diff -Nru cryptsetup-2.2.2/configure.ac cryptsetup-2.3.1/configure.ac
--- cryptsetup-2.2.2/configure.ac	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/configure.ac	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.2.2])
+AC_INIT([cryptsetup],[2.3.1])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=17:0:5
+LIBCRYPTSETUP_VERSION_INFO=18:0:6
 
 AM_SILENT_RULES([yes])
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
@@ -33,6 +33,7 @@
 AC_ENABLE_STATIC(no)
 LT_INIT
 PKG_PROG_PKG_CONFIG
+AM_ICONV
 
 dnl ==========================================================================
 dnl define PKG_CHECK_VAR for old pkg-config <= 0.28
@@ -59,6 +60,12 @@
 AC_HEADER_STDC
 AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
 	sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h)
+AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])],
+[[
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+]])
 
 AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([You need the uuid library.])])
 AC_CHECK_HEADER(libdevmapper.h,,[AC_MSG_ERROR([You need the device-mapper library.])])
@@ -348,6 +355,7 @@
 AC_CHECK_DECLS([dm_task_deferred_remove], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([dm_device_has_mounted_fs], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([dm_device_has_holders], [], [], [#include <libdevmapper.h>])
+AC_CHECK_DECLS([dm_device_get_name], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([DM_DEVICE_GET_TARGET_VERSION], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([DM_UDEV_DISABLE_DISK_RULES_FLAG], [have_cookie=yes], [have_cookie=no], [#include <libdevmapper.h>])
 if test "x$enable_udev" = xyes; then
diff -Nru cryptsetup-2.2.2/debian/bash_completion/cryptdisks cryptsetup-2.3.1/debian/bash_completion/cryptdisks
--- cryptsetup-2.2.2/debian/bash_completion/cryptdisks	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/bash_completion/cryptdisks	1970-01-01 00:00:00.000000000 +0000
@@ -1,42 +0,0 @@
-# cryptdisks_{start,stop} completion by first column of crypttab
-#
-# Copyright 2013 Claudius Hubig <cl_crds@chubig.net>, 2-clause BSD
-
-_cryptdisks() {
-    local action="$1" t
-    for t in $( mawk -vt="${COMP_WORDS[COMP_CWORD]}" \
-                '($1 !~ /^#/ && index($1,t) == 1) {print $1}' \
-                "${TABFILE-"/etc/crypttab"}" ); do
-        if [ "$action" = start -a ! -e "/dev/mapper/$t" ] ||
-           [ "$action" = stop  -a   -e "/dev/mapper/$t" ]; then
-           COMPREPLY+=( "$t" )
-        fi
-    done
-    return 0;
-}
-
-_cryptdisks_start() {
-    local i include_options=y
-    COMPREPLY=()
-    for (( i=0; i < COMP_CWORD-1; i++ )); do
-        if [ "${COMP_WORDS[i]}" = "--" ] || [[ "${COMP_WORDS[i]}" != -* ]]; then
-            include_options=n
-            break
-        fi
-    done
-    if [ "$include_options" = "y" ]; then
-        for i in "-r" "--readonly" "--"; do
-            if [[ "$i" == "${COMP_WORDS[COMP_CWORD]}"* ]]; then
-                COMPREPLY+=( "$i" )
-            fi
-        done
-    fi
-    _cryptdisks start "$@"
-}
-_cryptdisks_stop()  {
-    COMPREPLY=()
-    _cryptdisks stop  "$@";
-}
-
-complete -F _cryptdisks_start cryptdisks_start
-complete -F _cryptdisks_stop cryptdisks_stop
diff -Nru cryptsetup-2.2.2/debian/bash_completion/cryptdisks_start cryptsetup-2.3.1/debian/bash_completion/cryptdisks_start
--- cryptsetup-2.2.2/debian/bash_completion/cryptdisks_start	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/debian/bash_completion/cryptdisks_start	2020-03-24 01:07:07.000000000 +0000
@@ -0,0 +1,42 @@
+# cryptdisks_{start,stop} completion by first column of crypttab
+#
+# Copyright 2013 Claudius Hubig <cl_crds@chubig.net>, 2-clause BSD
+
+_cryptdisks() {
+    local action="$1" t
+    for t in $( mawk -vt="${COMP_WORDS[COMP_CWORD]}" \
+                '($1 !~ /^#/ && index($1,t) == 1) {print $1}' \
+                "${TABFILE-"/etc/crypttab"}" ); do
+        if [ "$action" = start -a ! -e "/dev/mapper/$t" ] ||
+           [ "$action" = stop  -a   -e "/dev/mapper/$t" ]; then
+           COMPREPLY+=( "$t" )
+        fi
+    done
+    return 0;
+}
+
+_cryptdisks_start() {
+    local i include_options=y
+    COMPREPLY=()
+    for (( i=0; i < COMP_CWORD-1; i++ )); do
+        if [ "${COMP_WORDS[i]}" = "--" ] || [[ "${COMP_WORDS[i]}" != -* ]]; then
+            include_options=n
+            break
+        fi
+    done
+    if [ "$include_options" = "y" ]; then
+        for i in "-r" "--readonly" "--"; do
+            if [[ "$i" == "${COMP_WORDS[COMP_CWORD]}"* ]]; then
+                COMPREPLY+=( "$i" )
+            fi
+        done
+    fi
+    _cryptdisks start "$@"
+}
+_cryptdisks_stop()  {
+    COMPREPLY=()
+    _cryptdisks stop  "$@";
+}
+
+complete -F _cryptdisks_start cryptdisks_start
+complete -F _cryptdisks_stop cryptdisks_stop
diff -Nru cryptsetup-2.2.2/debian/changelog cryptsetup-2.3.1/debian/changelog
--- cryptsetup-2.2.2/debian/changelog	2020-02-27 06:16:14.000000000 +0000
+++ cryptsetup-2.3.1/debian/changelog	2020-05-01 14:07:58.000000000 +0000
@@ -1,3 +1,48 @@
+cryptsetup (2:2.3.1-1ubuntu1) groovy; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/control:
+      + Recommend plymouth.
+      + Depend on busybox-initramfs instead of busybox | busybox-static.
+    - Fix cryptroot-unlock for busybox compatibility.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 01 May 2020 07:07:58 -0700
+
+cryptsetup (2:2.3.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 24 Mar 2020 02:07:07 +0100
+
+cryptsetup (2:2.3.0-1) unstable; urgency=low
+
+  * New upstream release, introducing support for BitLocker-compatible
+    devices (BITLK format) used in Windows systems.
+    WARNING: crypttab(5) support for these devices is currently *experimental*
+    and requires blkid from util-linux >=2.33 (i.e., Buster or later).  These
+    devices currently have no keyword to use in the 4th field (unlike 'luks'
+    or 'plain'), the device type is inferred from the signature instead.
+  * crypttab(5): Make the 4th field (options) optional so we don't have to
+    introduce a new keyword for each new device type.  (That field is also
+    optional in the systemd implementation.)  Other fields (dm target name,
+    source device, and key file) remain required.
+  * Install cryptdisks_{start,stop} bash completion scripts to the right
+    path/name so they are loaded automatically. This was no longer the case
+    since 2:1.7.0-1.  (Closes: #949623)
+  * d/*.install: Replace tabs with spaces.
+  * d/cryptdisks-functions: Fix broken $FORCE_START handling.  Since
+    2:2.0.3-2 the SysV init scripts' "force-start" option was no longer
+    overriding noauto/noearly.  (Closes: #933142)
+  * Move some functions to d/function from the initramfs hook.
+  * SysV init scripts: skip devices holding the root FS and/or /usr during the
+    shutdown phase; these file systems are still mounted at this point so any
+    attempt to gracefully close the underlying device(s) is bound to fail.
+    (Closes: #916649, #918008)
+  * Bump Standards-Version to 4.5.0 (no changes necessary).
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 04 Mar 2020 00:48:19 +0100
+
 cryptsetup (2:2.2.2-3ubuntu2) focal; urgency=medium
 
   * Depend on cryptsetup from cryptsetup-initramfs instead of the dummy
@@ -18,7 +63,8 @@
 cryptsetup (2:2.2.2-3) unstable; urgency=high
 
   * initramfs hook: Workaround fix for the libgcc_s's source location.
-    (Closes: #950628, #939766.)  See #950254 for the proper fix.
+    (Closes: #950628, #939766.)  Fixing #950254 will provide a better
+    solution.
 
  -- Guilhem Moulin <guilhem@debian.org>  Tue, 04 Feb 2020 14:11:12 +0100
 
diff -Nru cryptsetup-2.2.2/debian/control cryptsetup-2.3.1/debian/control
--- cryptsetup-2.2.2/debian/control	2020-02-27 06:15:43.000000000 +0000
+++ cryptsetup-2.3.1/debian/control	2020-03-24 21:20:08.000000000 +0000
@@ -31,7 +31,7 @@
                uuid-dev,
                xsltproc,
                xxd
-Standards-Version: 4.4.1
+Standards-Version: 4.5.0
 Homepage: https://gitlab.com/cryptsetup/cryptsetup
 Vcs-Browser: https://salsa.debian.org/cryptsetup-team/cryptsetup
 Vcs-Git: https://salsa.debian.org/cryptsetup-team/cryptsetup.git
diff -Nru cryptsetup-2.2.2/debian/cryptdisks-functions cryptsetup-2.3.1/debian/cryptdisks-functions
--- cryptsetup-2.2.2/debian/cryptdisks-functions	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/cryptdisks-functions	2020-03-24 21:20:09.000000000 +0000
@@ -85,13 +85,12 @@
         loud="yes"
     fi
 
-    if [ -n "${CRYPTTAB_OPTION_noearly+x}" ] && [ "$INITSTATE" = "early" ]; then
-        [ -z "${FORCE_START-}" ] || device_msg "ignored"
-        return 0
-    fi
-    if [ -n "${CRYPTTAB_OPTION_noauto+x}" ] && [ "$INITSTATE" != "manual" ]; then
-        [ -z "${FORCE_START-}" ] || device_msg "ignored"
-        return 0
+    if [ -z "${FORCE_START-}" ]; then
+        if [ "$INITSTATE" = "early" -a -n "${CRYPTTAB_OPTION_noearly+x}" ] ||
+                [ "$INITSTATE" != "manual" -a -n "${CRYPTTAB_OPTION_noauto+x}" ]; then
+            device_msg "ignored"
+            return 0
+        fi
     fi
 
     if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
@@ -111,13 +110,12 @@
     device_msg "starting"
 
     local out tmpdev
-    get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device
-    if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+    if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then
+        # fail if the device has a filesystem and the disk encryption format doesn't
+        # verify the key digest (unlike LUKS); unless it's swap, otherwise people can't
+        # easily convert an existing plainttext swap partition to an encrypted one
         if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" 2>/dev/null)" &&
                 ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap >/dev/null; then
-            # fail if the device has a filesystem; unless it's swap,
-            # otherwise people can't easily convert an existing
-            # plainttext swap partition to an encrypted one
             log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out"
             return 1
         fi
@@ -177,25 +175,44 @@
     return 1
 }
 
-# Removes all mappings in crypttab
+# Removes all mappings in crypttab, except the ones holding the root
+# file system or /usr
 do_stop() {
+    local devno_rootfs devno_usr
     dmsetup mknodes
     log_action_begin_msg "Stopping $INITSTATE crypto disks"
 
+    devno_rootfs="$(get_mnt_devno /)" || devno_rootfs=""
+    devno_usr="$(get_mnt_devno /usr)" || devno_usr=""
+
     crypttab_foreach_entry _do_stop_callback
     log_action_end_msg 0
 }
 _do_stop_callback() {
-    local i rv=0
-    for i in 1 2 4 8 16 32; do
-        remove_mapping "$CRYPTTAB_NAME" 3<&- && break || rv=$?
-        if [ $rv -eq 1 ] || [ $rv -eq 2 -a $i -gt 16 ]; then
-            log_action_end_msg $rv
-            break
-        fi
-        log_action_cont_msg "$CRYPTTAB_NAME busy..."
-        sleep $i
-    done
+    local i rv=0 skip="n"
+
+    # traverse the device tree for each crypttab(5) entry, that's
+    # suboptimal but we can't use mapped device names as they might
+    # contain any character other than NUL.  shouldn't be much overhead
+    # anyway as the device tree is likely not that long
+    loop_cryptdevs _do_stop_skipped $devno_rootfs $devno_usr
+
+    if [ "$skip" = "n" ]; then
+        for i in 1 2 4 8 16 32; do
+            remove_mapping "$CRYPTTAB_NAME" 3<&- && break || rv=$?
+            if [ $rv -eq 1 ] || [ $rv -eq 2 -a $i -gt 16 ]; then
+                log_action_end_msg $rv
+                break
+            fi
+            log_action_cont_msg "$CRYPTTAB_NAME busy..."
+            sleep $i
+        done
+    fi
+}
+_do_stop_skipped() {
+    if [ "$1" = "$CRYPTTAB_NAME" ]; then
+        skip="y"
+    fi
 }
 
 # device_msg([$name], $message)
diff -Nru cryptsetup-2.2.2/debian/cryptsetup-initramfs.install cryptsetup-2.3.1/debian/cryptsetup-initramfs.install
--- cryptsetup-2.2.2/debian/cryptsetup-initramfs.install	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/cryptsetup-initramfs.install	2020-03-24 21:20:09.000000000 +0000
@@ -1,9 +1,9 @@
-debian/initramfs/conf-hook				/etc/cryptsetup-initramfs/
-debian/initramfs/conf-hooks.d/cryptsetup		/usr/share/initramfs-tools/conf-hooks.d/
-debian/initramfs/cryptroot-unlock			/usr/share/cryptsetup/initramfs/bin/
-debian/initramfs/hooks/*				/usr/share/initramfs-tools/hooks/
-debian/initramfs/scripts/local-block/cryptroot		/usr/share/initramfs-tools/scripts/local-block/
-debian/initramfs/scripts/local-bottom/cryptgnupg-sc	/usr/share/initramfs-tools/scripts/local-bottom/
-debian/initramfs/scripts/local-bottom/cryptopensc	/usr/share/initramfs-tools/scripts/local-bottom/
-debian/initramfs/scripts/local-top/cryptopensc		/usr/share/initramfs-tools/scripts/local-top/
-debian/initramfs/scripts/local-top/cryptroot		/usr/share/initramfs-tools/scripts/local-top/
+debian/initramfs/conf-hook                          /etc/cryptsetup-initramfs/
+debian/initramfs/conf-hooks.d/cryptsetup            /usr/share/initramfs-tools/conf-hooks.d/
+debian/initramfs/cryptroot-unlock                   /usr/share/cryptsetup/initramfs/bin/
+debian/initramfs/hooks/*                            /usr/share/initramfs-tools/hooks/
+debian/initramfs/scripts/local-block/cryptroot      /usr/share/initramfs-tools/scripts/local-block/
+debian/initramfs/scripts/local-bottom/cryptgnupg-sc /usr/share/initramfs-tools/scripts/local-bottom/
+debian/initramfs/scripts/local-bottom/cryptopensc   /usr/share/initramfs-tools/scripts/local-bottom/
+debian/initramfs/scripts/local-top/cryptopensc      /usr/share/initramfs-tools/scripts/local-top/
+debian/initramfs/scripts/local-top/cryptroot        /usr/share/initramfs-tools/scripts/local-top/
diff -Nru cryptsetup-2.2.2/debian/cryptsetup.install cryptsetup-2.3.1/debian/cryptsetup.install
--- cryptsetup-2.2.2/debian/cryptsetup.install	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/cryptsetup.install	2020-03-24 21:20:08.000000000 +0000
@@ -1,9 +1,9 @@
-debian/askpass				/lib/cryptsetup/
-debian/bash_completion/cryptdisks	/usr/share/bash-completion/completions/
-debian/checks/*				/lib/cryptsetup/checks/
-debian/cryptdisks-functions		/lib/cryptsetup/
-debian/functions			/lib/cryptsetup/
-debian/scripts/cryptdisks_*		/sbin/
-debian/scripts/decrypt_*		/lib/cryptsetup/scripts/
-debian/scripts/luksformat		/usr/sbin/
-debian/scripts/passdev			/lib/cryptsetup/scripts/
+debian/askpass                          /lib/cryptsetup/
+debian/bash_completion/cryptdisks_start /usr/share/bash-completion/completions/
+debian/checks/*                         /lib/cryptsetup/checks/
+debian/cryptdisks-functions             /lib/cryptsetup/
+debian/functions                        /lib/cryptsetup/
+debian/scripts/cryptdisks_*             /sbin/
+debian/scripts/decrypt_*                /lib/cryptsetup/scripts/
+debian/scripts/luksformat               /usr/sbin/
+debian/scripts/passdev                  /lib/cryptsetup/scripts/
diff -Nru cryptsetup-2.2.2/debian/cryptsetup.links cryptsetup-2.3.1/debian/cryptsetup.links
--- cryptsetup-2.2.2/debian/cryptsetup.links	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/debian/cryptsetup.links	2020-03-24 01:07:07.000000000 +0000
@@ -0,0 +1 @@
+/usr/share/bash-completion/completions/cryptdisks_start /usr/share/bash-completion/completions/cryptdisks_stop
diff -Nru cryptsetup-2.2.2/debian/cryptsetup-udeb.install cryptsetup-2.3.1/debian/cryptsetup-udeb.install
--- cryptsetup-2.2.2/debian/cryptsetup-udeb.install	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/cryptsetup-udeb.install	2020-03-24 21:20:09.000000000 +0000
@@ -1,7 +1,7 @@
-debian/askpass				/lib/cryptsetup/
-debian/checks/*				/lib/cryptsetup/checks/
-debian/cryptdisks-functions		/lib/cryptsetup/
-debian/functions			/lib/cryptsetup/
-debian/scripts/decrypt_*		/lib/cryptsetup/scripts/
-debian/scripts/passdev			/lib/cryptsetup/scripts/
+debian/askpass              /lib/cryptsetup/
+debian/checks/*             /lib/cryptsetup/checks/
+debian/cryptdisks-functions /lib/cryptsetup/
+debian/functions            /lib/cryptsetup/
+debian/scripts/decrypt_*    /lib/cryptsetup/scripts/
+debian/scripts/passdev      /lib/cryptsetup/scripts/
 sbin/cryptsetup
diff -Nru cryptsetup-2.2.2/debian/doc/crypttab.xml cryptsetup-2.3.1/debian/doc/crypttab.xml
--- cryptsetup-2.2.2/debian/doc/crypttab.xml	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/doc/crypttab.xml	2020-03-24 21:20:09.000000000 +0000
@@ -76,23 +76,20 @@
    useful.
   </simpara>
   <simpara>
-   The fourth field, <emphasis>options</emphasis>, describes the cryptsetup
-   options associated with the encryption process. At minimum, the field should
-   contain either the string <emphasis>luks</emphasis> respectively
-   <emphasis>tcrypt</emphasis> or the <emphasis>cipher</emphasis>,
-   <emphasis>hash</emphasis> and <emphasis>size</emphasis> options.
-   Some options can be changed on active devices using
+   The fourth field, <emphasis>options</emphasis>, is an optional comma-separated
+   list of options and/or flags describing the device type (<emphasis>luks</emphasis>,
+   <emphasis>tcrypt</emphasis>, or <emphasis>plain</emphasis> which is also the default)
+   and cryptsetup options associated with the encryption process.  The supported options
+   are described below.
+   For plain dm-crypt devices the <emphasis>cipher</emphasis>, <emphasis>hash</emphasis>
+   and <emphasis>size</emphasis> options are required.
+   Some options can be changed on active mappings using
    <command>cryptsetup refresh [&lt;options&gt;] &lt;name&gt;</command>.
-   Moreover some options can be permanently written to the metada of LUKS2
-   headers using the <command>--persistent</command> option flag.
+   Furthermore some options can be permanently written into metadata of LUKS2
+   headers using cryptsetup's <emphasis>--persistent</emphasis> flag.
   </simpara>
   <simpara>
-   Options are in the format: <emphasis>key</emphasis>=<emphasis>value</emphasis>
-   [,<emphasis>key</emphasis>=<emphasis>value</emphasis> &#8230;]. The
-   supported options are described below.
-  </simpara>
-  <simpara>
-   Note that all four fields are mandatory and that a missing field will lead
+   Note that the first three fields are required and that a missing field will lead
    to unspecified behaviour.
   </simpara>
  </refsect1>
@@ -299,7 +296,7 @@
    </varlistentry>
 
    <varlistentry>
-       <term><emphasis>veracrypt</emphasis>, <emphasis>tcrypt-veracrypt</emphasis></term>
+    <term><emphasis>veracrypt</emphasis>, <emphasis>tcrypt-veracrypt</emphasis></term>
     <listitem>
      <simpara>
       Use VeraCrypt extension to TrueCrypt device. Only useful in
@@ -310,7 +307,7 @@
    </varlistentry>
 
    <varlistentry>
-       <term><emphasis>tcrypthidden</emphasis>, <emphasis>tcrypt-hidden</emphasis></term>
+    <term><emphasis>tcrypthidden</emphasis>, <emphasis>tcrypt-hidden</emphasis></term>
     <listitem>
      <simpara>
        Use hidden TCRYPT header (ignored for non-TCRYPT devices).
diff -Nru cryptsetup-2.2.2/debian/functions cryptsetup-2.3.1/debian/functions
--- cryptsetup-2.2.2/debian/functions	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/functions	2020-03-24 21:20:08.000000000 +0000
@@ -36,6 +36,7 @@
 #   For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY)
 #   should be set to the (unmangled) mapped device name (resp. key
 #   file).
+#   Moreover CRYPTTAB_TYPE is set the device type.
 #   Return 1 on parsing error, 0 otherwise (incl. if unknown options
 #   were encountered).
 crypttab_parse_options() {
@@ -104,12 +105,18 @@
     done
     IFS=" "
 
-    if [ "$quiet" = "n" ] &&
-            [ -z "${CRYPTTAB_OPTION_luks+x}" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
-        cryptsetup_message "WARNING: Option 'luks' missing in crypttab for target $CRYPTTAB_NAME." \
-                           "Headers are only supported for LUKS devices."
+    if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device
+        CRYPTTAB_TYPE="plain"
+        if [ "$quiet" = "n" ]; then
+            cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \
+                               "assuming default ($CRYPTTAB_TYPE)."
+        fi
+    fi
+
+    if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then
+        cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices."
     fi
-    if [ -z "${CRYPTTAB_OPTION_luks+x}" ] && [ -z "${CRYPTTAB_OPTION_tcrypt+x}" ]; then
+    if [ "$CRYPTTAB_TYPE" = "plain" ]; then
         # the compiled-in default for these are subject to change
         options='cipher size'
         if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
@@ -240,7 +247,7 @@
     [ ! -f "$CRYPTTAB_SOURCE" ] || return 0
     # otherwise resolve the block device specification
     local dev="$CRYPTTAB_SOURCE"
-    dev="$(resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1
+    dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1
 }
 
 # run_keyscript($keyscriptarg, $tried_count)
@@ -272,21 +279,34 @@
     exec "$keyscript" "$keyscriptarg"
 }
 
-# get_crypt_type()
+# _get_crypt_type()
 #    Set CRYPTTAB_TYPE to the mapping type, depending on its
 #    $CRYPTTAB_OPTION_<option> values
-get_crypt_type() {
-    if [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
-        CRYPTTAB_TYPE="tcrypt"
+#    Return a non-zero status if the mapping couldn't be determined
+_get_crypt_type() {
+    local s="$CRYPTTAB_SOURCE" t="" blk_t
+
+    if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then
+        t="luks"
+    elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
+        t="tcrypt"
     elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then
-        CRYPTTAB_TYPE="plain"
-    elif [ "${CRYPTTAB_OPTION_luks-}" = "yes" ] ||
-            /sbin/cryptsetup isLuks -- "${CRYPTTAB_OPTION_header-$CRYPTTAB_SOURCE}"; then
-        CRYPTTAB_TYPE="luks"
-    else
-        # assume plain dm-crypt device by default
-        CRYPTTAB_TYPE="plain"
+        t="plain"
+    elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
+        # detached headers are only supported for LUKS devices
+        if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then
+            t="luks"
+        fi
+    elif [ -f "$s" ] || s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then
+        if /sbin/cryptsetup isLuks -- "$s"; then
+            t="luks"
+        elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then
+            t="bitlk"
+        fi
     fi
+
+    [ -n "$t" ] || return 1
+    CRYPTTAB_TYPE="$t"
 }
 
 # unlock_mapping([$keyfile])
@@ -365,12 +385,12 @@
     fi
 }
 
-# resolve_device_spec($spec)
+# _resolve_device_spec($spec)
 #   Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and
 #   PARTLABEL=<partlabel> to a block special device.  If $spec is
 #   already a (link to a block special device) then it is echoed as is.
 #   Return 1 if $spec doesn't correspond to a block special device.
-resolve_device_spec() {
+_resolve_device_spec() {
     local spec="$1"
     case "$spec" in
         UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*)
@@ -419,7 +439,7 @@
 
             # unmangle names
             CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
-            if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ] || [ -z "$_CRYPTTAB_OPTIONS" ]; then
+            if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
                 cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
                 continue
             elif [ "$CRYPTTAB_NAME" = "$target" ]; then
@@ -442,7 +462,7 @@
 #   entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY
 #   and CRYPTTAB_OPTIONS are set accordingly and available to the
 #   $callback.  (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE,
-#   _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the unmangled values
+#   _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values
 #   before decoding the escape sequence.)
 #   Return 0 if a match is found, and 1 otherwise.
 crypttab_foreach_entry() {
@@ -458,18 +478,128 @@
         fi
 
         # unmangle names
-        CRYPTTAB_NAME="$(   printf '%b' "$_CRYPTTAB_NAME"   )"
-        CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
-        CRYPTTAB_KEY="$(    printf '%b' "$_CRYPTTAB_KEY"    )"
-        CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
+        CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
 
-        if [ -z "$CRYPTTAB_SOURCE" ] || [ -z "$CRYPTTAB_KEY" ] || [ -z "$CRYPTTAB_OPTIONS" ]; then
+        if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
             cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
             continue
         fi
 
+        CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
+        CRYPTTAB_KEY="$(    printf '%b' "$_CRYPTTAB_KEY"    )"
+        CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
+
         "$callback" 9<&-
     done 9<"$TABFILE"
 }
 
+# _device_uuid($device)
+#   Print the UUID attribute of given block special $device.  Return 0
+#   on success, 1 on error.
+_device_uuid() {
+    local device="$1" uuid
+    if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then
+        printf '%s\n' "$uuid"
+    else
+        return 1
+    fi
+}
+
+# _resolve_device({$device | $spec})
+#   Take a path to (or spec for) a block special device, and set DEV to
+#   the (symlink to block) device, and MAJ (resp. MIN) to its major-ID
+#   (resp. minor ID) decimal value.  On error these variables are not
+#   changed and 1 is returned.
+_resolve_device() {
+    local spec="$1" dev devno maj min
+    if dev="$(_resolve_device_spec "$spec")" &&
+            devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" &&
+            maj="${devno%:*}" && min="${devno#*:}" &&
+            [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
+            maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then
+        DEV="$dev"
+        MAJ="$maj"
+        MIN="$min"
+        return 0
+    else
+        cryptsetup_message "ERROR: Couldn't resolve device $spec"
+    fi
+    return 1
+}
+
+# get_mnt_devno($mountpoint)
+#   Print the major:minor device ID(s) holding the file system currently
+#   mounted currenty mounted on $mountpoint.
+#   Return 0 on success, 1 on error (if $mountpoint is not a mountpoint).
+get_mnt_devno() {
+    local wantmount="$1" devnos="" uuid dev IFS
+    local spec mountpoint fstype _ DEV MAJ MIN
+
+    while IFS=" 	" read -r spec mountpoint fstype _; do
+        # treat lines starting with '#' as comments; /proc/mounts
+        # doesn't seem to contain these but per procfs(5) the format of
+        # that file is analogous to fstab(5)'s
+        if [ "${spec#\#}" = "$spec" ] && [ -n "$spec" ] &&
+                [ "$(printf '%b' "$mountpoint")" = "$wantmount" ]; then
+            # take the last mountpoint if used several times (shadowed)
+            unset -v devnos
+            spec="$(printf '%b' "$spec")"
+            _resolve_device "$spec" || continue # _resolve_device() already warns on error
+            fstype="$(printf '%b' "$fstype")"
+            if [ "$fstype" = "btrfs" ]; then
+                # btrfs can span over multiple devices
+                if uuid="$(_device_uuid "$DEV")"; then
+                    for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do
+                        devnos="${devnos:+$devnos }$(cat "$dev")"
+                    done
+                else
+                    cryptsetup_message "ERROR: $spec: Couldn't determine UUID"
+                fi
+            elif [ -n "$fstype" ]; then
+                devnos="$MAJ:$MIN"
+            fi
+        fi
+    done </proc/mounts
+
+    if [ -z "${devnos:+x}" ]; then
+        return 1 # not found
+    else
+        printf '%s' "$devnos"
+    fi
+}
+
+# foreach_cryptdev($callback, $maj:$min, [$maj:$min ..])
+#   Run $callback on the (unmangled) name of each dm-crypt device
+#   recursively holding $maj:$min (typically corresponding to an md,
+#   linear, or dm-crypt device).  Slaves that aren't dm-crypt devices
+#   are ignored.
+foreach_cryptdev() {
+    local callback="$1" devno base
+    shift
+    for devno in "$@"; do
+        base="/sys/dev/block/$devno"
+        if [ ! -d "$base" ]; then
+            cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno"
+            return 1
+        fi
+        _foreach_cryptdev "$callback" "$base"
+    done
+}
+_foreach_cryptdev() {
+    local callback="$1" d="$2" devno maj min name slave
+    [ -d "$d/slaves" ] || return 0
+    if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
+            maj="${devno%:*}" && min="${devno#*:}" &&
+            [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
+            [ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] &&
+            name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
+        "$callback" "$name"
+    fi
+    for slave in "$d/slaves"/*; do
+        if [ -d "$slave" ] && slave="$(realpath -e -- "$slave")"; then
+            _foreach_cryptdev "$callback" "$slave"
+        fi
+    done
+}
+
 # vim: set filetype=sh :
diff -Nru cryptsetup-2.2.2/debian/initramfs/hooks/cryptroot cryptsetup-2.3.1/debian/initramfs/hooks/cryptroot
--- cryptsetup-2.2.2/debian/initramfs/hooks/cryptroot	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/initramfs/hooks/cryptroot	2020-03-24 21:20:09.000000000 +0000
@@ -19,104 +19,6 @@
 TABFILE="/etc/crypttab"
 
 
-# device_uuid($device)
-#   Print the UUID attribute of given block special $device.  Return 0
-#   on success, 1 on error.
-device_uuid() {
-    local device="$1" uuid
-    if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then
-        printf '%s\n' "$uuid"
-    else
-        return 1
-    fi
-}
-
-# resolve_device({$device | $spec})
-#   Take a path to (or spec for) a block special device, and set DEV to
-#   the (symlink to block) device, and MAJ (resp. MIN) to its major-ID
-#   (resp. minor ID) decimal value.  On error these variables are not
-#   changed and 1 is returned.
-resolve_device() {
-    local spec="$1" dev devno maj min
-    if dev="$(resolve_device_spec "$spec")" &&
-            devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" &&
-            maj="${devno%:*}" && min="${devno#*:}" &&
-            [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
-            maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then
-        DEV="$dev"
-        MAJ="$maj"
-        MIN="$min"
-        return 0
-    else
-        cryptsetup_message "ERROR: Couldn't resolve device $spec"
-    fi
-    return 1
-}
-
-# get_mnt_devno($mountpoint)
-#   Print the major:minor device ID(s) holding the file system currently
-#   mounted currenty mounted on $mountpoint.
-#   Return 0 on success, 1 on error (if $mountpoint is not a mountpoint).
-get_mnt_devno() {
-    local wantmount="$1" devnos="" uuid dev IFS
-    local spec mountpoint fstype _ DEV MAJ MIN
-
-    while IFS=" 	" read -r spec mountpoint fstype _; do
-        # treat lines starting with '#' as comments; /proc/mounts
-        # doesn't seem to contain these but per procfs(5) the format of
-        # that file is analogous to fstab(5)'s
-        if [ "${spec#\#}" = "$spec" ] && [ -n "$spec" ] &&
-                [ "$(printf '%b' "$mountpoint")" = "$wantmount" ]; then
-            # take the last mountpoint if used several times (shadowed)
-            unset -v devnos
-            spec="$(printf '%b' "$spec")"
-            resolve_device "$spec" || continue # resolve_device() already warns on error
-            fstype="$(printf '%b' "$fstype")"
-            if [ "$fstype" = "btrfs" ]; then
-                # btrfs can span over multiple devices
-                if uuid="$(device_uuid "$DEV")"; then
-                    for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do
-                        devnos="${devnos:+$devnos }$(cat "$dev")"
-                    done
-                else
-                    cryptsetup_message "ERROR: $spec: Couldn't determine UUID"
-                fi
-            elif [ -n "$fstype" ]; then
-                devnos="$MAJ:$MIN"
-            fi
-        fi
-    done </proc/mounts
-
-    if [ -z "${devnos:+x}" ]; then
-        return 1 # not found
-    else
-        printf '%s' "$devnos"
-    fi
-}
-
-# get_dmcrypt_slaves({/sys/dev/block/$maj:$min | /sys/devices/...})
-#   Recursively print the crypttab(5) entries to FD nr. 3, for each
-#   dm-crypt device holding $maj:$min (typically corresponding to an md,
-#   lv, or dm-crypt device).  Slaves that aren't dm-crypt devices are
-#   NOT printed.
-get_dmcrypt_slaves() {
-    local d="$1" devno maj min name slave
-    [ -d "$d/slaves" ] || return 0
-    if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
-            maj="${devno%:*}" && min="${devno#*:}" &&
-            [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
-            [ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] &&
-            name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
-        # search for a crypttab entry with the given unmangled name
-        crypttab_find_and_print_entry "$name"
-    fi
-    for slave in "$d/slaves"/*; do
-        if [ -d "$slave" ] && slave="$(realpath -e -- "$slave")"; then
-            get_dmcrypt_slaves "$slave"
-        fi
-    done
-}
-
 # crypttab_find_and_print_entry($target)
 #   Find the crypttab(5) entry for the given (unmangled) $target and
 #   print it - preserving the mangling - to FD nr. 3; but only if the
@@ -149,7 +51,7 @@
 #   Return 0 on success, 1 on error.
 crypttab_print_entry() {
     local DEV MAJ MIN sourcename uuid keyfile
-    if resolve_device "$CRYPTTAB_SOURCE"; then
+    if _resolve_device "$CRYPTTAB_SOURCE"; then
         if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
             cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
         elif sourcename="$(dmsetup info -c --noheadings -o mangled_name -j "$MAJ" -m "$MIN" 2>/dev/null)" &&
@@ -157,11 +59,11 @@
             # for mapped sources, use the dm name as the lvm
             # local-block script doesn't work with UUIDs (#902943)
             _CRYPTTAB_SOURCE="/dev/mapper/$sourcename"
-        elif uuid="$(device_uuid "$DEV")"; then
+        elif uuid="$(_device_uuid "$DEV")"; then
             # otherwise, use its UUID if possible (eg. for LUKS)
             _CRYPTTAB_SOURCE="UUID=$uuid"
         fi
-        # on failure resolve_device() prints a warning and we try our
+        # on failure _resolve_device() prints a warning and we try our
         # luck with the unchanged _CRYPTTAB_SOURCE value
     fi
 
@@ -215,22 +117,6 @@
         "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3
 }
 
-# get_cryptdevs($maj:$min, [$maj:$min ..])
-#   Print the list of crypttab(5) entries to FD nr. 3, for dm-crypt
-#   devices holding any of the given devices (which can be an md, a lv,
-#   a mapped device, or a regular block device).
-get_cryptdevs() {
-    local devno base
-    for devno in "$@"; do
-        base="/sys/dev/block/$devno"
-        if [ ! -d "$base" ]; then
-            cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno"
-            return 1
-        fi
-        get_dmcrypt_slaves "$base"
-    done
-}
-
 # get_resume_devno()
 #   Return the device ID(s) used for system suspend/hibernate.
 get_resume_devno() {
@@ -243,14 +129,14 @@
         if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then
             # trim quotes
             dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")"
-            print_devno "$(printf '%b' "$dev")" # unmangle
+            _print_devno "$(printf '%b' "$dev")" # unmangle
         fi
     done
 
     # regular swsusp
     dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)"
     dev="$(printf '%b' "$dev")" # unmangle
-    print_devno "$(printf '%b' "$dev")" # unmangle
+    _print_devno "$(printf '%b' "$dev")" # unmangle
 
     # initramfs-tools >=0.129
     dev="${RESUME:-auto}"
@@ -259,12 +145,12 @@
             # next line from /usr/share/initramfs-tools/hooks/resume
             dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)"
         fi
-        print_devno "$(printf '%b' "$dev")" # unmangle
+        _print_devno "$(printf '%b' "$dev")" # unmangle
     fi
 }
-print_devno() {
-    local DEV MAJ MIN # locally scope the 3 variables resolve_device() sets
-    if [ -n "$1" ] && resolve_device "$1"; then
+_print_devno() {
+    local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets
+    if [ -n "$1" ] && _resolve_device "$1"; then
         printf '%d:%d\n' "$MAJ" "$MIN"
     fi
 }
@@ -293,17 +179,17 @@
 
     {
         if devnos="$(get_mnt_devno /)"; then
-            usage=rootfs get_cryptdevs $devnos
+            usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
         else
             cryptsetup_message "WARNING: Couldn't determine root device"
         fi
 
         if devnos="$(get_resume_devno)"; then
-            usage=resume get_cryptdevs $devnos
+            usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
         fi
 
         if devnos="$(get_mnt_devno /usr)"; then
-            usage="" get_cryptdevs $devnos
+            usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
         fi
 
         # add crypttab entries with the 'initramfs' option set
@@ -412,7 +298,6 @@
 copy_exec /lib/cryptsetup/askpass
 
 # libargon2 uses pthread_cancel
-LIBC_DIR="$(ldd /sbin/cryptsetup | sed -nr 's#.* => (/lib.*)/libc\.so\.[0-9.-]+ \(0x[[:xdigit:]]+\)$#\1#p')"
 for so in $(ldconfig -p | sed -nr 's/^\s*libgcc_s\.so.*=>\s*//p'); do
     copy_exec "$so"
 done
diff -Nru cryptsetup-2.2.2/debian/initramfs/scripts/local-top/cryptroot cryptsetup-2.3.1/debian/initramfs/scripts/local-top/cryptroot
--- cryptsetup-2.2.2/debian/initramfs/scripts/local-top/cryptroot	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/initramfs/scripts/local-top/cryptroot	2020-03-24 21:20:09.000000000 +0000
@@ -123,7 +123,6 @@
         fi
     fi
 
