diff --git a/man/crypttab.xml b/man/crypttab.xml
index c048cd64c21..e98151ca75b 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -531,8 +531,9 @@
- If the encryption password is read from console, no asterisks will be shown
- while typing the password.
+ If an encryption password or security token PIN is
+ read from console, no asterisks will be shown while typing the pin or
+ password.
diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c
index 6e400e44e37..7e347f4bf05 100644
--- a/src/cryptsetup/cryptsetup-fido2.c
+++ b/src/cryptsetup/cryptsetup-fido2.c
@@ -26,9 +26,10 @@ int acquire_fido2_key(
bool headless,
Fido2EnrollFlags required,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size) {
+ size_t *ret_decrypted_key_size,
+ bool silent) {
- AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
+ AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED | (silent*ASK_PASSWORD_SILENT);
_cleanup_strv_free_erase_ char **pins = NULL;
_cleanup_free_ void *loaded_salt = NULL;
const char *salt;
diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h
index 76ec28b3b18..a7623116816 100644
--- a/src/cryptsetup/cryptsetup-fido2.h
+++ b/src/cryptsetup/cryptsetup-fido2.h
@@ -26,7 +26,8 @@ int acquire_fido2_key(
bool headless,
Fido2EnrollFlags required,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size);
+ size_t *ret_decrypted_key_size,
+ bool silent);
int find_fido2_auto_data(
struct crypt_device *cd,
@@ -56,7 +57,8 @@ static inline int acquire_fido2_key(
bool headless,
Fido2EnrollFlags required,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size) {
+ size_t *ret_decrypted_key_size,
+ bool silent) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index f0826c47e56..024909f7334 100644
--- a/src/cryptsetup/cryptsetup.c
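Review bot: The flag is folded in as `(silent*ASK_PASSWORD_SILENT)` in the initialiser of `flags` in acquire_fido2_key(), which multiplies a `bool` by an enum constant and is only correct while `silent` is exactly 0 or 1. `silent ? ASK_PASSWORD_SILENT : 0` states the intent directly, unless the multiply form is an established convention in this tree. The new parameter also deserves a one-line comment, for example `/* silent: do not echo asterisks for the PIN, so its length is not visible on the console */`. The function body continues outside the hunk, so how `flags` reaches the prompt cannot be checked from here.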
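Review bot: acquire_fido2_key() now takes two positional `bool` arguments, `headless` and `silent`, separated by other parameters, so a call that passes them in the wrong order still compiles and quietly changes whether the PIN prompt echoes. Taking the `AskPasswordFlags` bits as one argument instead of separate booleans would make call sites self-describing; short of that, the declaration should carry a comment saying what `silent` controls. The same applies to the `static inline` stub in the second hunk of this header, which has to keep the identical parameter order. The prototype starts above both hunks, so the full parameter list is not visible here.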
+++ b/src/cryptsetup/cryptsetup.c
@@ -809,7 +809,8 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
until,
arg_headless,
required,
- &decrypted_key, &decrypted_key_size);
+ &decrypted_key, &decrypted_key_size,
+ arg_silent);
if (r >= 0)
break;
if (r != -EAGAIN) /* EAGAIN means: token not found */
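Review bot: Only the FIDO2 call in attach_luks_or_plain_or_bitlk_by_fido2() receives `arg_silent` in the visible changes, while the crypttab.xml text in the same commit promises the behaviour for any "security token PIN". If another token-based attach path in this file prompts for a PIN (a PKCS#11 one, if present), it needs the same flag; otherwise the PIN length is still echoed as asterisks there and the man page overstates what the option does. The function starts and ends outside the hunk, so this should be confirmed against the rest of the file.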