  ARG_STR(OPT_TOKEN_TYPE_ID), 0,
+					  set_tries_tty(false), true,
+					  ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+					  &kc1);
+
+		if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
+			goto out;
+
+		r = -ENOENT;
+
+		tries = set_tries_tty(true);
+		do {
+			crypt_keyslot_context_free(kc1);
+			kc1 = NULL;
+			r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc1);
+			if (r < 0)
+				goto out;
+
+			r = crypt_activate_by_keyslot_context(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
+							      kc1, ARG_INT32(OPT_NEW_KEY_SLOT_ID),
+							      kc1, 0);
+
+			tools_keyslot_msg(r, UNLOCKED);
+			tools_passphrase_msg(r);
+			check_signal(&r);
+		} while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
+	}
+
+out:
+	if (r >= 0) {
+		*r_kc1 = kc1;
+		*r_kc2 = kc2;
+	} else {
+		crypt_keyslot_context_free(kc1);
+		crypt_keyslot_context_free(kc2);
+	}
+
+	return r;
+}
+
+static int reencrypt_single_key_unlock(struct crypt_device *cd,
+				       const struct crypt_params_reencrypt *params,
+				       struct crypt_keyslot_context **r_kc)
+{
+	int r, tries, keysize = 0;
+	struct crypt_keyslot_context *kc = NULL, *dummy = NULL;
+
+	assert(params);
+	assert(r_kc);
+
+	if (ARG_SET(OPT_VOLUME_KEY_FILE_ID) || ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		if (params->mode == CRYPT_REENCRYPT_DECRYPT)
+			keysize = crypt_get_old_volume_key_size(cd);
+		else if (params->mode == CRYPT_REENCRYPT_ENCRYPT)
+			keysize = crypt_get_volume_key_size(cd);
+
+		if (!keysize && ARG_SET(OPT_KEY_SIZE_ID))
+			keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
+
+		if (!keysize && !ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+			log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
+			return -EINVAL;
+		}
+
+		r = luks_init_keyslot_contexts_by_volume_keys(cd, ARG_STR(OPT_VOLUME_KEY_FILE_ID),
+							      NULL /* unused */,
+							      keysize,
+							      0 /* unused */,
+							      ARG_STR(OPT_VOLUME_KEY_KEYRING_ID),
+							      NULL /* unused */,
+							      &kc, &dummy);
+		if (r < 0)
+			goto out;
+		r = crypt_activate_by_keyslot_context(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
+						      kc, CRYPT_ANY_SLOT, NULL, 0);
+	} else {
+		r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
+					  ARG_INT32(OPT_TOKEN_ID_ID), NULL,
+					  ARG_STR(OPT_TOKEN_TYPE_ID), 0,
+					  set_tries_tty(false), true,
+					  ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+					  &kc);
+
+		if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
+			goto out;
+
+		r = -ENOENT;
+
+		tries = set_tries_tty(true);
+		do {
+			crypt_keyslot_context_free(kc);
+			kc = NULL;
+			r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc);
+			if (r < 0)
+				goto out;
+
+			r = crypt_activate_by_keyslot_context(cd, NULL, ARG_INT32(OPT_KEY_SLOT_ID),
+							      kc, CRYPT_ANY_SLOT, NULL, 0);
+
+			tools_keyslot_msg(r, UNLOCKED);
+			tools_passphrase_msg(r);
+			check_signal(&r);
+		} while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
+	}
+
+out:
+	if (r >= 0)
+		*r_kc = kc;
+	else
+		crypt_keyslot_context_free(kc);
+
+	crypt_keyslot_context_free(dummy); /* unused */
+
+	return r;
+}
+
 static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device)
 {
 	char *msg;
 	crypt_reencrypt_info ri;
 	int r;
-	size_t passwordLen;
-	char *active_name = NULL, *hash = NULL, *password = NULL;
+	char *active_name = NULL, *hash = NULL;
 	struct crypt_params_reencrypt params = {};
+	struct crypt_keyslot_context *kc = NULL, *kc2 = NULL;
 
 	ri = crypt_reencrypt_status(cd, &params);
 	if (ri == CRYPT_REENCRYPT_CRASH)
@@ -304,22 +460,24 @@ static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device
 			goto out;
 	}
 
-	r = tools_get_key(NULL, &password, &passwordLen,
-			ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
-			ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
-			verify_passphrase(0), 0, cd);
+	if (params.mode == CRYPT_REENCRYPT_REENCRYPT)
+		r = reencrypt_multi_key_unlock(cd, &params, &kc, &kc2);
+	else
+		r = reencrypt_single_key_unlock(cd, &params, &kc);
 	if (r < 0)
 		goto out;
 
 	if (!ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
 		r = reencrypt_get_active_name(cd, data_device, &active_name);
 	if (r >= 0)
-		r = crypt_reencrypt_init_by_passphrase(cd, active_name, password,
-				passwordLen, ARG_INT32(OPT_KEY_SLOT_ID),
-				ARG_INT32(OPT_KEY_SLOT_ID), NULL, NULL, &params);
+		r = crypt_reencrypt_init_by_keyslot_context(cd, active_name, kc, kc2 ?: kc,
+							    ARG_INT32(OPT_KEY_SLOT_ID),
+							    ARG_INT32(OPT_NEW_KEY_SLOT_ID),
+							    NULL, NULL, &params);
 out:
 	free(hash);
-	crypt_safe_free(password);
+	crypt_keyslot_context_free(kc);
+	crypt_keyslot_context_free(kc2);
 	free(active_name);
 	return r;
 }
@@ -493,8 +651,7 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 {
 	int keyslot, r, fd;
 	uuid_t uuid;
-	size_t passwordLen;
-	char *tmp, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL;
+	char *tmp, uuid_str[37], header_file[PATH_MAX] = { 0 };
 	uint32_t activate_flags = 0;
 	const struct crypt_params_luks2 luks2_params = {
 		.sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE
@@ -509,6 +666,7 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 		.luks2 = &luks2_params,
 		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY
 	};
+	struct crypt_keyslot_context *kc = NULL;
 
 	_set_reencryption_flags(&params.flags);
 
@@ -522,13 +680,15 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 		}
 	}
 
+	/* The --reduce-device-size has to be at least twice the size of first moved segment (LUKS2
+	 * data offset) */
 	if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
 	    data_shift && (ARG_UINT64(OPT_OFFSET_ID) > (uint64_t)(imaxabs(data_shift) / (2 * SECTOR_SIZE)))) {
 		log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter."));
 		return -EINVAL;
 	}
 
-	/* TODO: ask user to confirm. It's useless to do data device reduction and than use smaller value */
+	/* It's useless to do data device reduction and than use smaller value */
 	if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
 	    data_shift && (ARG_UINT64(OPT_OFFSET_ID) < (uint64_t)(imaxabs(data_shift) / (2 * SECTOR_SIZE)))) {
 		data_shift = -(ARG_UINT64(OPT_OFFSET_ID) * 2 * SECTOR_SIZE);
@@ -603,7 +763,7 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 		}
 	}
 
-	r = luksFormat(cd, &password, &passwordLen);
+	r = luksFormat(cd, &kc);
 	if (r < 0)
 		goto out;
 
@@ -617,9 +777,11 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 		params.resilience = "datashift";
 	}
 	keyslot = !ARG_SET(OPT_KEY_SLOT_ID) ? 0 : ARG_INT32(OPT_KEY_SLOT_ID);
-	r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen,
-			CRYPT_ANY_SLOT, keyslot, crypt_get_cipher(*cd),
-			crypt_get_cipher_mode(*cd), &params);
+	r = crypt_reencrypt_init_by_keyslot_context(*cd, NULL, NULL, kc,
+						    CRYPT_ANY_SLOT, keyslot,
+						    crypt_get_cipher(*cd),
+						    crypt_get_cipher_mode(*cd),
+						    &params);
 	if (r < 0) {
 		crypt_keyslot_destroy(*cd, keyslot);
 		goto out;
@@ -643,7 +805,10 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 	/* activate device */
 	if (device_name) {
 		set_activation_flags(&activate_flags);
-		r = crypt_activate_by_passphrase(*cd, device_name, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags);
+		r = crypt_activate_by_keyslot_context(*cd, device_name,
+						      ARG_INT32(OPT_KEY_SLOT_ID), kc,
+						      CRYPT_ANY_SLOT, NULL,
+						      activate_flags);
 		if (r >= 0)
 			log_std(_("%s/%s is now active and ready for online encryption.\n"), crypt_get_dir(), device_name);
 	}
@@ -654,11 +819,12 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
 	/* just load reencryption context to continue reencryption */
 	if (!ARG_SET(OPT_INIT_ONLY_ID)) {
 		params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY;
-		r = crypt_reencrypt_init_by_passphrase(*cd, device_name, password, passwordLen,
-				CRYPT_ANY_SLOT, keyslot, NULL, NULL, &params);
+		r = crypt_reencrypt_init_by_keyslot_context(*cd, device_name, NULL, kc,
+							    CRYPT_ANY_SLOT, keyslot,
+							    NULL, NULL, &params);
 	}
 out:
-	crypt_safe_free(password);
+	crypt_keyslot_context_free(kc);
 	if (*header_file)
 		unlink(header_file);
 	return r;
@@ -726,9 +892,8 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
 	const char *expheader)
 {
 	int fd, r;
-	size_t passwordLen;
 	struct stat hdr_st;
-	char *msg, *data_device, *active_name = NULL, *password = NULL;
+	char *msg, *data_device, *active_name = NULL;
 	bool remove_header = false;
 	struct crypt_params_reencrypt params = {
 		.mode = CRYPT_REENCRYPT_DECRYPT,
@@ -739,6 +904,7 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
 		.max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
 		.flags = CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT
 	};
+	struct crypt_keyslot_context *kc = NULL;
 
 	assert(expheader);
 	assert(cd && *cd);
@@ -769,14 +935,7 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
 	if (r < 0)
 		goto out;
 
-	r = tools_get_key(NULL, &password, &passwordLen,
-			ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
-			ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID),
-			verify_passphrase(0), 0, *cd);
-	if (r < 0)
-		goto out;
-
-	r = reencrypt_check_passphrase(*cd, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen);
+	r = reencrypt_single_key_unlock(*cd, &params, &kc);
 	if (r < 0)
 		goto out;
 
@@ -838,9 +997,9 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
 
 	remove_header = false;
 
-	r = crypt_reencrypt_init_by_passphrase(*cd, active_name, password,
-			passwordLen, ARG_INT32(OPT_KEY_SLOT_ID), CRYPT_ANY_SLOT,
-			NULL, NULL, &params);
+	r = crypt_reencrypt_init_by_keyslot_context(*cd, active_name, kc, NULL,
+						    ARG_INT32(OPT_KEY_SLOT_ID),
+						    CRYPT_ANY_SLOT, NULL, NULL, &params);
 
 	if (r < 0 && crypt_reencrypt_status(*cd, NULL) == CRYPT_REENCRYPT_NONE) {
 		/* if restore is successful we can remove header backup */
@@ -850,7 +1009,7 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
 out:
 	free(active_name);
 	free(data_device);
-	crypt_safe_free(password);
+	crypt_keyslot_context_free(kc);
 
 	if (r < 0 && !remove_header && !stat(expheader, &hdr_st) && S_ISREG(hdr_st.st_mode))
 		log_err(_("Reencryption initialization failed. Header backup is available in %s."),
@@ -864,8 +1023,7 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
 static int decrypt_luks2_init(struct crypt_device *cd, const char *data_device)
 {
 	int r;
-	size_t passwordLen;
-	char *active_name = NULL, *password = NULL;
+	char *active_name = NULL;
 	struct crypt_params_reencrypt params = {
 		.mode = CRYPT_REENCRYPT_DECRYPT,
 		.direction = data_shift > 0 ? CRYPT_REENCRYPT_FORWARD : CRYPT_REENCRYPT_BACKWARD,
@@ -875,6 +1033,7 @@ static int decrypt_luks2_init(struct crypt_device *cd, const char *data_device)
 		.device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE,
 		.max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
 	};
+	struct crypt_keyslot_context *kc = NULL;
 
 	if (!luks2_reencrypt_eligible(cd))
 		return -EINVAL;
@@ -891,111 +1050,445 @@ static int decrypt_luks2_init(struct crypt_device *cd, const char *data_device)
 
 	_set_reencryption_flags(&params.flags);
 
-	r = tools_get_key(NULL, &password, &passwordLen,
-			ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
-			ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
-	if (r < 0)
-		return r;
-
-	r = reencrypt_check_passphrase(cd, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen);
+	r = reencrypt_single_key_unlock(cd, &params, &kc);
 	if (r < 0)
 		goto out;
 
 	if (!ARG_SET(OPT_FORCE_OFFLINE_REENCRYPT_ID))
 		r = reencrypt_get_active_name(cd, data_device, &active_name);
 	if (r >= 0)
-		r = crypt_reencrypt_init_by_passphrase(cd, active_name, password,
-				passwordLen, ARG_INT32(OPT_KEY_SLOT_ID), CRYPT_ANY_SLOT, NULL, NULL, &params);
+		r = crypt_reencrypt_init_by_keyslot_context(cd, active_name, kc, NULL,
+							    ARG_INT32(OPT_KEY_SLOT_ID),
+							    CRYPT_ANY_SLOT, NULL, NULL,
+							    &params);
 
 out:
 	free(active_name);
-	crypt_safe_free(password);
+	crypt_keyslot_context_free(kc);
 	return r;
 }
 
-struct keyslot_passwords {
-	char *password;
-	size_t passwordLen;
-	int new;
+struct unlocked_token {
+	/* token keyslot context */
+	struct crypt_keyslot_context *p_kc;
+	int id;
+};
+
+struct unlocked_keyslot {
+	/* just pointer */
+	struct crypt_keyslot_context *p_kc;
+	int id;
+	int new_id;
+};
+
+struct keyslot_contexts {
+	struct unlocked_keyslot ks[16];
+	struct unlocked_token tkns[16];
+
+	/* available unlock methods linked in keyslot struct */
+	struct crypt_keyslot_context *kc[16];
+
+	/* contains pointer to context unlocking existing volume key */
+	struct crypt_keyslot_context *p_old_kc;
+	struct crypt_keyslot_context *p_new_kc;
+
+	/* contains new generated volume key in CRYPT_KC_TYPE_KEY context type */
+	struct crypt_keyslot_context *new_kc;
+
+	bool vk_generated;
+
+	/* contains new keyslot id for reencryption initialization */
+	int new_key_id;
+	int old_key_id;
+
+	unsigned last_ks;
+	unsigned last_kc;
+	unsigned last_tkn;
 };
 
-static struct keyslot_passwords *init_keyslot_passwords(size_t count)
+static struct crypt_keyslot_context *try_token(struct crypt_device *cd,
+					       struct keyslot_contexts *kcs,
+					       int keyslot)
 {
-	size_t i;
-	struct keyslot_passwords *tmp = calloc(count, sizeof(struct keyslot_passwords));
+	unsigned i;
+	struct crypt_keyslot_context *pkc;
 
-	if (!tmp)
-		return tmp;
+	assert(cd);
+	assert(kcs);
+	assert(kcs->last_tkn < ARRAY_SIZE(kcs->tkns));
+	assert(keyslot >= 0);
+
+	for (i = 0; i < kcs->last_tkn; i++) {
+		pkc = kcs->tkns[i].p_kc;
 
-	for (i = 0; i < count; i++)
-		tmp[i].new = -1;
+		if (crypt_token_is_assigned(cd, kcs->tkns[i].id, keyslot) == 0 &&
+		    crypt_activate_by_keyslot_context(cd, NULL, keyslot, pkc, CRYPT_ANY_SLOT, NULL, 0) == keyslot) {
+				tools_keyslot_msg(keyslot, UNLOCKED);
+				return pkc;
+		}
+	}
 
-	return tmp;
+	return NULL;
 }
 
-static int init_passphrase(struct keyslot_passwords *kp, size_t keyslot_passwords_length,
-			   struct crypt_device *cd, const char *msg, int slot_to_check)
+static bool reencrypt_keyslot_for_unlock(struct keyslot_contexts *kcs, int keyslot)
 {
-	crypt_keyslot_info ki;
-	char *password;
-	int r = -EINVAL, retry_count;
-	size_t passwordLen;
+	unsigned i;
 
-	if (slot_to_check != CRYPT_ANY_SLOT) {
-		ki = crypt_keyslot_status(cd, slot_to_check);
-		if (ki < CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_UNBOUND)
-			return -ENOENT;
+	for (i = 0; i < kcs->last_ks; i++) {
+		if (kcs->ks[i].id == keyslot)
+			return true;
 	}
 
-	retry_count = set_tries_tty();
+	return false;
+}
 
-	while (retry_count--) {
-		r = tools_get_key(msg,  &password, &passwordLen, 0, 0,
-				  ARG_STR(OPT_KEY_FILE_ID), 0, 0, 0 /*pwquality*/, cd);
-		if (r < 0)
-			return r;
-		if (quit) {
-			crypt_safe_free(password);
-			password = NULL;
-			passwordLen = 0;
-			return -EAGAIN;
+static bool reencrypt_keyslot_is_unlocked(struct keyslot_contexts *kcs, int keyslot)
+{
+	unsigned i;
+
+	for (i = 0; i < kcs->last_ks; i++) {
+		if (kcs->ks[i].id == keyslot)
+			return (kcs->ks[i].p_kc != NULL);
+	}
+
+	return false;
+}
+
+static bool reencrypt_token_for_unlock(struct keyslot_contexts *kcs, int token)
+{
+	unsigned i;
+
+	for (i = 0; i < kcs->last_tkn; i++) {
+		if (kcs->tkns[i].id == token)
+			return true;
+	}
+
+	return false;
+}
+
+static struct crypt_keyslot_context *reencrypt_get_token_context(struct keyslot_contexts *kcs,
+								 int token)
+{
+	unsigned i;
+
+	for (i = 0; i < kcs->last_tkn; i++) {
+		if (kcs->tkns[i].id == token)
+			return kcs->tkns[i].p_kc;
+	}
+
+	return NULL;
+}
+
+static void reencrypt_token_add_for_unlock(struct keyslot_contexts *kcs, int token)
+{
+	assert(kcs);
+	assert(token >= 0);
+
+	if (reencrypt_token_for_unlock(kcs, token))
+		return;
+
+	kcs->tkns[kcs->last_tkn++].id = token;
+
+	log_dbg("Token %d candidate for keyslot unlock.", token);
+}
+
+static void reencrypt_token_add(struct keyslot_contexts *kcs,
+				int token,
+				struct crypt_keyslot_context *token_kc)
+{
+	unsigned i;
+
+	assert(kcs);
+	assert(token >= 0);
+	assert(token_kc);
+
+	for (i = 0; i < kcs->last_tkn; i++) {
+		if (kcs->tkns[i].id == token) {
+			kcs->kc[kcs->last_kc++] = kcs->tkns[i].p_kc = token_kc;
+			return;
 		}
+	}
 
-		r = crypt_activate_by_passphrase(cd, NULL, slot_to_check,
-						 password, passwordLen, 0);
-		if (r < 0) {
-			crypt_safe_free(password);
-			password = NULL;
-			passwordLen = 0;
+	abort();
+}
+
+static void reencrypt_keyslot_unlocked_by_context(struct keyslot_contexts *kcs,
+						  int keyslot,
+						  struct crypt_keyslot_context *kc)
+{
+	unsigned i;
+
+	assert(kcs);
+	assert(kc);
+	assert(keyslot >= 0);
+
+	for (i = 0; i < kcs->last_ks; i++) {
+		if (kcs->ks[i].id == keyslot) {
+			kcs->ks[i].p_kc = kc;
+			kcs->ks[i].new_id = -1;
+			return;
+		}
+	}
+
+	abort();
+}
+
+/* Add keyslot in unlock candidates */
+static void reencrypt_keyslot_add_for_unlock(struct keyslot_contexts *kcs, int keyslot)
+{
+	assert(kcs);
+	assert(keyslot >= 0);
+
+	kcs->ks[kcs->last_ks].id = keyslot;
+	kcs->ks[kcs->last_ks++].new_id = -1;
+}
+
+static void reencrypt_token_unlocks_keyslot(struct keyslot_contexts *kcs,
+					    int token,
+					    int keyslot,
+					    struct crypt_keyslot_context *token_kc)
+{
+	assert(kcs);
+	assert(token_kc);
+
+	reencrypt_token_add(kcs, token, token_kc);
+	reencrypt_keyslot_unlocked_by_context(kcs, keyslot, token_kc);
+}
+
+static void reencrypt_keyslot_unlocked_by_context_new(struct keyslot_contexts *kcs,
+						      int keyslot,
+						      struct crypt_keyslot_context *kc)
+{
+	assert(kcs);
+	assert(kc);
+	assert(keyslot >= 0);
+
+	kcs->kc[kcs->last_kc++] = kc;
+	reencrypt_keyslot_unlocked_by_context(kcs, keyslot, kc);
+}
+
+/* returns unlocked keyslot id or negative errno */
+static int single_token(struct crypt_device *cd,
+			int token,
+			int slot_to_check,
+			struct keyslot_contexts *kcs)
+{
+	int r;
+	struct crypt_keyslot_context *kc;
+
+	r = crypt_token_is_assigned(cd, token, slot_to_check);
+	if (r != 0)
+		return r;
+
+	if (reencrypt_keyslot_is_unlocked(kcs, slot_to_check)) {
+		log_dbg("Keyslot %d already unlocked.", slot_to_check);
+		return slot_to_check;
+	}
+
+	kc = reencrypt_get_token_context(kcs, token);
+	if (kc) {
+		r = crypt_activate_by_keyslot_context(cd, NULL, slot_to_check, kc,
+						      CRYPT_ANY_SLOT, NULL, 0);
+		if (r == slot_to_check) {
+			log_dbg("Token %d unlocks keyslot %d", token, slot_to_check);
+			reencrypt_keyslot_unlocked_by_context(kcs, slot_to_check, kc);
 		}
-		if (r < 0 && r != -EPERM)
+
+		return r;
+	}
+
+	r = luks_try_token_unlock(cd, slot_to_check, token, NULL,
+				  ARG_STR(OPT_TOKEN_TYPE_ID), 0, /* FIXME: do we need any? */
+				  set_tries_tty(false), true, true, &kc);
+	if (r == slot_to_check) {
+		log_dbg("Token %d unlocks keyslot %d", token, slot_to_check);
+		reencrypt_token_unlocks_keyslot(kcs, token, slot_to_check, kc);
+	}
+
+	return r;
+}
+
+static int reencrypt_unlock_keyslot(struct keyslot_contexts *kcs,
+			   struct crypt_device *cd,
+			   const char *msg,
+			   int slot_to_check)
+{
+	struct crypt_keyslot_context *kc;
+	int retry_count, r = -EINVAL;
+
+	assert(cd);
+	assert(kcs);
+	assert(slot_to_check >= 0);
+
+	if (reencrypt_keyslot_is_unlocked(kcs, slot_to_check))
+		return slot_to_check;
+
+	/* try already initialized token kc */
+	kc = try_token(cd, kcs, slot_to_check);
+	if (kc) {
+		reencrypt_keyslot_unlocked_by_context(kcs, slot_to_check, kc);
+
+		return slot_to_check;
+	}
+
+	retry_count = set_tries_tty(false);
+	do {
+		r = luks_init_keyslot_context(cd, msg, verify_passphrase(0), false, &kc);
+		if (r < 0)
 			return r;
 
-		if (r >= 0) {
-			tools_keyslot_msg(r, UNLOCKED);
-			if ((size_t)r >= keyslot_passwords_length) {
-				crypt_safe_free(password);
-				return -EINVAL;
-			}
-			kp[r].password = password;
-			kp[r].passwordLen = passwordLen;
-			break;
+		r = crypt_activate_by_keyslot_context(cd, NULL, slot_to_check,
+						      kc, CRYPT_ANY_SLOT, NULL, 0);
+		tools_keyslot_msg(r, UNLOCKED);
+		if (r == slot_to_check) {
+			reencrypt_keyslot_unlocked_by_context_new(kcs, slot_to_check, kc);
+
+			return slot_to_check;
 		}
+		crypt_keyslot_context_free(kc);
 		tools_passphrase_msg(r);
+		check_signal(&r);
+	} while ((r == -EPERM || r == -ERANGE) && (--retry_count > 0));
+
+	return r;
+}
+
+/*
+ * Returns 1 if keyslot should be unlocked and it
+ * was not added in unlock queue yet.
+ *
+ * Return 0 if keyslot can not be used or
+ * already added in unlock queue.
+ *
+ * Negative errno on error.
+ */
+static int reencrypt_add_token_keyslot(struct crypt_device *cd,
+		struct keyslot_contexts *kcs,
+		int token,
+		int keyslot)
+{
+	assert(kcs);
+	assert(token >= 0);
+	assert(keyslot >= 0);
+
+	switch (crypt_keyslot_status(cd, keyslot)) {
+	case CRYPT_SLOT_INVALID:
+		return -EINVAL;
+	case CRYPT_SLOT_ACTIVE:
+	case CRYPT_SLOT_ACTIVE_LAST:
+		break;
+	default:
+		return 0;
 	}
 
-	password = NULL;
-	passwordLen = 0;
+	if (crypt_token_is_assigned(cd, token, keyslot))
+		return 0;
+
+	reencrypt_token_add_for_unlock(kcs, token);
 
-	return r;
+	/* continue if keyslot is already added in unlock queue */
+	if (reencrypt_keyslot_for_unlock(kcs, keyslot))
+		return 0;
+
+	log_dbg("Keyslot %d candidate for unlock.", keyslot);
+
+	reencrypt_keyslot_add_for_unlock(kcs, keyslot);
+	return 1;
 }
 
-static int _check_luks2_keyslots(struct crypt_device *cd, bool vk_change)
+static int reencrypt_add_single_token_keyslots(struct crypt_device *cd,
+		struct keyslot_contexts *kcs,
+		int token,
+		int keyslot,
+		const char *token_type)
 {
-	int i, new_vk_slot = (vk_change ? 1 : 0), max = crypt_keyslot_max(CRYPT_LUKS2), active = 0, unbound = 0;
+	int ks, r;
+	const char *type;
+	unsigned count = 0;
 
-	if (max < 0)
-		return max;
+	assert(token >= 0);
+
+	switch (crypt_token_status(cd, token, &type)) {
+	case CRYPT_TOKEN_INVALID:
+		return -EINVAL;
+	case CRYPT_TOKEN_INACTIVE:
+		return 0;
+	default:
+		break;
+	}
+
+	if (token_type && strcmp(token_type, type))
+		return 0;
+
+	if (keyslot != CRYPT_ANY_SLOT)
+		return reencrypt_add_token_keyslot(cd, kcs, token, keyslot);
+
+	for (ks = 0; ks < crypt_keyslot_max(CRYPT_LUKS2); ks++) {
+		r = reencrypt_add_token_keyslot(cd, kcs, token, ks);
+		if (r < 0)
+			return r;
+
+		if (r > 0)
+			count++;
+	}
+
+	return count;
+}
+
+static int reencrypt_add_token_keyslots_for_unlock(struct crypt_device *cd,
+						   struct keyslot_contexts *kcs,
+						   int token,
+						   const char *token_type,
+						   int keyslot)
+{
+	int r;
+	unsigned count = 0;
+
+	if (token != CRYPT_ANY_TOKEN)
+		return reencrypt_add_single_token_keyslots(cd, kcs, token, keyslot, token_type);
+
+	for (token = 0; token < crypt_token_max(CRYPT_LUKS2); token++) {
+		r = reencrypt_add_single_token_keyslots(cd, kcs, token, keyslot, token_type);
+		if (r < 0)
+			return r;
+
+		if (r > 0)
+			count++;
+	}
+
+	return count;
+}
+
+static int reencrypt_add_keyslots_for_unlock(struct crypt_device *cd,
+					   struct keyslot_contexts *kcs,
+					   bool vk_change,
+					   bool only_token_keyslots)
+{
+	int i, new_vk_slot = (vk_change ? 1 : 0), max = crypt_keyslot_max(CRYPT_LUKS2),
+	    unlocked, active = 0, unbound = 0;
+
+	/*
+	 * Returns negative errno on error or count of added candidate keyslots
+	 * suitable for device activation using the token based on input
+	 * parameters and token<->keyslot assignment.
+	 *
+	 * Every keyslot is counted at most once.
+	 */
+	i = reencrypt_add_token_keyslots_for_unlock(cd, kcs, ARG_INT32(OPT_TOKEN_ID_ID),
+						    ARG_STR(OPT_TOKEN_TYPE_ID),
+						    ARG_INT32(OPT_KEY_SLOT_ID));
+	if (i < 0)
+		return i;
+
+	/* token based reencryption preferred and no keyslot
+	 * could be used for reencryption */
+	if (!i && only_token_keyslots) {
+		log_err(_("No token could unlock the device."));
+		return -ENOENT;
+	}
+
+	unlocked = i;
 
 	for (i = 0; i < max; i++) {
 		switch (crypt_keyslot_status(cd, i)) {
@@ -1004,7 +1497,14 @@ static int _check_luks2_keyslots(struct crypt_device *cd, bool vk_change)
 		case CRYPT_SLOT_ACTIVE:
 			/* fall-through */
 		case CRYPT_SLOT_ACTIVE_LAST:
+			/* only count additional keyslots added in the loop */
 			active++;
+			if (!only_token_keyslots && !reencrypt_keyslot_for_unlock(kcs, i) &&
+			    (!ARG_SET(OPT_KEY_SLOT_ID) || ARG_INT32(OPT_KEY_SLOT_ID) == i)) {
+				reencrypt_keyslot_add_for_unlock(kcs, i);
+				unlocked++;
+				log_dbg("Keyslot %d candidate for unlock by passphrase prompt.", i);
+			}
 			break;
 		case CRYPT_SLOT_UNBOUND:
 			unbound++;
@@ -1024,7 +1524,7 @@ static int _check_luks2_keyslots(struct crypt_device *cd, bool vk_change)
 		return 0;
 
 	if ((ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) &&
-            (2 * active + unbound + 1 > max)) {
+            (2 * unlocked + unbound + 1 > max)) {
 		log_err(_("Not enough free keyslots for reencryption."));
 		return -EINVAL;
 	}
@@ -1032,46 +1532,56 @@ static int _check_luks2_keyslots(struct crypt_device *cd, bool vk_change)
 	return 0;
 }
 
-static int fill_keyslot_passwords(struct crypt_device *cd,
-		struct keyslot_passwords *kp, size_t kp_size,
-		bool vk_change)
+static int reencrypt_unlock_keyslots(struct crypt_device *cd,
+				     struct keyslot_contexts *kcs,
+				     bool vk_change)
 {
+	bool only_single_keyslot;
 	char msg[128];
 	crypt_keyslot_info ki;
 	int i, r = 0;
 
-	if (vk_change && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT && ARG_SET(OPT_KEY_FILE_ID)) {
-		for (i = 0; (size_t)i < kp_size; i++) {
-			ki = crypt_keyslot_status(cd, i);
-			if (ki == CRYPT_SLOT_INVALID)
-				return -EINVAL;
-			if (ki == CRYPT_SLOT_ACTIVE) {
-				log_err(_("Key file can be used only with --key-slot or with "
-					  "exactly one key slot active."));
-				return -EINVAL;
-			}
-		}
-	}
+	assert(cd);
+	assert(kcs);
+
+	only_single_keyslot = (vk_change && ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT &&
+			       (ARG_SET(OPT_KEY_FILE_ID) || ARG_SET(OPT_KEY_DESCRIPTION_ID)));
 
 	if (ARG_INT32(OPT_KEY_SLOT_ID) == CRYPT_ANY_SLOT) {
-		for (i = 0; (size_t)i < kp_size; i++) {
-			if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "), i) < 0)
-				return -EINVAL;
-			r = init_passphrase(kp, kp_size, cd, msg, i);
-			/* no need to initialize all keyslots with --keep-key */
-			if (r >= 0 && !vk_change)
+		for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++) {
+			ki = crypt_keyslot_status(cd, i);
+			switch (ki) {
+			case CRYPT_SLOT_INVALID:
+				r = -EINVAL;
+				goto out;
+			case CRYPT_SLOT_ACTIVE:
+				if (only_single_keyslot) {
+					log_err(_("Key file or keyring key description can be used only with "
+						  "--key-slot or with exactly one key slot active."));
+					r = -EINVAL;
+					goto out;
+				}
+				/* fall-through */
+			case CRYPT_SLOT_ACTIVE_LAST:
+				if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "), i) < 0)
+					return -EINVAL;
+				r = reencrypt_unlock_keyslot(kcs, cd, msg, i);
+				if (r < 0 || !vk_change)
+					goto out;
 				break;
-			if (r == -ENOENT)
+			case CRYPT_SLOT_INACTIVE:
+			case CRYPT_SLOT_UNBOUND:
 				r = 0;
-			if (r < 0)
 				break;
+			}
 		}
 	} else {
-		if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %u: "), ARG_INT32(OPT_KEY_SLOT_ID)) < 0)
+		if (snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %d: "),
+			     ARG_INT32(OPT_KEY_SLOT_ID)) < 0)
 			return -EINVAL;
-		r = init_passphrase(kp, kp_size, cd, msg, ARG_INT32(OPT_KEY_SLOT_ID));
+		r = reencrypt_unlock_keyslot(kcs, cd, msg, ARG_INT32(OPT_KEY_SLOT_ID));
 	}
-
+out:
 	return r < 0 ? r : 0;
 }
 
@@ -1090,14 +1600,258 @@ static int assign_tokens(struct crypt_device *cd, int keyslot_old, int keyslot_n
 	return 0;
 }
 
+static void reencrypt_keyslot_contexts_destroy(struct keyslot_contexts *kcs)
+{
+	unsigned i;
+
+	if (!kcs)
+		return;
+
+	crypt_keyslot_context_free(kcs->new_kc);
+
+	for (i = 0; i < kcs->last_kc; i++)
+		crypt_keyslot_context_free(kcs->kc[i]);
+}
+
+static bool token_error_unavailable(int r)
+{
+	return (r == -ENOENT || r == -EPERM || r == -ENOANO || r == -EAGAIN);
+}
+
+/* returns count of unlocked keyslots or negative errno */
+static int init_token_keyslot_context(struct crypt_device *cd,
+				      int token,
+				      struct keyslot_contexts *kcs)
+{
+	int r;
+	unsigned i, count = 0;
+
+	assert(kcs);
+
+	for (i = 0; i < kcs->last_ks; i++) {
+		r = single_token(cd, token, kcs->ks[i].id, kcs);
+		if (r < 0 && !token_error_unavailable(r))
+			return r;
+		if (r >= 0)
+			count++;
+	}
+
+	return count ? 0 : -ENOENT;
+}
+
+static int reencrypt_unlock_keyslots_by_tokens(struct crypt_device *cd,
+					  struct keyslot_contexts *kcs)
+{
+	int r;
+	unsigned i, count = 0;
+
+	assert(kcs);
+
+	for (i = 0; i < kcs->last_tkn; i++) {
+		r = init_token_keyslot_context(cd, kcs->tkns[i].id, kcs);
+		if (r < 0 && !token_error_unavailable(r))
+			return r;
+		if (r >= 0)
+			count++;
+	}
+
+	return count;
+}
+
+static int reencrypt_initialize_keyslot_contexts(struct crypt_device *cd,
+		bool vk_generated,
+		bool prefer_token,
+		struct crypt_keyslot_context *old_kc,
+		struct crypt_keyslot_context *new_kc,
+		struct keyslot_contexts *kcs)
+{
+	int r;
+
+	assert(cd);
+	assert(kcs);
+
+	if (new_kc) {
+		kcs->vk_generated = vk_generated;
+		kcs->new_key_id = CRYPT_ANY_SLOT;
+		kcs->p_new_kc = new_kc;
+	}
+
+	if (old_kc) {
+		kcs->p_old_kc = old_kc;
+		if (!new_kc)
+			kcs->p_new_kc = old_kc;
+
+		kcs->old_key_id = CRYPT_ANY_SLOT;
+		return 0;
+	}
+
+	/* Based on input parameters (--token-id, --token-type, --keyslot, ...)
+	 * it will create a list of keyslots and tokens suitable for reencryption.
+	 * No keyslot or token is unlocked yet. First we need to establish if there
+	 * are enough free keyslots to proceed with the reencryption */
+	r = reencrypt_add_keyslots_for_unlock(cd, kcs, new_kc != NULL, prefer_token);
+	if (r)
+		return r;
+
+	/*  First unlock keyslots by tokens */
+	r = reencrypt_unlock_keyslots_by_tokens(cd, kcs);
+	if (r < 0)
+		return r;
+
+	/* if tokens were preferred and no keyslot
+	 * could be unlocked, abort */
+	if (!r && prefer_token)
+		return -ENOENT;
+
+	/* unlock remaining keyslots only if token
+	 * based reencryption was not requested */
+	if (!prefer_token) {
+		r = reencrypt_unlock_keyslots(cd, kcs, new_kc != NULL);
+		if (r < 0)
+			return r;
+	}
+
+	if (!kcs->p_old_kc) {
+		assert(kcs->ks[0].p_kc);
+		assert(kcs->ks[0].id >= 0);
+		kcs->p_old_kc = kcs->ks[0].p_kc;
+		kcs->old_key_id = kcs->ks[0].id;
+	}
+
+	return 0;
+}
+
+static int reencrypt_active_keyslots_count(struct crypt_device *cd)
+{
+	int i;
+	unsigned count = 0;
+
+	assert(cd);
+	assert(isLUKS2(crypt_get_type(cd)));
+
+	for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS2); i++) {
+		switch (crypt_keyslot_status(cd, i)) {
+		case CRYPT_SLOT_INVALID:
+			return -EINVAL;
+		case CRYPT_SLOT_ACTIVE: /* fall-through */
+		case CRYPT_SLOT_ACTIVE_LAST:
+			count++;
+			break;
+		case CRYPT_SLOT_INACTIVE: /* fall-through */
+		case CRYPT_SLOT_UNBOUND:
+			break;
+		}
+	}
+
+	return count;
+}
+
+static int reencrypt_add_new_keyslots(struct crypt_device *cd,
+				      bool prefer_token,
+				      struct keyslot_contexts *kcs)
+{
+	char *vk_new;
+	int r, new_key_size;
+	unsigned i;
+	uint32_t new_key_flags = CRYPT_VOLUME_KEY_NO_SEGMENT;
+
+	assert(cd);
+	assert(kcs);
+
+	if (!kcs->last_ks)
+		return -ENOENT;
+
+	for (i = 0; i < kcs->last_ks; i++) {
+		if (!kcs->ks[i].p_kc) {
+			/*
+			 * A token may be assigned to multiple
+			 * keyslots and not be able to open all
+			 */
+			if (!prefer_token)
+				return -EINVAL;
+			continue;
+		}
+
+		r = set_keyslot_params(cd, kcs->ks[i].id);
+		if (r < 0)
+			return r;
+
+		/* new volume key has no digest yet */
+		if (!(new_key_flags & CRYPT_VOLUME_KEY_DIGEST_REUSE)) {
+			r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kcs->p_new_kc,
+								 CRYPT_ANY_SLOT, kcs->ks[i].p_kc,
+								 new_key_flags);
+			tools_keyslot_msg(r, CREATED);
+			if (r < 0)
+				return r;
+
+			kcs->ks[i].new_id = r;
+
+			/* key was generated in crypt_keyslot_add_by_keyslot_context() above.
+			 * I need to extract actual new key for additional keyslots and reencrypt
+			 * init call later */
+			if (kcs->vk_generated) {
+				new_key_size = crypt_keyslot_get_key_size(cd, kcs->ks[i].new_id);
+				if (new_key_size <= 0)
+					return r;
+
+				vk_new = crypt_safe_alloc((size_t)new_key_size);
+				if (!vk_new)
+					return -ENOMEM;
+
+				r = crypt_volume_key_get_by_keyslot_context(cd, kcs->ks[i].new_id,
+									    vk_new,
+									    &(size_t){new_key_size},
+									    kcs->ks[i].p_kc);
+				if (r < 0) {
+					crypt_safe_free(vk_new);
+					return r;
+				}
+
+				r = crypt_keyslot_context_init_by_volume_key(cd, vk_new,
+									     (size_t)new_key_size,
+									     &kcs->new_kc);
+				crypt_safe_free(vk_new);
+				if (r < 0)
+					return r;
+				kcs->p_new_kc = kcs->new_kc;
+			}
+			r = assign_tokens(cd, kcs->ks[i].id, kcs->ks[i].new_id);
+			if (r < 0)
+				return r;
+
+			kcs->new_key_id = kcs->ks[i].new_id;
+			new_key_flags |= CRYPT_VOLUME_KEY_DIGEST_REUSE;
+		} else {
+			r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kcs->new_kc,
+					CRYPT_ANY_SLOT, kcs->ks[i].p_kc, new_key_flags);
+
+			tools_keyslot_msg(r, CREATED);
+			if (r < 0)
+				return r;
+
+			kcs->ks[i].new_id = r;
+			r = assign_tokens(cd, kcs->ks[i].id, kcs->ks[i].new_id);
+			if (r < 0)
+				return r;
+		}
+	}
+
+	return 0;
+}
+
 static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device)
 {
-	bool vk_size_change, sector_size_change, sector_size_increase, vk_change;
-	size_t i, vk_size, kp_size;
-	int r, keyslot_old = CRYPT_ANY_SLOT, keyslot_new = CRYPT_ANY_SLOT, key_size;
-	char cipher[MAX_CIPHER_LEN], mode[MAX_CIPHER_LEN], *vk = NULL, *active_name = NULL;
+	bool sector_size_change, sector_size_increase, vk_change, vk_generated = false,
+	     prefer_token = (ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID));
+	size_t i;
+	int r, new_key_size = 0, key_size = 0;
+	char cipher[MAX_CIPHER_LEN], mode[MAX_CIPHER_LEN], *vk, *vk_new, *vk_description,
+	     *active_name = NULL;
+	uint32_t active_slots;
 	const char *new_cipher = NULL;
-	struct keyslot_passwords *kp = NULL;
+	struct crypt_keyslot_context *old_key_kc = NULL, *new_key_kc = NULL;
+	struct keyslot_contexts kcs = {};
 	struct crypt_params_luks2 luks2_params = {};
 	struct crypt_params_reencrypt params = {
 		.mode = CRYPT_REENCRYPT_REENCRYPT,
@@ -1145,122 +1899,162 @@ static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device
 	sector_size_increase = luks2_params.sector_size > (uint32_t)crypt_get_sector_size(cd);
 
 	/* key size */
-	if (ARG_SET(OPT_KEY_SIZE_ID) || new_cipher)
-		key_size = get_adjusted_key_size(mode, DEFAULT_LUKS1_KEYBITS, 0);
-	else
-		key_size = crypt_get_volume_key_size(cd);
-
-	if (!key_size)
+	key_size = crypt_get_volume_key_size(cd);
+	if (!key_size && ARG_SET(OPT_KEY_SIZE_ID))
+		key_size = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
+	if (!key_size && !ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		/* No keyslot assigned to default segment */
+		log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --key-size option."));
 		return -EINVAL;
-	vk_size = key_size;
+	}
+
+	/* new key size */
+	if (!ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID)) {
+		if (ARG_SET(OPT_NEW_KEY_SIZE_ID))
+			new_key_size = ARG_UINT32(OPT_NEW_KEY_SIZE_ID);
+
+		if (new_key_size || new_cipher)
+			/* This will convert new key size to bytes from bits */
+			new_key_size = get_adjusted_key_size(cipher, mode, new_key_size,
+							 DEFAULT_LUKS1_KEYBITS, 0);
+		else
+			new_key_size = key_size;
+
+		if (new_key_size <= 0) {
+			log_err(_("Cannot determine volume key size for LUKS without keyslots, please use --new-key-size option."));
+			return -EINVAL;
+		}
+	}
 
-	vk_size_change = key_size != crypt_get_volume_key_size(cd);
+	/* get active slots count */
+	r = reencrypt_active_keyslots_count(cd);
+	if (r < 0)
+		return r;
+	active_slots = r;
 
 	/* volume key */
 	vk_change = !ARG_SET(OPT_KEEP_KEY_ID);
 
-	if (vk_change && ARG_SET(OPT_VOLUME_KEY_FILE_ID)) {
-		r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &vk, key_size);
+	/*
+	 * --volume-key-keyring must take precedence over --volume-key-file due
+	 * to possibly unset key_size
+	 */
+	if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
+		r = tools_parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description);
+		if (r < 0)
+			goto out;
+		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &old_key_kc);
+		free(vk_description);
 		if (r < 0)
 			goto out;
-
-		if (!crypt_volume_key_verify(cd, vk, key_size)) {
-			/* passed key was valid volume key */
-			vk_change = false;
-			crypt_safe_free(vk);
-			vk = NULL;
-		}
 	}
 
-	if (!vk_change && !vk_size_change && !new_cipher && !sector_size_change) {
-		log_err(_("No data segment parameters changed. Reencryption aborted."));
-		r = -EINVAL;
-		goto out;
+	if (!old_key_kc && ARG_SET(OPT_VOLUME_KEY_FILE_ID) && key_size > 0) {
+		r = tools_read_vk(ARG_STR(OPT_VOLUME_KEY_FILE_ID), &vk, key_size);
+		if (r < 0)
+			goto out;
+		r = crypt_keyslot_context_init_by_volume_key(cd, vk, (size_t)key_size, &old_key_kc);
+		crypt_safe_free(vk);
+		if (r < 0)
+			goto out;
 	}
 
-	if (!ARG_SET(OPT_INIT_ONLY_ID) || (tools_blkid_supported() && sector_size_increase)) {
-		r = reencrypt_hint_force_offline_reencrypt(data_device);
+	if (old_key_kc) {
+		r = crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, old_key_kc,
+						      CRYPT_ANY_SLOT, NULL, 0);
+		if (r == -EPERM)
+			log_err(_("Volume key does not match the volume."));
 		if (r < 0)
 			goto out;
 	}
 
-	r = _check_luks2_keyslots(cd, vk_change);
-	if (r)
-		goto out;
+	/*
+	 * --new-volume-key-keyring must take precedence over --new-volume-key-file due
+	 * to possibly unset new_key_size
+	 */
+	if (vk_change && ARG_SET(OPT_NEW_VOLUME_KEY_KEYRING_ID)) {
+		if (active_slots && old_key_kc && !ARG_SET(OPT_FORCE_NO_KEYSLOTS_ID)) {
+			log_err(_("Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."));
+			return -EINVAL;
+		}
 