-    get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device
     local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
     while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
         if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
diff -Nru cryptsetup-2.2.2/debian/libcryptsetup12.symbols cryptsetup-2.3.1/debian/libcryptsetup12.symbols
--- cryptsetup-2.2.2/debian/libcryptsetup12.symbols	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/libcryptsetup12.symbols	2020-03-24 21:20:09.000000000 +0000
@@ -6,6 +6,7 @@
  crypt_activate_by_keyring@CRYPTSETUP_2.0 2:2.0
  crypt_activate_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
  crypt_activate_by_passphrase@CRYPTSETUP_2.0 2:1.4
+ crypt_activate_by_signed_key@CRYPTSETUP_2.0 2:2.3
  crypt_activate_by_token@CRYPTSETUP_2.0 2:2.0
  crypt_activate_by_volume_key@CRYPTSETUP_2.0 2:1.4
  crypt_keyslot_add_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
@@ -21,6 +22,7 @@
  crypt_get_active_integrity_failures@CRYPTSETUP_2.0 2:2.0.3
  crypt_get_cipher@CRYPTSETUP_2.0 2:1.4
  crypt_get_cipher_mode@CRYPTSETUP_2.0 2:1.4
+ crypt_get_compatibility@CRYPTSETUP_2.0 2:2.3
  crypt_get_data_offset@CRYPTSETUP_2.0 2:1.4
  crypt_get_default_type@CRYPTSETUP_2.0 2:2.1
  crypt_get_device_name@CRYPTSETUP_2.0 2:1.4
@@ -78,6 +80,12 @@
  crypt_resume_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1
  crypt_resume_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
  crypt_resume_by_passphrase@CRYPTSETUP_2.0 2:1.4
+ crypt_resume_by_volume_key@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_alloc@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_free@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_memzero@CRYPTSETUP_2.0 2:2.3
+ crypt_safe_realloc@CRYPTSETUP_2.0 2:2.3
+ crypt_set_compatibility@CRYPTSETUP_2.0 2:2.3
  crypt_set_confirm_callback@CRYPTSETUP_2.0 2:1.4
  crypt_set_data_device@CRYPTSETUP_2.0 2:1.4
  crypt_set_data_offset@CRYPTSETUP_2.0 2:2.1
diff -Nru cryptsetup-2.2.2/debian/libcryptsetup-dev.install cryptsetup-2.3.1/debian/libcryptsetup-dev.install
--- cryptsetup-2.2.2/debian/libcryptsetup-dev.install	2020-02-04 13:11:12.000000000 +0000
+++ cryptsetup-2.3.1/debian/libcryptsetup-dev.install	2020-03-24 21:20:08.000000000 +0000
@@ -1,4 +1,4 @@
 #!/usr/bin/dh-exec
-debian/tmp/lib/${DEB_HOST_MULTIARCH}/*.so		/usr/lib/${DEB_HOST_MULTIARCH}/
-debian/tmp/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc	/usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/
+debian/tmp/lib/${DEB_HOST_MULTIARCH}/*.so           /usr/lib/${DEB_HOST_MULTIARCH}/
+debian/tmp/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc /usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/
 usr/include/*.h
diff -Nru cryptsetup-2.2.2/docs/examples/crypt_log_usage.c cryptsetup-2.3.1/docs/examples/crypt_log_usage.c
--- cryptsetup-2.2.2/docs/examples/crypt_log_usage.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/docs/examples/crypt_log_usage.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * libcryptsetup API log example
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/docs/examples/crypt_luks_usage.c cryptsetup-2.3.1/docs/examples/crypt_luks_usage.c
--- cryptsetup-2.2.2/docs/examples/crypt_luks_usage.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/docs/examples/crypt_luks_usage.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  *  libcryptsetup API - using LUKS device example
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/docs/v2.3.0-ReleaseNotes cryptsetup-2.3.1/docs/v2.3.0-ReleaseNotes
--- cryptsetup-2.2.2/docs/v2.3.0-ReleaseNotes	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/docs/v2.3.0-ReleaseNotes	2020-03-12 08:39:20.000000000 +0000
@@ -0,0 +1,209 @@
+Cryptsetup 2.3.0 Release Notes
+==============================
+Stable release with new experimental features and bug fixes.
+
+Cryptsetup 2.3 version introduces support for BitLocker-compatible
+devices (BITLK format). This format is used in Windows systems,
+and in combination with a filesystem driver, cryptsetup now provides
+native read-write access to BitLocker Full Disk Encryption devices.
+
+The BITLK implementation is based on publicly available information
+and it is an independent and opensource implementation that allows
+to access this proprietary disk encryption.
+
+Changes since version 2.2.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* BITLK (Windows BitLocker compatible) device access
+
+  BITLK userspace implementation is based on the master thesis and code
+  provided by Vojtech Trefny. Also, thanks to other opensource projects
+  like libbde (that provide alternative approach to decode this format)
+  we were able to verify cryptsetup implementation.
+
+  NOTE: Support for the BITLK device is EXPERIMENTAL and will require
+  a lot of testing. If you get some error message (mainly unsupported
+  metadata in the on-disk header), please help us by submitting an issue
+  to cryptsetup project, so we can fix it. Thank you!
+
+  Cryptsetup supports BITLK activation through passphrase or recovery
+  passphrase for existing devices (BitLocker and Bitlocker to Go).
+
+  Activation through TPM, SmartCard, or any other key protector
+  is not supported. And in some situations, mainly for TPM bind to some
+  PCR registers, it could be even impossible on Linux in the future.
+
+  All metadata (key protectors) are handled read-only, cryptsetup cannot
+  create or modify them. Except for old devices (created in old Vista
+  systems), all format variants should be recognized.
+
+  Data devices can be activated read-write (followed by mounting through
+  the proper filesystem driver). To access filesystem on the decrypted device
+  you need properly installed driver (vfat, NTFS or exFAT).
+
+  Foe AES-XTS, activation is supported on all recent Linux kernels.
+
+  For older AES-CBC encryption, Linux Kernel version 5.3 is required
+  (support for special IV variant); for AES-CBC with Elephant diffuser,
+  Linux Kernel 5.6 is required.
+
+  Please note that CBC variants are legacy, and we provide it only
+  for backward compatibility (to be able to access old drives).
+
+  Cryptsetup command now supports the new "bitlk" format and implement dump,
+  open, status, and close actions.
+
+  To activate a BITLK device, use
+
+    # cryptsetup open --type bitlk <device> <name>
+      or with alias
+    # cryptsetup bitlkOpen <device> <name>
+
+  Then with properly installed fs driver (usually NTFS, vfat or exFAT),
+  you can mount the plaintext device /dev/mapper<name> device as a common
+  filesystem.
+
+ To print metadata information about BITLK device, use
+   # crypotsetup bitlkDump <device>
+
+ To print information about the active device, use
+   # cryptsetup status <name>
+
+ Example (activation of disk image):
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+  # Recent blkid recognizes BitLocker device,just to verity
+  # blkid bitlocker_xts_ntfs.img
+    bitlocker_xts_ntfs.img: TYPE="BitLocker"
+
+  # Print visible metadata information (on-disk, form the image)
+  # cryptsetup bitlkDump bitlocker_xts_ntfs.img
+    Info for BITLK device bitlocker_xts_ntfs.img.
+    Version:        2
+    GUID:           ...
+    Created:        Wed Oct 23 17:38:15 2019
+    Description:    DESKTOP-xxxxxxx E: 23.10.2019
+    Cipher name:    aes
+    Cipher mode:    xts-plain64
+    Cipher key:     128 bits
+
+    Keyslots:
+     0: VMK
+            GUID:           ...
+            Protection:     VMK protected with passphrase
+            Salt:           ...
+            Key data size:  44 [bytes]
+     1: VMK
+            GUID:           ...
+            Protection:     VMK protected with recovery passphrase
+            Salt:           ...
+            Key data size:  44 [bytes]
+     2: FVEK
+           Key data size:  44 [bytes]
+
+  # Activation (recovery passphrase works the same as password)
+  # cryptsetup bitlkOpen bitlocker_xts_ntfs.img test -v
+    Enter passphrase for bitlocker_xts_ntfs.img:
+    Command successful.
+
+  # Information about the active device
+  # cryptsetup status test
+    /dev/mapper/test is active.
+    type:    BITLK
+    cipher:  aes-xts-plain64
+    keysize: 128 bits
+    ...
+
+  # Plaintext device should now contain decrypted NTFS filesystem
+  # blkid /dev/mapper/test
+    /dev/mapper/test: UUID="..." TYPE="ntfs"
+
+  # And can be mounted
+  # mount /dev/mapper/test /mnt/tst
+
+  # Deactivation
+  # umount /mnt/tst
+  # cryptsetup close test
+
+* Veritysetup now supports activation with additional PKCS7 signature
+  of root hash through --root-hash-signature option.
+  The signature uses an in-kernel trusted key to validate the signature
+  of the root hash during activation. This option requires Linux kernel
+  5.4 with DM_VERITY_VERIFY_ROOTHASH_SIG option.
+
+  Verity devices activated with signature now has a special flag
+  (with signature) active in device status (veritysetup status <name>).
+
+  Usage:
+  # veritysetup open <data_device> name <hash_device> <root_hash> \
+    --root-hash-signature=<roothash_p7_sig_file>
+
+* Integritysetup now calculates hash integrity size according to algorithm
+  instead of requiring an explicit tag size.
+
+  Previously, when integritysetup formats a device with hash or
+  HMAC integrity checksums, it required explicitly tag size entry from
+  a user (or used default value).
+  This led to confusion and unexpected shortened tag sizes.
+
+  Now, libcryptsetup calculates tag size according to real hash output.
+  Tag size can also be specified, then it warns if these values differ.
+
+* Integritysetup now supports fixed padding for dm-integrity devices.
+
+  There was an in-kernel bug that wasted a lot of space when using metadata
+  areas for integrity-protected devices if a larger sector size than
+  512 bytes was used.
+  This problem affects both stand-alone dm-integrity and also LUKS2 with
+  authenticated encryption and larger sector size.
+
+  The new extension to dm-integrity superblock is needed, so devices
+  with the new optimal padding cannot be activated on older systems.
+
+  Integritysetup/Cryptsetup will use new padding automatically if it
+  detects the proper kernel. To create a compatible device with
+  the old padding, use --integrity-legacy-padding option.
+
+* A lot of fixes to online LUKS2 reecryption.
+
+* Add crypt_resume_by_volume_key() function to libcryptsetup.
+  If a user has a volume key available, the LUKS device can be resumed
+  directly using the provided volume key.
+  No keyslot derivation is needed, only the key digest is checked.
+
+* Implement active device suspend info.
+  Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
+  that informs the caller that device is suspended (luksSuspend).
+
+* Allow --test-passphrase for a detached header.
+  Before this fix, we required a data device specified on the command
+  line even though it was not necessary for the passphrase check.
+
+* Allow --key-file option in legacy offline encryption.
+  The option was ignored for LUKS1 encryption initialization.
+
+* Export memory safe functions.
+  To make developing of some extensions simpler, we now export
+  functions to handle memory with proper wipe on deallocation.
+
+* Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
+
+Libcryptsetup API extensions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The libcryptsetup API is backward compatible for existing symbols.
+
+New symbols
+ crypt_set_compatibility
+ crypt_get_compatibility;
+ crypt_resume_by_volume_key;
+ crypt_activate_by_signed_key;
+ crypt_safe_alloc;
+ crypt_safe_realloc;
+ crypt_safe_free;
+ crypt_safe_memzero;
+
+New defines introduced :
+  CRYPT_BITLK "BITLK" - BITLK (BitLocker-compatible mode
+  CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING - dm-integrity legacy padding
+  CRYPT_VERITY_ROOT_HASH_SIGNATURE - dm-verity root hash signature
+  CRYPT_ACTIVATE_SUSPENDED - device suspended info flag
diff -Nru cryptsetup-2.2.2/docs/v2.3.1-ReleaseNotes cryptsetup-2.3.1/docs/v2.3.1-ReleaseNotes
--- cryptsetup-2.2.2/docs/v2.3.1-ReleaseNotes	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/docs/v2.3.1-ReleaseNotes	2020-03-12 08:39:20.000000000 +0000
@@ -0,0 +1,45 @@
+Cryptsetup 2.3.1 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.x should upgrade to this version.
+
+Changes since version 2.3.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Support VeraCrypt 128 bytes passwords.
+  VeraCrypt now allows passwords of maximal length 128 bytes
+  (compared to legacy TrueCrypt where it was limited by 64 bytes).
+
+* Strip extra newline from BitLocker recovery keys
+  There might be a trailing newline added by the text editor when
+  the recovery passphrase was passed using the --key-file option.
+
+* Detect separate libiconv library.
+  It should fix compilation issues on distributions with iconv
+  implemented in a separate library.
+
+* Various fixes and workarounds to build on old Linux distributions.
+
+* Split lines with hexadecimal digest printing for large key-sizes.
+
+* Do not wipe the device with no integrity profile.
+  With --integrity none we performed useless full device wipe.
+
+* Workaround for dm-integrity kernel table bug.
+  Some kernels show an invalid dm-integrity mapping table
+  if superblock contains the "recalculate" bit. This causes
+  integritysetup to not recognize the dm-integrity device.
+  Integritysetup now specifies kernel options such a way that
+  even on unpatched kernels mapping table is correct.
+
+* Print error message if LUKS1 keyslot cannot be processed.
+  If the crypto backend is missing support for hash algorithms
+  used in PBKDF2, the error message was not visible.
+
+* Properly align LUKS2 keyslots area on conversion.
+  If the LUKS1 payload offset (data offset) is not aligned
+  to 4 KiB boundary, new LUKS2 keyslots area in now aligned properly.
+
+* Validate LUKS2 earlier on conversion to not corrupt the device
+  if binary keyslots areas metadata are not correct.
diff -Nru cryptsetup-2.2.2/lib/bitlk/bitlk.c cryptsetup-2.3.1/lib/bitlk/bitlk.c
--- cryptsetup-2.2.2/lib/bitlk/bitlk.c	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/lib/bitlk/bitlk.c	2020-03-12 08:39:20.000000000 +0000
@@ -0,0 +1,1204 @@
+/*
+ * BITLK (BitLocker-compatible) volume handling
+ *
+ * Copyright (C) 2019-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2020 Milan Broz
+ * Copyright (C) 2019-2020 Vojtech Trefny
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <errno.h>
+#include <string.h>
+#include <uuid/uuid.h>
+#include <time.h>
+#include <iconv.h>
+#include <limits.h>
+
+#include "bitlk.h"
+#include "internal.h"
+
+#define BITLK_BOOTCODE_V1 "\xeb\x52\x90"
+#define BITLK_BOOTCODE_V2 "\xeb\x58\x90"
+#define BITLK_SIGNATURE "-FVE-FS-"
+#define BITLK_SIGNATURE_TOGO "MSWIN4.1"
+#define BITLK_HEADER_METADATA_OFFSET 160
+#define BITLK_HEADER_METADATA_OFFSET_TOGO 424
+
+/* FVE metadata header is split into two parts */
+#define BITLK_FVE_METADATA_BLOCK_HEADER_LEN 64
+#define BITLK_FVE_METADATA_HEADER_LEN 48
+#define BITLK_FVE_METADATA_HEADERS_LEN BITLK_FVE_METADATA_BLOCK_HEADER_LEN + BITLK_FVE_METADATA_HEADER_LEN
+
+/* total size of the FVE area (64 KiB) */
+#define BITLK_FVE_METADATA_SIZE 64 * 1024
+
+#define BITLK_ENTRY_HEADER_LEN 8
+#define BITLK_VMK_HEADER_LEN 28
+
+#define BITLK_OPEN_KEY_METADATA_LEN 12
+
+#define BITLK_RECOVERY_KEY_LEN 55
+#define BITLK_RECOVERY_PARTS 8
+#define BITLK_RECOVERY_PART_LEN 6
+
+#define BITLK_KDF_HASH "sha256"
+#define BITLK_KDF_ITERATION_COUNT 0x100000
+
+/* maximum number of segments for the DM device */
+#define MAX_BITLK_SEGMENTS 10
+
+/* January 1, 1970 as MS file time */
+#define EPOCH_AS_FILETIME 116444736000000000
+#define HUNDREDS_OF_NANOSECONDS 10000000
+
+/* not available in older version of libuuid */
+#ifndef UUID_STR_LEN
+#define UUID_STR_LEN	37
+#endif
+
+/* known types of GUIDs from the BITLK superblock */
+const uint8_t BITLK_GUID_NORMAL[16] = { 0x3b, 0xd6, 0x67, 0x49, 0x29, 0x2e, 0xd8, 0x4a,
+					0x83, 0x99, 0xf6, 0xa3, 0x39, 0xe3, 0xd0, 0x01 };
+const uint8_t BITLK_GUID_EOW[16] = { 0x3b, 0x4d, 0xa8, 0x92, 0x80, 0xdd, 0x0e, 0x4d,
+				     0x9e, 0x4e, 0xb1, 0xe3, 0x28, 0x4e, 0xae, 0xd8 };
+
+/* taken from libfdisk gpt.c -- TODO: this is a good candidate for adding to libuuid */
+struct bitlk_guid {
+	uint32_t   time_low;
+	uint16_t   time_mid;
+	uint16_t   time_hi_and_version;
+	uint8_t    clock_seq_hi;
+	uint8_t    clock_seq_low;
+	uint8_t    node[6];
+} __attribute__ ((packed));
+
+static void swap_guid(struct bitlk_guid *guid) {
+	guid->time_low = swab32(guid->time_low);
+	guid->time_mid = swab16(guid->time_mid);
+	guid->time_hi_and_version = swab16(guid->time_hi_and_version);
+}
+
+static void guid_to_string(struct bitlk_guid *guid, char *out) {
+	swap_guid(guid);
+	uuid_unparse((unsigned char *) guid, out);
+}
+
+typedef enum {
+	BITLK_SEGTYPE_CRYPT,
+	BITLK_SEGTYPE_ZERO,
+} BitlkSegmentType;
+
+struct segment {
+	uint64_t offset;
+	uint64_t length;
+	uint64_t iv_offset;
+	BitlkSegmentType type;
+};
+
+struct bitlk_signature {
+	uint8_t boot_code[3];
+	uint8_t signature[8];
+} __attribute__ ((packed));
+
+struct bitlk_superblock {
+	struct bitlk_guid guid;
+	uint64_t fve_offset[3];
+} __attribute__ ((packed));
+
+struct bitlk_fve_metadata {
+	/* FVE metadata block header */
+	uint8_t signature[8];
+	uint16_t fve_size;
+	uint16_t fve_version;
+	uint16_t curr_state;
+	uint16_t next_state;
+	uint64_t volume_size;
+	uint32_t unknown2;
+	uint32_t volume_header_size;
+	uint64_t fve_offset[3];
+	uint64_t volume_header_offset;
+	/* FVE metadata header */
+	uint32_t metadata_size;
+	uint32_t metadata_version;
+	uint32_t metadata_header_size;
+	uint32_t metada_size_copy;
+	struct bitlk_guid guid;
+	uint32_t next_nonce;
+	uint16_t encryption;
+	uint16_t unknown3;
+	uint64_t creation_time;
+} __attribute__ ((packed));
+
+struct bitlk_entry_header_block {
+	uint64_t offset;
+	uint64_t size;
+} __attribute__ ((packed));
+
+struct bitlk_entry_vmk {
+	struct bitlk_guid guid;
+	uint8_t modified[8];
+	uint16_t _unknown;
+	uint16_t protection;
+} __attribute__ ((packed));
+
+struct bitlk_kdf_data {
+	char last_sha256[32];
+	char initial_sha256[32];
+	char salt[16];
+	uint64_t count;
+};
+
+static BITLKVMKProtection get_vmk_protection(uint16_t protection)
+{
+	switch (protection) {
+	case 0x0000:
+		return BITLK_PROTECTION_CLEAR_KEY;
+	case 0x0100:
+		return BITLK_PROTECTION_TPM;
+	case 0x0200:
+		return BITLK_PROTECTION_STARTUP_KEY;
+	case 0x0500:
+		return BITLK_PROTECTION_TPM_PIN;
+	case 0x0800:
+		return BITLK_PROTECTION_RECOVERY_PASSPHRASE;
+	case 0x1000:
+		return BITLK_PROTECTION_SMART_CARD;
+	case 0x2000:
+		return BITLK_PROTECTION_PASSPHRASE;
+	default:
+		return BITLK_PROTECTION_UNKNOWN;
+	}
+}
+
+static const char* get_vmk_protection_string(BITLKVMKProtection protection)
+{
+	switch (protection) {
+	case BITLK_PROTECTION_CLEAR_KEY:
+		return "VMK protected with clear key";
+	case BITLK_PROTECTION_TPM:
+		return "VMK protected with TPM";
+	case BITLK_PROTECTION_STARTUP_KEY:
+		return "VMK protected with startup key";
+	case BITLK_PROTECTION_TPM_PIN:
+		return "VMK protected with TPM and PIN";
+	case BITLK_PROTECTION_PASSPHRASE:
+		return "VMK protected with passphrase";
+	case BITLK_PROTECTION_RECOVERY_PASSPHRASE:
+		return "VMK protected with recovery passphrase";
+	case BITLK_PROTECTION_SMART_CARD:
+		return "VMK protected with smart card";
+	default:
+		return "VMK with unknown protection";
+	}
+}
+
+static const char* get_bitlk_type_string(BITLKEncryptionType type)
+{
+	switch (type)
+	{
+	case BITLK_ENCRYPTION_TYPE_NORMAL:
+		return "normal";
+	case BITLK_ENCRYPTION_TYPE_EOW:
+		return "encrypt-on-write";
+	default:
+		return "unknown";
+	}
+}
+
+/* TODO -- move to some utils file */
+static void hexprint(struct crypt_device *cd, const char *d, int n, const char *sep)
+{
+	int i;
+	for(i = 0; i < n; i++)
+		log_std(cd, "%02hhx%s", (const char)d[i], sep);
+}
+
+static uint64_t filetime_to_unixtime(uint64_t time)
+{
+	return (time - EPOCH_AS_FILETIME) / HUNDREDS_OF_NANOSECONDS;
+}
+
+static int convert_to_utf8(struct crypt_device *cd, uint8_t *input, size_t inlen, char **out)
+{
+	char *outbuf = NULL;
+	iconv_t ic;
+	size_t ic_inlen = inlen;
+	size_t ic_outlen = inlen;
+	char *ic_outbuf = NULL;
+	size_t r = 0;
+
+	outbuf = malloc(inlen);
+	if (outbuf == NULL)
+		return -ENOMEM;
+
+	memset(outbuf, 0, inlen);
+	ic_outbuf = outbuf;
+
+	ic = iconv_open("UTF-8", "UTF-16LE");
+	r = iconv(ic, (char **) &input, &ic_inlen, &ic_outbuf, &ic_outlen);
+	iconv_close(ic);
+
+	if (r == 0)
+		*out = strdup(outbuf);
+	else {
+		*out = NULL;
+		log_dbg(cd, "Failed to convert volume description: %s", strerror(errno));
+		r = 0;
+	}
+
+	free(outbuf);
+	return r;
+}
+
+static int passphrase_to_utf16(struct crypt_device *cd, char *input, size_t inlen, char **out)
+{
+	char *outbuf = NULL;
+	iconv_t ic;
+	size_t ic_inlen = inlen;
+	size_t ic_outlen = inlen * 2;
+	char *ic_outbuf = NULL;
+	size_t r = 0;
+
+	if (inlen == 0)
+		return r;
+
+	outbuf = crypt_safe_alloc(inlen * 2);
+	if (outbuf == NULL)
+		return -ENOMEM;
+
+	memset(outbuf, 0, inlen * 2);
+	ic_outbuf = outbuf;
+
+	ic = iconv_open("UTF-16LE", "UTF-8");
+	r = iconv(ic, &input, &ic_inlen, &ic_outbuf, &ic_outlen);
+	iconv_close(ic);
+
+	if (r == 0) {
+		*out = outbuf;
+	} else {
+		*out = NULL;
+		free(outbuf);
+		log_dbg(cd, "Failed to convert passphrase: %s", strerror(errno));
+		r = -errno;
+	}
+
+	return r;
+}
+
+static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, int end, struct bitlk_vmk **vmk)
+{
+	uint16_t key_entry_size = 0;
+	uint16_t key_entry_type = 0;
+	uint16_t key_entry_value = 0;
+	size_t key_size = 0;
+	char *string = NULL;
+	const char *key = NULL;
+	struct volume_key *vk = NULL;
+	bool supported = false;
+
+	/* only passphrase or recovery passphrase vmks are supported (can be used to activate) */
+	supported = (*vmk)->protection == BITLK_PROTECTION_PASSPHRASE || (*vmk)->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE;
+
+	while (end - start > 2) {
+		/* size of this entry */
+		memcpy(&key_entry_size, data + start, sizeof(key_entry_size));
+		key_entry_size = le16_to_cpu(key_entry_size);
+		if (key_entry_size == 0)
+			break;
+
+		/* type and value of this entry */
+		memcpy(&key_entry_type, data + start + sizeof(key_entry_size), sizeof(key_entry_type));
+		memcpy(&key_entry_value,
+		       data + start + sizeof(key_entry_size) + sizeof(key_entry_type),
+		       sizeof(key_entry_value));
+		key_entry_type = le16_to_cpu(key_entry_type);
+		key_entry_value = le16_to_cpu(key_entry_value);
+
+		if (key_entry_type != BITLK_ENTRY_TYPE_PROPERTY) {
+			if (supported) {
+				log_err(cd, _("Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."), key_entry_type);
+				return -EINVAL;
+			} else {
+				log_dbg(cd, "Unexpected metadata entry type '%u' found when parsing unsupported VMK.", key_entry_type);
+			}
+		}
+
+		/* stretch key with salt, skip 4 B (encryption method of the stretch key) */
+		if (key_entry_value == BITLK_ENTRY_VALUE_STRETCH_KEY)
+			memcpy((*vmk)->salt,
+			       data + start + BITLK_ENTRY_HEADER_LEN + 4,
+			       sizeof((*vmk)->salt));
+		/* AES-CCM encrypted key */
+		else if (key_entry_value == BITLK_ENTRY_VALUE_ENCRYPTED_KEY) {
+			/* nonce */
+			memcpy((*vmk)->nonce,
+			       data + start + BITLK_ENTRY_HEADER_LEN,
+			       sizeof((*vmk)->nonce));
+			/* MAC tag */
+			memcpy((*vmk)->mac_tag,
+			       data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
+			       sizeof((*vmk)->mac_tag));
+			/* AES-CCM encrypted key */
+			key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
+			key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
+			vk = crypt_alloc_volume_key(key_size, key);
+			if (vk == NULL)
+				return -ENOMEM;
+			crypt_volume_key_add_next(&((*vmk)->vk), vk);
+		/* clear key for a partially decrypted volume */
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_KEY) {
+			/* We currently don't want to support opening a partially decrypted
+			 * device so we don't need to store this key.
+			 *
+			 * key_size = key_entry_size - (BITLK_ENTRY_HEADER_LEN + 4);
+			 * key = (const char *) data + start + BITLK_ENTRY_HEADER_LEN + 4;
+			 * vk = crypt_alloc_volume_key(key_size, key);
+			 * if (vk == NULL)
+			 * 	return -ENOMEM;
+			 * crypt_volume_key_add_next(&((*vmk)->vk), vk);
+			 */
+			log_dbg(cd, "Skipping clear key metadata entry.");
+		/* unknown timestamps in recovery protected VMK */
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
+			;
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
+			if (convert_to_utf8(cd, data + start + BITLK_ENTRY_HEADER_LEN, key_entry_size - BITLK_ENTRY_HEADER_LEN, &string) < 0) {
+				log_err(cd, _("Invalid string found when parsing Volume Master Key."));
+				free(string);
+				return -EINVAL;
+			} else if ((*vmk)->name != NULL) {
+				if (supported) {
+					log_err(cd, _("Unexpected string ('%s') found when parsing supported Volume Master Key."), string);
+					free(string);
+					return -EINVAL;
+				}
+				log_dbg(cd, "Unexpected string ('%s') found when parsing unsupported VMK.", string);
+				free(string);
+				string = NULL;
+			} else {
+				/* Assume that strings in VMK are the name of the VMK */
+				(*vmk)->name = string;
+				string = NULL;
+			}
+		} else {
+			if (supported) {
+				log_err(cd, _("Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."), key_entry_value);
+				return -EINVAL;
+			} else {
+				log_dbg(cd, "Unexpected metadata entry value '%u' found when parsing unsupported VMK.", key_entry_value);
+			}
+		}
+
+		start += key_entry_size;
+	}
+
+	return 0;
+}
+
+void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek)
+{
+	if (!fvek)
+		return;
+
+	crypt_free_volume_key(fvek->vk);
+}
+
+void BITLK_bitlk_vmk_free(struct bitlk_vmk *vmk)
+{
+	struct bitlk_vmk *vmk_next = NULL;
+
+	while (vmk) {
+		if (vmk->guid)
+			free(vmk->guid);
+		if (vmk->name)
+			free(vmk->name);
+		crypt_free_volume_key(vmk->vk);
+		vmk_next = vmk->next;
+		free(vmk);
+		vmk = vmk_next;
+	}
+}
+
+void BITLK_bitlk_metadata_free(struct bitlk_metadata *metadata)
+{
+	free(metadata->guid);
+	if (metadata->description)
+		free(metadata->description);
+	BITLK_bitlk_vmk_free(metadata->vmks);
+	BITLK_bitlk_fvek_free(metadata->fvek);
+}
+
+int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params)
+{
+	int devfd;
+	struct device *device = crypt_metadata_device(cd);
+	struct bitlk_signature sig = {};
+	struct bitlk_superblock sb = {};
+	struct bitlk_fve_metadata fve = {};
+	struct bitlk_entry_vmk entry_vmk = {};
+	uint8_t *fve_entries = NULL;
+	uint32_t fve_metadata_size = 0;
+	int fve_offset = 0;
+	char guid_buf[UUID_STR_LEN] = {0};
+	uint16_t entry_size = 0;
+	uint16_t entry_type = 0;
+	int i = 0;
+	int r = 0;
+	int start = 0;
+	int end = 0;
+	size_t key_size = 0;
+	const char *key = NULL;
+
+	struct bitlk_vmk *vmk = NULL;
+	struct bitlk_vmk *vmk_p = params->vmks;
+
+	devfd = device_open(cd, crypt_data_device(cd), O_RDONLY);
+	if (devfd < 0) {
+		r = -EINVAL;
+		goto out;
+	}
+
+	/* read and check the signature */
+	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
+		device_alignment(device), &sig, sizeof(sig), 0) != sizeof(sig)) {
+		log_err(cd, _("Failed to read BITLK signature from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	if (memcmp(sig.boot_code, BITLK_BOOTCODE_V1, sizeof(sig.boot_code)) == 0) {
+		log_err(cd, _("BITLK version 1 is currently not supported."));
+		r = -ENOTSUP;
+		goto out;
+	} else if (memcmp(sig.boot_code, BITLK_BOOTCODE_V2, sizeof(sig.boot_code)) == 0)
+		;
+	else {
+		log_err(cd, _("Invalid or unknown boot signature for BITLK device."));
+		r = -EINVAL;
+		goto out;
+	}
+
+	if (memcmp(sig.signature, BITLK_SIGNATURE, sizeof(sig.signature)) == 0) {
+		params->togo = false;
+		fve_offset = BITLK_HEADER_METADATA_OFFSET;
+	} else if (memcmp(sig.signature, BITLK_SIGNATURE_TOGO, sizeof(sig.signature)) == 0) {
+		params->togo = true;
+		fve_offset = BITLK_HEADER_METADATA_OFFSET_TOGO;
+	} else {
+		log_err(cd, _("Invalid or unknown signature for BITLK device."));
+		r = -EINVAL;
+		goto out;
+	}
+
+	/* read GUID and FVE metadata offsets */
+	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
+		device_alignment(device), &sb, sizeof(sb), fve_offset) != sizeof(sb)) {
+		log_err(cd, _("Failed to read BITLK header from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	/* get encryption "type" based on the GUID from BITLK superblock */
+	if (memcmp(&sb.guid, BITLK_GUID_NORMAL, 16) == 0)
+		params->type = BITLK_ENCRYPTION_TYPE_NORMAL;
+	else if (memcmp(&sb.guid, BITLK_GUID_EOW, 16) == 0)
+		params->type = BITLK_ENCRYPTION_TYPE_EOW;
+	else
+		params->type = BITLK_ENCRYPTION_TYPE_UNKNOWN;
+	log_dbg(cd, "BITLK type from GUID: %s.", get_bitlk_type_string(params->type));
+
+	for (i = 0; i < 3; i++)
+		params->metadata_offset[i] = le64_to_cpu(sb.fve_offset[i]);
+
+	log_dbg(cd, "Reading BITLK FVE metadata of size %zu on device %s, offset %" PRIu64 ".",
+		sizeof(fve), device_path(device), params->metadata_offset[0]);
+
+	/* read FVE metadata from the first metadata area */
+	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
+		device_alignment(device), &fve, sizeof(fve), params->metadata_offset[0]) != sizeof(fve) ||
+		memcmp(fve.signature, BITLK_SIGNATURE, sizeof(fve.signature)) ||
+		le16_to_cpu(fve.fve_version) != 2) {
+		log_err(cd, _("Failed to read BITLK FVE metadata from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	/* check encryption state for the device */
+	params->state = true;
+	if (le16_to_cpu(fve.curr_state) != BITLK_STATE_NORMAL || le16_to_cpu(fve.next_state) != BITLK_STATE_NORMAL) {
+		params->state = false;
+		log_dbg(cd, "Unknown/unsupported state detected. Current state: %"PRIu16", next state: %"PRIu16".",
+			le16_to_cpu(fve.curr_state), le16_to_cpu(fve.next_state));
+	}
+
+	params->metadata_version = le16_to_cpu(fve.fve_version);
+	fve_metadata_size = le32_to_cpu(fve.metadata_size);
+
+	switch (le16_to_cpu(fve.encryption)) {
+	/* AES-CBC with Elephant difuser */
+	case 0x8000:
+		params->key_size = 128;
+		params->cipher = "aes";
+		params->cipher_mode = "cbc-elephant";
+		break;
+	case 0x8001:
+		params->key_size = 256;
+		params->cipher = "aes";
+		params->cipher_mode = "cbc-elephant";
+		break;
+	/* AES-CBC */
+	case 0x8002:
+		params->key_size = 128;
+		params->cipher = "aes";
+		params->cipher_mode = "cbc-eboiv";
+		break;
+	case 0x8003:
+		params->key_size = 256;
+		params->cipher = "aes";
+		params->cipher_mode = "cbc-eboiv";
+		break;
+	/* AES-XTS */
+	case 0x8004:
+		params->key_size = 128;
+		params->cipher = "aes";
+		params->cipher_mode = "xts-plain64";
+		break;
+	case 0x8005:
+		params->key_size = 256;
+		params->cipher = "aes";
+		params->cipher_mode = "xts-plain64";
+		break;
+	default:
+		log_err(cd, _("Unknown or unsupported encryption type."));
+		params->key_size = 0;
+		params->cipher = NULL;
+		params->cipher_mode = NULL;
+		r = -ENOTSUP;
+		goto out;
+	};
+
+	/* device GUID */
+	guid_to_string(&fve.guid, guid_buf);
+	params->guid = strdup(guid_buf);
+	if (!params->guid) {
+		r = -ENOMEM;
+		goto out;
+	}
+
+	params->creation_time = filetime_to_unixtime(le64_to_cpu(fve.creation_time));
+
+	/* read and parse all FVE metadata entries */
+	fve_entries = malloc(fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN);
+	if (!fve_entries) {
+		r = -ENOMEM;
+		goto out;
+	}
+	memset(fve_entries, 0, (fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN));
+
+	log_dbg(cd, "Reading BITLK FVE metadata entries of size %" PRIu32 " on device %s, offset %" PRIu64 ".",
+		fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN, device_path(device),
+		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN);
+
+	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
+		device_alignment(device), fve_entries, fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN,
+		params->metadata_offset[0] + BITLK_FVE_METADATA_HEADERS_LEN) != fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN) {
+		log_err(cd, _("Failed to read BITLK metadata entries from %s."), device_path(device));
+		r = -EINVAL;
+		goto out;
+	}
+
+	end = fve_metadata_size - BITLK_FVE_METADATA_HEADER_LEN;
+	while (end - start > 2) {
+		/* size of this entry */
+		memcpy(&entry_size, fve_entries + start, sizeof(entry_size));
+		entry_size = le16_to_cpu(entry_size);
+		if (entry_size == 0)
+			break;
+
+		/* type of this entry */
+		memcpy(&entry_type, fve_entries + start + sizeof(entry_size), sizeof(entry_type));
+		entry_type = le16_to_cpu(entry_type);
+
+		/* VMK */
+		if (entry_type == BITLK_ENTRY_TYPE_VMK) {
+			/* skip first four variables in the entry (entry size, type, value and version) */
+			memcpy(&entry_vmk,
+			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
+			       sizeof(entry_vmk));
+
+			vmk = malloc(sizeof(struct bitlk_vmk));
+			memset(vmk, 0, sizeof(struct bitlk_vmk));
+
+			guid_to_string(&entry_vmk.guid, guid_buf);
+			vmk->guid = strdup (guid_buf);
+
+			vmk->name = NULL;
+
+			vmk->protection = get_vmk_protection(le16_to_cpu(entry_vmk.protection));
+
+			/* more data in another entry list */
+			r = parse_vmk_entry(cd, fve_entries,
+			                      start + BITLK_ENTRY_HEADER_LEN + BITLK_VMK_HEADER_LEN,
+					      start + entry_size, &vmk);
+			if (r < 0) {
+				BITLK_bitlk_vmk_free(vmk);
+				goto out;
+			}
+
+			if (params->vmks == NULL)
+				params->vmks = vmk;
+			else
+				vmk_p->next = vmk;
+
+			vmk_p = vmk;
+			vmk = vmk->next;
+		/* FVEK */
+		} else if (entry_type == BITLK_ENTRY_TYPE_FVEK) {
+			params->fvek = malloc(sizeof(struct bitlk_fvek));
+			memcpy(params->fvek->nonce,
+			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
+			       sizeof(params->fvek->nonce));
+			/* MAC tag */
+			memcpy(params->fvek->mac_tag,
+			       fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE,
+			       sizeof(params->fvek->mac_tag));
+			/* AES-CCM encrypted key */
+			key_size = entry_size - (BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE);
+			key = (const char *) fve_entries + start + BITLK_ENTRY_HEADER_LEN + BITLK_NONCE_SIZE + BITLK_VMK_MAC_TAG_SIZE;
+			params->fvek->vk = crypt_alloc_volume_key(key_size, key);
+			if (params->fvek->vk == NULL) {
+				r = -ENOMEM;
+				goto out;
+			}
+		/* volume header info (location and size) */
+		} else if (entry_type == BITLK_ENTRY_TYPE_VOLUME_HEADER) {
+			struct bitlk_entry_header_block entry_header;
+			memcpy(&entry_header,
+			       fve_entries + start + BITLK_ENTRY_HEADER_LEN,
+			       sizeof(entry_header));
+			params->volume_header_offset = le64_to_cpu(entry_header.offset);
+			params->volume_header_size = le64_to_cpu(entry_header.size);
+		/* volume description (utf-16 string) */
+		} else if (entry_type == BITLK_ENTRY_TYPE_DESCRIPTION) {
+			r = convert_to_utf8(cd, fve_entries + start + BITLK_ENTRY_HEADER_LEN,
+					    entry_size - BITLK_ENTRY_HEADER_LEN,
+					    &(params->description));
+			if (r < 0) {
+				BITLK_bitlk_vmk_free(vmk);
+				goto out;
+			}
+		}
+
+		start += entry_size;
+	}
+
+out:
+	if (fve_entries)
+		free(fve_entries);
+	return r;
+}
+
+int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_metadata *params)
+{
+	struct volume_key *vk_p;
+	struct bitlk_vmk *vmk_p;
+	int next_id = 0;
+	int i = 0;
+
+	log_std(cd, "Info for BITLK%s device %s.\n", params->togo ? " To Go" : "", device_path(device));
+	log_std(cd, "Version:      \t%u\n", params->metadata_version);
+	log_std(cd, "GUID:         \t%s\n", params->guid);
+	log_std(cd, "Created:      \t%s", ctime((time_t *)&(params->creation_time)));
+	log_std(cd, "Description:  \t%s\n", params->description);
+	log_std(cd, "Cipher name:  \t%s\n", params->cipher);
+	log_std(cd, "Cipher mode:  \t%s\n", params->cipher_mode);
+	log_std(cd, "Cipher key:   \t%u bits\n", params->key_size);
+
+	log_std(cd, "\n");
+
+	log_std(cd, "Keyslots:\n");
+	vmk_p = params->vmks;
+	while (vmk_p) {
+		log_std(cd, " %d: VMK\n", next_id);
+		if (vmk_p->name != NULL) {
+			log_std(cd, "\tName:       \t%s\n", vmk_p->name);
+		}
+		log_std(cd, "\tGUID:       \t%s\n", vmk_p->guid);
+		log_std(cd, "\tProtection: \t%s\n", get_vmk_protection_string (vmk_p->protection));
+		log_std(cd, "\tSalt:       \t");
+		hexprint(cd, (const char *) vmk_p->salt, 16, "");
+		log_std(cd, "\n");
+
+		vk_p = vmk_p->vk;
+		while (vk_p) {
+			log_std(cd, "\tKey data size:\t%zu [bytes]\n", vk_p->keylength);
+			vk_p = vk_p->next;
+		}
+		vmk_p = vmk_p->next;
+		next_id++;
+	}
+
+	log_std(cd, " %d: FVEK\n", next_id);
+	log_std(cd, "\tKey data size:\t%zu [bytes]\n", params->fvek->vk->keylength);
+
+	log_std(cd, "\n");
+
+	log_std(cd, "Metadata segments:\n");
+
+	for (i = 0; i < 3; i++) {
+		log_std(cd, " %d: FVE metadata area\n", i);
+		log_std(cd, "\tOffset: \t%" PRIu64 " [bytes]\n", params->metadata_offset[i]);
+		log_std(cd, "\tSize:   \t%d [bytes]\n", BITLK_FVE_METADATA_SIZE);
+	}
+
+	log_std(cd, " %d: Volume header\n", i);
+	log_std(cd, "\tOffset: \t%" PRIu64 " [bytes]\n", params->volume_header_offset);
+	log_std(cd, "\tSize:   \t%" PRIu64 " [bytes]\n", params->volume_header_size);
+	log_std(cd, "\tCipher: \t%s-%s\n", params->cipher, params->cipher_mode);
+
+	return 0;
+}
+
+/* check if given passphrase can be a recovery key (has right format) and convert it */
+static int get_recovery_key(struct crypt_device *cd,
+			    const char *password,
+			    size_t passwordLen,
+			    struct volume_key **rc_key)
+{
+	unsigned int i, j = 0;
+	uint16_t parts[BITLK_RECOVERY_PARTS] = {0};
+	char part_str[BITLK_RECOVERY_PART_LEN + 1] = {0};
+	long part_num = 0;
+
+	/* check the passphrase it should be:
+	    - 55 characters
+	    - 8 groups of 6 divided by '-'
+	    - each part is a number dividable by 11
+	*/
+	if (passwordLen != BITLK_RECOVERY_KEY_LEN) {
+                if (passwordLen == BITLK_RECOVERY_KEY_LEN + 1 && password[passwordLen - 1] == '\n') {
+                        /* looks like a recovery key with an extra newline, possibly from a key file */
+                        passwordLen--;
+                        log_dbg(cd, "Possible extra EOL stripped from the recovery key.");
+                } else
+                        return 0;
+        }
+
+	for (i = BITLK_RECOVERY_PART_LEN; i < passwordLen; i += BITLK_RECOVERY_PART_LEN + 1) {
+		if (password[i] != '-')
+			return 0;
+	}
+
+	for (i = 0, j = 0; i < passwordLen; i += BITLK_RECOVERY_PART_LEN + 1, j++) {
+		strncpy(part_str, password + i, BITLK_RECOVERY_PART_LEN);
+
+		errno = 0;
+		part_num = strtol(part_str, NULL, 10);
+		if ((errno == ERANGE && (part_num == LONG_MAX || part_num == LONG_MIN)) ||
+		    (errno != 0 && part_num == 0))
+			return -errno;
+
+		if (part_num % 11 != 0)
+			return 0;
+		parts[j] = cpu_to_le16(part_num / 11);
+	}
+
+	*rc_key = crypt_alloc_volume_key(16, (const char*) parts);
+	if (*rc_key == NULL)
+		return -ENOMEM;
+
+	return 0;
+}
+
+static int bitlk_kdf(struct crypt_device *cd,
+		     const char *password,
+		     size_t passwordLen,
+		     bool recovery,
+		     const uint8_t *salt,
+		     struct volume_key **vk)
+{
+	struct bitlk_kdf_data kdf = {};
+	struct crypt_hash *hd = NULL;
+	int len = 0;
+	char *utf16Password = NULL;
+	int i = 0;
+	int r = 0;
+
+	memcpy(kdf.salt, salt, 16);
+
+	r = crypt_hash_init(&hd, BITLK_KDF_HASH);
+	if (r < 0)
+		return r;
+	len = crypt_hash_size(BITLK_KDF_HASH);
+	if (len < 0) {
+		crypt_hash_destroy(hd);
+		return len;
+	}
+
+	if (!recovery) {
+		/* passphrase: convert to UTF-16 first, then sha256(sha256(pw)) */
+		r = passphrase_to_utf16(cd, CONST_CAST(char*)password, passwordLen, &utf16Password);
+		if (r < 0)
+			goto out;
+
+		crypt_hash_write(hd, utf16Password, passwordLen * 2);
+		r = crypt_hash_final(hd, kdf.initial_sha256, len);
+		if (r < 0)
+			goto out;
+
+		crypt_hash_write(hd, kdf.initial_sha256, len);
+		r = crypt_hash_final(hd, kdf.initial_sha256, len);
+		if (r < 0)
+			goto out;
+	} else {
+		/* recovery passphrase: already converted in #get_recovery_key, now just sha256(rpw) */
+		crypt_hash_write(hd, password, passwordLen);
+		r = crypt_hash_final(hd, kdf.initial_sha256, len);
+		if (r < 0)
+			goto out;
+	}
+
+	for (i = 0; i < BITLK_KDF_ITERATION_COUNT; i++) {
+		crypt_hash_write(hd, (const char*) &kdf, sizeof(kdf));
+		r = crypt_hash_final(hd, kdf.last_sha256, len);
+		if (r < 0)
+			goto out;
+		kdf.count = cpu_to_le64(le64_to_cpu(kdf.count) + 1);
+	}
+
+	*vk = crypt_alloc_volume_key(len, kdf.last_sha256);
+
+out:
+	crypt_safe_free(utf16Password);
+	if (hd)
+		crypt_hash_destroy(hd);
+	return r;
+}
+
+static int decrypt_key(struct crypt_device *cd,
+		       struct volume_key **vk,
+		       struct volume_key *enc_key,
+		       struct volume_key *key,
+		       const uint8_t *tag, size_t tag_size,
+		       const uint8_t *iv, size_t iv_size,
+		       bool is_fvek)
+{
+	char *outbuf;
+	int r;
+	uint32_t key_size = 0;
+
+	outbuf = crypt_safe_alloc(enc_key->keylength);
+	if (!outbuf)
+		return -ENOMEM;
+
+	r = crypt_bitlk_decrypt_key(key->key, key->keylength, enc_key->key, outbuf, enc_key->keylength,
+				(const char*)iv, iv_size, (const char*)tag, tag_size);
+	if (r < 0) {
+		if (r == -ENOTSUP)
+			log_err(cd, _("This operation is not supported."));
+		goto out;
+	}
+
+	/* key_data has it's size as part of the metadata */
+	memcpy(&key_size, outbuf, 4);
+	key_size = le32_to_cpu(key_size);
+	if (enc_key->keylength != key_size) {
+		log_err(cd, _("Wrong key size."));
+		r = -EINVAL;
+		goto out;
+	}
+
+	if (is_fvek && strcmp(crypt_get_cipher_mode(cd), "cbc-elephant") == 0 &&
+		crypt_get_volume_key_size(cd) == 16) {
+		/* 128bit AES-CBC with Elephant -- key size is 256 bit (2 keys) but key data is 512 bits,
+		   data: 16B CBC key, 16B empty, 16B elephant key, 16B empty */
+		memcpy(outbuf + 16 + BITLK_OPEN_KEY_METADATA_LEN,
+			outbuf + 2 * 16 + BITLK_OPEN_KEY_METADATA_LEN, 16);
+		key_size = 32 + BITLK_OPEN_KEY_METADATA_LEN;
+	}
+
+
+	*vk = crypt_alloc_volume_key(key_size - BITLK_OPEN_KEY_METADATA_LEN,
+					(const char *)(outbuf + BITLK_OPEN_KEY_METADATA_LEN));
+	r = *vk ? 0 : -ENOMEM;
+out:
+	crypt_safe_free(outbuf);
+	return r;
+}
+
+int BITLK_activate(struct crypt_device *cd,
+		   const char *name,
+		   const char *password,
+		   size_t passwordLen,
+		   const struct bitlk_metadata *params,
+		   uint32_t flags)
+{
+	int r = 0;
+	int i = 0;
+	int j = 0;
+	int min = 0;
+	int num_segments = 0;
+	struct crypt_dm_active_device dmd = {
+		.flags = flags,
+	};
+	struct dm_target *next_segment = NULL;
+	struct volume_key *open_vmk_key = NULL;
+	struct volume_key *open_fvek_key = NULL;
+	struct volume_key *vmk_dec_key = NULL;
+	struct volume_key *recovery_key = NULL;
+	const struct bitlk_vmk *next_vmk = NULL;
+	struct segment segments[MAX_BITLK_SEGMENTS] = {};
+	struct segment temp;
+	uint64_t next_start = 0;
+	uint64_t next_end = 0;
+	uint64_t last_segment = 0;
+	uint32_t dmt_flags;
+
+	if (!params->state) {
+		log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
+		r = -ENOTSUP;
+		goto out;
+	}
+
+	if (params->type != BITLK_ENCRYPTION_TYPE_NORMAL) {
+		log_err(cd, _("BITLK devices with type '%s' cannot be activated."), get_bitlk_type_string(params->type));
+		r = -ENOTSUP;
+		goto out;
+	}
+
+	next_vmk = params->vmks;
+	while (next_vmk) {
+		if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
+			r = bitlk_kdf(cd, password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
+			if (r)
+				return r;
+		} else if (next_vmk->protection == BITLK_PROTECTION_RECOVERY_PASSPHRASE) {
+			r = get_recovery_key(cd, password, passwordLen, &recovery_key);
+			if (r)
+				return r;
+			if (recovery_key == NULL) {
+				/* r = 0 but no key -> given passphrase is not a recovery passphrase */
+				r = -EPERM;
+				next_vmk = next_vmk->next;
+				continue;
+			}
+			log_dbg(cd, "Trying to use given password as a recovery key.");
+			r = bitlk_kdf(cd, recovery_key->key, recovery_key->keylength,
+				      true, next_vmk->salt, &vmk_dec_key);
+			crypt_free_volume_key(recovery_key);
+			if (r)
+				return r;
+		} else {
+			/* only passphrase and recovery passphrase VMKs supported right now */
+			log_dbg(cd, "Skipping %s", get_vmk_protection_string(next_vmk->protection));
+			next_vmk = next_vmk->next;
+			if (r == 0)
+				/* we need to set error code in case we have only unsupported VMKs */
+				r = -ENOTSUP;
+			continue;
+		}
+
+		log_dbg(cd, "Trying to decrypt %s.", get_vmk_protection_string(next_vmk->protection));
+		r = decrypt_key(cd, &open_vmk_key, next_vmk->vk, vmk_dec_key,
+				next_vmk->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
+				next_vmk->nonce, BITLK_NONCE_SIZE, false);
+		if (r < 0) {
+			log_dbg(cd, "Failed to decrypt VMK using provided passphrase.");
+			crypt_free_volume_key(vmk_dec_key);
+			if (r == -ENOTSUP)
+				return r;
+			next_vmk = next_vmk->next;
+			continue;
+		}
+		crypt_free_volume_key(vmk_dec_key);
+
+		r = decrypt_key(cd, &open_fvek_key, params->fvek->vk, open_vmk_key,
+				params->fvek->mac_tag, BITLK_VMK_MAC_TAG_SIZE,
+				params->fvek->nonce, BITLK_NONCE_SIZE, true);
+		if (r < 0) {
+			log_dbg(cd, "Failed to decrypt FVEK using VMK.");
+			crypt_free_volume_key(open_vmk_key);
+			if (r == -ENOTSUP)
+				return r;
+		} else {
+			crypt_free_volume_key(open_vmk_key);
+			break;
+		}
+
+		next_vmk = next_vmk->next;
+	}
+
+	if (r) {
+		log_dbg(cd, "No more VMKs to try.");
+		return r;
+	}
+
+	/* Password verify only */
+	if (!name) {
+		crypt_free_volume_key(open_fvek_key);
+		return r;
+	}
+
+	next_vmk = params->vmks;
+	while (next_vmk) {
+		if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
+			crypt_free_volume_key(open_fvek_key);
+			log_err(cd, _("Activation of partially decrypted BITLK device is not supported."));
+			return -ENOTSUP;
+		}
+		next_vmk = next_vmk->next;
+	}
+
+	r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL,
+				0, &dmd.size, &dmd.flags);
+	if (r) {
+		crypt_free_volume_key(open_fvek_key);
+		return r;
+	}
+
+	/* there will be always 4 dm-zero segments: 3x metadata, 1x FS header */
+	for (i = 0; i < 3; i++) {
+		segments[num_segments].offset = params->metadata_offset[i] / SECTOR_SIZE;
+		segments[num_segments].length = BITLK_FVE_METADATA_SIZE / SECTOR_SIZE;
+		segments[num_segments].iv_offset = 0;
+		segments[num_segments].type = BITLK_SEGTYPE_ZERO;
+		num_segments++;
+	}
+	segments[num_segments].offset = params->volume_header_offset / SECTOR_SIZE;
+	segments[num_segments].length = params->volume_header_size / SECTOR_SIZE;
+	segments[num_segments].iv_offset = 0;
+	segments[num_segments].type = BITLK_SEGTYPE_ZERO;
+	num_segments++;
+
+	/* filesystem header (moved from the special location) */
+	segments[num_segments].offset = 0;
+	segments[num_segments].length = params->volume_header_size / SECTOR_SIZE;
+	segments[num_segments].iv_offset = params->volume_header_offset / SECTOR_SIZE;
+	segments[num_segments].type = BITLK_SEGTYPE_CRYPT;
+	num_segments++;
+
+	/* now fill gaps between the dm-zero segments with dm-crypt */
+	last_segment = params->volume_header_size / SECTOR_SIZE;
+	while (true) {
+		next_start = dmd.size;
+		next_end = dmd.size;
+
+		/* start of the next segment: end of the first existing segment after the last added */
+		for (i = 0; i < num_segments; i++)
+			if (segments[i].offset + segments[i].length < next_start && segments[i].offset + segments[i].length >= last_segment)
+				next_start = segments[i].offset + segments[i].length;
+
+		/* end of the next segment: start of the next segment after start we found above */
+		for (i = 0; i < num_segments; i++)
+			if (segments[i].offset < next_end && segments[i].offset >= next_start)
+				next_end = segments[i].offset;
+
+		/* two zero segments next to each other, just bump the last_segment
+		   so the algorithm moves */
+		if (next_end - next_start == 0) {
+			last_segment = next_end + 1;
+			continue;
+		}
+
+		segments[num_segments].offset = next_start;
+		segments[num_segments].length = next_end - next_start;
+		segments[num_segments].iv_offset = next_start;
+		segments[num_segments].type = BITLK_SEGTYPE_CRYPT;
+		last_segment = next_end;
+		num_segments++;
+
+		if (next_end == dmd.size)
+			break;
+
+		if (num_segments == 10) {
+			log_dbg(cd, "Failed to calculate number of dm-crypt segments for open.");
+			r = -EINVAL;
+			goto out;
+		}
+	}
+
+	/* device mapper needs the segment sorted */
+	for (i = 0; i < num_segments - 1; i++) {
+		min = i;
+		for (j = i + 1; j < num_segments; j++)
+			if (segments[j].offset < segments[min].offset)
+				min = j;
+
+		if (min != i) {
+			temp.offset = segments[min].offset;
+			temp.length = segments[min].length;
+			temp.iv_offset = segments[min].iv_offset;
+			temp.type = segments[min].type;
+
+			segments[min].offset = segments[i].offset;
+			segments[min].length = segments[i].length;
+			segments[min].iv_offset = segments[i].iv_offset;
+			segments[min].type = segments[i].type;
+
+			segments[i].offset = temp.offset;
+			segments[i].length = temp.length;
+			segments[i].iv_offset = temp.iv_offset;
+			segments[i].type = temp.type;
+		}
+	}
+
+	r = dm_targets_allocate(&dmd.segment, num_segments);
+	if (r)
+		goto out;
+	next_segment = &dmd.segment;
+
+	for (i = 0; i < num_segments; i++) {
+		if (segments[i].type == BITLK_SEGTYPE_ZERO)
+			r = dm_zero_target_set(next_segment,
+					       segments[i].offset,
+					       segments[i].length);
+		else if (segments[i].type == BITLK_SEGTYPE_CRYPT)
+			r = dm_crypt_target_set(next_segment,
+						segments[i].offset,
+						segments[i].length,
+						crypt_data_device(cd),
+						open_fvek_key,
+						crypt_get_cipher_spec(cd),
+						segments[i].iv_offset,
+						segments[i].iv_offset,
+						NULL, 0,
+						SECTOR_SIZE);
+		if (r)
+			goto out;
+
+		next_segment = next_segment->next;
+	}
+
+	log_dbg(cd, "Trying to activate BITLK on device %s%s%s.",
+		device_path(crypt_data_device(cd)), name ? " with name " :"", name ?: "");
+
+	r = dm_create_device(cd, name, CRYPT_BITLK, &dmd);
+	if (r < 0) {
+		dm_flags(cd, DM_CRYPT, &dmt_flags);
+		if (!strcmp(params->cipher_mode, "cbc-eboiv") && !(dmt_flags & DM_BITLK_EBOIV_SUPPORTED)) {
+			log_err(cd, _("Cannot activate device, kernel dm-crypt is missing support for BITLK IV."));
+			r = -ENOTSUP;
+		}
+		if (!strcmp(params->cipher_mode, "cbc-elephant") && !(dmt_flags & DM_BITLK_ELEPHANT_SUPPORTED)) {
+			log_err(cd, _("Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."));
+			r = -ENOTSUP;
+		}
+	}
+out:
+	dm_targets_free(cd, &dmd);
+	crypt_free_volume_key(open_fvek_key);
+	return r;
+}
diff -Nru cryptsetup-2.2.2/lib/bitlk/bitlk.h cryptsetup-2.3.1/lib/bitlk/bitlk.h
--- cryptsetup-2.2.2/lib/bitlk/bitlk.h	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/lib/bitlk/bitlk.h	2020-03-12 08:39:20.000000000 +0000
@@ -0,0 +1,130 @@
+/*
+ * BITLK (BitLocker-compatible) header definition
+ *
+ * Copyright (C) 2019-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2019-2020 Milan Broz
+ * Copyright (C) 2019-2020 Vojtech Trefny
+ *
+ * This file is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this file; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRYPTSETUP_BITLK_H
+#define _CRYPTSETUP_BITLK_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+struct crypt_device;
+struct device;
+
+#define BITLK_NONCE_SIZE 12
+#define BITLK_SALT_SIZE 16
+#define BITLK_VMK_MAC_TAG_SIZE 16
+
+#define BITLK_STATE_NORMAL 0x0004
+
+typedef enum {
+	BITLK_ENCRYPTION_TYPE_NORMAL = 0,
+	BITLK_ENCRYPTION_TYPE_EOW,
+	BITLK_ENCRYPTION_TYPE_UNKNOWN,
+} BITLKEncryptionType;
+
+typedef enum {
+	BITLK_PROTECTION_CLEAR_KEY = 0,
+	BITLK_PROTECTION_TPM,
+	BITLK_PROTECTION_STARTUP_KEY,
+	BITLK_PROTECTION_TPM_PIN,
+	BITLK_PROTECTION_RECOVERY_PASSPHRASE,
+	BITLK_PROTECTION_PASSPHRASE,
+	BITLK_PROTECTION_SMART_CARD,
+	BITLK_PROTECTION_UNKNOWN,
+} BITLKVMKProtection;
+
+typedef enum {
+	BITLK_ENTRY_TYPE_PROPERTY = 0x0000,
+	BITLK_ENTRY_TYPE_VMK = 0x0002,
+	BITLK_ENTRY_TYPE_FVEK = 0x0003,
+	BITLK_ENTRY_TYPE_STARTUP_KEY = 0x0006,
+	BITLK_ENTRY_TYPE_DESCRIPTION = 0x0007,
+	BITLK_ENTRY_TYPE_VOLUME_HEADER = 0x000f,
+} BITLKFVEEntryType;
+
+typedef enum {
+	BITLK_ENTRY_VALUE_ERASED = 0x0000,
+	BITLK_ENTRY_VALUE_KEY = 0x0001,
+	BITLK_ENTRY_VALUE_STRING = 0x0002,
+	BITLK_ENTRY_VALUE_STRETCH_KEY = 0x0003,
+	BITLK_ENTRY_VALUE_USE_KEY = 0x0004,
+	BITLK_ENTRY_VALUE_ENCRYPTED_KEY = 0x0005,
+	BITLK_ENTRY_VALUE_TPM_KEY = 0x0006,
+	BITLK_ENTRY_VALUE_VALIDATION = 0x0007,
+	BITLK_ENTRY_VALUE_VMK = 0x0008,
+	BITLK_ENTRY_VALUE_EXTERNAL_KEY = 0x0009,
+	BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
+	BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
+} BITLKFVEEntryValue;
+
+struct bitlk_vmk {
+	char *guid;
+	char *name;
+	BITLKVMKProtection protection;
+	uint8_t salt[BITLK_SALT_SIZE];
+	uint8_t mac_tag[BITLK_VMK_MAC_TAG_SIZE];
+	uint8_t nonce[BITLK_NONCE_SIZE];
+	struct volume_key *vk;
+	struct bitlk_vmk *next;
+};
+
+struct bitlk_fvek {
+	uint8_t mac_tag[BITLK_VMK_MAC_TAG_SIZE];
+	uint8_t nonce[BITLK_NONCE_SIZE];
+	struct volume_key *vk;
+};
+
+struct bitlk_metadata {
+	bool togo;
+	bool state;
+	BITLKEncryptionType type;
+	const char *cipher;
+	const char *cipher_mode;
+	uint16_t key_size;
+	char *guid;
+	uint64_t creation_time;
+	char *description;
+	uint64_t metadata_offset[3];
+	uint32_t metadata_version;
+	uint64_t volume_header_offset;
+	uint64_t volume_header_size;
+	struct bitlk_vmk *vmks;
+	struct bitlk_fvek *fvek;
+};
+
+int BITLK_read_sb(struct crypt_device *cd, struct bitlk_metadata *params);
+
+int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_metadata *params);
+
+int BITLK_activate(struct crypt_device *cd,
+		   const char *name,
+		   const char *password,
+		   size_t passwordLen,
+		   const struct bitlk_metadata *params,
+		   uint32_t flags);
+
+void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek);
+void BITLK_bitlk_vmk_free(struct bitlk_vmk *vmk);
+void BITLK_bitlk_metadata_free(struct bitlk_metadata *params);
+
+#endif
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/argon2_generic.c cryptsetup-2.3.1/lib/crypto_backend/argon2_generic.c
--- cryptsetup-2.2.2/lib/crypto_backend/argon2_generic.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/argon2_generic.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Argon2 PBKDF2 library wrapper
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Milan Broz
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/cipher_check.c cryptsetup-2.3.1/lib/crypto_backend/cipher_check.c
--- cryptsetup-2.2.2/lib/crypto_backend/cipher_check.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/cipher_check.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Cipher performance check
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2019 Milan Broz
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -23,6 +23,10 @@
 #include <time.h>
 #include "crypto_backend_internal.h"
 