-	r = crypt_keyslot_max(CRYPT_LUKS2);
-	if (r < 0)
-		goto out;
-	kp_size = r;
+		r = tools_parse_vk_description(ARG_STR(OPT_NEW_VOLUME_KEY_KEYRING_ID), &vk_description);
+		if (r < 0)
+			goto out;
 
-	kp = init_keyslot_passwords(kp_size);
-	if (!kp) {
-		r = -ENOMEM;
-		goto out;
+		r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &new_key_kc);
+		free(vk_description);
+		if (r < 0)
+			goto out;
 	}
 
-	/* coverity[overrun-call] */
-	r = fill_keyslot_passwords(cd, kp, kp_size, vk_change);
-	if (r)
-		goto out;
+	if (vk_change && !new_key_kc && ARG_SET(OPT_NEW_VOLUME_KEY_FILE_ID)) {
+		if (!ARG_SET(OPT_NEW_KEY_SIZE_ID)) {
+			log_err(_("Option --new-volume-key-file must be paired with --new-key-size"));
+			r = -EINVAL;
+			goto out;
+		}
+		if (active_slots && old_key_kc && !ARG_SET(OPT_FORCE_NO_KEYSLOTS_ID)) {
+			log_err(_("Use --force-no-keyslots to reencrypt device with active keyslots by passing volume keys directly."));
+			return -EINVAL;
+		}
 
-	r = -ENOENT;
+		r = tools_read_vk(ARG_STR(OPT_NEW_VOLUME_KEY_FILE_ID), &vk_new, new_key_size);
+		if (r < 0)
+			goto out;
 
-	for (i = 0; i < kp_size; i++) {
-		if (!vk_change) {
-			if (kp[i].password) {
-				r = keyslot_old = kp[i].new = i;
-				break;
-			}
-			continue;
+		r = crypt_keyslot_context_init_by_volume_key(cd, vk_new, (size_t)new_key_size,
+							     &new_key_kc);
+		crypt_safe_free(vk_new);
+		if (r < 0)
+			goto out;
+	}
+
+	/* verify if passed new volume key does not match already existing volume key */
+	if (new_key_kc) {
+		r = crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, new_key_kc,
+						      CRYPT_ANY_SLOT, NULL, 0);
+		if (r >= 0) {
+			/* passed key was valid volume key */
+			crypt_keyslot_context_free(new_key_kc);
+			new_key_kc = NULL;
+			vk_change = false;
 		}
+	}
 
-		if (kp[i].password && keyslot_new < 0) {
-			r = set_keyslot_params(cd, i);
-			if (r < 0)
-				break;
-			r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, vk, key_size,
-					kp[i].password, kp[i].passwordLen, CRYPT_VOLUME_KEY_NO_SEGMENT);
-			tools_keyslot_msg(r, CREATED);
-			if (r < 0)
-				break;
+	/* initialize 'empty' new keyslot context to get new volume key generated later */
+	if (vk_change && !new_key_kc) {
+		r = crypt_keyslot_context_init_by_volume_key(cd, NULL, (size_t)new_key_size,
+							     &new_key_kc);
+		if (r < 0)
+			goto out;
+		vk_generated = true;
+	}
 
-			kp[i].new = r;
-			keyslot_new = r;
-			keyslot_old = i;
-			if (!vk) {
-				/* key generated in crypt_keyslot_add_by_key() call above */
-				vk = crypt_safe_alloc(key_size);
-				if (!vk) {
-					r = -ENOMEM;
-					break;
-				}
-				r = crypt_volume_key_get(cd, keyslot_new, vk, &vk_size, kp[i].password, kp[i].passwordLen);
-				if (r < 0)
-					break;
-			}
-			r = assign_tokens(cd, i, r);
-			if (r < 0)
-				break;
-		} else if (kp[i].password) {
-			r = set_keyslot_params(cd, i);
-			if (r < 0)
-				break;
-			r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, vk, key_size,
-					kp[i].password, kp[i].passwordLen, CRYPT_VOLUME_KEY_NO_SEGMENT | CRYPT_VOLUME_KEY_DIGEST_REUSE);
-			tools_keyslot_msg(r, CREATED);
-			if (r < 0)
-				break;
-			kp[i].new = r;
-			r = assign_tokens(cd, i, r);
-			if (r < 0)
-				break;
-		}
+	if (!vk_change && !new_cipher && !sector_size_change) {
+		log_err(_("No data segment parameters changed. Reencryption aborted."));
+		r = -EINVAL;
+		goto out;
 	}
 
+	/* unlocks keyslots  */
+	r = reencrypt_initialize_keyslot_contexts(cd, vk_generated, prefer_token, old_key_kc,
+						  new_key_kc, &kcs);
 	if (r < 0)
 		goto out;
 
+	if (!ARG_SET(OPT_INIT_ONLY_ID) || (tools_blkid_supported() && sector_size_increase)) {
+		r = reencrypt_hint_force_offline_reencrypt(data_device);
+		if (r < 0)
+			goto out;
+	}
+
+	if (vk_change && active_slots && !ARG_SET(OPT_FORCE_NO_KEYSLOTS_ID)) {
+		r = reencrypt_add_new_keyslots(cd, prefer_token, &kcs);
+		if (r < 0)
+			goto out;
+	}
+
 	/*
 	 * with --init-only lookup active device only if
 	 * blkid probes are allowed and sector size increase
@@ -1287,22 +2081,24 @@ static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device
 			goto out;
 	}
 
-	r = crypt_reencrypt_init_by_passphrase(cd,
+	r = crypt_reencrypt_init_by_keyslot_context(cd,
 			ARG_SET(OPT_INIT_ONLY_ID) ? NULL : active_name,
-			kp[keyslot_old].password, kp[keyslot_old].passwordLen,
-			keyslot_old, kp[keyslot_old].new, cipher, mode, &params);
+			kcs.p_old_kc, kcs.p_new_kc,
+			kcs.old_key_id, kcs.new_key_id,
+			cipher, mode, &params);
+
 out:
-	crypt_safe_free(vk);
-	if (kp) {
-		for (i = 0; i < kp_size; i++) {
-			crypt_safe_free(kp[i].password);
-			if (r < 0 && kp[i].new >= 0 && kp[i].new != (int)i &&
-			    crypt_reencrypt_status(cd, NULL) == CRYPT_REENCRYPT_NONE &&
-			    crypt_keyslot_destroy(cd, kp[i].new))
-				log_dbg("Failed to remove keyslot %d with unbound key.", kp[i].new);
+	crypt_keyslot_context_free(old_key_kc);
+	crypt_keyslot_context_free(new_key_kc);
+	if (r < 0 && crypt_reencrypt_status(cd, NULL) == CRYPT_REENCRYPT_NONE) {
+		for (i = 0; i < kcs.last_ks; i++) {
+			if (kcs.ks[i].new_id >= 0 && kcs.ks[i].new_id != kcs.ks[i].id &&
+			    crypt_keyslot_destroy(cd, kcs.ks[i].new_id))
+				log_dbg("Failed to remove keyslot %d with unbound key.",
+					kcs.ks[i].new_id);
 		}
-		free(kp);
 	}
+	reencrypt_keyslot_contexts_destroy(&kcs);
 	free(active_name);
 	return r;
 }
diff --git a/src/utils_reencrypt_luks1.c b/src/utils_reencrypt_luks1.c
index 8599972..157f2b8 100644
--- a/src/utils_reencrypt_luks1.c
+++ b/src/utils_reencrypt_luks1.c
@@ -2,8 +2,8 @@
 /*
  * cryptsetup - LUKS1 utility for offline re-encryption
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include <sys/ioctl.h>
diff --git a/src/utils_tools.c b/src/utils_tools.c
index a2d61e0..d96d1d4 100644
--- a/src/utils_tools.c
+++ b/src/utils_tools.c
@@ -4,8 +4,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include "cryptsetup.h"
@@ -425,27 +425,27 @@ void tools_package_version(const char *name, bool use_pwlibs)
 	bool udev = false, blkid = false, keyring = false, fips = false,
 	     kernel_capi = false, pwquality = false, passwdqc = false,
 	     hw_opal = false;
-#ifdef USE_UDEV
+#if USE_UDEV
 	udev = true;
 #endif
-#ifdef HAVE_BLKID
+#if HAVE_BLKID
 	blkid = true;
 #endif
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	keyring = true;
 #endif
-#ifdef ENABLE_FIPS
+#if ENABLE_FIPS
 	fips = true;
 #endif
-#ifdef ENABLE_AF_ALG
+#if ENABLE_AF_ALG
 	kernel_capi = true;
 #endif
-#if defined(ENABLE_PWQUALITY)
+#if ENABLE_PWQUALITY
 	pwquality = true;
-#elif defined(ENABLE_PASSWDQC)
+#elif ENABLE_PASSWDQC
 	passwdqc = true;
 #endif
-#ifdef HAVE_HW_OPAL
+#if HAVE_HW_OPAL
 	hw_opal = true;
 #endif
 	log_std("%s %s flags: %s%s%s%s%s%s%s%s\n", name, PACKAGE_VERSION,
@@ -458,3 +458,19 @@ void tools_package_version(const char *name, bool use_pwlibs)
 		passwdqc && use_pwlibs ? "PASSWDQC " : "",
 		hw_opal ? "HW_OPAL " : "");
 }
+
+int tools_check_newname(const char *name)
+{
+	if (!name)
+		return 0;
+
+	if (strlen(name) >= DM_NAME_LEN) {
+		log_err(_("Name is too long."));
+		return -EINVAL;
+	} else if (strchr(name, '/')) {
+		log_err(_("Name must not contain '/' character."));
+		return -EINVAL;
+	}
+
+	return 0;
+}
diff --git a/src/veritysetup.c b/src/veritysetup.c
index 99431ef..d97c695 100644
--- a/src/veritysetup.c
+++ b/src/veritysetup.c
@@ -2,8 +2,8 @@
 /*
  * veritysetup - setup cryptographic volumes for dm-verity
  *
- * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2024 Milan Broz
+ * Copyright (C) 2012-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2025 Milan Broz
  */
 
 #include "cryptsetup.h"
@@ -167,6 +167,8 @@ static int _activate(const char *dm_device,
 		activate_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
 	if (ARG_SET(OPT_PANIC_ON_CORRUPTION_ID))
 		activate_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;
+	if (ARG_SET(OPT_ERROR_AS_CORRUPTION_ID))
+		activate_flags |= CRYPT_ACTIVATE_ERROR_AS_CORRUPTION;
 	if (ARG_SET(OPT_IGNORE_ZERO_BLOCKS_ID))
 		activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
 	if (ARG_SET(OPT_CHECK_AT_MOST_ONCE_ID))
@@ -269,6 +271,9 @@ static int action_open(void)
 		return -EINVAL;
 	}
 
+	if (tools_check_newname(action_argv[1]))
+		return -EINVAL;
+
 	return _activate(action_argv[1],
 			 action_argv[0],
 			 action_argv[2],
@@ -374,8 +379,8 @@ static int action_status(void)
 			vp.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE ? " (with signature)" : "");
 
 		log_std("  hash type:   %u\n", vp.hash_type);
-		log_std("  data block:  %u\n", vp.data_block_size);
-		log_std("  hash block:  %u\n", vp.hash_block_size);
+		log_std("  data block:  %u [bytes]\n", vp.data_block_size);
+		log_std("  hash block:  %u [bytes]\n", vp.hash_block_size);
 		log_std("  hash name:   %s\n", vp.hash_name);
 		log_std("  salt:        ");
 		if (vp.salt_size)
@@ -389,7 +394,7 @@ static int action_status(void)
 			log_std("  data loop:   %s\n", backing_file);
 			free(backing_file);
 		}
-		log_std("  size:        %" PRIu64 " sectors\n", cad.size);
+		log_std("  size:        %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE);
 		log_std("  mode:        %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
 					   "readonly" : "read/write");
 
@@ -398,8 +403,8 @@ static int action_status(void)
 			log_std("  hash loop:   %s\n", backing_file);
 			free(backing_file);
 		}
-		log_std("  hash offset: %" PRIu64 " sectors\n",
-			vp.hash_area_offset * vp.hash_block_size / 512);
+		log_std("  hash offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n",
+			vp.hash_area_offset * vp.hash_block_size / SECTOR_SIZE, vp.hash_area_offset * vp.hash_block_size);
 
 		if (vp.fec_device) {
 			log_std("  FEC device:  %s\n", vp.fec_device);
@@ -407,8 +412,8 @@ static int action_status(void)
 				log_std("  FEC loop:    %s\n", backing_file);
 				free(backing_file);
 			}
-			log_std("  FEC offset:  %" PRIu64 " sectors\n",
-				vp.fec_area_offset * vp.hash_block_size / 512);
+			log_std("  FEC offset:  %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n",
+				vp.fec_area_offset * vp.hash_block_size / SECTOR_SIZE, vp.fec_area_offset * vp.hash_block_size);
 			log_std("  FEC roots:   %u\n", vp.fec_roots);
 		}
 
@@ -429,10 +434,12 @@ static int action_status(void)
 				 CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS|
 				 CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE|
 				 CRYPT_ACTIVATE_TASKLETS))
-			log_std("  flags:       %s%s%s%s%s%s\n",
+			log_std("  flags:       %s%s%s%s%s%s%s\n",
 				(cad.flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? "ignore_corruption " : "",
 				(cad.flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? "restart_on_corruption " : "",
 				(cad.flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? "panic_on_corruption " : "",
+				(cad.flags & CRYPT_ACTIVATE_ERROR_AS_CORRUPTION) ?
+				((cad.flags & CRYPT_ACTIVATE_PANIC_ON_CORRUPTION) ? "panic_on_error " : "restart_on_error") : "",
 				(cad.flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? "ignore_zero_blocks " : "",
 				(cad.flags & CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE) ? "check_at_most_once" : "",
 				(cad.flags & CRYPT_ACTIVATE_TASKLETS) ? "try_verify_in_tasklet" : "");
@@ -655,6 +662,12 @@ int main(int argc, const char **argv)
 		_("Option --panic-on-corruption and --restart-on-corruption cannot be used together."),
 		poptGetInvocationName(popt_context));
 
+	if (ARG_SET(OPT_ERROR_AS_CORRUPTION_ID) &&
+	    !(ARG_SET(OPT_RESTART_ON_CORRUPTION_ID) || ARG_SET(OPT_PANIC_ON_CORRUPTION_ID)))
+		usage(popt_context, EXIT_FAILURE,
+		_("Option --error-as-corruption must be used with --panic-on-corruption or --restart-on-corruption."),
+		poptGetInvocationName(popt_context));
+
 	if (ARG_SET(OPT_CANCEL_DEFERRED_ID) && ARG_SET(OPT_DEFERRED_ID))
 		usage(popt_context, EXIT_FAILURE,
 		      _("Options --cancel-deferred and --deferred cannot be used at the same time."),
diff --git a/src/veritysetup_arg_list.h b/src/veritysetup_arg_list.h
index 7e8dfb3..826044f 100644
--- a/src/veritysetup_arg_list.h
+++ b/src/veritysetup_arg_list.h
@@ -2,8 +2,8 @@
 /*
  * Veritysetup command line arguments list
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 /* long name, short name, popt type, help description, units, internal argument type, default value, allowed actions (empty=global) */
@@ -20,6 +20,8 @@ ARG(OPT_DEBUG, '\0', POPT_ARG_NONE, N_("Show debug messages"), NULL, CRYPT_ARG_B
 
 ARG(OPT_DEFERRED, '\0', POPT_ARG_NONE, N_("Device removal is deferred until the last user closes it"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS)
 
+ARG(OPT_ERROR_AS_CORRUPTION, '\0', POPT_ARG_NONE, N_("Handle IO error as corruption."), NULL, CRYPT_ARG_BOOL, {}, OPT_ERROR_AS_CORRUPTION_ACTIONS)
+
 ARG(OPT_FEC_DEVICE, '\0', POPT_ARG_STRING, N_("Path to device with error correction data"), N_("path"), CRYPT_ARG_STRING, {}, {})
 
 ARG(OPT_FEC_OFFSET, '\0', POPT_ARG_STRING, N_("Starting offset on the FEC device"), N_("bytes"), CRYPT_ARG_UINT64, {}, {})
diff --git a/src/veritysetup_args.h b/src/veritysetup_args.h
index bb2e302..7b02ff4 100644
--- a/src/veritysetup_args.h
+++ b/src/veritysetup_args.h
@@ -2,8 +2,8 @@
 /*
  * Command line arguments helpers
  *
- * Copyright (C) 2020-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2020-2024 Ondrej Kozina
+ * Copyright (C) 2020-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2020-2025 Ondrej Kozina
  */
 
 #ifndef VERITYSETUP_ARGS_H
@@ -24,6 +24,7 @@
 #define OPT_IGNORE_ZERO_BLOCKS_ACTIONS		{ OPEN_ACTION }
 #define OPT_PANIC_ON_CORRUPTION_ACTIONS		{ OPEN_ACTION }
 #define OPT_RESTART_ON_CORRUPTION_ACTIONS	{ OPEN_ACTION }
+#define OPT_ERROR_AS_CORRUPTION_ACTIONS		{ OPEN_ACTION }
 #define OPT_ROOT_HASH_FILE_ACTIONS		{ FORMAT_ACTION, OPEN_ACTION, VERIFY_ACTION }
 #define OPT_ROOT_HASH_SIGNATURE_ACTIONS		{ OPEN_ACTION }
 #define OPT_USE_TASKLETS_ACTIONS		{ OPEN_ACTION }
diff --git a/tests/00modules-test b/tests/00modules-test
index e9876cd..20d4b7e 100755
--- a/tests/00modules-test
+++ b/tests/00modules-test
@@ -2,7 +2,7 @@
 
 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
 
-function pversion() {
+pversion() {
 	if [ ! -x $CRYPTSETUP_PATH/$1 ] ; then
 		return
 	fi
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6947daa..861cfd0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -16,6 +16,7 @@ TESTS = 00modules-test \
 	device-test \
 	keyring-test \
 	keyring-compat-test \
+	keyring-trusted-test \
 	luks2-validation-test \
 	luks2-integrity-test \
 	vectors-test \
@@ -86,6 +87,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
 	device-test \
 	keyring-test \
 	keyring-compat-test \
+	keyring-trusted-test \
 	integrity-compat-test \
 	cryptsetup-valg-supps valg.sh valg-api.sh \
 	blockwise-compat-test \
@@ -129,6 +131,12 @@ vectors_test_LDFLAGS = $(AM_LDFLAGS) -static
 vectors_test_CFLAGS = $(AM_CFLAGS) -I$(top_srcdir)/lib @CRYPTO_CFLAGS@
 vectors_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
 
+crypto_check_SOURCES = crypto-check.c
+crypto_check_LDADD = ../libcrypto_backend.la @CRYPTO_LIBS@ @LIBARGON2_LIBS@
+crypto_check_LDFLAGS = $(AM_LDFLAGS) -static
+crypto_check_CFLAGS = $(AM_CFLAGS) -I$(top_srcdir)/lib @CRYPTO_CFLAGS@
+crypto_check_CPPFLAGS = $(AM_CPPFLAGS)
+
 unit_utils_io_SOURCES = unit-utils-io.c
 unit_utils_io_LDADD = ../libutils_io.la
 unit_utils_io_LDFLAGS = $(AM_LDFLAGS) -static
@@ -159,7 +167,7 @@ all_symbols_test_LDFLAGS = $(AM_LDFLAGS) -ldl
 all_symbols_test_CFLAGS = $(AM_CFLAGS)
 all_symbols_test_CPPFLAGS = $(AM_CPPFLAGS) -D_GNU_SOURCE
 
-check_PROGRAMS = api-test api-test-2 differ vectors-test unit-utils-io unit-utils-crypt-test unit-wipe all-symbols-test
+check_PROGRAMS = api-test api-test-2 differ crypto-check vectors-test unit-utils-io unit-utils-crypt-test unit-wipe all-symbols-test
 
 check-programs: test-symbols-list.h $(check_PROGRAMS) fake_systemd_tpm_path.so
 
diff --git a/tests/align-test b/tests/align-test
index 0c1e02a..aa7d79a 100755
--- a/tests/align-test
+++ b/tests/align-test
@@ -20,7 +20,7 @@ else
 fi
 
 
-function fips_mode()
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
@@ -48,6 +48,9 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	echo "TEST SKIPPED: $1"
@@ -55,7 +58,7 @@ skip()
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -65,12 +68,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function dm_crypt_features()
+dm_crypt_features()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
diff --git a/tests/align-test2 b/tests/align-test2
index 6ed82bc..22d5efc 100755
--- a/tests/align-test2
+++ b/tests/align-test2
@@ -42,6 +42,9 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	echo "TEST SKIPPED: $1"
@@ -49,7 +52,7 @@ skip()
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -59,12 +62,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function dm_crypt_features()
+dm_crypt_features()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
diff --git a/tests/all-symbols-test.c b/tests/all-symbols-test.c
index 5904e3b..14120ca 100644
--- a/tests/all-symbols-test.c
+++ b/tests/all-symbols-test.c
@@ -2,7 +2,7 @@
 /*
  * Test utility checking symbol versions in libcryptsetup.
  *
- * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2021-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <dlfcn.h>
@@ -57,7 +57,7 @@ static void test_logf(int level, const char *format, ...)
 
 static int check_dlvsym(void *h, const char *symbol, const char *version)
 {
-#ifdef HAVE_DLVSYM
+#if HAVE_DLVSYM
 	void *sym;
 	char *err;
 
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index 569227a..b188e5f 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -2,9 +2,9 @@
 /*
  * cryptsetup library LUKS2 API check functions
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #include <stdbool.h>
@@ -17,7 +17,7 @@
 #include <sys/stat.h>
 #include <inttypes.h>
 #include <sys/types.h>
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 #include <linux/keyctl.h>
 #include <sys/syscall.h>
 #ifndef HAVE_KEY_SERIAL_T
@@ -143,7 +143,7 @@ static uint32_t default_luks2_iter_time = 0;
 static uint32_t default_luks2_memory_kb = 0;
 static uint32_t default_luks2_parallel_threads = 0;
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 static char keyring_in_user_str_id[32] = {0};
 #endif
 
@@ -415,7 +415,7 @@ static int set_fast_pbkdf(struct crypt_device *_cd)
 	return crypt_set_pbkdf_type(_cd, pbkdf);
 }
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 static key_serial_t add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t keyring)
 {
 	return syscall(__NR_add_key, type, description, payload, plen, keyring);
@@ -594,7 +594,7 @@ static void _cleanup(void)
 	free(DEVICE_5);
 	free(DEVICE_6);
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	char *end;
 	key_serial_t krid;
 
@@ -761,7 +761,7 @@ static void SuspendDevice(void)
 	OK_(suspend_status);
 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
 	EQ_(CRYPT_ACTIVATE_SUSPENDED, cad.flags & CRYPT_ACTIVATE_SUSPENDED);
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	FAIL_(_volume_key_in_keyring(cd, 0), "");
 #endif
 	FAIL_(crypt_suspend(cd, CDEVICE_1), "already suspended");
@@ -865,8 +865,8 @@ static void AddDeviceLuks2(void)
 		pbkdf.max_memory_kb = 0;
 	}
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key3, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key3, vk_hex2, key_size));
 
 	// init test devices
 	OK_(get_luks2_offsets(0, 0, 0, &r_header_size, &r_payload_offset));
@@ -1212,7 +1212,7 @@ static void Luks2MetadataSize(void)
 		pbkdf.iterations = 1000;
 	}
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	// init test devices
 	OK_(get_luks2_offsets(0, 0, 0, &r_header_size, NULL));
@@ -1404,7 +1404,7 @@ static void Luks2HeaderRestore(void)
 		pbkdf.max_memory_kb = 0;
 	}
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	OK_(get_luks2_offsets(0, params.data_alignment, 0, NULL, &r_payload_offset));
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000));
@@ -1506,7 +1506,7 @@ static void Luks2HeaderLoad(void)
 		pbkdf.max_memory_kb = 0;
 	}
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	// hardcoded values for existing image IMAGE1
 	img_size = 8192;
@@ -1641,7 +1641,7 @@ static void Luks2HeaderBackup(void)
 		pbkdf.max_memory_kb = 0;
 	}
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	OK_(get_luks2_offsets(1, params.data_alignment, 0, NULL, &r_payload_offset));
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
@@ -1736,7 +1736,7 @@ static void ResizeDeviceLuks2(void)
 		pbkdf.max_memory_kb = 0;
 	}
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	// prepare env
 	OK_(get_luks2_offsets(0, params.data_alignment, 0, NULL, &r_payload_offset));
@@ -1788,7 +1788,7 @@ static void ResizeDeviceLuks2(void)
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 	CRYPT_FREE(cd);
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
 	// enable loading VKs in kernel keyring (default mode)
@@ -1885,7 +1885,7 @@ static void ResizeDeviceLuks2(void)
 
 static void TokenActivationByKeyring(void)
 {
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	key_serial_t kid, kid1;
 	struct crypt_active_device cad;
 
@@ -2149,8 +2149,12 @@ static void Tokens(void)
 	EQ_(crypt_token_json_get(cd, 2, &dummy), 2);
 
 	// exercise assign/unassign keyslots API
+	FAIL_(crypt_token_unassign_keyslot(cd, CRYPT_ANY_TOKEN, 1), "Token id must be specific.");
+	OK_(crypt_token_is_assigned(cd, 2, 1));
 	EQ_(crypt_token_unassign_keyslot(cd, 2, 1), 2);
 	FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr1, 0), "Token assigned to no keyslot");
+	FAIL_(crypt_token_assign_keyslot(cd, CRYPT_ANY_TOKEN, 0), "Token id must be specific.");
+	FAIL_(crypt_token_is_assigned(cd, 2, 0), "Token 2 must not be assigned to keyslot 0.");
 	EQ_(crypt_token_assign_keyslot(cd, 2, 0), 2);
 	FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr1, 0), "Wrong passphrase");
 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr, 0), 0);
@@ -2182,7 +2186,7 @@ static void Tokens(void)
 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr, 0), 0);
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	if (t_dm_crypt_keyring_support()) {
 		EQ_(crypt_activate_by_token(cd, NULL, 2, passptr, CRYPT_ACTIVATE_KEYRING_KEY), 0);
 		OK_(_volume_key_in_keyring(cd, 0));
@@ -2456,7 +2460,7 @@ static void LuksConvert(void)
 	OK_(strcmp(crypt_get_type(cd), CRYPT_LUKS1));
 	CRYPT_FREE(cd);
 
-	// exercice non-pbkdf2 LUKSv2 conversion
+	// exercise non-pbkdf2 LUKSv2 conversion
 	if (!_fips_mode) {
 		OK_(crypt_init(&cd, DEVICE_1));
 		OK_(crypt_set_data_offset(cd, offset));
@@ -2467,7 +2471,7 @@ static void LuksConvert(void)
 		CRYPT_FREE(cd);
 	}
 
-	// exercice non LUKS1 compatible keyslot
+	// exercise non LUKS1 compatible keyslot
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_set_data_offset(cd, offset));
 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
@@ -2477,7 +2481,7 @@ static void LuksConvert(void)
 	FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Unassigned keyslots are incompatible with LUKSv1 format");
 	CRYPT_FREE(cd);
 
-	// exercice LUKSv2 conversion with single pbkdf2 keyslot being active
+	// exercise LUKSv2 conversion with single pbkdf2 keyslot being active
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_set_data_offset(cd, offset));
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
@@ -3040,6 +3044,8 @@ static void Pbkdf(void)
 	// try to pass illegal values
 	argon2.parallel_threads = 0;
 	FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Parallel threads can't be 0");
+	argon2.parallel_threads = 99;
+	FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Parallel threads can't be higher than maximum");
 	argon2.parallel_threads = 1;
 	argon2.max_memory_kb = 0;
 	FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Memory can't be 0");
@@ -3126,7 +3132,7 @@ static void Pbkdf(void)
 	argon2.flags = CRYPT_PBKDF_NO_BENCHMARK;
 	argon2.max_memory_kb = 2 * 1024 * 1024;
 	argon2.iterations = 6;
-	argon2.parallel_threads = 8;
+	argon2.parallel_threads = 4;
 	OK_(crypt_set_pbkdf_type(cd, &argon2));
 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
 	EQ_(pbkdf->iterations, 6);
@@ -3176,8 +3182,8 @@ static void Luks2KeyslotAdd(void)
 		.sector_size = TST_SECTOR_SIZE
 	};
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key2, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key2, vk_hex2, key_size));
 
 	/* Cannot use Argon2 in FIPS */
 	if (_fips_mode) {
@@ -3197,6 +3203,10 @@ static void Luks2KeyslotAdd(void)
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
 	EQ_(crypt_keyslot_status(cd, 0), CRYPT_SLOT_ACTIVE_LAST);
 	EQ_(crypt_keyslot_status(cd, 1), CRYPT_SLOT_UNBOUND);
+	/* drop the generated volume key from device context cache */
+	CRYPT_FREE(cd);
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
 	/* must not activate volume with keyslot unassigned to a segment */
 	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key2, key_size, 0), "Key doesn't match volume key digest");
 	FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, 1, PASSPHRASE1, strlen(PASSPHRASE1), 0), "Keyslot not assigned to volume");
@@ -3209,19 +3219,20 @@ static void Luks2KeyslotAdd(void)
 	/* in general crypt_keyslot_add_by_key must allow any reasonable key size
 	 * even though such keyslot will not be usable for segment encryption */
 	EQ_(crypt_keyslot_add_by_key(cd, 2, key2, key_size-1, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 2);
-	EQ_(crypt_keyslot_add_by_key(cd, 3, key2, 13, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 3);
+	/* As per SP800-132 112 bits (14 bytes) is minimal key length */
+	EQ_(crypt_keyslot_add_by_key(cd, 3, key2, 14, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 3);
 
 	FAIL_(crypt_keyslot_get_key_size(cd, CRYPT_ANY_SLOT), "Bad keyslot specification.");
 	EQ_(crypt_get_volume_key_size(cd), key_size);
 	EQ_(crypt_keyslot_get_key_size(cd, 0), key_size);
 	EQ_(crypt_keyslot_get_key_size(cd, 1), key_size);
 	EQ_(crypt_keyslot_get_key_size(cd, 2), key_size-1);
-	EQ_(crypt_keyslot_get_key_size(cd, 3), 13);
+	EQ_(crypt_keyslot_get_key_size(cd, 3), 14);
 
 	key_ret_len = key_size - 1;
 	FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key_ret, &key_ret_len, PASSPHRASE1, strlen(PASSPHRASE1)), "Wrong size");
 
-	key_ret_len = 13;
+	key_ret_len = 14;
 	FAIL_(crypt_volume_key_get(cd, 2, key_ret, &key_ret_len, PASSPHRASE1, strlen(PASSPHRASE1)), "wrong size");
 	EQ_(crypt_volume_key_get(cd, 3, key_ret, &key_ret_len, PASSPHRASE1, strlen(PASSPHRASE1)), 3);
 	FAIL_(crypt_activate_by_volume_key(cd, NULL, key_ret, key_ret_len, 0), "Not a volume key");
@@ -3306,8 +3317,8 @@ static void Luks2KeyslotParams(void)
 	size_t key_size_ret, key_size = strlen(vk_hex) / 2, keyslot_key_size = 16;
 	uint64_t r_payload_offset;
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key2, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key2, vk_hex2, key_size));
 
 	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
 	OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
@@ -3434,7 +3445,7 @@ static void Luks2KeyslotParams(void)
 
 static void Luks2ActivateByKeyring(void)
 {
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 
 	key_serial_t kid, kid1;
 	uint64_t r_payload_offset;
@@ -3508,7 +3519,7 @@ static void Luks2Requirements(void)
 	char key[128];
 	size_t key_size = 128;
 	const struct crypt_pbkdf_type *pbkdf;
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	key_serial_t kid;
 #endif
 	uint32_t flags;
@@ -3643,7 +3654,7 @@ static void Luks2Requirements(void)
 	OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
 	OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	if (t_dm_crypt_keyring_support()) {
 		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
 		NOTFAIL_(kid, "Test or kernel keyring are broken.");
@@ -3738,7 +3749,7 @@ static void Luks2Requirements(void)
 	EQ_(r, -ETXTBSY);
 
 	/* crypt_activate_by_token (restricted for activation only) */
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	if (t_dm_crypt_keyring_support()) {
 		kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
 		NOTFAIL_(kid, "Test or kernel keyring are broken.");
@@ -3826,7 +3837,7 @@ static void Luks2Requirements(void)
 
 	/* crypt_get_active_device (unrestricted) */
 	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	if (t_dm_crypt_keyring_support())
 		EQ_(cad.flags & CRYPT_ACTIVATE_KEYRING_KEY, CRYPT_ACTIVATE_KEYRING_KEY);
 #endif
@@ -3907,8 +3918,8 @@ static void Luks2Refresh(void)
 	};
 	struct crypt_active_device cad = {};
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key1, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key1, vk_hex2, key_size));
 
 	OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset));
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
@@ -3954,7 +3965,7 @@ static void Luks2Refresh(void)
 	FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
 	cad.flags = 0;
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	if (t_dm_crypt_keyring_support()) {
 		OK_(crypt_volume_key_keyring(cd, 1));
 		OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
@@ -4048,6 +4059,7 @@ static void Luks2Refresh(void)
 static void Luks2Flags(void)
 {
 	uint32_t flags = 42;
+	const char *longlabel = "0123456789abcedf0123456789abcedf0123456789abcedf";
 
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
@@ -4078,6 +4090,9 @@ static void Luks2Flags(void)
 	OK_(strcmp("", crypt_get_label(cd)));
 	OK_(strcmp("", crypt_get_subsystem(cd)));
 
+	FAIL_(crypt_set_label(cd, longlabel, NULL), "long label");
+	FAIL_(crypt_set_label(cd, NULL, longlabel), "long subsystem");
+
 	CRYPT_FREE(cd);
 }
 
@@ -4119,12 +4134,19 @@ static void Luks2Reencryption(void)
 		.luks2 = &params2,
 	};
 	dev_t devno;
+	key_serial_t kid, kid1;
+	struct crypt_keyslot_context *kc_pass12 = NULL, *kc_pass21 = NULL, *kc_file12 = NULL, *kc_file21 = NULL,
+				     *kc_token12 = NULL, *kc_token21 = NULL, *kc_key = NULL, *kc_key2 = NULL;
 
-	const char *vk_hex = "bb21babe733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
-	size_t key_size = strlen(vk_hex) / 2;
-	char key[128];
+	const char *vk_hex =  "bb21babe733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a",
+		   *vk_hex2 = "bb21bebe733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a" \
+			      "cc21cfcf733229347ce4f681891f213d94d685cf6b5b84818baf7b78b6df7b1b";
+	size_t key_size = strlen(vk_hex) / 2,
+	       key_size2 = strlen(vk_hex2) / 2;
+	char key[128], key2[64];
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key2, vk_hex2, key_size2));
 
 	/* reencryption currently depends on kernel keyring support in dm-crypt */
 	if (!t_dm_crypt_keyring_support())
@@ -4186,6 +4208,7 @@ static void Luks2Reencryption(void)
 	EQ_(getflags & CRYPT_REQUIREMENT_ONLINE_REENCRYPT, CRYPT_REQUIREMENT_ONLINE_REENCRYPT);
 
 	/* some parameters are expected to change immediately after reencryption initialization */
+	EQ_(crypt_get_old_volume_key_size(cd), 32);
 	EQ_(crypt_get_volume_key_size(cd), 64);
 	OK_(strcmp(crypt_get_cipher_mode(cd), "xts-plain64"));
 	EQ_(crypt_get_sector_size(cd), 4096);
@@ -4387,6 +4410,34 @@ static void Luks2Reencryption(void)
 	CRYPT_FREE(cd);
 	CRYPT_FREE(cd2);
 
+	/* same key size reencryption */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
+	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+	EQ_(crypt_keyslot_add_by_key(cd, 10, NULL, 32, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_REENCRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "none",
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY
+	};
+	rparams.luks2 = &(struct crypt_params_luks2){ .sector_size = 512 };
+	NOTFAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, 10, "aes", "xts-plain64", &rparams), "Failed to initialize reencryption");
+	EQ_(crypt_get_volume_key_size(cd), 32);
+	EQ_(crypt_get_old_volume_key_size(cd), 32);
+	CRYPT_FREE(cd);
+
+	/* same key reencryption */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
+	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+	NOTFAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, 0, "aes", "xts-plain64", &rparams), "Failed to initialize reencryption");
+	EQ_(crypt_get_volume_key_size(cd), 32);
+	EQ_(crypt_get_old_volume_key_size(cd), 32);
+	CRYPT_FREE(cd);
+
 	/* data shift related tests */
 	params2.sector_size = 512;
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
@@ -4394,12 +4445,13 @@ static void Luks2Reencryption(void)
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
 	EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.direction = CRYPT_REENCRYPT_BACKWARD;
-	rparams.resilience = "datashift";
-	rparams.data_shift = 8;
-	rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY;
-	rparams.luks2 = &params2;
+	rparams = (struct crypt_params_reencrypt) {
+		.direction = CRYPT_REENCRYPT_BACKWARD,
+		.resilience = "datashift",
+		.data_shift = 8,
+		.luks2 = &params2,
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY
+	};
 	EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 0, 1, "aes", "xts-plain64", &rparams), 2);
 	EQ_(crypt_reencrypt_status(cd, &retparams), CRYPT_REENCRYPT_CLEAN);
 	EQ_(retparams.data_shift, 8);
@@ -4482,15 +4534,16 @@ static void Luks2Reencryption(void)
 
 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
 
-	memset(&rparams, 0, sizeof(rparams));
 	params2.sector_size = 512;
 	params2.data_device = DMDIR L_DEVICE_OK;
-	rparams.mode = CRYPT_REENCRYPT_ENCRYPT;
-	rparams.direction = CRYPT_REENCRYPT_BACKWARD;
-	rparams.resilience = "datashift";
-	rparams.data_shift = 8192;
-	rparams.luks2 = &params2;
-	rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_ENCRYPT,
+		.direction = CRYPT_REENCRYPT_BACKWARD,
+		.resilience = "datashift",
+		.data_shift = 8192,
+		.luks2 = &params2,
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT
+	};
 	OK_(crypt_set_data_offset(cd, 8192));
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, &params2));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 30, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 30);
@@ -4502,6 +4555,8 @@ static void Luks2Reencryption(void)
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
 	EQ_(crypt_reencrypt_status(cd, &retparams), CRYPT_REENCRYPT_CLEAN);
+	/* With encryption there's no old volume key */
+	EQ_(crypt_get_old_volume_key_size(cd), 0);
 	EQ_(retparams.mode, CRYPT_REENCRYPT_ENCRYPT);
 	OK_(strcmp(retparams.resilience, "datashift"));
 	EQ_(retparams.data_shift, 8192);
@@ -4539,15 +4594,16 @@ static void Luks2Reencryption(void)
 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
 
 	/* encryption with datashift and moved segment (data shift + data offset <= device size) */
-	memset(&rparams, 0, sizeof(rparams));
 	params2.sector_size = 512;
 	params2.data_device = DMDIR L_DEVICE_OK;
-	rparams.mode = CRYPT_REENCRYPT_ENCRYPT;
-	rparams.direction = CRYPT_REENCRYPT_BACKWARD;
-	rparams.resilience = "datashift";
-	rparams.data_shift = 8200;
-	rparams.luks2 = &params2;
-	rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_ENCRYPT,
+		.direction = CRYPT_REENCRYPT_BACKWARD,
+		.resilience = "datashift",
+		.data_shift = 8200,
+		.luks2 = &params2,
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT
+	};
 	OK_(crypt_set_data_offset(cd, 8200));
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, &params2));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 30, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 30);
@@ -4560,14 +4616,15 @@ static void Luks2Reencryption(void)
 
 	/* offline in-place encryption with reserved space in the head of data device */
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
-	memset(&rparams, 0, sizeof(rparams));
 	params2.sector_size = 512;
-	rparams.mode = CRYPT_REENCRYPT_ENCRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD;
-	rparams.resilience = "checksum";
-	rparams.hash = "sha256";
-	rparams.luks2 = &params2;
-	rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_ENCRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "checksum",
+		.hash = "sha256",
+		.luks2 = &params2,
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY
+	};
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, &params2));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 30, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 30);
 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 30, "aes", "xts-plain64", &rparams));
@@ -4578,6 +4635,38 @@ static void Luks2Reencryption(void)
 	EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE);
 	CRYPT_FREE(cd);
 
+	/* wipe existing header from previous run */
+	_system("dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=4K count=5 2>/dev/null", 1);
+
+	/* offline in-place encryption with reserved space in the head of data device (using no keyslot, by volume key) */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_ENCRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "checksum",
+		.hash = "sha256",
+		.luks2 = &(struct crypt_params_luks2){ .sector_size = 512 },
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY | CRYPT_REENCRYPT_CREATE_NEW_DIGEST
+	};
+	/* key does not matter. the new one from encrypt will be used */
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, &params2));
+	CRYPT_FREE(cd);
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+	OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc_key));
+	OK_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, NULL, kc_key, CRYPT_ANY_SLOT, CRYPT_ANY_SLOT, "aes", "xts-plain64", &rparams));
+	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, NULL, 0));
+	FAIL_(crypt_reencrypt_run(cd, NULL, NULL), "context not initialized");
+	rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY | CRYPT_REENCRYPT_CREATE_NEW_DIGEST;
+	FAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, NULL, kc_key, CRYPT_ANY_SLOT, CRYPT_ANY_SLOT, "aes", "xts-plain64", &rparams), "Can not use direct key flag with resume only.");
+	rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY;
+	OK_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, NULL, kc_key, CRYPT_ANY_SLOT, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_NONE);
+	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, NULL, 0));
+	crypt_keyslot_context_free(kc_key);
+	CRYPT_FREE(cd);
+
 	/* wipe existing header from previous run */
 	_system("dd if=/dev/zero of=" DMDIR L_DEVICE_OK " bs=4K count=5 2>/dev/null", 1);
 	/* open existing device from kernel (simulate active filesystem) */
@@ -4611,12 +4700,14 @@ static void Luks2Reencryption(void)
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 6);
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.mode = CRYPT_REENCRYPT_DECRYPT;
-	rparams.direction = CRYPT_REENCRYPT_BACKWARD;
-	rparams.resilience = "none";
-	rparams.max_hotzone_size = 2048;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_DECRYPT,
+		.direction = CRYPT_REENCRYPT_BACKWARD,
+		.resilience = "none",
+		.max_hotzone_size = 2048
+	};
 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
+	EQ_(crypt_get_old_volume_key_size(cd), 32);
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 	CRYPT_FREE(cd);
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
@@ -4632,11 +4723,12 @@ static void Luks2Reencryption(void)
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 6);
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.mode = CRYPT_REENCRYPT_DECRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD;
-	rparams.resilience = "none";
-	rparams.max_hotzone_size = 2048;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_DECRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "none",
+		.max_hotzone_size = 2048
+	};
 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 	CRYPT_FREE(cd);
@@ -4648,11 +4740,12 @@ static void Luks2Reencryption(void)
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 6);
 	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 6, PASSPHRASE, strlen(PASSPHRASE), 0), 6);
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.mode = CRYPT_REENCRYPT_DECRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD;
-	rparams.resilience = "none";
-	rparams.max_hotzone_size = 2048;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_DECRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "none",
+		.max_hotzone_size = 2048
+	};
 	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_2, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 	CRYPT_FREE(cd);
@@ -4671,11 +4764,12 @@ static void Luks2Reencryption(void)
 	OK_(crypt_init_data_device(&cd, BACKUP_FILE, DMDIR L_DEVICE_OK));
 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
 	EQ_(crypt_get_data_offset(cd), r_header_size);
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.mode = CRYPT_REENCRYPT_DECRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD;
-	rparams.resilience = "datashift";
-	rparams.data_shift = r_header_size;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_DECRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "datashift",
+		.data_shift = r_header_size
+	};
 	OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
 	EQ_(crypt_get_data_offset(cd), 0);
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
@@ -4703,11 +4797,12 @@ static void Luks2Reencryption(void)
 	OK_(crypt_init_data_device(&cd, BACKUP_FILE, DMDIR L_DEVICE_OK));
 	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
 	EQ_(crypt_get_data_offset(cd), r_header_size);
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.mode = CRYPT_REENCRYPT_DECRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD;
-	rparams.resilience = "datashift";
-	rparams.data_shift = r_header_size;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_DECRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "datashift",
+		.data_shift = r_header_size
+	};
 	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_2, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
 	EQ_(crypt_get_data_offset(cd), 0);
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
@@ -4736,11 +4831,11 @@ static void Luks2Reencryption(void)
 	EQ_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 6, PASSPHRASE, strlen(PASSPHRASE), 0), 6);
 	CRYPT_FREE(cd2);
 	EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 32, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
-
-	memset(&rparams, 0, sizeof(rparams));
-	rparams.resilience = "none";
-	rparams.max_hotzone_size = 16*2048;
-	rparams.luks2 = &params2;
+	rparams = (struct crypt_params_reencrypt) {
+		.resilience = "none",
+		.max_hotzone_size = 16*2048,
+		.luks2 = &params2
+	};
 
 	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "cbc-essiv:sha256", &rparams));
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
@@ -4807,12 +4902,13 @@ static void Luks2Reencryption(void)
 	OK_(crypt_volume_key_keyring(cd, 0)); /* disable keyring */
 	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 6, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_ALLOW_DISCARDS), 6);
 	OK_(crypt_volume_key_keyring(cd, 1));
-	rparams.mode = CRYPT_REENCRYPT_REENCRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD,
-	rparams.resilience = "none",
-	rparams.max_hotzone_size = 8;
-	rparams.luks2 = &params2;
-	rparams.flags = 0;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_REENCRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "none",
+		.max_hotzone_size = 8,
+		.luks2 = &params2
+	};
 	EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
 	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "xts-plain64", &rparams));
 	test_progress_steps = 2;
@@ -4835,15 +4931,12 @@ static void Luks2Reencryption(void)
 	_cleanup_dmdevices();
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 16));
 
-	rparams.mode = CRYPT_REENCRYPT_REENCRYPT;
-	rparams.direction = CRYPT_REENCRYPT_FORWARD;
-	rparams.resilience = "none";
-	rparams.hash = NULL;
-	rparams.data_shift = 0;
-	rparams.max_hotzone_size = 0;
-	rparams.device_size = 0;
-	rparams.luks2 = &params2;
-	rparams.flags = 0;
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_REENCRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.resilience = "none",
+		.luks2 = &params2
+	};
 
 	/* Test support for specific key reencryption */
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
@@ -5010,6 +5103,177 @@ static void Luks2Reencryption(void)
 
 	CRYPT_FREE(cd);
 	_cleanup_dmdevices();
+	_remove_keyfiles();
+
+	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
+	OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
+
+	OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 16));
+
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_REENCRYPT,
+		.direction = CRYPT_REENCRYPT_FORWARD,
+		.luks2 = &(struct crypt_params_luks2){ .sector_size = 512 },
+		.resilience = "none",
+	};
+
+	/* FIXME */
+	/* FIXME it breaks when params2.data_device == metadata device */
+	/* FIXME */
+
+	/* create device */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, key, key_size, &(struct crypt_params_luks2){ .sector_size = 512 }));
+	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 21, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 21);
+
+	/* add unbound key */
+	EQ_(crypt_keyslot_add_by_key(cd, 12, key2, key_size2, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 12);
+	/* add unbound key that will not be used in reencryption */
+	EQ_(crypt_keyslot_add_by_key(cd, 13, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 13);
+
+	kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
+	NOTFAIL_(kid, "Test or kernel keyring are broken.");
+	kid1 = add_key("user", KEY_DESC_TEST1, PASSPHRASE1, strlen(PASSPHRASE1), KEY_SPEC_THREAD_KEYRING);
+	NOTFAIL_(kid1, "Test or kernel keyring are broken.");
+
+	EQ_(crypt_token_luks2_keyring_set(cd, 21, &(const struct crypt_token_params_luks2_keyring){.key_description = KEY_DESC_TEST0}), 21);
+	EQ_(crypt_token_luks2_keyring_set(cd, 12, &(const struct crypt_token_params_luks2_keyring){.key_description = KEY_DESC_TEST1}), 12);
+
+	EQ_(crypt_token_assign_keyslot(cd, 21, 21), 21);
+	EQ_(crypt_token_assign_keyslot(cd, 12, 12), 12);
+
+	// key
+	OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc_key));
+	// key2
+	OK_(crypt_keyslot_context_init_by_volume_key(cd, key2, key_size2, &kc_key2));
+	// token 21, keyslot 21
+	OK_(crypt_keyslot_context_init_by_token(cd, 21, NULL, NULL, 0, NULL, &kc_token21));
+	// token 12, keyslot 12
+	OK_(crypt_keyslot_context_init_by_token(cd, 12, NULL, NULL, 0, NULL, &kc_token12));
+	// keyfile21
+	OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc_file21));
+	// keyfile12
+	OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE2, 0, 0, &kc_file12));
+	// passphrase21
+	OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc_pass21));
+	// passphrase12
+	OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE1, strlen(PASSPHRASE1), &kc_pass12));
+
+	// reencrypt by token
+	NOTFAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_token21, kc_token12, CRYPT_ANY_SLOT, 12, "aes", "xts-plain64", &rparams), "Reencrypt init failed");
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	EQ_(crypt_keyslot_status(cd, 13), CRYPT_SLOT_UNBOUND);
+
+	// add previous key as unbound key
+	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc_key, 21, kc_token21, CRYPT_VOLUME_KEY_NO_SEGMENT), 21);
+
+	EQ_(crypt_activate_by_keyslot_context(cd, NULL, 12, kc_pass12, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), 12);
+	EQ_(crypt_activate_by_keyslot_context(cd, NULL, 12, kc_file12, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), 12);
+	EQ_(crypt_activate_by_keyslot_context(cd, NULL, 21, kc_file21, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), 21);
+
+	// reencrypt by keyfile
+	NOTFAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_file12, kc_file21, CRYPT_ANY_SLOT, 21, "aes", "xts-plain64", &rparams), "Reencrypt init failed");
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	EQ_(crypt_keyslot_status(cd, 13), CRYPT_SLOT_UNBOUND);
+
+	// reencrypt just by volume keys (new key is passed directly w/o being stored in any keyslot)
+	rparams.flags |= CRYPT_REENCRYPT_CREATE_NEW_DIGEST;
+	NOTFAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_key, kc_key2, CRYPT_ANY_SLOT, CRYPT_ANY_SLOT, "aes", "xts-plain64", &rparams), "Reencrypt init failed");
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	EQ_(crypt_keyslot_status(cd, 13), CRYPT_SLOT_UNBOUND);
+	rparams.flags &= ~CRYPT_REENCRYPT_CREATE_NEW_DIGEST;
+	// store new key in a keyslot
+	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc_key2, 12, kc_token12, 0), 12);
+
+	// add previous key as unbound key.
+	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc_key, 21, kc_token21, CRYPT_VOLUME_KEY_NO_SEGMENT), 21);
+
+	NOTFAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_pass12, kc_token21, CRYPT_ANY_SLOT, 21, "aes", "xts-plain64", &rparams), "Reencrypt init failed");
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	EQ_(crypt_keyslot_status(cd, 13), CRYPT_SLOT_UNBOUND);
+
+	// add previous key as unbound key.
+	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc_key2, 12, kc_token12, CRYPT_VOLUME_KEY_NO_SEGMENT), 12);
+
+	rparams.max_hotzone_size = 1;
+	NOTFAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_key, kc_key2, CRYPT_ANY_SLOT, 12, "aes", "xts-plain64", &rparams), "Reencrypt init failed");
+	test_progress_steps = 2;
+	OK_(crypt_reencrypt_run(cd, &test_progress, NULL));
+	EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_CLEAN);
+
+	// test device activation via additional keyslot
+	// keys
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, NULL, 0), -ESRCH);
+	NOTFAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, kc_key2, 0), "Failed to activate device in reencryption");
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+	// tokens
+	NOTFAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc_token21, CRYPT_ANY_SLOT, kc_token12, 0), "Failed to activate device in reencryption");
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+	// files
+	NOTFAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc_file21, CRYPT_ANY_SLOT, kc_file12, 0), "Failed to activate device in reencryption");
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+	// passphrases
+	NOTFAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc_pass21, CRYPT_ANY_SLOT, kc_pass12, 0), "Failed to activate device in reencryption");
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
+
+	EQ_(crypt_keyslot_status(cd, 13), CRYPT_SLOT_UNBOUND);
+
+	crypt_keyslot_context_free(kc_pass21);
+	crypt_keyslot_context_free(kc_file12);
+	crypt_keyslot_context_free(kc_file21);
+	crypt_keyslot_context_free(kc_token12);
+	crypt_keyslot_context_free(kc_token21);
+
+	CRYPT_FREE(cd);
+
+	/* specifically test reencryption of device with no active keyslots */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, key, key_size, &(struct crypt_params_luks2){ .sector_size = 512 }));
+	FAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_key, kc_key2, CRYPT_ANY_SLOT, CRYPT_ANY_SLOT, "aes", "xts-plain64", &rparams), "Reencrypt init failed due to missing new key keyslot.");
+	rparams.flags |= CRYPT_REENCRYPT_CREATE_NEW_DIGEST;
+	NOTFAIL_(crypt_reencrypt_init_by_keyslot_context(cd, NULL, kc_key, kc_key2, CRYPT_ANY_SLOT, CRYPT_ANY_SLOT, "aes", "xts-plain64", &rparams), "Reencrypt init failed.");
+
+	FAIL_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, NULL, 0), "Missing key for device in reencryption.");
+	FAIL_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key2, CRYPT_ANY_SLOT, NULL, 0), "Missing key for device in reencryption.");
+
+	/* after reencryption gets initialized the order in which user provides keyslot contexts does not matter */
+	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, kc_key2, 0));
+	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key2, CRYPT_ANY_SLOT, kc_key, 0));
+
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	CRYPT_FREE(cd);
+
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+
+	/* check digest was properly stored in mda */
+	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key2, CRYPT_ANY_SLOT, NULL, 0));
+	FAIL_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc_key, CRYPT_ANY_SLOT, NULL, 0), "Not valid volume key");
+
+	/* add keyslot by new volume key */
+	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc_key2, 12, kc_pass12, 0), 12);
+	EQ_(crypt_activate_by_keyslot_context(cd, NULL, 12, kc_pass12, CRYPT_ANY_SLOT, NULL, 0), 12);
+
+	crypt_keyslot_context_free(kc_pass12);
+	crypt_keyslot_context_free(kc_key);
+	crypt_keyslot_context_free(kc_key2);
+
+	CRYPT_FREE(cd);
+
+	NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+	NOTFAIL_(keyctl_unlink(kid1, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
+
+	_cleanup_dmdevices();
 }
 #endif
 
@@ -5019,7 +5283,7 @@ static void LuksKeyslotAdd(void)
 		.sector_size = 512
 	};
 	char key[128], key3[128];
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	int ks;
 	key_serial_t kid;
 #endif
@@ -5035,8 +5299,8 @@ static void LuksKeyslotAdd(void)
 	uint64_t r_payload_offset;
 	struct crypt_keyslot_context *um1, *um2;
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key3, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key3, vk_hex2, key_size));
 
 	// init test devices
 	OK_(get_luks2_offsets(0, 0, 0, NULL, &r_payload_offset));
@@ -5118,7 +5382,7 @@ static void LuksKeyslotAdd(void)
 	OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
 	// passphrase not in keyring
 	FAIL_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 13, um2, 0), "No token available.");
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	// wrong passphrase in keyring
 	kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE1, strlen(PASSPHRASE1), KEY_SPEC_THREAD_KEYRING);
 	NOTFAIL_(kid, "Test or kernel keyring are broken.");
@@ -5161,8 +5425,8 @@ static void VolumeKeyGet(void)
 	struct crypt_params_luks2 params = {
 		.sector_size = 512
 	};
-	char key[256], key2[256];
-#ifdef KERNEL_KEYRING
+	char key[256], key2[256], key3[256];
+#if KERNEL_KEYRING
 	key_serial_t kid;
 	const struct crypt_token_params_luks2_keyring tparams = {
 		.key_description = KEY_DESC_TEST0
@@ -5170,18 +5434,21 @@ static void VolumeKeyGet(void)
 #endif
 
 	const char *vk_hex =  "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"
-			      "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1b";
+			      "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1b",
+		   *vk2_hex = "cb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"
+			      "cb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1c";
 	size_t key_size = strlen(vk_hex) / 2;
 	const char *cipher = "aes";
 	const char *cipher_mode = "xts-plain64";
 	uint64_t r_payload_offset;
 	struct crypt_keyslot_context *um1, *um2;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key3, vk2_hex, key_size));
 
 	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE1, strlen(PASSPHRASE1)));
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE1, strlen(PASSPHRASE1), KEY_SPEC_THREAD_KEYRING);
 	NOTFAIL_(kid, "Test or kernel keyring are broken.");
 #endif
@@ -5228,11 +5495,16 @@ static void VolumeKeyGet(void)
 	OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
 	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 1, um2, 0), 1);
 	crypt_keyslot_context_free(um2);
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	EQ_(crypt_token_luks2_keyring_set(cd, 0, &tparams), 0);
 	EQ_(crypt_token_assign_keyslot(cd, 0, 1), 0);
 #endif
 	crypt_keyslot_context_free(um1);
+	OK_(crypt_keyslot_context_init_by_volume_key(cd, key3, key_size, &um1));
+	OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE1, strlen(PASSPHRASE1), &um2));
+	EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 4, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 4);
+	crypt_keyslot_context_free(um1);
+	crypt_keyslot_context_free(um2);
 	CRYPT_FREE(cd);
 
 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
@@ -5261,13 +5533,27 @@ static void VolumeKeyGet(void)
 	EQ_(crypt_volume_key_get_by_keyslot_context(cd, 1, key2, &key_size, um1), 1);
 	crypt_keyslot_context_free(um1);
 
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	// by token
 	OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &um1));
 	memset(key2, 0, key_size);
 	EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), 1);
 	OK_(memcmp(key, key2, key_size));
 	crypt_keyslot_context_free(um1);
+
+	// unbound keyslot by passphrase in keyring
+	OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &um1));
+	memset(key2, 0, key_size);
+	EQ_(crypt_volume_key_get_by_keyslot_context(cd, 4, key2, &key_size, um1), 4);
+	OK_(memcmp(key3, key2, key_size));
+	crypt_keyslot_context_free(um1);
+
+	// by passphrase in keyring
+	OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &um1));
+	memset(key2, 0, key_size);
+	EQ_(crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key2, &key_size, um1), 1);
+	OK_(memcmp(key, key2, key_size));
+	crypt_keyslot_context_free(um1);
 #endif
 	CRYPT_FREE(cd);
 
@@ -5277,7 +5563,7 @@ static void VolumeKeyGet(void)
 
 static void KeyslotContextAndKeyringLink(void)
 {
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	const char *cipher = "aes";
 	const char *cipher_mode = "xts-plain64";
 	struct crypt_keyslot_context *kc, *kc2;
@@ -5627,7 +5913,7 @@ static void KeyslotContextAndKeyringLink(void)
 
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user"));
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER2, keyring_in_user_id, "user"));
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL);
+	FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), "Failed to read key from kernel keyring");
 
 	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0);
 	NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring.");
@@ -5639,7 +5925,7 @@ static void KeyslotContextAndKeyringLink(void)
 	GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0);
 	vk_buf[0] = ~vk_buf[0];
 	OK_(keyctl_update(linked_kid, vk_buf, vk_len));
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EPERM);
 
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user"));
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER2, keyring_in_user_id, "user"));
@@ -5660,17 +5946,11 @@ static void KeyslotContextAndKeyringLink(void)
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 
 	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0));
-	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0));
-	// lazy evaluation, if the first context supplies key and only one key is required, the second (invalid) context is not invoked
-	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0));
-	// first context takes precedence, if t fails, the second is not tried
-	EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, kc, 0), -EINVAL);
-
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0);
+	OK_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0));
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user"));
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL);
+	FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "Failed to read key from kernel keyring");
 
 	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 1);
 	NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring.");
@@ -5682,7 +5962,8 @@ static void KeyslotContextAndKeyringLink(void)
 	GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0);
 	vk_buf[0] = ~vk_buf[0];
 	OK_(keyctl_update(linked_kid, vk_buf, vk_len));
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0), -EPERM);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), -EPERM);
 
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user"));
 	CRYPT_FREE(cd);
@@ -5694,14 +5975,15 @@ static void KeyslotContextAndKeyringLink(void)
 
 	OK_(crypt_init(&cd, DMDIR H_DEVICE));
 
-	memset(&rparams, 0, sizeof(rparams));
 	params2.sector_size = 512;
 	params2.data_device = DMDIR L_DEVICE_OK;
-	rparams.mode = CRYPT_REENCRYPT_ENCRYPT;
-	rparams.luks2 = &params2;
-	rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY;
-	rparams.resilience = "checksum";
-	rparams.hash = "sha256";
+	rparams = (struct crypt_params_reencrypt) {
+		.mode = CRYPT_REENCRYPT_ENCRYPT,
+		.resilience = "checksum",
+		.hash = "sha256",
+		.luks2 = &params2,
+		.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY,
+	};
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "xts-plain64", NULL, NULL, 64, &params2));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 1);
 	EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ANY_SLOT, 1, "aes", "xts-plain64", &rparams), 0);
@@ -5714,28 +5996,25 @@ static void KeyslotContextAndKeyringLink(void)
 
 	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0));
 	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0));
-	// lazy evaluation, if the first context supplies key and only one key is required, the second (invalid) context is not invoked
-	OK_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0));
-	// first context takes precedence, if t fails, the second is not tried
-	EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, kc, 0), -EINVAL);
 
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0);
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user"));
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL);
+	FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "Failed to read key from kernel keyring");
 
 	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 1);
 	NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring.");
 	FAIL_((linked_kid2 = request_key("user", TEST_KEY_VK_USER2, NULL, 0)), "VK was not linked to custom keyring.");
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), 0);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0);
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 	GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0);
 	vk_buf[0] = ~vk_buf[0];
 	OK_(keyctl_update(linked_kid, vk_buf, vk_len));
-	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc2, 0), -EINVAL);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0), -EPERM);
+	EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), -EPERM);
 
 	OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_user_id, "user"));
 	CRYPT_FREE(cd);
@@ -5751,7 +6030,7 @@ static void KeyslotContextAndKeyringLink(void)
 
 static int _crypt_load_check(struct crypt_device *_cd)
 {
-#ifdef HAVE_BLKID
+#if HAVE_BLKID
 	return crypt_load(_cd, CRYPT_LUKS, NULL);
 #else
 	return -ENOTSUP;
diff --git a/tests/api-test.c b/tests/api-test.c
index c9953c3..66fec00 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -2,9 +2,9 @@
 /*
  * cryptsetup library API check functions
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #include <stdlib.h>
@@ -323,7 +323,7 @@ static void AddDevicePlain(void)
 
 	uint64_t size, r_size;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 	FAIL_(crypt_init(&cd, ""), "empty device string");
 	FAIL_(crypt_init(&cd, DEVICE_WRONG), "nonexistent device name ");
 	FAIL_(crypt_init(&cd, DEVICE_CHAR), "character device as backing device");
@@ -806,8 +806,8 @@ static void AddDeviceLuks(void)
 	uint64_t r_payload_offset, r_header_size, r_size_1;
 	struct crypt_pbkdf_type pbkdf;
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key3, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key3, vk_hex2, key_size));
 
 	// init test devices
 	OK_(get_luks_offsets(1, key_size, 0, 0, &r_header_size, &r_payload_offset));
@@ -1139,7 +1139,7 @@ static void LuksHeaderRestore(void)
 	const char *cipher_mode = "cbc-essiv:sha256";
 	uint64_t r_payload_offset;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000));
@@ -1227,7 +1227,7 @@ static void LuksHeaderLoad(void)
 	uint64_t r_payload_offset, r_header_size;
 	uint64_t mdata_size, keyslots_size;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	// prepare test env
 	OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, &r_header_size, &r_payload_offset));
@@ -1340,7 +1340,7 @@ static void LuksHeaderBackup(void)
 
 	const char *passphrase = PASSPHRASE;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
 	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
@@ -1420,7 +1420,7 @@ static void ResizeDeviceLuks(void)
 	const char *cipher_mode = "cbc-essiv:sha256";
 	uint64_t r_payload_offset, r_header_size, r_size;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	// prepare env
 	OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
@@ -1517,7 +1517,7 @@ static void HashDevicePlain(void)
 	//         0 1 2 3 4 5 6 7 8 9 a b c d e f
 	vk_hex = "caffeecaffeecaffeecaffeecaffee88";
 	key_size = 16;
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 	OK_(prepare_keyfile(KEYFILE1, key, key_size));
 	OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
 	OK_(get_key_dm(CDEVICE_1, key, sizeof(key)));
@@ -1537,7 +1537,7 @@ static void HashDevicePlain(void)
 	//         0 1 2 3 4 5 6 7 8 9 a b c d e f
 	vk_hex = "caffeecaffeecaffeecaffeecaffee88babebabe";
 	key_size = 16;
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, strlen(vk_hex) / 2));
 	OK_(prepare_keyfile(KEYFILE1, key, strlen(vk_hex) / 2));
 	OK_(crypt_activate_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1, key_size, 0));
 	OK_(get_key_dm(CDEVICE_1, key, sizeof(key)));
@@ -1560,7 +1560,7 @@ static void HashDevicePlain(void)
 	//         0 1 2 3 4 5 6 7 8 9 a b c d e f
 	vk_hex = "aabbcaffeecaffeecaffeecaffeecaff";
 	key_size = 16;
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 	OK_(prepare_keyfile(KEYFILE1, key, strlen(vk_hex) / 2));
 	OK_(crypt_init(&cd, DEVICE_1));
 	OK_(crypt_format(cd, CRYPT_PLAIN, "aes", "cbc-essiv:sha256", NULL, NULL, 16, &params));
@@ -1631,8 +1631,8 @@ static void VerityTest(void)
 		.flags = CRYPT_VERITY_CREATE_HASH,
 	};
 
-	crypt_decode_key(salt, salt_hex, strlen(salt_hex) / 2);
-	crypt_decode_key(root_hash, root_hex, strlen(root_hex) / 2);
+	OK_(crypt_decode_key(salt, salt_hex, strlen(salt_hex) / 2));
+	OK_(crypt_decode_key(root_hash, root_hex, strlen(root_hex) / 2));
 
 	/* Format */
 	OK_(crypt_init(&cd, DEVICE_2));
@@ -1762,7 +1762,7 @@ static void TcryptTest(void)
 		"3979531d1cdc18af62757cf22286f16f8583d848524f128d7594ac2082668c73";
 	int r;
 
-	crypt_decode_key(key_def, key_hex, strlen(key_hex) / 2);
+	OK_(crypt_decode_key(key_def, key_hex, strlen(key_hex) / 2));
 
 	// First ensure we can use af_alg skcipher interface
 	r = crypt_benchmark(NULL, "aes", "xts", 512, 16, 1024, &enc_mbr, &dec_mbr);
@@ -1848,6 +1848,15 @@ static void TcryptTest(void)
 	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, CRYPT_ACTIVATE_READONLY));
 	CRYPT_FREE(cd);
 
+	// Check tcrypt can correctly parse parameters from active stacked cipher device
+	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+	OK_(strcmp(crypt_get_cipher(cd), "aes-twofish-serpent"));
+	OK_(strcmp(crypt_get_cipher_mode(cd), "xts-plain64"));
+	EQ_(crypt_get_volume_key_size(cd), 192);
+	/* just check if it correctly parsed data device down to a loopback device */
+	OK_(strncmp(crypt_get_device_name(cd) ?: "", "/dev/loop", 9));
+	CRYPT_FREE(cd);
+
 	// Deactivate the whole chain
 	EQ_(crypt_status(NULL, CDEVICE_1 "_1"), CRYPT_BUSY);
 	OK_(crypt_deactivate(NULL, CDEVICE_1));
@@ -1936,9 +1945,9 @@ static void ResizeIntegrityWithKey(void)
 	size_t journal_integrity_key_size = strlen(key_journal_integrity_hex) / 2;
 	size_t journal_crypt_key_size = strlen(key_journal_crypt_hex) / 2;
 
-	crypt_decode_key(integrity_key, key_integrity_hex, integrity_key_size);
-	crypt_decode_key(journal_integrity_key, key_journal_integrity_hex, journal_integrity_key_size);
-	crypt_decode_key(journal_crypt_key, key_journal_crypt_hex, journal_crypt_key_size);
+	OK_(crypt_decode_key(integrity_key, key_integrity_hex, integrity_key_size));
+	OK_(crypt_decode_key(journal_integrity_key, key_journal_integrity_hex, journal_integrity_key_size));
+	OK_(crypt_decode_key(journal_crypt_key, key_journal_crypt_hex, journal_crypt_key_size));
 
 	params.integrity_key_size = integrity_key_size;
 
@@ -2004,15 +2013,24 @@ static void IntegrityTest(void)
 		.tag_size = 4,
 		.integrity = "crc32c",
 		.sector_size = 4096,
-	}, ip = {};
+	}, ip = {}, params2 = {
+		.tag_size = 32,
+		.integrity = "hmac(sha256)",
+		.sector_size = 4096,
+	};
 	struct crypt_active_device cad;
 	int ret;
 
-	// FIXME: this should be more detailed
+	const char *key_integrity_hex = "e9668637426e277d126fe848e47417953701a511eee43b53c671342cec400d6e";
+	size_t integrity_key_size = strlen(key_integrity_hex) / 2;
+	char integrity_key[128];
+
+	OK_(crypt_decode_key(integrity_key, key_integrity_hex, integrity_key_size));
+	params2.integrity_key_size = integrity_key_size;
 
-	OK_(crypt_init(&cd,DEVICE_1));
-	FAIL_(crypt_format(cd,CRYPT_INTEGRITY,NULL,NULL,NULL,NULL,0,NULL), "params field required");
-	ret = crypt_format(cd,CRYPT_INTEGRITY,NULL,NULL,NULL,NULL,0,&params);
+	OK_(crypt_init(&cd, DEVICE_1));
+	FAIL_(crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, NULL), "params field required");
+	ret = crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, &params);
 	if (ret < 0) {
 		printf("WARNING: cannot format integrity device, skipping test.\n");
 		CRYPT_FREE(cd);
@@ -2027,7 +2045,7 @@ static void IntegrityTest(void)
 	EQ_(ip.journal_watermark, params.journal_watermark);
 	EQ_(ip.integrity_key_size, 0);
 	OK_(strcmp(ip.integrity,params.integrity));
-	FAIL_(crypt_set_uuid(cd,DEVICE_1_UUID),"can't set uuid to integrity device");
+	FAIL_(crypt_set_uuid(cd,DEVICE_1_UUID), "can't set uuid to integrity device");
 	CRYPT_FREE(cd);
 
 	OK_(crypt_init(&cd, DEVICE_1));
@@ -2047,8 +2065,8 @@ static void IntegrityTest(void)
 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
 	OK_(crypt_get_integrity_info(cd, &ip));
 	EQ_(ip.tag_size, params.tag_size);
-	OK_(strcmp(ip.integrity,params.integrity));
-	OK_(strcmp(CRYPT_INTEGRITY,crypt_get_type(cd)));
+	OK_(strcmp(ip.integrity, params.integrity));
+	OK_(strcmp(CRYPT_INTEGRITY, crypt_get_type(cd)));
 
 	if (t_dm_integrity_recalculate_support()) {
 		OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
@@ -2060,6 +2078,31 @@ static void IntegrityTest(void)
 
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 	CRYPT_FREE(cd);
+
+	// legacy format with NULL
+	OK_(crypt_init(&cd, DEVICE_1));
+	OK_(crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, &params2));
+	OK_(crypt_get_integrity_info(cd, &ip));
+	EQ_(ip.tag_size, params2.tag_size);
+	EQ_(ip.integrity_key_size, integrity_key_size);
+	OK_(strcmp(ip.integrity, params2.integrity));
+	CRYPT_FREE(cd);
+
+	// provide specific key
+	OK_(crypt_init(&cd, DEVICE_1));
+	OK_(crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL, integrity_key, integrity_key_size, &params2));
+	OK_(crypt_get_integrity_info(cd, &ip));
+	EQ_(ip.tag_size, params2.tag_size);
+	EQ_(ip.integrity_key_size, integrity_key_size);
+	OK_(strcmp(ip.integrity, params2.integrity));
+	CRYPT_FREE(cd);
+
+	OK_(crypt_init(&cd, DEVICE_1));
+	OK_(crypt_load(cd, CRYPT_INTEGRITY, NULL));
+	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, NULL, 0, 0));
+	GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	CRYPT_FREE(cd);
 }
 
 static void WipeTest(void)
@@ -2105,8 +2148,8 @@ static void LuksKeyslotAdd(void)
 	uint64_t r_payload_offset;
 	struct crypt_keyslot_context *um1, *um2;
 
-	crypt_decode_key(key, vk_hex, key_size);
-	crypt_decode_key(key3, vk_hex2, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
+	OK_(crypt_decode_key(key3, vk_hex2, key_size));
 
 	// init test devices
 	OK_(get_luks_offsets(0, key_size, params.data_alignment, 0, NULL, &r_payload_offset));
@@ -2211,7 +2254,7 @@ static void VolumeKeyGet(void)
 	uint64_t r_payload_offset;
 	struct crypt_keyslot_context *um1, *um2;
 
-	crypt_decode_key(key, vk_hex, key_size);
+	OK_(crypt_decode_key(key, vk_hex, key_size));
 
 	OK_(prepare_keyfile(KEYFILE1, PASSPHRASE1, strlen(PASSPHRASE1)));
 
diff --git a/tests/api_test.h b/tests/api_test.h
index a333da3..ec6abd4 100644
--- a/tests/api_test.h
+++ b/tests/api_test.h
@@ -2,9 +2,9 @@
 /*
  * cryptsetup library API check functions
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
- * Copyright (C) 2016-2024 Ondrej Kozina
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
+ * Copyright (C) 2016-2025 Ondrej Kozina
  */
 
 #ifndef API_TEST_H
@@ -101,36 +101,40 @@ void xlog(const char *msg, const char *tst, const char *func, int line, const ch
 #define DIV_ROUND_UP_MODULO(n,d) (DIV_ROUND_UP(n,d)*(d))
 
 /* Device mapper backend - kernel support flags */
-#define T_DM_KEY_WIPE_SUPPORTED (1 << 0)	/* key wipe message */
-#define T_DM_LMK_SUPPORTED      (1 << 1)	/* lmk mode */
-#define T_DM_SECURE_SUPPORTED   (1 << 2)	/* wipe (secure) buffer flag */
-#define T_DM_PLAIN64_SUPPORTED  (1 << 3)	/* plain64 IV */
-#define T_DM_DISCARDS_SUPPORTED (1 << 4)	/* discards/TRIM option is supported */
-#define T_DM_VERITY_SUPPORTED   (1 << 5)	/* dm-verity target supported */
-#define T_DM_TCW_SUPPORTED      (1 << 6)	/* tcw (TCRYPT CBC with whitening) */
-#define T_DM_SAME_CPU_CRYPT_SUPPORTED (1 << 7) /* same_cpu_crypt */
-#define T_DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED (1 << 8) /* submit_from_crypt_cpus */
-#define T_DM_VERITY_ON_CORRUPTION_SUPPORTED (1 << 9) /* ignore/restart_on_corruption, ignore_zero_block */
-#define T_DM_VERITY_FEC_SUPPORTED (1 << 10) /* Forward Error Correction (FEC) */
-#define T_DM_KERNEL_KEYRING_SUPPORTED (1 << 11) /* dm-crypt allows loading kernel keyring keys */
-#define T_DM_INTEGRITY_SUPPORTED (1 << 12) /* dm-integrity target supported */
-#define T_DM_SECTOR_SIZE_SUPPORTED (1 << 13) /* support for sector size setting in dm-crypt/dm-integrity */
-#define T_DM_CAPI_STRING_SUPPORTED (1 << 14) /* support for cryptoapi format cipher definition */
-#define T_DM_DEFERRED_SUPPORTED (1 << 15) /* deferred removal of device */
-#define T_DM_INTEGRITY_RECALC_SUPPORTED (1 << 16) /* dm-integrity automatic recalculation supported */
-#define T_DM_INTEGRITY_BITMAP_SUPPORTED (1 << 17) /* dm-integrity bitmap mode supported */
-#define T_DM_GET_TARGET_VERSION_SUPPORTED (1 << 18) /* dm DM_GET_TARGET version ioctl supported */
-#define T_DM_INTEGRITY_FIX_PADDING_SUPPORTED (1 << 19) /* supports the parameter fix_padding that fixes a bug that caused excessive padding */
-#define T_DM_BITLK_EBOIV_SUPPORTED (1 << 20) /* EBOIV for BITLK supported */
-#define T_DM_BITLK_ELEPHANT_SUPPORTED (1 << 21) /* Elephant diffuser for BITLK supported */
-#define T_DM_VERITY_SIGNATURE_SUPPORTED (1 << 22) /* Verity option root_hash_sig_key_desc supported */
-#define T_DM_INTEGRITY_DISCARDS_SUPPORTED (1 << 23) /* dm-integrity discards/TRIM option is supported */
-#define T_DM_INTEGRITY_RESIZE_SUPPORTED (1 << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/
-#define T_DM_VERITY_PANIC_CORRUPTION_SUPPORTED (1 << 24) /* dm-verity panic on corruption  */
-#define T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED (1 << 25) /* dm-crypt support for bypassing workqueues  */
-#define T_DM_INTEGRITY_FIX_HMAC_SUPPORTED (1 << 26) /* hmac covers also superblock */
-#define T_DM_INTEGRITY_RESET_RECALC_SUPPORTED (1 << 27) /* dm-integrity automatic recalculation supported */
-#define T_DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */
+#define T_DM_KEY_WIPE_SUPPORTED (UINT64_C(1) << 0)	/* key wipe message */
+#define T_DM_LMK_SUPPORTED      (UINT64_C(1) << 1)	/* lmk mode */
+#define T_DM_SECURE_SUPPORTED   (UINT64_C(1) << 2)	/* wipe (secure) buffer flag */
+#define T_DM_PLAIN64_SUPPORTED  (UINT64_C(1) << 3)	/* plain64 IV */
+#define T_DM_DISCARDS_SUPPORTED (UINT64_C(1) << 4)	/* discards/TRIM option is supported */
+#define T_DM_VERITY_SUPPORTED   (UINT64_C(1) << 5)	/* dm-verity target supported */
+#define T_DM_TCW_SUPPORTED      (UINT64_C(1) << 6)	/* tcw (TCRYPT CBC with whitening) */
+#define T_DM_SAME_CPU_CRYPT_SUPPORTED (UINT64_C(1) << 7) /* same_cpu_crypt */
+#define T_DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED (UINT64_C(1) << 8) /* submit_from_crypt_cpus */
+#define T_DM_VERITY_ON_CORRUPTION_SUPPORTED (UINT64_C(1) << 9) /* ignore/restart_on_corruption, ignore_zero_block */
+#define T_DM_VERITY_FEC_SUPPORTED (UINT64_C(1) << 10) /* Forward Error Correction (FEC) */
+#define T_DM_KERNEL_KEYRING_SUPPORTED (UINT64_C(1) << 11) /* dm-crypt allows loading kernel keyring keys */
+#define T_DM_INTEGRITY_SUPPORTED (UINT64_C(1) << 12) /* dm-integrity target supported */
+#define T_DM_SECTOR_SIZE_SUPPORTED (UINT64_C(1) << 13) /* support for sector size setting in dm-crypt/dm-integrity */
+#define T_DM_CAPI_STRING_SUPPORTED (UINT64_C(1) << 14) /* support for cryptoapi format cipher definition */
+#define T_DM_DEFERRED_SUPPORTED (UINT64_C(1) << 15) /* deferred removal of device */
+#define T_DM_INTEGRITY_RECALC_SUPPORTED (UINT64_C(1) << 16) /* dm-integrity automatic recalculation supported */
+#define T_DM_INTEGRITY_BITMAP_SUPPORTED (UINT64_C(1) << 17) /* dm-integrity bitmap mode supported */
+#define T_DM_GET_TARGET_VERSION_SUPPORTED (UINT64_C(1) << 18) /* dm DM_GET_TARGET version ioctl supported */
+#define T_DM_INTEGRITY_FIX_PADDING_SUPPORTED (UINT64_C(1) << 19) /* supports the parameter fix_padding that fixes a bug that caused excessive padding */
+#define T_DM_BITLK_EBOIV_SUPPORTED (UINT64_C(1) << 20) /* EBOIV for BITLK supported */
+#define T_DM_BITLK_ELEPHANT_SUPPORTED (UINT64_C(1) << 21) /* Elephant diffuser for BITLK supported */
+#define T_DM_VERITY_SIGNATURE_SUPPORTED (UINT64_C(1) << 22) /* Verity option root_hash_sig_key_desc supported */
+#define T_DM_INTEGRITY_DISCARDS_SUPPORTED (UINT64_C(1) << 23) /* dm-integrity discards/TRIM option is supported */
+#define T_DM_INTEGRITY_RESIZE_SUPPORTED (UINT64_C(1) << 23) /* dm-integrity resize of the integrity device supported (introduced in the same version as discards)*/
+#define T_DM_VERITY_PANIC_CORRUPTION_SUPPORTED (UINT64_C(1) << 24) /* dm-verity panic on corruption  */
+#define T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED (UINT64_C(1) << 25) /* dm-crypt support for bypassing workqueues  */
+#define T_DM_INTEGRITY_FIX_HMAC_SUPPORTED (UINT64_C(1) << 26) /* hmac covers also superblock */
+#define T_DM_INTEGRITY_RESET_RECALC_SUPPORTED (UINT64_C(1) << 27) /* dm-integrity automatic recalculation supported */
+#define T_DM_VERITY_TASKLETS_SUPPORTED (UINT64_C(1) << 28) /* dm-verity tasklets supported */
+#define T_DM_CRYPT_HIGH_PRIORITY_SUPPORTED (UINT64_C(1) << 29) /* dm-crypt high priority workqueue flag supported  */
+#define T_DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED (UINT64_C(1) << 30) /* dm-crypt support for integrity_key_size option */
+#define T_DM_VERITY_ERROR_AS_CORRUPTION_SUPPORTED (UINT64_C(1) << 31) /* dm-verity restart/panic on corruption supported */
+#define T_DM_INTEGRITY_INLINE_MODE_SUPPORTED (UINT64_C(1) << 32) /* dm-integrity inline mode supported */
 
 /* loop helpers */
 int loop_device(const char *loop);
diff --git a/tests/bitlk-compat-test b/tests/bitlk-compat-test
index aa4a71f..346e196 100755
--- a/tests/bitlk-compat-test
+++ b/tests/bitlk-compat-test
@@ -17,13 +17,13 @@ fi
 
 [ -z "$srcdir" ] && srcdir="."
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
 	rm -rf $TST_DIR
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo " [FAILED]"
@@ -33,7 +33,10 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "Test skipped."
@@ -41,23 +44,33 @@ function skip()
 	exit 77
 }
 
-function load_vars()
+load_vars()
 {
+	if echo "$1" | grep -q -e "two-recovery"; then
+		# 2 extra variables for image with 2 recovery passphrases
+		num_vars=10
+	elif echo "$1" | grep -q -e "clearkey"; then
+		# 1 extra variable for image with clearkey
+		num_vars=9
+	else
+		num_vars=8
+	fi
+
 	local file=$(echo $1 | sed -e s/^$TST_DIR\\/// | sed -e s/\.img$//)
-	source <(grep = <(grep -A8 "\[$file\]" $TST_DIR/images.conf))
+	eval $(grep -A$num_vars -Fx "[$file]" $TST_DIR/images.conf | grep =)
 }
 
-function check_dump()
+check_dump()
 {
 	dump=$1
 	file=$2
 
 	# load variables for this image from config file
-	load_vars $file
+	load_vars $file $num_vars
 
 	# volume size
 	dump_size=$(echo "$dump" | grep "Volume size:" | cut -d: -f2 | tr -d "\t\n ")
-	[ "$dump_size" = "104857600[bytes]" -o "$dump_size" = "134217728[bytes]"  ] || fail " volume size check from dump failed."
+	[ "$dump_size" = "104857600[bytes]" -o "$dump_size" = "134217728[bytes]" -o "$dump_size" = "105906176[bytes]" ] || fail " volume size check from dump failed."
 
 	# description
 	dump_desc=$(echo "$dump" | grep Description: | cut -d: -f2 | tr -d "\t\n ")
@@ -81,6 +94,15 @@ function check_dump()
 		# startup key protected VMK GUID
 		dump_sk_vmk=$(echo "$dump" | grep "VMK protected with startup key" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
 		[ ! -z "$SK_VMK_GUID" -a "$dump_sk_vmk" = "$SK_VMK_GUID" ] || fail " startup key protected VMK GUID check from dump failed."
+	elif echo "$file" | grep -q -e "two-recovery"; then
+		# second recovery passphrase protected VMK GUID
+		dump_rp2_vmk=$(echo "$dump" | grep "VMK protected with recovery passphrase" -B 1 | tail -2 | head -1 | cut -d: -f2 | tr -d "\t ")
+		[ ! -z "$RP2_VMK_GUID" -a "$dump_rp2_vmk" = "$RP2_VMK_GUID" ] || fail " second recovery passphrase protected VMK GUID check from dump failed."
+	elif echo "$file" | grep -q -e "clearkey"; then
+		# clearkey protected VMK GUID
+		dump_clearkey_guid=$(echo "$dump" | grep "VMK protected with clear key" -B 1 | tail -2 | head -1 | cut -d: -f2 | tr -d "\t ")
+		[ ! -z "$CLEARKEY_VMK_GUID" -a "$dump_clearkey_guid" = "$CLEARKEY_VMK_GUID" ] || fail " clear key protected VMK GUID check from dump failed."
+		return
 	else
 		# password protected VMK GUID
 		dump_pw_vmk=$(echo "$dump" | grep "VMK protected with passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
@@ -93,7 +115,7 @@ function check_dump()
 
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -103,7 +125,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
@@ -143,7 +165,7 @@ for file in $(ls $TST_DIR/bitlk-*) ; do
 		ret=$?
 		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue
 		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc-elephant" ) && echo " [N/A]" && continue
-		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "clearkey" ) && echo " [N/A]" && continue
+		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "partially-encrypted" ) && echo " [N/A]" && continue
 		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "eow" ) && echo " [N/A]" && continue
 		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "-4k.img" ) && echo " [N/A]" && continue
 		[ $ret -eq 0 ] || fail " failed to open $file ($ret)"
@@ -170,7 +192,7 @@ for file in $(ls $TST_DIR/bitlk-*) ; do
 	ret=$?
 	[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue
 	[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc-elephant" ) && echo " [N/A]" && continue
-	[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "clearkey" ) && echo " [N/A]" && continue
+	[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "partially-encrypted" ) && echo " [N/A]" && continue
 	[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "eow" ) && echo " [N/A]" && continue
 	[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "-4k.img" ) && echo " [N/A]" && continue
 	[ $ret -eq 0 ] || fail " failed to open $file using volume key ($ret)"
@@ -204,6 +226,45 @@ for file in $(ls $TST_DIR/bitlk-*) ; do
 		echo " [OK]"
 
 	fi
+
+	# second recovery key
+	if echo "$file" | grep -q -e "two-recovery"; then
+		echo -n " $file"
+		echo $RP2 | $CRYPTSETUP bitlkOpen -r $file --test-passphrase >/dev/null 2>&1
+		ret=$?
+		[ $ret -eq 1 ] && echo " [N/A]" && continue
+		echo $RP2 | $CRYPTSETUP bitlkOpen -r $file $MAP >/dev/null 2>&1
+		ret=$?
+		[ $ret -eq 0 ] || fail " failed to open $file ($ret)"
+		$CRYPTSETUP status $MAP >/dev/null || fail
+		$CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
+		uuid=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
+		sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1)
+		$CRYPTSETUP remove $MAP || fail
+		[ "$uuid" = "$UUID" ] || fail " UUID check failed."
+		[ "$sha256sum" = "$SHA256SUM" ] || fail " SHA256 sum check failed."
+		echo " [OK]"
+	fi
+
+	# clear key
+	if echo "$file" | grep -q -e "clearkey"; then
+		echo -n " $file"
+		echo $CRYPTSETUP bitlkOpen -r $file --test-passphrase >/dev/null 2>&1
+		ret=$?
+		[ $ret -eq 1 ] && echo " [N/A]" && continue
+		$CRYPTSETUP bitlkOpen -r $file $MAP >/dev/null 2>&1
+		ret=$?
+		[ $ret -eq 0 ] || fail " failed to open $file ($ret)"
+		$CRYPTSETUP status $MAP >/dev/null || fail
+		$CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
+		uuid=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
+		sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1)
+		$CRYPTSETUP remove $MAP || fail
+		[ "$uuid" = "$UUID" ] || fail " UUID check failed."
+		[ "$sha256sum" = "$SHA256SUM" ] || fail " SHA256 sum check failed."
+		echo " [OK]"
+	fi
+
 done
 
 remove_mapping
diff --git a/tests/bitlk-images.tar.xz b/tests/bitlk-images.tar.xz
index 845e9de..b0f4359 100644
Binary files a/tests/bitlk-images.tar.xz and b/tests/bitlk-images.tar.xz differ
diff --git a/tests/blockwise-compat-test b/tests/blockwise-compat-test
index 0672ca2..9ea10e0 100755
--- a/tests/blockwise-compat-test
+++ b/tests/blockwise-compat-test
@@ -40,6 +40,9 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 fail_count()
 {
 	echo "$MSG[FAIL]"
@@ -236,7 +239,7 @@ run_all() {
 	RUN "P" $1 read_lseek_blockwise $((2*BSIZE)) $BSIZE $((BSIZE+1))
 	RUN "P" $1 read_lseek_blockwise $((3*BSIZE-2)) $BSIZE $((BSIZE+1))
 
-	# hiting exactly the sector boundary
+	# hitting exactly the sector boundary
 	RUN "P" $1 read_lseek_blockwise $((BSIZE-1)) $BSIZE 1
 	RUN "P" $1 read_lseek_blockwise $((BSIZE-1)) $BSIZE $((BSIZE+1))
 	RUN "P" $1 read_lseek_blockwise $((BSIZE+1)) $BSIZE $((BSIZE-1))
@@ -290,7 +293,7 @@ run_all() {
 	RUN "P" $1 write_lseek_blockwise $((2*BSIZE)) $BSIZE $((BSIZE+1))
 	RUN "P" $1 write_lseek_blockwise $((3*BSIZE-2)) $BSIZE $((BSIZE+1))
 
-	# hiting exactly the sector boundary
+	# hitting exactly the sector boundary
 	RUN "P" $1 write_lseek_blockwise $((BSIZE-1)) $BSIZE 1
 	RUN "P" $1 write_lseek_blockwise $((BSIZE-1)) $BSIZE $((BSIZE+1))
 	RUN "P" $1 write_lseek_blockwise $((BSIZE+1)) $BSIZE $((BSIZE-1))
diff --git a/tests/compat-args-test b/tests/compat-args-test
index 788cc7c..f29afac 100755
--- a/tests/compat-args-test
+++ b/tests/compat-args-test
@@ -15,12 +15,12 @@ TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 TFILE=test-args.out
 
-function cleanup()
+cleanup()
 {
 	rm -f $TFILE 2> /dev/null
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "FAILED backtrace:"
@@ -29,7 +29,10 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "Test skipped."
@@ -37,7 +40,7 @@ function skip()
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -47,12 +50,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function xxx()
+xxx()
 {
 	$CRYPTSETUP --test-args $@ > $TFILE 2>&1
 	local ret=$?
@@ -65,13 +68,13 @@ function xxx()
 	test $ret -ne 0 || fail
 }
 
-function exp_fail()
+exp_fail()
 {
 	# xxx $@
 	$CRYPTSETUP --test-args $@ 2>/dev/null && fail
 }
 
-function exp_pass()
+exp_pass()
 {
 	$CRYPTSETUP --test-args $@ >/dev/null || fail
 }
@@ -282,7 +285,6 @@ exp_fail reencrypt DEV --reduce-device-size 2G # max 1g
 exp_fail reencrypt DEV --reduce-device-size $((64*1024*1024+1))
 exp_fail reencrypt DEV --reduce-device-size -64m
 exp_pass reencrypt DEV --reduce-device-size 64m
-exp_fail reencrypt DEV --reduce-device-size 64m --device-size 100g
 # bugs
 # exp_fail open DEV --decrypt --header H
 # exp_fail open DEV --encrypt
diff --git a/tests/compat-test b/tests/compat-test
index 909b0a5..1a956b5 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -52,7 +52,7 @@ TEST_UUID="12345678-1234-1234-1234-123456789abc"
 LOOPDEV=$(losetup -f 2>/dev/null)
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove --retry $DEV_NAME3 >/dev/null 2>&1
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 >/dev/null 2>&1
@@ -63,13 +63,13 @@ function remove_mapping()
 	scsi_debug_teardown $DEV
 }
 