+#ifndef CLOCK_MONOTONIC_RAW
+#define CLOCK_MONOTONIC_RAW CLOCK_MONOTONIC
+#endif
+
 /*
  * This is not simulating storage, so using disk block causes extreme overhead.
  * Let's use some fixed block size where results are more reliable...
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/cipher_generic.c cryptsetup-2.3.1/lib/crypto_backend/cipher_generic.c
--- cryptsetup-2.2.2/lib/crypto_backend/cipher_generic.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/cipher_generic.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Linux kernel cipher generic utilities
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2019 Milan Broz
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_backend.h cryptsetup-2.3.1/lib/crypto_backend/crypto_backend.h
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_backend.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_backend.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * crypto backend implementation
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -119,6 +119,12 @@
 
 bool crypt_storage_kernel_only(struct crypt_storage *ctx);
 
+/* Temporary Bitlk helper */
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+			    const char *in, char *out, size_t length,
+			    const char *iv, size_t iv_length,
+			    const char *tag, size_t tag_length);
+
 /* Memzero helper (memset on stack can be optimized out) */
 static inline void crypt_backend_memzero(void *s, size_t n)
 {
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_backend_internal.h cryptsetup-2.3.1/lib/crypto_backend/crypto_backend_internal.h
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_backend_internal.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_backend_internal.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * crypto backend implementation
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -55,5 +55,9 @@
 				const char *in, char *out, size_t length,
 				const char *iv, size_t iv_length);
 void crypt_cipher_destroy_kernel(struct crypt_cipher_kernel *ctx);
+int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
+				   const char *in, char *out, size_t length,
+				   const char *iv, size_t iv_length,
+				   const char *tag, size_t tag_length);
 
 #endif /* _CRYPTO_BACKEND_INTERNAL_H */
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_cipher_kernel.c cryptsetup-2.3.1/lib/crypto_backend/crypto_cipher_kernel.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_cipher_kernel.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_cipher_kernel.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Linux kernel userspace API crypto backend implementation (skcipher)
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -40,6 +40,10 @@
 #define SOL_ALG 279
 #endif
 
+#ifndef ALG_SET_AEAD_AUTHSIZE
+#define ALG_SET_AEAD_AUTHSIZE 5
+#endif
+
 /*
  * ciphers
  *
@@ -49,7 +53,7 @@
  */
 static int _crypt_cipher_init(struct crypt_cipher_kernel *ctx,
 			      const void *key, size_t key_length,
-			      struct sockaddr_alg *sa)
+			      size_t tag_length, struct sockaddr_alg *sa)
 {
 	if (!ctx)
 		return -EINVAL;
@@ -71,6 +75,11 @@
 		return -EINVAL;
 	}
 
+	if (tag_length && setsockopt(ctx->tfmfd, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL, tag_length) < 0) {
+		crypt_cipher_destroy_kernel(ctx);
+		return -EINVAL;
+	}
+
 	ctx->opfd = accept(ctx->tfmfd, NULL, 0);
 	if (ctx->opfd < 0) {
 		crypt_cipher_destroy_kernel(ctx);
@@ -93,12 +102,13 @@
 
 	snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
 
-	return _crypt_cipher_init(ctx, key, key_length, &sa);
+	return _crypt_cipher_init(ctx, key, key_length, 0, &sa);
 }
 
 /* The in/out should be aligned to page boundary */
 static int _crypt_cipher_crypt(struct crypt_cipher_kernel *ctx,
-			       const char *in, char *out, size_t length,
+			       const char *in, size_t in_length,
+			       char *out, size_t out_length,
 			       const char *iv, size_t iv_length,
 			       uint32_t direction)
 {
@@ -109,7 +119,7 @@
 	uint32_t *type;
 	struct iovec iov = {
 		.iov_base = (void*)(uintptr_t)in,
-		.iov_len = length,
+		.iov_len = in_length,
 	};
 	int iv_msg_size = iv ? CMSG_SPACE(sizeof(*alg_iv) + iv_length) : 0;
 	char buffer[CMSG_SPACE(sizeof(*type)) + iv_msg_size];
@@ -120,7 +130,7 @@
 		.msg_iovlen = 1,
 	};
 
-	if (!in || !out || !length)
+	if (!in || !out || !in_length)
 		return -EINVAL;
 
 	if ((!iv && iv_length) || (iv && !iv_length))
@@ -151,13 +161,13 @@
 	}
 
 	len = sendmsg(ctx->opfd, &msg, 0);
-	if (len != (ssize_t)length) {
+	if (len != (ssize_t)(in_length)) {
 		r = -EIO;
 		goto bad;
 	}
 
-	len = read(ctx->opfd, out, length);
-	if (len != (ssize_t)length)
+	len = read(ctx->opfd, out, out_length);
+	if (len != (ssize_t)out_length)
 		r = -EIO;
 bad:
 	crypt_backend_memzero(buffer, sizeof(buffer));
@@ -168,7 +178,7 @@
 				const char *in, char *out, size_t length,
 				const char *iv, size_t iv_length)
 {
-	return _crypt_cipher_crypt(ctx, in, out, length,
+	return _crypt_cipher_crypt(ctx, in, length, out, length,
 				   iv, iv_length, ALG_OP_ENCRYPT);
 }
 
@@ -176,7 +186,7 @@
 				const char *in, char *out, size_t length,
 				const char *iv, size_t iv_length)
 {
-	return _crypt_cipher_crypt(ctx, in, out, length,
+	return _crypt_cipher_crypt(ctx, in, length, out, length,
 				   iv, iv_length, ALG_OP_DECRYPT);
 }
 
@@ -243,13 +253,56 @@
 	memset(key, 0xab, key_length);
 	*key = 0xef;
 
-	r = _crypt_cipher_init(&c, key, key_length, &sa);
+	r = _crypt_cipher_init(&c, key, key_length, 0, &sa);
 	crypt_cipher_destroy_kernel(&c);
 	free(key);
 
 	return r;
 }
 
+int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
+				   const char *in, char *out, size_t length,
+				   const char *iv, size_t iv_length,
+				   const char *tag, size_t tag_length)
+{
+	struct crypt_cipher_kernel c;
+	struct sockaddr_alg sa = {
+		.salg_family = AF_ALG,
+		.salg_type = "aead",
+		.salg_name = "ccm(aes)",
+	};
+	int r;
+	char buffer[128], ccm_iv[16];
+
+	if (length + tag_length > sizeof(buffer))
+		return -EINVAL;
+
+	if (iv_length > sizeof(ccm_iv) - 2)
+		return -EINVAL;
+
+	r = _crypt_cipher_init(&c, key, key_length, tag_length, &sa);
+	if (r < 0)
+		return r;
+
+	memcpy(buffer, in, length);
+	memcpy(buffer + length, tag, tag_length);
+
+	/* CCM IV - RFC3610 */
+	memset(ccm_iv, 0, sizeof(ccm_iv));
+	ccm_iv[0] = 15 - iv_length - 1;
+	memcpy(ccm_iv + 1, iv, iv_length);
+	memset(ccm_iv + 1 + iv_length, 0, ccm_iv[0] + 1);
+	iv_length = sizeof(ccm_iv);
+
+	r =  _crypt_cipher_crypt(&c, buffer, length + tag_length, out, length,
+				 ccm_iv, iv_length, ALG_OP_DECRYPT);
+
+	crypt_cipher_destroy_kernel(&c);
+	crypt_backend_memzero(buffer, sizeof(buffer));
+
+	return r;
+}
+
 #else /* ENABLE_AF_ALG */
 int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 			     const char *mode, const void *key, size_t key_length)
@@ -280,4 +333,11 @@
 	/* Cannot check, expect success. */
 	return 0;
 }
+int crypt_bitlk_decrypt_key_kernel(const void *key, size_t key_length,
+				   const char *in, char *out, size_t length,
+				   const char *iv, size_t iv_length,
+				   const char *tag, size_t tag_length)
+{
+	return -ENOTSUP;
+}
 #endif
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_gcrypt.c cryptsetup-2.3.1/lib/crypto_backend/crypto_gcrypt.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_gcrypt.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_gcrypt.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * GCRYPT crypto backend implementation
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -479,3 +479,43 @@
 {
 	return ctx->use_kernel;
 }
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+			    const char *in, char *out, size_t length,
+			    const char *iv, size_t iv_length,
+			    const char *tag, size_t tag_length)
+{
+#ifdef GCRY_CCM_BLOCK_LEN
+	gcry_cipher_hd_t hd;
+	uint64_t l[3];
+	int r = -EINVAL;
+
+	if (gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 0))
+		return -EINVAL;
+
+	if (gcry_cipher_setkey(hd, key, key_length))
+		goto out;
+
+	if (gcry_cipher_setiv(hd, iv, iv_length))
+		goto out;
+
+	l[0] = length;
+	l[1] = 0;
+	l[2] = tag_length;
+	if (gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, l, sizeof(l)))
+		goto out;
+
+	if (gcry_cipher_decrypt(hd, out, length, in, length))
+		goto out;
+
+	if (gcry_cipher_checktag(hd, tag, tag_length))
+		goto out;
+
+	r = 0;
+out:
+	gcry_cipher_close(hd);
+	return r;
+#else
+	return -ENOTSUP;
+#endif
+}
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_kernel.c cryptsetup-2.3.1/lib/crypto_backend/crypto_kernel.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_kernel.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_kernel.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Linux kernel userspace API crypto backend implementation
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -392,3 +392,12 @@
 {
 	return true;
 }
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+			    const char *in, char *out, size_t length,
+			    const char *iv, size_t iv_length,
+			    const char *tag, size_t tag_length)
+{
+	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+					      iv, iv_length, tag, tag_length);
+}
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_nettle.c cryptsetup-2.3.1/lib/crypto_backend/crypto_nettle.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_nettle.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_nettle.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Nettle crypto backend implementation
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2019 Milan Broz
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -433,3 +433,12 @@
 {
 	return true;
 }
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+			    const char *in, char *out, size_t length,
+			    const char *iv, size_t iv_length,
+			    const char *tag, size_t tag_length)
+{
+	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+					      iv, iv_length, tag, tag_length);
+}
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_nss.c cryptsetup-2.3.1/lib/crypto_backend/crypto_nss.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_nss.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_nss.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * NSS crypto backend implementation
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -381,3 +381,12 @@
 {
 	return true;
 }
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+			    const char *in, char *out, size_t length,
+			    const char *iv, size_t iv_length,
+			    const char *tag, size_t tag_length)
+{
+	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+					      iv, iv_length, tag, tag_length);
+}
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_openssl.c cryptsetup-2.3.1/lib/crypto_backend/crypto_openssl.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_openssl.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_openssl.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * OPENSSL crypto backend implementation
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -35,6 +35,8 @@
 #include <openssl/rand.h>
 #include "crypto_backend_internal.h"
 
+#define CONST_CAST(x) (x)(uintptr_t)
+
 static int crypto_backend_initialised = 0;
 
 struct crypt_hash {
@@ -505,3 +507,40 @@
 {
 	return ctx->use_kernel;
 }
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+			    const char *in, char *out, size_t length,
+			    const char *iv, size_t iv_length,
+			    const char *tag, size_t tag_length)
+{
+#ifdef EVP_CTRL_CCM_SET_IVLEN
+	EVP_CIPHER_CTX *ctx;
+	int len = 0, r = -EINVAL;
+
+	ctx = EVP_CIPHER_CTX_new();
+	if (!ctx)
+		return -EINVAL;
+
+	if (EVP_DecryptInit_ex(ctx, EVP_aes_256_ccm(), NULL, NULL, NULL) != 1)
+		goto out;
+
+	//EVP_CIPHER_CTX_key_length(ctx)
+	//EVP_CIPHER_CTX_iv_length(ctx)
+
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, iv_length, NULL) != 1)
+		goto out;
+	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, tag_length, CONST_CAST(void*)tag) != 1)
+		goto out;
+
+	if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, (const unsigned char*)iv) != 1)
+		goto out;
+
+	if (EVP_DecryptUpdate(ctx, (unsigned char*)out, &len, (const unsigned char*)in, length) == 1)
+		r = 0;
+out:
+	EVP_CIPHER_CTX_free(ctx);
+	return r;
+#else
+	return -ENOTSUP;
+#endif
+}
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/crypto_storage.c cryptsetup-2.3.1/lib/crypto_backend/crypto_storage.c
--- cryptsetup-2.2.2/lib/crypto_backend/crypto_storage.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/crypto_storage.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * Generic wrapper for storage encryption modes and Initial Vectors
  * (reimplementation of some functions from Linux dm-crypt kernel)
  *
- * Copyright (C) 2014-2019 Milan Broz
+ * Copyright (C) 2014-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/pbkdf2_generic.c cryptsetup-2.3.1/lib/crypto_backend/pbkdf2_generic.c
--- cryptsetup-2.2.2/lib/crypto_backend/pbkdf2_generic.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/pbkdf2_generic.c	2020-03-12 08:39:20.000000000 +0000
@@ -4,8 +4,8 @@
  * Copyright (C) 2004 Free Software Foundation
  *
  * cryptsetup related changes
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/crypto_backend/pbkdf_check.c cryptsetup-2.3.1/lib/crypto_backend/pbkdf_check.c
--- cryptsetup-2.2.2/lib/crypto_backend/pbkdf_check.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypto_backend/pbkdf_check.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * PBKDF performance check
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
- * Copyright (C) 2016-2019 Ondrej Mosnacek
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
+ * Copyright (C) 2016-2020 Ondrej Mosnacek
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -27,6 +27,10 @@
 #include <sys/resource.h>
 #include "crypto_backend.h"
 
+#ifndef CLOCK_MONOTONIC_RAW
+#define CLOCK_MONOTONIC_RAW CLOCK_MONOTONIC
+#endif
+
 #define BENCH_MIN_MS 250
 #define BENCH_MIN_MS_FAST 10
 #define BENCH_PERCENT_ATLEAST 95
diff -Nru cryptsetup-2.2.2/lib/crypt_plain.c cryptsetup-2.3.1/lib/crypt_plain.c
--- cryptsetup-2.2.2/lib/crypt_plain.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/crypt_plain.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,8 +2,8 @@
  * cryptsetup plain device helper functions
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2019 Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/integrity/integrity.c cryptsetup-2.3.1/lib/integrity/integrity.c
--- cryptsetup-2.2.2/lib/integrity/integrity.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/integrity/integrity.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * Integrity volume handling
  *
- * Copyright (C) 2016-2019 Milan Broz
+ * Copyright (C) 2016-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -22,7 +22,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <fcntl.h>
 #include <uuid/uuid.h>
 
 #include "integrity.h"
@@ -41,8 +40,7 @@
 	if (read_lseek_blockwise(devfd, device_block_size(cd, device),
 		device_alignment(device), sb, sizeof(*sb), offset) != sizeof(*sb) ||
 	    memcmp(sb->magic, SB_MAGIC, sizeof(sb->magic)) ||
-	    (sb->version != SB_VERSION_1 && sb->version != SB_VERSION_2 &&
-	     sb->version != SB_VERSION_3)) {
+	    sb->version < SB_VERSION_1 || sb->version > SB_VERSION_4) {
 		log_std(cd, "No integrity superblock detected on %s.\n",
 			device_path(device));
 		r = -EINVAL;
@@ -58,7 +56,9 @@
 	return r;
 }
 
-int INTEGRITY_read_sb(struct crypt_device *cd, struct crypt_params_integrity *params)
+int INTEGRITY_read_sb(struct crypt_device *cd,
+		      struct crypt_params_integrity *params,
+		      uint32_t *flags)
 {
 	struct superblock sb;
 	int r;
@@ -70,6 +70,9 @@
 	params->sector_size = SECTOR_SIZE << sb.log2_sectors_per_block;
 	params->tag_size = sb.integrity_tag_size;
 
+	if (flags)
+		*flags = sb.flags;
+
 	return 0;
 }
 
@@ -92,10 +95,11 @@
 	if (sb.version == SB_VERSION_2 && (sb.flags & SB_FLAG_RECALCULATING))
 		log_std(cd, "recalc_sector %" PRIu64 "\n", sb.recalc_sector);
 	log_std(cd, "log2_blocks_per_bitmap %u\n", sb.log2_blocks_per_bitmap_bit);
-	log_std(cd, "flags %s%s%s\n",
+	log_std(cd, "flags %s%s%s%s\n",
 		sb.flags & SB_FLAG_HAVE_JOURNAL_MAC ? "have_journal_mac " : "",
 		sb.flags & SB_FLAG_RECALCULATING ? "recalculating " : "",
-		sb.flags & SB_FLAG_DIRTY_BITMAP ? "dirty_bitmap " : "");
+		sb.flags & SB_FLAG_DIRTY_BITMAP ? "dirty_bitmap " : "",
+		sb.flags & SB_FLAG_FIXED_PADDING ? "fix_padding " : "");
 
 	return 0;
 }
@@ -137,6 +141,27 @@
 	return -EINVAL;
 }
 
+/* Return hash or hmac(hash) size, if known */
+int INTEGRITY_hash_tag_size(const char *integrity)
+{
+	char hash[MAX_CIPHER_LEN];
+	int r;
+
+	if (!integrity)
+		return 0;
+
+	if (!strcmp(integrity, "crc32") || !strcmp(integrity, "crc32c"))
+		return 4;
+
+	r = sscanf(integrity, "hmac(%" MAX_CIPHER_LEN_STR "[^)]s", hash);
+	if (r == 1)
+		r = crypt_hash_size(hash);
+	else
+		r = crypt_hash_size(integrity);
+
+	return r < 0 ? 0 : r;
+}
+
 int INTEGRITY_tag_size(struct crypt_device *cd,
 		       const char *integrity,
 		       const char *cipher,
@@ -187,7 +212,7 @@
 		       struct volume_key *journal_crypt_key,
 		       struct volume_key *journal_mac_key,
 		       struct crypt_dm_active_device *dmd,
-		       uint32_t flags)
+		       uint32_t flags, uint32_t sb_flags)
 {
 	int r;
 
@@ -198,12 +223,16 @@
 		.flags = flags,
 	};
 
+	/* Workaround for kernel dm-integrity table bug */
+	if (sb_flags & SB_FLAG_RECALCULATING)
+		dmd->flags |= CRYPT_ACTIVATE_RECALCULATE;
+
 	r = INTEGRITY_data_sectors(cd, crypt_metadata_device(cd),
 				   crypt_get_data_offset(cd) * SECTOR_SIZE, &dmd->size);
 	if (r < 0)
 		return r;
 
-	return dm_integrity_target_set(&dmd->segment, 0, dmd->size,
+	return dm_integrity_target_set(cd, &dmd->segment, 0, dmd->size,
 			crypt_metadata_device(cd), crypt_data_device(cd),
 			crypt_get_integrity_tag_size(cd), crypt_get_data_offset(cd),
 			crypt_get_sector_size(cd), vk, journal_crypt_key,
@@ -213,7 +242,8 @@
 int INTEGRITY_activate_dmd_device(struct crypt_device *cd,
 		       const char *name,
 		       const char *type,
-		       struct crypt_dm_active_device *dmd)
+		       struct crypt_dm_active_device *dmd,
+		       uint32_t sb_flags)
 {
 	int r;
 	uint32_t dmi_flags;
@@ -238,7 +268,13 @@
 
 	r = dm_create_device(cd, name, type, dmd);
 	if (r < 0 && (dm_flags(cd, DM_INTEGRITY, &dmi_flags) || !(dmi_flags & DM_INTEGRITY_SUPPORTED))) {
-		log_err(cd, _("Kernel doesn't support dm-integrity mapping."));
+		log_err(cd, _("Kernel does not support dm-integrity mapping."));
+		return -ENOTSUP;
+	}
+
+	if (r < 0 && (sb_flags & SB_FLAG_FIXED_PADDING) && !dm_flags(cd, DM_INTEGRITY, &dmi_flags) &&
+	    !(dmi_flags & DM_INTEGRITY_FIX_PADDING_SUPPORTED)) {
+		log_err(cd, _("Kernel does not support dm-integrity fixed metadata alignment."));
 		return -ENOTSUP;
 	}
 
@@ -251,15 +287,16 @@
 		       struct volume_key *vk,
 		       struct volume_key *journal_crypt_key,
 		       struct volume_key *journal_mac_key,
-		       uint32_t flags)
+		       uint32_t flags, uint32_t sb_flags)
 {
 	struct crypt_dm_active_device dmd = {};
-	int r = INTEGRITY_create_dmd_device(cd, params, vk, journal_crypt_key, journal_mac_key, &dmd, flags);
+	int r = INTEGRITY_create_dmd_device(cd, params, vk, journal_crypt_key,
+					    journal_mac_key, &dmd, flags, sb_flags);
 
 	if (r < 0)
 		return r;
 
-	r = INTEGRITY_activate_dmd_device(cd, name, CRYPT_INTEGRITY, &dmd);
+	r = INTEGRITY_activate_dmd_device(cd, name, CRYPT_INTEGRITY, &dmd, sb_flags);
 	dm_targets_free(cd, &dmd);
 	return r;
 }
@@ -289,7 +326,7 @@
 	if (params && params->integrity_key_size)
 		vk = crypt_alloc_volume_key(params->integrity_key_size, NULL);
 
-	r = dm_integrity_target_set(tgt, 0, dmdi.size, crypt_metadata_device(cd),
+	r = dm_integrity_target_set(cd, tgt, 0, dmdi.size, crypt_metadata_device(cd),
 			crypt_data_device(cd), crypt_get_integrity_tag_size(cd),
 			crypt_get_data_offset(cd), crypt_get_sector_size(cd), vk,
 			journal_crypt_key, journal_mac_key, params);
@@ -303,7 +340,7 @@
 
 	r = device_block_adjust(cd, tgt->data_device, DEV_EXCL, tgt->u.integrity.offset, NULL, NULL);
 	if (r < 0 && (dm_flags(cd, DM_INTEGRITY, &dmi_flags) || !(dmi_flags & DM_INTEGRITY_SUPPORTED))) {
-		log_err(cd, _("Kernel doesn't support dm-integrity mapping."));
+		log_err(cd, _("Kernel does not support dm-integrity mapping."));
 		r = -ENOTSUP;
 	}
 	if (r) {
diff -Nru cryptsetup-2.2.2/lib/integrity/integrity.h cryptsetup-2.3.1/lib/integrity/integrity.h
--- cryptsetup-2.2.2/lib/integrity/integrity.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/integrity/integrity.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * Integrity header definition
  *
- * Copyright (C) 2016-2019 Milan Broz
+ * Copyright (C) 2016-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -34,10 +34,12 @@
 #define SB_VERSION_1	1
 #define SB_VERSION_2	2
 #define SB_VERSION_3	3
+#define SB_VERSION_4	4
 
 #define SB_FLAG_HAVE_JOURNAL_MAC	(1 << 0)
 #define SB_FLAG_RECALCULATING		(1 << 1) /* V2 only */
 #define SB_FLAG_DIRTY_BITMAP		(1 << 2) /* V3 only */
+#define SB_FLAG_FIXED_PADDING		(1 << 3) /* V4 only */
 
 struct superblock {
 	uint8_t magic[8];
@@ -53,7 +55,9 @@
 	uint64_t recalc_sector; /* V2 only */
 } __attribute__ ((packed));
 
-int INTEGRITY_read_sb(struct crypt_device *cd, struct crypt_params_integrity *params);
+int INTEGRITY_read_sb(struct crypt_device *cd,
+		      struct crypt_params_integrity *params,
+		      uint32_t *flags);
 
 int INTEGRITY_dump(struct crypt_device *cd, struct device *device, uint64_t offset);
 
@@ -66,6 +70,7 @@
 		       const char *integrity,
 		       const char *cipher,
 		       const char *cipher_mode);
+int INTEGRITY_hash_tag_size(const char *integrity);
 
 int INTEGRITY_format(struct crypt_device *cd,
 		     const struct crypt_params_integrity *params,
@@ -78,7 +83,7 @@
 		       struct volume_key *vk,
 		       struct volume_key *journal_crypt_key,
 		       struct volume_key *journal_mac_key,
-		       uint32_t flags);
+		       uint32_t flags, uint32_t sb_flags);
 
 int INTEGRITY_create_dmd_device(struct crypt_device *cd,
 		       const struct crypt_params_integrity *params,
@@ -86,10 +91,11 @@
 		       struct volume_key *journal_crypt_key,
 		       struct volume_key *journal_mac_key,
 		       struct crypt_dm_active_device *dmd,
-		       uint32_t flags);
+		       uint32_t flags, uint32_t sb_flags);
 
 int INTEGRITY_activate_dmd_device(struct crypt_device *cd,
 		       const char *name,
 		       const char *type,
-		       struct crypt_dm_active_device *dmd);
+		       struct crypt_dm_active_device *dmd,
+		       uint32_t sb_flags);
 #endif
diff -Nru cryptsetup-2.2.2/lib/internal.h cryptsetup-2.3.1/lib/internal.h
--- cryptsetup-2.2.2/lib/internal.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/internal.h	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -30,6 +30,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <inttypes.h>
+#include <fcntl.h>
 
 #include "nls.h"
 #include "bitops.h"
@@ -77,6 +78,10 @@
 		*_py = NULL; \
 	} while (0)
 
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#endif
+
 struct crypt_device;
 struct luks2_reenc_context;
 
diff -Nru cryptsetup-2.2.2/lib/libcryptsetup.h cryptsetup-2.3.1/lib/libcryptsetup.h
--- cryptsetup-2.2.2/lib/libcryptsetup.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/libcryptsetup.h	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -414,6 +414,8 @@
 #define CRYPT_TCRYPT "TCRYPT"
 /** INTEGRITY dm-integrity device */
 #define CRYPT_INTEGRITY "INTEGRITY"
+/** BITLK (BitLocker-compatible mode) */
+#define CRYPT_BITLK "BITLK"
 
 /** LUKS any version */
 #define CRYPT_LUKS NULL
@@ -505,6 +507,8 @@
 #define CRYPT_VERITY_CHECK_HASH  (1 << 1)
 /** Create hash - format hash device */
 #define CRYPT_VERITY_CREATE_HASH (1 << 2)
+/** Root hash signature required for activation */
+#define CRYPT_VERITY_ROOT_HASH_SIGNATURE (1 << 3)
 
 /**
  *
@@ -630,6 +634,26 @@
 	void *params);
 
 /**
+ * Set format compatibility flags.
+ *
+ * @param cd crypt device handle
+ * @param flags CRYPT_COMPATIBILITY_* flags
+ */
+void crypt_set_compatibility(struct crypt_device *cd, uint32_t flags);
+
+/**
+ * Get compatibility flags.
+ *
+ * @param cd crypt device handle
+ *
+ * @returns compatibility flags
+ */
+uint32_t crypt_get_compatibility(struct crypt_device *cd);
+
+/** dm-integrity device uses less effective (legacy) padding (old kernels) */
+#define CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING (1 << 0)
+
+/**
  * Convert to new type for already existing device.
  *
  * @param cd crypt device handle
@@ -828,6 +852,20 @@
 	int keyslot,
 	const char *keyfile,
 	size_t keyfile_size);
+/**
+ * Resume crypt device using provided volume key.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to resume
+ * @param volume_key provided volume key
+ * @param volume_key_size size of volume_key
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_resume_by_volume_key(struct crypt_device *cd,
+	const char *name,
+	const char *volume_key,
+	size_t volume_key_size);
 /** @} */
 
 /**
@@ -1061,6 +1099,8 @@
 #define CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF (1 << 19)
 /** dm-integrity: direct writes, use bitmap to track dirty sectors */
 #define CRYPT_ACTIVATE_NO_JOURNAL_BITMAP (1 << 20)
+/** device is suspended (key should be wiped from memory), output only */
+#define CRYPT_ACTIVATE_SUSPENDED (1 << 21)
 
 /**
  * Active device runtime attributes
@@ -1253,6 +1293,31 @@
 	uint32_t flags);
 
 /**
+ * Activate VERITY device using provided key and optional signature).
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create
+ * @param volume_key provided volume key
+ * @param volume_key_size size of volume_key
+ * @param signature buffer with signature for the key
+ * @param signature_size bsize of signature buffer
+ * @param flags activation flags
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note For VERITY the volume key means root hash required for activation.
+ *	Because kernel dm-verity is always read only, you have to provide
+ *	CRYPT_ACTIVATE_READONLY flag always.
+ */
+int crypt_activate_by_signed_key(struct crypt_device *cd,
+	const char *name,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	uint32_t flags);
+
+/**
  * Activate device using passphrase stored in kernel keyring.
  *
  * @param cd crypt device handle
@@ -1322,6 +1387,7 @@
  *
  * @note For TCRYPT cipher chain is the volume key concatenated
  * 	 for all ciphers in chain.
+ * @note For VERITY the volume key means root hash used for activation.
  */
 int crypt_volume_key_get(struct crypt_device *cd,
 	int keyslot,
@@ -2251,6 +2317,53 @@
 		struct crypt_params_reencrypt *params);
 /** @} */
 
+/**
+ * @defgroup crypt-memory Safe memory helpers functions
+ * @addtogroup crypt-memory
+ * @{
+ */
+
+/**
+ * Allocate safe memory (content is safely wiped on deallocation).
+ *
+ * @param size size of memory in bytes
+ *
+ * @return pointer to allocate memory or @e NULL.
+ */
+void *crypt_safe_alloc(size_t size);
+
+/**
+ * Release safe memory, content is safely wiped
+ * The pointer must be allocated with @link crypt_safe_alloc @endlink
+ *
+ * @param data pointer to memory to be deallocated
+ *
+ * @return pointer to allocate memory or @e NULL.
+ */
+void crypt_safe_free(void *data);
+
+/**
+ * Reallocate safe memory (content is copied and safely wiped on deallocation).
+ *
+ * @param data pointer to memory to be deallocated
+ * @param size new size of memory in bytes
+ *
+ * @return pointer to allocate memory or @e NULL.
+ */
+void *crypt_safe_realloc(void *data, size_t size);
+
+/**
+ * Safe clear memory area (compile should not compile this call out).
+ *
+ * @param data pointer to memory to cleared
+ * @param size new size of memory in bytes
+ *
+ * @return pointer to allocate memory or @e NULL.
+ */
+void crypt_safe_memzero(void *data, size_t size);
+
+/** @} */
+
 #ifdef __cplusplus
 }
 #endif
diff -Nru cryptsetup-2.2.2/lib/libcryptsetup.sym cryptsetup-2.3.1/lib/libcryptsetup.sym
--- cryptsetup-2.2.2/lib/libcryptsetup.sym	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/libcryptsetup.sym	2020-03-12 08:39:20.000000000 +0000
@@ -12,6 +12,9 @@
 		crypt_set_label;
 		crypt_set_data_device;
 
+		crypt_set_compatibility;
+		crypt_get_compatibility;
+
 		crypt_memory_lock;
 		crypt_metadata_locking;
 		crypt_format;
@@ -24,6 +27,7 @@
 		crypt_resume_by_keyfile;
 		crypt_resume_by_keyfile_offset;
 		crypt_resume_by_keyfile_device_offset;
+		crypt_resume_by_volume_key;
 		crypt_free;
 
 		crypt_keyslot_add_by_passphrase;
@@ -55,6 +59,7 @@
 		crypt_activate_by_keyfile_offset;
 		crypt_activate_by_keyfile_device_offset;
 		crypt_activate_by_volume_key;
+		crypt_activate_by_signed_key;
 		crypt_activate_by_keyring;
 		crypt_deactivate;
 		crypt_deactivate_by_name;
@@ -118,6 +123,11 @@
 		crypt_reencrypt_init_by_keyring;
 		crypt_reencrypt;
 		crypt_reencrypt_status;
+
+		crypt_safe_alloc;
+		crypt_safe_realloc;
+		crypt_safe_free;
+		crypt_safe_memzero;
 	local:
 		*;
 };
diff -Nru cryptsetup-2.2.2/lib/libdevmapper.c cryptsetup-2.3.1/lib/libdevmapper.c
--- cryptsetup-2.2.2/lib/libdevmapper.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/libdevmapper.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -27,7 +27,6 @@
 #include <dirent.h>
 #include <errno.h>
 #include <libdevmapper.h>
-#include <fcntl.h>
 #include <linux/fs.h>
 #include <uuid/uuid.h>
 #include <sys/stat.h>
@@ -47,6 +46,7 @@
 #define DM_INTEGRITY_TARGET	"integrity"
 #define DM_LINEAR_TARGET	"linear"
 #define DM_ERROR_TARGET         "error"
+#define DM_ZERO_TARGET		"zero"
 #define RETRY_COUNT		5
 