-function force_uevent()
+force_uevent()
 {
 	DNAME=$(echo $LOOPDEV | cut -f3 -d /)
 	echo "change" >/sys/block/$DNAME/uevent
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
@@ -78,18 +78,21 @@ function fail()
 	exit 2
 }
 
-function fips_mode()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
 
-function can_fail_fips()
+can_fail_fips()
 {
 	# Ignore this fail if running in FIPS mode
 	fips_mode || fail $1
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
@@ -97,7 +100,7 @@ function skip()
 	exit 77
 }
 
-function prepare()
+prepare()
 {
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1
 
@@ -153,14 +156,14 @@ function prepare()
 	[ -n "$1" ] && echo "CASE: $1"
 }
 
-function check()
+check()
 {
 	sync
 	[ -z "$1" ] && return
 	$DIFFER $ORIG_IMG $IMG $1 || fail
 }
 
-function check_exists()
+check_exists()
 {
 	[ -b /dev/mapper/$DEV_NAME ] || fail
 	check $1
@@ -181,7 +184,7 @@ scsi_debug_teardown() {
 	test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
 }
 
-function add_scsi_device() {
+add_scsi_device() {
 	scsi_debug_teardown $DEV
 	if [ -d /sys/module/scsi_debug ] ; then
 		echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
@@ -198,7 +201,7 @@ function add_scsi_device() {
 	[ -b $DEV ] || fail "Cannot find $DEV."
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	[ -n "$VALG" ] || return
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
@@ -211,13 +214,13 @@ function valgrind_setup()
 	CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}"
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
 	$CRYPTSETUP_RAW "$@"
 }
 
-function expect_run()
+expect_run()
 {
 	export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
 	expect "$@"
@@ -236,7 +239,9 @@ fi
 
 prepare "Image in file tests (root capabilities not required)" file
 echo "[1] format"
-echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
+echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 -c 'capi:xts(aes)-plain64' $IMG $FAST_PBKDF_OPT || fail
+echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $IMG $FAST_PBKDF_OPT --disable-blkid || fail
 echo "[2] open"
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
@@ -250,7 +255,7 @@ echo $PWD1 | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
 echo -e "$PWD0\n$PWD1" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
 echo "[4] change key"
-echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail
+echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey --force-password $FAST_PBKDF_OPT $IMG || fail
 echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG 2>/dev/null && fail
 [ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
 echo "[5] remove key"
@@ -555,23 +560,23 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
 prepare "[19] create & status & resize" wipe
 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx --cipher aes-cbc-essiv:sha256 --key-size 256 2>/dev/null && fail
 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV $PLAIN_OPT --offset 3 --skip 4 --readonly || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "offset:" | grep -q "3 \[512-byte units\]" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "skipped:" | grep -q "4 \[512-byte units\]" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "mode:" | grep -q "readonly" || fail
 $CRYPTSETUP -q resize  $DEV_NAME --size 100 || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP -q resize  $DEV_NAME || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "19997 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "19997 \[512-byte units\]" || fail
 $CRYPTSETUP -q resize  $DEV_NAME --device-size 1M || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 $CRYPTSETUP -q resize  $DEV_NAME --device-size 512k --size 1023 >/dev/null 2>&1 && fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 $CRYPTSETUP -q resize  $DEV_NAME --device-size 513 >/dev/null 2>&1 && fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 # Resize underlying loop device as well
 truncate -s 16M $IMG || fail
 $CRYPTSETUP -q resize  $DEV_NAME || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "32765 \[512-byte units\]" || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 $CRYPTSETUP -q status  $DEV_NAME >/dev/null && fail
 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $PLAIN_OPT $LOOPDEV || fail
@@ -579,18 +584,18 @@ $CRYPTSETUP -q remove  $DEV_NAME || fail
 echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME $PLAIN_OPT $LOOPDEV || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME $PLAIN_OPT --size 100 $LOOPDEV || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail
 # 4k sector resize (if kernel supports it)
 echo $PWD1 | $CRYPTSETUP -q open --type plain $PLAIN_OPT $LOOPDEV $DEV_NAME --sector-size 4096 --size 8  >/dev/null 2>&1
 if [ $? -eq 0 ] ; then
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "8 \[512-byte units\]" || fail
 	$CRYPTSETUP -q resize  $DEV_NAME --size 16 || fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 \[512-byte units\]" || fail
 	$CRYPTSETUP -q resize  $DEV_NAME --size 9 2>/dev/null && fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 \[512-byte units\]" || fail
 	$CRYPTSETUP -q resize  $DEV_NAME --device-size 4608 2>/dev/null && fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 \[512-byte units\]" || fail
 	$CRYPTSETUP -q remove  $DEV_NAME || fail
 fi
 # Resize not aligned to logical block size
@@ -798,7 +803,7 @@ echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --head
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 8192 || fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 0 || fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --align-payload 8192 --offset 8192 >/dev/null 2>&1 && fail
-truncate -s 4096 $HEADER_IMG
+truncate -s 4096 $HEADER_IMG || fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG -S7 >/dev/null 2>&1 || fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 80000 >/dev/null 2>&1 || fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --header $HEADER_IMG --offset 8192 || fail
@@ -806,9 +811,9 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV --h
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
 $CRYPTSETUP -q resize  $DEV_NAME --size 100 --header $HEADER_IMG || fail
-$CRYPTSETUP -q status  $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "type:" | grep -q "n/a" || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
 $CRYPTSETUP luksSuspend $DEV_NAME || fail
@@ -868,6 +873,9 @@ else
 	$CRYPTSETUP close $DEV_NAME2 >/dev/null 2>&1
 	$CRYPTSETUP close $DEV_NAME >/dev/null 2>&1
 fi
+# Deferred remove of device without DM-UUID
+dmsetup create $DEV_NAME --table "0 8 crypt aes-xts-plain64 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 $LOOPDEV 0" || fail
+$CRYPTSETUP close --deferred $DEV_NAME || fail
 
 # Interactive tests
 # Do not remove sleep 0.1 below, the password query flushes TTY buffer (so the code is racy).
@@ -938,7 +946,7 @@ prepare "[35] Interactive format of device." wipe
 expect_run - >/dev/null <<EOF
 proc abort {} { send_error "Timeout. "; exit 2 }
 set timeout $EXPECT_TIMEOUT
-eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
+eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 --force-password $FAST_PBKDF_OPT -v $LOOPDEV
 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
@@ -968,7 +976,7 @@ expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Command successful."
 expect timeout abort eof
-eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
+eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 --force-password $FAST_PBKDF_OPT -v $LOOPDEV
 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
@@ -1102,7 +1110,7 @@ echo -n "$LONG_PWD" >$KEYE
 expect_run - >/dev/null <<EOF
 proc abort {} { send_error "Timeout. "; exit 2 }
 set timeout $EXPECT_TIMEOUT
-eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
+eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 --force-password $FAST_PBKDF_OPT -v $LOOPDEV
 expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
@@ -1148,5 +1156,14 @@ echo $PWD3 | $CRYPTSETUP open -q --test-passphrase -S5 $IMG || fail
 $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S6 --volume-key-file $VK_FILE --new-keyfile $KEY5 $IMG || fail
 $CRYPTSETUP open --test-passphrase -q -S6 -d $KEY5 $IMG || fail
 
+prepare "[40] Early check for active name." wipe
+DM_BAD_NAME=x/x
+DM_LONG_NAME=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+echo $PWD1 | $CRYPTSETUP open --type plain $LOOPDEV $DM_BAD_NAME --hash sha256 --cipher aes-cbc-essiv:sha256 --key-size 256 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP open --type plain $LOOPDEV $DM_LONG_NAME --hash sha256 --cipher aes-cbc-essiv:sha256 --key-size 256 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DM_BAD_NAME 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DM_LONG_NAME 2>/dev/null && fail
+
 remove_mapping
 exit 0
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
index 8ba164a..2422cc7 100755
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
@@ -44,7 +44,7 @@ TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
@@ -58,7 +58,7 @@ function remove_mapping()
 	unset TEST_KEYRING
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
@@ -68,36 +68,39 @@ function fail()
 	exit 2
 }
 
-function fips_mode()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
 
-function can_fail_fips()
+can_fail_fips()
 {
 	# Ignore this fail if running in FIPS mode
 	fips_mode || fail $1
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function reset_device_psid()
+reset_device_psid()
 {
 	$CRYPTSETUP_RAW luksErase --hw-opal-factory-reset --key-file $OPAL2_PSID_FILE $OPAL2_DEV -q || \
 	fail "PSID reset fail, wrong device used?"
 }
 
-function reset_device_psid_nofail()
+reset_device_psid_nofail()
 {
 	$CRYPTSETUP_RAW luksErase --hw-opal-factory-reset --key-file $OPAL2_PSID_FILE $OPAL2_DEV -q 2>/dev/null
 }
 
-function prepare()
+prepare()
 {
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
 
@@ -146,12 +149,12 @@ function prepare()
 	[ -n "$1" ] && echo "CASE: $1"
 }
 
-function check_exists()
+check_exists()
 {
 	[ -b /dev/mapper/$DEV_NAME ] || fail
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -161,12 +164,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function dm_crypt_keyring_support()
+dm_crypt_keyring_support()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -183,7 +186,7 @@ function dm_crypt_keyring_support()
 	return 1
 }
 
-function dm_crypt_keyring_new_kernel()
+dm_crypt_keyring_new_kernel()
 {
 	KER_STR=$(uname -r)
 	[ -z "$KER_STR" ] && fail "Failed to parse kernel version."
@@ -195,7 +198,7 @@ function dm_crypt_keyring_new_kernel()
 	return 1
 }
 
-function test_and_prepare_keyring() {
+test_and_prepare_keyring() {
 	command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped"
 	keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
 	TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
@@ -208,12 +211,12 @@ function test_and_prepare_keyring() {
 # $2 description
 # $3 payload
 # $4 keyring
-function load_key()
+load_key()
 {
 	keyctl add $@ >/dev/null
 }
 
-function setup_luks2_env() {
+setup_luks2_env() {
 	echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $OPAL2_DEV || fail
 	$CRYPTSETUP luksDump $OPAL2_DEV >/dev/null || fail
 	echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME || fail
@@ -310,7 +313,7 @@ test_vk_link_and_reactivate() {
 	keyctl unlink $KEYCTL_KEY_NAME "$2" || fail
 }
 
-function test_reencryption_does_not_init()
+test_reencryption_does_not_init()
 {
 	local _hdr=""
 	local _hdrdev=$NO_HEADER_IMG
@@ -382,7 +385,7 @@ function test_reencryption_does_not_init()
 	$CRYPTSETUP close $DEV_NAME || fail
 }
 
-function test_device() #opal_mode, #format_params, #--integrity-no-wipe
+test_device() #opal_mode, #format_params, #--integrity-no-wipe
 {
 	echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat --type luks2 $1 $2 $3 -q $FAST_PBKDF_OPT $OPAL2_DEV || fail
 	echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME || fail
@@ -391,12 +394,14 @@ function test_device() #opal_mode, #format_params, #--integrity-no-wipe
 	dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail
 	echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
 	dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 || fail
+	$CRYPTSETUP close --cancel-deferred $DEV_NAME 2>/dev/null && fail
+	$CRYPTSETUP close --deferred $DEV_NAME 2>/dev/null && fail
 	$CRYPTSETUP close $DEV_NAME || fail
 	dd if=$OPAL2_DEV of=/dev/zero bs=1M skip=16 count=1 iflag=direct >/dev/null 2>&1 && fail
 	echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail
 }
 
-function test_device_detached_header() #hdr, #opal_mode, #format_params, #--integrity-no-wipe
+test_device_detached_header() #hdr, #opal_mode, #format_params, #--integrity-no-wipe
 {
 	echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat --type luks2 --header $1 $2 $3 $4 -q $FAST_PBKDF_OPT $OPAL2_DEV || fail
 	echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --header $1 || fail
@@ -406,9 +411,13 @@ function test_device_detached_header() #hdr, #opal_mode, #format_params, #--inte
 	echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
 	echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $1 || fail
 	dd if=/dev/mapper/$DEV_NAME of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 || fail
+	$CRYPTSETUP close --cancel-deferred $DEV_NAME 2>/dev/null && fail
+	$CRYPTSETUP close --deferred $DEV_NAME 2>/dev/null && fail
 	$CRYPTSETUP close $DEV_NAME || fail
 	dd if=$OPAL2_DEV of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 && fail
 	echo $PWD1 | $CRYPTSETUP open $OPAL2_DEV $DEV_NAME --header $1 || fail
+	$CRYPTSETUP close $DEV_NAME --header $1 --cancel-deferred 2>/dev/null && fail
+	$CRYPTSETUP close $DEV_NAME --header $1 --deferred 2>/dev/null && fail
 	$CRYPTSETUP close $DEV_NAME --header $1 || fail
 	dd if=$OPAL2_DEV of=/dev/zero bs=1M count=1 iflag=direct >/dev/null 2>&1 && fail
 	echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q --header $1 || fail
@@ -416,7 +425,7 @@ function test_device_detached_header() #hdr, #opal_mode, #format_params, #--inte
 	rm -f $1
 }
 
-function run_token_tests() {
+run_token_tests() {
 	$CRYPTSETUP token add $OPAL2_DEV --key-description $TEST_TOKEN0 --token-id 3 || fail
 	$CRYPTSETUP luksDump $OPAL2_DEV | grep -q -e "3: luks2-keyring" || fail
 	# keyslot 5 is inactive
@@ -498,8 +507,7 @@ echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --typ
 
 prepare "[3] format" wipe
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 --hw-opal $OPAL2_DEV || fail
-# FIXME: BUG (--hw-opal-only should reject --cipher, --key-size & co)
-#echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q $FAST_PBKDF_OPT --hw-opal-only -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 $OPAL2_DEV 2> /dev/null && fail
+
 prepare "[4] format using hash sha512" wipe
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP $FAST_PBKDF_OPT -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksFormat --type luks2 --hw-opal $OPAL2_DEV || fail
 $CRYPTSETUP -q luksDump  $OPAL2_DEV | grep "0: pbkdf2" -A2 | grep "Hash:" | grep -qe sha512 || fail
@@ -600,7 +608,7 @@ fi
 
 # format hw-opal-only
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --type luks2 --hw-opal-only $OPAL2_DEV || fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom -s 512 --uuid $TEST_UUID --type luks2 --hw-opal-only $OPAL2_DEV || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --volume-key-file /dev/urandom --uuid $TEST_UUID --type luks2 --hw-opal-only $OPAL2_DEV || fail
 $CRYPTSETUP luksOpen -d $KEY_PWD1 $OPAL2_DEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 # open by UUID
@@ -939,7 +947,7 @@ prepare "[26] LUKS convert" wipe
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 -s256 --hw-opal $OPAL2_DEV || fail
 $CRYPTSETUP -q convert --type luks1 $OPAL2_DEV >/dev/null 2>&1 && fail
 $CRYPTSETUP isLuks --type luks2 $OPAL2_DEV || fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 -s256 --hw-opal-only $OPAL2_DEV || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 --hw-opal-only $OPAL2_DEV || fail
 $CRYPTSETUP -q convert --type luks1 $OPAL2_DEV >/dev/null 2>&1 && fail
 $CRYPTSETUP isLuks --type luks2 $OPAL2_DEV || fail
 
@@ -1109,10 +1117,10 @@ $CRYPTSETUP luksDump $OPAL2_DEV | grep -q "3: luks2 (unbound)" && fail
 prepare "[34] LUKS2 metadata areas" wipe
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal $OPAL2_DEV 2> /dev/null || fail
 DEFAULT_OFFSET=$($CRYPTSETUP luksDump $OPAL2_DEV | grep "offset: " | cut -f 2 -d ' ')
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128M >/dev/null 2>&1 && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --luks2-metadata-size=128k --luks2-keyslots-size=129M >/dev/null 2>&1 && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
 echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail
@@ -1120,18 +1128,18 @@ echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "$((DEFAULT_OFFSET-2*131072)) \[bytes\]" || fail
 echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --luks2-keyslots-size=128k >/dev/null || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --luks2-keyslots-size=128k >/dev/null || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
 echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset 16384 || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --offset 16384 || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
 $CRYPTSETUP luksDump $OPAL2_DEV | grep "Keyslots area:" | grep -q "8355840 \[bytes\]" || fail
 echo $OPAL2_ADMIN_PIN | $CRYPTSETUP luksErase $OPAL2_DEV -q || fail
 # data offset vs area size
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset 64 --luks2-keyslots-size=8192 >/dev/null 2>&1 && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset $((256+56)) >/dev/null 2>&1 && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --key-size 256 --offset $((256+64)) >/dev/null || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --offset 64 --luks2-keyslots-size=8192 >/dev/null 2>&1 && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --offset $((256+56)) >/dev/null 2>&1 && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV --offset $((256+64)) >/dev/null || fail
 
 prepare "[35] Per-keyslot encryption parameters" wipe
 KEYSLOT_CIPHER="aes-cbc-plain64"
@@ -1308,7 +1316,7 @@ prepare "[39] LUKS2 reencryption/decryption blocked" wipe
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal $OPAL2_DEV || fail
 test_reencryption_does_not_init
 
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV || fail
 test_reencryption_does_not_init
 
 prepare "[40] LUKS2 reencryption/decryption blocked (detached header)" wipe
@@ -1316,7 +1324,7 @@ prepare "[40] LUKS2 reencryption/decryption blocked (detached header)" wipe
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --header $HEADER_IMG --type luks2 -s256 --hw-opal $OPAL2_DEV || fail
 test_reencryption_does_not_init $HEADER_IMG
 
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --header $HEADER_IMG --type luks2 -s256 --hw-opal-only $OPAL2_DEV || fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --header $HEADER_IMG --type luks2 --hw-opal-only $OPAL2_DEV || fail
 test_reencryption_does_not_init $HEADER_IMG
 
 prepare "[41] LUKS2 encryption blocked" wipe
@@ -1328,12 +1336,12 @@ $CRYPTSETUP isLuks $OPAL2_DEV && fail
 test -b $DEV_NAME && fail
 echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal $OPAL2_DEV 2>/dev/null && fail
 $CRYPTSETUP isLuks $OPAL2_DEV && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV 2>/dev/null && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV 2>/dev/null && fail
 $CRYPTSETUP isLuks $OPAL2_DEV && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV $DEV_NAME 2>/dev/null && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV $DEV_NAME 2>/dev/null && fail
 $CRYPTSETUP isLuks $OPAL2_DEV && fail
 test -b $DEV_NAME && fail
-echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 -s256 --hw-opal-only $OPAL2_DEV 2>/dev/null && fail
+echo -e "$PWD1\n$OPAL2_ADMIN_PIN" | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 32m $FAST_PBKDF_OPT --type luks2 --hw-opal-only $OPAL2_DEV 2>/dev/null && fail
 $CRYPTSETUP isLuks $OPAL2_DEV && fail
 fi
 
diff --git a/tests/compat-test2 b/tests/compat-test2
index d21fe04..77f075a 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -45,12 +45,20 @@ KEY_FILE1=test-key-file1
 
 FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 
+# 32 MiB + 1KiB to bypass minimal memory check (hardocoded)
+FAST_PBKDF_ARGON_OPT="--pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 32769 --pbkdf-parallel 1"
+
+# TODO: this is configurable
+LUKS2_LOCKING_DIR=/run/cryptsetup
+# hardcoded value
+MEMORY_HARD_LOCK_FILE=LN_memory-hard-access
+
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME3 ] && dmsetup remove --retry $DEV_NAME3
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
@@ -68,13 +76,13 @@ function remove_mapping()
 	scsi_debug_teardown $DEV
 }
 
-function force_uevent()
+force_uevent()
 {
 	DNAME=$(echo $LOOPDEV | cut -f3 -d /)
 	echo "change" >/sys/block/$DNAME/uevent
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
@@ -83,25 +91,28 @@ function fail()
 	exit 2
 }
 
-function fips_mode()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
 
-function can_fail_fips()
+can_fail_fips()
 {
 	# Ignore this fail if running in FIPS mode
 	fips_mode || fail $1
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function prepare()
+prepare()
 {
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
 
@@ -153,12 +164,12 @@ function prepare()
 	[ -n "$1" ] && echo "CASE: $1"
 }
 
-function check_exists()
+check_exists()
 {
 	[ -b /dev/mapper/$DEV_NAME ] || fail
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -168,12 +179,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function dm_crypt_capi_support()
+dm_crypt_capi_support()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -181,13 +192,14 @@ function dm_crypt_capi_support()
 	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
 	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
 
+	[ $VER_MAJ -gt 1 ] && return 0
 	if [ $VER_MIN -ge 16 ]; then
 		return 0
 	fi
 	return 1
 }
 
-function dm_crypt_keyring_support()
+dm_crypt_keyring_support()
 {
 	$CRYPTSETUP --version | grep -q KEYRING || return 1
 
@@ -206,7 +218,7 @@ function dm_crypt_keyring_support()
 	return 1
 }
 
-function dm_crypt_keyring_flawed()
+dm_crypt_keyring_flawed()
 {
 	dm_crypt_keyring_support && return 1;
 
@@ -215,7 +227,7 @@ function dm_crypt_keyring_flawed()
 	return 1
 }
 
-function dm_crypt_keyring_new_kernel()
+dm_crypt_keyring_new_kernel()
 {
 	KER_STR=$(uname -r)
 	[ -z "$KER_STR" ] && fail "Failed to parse kernel version."
@@ -227,7 +239,7 @@ function dm_crypt_keyring_new_kernel()
 	return 1
 }
 
-function dm_crypt_sector_size_support()
+dm_crypt_sector_size_support()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -236,6 +248,7 @@ function dm_crypt_sector_size_support()
 	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
 	VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
 
+	[ $VER_MAJ -gt 1 ] && return 0
 	if [ $VER_MIN -ge 17 -o \( $VER_MIN -eq 14 -a $VER_PTC -ge 5 \) ]; then
 		return 0
 	fi
@@ -243,7 +256,7 @@ function dm_crypt_sector_size_support()
 	return 1
 }
 
-function test_and_prepare_keyring() {
+test_and_prepare_keyring() {
 	command -v keyctl >/dev/null || skip "Cannot find keyctl, test skipped"
 	keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
 	TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
@@ -256,12 +269,13 @@ function test_and_prepare_keyring() {
 # $2 description
 # $3 payload
 # $4 keyring
-function load_key()
+load_key()
 {
+	[ -z "$4" ] && fail "Keyring not defined!"
 	keyctl add $@ >/dev/null
 }
 
-function setup_luks2_env() {
+setup_luks2_env() {
 	echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $LOOPDEV || fail
 	$CRYPTSETUP luksDump $LOOPDEV >/dev/null || fail
 	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail
@@ -294,7 +308,7 @@ scsi_debug_teardown() {
 	test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
 }
 
-function add_scsi_device() {
+add_scsi_device() {
 	scsi_debug_teardown $DEV
 	if [ -d /sys/module/scsi_debug ] ; then
 		echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
@@ -471,7 +485,7 @@ test_reencrypt_vk_link_and_reactivate() {
 	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-keyring "$KEY_DESC" --volume-key-keyring "$KEY_DESC2" > /dev/null 2>&1 && fail
 }
 
-function expect_run()
+expect_run()
 {
 	export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
 	expect "$@"
@@ -479,7 +493,7 @@ function expect_run()
 
 # expected unlocked keyslot id
 # command arguments
-function expect_unlocked_keyslot()
+expect_unlocked_keyslot()
 {
 	command -v expect >/dev/null || {
 		echo "WARNING: expect tool missing, interactive test will be skipped."
@@ -504,7 +518,7 @@ EOF
 # expected unlocked keyslot id
 # password
 # command arguments
-function expect_retried_unlocked_keyslot()
+expect_retried_unlocked_keyslot()
 {
 	command -v expect >/dev/null || {
 		echo "WARNING: expect tool missing, interactive test will be skipped."
@@ -552,7 +566,7 @@ echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --o
 $CRYPTSETUP -q luksDump  $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV -q --sector-size 1024 --offset 16384 >/dev/null || fail
 $CRYPTSETUP -q luksDump  $LOOPDEV | grep -q "offset: $((512 * 16384)) \[bytes\]" || fail
-truncate -s 4096 $HEADER_IMG
+truncate -s 4096 $HEADER_IMG || fail
 echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG -q --offset 80000 >/dev/null 2>&1 || fail
 
 prepare "[2] Sector size and old payload alignment" wipe
@@ -768,27 +782,31 @@ if dm_crypt_keyring_support; then
 		load_key user $TEST_KEY_DESC2 $PWD1 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
 		$CRYPTSETUP token add $LOOPDEV --key-description $TEST_KEY_DESC2 --token-id 1 || fail
 		$CRYPTSETUP -q resize --size 99 $DEV_NAME <&- || fail
-		$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "99 sectors" || fail
+		$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "99 \[512-byte units\]" || fail
 		#replace kernel key with wrong pass
 		load_key user $TEST_KEY_DESC2 $PWD2 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
 		# must fail due to --token-only
 		echo $PWD1 | $CRYPTSETUP -q resize --token-only --size 100 $DEV_NAME && fail
-		$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" && fail
+		$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" && fail
+		# resize with keyring description
+		load_key user $TEST_KEY_DESC1 $PWD1 "$TEST_KEYRING" || fail
+		$CRYPTSETUP -q resize --size 99 $DEV_NAME --key-description $TEST_KEY_DESC1 || fail
+		$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "99 \[512-byte units\]" || fail
 	fi
 fi
 echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 echo $PWD1 | $CRYPTSETUP -q resize --device-size 51200 $DEV_NAME || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 echo $PWD1 | $CRYPTSETUP -q resize --device-size 512k --size 1024 $DEV_NAME > /dev/null 2>&1 && fail
 echo $PWD1 | $CRYPTSETUP -q resize --device-size 4097 $DEV_NAME > /dev/null 2>&1 && fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 $CRYPTSETUP close $DEV_NAME || fail
 echo $PWD1 | $CRYPTSETUP luksOpen --disable-keyring $LOOPDEV $DEV_NAME || fail
 echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP close $DEV_NAME || fail
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 if dm_crypt_keyring_support; then
@@ -799,10 +817,10 @@ if dm_crypt_sector_size_support; then
 	echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 4096 $LOOPDEV > /dev/null || fail
 	echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 	echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 	echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
 	echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
 fi
 $CRYPTSETUP close $DEV_NAME || fail
 # Resize not aligned to logical block size
@@ -1007,9 +1025,9 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --h
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV-missing --header $HEADER_IMG $DEV_NAME 2>/dev/null && fail
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --header $HEADER_IMG $DEV_NAME || fail
 echo $PWD1 | $CRYPTSETUP -q resize  $DEV_NAME --size 100 --header $HEADER_IMG || fail
-$CRYPTSETUP -q status  $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME --header $HEADER_IMG | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP -q status  $DEV_NAME | grep "type:" | grep -q "n/a" || fail
-$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "100 \[512-byte units\]" || fail
 $CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
 echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
 $CRYPTSETUP luksSuspend $DEV_NAME || fail
@@ -1036,7 +1054,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
 	$CRYPTSETUP isLuks --disable-locks --type luks2 $HEADER_LUKS2_PV && fail
 	$CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV && fail
 fi
-$CRYPTSETUP -q repair $HEADER_LUKS2_PV || fail
+$CRYPTSETUP -q repair $HEADER_LUKS2_PV >/dev/null || fail
 $CRYPTSETUP isLuks $HEADER_LUKS2_PV || fail
 $CRYPTSETUP isLuks --type luks2 $HEADER_LUKS2_PV || fail
 $CRYPTSETUP isLuks --type luks1 $HEADER_LUKS2_PV && fail
@@ -1268,6 +1286,8 @@ $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "(no label)" || fail
 $CRYPTSETUP config $LOOPDEV --subsystem SatelliteThree --label TheLabel
 $CRYPTSETUP luksDump $LOOPDEV | grep "Subsystem:" | grep -q "SatelliteThree" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep "Label:" | grep -q "TheLabel" || fail
+$CRYPTSETUP config $LOOPDEV --label 0123456789abcdef0123456789abcdef0123456789abcdef 2>/dev/null && fail
+$CRYPTSETUP config $LOOPDEV --subsystem 0123456789abcdef0123456789abcdef0123456789abcdef 2>/dev/null && fail
 
 prepare "[36] LUKS PBKDF setting" wipe
 echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf bla $LOOPDEV >/dev/null 2>&1 && fail
@@ -1276,6 +1296,7 @@ echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2   --pbkdf-force-
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf pbkdf2   --pbkdf-force-iterations 1234 $LOOPDEV || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep "Iterations:" | grep -q "1234" || fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 3 $LOOPDEV 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-parallel 99 $LOOPDEV 2>/dev/null && fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2id --pbkdf-force-iterations 4 --pbkdf-memory 100000 $LOOPDEV || can_fail_fips
 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "argon2id" || can_fail_fips
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --pbkdf argon2i  --pbkdf-force-iterations 4 \
@@ -1373,7 +1394,7 @@ DEFAULT_OFFSET=$($CRYPTSETUP luksDump $LOOPDEV | grep "offset: " | cut -f 2 -d '
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k 2> /dev/null && fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
-echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128M >/dev/null 2>&1 && fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=129M >/dev/null 2>&1 && fail
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k --luks2-keyslots-size=128k >/dev/null || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
@@ -1649,11 +1670,51 @@ if [ $? -eq 0 ] ; then
 	$CRYPTSETUP close $DEV_NAME || fail
 fi
 
-prepare "[49] Interactive retry keyslot test" wipe
+if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
+	prepare "[49] Keyring description use" wipe
+	test_and_prepare_keyring
+	load_key user $TEST_KEY_DESC1 $PWD1 "$TEST_KEYRING" || fail
+	load_key user $TEST_KEY_DESC2 $PWD2 "$TEST_KEYRING" || fail
+	$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --disable-keyring --key-description $TEST_KEY_DESC1 2>/dev/null && fail
+	$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-description $TEST_KEY_DESC1 || fail
+	$CRYPTSETUP -q luksDump $LOOPDEV --dump-volume-key --key-description $TEST_KEY_DESC1 >/dev/null || fail
+	$CRYPTSETUP -q open $LOOPDEV $DEV_NAME --key-description $TEST_KEY_DESC1 || fail
+	$CRYPTSETUP luksSuspend $DEV_NAME || fail
+	$CRYPTSETUP luksResume $DEV_NAME --key-description $TEST_KEY_DESC1 || fail
+	$CRYPTSETUP -q close $DEV_NAME || fail
+	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --new-key-description $TEST_KEY_DESC2 $LOOPDEV --disable-keyring 2>/dev/null && fail
+	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --new-key-description $TEST_KEY_DESC2 $LOOPDEV --new-key-slot 1 || fail
+	$CRYPTSETUP -q open $LOOPDEV --test-passphrase --key-description $TEST_KEY_DESC2 || fail
+	$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
+	echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-description $TEST_KEY_DESC1 $LOOPDEV --new-key-slot 1 || fail
+	$CRYPTSETUP -q open $LOOPDEV --test-passphrase --key-description $TEST_KEY_DESC2 || fail
+	$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
+	$CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-description $TEST_KEY_DESC1 --new-key-description $TEST_KEY_DESC2 $LOOPDEV --new-key-slot 1 || fail
+	$CRYPTSETUP -q open $LOOPDEV --test-passphrase --key-description $TEST_KEY_DESC2 || fail
+	$CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail
+fi
+
+prepare "[50] Interactive retry keyslot test" wipe
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
 echo $PWD2 | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_OPT --unbound --key-size 256 $LOOPDEV || fail
 expect_retried_unlocked_keyslot 0 $PWD1 "open -v --test-passphrase --tries 2 $LOOPDEV" || fail
 expect_retried_unlocked_keyslot 1 $PWD2 "open -v --test-passphrase --tries 2 -S1 $LOOPDEV" || fail
 
+prepare "[51] Early check for active name." wipe
+DM_BAD_NAME=x/x
+DM_LONG_NAME=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+echo $PWD1 | $CRYPTSETUP luksFormat -q $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DM_BAD_NAME 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DM_LONG_NAME 2>/dev/null && fail
+
+if ! fips_mode -a -d $LUKS2_LOCKING_DIR; then
+	touch $LUKS2_LOCKING_DIR/$MEMORY_HARD_LOCK_FILE
+	prepare "[52] Test pbkdf serialization flag." wipe
+	echo $PWD1 | $CRYPTSETUP luksFormat -q $FAST_PBKDF_ARGON_OPT --type luks2 $LOOPDEV || fail
+	test -f $LUKS2_LOCKING_DIR/$MEMORY_HARD_LOCK_FILE || fail "The locking file disappeared unexpectedly"
+	echo $PWD1 | $CRYPTSETUP open --serialize-memory-hard-pbkdf --test-passphrase $LOOPDEV || fail
+	test -f $LUKS2_LOCKING_DIR/$MEMORY_HARD_LOCK_FILE && fail "The --serialize-memory-hard-pbkdf option did not remove the locking file (did not use the file)."
+fi
+
 remove_mapping
 exit 0
diff --git a/tests/crypto-check.c b/tests/crypto-check.c
new file mode 100644
index 0000000..43be252
--- /dev/null
+++ b/tests/crypto-check.c
@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+/*
+ * Test utility checking availability of crypto primitive in crypto backend.
+ *
+ * Copyright (C) 2024-2025 Milan Broz
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "crypto_backend/crypto_backend.h"
+
+static bool fips_mode(void)
+{
+	int fd;
+	char buf = 0;
+
+	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+	if (fd < 0)
+		return false;
+
+	if (read(fd, &buf, 1) != 1)
+		buf = '0';
+
+	close(fd);
+
+	return (buf == '1');
+}
+
+static int check_cipher(const char *alg, const char *mode, unsigned long key_bits)
+{
+	struct crypt_cipher *cipher;
+	char key[256];
+
+	if (key_bits % 8 || (key_bits / 8) > sizeof(key))
+		return EXIT_FAILURE;
+
+	/* Userspace crypto */
+	crypt_backend_rng(key, sizeof(key), CRYPT_RND_NORMAL, 0);
+	if (crypt_cipher_init(&cipher, alg, mode, key, key_bits / 8))
+		return EXIT_FAILURE;
+	crypt_cipher_destroy(cipher);
+
+	/* Kernel crypto */
+	if (crypt_cipher_check_kernel(alg, mode, NULL, key_bits / 8))
+		return EXIT_FAILURE;
+
+	return EXIT_SUCCESS;
+}
+
+static int check_hash(const char *hash)
+{
+	struct crypt_hash *h;
+
+	if (crypt_hash_size(hash) < 0)
+		return EXIT_FAILURE;
+
+	if (crypt_hash_init(&h, hash))
+		return EXIT_FAILURE;
+
+	crypt_hash_destroy(h);
+	return EXIT_SUCCESS;
+}
+
+static void __attribute__((noreturn)) exit_help(bool destroy_backend)
+{
+	printf("Use: crypto_check version | hash <alg> | cipher <alg> <mode> [key_bits]\n");
+	if (destroy_backend)
+		crypt_backend_destroy();
+	exit(EXIT_FAILURE);
+}
+
+int main(int argc, char *argv[])
+{
+	int r = EXIT_SUCCESS;
+
+	if (argc < 2)
+		exit_help(false);
+
+        if (crypt_backend_init(fips_mode())) {
+		printf("Crypto backend init error.");
+		return EXIT_FAILURE;
+	}
+
+	if (!strcmp(argv[1], "version")) {
+		printf("%s%s\n", crypt_backend_version(), fips_mode() ? " (FIPS mode)" : "" );
+	} else if (!strcmp(argv[1], "hash")) {
+		if (argc != 3)
+			exit_help(true);
+		r = check_hash(argv[2]);
+	} else if (!strcmp(argv[1], "cipher")) {
+		unsigned long ul = 256;
+		char *ptr;
+		if (argc < 4 || argc > 5)
+			exit_help(true);
+		if (argc == 5) {
+			ul = strtoul(argv[4], &ptr, 10);
+			if (*ptr)
+				exit_help(true);
+		}
+		r = check_cipher(argv[2], argv[3], ul);
+	}
+
+	crypt_backend_destroy();
+	return r;
+}
diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c
index 754653e..43ea688 100644
--- a/tests/crypto-vectors.c
+++ b/tests/crypto-vectors.c
@@ -2,7 +2,7 @@
 /*
  * cryptsetup crypto backend test vectors
  *
- * Copyright (C) 2018-2024 Milan Broz
+ * Copyright (C) 2018-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -18,6 +18,8 @@
 # define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 #endif
 
+static bool fips_active = false;
+
 static void printhex(const char *s, const char *buf, size_t len)
 {
 	size_t i;
@@ -731,11 +733,11 @@ struct cipher_iv_test_vector {
 	const char *iv_name;
 	uint64_t iv_offset;
 	unsigned int data_length;
-	const char in_sha256[32];
+	const char *in_sha256;
 	struct {
 		size_t sector_size;
 		bool large_iv;
-		const char out_sha256[32];
+		const char *out_sha256;
 	} out[7];
 };
 
@@ -1508,6 +1510,57 @@ static int memcmp_test(void)
 	return EXIT_SUCCESS;
 }
 
+#if ENABLE_AF_ALG
+struct capi_test_vector {
+	const char *name;
+	const char *mode;
+	const char *integrity;
+	size_t key_length;
+	bool fips;
+};
+
+static struct capi_test_vector capi_test_vectors[] = {
+	{ "aes", "xts", NULL, 64, true },
+	{ "aes", "xts-plain64", NULL, 32, true },
+	{ "aes", "xts-plain64", NULL, 64, true },
+	{ "aes", "xts-plain64", "none", 64, true },
+	{ "aes", "gcm-random", "aead", 16, true },
+	{ "aes", "gcm-random", "aead", 32, true },
+	{ "aes", "ccm-random", "aead", 19, false },
+	{ "aes", "ccm-random", "aead", 35, false },
+	{ "chacha20", "random", "poly1305", 32, false },
+	{ "aegis128", "random", "aead", 16, false },
+};
+#endif
+
+static int kernel_capi_check_test(void)
+{
+#if ENABLE_AF_ALG
+	unsigned int i;
+	int r;
+
+	for (i = 0; i < ARRAY_SIZE(capi_test_vectors); i++) {
+		printf("CAPI %s/%s/%s/%zu ", capi_test_vectors[i].name,
+			capi_test_vectors[i].mode,
+			capi_test_vectors[i].integrity ?: "NULL",
+			capi_test_vectors[i].key_length);
+
+		r = crypt_cipher_check_kernel(capi_test_vectors[i].name,
+			capi_test_vectors[i].mode,
+			capi_test_vectors[i].integrity,
+			capi_test_vectors[i].key_length);
+		if (!r)
+			printf("[OK]\n");
+		else if (r == -ENOENT || r == -ENOTSUP ||
+			(fips_active && !capi_test_vectors[i].fips))
+			printf("[N/A]\n");
+		else
+			return EXIT_FAILURE;
+	}
+#endif
+	return EXIT_SUCCESS;
+}
+
 static void __attribute__((noreturn)) exit_test(const char *msg, int r)
 {
 	if (msg)
@@ -1527,7 +1580,9 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 	}
 #endif
 
-	if (crypt_backend_init(fips_mode()))
+	fips_active = fips_mode();
+
+	if (crypt_backend_init(fips_active))
 		exit_test("Crypto backend init error.", EXIT_FAILURE);
 
 	printf("Test vectors using %s crypto backend.\n", crypt_backend_version());
@@ -1556,6 +1611,9 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 	if (utf8_16_test())
 		exit_test("UTF8/16 test failed.", EXIT_FAILURE);
 
+	if (kernel_capi_check_test())
+		exit_test("Kernel CAPI test failed.", EXIT_FAILURE);
+
 	if (default_alg_test()) {
 		if (fips_mode())
 			printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
diff --git a/tests/device-test b/tests/device-test
index 9aaf03c..c6e745d 100755
--- a/tests/device-test
+++ b/tests/device-test
@@ -37,6 +37,9 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	echo "TEST SKIPPED: $1"
@@ -44,7 +47,7 @@ skip()
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -54,7 +57,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
@@ -77,7 +80,7 @@ add_image()
 	dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
 }
 
-function dm_crypt_features()
+dm_crypt_features()
 {
 	modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
@@ -106,6 +109,9 @@ function dm_crypt_features()
 
 	[ $VER_MIN -lt 22 ] && return
 	DM_PERF_NO_WORKQUEUE=1
+
+	[ $VER_MIN -lt 26 ] && return
+	DM_PERF_HIGH_PRIORITY=1
 }
 
 format() # format
@@ -183,12 +189,18 @@ else
 	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
 	echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT $DEV $DEV_NAME2 2>/dev/null && fail
 	if [ -n "$DM_PERF_NO_WORKQUEUE" ]; then
-		echo -n "no_read_workqueue no_write_workqueue"
+		echo -n "no_read_workqueue no_write_workqueue "
 		echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT -q $DEV_NAME --perf-no_read_workqueue --perf-no_write_workqueue || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_read_workqueue || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_write_workqueue || fail
 		check_io
 	fi
+	if [ -n "$DM_PERF_HIGH_PRIORITY" ]; then
+		echo -n "high_priority "
+		echo -e "$PWD1" | $CRYPTSETUP refresh $PLAIN_OPT -q $DEV_NAME --perf-high_priority || fail
+		$CRYPTSETUP status $DEV_NAME | grep -q high_priority || fail
+		check_io
+	fi
 	$CRYPTSETUP close $DEV_NAME || fail
 	echo
 
@@ -215,11 +227,16 @@ else
 	$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt && fail
 	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME2 2>/dev/null && fail
 	if [ -n "$DM_PERF_NO_WORKQUEUE" ]; then
-		echo -n "no_read_workqueue no_write_workqueue"
+		echo -n "no_read_workqueue no_write_workqueue "
 		echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME  --perf-no_read_workqueue --perf-no_write_workqueue || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_read_workqueue || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_write_workqueue || fail
 	fi
+	if [ -n "$DM_PERF_HIGH_PRIORITY" ]; then
+		echo -n "high_priority "
+		echo -e "$PWD1" | $CRYPTSETUP refresh $DEV_NAME  --perf-high_priority || fail
+		$CRYPTSETUP status $DEV_NAME | grep -q high_priority || fail
+	fi
 	$CRYPTSETUP close $DEV_NAME || fail
 	echo
 
@@ -280,7 +297,7 @@ else
 		fi
 	fi
 	if [ -n "$DM_PERF_NO_WORKQUEUE" ]; then
-		echo -n "no_read_workqueue no_write_workqueue"
+		echo -n "no_read_workqueue no_write_workqueue "
 		echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --perf-no_read_workqueue --perf-no_write_workqueue --persistent || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_read_workqueue || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_write_workqueue || fail
@@ -289,6 +306,14 @@ else
 		$CRYPTSETUP status $DEV_NAME | grep -q no_read_workqueue || fail
 		$CRYPTSETUP status $DEV_NAME | grep -q no_write_workqueue || fail
 	fi
+	if [ -n "$DM_PERF_HIGH_PRIORITY" ]; then
+		echo -n "high_priority "
+		echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME --perf-high_priority --persistent || fail
+		$CRYPTSETUP status $DEV_NAME | grep -q high_priority || fail
+		$CRYPTSETUP close $DEV_NAME || fail
+		echo -e "$PWD1" | $CRYPTSETUP open $DEV $DEV_NAME || fail
+		$CRYPTSETUP status $DEV_NAME | grep -q high_priority || fail
+	fi
 	echo -e "$PWD1" | $CRYPTSETUP refresh $DEV $DEV_NAME2 2>/dev/null && fail
 	$CRYPTSETUP close $DEV_NAME || fail
 	echo
diff --git a/tests/differ.c b/tests/differ.c
index 5d19745..a713893 100644
--- a/tests/differ.c
+++ b/tests/differ.c
@@ -2,7 +2,7 @@
 /*
  * cryptsetup file differ check (rewritten Clemens' fileDiffer in Python)
  *
- * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <stdio.h>
diff --git a/tests/discards-test b/tests/discards-test
index 27e5a5b..59c5922 100755
--- a/tests/discards-test
+++ b/tests/discards-test
@@ -28,13 +28,16 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -44,7 +47,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
@@ -68,7 +71,7 @@ add_device() {
 	[ -b $DEV ] || fail "Cannot find $DEV."
 }
 
-function check_version()
+check_version()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f 2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
diff --git a/tests/fuzz/LUKS2.proto b/tests/fuzz/LUKS2.proto
index 7ec017f..3e4c564 100644
--- a/tests/fuzz/LUKS2.proto
+++ b/tests/fuzz/LUKS2.proto
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 syntax = "proto2";
diff --git a/tests/fuzz/LUKS2_plain_JSON.proto b/tests/fuzz/LUKS2_plain_JSON.proto
index dc2bced..d825f74 100644
--- a/tests/fuzz/LUKS2_plain_JSON.proto
+++ b/tests/fuzz/LUKS2_plain_JSON.proto
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 syntax = "proto2";
diff --git a/tests/fuzz/crypt2_load_fuzz.cc b/tests/fuzz/crypt2_load_fuzz.cc
index 4e53c42..db365b6 100644
--- a/tests/fuzz/crypt2_load_fuzz.cc
+++ b/tests/fuzz/crypt2_load_fuzz.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 extern "C" {
diff --git a/tests/fuzz/crypt2_load_proto_fuzz.cc b/tests/fuzz/crypt2_load_proto_fuzz.cc
index e076938..def3cf0 100644
--- a/tests/fuzz/crypt2_load_proto_fuzz.cc
+++ b/tests/fuzz/crypt2_load_proto_fuzz.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include "LUKS2.pb.h"
diff --git a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc
index deb15e3..c1f0f43 100644
--- a/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc
+++ b/tests/fuzz/crypt2_load_proto_plain_json_fuzz.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include "LUKS2_plain_JSON.pb.h"
diff --git a/tests/fuzz/oss-fuzz-build.sh b/tests/fuzz/oss-fuzz-build.sh
index e883edd..b3c6e04 100755
--- a/tests/fuzz/oss-fuzz-build.sh
+++ b/tests/fuzz/oss-fuzz-build.sh
@@ -1,19 +1,24 @@
 #!/usr/bin/env bash
 
-function in_oss_fuzz()
+in_oss_fuzz()
 {
     test -n "$FUZZING_ENGINE"
 }
 
-echo "Running cryptsetup OSS-Fuzz build script."
-env
-set -ex
-PWD=$(pwd)
+last_commit()
+{
+    echo "$(git -C "$1" log --format="%h %s" -n 1) ($1)"
+}
+
+echo "Running cryptsetup OSS-Fuzz build script for ${SANITIZER:-address} sanitizer."
+#env ; set -x
+set -e
+XPWD="$(pwd)"
 
 export LC_CTYPE=C.UTF-8
 
-export SRC=${SRC:-$PWD/build}
-export OUT="${OUT:-$PWD/out}"
+export SRC="${SRC:-$XPWD/build}"
+export OUT="${OUT:-$XPWD/out}"
 export DEPS_PATH=$SRC/static_lib_deps
 
 export PKG_CONFIG_PATH="$DEPS_PATH"/lib/pkgconfig
@@ -36,28 +41,49 @@ mkdir -p $OUT
 mkdir -p $DEPS_PATH
 cd $SRC
 
-LIBFUZZER_PATCH="$PWD/unpoison-mutated-buffers-from-libfuzzer.patch"
-in_oss_fuzz && LIBFUZZER_PATCH="$PWD/cryptsetup/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch"
+echo "Installing dependencies"
+LIBFUZZER_PATCH="$XPWD/unpoison-mutated-buffers-from-libfuzzer.patch"
+in_oss_fuzz && LIBFUZZER_PATCH="$XPWD/cryptsetup/tests/fuzz/unpoison-mutated-buffers-from-libfuzzer.patch"
 
 in_oss_fuzz && apt-get update && apt-get install -y \
     make autoconf automake autopoint libtool pkg-config \
     sharutils gettext expect keyutils ninja-build \
     bison flex
 
-[ ! -d zlib ]   && git clone --depth 1 https://github.com/madler/zlib.git
+echo "Cloning git repositories"
+# FIXME: temporary use branch master instead of develop
+[ ! -d zlib ] && git clone -q --depth 1 --branch master https://github.com/madler/zlib.git
+last_commit zlib
+
 # Upstream repo has disabled cloning https://git.tukaani.org/xz.git
-[ ! -d xz ]     && git clone --depth 1 https://github.com/tukaani-project/xz
-[ ! -d json-c ] && git clone --depth 1 https://github.com/json-c/json-c.git
-[ ! -d lvm2 ]   && git clone --depth 1 https://gitlab.com/lvmteam/lvm2
-[ ! -d popt ]   && git clone --depth 1 https://github.com/rpm-software-management/popt.git
+[ ! -d xz ] && git clone -q --depth 1 https://github.com/tukaani-project/xz
+last_commit xz
+
+[ ! -d json-c ] && git clone -q --depth 1 https://github.com/json-c/json-c.git
+last_commit json-c
+
+[ ! -d lvm2 ] && git clone -q --depth 1 https://gitlab.com/lvmteam/lvm2
+last_commit lvm2
+
+[ ! -d popt ] && git clone -q --depth 1 https://github.com/rpm-software-management/popt.git
+last_commit popt
+
 # FIXME: temporary fix until libprotobuf stops shuffling C++ requirements
 # [ ! -d libprotobuf-mutator ] && git clone --depth 1 https://github.com/google/libprotobuf-mutator.git \
-[ ! -d libprotobuf-mutator ] && git clone --depth 1 --branch v1.1 https://github.com/google/libprotobuf-mutator.git \
-                             && [ "$SANITIZER" == "memory" ] && ( cd libprotobuf-mutator; patch -p1 < $LIBFUZZER_PATCH )
-[ ! -d openssl ]    && git clone --depth 1 https://github.com/openssl/openssl
-[ ! -d util-linux ] && git clone --depth 1 https://github.com/util-linux/util-linux
-[ ! -d cryptsetup_fuzzing ] && git clone --depth 1 https://gitlab.com/cryptsetup/cryptsetup_fuzzing.git
+[ ! -d libprotobuf-mutator ] && git clone -q --depth 1 --branch v1.1 -c advice.detachedHead=false \
+    https://github.com/google/libprotobuf-mutator.git &&
+    [ "$SANITIZER" == "memory" ] && ( cd libprotobuf-mutator; patch -p1 < $LIBFUZZER_PATCH )
+last_commit libprotobuf-mutator
+
+[ ! -d openssl ] && git clone -q --depth 1 https://github.com/openssl/openssl
+last_commit openssl
+
+[ ! -d util-linux ] && git clone -q --depth 1 https://github.com/util-linux/util-linux
+last_commit util-linux
+
+[ ! -d cryptsetup_fuzzing ] && git clone -q --depth 1 https://gitlab.com/cryptsetup/cryptsetup_fuzzing.git
 
+echo "Building libraries from git"
 cd openssl
 ./Configure --prefix="$DEPS_PATH" --libdir=lib no-shared no-module no-asm
 make build_generated
@@ -128,6 +154,7 @@ cd external.protobuf;
 cp -Rf bin lib include "$DEPS_PATH";
 cd ../../..
 