 /* Set if DM target versions were probed */
@@ -168,6 +168,12 @@
 		_dm_flags |= DM_CAPI_STRING_SUPPORTED;
 	}
 
+	if (_dm_satisfies_version(1, 19, 0, crypt_maj, crypt_min, crypt_patch))
+		_dm_flags |= DM_BITLK_EBOIV_SUPPORTED;
+
+	if (_dm_satisfies_version(1, 20, 0, crypt_maj, crypt_min, crypt_patch))
+		_dm_flags |= DM_BITLK_ELEPHANT_SUPPORTED;
+
 	_dm_crypt_checked = true;
 }
 
@@ -196,6 +202,9 @@
 		_dm_flags |= DM_VERITY_FEC_SUPPORTED;
 	}
 
+	if (_dm_satisfies_version(1, 5, 0, verity_maj, verity_min, verity_patch))
+		_dm_flags |= DM_VERITY_SIGNATURE_SUPPORTED;
+
 	_dm_verity_checked = true;
 }
 
@@ -218,6 +227,9 @@
 	if (_dm_satisfies_version(1, 3, 0, integrity_maj, integrity_min, integrity_patch))
 		_dm_flags |= DM_INTEGRITY_BITMAP_SUPPORTED;
 
+	if (_dm_satisfies_version(1, 4, 0, integrity_maj, integrity_min, integrity_patch))
+		_dm_flags |= DM_INTEGRITY_FIX_PADDING_SUPPORTED;
+
 	_dm_integrity_checked = true;
 }
 
@@ -265,7 +277,7 @@
 	if ((target_type == DM_CRYPT	 && _dm_crypt_checked) ||
 	    (target_type == DM_VERITY    && _dm_verity_checked) ||
 	    (target_type == DM_INTEGRITY && _dm_integrity_checked) ||
-	    (target_type == DM_LINEAR) ||
+	    (target_type == DM_LINEAR) || (target_type == DM_ZERO) ||
 	    (_dm_crypt_checked && _dm_verity_checked && _dm_integrity_checked))
 		return 1;
 
@@ -346,7 +358,7 @@
 	if ((target == DM_CRYPT	    && _dm_crypt_checked) ||
 	    (target == DM_VERITY    && _dm_verity_checked) ||
 	    (target == DM_INTEGRITY && _dm_integrity_checked) ||
-	    (target == DM_LINEAR)) /* nothing to check with linear */
+	    (target == DM_LINEAR) || (target == DM_ZERO)) /* nothing to check */
 		return 0;
 
 	return -ENODEV;
@@ -667,7 +679,7 @@
 	int max_size, r, num_options = 0;
 	struct crypt_params_verity *vp;
 	char *params = NULL, *hexroot = NULL, *hexsalt = NULL;
-	char features[256], fec_features[256];
+	char features[256], fec_features[256], verity_verify_args[512+32];
 
 	if (!tgt || !tgt->u.verity.vp)
 		return NULL;
@@ -697,6 +709,13 @@
 	} else
 		*fec_features = '\0';
 
+	if (tgt->u.verity.root_hash_sig_key_desc) {
+		num_options += 2;
+		snprintf(verity_verify_args, sizeof(verity_verify_args)-1,
+				" root_hash_sig_key_desc %s", tgt->u.verity.root_hash_sig_key_desc);
+	} else
+		*verity_verify_args = '\0';
+
 	if (num_options)
 		snprintf(features, sizeof(features)-1, " %d%s%s%s%s", num_options,
 		(flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "",
@@ -722,19 +741,22 @@
 	max_size = strlen(hexroot) + strlen(hexsalt) +
 		   strlen(device_block_path(tgt->data_device)) +
 		   strlen(device_block_path(tgt->u.verity.hash_device)) +
-		   strlen(vp->hash_name) + strlen(features) + strlen(fec_features) + 128;
+		   strlen(vp->hash_name) + strlen(features) + strlen(fec_features) + 128 +
+		   strlen(verity_verify_args);
 
 	params = crypt_safe_alloc(max_size);
 	if (!params)
 		goto out;
 
 	r = snprintf(params, max_size,
-		     "%u %s %s %u %u %" PRIu64 " %" PRIu64 " %s %s %s%s%s",
+		     "%u %s %s %u %u %" PRIu64 " %" PRIu64 " %s %s %s%s%s%s",
 		     vp->hash_type, device_block_path(tgt->data_device),
 		     device_block_path(tgt->u.verity.hash_device),
 		     vp->data_block_size, vp->hash_block_size,
 		     vp->data_size, tgt->u.verity.hash_offset,
-		     vp->hash_name, hexroot, hexsalt, features, fec_features);
+		     vp->hash_name, hexroot, hexsalt, features, fec_features,
+		     verity_verify_args);
+
 	if (r < 0 || r >= max_size) {
 		crypt_safe_free(params);
 		params = NULL;
@@ -866,6 +888,11 @@
 		strncat(features, feature, sizeof(features) - strlen(features) - 1);
 		crypt_safe_free(hexkey);
 	}
+	if (tgt->u.integrity.fix_padding) {
+		num_options++;
+		snprintf(feature, sizeof(feature), "fix_padding ");
+		strncat(features, feature, sizeof(features) - strlen(features) - 1);
+	}
 
 	if (flags & CRYPT_ACTIVATE_RECALCULATE) {
 		num_options++;
@@ -922,6 +949,16 @@
 	return params;
 }
 
+static char *get_dm_zero_params(const struct dm_target *tgt, uint32_t flags)
+{
+	char *params = crypt_safe_alloc(1);
+	if (!params)
+		return NULL;
+
+	params[0] = 0;
+	return params;
+}
+
 /* DM helpers */
 static int _dm_remove(const char *name, int udev_wait, int deferred)
 {
@@ -1195,6 +1232,9 @@
 		case DM_LINEAR:
 			target = DM_LINEAR_TARGET;
 			break;
+		case DM_ZERO:
+			target = DM_ZERO_TARGET;
+			break;
 		default:
 			return -ENOTSUP;
 		}
@@ -1233,6 +1273,8 @@
 			tgt->params = get_dm_integrity_params(tgt, dmd->flags);
 		else if (tgt->type == DM_LINEAR)
 			tgt->params = get_dm_linear_params(tgt, dmd->flags);
+		else if (tgt->type == DM_ZERO)
+			tgt->params = get_dm_zero_params(tgt, dmd->flags);
 		else {
 			r = -ENOTSUP;
 			goto err;
@@ -1454,10 +1496,13 @@
 		crypt_free_verity_params(tgt->u.verity.vp);
 		device_free(cd, tgt->u.verity.hash_device);
 		free(CONST_CAST(void*)tgt->u.verity.root_hash);
+		free(CONST_CAST(void*)tgt->u.verity.root_hash_sig_key_desc);
 		/* fall through */
 	case DM_LINEAR:
 		/* fall through */
 	case DM_ERROR:
+		/* fall through */
+	case DM_ZERO:
 		break;
 	default:
 		log_err(cd, _("Unknown dm target type."));
@@ -1522,7 +1567,7 @@
 	/* If kernel keyring is not supported load key directly in dm-crypt */
 	if ((*dmd_flags & CRYPT_ACTIVATE_KEYRING_KEY) &&
 	    !(dmt_flags & DM_KERNEL_KEYRING_SUPPORTED)) {
-		log_dbg(cd, "dm-crypt doesn't support kernel keyring");
+		log_dbg(cd, "dm-crypt does not support kernel keyring");
 		*dmd_flags = *dmd_flags & ~CRYPT_ACTIVATE_KEYRING_KEY;
 		ret = 1;
 	}
@@ -1530,7 +1575,7 @@
 	/* Drop performance options if not supported */
 	if ((*dmd_flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)) &&
 	    !(dmt_flags & (DM_SAME_CPU_CRYPT_SUPPORTED | DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED))) {
-		log_dbg(cd, "dm-crypt doesn't support performance options");
+		log_dbg(cd, "dm-crypt does not support performance options");
 		*dmd_flags = *dmd_flags & ~(CRYPT_ACTIVATE_SAME_CPU_CRYPT | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS);
 		ret = 1;
 	}
@@ -1556,7 +1601,8 @@
 	if (r < 0 && dm_flags(cd, dmd->segment.type, &dmt_flags))
 		goto out;
 
-	if (r && (dmd->segment.type == DM_CRYPT || dmd->segment.type == DM_LINEAR) && check_retry(cd, &dmd->flags, dmt_flags))
+	if (r && (dmd->segment.type == DM_CRYPT || dmd->segment.type == DM_LINEAR || dmd->segment.type == DM_ZERO) &&
+		check_retry(cd, &dmd->flags, dmt_flags))
 		r = _dm_create_device(cd, name, type, dmd->uuid, dmd);
 
 	if (r == -EINVAL &&
@@ -1669,6 +1715,7 @@
 			strcmp(target_type, DM_VERITY_TARGET) &&
 			strcmp(target_type, DM_INTEGRITY_TARGET) &&
 			strcmp(target_type, DM_LINEAR_TARGET) &&
+			strcmp(target_type, DM_ZERO_TARGET) &&
 			strcmp(target_type, DM_ERROR_TARGET)))
 		goto out;
 	r = 0;
@@ -1957,6 +2004,7 @@
 	int r;
 	struct device *data_device = NULL, *hash_device = NULL, *fec_device = NULL;
 	char *hash_name = NULL, *root_hash = NULL, *salt = NULL, *fec_dev_str = NULL;
+	char *root_hash_sig_key_desc = NULL;
 
 	if (get_flags & DM_ACTIVE_VERITY_PARAMS) {
 		vp = crypt_zalloc(sizeof(*vp));
@@ -2140,6 +2188,15 @@
 				if (vp)
 					vp->fec_roots = val32;
 				i++;
+			} else if (!strcasecmp(arg, "root_hash_sig_key_desc")) {
+				str = strsep(&params, " ");
+				if (!str)
+					goto err;
+				if (!root_hash_sig_key_desc)
+					root_hash_sig_key_desc = strdup(str);
+				i++;
+				if (vp)
+					vp->flags |= CRYPT_VERITY_ROOT_HASH_SIGNATURE;
 			} else /* unknown option */
 				goto err;
 		}
@@ -2165,11 +2222,15 @@
 		vp->salt = salt;
 	if (vp && fec_dev_str)
 		vp->fec_device = fec_dev_str;
+	if (root_hash_sig_key_desc)
+		tgt->u.verity.root_hash_sig_key_desc = root_hash_sig_key_desc;
+
 	return 0;
 err:
 	device_free(cd, data_device);
 	device_free(cd, hash_device);
 	device_free(cd, fec_device);
+	free(root_hash_sig_key_desc);
 	free(root_hash);
 	free(hash_name);
 	free(salt);
@@ -2334,6 +2395,8 @@
 				}
 			} else if (!strcmp(arg, "recalculate")) {
 				*act_flags |= CRYPT_ACTIVATE_RECALCULATE;
+			} else if (!strcmp(arg, "fix_padding")) {
+				tgt->u.integrity.fix_padding = true;
 			} else /* unknown option */
 				goto err;
 		}
@@ -2416,6 +2479,14 @@
 	return 0;
 }
 
+static int _dm_target_query_zero(struct crypt_device *cd, struct dm_target *tgt)
+{
+	tgt->type = DM_ZERO;
+	tgt->direction = TARGET_QUERY;
+
+	return 0;
+}
+
 /*
  * on error retval has to be negative
  *
@@ -2437,6 +2508,8 @@
 		r = _dm_target_query_linear(cd, tgt, get_flags, params);
 	else if (!strcmp(target_type, DM_ERROR_TARGET))
 		r = _dm_target_query_error(cd, tgt);
+	else if (!strcmp(target_type, DM_ZERO_TARGET))
+		r = _dm_target_query_zero(cd, tgt);
 
 	if (!r) {
 		tgt->offset = *start;
@@ -2519,6 +2592,9 @@
 	if (dmi.read_only)
 		dmd->flags |= CRYPT_ACTIVATE_READONLY;
 
+	if (dmi.suspended)
+		dmd->flags |= CRYPT_ACTIVATE_SUSPENDED;
+
 	tmp_uuid = dm_task_get_uuid(dmt);
 	if (!tmp_uuid)
 		dmd->flags |= CRYPT_ACTIVATE_NO_UUID;
@@ -2566,6 +2642,7 @@
 
 static int _process_deps(struct crypt_device *cd, const char *prefix, struct dm_deps *deps, char **names, size_t names_offset, size_t names_length)
 {
+#if HAVE_DECL_DM_DEVICE_GET_NAME
 	struct crypt_dm_active_device dmd;
 	char dmname[PATH_MAX];
 	unsigned i;
@@ -2604,6 +2681,9 @@
 	}
 
 	return count;
+#else
+	return -EINVAL;
+#endif
 }
 
 int dm_device_deps(struct crypt_device *cd, const char *name, const char *prefix, char **names, size_t names_length)
@@ -2841,8 +2921,8 @@
 
 int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct device *hash_device, struct device *fec_device,
-	const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
-	uint64_t hash_blocks, struct crypt_params_verity *vp)
+	const char *root_hash, uint32_t root_hash_size, const char *root_hash_sig_key_desc,
+	uint64_t hash_offset_block, uint64_t hash_blocks, struct crypt_params_verity *vp)
 {
 	if (!data_device || !hash_device || !vp)
 		return -EINVAL;
@@ -2857,6 +2937,7 @@
 	tgt->u.verity.fec_device = fec_device;
 	tgt->u.verity.root_hash = root_hash;
 	tgt->u.verity.root_hash_size = root_hash_size;
+	tgt->u.verity.root_hash_sig_key_desc = root_hash_sig_key_desc;
 	tgt->u.verity.hash_offset = hash_offset_block;
 	tgt->u.verity.fec_offset = vp->fec_area_offset / vp->hash_block_size;
 	tgt->u.verity.hash_blocks = hash_blocks;
@@ -2865,16 +2946,21 @@
 	return 0;
 }
 
-int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+int dm_integrity_target_set(struct crypt_device *cd,
+			struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 			struct device *meta_device,
 		        struct device *data_device, uint64_t tag_size, uint64_t offset,
 			uint32_t sector_size, struct volume_key *vk,
 			struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
 			const struct crypt_params_integrity *ip)
 {
+	uint32_t dmi_flags;
+
 	if (!data_device)
 		return -EINVAL;
 
+	_dm_check_versions(cd, DM_INTEGRITY);
+
 	tgt->type = DM_INTEGRITY;
 	tgt->direction = TARGET_SET;
 	tgt->offset = seg_offset;
@@ -2890,6 +2976,11 @@
 	tgt->u.integrity.journal_crypt_key = journal_crypt_key;
 	tgt->u.integrity.journal_integrity_key = journal_mac_key;
 
+	if (!dm_flags(cd, DM_INTEGRITY, &dmi_flags) &&
+	    (dmi_flags & DM_INTEGRITY_FIX_PADDING_SUPPORTED) &&
+	    !(crypt_get_compatibility(cd) & CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING))
+		tgt->u.integrity.fix_padding = true;
+
 	if (ip) {
 		tgt->u.integrity.journal_size = ip->journal_size;
 		tgt->u.integrity.journal_watermark = ip->journal_watermark;
@@ -2920,3 +3011,13 @@
 
 	return 0;
 }
+
+int dm_zero_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size)
+{
+	tgt->type = DM_ZERO;
+	tgt->direction = TARGET_SET;
+	tgt->offset = seg_offset;
+	tgt->size = seg_size;
+
+	return 0;
+}
diff -Nru cryptsetup-2.2.2/lib/loopaes/loopaes.c cryptsetup-2.3.1/lib/loopaes/loopaes.c
--- cryptsetup-2.2.2/lib/loopaes/loopaes.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/loopaes/loopaes.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * loop-AES compatible volume handling
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2019 Milan Broz
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -81,7 +81,7 @@
 	const char *hash_name;
 	char tweak, *key_ptr;
 	unsigned int i;
-	int r;
+	int r = 0;
 
 	hash_name = hash_override ?: get_hash(key_len_output);
 	tweak = get_tweak(keys_count);
@@ -242,7 +242,7 @@
 
 	if (r < 0 && !dm_flags(cd, DM_CRYPT, &dmc_flags) &&
 	    (dmc_flags & req_flags) != req_flags) {
-		log_err(cd, _("Kernel doesn't support loop-AES compatible mapping."));
+		log_err(cd, _("Kernel does not support loop-AES compatible mapping."));
 		r = -ENOTSUP;
 	}
 
diff -Nru cryptsetup-2.2.2/lib/loopaes/loopaes.h cryptsetup-2.3.1/lib/loopaes/loopaes.h
--- cryptsetup-2.2.2/lib/loopaes/loopaes.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/loopaes/loopaes.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * loop-AES compatible volume handling
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2011-2019 Milan Broz
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/luks1/af.c cryptsetup-2.3.1/lib/luks1/af.c
--- cryptsetup-2.2.2/lib/luks1/af.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks1/af.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
  *
  * AFsplitter diffuses information over a large stripe of data,
  * therefore supporting secure data destruction.
diff -Nru cryptsetup-2.2.2/lib/luks1/af.h cryptsetup-2.3.1/lib/luks1/af.h
--- cryptsetup-2.2.2/lib/luks1/af.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks1/af.h	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
  *
  * AFsplitter diffuses information over a large stripe of data,
  * therefore supporting secure data destruction.
diff -Nru cryptsetup-2.2.2/lib/luks1/keyencryption.c cryptsetup-2.3.1/lib/luks1/keyencryption.c
--- cryptsetup-2.2.2/lib/luks1/keyencryption.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks1/keyencryption.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,8 +2,8 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -22,7 +22,6 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
 #include "luks.h"
@@ -89,7 +88,7 @@
 	r = device_block_adjust(ctx, crypt_metadata_device(ctx), DEV_OK,
 				sector, &dmd.size, &dmd.flags);
 	if (r < 0) {
-		log_err(ctx, _("Device %s doesn't exist or access denied."),
+		log_err(ctx, _("Device %s does not exist or access denied."),
 			device_path(crypt_metadata_device(ctx)));
 		return -EIO;
 	}
diff -Nru cryptsetup-2.2.2/lib/luks1/keymanage.c cryptsetup-2.3.1/lib/luks1/keymanage.c
--- cryptsetup-2.2.2/lib/luks1/keymanage.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks1/keymanage.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,8 +2,8 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2013-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -23,7 +23,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <netinet/in.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <unistd.h>
 #include <stdio.h>
@@ -260,7 +259,7 @@
 
 	r = 0;
 out:
-	crypt_memzero(&hdr, sizeof(hdr));
+	crypt_safe_memzero(&hdr, sizeof(hdr));
 	crypt_safe_free(buffer);
 	return r;
 }
@@ -284,7 +283,7 @@
 		buffer_size = LUKS_device_sectors(&hdr_file) << SECTOR_SHIFT;
 
 	if (r || buffer_size < LUKS_ALIGN_KEYSLOTS) {
-		log_err(ctx, _("Backup file doesn't contain valid LUKS header."));
+		log_err(ctx, _("Backup file does not contain valid LUKS header."));
 		r = -EINVAL;
 		goto out;
 	}
@@ -453,7 +452,7 @@
 	if (r)
 		log_err(ctx, _("Repair failed."));
 	crypt_free_volume_key(vk);
-	crypt_memzero(&temp_phdr, sizeof(temp_phdr));
+	crypt_safe_memzero(&temp_phdr, sizeof(temp_phdr));
 	return r;
 }
 
@@ -692,7 +691,7 @@
 		r = LUKS_decrypt_from_storage(buf, sizeof(buf), cipher, cipher_mode, empty_key, 0, ctx);
 
 	crypt_free_volume_key(empty_key);
-	crypt_memzero(buf, sizeof(buf));
+	crypt_safe_memzero(buf, sizeof(buf));
 	return r;
 }
 
@@ -787,10 +786,15 @@
 		return r;
 	assert(pbkdf->iterations);
 
-	PBKDF2_temp = (double)pbkdf->iterations * LUKS_MKD_ITERATIONS_MS / pbkdf->time_ms;
+	if (pbkdf->flags & CRYPT_PBKDF_NO_BENCHMARK && pbkdf->time_ms == 0)
+		PBKDF2_temp = LUKS_MKD_ITERATIONS_MIN;
+	else	/* iterations per ms * LUKS_MKD_ITERATIONS_MS */
+		PBKDF2_temp = (double)pbkdf->iterations * LUKS_MKD_ITERATIONS_MS / pbkdf->time_ms;
+
 	if (PBKDF2_temp > (double)UINT32_MAX)
 		return -EINVAL;
 	header->mkDigestIterations = at_least((uint32_t)PBKDF2_temp, LUKS_MKD_ITERATIONS_MIN);
+	assert(header->mkDigestIterations);
 
 	r = crypt_pbkdf(CRYPT_KDF_PBKDF2, header->hashSpec, vk->key,vk->keylength,
 			header->mkDigestSalt, LUKS_SALTSIZE,
@@ -982,8 +986,10 @@
 			hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
 			derived_key->key, hdr->keyBytes,
 			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
-	if (r < 0)
+	if (r < 0) {
+		log_err(ctx, _("Cannot open keyslot (using hash %s)."), hdr->hashSpec);
 		goto out;
+	}
 
 	log_dbg(ctx, "Reading key slot %d area.", keyIndex);
 	r = LUKS_decrypt_from_storage(AfKey,
@@ -1224,7 +1230,7 @@
 
 int LUKS_keyslot_pbkdf(struct luks_phdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf)
 {
-	if (keyslot >= LUKS_NUMKEYS || keyslot < 0)
+	if (LUKS_keyslot_info(hdr, keyslot) < CRYPT_SLOT_ACTIVE)
 		return -EINVAL;
 
 	pbkdf->type = CRYPT_KDF_PBKDF2;
diff -Nru cryptsetup-2.2.2/lib/luks1/luks.h cryptsetup-2.3.1/lib/luks1/luks.h
--- cryptsetup-2.2.2/lib/luks1/luks.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks1/luks.h	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_digest.c cryptsetup-2.3.1/lib/luks2/luks2_digest.c
--- cryptsetup-2.2.2/lib/luks2/luks2_digest.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_digest.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, digest handling
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_digest_pbkdf2.c cryptsetup-2.3.1/lib/luks2/luks2_digest_pbkdf2.c
--- cryptsetup-2.2.2/lib/luks2/luks2_digest_pbkdf2.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_digest_pbkdf2.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, PBKDF2 digest handler (LUKS1 compatible)
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_disk_metadata.c cryptsetup-2.3.1/lib/luks2/luks2_disk_metadata.c
--- cryptsetup-2.2.2/lib/luks2/luks2_disk_metadata.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_disk_metadata.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -210,7 +210,7 @@
 	}
 
 	if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
-		log_dbg(cd, "LUKS2 offset 0x%04x in secondary header doesn't match size 0x%04x.",
+		log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
 			(unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
 		return -EINVAL;
 	}
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2.h cryptsetup-2.3.1/lib/luks2/luks2.h
--- cryptsetup-2.2.2/lib/luks2/luks2.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -600,7 +600,8 @@
 crypt_reencrypt_info LUKS2_reencrypt_status(struct crypt_device *cd,
 	struct crypt_params_reencrypt *params);
 
-int crypt_reencrypt_lock(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock);
+int crypt_reencrypt_lock(struct crypt_device *cd, struct crypt_lock_handle **reencrypt_lock);
+int crypt_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid, struct crypt_lock_handle **reencrypt_lock);
 void crypt_reencrypt_unlock(struct crypt_device *cd, struct crypt_lock_handle *reencrypt_lock);
 
 int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic);
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_internal.h cryptsetup-2.3.1/lib/luks2/luks2_internal.h
--- cryptsetup-2.2.2/lib/luks2/luks2_internal.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_internal.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -23,7 +23,6 @@
 #define _CRYPTSETUP_LUKS2_INTERNAL_H
 
 #include <stdio.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <json-c/json.h>
 
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_json_format.c cryptsetup-2.3.1/lib/luks2/luks2_json_format.c
--- cryptsetup-2.2.2/lib/luks2/luks2_json_format.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_json_format.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 header format code
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_json_metadata.c cryptsetup-2.3.1/lib/luks2/luks2_json_metadata.c
--- cryptsetup-2.2.2/lib/luks2/luks2_json_metadata.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_json_metadata.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
- * Copyright (C) 2015-2019 Ondrej Kozina
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
+ * Copyright (C) 2015-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -45,11 +45,11 @@
 				 &buf, &buf_len))
 		return;
 
-	for (i = 0; i < buf_len / 2; i++)
-		log_std(cd, "%02hhx%s", buf[i], sep);
-	log_std(cd, "\n\t%s", line_sep);
-	for (i = buf_len / 2; i < buf_len; i++)
+	for (i = 0; i < buf_len; i++) {
+		if (i && !(i % 16))
+			log_std(cd, "\n\t%s", line_sep);
 		log_std(cd, "%02hhx%s", buf[i], sep);
+	}
 	log_std(cd, "\n");
 	free(buf);
 }
@@ -459,12 +459,12 @@
 	json_size = (uint64_t)strlen(json);
 
 	if (hdr_json_size != json_area_size) {
-		log_dbg(cd, "JSON area size doesn't match value in binary header.");
+		log_dbg(cd, "JSON area size does not match value in binary header.");
 		return 1;
 	}
 
 	if (json_size > json_area_size) {
-		log_dbg(cd, "JSON doesn't fit in the designated area.");
+		log_dbg(cd, "JSON does not fit in the designated area.");
 		return 1;
 	}
 
@@ -970,13 +970,16 @@
 	return r;
 }
 
-int LUKS2_hdr_write_force(struct crypt_device *cd, struct luks2_hdr *hdr)
+static int hdr_cleanup_and_validate(struct crypt_device *cd, struct luks2_hdr *hdr)
 {
-	/* NOTE: is called before LUKS2 validation routines */
-	/* erase unused digests (no assigned keyslot or segment) */
 	LUKS2_digests_erase_unused(cd, hdr);
 
-	if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
+	return LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN);
+}
+
+int LUKS2_hdr_write_force(struct crypt_device *cd, struct luks2_hdr *hdr)
+{
+	if (hdr_cleanup_and_validate(cd, hdr))
 		return -EINVAL;
 
 	return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd), false);
@@ -984,11 +987,7 @@
 
 int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr)
 {
-	/* NOTE: is called before LUKS2 validation routines */
-	/* erase unused digests (no assigned keyslot or segment) */
-	LUKS2_digests_erase_unused(cd, hdr);
-
-	if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
+	if (hdr_cleanup_and_validate(cd, hdr))
 		return -EINVAL;
 
 	return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd), true);
@@ -1159,7 +1158,7 @@
 	device_free(cd, backup_device);
 
 	if (r < 0) {
-		log_err(cd, _("Backup file doesn't contain valid LUKS header."));
+		log_err(cd, _("Backup file does not contain valid LUKS header."));
 		goto out;
 	}
 
@@ -1270,8 +1269,8 @@
 	LUKS2_hdr_free(cd, hdr);
 	LUKS2_hdr_free(cd, &hdr_file);
 	LUKS2_hdr_free(cd, &tmp_hdr);
-	crypt_memzero(&hdr_file, sizeof(hdr_file));
-	crypt_memzero(&tmp_hdr, sizeof(tmp_hdr));
+	crypt_safe_memzero(&hdr_file, sizeof(hdr_file));
+	crypt_safe_memzero(&tmp_hdr, sizeof(tmp_hdr));
 	crypt_safe_free(buffer);
 
 	device_sync(cd, device);
@@ -2157,7 +2156,7 @@
 			return -EINVAL;
 		}
 
-		r = INTEGRITY_create_dmd_device(cd, NULL, NULL, NULL, NULL, &dmdi, dmd.flags);
+		r = INTEGRITY_create_dmd_device(cd, NULL, NULL, NULL, NULL, &dmdi, dmd.flags, 0);
 		if (r)
 			return r;
 
@@ -2205,24 +2204,19 @@
 	struct dm_target *tgt;
 	crypt_status_info ci;
 	struct crypt_dm_active_device dmdc;
-	char **dep, uuid[37], deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = { 0 };
+	char **dep, deps_uuid_prefix[40], *deps[MAX_DM_DEPS+1] = { 0 };
 	const char *namei = NULL;
 	struct crypt_lock_handle *reencrypt_lock = NULL;
 
-	if (!dmd || !dmd->uuid)
+	if (!dmd || !dmd->uuid || strncmp(CRYPT_LUKS2, dmd->uuid, sizeof(CRYPT_LUKS2)-1))
 		return -EINVAL;
 
-	r = snprintf(deps_uuid_prefix, sizeof(deps_uuid_prefix), CRYPT_SUBDEV "-%.32s", dmd->uuid + 6);
-	if (r < 0 || (size_t)r != (sizeof(deps_uuid_prefix) - 1))
-		return -EINVAL;
-
-	r = snprintf(uuid, sizeof(uuid), "%.8s-%.4s-%.4s-%.4s-%.12s",
-		 dmd->uuid + 6, dmd->uuid + 14, dmd->uuid + 18, dmd->uuid + 22, dmd->uuid + 26);
-	if (r < 0 || (size_t)r != (sizeof(uuid) - 1))
+	/* uuid mismatch with metadata (if available) */
+	if (hdr && crypt_uuid_cmp(dmd->uuid, hdr->uuid))
 		return -EINVAL;
 
-	/* uuid mismatch with metadata (if available) */
-	if (hdr && strcmp(hdr->uuid, uuid))
+	r = snprintf(deps_uuid_prefix, sizeof(deps_uuid_prefix), CRYPT_SUBDEV "-%.32s", dmd->uuid + 6);
+	if (r < 0 || (size_t)r != (sizeof(deps_uuid_prefix) - 1))
 		return -EINVAL;
 
 	tgt = &dmd->segment;
@@ -2236,7 +2230,7 @@
 		goto out;
 
 	if (contains_reencryption_helper(deps)) {
-		r = crypt_reencrypt_lock(cd, uuid, &reencrypt_lock);
+		r = crypt_reencrypt_lock_by_dm_uuid(cd, dmd->uuid, &reencrypt_lock);
 		if (r) {
 			if (r == -EBUSY)
 				log_err(cd, _("Reencryption in-progress. Cannot deactivate device."));
@@ -2345,9 +2339,9 @@
 	reqs &= ~reqs_mask;
 
 	if (reqs_reencrypt(reqs) && !quiet)
-		log_err(cd, _("Offline reencryption in progress. Aborting."));
+		log_err(cd, _("Operation incompatible with device marked for legacy reencryption. Aborting."));
 	if (reqs_reencrypt_online(reqs) && !quiet)
-		log_err(cd, _("Online reencryption in progress. Aborting."));
+		log_err(cd, _("Operation incompatible with device marked for LUKS2 reencryption. Aborting."));
 
 	/* any remaining unmasked requirement fails the check */
 	return reqs ? -EINVAL : 0;
@@ -2400,7 +2394,7 @@
 #endif
 }
 
-/* jobj_dst must contain pointer initialised to NULL (see json-c json_object_deep_copy API) */
+/* jobj_dst must contain pointer initialized to NULL (see json-c json_object_deep_copy API) */
 int json_object_copy(json_object *jobj_src, json_object **jobj_dst)
 {
 	if (!jobj_src || !jobj_dst || *jobj_dst)
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_keyslot.c cryptsetup-2.3.1/lib/luks2/luks2_keyslot.c
--- cryptsetup-2.2.2/lib/luks2/luks2_keyslot.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_keyslot.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, keyslot handling
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -79,19 +79,18 @@
 /* Check if a keyslot is assigned to specific segment */
 static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
 {
-	int keyslot_digest, segment_digest, s, count = 0;
+	int keyslot_digest, count = 0;
+	unsigned s;
 
 	keyslot_digest = LUKS2_digest_by_keyslot(hdr, keyslot);
 	if (keyslot_digest < 0)
 		return keyslot_digest;
 
-	if (segment >= 0) {
-		segment_digest = LUKS2_digest_by_segment(hdr, segment);
-		return segment_digest == keyslot_digest;
-	}
-	for (s = 0; s < 3; s++) {
-		segment_digest = LUKS2_digest_by_segment(hdr, s);
-		if (segment_digest == keyslot_digest)
+	if (segment >= 0)
+		return keyslot_digest == LUKS2_digest_by_segment(hdr, segment);
+
+	for (s = 0; s < json_segments_count(LUKS2_get_segments_jobj(hdr)); s++) {
+		if (keyslot_digest == LUKS2_digest_by_segment(hdr, s))
 			count++;
 	}
 
@@ -310,28 +309,16 @@
 	return 0;
 }
 
-static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
+static int _open_and_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
+	const keyslot_handler *h,
 	int keyslot,
-	int digest,
 	const char *password,
 	size_t password_len,
 	struct volume_key **vk)
 {
-	const keyslot_handler *h;
-	int key_size, r;
+	int r, key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
 
-	if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
-		return -ENOENT;
-
-	r = _keyslot_for_digest(hdr, keyslot, digest);
-	if (r) {
-		if (r == -ENOENT)
-			log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
-		return r;
-	}
-
-	key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
 	if (key_size < 0)
 		return -EINVAL;
 
@@ -350,19 +337,21 @@
 		*vk = NULL;
 	}
 
+	crypt_volume_key_set_id(*vk, r);
+
 	return r < 0 ? r : keyslot;
 }
 
-static int LUKS2_open_and_verify(struct crypt_device *cd,
+static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
-	int segment,
+	int digest,
 	const char *password,
 	size_t password_len,
 	struct volume_key **vk)
 {
 	const keyslot_handler *h;
-	int key_size, r;
+	int r;
 
 	if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
 		return -ENOENT;
@@ -373,36 +362,44 @@
 		return r;
 	}
 
-	r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
+	r = _keyslot_for_digest(hdr, keyslot, digest);
 	if (r) {
 		if (r == -ENOENT)
-			log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment);
+			log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
 		return r;
 	}
 
-	key_size = LUKS2_get_volume_key_size(hdr, segment);
-	if (key_size < 0)
-		key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
-	if (key_size < 0)
-		return -EINVAL;
+	return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
+}
 
-	*vk = crypt_alloc_volume_key(key_size, NULL);
-	if (!*vk)
-		return -ENOMEM;
+static int LUKS2_open_and_verify(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	int keyslot,
+	int segment,
+	const char *password,
+	size_t password_len,
+	struct volume_key **vk)
+{
+	const keyslot_handler *h;
+	int r;
 
-	r = h->open(cd, keyslot, password, password_len, (*vk)->key, (*vk)->keylength);
-	if (r < 0)
-		log_dbg(cd, "Keyslot %d (%s) open failed with %d.", keyslot, h->name, r);
-	else
-		r = LUKS2_digest_verify(cd, hdr, *vk, keyslot);
+	if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
+		return -ENOENT;
 
-	if (r < 0) {
-		crypt_free_volume_key(*vk);
-		*vk = NULL;
-	} else
-		crypt_volume_key_set_id(*vk, r);
+	r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
+	if (r) {
+		log_dbg(cd, "Keyslot %d validation failed.", keyslot);
+		return r;
+	}
 
-	return r < 0 ? r : keyslot;
+	r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
+	if (r) {
+		if (r == -ENOENT)
+			log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment);
+		return r;
+	}
+
+	return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
 }
 
 static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
@@ -520,7 +517,7 @@
 	size_t password_len,
 	struct volume_key **vks)
 {
-	struct volume_key *vk;
+	struct volume_key *vk = NULL;
 	int digest_old, digest_new, r = -EINVAL;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 
@@ -530,7 +527,6 @@
 		r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_old, digest_old, password, password_len, &vk);
 		if (r < 0)
 			goto out;
-		crypt_volume_key_set_id(vk, digest_old);
 		crypt_volume_key_add_next(vks, vk);
 	}
 
@@ -540,7 +536,6 @@
 		r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_new, digest_new, password, password_len, &vk);
 		if (r < 0)
 			goto out;
-		crypt_volume_key_set_id(vk, digest_new);
 		crypt_volume_key_add_next(vks, vk);
 	}
 out:
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_keyslot_luks2.c cryptsetup-2.3.1/lib/luks2/luks2_keyslot_luks2.c
--- cryptsetup-2.2.2/lib/luks2/luks2_keyslot_luks2.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_keyslot_luks2.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_keyslot_reenc.c cryptsetup-2.3.1/lib/luks2/luks2_keyslot_reenc.c
--- cryptsetup-2.2.2/lib/luks2/luks2_keyslot_reenc.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_keyslot_reenc.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler
  *
- * Copyright (C) 2016-2018, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2018, Ondrej Kozina
+ * Copyright (C) 2016-2020, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020, Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_luks1_convert.c cryptsetup-2.3.1/lib/luks2/luks2_luks1_convert.c
--- cryptsetup-2.2.2/lib/luks2/luks2_luks1_convert.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_luks1_convert.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS1 conversion code
  *
- * Copyright (C) 2015-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019 Ondrej Kozina
- * Copyright (C) 2015-2019 Milan Broz
+ * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Ondrej Kozina
+ * Copyright (C) 2015-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -402,6 +402,7 @@
 
 	json_size = LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN;
 	json_object_object_add(field, "json_size", json_object_new_uint64(json_size));
+	keyslots_size -= (keyslots_size % 4096);
 	json_object_object_add(field, "keyslots_size", json_object_new_uint64(keyslots_size));
 
 	*luks1_object = luks1_obj;
@@ -466,7 +467,7 @@
 	r = 0;
 out:
 	device_sync(cd, device);
-	crypt_memzero(buf, buf_size);
+	crypt_safe_memzero(buf, buf_size);
 	free(buf);
 
 	return r;
@@ -577,6 +578,12 @@
 		goto out;
 	}
 
+	/* check future LUKS2 metadata before moving keyslots area */
+	if (LUKS2_hdr_validate(cd, hdr2->jobj, hdr2->hdr_size - LUKS2_HDR_BIN_LEN)) {
+		r = -EINVAL;
+		goto out;
+	}
+
 	if ((r = luks_header_in_use(cd))) {
 		if (r > 0)
 			r = -EBUSY;
@@ -586,6 +593,14 @@
 	// move keyslots 4k -> 32k offset
 	buf_offset = 2 * LUKS2_HDR_16K_LEN;
 	buf_size   = luks1_size - LUKS_ALIGN_KEYSLOTS;
+
+	/* check future LUKS2 keyslots area is at least as large as LUKS1 keyslots area */
+	if (buf_size > LUKS2_keyslots_size(hdr2->jobj)) {
+		log_err(cd, _("Unable to move keyslot area. LUKS2 keyslots area too small."));
+		r = -EINVAL;
+		goto out;
+	}
+
 	if ((r = move_keyslot_areas(cd, 8 * SECTOR_SIZE, buf_offset, buf_size)) < 0) {
 		log_err(cd, _("Unable to move keyslot area."));
 		goto out;
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_reencrypt.c cryptsetup-2.3.1/lib/luks2/luks2_reencrypt.c
--- cryptsetup-2.2.2/lib/luks2/luks2_reencrypt.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_reencrypt.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption helpers
  *
- * Copyright (C) 2015-2019, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2015-2019, Ondrej Kozina
+ * Copyright (C) 2015-2020, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2015-2020, Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -1401,12 +1401,12 @@
 			log_dbg(cd, "Failed to read journaled data.");
 			r = -EIO;
 			/* may content plaintext */
-			crypt_memzero(data_buffer, rh->length);
+			crypt_safe_memzero(data_buffer, rh->length);
 			goto out;
 		}
 		read = crypt_storage_wrapper_encrypt_write(cw2, 0, data_buffer, rh->length);
 		/* may content plaintext */
-		crypt_memzero(data_buffer, rh->length);
+		crypt_safe_memzero(data_buffer, rh->length);
 		if (read < 0 || (size_t)read != rh->length) {
 			log_dbg(cd, "recovery write failed.");
 			r = -EINVAL;
@@ -1436,13 +1436,13 @@
 			log_dbg(cd, "Failed to read data.");
 			r = -EIO;
 			/* may content plaintext */
-			crypt_memzero(data_buffer, rh->length);
+			crypt_safe_memzero(data_buffer, rh->length);
 			goto out;
 		}
 
 		read = crypt_storage_wrapper_encrypt_write(cw2, 0, data_buffer, rh->length);
 		/* may content plaintext */
-		crypt_memzero(data_buffer, rh->length);
+		crypt_safe_memzero(data_buffer, rh->length);
 		if (read < 0 || (size_t)read != rh->length) {
 			log_dbg(cd, "recovery write failed.");
 			r = -EINVAL;
@@ -2531,7 +2531,7 @@
 	else if (ri == CRYPT_REENCRYPT_CRASH)
 		r = reencrypt_load_crashed(cd, hdr, device_size, &tmp);
 	else if (ri == CRYPT_REENCRYPT_NONE) {
-		log_err(cd, _("No LUKS2 reencryption in progress."));
+		log_err(cd, _("Device not marked for LUKS2 reencryption."));
 		return -EINVAL;
 	} else
 		r = -EINVAL;
@@ -2546,21 +2546,10 @@
 	return 0;
 }
 
-/* internal only */
-int crypt_reencrypt_lock(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock)
+static int reencrypt_lock_internal(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock)
 {
 	int r;
 	char *lock_resource;
-	const char *tmp = crypt_get_uuid(cd);
-
-	if (!tmp && !uuid)
-		return -EINVAL;
-	if (!uuid)
-		uuid = tmp;
-	if (!tmp)
-		 tmp = uuid;
-	if (strcmp(uuid, tmp))
-		return -EINVAL;
 
 	if (!crypt_metadata_locking_enabled()) {
 		*reencrypt_lock = NULL;
@@ -2583,6 +2572,36 @@
 }
 
 /* internal only */
+int crypt_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid, struct crypt_lock_handle **reencrypt_lock)
+{
+	int r;
+	char hdr_uuid[37];
+	const char *uuid = crypt_get_uuid(cd);
+
+	if (!dm_uuid)
+		return -EINVAL;
+
+	if (!uuid) {
+		r = snprintf(hdr_uuid, sizeof(hdr_uuid), "%.8s-%.4s-%.4s-%.4s-%.12s",
+			 dm_uuid + 6, dm_uuid + 14, dm_uuid + 18, dm_uuid + 22, dm_uuid + 26);
+		if (r < 0 || (size_t)r != (sizeof(hdr_uuid) - 1))
+			return -EINVAL;
+	} else if (crypt_uuid_cmp(dm_uuid, uuid))
+		return -EINVAL;
+
+	return reencrypt_lock_internal(cd, uuid, reencrypt_lock);
+}
+
+/* internal only */
+int crypt_reencrypt_lock(struct crypt_device *cd, struct crypt_lock_handle **reencrypt_lock)
+{
+	if (!cd || !crypt_get_type(cd) || strcmp(crypt_get_type(cd), CRYPT_LUKS2))
+		return -EINVAL;
+
+	return reencrypt_lock_internal(cd, crypt_get_uuid(cd), reencrypt_lock);
+}
+
+/* internal only */
 void crypt_reencrypt_unlock(struct crypt_device *cd, struct crypt_lock_handle *reencrypt_lock)
 {
 	crypt_unlock_internal(cd, reencrypt_lock);
@@ -2605,7 +2624,7 @@
 		return -EINVAL;
 	}
 
-	r = crypt_reencrypt_lock(cd, NULL, &h);
+	r = crypt_reencrypt_lock(cd, &h);
 	if (r < 0) {
 		if (r == -EBUSY)
 			log_err(cd, _("Reencryption process is already running."));
@@ -2809,7 +2828,7 @@
 	crypt_reencrypt_info ri;
 	struct crypt_lock_handle *reencrypt_lock;
 
-	r = crypt_reencrypt_lock(cd, NULL, &reencrypt_lock);
+	r = crypt_reencrypt_lock(cd, &reencrypt_lock);
 	if (r) {
 		if (r == -EBUSY)
 			log_err(cd, _("Reencryption in-progress. Cannot perform recovery."));
@@ -2936,7 +2955,7 @@
 
 	r = reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params);
 
-	crypt_memzero(passphrase, passphrase_size);
+	crypt_safe_memzero(passphrase, passphrase_size);
 	free(passphrase);
 
 	return r;
@@ -3386,7 +3405,7 @@
 		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 		if (r < 0)
 			goto err;
-		vk = vk->next;
+		vk = crypt_volume_key_next(vk);
 	}
 
 	if (luks2_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_segment.c cryptsetup-2.3.1/lib/luks2/luks2_segment.c
--- cryptsetup-2.2.2/lib/luks2/luks2_segment.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_segment.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, internal segment handling
  *
- * Copyright (C) 2018-2019, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2019, Ondrej Kozina
+ * Copyright (C) 2018-2020, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020, Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_token.c cryptsetup-2.3.1/lib/luks2/luks2_token.c
--- cryptsetup-2.2.2/lib/luks2/luks2_token.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_token.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, token handling
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Milan Broz
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -332,7 +332,7 @@
 	if (h->buffer_free)
 		h->buffer_free(buffer, buffer_len);
 	else {
-		crypt_memzero(buffer, buffer_len);
+		crypt_safe_memzero(buffer, buffer_len);
 		free(buffer);
 	}
 }
diff -Nru cryptsetup-2.2.2/lib/luks2/luks2_token_keyring.c cryptsetup-2.3.1/lib/luks2/luks2_token_keyring.c
--- cryptsetup-2.2.2/lib/luks2/luks2_token_keyring.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/luks2/luks2_token_keyring.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * LUKS - Linux Unified Key Setup v2, kernel keyring token
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/Makemodule.am cryptsetup-2.3.1/lib/Makemodule.am
--- cryptsetup-2.2.2/lib/Makemodule.am	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/Makemodule.am	2020-03-12 08:39:20.000000000 +0000
@@ -22,7 +22,8 @@
 	-I $(top_srcdir)/lib/loopaes		\
 	-I $(top_srcdir)/lib/verity		\
 	-I $(top_srcdir)/lib/tcrypt		\
-	-I $(top_srcdir)/lib/integrity
+	-I $(top_srcdir)/lib/integrity		\
+	-I $(top_srcdir)/lib/bitlk
 
 libcryptsetup_la_DEPENDENCIES = libutils_io.la libcrypto_backend.la lib/libcryptsetup.sym
 
@@ -39,6 +40,7 @@
 	@LIBARGON2_LIBS@	\
 	@JSON_C_LIBS@		\
 	@BLKID_LIBS@		\
+	$(LTLIBICONV)		\
 	libcrypto_backend.la	\
 	libutils_io.la
 
@@ -64,6 +66,7 @@
 	lib/utils_device_locking.c	\
 	lib/utils_device_locking.h	\
 	lib/utils_pbkdf.c		\
+	lib/utils_safe_memory.c		\
 	lib/utils_storage_wrappers.c	\
 	lib/utils_storage_wrappers.h	\
 	lib/libdevmapper.c		\
@@ -74,7 +77,7 @@
 	lib/base64.h			\
 	lib/base64.c			\
 	lib/integrity/integrity.h	\
-	lib/integrity/integrity.c       \
+	lib/integrity/integrity.c	\
 	lib/loopaes/loopaes.h		\
 	lib/loopaes/loopaes.c		\
 	lib/tcrypt/tcrypt.h		\
@@ -90,7 +93,7 @@
 	lib/verity/verity.h		\
 	lib/verity/rs_encode_char.c	\
 	lib/verity/rs_decode_char.c	\
-	lib/verity/rs.h                 \
+	lib/verity/rs.h		\
 	lib/luks2/luks2_disk_metadata.c	\
 	lib/luks2/luks2_json_format.c	\
 	lib/luks2/luks2_json_metadata.c	\
@@ -107,4 +110,6 @@
 	lib/luks2/luks2_internal.h	\
 	lib/luks2/luks2.h		\
 	lib/utils_blkid.c		\
-	lib/utils_blkid.h
+	lib/utils_blkid.h		\
+	lib/bitlk/bitlk.h		\
+	lib/bitlk/bitlk.c
diff -Nru cryptsetup-2.2.2/lib/random.c cryptsetup-2.3.1/lib/random.c
--- cryptsetup-2.2.2/lib/random.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/random.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * cryptsetup kernel RNG access functions
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -20,7 +20,6 @@
 
 #include <stdlib.h>
 #include <string.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <assert.h>
 #include <sys/select.h>
@@ -28,10 +27,6 @@
 #include "libcryptsetup.h"
 #include "internal.h"
 
-#ifndef O_CLOEXEC
-#define O_CLOEXEC 0
-#endif
-
 static int random_initialised = 0;
 
 #define URANDOM_DEVICE	"/dev/urandom"
diff -Nru cryptsetup-2.2.2/lib/setup.c cryptsetup-2.3.1/lib/setup.c
--- cryptsetup-2.2.2/lib/setup.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/setup.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -26,7 +26,6 @@
 #include <stdlib.h>
 #include <stdarg.h>
 #include <sys/utsname.h>
-#include <fcntl.h>
 #include <errno.h>
 
 #include "libcryptsetup.h"
@@ -36,6 +35,7 @@
 #include "verity.h"
 #include "tcrypt.h"
 #include "integrity.h"
+#include "bitlk.h"
 #include "utils_device_locking.h"
 #include "internal.h"
 
@@ -50,6 +50,7 @@
 
 	struct volume_key *volume_key;
 	int rng_type;
+	uint32_t compatibility;
 	struct crypt_pbkdf_type pbkdf;
 
 	/* global context scope settings */
@@ -95,7 +96,7 @@
 	} loopaes;
 	struct { /* used in CRYPT_VERITY */
 		struct crypt_params_verity hdr;
-		char *root_hash;
+		const char *root_hash;
 		unsigned int root_hash_size;
 		char *uuid;
 		struct device *fec_device;
@@ -108,7 +109,12 @@
 		struct crypt_params_integrity params;
 		struct volume_key *journal_mac_key;
 		struct volume_key *journal_crypt_key;
+		uint32_t sb_flags;
 	} integrity;
+	struct { /* used in CRYPT_BITLK */
+		struct bitlk_metadata params;
+		char *cipher_spec;
+	} bitlk;
 	struct { /* used if initialized without header by name */
 		char *active_name;
 		/* buffers, must refresh from kernel on every query */
@@ -315,6 +321,11 @@
 	return (type && !strcmp(CRYPT_INTEGRITY, type));
 }
 
+static int isBITLK(const char *type)
+{
+	return (type && !strcmp(CRYPT_BITLK, type));
+}
+
 static int _onlyLUKS(struct crypt_device *cd, uint32_t cdflags)
 {
 	int r = 0;
@@ -572,6 +583,9 @@
 		return -EINVAL;
 
 	log_dbg(NULL, "Allocating context for crypt device %s.", device ?: "(none)");
+#if !HAVE_DECL_O_CLOEXEC
+	log_dbg(NULL, "Running without O_CLOEXEC.");
+#endif
 
 	if (!(h = malloc(sizeof(struct crypt_device))))
 		return -ENOMEM;
@@ -726,9 +740,6 @@
 		free(type);
 		LUKS2_hdr_free(cd, &hdr2);
 	}
-	/* FIXME: why? */
-	crypt_memzero(&hdr2, sizeof(hdr2));
-
 	return r;
 }
 
@@ -763,7 +774,7 @@
 
 	if (isLUKS1(requested_type) || version == 1) {
 		if (cd->type && isLUKS2(cd->type)) {
-			log_dbg(cd, "Context is already initialised to type %s", cd->type);
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
 			return -EINVAL;
 		}
 
@@ -803,7 +814,7 @@
 		memcpy(&cd->u.luks1.hdr, &hdr, sizeof(hdr));
 	} else if (isLUKS2(requested_type) || version == 2 || version == 0) {
 		if (cd->type && isLUKS1(cd->type)) {
-			log_dbg(cd, "Context is already initialised to type %s", cd->type);
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
 			return -EINVAL;
 		}
 
@@ -822,7 +833,7 @@
 		r = -EINVAL;
 	}
 out:
-	crypt_memzero(&hdr, sizeof(hdr));
+	crypt_safe_memzero(&hdr, sizeof(hdr));
 
 	return r;
 }
@@ -886,7 +897,7 @@
 		free(CONST_CAST(void*)cd->u.verity.hdr.hash_name);
 		free(CONST_CAST(void*)cd->u.verity.hdr.salt);
 		free(cd->u.verity.uuid);
-		crypt_memzero(&cd->u.verity.hdr, sizeof(cd->u.verity.hdr));
+		crypt_safe_memzero(&cd->u.verity.hdr, sizeof(cd->u.verity.hdr));
 		return -ENOMEM;
 	}
 
@@ -922,7 +933,7 @@
 	if (r < 0)
 		return r;
 
-	r = INTEGRITY_read_sb(cd, &cd->u.integrity.params);
+	r = INTEGRITY_read_sb(cd, &cd->u.integrity.params, &cd->u.integrity.sb_flags);
 	if (r < 0)
 		return r;
 
@@ -965,6 +976,31 @@
 	return 0;
 }
 
+static int _crypt_load_bitlk(struct crypt_device *cd,
+			     struct bitlk_metadata *params)
+{
+	int r;
+
+	r = init_crypto(cd);
+	if (r < 0)
+		return r;
+
+	r = BITLK_read_sb(cd, &cd->u.bitlk.params);
+	if (r < 0)
+		return r;
+
+	if (asprintf(&cd->u.bitlk.cipher_spec, "%s-%s",
+		     cd->u.bitlk.params.cipher, cd->u.bitlk.params.cipher_mode) < 0) {
+		cd->u.bitlk.cipher_spec = NULL;
+		return -ENOMEM;
+	}
+
+	if (!cd->type && !(cd->type = strdup(CRYPT_BITLK)))
+		return -ENOMEM;
+
+	return 0;
+}
+
 int crypt_load(struct crypt_device *cd,
 	       const char *requested_type,
 	       void *params)
@@ -987,29 +1023,35 @@
 
 	if (!requested_type || isLUKS1(requested_type) || isLUKS2(requested_type)) {
 		if (cd->type && !isLUKS1(cd->type) && !isLUKS2(cd->type)) {
-			log_dbg(cd, "Context is already initialised to type %s", cd->type);
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
 			return -EINVAL;
 		}
 
 		r = _crypt_load_luks(cd, requested_type, 1, 0);
 	} else if (isVERITY(requested_type)) {
 		if (cd->type && !isVERITY(cd->type)) {
-			log_dbg(cd, "Context is already initialised to type %s", cd->type);
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
 			return -EINVAL;
 		}
 		r = _crypt_load_verity(cd, params);
 	} else if (isTCRYPT(requested_type)) {
 		if (cd->type && !isTCRYPT(cd->type)) {
-			log_dbg(cd, "Context is already initialised to type %s", cd->type);
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
 			return -EINVAL;
 		}
 		r = _crypt_load_tcrypt(cd, params);
 	} else if (isINTEGRITY(requested_type)) {
 		if (cd->type && !isINTEGRITY(cd->type)) {
-			log_dbg(cd, "Context is already initialised to type %s", cd->type);
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
 			return -EINVAL;
 		}
 		r = _crypt_load_integrity(cd, params);
+	} else if (isBITLK(requested_type)) {
+		if (cd->type && !isBITLK(cd->type)) {
+			log_dbg(cd, "Context is already initialized to type %s", cd->type);
+			return -EINVAL;
+		}
+		r = _crypt_load_bitlk(cd, params);
 	} else
 		return -EINVAL;
 
@@ -1086,7 +1128,7 @@
 		free(CONST_CAST(void*)cd->u.verity.hdr.hash_device);
 		free(CONST_CAST(void*)cd->u.verity.hdr.fec_device);
 		free(CONST_CAST(void*)cd->u.verity.hdr.salt);
-		free(cd->u.verity.root_hash);
+		free(CONST_CAST(void*)cd->u.verity.root_hash);
 		free(cd->u.verity.uuid);
 		device_free(cd, cd->u.verity.fec_device);
 	} else if (isINTEGRITY(cd->type)) {
@@ -1095,6 +1137,9 @@
 		free(CONST_CAST(void*)cd->u.integrity.params.journal_crypt);
 		crypt_free_volume_key(cd->u.integrity.journal_crypt_key);
 		crypt_free_volume_key(cd->u.integrity.journal_mac_key);
+	} else if (isBITLK(cd->type)) {
+		free(cd->u.bitlk.cipher_spec);
+		BITLK_bitlk_metadata_free(&cd->u.bitlk.params);
 	} else if (!cd->type) {
 		free(cd->u.none.active_name);
 		cd->u.none.active_name = NULL;
@@ -1247,6 +1292,13 @@
 	} else if (isTCRYPT(cd->type) && single_segment(&dmd) && tgt->type == DM_CRYPT) {
 		r = TCRYPT_init_by_name(cd, name, dmd.uuid, tgt, &cd->device,
 					&cd->u.tcrypt.params, &cd->u.tcrypt.hdr);
+	} else if (isBITLK(cd->type)) {
+		r = _crypt_load_bitlk(cd, NULL);
+		if (r < 0) {
+			log_dbg(cd, "BITLK device header not available.");
+			crypt_set_null_type(cd);
+			r = 0;
+		}
 	}
 out:
 	dm_targets_free(cd, &dmd);
@@ -1269,6 +1321,7 @@
 	r = dm_query_device(cd, name,
 				DM_ACTIVE_DEVICE |
 				DM_ACTIVE_VERITY_HASH_DEVICE |
+				DM_ACTIVE_VERITY_ROOT_HASH |
 				DM_ACTIVE_VERITY_PARAMS, &dmd);
 	if (r < 0)
 		return r;
@@ -1300,6 +1353,7 @@
 		cd->u.verity.hdr.fec_roots = tgt->u.verity.vp->fec_roots;
 		MOVE_REF(cd->u.verity.fec_device, tgt->u.verity.fec_device);
 		MOVE_REF(cd->metadata_device, tgt->u.verity.hash_device);
+		MOVE_REF(cd->u.verity.root_hash, tgt->u.verity.root_hash);
 	}
 out:
 	dm_targets_free(cd, &dmd);
@@ -1413,6 +1467,8 @@
 			(*cd)->type = strdup(CRYPT_TCRYPT);
 		else if (!strncmp(CRYPT_INTEGRITY, dmd.uuid, sizeof(CRYPT_INTEGRITY)-1))
 			(*cd)->type = strdup(CRYPT_INTEGRITY);
+		else if (!strncmp(CRYPT_BITLK, dmd.uuid, sizeof(CRYPT_BITLK)-1))
+			(*cd)->type = strdup(CRYPT_BITLK);
 		else
 			log_dbg(NULL, "Unknown UUID set, some parameters are not set.");
 	} else
@@ -1424,7 +1480,7 @@
 			goto out;
 	}
 
-	/* Try to initialise basic parameters from active device */
+	/* Try to initialize basic parameters from active device */
 
 	if (tgt->type == DM_CRYPT || tgt->type == DM_LINEAR)
 		r = _init_by_name_crypt(*cd, name);
@@ -2090,6 +2146,7 @@
 				   struct crypt_params_integrity *params)
 {
 	int r;
+	uint32_t integrity_tag_size;
 	char *integrity = NULL, *journal_integrity = NULL, *journal_crypt = NULL;
 	struct volume_key *journal_crypt_key = NULL, *journal_mac_key = NULL;
 
@@ -2146,6 +2203,14 @@
 		goto err;
 	}
 
+	integrity_tag_size = INTEGRITY_hash_tag_size(integrity);
+	if (integrity_tag_size > 0 && params->tag_size && integrity_tag_size != params->tag_size)
+		log_std(cd, _("WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"),
+			params->tag_size, integrity, integrity_tag_size);
+
+	if (params->tag_size)
+		integrity_tag_size = params->tag_size;
+
 	cd->u.integrity.journal_crypt_key = journal_crypt_key;
 	cd->u.integrity.journal_mac_key = journal_mac_key;
 	cd->u.integrity.params.journal_size = params->journal_size;
@@ -2154,7 +2219,7 @@
 	cd->u.integrity.params.interleave_sectors = params->interleave_sectors;
 	cd->u.integrity.params.buffer_sectors = params->buffer_sectors;
 	cd->u.integrity.params.sector_size = params->sector_size;
-	cd->u.integrity.params.tag_size = params->tag_size;
+	cd->u.integrity.params.tag_size = integrity_tag_size;
 	cd->u.integrity.params.integrity = integrity;
 	cd->u.integrity.params.journal_integrity = journal_integrity;
 	cd->u.integrity.params.journal_crypt = journal_crypt;
@@ -2701,7 +2766,7 @@
 	 *	  explicit size stored in metadata (length != "dynamic")
 	 */
 
-	/* Device context type must be initialised */
+	/* Device context type must be initialized */
 	if (!cd || !cd->type || !name)
 		return -EINVAL;
 
@@ -2902,8 +2967,8 @@
 		else
 			r = LUKS2_hdr_restore(cd, &hdr2, backup_file);
 
-		crypt_memzero(&hdr1, sizeof(hdr1));
-		crypt_memzero(&hdr2, sizeof(hdr2));
+		crypt_safe_memzero(&hdr1, sizeof(hdr1));
+		crypt_safe_memzero(&hdr2, sizeof(hdr2));
 	} else if (isLUKS2(cd->type) && (!requested_type || isLUKS2(requested_type))) {
 		r = LUKS2_hdr_restore(cd, &cd->u.luks2.hdr, backup_file);
 		if (r)
@@ -2938,7 +3003,7 @@
 	free(CONST_CAST(void*)cd->pbkdf.hash);
 
 	/* Some structures can contain keys (TCRYPT), wipe it */
-	crypt_memzero(cd, sizeof(*cd));
+	crypt_safe_memzero(cd, sizeof(*cd));
 	free(cd);
 }
 
@@ -3147,7 +3212,7 @@
 	}
 
 	r = dm_resume_and_reinstate_key(cd, name, vk);
-	if (r)
+	if (r < 0)
 		log_err(cd, _("Error during resuming device %s."), name);
 out:
 	crypt_safe_free(passphrase_read);
@@ -3178,6 +3243,65 @@
 				      keyfile, keyfile_size, keyfile_offset);
 }
 
+int crypt_resume_by_volume_key(struct crypt_device *cd,
+	const char *name,
+	const char *volume_key,
+	size_t volume_key_size)
+{
+	struct volume_key *vk = NULL;
+	int r;
+
+	if (!name || !volume_key)
+		return -EINVAL;
+
+	log_dbg(cd, "Resuming volume %s by volume key.", name);
+
+	if ((r = onlyLUKS(cd)))
+		return r;
+
+	r = dm_status_suspended(cd, name);
+	if (r < 0)
+		return r;
+
+	if (!r) {
+		log_err(cd, _("Volume %s is not suspended."), name);
+		return -EINVAL;
+	}
+
+	vk = crypt_alloc_volume_key(volume_key_size, volume_key);
+	if (!vk)
+		return -ENOMEM;
+
+	if (isLUKS1(cd->type))
+		r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk);
+	else if (isLUKS2(cd->type))
+		r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk);
+	else
+		r = -EINVAL;
+	if (r == -EPERM || r == -ENOENT)
+		log_err(cd, _("Volume key does not match the volume."));
+	if  (r < 0)
+		goto out;
+	r = 0;
+
+	if (crypt_use_keyring_for_vk(cd)) {
+		r = LUKS2_key_description_by_segment(cd, &cd->u.luks2.hdr, vk, CRYPT_DEFAULT_SEGMENT);
+		if (!r)
+			r = crypt_volume_key_load_in_keyring(cd, vk);
+	}
+	if  (r < 0)
+		goto out;
+
+	r = dm_resume_and_reinstate_key(cd, name, vk);
+	if (r < 0)
+		log_err(cd, _("Error during resuming device %s."), name);
+out:
+	if (r < 0)
+		crypt_drop_keyring_key(cd, vk);
+	crypt_free_volume_key(vk);
+	return r;
+}
+
 /*
  * Keyslot manipulation
  */
@@ -3621,7 +3745,7 @@
 
 	device_check = dmd->flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL;
 
-	r = INTEGRITY_activate_dmd_device(cd, iname, CRYPT_INTEGRITY, dmdi);
+	r = INTEGRITY_activate_dmd_device(cd, iname, CRYPT_INTEGRITY, dmdi, 0);
 	if (r)
 		return r;
 
@@ -3643,6 +3767,27 @@
 	return r;
 }
 
+static int kernel_keyring_support(void)
+{
+	static unsigned _checked = 0;
+
+	if (!_checked) {
+		_kernel_keyring_supported = keyring_check();
+		_checked = 1;
+	}
+
+	return _kernel_keyring_supported;
+}
+
+static int dmcrypt_keyring_bug(void)
+{
+	uint64_t kversion;
+
+	if (kernel_version(&kversion))
+		return 1;
+	return kversion < version(4,15,0,0);
+}
+
 int create_or_reload_device(struct crypt_device *cd, const char *name,
 		     const char *type, struct crypt_dm_active_device *dmd)
 {
@@ -3717,7 +3862,7 @@
 		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 		if (r < 0)
 			return r;
-		vk = vk->next;
+		vk = crypt_volume_key_next(vk);
 	}
 
 	return 0;
@@ -3830,7 +3975,7 @@
 	if (crypt_use_keyring_for_vk(cd))
 		flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 
-	r = crypt_reencrypt_lock(cd, NULL, &reencrypt_lock);
+	r = crypt_reencrypt_lock(cd, &reencrypt_lock);
 	if (r) {
 		if (r == -EBUSY)
 			log_err(cd, _("Reencryption in-progress. Cannot activate device."));
@@ -3974,8 +4119,12 @@
 	} else if (isLUKS2(cd->type)) {
 		r = _open_and_activate_luks2(cd, keyslot, name, passphrase, passphrase_size, flags);
 		keyslot = r;
+	} else if (isBITLK(cd->type)) {
+		r = BITLK_activate(cd, name, passphrase, passphrase_size,
+				   &cd->u.bitlk.params, flags);
+		keyslot = 0;
 	} else {
-		log_err(cd, _("Device type is not properly initialised."));
+		log_err(cd, _("Device type is not properly initialized."));
 		r = -EINVAL;
 	}
 out:
@@ -4114,7 +4263,6 @@
 	return crypt_activate_by_keyfile_device_offset(cd, name, keyslot, keyfile,
 					keyfile_size, keyfile_offset, flags);
 }
-
 int crypt_activate_by_volume_key(struct crypt_device *cd,
 	const char *name,
 	const char *volume_key,
@@ -4209,25 +4357,7 @@
 		if (!r && name)
 			r = LUKS2_activate(cd, name, vk, flags);
 	} else if (isVERITY(cd->type)) {
-		/* volume_key == root hash */
-		if (!volume_key || !volume_key_size) {
-			log_err(cd, _("Incorrect root hash specified for verity device."));
-			return -EINVAL;
-		}
-
-		r = VERITY_activate(cd, name, volume_key, volume_key_size, cd->u.verity.fec_device,
-				    &cd->u.verity.hdr, flags|CRYPT_ACTIVATE_READONLY);
-
-		if (r == -EPERM) {
-			free(cd->u.verity.root_hash);
-			cd->u.verity.root_hash = NULL;
-		} if (!r) {
-			cd->u.verity.root_hash_size = volume_key_size;
-			if (!cd->u.verity.root_hash)
-				cd->u.verity.root_hash = malloc(volume_key_size);
-			if (cd->u.verity.root_hash)
-				memcpy(cd->u.verity.root_hash, volume_key, volume_key_size);
-		}
+		r = crypt_activate_by_signed_key(cd, name, volume_key, volume_key_size, NULL, 0, flags);
 	} else if (isTCRYPT(cd->type)) {
 		if (!name)
 			return 0;
@@ -4243,9 +4373,10 @@
 		}
 		r = INTEGRITY_activate(cd, name, &cd->u.integrity.params, vk,
 				       cd->u.integrity.journal_crypt_key,
-				       cd->u.integrity.journal_mac_key, flags);
+				       cd->u.integrity.journal_mac_key, flags,
+				       cd->u.integrity.sb_flags);
 	} else {
-		log_err(cd, _("Device type is not properly initialised."));
+		log_err(cd, _("Device type is not properly initialized."));
 		r = -EINVAL;
 	}
 
@@ -4256,6 +4387,77 @@
 	return r;
 }
 
+int crypt_activate_by_signed_key(struct crypt_device *cd,
+	const char *name,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	uint32_t flags)
+{
+	char description[512];
+	int r;
+
+	if (!cd || !isVERITY(cd->type))
+		return -EINVAL;
+
+	if (!volume_key || !volume_key_size || (!name && signature)) {
+		log_err(cd, _("Incorrect root hash specified for verity device."));
+		return -EINVAL;
+	}
+
+	log_dbg(cd, "%s volume %s by signed key.", name ? "Activating" : "Checking", name ?: "");
+
+	if (cd->u.verity.hdr.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE && !signature) {
+		log_err(cd, _("Root hash signature required."));
+		return -EINVAL;
+	}
+
+	r = _activate_check_status(cd, name, flags & CRYPT_ACTIVATE_REFRESH);
+	if (r < 0)
+		return r;
+
+	if (signature && !kernel_keyring_support()) {
+		log_err(cd, _("Kernel keyring missing: required for passing signature to kernel."));
+		return -EINVAL;
+	}
+
+	/* volume_key == root hash */
+	free(CONST_CAST(void*)cd->u.verity.root_hash);
+	cd->u.verity.root_hash = NULL;
+
+	if (signature) {
+		r = snprintf(description, sizeof(description)-1, "cryptsetup:%s%s%s",
+			     crypt_get_uuid(cd) ?: "", crypt_get_uuid(cd) ? "-" : "", name);
+		if (r < 0)
+			return -EINVAL;
+
+		log_dbg(cd, "Adding signature into keyring %s", description);
+		r = keyring_add_key_in_thread_keyring(USER_KEY, description, signature, signature_size);
+		if (r) {
+			log_err(cd, _("Failed to load key in kernel keyring."));
+			return r;
+		}
+	}
+
+	r = VERITY_activate(cd, name, volume_key, volume_key_size,
+			    signature ? description : NULL,
+			    cd->u.verity.fec_device,
+			    &cd->u.verity.hdr, flags | CRYPT_ACTIVATE_READONLY);
+
+	if (!r) {
+		cd->u.verity.root_hash_size = volume_key_size;
+		cd->u.verity.root_hash = malloc(volume_key_size);
+		if (cd->u.verity.root_hash)
+			memcpy(CONST_CAST(void*)cd->u.verity.root_hash, volume_key, volume_key_size);
+	}
+
+	if (signature)
+		crypt_drop_keyring_key_by_description(cd, description, USER_KEY);
+
+	return r;
+}
+
 int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t flags)
 {
 	struct crypt_device *fake_cd = NULL;
@@ -4295,7 +4497,7 @@
 			if (isLUKS2(cd->type))
 				hdr2 = crypt_get_hdr(cd, CRYPT_LUKS2);
 
-			if (!strncmp(CRYPT_LUKS2, dmd.uuid ?: "", sizeof(CRYPT_LUKS2)-1) || hdr2)
+			if ((dmd.uuid && !strncmp(CRYPT_LUKS2, dmd.uuid, sizeof(CRYPT_LUKS2)-1)) || hdr2)
 				r = LUKS2_deactivate(cd, name, hdr2, &dmd, flags);
 			else if (isTCRYPT(cd->type))
 				r = TCRYPT_deactivate(cd, name, flags);
@@ -4415,7 +4617,7 @@
 	struct volume_key *vk = NULL;
 	int key_len, r = -EINVAL;
 
-	if (!cd || !volume_key || !volume_key_size || (!isTCRYPT(cd->type) && !passphrase))
+	if (!cd || !volume_key || !volume_key_size || (!isTCRYPT(cd->type) && !isVERITY(cd->type) && !passphrase))
 		return -EINVAL;
 
 	if (isLUKS2(cd->type) && keyslot != CRYPT_ANY_SLOT)
@@ -4445,10 +4647,18 @@
 				passphrase, passphrase_size, &vk);
 	} else if (isTCRYPT(cd->type)) {
 		r = TCRYPT_get_volume_key(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params, &vk);
+	} else if (isVERITY(cd->type)) {
+		/* volume_key == root hash */
+		if (cd->u.verity.root_hash) {
+			memcpy(volume_key, cd->u.verity.root_hash, cd->u.verity.root_hash_size);
+			*volume_key_size = cd->u.verity.root_hash_size;
+			r = 0;
+		} else
+			log_err(cd, _("Cannot retrieve root hash for verity device."));
 	} else
 		log_err(cd, _("This operation is not supported for %s crypt device."), cd->type ?: "(none)");
 
-	if (r >= 0) {
+	if (r >= 0 && vk) {
 		memcpy(volume_key, vk->key, vk->keylength);
 		*volume_key_size = vk->keylength;
 	}
@@ -4475,6 +4685,9 @@
 		r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk);
 	else if (isLUKS2(cd->type))
 		r = LUKS2_digest_verify_by_segment(cd, &cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT, vk);
+	else
+		r = -EINVAL;
+
 
 	if (r == -EPERM)
 		log_err(cd, _("Volume key does not match the volume."));
@@ -4513,6 +4726,20 @@
 	return lock ? crypt_memlock_inc(cd) : crypt_memlock_dec(cd);
 }
 
+void crypt_set_compatibility(struct crypt_device *cd, uint32_t flags)
+{
+	if (cd)
+		cd->compatibility = flags;
+}
+
+uint32_t crypt_get_compatibility(struct crypt_device *cd)
+{
+	if (cd)
+		return cd->compatibility;
+
+	return 0;
+}
+
 /*
  * Reporting
  */
@@ -4632,6 +4859,8 @@
 		return TCRYPT_dump(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
 	else if (isINTEGRITY(cd->type))
 		return INTEGRITY_dump(cd, crypt_data_device(cd), 0);
+	else if (isBITLK(cd->type))
+		return BITLK_dump(cd, crypt_data_device(cd), &cd->u.bitlk.params);
 
 	log_err(cd, _("Dump operation is not supported for this device type."));
 	return -EINVAL;
@@ -4650,6 +4879,8 @@
 		return cd->u.plain.cipher_spec;
 	else if (isLOOPAES(cd->type))
 		return cd->u.loopaes.cipher_spec;
+	else if (isBITLK(cd->type))
+		return cd->u.bitlk.cipher_spec;
 	else if (!cd->type && !_init_by_name_crypt_none(cd))
 		return cd->u.none.cipher_spec;
 
@@ -4680,6 +4911,9 @@
 	if (isTCRYPT(cd->type))
 		return cd->u.tcrypt.params.cipher;
 
+	if (isBITLK(cd->type))
+		return cd->u.bitlk.params.cipher;
+
 	if (!cd->type && !_init_by_name_crypt_none(cd))
 		return cd->u.none.cipher;
 
@@ -4710,6 +4944,9 @@
 	if (isTCRYPT(cd->type))
 		return cd->u.tcrypt.params.mode;
 
+	if (isBITLK(cd->type))
+		return cd->u.bitlk.params.cipher_mode;
+
 	if (!cd->type && !_init_by_name_crypt_none(cd))
 		return cd->u.none.cipher_mode;
 
@@ -4784,6 +5021,9 @@
 	if (isVERITY(cd->type))
 		return cd->u.verity.uuid;
 
+	if (isBITLK(cd->type))
+		return cd->u.bitlk.params.guid;
+
 	return NULL;
 }
 
@@ -4844,6 +5084,9 @@
 	if (isTCRYPT(cd->type))
 		return cd->u.tcrypt.params.key_size;
 
+	if (isBITLK(cd->type))
+		return cd->u.bitlk.params.key_size / 8;
+
 	if (!cd->type && !_init_by_name_crypt_none(cd))
 		return cd->u.none.key_size;
 
@@ -5025,6 +5268,9 @@
 	if (isTCRYPT(cd->type))
 		return TCRYPT_get_data_offset(cd, &cd->u.tcrypt.hdr, &cd->u.tcrypt.params);
 
+	if (isBITLK(cd->type))
+		return cd->u.bitlk.params.volume_header_size / SECTOR_SIZE;
+
 	return cd->data_offset;
 }
 
@@ -5144,7 +5390,7 @@
 	vp->data_size = cd->u.verity.hdr.data_size;
 	vp->hash_area_offset = cd->u.verity.hdr.hash_area_offset;
 	vp->hash_type = cd->u.verity.hdr.hash_type;
-	vp->flags = cd->u.verity.hdr.flags & CRYPT_VERITY_NO_HEADER;
+	vp->flags = cd->u.verity.hdr.flags & (CRYPT_VERITY_NO_HEADER | CRYPT_VERITY_ROOT_HASH_SIGNATURE);
 	return 0;
 }
 
@@ -5596,7 +5842,7 @@
 
 	r = LUKS2_keyslot_params_default(cd, &cd->u.luks2.hdr, &params);
 	if (r < 0) {
-		log_err(cd, _("Failed to initialise default LUKS2 keyslot parameters."));
+		log_err(cd, _("Failed to initialize default LUKS2 keyslot parameters."));
 		goto out;
 	}
 
@@ -5624,32 +5870,11 @@
  * Keyring handling
  */
 
-static int kernel_keyring_support(void)
-{
-	static unsigned _checked = 0;
-
-	if (!_checked) {
-		_kernel_keyring_supported = keyring_check();
-		_checked = 1;
-	}
-
-	return _kernel_keyring_supported;
-}
-
-static int dmcrypt_keyring_bug(void)
-{
-	uint64_t kversion;
-
-	if (kernel_version(&kversion))
-		return 1;
-	return kversion < version(4,15,0,0);
-}
-
 int crypt_use_keyring_for_vk(struct crypt_device *cd)
 {
 	uint32_t dmc_flags;
 
-	/* dm backend must be initialised */
+	/* dm backend must be initialized */
 	if (!cd || !isLUKS2(cd->type))
 		return 0;
 
@@ -5770,7 +5995,7 @@
 
 	r = _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags);
 
-	crypt_memzero(passphrase, passphrase_size);
+	crypt_safe_memzero(passphrase, passphrase_size);
 	free(passphrase);
 
 	return r;
diff -Nru cryptsetup-2.2.2/lib/tcrypt/tcrypt.c cryptsetup-2.3.1/lib/tcrypt/tcrypt.c
--- cryptsetup-2.2.2/lib/tcrypt/tcrypt.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/tcrypt/tcrypt.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -23,7 +23,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <fcntl.h>
 #include <assert.h>
 
 #include "libcryptsetup.h"
@@ -301,8 +300,8 @@
 	}
 
 	crypt_cipher_destroy(cipher);
-	crypt_memzero(iv, bs);
-	crypt_memzero(iv_old, bs);
+	crypt_safe_memzero(iv, bs);
+	crypt_safe_memzero(iv_old, bs);
 	return r;
 }
 
@@ -369,8 +368,8 @@
 		crypt_cipher_destroy(cipher);
 	}
 
-	crypt_memzero(backend_key, sizeof(backend_key));
-	crypt_memzero(iv, TCRYPT_HDR_IV_LEN);
+	crypt_safe_memzero(backend_key, sizeof(backend_key));
+	crypt_safe_memzero(iv, TCRYPT_HDR_IV_LEN);
 	return r;
 }
 
@@ -420,8 +419,8 @@
 		if (cipher[j])
 			crypt_cipher_destroy(cipher[j]);
 
-	crypt_memzero(iv, bs);
-	crypt_memzero(iv_old, bs);
+	crypt_safe_memzero(iv, bs);
+	crypt_safe_memzero(iv_old, bs);
 	return r;
 }
 
@@ -474,13 +473,13 @@
 		r = -EPERM;
 	}
 
-	crypt_memzero(&hdr2, sizeof(hdr2));
+	crypt_safe_memzero(&hdr2, sizeof(hdr2));
 	return r;
 }
 
 static int TCRYPT_pool_keyfile(struct crypt_device *cd,
-				unsigned char pool[TCRYPT_KEY_POOL_LEN],
-				const char *keyfile)
+				unsigned char pool[VCRYPT_KEY_POOL_LEN],
+				const char *keyfile, int keyfiles_pool_length)
 {
 	unsigned char *data;
 	int i, j, fd, data_size, r = -EIO;
@@ -512,12 +511,12 @@
 		pool[j++] += (unsigned char)(crc >> 16);
 		pool[j++] += (unsigned char)(crc >>  8);
 		pool[j++] += (unsigned char)(crc);
-		j %= TCRYPT_KEY_POOL_LEN;
+		j %= keyfiles_pool_length;
 	}
 	r = 0;
 out:
-	crypt_memzero(&crc, sizeof(crc));
-	crypt_memzero(data, TCRYPT_KEYFILE_LEN);
+	crypt_safe_memzero(&crc, sizeof(crc));
+	crypt_safe_memzero(data, TCRYPT_KEYFILE_LEN);
 	free(data);
 
 	return r;
@@ -527,29 +526,41 @@
 			   struct tcrypt_phdr *hdr,
 			   struct crypt_params_tcrypt *params)
 {
-	unsigned char pwd[TCRYPT_KEY_POOL_LEN] = {};
-	size_t passphrase_size;
+	unsigned char pwd[VCRYPT_KEY_POOL_LEN] = {};
+	size_t passphrase_size, max_passphrase_size;
 	char *key;
 	unsigned int i, skipped = 0, iterations;
-	int r = -EPERM;
+	int r = -EPERM, keyfiles_pool_length;
 
 	if (posix_memalign((void*)&key, crypt_getpagesize(), TCRYPT_HDR_KEY_LEN))
 		return -ENOMEM;
 
+	if (params->flags & CRYPT_TCRYPT_VERA_MODES) {
+		max_passphrase_size = VCRYPT_KEY_POOL_LEN;
+		/* Really. Keyfile pool length depends on passphrase size in Veracrypt. */
+		if (params->passphrase_size > TCRYPT_KEY_POOL_LEN)
+			keyfiles_pool_length = VCRYPT_KEY_POOL_LEN;
+		else
+			keyfiles_pool_length = TCRYPT_KEY_POOL_LEN;
+	} else {
+		max_passphrase_size = TCRYPT_KEY_POOL_LEN;
+		keyfiles_pool_length = TCRYPT_KEY_POOL_LEN;
+	}
+
 	if (params->keyfiles_count)
-		passphrase_size = TCRYPT_KEY_POOL_LEN;
+		passphrase_size = max_passphrase_size;
 	else
 		passphrase_size = params->passphrase_size;
 
-	if (params->passphrase_size > TCRYPT_KEY_POOL_LEN) {
-		log_err(cd, _("Maximum TCRYPT passphrase length (%d) exceeded."),
-			      TCRYPT_KEY_POOL_LEN);
+	if (params->passphrase_size > max_passphrase_size) {
+		log_err(cd, _("Maximum TCRYPT passphrase length (%zu) exceeded."),
+			      max_passphrase_size);
 		goto out;
 	}
 
 	/* Calculate pool content from keyfiles */
 	for (i = 0; i < params->keyfiles_count; i++) {
-		r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i]);
+		r = TCRYPT_pool_keyfile(cd, pwd, params->keyfiles[i], keyfiles_pool_length);
 		if (r < 0)
 			goto out;
 	}
@@ -619,9 +630,9 @@
 			params->cipher, params->mode, params->key_size);
 	}
 out:
-	crypt_memzero(pwd, TCRYPT_KEY_POOL_LEN);
+	crypt_safe_memzero(pwd, TCRYPT_KEY_POOL_LEN);
 	if (key)
-		crypt_memzero(key, TCRYPT_HDR_KEY_LEN);
+		crypt_safe_memzero(key, TCRYPT_HDR_KEY_LEN);
 	free(key);
 	return r;
 }
@@ -747,7 +758,7 @@
 	}
 
 	if (strstr(params->mode, "-tcrypt")) {
-		log_err(cd, _("Kernel doesn't support activation for this TCRYPT legacy mode."));
+		log_err(cd, _("Kernel does not support activation for this TCRYPT legacy mode."));
 		return -ENOTSUP;
 	}
 
@@ -859,7 +870,7 @@
 
 	if (r < 0 &&
 	    (dm_flags(cd, DM_CRYPT, &dmc_flags) || ((dmc_flags & req_flags) != req_flags))) {
-		log_err(cd, _("Kernel doesn't support TCRYPT compatible mapping."));
+		log_err(cd, _("Kernel does not support TCRYPT compatible mapping."));
 		r = -ENOTSUP;
 	}
 
diff -Nru cryptsetup-2.2.2/lib/tcrypt/tcrypt.h cryptsetup-2.3.1/lib/tcrypt/tcrypt.h
--- cryptsetup-2.2.2/lib/tcrypt/tcrypt.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/tcrypt/tcrypt.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * TCRYPT (TrueCrypt-compatible)  header definition
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -42,6 +42,7 @@
 
 #define TCRYPT_LRW_IKEY_LEN 16
 #define TCRYPT_KEY_POOL_LEN 64
+#define VCRYPT_KEY_POOL_LEN 128
 #define TCRYPT_KEYFILE_LEN  1048576
 
 #define TCRYPT_HDR_FLAG_SYSTEM    (1 << 0)
diff -Nru cryptsetup-2.2.2/lib/utils_benchmark.c cryptsetup-2.3.1/lib/utils_benchmark.c
--- cryptsetup-2.2.2/lib/utils_benchmark.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_benchmark.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * libcryptsetup - cryptsetup library, cipher benchmark
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -72,7 +72,7 @@
 	if (r == -ERANGE)
 		log_dbg(cd, "Measured cipher runtime is too low.");
 	else if (r == -ENOTSUP || r == -ENOENT)
-		log_dbg(cd, "Cannot initialise cipher %s, mode %s.", cipher, cipher_mode);
+		log_dbg(cd, "Cannot initialize cipher %s, mode %s.", cipher, cipher_mode);
 
 out:
 	free(buffer);
diff -Nru cryptsetup-2.2.2/lib/utils_blkid.c cryptsetup-2.3.1/lib/utils_blkid.c
--- cryptsetup-2.2.2/lib/utils_blkid.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_blkid.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * blkid probe utilities
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -310,9 +310,9 @@
 
 off_t blk_get_offset(struct blkid_handle *h)
 {
-	const char *offset;
 	off_t offset_value = -1;
 #ifdef HAVE_BLKID
+	const char *offset;
 	if (blk_is_superblock(h)) {
 		if (!blkid_probe_lookup_value(h->pr, "SBMAGIC_OFFSET", &offset, NULL))
 			offset_value = strtoll(offset, NULL, 10);
diff -Nru cryptsetup-2.2.2/lib/utils_blkid.h cryptsetup-2.3.1/lib/utils_blkid.h
--- cryptsetup-2.2.2/lib/utils_blkid.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_blkid.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * blkid probe utilities
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils.c cryptsetup-2.3.1/lib/utils.c
--- cryptsetup-2.2.2/lib/utils.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -23,7 +23,6 @@
 
 #include <stdio.h>
 #include <errno.h>
-#include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
@@ -130,7 +129,7 @@
 			if (errno == EINTR)
 				continue;
 
-			crypt_memzero(tmp, sizeof(tmp));
+			crypt_safe_memzero(tmp, sizeof(tmp));
 			/* read error */
 			return -1;
 		}
@@ -142,7 +141,7 @@
 		bytes -= bytes_r;
 	}
 
-	crypt_memzero(tmp, sizeof(tmp));
+	crypt_safe_memzero(tmp, sizeof(tmp));
 	return bytes == 0 ? 0 : -1;
 }
 
@@ -181,7 +180,7 @@
 		key_size = DEFAULT_KEYFILE_SIZE_MAXKB * 1024 + 1;
 		unlimited_read = 1;
 		/* use 4k for buffer (page divisor but avoid huge pages) */
-		buflen = 4096 - sizeof(struct safe_allocation);
+		buflen = 4096 - sizeof(size_t); // sizeof(struct safe_allocation);
 	} else
 		buflen = key_size;
 
diff -Nru cryptsetup-2.2.2/lib/utils_crypt.c cryptsetup-2.3.1/lib/utils_crypt.c
--- cryptsetup-2.2.2/lib/utils_crypt.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_crypt.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,8 +2,8 @@
  * utils_crypt - cipher utilities for cryptsetup
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -149,79 +149,6 @@
 	return 0;
 }
 
-/*
- * Replacement for memset(s, 0, n) on stack that can be optimized out
- * Also used in safe allocations for explicit memory wipe.
- */
-void crypt_memzero(void *s, size_t n)
-{
-#ifdef HAVE_EXPLICIT_BZERO
-	explicit_bzero(s, n);
-#else
-	volatile uint8_t *p = (volatile uint8_t *)s;
-
-	while(n--)
-		*p++ = 0;
-#endif
-}
-
-/* safe allocations */
-void *crypt_safe_alloc(size_t size)
-{
-	struct safe_allocation *alloc;
-
-	if (!size || size > (SIZE_MAX - offsetof(struct safe_allocation, data)))
-		return NULL;
-
-	alloc = malloc(size + offsetof(struct safe_allocation, data));
-	if (!alloc)
-		return NULL;
-
-	alloc->size = size;
-	crypt_memzero(&alloc->data, size);
-
-	/* coverity[leaked_storage] */
-	return &alloc->data;
-}
-
-void crypt_safe_free(void *data)
-{
-	struct safe_allocation *alloc;
-
-	if (!data)
-		return;
-
-	alloc = (struct safe_allocation *)
-		((char *)data - offsetof(struct safe_allocation, data));
-
-	crypt_memzero(data, alloc->size);
-
-	alloc->size = 0x55aa55aa;
-	free(alloc);
-}
-
-void *crypt_safe_realloc(void *data, size_t size)
-{
-	struct safe_allocation *alloc;
-	void *new_data;
-
-	new_data = crypt_safe_alloc(size);
-
-	if (new_data && data) {
-
-		alloc = (struct safe_allocation *)
-			((char *)data - offsetof(struct safe_allocation, data));
-
-		if (size > alloc->size)
-			size = alloc->size;
-
-		memcpy(new_data, data, size);
-	}
-
-	crypt_safe_free(data);
-	return new_data;
-}
-
 ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc)
 {
 	char buf[3] = "xx\0", *endp, *bytes;
diff -Nru cryptsetup-2.2.2/lib/utils_crypt.h cryptsetup-2.3.1/lib/utils_crypt.h
--- cryptsetup-2.2.2/lib/utils_crypt.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_crypt.h	2020-03-12 08:39:20.000000000 +0000
@@ -2,8 +2,8 @@
  * utils_crypt - cipher utilities for cryptsetup
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -29,14 +29,6 @@
 #define MAX_CIPHER_LEN_STR	"31"
 #define MAX_KEYFILES		32
 