+echo "Building cryptsetup fuzzers"
 if in_oss_fuzz; then
     mkdir -p cryptsetup/tests/fuzz/build
     ln -s ../../../../static_lib_deps cryptsetup/tests/fuzz/build/static_lib_deps
@@ -140,6 +167,7 @@ fi
 make clean
 make -j fuzz-targets
 
+echo "Installing fuzzers"
 for fuzzer in $ENABLED_FUZZERS; do
     cp tests/fuzz/$fuzzer $OUT
     cp $SRC/cryptsetup_fuzzing/${fuzzer}_seed_corpus.zip $OUT
@@ -150,4 +178,4 @@ for fuzzer in $ENABLED_FUZZERS; do
     fi
 done
 
-cd $PWD
+cd $XPWD
diff --git a/tests/fuzz/plain_json_proto_to_luks2.cc b/tests/fuzz/plain_json_proto_to_luks2.cc
index f3a52c7..04d33f8 100644
--- a/tests/fuzz/plain_json_proto_to_luks2.cc
+++ b/tests/fuzz/plain_json_proto_to_luks2.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 protobuf to image converter
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <iostream>
diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.cc b/tests/fuzz/plain_json_proto_to_luks2_converter.cc
index d130461..60d2e1d 100644
--- a/tests/fuzz/plain_json_proto_to_luks2_converter.cc
+++ b/tests/fuzz/plain_json_proto_to_luks2_converter.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include "plain_json_proto_to_luks2_converter.h"
diff --git a/tests/fuzz/plain_json_proto_to_luks2_converter.h b/tests/fuzz/plain_json_proto_to_luks2_converter.h
index bba0df8..74aced5 100644
--- a/tests/fuzz/plain_json_proto_to_luks2_converter.h
+++ b/tests/fuzz/plain_json_proto_to_luks2_converter.h
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef LUKS2_PROTO_CONVERTER_H_
diff --git a/tests/fuzz/proto_to_luks2.cc b/tests/fuzz/proto_to_luks2.cc
index d6af21f..bd5ff79 100644
--- a/tests/fuzz/proto_to_luks2.cc
+++ b/tests/fuzz/proto_to_luks2.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 protobuf to image converter
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <iostream>
diff --git a/tests/fuzz/proto_to_luks2_converter.cc b/tests/fuzz/proto_to_luks2_converter.cc
index 1ae32c6..17a2cb4 100644
--- a/tests/fuzz/proto_to_luks2_converter.cc
+++ b/tests/fuzz/proto_to_luks2_converter.cc
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include "proto_to_luks2_converter.h"
diff --git a/tests/fuzz/proto_to_luks2_converter.h b/tests/fuzz/proto_to_luks2_converter.h
index 56156ba..873a28a 100644
--- a/tests/fuzz/proto_to_luks2_converter.h
+++ b/tests/fuzz/proto_to_luks2_converter.h
@@ -2,8 +2,8 @@
 /*
  * cryptsetup LUKS2 custom mutator fuzz target
  *
- * Copyright (C) 2022-2024 Daniel Zatovic <daniel.zatovic@gmail.com>
- * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022-2025 Daniel Zatovic <daniel.zatovic@gmail.com>
+ * Copyright (C) 2022-2025 Red Hat, Inc. All rights reserved.
  */
 
 #ifndef LUKS2_PROTO_CONVERTER_H_
diff --git a/tests/fvault2-compat-test b/tests/fvault2-compat-test
index 047798a..418009c 100755
--- a/tests/fvault2-compat-test
+++ b/tests/fvault2-compat-test
@@ -14,7 +14,7 @@ fi
 
 [ -z "$srcdir" ] && srcdir="."
 
-function create_mapping()
+create_mapping()
 {
 	local image=$1
 	local passphrase=$2
@@ -22,13 +22,13 @@ function create_mapping()
 		"$image" "$MAP"
 }
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b "/dev/mapper/$MAP" ] && dmsetup remove --retry "$MAP"
 	rm -rf $TST_DIR
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo " [FAILED]"
@@ -38,7 +38,10 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "Test skipped."
@@ -46,17 +49,17 @@ function skip()
 	exit 77
 }
 
-function produce_dump()
+produce_dump()
 {
 	"$CRYPTSETUP" fvault2Dump "$1" || fail
 }
 
-function produce_dump_key()
+produce_dump_key()
 {
 	echo "$2" | "$CRYPTSETUP" fvault2Dump "$1" --dump-volume-key || fail
 }
 
-function check_dump()
+check_dump()
 {
 	local dump=$1
 	local key=$2
@@ -67,7 +70,7 @@ function check_dump()
 		"$key check failed: expected \"$exp_value\", got \"$value\""
 }
 
-function check_uuid()
+check_uuid()
 {
 	local exp_uuid=$1
 	local uuid=$(blkid -po value -s UUID "/dev/mapper/$MAP")
@@ -75,7 +78,7 @@ function check_uuid()
 		"UUID check failed: expected \"$exp_uuid\", got \"$uuid\""
 }
 
-function check_sha256()
+check_sha256()
 {
 	local exp_sum=$1
 	local sum=$(sha256sum /dev/mapper/$MAP | head -c 64)
@@ -83,7 +86,7 @@ function check_sha256()
 		"SHA256 sum check failed: expected \"$exp_sum\", got \"$sum\""
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -93,7 +96,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
diff --git a/tests/generate-symbols-list b/tests/generate-symbols-list
index 33a2e23..8e88af5 100755
--- a/tests/generate-symbols-list
+++ b/tests/generate-symbols-list
@@ -1,12 +1,12 @@
 #!/bin/bash
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 2
 }
 
-function generate() {
+generate() {
 	local ver=
 
 	while IFS= read -r line; do
diff --git a/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh b/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh
index a7d3147..b1f85a9 100755
--- a/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh
+++ b/tests/generators/generate-luks2-area-in-json-hdr-space-json0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# make area 7 access the luks2 header space
 	OFFS=$((2*LUKS2_HDR_SIZE*512-1))
@@ -28,7 +28,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-argon2-leftover-params.img.sh b/tests/generators/generate-luks2-argon2-leftover-params.img.sh
index f0b74d7..a0d920c 100755
--- a/tests/generators/generate-luks2-argon2-leftover-params.img.sh
+++ b/tests/generators/generate-luks2-argon2-leftover-params.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# add keyslot 1 to second digest
 	obj_len=$(jq -c -M '.keyslots."1".kdf | length' $TMPDIR/json0)
@@ -26,7 +26,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-correct-full-json0.img.sh b/tests/generators/generate-luks2-correct-full-json0.img.sh
index 5cba271..c7ea781 100755
--- a/tests/generators/generate-luks2-correct-full-json0.img.sh
+++ b/tests/generators/generate-luks2-correct-full-json0.img.sh
@@ -15,7 +15,7 @@
 PATTERN="\"config\":{"
 KEY="\"config_key\":\""
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_len=${#json_str}
@@ -41,7 +41,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh b/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh
index 1365e0c..6141433 100755
--- a/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh
+++ b/tests/generators/generate-luks2-corrupted-hdr0-with-correct-chks.img.sh
@@ -11,7 +11,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_len=${#json_str}
@@ -27,7 +27,7 @@ function generate()
 	lib_mangle_json_hdr0
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 
diff --git a/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh b/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh
index fcbbb1e..25132b9 100755
--- a/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh
+++ b/tests/generators/generate-luks2-corrupted-hdr1-with-correct-chks.img.sh
@@ -11,7 +11,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json1
 	json_len=${#json_str}
@@ -27,7 +27,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_checksum || exit 2
 
diff --git a/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh b/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh
index 925763e..752142d 100755
--- a/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh
+++ b/tests/generators/generate-luks2-invalid-checksum-both-hdrs.img.sh
@@ -11,7 +11,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	CHKS0=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin)
 	CHKS1=$(echo "D'oh!: arbitrary chosen string" | calc_sha256_checksum_stdin)
@@ -20,7 +20,7 @@ function generate()
 	write_luks2_bin_hdr1 $TMPDIR/hdr1 $TGT_IMG
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh b/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh
index ae8c595..e87fbde 100755
--- a/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh
+++ b/tests/generators/generate-luks2-invalid-checksum-hdr0.img.sh
@@ -11,13 +11,13 @@
 # 1 full target dir
 # 2 full source luks2 image
 
-function generate()
+generate()
 {
 	CHKS0=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin)
 	write_checksum $CHKS0 $TGT_IMG
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 }
diff --git a/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh b/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh
index a56695d..67778e1 100755
--- a/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh
+++ b/tests/generators/generate-luks2-invalid-checksum-hdr1.img.sh
@@ -11,14 +11,14 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	CHKS1=$(echo "Arbitrary chosen string: D'oh!" | calc_sha256_checksum_stdin)
 	write_checksum $CHKS1 $TMPDIR/hdr1
 	write_luks2_bin_hdr1 $TMPDIR/hdr1 $TGT_IMG
 }
 
-function check()
+check()
 {
 	lib_hdr1_checksum || exit 2
 }
diff --git a/tests/generators/generate-luks2-invalid-json-size-c0.img.sh b/tests/generators/generate-luks2-invalid-json-size-c0.img.sh
index 13dea92..2991d87 100755
--- a/tests/generators/generate-luks2-invalid-json-size-c0.img.sh
+++ b/tests/generators/generate-luks2-invalid-json-size-c0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512+4096))
 	json_str=$(jq -c --arg js $JS '.config.json_size = ($js | tostring)' $TMPDIR/json0)
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-invalid-json-size-c1.img.sh b/tests/generators/generate-luks2-invalid-json-size-c1.img.sh
index 5cdc7ce..dddf99a 100755
--- a/tests/generators/generate-luks2-invalid-json-size-c1.img.sh
+++ b/tests/generators/generate-luks2-invalid-json-size-c1.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512-4096))
 	json_str=$(jq -c --arg js $JS '.config.json_size = ($js | tostring)' $TMPDIR/json0)
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-invalid-json-size-c2.img.sh b/tests/generators/generate-luks2-invalid-json-size-c2.img.sh
index 4122338..4760618 100755
--- a/tests/generators/generate-luks2-invalid-json-size-c2.img.sh
+++ b/tests/generators/generate-luks2-invalid-json-size-c2.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512))
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K
@@ -34,7 +34,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0
 	local str_res1=$(head -c 4 $TMPDIR/hdr_res0)
diff --git a/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh b/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh
index 8187b72..8d509db 100755
--- a/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh
+++ b/tests/generators/generate-luks2-invalid-keyslots-size-c0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# make area 7 being included in area 6
 	OFFS=$((2*LUKS2_HDR_SIZE*512))
@@ -28,7 +28,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh b/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh
index 2ba1a9b..c66ffcf 100755
--- a/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh
+++ b/tests/generators/generate-luks2-invalid-keyslots-size-c1.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c '.config.keyslots_size = (.config.keyslots_size | tonumber - 1 | tostring)' $TMPDIR/json0)
 	test -n "$json_str" || exit 2
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh b/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh
index f983438..4f96ef8 100755
--- a/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh
+++ b/tests/generators/generate-luks2-invalid-keyslots-size-c2.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq '.config.keyslots_size = ([.keyslots[].area.size] | map(tonumber) | add - 4096 | tostring )' $TMPDIR/json0)
 	test -n "$json_str" || exit 2
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-invalid-object-type-json0.img.sh b/tests/generators/generate-luks2-invalid-object-type-json0.img.sh
index 616120b..3a99356 100755
--- a/tests/generators/generate-luks2-invalid-object-type-json0.img.sh
+++ b/tests/generators/generate-luks2-invalid-object-type-json0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_str="[$json_str]" # make top level value an array
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh b/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh
index 3f34692..9974227 100755
--- a/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh
+++ b/tests/generators/generate-luks2-invalid-opening-char-json0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_str=" $json_str" # add useless opening whitespace
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-invalid-tokens.img.sh b/tests/generators/generate-luks2-invalid-tokens.img.sh
index 9719cf7..6475bd4 100755
--- a/tests/generators/generate-luks2-invalid-tokens.img.sh
+++ b/tests/generators/generate-luks2-invalid-tokens.img.sh
@@ -12,7 +12,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c 'del(.tokens) | .tokens = 42' $TMPDIR/json0)
 	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-invalid-top-objects.img.sh b/tests/generators/generate-luks2-invalid-top-objects.img.sh
index 174dc2c..cbb51f4 100755
--- a/tests/generators/generate-luks2-invalid-top-objects.img.sh
+++ b/tests/generators/generate-luks2-invalid-top-objects.img.sh
@@ -12,7 +12,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c 'del(.tokens) | .tokens = 42 |
 			  del(.digests) | .digests = 42 |
@@ -27,7 +27,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-keyslot-invalid-af.img.sh b/tests/generators/generate-luks2-keyslot-invalid-af.img.sh
index 99f7679..1825780 100755
--- a/tests/generators/generate-luks2-keyslot-invalid-af.img.sh
+++ b/tests/generators/generate-luks2-keyslot-invalid-af.img.sh
@@ -12,7 +12,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c 'del(.keyslots."0".af.type) | .keyslots."0".af.type = 42' $TMPDIR/json0)
 	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh b/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh
index 723d58a..59bfd1e 100755
--- a/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh
+++ b/tests/generators/generate-luks2-keyslot-invalid-area-size.img.sh
@@ -12,7 +12,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c '.keyslots."0"."area".size = "18446744073709551615"' $TMPDIR/json0)
 	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-keyslot-invalid-area.img.sh b/tests/generators/generate-luks2-keyslot-invalid-area.img.sh
index c41037e..5d14439 100755
--- a/tests/generators/generate-luks2-keyslot-invalid-area.img.sh
+++ b/tests/generators/generate-luks2-keyslot-invalid-area.img.sh
@@ -12,7 +12,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c 'del(.keyslots."0".area) | .keyslots."0".area = 42' $TMPDIR/json0)
 	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh b/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh
index 5fcfef2..46bedd5 100755
--- a/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh
+++ b/tests/generators/generate-luks2-keyslot-invalid-objects.img.sh
@@ -12,7 +12,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c 'del(.keyslots."0".kdf) | .keyslots."0".kdf = 42 |
 		  del(.keyslots."0".af) | .keyslots."0".af = 42' $TMPDIR/json0)
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr0_checksum || exit 2
 	lib_hdr1_checksum || exit 2
diff --git a/tests/generators/generate-luks2-keyslot-missing-digest.img.sh b/tests/generators/generate-luks2-keyslot-missing-digest.img.sh
index 49aeff1..c675783 100755
--- a/tests/generators/generate-luks2-keyslot-missing-digest.img.sh
+++ b/tests/generators/generate-luks2-keyslot-missing-digest.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str_orig < $TMPDIR/json0
 	arr_len=$(jq -c -M '.digests."0".keyslots | length' $TMPDIR/json0)
@@ -27,7 +27,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh b/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh
index 5ba55f1..d86efce 100755
--- a/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh
+++ b/tests/generators/generate-luks2-keyslot-too-many-digests.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# add keyslot 1 to second digest
 	json_str=$(jq -r -c -M '.digests."1" = .digests."0" | .digests."1".keyslots = ["1"]' $TMPDIR/json0)
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh
index 2a44678..248db11 100755
--- a/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 128 KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_128K
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-128k.img.sh b/tests/generators/generate-luks2-metadata-size-128k.img.sh
index 79cccbd..8fa8c49 100755
--- a/tests/generators/generate-luks2-metadata-size-128k.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-128k.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 128KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_128K
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh
index f0e6e8d..b053428 100755
--- a/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 16 KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh
index 25c19c1..61f7220 100755
--- a/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 1 MiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-1m.img.sh b/tests/generators/generate-luks2-metadata-size-1m.img.sh
index 9228fe5..baced6e 100755
--- a/tests/generators/generate-luks2-metadata-size-1m.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-1m.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 1 MiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh
index b4c1027..8d42cc5 100755
--- a/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 256 KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_256K
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-256k.img.sh b/tests/generators/generate-luks2-metadata-size-256k.img.sh
index 60ec878..d65d748 100755
--- a/tests/generators/generate-luks2-metadata-size-256k.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-256k.img.sh
@@ -16,7 +16,7 @@
 # $2 full source luks2 image
 
 
-function generate()
+generate()
 {
 	# 256KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_256K
@@ -45,7 +45,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh
index 0c68905..bc95c68 100755
--- a/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 2 MiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_2M
@@ -46,7 +46,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-2m.img.sh b/tests/generators/generate-luks2-metadata-size-2m.img.sh
index 0dbb521..9997bd4 100755
--- a/tests/generators/generate-luks2-metadata-size-2m.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-2m.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 2 MiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_2M
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh
index effd244..fe95d3a 100755
--- a/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 32 KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-32k.img.sh b/tests/generators/generate-luks2-metadata-size-32k.img.sh
index f970144..f862e4f 100755
--- a/tests/generators/generate-luks2-metadata-size-32k.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-32k.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 32KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh
index f423850..837aab6 100755
--- a/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 4 MiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_4M
@@ -46,7 +46,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-4m.img.sh b/tests/generators/generate-luks2-metadata-size-4m.img.sh
index b15ad4b..55ce0b2 100755
--- a/tests/generators/generate-luks2-metadata-size-4m.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-4m.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 4 MiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_4M
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh
index 4980816..8a46817 100755
--- a/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 512 KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_512K
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-512k.img.sh b/tests/generators/generate-luks2-metadata-size-512k.img.sh
index f3da37f..a9a002e 100755
--- a/tests/generators/generate-luks2-metadata-size-512k.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-512k.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 512KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_512K
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh
index 3913f03..6b3a906 100755
--- a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 64KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh
index b01f933..02eb7de 100755
--- a/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 64KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
@@ -45,7 +45,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh b/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh
index 5b8517a..4487296 100755
--- a/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 64KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
@@ -45,7 +45,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh
index 9635ab7..a2ee1ac 100755
--- a/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh
@@ -16,7 +16,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 64 KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
@@ -47,7 +47,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-64k.img.sh b/tests/generators/generate-luks2-metadata-size-64k.img.sh
index 50941b8..98285ac 100755
--- a/tests/generators/generate-luks2-metadata-size-64k.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-64k.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# 64KiB metadata
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
index d2ddd61..7eb41b5 100755
--- a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
 
@@ -46,7 +46,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE
 }
 
-function check()
+check()
 {
 	lib_hdr0_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
index 745fc5c..24113a1 100755
--- a/tests/generators/generate-luks2-metadata-size-invalid.img.sh
+++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
@@ -15,7 +15,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
 
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr1 $TEST_MDA_SIZE $TEST_JSN_SIZE kill
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed $TEST_MDA_SIZE || exit 2
 
diff --git a/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh b/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh
index a0ca53c..ae364ea 100755
--- a/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh
+++ b/tests/generators/generate-luks2-missing-keyslot-referenced-in-digest.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str_orig < $TMPDIR/json0
 	arr_len=$(jq -c -M '.digests."0".keyslots | length' $TMPDIR/json0)
@@ -29,7 +29,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh b/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh
index 84d7ed2..e5da89c 100755
--- a/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh
+++ b/tests/generators/generate-luks2-missing-keyslot-referenced-in-token.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str_orig < $TMPDIR/json0
 	# add missing keyslot reference in keyslots array of token '0'
@@ -27,7 +27,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh b/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh
index 300c2dc..0cbb3bc 100755
--- a/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh
+++ b/tests/generators/generate-luks2-missing-segment-referenced-in-digest.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str_orig < $TMPDIR/json0
 	arr_len=$(jq -c -M '.digests."0".segments | length' $TMPDIR/json0)
@@ -29,7 +29,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh b/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh
index 9c5ed0b..7d7220c 100755
--- a/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh
+++ b/tests/generators/generate-luks2-missing-trailing-null-byte-json0.img.sh
@@ -17,7 +17,7 @@
 PATTERN="\"config\":{"
 KEY="\"config_key\":\""
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_len=${#json_str}
@@ -44,7 +44,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-non-compact-json-4k-token-0.img.sh b/tests/generators/generate-luks2-non-compact-json-4k-token-0.img.sh
new file mode 100755
index 0000000..abbaf5a
--- /dev/null
+++ b/tests/generators/generate-luks2-non-compact-json-4k-token-0.img.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate LUKS2 header with non compact (valid!)
+# json and additional token with id 0 with json
+# format aligned to 4K boundary.
+#
+# The image is tested for correct LUKS2 write optimization
+# where non compact json trailing bytes must not remain in LUKS2 json
+# area after write of shorter (e.g. compact) json.
+
+# $1 full target dir
+# $2 full source luks2 image
+
+generate()
+{
+	# add empty token
+	json_str=$(jq -c '.tokens."0" = {"type":"a", "keyslots":[]}' $TMPDIR/json0)
+	json_len_orig=${#json_str}
+	test $json_len_orig -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+	# align to 4k and full 4K of whitespace if already aligned
+	json_fill_len=$((4096-(json_len_orig%4096)))
+	fill=$(repeat_str " " $json_fill_len)
+	json_str_new=$(echo -e $json_str | sed -e "s/\(\"type\":\)\(\"luks2\"\)/\1""$fill""\2/")
+	json_len_new=${#json_str_new}
+
+	test $((json_len_new%4096)) -eq 0 || exit 2
+	test $json_len_new -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+	test $json_len_new -gt $json_len_orig || exit 2
+
+	printf '%s' "$json_str_new" | _dd of=$TMPDIR/json0 bs=4K conv=notrunc
+	printf '%s' "$json_str_new" | _dd of=$TMPDIR/json1 bs=4K conv=notrunc
+
+	lib_mangle_json_hdr0
+	lib_mangle_json_hdr1
+}
+
+check()
+{
+	lib_hdr0_checksum || exit 2
+	lib_hdr1_checksum || exit 2
+
+	read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+
+	read -r json_str_res < $TMPDIR/json_res0
+	test $((${#json_str_res}%4096)) -eq 0 || exit 2
+	test ${#json_str_res} -gt $json_len_orig || exit 2
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-non-compact-json-token-0.img.sh b/tests/generators/generate-luks2-non-compact-json-token-0.img.sh
new file mode 100755
index 0000000..e5f5208
--- /dev/null
+++ b/tests/generators/generate-luks2-non-compact-json-token-0.img.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate LUKS2 header with non compact (valid!)
+# json and additional token with id 0.
+#
+# The image is tested for correct LUKS2 write optimization
+# where non compact json trailing bytes must not remain in LUKS2 json
+# area after write of shorter (e.g. compact) json.
+
+# $1 full target dir
+# $2 full source luks2 image
+
+generate()
+{
+	# add empty token
+	json_str=$(jq -c '.tokens."0" = {"type":"a", "keyslots":[]}' $TMPDIR/json0)
+	json_len_orig=${#json_str}
+	test $json_len_orig -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+	json_str_new=$(echo -n $json_str | sed -e 's/\(\"type\":\)\(\"luks2\"\)/\1 \2/')
+	json_len_new=${#json_str_new}
+
+	test $json_len_new -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+	test $json_len_new -gt $json_len_orig || exit 2
+
+	printf '%s' "$json_str_new" | _dd of=$TMPDIR/json0 bs=1 conv=notrunc
+	printf '%s' "$json_str_new" | _dd of=$TMPDIR/json1 bs=1 conv=notrunc
+
+	lib_mangle_json_hdr0
+	lib_mangle_json_hdr1
+}
+
+check()
+{
+	lib_hdr0_checksum || exit 2
+	lib_hdr1_checksum || exit 2
+
+	read_luks2_json0 $TGT_IMG $TMPDIR/json_res0
+
+	read -r json_str_res < $TMPDIR/json_res0
+	test ${#json_str_res} -gt $json_len_orig || exit 2
+}
+
+lib_prepare $@
+generate
+check
+lib_cleanup
diff --git a/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh b/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh
index 6f4aa7d..27406eb 100755
--- a/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh
+++ b/tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_str="$json_str"X # add illegal 'X' beyond json format
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh b/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh
index 18abf23..ec30c66 100755
--- a/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh
+++ b/tests/generators/generate-luks2-non-null-bytes-beyond-json0.img.sh
@@ -17,7 +17,7 @@
 QUOTE="[Homer J. Simpson]: Keep looking shocked and move slowly towards the cake."
 SPACE=20
 
-function generate()
+generate()
 {
 	read -r json_str < $TMPDIR/json0
 	json_len_orig=${#json_str}
@@ -29,7 +29,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh b/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh
index 23883bb..60cd23e 100755
--- a/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh
+++ b/tests/generators/generate-luks2-overlapping-areas-c0-json0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# copy area 6 offset and length into area 7
 	json_str=$(jq -c '.keyslots."7".area.offset = .keyslots."6".area.offset |
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh b/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh
index 0733627..19ca941 100755
--- a/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh
+++ b/tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# make area 7 being included in area 6
 	json_str=$(jq -c '.keyslots."7".area.offset = (.keyslots."6".area.offset | tonumber + 1 | tostring ) |
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh b/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh
index 6699b38..cd62a73 100755
--- a/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh
+++ b/tests/generators/generate-luks2-overlapping-areas-c2-json0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# make area 7 being included in area 6
 	json_str=$(jq -c '.keyslots."7".area.offset = ([ .keyslots."6".area.offset, .keyslots."6".area.size ] | map(tonumber) | add - 1 | tostring)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh b/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh
index e035f94..296d18b 100755
--- a/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh
+++ b/tests/generators/generate-luks2-pbkdf2-leftover-params-0.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# add keyslot 1 to second digest
 	obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json0)
@@ -26,7 +26,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh b/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh
index d82c2bd..4e4f5bd 100755
--- a/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh
+++ b/tests/generators/generate-luks2-pbkdf2-leftover-params-1.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# add keyslot 1 to second digest
 	obj_len=$(jq -c -M '.keyslots."2".kdf | length' $TMPDIR/json0)
@@ -26,7 +26,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 	lib_hdr0_checksum || exit 2
diff --git a/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh b/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh
index ca17aac..4e1aa9b 100755
--- a/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-empty-encryption.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".encryption = ""' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh b/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh
index e92bc2a..cdd6216 100755
--- a/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c 'del(.segments."0".encryption)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh b/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh
index 77beb53..8c86ad5 100755
--- a/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c 'del(.segments."0".iv_tweak)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh b/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh
index 0609533..ab0b8ec 100755
--- a/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c 'del(.segments."0".sector_size)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh
index 9d7e584..a9bac8d 100755
--- a/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".encryption = {}' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh
index 0830a16..6611c32 100755
--- a/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".iv_tweak = "dynamic"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh
index 069b6c0..d0d1449 100755
--- a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".sector_size = 1023' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh
index c310ff1..d7fabe4 100755
--- a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".sector_size = "4096"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh
index b4b8b39..14dd258 100755
--- a/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh
+++ b/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".sector_size = -1024' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-missing-offset.img.sh b/tests/generators/generate-luks2-segment-missing-offset.img.sh
index 6d5811e..66562be 100755
--- a/tests/generators/generate-luks2-segment-missing-offset.img.sh
+++ b/tests/generators/generate-luks2-segment-missing-offset.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c 'del(.segments."0".offset)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-missing-size.img.sh b/tests/generators/generate-luks2-segment-missing-size.img.sh
index 579858f..ccfc2dc 100755
--- a/tests/generators/generate-luks2-segment-missing-size.img.sh
+++ b/tests/generators/generate-luks2-segment-missing-size.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c 'del(.segments."0".size)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-missing-type.img.sh b/tests/generators/generate-luks2-segment-missing-type.img.sh
index 5b74c5d..5cb0cf5 100755
--- a/tests/generators/generate-luks2-segment-missing-type.img.sh
+++ b/tests/generators/generate-luks2-segment-missing-type.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c 'del(.segments."0".type)' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-two.img.sh b/tests/generators/generate-luks2-segment-two.img.sh
index 798c5be..1ec0470 100755
--- a/tests/generators/generate-luks2-segment-two.img.sh
+++ b/tests/generators/generate-luks2-segment-two.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".size = "512" | .segments."1" = {type:"some", offset: (.segments."0".offset | tonumber + 512 | tostring), size: "dynamic"}' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-unknown-type.img.sh b/tests/generators/generate-luks2-segment-unknown-type.img.sh
index 814344a..653f4bd 100755
--- a/tests/generators/generate-luks2-segment-unknown-type.img.sh
+++ b/tests/generators/generate-luks2-segment-unknown-type.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0" = {type:"some_type", offset: .segments."0".offset, size: .segments."0".size, a_field:0}' $TMPDIR/json0)
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh b/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh
index 3ba9d47..a5bf806 100755
--- a/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-backup-key-0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# create illegal backup segment key (used to be bug in 32bit implementations)
 	json_str=$(jq -c '.segments[(.segments | length + 1 | tostring)] = { "type" : "linear", "offset" : "512", "size" : "512", "flags":["backup-x"]}' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh b/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh
index 11a94d7..084566d 100755
--- a/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-backup-key-1.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# create illegal backup segment key (used to be bug in 32bit implementations)
 	json_str=$(jq -c '(.segments."0".offset | tonumber) as $i | .segments[range(1;65) | tostring] = { "type" : "linear", "offset" : ($i + 512 | tostring), "size" : "512" } | .segments."268435472" = { "type":"linear","offset":"512","size":"512","flags":["backup-x"]}' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh b/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh
index 72da1f1..39a1c38 100755
--- a/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".flags = [ "hello", 1 ]' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-flags.img.sh b/tests/generators/generate-luks2-segment-wrong-flags.img.sh
index 19d6340..22ac9f7 100755
--- a/tests/generators/generate-luks2-segment-wrong-flags.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-flags.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".flags = "hello"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-offset.img.sh b/tests/generators/generate-luks2-segment-wrong-offset.img.sh
index c9b1b50..69a7043 100755
--- a/tests/generators/generate-luks2-segment-wrong-offset.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-offset.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".offset = "-42"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-size-0.img.sh b/tests/generators/generate-luks2-segment-wrong-size-0.img.sh
index b9227a7..0d9c1ae 100755
--- a/tests/generators/generate-luks2-segment-wrong-size-0.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-size-0.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".size = 4096' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-size-1.img.sh b/tests/generators/generate-luks2-segment-wrong-size-1.img.sh
index 6be5031..c3e8933 100755
--- a/tests/generators/generate-luks2-segment-wrong-size-1.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-size-1.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".size = "automatic"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-size-2.img.sh b/tests/generators/generate-luks2-segment-wrong-size-2.img.sh
index 311c0e8..83d9c2f 100755
--- a/tests/generators/generate-luks2-segment-wrong-size-2.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-size-2.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".size = "511"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-segment-wrong-type.img.sh b/tests/generators/generate-luks2-segment-wrong-type.img.sh
index c041157..0f7a18e 100755
--- a/tests/generators/generate-luks2-segment-wrong-type.img.sh
+++ b/tests/generators/generate-luks2-segment-wrong-type.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# remove mandatory encryption field
 	json_str=$(jq -c '.segments."0".type = 42' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-uint64-max-segment-size.img.sh b/tests/generators/generate-luks2-uint64-max-segment-size.img.sh
index f966e1d..ac0c7ee 100755
--- a/tests/generators/generate-luks2-uint64-max-segment-size.img.sh
+++ b/tests/generators/generate-luks2-uint64-max-segment-size.img.sh
@@ -14,7 +14,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# UINT64_MAX - 511 (so that it's sector aligned)
 	json_str=$(jq -c '.segments."0".size = "18446744073709551104"' $TMPDIR/json0)
@@ -25,7 +25,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh b/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh
index 4e064e4..9a3ada6 100755
--- a/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh
+++ b/tests/generators/generate-luks2-uint64-overflow-segment-size.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	json_str=$(jq -c '.segments."0".size = "18446744073709551616"' $TMPDIR/json0)
 	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
@@ -23,7 +23,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh b/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh
index 6687f35..2f16e70 100755
--- a/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh
+++ b/tests/generators/generate-luks2-uint64-signed-segment-size.img.sh
@@ -13,7 +13,7 @@
 # $1 full target dir
 # $2 full source luks2 image
 
-function generate()
+generate()
 {
 	# UINT64_MAX + 1 (it's 512 sector aligned)
 	json_str=$(jq -c '.segments."0".size = "-512"' $TMPDIR/json0)
@@ -24,7 +24,7 @@ function generate()
 	lib_mangle_json_hdr0_kill_hdr1
 }
 
-function check()
+check()
 {
 	lib_hdr1_killed || exit 2
 
diff --git a/tests/generators/lib.sh b/tests/generators/lib.sh
index c0e9cc1..07365d7 100644
--- a/tests/generators/lib.sh
+++ b/tests/generators/lib.sh
@@ -28,13 +28,13 @@ repeat_str() {
 	printf "$1"'%.0s' $(eval "echo {1.."$(($2))"}");
 }
 
-function strindex()
+strindex()
 {
 	local x="${1%%$2*}"
 	[[ $x = $1 ]] && echo -1 || echo ${#x}
 }
 
-function test_img_name()
+test_img_name()
 {
 	local str=$(basename $1)
 	str=${str#generate-}
@@ -44,14 +44,14 @@ function test_img_name()
 
 # read primary bin hdr
 # 1:from 2:to
-function read_luks2_bin_hdr0()
+read_luks2_bin_hdr0()
 {
 	_dd if=$1 of=$2 bs=512 count=$LUKS2_BIN_HDR_SIZE
 }
 
 # read primary json area
 # 1:from 2:to 3:[json only size (defaults to 12KiB)]
-function read_luks2_json0()
+read_luks2_json0()
 {
 	local _js=${4:-$LUKS2_JSON_SIZE}
 	local _js=$((_js*512/4096))
@@ -60,14 +60,14 @@ function read_luks2_json0()
 
 # read secondary bin hdr
 # 1:from 2:to 3:[metadata size (defaults to 16KiB)]
-function read_luks2_bin_hdr1()
+read_luks2_bin_hdr1()
 {
 	_dd if=$1 of=$2 skip=${3:-$LUKS2_HDR_SIZE} bs=512 count=$LUKS2_BIN_HDR_SIZE
 }
 
 # read secondary json area
 # 1:from 2:to 3:[json only size (defaults to 12KiB)]
-function read_luks2_json1()
+read_luks2_json1()
 {
 	local _js=${3:-$LUKS2_JSON_SIZE}
 	_dd if=$1 of=$2 bs=512 skip=$((2*LUKS2_BIN_HDR_SIZE+_js)) count=$_js
@@ -75,7 +75,7 @@ function read_luks2_json1()
 
 # read primary metadata area (bin + json)
 # 1:from 2:to 3:[metadata size (defaults to 16KiB)]
-function read_luks2_hdr_area0()
+read_luks2_hdr_area0()
 {
 	local _as=${3:-$LUKS2_HDR_SIZE}
 	local _as=$((_as*512))
@@ -84,7 +84,7 @@ function read_luks2_hdr_area0()
 
 # read secondary metadata area (bin + json)
 # 1:from 2:to 3:[metadata size (defaults to 16KiB)]
-function read_luks2_hdr_area1()
+read_luks2_hdr_area1()
 {
 	local _as=${3:-$LUKS2_HDR_SIZE}
 	local _as=$((_as*512))
@@ -93,14 +93,14 @@ function read_luks2_hdr_area1()
 
 # write secondary bin hdr
 # 1:from 2:to 3:[metadata size (defaults to 16KiB)]
-function write_luks2_bin_hdr1()
+write_luks2_bin_hdr1()
 {
 	_dd if=$1 of=$2 bs=512 seek=${3:-$LUKS2_HDR_SIZE} count=$LUKS2_BIN_HDR_SIZE conv=notrunc
 }
 
 # write primary metadata area (bin + json)
 # 1:from 2:to 3:[metadata size (defaults to 16KiB)]
-function write_luks2_hdr0()
+write_luks2_hdr0()
 {
 	local _as=${3:-$LUKS2_HDR_SIZE}
 	local _as=$((_as*512))
@@ -109,7 +109,7 @@ function write_luks2_hdr0()
 
 # write secondary metadata area (bin + json)
 # 1:from 2:to 3:[metadata size (defaults to 16KiB)]
-function write_luks2_hdr1()
+write_luks2_hdr1()
 {
 	local _as=${3:-$LUKS2_HDR_SIZE}
 	local _as=$((_as*512))
@@ -118,7 +118,7 @@ function write_luks2_hdr1()
 
 # write json (includes padding)
 # 1:json_string 2:to 3:[json size (defaults to 12KiB)]
-function write_luks2_json()
+write_luks2_json()
 {
 	local _js=${3:-$LUKS2_JSON_SIZE}
 	local len=${#1}
@@ -126,23 +126,23 @@ function write_luks2_json()
 	truncate -s $((_js*512)) $2
 }
 
-function kill_bin_hdr()
+kill_bin_hdr()
 {
 	printf "VACUUM" | _dd of=$1 bs=1 conv=notrunc
 }
 
-function erase_checksum()
+erase_checksum()
 {
 	_dd if=/dev/zero of=$1 bs=1 seek=$(printf %d $LUKS2_BIN_HDR_CHKS_OFFSET) count=$LUKS2_BIN_HDR_CHKS_LENGTH conv=notrunc
 }
 
-function read_sha256_checksum()
+read_sha256_checksum()
 {
 	_dd if=$1 bs=1 skip=$(printf %d $LUKS2_BIN_HDR_CHKS_OFFSET) count=32 | xxd -c 32 -p
 }
 
 # 1 - string with checksum
-function write_checksum()
+write_checksum()
 {
 	test $# -eq 2 || return 1
 	test $((${#1}/2)) -le $LUKS2_BIN_HDR_CHKS_LENGTH || { echo "too long"; return 1; }
@@ -150,19 +150,19 @@ function write_checksum()
 	echo $1 | xxd -r -p | _dd of=$2 bs=1 seek=$(printf %d $LUKS2_BIN_HDR_CHKS_OFFSET) conv=notrunc
 }
 
-function calc_sha256_checksum_file()
+calc_sha256_checksum_file()
 {
 	sha256sum $1 | cut -d ' ' -f 1
 }
 
-function calc_sha256_checksum_stdin()
+calc_sha256_checksum_stdin()
 {
 	sha256sum - | cut -d ' ' -f 1
 }
 
 # merge bin hdr with json to form metadata area
 # 1:bin_hdr 2:json 3:to 4:[json size (defaults to 12KiB)]
-function merge_bin_hdr_with_json()
+merge_bin_hdr_with_json()
 {
 	local _js=${4:-$LUKS2_JSON_SIZE}
 	local _js=$((_js*512/4096))
@@ -170,16 +170,16 @@ function merge_bin_hdr_with_json()
 	_dd if=$2 of=$3 bs=4096 seek=1 count=$_js
 }
 
-function _dd()
+_dd()
 {
 	dd $@ status=none
 }
 
-function write_bin_hdr_size() {
+write_bin_hdr_size() {
 	printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=1 conv=notrunc
 }
 
-function write_bin_hdr_offset() {
+write_bin_hdr_offset() {
 	printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=32 conv=notrunc
 }
 
@@ -190,7 +190,7 @@ function write_bin_hdr_offset() {
 # $TMPDIR/hdr1  - bin hdr2
 
 # 1:target_dir 2:source_image
-function lib_prepare()
+lib_prepare()
 {
 	test $# -eq 2 || exit 1
 
@@ -209,13 +209,13 @@ function lib_prepare()
 	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
 }
 
-function lib_cleanup()
+lib_cleanup()
 {
 	rm -f $TMPDIR/*
 	rm -fd $TMPDIR
 }
 
-function lib_mangle_json_hdr0()
+lib_mangle_json_hdr0()
 {
 	local mda_sz=${1:-}
 	local jsn_sz=${2:-}
@@ -229,7 +229,7 @@ function lib_mangle_json_hdr0()
 	write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $mda_sz
 }
 
-function lib_mangle_json_hdr1()
+lib_mangle_json_hdr1()
 {
 	local mda_sz=${1:-}
 	local jsn_sz=${2:-}
@@ -243,7 +243,7 @@ function lib_mangle_json_hdr1()
 	write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $mda_sz
 }
 
-function lib_mangle_json_hdr0_kill_hdr1()
+lib_mangle_json_hdr0_kill_hdr1()
 {
 	lib_mangle_json_hdr0
 
@@ -251,7 +251,7 @@ function lib_mangle_json_hdr0_kill_hdr1()
 	write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG
 }
 
-function lib_hdr0_killed()
+lib_hdr0_killed()
 {
 	local mda_sz=${1:-}
 
@@ -260,7 +260,7 @@ function lib_hdr0_killed()
 	test "$str_res0" = "VACUUM"
 }
 
-function lib_hdr1_killed()
+lib_hdr1_killed()
 {
 	local mda_sz=${1:-}
 
@@ -269,13 +269,13 @@ function lib_hdr1_killed()
 	test "$str_res1" = "VACUUM"
 }
 
-function lib_hdr0_checksum()
+lib_hdr0_checksum()
 {
 	local chks_res0=$(read_sha256_checksum $TGT_IMG)
 	test "$CHKS0" = "$chks_res0"
 }
 
-function lib_hdr1_checksum()
+lib_hdr1_checksum()
 {
 	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1
 	local chks_res1=$(read_sha256_checksum $TMPDIR/hdr_res1)
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
index a2aae8d..c40218c 100755
--- a/tests/integrity-compat-test
+++ b/tests/integrity-compat-test
@@ -30,6 +30,7 @@ cleanup() {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmremove $DEV_NAME2
 	[ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
 	DEV_LOOP=""
+	IDEV=""
 	rm -f $DEV $DEV2 $KEY_FILE $KEY_FILE2 >/dev/null 2>&1
 }
 
@@ -42,13 +43,16 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function dm_integrity_features()
+dm_integrity_features()
 {
 	VER_STR=$(dmsetup targets | grep integrity | cut -f2 -dv)
 	[ -z "$VER_STR" ] && skip "Cannot find dm-integrity target, test skipped."
@@ -58,6 +62,17 @@ function dm_integrity_features()
 	VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
 
 	[ $VER_MAJ -lt 1 ] && return
+	[ $VER_MAJ -gt 1 ] && {
+		DM_INTEGRITY_META=1
+		DM_INTEGRITY_RECALC=1
+		DM_INTEGRITY_BITMAP=1
+		DM_INTEGRITY_RESIZE_SUPPORTED=1
+		DM_INTEGRITY_HMAC_FIX=1
+		DM_INTEGRITY_RESET=1
+		DM_INTEGRITY_INLINE=1
+		DM_INTEGRITY_RECALCULATE_INLINE=1
+		return
+	}
 	[ $VER_MIN -gt 1 ] && {
 		DM_INTEGRITY_META=1
 		DM_INTEGRITY_RECALC=1
@@ -74,6 +89,12 @@ function dm_integrity_features()
 	[ $VER_MIN -gt 7 ] && {
 		DM_INTEGRITY_RESET=1
 	}
+	[ $VER_MIN -ge 12 ] && {
+		DM_INTEGRITY_INLINE=1
+	}
+	[ $VER_MIN -ge 13 ] && {
+		DM_INTEGRITY_RECALCULATE_INLINE=1
+	}
 }
 
 add_device() {
@@ -82,7 +103,19 @@ add_device() {
 	dd if=/dev/urandom of=$KEY_FILE2 bs=1 count=32 >/dev/null 2>&1
 	dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
 	dd if=/dev/zero of=$DEV2 bs=1M count=32 >/dev/null 2>&1
-	sync
+	IDEV=$DEV
+	INLINE_PARAMS=""
+}
+
+add_device_inline() {
+	cleanup
+	add_device
+	DEV_LOOP=$(losetup -f $DEV --show)
+	[ -z "$DEV_LOOP" ] && fail
+	dmsetup create $DEV_NAME2 --table "0 32768 integrity $DEV_LOOP 0 64 J 2 block_size:4096 fix_padding"
+	[ ! -b /dev/mapper/$DEV_NAME2 ] && fail
+	IDEV=/dev/mapper/$DEV_NAME2
+	INLINE_PARAMS="--integrity-inline "
 }
 
 status_check() # name value
@@ -97,7 +130,7 @@ status_check() # name value
 
 dump_check() # name value
 {
-	X=$($INTSETUP dump $DEV | grep "$1" | cut -d' '  -f 2)
+	X=$($INTSETUP dump $IDEV | grep "$1" | sed 's/.*: //' | cut -d' '  -f 1)
 	if [ "$X" != "$2" ] ; then
 		echo "[dump FAIL]"
 		echo " Expecting $1:$2 got \"$X\"."
@@ -115,7 +148,7 @@ kernel_param_check() # number value
 	fi
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $INTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -125,7 +158,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${INTSETUP_VALGRIND} "$@"
 }
@@ -154,7 +187,7 @@ int_check_sum() # alg checksum [keyfile keysize]
 	dd if=/dev/zero of=/dev/mapper/$DEV_NAME bs=1M oflag=direct >/dev/null 2>&1
 	dmremove $DEV_NAME
 
-	$INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
+	$INTSETUP open $IDEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
 
 	int_check_sum_only $2
 }
@@ -176,7 +209,7 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
 	echo -n "[INTEGRITY:$2:$4:$5]"
 	[ -n "$8" ] && echo -n "[KEYFILE:$8]"
 	echo -n "[FORMAT]"
-	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
+	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $INLINE_PARAMS $TAG_PARAMS --sector-size $5 $KEY_PARAMS $IDEV >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
 		if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then
 			fail "Cannot format device."
@@ -185,18 +218,18 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
 		return
 	fi
 
-	dump_check "tag_size" $4
-	dump_check "sector_size" $5
+	dump_check "tag size" $4
+	dump_check "sector size" $5
 	echo -n "[ACTIVATE]"
-	$INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
+	$INTSETUP open $IDEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
 	if [ -n "$8" ]; then
 		KEY_HEX=$(xxd -c 4096 -l $8 -p $7)
 		[ -z "$KEY_HEX" ] && fail "Cannot decode key."
 		dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch."
 	fi
-	status_check "tag size" $4
+	status_check "tag size" "$4 [bytes]"
 	status_check "integrity" $2
-	status_check "sector size" "$5 bytes"
+	status_check "sector size" "$5 [bytes]"
 	int_check_sum $1 $6 $7 $8
 	echo -n "[REMOVE]"
 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
@@ -220,11 +253,11 @@ int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_siz
 	else
 		TAG_PARAMS=""
 	fi
-	dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
+	dd if=/dev/zero of=$IDEV bs=1M count=32 >/dev/null 2>&1
 
 	echo -n "[INTEGRITY:$1:$2:$4:$5]"
 	echo -n "[FORMAT]"
-	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1
+	$INTSETUP format -q --integrity $2 $INLINE_PARAMS $TAG_PARAMS --sector-size $5 $KEY_PARAMS $IDEV $INT_MODE >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
 		if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then
 			fail "Cannot format device."
@@ -233,7 +266,7 @@ int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_siz
 		return
 	fi
 	echo -n "[ACTIVATE]"
-	$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
+	$INTSETUP open $IDEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 
 	if [ -n "$6" -a -n "$7" ]; then
 		echo -n "[KEYED HASH]"
@@ -247,15 +280,15 @@ int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_siz
 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 
 	# find offset of data area
-	ARR=($(dd if=$DEV bs=512 2>/dev/null | hexdump -C | grep 'EXAMPLE TEXT'))
+	ARR=($(dd if=$IDEV bs=512 2>/dev/null | hexdump -C | grep 'EXAMPLE TEXT'))
 	OFF_HEX=${ARR[0]}
 	OFF_DEC=$((16#$OFF_HEX))
 
 	echo -n "[CORRUPT DATA:$OFF_DEC]"
-	echo -n "Z" | dd of=$DEV bs=1 seek=$OFF_DEC conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device."
+	echo -n "Z" | dd of=$IDEV bs=1 seek=$OFF_DEC conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device."
 
 	echo -n "[DETECT ERROR]"
-	$INTSETUP open $DEV $DEV_NAME --integrity $2 $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
+	$INTSETUP open $IDEV $DEV_NAME --integrity $2 $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 	dd if=/dev/mapper/$DEV_NAME  >/dev/null 2>&1 && fail "Error detection failed."
 	echo -n "[REMOVE]"
 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
@@ -279,7 +312,7 @@ int_journal() # 1 alg, 2 tagsize, 3 sector_size, 4 watermark, 5 commit_time, 6 j
 	dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch."
 
 	status_check "journal watermark" "${4}%"
-	status_check "journal commit time" "${5} ms"
+	status_check "journal commit time" "${5} [ms]"
 	status_check "journal integrity MAC" $9
 
 	echo -n "[REMOVE]"
@@ -404,7 +437,7 @@ test_resize() # description detached_metadata wipe args
 	check_device_size $DEV_NAME $WHOLE_DISK_SIZE "Resizing disk to maximum size failed"
 
 	echo -n "[EXPAND FIXED]"
-	fallocate $DEV --len 64M
+	truncate -s 64M $DEV || fail
 	$INTSETUP resize -q $wipe_flag $DEV_NAME --device-size 40MiB || fail "Failed to expand the device to a fixed size."
 	dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after expanding to a fixed size."
 	check_device_size $DEV_NAME $(( 40*1024*1024 / 512 )) "Resizing disk after expanding to a fixed size failed"
@@ -433,6 +466,7 @@ command -v xxd >/dev/null || skip "WARNING: xxd tool required."
 modprobe dm-integrity >/dev/null 2>&1
 dm_integrity_features
 
+echo "Integrity mode tests:"
 add_device
 intformat blake2s-256 blake2s-256    32 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
 intformat blake2b-256 blake2b-256    32 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
@@ -460,11 +494,31 @@ int_error_detection J sha1     0 20 4096
 int_error_detection J sha256   0 32  512
 int_error_detection J sha256   0 32 4096
 
-command -v xxd >/dev/null || skip "WARNING: xxd tool required."
 int_error_detection J hmac-sha256  0 32 512 $KEY_FILE 32
 int_error_detection J hmac-sha256  0 32 4096 $KEY_FILE 32
 
+if [ -n "$DM_INTEGRITY_INLINE" ] ; then
+	echo "Integrity mode tests (inline tags): "
+	add_device_inline
+	intformat crc32c      crc32c          0  4 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	intformat crc32       crc32           0  4 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	intformat xxhash64    xxhash64        0  8 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	intformat sha1        sha1            0 20 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	intformat sha1        sha1           16 16 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	intformat sha256      sha256          0 32 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	intformat hmac-sha256 hmac\(sha256\)  0 32 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8 $KEY_FILE 32
+	intformat hmac-sha256 hmac\(sha256\)  0 32 4096 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8 $KEY_FILE 4096
+	echo "Error detection tests (inline tags):"
+	int_error_detection J crc32c   0  4 4096
+	int_error_detection J crc32    0  4 4096
+	int_error_detection J xxhash64 0  8 4096
+	int_error_detection J sha1     0 20 4096
+	int_error_detection J sha256   0 32 4096
+	int_error_detection J hmac-sha256  0 32 4096 $KEY_FILE 32
+fi
+
 echo "Journal parameters tests:"
+add_device
 # Watermark is calculated in kernel, so it can be rounded down/up
 int_journal crc32  4  512  66 1000 hmac-sha256 $KEY_FILE 32 hmac\(sha256\)
 int_journal sha256 32 4096 34 5000 hmac-sha1   $KEY_FILE 16 hmac\(sha1\)
@@ -485,26 +539,33 @@ int_mode sha256      32 512
 int_mode hmac-sha256 32 512  $KEY_FILE 32
 int_mode hmac-sha256 32 4096 $KEY_FILE 32
 
-echo -n "Recalculate tags in-kernel:"
-add_device
-if [ -n "$DM_INTEGRITY_RECALC" ] ; then
-	$INTSETUP format -q $DEV --no-wipe || fail "Cannot format device."
-	$INTSETUP open $DEV $DEV_NAME --integrity-recalculate || fail "Cannot activate device."
+recalc_test() # $1 checksum
+{
+	$INTSETUP format -q $IDEV $INLINE_PARAMS --sector-size 4096 --no-wipe || fail "Cannot format device."
+	$INTSETUP open $IDEV $DEV_NAME --integrity-recalculate || fail "Cannot activate device."
 	dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M 2>/dev/null || fail "Cannot recalculate tags in-kernel"
-	int_check_sum_only 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
+	int_check_sum_only $1
 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 	echo -n "[OK]"
 	if [ -n "$DM_INTEGRITY_RESET" ] ; then
-		$INTSETUP open $DEV $DEV_NAME -I sha256 --integrity-recalculate-reset || fail "Cannot activate device."
+		$INTSETUP open $IDEV $DEV_NAME -I sha256 --integrity-recalculate-reset || fail "Cannot activate device."
 		dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=1M 2>/dev/null || fail "Cannot reset recalculate tags in-kernel"
-		int_check_sum_only 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
+		int_check_sum_only $1
 		$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 		echo "[RESET OK]"
 	else
 		echo "[RESET N/A]"
 	fi
-else
-	echo "[N/A]"
+}
+if [ -n "$DM_INTEGRITY_RECALC" ] ; then
+	echo -n "Recalculate tags in-kernel:"
+	add_device
+	recalc_test eab969b9d69b73dd20bf3f3d2a14936710595fd7ec61be6729690dde86cc7ba6
+	if [ -n "$DM_INTEGRITY_RECALCULATE_INLINE" ] ; then
+		echo -n "Recalculate tags in-kernel (inline tags):"
+		add_device_inline 65072
+		recalc_test 98abca7cb88f35f1944dface4c5040423a99886f4e5a716f061fd153d8661fe8
+	fi
 fi
 
 echo -n "Separate metadata device:"
@@ -526,7 +587,7 @@ if [ -n "$DM_INTEGRITY_BITMAP" ] ; then
 	$INTSETUP format -q $DEV --integrity-bitmap-mode $DEV2 || fail "Cannot format device."
 	$INTSETUP open $DEV --integrity-bitmap-mode --bitmap-sectors-per-bit 65536 --bitmap-flush-time 5000 $DEV_NAME || fail "Cannot activate device."
 	$INTSETUP status $DEV_NAME | grep -q 'bitmap 512-byte sectors per bit: 65536' || fail
-	$INTSETUP status $DEV_NAME | grep -q 'bitmap flush interval: 5000 ms' || fail
+	$INTSETUP status $DEV_NAME | grep -q 'bitmap flush interval: 5000 \[ms\]' || fail
 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 	echo "[OK]"
 	echo "Bitmap error detection tests:"
@@ -551,7 +612,7 @@ EOF
 	[ ! -b /dev/mapper/$DEV_NAME2 ] && fail
 	$INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME2
 	$INTSETUP open /dev/mapper/$DEV_NAME2 $DEV_NAME || fail
-	D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME2 | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
+	D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME2 | grep "data size:" | cut -d' '  -f 3)
 	A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
 	# Compare strings (to avoid 64bit integers), not integers
 	[ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
@@ -626,12 +687,29 @@ $INTSETUP open -q $DEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate
 echo -n "[SHRINK]"
 $INTSETUP resize $DEV_NAME --device-size 1MiB  >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB."
 check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed"
-dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detectied after resize."
+dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after resize."
 echo "[OK]"
 
+if [ -n "$DM_INTEGRITY_INLINE" ] ; then
+	echo -n "[INTEGRITY BASIC RESIZE NOKEY (inline tags)]"
+	add_device_inline
+	ARGS="--integrity crc32"
+
+	echo -n "[FORMAT]"
+	$INTSETUP format -q $IDEV $INLINE_PARAMS --sector-size 4096 $ARGS || fail "Cannot format device."
+	echo -n "[ACTIVATE]"
+	$INTSETUP open -q $IDEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate device."
+	echo -n "[RESIZE]"
+	$INTSETUP resize $DEV_NAME --device-size 1MiB  >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB."
+	check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed"
+	$INTSETUP resize $DEV_NAME --device-size 8MiB >/dev/null 2>&1 || fail "Failed to resize the device to 8MiB."
+	check_device_size $DEV_NAME $(( 8*1024*1024 / 512 )) "Enlarging device failed"
+	dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after resize."
+	echo "[OK]"
+fi
+
 echo -n "[INTEGRITY BASIC RESIZE KEY]"
 add_device
-
 ARGS="--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE"
 
 echo -n "[FORMAT]"
@@ -641,7 +719,7 @@ $INTSETUP open -q $DEV $DEV_NAME $ARGS >/dev/null 2>&1 || fail "Cannot activate
 echo -n "[SHRINK]"
 $INTSETUP resize $DEV_NAME --device-size 1MiB >/dev/null 2>&1 || fail "Failed to resize the device to 1MiB."
 check_device_size $DEV_NAME $(( 1024*1024 / 512 )) "Shrinking device failed"
-dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detectied after resize."
+dd if=/dev/mapper/$DEV_NAME >/dev/null 2>&1 || fail "Errors detected after resize."
 echo "[OK]"
 
 test_resize "[INTEGRITY RESIZE NOKEY]" 0 0 "--integrity crc32"
@@ -655,4 +733,13 @@ if [ -n "$DM_INTEGRITY_HMAC_FIX" ] ; then
 	test_resize "[INTEGRITY RESIZE KEY DETACHED]" 1 1 "--integrity hmac-sha256 --integrity-key-size 128 --integrity-key-file $KEY_FILE --journal-integrity hmac-sha256 --journal-integrity-key-file $KEY_FILE --journal-integrity-key-size 128 --journal-crypt ctr-aes --journal-crypt-key-size 16 --journal-crypt-key-file $KEY_FILE"
 fi
 
+echo -n "Early check for active name:"
+add_device
+DM_BAD_NAME=x/x
+DM_LONG_NAME=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+$INTSETUP format -q $DEV --no-wipe || fail "Cannot format device."
+$INTSETUP open $DEV $DM_BAD_NAME 2>/dev/null && fail "Cannot activate device."
+$INTSETUP open $DEV $DM_LONG_NAME 2>/dev/null && fail "Cannot activate device."
+echo "[OK]"
+
 cleanup
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
index dc4787d..36658fc 100755
--- a/tests/keyring-compat-test
+++ b/tests/keyring-compat-test
@@ -35,7 +35,7 @@ fi
 
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME
 
@@ -47,14 +47,14 @@ function remove_mapping()
 	rm -f $CHKS_DMCRYPT $CHKS_KEYRING
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -64,12 +64,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "FAILED backtrace:"
@@ -78,18 +78,21 @@ function fail()
 	exit 2
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 # $1 hexbyte key
 # $2 type
 # $3 description
 # $4 keyring
-function load_key()
+load_key()
 {
 	local tmp="$1"
 	shift
 	echo -n "$tmp" | xxd -r -p | keyctl padd $@ >/dev/null
 }
 
-function dm_crypt_keyring_support()
+dm_crypt_keyring_support()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -104,7 +107,7 @@ function dm_crypt_keyring_support()
 	[ $VER_MIN -ge 15 ]
 }
 
-function test_and_prepare_keyring() {
+test_and_prepare_keyring() {
 	keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
 	TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
 	test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
@@ -112,7 +115,7 @@ function test_and_prepare_keyring() {
 	load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
 }
 
-function fips_mode()
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
diff --git a/tests/keyring-test b/tests/keyring-test
index 38abcfb..6d75813 100755
--- a/tests/keyring-test
+++ b/tests/keyring-test
@@ -20,7 +20,7 @@ HEXKEY_32="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
 HEXKEY_32_BAD="bb21158c733229347bd4e68189XXXX3d94c685be6a5b84818afe7a78a6de7a1a"
 HEXKEY_31="bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a"
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_CRYPT ] && dmsetup remove --retry $DEV_CRYPT
 	[ -b /dev/mapper/$DEV_ZERO ] && dmsetup remove --retry $DEV_ZERO
@@ -29,14 +29,14 @@ function remove_mapping()
 	[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "FAILED backtrace:"
@@ -49,12 +49,12 @@ function fail()
 # $2 description
 # $3 payload
 # $4 keyring
-function load_key()
+load_key()
 {
 	keyctl add $@ >/dev/null
 }
 
-function dm_crypt_keyring_support()
+dm_crypt_keyring_support()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -67,7 +67,7 @@ function dm_crypt_keyring_support()
 	[ $VER_MIN -ge 15 ]
 }
 
-function test_and_prepare_keyring() {
+test_and_prepare_keyring() {
 	keyctl list "@s" > /dev/null || skip "Current session keyring is unreachable, test skipped"
 	TEST_KEYRING=$(keyctl newring $TEST_KEYRING_NAME "@u" 2> /dev/null)
 	test -n "$TEST_KEYRING" || skip "Failed to create keyring in user keyring"
diff --git a/tests/keyring-trusted-test b/tests/keyring-trusted-test
new file mode 100755
index 0000000..757dea2
--- /dev/null
+++ b/tests/keyring-trusted-test
@@ -0,0 +1,187 @@
+#!/bin/bash
+
+# Encrypted and trusted keyring test; trusted keys can be emulated by TPM2.
+# DO NOT use this in combination with a real TPM data, it can destroy them.
+#
+# Note that if trusted or tpm kernel module is built-in, emulated TPM2 cannot
+# provide trusted keys (only encrypted keys will be tested then).
+
+[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+
+IMG=keyring_trusted_test.img
+MAP="trusted_test"
+KEYNAME=testxxx
+
+bin_check()
+{
+    command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
+}
+
+cleanup() {
+    clear_keys
+
+    [ -S $SWTPM_STATE_DIR/ctrl.sock ] && {
+        # shutdown TPM via control socket
+        swtpm_ioctl -s --unix $SWTPM_STATE_DIR/ctrl.sock
+        sleep 1
+    }
+
+    # if graceful shutdown was successful, pidfile should be deleted
+    # if it is still present, we forcefully kill the process
+    [ -f "$SWTPM_PIDFILE" ] && {
+        kill -9 $(cat $SWTPM_PIDFILE) >/dev/null 2>&1
+    }
+
+    [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
+
+    [ -n "$SWTPM_PIDFILE" ] && rm -f $SWTPM_PIDFILE >/dev/null 2>&1
+    [ -n "$SWTPM_STATE_DIR" ] && rm -rf $SWTPM_STATE_DIR >/dev/null 2>&1
+    rm -f $IMG >/dev/null 2>&1
+
+    cleanup_modules
+}
+
+cleanup_modules()
+{
+    [ -n "$SKIP_MODULE_UNLOAD" ] && return
+
+    # This is a hack to avoid linking trusted key to another TPM.
+    # Without clean load tests do not work reliably.
+    modprobe -r dm-crypt 2>/dev/null
+    modprobe -r encrypted-keys 2>/dev/null
+    modprobe -r trusted 2>/dev/null
+    modprobe -r tpm_vtpm_proxy 2>/dev/null
+    modprobe -r tpm 2>/dev/null
+}
+
+fail()
+{
+    echo "[FAILED]"
+    [ -n "$1" ] && echo "$1"
+    echo "FAILED backtrace:"
+    while caller $frame; do ((frame++)); done
+    cleanup
+    exit 2
+}
+
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
+{
+    [ -n "$1" ] && echo "$1"
+    cleanup
+    exit 77
+}
+
+prepare_tpm()
+{
+    SWTPM_STATE_DIR=$(mktemp -d /tmp/systemd_swtpm_state.XXXXXX)
+    SWTPM_SEAL_KEY="$SWTPM_STATE_DIR/sealkey.ctxt"
+    SWTPM_PERSISTENT_HANDLE=0x81000001
+
+if [ -z "$TPM_PATH" ]; then
+    bin_check swtpm
+    bin_check swtpm_ioctl
+
+    SWTPM_PIDFILE=$(mktemp /tmp/systemd_swtpm_pid.XXXXXX)
+
+    cleanup_modules
+    modprobe tpm_vtpm_proxy || fail "Failed to load tpm_vtpm_proxy kernel module, required for emulated TPM."
+
+    SWTPM_LOG=$(swtpm chardev --vtpm-proxy --tpm2 --tpmstate dir=$SWTPM_STATE_DIR -d --pid file=$SWTPM_PIDFILE --ctrl type=unixio,path=$SWTPM_STATE_DIR/ctrl.sock)
+    TPM_PATH=$(echo $SWTPM_LOG | grep -Eo /dev/tpm\([0-9]\)+ | sed s/tpm/tpmrm/)
+
+    [ -z "$TPM_PATH" ] && fail "No TPM_PATH set and swtpm failed, test skipped."
+
+    echo "Virtual TPM set up at $TPM_PATH"
+
+    # Trusted module needs to see TPM above.
+    sleep 1
+    modprobe trusted 2>/dev/null || echo "Failed to load trusted keys kernel module."
+else
+    SKIP_MODULE_UNLOAD=1
+    echo "Preconfigured TPM set up at $TPM_PATH"
+fi
+    # Create persistent store
+    tpm2_createprimary -Q -T device:$TPM_PATH --hierarchy o -G rsa2048 -c $SWTPM_SEAL_KEY || fail
+    tpm2_evictcontrol -Q -T device:$TPM_PATH -c $SWTPM_SEAL_KEY $SWTPM_PERSISTENT_HANDLE || fail
+}
+
+prepare_vk_keyring()
+{
+    local s_desc=$(keyctl rdescribe @s | cut -d';' -f5)
+    local us_desc=$(keyctl rdescribe @us | cut -d';' -f5)
+
+    if [ "$s_desc" = "$us_desc" -a -n "$s_desc" ]; then
+        echo "Session keyring is missing, initializing new one."
+        keyctl new_session > /dev/null || fail
+    fi
+}
+
+clear_keys()
+{
+    keyctl revoke %encrypted:$KEYNAME 2>/dev/null
+    keyctl revoke %user:$KEYNAME 2>/dev/null
+
+    if [ -n "$TRUSTED_SUPPORTED" ]; then
+        keyctl revoke %trusted:$KEYNAME 2>/dev/null
+        tpm2_evictcontrol -Q -T device:$TPM_PATH -C o -c $SWTPM_PERSISTENT_HANDLE 2>/dev/null
+    fi
+}
+
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+bin_check keyctl
+
+prepare_vk_keyring
+
+# Prevent using TPM by default
+if [ -n "$RUN_KEYRING_TRUSTED_TEST" ]; then
+    prepare_tpm
+    # Trusted keyring key
+    keyctl add trusted $KEYNAME "new 32 keyhandle=$SWTPM_PERSISTENT_HANDLE" @s >/dev/null 2>&1 && TRUSTED_SUPPORTED=1
+    if [ -n "$TRUSTED_SUPPORTED" ]; then
+        keyctl print %trusted:$KEYNAME >/dev/null || fail "Cannot read trusted key blob."
+    fi
+else
+    echo "WARNING: Variable RUN_KEYRING_TRUSTED_TEST must be defined, TPM trusted test skipped."
+    TRUSTED_SUPPORTED=
+fi
+
+# Prepare encrypted key
+modprobe encrypted-keys 2>/dev/null || skip "Failed to load encrypted keys kernel module."
+
+# Encrypted keyring key (encrypted with user key)
+# User key needed for encrypted key
+keyctl add -x user $KEYNAME bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a @s >/dev/null 2>&1 || skip "User key load failed, test skipped."
+keyctl print %user:$KEYNAME >/dev/null || fail "Cannot read user key."
+
+keyctl add encrypted $KEYNAME "new user:$KEYNAME 32" @s >/dev/null || fail "Encrypted keys are not supported."
+keyctl print %encrypted:$KEYNAME >/dev/null || fail "Cannot read encrypted key blob."
+
+dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
+
+echo -n "Plain with trusted volume key "
+if [ -n "$TRUSTED_SUPPORTED" ]; then
+    $CRYPTSETUP open --type plain $IMG $MAP --key-size=256 --cipher=aes-xts-plain64 --volume-key-keyring=%trusted:$KEYNAME || fail
+    dmsetup table --showkeys $MAP | grep -q ":32:trusted:$KEYNAME" || fail
+    $CRYPTSETUP status $MAP | grep -q "key location: keyring" || fail
+    $CRYPTSETUP close $MAP || fail
+    echo "[OK]"
+else
+    echo "[N/A]"
+fi
+
+echo -n "Plain with encrypted volume key "
+$CRYPTSETUP open --type plain $IMG $MAP --key-size=256 --cipher=aes-xts-plain64 --volume-key-keyring=%encrypted:$KEYNAME ||fail
+dmsetup table --showkeys $MAP | grep -q ":32:encrypted:$KEYNAME" || fail
+$CRYPTSETUP status $MAP | grep -q "key location: keyring" || fail
+$CRYPTSETUP resize $MAP --size 100 || fail
+$CRYPTSETUP status  $MAP | grep "size:" | grep -q "100 \[512-byte units\]" || fail
+$CRYPTSETUP resize  $MAP || fail
+$CRYPTSETUP close $MAP || fail
+echo "[OK]"
+
+cleanup
+exit 0
diff --git a/tests/loopaes-test b/tests/loopaes-test
index 62fe772..394fc4d 100755
--- a/tests/loopaes-test
+++ b/tests/loopaes-test
@@ -21,12 +21,12 @@ KEYv2=key_v2
 KEYv3=key_v3
 LOOPDEV=$(losetup -f 2>/dev/null)
 
-function dmremove() { # device
+dmremove() { # device
 	udevadm settle >/dev/null 2>&1
 	dmsetup remove --retry $1 >/dev/null 2>&1
 }
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmremove $DEV_NAME2
 	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
@@ -34,7 +34,7 @@ function remove_mapping()
 	rm -f $IMG $KEYv1 $KEYv2 $KEYv3 >/dev/null 2>&1
 }
 
-function fail()
+fail()
 {
 	echo "FAILED backtrace:"
 	while caller $frame; do ((frame++)); done
@@ -42,14 +42,17 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	remove_mapping
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -59,12 +62,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function prepare()
+prepare()
 {
 	remove_mapping
 	dd if=/dev/zero of=$IMG $LOOP_DD_PARAM >/dev/null 2>&1
@@ -80,12 +83,12 @@ function prepare()
 	[ -n "$1" ] && echo -n "$1 "
 }
 
-function check_exists()
+check_exists()
 {
 	[ -b /dev/mapper/$DEV_NAME ] || fail
 }
 
-function get_offset_params() # $offset
+get_offset_params() # $offset
 {
 	offset=$1
 	if [ "${offset:0:1}" = "@" ] ; then
@@ -95,7 +98,7 @@ function get_offset_params() # $offset
 	fi
 }
 
-function get_expsum() # $offset
+get_expsum() # $offset
 {
 	case $1 in
 	0)
@@ -112,7 +115,7 @@ function get_expsum() # $offset
 	esac
 }
 
-function check_sum() # $key $keysize $offset [stdin|keyfile]
+check_sum() # $key $keysize $offset [stdin|keyfile]
 {
 	$CRYPTSETUP close $DEV_NAME || fail
 
@@ -133,7 +136,7 @@ function check_sum() # $key $keysize $offset [stdin|keyfile]
 	fi
 }
 
-function check_sum_losetup() # $key $alg
+check_sum_losetup() # $key $alg
 {
 	[ ! -x $LOSETUP_AES ] && echo && return
 
@@ -153,7 +156,7 @@ function check_sum_losetup() # $key $alg
 	losetup -d $LOOPDEV >/dev/null 2>&1
 }
 
-function check_version()
+check_version()
 {
 	VER_STR=$(dmsetup version | grep Driver)
 	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
diff --git a/tests/luks1-compat-test b/tests/luks1-compat-test
index c0de983..2ef2359 100755
--- a/tests/luks1-compat-test
+++ b/tests/luks1-compat-test
@@ -6,6 +6,8 @@ TST_DIR=luks1-images
 MAP=luks1tst
 KEYFILE=keyfile1
 
+CRYPTOCHECK=./crypto-check
+
 if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
 	CRYPTSETUP_VALGRIND=$CRYPTSETUP
 else
@@ -15,13 +17,13 @@ fi
 
 [ -z "$srcdir" ] && srcdir="."
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
 	rm -rf $TST_DIR
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo " [FAILED]"
@@ -31,14 +33,17 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -48,39 +53,38 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function remove_imgs()
+remove_imgs()
 {
 	echo "WARNING: $1 not available, not testing some images."
 	rm $(ls $TST_DIR/*$1*.img)
 }
 
-function test_one()
+test_one()
 {
-	$CRYPTSETUP benchmark -c "$1" -s "$2" | grep -v "#" || remove_imgs $1
+	$CRYPTOCHECK cipher $1 $2 $3 || remove_imgs "$1-$2"
 }
 
-function test_required()
+test_required()
 {
 	echo "REQUIRED KDF TEST"
-	$CRYPTSETUP benchmark -h whirlpool | grep "N/A" && remove_imgs whirlpool
+	$CRYPTOCHECK hash whirlpool || remove_imgs whirlpool
 
 	echo "REQUIRED CIPHERS TEST"
-	echo "#     Algorithm | Key |  Encryption |  Decryption"
-
-	test_one aes-xts 256
-	test_one twofish-xts 256
-	test_one serpent-xts 256
-	test_one aes-cbc 256
-	test_one aes-lrw 256
+	test_one aes xts 256
+	test_one twofish xts 256
+	test_one serpent xts 256
+	test_one aes cbc 256
+	test_one aes lrw 256
 }
 
 export LANG=C
 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
+[ ! -x "$CRYPTOCHECK" ] && skip "Cannot find $CRYPTOCHECK, test skipped."
 command -v blkid >/dev/null || skip "blkid tool required, test skipped."
 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
 [ ! -d $TST_DIR ] && tar xJf $srcdir/luks1-images.tar.xz --no-same-owner
diff --git a/tests/luks2-integrity-test b/tests/luks2-integrity-test
index ff41ebf..09ec5b9 100755
--- a/tests/luks2-integrity-test
+++ b/tests/luks2-integrity-test
@@ -5,6 +5,7 @@
 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
 DEV_NAME=dmi_test
+DEV_NAME2=dmi_test_xdif
 DEV=mode-test.img
 HEADER_IMG=mode-test-detached.img
 PWD1=nHjJHjI23JK
@@ -20,12 +21,15 @@ fi
 
 dmremove() { # device
 	udevadm settle >/dev/null 2>&1
-	dmsetup remove $1 >/dev/null 2>&1
+	dmsetup remove --retry $1 >/dev/null 2>&1
 }
 
 cleanup() {
 	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+	[ -b /dev/mapper/$DEV_NAME2 ] && dmremove $DEV_NAME2
 	[ -b /dev/mapper/"$DEV_NAME"_dif ] && dmremove "$DEV_NAME"_dif
+	[ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
+	DEV_LOOP=""
 	rm -f $DEV $KEY_FILE $HEADER_IMG >/dev/null 2>&1
 }
 
@@ -39,13 +43,16 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -55,16 +62,42 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
+dm_integrity_inline_support()
+{
+	VER_STR=$(dmsetup targets | grep integrity | cut -f2 -dv)
+	[ -z "$VER_STR" ] && fail "Failed to parse dm-integrity version."
+
+	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
+
+	[ $VER_MAJ -gt 1 ] && return 0
+	if [ $VER_MIN -ge 12 ]; then
+		return 0
+	fi
+	return 1
+}
+
 add_device() {
 	cleanup
 	dd if=/dev/urandom of=$KEY_FILE bs=1 count=512 >/dev/null 2>&1
 	dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
-	sync
+	IDEV=$DEV
+	INLINE_PARAMS=""
+}
+
+add_device_inline() {
+	add_device
+	DEV_LOOP=$(losetup -f $DEV --show)
+	[ -z "$DEV_LOOP" ] && fail
+	dmsetup create $DEV_NAME2 --table "0 32768 integrity $DEV_LOOP 0 64 J 2 block_size:4096 fix_padding"
+	[ ! -b /dev/mapper/$DEV_NAME2 ] && fail
+	IDEV=/dev/mapper/$DEV_NAME2
+	INLINE_PARAMS="--integrity-inline "
 }
 
 set_LO_DEV() { # file
@@ -79,6 +112,7 @@ status_check() # name value [detached]
 	else
 		PARAMS="$DEV_NAME"
 	fi
+
 	X=$($CRYPTSETUP status $PARAMS | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1)
 	if [ "$X" != "$2" ] ; then
 		echo "[status FAIL]"
@@ -89,7 +123,7 @@ status_check() # name value [detached]
 
 dump_check() # name value
 {
-	X=$($CRYPTSETUP luksDump $DEV | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1)
+	X=$($CRYPTSETUP luksDump $IDEV | grep -m1 "$1" | sed -e 's/.*:[ \t]\+//' | cut -d' ' -f1)
 	if [ "$X" != "$2" ] ; then
 		echo "[dump FAIL]"
 		echo " Expecting $1:$2 got \"$X\"."
@@ -109,21 +143,33 @@ int_check_sum() # alg checksum
 	fi
 }
 
-int_error_detection() # alg int sector_size
+int_error_detection() # [test_hdr]
 {
 	echo -n "[DETECT_CORRUPTION]"
-	echo -n "XXXXX" | dd of=$DEV bs=1M seek=28 count=1 conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device."
-	$CRYPTSETUP open -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device."
+	echo -n "XXXXX" | dd of=$IDEV bs=1M seek=8 count=1 conv=notrunc >/dev/null 2>&1 || fail "Cannot write to device."
+	if [ -n "$1" ] ; then
+		$CRYPTSETUP open -d $KEY_FILE $IDEV --header $1 $DEV_NAME || fail "Cannot activate device."
+	else
+		$CRYPTSETUP open -d $KEY_FILE $IDEV $DEV_NAME || fail "Cannot activate device."
+	fi
 	dd if=/dev/mapper/$DEV_NAME  of=/dev/null >/dev/null 2>&1 && fail "Error detection failed."
 	$CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 }
 
 intformat() # alg integrity integrity_out key_size int_key_size sector_size csum [test_hdr]
 {
-	echo -n "[$1:$2:$4:$6]"
+	echo -n "[$1:$2:$4:$6:$5]"
 	echo -n "[FORMAT]"
-	$CRYPTSETUP luksFormat --type luks2 -q -c $1 --integrity $2 --sector-size $6 -s $4 \
-		$FAST_PBKDF_OPT -d $KEY_FILE $DEV --offset 8192 --integrity-legacy-padding >/dev/null 2>&1
+
+	# just trick, if int key size is not multiple of 16, use explicit flag
+	if [ $(($5 % 16)) -eq 0 ]; then
+		INT_PARAMS="--integrity $2 --integrity-legacy-padding"
+	else
+		INT_PARAMS="--integrity $2 --integrity-key-size $5 --integrity-legacy-padding"
+	fi
+
+	$CRYPTSETUP luksFormat --type luks2 -q -c $1 $INT_PARAMS $INLINE_PARAMS --sector-size $6 -s $4 \
+		$FAST_PBKDF_OPT -d $KEY_FILE $IDEV --offset 8192 >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
 		echo "[N/A]"
 		return
@@ -133,8 +179,8 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum
 	dump_check "integrity" $3
 	dump_check "Key:" $(($4 + $5))
 	echo -n "[ACTIVATE]"
-	$CRYPTSETUP open -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device."
-	set_LO_DEV $DEV
+	$CRYPTSETUP open -d $KEY_FILE $IDEV $DEV_NAME || fail "Cannot activate device."
+	set_LO_DEV $IDEV
 	status_check "cipher" $1
 	status_check "sector size" $6
 	status_check "integrity:" $3
@@ -142,16 +188,35 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum
 	[ -n "$LO_DEV" ] && status_check "device:" $LO_DEV
 	[ $5 -gt 0 ] && status_check "integrity keysize:" $5
 	int_check_sum $1 $7
+	echo -n "[SUSPEND]"
+	$CRYPTSETUP luksSuspend $DEV_NAME || fail "Cannot suspend device."
+	dmsetup info $DEV_NAME | grep -q SUSPENDED || fail "Not suspended."
+	if [ -z "$INLINE_PARAMS" ]; then
+		dmsetup info "$DEV_NAME"_dif | grep -q SUSPENDED || fail "Not suspended."
+	else
+		# this hw-inline device must not be suspended
+		dmsetup info "$DEV_NAME2" | grep -q ACTIVE || fail
+		$CRYPTSETUP status $DEV_NAME | grep -q "(inline HW tags)" || fail "(inline hw tags) missing."
+	fi
+	echo -n "[RESUME]"
+	$CRYPTSETUP luksResume -d $KEY_FILE $DEV_NAME || fail "Cannot resume device."
+	dmsetup info $DEV_NAME | grep -q ACTIVE || fail "Not resumed."
+	if [ -z "$INLINE_PARAMS" ]; then
+		dmsetup info "$DEV_NAME"_dif | grep -q ACTIVE || fail "Not resumed."
+	fi
 	echo -n "[REMOVE]"
 	$CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device."
+	[ -b /dev/mapper/"$DEV_NAME"_dif ] && fail
+	int_error_detection
 
 	# check detached header activation
 	if [ -n "$8" ] ; then
 		echo -n "[DETACHED_HDR]"
-		$CRYPTSETUP luksHeaderBackup -q --header-backup-file $HEADER_IMG $DEV || fail
-		wipefs -a $DEV >/dev/null 2>&1  || fail
-		$CRYPTSETUP open --header $HEADER_IMG -d $KEY_FILE $DEV $DEV_NAME || fail "Cannot activate device."
-		set_LO_DEV $DEV
+		wipefs -a $IDEV >/dev/null 2>&1  || fail
+		$CRYPTSETUP luksFormat --type luks2 -q -c $1 $INT_PARAMS $INLINE_PARAMS --sector-size $6 -s $4 \
+			$FAST_PBKDF_OPT -d $KEY_FILE $IDEV --header $HEADER_IMG --offset 8192 >/dev/null 2>&1
+		$CRYPTSETUP open --header $HEADER_IMG -d $KEY_FILE $IDEV $DEV_NAME || fail "Cannot activate device."
+		set_LO_DEV $IDEV
 		status_check "cipher" $1 1
 		status_check "sector size" $6 1
 		status_check "integrity:" $3 1
@@ -166,12 +231,15 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum
 		status_check "keysize:" $(($4 + $5))
 		[ -n "$LO_DEV" ] && status_check "device:" $LO_DEV
 		[ $5 -gt 0 ] && status_check "integrity keysize:" $5
+		if [ -n "$INLINE_PARAMS" ]; then
+		    $CRYPTSETUP status $DEV_NAME --header $HEADER_IMG | grep -q "(inline HW tags)" || fail "(inline hw tags) missing."
+		fi
 		$CRYPTSETUP close $DEV_NAME || fail "Cannot deactivate device."
-		$CRYPTSETUP luksHeaderRestore -q --header-backup-file $HEADER_IMG $DEV || fail
+		[ -b /dev/mapper/"$DEV_NAME"_dif ] && fail
+		int_error_detection $HEADER_IMG
 		rm -f $HEADER_IMG
 	fi
 
-	int_error_detection
 	echo "[OK]"
 }
 
@@ -182,6 +250,7 @@ modprobe dm-integrity >/dev/null 2>&1
 dmsetup targets | grep integrity >/dev/null 2>&1 || skip "Cannot find dm-integrity target, test skipped."
 command -v wipefs >/dev/null ||  skip "Cannot find wipefs, test skipped."
 