-struct crypt_device;
-
-/* Not to be used directly */
-struct safe_allocation {
-	size_t	size;
-	char	data[0];
-};
-
 int crypt_parse_name_and_mode(const char *s, char *cipher,
 			      int *key_nums, char *cipher_mode);
 int crypt_parse_hash_integrity_mode(const char *s, char *integrity);
@@ -44,12 +36,6 @@
 			       int *integrity_key_size);
 int crypt_parse_pbkdf(const char *s, const char **pbkdf);
 
-void *crypt_safe_alloc(size_t size);
-void crypt_safe_free(void *data);
-void *crypt_safe_realloc(void *data, size_t size);
-
-void crypt_memzero(void *s, size_t n);
-
 ssize_t crypt_hex_to_bytes(const char *hex, char **result, int safe_alloc);
 
 #endif /* _UTILS_CRYPT_H */
diff -Nru cryptsetup-2.2.2/lib/utils_device.c cryptsetup-2.3.1/lib/utils_device.c
--- cryptsetup-2.2.2/lib/utils_device.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_device.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -24,7 +24,6 @@
 #include <assert.h>
 #include <string.h>
 #include <stdlib.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -145,7 +144,7 @@
 	if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
 		r = 0;
 
-	crypt_memzero(buffer, sizeof(buffer));
+	crypt_safe_memzero(buffer, sizeof(buffer));
 	return r;
 }
 
@@ -185,7 +184,7 @@
 	}
 
 	if (devfd < 0) {
-		log_err(cd, _("Device %s doesn't exist or access denied."),
+		log_err(cd, _("Device %s does not exist or access denied."),
 			device_path(device));
 		return -EINVAL;
 	}
diff -Nru cryptsetup-2.2.2/lib/utils_device_locking.c cryptsetup-2.3.1/lib/utils_device_locking.c
--- cryptsetup-2.2.2/lib/utils_device_locking.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_device_locking.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Metadata on-disk locking for processes serialization
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -20,7 +20,6 @@
  */
 
 #include <errno.h>
-#include <fcntl.h>
 #include <linux/limits.h>
 #include <stdio.h>
 #include <stdlib.h>
diff -Nru cryptsetup-2.2.2/lib/utils_device_locking.h cryptsetup-2.3.1/lib/utils_device_locking.h
--- cryptsetup-2.2.2/lib/utils_device_locking.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_device_locking.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Metadata on-disk locking for processes serialization
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_devpath.c cryptsetup-2.3.1/lib/utils_devpath.c
--- cryptsetup-2.2.2/lib/utils_devpath.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_devpath.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -26,7 +26,6 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <limits.h>
 #include <sys/stat.h>
diff -Nru cryptsetup-2.2.2/lib/utils_dm.h cryptsetup-2.3.1/lib/utils_dm.h
--- cryptsetup-2.2.2/lib/utils_dm.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_dm.h	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -64,8 +64,12 @@
 #define DM_INTEGRITY_RECALC_SUPPORTED (1 << 16) /* dm-integrity automatic recalculation supported */
 #define DM_INTEGRITY_BITMAP_SUPPORTED (1 << 17) /* dm-integrity bitmap mode supported */
 #define DM_GET_TARGET_VERSION_SUPPORTED (1 << 18) /* dm DM_GET_TARGET version ioctl supported */
+#define DM_INTEGRITY_FIX_PADDING_SUPPORTED (1 << 19) /* supports the parameter fix_padding that fixes a bug that caused excessive padding */
+#define DM_BITLK_EBOIV_SUPPORTED (1 << 20) /* EBOIV for BITLK supported */
+#define DM_BITLK_ELEPHANT_SUPPORTED (1 << 21) /* Elephant diffuser for BITLK supported */
+#define DM_VERITY_SIGNATURE_SUPPORTED (1 << 22) /* Verity option root_hash_sig_key_desc supported */
 
-typedef enum { DM_CRYPT = 0, DM_VERITY, DM_INTEGRITY, DM_LINEAR, DM_ERROR, DM_UNKNOWN } dm_target_type;
+typedef enum { DM_CRYPT = 0, DM_VERITY, DM_INTEGRITY, DM_LINEAR, DM_ERROR, DM_ZERO, DM_UNKNOWN } dm_target_type;
 enum tdirection { TARGET_SET = 1, TARGET_QUERY };
 
 int dm_flags(struct crypt_device *cd, dm_target_type target, uint32_t *flags);
@@ -110,6 +114,7 @@
 
 		const char *root_hash;
 		uint32_t root_hash_size;
+		const char *root_hash_sig_key_desc;
 
 		uint64_t hash_offset;	/* hash offset in blocks (not header) */
 		uint64_t hash_blocks;	/* size of hash device (in hash blocks) */
@@ -138,10 +143,14 @@
 		struct volume_key *journal_crypt_key;
 
 		struct device *meta_device;
+
+		bool fix_padding;
 	} integrity;
 	struct {
 		uint64_t offset;
 	} linear;
+	struct {
+	} zero;
 	} u;
 
 	char *params;
@@ -175,9 +184,10 @@
 	uint32_t tag_size, uint32_t sector_size);
 int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct device *hash_device, struct device *fec_device,
-	const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
-	uint64_t hash_blocks, struct crypt_params_verity *vp);
-int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+	const char *root_hash, uint32_t root_hash_size, const char *root_hash_sig_key_desc,
+	uint64_t hash_offset_block, uint64_t hash_blocks, struct crypt_params_verity *vp);
+int dm_integrity_target_set(struct crypt_device *cd,
+	struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *meta_device,
 	struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size,
 	struct volume_key *vk,
@@ -185,6 +195,7 @@
 	const struct crypt_params_integrity *ip);
 int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, uint64_t data_offset);
+int dm_zero_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size);
 
 int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags);
 int dm_status_device(struct crypt_device *cd, const char *name);
diff -Nru cryptsetup-2.2.2/lib/utils_fips.c cryptsetup-2.3.1/lib/utils_fips.c
--- cryptsetup-2.2.2/lib/utils_fips.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_fips.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * FIPS mode utilities
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_fips.h cryptsetup-2.3.1/lib/utils_fips.h
--- cryptsetup-2.2.2/lib/utils_fips.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_fips.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * FIPS mode utilities
  *
- * Copyright (C) 2011-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_io.c cryptsetup-2.3.1/lib/utils_io.c
--- cryptsetup-2.2.2/lib/utils_io.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_io.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_io.h cryptsetup-2.3.1/lib/utils_io.h
--- cryptsetup-2.2.2/lib/utils_io.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_io.h	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_keyring.c cryptsetup-2.3.1/lib/utils_keyring.c
--- cryptsetup-2.2.2/lib/utils_keyring.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_keyring.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * kernel keyring utilities
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -25,15 +25,14 @@
 #include <unistd.h>
 #include <sys/syscall.h>
 
+#include "libcryptsetup.h"
+#include "utils_keyring.h"
+
 #ifndef HAVE_KEY_SERIAL_T
 #define HAVE_KEY_SERIAL_T
-#include <stdint.h>
 typedef int32_t key_serial_t;
 #endif
 
-#include "utils_crypt.h"
-#include "utils_keyring.h"
-
 #ifndef ARRAY_SIZE
 # define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 #endif
@@ -178,7 +177,7 @@
 	if (ret < 0) {
 		err = errno;
 		if (buf)
-			crypt_memzero(buf, len);
+			crypt_safe_memzero(buf, len);
 		free(buf);
 		return -err;
 	}
diff -Nru cryptsetup-2.2.2/lib/utils_keyring.h cryptsetup-2.3.1/lib/utils_keyring.h
--- cryptsetup-2.2.2/lib/utils_keyring.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_keyring.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * kernel keyring syscall wrappers
  *
- * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_loop.c cryptsetup-2.3.1/lib/utils_loop.c
--- cryptsetup-2.2.2/lib/utils_loop.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_loop.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * loopback block device utilities
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_loop.h cryptsetup-2.3.1/lib/utils_loop.h
--- cryptsetup-2.2.2/lib/utils_loop.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_loop.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * loopback block device utilities
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_pbkdf.c cryptsetup-2.3.1/lib/utils_pbkdf.c
--- cryptsetup-2.2.2/lib/utils_pbkdf.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_pbkdf.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * utils_pbkdf - PBKDF settings for libcryptsetup
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/lib/utils_safe_memory.c cryptsetup-2.3.1/lib/utils_safe_memory.c
--- cryptsetup-2.2.2/lib/utils_safe_memory.c	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_safe_memory.c	2020-03-12 08:39:20.000000000 +0000
@@ -0,0 +1,102 @@
+/*
+ * utils_safe_memory - safe memory helpers
+ *
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "libcryptsetup.h"
+
+struct safe_allocation {
+	size_t	size;
+	char	data[0];
+};
+
+/*
+ * Replacement for memset(s, 0, n) on stack that can be optimized out
+ * Also used in safe allocations for explicit memory wipe.
+ */
+void crypt_safe_memzero(void *data, size_t size)
+{
+#ifdef HAVE_EXPLICIT_BZERO
+	explicit_bzero(data, size);
+#else
+	volatile uint8_t *p = (volatile uint8_t *)data;
+
+	while(size--)
+		*p++ = 0;
+#endif
+}
+
+/* safe allocations */
+void *crypt_safe_alloc(size_t size)
+{
+	struct safe_allocation *alloc;
+
+	if (!size || size > (SIZE_MAX - offsetof(struct safe_allocation, data)))
+		return NULL;
+
+	alloc = malloc(size + offsetof(struct safe_allocation, data));
+	if (!alloc)
+		return NULL;
+
+	alloc->size = size;
+	crypt_safe_memzero(&alloc->data, size);
+
+	/* coverity[leaked_storage] */
+	return &alloc->data;
+}
+
+void crypt_safe_free(void *data)
+{
+	struct safe_allocation *alloc;
+
+	if (!data)
+		return;
+
+	alloc = (struct safe_allocation *)
+		((char *)data - offsetof(struct safe_allocation, data));
+
+	crypt_safe_memzero(data, alloc->size);
+
+	alloc->size = 0x55aa55aa;
+	free(alloc);
+}
+
+void *crypt_safe_realloc(void *data, size_t size)
+{
+	struct safe_allocation *alloc;
+	void *new_data;
+
+	new_data = crypt_safe_alloc(size);
+
+	if (new_data && data) {
+
+		alloc = (struct safe_allocation *)
+			((char *)data - offsetof(struct safe_allocation, data));
+
+		if (size > alloc->size)
+			size = alloc->size;
+
+		memcpy(new_data, data, size);
+	}
+
+	crypt_safe_free(data);
+	return new_data;
+}
diff -Nru cryptsetup-2.2.2/lib/utils_storage_wrappers.c cryptsetup-2.3.1/lib/utils_storage_wrappers.c
--- cryptsetup-2.2.2/lib/utils_storage_wrappers.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_storage_wrappers.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * Generic wrapper for storage functions
  * (experimental only)
  *
- * Copyright (C) 2018, Ondrej Kozina
+ * Copyright (C) 2018-2020, Ondrej Kozina
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -20,7 +20,6 @@
  */
 
 #include <errno.h>
-#include <fcntl.h>
 #include <stdio.h>
 #include <stddef.h>
 #include <stdint.h>
@@ -108,7 +107,7 @@
 	r = device_block_adjust(cd, device, DEV_OK,
 				device_offset, &dmd.size, &dmd.flags);
 	if (r < 0) {
-		log_err(cd, _("Device %s doesn't exist or access denied."),
+		log_err(cd, _("Device %s does not exist or access denied."),
 			device_path(device));
 		return -EIO;
 	}
diff -Nru cryptsetup-2.2.2/lib/utils_storage_wrappers.h cryptsetup-2.3.1/lib/utils_storage_wrappers.h
--- cryptsetup-2.2.2/lib/utils_storage_wrappers.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_storage_wrappers.h	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * Generic wrapper for storage functions
  * (experimental only)
  *
- * Copyright (C) 2018, Ondrej Kozina
+ * Copyright (C) 2018-2020, Ondrej Kozina
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/utils_wipe.c cryptsetup-2.3.1/lib/utils_wipe.c
--- cryptsetup-2.2.2/lib/utils_wipe.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/utils_wipe.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,8 +2,8 @@
  * utils_wipe - wipe a device
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -22,7 +22,6 @@
 
 #include <stdlib.h>
 #include <errno.h>
-#include <fcntl.h>
 #include "internal.h"
 
 /*
@@ -56,7 +55,7 @@
 			      size_t alignment, char *buffer,
 			      uint64_t offset, size_t size)
 {
-	int r;
+	int r = 0;
 	unsigned int i;
 	ssize_t written;
 
diff -Nru cryptsetup-2.2.2/lib/verity/rs_decode_char.c cryptsetup-2.3.1/lib/verity/rs_decode_char.c
--- cryptsetup-2.2.2/lib/verity/rs_decode_char.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/rs_decode_char.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,7 +3,7 @@
  *
  * Copyright (C) 2002, Phil Karn, KA9Q
  * libcryptsetup modifications
- *   Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
+ *   Copyright (C) 2017-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/verity/rs_encode_char.c cryptsetup-2.3.1/lib/verity/rs_encode_char.c
--- cryptsetup-2.2.2/lib/verity/rs_encode_char.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/rs_encode_char.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,7 +3,7 @@
  *
  * Copyright (C) 2002, Phil Karn, KA9Q
  * libcryptsetup modifications
- *   Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
+ *   Copyright (C) 2017-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/verity/rs.h cryptsetup-2.3.1/lib/verity/rs.h
--- cryptsetup-2.2.2/lib/verity/rs.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/rs.h	2020-03-12 08:39:20.000000000 +0000
@@ -3,7 +3,7 @@
  *
  * Copyright (C) 2004 Phil Karn, KA9Q
  * libcryptsetup modifications
- *   Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
+ *   Copyright (C) 2017-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff -Nru cryptsetup-2.2.2/lib/verity/verity.c cryptsetup-2.3.1/lib/verity/verity.c
--- cryptsetup-2.2.2/lib/verity/verity.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/verity.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * dm-verity volume handling
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -25,7 +25,6 @@
 #include <stdint.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <fcntl.h>
 #include <netinet/in.h>
 #include <uuid/uuid.h>
 
@@ -66,7 +65,7 @@
 		sizeof(struct verity_sb), device_path(device), sb_offset);
 
 	if (params->flags & CRYPT_VERITY_NO_HEADER) {
-		log_err(cd, _("Verity device %s doesn't use on-disk header."),
+		log_err(cd, _("Verity device %s does not use on-disk header."),
 			device_path(device));
 		return -EINVAL;
 	}
@@ -169,7 +168,7 @@
 	}
 
 	if (params->flags & CRYPT_VERITY_NO_HEADER) {
-		log_err(cd, _("Verity device %s doesn't use on-disk header."),
+		log_err(cd, _("Verity device %s does not use on-disk header."),
 			device_path(device));
 		return -EINVAL;
 	}
@@ -235,6 +234,7 @@
 		     const char *name,
 		     const char *root_hash,
 		     size_t root_hash_size,
+		     const char *signature_description,
 		     struct device *fec_device,
 		     struct crypt_params_verity *verity_hdr,
 		     uint32_t activation_flags)
@@ -252,6 +252,11 @@
 		name ?: "[none]", verity_hdr->hash_name);
 
 	if (verity_hdr->flags & CRYPT_VERITY_CHECK_HASH) {
+		if (signature_description) {
+			log_err(cd, _("Root hash signature verification is not supported."));
+			return -EINVAL;
+		}
+
 		log_dbg(cd, "Verification of data in userspace required.");
 		r = VERITY_verify(cd, verity_hdr, root_hash, root_hash_size);
 
@@ -291,7 +296,8 @@
 
 	r = dm_verity_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
 			crypt_metadata_device(cd), fec_device, root_hash,
-			root_hash_size, VERITY_hash_offset_block(verity_hdr),
+			root_hash_size, signature_description,
+			VERITY_hash_offset_block(verity_hdr),
 			VERITY_hash_blocks(cd, verity_hdr), verity_hdr);
 
 	if (r)
@@ -299,7 +305,11 @@
 
 	r = dm_create_device(cd, name, CRYPT_VERITY, &dmd);
 	if (r < 0 && (dm_flags(cd, DM_VERITY, &dmv_flags) || !(dmv_flags & DM_VERITY_SUPPORTED))) {
-		log_err(cd, _("Kernel doesn't support dm-verity mapping."));
+		log_err(cd, _("Kernel does not support dm-verity mapping."));
+		r = -ENOTSUP;
+	}
+	if (r < 0 && signature_description && !(dmv_flags & DM_VERITY_SIGNATURE_SUPPORTED)) {
+		log_err(cd, _("Kernel does not support dm-verity signature option."));
 		r = -ENOTSUP;
 	}
 	if (r < 0)
diff -Nru cryptsetup-2.2.2/lib/verity/verity_fec.c cryptsetup-2.3.1/lib/verity/verity_fec.c
--- cryptsetup-2.2.2/lib/verity/verity_fec.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/verity_fec.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * dm-verity Forward Error Correction (FEC) support
  *
  * Copyright (C) 2015 Google, Inc. All rights reserved.
- * Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2017-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -20,7 +20,6 @@
  */
 
 #include <stdlib.h>
-#include <fcntl.h>
 #include <errno.h>
 
 #include "verity.h"
diff -Nru cryptsetup-2.2.2/lib/verity/verity.h cryptsetup-2.3.1/lib/verity/verity.h
--- cryptsetup-2.2.2/lib/verity/verity.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/verity.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * dm-verity volume handling
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -46,6 +46,7 @@
 		     const char *name,
 		     const char *root_hash,
 		     size_t root_hash_size,
+		     const char *signature_description,
 		     struct device *fec_device,
 		     struct crypt_params_verity *verity_hdr,
 		     uint32_t activation_flags);
@@ -57,7 +58,7 @@
 
 int VERITY_create(struct crypt_device *cd,
 		  struct crypt_params_verity *verity_hdr,
-		  char *root_hash,
+		  const char *root_hash,
 		  size_t root_hash_size);
 
 int VERITY_FEC_process(struct crypt_device *cd,
diff -Nru cryptsetup-2.2.2/lib/verity/verity_hash.c cryptsetup-2.3.1/lib/verity/verity_hash.c
--- cryptsetup-2.2.2/lib/verity/verity_hash.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/verity/verity_hash.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * dm-verity volume handling
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -102,7 +102,7 @@
 		       off_t *hash_level_block, off_t *hash_level_size)
 {
 	size_t hash_per_block_bits;
-	off_t s;
+	off_t s, s_shift;
 	int i;
 
 	if (!digest_size)
@@ -124,7 +124,10 @@
 		if (hash_level_block)
 			hash_level_block[i] = *hash_position;
 		// verity position of block data_file_blocks at level i
-		s = (data_file_blocks + ((off_t)1 << ((i + 1) * hash_per_block_bits)) - 1) >> ((i + 1) * hash_per_block_bits);
+		s_shift = (i + 1) * hash_per_block_bits;
+		if (s_shift > 63)
+			return -EINVAL;
+		s = (data_file_blocks + ((off_t)1 << s_shift) - 1) >> ((i + 1) * hash_per_block_bits);
 		if (hash_level_size)
 			hash_level_size[i] = s;
 		if ((*hash_position + s) < *hash_position ||
@@ -418,7 +421,7 @@
 /* Create verity hash */
 int VERITY_create(struct crypt_device *cd,
 		  struct crypt_params_verity *verity_hdr,
-		  char *root_hash,
+		  const char *root_hash,
 		  size_t root_hash_size)
 {
 	unsigned pgsize = (unsigned)crypt_getpagesize();
@@ -439,7 +442,7 @@
 		verity_hdr->data_block_size,
 		verity_hdr->data_size,
 		VERITY_hash_offset_block(verity_hdr),
-		root_hash,
+		CONST_CAST(char*)root_hash,
 		root_hash_size,
 		verity_hdr->salt,
 		verity_hdr->salt_size);
diff -Nru cryptsetup-2.2.2/lib/volumekey.c cryptsetup-2.3.1/lib/volumekey.c
--- cryptsetup-2.2.2/lib/volumekey.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/lib/volumekey.c	2020-03-12 08:39:20.000000000 +0000
@@ -2,7 +2,7 @@
  * cryptsetup volume key implementation
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -47,7 +47,7 @@
 		if (key)
 			memcpy(&vk->key, key, keylength);
 		else
-			crypt_memzero(&vk->key, keylength);
+			crypt_safe_memzero(&vk->key, keylength);
 	}
 
 	return vk;
@@ -120,7 +120,7 @@
 	struct volume_key *vk_next;
 
 	while (vk) {
-		crypt_memzero(vk->key, vk->keylength);
+		crypt_safe_memzero(vk->key, vk->keylength);
 		vk->keylength = 0;
 		free(CONST_CAST(void*)vk->key_description);
 		vk_next = vk->next;
diff -Nru cryptsetup-2.2.2/man/cryptsetup.8 cryptsetup-2.3.1/man/cryptsetup.8
--- cryptsetup-2.2.2/man/cryptsetup.8	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/man/cryptsetup.8	2020-03-12 08:39:20.000000000 +0000
@@ -12,7 +12,7 @@
 hand, the header is visible and vulnerable to damage.
 
 In addition, cryptsetup provides limited support for the use of
-loop-AES volumes and for TrueCrypt compatible volumes.
+loop-AES volumes, TrueCrypt, VeraCrypt and BitLocker compatible volumes.
 
 .SH PLAIN DM-CRYPT OR LUKS?
 .PP
@@ -84,6 +84,8 @@
 \fBloopaesOpen\fR: open \-\-type loopaes
 .br
 \fBtcryptOpen\fR: open \-\-type tcrypt
+.br
+\fBbitlkOpen\fR: open \-\-type bitlk
 
 \fB<options>\fR are type specific and are described below
 for individual device types. For \fBcreate\fR, the order of the <name>
@@ -743,6 +745,47 @@
 
 Please note that cryptsetup does not use TrueCrypt code, please report
 all problems related to this compatibility extension to the cryptsetup project.
+
+.SH BITLK (Windows BitLocker-compatible) EXTENSION (EXPERIMENTAL)
+cryptsetup supports mapping of BitLocker and BitLocker to Go encrypted partition
+using a native Linux kernel API.
+Header formatting and BITLK header changes are not supported, cryptsetup
+never changes BITLK header on-device.
+
+\fBWARNING:\fR This extension is EXPERIMENTAL.
+
+BITLK extension requires kernel userspace crypto API to be available
+(for details see TCRYPT section).
+
+Cryptsetup should recognize all BITLK header variants, except legacy
+header used in Windows Vista systems and partially decrypted BitLocker devices.
+Activation of legacy devices encrypted in CBC mode requires at least
+Linux kernel version 5.3 and for devices using Elephant diffuser kernel 5.6.
+
+The \fBbitlkDump\fR command should work for all recognized BITLK devices
+and doesn't require superuser privilege.
+
+For unlocking with the \fBopen\fR a password or a recovery passphrase must
+be provided. Other unlocking methods (TPM, SmartCard) are not supported.
+
+.PP
+\fIopen\fR \-\-type bitlk <device> <name>
+.br
+\fIbitlkOpen\fR <device> <name>  (\fBold syntax\fR)
+.IP
+Opens the BITLK (a BitLocker-compatible) <device> and sets up
+a mapping <name>.
+
+\fB<options>\fR can be [\-\-key\-file, \-\-readonly, \-\-test\-passphrase,
+\-\-allow-discards].
+
+.PP
+\fIbitlkDump\fR <device>
+.IP
+Dump the header information of a BITLK device.
+
+Please note that cryptsetup does not use any Windows BitLocker code, please report
+all problems related to this compatibility extension to the cryptsetup project.
 .SH MISCELLANEOUS
 .PP
 \fIrepair\fR <device>
@@ -1128,6 +1171,7 @@
 .B "\-\-allow\-discards\fR"
 Allow the use of discard (TRIM) requests for the device.
 This option is only relevant for \fIopen\fR action.
+This is also not supported for LUKS2 devices with data integrity protection.
 
 \fBWARNING:\fR This command can have a negative security impact
 because it can make filesystem-level operations visible on
@@ -1576,6 +1620,9 @@
 If you want to format LUKS2 device with data integrity protection,
 use \fI\-\-integrity\fR option.
 
+Since dm-integrity doesn't support discards (TRIM), dm-crypt device on top of it
+inherits this, so integrity protection mode doesn't support discards either.
+
 Some integrity modes requires two independent keys (key for encryption
 and for authentication). Both these keys are stored in one LUKS keyslot.
 
@@ -1636,9 +1683,9 @@
 .br
 Copyright \(co 2012-2014 Arno Wagner
 .br
-Copyright \(co 2009-2019 Red Hat, Inc.
+Copyright \(co 2009-2020 Red Hat, Inc.
 .br
-Copyright \(co 2009-2019 Milan Broz
+Copyright \(co 2009-2020 Milan Broz
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff -Nru cryptsetup-2.2.2/man/cryptsetup-reencrypt.8 cryptsetup-2.3.1/man/cryptsetup-reencrypt.8
--- cryptsetup-2.2.2/man/cryptsetup-reencrypt.8	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/man/cryptsetup-reencrypt.8	2020-03-12 08:39:20.000000000 +0000
@@ -285,9 +285,9 @@
 .SH AUTHORS
 Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>.
 .SH COPYRIGHT
-Copyright \(co 2012-2019 Milan Broz
+Copyright \(co 2012-2020 Milan Broz
 .br
-Copyright \(co 2012-2019 Red Hat, Inc.
+Copyright \(co 2012-2020 Red Hat, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff -Nru cryptsetup-2.2.2/man/integritysetup.8 cryptsetup-2.3.1/man/integritysetup.8
--- cryptsetup-2.2.2/man/integritysetup.8	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/man/integritysetup.8	2020-03-12 08:39:20.000000000 +0000
@@ -165,8 +165,8 @@
 .TP
 .B "\-\-journal\-crypt ALGORITHM"
 Encryption algorithm for journal data area.
-You can use a block cipher here such as cbc(aes) or
-a stream cipher, for example, chacha20 or ctr(aes).
+You can use a block cipher here such as cbc-aes or
+a stream cipher, for example, chacha20 or ctr-aes.
 .TP
 .B "\-\-journal\-crypt\-key\-size BYTES"
 The size of the journal encryption key.
@@ -223,9 +223,9 @@
 The integritysetup tool is written by Milan Broz <gmazyland@gmail.com>
 and is part of the cryptsetup project.
 .SH COPYRIGHT
-Copyright \(co 2016-2019 Red Hat, Inc.
+Copyright \(co 2016-2020 Red Hat, Inc.
 .br
-Copyright \(co 2016-2019 Milan Broz
+Copyright \(co 2016-2020 Milan Broz
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff -Nru cryptsetup-2.2.2/man/veritysetup.8 cryptsetup-2.3.1/man/veritysetup.8
--- cryptsetup-2.2.2/man/veritysetup.8	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/man/veritysetup.8	2020-03-12 08:39:20.000000000 +0000
@@ -40,7 +40,7 @@
 
 \fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock,
 \-\-ignore-corruption or \-\-restart-on-corruption, \-\-ignore-zero-blocks,
-\-\-check-at-most-once]
+\-\-check-at-most-once, \-\-root-hash-signature]
 
 If option \-\-no-superblock is used, you have to use as the same options
 as in initial format operation.
@@ -165,6 +165,10 @@
 Number of generator roots. This equals to the number of parity bytes in the encoding data.
 In RS(M, N) encoding, the number of roots is M-N. M is 255 and M-N is between 2 and 24 (including).
 .TP
+.B "\-\-root-hash-signature=FILE"
+Path to roothash signature file used to verify the root hash (in kernel).
+This feature requires Linux kernel version 5.4 or more recent.
+.TP
 .SH RETURN CODES
 Veritysetup returns 0 on success and a non-zero value on error.
 
@@ -215,9 +219,9 @@
 This version is based on verification code written by Mikulas Patocka <mpatocka@redhat.com>
 and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.
 .SH COPYRIGHT
-Copyright \(co 2012-2019 Red Hat, Inc.
+Copyright \(co 2012-2020 Red Hat, Inc.
 .br
-Copyright \(co 2012-2019 Milan Broz
+Copyright \(co 2012-2020 Milan Broz
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
diff -Nru cryptsetup-2.2.2/misc/luks2_keyslot_example/keyslot_test.c cryptsetup-2.3.1/misc/luks2_keyslot_example/keyslot_test.c
--- cryptsetup-2.2.2/misc/luks2_keyslot_example/keyslot_test.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/misc/luks2_keyslot_example/keyslot_test.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * Example of LUKS2 kesylot handler (EXAMPLE)
  *
- * Copyright (C) 2016-2019 Milan Broz <gmazyland@gmail.com>
+ * Copyright (C) 2016-2020 Milan Broz <gmazyland@gmail.com>
  *
  * Use:
  *  - generate LUKS device
diff -Nru cryptsetup-2.2.2/misc/luks2_keyslot_example/keyslot_test_remote_pass.c cryptsetup-2.3.1/misc/luks2_keyslot_example/keyslot_test_remote_pass.c
--- cryptsetup-2.2.2/misc/luks2_keyslot_example/keyslot_test_remote_pass.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/misc/luks2_keyslot_example/keyslot_test_remote_pass.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * Example of LUKS2 token storing third party metadata (EXAMPLE)
  *
- * Copyright (C) 2016-2019 Milan Broz <gmazyland@gmail.com>
+ * Copyright (C) 2016-2020 Milan Broz <gmazyland@gmail.com>
  *
  * Use:
  *  - generate LUKS device
diff -Nru cryptsetup-2.2.2/po/cryptsetup.pot cryptsetup-2.3.1/po/cryptsetup.pot
--- cryptsetup-2.2.2/po/cryptsetup.pot	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/cryptsetup.pot	2020-03-12 08:39:20.000000000 +0000
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,617 +16,636 @@
 "Content-Type: text/plain; charset=CHARSET\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr ""
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr ""
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr ""
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr ""
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr ""
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr ""
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random "
 "events.\n"
 msgstr ""
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr ""
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr ""
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr ""
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr ""
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr ""
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr ""
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr ""
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr ""
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr ""
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr ""
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr ""
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr ""
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr ""
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr ""
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr ""
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr ""
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr ""
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr ""
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr ""
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr ""
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr ""
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr ""
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr ""
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr ""
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr ""
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr ""
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr ""
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr ""
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr ""
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr ""
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid ""
 "WARNING: The device activation will fail, dm-crypt is missing support for "
 "requested encryption sector size.\n"
 msgstr ""
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr ""
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr ""
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr ""
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr ""
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr ""
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr ""
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr ""
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr ""
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr ""
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr ""
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr ""
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr ""
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr ""
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr ""
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr ""
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr ""
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr ""
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr ""
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid ""
+"WARNING: Requested tag size %d bytes differs from %s size output (%d "
+"bytes).\n"
+msgstr ""
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr ""
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr ""
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr ""
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr ""
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr ""
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr ""
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr ""
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr ""
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr ""
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr ""
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr ""
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr ""
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr ""
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr ""
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr ""
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr ""
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr ""
 
-#: lib/setup.c:3219 lib/setup.c:3407
-msgid "Cannot add key slot, all slots disabled and no volume key provided."
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
 msgstr ""
 
-#: lib/setup.c:3359
-msgid "Failed to swap new key slot."
+#: lib/setup.c:3343 lib/setup.c:3531
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr ""
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
+#: lib/setup.c:3483
+msgid "Failed to swap new key slot."
 msgstr ""
 
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr ""
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr ""
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr ""
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr ""
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr ""
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr ""
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr ""
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr ""
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr ""
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr ""
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr ""
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr ""
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr ""
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr ""
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr ""
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr ""
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr ""
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr ""
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr ""
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr ""
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr ""
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr ""
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr ""
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr ""
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr ""
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr ""
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr ""
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr ""
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr ""
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr ""
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr ""
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr ""
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr ""
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr ""
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr ""
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr ""
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr ""
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr ""
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr ""
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr ""
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr ""
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr ""
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr ""
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr ""
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr ""
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr ""
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr ""
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr ""
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid ""
 "Attaching loopback device failed (loop device with autoclear flag is "
 "required)."
 msgstr ""
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr ""
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr ""
@@ -694,259 +713,264 @@
 msgid "Not compatible PBKDF options."
 msgstr ""
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid ""
 "Locking aborted. The locking path %s/%s is unusable (not a directory or "
 "missing)."
 msgstr ""
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr ""
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid ""
 "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr ""
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr ""
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
 "Check that kernel supports %s cipher (check syslog for more info)."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr ""
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr ""
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr ""
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr ""
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr ""
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr ""
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid ""
 "does not contain LUKS header. Replacing header can destroy data on that "
 "device."
 msgstr ""
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid ""
 "already contains LUKS header. Replacing header will destroy existing "
 "keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
 msgstr ""
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr ""
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr ""
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr ""
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr ""
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr ""
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr ""
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr ""
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid ""
 "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr ""
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr ""
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr ""
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr ""
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr ""
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr ""
@@ -964,97 +988,197 @@
 msgstr ""
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr ""
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr ""
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid ""
+"Unexpected metadata entry type '%u' found when parsing supported Volume "
+"Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
 msgstr ""
 
-#: lib/verity/verity.c:91
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid ""
+"Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid ""
+"Unexpected metadata entry value '%u' found when parsing supported Volume "
+"Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1192
+msgid ""
+"Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:1196
+msgid ""
+"Cannot activate device, kernel dm-crypt is missing support for BITLK "
+"Elephant diffuser."
+msgstr ""
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
+#, c-format
+msgid "Verity device %s does not use on-disk header."
+msgstr ""
+
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr ""
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr ""
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr ""
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr ""
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr ""
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr ""
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr ""
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr ""
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
+msgstr ""
+
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
 msgstr ""
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr ""
 
@@ -1063,94 +1187,98 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr ""
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr ""
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr ""
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr ""
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr ""
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid ""
 "WARNING: Kernel cannot activate device if data block size exceeds page size "
 "(%u)."
 msgstr ""
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr ""
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr ""
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr ""
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr ""
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr ""
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr ""
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr ""
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
+msgstr ""
+
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
 msgstr ""
 
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr ""
@@ -1177,111 +1305,113 @@
 "keyslot count is very limited.\n"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid ""
 "Binary header with keyslot areas size differ on device and backup, restore "
 "failed."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid ""
 "does not contain LUKS2 header. Replacing header can destroy data on that "
 "device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid ""
 "already contains LUKS2 header. Replacing header will destroy existing "
 "keyslots."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
 "Replacing header with backup may corrupt the data on that device!"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
 "Replacing header with backup may corrupt data."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid ""
+"Operation incompatible with device marked for legacy reencryption. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid ""
+"Operation incompatible with device marked for LUKS2 reencryption. Aborting."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr ""
 
@@ -1294,57 +1424,61 @@
 msgid "No space for new keyslot."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr ""
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid ""
 "Cannot convert to LUKS1 format - default segment encryption sector size is "
 "not 512 bytes."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid ""
 "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid ""
 "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still "
 "active."
 msgstr ""
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr ""
@@ -1366,7 +1500,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr ""
 
@@ -1378,7 +1512,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr ""
@@ -1444,121 +1578,121 @@
 "sectors)."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr ""
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
+msgid "Device not marked for LUKS2 reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid ""
 "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> "
 "sectors long."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr ""
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr ""
 
@@ -1571,385 +1705,390 @@
 msgid "Failed to create builtin token %s."
 msgstr ""
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr ""
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr ""
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid ""
 "WARNING: The --hash parameter is being ignored in plain mode with keyfile "
 "specified.\n"
 msgstr ""
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid ""
 "WARNING: The --keyfile-size option is being ignored, the read size is the "
 "same as the encryption key size.\n"
 msgstr ""
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid ""
 "Detected device signature(s) on %s. Proceeding further may damage existing "
 "data."
 msgstr ""
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr ""
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr ""
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr ""
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr ""
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr ""
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr ""
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr ""
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr ""
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
 "This dump should be always stored encrypted on safe place."
 msgstr ""
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr ""
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid ""
 "Resize of active device requires volume key in keyring but --disable-keyring "
 "option is set."
 msgstr ""
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr ""
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr ""
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr ""
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr ""
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid ""
 "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit "
 "key (requested %u ms time)\n"
 msgstr ""
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr ""
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr ""
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr ""
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr ""
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr ""
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr ""
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
 msgstr ""
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr ""
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr ""
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr ""
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will "
 "contain invalid checksum).\n"
 msgstr ""
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr ""
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr ""
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr ""
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr ""
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr ""
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr ""
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr ""
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr ""
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr ""
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid ""
 "Cannot determine volume key size for LUKS without keyslots, please use --key-"
 "size option."
 msgstr ""
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr ""
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr ""
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid ""
 "This is the last keyslot. Device will become unusable after purging this key."
 msgstr ""
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr ""
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr ""
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr ""
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr ""
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr ""
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr ""
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr ""
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr ""
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr ""
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr ""
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr ""
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
 "Device will become unusable after this operation."
 msgstr ""
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr ""
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr ""
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr ""
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr ""
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr ""
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr ""
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr ""
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr ""
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr ""
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr ""
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr ""
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr ""
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr ""
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr ""
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1958,256 +2097,261 @@
 "To run reencryption in online mode, use --active-name parameter instead.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr ""
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid ""
 "Encryption without detached header (--header) is not possible without data "
 "device size reduction (--reduce-device-size)."
 msgstr ""
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid ""
 "Requested data offset must be less than or equal to half of --reduce-device-"
 "size parameter."
 msgstr ""
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid ""
 "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> "
 "(sectors).\n"
 msgstr ""
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr ""
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid ""
 "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr ""
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr ""
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr ""
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
+msgid "%s/%s is now active and ready for online encryption.\n"
 msgstr ""
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr ""
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid ""
 "Key file can be used only with --key-slot or with exactly one key slot "
 "active."
 msgstr ""
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr ""
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr ""
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr ""
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid ""
 "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt "
 "tool for LUKS1."
 msgstr ""
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid ""
 "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt "
 "utility."
 msgstr ""
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr ""
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr ""
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr ""
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr ""
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr ""
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr ""
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr ""
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr ""
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr ""
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr ""
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr ""
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr ""
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr ""
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr ""
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr ""
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr ""
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr ""
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr ""
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr ""
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr ""
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr ""
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr ""
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr ""
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr ""
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr ""
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr ""
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr ""
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr ""
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr ""
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr ""
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr ""
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
 msgstr ""
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, "
+"bitlkClose\n"
 msgstr ""
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2217,14 +2361,14 @@
 "<key file> optional key file for the new key for luksAddKey action\n"
 msgstr ""
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in metadata format is %s (for luksFormat action).\n"
 msgstr ""
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2236,7 +2380,7 @@
 "\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n"
 msgstr ""
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2246,707 +2390,722 @@
 "\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
 msgstr ""
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid ""
 "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr ""
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr ""
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr ""
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr ""
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr ""
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr ""
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr ""
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr ""
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr ""
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr ""
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr ""
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr ""
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr ""
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr ""
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr ""
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr ""
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr ""
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr ""
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr ""
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr ""
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr ""
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr ""
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr ""
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr ""
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr ""
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr ""
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr ""
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr ""
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr ""
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr ""
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr ""
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr ""
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr ""
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr ""
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr ""
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr ""
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr ""
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr ""
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr ""
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr ""
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr ""
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr ""
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr ""
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr ""
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr ""
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr ""
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr ""
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr ""
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid ""
+"Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 msgstr ""
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr ""
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr ""
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr ""
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr ""
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr ""
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr ""
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr ""
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr ""
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr ""
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr ""
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr ""
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr ""
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr ""
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr ""
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr ""
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr ""
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr ""
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr ""
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr ""
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr ""
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr ""
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr ""
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr ""
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr ""
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr ""
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr ""
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr ""
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr ""
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr ""
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr ""
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr ""
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr ""
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr ""
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr ""
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr ""
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr ""
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr ""
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr ""
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr ""
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr ""
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr ""
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr ""
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr ""
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr ""
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr ""
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr ""
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid ""
 "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-"
 "size=(bytes)."
 msgstr ""
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr ""
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid ""
 "Option --integrity-no-wipe can be used only for format action with integrity "
 "extension.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid ""
 "Options --label and --subsystem are allowed only for luksFormat and config "
 "LUKS2 operations.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3640
+#: src/cryptsetup.c:3719
 msgid ""
-"Option --test-passphrase is allowed only for open of LUKS and TCRYPT "
+"Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK "
 "devices.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr ""
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr ""
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr ""
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr ""
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr ""
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr ""
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr ""
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr ""
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr ""
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid ""
 "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only "
 "for luksFormat with LUKS2."
 msgstr ""
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid ""
 "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid ""
 "Option --offset is supported only for open of plain and loopaes devices, "
 "luksFormat and device reencryption.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid ""
 "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only "
 "for TCRYPT device.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid ""
 "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid ""
 "Option --veracrypt-query-pim is supported only for VeraCrypt compatible "
 "devices.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid ""
 "The options --veracrypt-pim and --veracrypt-query-pim are mutually "
 "exclusive.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid ""
 "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/"
 "argon2id.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid ""
 "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr ""
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr ""
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr ""
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr ""
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr ""
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr ""
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr ""
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr ""
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr ""
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr ""
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr ""
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr ""
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr ""
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr ""
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr ""
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr ""
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr ""
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr ""
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr ""
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr ""
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr ""
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr ""
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr ""
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2956,7 +3115,7 @@
 "<root_hash> hash of the root node on <hash_device>\n"
 msgstr ""
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2965,93 +3124,101 @@
 "Hash format: %u\n"
 msgstr ""
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr ""
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr ""
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr ""
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr ""
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr ""
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr ""
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr ""
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr ""
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr ""
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr ""
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr ""
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr ""
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr ""
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr ""
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr ""
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr ""
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr ""
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr ""
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr ""
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr ""
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr ""
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid ""
 "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks "
 "is allowed only for open operation.\n"
 msgstr ""
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr ""
+
+#: src/veritysetup.c:592
 msgid ""
 "Option --ignore-corruption and --restart-on-corruption cannot be used "
 "together.\n"
@@ -3067,20 +3234,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr ""
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr ""
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr ""
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr ""
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3088,162 +3255,162 @@
 "<integrity_device> is the device containing data with integrity tags\n"
 msgstr ""
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr ""
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr ""
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr ""
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr ""
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr ""
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr ""
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr ""
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr ""
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr ""
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr ""
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr ""
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr ""
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr ""
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr ""
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr ""
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr ""
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr ""
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr ""
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr ""
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr ""
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr ""
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr ""
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr ""
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr ""
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr ""
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid ""
 "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and "
 "--no-wipe can be used only for format action.\n"
 msgstr ""
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr ""
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr ""
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid ""
 "Journal integrity algorithm must be specified if journal integrity key is "
 "used."
 msgstr ""
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid ""
 "Both journal encryption key file and key size options must be specified."
 msgstr ""
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid ""
 "Journal encryption algorithm must be specified if journal encryption key is "
 "used."
 msgstr ""
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr ""
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr ""
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr ""
 
@@ -3256,7 +3423,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr ""
 
@@ -3305,197 +3472,197 @@
 msgid "Activation of temporary devices failed."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid ""
 "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid ""
 "No decryption in progress, provided UUID can be used only to resume "
 "suspended decryption process."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid ""
 "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid ""
 "Option --new must be used together with --reduce-device-size or --header."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid ""
 "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-"
 "iterations."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr ""
 
diff -Nru cryptsetup-2.2.2/po/cs.po cryptsetup-2.3.1/po/cs.po
--- cryptsetup-2.2.2/po/cs.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/cs.po	2020-03-12 08:39:20.000000000 +0000
@@ -3,7 +3,7 @@
 # This file is distributed under the same license as the cryptsetup package.
 # Milan Broz <mbroz@redhat.com>, 2010.
 # Petr Pisar <petr.pisar@atlas.cz>, 2010, 2011, 2012, 2013, 2014, 2015, 2016.
-# Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019.
+# Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019, 2020.
 #
 # See `LUKS On-Disk Format Specification' document to clarify some terms.
 #
@@ -18,14 +18,15 @@
 # refresh → reaktivace
 # resume → probudit, dokončit
 # segment → část
+# signature → značka, vzorec nebo podpis (záleží na kontextu)
 # suspend → uspat
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-31 18:16+01:00\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 21:06+01:00\n"
 "Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
 "Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
 "Language: cs\n"
@@ -35,65 +36,65 @@
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Nelze inicializovat device-mapper, nespuštěno superuživatelem."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Nelze inicializovat device-mapper. Je jaderný modul dm_mod zaveden?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "Požadovaný příznak pozdrženo není podporován."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID pro zařízení %s bylo zkráceno."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "Neznámý druh cíle DM."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Požadované výkonnostní volby dm-cryptu nejsou podporovány."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Požadované volby, jak zacházet s poškozením dat dm-verity, nejsou podporovány."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Požadované FEC volby dm-cryptu nejsou podporovány."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Požadované volby integrity dat nejsou podporovány."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "Požadované volby sector_size není podporována."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Požadovaný automatický přepočet značek integrity není podporován."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Požadovaný režim bitmapy integrity DM není podporován."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Zahazování (TRIM) není podporováno."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Dotaz na část dm-%s selhal."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -102,550 +103,567 @@
 "Aby bylo možné nasbírat náhodné události, žádáme uživatele, aby pohyboval\n"
 "myší nebo psal text do jiného okna.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Vytváří se klíč (%d %% hotovo).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Režim FIPS zapnut."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Fatální chyba během přípravy generátoru náhodných čísel."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "Požadována neznámá kvalita generátoru náhodných čísel."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Chyba při čtení z generátoru náhodných čísel."
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Implementaci šifrovacího generátoru náhodných čísel nelze inicializovat."
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "Implementaci šifrování nelze inicializovat."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hašovací algoritmus %s není podporován."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Chyba zpracování klíče (za použití haše %s)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Druh zařízení nelze určit. Nekompatibilní aktivace zařízení?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Tato operace je podporována jen u zařízení LUKS."
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Tato operace je podporována jen u zařízení LUKS2."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Všechny pozice klíčů jsou obsazeny."
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Pozice klíče %d není platná, prosím, vyberte číslo mezi 0 a %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Pozice klíče %d je obsazena, prosím, vyberte jinou."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "Velikost zařízení není zarovnaná na velikost logického sektoru zařízení."
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Nalezena hlavička, ale zařízení %s je příliš malé."
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Tato operace není na zařízení tohoto typu podporována."
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Zakázaná operace spolu s probíhajícím přešifrování."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nepodporovaná verze LUKS %d."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Zařízení s oddělenými metadaty není na šifře tohoto typu podporováno."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "Zařízení %s není aktivní."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Zařízení nižší úrovně pod šifrovaným zařízením %s zmizelo."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Neplatné parametry plain šifry."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Neplatná velikost klíče."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID není na šifře tohoto typu podporováno."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Nepodporovaná velikost šifrovaného sektoru."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "Velikost zařízení není zarovnaná na požadovanou velikost sektoru."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "LUKS nelze bez zařízení naformátovat."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Požadované zarovnání dat není slučitelné s polohou dat."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "POZOR: Poloha dat je mimo nyní dostupné zařízení s daty.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Ze zařízení %s nelze odstranit hlavičku."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "POZOR: Aktivace zařízení selže, dm-crypt nepodporuje požadovanou velikost šifrovaného sektoru.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Klíč svazku je příliš malý na šifrovaní s rozšířeními pro integritu."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Šifra %s-%s (velikost klíče %zd bitů) není dostupná."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "POZOR: Metadata LUKS2 změnila velikost na %<PRIu64> bajtů.\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "POZOR: Oblast s pozicemi klíčů pro LUKS2 změnila velikost na %<PRIu64> bajtů.\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Zařízení %s je příliš malé."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Zařízení %s, které se používá, nelze formátovat."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Zařízení %s nelze formátovat, povolení zamítnuto."
 
 # FIXME "format integrity" is nonsense
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Zařízení %s není možné formátovat integritu."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Zařízení %s nelze formátovat."
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "LOOPAES nelze bez zařízení naformátovat."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "VERITY nelze bez zařízení naformátovat."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nepodporovaný druh VERITY haše %d."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "Nepodporovaná velikost bloku VERITY."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Nepodporovaná poloha haše VERITY."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nepodporovaná poloha VERITY FEC."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "Oblast dat se překrývá s oblastí haše."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "Oblast FEC se překrývá s oblastí haše."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "Oblast dat se překrývá s oblastí FEC."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "POZOR: Požadovaná velikost značky %d bajtů se liší od výstupu velikosti %s (%d bajtů).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Požadován neznámý typ šifrovaného zařízení %s."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nepodporované parametry na zařízení %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Neodpovídající parametry an za zařízení %s."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Zařízení dmcryptu si neodpovídají."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Zařízení %s nebylo možné znovu zavést."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Zařízení %s nebylo možné pozastavit."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Zařízení %s nebylo možné probudit."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Nepřekonatelná chyba při zavádění zařízení %s (nad zařízením %s)."
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Zařízení %s nebylo možné přepnout do dm-error."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "Nelze změnit velikost zařízení zpětné smyčky."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "Opravdu chcete změnit UUID zařízení?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Soubor se zálohou hlavičky neobsahuje kompatibilní hlavičku LUKS."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Svazek %s není aktivní."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Svazek %s je již uspán."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Uspání není na zařízení %s podporováno."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Chyba při uspávání zařízení %s."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Svazek %s není uspán."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Probuzení není na zařízení %s podporováno."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Chyba při probouzení zařízení %s."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "Heslo svazku neodpovídá svazku."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Nelze přidat pozici klíče, všechny pozice jsou zakázány a klíč svazku nebyl poskytnut."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "Záměna novou pozicí klíče se nezdařila."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "Heslo svazku neodpovídá svazku."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Pozice klíče %d je neplatná."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Pozice klíče %d není aktivní."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "Hlavička zařízení se překrývá s datovou oblastí."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Přešifrování již probíhá. Zařízení nelze aktivovat."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "Získání zámku pro přešifrování selhalo."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Obnova přešifrování LUKS2 selhalo."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Typ zařízení není řádně inicializován."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Zařízení %s nelze použít. Název není platný nebo zařízení se stále používá."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "Zařízení %s již existuje."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Byl zadán neplatný klíč svazku."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "K zařízení VERITY byl zadán neplatný kořenový haš."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Je potřeba podpis kořenového otisku."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Jaderná klíčenka chybí: je potřeba pro předání podpisu do jádra."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "Klíč se nepodařilo přidat do jaderné klíčenky."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Zařízení %s se stále používá."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Neplatné zařízení %s."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "Vyhrazená paměť pro klíč svazku je příliš malá."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Nelze získat klíč svazku pro otevřené zařízení."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "K zařízení VERITY nelze získat kořenový otisk."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Na šifrovaném zařízení %s není tato operace podporována."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "Operace výpisu není na zařízení tohoto typu podporována."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Počátek dat není násobkem %u bajtů."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Zařízení %s, které se stále používá, nelze konvertovat."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Přiřazení pozice klíče %u jakožto nového klíče svazku se nezdařilo."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Inicializace parametrů výchozí pozice klíče LUKS2 selhala."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Přiřazení pozice klíče %d k otisku se nezdařilo."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "Klíč se nepodařilo přidat do jaderné klíčenky."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Jaderná klíčenka není jádrem podporována."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Čtení hesla z klíčenky selhalo (chyba %d)."
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Získání zámku pro tvrdý přístup do globální paměti selhalo."
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "Nelze zjistit prioritu procesu."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "Paměť nelze odemknout."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "Soubor s klíčem se nepodařilo otevřít."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "Soubor s klíčem nelze z terminálu přečíst."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "O souboru s klíčem nebylo možné zjistit údaje."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Nelze se přesunout na požadované místo v souboru s klíčem."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Při čtení hesla došla paměť."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Chyba při čtení hesla."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "Na vstupu není nic k přečtení."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Maximální délka souboru s klíčem překročena."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "Požadované množství dat nelze načíst."
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Zařízení %s neexistuje nebo přístup byl zamítnut."
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Zařízení %s není kompatibilní."
 
 # TODO: Pluralize
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Zařízení %s je příliš malé. Je třeba alespoň %<PRIu64> bajtů."
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Zařízení %s nelze použít, protože se již používá (již namapováno nebo připojeno)."
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Zařízení %s nelze použít, povolení zamítnuto."
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "O zařízení %s nelze získat údaje."
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Zařízení typu loopback nelze použít, nespuštěno superuživatelem."
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Připojení zařízení zpětné smyčky selhalo (požadováno zařízení s příznakem autoclear)."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Požadovaná poloha je za hranicí skutečné velikosti zařízení %s."
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Zařízení %s má nulovou velikost."
@@ -712,32 +730,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "Neslučitelné volby PBKDF."
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (není adresářem nebo neexistuje)."
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "POZOR: Adresář se zámkem %s/%s chybí!\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Zamykání zrušeno. Zamykací cesta %s/%s je nepoužitelná (%s není adresářem)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "Nelze se přesunout na požadované místo v zařízení."
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Chyba při čištění zařízení na pozici %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -746,120 +764,120 @@
 "Nepodařilo se nastavit mapování klíče v dm-cryptu pro zařízení %s.\n"
 "Zkontrolujte, že jádro podporuje šifru %s (podrobnosti v syslogu)."
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "V režimu XTS musí být velikost klíče 256 nebo 512 bitů."
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Zápis šifry by měl být ve tvaru [šifra]-[režim]-[iv]."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Na zařízení %s nelze zapsat, povolení zamítnuto."
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "Otevření dočasného zařízení s úložištěm klíče selhalo."
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "Přístup do dočasného zařízení s úložištěm klíče selhal."
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "Chyba vstupu/výstupu při šifrování pozice klíče."
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Zařízení %s nelze otevřít."
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "Chyba vstupu/výstupu při dešifrování pozice klíče."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Zařízení %s je příliš malé. (LUKS1 vyžaduje alespoň %<PRIu64> bajtů.)"
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "Pozice %u klíče LUKS není platná."
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Zařízení %s není platným zařízením LUKS."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Požadovaný soubor se zálohou hlavičky %s již existuje."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Soubor se zálohou hlavičky %s nelze vytvořit."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Nelze zapsat soubor %s se zálohou hlavičky."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Záložní soubor neobsahuje platnou hlavičku LUKS."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Nelze otevřít soubor se zálohou hlavičky %s."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Soubor se zálohou hlavičky %s nelze načíst."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Počátek dat nebo velikost klíče se liší mezi zařízením a zálohou, obnova se nezdařila."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Zařízení %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "neobsahuje hlavičku LUKS. Nahrazení hlavičky může zničit data na daném zařízení."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "již obsahuje hlavičku LUKS. Nahrazení hlavičky zničí existující pozice s klíči."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -867,101 +885,106 @@
 "\n"
 "POZOR: hlavička ve skutečném zařízení má jiné UUID než záloha!"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "Nestandardní velikost klíče, je třeba ruční opravy."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Nestandardní zarovnání pozice klíče, je třeba ruční opravy."
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Opravují se pozice klíčů."
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Pozice klíče %i: poloha opravena (%u → %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Pozice klíče %i: proklad opraven (%u → %u)."
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Pozice klíče %i: chybná značka oddílu."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Pozice klíče %i: sůl vymazána."
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "Hlavička LUKS se zapisuje na disk."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "Oprava selhala."
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Požadovaný haš LUKSu %s není podporován."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "V hlavičce LUKS nenalezen žádný známý problém."
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Chyba při aktualizaci hlavičky LUKS na zařízení %s."
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Chyba při opakovaném čtení hlavičky LUKS po aktualizaci zařízení %s."
 
 # TODO: Pluralize
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Poloha dat u hlavičky LUKS musí být buď 0 nebo více než velikost hlavičky."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "Poskytnut UUID LUKSu ve špatném tvaru."
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Hlavičku LUKS nelze vytvořit: čtení náhodné soli selhalo."
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Hlavičku LUKS nelze vytvořit: výpočet otisku hlavičky (haš %s) selhal."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Pozice klíče %d je aktivní, nejprve ji uvolněte."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Pozice klíče %d obsahuje příliš málo útržků. Manipulace s hlavičkou?"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Pozici s klíčem nezle otevřít (za použití haše %s)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Pozice klíče %d není platná, prosím, vyberte pozici mezi 0 a %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Zařízení %s není možné smazat."
@@ -979,98 +1002,190 @@
 msgstr "Zjištěn nekompatibilní soubor s klíčem loop-AES."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Jádro nepodporuje mapování kompatibilní s loop-AES."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Chyba při čtení souboru s klíčem %s"
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Překročena maximální délka hesla TCRYPT (%d)."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Překročena maximální délka hesla TCRYPT (%zu)."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Hašovací algoritmus PBKDF2 %s není podporován, přeskakuje se."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "Požadované kryptografické rozhraní jádra není dostupné."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Ujistěte se, že jaderný modul algif_skcipher je zaveden."
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivace nad sektory o velikosti %d není podporována."
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Jádro nepodporuje aktivaci v tomto zastaralém režimu TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Aktivuje se systémové šifrování TCRYPT pro oddíl %s."
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Jádro nepodporuje mapování kompatibilní s TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Bez dat s hlavičkou TCRYPT není tato funkce podporována."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Při rozboru podporovaného hlavního klíče svazku byla nalezena položka nečekaného typu „%u“."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Při rozboru hlavního svazku klíče byl nalezen neplatný řetězec."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Při rozboru hlavního klíče svazku byl nalezen nečekaný řetězec („%s“)."
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Při rozboru hlavního klíče svazku byl nalezen záznam metadat s nečekanou hodnotou „%u“."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Z %s nebylo možné načíst vzorec BITLK."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK verze 1 není v současnosti podporován."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Neplatná nebo neznámá značka zavaděče zařízení BITLK."
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Neplatná nebo neznámá značka zařízení BITLK."
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Z %s nebylo možné načíst hlavičku BITLK."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Z %s nebylo možné přečíst metadata BITLK FVE."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Neznámý nebo nepodporovaný druh šifrování."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Z %s nebylo možné načíst položky metadat BITLK."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Tato operace není podporována."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Špatná velikost klíče."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Toto zařízení BITLK je v nepodporovaném stavu a nelze jej aktivovat."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Zařízení BITLK s typem „%s“ nelze aktivovat."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Aktivace částečně dešifrovaného zařízení BITLK není podporována."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu inicializačního vektoru BITLK."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Zařízení nelze aktivovat. Jaderný dm-crypt postrádá podporu difuzéru Elephant BITLK."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Verity device %s does not use on-disk header."
 msgstr "Zařízení VERITY %s nepoužívá hlavičku uvnitř disku."
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Zařízení %s není platným zařízením VERITY."
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Nepodporovaná verze VERITY %d."
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "Hlavička VERITY je poškozena."
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Na zařízení %s poskytnuto UUID VERITY ve špatném tvaru."
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Chyba při aktualizaci hlavičky VERITY na zařízení %s."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "Ověření podpisu kořenového otisku není podporováno."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Chyby v zařízení FEC nelze opravit."
 
 # TODO: Pluralize
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Nalezeno %u opravitelných chyb v zařízení FEC."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "Jádro nepodporuje mapování dm-verity."
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Jádro nepodporuje volbu pro podpis dm-verity."
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "Po aktivaci zjistilo zařízení VERITY poškození."
 
@@ -1079,92 +1194,98 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Řídká oblast na pozici %<PRIu64> není vynulována."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Pozice na zařízení přetekla."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Ověření na pozici %<PRIu64> selhalo."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Neplatné parametry velikosti pro zařízení VERITY."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Přetečení oblasti haše."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Ověření datové oblasti selhalo."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Ověření kořenového haše selhalo."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Při vytváření oblasti haší došlo k chybě na vstupu/výstupu."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "Oblast haší se nepodařilo vytvořit."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "POZOR: Jádro nemůže aktivovat zařízení, pokud velikost datového bloku přesahuje velikost stránky (%u)."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Kontext RS se nepodařilo alokovat."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "Vyrovnávací paměť se nepodařilo alokovat."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Čtení bloku RS %<PRIu64> bajtu %d selhalo."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Čtení parity bloku RS %<PRIu64> selhalo."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Oprava parity bloku RS %<PRIu64> selhala."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Zápis parity bloku RS %<PRIu64> selhal."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Velikosti bloků musí odpovídat FEC."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Chybný počet paritních bajtů."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Velikost zařízení %s se nepodařilo určit."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "Jádro nepodporuje mapování dm-integrity."
 
+# Fixed metadata means fix_padding attribute of dm-integrity target
+# documented as "use a smaller padding".
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Jádro nepodporuje drobné zarovnání metadat dm-integrity."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Získání zámku pro zápis do zařízení %s selhalo."
@@ -1191,40 +1312,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "POZOR: oblast s pozicemi klíčů (%<PRIu64> bajtů) je příliš malá, dostupný počet pozic klíčů LUKS2 je značně omezen.\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Získání zámku pro čtení ze zařízení %s selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "V záloze %s byly zjištěny zakázané požadavky na LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Počátek dat se liší mezi zařízením a zálohou, obnova se nezdařila."
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Velikost binární hlavičky s oblastí pro pozice klíčů se liší mezi zařízením a zálohou, obnova se nezdařila."
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Zařízení %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "neobsahuje hlavičku LUKS2. Nahrazení hlavičky může zničit data na daném zařízení."
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "již obsahuje hlavičku LUKS2. Nahrazení hlavičky zničí existující pozice s klíči."
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1234,7 +1355,7 @@
 "POZOR: Ve skutečné hlavičce zařízení byly objeveny neznámé požadavky na LUKS2!\n"
 "Nahrazení hlavičky zálohou může zničit data na zařízení!"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1244,58 +1365,58 @@
 "POZOR: Na zařízení bylo objeveno nedokončené offline přešifrování!\n"
 "Nahrazení hlavičky zálohou může zničit data."
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Neznámý příznak %s ignorován."
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Chybí klíč pro dm-crypt část %u."
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "Nastavení části dm-crypt selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "Nastavení části dm-linear selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "Nepodporovaná konfigurace integrity zařízení."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Probíhá přešifrování. Zařízení nelze deaktivovat."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Výměna pozastaveného zařízení %s za cíl dm-error selhala."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "Čtení požadavků na LUKS2 selhalo."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Zjištěny nesplněné požadavky na LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Probíhá offline přešifrování. Operace se ruší."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Probíhá přešifrování za běhu. Operace se ruší."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Operace se neslučuje se zařízením označeným pro zastaralé přešifrování. Operace se ruší."
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Operace se neslučuje se zařízením označeným pro přešifrování LUKS2. Operace se ruší."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "Nedostatek paměti pro otevření pozice s klíčem."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Otevření pozice s klíčem selhalo."
 
@@ -1308,53 +1429,57 @@
 msgid "No space for new keyslot."
 msgstr "Pro novou pozicí klíče není místo."
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Nelze zjistit stav zařízení s UUID: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Hlavičky s dodatečnými metadaty LUKSMETA nelze převést."
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Oblast s pozicemi klíčů nelze přesunout. Nedostatek místa."
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Oblast s pozicemi klíčů nelze přesunout. Oblast s pozicemi klíčů LUKS2 je příliš malá."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Oblast s pozicemi klíčů nelze přesunout."
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nelze převést do formátu LUKS1 – výchozí velikost sektoru šifrování části není 512 bajtů."
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nelze převést do formátu LUKS1 – otisky v pozicích s klíči nejsou slučitelné s LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nelze převést do formátu LUKS1 – zařízení používá šifru se zabaleným klíčem %s."
 
 # TODO: Pluralize
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nelze převést do formátu LUKS1 – hlavička LUKS2 obsahuje %u token(ů)."
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u je v nesprávném stavu."
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nelze převést do formátu LUKS1 – pozice s klíčem %u (nad maximem pozic) je stále aktivní."
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Nelze převést do formátu LUKS1 – pozice s klíče %u není slučitelná s LUKS1."
@@ -1376,7 +1501,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Obálku pro starou část úložiště se nepodařilo inicializovat."
 
@@ -1388,7 +1513,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "Kontrolní součty pro aktuální horkou zónu se nepodařilo přečíst."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Čtení oblasti s horkou zónou počínaje na %<PRIu64> selhalo."
@@ -1446,119 +1571,119 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Posun dat (%<PRIu64> sektorů) je menší než budoucí poloha dat (%<PRIu64> sektorů)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Zařízení %s nebylo možné otevřít ve výlučném režimu (již namapováno nebo připojeno)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "Neprobíhá žádné přešifrování LUKS2."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Zařízení není označeno pro přešifrování LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Načtení kontextu přešifrování LUKS2 selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "Stavu přešifrování se nepodařilo zjistit."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "Zařízení se nepřešifrovává."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "Proces přešifrování již běží."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "Získání zámku pro přešifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "V přešifrování nelze pokračovat. Spusťte nejprve obnovu přešifrování."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Aktivní velikost zařízení a velikost požadovaná k přešifrování si neodpovídají."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "V parametrech přešifrování je požadována zakázaná velikost zařízení."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Probíhá přešifrování. Obnovu nelze provést."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "V metadatech je přešifrování LUKS2 již inicializováno."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Inicializace přešifrování LUKS2 v metadatech selhala."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Nastavení segmentů zařízení pro další horkou zónu přešifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Metadata pro odolnost při přešifrování se nepodařilo zapsat."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "Rozšifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Zápis oblasti s horkou zónou počínaje na %<PRIu64> selhal."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "Synchronizace dat selhala."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Po dokončení přešifrování aktuální horké zóny se nepodařilo aktualizovat metadata."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "Zápis metadat LUKS2 selhal."
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "Vyčištění dat záložní části selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "Vypnutí příznaku požadavku na přešifrování selhalo."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Nepřekonatelná chyba při přešifrování bloku na pozici %<PRIu64> dlouhého %<PRIu64> sektorů."
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Zařízení neprobouzejte, dokud jej ručně nenahradíte chybovým cílem."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "V přešifrování nelze pokračovat. Přešifrování se nachází v nečekaném stavu."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Chybějící nebo neplatný kontext přešifrování."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "Zásobník zařízení k přešifrování se nepodařilo inicializovat."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "Kontext přešifrování se nepodařilo aktualizovat."
 
@@ -1571,64 +1696,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Vestavěný token %s nebylo možné vytvořit"
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Se vstupem mimo terminál nelze ověřit heslo."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametry pro šifrování pozice s klíčem lze nastavit jen u zařízení LUKS2."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Nelze najít žádný známý vzorek se specifikaci šifry."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "POZOR: Jedná-li se o režim plain a je-li určen soubor s klíčem, parametr --hash se ignoruje.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "POZOR: Přepínač --keyfile-size se ignoruje, velikost pro čtení je stejná jako velikosti šifrovacího klíče.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Na %s byla nalezen vzorec zařízení. Pokračování může poškodit existující data."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Operace zrušena.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Je vyžadován přepínač --key-file."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Zadejte PIM VeraCryptu: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Neplatná hodnota VIM: chyba rozboru"
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Neplatná hodnota PIM: 0"
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Neplatná hodnota PIM: mimo rozsah"
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "S tímto heslem není rozpoznatelná žádná hlavička zařízení."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Zařízení %s není platným zařízením BITLK."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1638,69 +1768,69 @@
 "který umožňuje přístup k šifrovanému oddílu bez znalosti hesla.\n"
 "Tento výpis by měl být vždy uložen na bezpečném místě a v zašifrované podobě."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Zařízení %s je stále aktivní a naplánováno pro opožděné odstranění.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Změna velikosti aktivního zařízení vyžaduje klíč svazku v klíčence. Byl však použit přepínač --disable-keyring."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Hodnocení výkonu přerušeno."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     –\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iterací za sekundu pro %zubitový klíč\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s –\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iterací, %5u paměti, %1u souběžných vláken (procesorů) pro %zubitový klíč (požadován čas %u ms)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Výsledek hodnocení výkonu není spolehlivý."
 
 # ???: are aproximated?
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Testy jsou počítány jen z práce s pamětí (žádné I/O úložiště).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*sAlgoritmus |      Klíč |       Šifrování |     Dešifrování\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Šifra %s není dostupná."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#    Algoritmus |      Klíč |       Šifrování |     Dešifrování\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "–"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1708,19 +1838,19 @@
 "Zdá se, že zařízení nevyžaduje obnovu přešifrování.\n"
 "Přejete si přesto pokračovat?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Opravdu pokračovat s obnovou přešifrování LUKS2?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Zadejte heslo pro obnovení přešifrování: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Opravdu se pokusit opravit hlavičku zařízení LUKS?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1729,129 +1859,129 @@
 "Lze přerušit pomocí Ctrl+C (zbytek nesmazaného zařízení bude obsahovat\n"
 "neplatné součty).\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Dočasné zařízení %s nelze deaktivovat."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Volby integrity lze použít jen při formátu LUKS2."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nepodporované volby velikosti metadat LUKS2."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Soubor s hlavičkou %s nelze vytvořit."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Nelze najít žádný známý vzorek se specifikací integrity."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "%s nelze použít pro hlavičku uvnitř disku."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Toto nevratně přepíše data na %s."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Nastavení parametrů PBKDF selhalo."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Zmenšená poloha dat je dovolena jen u oddělené hlavičky LUKS."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Bez pozic pro klíče nelze určit velikost LUKS klíče svazku. Prosím, použijte přepínač --key-size."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "Zařízení aktivováno, ale příznaky nelze učinit trvalými."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Ke smazání vybrán klíč na pozici %d."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr ""
 "Toto je poslední pozice klíče. Smazáním tohoto klíče přijdete o možnost\n"
 "zařízení použít."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Zadejte jakékoliv jiné heslo: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operace zrušena, pozice klíče NEBYLA vymazána.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Zadejte heslo, které se má smazat: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Zadejte nové heslo pro pozici klíče: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Zadejte jakékoliv existující heslo: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Zadejte heslo, které má být změněno: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Zadejte nové heslo: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Zadejte heslo pro pozici klíče, který má být převeden: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "U operace isLuks je podporován pouze jeden argument se zařízením."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "Je vyžadován přepínač --header-backup-file."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s není zařízení spravované nástrojem cryptsetup."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Reaktivace není na zařízení typu %s podporována"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Nerozpoznaná metadata druhu zařízení %s."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "Příkaz vyžaduje jako argumenty zařízení a mapovaný název."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1860,95 +1990,95 @@
 "Tento úkon smaže všechny pozice s klíči na zařízení %s.\n"
 "Po jeho dokončení zařízení bude nepoužitelné."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operace zrušena, pozice s klíči NEBYLY smazány.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Neplatný druh formátu LUKS. Podporován je pouze LUKS1 a LUKS2."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "Zařízení je již druhu %s."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Tato operace převede formát %s na %s.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operace zrušena, zařízení NEBYLO převedeno.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Chybí přepínač --priority, --label nebo --subsystem."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d je neplatný."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d se používá."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Přidání tokenu %d klíčenky LUKS2 selhalo."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Přiřazení tokenu %d do pozice s klíčem %d selhalo."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d se nepoužívá."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "Import tokenu ze souboru selhal."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Získání tokenu %d za účelem exportu selhalo."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Parametr --key-description je při přidávání tokenu povinný."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Akce vyžaduje určitý token. Použijte parametr --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Neplatná operace tokenu %s."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Automaticky nalezené aktivní zařízení DM „%s“ pro datové zařízení %s.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Zařízení %s není blokovým zařízením.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Držitele zařízení %s nebylo možné automaticky nalézt."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1961,233 +2091,237 @@
 "To může vést k poškození dat, bylo-li zařízení ve skutečnosti aktivováno.\n"
 "Pro přešifrování za běhu použijte parametr --active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "Neplatný druh zařízení LUKS."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Přešifrování bez odpojené hlavičky (--header) není možné bez zmenšení velikosti datového zařízení (--reduce-device-size)."
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Požadovaný počátek dat musí být menší nebo roven polovině parametru --reduce-device-size"
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Upravuje se hodnota --reduce-device-size na dvojnásobek --offset %<PRIu64> (v sektorech).\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "Šifrování je podporováno jen s formátem LUKS2."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "Na %s zjištěno zařízeno LUKS. Přejete si toto zařízení LUKS znovu zašifrovat?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Dočasný soubor s hlavičkou %s již existuje. Operace se ruší."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Dočasný soubor s hlavičkou %s nelze vytvořit."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s je nyní aktivní a připraveno pro přešifrování za běhu."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s je nyní aktivní a připraveno pro přešifrování za běhu.\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "Nedostatek pozic s klíči pro přešifrování."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Soubor s klíčem lze použít jen s přepínačem --key-slot nebo s právě jednou aktivní pozicí klíče."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Zadejte heslo pro pozici klíče %d: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Zadejte heslo pro pozici klíče %u: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "Příkaz vyžaduje jako argument zařízení."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "Nyní je podporován pouze formát LUKS2. Pro LUKS1, prosím, použijte nástroj cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Zastaralé offline přešifrování již probíhá. Použijte nástroj cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Přešifrování zařízení s profilem integrity není podporováno."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Přešifrování LUKS2 je již inicializováno. Operace se ruší."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "Zařízení LUKS2 se nepřešifrovává."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<zařízení> [--type <druh>] [<název>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "otevře zařízení jako <název>"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<název>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "zavře zařízení (odstraní mapování)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "změní velikost aktivního zařízení"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "zobrazí stav zařízení"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <šifra>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "zhodnotí výkon šifry"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<zařízení>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "pokusí se opravit metadata uložená na disku"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "přešifruje zařízení LUKS2"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "smaže všechny pozice s klíči (odstraní šifrovací klíč)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "převede formát LUKS do/z formátu LUKS2"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "nastaví trvalé volby konfigurace pro LUKS2"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<zařízení> [<soubor_s_novým_klíčem>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "naformátuje zařízení LUKS"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "do zařízení LUKS přidá klíč"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<zařízení> [<soubor_s_klíčem>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "odstraní zadaný klíč nebo soubor s klíčem ze zařízení LUKS"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "změní zadaný klíč nebo soubor s klíčem u zařízení LUKS"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "převede klíč do nových parametrů PBKDF"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<zařízení> <pozice_klíče>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "smaže klíč s číslem <pozice_klíče> ze zařízení LUKS"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "zobrazí UUID zařízení LUKS"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "otestuje <zařízení> na hlavičku oddílu LUKS"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "vypíše údaje o oddílu LUKS"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "vypíše údaje o oddílu TCRYPT"
 
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "vypíše údaje o zařízení BITLK"
+
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Uspí zařízení LUKS a smaže klíč (všechny operace budou zmrazeny)"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "Probudí uspané zařízení LUKS"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Zálohuje hlavičku zařízení LUKS a jeho pozice s klíči"
 
 # TODO: not consistent with previous line
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Obnoví hlavičku zařízení LUKS a jeho pozice s klíči"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <zařízení>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "Zachází s tokeny LUKS2"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2195,19 +2329,19 @@
 "\n"
 "<akce> je jedna z:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Rovněž lze použít aliasy se starým zápisem <akce>:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2222,7 +2356,7 @@
 "<pozice_klíče> je číslo pozice klíče LUKS, který se má upravit\n"
 "<soubor_s_klíčem> je volitelný soubor s novým klíčem pro akci luksAddKey\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2231,7 +2365,7 @@
 "\n"
 "Výchozí zakompilovaný formát metadat (pro akci luksFormat) je %s.\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2248,7 +2382,7 @@
 "Výchozí PBKDF pro LUKS2: %s\n"
 "\tDoba iterací: %d, nutná paměť: %d kB, souběžná vlákna: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2263,439 +2397,443 @@
 "\tplain: %s, Klíč: %d bitů, Haš hesla: %s\n"
 "\tLUKS: %s, Klíč: %d bitů, Haš hlavičky LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: V režimu XTS (dva vnitřní klíče) bude výchozí velikost klíče zdvojnásobena.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: vyžaduje %s jako argumenty"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Zobrazí tuto nápovědu"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Zobrazí stručný návod na použití"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Vypíše verzi balíku"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Přepínače nápovědy:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Zobrazuje podrobnější chybové hlášky"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Zobrazuje ladicí hlášky"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Zobrazuje ladicí hlášky včetně metadat JSON"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Šifra použita k zašifrování disku (vizte /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Haš použit k vytvoření šifrovacího klíče z hesla"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Ověřuje heslo dvojitým dotazem"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Klíč načte ze souboru"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "(Hlavní) klíč svazku načte ze souboru."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Vypíše (hlavní) klíč svazku namísto údajů o pozicích klíčů"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Velikost šifrovacího klíče"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "BITY"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Omezí čtení ze souboru s klíčem"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "bajty"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Přeskočí daný počet bajtů na začátku souboru s klíčem"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Omezí čtení z nově přidaného souboru s klíčem"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Přeskočí daný počet bajtů na začátku nově přidaného souboru s klíčem"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Číslo pozice pro nový klíč (výchozí je první volná)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "Velikost zařízení"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SEKTORY"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Použije zadanou velikost zařízení (ignoruje zbytek zařízení). NEBEZPEČNÉ!"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "Poloha začátku dat v podkladovém zařízení"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Kolik sektorů šifrovaných dat se má na začátku přeskočit"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Vytvoří mapování určené jen pro čtení"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Nevyžaduje potvrzení"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Časový limit pro interaktivní dotaz na heslo (v sekundách)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "sekundy"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Aktualizace ukazatele postupu (v sekundách)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Kolikrát se lze zeptat na heslo"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Zarovnává data na hranici <n> sektorů – pro luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Soubor se zálohou hlavičky LUKS a pozic s klíči"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Pro vytvoření klíče svazku použije /dev/random"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Pro vytvoření klíče svazku použije /dev/urandom"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Zařízení sdílí s jiným nepřekrývajícím se šifrovaným segmentem"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "Použije zařízení s UUID"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Povolí u daného zařízení požadavky na zahození (TRIM)"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Zařízení nebo soubor s oddělenou hlavičkou LUKS"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "Zařízení neaktivuje, jen zkontroluje heslo"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Použije se skrytá hlavička (skryté zařízení TCRYPT)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Zařízení je systémová jednotka TCRYPT (se zavaděčem)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Použije se záložní (druhá) hlavička TCRYPT"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Hledá také zařízení kompatibilní s VeraCrypt"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Osobní iterační činitel (PIM) pro zařízení kompatibilní s VeraCrypt"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Zeptá se na Osobní iterační činitel pro zařízení kompatibilní s VeraCrypt"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Druh metadat zařízení: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Druh metadat zařízení: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Vypne kontrolku odolnosti hesla (byla-li zapnuta)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Použije výkonnostně kompatibilní přepínač dmcryptu same_cpu_crypt"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Použije výkonnostně kompatibilní přepínač dmcryptu submit_from_crypt_cpus"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "Odstranění zařízení se odloží, dokud jej poslední uživatel neuzavře"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Pro serializaci paměti těžkého PBKDF použije globální zámek (obezlička při nedostatku paměti)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "Doba opakování PBKDF pro LUKS (v ms)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "milisekundy"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "Algoritmus PBKDF (pro LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "omezení paměťové náročnosti PBKDF"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "kilobajty"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "náročnost paralelizace PBKDF"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "vlákna"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "náročnost iterací PBKDF (vynuceno, vypne test složitosti)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Priorita pozice klíče: ignore [ignorovat], normal [normální], prefer [upřednostnit]"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Vypne zamykání metadata uložených na disku"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Vypne načítání klíčů svazků přes jadernou klíčenku"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Algoritmus pro integritu dat (pouze LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Vypne žurnál pro zařízení s integritou"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Po formátu nevymazat zařízení"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Použije neefektivní zastaralé vyplňování (stará jádra)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
-msgstr "Neptat se na heslo, když aktivace tokenem selže"
+msgstr "Neptá se na heslo, když aktivace tokenem selže"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Číslo tokenu (výchozí cokoliv)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Popis klíče"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Velikost sektoru šifrování (výchozí: 512 bajtů)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "Nastaví trvalé příznaky pro aktivaci zařízení"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Nastaví jmenovku zařízení LUKS2"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Nastaví jmenovku podsystému zařízení LUKS2"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Vytvoří nepřiřazenou (žádný datový segment nepřiřazen) LUKS2 pozici s klíčem"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "Načte nebo zapíše JSON z nebo do souboru"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Velikost oblasti s metadaty hlavičky LUKS2"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Velikost oblasti s pozicemi klíčů hlavičky LUKS"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Reaktivuje zařízení s novými parametry"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "Pozice s klíčem LUKS2: Velikost šifrovacího klíče"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "Pozice s klíčem LUKS2: Šifra použitá pro šifrování pozice s klíčem"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "Zašifruje zařízení LUKS2 (šifrování bez mezikopie)."
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "Natrvalo dešifruje zařízení LUKS2 (odstraní šifrování)."
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "Inicializuje přešifrování LUKS2 pouze v metadatech."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Pouze dokončí již inicializované přešifrování LUKS2."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Zmenší velikost datového zařízení (posune začátek dat). NEBEZPEČNÉ!"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "Maximální velikost horké zóny při přešifrování."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Druh odolnosti horké zóny při přešifrování (checksum [kontrolní součet], journal [žurnál], none [žádná])"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "Algoritmus kontrolního součtu při přešifrování"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Přebije automatické hledání zařízení DM pro přešifrování"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[PŘEPÍNAČ…] <akce> <přepínače_akce>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Chybí argument <akce>."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Neznámá akce."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "Přepínač --refresh je dovolen jen při příkazu otevření nebo reaktivace.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Přepínače --refresh a --test-passphrase se vzájemně vylučují.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "Přepínač --deferred je dovolen jen při příkazu zavření.\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Přepínač --shared je dovolen jen při úkonu otevírání zařízení plain.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Přepínač --allow-discards je dovolen jen při úkonu otevírání.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "Přepínač --persistent je dovolen jen při úkonu otevírání.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "Přepínač --serialize-memory-hard-pbkdf je dovolen jen při úkonu otevírání.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "Přepínač --persistent není dovolen současně s --test-passphrase.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2704,245 +2842,255 @@
 "open a benchmark. Čtení ze souboru s klíčem lze omezit\n"
 "pomocí --keyfile-size=(bajty)."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "Přepínač --integrity je dovolen pouze u luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "Přepínač --integrity-no-wipe smí být použit jen při formátování s rozšířením integrity.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Přepínače --label a --subsystem jsou dovoleny jen při úkonech luksFormat a config s LUKS2.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS a TCRYPT.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "Přepínač --test-passphrase je dovolen pouze při otevírání zařízení LUKS, TCRYPT a BUTLK.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Velikost klíče musí být násobkem 8 bitů."
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Pozice klíče není platná."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Přepínač --key-file má přednost před zadaným argumentem souboru s klíčem."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "U přepínače není záporné číslo dovoleno."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Je dovolen pouze jeden argument přepínače --key-file."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Je dovolen pouze jeden z přepínačů --use-[u]random."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "Přepínač --use-[u]random je dovolen pouze u luksFormat."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Přepínač --uuid je dovolen pouze u luksFormat a luksUUID."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Přepínač --align-payload je dovolen pouze u luksFormat."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Přepínače --luks2-metadata-size a --opt-luks2-keyslots-size jsou dovoleny jen při úkonu luksFormat s LUKS2."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Zadána neplatná velikost metadat LUKS2."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Zadána neplatná velikost pozic s klíči LUKS2."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Přepínače --align-payload a --offset nelze kombinovat."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Přepínač --skip je podporován jen při otevírání zařízení plain a loopaes.\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "Přepínač --offset je podporován jen při otevírání zařízení plain a loopaes a při úkonu luksFormat a přešifrování.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Přepínač --tcrypt-hidden, --tcrypt-system nebo --tcrypt-backup je podporován jen u zařízení TCRYPT.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Přepínač --tcrypt-hidden nelze použít s přepínačem --allow-discards.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Přepínač --veracrypt je podporován jen u typu zařízení TCRYPT.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Zadán neplatný argument parametru --veracrypt-pim.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Přepínač --veracrypt-pim je podporován jen u zařízení kompatibilním s VeraCrypt.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Přepínač --veracrypt-query-pim je podporován jen u zařízení kompatibilním s VeraCrypt.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Přepínače --veracrypt-pim a --veracrypt-query-pim se vzájemně vylučují.\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "Přepínač --priority smí mít pouze argument ignore, normal a prefer.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Je nutné určit pozici s klíčem.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "Funkce pro odvození klíče na základě hesla (PBKDF) smí být pouze pbkdf2 nebo argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "Vynucené iterace PBKDF nelze kombinovat s volnou doby iterací.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "Tento příkaz nepodporuje volbu velikosti sektoru.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Nepodporovaná velikost šifrovaného sektoru.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "Přepínač --unbound vyžaduje velikost klíče.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "Přepínač --unbound lze použít pouze s akcí luksAddKey.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "Přepínač --refresh lze použít pouze s úkonem otevření.\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "Zamykání metadata nelze vypnout.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Zadána neplatná maximální velikost horké zóny při přešifrování."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "Zadána neplatná velikost zařízení."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Maximální velikost zmenšení zařízení je 1 GiB."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Velikost zmenšení musí být násobkem 512bajtových sektorů."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "Zadána neplatná velikost dat."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "Velikost ke zmenšení přetekla."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "Dešifrování LUKS2 vyžaduje přepínač --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Velikost zařízení musí být násobkem 512bajtových sektorů."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Přepínače --reduce-device-size a --data-size nelze kombinovat."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Přepínače --device-size a --size nelze kombinovat."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Zadán neplatný řetězec se solí."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Nelze vytvořit obraz hašů %s určený k zápisu."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Nelze vytvořit obraz FEC %s určený k zápisu."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Zadán neplatný řetězec s kořenovým hašem."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Neplatné soubor s podpisem %s."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Soubor s podpisem %s nelze číst."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<zařízení_dat> <zařízení_hašů>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "naformátuje zařízení"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<zařízení_dat> <zařízení_hašů> <kořenový_haš>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "ověří zařízení"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<zařízení_dat> <název> <zařízení_hašů> <kořenový_haš>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "zobrazí stav aktivního zařízení"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<zařízení_hašů>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "zobrazí údaje z disku"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2957,7 +3105,7 @@
 "<zařízení_hašů> je zařízení obsahující ověřovací data\n"
 "<kořenový_haš> haš kořenového uzlu na <zařízení_hašů>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2968,91 +3116,99 @@
 "Výchozí zakompilované parametry dm-verity:\n"
 "\tHaš: %s, Datový blok (bajty): %u, Blok hašů (bajty): %u, Velikost soli: %u, Formát haše: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Nepoužije superblok verity"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Druh formátu (1 – běžný, 0 – původní z OS Chrome)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "číslo"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Velikost bloku na zařízení dat"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Velikost bloku na zařízení hašů"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "Paritní bajty FEC"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Počet bloků v datovém souboru"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "bloky"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Cesta k zařízení s daty pro opravu chyb"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "cesta"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Poloha začátku dat v zařízení hašů"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Poloha začátku dat v zařízení FEC"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Hašovací algoritmus"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "řetězec"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Sůl"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "šestnáctkový řetězec"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Cesta k souboru s podpisem kořenového otisku"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Restartuje jádro, pokud je zjištěno poškození"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Ignoruje poškození, pouze jej zaznamená"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Neověřuje vynulované bloky"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Ověří datový blok pouze při prvním čtení"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Přepínače --ignore-corruption, --restart-on-corruption nebo --ignore-zero-blocks jsou dovoleny jen při úkonu otevírání.\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Přepínač --root-hash-signature smí být použit jen při otevírání.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Přepínače --ignore-corruption a --restart-on-corruption nelze použít najednou.\n"
 
@@ -3067,20 +3223,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Ze souboru s klíčem %2$s nelze přečíst %1$d bajtů."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formátováno s velikostí značky %u, vnitřní integrita %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<zařízení_s_daty_integrity>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<zařízení_s_daty_integrity> <název>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3091,158 +3247,158 @@
 "<název> je zařízení, které bude vytvořeno pod %s\n"
 "<zařízení_s_daty_integrity> je zařízení obsahující data se značkami integrity\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Výchozí zakompilované parametry dm-integrity:\n"
-"\tVelikost značky: %u bajtů, Algoritmus kontrolního součtu: %s\n"
+"\tAlgoritmus kontrolního součtu: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Cesta k zařízení s daty (je-li odděleno)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Velikost žurnálu"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Prokládat sektory"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Zaplněnost žurnálu"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "procenta"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Perioda vyprazdňování žurnálu"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ms"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Počet 512bajtových sektorů na bit (režim bitmapy)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Perioda vyprazdňování při režimu bitmapy"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Velikost značky (na sektor)"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Velikost sektoru"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Velikost vyrovnávací paměti"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Algoritmus pro kontrolu integrity dat"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Velikost klíče pro integritu dat"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Klíč pro integritu načte ze souboru"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Algoritmus pro integritu žurnálu"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Velikost klíče integrity žurnálu"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Klíč integrity žurnálu načte ze souboru"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Algoritmus šifrování žurnálu"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Velikost šifrovacího klíče žurnálu"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Šifrovací klíč žurnálu načte ze souboru"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Režim obnovy (žádný žurnál, žádná kontrola značek)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Ke sledování změn použije bitmapu a vypne žurnál pro zařízení s integritou"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Automaticky přepočítá počáteční značky."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "Přepínač --integrity-recalculate smí být použit jen při otevírání."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Přepínače --journal-size, --interleave-sectors, --sector-size, --tag-size a --no-wipe lze použít jen při formátování.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "Zadána neplatná velikost žurnálu."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s klíčem a velikostí klíče."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "Je-li použit klíč integrity, musí být zadán algoritmus integrity."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s klíčem žurnálu a velikostí klíče."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Je-li použit klíč integrity žurnálu, musí být zadán algoritmus integrity žurnálu."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Musí být zadány oba přepínače pro soubor s šifrovacím klíčem žurnálu a velikostí klíče."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Je-li použit šifrovací klíč žurnálu, musí být zadán algoritmus šifrování žurnálu."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Přepínače režimu bitmapy a obnovení se vzájemně vylučují."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Přepínače žurnálu nelze použití spolu s režimem bitmapy."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Přepínače bitmapy lze použít jen při režimu bitmapy."
 