+echo "LUKS2 authenticated mode test"
 add_device
 
 intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 128 256  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c 1
@@ -206,6 +275,9 @@ intformat aes-xts-random       hmac-sha512 hmac\(sha512\) 512 512 4096 621f6c03f
 intformat aes-xts-plain64 hmac-sha1 hmac\(sha1\) 512 160 4096 7370c66a92708fb71b186931468be6aa9b26f4f88373b00b1c57360b9ee1304e
 intformat aes-xts-random  hmac-sha1 hmac\(sha1\) 512 160 4096 8c0463f5ac09613674bdf40b0ff6f985edbc3de04e51fdc688873cb333ef3cda
 
+intformat aes-xts-plain64 hmac-sha256 hmac\(sha256\) 512 264 512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
+intformat aes-xts-plain64 hmac-sha512 hmac\(sha512\) 512 792 512 9040d276d8bfab30bbc4bf389e152e08c13ac6fa84d49d11c1bee6e1638fd8f1
+
 intformat aes-gcm-random aead aead 128 0  512 5f6f3f6be03c74d9aaaeaf40dd310c99a20e2786045f78a1fc6a0b189d231f57
 intformat aes-gcm-random aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
 intformat aes-gcm-random aead aead 256 0  512 5f6f3f6be03c74d9aaaeaf40dd310c99a20e2786045f78a1fc6a0b189d231f57
@@ -224,4 +296,23 @@ intformat chacha20-random  poly1305 poly1305 256 0 4096 358d6beceddf593aff6b22c3
 intformat aegis128-random  aead aead 128 0  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c 1
 intformat aegis128-random  aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b 1
 
+if dm_integrity_inline_support; then
+	echo "LUKS2 authenticated mode test (inline tags)"
+	add_device_inline
+
+	intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 128 256 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+	intformat aes-xts-plain64      hmac-sha256 hmac\(sha256\) 256 256 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+	intformat aes-xts-plain64      hmac-sha256 hmac\(sha256\) 256 256 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723 1
+	intformat aes-xts-random       hmac-sha256 hmac\(sha256\) 256 256 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+	intformat aes-cbc-essiv:sha256 hmac-sha256 hmac\(sha256\) 256 256 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+	intformat aes-xts-plain64      hmac-sha256 hmac\(sha256\) 512 256 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+
+	intformat aes-gcm-random aead aead 128 0 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+
+	intformat chacha20-plain64 poly1305 poly1305 256 0 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+	intformat chacha20-random  poly1305 poly1305 256 0 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723
+
+	intformat aegis128-random  aead aead 128 0 4096 cfadd44a103cbd6d5726fa07b27d7aad2f67ed3930ff96901c486a5beaf7e723 1
+fi
+
 cleanup
diff --git a/tests/luks2-reencryption-mangle-test b/tests/luks2-reencryption-mangle-test
index 79b813d..afbce11 100755
--- a/tests/luks2-reencryption-mangle-test
+++ b/tests/luks2-reencryption-mangle-test
@@ -23,13 +23,13 @@ CS_PWPARAMS="--disable-keyring --key-file $KEY1"
 CS_PARAMS="-q --disable-locks $CS_PWPARAMS"
 JSON_MSIZE=16384
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
 	rm -f $IMG $IMG_HDR $IMG_HDR_BCP $IMG_JSON $KEY1 >/dev/null 2>&1
 }
 
-function fail()
+fail()
 {
 	local frame=0
 	[ -n "$1" ] && echo "$1"
@@ -39,19 +39,22 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function bin_check()
+bin_check()
 {
 	command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
 }
 
-function img_json_save()
+img_json_save()
 {
 	local _hdr=$IMG
 	[ -z "$1" ] || _hdr="$1"
@@ -59,24 +62,24 @@ function img_json_save()
 	$CRYPTSETUP luksDump --dump-json-metadata $_hdr | jq -c -M . | tr -d '\n' >$IMG_JSON
 }
 
-function img_json_dump()
+img_json_dump()
 {
 	img_json_save
 	jq . $IMG_JSON
 }
 
-function img_hash_save()
+img_hash_save()
 {
 	IMG_HASH=$(sha256sum $IMG | cut -d' ' -f 1)
 }
 
-function img_hash_unchanged()
+img_hash_unchanged()
 {
 	local IMG_HASH2=$(sha256sum $IMG | cut -d' ' -f 1)
 	[ "$IMG_HASH" != "$IMG_HASH2" ] && fail "Image changed!"
 }
 
-function img_prepare_raw() # $1 options
+img_prepare_raw() # $1 options
 {
 	remove_mapping
 
@@ -88,7 +91,7 @@ function img_prepare_raw() # $1 options
 	$CRYPTSETUP luksFormat $FAST_PBKDF2 $CS_PARAMS --luks2-metadata-size $JSON_MSIZE $IMG $1 || fail
 }
 
-function img_prepare() # $1 options
+img_prepare() # $1 options
 {
 	img_prepare_raw
 	$CRYPTSETUP reencrypt $IMG $CS_PARAMS -q --init-only --resilience none $1 >/dev/null 2>&1
@@ -97,13 +100,13 @@ function img_prepare() # $1 options
 	img_hash_save
 }
 
-function _dd()
+_dd()
 {
 	dd $@ status=none conv=notrunc bs=1
 }
 
 # header mangle functions
-function img_update_json()
+img_update_json()
 {
 	local _hdr="$IMG"
 	local LUKS2_BIN1_OFFSET=448
@@ -142,7 +145,7 @@ function img_update_json()
 	img_hash_save
 }
 
-function img_check_ok()
+img_check_ok()
 {
 	if [ $(id -u) == 0 ]; then
 		$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME || fail
@@ -152,13 +155,13 @@ function img_check_ok()
 	$CRYPTSETUP repair $IMG $CS_PARAMS || fail
 }
 
-function img_check_dump_ok()
+img_check_dump_ok()
 {
 	$CRYPTSETUP luksDump $IMG >/dev/null || fail
 	img_check_fail
 }
 
-function img_check_fail()
+img_check_fail()
 {
 	if [ $(id -u) == 0 ]; then
 		$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
@@ -168,23 +171,23 @@ function img_check_fail()
 	img_hash_unchanged
 }
 
-function img_run_reenc_ok()
+img_run_reenc_ok()
 {
 	$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt --resilience none || fail
 }
 
-function img_run_reenc_ok_data_shift()
+img_run_reenc_ok_data_shift()
 {
 	$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt || fail
 }
 
-function img_run_reenc_fail()
+img_run_reenc_fail()
 {
 $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --force-offline-reencrypt --disable-locks -q 2>/dev/null && fail "Reencryption passed (should have failed)."
 img_hash_unchanged
 }
 
-function img_check_fail_repair()
+img_check_fail_repair()
 {
 	if [ $(id -u) == 0 ]; then
 		$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
@@ -198,19 +201,19 @@ function img_check_fail_repair()
 	img_check_ok
 }
 
-function img_check_fail_repair_ok()
+img_check_fail_repair_ok()
 {
 	img_check_fail_repair
 	img_run_reenc_ok
 }
 
-function img_check_fail_repair_ok_data_shift()
+img_check_fail_repair_ok_data_shift()
 {
 	img_check_fail_repair
 	img_run_reenc_ok_data_shift
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	bin_check valgrind
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -222,7 +225,7 @@ function valgrind_setup()
 	CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}"
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
 	$CRYPTSETUP_RAW "$@"
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index a5f020e..11823ee 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -26,21 +26,37 @@ HEADER_LUKS2_PV=blkid-luks2-pv.img
 IMG_FS=xfs_512_block_size.img
 KEY1=key1
 VKEY1=vkey1
+VKEY2=vkey2
+BACKUP_FILE=reenc_header_baseline.img
 PWD1="93R4P4pIqAH8"
 PWD2="1cND4319812f"
 PWD3="1-9Qu5Ejfnqv"
+PWD4="d54uVMKW-'7M"
+PWD5="oDe{yCiZ_';_"
+PWD6="T'E'Y_}<'9=q"
+PWD7="UR%]T;x*w{3V"
+
 DEV_LINK="reenc-test-link"
 KEYRING="luks2_reencryption_test_kr"
 KEY_TYPE="user"
 KEY_NAME1="luks2-reencryption-test1"
 KEY_NAME2="luks2-reencryption-test2"
+KEY_NAME3="luks2-reencryption-test3"
+KEY_NAME4="luks2-reencryption-test4"
+KEY_NAME5="luks2-reencryption-test5"
+KEY_NAME6="luks2-reencryption-test6"
+KEY_NAME7="luks2-reencryption-key-desc1"
+KEY_NAME_VK1="luks2-reencryption-test-vk1"
+KEY_NAME_VK2="luks2-reencryption-test-vk2"
 KEY_SPEC1="${KEYRING}::%${KEY_TYPE}:${KEY_NAME1}"
 KEY_SPEC2="${KEYRING}::%${KEY_TYPE}:${KEY_NAME2}"
 HAVE_KEYRING=0
+JSON_MSIZE=16384
+IMG_JSON=luks2-digest-1.json
 
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
-function dm_crypt_features()
+dm_crypt_features()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -63,7 +79,7 @@ function dm_crypt_features()
 	fi
 }
 
-function dm_delay_features()
+dm_delay_features()
 {
 	local _ver_str=$(dmsetup targets | grep delay | cut -f2 -dv)
 	[ -z "$_ver_str" ] && return 1
@@ -85,7 +101,7 @@ scsi_debug_teardown() {
 	test ! -b "$1" || rmmod scsi_debug >/dev/null 2>&1
 }
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME ] && {
 		dmsetup resume $DEV_NAME
@@ -111,19 +127,19 @@ function remove_mapping()
 	[ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
 	[ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
 	unset LOOPDEV
-	rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1
+	rm -f $IMG $IMG_JSON $IMG_HDR $KEY1 $VKEY1 $VKEY2 $BACKUP_FILE $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1
 	rmmod scsi_debug >/dev/null 2>&1
 	scsi_debug_teardown $DEV
 }
 
-function cleanup_keyring()
+cleanup_keyring()
 {
 	if [ $HAVE_KEYRING -eq 1 ]; then
 		keyctl unlink %:$KEYRING "@s" >/dev/null 2>&1 || echo "Failed to unlink test keyring."
 	fi
 }
 
-function fail()
+fail()
 {
 	local frame=0
 	[ -n "$1" ] && echo "$1"
@@ -134,7 +150,10 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
@@ -142,12 +161,12 @@ function skip()
 	exit 77
 }
 
-function fips_mode()
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
 
-function add_scsi_device() {
+add_scsi_device() {
 	scsi_debug_teardown $DEV
 	if [ -d /sys/module/scsi_debug ] ; then
 		echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
@@ -164,7 +183,7 @@ function add_scsi_device() {
 	[ -b $DEV ] || fail "Cannot find $DEV."
 }
 
-function open_crypt() # $1 pwd, $2 hdr
+open_crypt() # $1 pwd, $2 hdr
 {
 	if [ -n "$2" ] ; then
 		echo "$1" | $CRYPTSETUP luksOpen $DEV $DEV_NAME --header $2 || fail
@@ -175,12 +194,12 @@ function open_crypt() # $1 pwd, $2 hdr
 	fi
 }
 
-function wipe_dev_head() # $1 dev, $2 length (in MiBs)
+wipe_dev_head() # $1 dev, $2 length (in MiBs)
 {
 	dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1
 }
 
-function wipe_dev() # $1 dev
+wipe_dev() # $1 dev
 {
 	if [ -b $1 ] ; then
 		blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
@@ -189,20 +208,20 @@ function wipe_dev() # $1 dev
 		fi
 	else
 		local size=$(stat --printf="%s" $1)
-		truncate -s 0 $1
+		truncate -s 0 $1 || fail
 		if [ $# -gt 2 ]; then
 			local diff=$((size-$2*1024*1024))
 			echo "size: $size, diff: $diff"
-			truncate -s $diff $1
+			truncate -s $diff $1 || fail
 			# wipe_dev_head $1 $((diff/(1024*1024)))
 			dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1
 		else
-			truncate -s $size $1
+			truncate -s $size $1 || fail
 		fi
 	fi
 }
 
-function wipe() # $1 pass, $2 hdr
+wipe() # $1 pass, $2 hdr
 {
 	open_crypt $1 $2
 	wipe_dev /dev/mapper/$DEV_NAME
@@ -210,7 +229,7 @@ function wipe() # $1 pass, $2 hdr
 	$CRYPTSETUP luksClose $DEV_NAME || fail
 }
 
-function prepare() # $1 dev1_siz
+prepare() # $1 dev1_siz
 {
 	remove_mapping
 
@@ -223,10 +242,15 @@ function prepare() # $1 dev1_siz
 		echo -n $'\x9c\x03\xba\xbe\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc4'>>$VKEY1
 	fi
 
+#	if [ ! -e $VKEY2 ]; then
+#		echo -n $'\x41\xc6\x74\x4f\x41\x4e\x50\xc0\x79\xc2\x2d\x5b\x5f\x68\x84\x17' >$VKEY2
+#		echo -n $'\x9c\x03\xba\xbe\x4d\x0f\x9a\x75\xb3\x90\x70\x32\x0a\xf8\xae\xc5'>>$VKEY2
+#	fi
+
 	add_scsi_device $@
 }
 
-function preparebig() # $1 dev1_siz
+preparebig() # $1 dev1_siz
 {
 	remove_mapping
 
@@ -234,46 +258,68 @@ function preparebig() # $1 dev1_siz
 		dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
 	fi
 
-	truncate -s "$1"M $DEVBIG
+	truncate -s "$1"M $DEVBIG || fail
 	LOOPDEV=$(losetup -f)
 	losetup -f $DEVBIG || fail
 	DEV=$LOOPDEV
 }
 
-function check_hash_dev() # $1 dev, $2 hash
+check_hash_dev() # $1 dev, $2 hash
 {
 	HASH=$(sha1sum $1 | cut -d' ' -f 1)
 	[ $HASH != "$2" ] && fail "HASH differs (expected: $2) (result $HASH)"
 }
 
-function check_hash() # $1 pwd, $2 hash, $3 hdr
+check_hash() # $1 pwd, $2 hash, $3 hdr
 {
 	open_crypt $1 $3
 	check_hash_dev /dev/mapper/$DEV_NAME $2
 	$CRYPTSETUP remove $DEV_NAME || fail
 }
 
-function check_hash_dev_head() # $1 dev, $2 len, $3 hash
+check_hash_dev_head() # $1 dev, $2 len, $3 hash
 {
 	local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha1sum | cut -d' ' -f1)
 	[ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)"
 }
 
-function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
+check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
 {
 	open_crypt $1 $4
 	check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3
 	$CRYPTSETUP remove $DEV_NAME || fail
 }
 
-function resize_file() # $1 dev, $2 shrink bytes
+resize_file() # $1 dev, $2 shrink bytes
 {
 	local size=$(stat --printf="%s" $1)
-	truncate -s $(($size + $2)) $1
+	truncate -s $(($size + $2)) $1 || fail
 	losetup -c $LOOPDEV
 }
 
-function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
+error_io() { # $1 dmdev, $2 data dev, $3 offset, $4 size
+	local _dev_size=$(blockdev --getsz /dev/mapper/$1)
+	local _offset=$(($3+$4))
+	local _size=$((_dev_size-_offset))
+	local _table=
+	dmsetup create $1-err --table "0 $_dev_size error" || fail
+
+	if [ $3 -ne 0 ]; then
+		_table="0 $3 linear $2 0\n"
+	fi
+
+	_table=$_table"$3 $4 error"
+
+	if [ $_size -ne 0 ]; then
+		_table="$_table\n$_offset $_size linear $2 $_offset"
+	fi
+
+	echo -e "$_table" | dmsetup load $1 || fail
+	dmsetup resume $1 || fail
+	blockdev --setra 0 /dev/mapper/$1
+}
+
+error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
 	local _dev_size=$(blockdev --getsz /dev/mapper/$1)
 	local _offset=$(($3+$4))
 	local _size=$((_dev_size-_offset))
@@ -297,14 +343,14 @@ function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
 	blockdev --setra 0 /dev/mapper/$_err
 }
 
-function fix_writes() { # $1 dmdev, $2 data dev
+fix_writes() { # $1 dmdev, $2 data dev
 	local _dev_size=$(blockdev --getsz /dev/mapper/$1)
 	dmsetup load $1 --table "0 $_dev_size linear $2 0" || fail
 	dmsetup resume $1 || fail
 	dmsetup remove --retry $1-err 2>/dev/null || fail
 }
 
-function prepare_linear_dev() {
+prepare_linear_dev() {
 	local _sizemb=$1
 	shift
 
@@ -320,7 +366,7 @@ function prepare_linear_dev() {
 	DEV=/dev/mapper/$OVRDEV
 }
 
-function get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [512 if omitted], $4 max offset
+get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [512 if omitted], $4 max offset
 {
 	local _devsize=$(($1*1024*2))
 	local _sector_size=${3:-512}
@@ -335,7 +381,7 @@ function get_error_offsets() # $1 devsize, $2 minimal offset, $3 sector_size [51
 	ERROFFSET=$(($ERROFFSET-($ERROFFSET%$_sector_size)))
 }
 
-function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
+reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
 	echo -n "resilience mode: $2 ..."
 	local _hdr=""
 	test -z "$4" || _hdr="--header $4"
@@ -354,7 +400,7 @@ function reencrypt_recover() { # $1 sector size, $2 resilience, $3 digest, [$4 h
 	echo "[OK]"
 }
 
-function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
+reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
 	echo -n "resilience mode: $2 ..."
 	local _hdr=""
 	test -z "$4" || _hdr="--header $4"
@@ -382,7 +428,7 @@ function reencrypt_recover_online() { # $1 sector size, $2 resilience, $3 digest
 	echo "[OK]"
 }
 
-function reencrypt_recover_online_vk() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
+reencrypt_recover_online_vk() { # $1 sector size, $2 resilience, $3 digest, [$4 header]
 	echo -n "resilience mode: $2 ..."
 	local _hdr=""
 	test -z "$4" || _hdr="--header $4"
@@ -414,7 +460,7 @@ function reencrypt_recover_online_vk() { # $1 sector size, $2 resilience, $3 dig
 	echo "[OK]"
 }
 
-function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
+encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
 	wipe_dev $DEV
 	check_hash_dev $DEV $5
 
@@ -439,7 +485,7 @@ function encrypt_recover() { # $1 sector size, $2 reduce size, $3 digest, $4 dev
 	echo "[OK]"
 }
 
-function encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
+encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest, $4 device size in sectors, $5 origin digest
 	wipe_dev $DEV
 	check_hash_dev $DEV $5
 
@@ -470,7 +516,7 @@ function encrypt_recover_online() { # $1 sector size, $2 reduce size, $3 digest,
 	echo "[OK]"
 }
 
-function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
+encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
 	wipe_dev $DEV
 	check_hash_dev $DEV $3
 
@@ -492,7 +538,7 @@ function encrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest
 	echo "[OK]"
 }
 
-function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
+encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
 	wipe_dev $DEV
 	check_hash_dev $DEV $3
 
@@ -524,7 +570,7 @@ function encrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3
 	echo "[OK]"
 }
 
-function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
+decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
 	echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
 	wipe $PWD1 $4
 	check_hash $PWD1 $3 $4
@@ -550,7 +596,7 @@ function decrypt_recover_detached() { # $1 sector size, $2 resilience, $3 digest
 	echo "[OK]"
 }
 
-function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
+decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3 digest, $4 hdr
 	echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --sector-size $1 --header $4 $FAST_PBKDF_ARGON $DEV || fail
 	echo $PWD1 | $CRYPTSETUP open $DEV --header $4 $DEV_NAME || fail
 	wipe_dev /dev/mapper/$DEV_NAME
@@ -582,7 +628,7 @@ function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3
 	echo "[OK]"
 }
 
-function decrypt_recover() { # $1 hash, $2 hdr, $3 dev size, $4 resilience, $5 hotzone size
+decrypt_recover() { # $1 hash, $2 hdr, $3 dev size, $4 resilience, $5 hotzone size
 	local _res=""
 	local _maxhz=""
 	test -z "$4" || _res="--resilience $4"
@@ -610,7 +656,7 @@ function decrypt_recover() { # $1 hash, $2 hdr, $3 dev size, $4 resilience, $5 h
 	echo -n "[OK]"
 }
 
-function decrypt_recover_online() { # $1 hash, $2 hdr, $3 dev size
+decrypt_recover_online() { # $1 hash, $2 hdr, $3 dev size
 	local _res=""
 	local _maxhz=""
 	test -z "$4" || _res="--resilience $4"
@@ -639,7 +685,7 @@ function decrypt_recover_online() { # $1 hash, $2 hdr, $3 dev size
 	echo -n "[OK]"
 }
 
-function decrypt_recover_online_moved() { # $1 hash, $2 hdr, $3 dev size
+decrypt_recover_online_moved() { # $1 hash, $2 hdr, $3 dev size
 	local _res=""
 	local _maxhz=""
 	test -z "$4" || _res="--resilience $4"
@@ -672,7 +718,7 @@ function decrypt_recover_online_moved() { # $1 hash, $2 hdr, $3 dev size
 # orig size
 # orig size digest
 # hdr (optional)
-function reencrypt_offline_fixed_size() {
+reencrypt_offline_fixed_size() {
 	local _esz=$(($1>>9))
 	local _hdr=""
 	# round-up fixed size to megabytes
@@ -715,7 +761,7 @@ function reencrypt_offline_fixed_size() {
 # orig size
 # orig size digest
 # hdr
-function encrypt_offline_fixed_size() {
+encrypt_offline_fixed_size() {
 	local _esz=$(($1>>9))
 
 	# reencrypt with fixed device size
@@ -750,7 +796,7 @@ function encrypt_offline_fixed_size() {
 # orig size
 # orig size digest
 # hdr
-function decrypt_offline_fixed_size() {
+decrypt_offline_fixed_size() {
 	local _esz=$(($1>>9))
 
 	# decrypt with fixed device size
@@ -787,7 +833,7 @@ function decrypt_offline_fixed_size() {
 # orig size
 # orig size digest
 # hdr (optional)
-function reencrypt_online_fixed_size() {
+reencrypt_online_fixed_size() {
 	local _esz=$(($1>>9))
 	local _hdr=""
 	test -z "$7" || _hdr="--header $7"
@@ -803,7 +849,7 @@ function reencrypt_online_fixed_size() {
 	echo $PWD1 | $CRYPTSETUP open $DEV $_hdr $DEV_NAME || fail
 	echo $PWD1 | $CRYPTSETUP resize $DEV_NAME $_hdr --size $2 || fail
 	echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --resilience $4 || fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "$2 \[512-byte units\]" || fail
 	$CRYPTSETUP close $DEV_NAME || fail
 	check_hash_head $PWD1 $2 $3 $7
 	wipe $PWD1 $7
@@ -814,7 +860,7 @@ function reencrypt_online_fixed_size() {
 	echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --sector-size $1 --init-only || fail
 	echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $(($2-_esz))s --resilience $4 2>/dev/null && fail
 	echo $PWD1 | $CRYPTSETUP reencrypt -q $FAST_PBKDF_ARGON $DEV $_hdr --device-size $2s --resilience $4 || fail
-	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "$2 sectors" || fail
+	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "$2 \[512-byte units\]" || fail
 	$CRYPTSETUP close $DEV_NAME || fail
 	check_hash_head $PWD1 $2 $3 $7
 
@@ -839,7 +885,28 @@ function reencrypt_online_fixed_size() {
 	[ -n "$7" -a -f "$7" ] && rm -f $7
 }
 
-function prepare_vk_keyring()
+reformat_reencrypt_device() {
+	if [ ! -e $BACKUP_FILE ]; then
+		echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -S0 $FAST_PBKDF_ARGON $DEV || fail
+		echo -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksAddKey -S2 $FAST_PBKDF_ARGON $DEV || fail
+		echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey -S4 $FAST_PBKDF_ARGON $DEV || fail
+		echo -e "$PWD1\n$PWD4" | $CRYPTSETUP -q luksAddKey -S6 $FAST_PBKDF_ARGON $DEV || fail
+		echo -e "$PWD1\n$PWD5" | $CRYPTSETUP -q luksAddKey -S8 $FAST_PBKDF_ARGON $DEV || fail
+		echo -e "$PWD1\n$PWD6" | $CRYPTSETUP -q luksAddKey -S10 $FAST_PBKDF_ARGON $DEV || fail
+		echo -e "$PWD1\n$PWD7" | $CRYPTSETUP -q luksAddKey -S12 $FAST_PBKDF_ARGON $DEV || fail
+
+		$CRYPTSETUP token add $DEV --token-id 1 --key-description $KEY_NAME3 -S6
+		$CRYPTSETUP token add $DEV --token-id 2 --key-description $KEY_NAME4 -S8
+		$CRYPTSETUP token add $DEV --token-id 3 --key-description $KEY_NAME5 -S10
+		echo -e "{\"type\":\"luks2-keyring\",\"keyslots\":[\"4\", \"12\"],\"key_description\":\"$KEY_NAME6\"}" | $CRYPTSETUP token import $DEV --token-id 4 --json-file -
+
+		$CRYPTSETUP -q luksHeaderBackup --header-backup-file $BACKUP_FILE $DEV || fail
+	else
+		$CRYPTSETUP -q luksHeaderRestore --header-backup-file $BACKUP_FILE $DEV || fail
+	fi
+}
+
+prepare_vk_keyring()
 {
 	local s_desc=$(keyctl rdescribe @s | cut -d';' -f5)
 	local us_desc=$(keyctl rdescribe @us | cut -d';' -f5)
@@ -851,9 +918,14 @@ function prepare_vk_keyring()
 
 	keyctl newring $KEYRING "@s" >/dev/null || fail "Failed to setup test keyring environment"
 	keyctl search "@s" keyring $KEYRING >/dev/null 2>&1 || fail "Could not find test keyring in a session keyring."
+
+	echo -n $PWD4 | keyctl padd user $KEY_NAME3 %:$KEYRING > /dev/null || fail
+	echo -n "wRonG_passFrejz" | keyctl padd user $KEY_NAME5 %:$KEYRING > /dev/null || fail
+	echo -n $PWD7 | keyctl padd user $KEY_NAME6 %:$KEYRING > /dev/null || fail
+	echo -n $PWD2 | keyctl padd user $KEY_NAME7 %:$KEYRING > /dev/null || fail
 }
 
-function setup_luks2_env() {
+setup_luks2_env() {
 	echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
 	echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
 	local check_keyring=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
@@ -867,7 +939,7 @@ function setup_luks2_env() {
 	$CRYPTSETUP close $DEV_NAME || fail
 }
 
-function check_blkid() {
+check_blkid() {
 	bin_check blkid
 	xz -dkf $HEADER_LUKS2_PV.xz
 	if ! $($CRYPTSETUP --version | grep -q "BLKID"); then
@@ -881,7 +953,7 @@ function check_blkid() {
 	fi
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -891,16 +963,67 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function bin_check()
+bin_check()
 {
 	command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
 }
 
+_dd()
+{
+	dd $@ status=none conv=notrunc bs=1
+}
+
+img_json_save()
+{
+	local _hdr=$IMG
+	[ -z "$1" ] || _hdr="$1"
+	# FIXME: why --json-file cannot be used?
+	$CRYPTSETUP luksDump --dump-json-metadata $_hdr | jq -c -M . | tr -d '\n' >$IMG_JSON
+}
+
+# header mangle functions
+img_update_json()
+{
+	local _hdr="$IMG"
+	local LUKS2_BIN1_OFFSET=448
+	local LUKS2_BIN2_OFFSET=$((LUKS2_BIN1_OFFSET + $JSON_MSIZE))
+	local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096))
+
+	# if present jq script, mangle JSON
+	if [ -n "$1" ]; then
+		local JSON=$(cat $IMG_JSON)
+		echo $JSON | jq -M -c "$1" >$IMG_JSON || fail
+		local JSON=$(cat $IMG_JSON)
+		echo $JSON | tr -d '\n' >$IMG_JSON || fail
+	fi
+
+	[ -z "$2" ] || _hdr="$2"
+
+	# wipe JSON areas
+	_dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=4096
+	_dd if=/dev/zero of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
+
+	# write JSON data
+	_dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=4096
+	_dd if=$IMG_JSON of=$_hdr count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
+
+	# erase sha256 checksums
+	_dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN1_OFFSET
+	_dd if=/dev/zero of=$_hdr count=64 seek=$LUKS2_BIN2_OFFSET
+
+	# calculate sha256 and write chexksums
+	local SUM1_HEX=$(_dd if=$_hdr count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
+	echo $SUM1_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN1_OFFSET count=64 || fail
+
+	local SUM2_HEX=$(_dd if=$_hdr skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
+	echo $SUM2_HEX | xxd -r -p | _dd of=$_hdr seek=$LUKS2_BIN2_OFFSET count=64 || fail
+}
+
 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
 fips_mode && skip "This test cannot be run in FIPS mode."
@@ -908,6 +1031,9 @@ modprobe --dry-run scsi_debug >/dev/null 2>&1 || skip "This kernel seems to not
 modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load"
 modprobe dm-delay > /dev/null 2>&1
 dm_crypt_features
+bin_check jq
+bin_check sha256sum
+bin_check xxd
 
 if [ -n "$DM_SECTOR_SIZE" ]; then
 	TEST_SECTORS="512 4096"
@@ -948,9 +1074,9 @@ prepare dev_size_mb=32
 setup_luks2_env
 
 # Check that we can use other ciphers than AES in userspace backend.
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c twofish-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c twofish-xts-plain64 $FAST_PBKDF_ARGON $DEV || skip "Cannot use Twofish cipher, test skipped"
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Twofish cipher, test skipped"
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c serpent-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -c serpent-xts-plain64 $FAST_PBKDF_ARGON $DEV || skip "Cannot use Serpent cipher, test skipped"
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>/dev/null || skip "Cannot use Serpent cipher, test skipped."
 wipe_dev $DEV
 
@@ -1102,6 +1228,50 @@ echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --ini
 check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail
 check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
+$CRYPTSETUP close $DEV_NAME || fail
+
+# encryption with both data shift and reduced data size
+prepare_linear_dev 65
+
+# --reduce-device-size + --device-size (1MiB+512B) is larger than real device size
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only --device-size 2049s --reduce-device-size 64M -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
+$CRYPTSETUP isLuks --type luks2 $DEV && fail
+# no changes in data device
+check_hash_dev_head $DEV 2048 $HASH2
+
+# --reduce-device-size (1MiB+8KiB) + --device-size (64MiB - (8KiB-512B)) is larger than real device size
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only --device-size 131057s --reduce-device-size 2064s -q $FAST_PBKDF_ARGON >/dev/null 2>&1 && fail
+$CRYPTSETUP isLuks --type luks2 $DEV && fail
+# no changes in data device
+check_hash_dev_head $DEV 2048 $HASH2
+
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --device-size 1M --reduce-device-size 32M -q $FAST_PBKDF_ARGON || fail
+check_hash_head $PWD1 2048 $HASH2
+
+# test limit values (--device-size + --reduce-device-size = real device size)
+wipe_dev_head $DEV 43
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --device-size 43M --reduce-device-size 22M -q $FAST_PBKDF_ARGON || fail
+check_hash_head $PWD1 88064 $HASH6
+
+wipe_dev_head $DEV 1
+# check reencryption code does not touch data in-between --device-size and --reduce-device-size
+# data device: [ reduce-device-size / 2 ] [ device-size ] [ error minefield ] [ reduce-device-size / 2]
+ERROFFSET=34816
+ERRLENGTH=65536
+error_io $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --device-size 1M --reduce-device-size 32M -q $FAST_PBKDF_ARGON  || fail
+fix_writes $OVRDEV $OLD_DEV
+check_hash_head $PWD1 2048 $HASH2
+
+wipe_dev_head $DEV 43
+
+ERROFFSET=104448
+ERRLENGTH=12288
+# data device: [ reduce-device-size / 2 ] [ device-size ] [ error minefield ] [ reduce-device-size / 2]
+error_io $OVRDEV $OLD_DEV $ERROFFSET $ERRLENGTH
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --device-size 43M --reduce-device-size 16M -q $FAST_PBKDF_ARGON || fail
+fix_writes $OVRDEV $OLD_DEV
+check_hash_head $PWD1 88064 $HASH6
 
 echo "[3] Encryption with detached header"
 preparebig 256
@@ -1726,7 +1896,7 @@ prepare dev_size_mb=32
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 256 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
 echo -e "$PWD1\n$PWD3" | $CRYPTSETUP -q luksAddKey $FAST_PBKDF_ARGON $DEV || fail
 wipe $PWD1
-echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --volume-key-file $VKEY1 -s 128 || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -S0 $FAST_PBKDF_ARGON --new-volume-key-file $VKEY1 --new-key-size 128 || fail
 check_hash $PWD1 $HASH1
 $CRYPTSETUP luksErase -q $DEV || fail
 echo $PWD1 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_ARGON --volume-key-file $VKEY1 -s 128 $DEV || fail
@@ -1751,14 +1921,16 @@ if [ $HAVE_KEYRING -gt 0 ]; then
 fi
 $CRYPTSETUP close $DEV_NAME
 
-# simulate LUKS2 device with cipher_null in both keyslot and segment (it can be created only by up conversion from LUKS1)
-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
-$CRYPTSETUP convert -q --type luks2 $DEV || fail
-wipe $PWD1
-echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
-check_hash $PWD1 $HASH1
-# both keyslot and segment cipher must not be null after reencryption with default params
-$CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
+# FIXME: Add test luks2 image with both keyslot and data using cipher_null and verify LUKS2 reencryption fixes this.
+
+## simulate LUKS2 device with cipher_null in both keyslot and segment (it can be created only by up conversion from LUKS1)
+#echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
+#$CRYPTSETUP convert -q --type luks2 $DEV || fail
+#wipe $PWD1
+#echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
+#check_hash $PWD1 $HASH1
+## both keyslot and segment cipher must not be null after reencryption with default params
+#$CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
 
 # multistep reencryption with initial cipher_null
 preparebig 64
@@ -2160,6 +2332,17 @@ echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR --active-name
 check_hash_dev_head $DEV 2048 $HASH2
 rm -f $IMG_HDR
 
+# Regression test for decryption with detached header and digest id != 0
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
+img_json_save $DEV
+# replace digest id 0 with 1
+img_update_json '.digests."1" = .digests."0" | del(.digests."0")' $DEV
+wipe $PWD1
+check_hash $PWD1 $HASH2
+echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --header $IMG_HDR $DEV || fail
+check_hash_dev_head $DEV 2048 $HASH2
+rm -f $IMG_HDR
+
 echo "[33] Decryption with datashift recovery (error in shift area)."
 prepare_linear_dev 32
 echo "sector size 512"
@@ -2316,6 +2499,212 @@ wipe_dev /dev/mapper/$DEV_NAME
 echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q || fail
 check_hash_dev_head $DEV 2048 $HASH2
 
+echo "[38] Reencrypt by keyslot context (new initialization and resume methods)"
+prepare dev_size_mb=32
+
+# keyslot0  - pass1
+# keyslot2  - pass2
+# keyslot4  - pass3, token4 (wrong pass)
+# keyslot6  - pass4, token1
+# keyslot8  - pass5, token2 (missing)
+# keyslot10 - pass6, token3 (wrong pass)
+# keyslot12 - pass7, token4
+reformat_reencrypt_device
+
+# tokens
+$CRYPTSETUP reencrypt -q --token-id 1 $DEV <&- || fail
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --token-only $DEV <&- || fail
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --token-type luks2-keyring $DEV <&- || fail
+
+reformat_reencrypt_device
+# keyslots 6 and 12 are unlocked by tokens 1 and 4
+echo -e "$PWD1\n$PWD2\n$PWD3\n$PWD5\n$PWD6" | $CRYPTSETUP reencrypt -q $DEV || fail
+
+# keyfile
+echo -n $PWD2 > $KEY1
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --key-file $KEY1 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --key-file $KEY1 -S4 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --key-file $KEY1 -S2 $DEV <&- || fail
+
+# passphrase in keyring
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --key-description $KEY_NAME7 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --key-description $KEY_NAME7 -S4 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --key-description $KEY_NAME7 -S2 $DEV <&- || fail
+
+# tokens
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --token-id 1 $DEV --init-only <&- || fail
+$CRYPTSETUP open --token-id 1 $DEV $DEV_NAME <&- || fail
+$CRYPTSETUP reencrypt -q --token-id 1 $DEV --resume-only <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --token-only --init-only $DEV <&- || fail
+$CRYPTSETUP open --token-only $DEV $DEV_NAME <&- || fail
+$CRYPTSETUP reencrypt -q --token-only --resume-only $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --token-type luks2-keyring --init-only $DEV <&- || fail
+$CRYPTSETUP open --token-type luks2-keyring $DEV $DEV_NAME <&- || fail
+$CRYPTSETUP reencrypt -q --token-type luks2-keyring --resume-only $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+reformat_reencrypt_device
+echo -e "$PWD1\n$PWD2\n$PWD3\n$PWD5\n$PWD6" | $CRYPTSETUP reencrypt --init-only -q $DEV || fail
+echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
+echo -e $PWD1 | $CRYPTSETUP reencrypt --resume-only -q $DEV || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# keyfile
+echo -n $PWD2 > $KEY1
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --init-only --key-file $KEY1 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --init-only --key-file $KEY1 -S4 $DEV 2>/dev/null <&- && fail
+
+$CRYPTSETUP reencrypt -q --init-only --key-file $KEY1 -S2 $DEV <&- || fail
+$CRYPTSETUP open --key-file $KEY1 $DEV $DEV_NAME <&- || fail
+$CRYPTSETUP reencrypt -q --resume-only --key-file $KEY1 $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# passphrase in keyring
+reformat_reencrypt_device
+$CRYPTSETUP reencrypt -q --init-only --key-description $KEY_NAME7 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --init-only --key-description $KEY_NAME7 -S4 $DEV 2>/dev/null <&- && fail
+$CRYPTSETUP reencrypt -q --init-only --key-description $KEY_NAME7 -S2 $DEV <&- || fail
+$CRYPTSETUP open -q --key-description $KEY_NAME7 $DEV $DEV_NAME <&- || fail
+$CRYPTSETUP reencrypt -q --resume-only --key-description $KEY_NAME7 $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# volume key
+reformat_reencrypt_device
+echo $PWD1 | $CRYPTSETUP luksDump --dump-volume-key --volume-key-file $VKEY2 $DEV >/dev/null || fail
+
+$CRYPTSETUP -q reencrypt --force-no-keyslots --volume-key-file $VKEY2 --new-volume-key-file $VKEY1 --new-key-size 256 $DEV <&- || fail
+
+# missing key size information (no active keyslot)
+$CRYPTSETUP open --test-passphrase --volume-key-file $VKEY1 $DEV <&- 2>/dev/null && fail
+$CRYPTSETUP open --test-passphrase --volume-key-file $VKEY1 --key-size 256 $DEV <&- || fail
+$CRYPTSETUP open --test-passphrase --volume-key-file $VKEY2 --key-size 512 $DEV 2>/dev/null <&- && fail
+
+echo $PWD1 | $CRYPTSETUP luksAddKey --volume-key-file $VKEY1 --key-size 256 $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
+
+reformat_reencrypt_device
+$CRYPTSETUP -q reencrypt --init-only --force-no-keyslots --volume-key-file $VKEY2 --new-volume-key-file $VKEY1 --new-key-size 256 $DEV <&- || fail
+
+# For unlock operation we do not require specific --volume-key-file ordering (unlike in reencryption initialization)
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 --key-size 256 --volume-key-file $VKEY2 --key-size 512 $DEV <&- || fail
+
+# with 2 --volume-key-files options --key-size must be also supplied twice
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 --volume-key-file $VKEY2 --key-size 512 $DEV 2>/dev/null <&- && fail
+# Missing old volume key
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY2 --key-size 512 $DEV <&- 2>/dev/null && fail
+
+$CRYPTSETUP -q open --volume-key-file $VKEY2 --key-size 512 --volume-key-file $VKEY1 --key-size 256 $DEV $DEV_NAME <&- || fail
+
+$CRYPTSETUP -q reencrypt --resume-only --volume-key-file $VKEY2 --new-volume-key-file $VKEY1 --key-size 512 --new-key-size 256 $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# wrong key size
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 --key-size 512 $DEV <&- 2>/dev/null && fail
+# wrong key
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY2 --key-size 256 $DEV <&- 2>/dev/null && fail
+
+# missing key size
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 $DEV <&- 2>/dev/null && fail
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 --key-size 256 $DEV <&- || fail
+
+# no remaining keyslots test (--force-no-keyslots is not needed)
+reformat_reencrypt_device
+$CRYPTSETUP -q luksErase $DEV || fail
+
+$CRYPTSETUP -q reencrypt --volume-key-file $VKEY2 -s 512 --new-volume-key-file $VKEY1 --new-key-size 256 $DEV <&- || fail
+$CRYPTSETUP open --test-passphrase --volume-key-file $VKEY1 --key-size 256 $DEV <&- || fail
+
+reformat_reencrypt_device
+$CRYPTSETUP -q luksErase $DEV || fail
+$CRYPTSETUP -q reencrypt --init-only --volume-key-file $VKEY2 -s 512 --new-volume-key-file $VKEY1 --new-key-size 256 $DEV <&- || fail
+
+# For unlock operation we do not require specific --volume-key-file ordering (unlike in reencryption initialization)
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 --key-size 256 --volume-key-file $VKEY2 --key-size 512 $DEV <&- || fail
+
+# with 2 --volume-key-files options --key-size must be also supplied twice
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY1 --volume-key-file $VKEY2 --key-size 512 $DEV 2>/dev/null <&- && fail
+# Missing old volume key
+$CRYPTSETUP -q open --test-passphrase --volume-key-file $VKEY2 --key-size 512 $DEV <&- 2>/dev/null && fail
+
+$CRYPTSETUP -q open --volume-key-file $VKEY2 --key-size 512 --volume-key-file $VKEY1 --key-size 256 $DEV $DEV_NAME <&- || fail
+
+$CRYPTSETUP -q reencrypt --resume-only --volume-key-file $VKEY2 --new-volume-key-file $VKEY1 --key-size 512 --new-key-size 256 $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# reencryption by volume key in kernel keyring
+reformat_reencrypt_device
+head -c 64 $VKEY2 | keyctl padd user $KEY_NAME_VK2 %:$KEYRING > /dev/null || fail
+head -c 32 $VKEY1 | keyctl padd user $KEY_NAME_VK1 %:$KEYRING > /dev/null || fail
+
+$CRYPTSETUP -q reencrypt --force-no-keyslots --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+
+# test unlock with key after reencryption
+$CRYPTSETUP open --test-passphrase --volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+$CRYPTSETUP open --test-passphrase --volume-key-keyring $KEY_NAME_VK2 $DEV <&- 2>/dev/null && fail
+
+reformat_reencrypt_device
+$CRYPTSETUP -q reencrypt --init-only --force-no-keyslots --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+
+# For unlock operation we do not require specific --volume-key-file ordering (unlike in reencryption initialization)
+$CRYPTSETUP -q open --test-passphrase --volume-key-keyring $KEY_NAME_VK1 --volume-key-keyring $KEY_NAME_VK2 $DEV <&- || fail
+
+# Missing old volume key
+$CRYPTSETUP -q open --test-passphrase --volume-key-keyring $KEY_NAME_VK1 $DEV <&- 2>/dev/null && fail
+
+$CRYPTSETUP -q open --volume-key-keyring $KEY_NAME_VK1 --volume-key-keyring $KEY_NAME_VK2 $DEV $DEV_NAME <&- || fail
+
+$CRYPTSETUP -q reencrypt --resume-only --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# no remaining keyslots test (--force-no-keyslots is not needed)
+reformat_reencrypt_device
+$CRYPTSETUP -q luksErase $DEV || fail
+
+$CRYPTSETUP -q reencrypt --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+
+reformat_reencrypt_device
+$CRYPTSETUP -q luksErase $DEV || fail
+$CRYPTSETUP -q reencrypt --init-only --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+
+# For unlock operation we do not require specific --volume-key-file ordering (unlike in reencryption initialization)
+$CRYPTSETUP -q open --test-passphrase --volume-key-keyring $KEY_NAME_VK1 --volume-key-keyring $KEY_NAME_VK2 $DEV <&- || fail
+
+# Missing old volume key
+$CRYPTSETUP -q open --test-passphrase --volume-key-keyring $KEY_NAME_VK2 $DEV <&- 2>/dev/null && fail
+
+$CRYPTSETUP -q open --volume-key-keyring $KEY_NAME_VK1 --volume-key-keyring $KEY_NAME_VK2 $DEV $DEV_NAME <&- || fail
+
+$CRYPTSETUP -q reencrypt --resume-only --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- || fail
+$CRYPTSETUP close $DEV_NAME || fail
+
+# test b0rked kernel keys
+reformat_reencrypt_device
+$CRYPTSETUP -q luksErase $DEV || fail
+
+head -c 63 $VKEY2 | keyctl padd user $KEY_NAME_VK2 %:$KEYRING > /dev/null || fail
+$CRYPTSETUP -q reencrypt --init-only --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- 2>/dev/null && fail
+$CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail "Failed initialization with reencryption flag"
+
+head -c 64 $VKEY2 | keyctl padd user $KEY_NAME_VK2 %:$KEYRING > /dev/null || fail
+$CRYPTSETUP open --test-passphrase --volume-key-keyring $KEY_NAME_VK2 $DEV || fail
+
+# new key size incompatible with cipher
+head -c 31 $VKEY1 | keyctl padd user $KEY_NAME_VK1 %:$KEYRING > /dev/null || fail
+$CRYPTSETUP -q reencrypt --init-only --volume-key-keyring $KEY_NAME_VK2 --new-volume-key-keyring $KEY_NAME_VK1 $DEV <&- 2>/dev/null && fail
+$CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail "Failed initialization with reencryption flag"
+
 remove_mapping
 cleanup_keyring
 exit 0
diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test
index 545c38e..47e631f 100755
--- a/tests/luks2-validation-test
+++ b/tests/luks2-validation-test
@@ -25,12 +25,12 @@ FAILS=0
 
 [ -z "$srcdir" ] && srcdir="."
 
-function remove_mapping()
+remove_mapping()
 {
 	rm -rf $IMG $TST_IMGS >/dev/null 2>&1
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "FAILED backtrace:"
@@ -40,19 +40,22 @@ function fail()
 	exit 2
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 fail_count()
 {
 	echo "$1"
 	FAILS=$((FAILS+1))
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function prepare() # $1 dev1_size
+prepare() # $1 dev1_size
 {
 	remove_mapping
 
@@ -63,13 +66,27 @@ function prepare() # $1 dev1_size
 	cp $ORIG_IMG $IMG
 }
 
-function test_load()
+test_load()
 {
 	local _debug=
 
 	test -z "$_DEBUG" || _debug="--debug"
 
 	case "$1" in
+	T)
+		if [ -n "$_debug" ]; then
+			$CRYPTSETUP token remove --token-id 0 $_debug $IMG
+		else
+			$CRYPTSETUP token remove --token-id 0 $IMG > /dev/null 2>&1
+		fi
+		test $? -eq 0 || return 1
+		if [ -n "$_debug" ]; then
+			$CRYPTSETUP luksDump $_debug $IMG
+		else
+			$CRYPTSETUP luksDump $IMG > /dev/null 2>&1
+		fi
+		test $? -eq 0 || return 1
+		;;
 	R)
 		if [ -n "$_debug" ]; then
 			$CRYPTSETUP luksDump $_debug $IMG
@@ -94,7 +111,7 @@ function test_load()
 	esac
 }
 
-function RUN()
+RUN()
 {
 	echo -n "Test image: $1..."
 	cp $TST_IMGS/$1 $IMG || fail "Missing test image"
@@ -106,7 +123,7 @@ function RUN()
 	fi
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -116,7 +133,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
@@ -125,6 +142,7 @@ function valgrind_run()
 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
 
 command -v jq >/dev/null || skip "Cannot find jq, test skipped."
+command -v xxd >/dev/null || skip "Cannot find xxd, test skipped."
 
 prepare
 
@@ -251,6 +269,10 @@ RUN luks2-keyslot-invalid-area-size.img			"F" "Invalid keyslot area size that ca
 RUN luks2-keyslot-invalid-objects.img			"F" "Invalid keyslot objects not rejected"
 RUN luks2-keyslot-invalid-af.img			"F" "Invalid keyslot objects types not rejected"
 
+echo "[8] Test non compact json does not break write optimization"
+RUN luks2-non-compact-json-token-0.img			"T" "Non compact json area corrupted after write"
+RUN luks2-non-compact-json-4k-token-0.img		"T" "Non compact 4K aligned json area corrupted after write"
+
 remove_mapping
 
 test $FAILS -eq 0 || fail "($FAILS wrong result(s) in total)"
diff --git a/tests/meson.build b/tests/meson.build
index f4aed61..f8e6a65 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -59,6 +59,17 @@ api_test_2 = executable('api-test-2',
     ],
     include_directories: includes_lib)
 
+crypto_check = executable('crypto-check',
+    [
+        'crypto-check.c',
+    ],
+    link_with: libcrypto_backend,
+    c_args: [
+        '-Wall',
+        '-O2',
+    ],
+    include_directories: includes_lib)
+
 vectors_test = executable('vectors-test',
     [
         'crypto-vectors.c',
@@ -354,6 +365,7 @@ if get_option('cryptsetup')
         is_parallel: false,
         depends: [
             cryptsetup,
+            crypto_check,
         ])
     test('luks1-compat-test',
         find_program('./luks1-compat-test'),
@@ -362,6 +374,7 @@ if get_option('cryptsetup')
         is_parallel: false,
         depends: [
             cryptsetup,
+            crypto_check,
         ])
     test('device-test',
         find_program('./device-test'),
@@ -379,6 +392,14 @@ if get_option('cryptsetup')
         depends: [
             cryptsetup,
         ])
+    test('keyring-trusted-test',
+        find_program('./keyring-trusted-test'),
+        workdir: meson.current_build_dir(),
+        timeout: 14400,
+        is_parallel: false,
+        depends: [
+            cryptsetup,
+        ])
     test('luks2-validation-test',
         find_program('./luks2-validation-test'),
         workdir: meson.current_build_dir(),
diff --git a/tests/mode-test b/tests/mode-test
index c9c8c05..fa483e5 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -46,13 +46,16 @@ fail()
 	exit 100
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function dm_crypt_capi_support()
+dm_crypt_capi_support()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-crypt version."
@@ -61,6 +64,7 @@ function dm_crypt_capi_support()
 	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
 	VER_PTC=$(echo $VER_STR | cut -f 3 -d.)
 
+	[ $VER_MAJ -gt 1 ] && return 0
 	if [ $VER_MIN -ge 16 ]; then
 		return 0
 	fi
@@ -68,7 +72,7 @@ function dm_crypt_capi_support()
 	return 1
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -78,7 +82,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
@@ -143,33 +147,39 @@ dmcrypt()
 	[ -z "$OUT" ] && OUT=$1
 	printf "%-31s" "$1"
 
+	echo -n -e "PLAIN:"
 	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME >/dev/null 2>&1
 	if [ $? -eq 0 ] ; then
-		echo -n -e "PLAIN:"
 		dmcrypt_check "$DEV_NAME"_tstdev $OUT
 	else
 		echo -n "[N/A]"
 	fi
 
+	echo -n -e " LUKS1:"
 	echo $PASSWORD | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF2 -c $1 -s 256 /dev/mapper/$DEV_NAME >/dev/null 2>&1
 	if [ $? -eq 0 ] ; then
-		echo -n -e " LUKS1:"
 		echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail
 		dmcrypt_check "$DEV_NAME"_tstdev $OUT
+	else
+		echo -n "[N/A]"
 	fi
 
+	echo -n -e " LUKS2:"
 	echo $PASSWORD | $CRYPTSETUP luksFormat --type luks2 --pbkdf pbkdf2 $FAST_PBKDF2 -c $1 -s 256 --offset 8192 /dev/mapper/$DEV_NAME >/dev/null 2>&1
 	if [ $? -eq 0 ] ; then
-		echo -n -e " LUKS2:"
 		echo $PASSWORD | $CRYPTSETUP luksOpen /dev/mapper/$DEV_NAME "$DEV_NAME"_tstdev >/dev/null 2>&1 || fail
 		dmcrypt_check "$DEV_NAME"_tstdev $OUT
+	else
+		echo -n "[N/A]"
 	fi
 
 	# repeated device creation must return the same checksum
+	echo -n -e " CHECKSUM:"
 	echo $PASSWORD | $CRYPTSETUP create -h sha256 -c $1 -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME >/dev/null 2>&1
 	if [ $? -eq 0 ] ; then
-		echo -n -e " CHECKSUM:"
 		dmcrypt_check_sum "$1" "$DEV_NAME"_tstdev
+	else
+		echo -n "[N/A]"
 	fi
 	echo
 }
diff --git a/tests/password-hash-test b/tests/password-hash-test
index e777390..a1ca415 100755
--- a/tests/password-hash-test
+++ b/tests/password-hash-test
@@ -28,7 +28,7 @@ cleanup() {
 	exit $1
 }
 
-function fail()
+fail()
 {
 	echo " $1 [FAILED]"
 	echo "FAILED backtrace:"
@@ -36,13 +36,16 @@ function fail()
 	cleanup 2
 }
 
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
 skip()
 {
 	echo "TEST SKIPPED: $1"
 	cleanup 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -52,7 +55,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index 7a6301e..a14a5b4 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -32,18 +32,18 @@ MNT_DIR=./mnt_luks
 START_DIR=$(pwd)
 FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
-function fips_mode()
+fips_mode()
 {
 	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
 }
 
-function del_scsi_device()
+del_scsi_device()
 {
 	rmmod scsi_debug >/dev/null 2>&1
 	sleep 1
 }
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
@@ -55,7 +55,7 @@ function remove_mapping()
 	del_scsi_device
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "FAILED backtrace:"
@@ -65,13 +65,16 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -81,12 +84,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function add_scsi_device() {
+add_scsi_device() {
 	del_scsi_device
 	if [ -d /sys/module/scsi_debug ] ; then
 		echo "Cannot use scsi_debug module (in use or compiled-in), test skipped."
@@ -103,7 +106,7 @@ function add_scsi_device() {
 	[ -b $SCSI_DEV ] || fail "Cannot find $SCSI_DEV."
 }
 
-function open_crypt() # $1 pwd, $2 hdr
+open_crypt() # $1 pwd, $2 hdr
 {
 	if [ -n "$2" ] ; then
 		echo "$1" | $CRYPTSETUP luksOpen $LOOPDEV1 $DEV_NAME --header $2 || fail
@@ -114,12 +117,12 @@ function open_crypt() # $1 pwd, $2 hdr
 	fi
 }
 
-function wipe_dev() # $1 dev
+wipe_dev() # $1 dev
 {
 	dd if=/dev/zero of=$1 bs=256k >/dev/null 2>&1
 }
 
-function wipe() # $1 pass
+wipe() # $1 pass
 {
 	open_crypt $1
 	wipe_dev /dev/mapper/$DEV_NAME
@@ -127,50 +130,52 @@ function wipe() # $1 pass
 	$CRYPTSETUP luksClose $DEV_NAME || fail
 }
 
-function prepare() # $1 dev1_siz
+prepare() # $1 dev1_siz
 {
 	remove_mapping
 
-	dd if=/dev/zero of=$IMG      bs=1k count=$1 >/dev/null 2>&1
+	dd if=/dev/zero of=$IMG bs=1k count=$1 >/dev/null 2>&1
 	LOOPDEV1=$(losetup -f 2>/dev/null)
 	[ -z "$LOOPDEV1" ] && fail "No free loop device"
-	losetup $LOOPDEV1 $IMG
+	losetup $LOOPDEV1 $IMG || fail
 
 	if [ ! -e $KEY1 ]; then
 		dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
 	fi
 }
 
-function check_hash_dev() # $1 dev, $2 hash
+check_hash_dev() # $1 dev, $2 hash
 {
 	HASH=$(sha256sum $1 | cut -d' ' -f 1)
 	[ $HASH != "$2" ] && fail "HASH differs ($HASH)"
 }
 
-function check_hash() # $1 pwd, $2 hash, $3 hdr
+check_hash() # $1 pwd, $2 hash, $3 hdr
 {
 	open_crypt $1 $3
 	check_hash_dev /dev/mapper/$DEV_NAME $2
 	$CRYPTSETUP remove $DEV_NAME || fail
 }
 
-function backup_orig()
+backup_orig()
 {
 	sync
 	losetup -d $LOOPDEV1
+	udevadm settle >/dev/null 2>&1
 	cp $IMG $ORIG_IMG
-	losetup $LOOPDEV1 $IMG
+	losetup $LOOPDEV1 $IMG || fail
 }
 
-function rollback()
+rollback()
 {
 	sync
 	losetup -d $LOOPDEV1
+	udevadm settle >/dev/null 2>&1
 	cp $ORIG_IMG $IMG
-	losetup $LOOPDEV1 $IMG
+	losetup $LOOPDEV1 $IMG || fail
 }
 
-function check_slot() #space separated list of ENABLED key slots
+check_slot() #space separated list of ENABLED key slots
 {
 	local _KS0=DISABLED
 	local _KS1=$_KS0 _KS2=$_KS0 _KS3=$_KS0 _KS4=$_KS0 _KS5=$_KS0 _KS6=$_KS0 _KS7=$_KS0
@@ -195,7 +200,7 @@ function check_slot() #space separated list of ENABLED key slots
 	return 0
 }
 
-function simple_scsi_reenc()
+simple_scsi_reenc()
 {
 	echo -n "$1"
 	echo $PWD1 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF $SCSI_DEV || fail
@@ -211,7 +216,7 @@ function simple_scsi_reenc()
 	$CRYPTSETUP luksClose $DEV_NAME || fail
 }
 
-function mount_and_test() {
+mount_and_test() {
 	test -d $MNT_DIR || mkdir -p $MNT_DIR
 	mount $@ $MNT_DIR 2>/dev/null || {
 		echo -n "[N/A]"
@@ -232,13 +237,13 @@ function mount_and_test() {
 	echo -n [OK]
 }
 
-function test_logging_tmpfs() {
+test_logging_tmpfs() {
 	echo -n "[tmpfs]"
 	mount_and_test -t tmpfs none -o size=$[25*1024*1024] || return 1
 	echo
 }
 
-function test_logging() {
+test_logging() {
 	echo -n "$1:"
 	for img in $(ls img_fs*img.xz) ; do
 		wipefs -a $SCSI_DEV > /dev/null
@@ -249,7 +254,7 @@ function test_logging() {
 	echo
 }
 
-function check_blkid() {
+check_blkid() {
 	xz -dkf $HEADER_LUKS2_PV.xz
 	if ! $($CRYPTSETUP --version | grep -q "BLKID"); then
 		HAVE_BLKID=0
diff --git a/tests/run-all-symbols b/tests/run-all-symbols
index 58a1ba6..53c10e8 100755
--- a/tests/run-all-symbols
+++ b/tests/run-all-symbols
@@ -3,13 +3,13 @@
 [ -z "$LIBCRYPTSETUP_DIR" ] && LIBCRYPTSETUP_DIR=../.libs
 FILE=$LIBCRYPTSETUP_DIR/libcryptsetup.so
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 2
 }
 
-function skip()
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
index 2475034..4587e8c 100755
--- a/tests/ssh-test-plugin
+++ b/tests/ssh-test-plugin
@@ -39,19 +39,19 @@ fi
 	CRYPTSETUP_SSH="$CRYPTSETUP_PATH/../tokens/ssh/cryptsetup-ssh"
 }
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
 	rm -f $IMG >/dev/null 2>&1
 }
 
-function remove_user()
+remove_user()
 {
 	id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1
 	rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1
 }
 
-function create_user()
+create_user()
 {
 	id -u $USER >/dev/null 2>&1
 	[ $? -eq 0 ] && skip "User account $USER exists, aborting."
@@ -63,18 +63,18 @@ function create_user()
 	[ $? -ne 0 ] && remove_user && skip "Failed to create SSH key."
 }
 
-function ssh_check()
+ssh_check()
 {
 	# try to use netcat to check port 22
 	nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping."
 }
 
-function bin_check()
+bin_check()
 {
 	command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
 }
 
-function ssh_setup()
+ssh_setup()
 {
 	# copy the ssh key
 	[ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh
@@ -93,7 +93,7 @@ function ssh_setup()
 	[ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH."
 }
 
-function fail()
+fail()
 {
 	echo "[FAILED]"
 	[ -n "$1" ] && echo "$1"
@@ -104,14 +104,17 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -121,12 +124,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function valgrind_run_ssh()
+valgrind_run_ssh()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@"
 }
diff --git a/tests/systemd-test-plugin b/tests/systemd-test-plugin
index 7515f76..9ddc4af 100755
--- a/tests/systemd-test-plugin
+++ b/tests/systemd-test-plugin
@@ -8,12 +8,12 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 IMG=systemd_token_test.img
 MAP="systemd_tpm2_test"
 
-function bin_check()
+bin_check()
 {
     command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
 }
 
-function cleanup() {
+cleanup() {
     [ -S $SWTPM_STATE_DIR/ctrl.sock ] && {
         # shutdown TPM via control socket
         swtpm_ioctl -s --unix $SWTPM_STATE_DIR/ctrl.sock
@@ -33,7 +33,7 @@ function cleanup() {
     rm -f $IMG >/dev/null 2>&1
 }
 
-function fail()
+fail()
 {
     echo "[FAILED]"
     [ -n "$1" ] && echo "$1"
@@ -43,7 +43,10 @@ function fail()
     exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
     [ -n "$1" ] && echo "$1"
     cleanup
@@ -153,9 +156,6 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
     echo "Virtual TPM set up at $TPM_PATH"
 }
 
-if [ -n "$SSH_BUILD_DIR" ]; then
-	CUSTOM_TOKENS_PATH="--external-tokens-path $SSH_BUILD_DIR"
-fi
 FAKE_TPM_PATH="$(pwd)/fake_systemd_tpm_path.so"
 [ ! -z "$CRYPTSETUP_TESTS_RUN_IN_MESON" ] && FAKE_TPM_PATH="$CRYPTSETUP_PATH/../tests/fake_systemd_tpm_path.so"
 [ -f $FAKE_TPM_PATH ] || skip "Please compile $FAKE_TPM_PATH."
@@ -164,29 +164,36 @@ export LD_PRELOAD="$LD_PRELOAD:$FAKE_TPM_PATH"
 export TPM_PATH=$TPM_PATH
 echo "TPM path is $TPM_PATH"
 
+if [ -z "$CRYPTSETUP_TOKENS_PATH" ]; then
+	echo "Running with system cryptsetup plugins path"
+	CRYPTSETUP_EXTERNAL_PATH_PARAM=
+else
+	CRYPTSETUP_EXTERNAL_PATH_PARAM="--external-tokens-path $CRYPTSETUP_TOKENS_PATH"
+fi
+
 dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
 echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q
 
 echo "Enrolling the device to TPM 2 using systemd-cryptenroll.."
 LD_PRELOAD="$LD_PRELOAD:$CRYPTENROLL_LD_PRELOAD" PASSWORD="$PASSWD" $SYSTEMD_CRYPTENROLL $IMG --tpm2-device=$TPM_PATH >/dev/null 2>&1
 
-$CRYPTSETUP luksDump --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)."
+$CRYPTSETUP luksDump $CRYPTSETUP_EXTERNAL_PATH_PARAM $IMG | grep -q "tpm2-blob" || fail "Failed to dump $IMG using systemd_tpm2 token (no tpm2-blob in output)."
 echo "Activating the device via TPM2 external token.."
-$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token."
+$CRYPTSETUP open $CRYPTSETUP_EXTERNAL_PATH_PARAM --token-only $IMG $MAP >/dev/null 2>&1 || fail "Failed to open $IMG using systemd_tpm2 token."
 $CRYPTSETUP close $MAP >/dev/null 2>&1 || fail "Failed to close $MAP."
 
 echo "Adding passphrase via TPM2 token.."
-echo $PASSWD2 | $CRYPTSETUP luksAddKey --external-tokens-path $CRYPTSETUP_TOKENS_PATH $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token."
+echo $PASSWD2 | $CRYPTSETUP luksAddKey $CRYPTSETUP_EXTERNAL_PATH_PARAM $FAST_PBKDF_OPT $IMG --force-password -q --token-only >/dev/null 2>&1 || fail "Failed to add passphrase by tpm2 token."
 echo $PASSWD2 | $CRYPTSETUP open $IMG --test-passphrase --disable-external-tokens >/dev/null 2>&1 || fail "Failed to test passphrase added by tpm2 token."
 
 echo "Exporting and removing TPM2 token.."
 EXPORTED_TOKEN=$($CRYPTSETUP token export $IMG --token-id 0)
 $CRYPTSETUP token remove $IMG --token-id 0
-$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal."
+$CRYPTSETUP open $CRYPTSETUP_EXTERNAL_PATH_PARAM $IMG --test-passphrase --token-only >/dev/null 2>&1 && fail "Activating without passphrase should fail after TPM2 token removal."
 
 echo "Re-importing TPM2 token.."
 echo $EXPORTED_TOKEN | $CRYPTSETUP token import $IMG --token-id 0 || fail "Failed to re-import deleted token."
-$CRYPTSETUP open --external-tokens-path $CRYPTSETUP_TOKENS_PATH $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token."
+$CRYPTSETUP open $CRYPTSETUP_EXTERNAL_PATH_PARAM $IMG --test-passphrase --token-only >/dev/null 2>&1 || fail "Failed to activate after re-importing deleted token."
 
 cleanup
 exit 0
diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test
index 0708b32..d22d1a9 100755
--- a/tests/tcrypt-compat-test
+++ b/tests/tcrypt-compat-test
@@ -10,6 +10,10 @@ PASSWORD="aaaaaaaaaaaa"
 PASSWORD_HIDDEN="bbbbbbbbbbbb"
 PASSWORD_72C="aaaaaaaaaaaabbbbbbbbbbbbccccccccccccddddddddddddeeeeeeeeeeeeffffffffffff"
 PIM=1234
+LOOP_SYS=""
+PART_IMG=tctst-part-img
+
+CRYPTOCHECK=./crypto-check
 
 if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
 	CRYPTSETUP_VALGRIND=$CRYPTSETUP
@@ -20,15 +24,16 @@ fi
 
 [ -z "$srcdir" ] && srcdir="."
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
 	[ -b /dev/mapper/"$MAP"_1 ] && dmsetup remove --retry "$MAP"_1
 	[ -b /dev/mapper/"$MAP"_2 ] && dmsetup remove --retry "$MAP"_2
-	rm -rf $TST_DIR
+	[ -n "$LOOP_SYS" ] && losetup -d $LOOP_SYS
+	rm -rf $TST_DIR $PART_IMG
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo " [FAILED]"
@@ -38,29 +43,31 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	remove_mapping
 	exit 77
 }
 
-function test_one() # cipher mode keysize rm_pattern
+test_one() # cipher mode keysize rm_pattern
 {
-	$CRYPTSETUP benchmark -c "$1-$2" -s "$3" >/dev/null 2>&1
+	$CRYPTOCHECK cipher $1 $2 $3
 	if [ $? -ne 0 ] ; then
 		echo "$1-$2 [N/A]"
 		IMGS=$(ls $TST_DIR/[tv]c* | grep "$4")
 		[ -n "$IMGS" ] && rm $IMGS
-		#echo $IMGS
 	else
 		echo "$1-$2 [OK]"
 	fi
 }
 
-function test_kdf() # hash img_hash
+test_kdf() # hash img_hash
 {
-	$CRYPTSETUP benchmark -h "$1" >/dev/null 2>&1
+	$CRYPTOCHECK hash $1
 	if [ $? -ne 0 ] ; then
 		echo "pbkdf2-$1 [N/A]"
 		IMGS=$(ls $TST_DIR/[tv]c* | grep "$2")
@@ -70,16 +77,17 @@ function test_kdf() # hash img_hash
 	fi
 }
 
-function get_HASH_CIPHER() # filename
+get_HASH_CIPHER() # filename
 {
 	# speed up the test by limiting options for hash and (first) cipher
 	HASH=$(echo $file | cut -d'-' -f3)
 	CIPHER=$(echo $file | cut -d'-' -f5)
 }
 
-function test_required()
+test_required()
 {
 	command -v blkid >/dev/null || skip "blkid tool required, test skipped."
+	[ ! -x "$CRYPTOCHECK" ] && skip "Cannot find $CRYPTOCHECK, test skipped."
 
 	echo "REQUIRED KDF TEST"
 	test_kdf sha256      sha256
@@ -115,7 +123,13 @@ function test_required()
 	ls $TST_DIR/[tv]c* >/dev/null 2>&1 || skip "No remaining images, test skipped."
 }
 
-function valgrind_setup()
+check_uuid()
+{
+	UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
+	[ "$UUID" != "$1" ] && fail "UUID check failed."
+}
+
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
@@ -125,7 +139,7 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
@@ -184,7 +198,6 @@ for file in $(ls $TST_DIR/[tv]ck_*) ; do
 	echo " [OK]"
 done
 
-
 if [ $(id -u) != 0 ]; then
 	echo "WARNING: You must be root to run activation part of test, test skipped."
 	remove_mapping
@@ -192,23 +205,70 @@ if [ $(id -u) != 0 ]; then
 fi
 
 echo "ACTIVATION FS UUID CHECK"
-for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do
+for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_*) ; do
 	echo -n " $file"
 	PIM_OPT=""
 	[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
-	SYS_OPT=""
-	[[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system"
 	get_HASH_CIPHER $file
-	out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $SYS_OPT $PIM_OPT -r -h $HASH -c $CIPHER $file $MAP 2>&1)
+	out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $PIM_OPT -r -h $HASH -c $CIPHER $file $MAP 2>&1)
 	ret=$?
 	[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
 	[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
 	[ $ret -ne 0 ] && fail
 	$CRYPTSETUP status $MAP >/dev/null || fail
 	$CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
-	UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
-	$CRYPTSETUP remove $MAP || fail
-	[ "$UUID" != "DEAD-BABE" ] && fail "UUID check failed."
+	check_uuid DEAD-BABE
+	$CRYPTSETUP close $MAP || fail
+	echo " [OK]"
+done
+
+echo "ACTIVATION SYSTEM FS UUID CHECK"
+for file in $(ls $TST_DIR/sys_[tv]c_*) ; do
+	echo -n " $file"
+	LOOP_SYS=$(losetup -r -f --show -P $file)
+	if [ -z "$LOOP_SYS" ]; then
+		echo " [N/A]"
+		continue
+	fi
+	if [[ $file =~ _gpt_ ]]; then
+		LOOP_PART="$LOOP_SYS"p3
+	else
+		LOOP_PART="$LOOP_SYS"p1
+	fi
+	if [ ! -b "$LOOP_PART" ]; then
+		echo " [N/A]"
+		losetup -d $LOOP_SYS
+		LOOP_SYS=""
+		continue
+	fi
+	get_HASH_CIPHER $file
+	# map through partition name
+	echo -n " [PART]"
+	echo $PASSWORD | $CRYPTSETUP tcryptOpen --tcrypt-system -r -h $HASH -c $CIPHER $LOOP_PART $MAP || fail
+	check_uuid DEAD-BABE
+	$CRYPTSETUP close $MAP || fail
+	if [[ $file =~ _part ]]; then
+		# map through image only (TCRYPT hdr contains partition offset and size)
+		echo -n "[IMG]"
+		echo $PASSWORD | $CRYPTSETUP tcryptOpen --tcrypt-system -r -h $HASH -c $CIPHER $file $MAP 2>/dev/null || fail
+		check_uuid DEAD-BABE
+		$CRYPTSETUP close $MAP || fail
+		# map through full device (TCRYPT hdr contains partition offset and size)
+		echo -n "[DRIVE]"
+		echo $PASSWORD | $CRYPTSETUP tcryptOpen --tcrypt-system -r -h $HASH -c $CIPHER $LOOP_SYS $MAP || fail
+		check_uuid DEAD-BABE
+		$CRYPTSETUP close $MAP || fail
+	elif [[ $file =~ _full ]]; then
+		# map through image + header in real partition (whole system)
+		dd if=$LOOP_PART of=$PART_IMG bs=1M >/dev/null 2>&1
+		echo -n "[PART+IMG]"
+		echo $PASSWORD | $CRYPTSETUP tcryptOpen --tcrypt-system -r -h $HASH -c $CIPHER --header $LOOP_PART $PART_IMG $MAP || fail
+		check_uuid DEAD-BABE
+		$CRYPTSETUP close $MAP || fail
+		rm $PART_IMG
+	fi
+	losetup -d $LOOP_SYS
+	LOOP_SYS=""
 	echo " [OK]"
 done
 
@@ -221,9 +281,8 @@ for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
 	[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
 	[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
 	[ $ret -ne 0 ] && fail
-	UUID=$(blkid -p -o value -s UUID /dev/mapper/$MAP)
-	$CRYPTSETUP remove $MAP || fail
-	[ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."
+	check_uuid CAFE-BABE
+	$CRYPTSETUP close $MAP || fail
 	echo " [OK]"
 done
 
diff --git a/tests/tcrypt-images.tar.xz b/tests/tcrypt-images.tar.xz
index 5ccef08..388c142 100644
Binary files a/tests/tcrypt-images.tar.xz and b/tests/tcrypt-images.tar.xz differ
diff --git a/tests/test_utils.c b/tests/test_utils.c
index 142257b..ed3594b 100644
--- a/tests/test_utils.c
+++ b/tests/test_utils.c
@@ -2,8 +2,8 @@
 /*
  * cryptsetup library API test utilities
  *
- * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2024 Milan Broz
+ * Copyright (C) 2009-2025 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2025 Milan Broz
  */
 
 #include <assert.h>
@@ -17,11 +17,11 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 # include <linux/keyctl.h>
 # include <sys/syscall.h>
 #endif
-#ifdef HAVE_SYS_SYSMACROS_H
+#if HAVE_SYS_SYSMACROS_H
 # include <sys/sysmacros.h>
 #endif
 #include <linux/loop.h>
@@ -41,7 +41,7 @@ struct loop_config {
 
 static char last_error[256];
 static char global_log[4096];
-static uint32_t t_dm_crypt_flags = 0;
+static uint64_t t_dm_crypt_flags = 0;
 
 char *THE_LOOP_DEV = NULL;
 int _debug   = 0;
@@ -486,7 +486,7 @@ int _system(const char *command, int warn)
 
 static int _keyring_check(void)
 {
-#ifdef KERNEL_KEYRING
+#if KERNEL_KEYRING
 	return syscall(__NR_request_key, "logon", "dummy", NULL, 0) == -1l && errno != ENOSYS;
 #else
 	return 0;
@@ -555,6 +555,12 @@ static void t_dm_set_crypt_compat(const char *dm_version, unsigned crypt_maj,
 
 	if (t_dm_satisfies_version(1, 22, 0, crypt_maj, crypt_min, crypt_patch))
 		t_dm_crypt_flags |= T_DM_CRYPT_NO_WORKQUEUE_SUPPORTED;
+
+	if (t_dm_satisfies_version(1, 26, 0, crypt_maj, crypt_min, crypt_patch))
+		t_dm_crypt_flags |= T_DM_CRYPT_HIGH_PRIORITY_SUPPORTED;
+
+	if (t_dm_satisfies_version(1, 28, 0, crypt_maj, crypt_min, crypt_patch))
+		t_dm_crypt_flags |= T_DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED;
 }
 
 static void t_dm_set_verity_compat(const char *dm_version __attribute__((unused)),
@@ -585,6 +591,10 @@ static void t_dm_set_verity_compat(const char *dm_version __attribute__((unused)
 
 	if (t_dm_satisfies_version(1, 9, 0, verity_maj, verity_min, verity_patch))
 		t_dm_crypt_flags |= T_DM_VERITY_TASKLETS_SUPPORTED;
+
+	/* There is actually no correct version set, just use the last available */
+	if (t_dm_satisfies_version(1, 10, 0, verity_maj, verity_min, verity_patch))
+		t_dm_crypt_flags |= T_DM_VERITY_ERROR_AS_CORRUPTION_SUPPORTED;
 }
 
 static void t_dm_set_integrity_compat(const char *dm_version __attribute__((unused)),
@@ -612,6 +622,9 @@ static void t_dm_set_integrity_compat(const char *dm_version __attribute__((unus
 
 	if (t_dm_satisfies_version(1, 8, 0, integrity_maj, integrity_min, integrity_patch))
 		t_dm_crypt_flags |= T_DM_INTEGRITY_RESET_RECALC_SUPPORTED;
+
+	if (t_dm_satisfies_version(1, 12, 0, integrity_maj, integrity_min, integrity_patch))
+		t_dm_crypt_flags |= T_DM_INTEGRITY_INLINE_MODE_SUPPORTED;
 }
 
 int t_dm_check_versions(void)
diff --git a/tests/unit-utils-crypt.c b/tests/unit-utils-crypt.c
index bc17d6c..e2e9012 100644
--- a/tests/unit-utils-crypt.c
+++ b/tests/unit-utils-crypt.c
@@ -2,7 +2,7 @@
 /*
  * cryptsetup crypto name and hex conversion helper test vectors
  *
- * Copyright (C) 2022-2024 Milan Broz
+ * Copyright (C) 2022-2025 Milan Broz
  */
 
 #include <stdio.h>
@@ -108,7 +108,7 @@ static int test_parse_integrity_mode(void)
 		key_size = -1;
 		memset(integrity, 0, sizeof(integrity));
 		if (integrity_test_vectors[i].int_mode &&
-		    (crypt_parse_integrity_mode(integrity_test_vectors[i].input, integrity, &key_size) < 0 ||
+		    (crypt_parse_integrity_mode(integrity_test_vectors[i].input, integrity, &key_size, 0) < 0 ||
 			strcmp(integrity_test_vectors[i].integrity, integrity) ||
 			integrity_test_vectors[i].key_size != key_size)) {
 			printf("[FAILED (%s / %i)]\n", integrity, key_size);
diff --git a/tests/unit-utils-io.c b/tests/unit-utils-io.c
index 7390cc5..eaa7e8f 100644
--- a/tests/unit-utils-io.c
+++ b/tests/unit-utils-io.c
@@ -2,7 +2,7 @@
 /*
  * simple unit test for utils_io.c (blockwise low level functions)
  *
- * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2025 Red Hat, Inc. All rights reserved.
  */
 
 #include <errno.h>
diff --git a/tests/unit-wipe-test b/tests/unit-wipe-test
index a898354..82b32ed 100755
--- a/tests/unit-wipe-test
+++ b/tests/unit-wipe-test
@@ -9,13 +9,13 @@ DEVSIZE=$((DEVSIZEMB*$MB_BYTES))
 
 HASH_EMPTY=2daeb1f36095b44b318410b3f4e8b5d989dcc7bb023d1426c492dab0a3053e74
 
-function cleanup() {
+cleanup() {
 	rm -f $FILE $FILE_RAND 2> /dev/null
 	sleep 1
 	rmmod scsi_debug >/dev/null 2>&1
 }
 
-function fail()
+fail()
 {
 	if [ -n "$1" ] ; then echo "FAIL $1" ; else echo "FAIL" ; fi
 	echo "FAILED backtrace:"
@@ -24,14 +24,17 @@ function fail()
 	exit 100
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	echo "TEST SKIPPED: $1"
 	cleanup
 	exit 77
 }
 
-function add_device()
+add_device()
 {
 	rmmod scsi_debug >/dev/null 2>&1
 	if [ -d /sys/module/scsi_debug ] ; then
@@ -47,13 +50,13 @@ function add_device()
 	[ -b $DEV ] || fail "Cannot find $DEV."
 }
 
-function check_hash() # $1 dev, $2 hash
+check_hash() # $1 dev, $2 hash
 {
 	local HASH=$(sha256sum $1 | cut -d' ' -f 1)
 	[ $HASH == "$2" ]
 }
 
-function init_hash_dd() # $1 dev, $dev orig
+init_hash_dd() # $1 dev, $dev orig
 {
 	dd if=/dev/urandom of=$2 bs=1M count=$DEVSIZEMB conv=notrunc 2> /dev/null
 	dd if=$2 of=$1 bs=1M conv=notrunc 2> /dev/null
@@ -67,7 +70,7 @@ function init_hash_dd() # $1 dev, $dev orig
 	dd if=$2 of=$1 bs=1M conv=notrunc 2> /dev/null
 }
 
-function add_file()
+add_file()
 {
 	dd if=/dev/zero of=$FILE      bs=1M count=$DEVSIZEMB 2> /dev/null || fail
 	dd if=/dev/zero of=$FILE_RAND bs=1M count=$DEVSIZEMB 2> /dev/null || fail
@@ -76,7 +79,7 @@ function add_file()
 	dd if=$FILE of=/dev/null bs=4096 count=1 iflag=direct >/dev/null 2>&1 || FILE_NODIO=1
 }
 
-function test_wipe_full() # $1 dev, $2 block size, [$3 flags]
+test_wipe_full() # $1 dev, $2 block size, [$3 flags]
 {
 	# wipe random and back to zero
 	$WIPE_UNIT $1 random 0 $DEVSIZE $2 $3 || fail
@@ -86,7 +89,7 @@ function test_wipe_full() # $1 dev, $2 block size, [$3 flags]
 }
 
 # wipe MB blocks, with zero, random and special and back to original
-function test_wipe_blocks() # $1 dev $2 block sizem [$3 flags]
+test_wipe_blocks() # $1 dev $2 block sizem [$3 flags]
 {
 	init_hash_dd $1 $FILE_RAND
 	check_hash $1 $HASH_0 || fail
diff --git a/tests/unit-wipe.c b/tests/unit-wipe.c
index c246664..cd0fd37 100644
--- a/tests/unit-wipe.c
+++ b/tests/unit-wipe.c
@@ -2,7 +2,7 @@
 /*
  * unit test helper for crypt_wipe API call
  *
- * Copyright (C) 2022-2024 Milan Broz
+ * Copyright (C) 2022-2025 Milan Broz
  */
 
 #include <errno.h>
diff --git a/tests/verity-compat-test b/tests/verity-compat-test
index d16dbb3..2856e90 100755
--- a/tests/verity-compat-test
+++ b/tests/verity-compat-test
@@ -21,7 +21,7 @@ FEC_DEV=tst_fec123
 DEV_SALT=9e7457222290f1bac0d42ad2de2d602a87bb871c22ab70ca040bad450578a436
 DEV_UUID=a60c98d2-ae9b-4865-bfcb-b4e3ace11033
 
-function remove_mapping()
+remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2 >/dev/null 2>&1
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME >/dev/null 2>&1
@@ -31,7 +31,7 @@ function remove_mapping()
 	LOOPDEV2=""
 }
 
-function fail()
+fail()
 {
 	[ -n "$1" ] && echo "$1"
 	echo "FAILED backtrace:"
@@ -41,13 +41,16 @@ function fail()
 	exit 2
 }
 
-function skip()
+_sigchld() { local c=$?; [ $c -eq 139 ] && fail "Segfault"; [ $c -eq 134 ] && fail "Aborted"; }
+trap _sigchld CHLD
+
+skip()
 {
 	[ -n "$1" ] && echo "$1"
 	exit 77
 }
 
-function prepare() # $1 dev1_siz [$2 dev2_size]
+prepare() # $1 dev1_siz [$2 dev2_size]
 {
 	remove_mapping
 
@@ -60,18 +63,18 @@ function prepare() # $1 dev1_siz [$2 dev2_size]
 	LOOPDEV2=$IMG_HASH
 }
 
-function wipe()
+wipe()
 {
 	dd if=/dev/zero of=$LOOPDEV1 bs=256k >/dev/null 2>&1
 	rm -f $IMG_HASH $DEV_OUT >/dev/null 2>&1
 }
 
-function check_exists()
+check_exists()
 {
 	[ -b /dev/mapper/$DEV_NAME ] || fail
 }
 
-function check_version() # MAJ MIN
+check_version() # MAJ MIN
 {
 	VER_STR=$(dmsetup targets | grep verity | cut -f 3 -dv)
 	[ -z "$VER_STR" ] && fail "Failed to parse dm-verity version."
@@ -80,18 +83,34 @@ function check_version() # MAJ MIN
 	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
 
 	test $VER_MAJ -gt $1 && return 0
+	test $VER_MAJ -lt $1 && return 1
 	test $VER_MIN -ge $2 && return 0
+
+	return 1
+}
+
+check_version_kernel()
+{
+	KER_STR=$(uname -r)
+	[ -z "$KER_STR" ] && fail "Failed to parse kernel version."
+	KER_MAJ=$(echo $KER_STR | cut -f 1 -d.)
+	KER_MIN=$(echo $KER_STR | cut -f 2 -d.)
+
+	test $KER_MAJ -gt $1 && return 0
+	test $KER_MAJ -lt $1 && return 1
+	test $KER_MIN -ge $2 && return 0
+
 	return 1
 }
 
-function compare_out() # $1 what, $2 expected
+compare_out() # $1 what, $2 expected
 {
 	OPT=$(grep -v "^#" $DEV_OUT | grep -i "$1" | sed -e s/.*\:\ // )
 	[ -z "$OPT" ] && fail
 	[ $OPT != $2 ] && fail "$1 differs ($2)"
 }
 
-function check_root_hash_fail()
+check_root_hash_fail()
 {
 	echo -n "Root hash check "
 	ROOT_HASH=$($VERITYSETUP format $IMG $IMG_HASH --fec-device $FEC_DEV --fec-roots 2 -h sha256 | grep -e "Root hash" | cut -d: -f2 | tr -d "\t\n ")
@@ -116,7 +135,7 @@ function check_root_hash_fail()
 	echo "[OK]"
 }
 
-function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
+check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
 {
 	local FORMAT_PARAMS
 	local VERIFY_PARAMS
@@ -206,7 +225,7 @@ function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6
 	done
 }
 
-function corrupt_device() # $1 device, $2 device_size(in bytes), $3 #{corrupted_bytes}
+corrupt_device() # $1 device, $2 device_size(in bytes), $3 #{corrupted_bytes}
 {
 	# Repeatable magic corruption :-)
 	CORRUPT=$3
@@ -222,7 +241,7 @@ function corrupt_device() # $1 device, $2 device_size(in bytes), $3 #{corrupted_
 # $1 data_device, $2 hash_device, $3 fec_device, $4 data/hash_block_size(in bytes),
 # $5 data_size(in blocks), $6 device_size(in blocks), $7 hash_offset(in bytes),
 # $8 fec_offset(in bytes), $9 fec_roots, ${10} corrupted_bytes, [${11} superblock(y/n), ${12} salt]
-function check_fec()
+check_fec()
 {
 	INDEX=25
 	dd if=/dev/zero of=$1 bs=$4 count=$6 > /dev/null 2>&1
@@ -290,22 +309,22 @@ function check_fec()
 	return $RET
 }
 
-function check_option() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, $6 CLI option, $7 status option
+check_option() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, $6 status option, $7-$8 CLI options
 {
 	DEV_PARAMS="$LOOPDEV1 $LOOPDEV2"
 	FORMAT_PARAMS="--format=$4 --data-block-size=$1 --hash-block-size=$1 --hash=$5 --salt=$3"
 
-	echo -n "Option $6 "
+	echo -n "Option $7 / $6 "
 	$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >/dev/null 2>&1 || fail
-	$VERITYSETUP create $DEV_NAME $DEV_PARAMS $2 $6 >/dev/null 2>&1 || fail
+	$VERITYSETUP create $DEV_NAME $DEV_PARAMS $2 $7 $8 >/dev/null 2>&1 || fail
 	check_exists
-	$VERITYSETUP status $DEV_NAME 2>/dev/null | grep flags | grep -q $7 || fail
-	dmsetup table $DEV_NAME 2>/dev/null | grep -q $7 || fail
+	$VERITYSETUP status $DEV_NAME 2>/dev/null | grep flags | grep -q $6 || fail
+	dmsetup table $DEV_NAME 2>/dev/null | grep -q $6 || fail
 	$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
 	echo "[OK]"
 }
 
-function valgrind_setup()
+valgrind_setup()
 {
 	command -v valgrind >/dev/null || fail "Cannot find valgrind."
 	[ ! -f $VERITYSETUP_VALGRIND ] && fail "Unable to get location of veritysetup executable."
@@ -315,12 +334,12 @@ function valgrind_setup()
 	fi
 }
 
-function valgrind_run()
+valgrind_run()
 {
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${VERITYSETUP_VALGRIND} "$@"
 }
 
-function checkOffsetBug() # $1 size, $2 hash-offset, $3 data-blocks
+checkOffsetBug() # $1 size, $2 hash-offset, $3 data-blocks
 {
 	echo -n "Size :: $1 B | Hash-offset :: $2 blocks | Data-blocks :: $3 "
 	dd if=/dev/zero of=$IMG bs=1 count=0 seek=$1 >/dev/null 2>&1
@@ -329,7 +348,7 @@ function checkOffsetBug() # $1 size, $2 hash-offset, $3 data-blocks
 	remove_mapping
 }
 
-function checkOverlapBug() # $1 size, $2 hash-offset, $3 data-blocks, $4 block_size, $5 fec_offset
+checkOverlapBug() # $1 size, $2 hash-offset, $3 data-blocks, $4 block_size, $5 fec_offset
 {
 	echo -n "Device-size :: $1 B | "
 	[ $# -ge 3 ] && echo -n "Data-blocks :: $3 blocks| "
@@ -372,7 +391,7 @@ function checkOverlapBug() # $1 size, $2 hash-offset, $3 data-blocks, $4 block_s
 # $1 size, $2 block size, $3 roots, $4 hash offset, $5 fec offset,
 # $6 one dev(1 - one device, 2 - one device for data and hash, one device for fec data, 3 - three separate devices),
 # $7 #{corrupted bytes}
-function checkUserSpaceRepair()
+checkUserSpaceRepair()
 {
 	BS=512
 	COUNT=50000
@@ -404,7 +423,7 @@ function checkUserSpaceRepair()
 	echo "[OK]"
 }
 
-function check_concurrent() # $1 hash
+check_concurrent() # $1 hash
 {
 	DEV_PARAMS="$LOOPDEV1 $LOOPDEV2"
 
@@ -424,6 +443,8 @@ function check_concurrent() # $1 hash
 	wait
 	grep -q "Command failed with code .* (wrong or missing parameters)" $DEV_OUT && fail
 	grep -q "Command failed with code .* (wrong device or file specified)." $DEV_OUT && fail
+	# Some distros have strange udev rules, settle here seems to be necessary
+	udevadm settle >/dev/null 2>&1
 	check_exists
 	rm $DEV_OUT
 	$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
@@ -476,20 +497,24 @@ if check_version 1 3; then
 	SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d
 	HASH=9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174
 	prepare 8192 1024
-	check_option 512 $HASH $SALT 1 sha256 "--ignore-corruption" "ignore_corruption"
-	check_option 512 $HASH $SALT 1 sha256 "--restart-on-corruption" "restart_on_corruption"
-	check_option 512 $HASH $SALT 1 sha256 "--ignore-zero-blocks" "ignore_zero_blocks"
-	check_option 512 $HASH $SALT 1 sha256 "--ignore-corruption --ignore-zero-blocks" "ignore_corruption"
+	check_option 512 $HASH $SALT 1 sha256 ignore_corruption --ignore-corruption
+	check_option 512 $HASH $SALT 1 sha256 restart_on_corruption --restart-on-corruption
+	check_option 512 $HASH $SALT 1 sha256 ignore_zero_blocks --ignore-zero-blocks
+	check_option 512 $HASH $SALT 1 sha256 ignore_corruption --ignore-corruption --ignore-zero-blocks
 	if check_version 1 4; then
-		check_option 512 $HASH $SALT 1 sha256 "--check-at-most-once" "check_at_most_once"
+		check_option 512 $HASH $SALT 1 sha256 check_at_most_once --check-at-most-once
 	fi
 	if check_version 1 7; then
-		check_option 512 $HASH $SALT 1 sha256 "--panic-on-corruption" "panic_on_corruption"
+		check_option 512 $HASH $SALT 1 sha256 panic_on_corruption --panic-on-corruption
+	fi
+	if check_version_kernel 6 12; then # dm-verity 1.10+ but they forget bump version
+		check_option 512 $HASH $SALT 1 sha256 panic_on_error --error-as-corruption --panic-on-corruption
+		check_option 512 $HASH $SALT 1 sha256 restart_on_error --error-as-corruption --restart-on-corruption
 	fi
 
 	if check_version 1 9; then
 		echo "Verity data performance options test."
-		check_option 512 $HASH $SALT 1 sha256 "--use-tasklets" "try_verify_in_tasklet"
+		check_option 512 $HASH $SALT 1 sha256 try_verify_in_tasklet --use-tasklets
 	fi
 fi
 
@@ -564,5 +589,14 @@ else
 	echo "[N/A]"
 fi
 
+echo -n "Early check for active name:"
+prepare 8192 1024
+DM_BAD_NAME=x/x
+DM_LONG_NAME=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+$VERITYSETUP format $LOOPDEV1 $IMG_HASH --format=1 --data-block-size=512 --hash-block-size=512 --hash=sha256 --salt=$SALT >/dev/null 2>&1 || fail "Cannot format device."
+$VERITYSETUP open $LOOPDEV1 $DM_BAD_NAME $DEV $IMG_HASH 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 2>/dev/null && fail
+$VERITYSETUP open $LOOPDEV1 $DM_LONG_NAME $DEV $IMG_HASH 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 2>/dev/null && fail
+echo "[OK]"
+
 remove_mapping
 exit 0
diff --git a/tokens/ssh/cryptsetup-ssh.c b/tokens/ssh/cryptsetup-ssh.c
index eb68ba6..dfb561d 100644
--- a/tokens/ssh/cryptsetup-ssh.c
+++ b/tokens/ssh/cryptsetup-ssh.c
@@ -2,8 +2,8 @@
 /*
  * Example of LUKS2 token storing third party metadata (EXPERIMENTAL EXAMPLE)
  *
- * Copyright (C) 2016-2024 Milan Broz
- * Copyright (C) 2021-2024 Vojtech Trefny
+ * Copyright (C) 2016-2025 Milan Broz
+ * Copyright (C) 2021-2025 Vojtech Trefny
  *
  * Use:
  *  - generate ssh example token
diff --git a/tokens/ssh/libcryptsetup-token-ssh.c b/tokens/ssh/libcryptsetup-token-ssh.c
index 2b9ee0b..cb13e77 100644
--- a/tokens/ssh/libcryptsetup-token-ssh.c
+++ b/tokens/ssh/libcryptsetup-token-ssh.c
@@ -2,8 +2,8 @@
 /*
  * Example of LUKS2 ssh token handler (EXPERIMENTAL)
  *
- * Copyright (C) 2016-2024 Milan Broz
- * Copyright (C) 2020-2024 Vojtech Trefny
+ * Copyright (C) 2016-2025 Milan Broz
+ * Copyright (C) 2020-2025 Vojtech Trefny
  *
  * Use:
  *  - generate LUKS device
diff --git a/tokens/ssh/meson.build b/tokens/ssh/meson.build
index dba1d76..a090666 100644
--- a/tokens/ssh/meson.build
+++ b/tokens/ssh/meson.build
@@ -12,6 +12,8 @@ if get_option('ssh-token')
                 jsonc,
                 libssh,
             ],
+            install: true,
+            install_dir: luks2_external_tokens_path,
             link_with: libcryptsetup,
             link_args: token_link_args,
             include_directories: includes_tools + ['..'])
@@ -34,6 +36,8 @@ if get_option('ssh-token')
             popt,
             pwquality,
         ],
+        install: true,
+        install_dir: get_option('sbindir'),
         link_with: libcryptsetup,
         include_directories: includes_tools + ['..'])
 endif
diff --git a/tokens/ssh/ssh-utils.c b/tokens/ssh/ssh-utils.c
index df75e04..5005e52 100644
--- a/tokens/ssh/ssh-utils.c
+++ b/tokens/ssh/ssh-utils.c
@@ -2,8 +2,8 @@
 /*
  * ssh plugin utilities
  *
- * Copyright (C) 2016-2024 Milan Broz
- * Copyright (C) 2020-2024 Vojtech Trefny
+ * Copyright (C) 2016-2025 Milan Broz
+ * Copyright (C) 2020-2025 Vojtech Trefny
  */
 
 #include <stdio.h>
diff --git a/tokens/ssh/ssh-utils.h b/tokens/ssh/ssh-utils.h
index 2a7eb37..6c0a5e0 100644
--- a/tokens/ssh/ssh-utils.h
+++ b/tokens/ssh/ssh-utils.h
@@ -2,8 +2,8 @@
 /*
  * ssh plugin utilities
  *
- * Copyright (C) 2016-2024 Milan Broz
- * Copyright (C) 2020-2024 Vojtech Trefny
+ * Copyright (C) 2016-2025 Milan Broz
+ * Copyright (C) 2020-2025 Vojtech Trefny
  */
 
 #ifndef SSH_UTILS_H