@@ -3255,7 +3411,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Zařízení %s nelze výlučně otevřít. Zařízení se používá."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "Alokace zarovnané paměti se nezdařila."
 
@@ -3304,190 +3460,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "Aktivace dočasných zařízení selhala."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Nastavení polohy dat selhalo."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "Nastavení velikosti metadat selhalo."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Byla vytvořena nová hlavička LUKS zařízení %s."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Tato verze cryptsetup-reencrypt neumí zacházet s novým vnitřním druhem tokenů %s."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "Přečtení příznaků pro aktivaci ze záložní hlavičky selhalo."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "Zápis příznaků pro aktivaci do nové hlavičky selhal."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Čtení požadavků ze záložní hlavičky selhalo."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Záloha hlavičky %s zařízení %s byla vytvořena."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "Záložní hlavičky LUKS se nepodařilo vytvořit."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Hlavičku %s na zařízení %s nelze obnovit."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Hlavička %s na zařízení %s byla obnovena."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Nelze otevřít dočasné zařízení LUKS."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Velikost zařízení nelze zjistit."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "Chyba vstupu/výstupu během přešifrování."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Poskytnuté UUID není platné."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Nelze otevřít soubor s protokolem přešifrování."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Žádné dešifrování není rozpracované. Poskytnuté UUID lze použít jen k dokončení pozastaveného procesu dešifrování."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Parametry PBKDF pro pozici klíče %i změněny."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Velikost bloku přešifrování"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Nezmění klíč, oblast s daty se nepřešifruje"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Nový (hlavní) klíč svazku načte ze souboru"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "Doba opakování PBKDF2 pro LUKS (v ms)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "K zařízením se bude přistupovat pomocí přímého I/O"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Po každém bloku se zavolá fsync"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Po každém bloku se aktualizuje soubor s protokolem"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Použije se pouze tato pozice (ostatní budou zakázány)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Vytvoří novou hlavičku na nešifrovaném zařízení"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Natrvalo dešifruje zařízení (odstraní šifrování)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "UUID, které se použije pro dokončení dešifrování"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Druh metadat LUKS: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[PŘEPÍNAČ…] <zařízení>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Přešifrování změní: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "klíč svazku"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "nastaví haš na "
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", nastaví šifru na "
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Vyžadován argument."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Velikost bloku při přešifrování může nabývat hodnot pouze mezi 1 a 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Maximální velikost zmenšení zařízení je 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Přepínač --new musí být použit spolu s --reduce-device-size nebo --header."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Přepínač --keep-key lze použít jen s přepínači --hash, --iter-time nebo --pbkdf-force-iterations."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Přepínač --new nelze být použit spolu s --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Přepínač --decrypt se neslučuje se zadanými parametry."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Přepínač --uuid lze použít jen spolu s přepínačem --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Neplatný druh LUKS. Použijte jeden z: „luks“, „luks1“ nebo „luks2“"
 
@@ -3718,6 +3874,15 @@
 msgid "Failed to write JSON file."
 msgstr "Zapsaní souboru s dokumentem JSON selhalo."
 
+#~ msgid "Offline reencryption in progress. Aborting."
+#~ msgstr "Probíhá offline přešifrování. Operace se ruší."
+
+#~ msgid "Online reencryption in progress. Aborting."
+#~ msgstr "Probíhá přešifrování za běhu. Operace se ruší."
+
+#~ msgid "No LUKS2 reencryption in progress."
+#~ msgstr "Neprobíhá žádné přešifrování LUKS2."
+
 #~ msgid "Interrupted by a signal."
 #~ msgstr "Přerušeno signálem."
 
@@ -3790,9 +3955,6 @@
 #~ msgid "Device is not in clean reencryption state."
 #~ msgstr "Zařízení není v čistém stavu přešifrování."
 
-#~ msgid "Failed to read device info from %s."
-#~ msgstr "Z %s nebylo možné načíst údaje o zařízení."
-
 #~ msgid "Failed to calculate new segments."
 #~ msgstr "Výpočet nových částí selhal."
 
diff -Nru cryptsetup-2.2.2/po/da.po cryptsetup-2.3.1/po/da.po
--- cryptsetup-2.2.2/po/da.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/da.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,12 +1,14 @@
-# Danish translation cryptsetup-1.7.2.da.po.
-# Copyright (C) 2019 Free Software Foundation, Inc.
+# Danish translation cryptsetup-2.3.1.da.po.
+# Copyright (C) 2020 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Joe Hansen <joedalton2@yahoo.dk>, 2015, 2016, 2017, 2018, 2019.
+# Joe Hansen <joedalton2@yahoo.dk>, 2015, 2016, 2017, 2018, 2019, 2020.
 #
 # Konventioner
 # argument -> argument
 # deferred -> udskudt
 # iteration -> iteration (gennemløb)
+# memory hard -> hukommelsestung (bedre mulighed?) det er nok et tilvalg, så
+# evt. bevar den uændret. nok engelsk fejl hvor det er uden bindestreg.
 # parameter -> parameter
 # probe -> undersøge (bedre mulighed?)
 # reencryption -> omkryptering
@@ -15,10 +17,10 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup-2.1.0\n"
+"Project-Id-Version: cryptsetup-2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-01-26 19:02+0100\n"
-"PO-Revision-Date: 2019-03-03 22:35+0200\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 22:35+0200\n"
 "Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
 "Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
 "Language: da\n"
@@ -27,61 +29,65 @@
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 
-#: lib/libdevmapper.c:336
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Kan ikke initialisere enhedsoversætter, kører som ikke-root bruger."
 
-#: lib/libdevmapper.c:339
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Kan ikke initialisere enhedsoversætter. Er dm_mod-kernemodulet indlæst?"
 
-#: lib/libdevmapper.c:1010
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "Det anmodede udskudte flag er ikke understøttet."
 
-#: lib/libdevmapper.c:1077
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID for enheden %s blev afkortet."
 
-#: lib/libdevmapper.c:1486
+#: lib/libdevmapper.c:1508
+msgid "Unknown dm target type."
+msgstr "Ukendt dm-måltype."
+
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Forespurgte dm-crypt-ydelsestilvalg er ikke understøttede."
 
-#: lib/libdevmapper.c:1493
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Forespurgte dm-verity-håndteringstilvalg for datakorruption er ikke understøttede."
 
-#: lib/libdevmapper.c:1497
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Forespurgte dm-verity FEC-tilvalg er ikke understøttede."
 
-#: lib/libdevmapper.c:1501
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Forespurgte dataintegritetstilvalg er ikke understøttede."
 
-#: lib/libdevmapper.c:1503
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "Forespurgte sector_size-tilvalg er ikke understøttet."
 
-#: lib/libdevmapper.c:1508
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Forespurgte automatiske genberegning af integritetsmærker er ikke understøttet."
 
-#: lib/libdevmapper.c:1534
-msgid "Requested dmcrypt performance options are not supported."
-msgstr "Forespurgte dmcrypt-ydelsestilvalg er ikke understøttede."
+#: lib/libdevmapper.c:1637
+msgid "Requested dm-integrity bitmap mode is not supported."
+msgstr "Forespurgte dm-integritetsbitmaptilstand er ikke understøttet."
 
-#: lib/libdevmapper.c:1537
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM %s er ikke understøttet."
 
-#: lib/libdevmapper.c:2413
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Kunne ikke forespørge dm-%s-segment."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -89,489 +95,569 @@
 "Systemet har ikke nok entropi til oprettelse af diskenhedsnøgle.\n"
 "Flyt venligst musen eller indtast noget tekst i et andet vindue for at samle nogle vilkårlige hændelser.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Opretter nøgle (%d%% færdig).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Kører i FIPS-tilstand."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Fatal fejl under RNG-initialisering."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "Der blev anmodt om ukendt RNG-kvalitet."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Der opstod en fejl under læsning fra RNG."
 
-#: lib/setup.c:214
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Kan ikke initialisere crypto RNG-motor."
 
-#: lib/setup.c:220
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "Kan ikke initialisere crypto-motor."
 
-#: lib/setup.c:251 lib/setup.c:1899 lib/verity/verity.c:123
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hashalgoritmen %s er ikke understøttet."
 
-#: lib/setup.c:254 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Nøglebehandlingsfejl (der bruger hash %s)."
 
-#: lib/setup.c:315 lib/setup.c:342
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Kan ikke bestemme enhedstype. Er aktivering af enhed ikke kompatibel?"
 
-#: lib/setup.c:321 lib/setup.c:2892
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Denne operation er kun understøttet for LUKS-enhed."
 
-#: lib/setup.c:348
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Denne operation er kun understøttet for LUKS2-enhed."
 
-#: lib/setup.c:396
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Alle nøglepladser er udfyldt."
 
-#: lib/setup.c:407
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Nøglepladsen %d er ugyldig, vælg venligst mellem 0 og %d."
 
-#: lib/setup.c:413
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Nøglepladsen %d er fuld, vælg venligst en anden."
 
-#: lib/setup.c:589
+#: lib/setup.c:525 lib/setup.c:2824
+msgid "Device size is not aligned to device logical block size."
+msgstr "Enhedsstørrelsen er ikke justeret til logisk blokstørrelse for enhed."
+
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Teksthoved registreret men enheden %s er for lille."
 
-#: lib/setup.c:626
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Denne operation er ikke understøttet for denne enhedstype."
 
-#: lib/setup.c:791 lib/luks1/keymanage.c:481
+#: lib/setup.c:666
+msgid "Illegal operation with reencryption in-progress."
+msgstr "Ulovlig operation med omkryptering i gang."
+
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "LUKS-version %d er ikke understøttet."
 
-#: lib/setup.c:808 lib/setup.c:1403 lib/setup.c:1812
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Frakoblet metadataenhed er ikke understøttet for denne crypttype."
 
-#: lib/setup.c:1288 lib/setup.c:2392 lib/setup.c:2464 lib/setup.c:2476
-#: lib/setup.c:2625 lib/setup.c:4021
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "Enheden %s er ikke aktiv."
 
-#: lib/setup.c:1310
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Underliggende enhed for cryptenheden %s forsvandt."
 
-#: lib/setup.c:1388
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Ugyldige rene crypt-parametre."
 
-#: lib/setup.c:1393 lib/setup.c:1802 src/integritysetup.c:72
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Ugyldig nøglestørrelse."
 
-#: lib/setup.c:1398 lib/setup.c:1807 lib/setup.c:2009
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID er ikke understøttet for denne crypttype."
 
-#: lib/setup.c:1413 lib/setup.c:1603 src/cryptsetup.c:1045
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Sektorstørrelsen på krypteringen er ikke understøttet."
 
-#: lib/setup.c:1421 lib/setup.c:1720
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "Enhedsstørrelsen er ikke justeret til den anmodede sektorstørrelse."
 
-#: lib/setup.c:1472 lib/setup.c:1591
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "Kan ikke formatere LUKS uden enhed."
 
-#: lib/setup.c:1478 lib/setup.c:1597
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Forespurgte datajustering er ikke kompatibel med dataforskydning."
 
-#: lib/setup.c:1546 lib/setup.c:1715
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "ADVARSEL: Dataforskydning er uden for nuværende tilgængelige dataenhed.\n"
 
-#: lib/setup.c:1556 lib/setup.c:1735 lib/setup.c:1754 lib/setup.c:2021
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Kan ikke rydde teksthoved på enheden %s."
 
-#: lib/setup.c:1608
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "ADVARSEL: Enhedsaktiveringen vil fejle, dm-crypt mangler understøttelse for anmodet størrelse på krypteringssektor.\n"
 
-#: lib/setup.c:1630
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Diskenhedsnøglen er for lille til kryptering med integritetsudvidelser."
 
-#: lib/setup.c:1685
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Krypteringsalgoritmen %s-%s (nøglestørrelse %zd bit) er ikke tilgængelig."
 
-#: lib/setup.c:1747
+#: lib/setup.c:1854
 #, c-format
-msgid "Cannot format device %s which is still in use."
-msgstr "Kan ikke formatere enheden %s som stadig er i brug."
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr "ADVARSEL: LUKS2-metadatastørrelse ændret til %<PRIu64> byte.\n"
 
-#: lib/setup.c:1750 lib/setup.c:1775
+#: lib/setup.c:1858
 #, c-format
-msgid "Cannot format device %s, permission denied."
-msgstr "Kan ikke formatere enheden %s, tilladelse nægtet."
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr "ADVARSEL: LUKS2-nøglepladsens områdestørrelse er ændret til %<PRIu64> byte.\n"
 
-#: lib/setup.c:1762 lib/setup.c:2073
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
-msgid "Cannot format integrity for device %s."
-msgstr "Kan ikke formatere integritet for enheden %s."
+msgid "Device %s is too small."
+msgstr "Enheden %s er for lille."
 
-#: lib/setup.c:1772
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Kan ikke formatere enheden %s i brug."
 
-#: lib/setup.c:1779
+#: lib/setup.c:1896 lib/setup.c:1922
+#, c-format
+msgid "Cannot format device %s, permission denied."
+msgstr "Kan ikke formatere enheden %s, tilladelse nægtet."
+
+#: lib/setup.c:1908 lib/setup.c:2229
+#, c-format
+msgid "Cannot format integrity for device %s."
+msgstr "Kan ikke formatere integritet for enheden %s."
+
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Kan ikke formatere enheden %s."
 
-#: lib/setup.c:1797
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "Kan ikke formatere LOOPAES uden enhed."
 
-#: lib/setup.c:1842
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "Kan ikke formatere VERITY uden enhed."
 
-#: lib/setup.c:1853 lib/verity/verity.c:106
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "VERITY-hashtypen %d er ikke understøttet."
 
-#: lib/setup.c:1859 lib/verity/verity.c:114
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "VERITY-blokstørrelse er ikke understøttet."
 
-#: lib/setup.c:1864 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "VERITY-hashforskydning er ikke understøttet."
 
-#: lib/setup.c:1869
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "VERITY FEC-forskydning er ikke understøttet."
 
-#: lib/setup.c:1893
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "Dataområde overlapper med hashområde."
 
-#: lib/setup.c:1918
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "Dataområde overlapper med FEC-område."
 
-#: lib/setup.c:1925
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "Dataområde overlapper med FEC-område."
 
-#: lib/setup.c:2130
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "ADVARSEL: Anmodte mærkestørrelse %d byte er forskellig fra %s størrelsesuddata (%d byte).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Der blev anmodt om ukendt crypt-enhedstype %s."
 
-#: lib/setup.c:2398 lib/setup.c:2470 lib/setup.c:2483
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Ikke understøttede parametre på enheden %s."
 
-#: lib/setup.c:2404 lib/setup.c:2489
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Parametre matcher ikke på enheden %s."
 
-#: lib/setup.c:2657
-msgid "Cannot resize loop device."
-msgstr "Kan ikke ændre størrelse på loop-enhed."
+#: lib/setup.c:2661
+msgid "Crypt devices mismatch."
+msgstr "Crypt-enheder er forskellige."
 
-#: lib/setup.c:2666
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
-msgid "Device %s size is not aligned to requested sector size (%u bytes)."
-msgstr "Enhedsstørrelsen for %s er ikke justeret til den anmodede sektorstørrelse (%u byte)."
+msgid "Failed to reload device %s."
+msgstr "Kunne ikke genindlæse enheden %s."
 
-#: lib/setup.c:2725
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
+#: lib/luks2/luks2_reencrypt.c:2032
+#, c-format
+msgid "Failed to suspend device %s."
+msgstr "Kunne ikke placere enheden %s i dvale."
+
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
+#, c-format
+msgid "Failed to resume device %s."
+msgstr "Kunne ikke genoptage enheden %s."
+
+#: lib/setup.c:2732
+#, c-format
+msgid "Fatal error while reloading device %s (on top of device %s)."
+msgstr "Der opstod en fatal fejl under genindlæsning af enheden %s (oven på enheden %s)."
+
+#: lib/setup.c:2735 lib/setup.c:2737
+#, c-format
+msgid "Failed to switch device %s to dm-error."
+msgstr "Kunne ikke skifte enheden %s til dm-error."
+
+#: lib/setup.c:2809
+msgid "Cannot resize loop device."
+msgstr "Kan ikke ændre størrelse på loop-enhed."
+
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "Ønsker du at ændre UUID for enhed?"
 
-#: lib/setup.c:2801
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Sikkerhedskopifilen indeholder ikke gyldige LUKS-teksthoveder."
 
-#: lib/setup.c:2900
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Diskenheden %s er ikke aktiv."
 
-#: lib/setup.c:2911
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Diskenheden %s er allerede suspenderet."
 
-#: lib/setup.c:2925
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Suspension er ikke understøttet for enheden %s."
 
-#: lib/setup.c:2927
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Fejl under suspension af enheden %s."
 
-#: lib/setup.c:2960 lib/setup.c:3027
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Diskenheden %s er ikke suspenderet."
 
-#: lib/setup.c:2989
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Genoptag er ikke understøttet for enheden %s."
 
-#: lib/setup.c:2991 lib/setup.c:3059
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Fejl under genoptagelse af enheden %s."
 
-#: lib/setup.c:3127 lib/setup.c:3315
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "Diskenhedsnøgle matcher ikke diskenheden."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Kan ikke tilføje nøgleplads, alle pladser er deaktiveret og ingen diskenhedsnøgle tilbudt."
 
-#: lib/setup.c:3267
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "Kunne ikke swappe ny nøgleplads."
 
-#: lib/setup.c:3432 lib/setup.c:3865 lib/setup.c:3878 lib/setup.c:3886
-#: lib/setup.c:3899 lib/setup.c:4198 lib/setup.c:5274
-msgid "Volume key does not match the volume."
-msgstr "Diskenhedsnøgle matcher ikke diskenheden."
-
-#: lib/setup.c:3453
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Nøglepladsen %d er ugyldig."
 
-#: lib/setup.c:3459
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
-msgid "Key slot %d is not used."
-msgstr "Nøglepladsen %d er ikke brugt."
+msgid "Keyslot %d is not active."
+msgstr "Nøglepladsen %d er ikke aktiv."
 
-#: lib/setup.c:3478
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "Enhedsteksthoved overlapper med dataområde."
 
-#: lib/setup.c:3684 lib/setup.c:3952
-msgid "Device type is not properly initialised."
+#: lib/setup.c:3981
+msgid "Reencryption in-progress. Cannot activate device."
+msgstr "Omkryptering er i gang. Kan ikke aktivere enhed."
+
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
+msgid "Failed to get reencryption lock."
+msgstr "Kunne ikke indhente omkrypteringslås."
+
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
+msgid "LUKS2 reencryption recovery failed."
+msgstr "LUKS2-omkrypteringsgendannelse mislykkedes."
+
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Enhedstypen er ikke ordentlig initialiseret."
 
-#: lib/setup.c:3726
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Kan ikke bruge enheden %s, navnet er ugyldigt eller stadig i brug."
 
-#: lib/setup.c:3729
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "Enheden %s findes allerede."
 
-#: lib/setup.c:3852
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Ukorrekt diskenhedsnøgle specificeret for ren enhed."
 
-#: lib/setup.c:3918
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "Ukorrekt roothash specificeret for verity-enhed."
 
-#: lib/setup.c:3995 lib/setup.c:4010
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Roothash-signatur er krævet."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Kernenøglering mangler: krævet for at sende signatur til kernen."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "Kunne ikke indlæse nøgle i kernenøglefil."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Enheden %s er stadig i brug."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Ugyldig enhed %s."
 
-#: lib/setup.c:4134
-msgid "Function not available in FIPS mode."
-msgstr "Funktion er ikke tilgængelig i FIPS-tilstand."
-
-#: lib/setup.c:4148
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "Diskenhedsnøglebuffer er for lille."
 
-#: lib/setup.c:4156
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Kan ikke indhente diskenhedsnøgle for ren enhed."
 
-#: lib/setup.c:4167
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Kan ikke hente roothash for verity-enhed."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Denne operation er ikke understøttet for %s crypt-enhed."
 
-#: lib/setup.c:4354
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "Dump-operation er ikke understøttet for denne enhedstype."
 
-#: lib/setup.c:4930
+#: lib/setup.c:5190
+#, c-format
+msgid "Data offset is not multiple of %u bytes."
+msgstr "Dataforskydning er ikke et multiplum af %u byte."
+
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Kan ikke konvertere enheden %s som stadig er i brug."
 
-#: lib/setup.c:5213
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Kunne ikke tildele nøglepladsen %u som den nye diskenhedsnøgle."
 
-#: lib/setup.c:5280
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Kunne ikke initialisere standardparametre for LUKS2-nøgleplads."
 
-#: lib/setup.c:5286
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Kunne ikke tildele nøglepladsen %d til sammendrag."
 
-#: lib/setup.c:5370
-msgid "Failed to load key in kernel keyring."
-msgstr "Kunne ikke indlæse nøgle i kernenøglefil."
-
-#: lib/setup.c:5425
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Kernenøglering er ikke understøttet af kernen."
 
-#: lib/setup.c:5435
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Kunne ikke læse adgangsfrase fra nøglering (fejl %d)."
 
-#: lib/utils.c:81
+#: lib/setup.c:6016
+msgid "Failed to acquire global memory-hard access serialization lock."
+msgstr "Kunne ikke indhente global adgangsserialiseringslås for memory-hard."
+
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "Kan ikke indhente procesprioritet."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "Kan ikke låse hukommelsen op."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "Kunne ikke åbne nøglefil."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "Kan ikke læse nøglefilen fra en terminal."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "Kunne ikke køre stat på nøglefil."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Kan ikke søge til anmodede nøglefilsforskydning."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Ikke nok hukommelse under læsning af adgangsfrase."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Der opstod en fejl under læsning af adgangsfrase."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "Intet at læse på inddata."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Nøglefilsstørrelsen er over maksimum."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "Kan ikke læse den anmodede datamængde."
 
-#: lib/utils_device.c:184 lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Enheden %s findes ikke eller adgang nægtet."
 
-#: lib/utils_device.c:194
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Enheden %s er ikke kompatibel."
 
-#: lib/utils_device.c:560
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Enheden %s er for lille. Kræver mindst %<PRIu64> byte."
 
-#: lib/utils_device.c:641
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Kan ikke bruge enheden %s som er i brug (allerede kortlagt eller monteret)."
 
-#: lib/utils_device.c:645
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Kan ikke bruge enheden %s, tilladelse nægtet."
 
-#: lib/utils_device.c:648
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Kan ikke indhente information om enheden %s."
 
-#: lib/utils_device.c:671
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Kan ikke bruge en loopback-enhed, kører som ikke-root bruger."
 
-#: lib/utils_device.c:681
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Vedhæftelse af loopback-enhed mislykkedes (loop-enhed med flaget autoclear er krævet)."
 
-#: lib/utils_device.c:727
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Anmodt forskydning er mere end den reelle størrelse for enheden %s."
 
-#: lib/utils_device.c:735
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Enheden %s har nul størrelse."
 
-#: lib/utils_device.c:746 lib/luks1/keyencryption.c:252
-#, c-format
-msgid "Device %s is too small."
-msgstr "Enheden %s er for lille."
-
 #: lib/utils_pbkdf.c:100
 msgid "Requested PBKDF target time cannot be zero."
 msgstr "Anmodede PBKDF-måltidspunkt kan ikke være nul."
@@ -617,35 +703,49 @@
 msgid "Requested PBKDF parallel threads cannot be zero."
 msgstr "Anmodede PBKDF parallelle tråde kan ikke være nul."
 
-#: lib/utils_benchmark.c:317
+#: lib/utils_pbkdf.c:184
+msgid "Only PBKDF2 is supported in FIPS mode."
+msgstr "Kun PBKDF2 er understøttet i FIPS-tilstand."
+
+#: lib/utils_benchmark.c:166
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr "PBKDF-sammenligning deaktiveret men iterationer er ikke angivet."
 
-#: lib/utils_benchmark.c:336
+#: lib/utils_benchmark.c:185
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr "Ikke kompatible PBKDF2-tilvalg (der bruger hash-algoritme %s)."
 
-#: lib/utils_benchmark.c:356
+#: lib/utils_benchmark.c:205
 msgid "Not compatible PBKDF options."
 msgstr "Ikke kompatible PBKDF2-tilvalg."
 
-#: lib/utils_device_locking.c:80
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Låsning afbrudt. Låsestien %s/%s kan ikke bruges (ikke en mappe eller mangler)."
 
-#: lib/utils_device_locking.c:87
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "ADVARSEL: Låsemappen %s/%s mangler!\n"
 
-#: lib/utils_device_locking.c:97
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Låsning afbrudt. Låsestien %s/%s kan ikke bruges (%s er ikke en mappe)."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
+msgid "Cannot seek to device offset."
+msgstr "Kan ikke søge til enhedsforskydning."
+
+#: lib/utils_wipe.c:208
+#, c-format
+msgid "Device wipe error, offset %<PRIu64>."
+msgstr "Sletningsfejl for enhed (wipe), forskydning %<PRIu64>."
+
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -654,17 +754,17 @@
 "Kunne ikke opsætte dm-crypt nøgleoversættelse for enheden %s.\n"
 "Kontroller at kernen understøtter krypteringsalgoritmen %s (kontroller syslog for yderligere information)."
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Nøglestørrelse i XTS-tilstand skal være 256- eller 512-bit."
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Specifikation for krypteringsalgoritme skal være i [cipher]-[mode]-[iv]-format."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:642 lib/luks1/keymanage.c:1079
-#: lib/luks2/luks2_json_metadata.c:1157 lib/luks2/luks2_keyslot.c:448
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Kan ikke skrive til enheden %s, tilladelse nægtet."
@@ -677,95 +777,97 @@
 msgid "Failed to access temporary keystore device."
 msgstr "Kunne ikke tilgå midlertidig nøglelagerenhed."
 
-#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:91
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "IO-fejl under kryptering af nøgleplads."
 
-#: lib/luks1/keyencryption.c:243 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:594 lib/luks1/keymanage.c:645 lib/tcrypt/tcrypt.c:663
-#: lib/verity/verity.c:81 lib/verity/verity.c:182 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1160
-#: src/cryptsetup_reencrypt.c:208
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
+#: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Kan ikke åbne enheden %s."
 
-#: lib/luks1/keyencryption.c:254 lib/luks2/luks2_keyslot_luks2.c:152
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "IO-fejl under dekryptering af nøgleplads."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Enheden %s er for lille. (LUKS1 kræver mindst %<PRIu64> byte.)"
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS-nøgleplads %u er ugyldig."
 
-#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:478
-#: lib/luks2/luks2_json_metadata.c:991 src/cryptsetup.c:1236
-#: src/cryptsetup.c:1355 src/cryptsetup.c:1412 src/cryptsetup.c:1468
-#: src/cryptsetup.c:1535 src/cryptsetup.c:1631 src/cryptsetup.c:1695
-#: src/cryptsetup.c:1855 src/cryptsetup.c:2044 src/cryptsetup.c:2104
-#: src/cryptsetup.c:2170 src/cryptsetup.c:2334 src/cryptsetup_reencrypt.c:1397
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Enheden %s er ikke en gyldig LUKS-enhed."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1010
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Den anmodede sikkerhedskopifil %s for teksthoveder findes allerede."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1012
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Kan ikke oprette sikkerhedskopifilen %s for teksthoveder."
 
-#: lib/luks1/keymanage.c:254 lib/luks2/luks2_json_metadata.c:1017
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Kan ikke skrive sikkerhedskopifilen %sf for teksthoveder."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1066
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Sikkerhedskopifilen indeholder ikke gyldige LUKS-teksthoveder."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:555
-#: lib/luks2/luks2_json_metadata.c:1087
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Kan ikke åbne sikkerhedskopifilen %s for teksthoveder."
 
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1093
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Kan ikke læse sikkerhedskopifilen %s for teksthoveder."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Dataforskydning eller nøglestørrelse er forskellige på enhed eller sikkerhedskopi, gendannelse mislykkedes."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Enheden %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "indeholder ikke LUKS-teksthoveder. Erstatning af teksthoved kan ødelægge data på den enhed."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "indeholder allerede LUKS-teksthoveder. Erstatning af teksthoveder vil ødelægge eksisterende nøglepladser."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1129
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -773,99 +875,105 @@
 "\n"
 "ADVARSEL: reel enhedsteksthoved har en anden UUID end sikkerhedskopien!"
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "Nøglestørrelsen følger ikke standarden, en manuel reparation er krævet."
 
-#: lib/luks1/keymanage.c:386
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Nøglepladsopstillingen følger ikke standarden, en manuel reparation er krævet."
 
-#: lib/luks1/keymanage.c:396
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Reparerer nøglepladser."
 
-#: lib/luks1/keymanage.c:415
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Nøgleplads %i: forskydning repareret (%u -> %u)."
 
-#: lib/luks1/keymanage.c:423
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Nøgleplads %i: striber (»stripes«) repareret (%u -> %u)."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Nøgleplads %i: falsk partitionssignatur."
 
-#: lib/luks1/keymanage.c:437
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Nøgleplads %i: salt ryddet."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "Skriver LUKS-teksthovedet til disken."
 
-#: lib/luks1/keymanage.c:459
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "Reparation mislykkedes."
 
-#: lib/luks1/keymanage.c:487 lib/luks1/keymanage.c:758
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Den anmodede LUKS-hash %s er ikke understøttet."
 
-#: lib/luks1/keymanage.c:515 src/cryptsetup.c:960
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "Ingen kendte problemer registreret for LUKS-teksthoved."
 
-#: lib/luks1/keymanage.c:667
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Fejl under opdatering af LUKS-teksthoved på enheden %s."
 
-#: lib/luks1/keymanage.c:676
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Fejl under genlæsning af LUKS-teksthoved efter opdatering på enheden %s."
 
-#: lib/luks1/keymanage.c:752
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Dataforskydning for LUKS-teksthoved skal være enten 0 eller større end teksthovedstørrelse."
 
-#: lib/luks1/keymanage.c:763 lib/luks1/keymanage.c:828
-#: lib/luks2/luks2_json_format.c:207 lib/luks2/luks2_json_metadata.c:909
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "Forkert LUKS UUID-format anført."
 
-#: lib/luks1/keymanage.c:786
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Kan ikke oprette LUKS-teksthoved: læsning af vilkårlig salt mislykkedes."
 
-#: lib/luks1/keymanage.c:807
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Kan ikke oprette LUKS-teksthoved: Teksthovedsammendrag mislykkedes (bruger hash %s)."
 
-#: lib/luks1/keymanage.c:851
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Nøgleplads %d aktiv, nulstil (purge) den først."
 
-#: lib/luks1/keymanage.c:857
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Nøgleplads %d-materiale inkluderer for få striber (»stribes«). Teksthovedmanipulering?"
 
-#: lib/luks1/keymanage.c:1065
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Kan ikke åbne nøgleplads (der bruger hash %s)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Nøgleplads %d er ugyldig, vælg nøgleplads mellem 0 og %d."
 
-#: lib/luks1/keymanage.c:1083 lib/luks2/luks2_keyslot.c:452
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Kan ikke rydde enheden %s."
@@ -883,97 +991,189 @@
 msgstr "Ikke kompatibel loop-AES-nøglefil registreret."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Kerne understøtter ikke loop-AES-kompatibel oversættelse."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Fejl under læsning af nøglefilen %s."
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Den maksimale længde for TCRYPT-adgangsfrasen (%d) er overskredet."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Den maksimale længde for TCRYPT-adgangsfrasen (%zu) er overskredet."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "PBKDF2-hashalgoritmen %s er ikke tilgængelig, udelader."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:915
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "Krævet kernegrænseflade for crypto er ikke tilgængelig."
 
-#: lib/tcrypt/tcrypt.c:606 src/cryptsetup.c:917
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Sikr dig at du har kernemodulet algif_skcipher indlæst."
 
-#: lib/tcrypt/tcrypt.c:746
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivering er endnu ikke understøttet for %d sektorstørrelse."
 
-#: lib/tcrypt/tcrypt.c:752
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Kerne understøtter ikke aktivering for denne TCRYPT legacy-tilstand."
 
-#: lib/tcrypt/tcrypt.c:786
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Aktivering af TCRYPT-systemkryptering for partition %s."
 
-#: lib/tcrypt/tcrypt.c:864
-msgid "Kernel doesn't support TCRYPT compatible mapping."
-msgstr "Kerne undersøtter ikke TCRYPT-kompatibel oversættelse."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
+msgstr "Kerne understøtter ikke TCRYPT-kompatibel oversættelse."
 
-#: lib/tcrypt/tcrypt.c:1085
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Denne funktion er ikke understøttet uden TCRYPT-teksthovedindlæsning."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:175
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Uventet metadataindgangstype »%u« fundet da understøttet Volume Master Key blev fortolket."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Ugyldig streng fundet da Volume Master Key blev fortolket."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Uventet streng (»%s«) fundet da Volume Master Key blev fortolket."
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Uventet metadataindgangsværdi »%u« fundet da Volume Master Key blev fortolket."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Kunne ikke læse BITLK-signatur fra %s."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK version 1 er i øjeblikket ikke understøttet."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Ugyldig eller ukendt opstartssignatur for BITLK-enhed."
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Ugyldig eller ukendt signatur for BITLK-enhed."
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Kunne ikke læse BITLK-teksthoved fra %s."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Kunne ikke læse BITLK FVE-metadata fra %s."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Ukendt eller ikke understøttet krypteringstype."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Kunne ikke læse BITLK-metadataposter fra %s."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Denne operation er ikke understøttet."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Forkert nøglestørrelse."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Denne BITLK-enhed er i en ikkeunderstøttet tilstand og kan ikke aktiveres."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "BITLK-enheder med typen »%s« kan ikke aktiveres."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Aktivering af delvist dekrypteret BITLK-enhed er ikke understøttet."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Kan ikke aktivere enhed, kernel dm-crypt mangler understøttelse for BITLK IV."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Kan ikke aktivere enhed, kernen dm-crypt mangler understøttelse for BITLK Elephant diffuser."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Verity device %s does not use on-disk header."
 msgstr "Verity-enheden %s bruger ikke on-disk-teksthoved."
 
-#: lib/verity/verity.c:94
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Enheden %s er ikke en gyldig VERITY-enhed."
 
-#: lib/verity/verity.c:101
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Ikke understøttet VERITY-version %d."
 
-#: lib/verity/verity.c:132
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "VERITY-teksthovedet er ødelagt."
 
-#: lib/verity/verity.c:169
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Forkert VERITY UUID-format indeholdt på enheden %s."
 
-#: lib/verity/verity.c:202
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Fejl under opdatering af verity-teksthoved på enheden %s."
 
-#: lib/verity/verity.c:266
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "Roothash-signaturverifikation er ikke understøttet."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Fejl kan ikke repareres med FEC-enhed."
 
-#: lib/verity/verity.c:268
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Fandt %u fejl der kan repareres med FEC-enhed."
 
-#: lib/verity/verity.c:306
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "Kerne understøtter ikke dm-verity-oversættelse."
 
-#: lib/verity/verity.c:317
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Kerne understøtter ikke dm-verity-signaturtilvalg."
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "Verity-enheden registrerede korruption efter aktivering."
 
@@ -982,95 +1182,105 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Ledigt område nulstilles ikke (»not zeroed«) på position %<PRIu64>."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Forskydningsoverløb for enhed."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Verificering mislykkedes på position %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Ugyldig størrelse for parametre for verity-enhed."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Hashområdeoverløb."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Verifikation af dataområde mislykkedes."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Verifikation af root-hash mislykkedes."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Inddata/uddata-fejl under oprettelse af hash-område."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "Oprettelse af hash-område mislykkedes."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ADVARSEL: Kerne kan ikke aktivere enhed hvis dataenes blokstørrelse er større end sidestørrelsen (%u)."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Kunne ikke allokere RS-kontekst."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "Kunne ikke allokere buffer."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Kunne ikke læse RS-blok %<PRIu64> byte %d."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Kunne ikke læse paritet for RS-blok %<PRIu64>."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Kunne ikke reparere paritet for blok %<PRIu64>."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Kunne ikke skrive paritet for RS-blok %<PRIu64>.."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Blokstørrelser skal matche for FEC."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Ugyldigt antal paritetsbyte."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Kunne ikke bestemme størrelsen på enheden %s."
 
-#: lib/integrity/integrity.c:239 lib/integrity/integrity.c:304
-msgid "Kernel doesn't support dm-integrity mapping."
-msgstr "Kerne understøtter ikke dm-verity-oversættelse."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
+msgstr "Kerne understøtter ikke dm-integrity-oversættelse."
+
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Kerne understøtter ikke dm-integrity fast metadatajustering."
 
-#: lib/luks2/luks2_disk_metadata.c:413
-msgid "Failed to acquire write device lock."
-msgstr "Kunne ikke indhente skrivelås for enheden."
+#: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
+#: lib/luks2/luks2_json_metadata.c:1244
+#, c-format
+msgid "Failed to acquire write lock on device %s."
+msgstr "Kunne ikke indhente skrivelås på enheden %s."
+
+#: lib/luks2/luks2_disk_metadata.c:392
+msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
+msgstr "Registreret forsøg på samtidig LUKS2-metadataopdering. Afbryder operation."
 
-#: lib/luks2/luks2_disk_metadata.c:654 lib/luks2/luks2_disk_metadata.c:675
+#: lib/luks2/luks2_disk_metadata.c:691 lib/luks2/luks2_disk_metadata.c:712
 msgid ""
 "Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
 "Please run \"cryptsetup repair\" for recovery."
@@ -1078,60 +1288,49 @@
 "Enhed indeholder tvetydige signaturer, kan ikke gendanne LUKS2 automatisk.\n"
 "Kør venligst »cryptsetup repair« for gendannelse."
 
-#: lib/luks2/luks2_json_format.c:99
-msgid "No space for new keyslot."
-msgstr "Ingen plads for ny nøgleplads."
-
-#: lib/luks2/luks2_json_format.c:158
+#: lib/luks2/luks2_json_format.c:227
 msgid "Requested data offset is too small."
 msgstr "Forespurgte dataforskydning er for lille."
 
-#: lib/luks2/luks2_json_format.c:195
+#: lib/luks2/luks2_json_format.c:271
 #, c-format
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ADVARSEL: nøglepladsområde (%<PRIu64> byte) er meget lille, tilgængelige LUKS2-nøglepladsantal er meget begrænset.\n"
 
-#: lib/luks2/luks2_json_metadata.c:866 lib/luks2/luks2_json_metadata.c:982
-#: lib/luks2/luks2_json_metadata.c:1055 lib/luks2/luks2_keyslot_luks2.c:105
-#: lib/luks2/luks2_keyslot_luks2.c:128
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Kunne ikke indhente læselås på enheden %s."
 
-#: lib/luks2/luks2_json_metadata.c:878 lib/luks2/luks2_json_metadata.c:1149
-#: lib/luks2/luks2_keyslot.c:431 lib/luks2/luks2_keyslot_luks2.c:40
-#: lib/luks2/luks2_keyslot_luks2.c:69
-#, c-format
-msgid "Failed to acquire write lock on device %s."
-msgstr "Kunne ikke indhente skrivelås på enheden %s."
-
-#: lib/luks2/luks2_json_metadata.c:1072
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Forbudt LUKS2-krav registreret i sikkerhedskopien %s."
 
-#: lib/luks2/luks2_json_metadata.c:1113
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Dataforskydning er forskellig på enhed eller sikkerhedskopi, gendannelse mislykkedes."
 
-#: lib/luks2/luks2_json_metadata.c:1119
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Binær teksthoved med nøglepladsområdestørrelse er forskellige på enhed eller sikkerhedskopi, gendannelse mislykkedes."
 
-#: lib/luks2/luks2_json_metadata.c:1126
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Enheden %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1127
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "indeholder ikke LUKS2-teksthoveder. Erstatning af teksthoved kan ødelægge data på den enhed."
 
-#: lib/luks2/luks2_json_metadata.c:1128
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "indeholder allerede LUKS2-teksthoveder. Erstatning af teksthoveder vil ødelægge eksisterende nøglepladser."
 
-#: lib/luks2/luks2_json_metadata.c:1130
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1141,7 +1340,7 @@
 "ADVARSEL: Ukendte LUKS2-krav registreret i reel enhedsteksthoved!\n"
 "Erstatning af teksthoved med sikkerhedskopi kan ødelægge data på den enhed!"
 
-#: lib/luks2/luks2_json_metadata.c:1132
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1151,77 +1350,335 @@
 "ADVARSEL: Ufærdig frakoblet omkryptering registreret på enheden!\n"
 "Erstatning af teksthoved med sikkerhedskopi kan ødelægge data."
 
-#: lib/luks2/luks2_json_metadata.c:1234
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Ignorerede ukendt flag %s."
 
-#: lib/luks2/luks2_json_metadata.c:1869
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
+#, c-format
+msgid "Missing key for dm-crypt segment %u"
+msgstr "Manglende nøgle for dm-crypt-segmentet %u"
+
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
+msgid "Failed to set dm-crypt segment."
+msgstr "Kunne ikke angive dm-crypt-segmentet."
+
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
+msgid "Failed to set dm-linear segment."
+msgstr "Kunne ikke angive dm-linear-segmentet."
+
+#: lib/luks2/luks2_json_metadata.c:2155
+msgid "Unsupported device integrity configuration."
+msgstr "Ikke understøttet konfiguration for enhedsintegritet."
+
+#: lib/luks2/luks2_json_metadata.c:2236
+msgid "Reencryption in-progress. Cannot deactivate device."
+msgstr "Omkryptering i gang. Kan ikke deaktivere enhed."
+
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
+#, c-format
+msgid "Failed to replace suspended device %s with dm-error target."
+msgstr "Kunne ikke erstatte enheden %s i dvale med dm-error-mål."
+
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "Kunne ikke læse LUKS2-krav."
 
-#: lib/luks2/luks2_json_metadata.c:1876
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Uopfyldte LUKS2-krav registreret."
 
-#: lib/luks2/luks2_json_metadata.c:1884
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Frakoblet omkryptering i gang. Afbryder."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Operation er ikke kompatibel med enhed markeret for forældet omkryptering. Afbryder."
 
-#: lib/luks2/luks2_luks1_convert.c:474
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Operation er ikke kompatibel med enhed markeret for LUKS2-omkryptering. Afbryder."
+
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
+msgid "Not enough available memory to open a keyslot."
+msgstr "Ikke nok hukommelse tilgængelig til at åbne en nøgleplads."
+
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
+msgid "Keyslot open failed."
+msgstr "Åbning af nøgleplads mislykkedes."
+
+#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
 #, c-format
-msgid "Can not check status of device with uuid: %s."
+msgid "Cannot use %s-%s cipher for keyslot encryption."
+msgstr "Kan ikke brug %s-%s-krypteringsalgoritmen til nøglepladskryptering."
+
+#: lib/luks2/luks2_keyslot_luks2.c:480
+msgid "No space for new keyslot."
+msgstr "Ingen plads for ny nøgleplads."
+
+#: lib/luks2/luks2_luks1_convert.c:482
+#, c-format
+msgid "Cannot check status of device with uuid: %s."
 msgstr "Kan ikke kontrollere status for enheden med uuid: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:500
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Kan ikke konvertere teksthoved med yderligere metadata for LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:537
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Kan ikke flytte nøglepladsområde. Ikke nok plads."
 
-#: lib/luks2/luks2_luks1_convert.c:577 lib/luks2/luks2_luks1_convert.c:854
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Kan ikke flytte nøglepladsområde. LUKS2-nøglepladsområdet er for lille."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Kan ikke flytte nøglepladsområde."
 
-#: lib/luks2/luks2_luks1_convert.c:672
+#: lib/luks2/luks2_luks1_convert.c:697
+msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
+msgstr "Kan ikke konvertere til LUKS1-format - krypteringssektorstørrelsen for standardsegmenter er ikke 512 byte."
+
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Kan ikke konverterer til LUKS1-format - nøglepladssammendrag er ikke LUKS1-kompatibel."
 
-#: lib/luks2/luks2_luks1_convert.c:684
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr ""
 "Kan ikke konverterer til LUKS1-format - enheden bruger omsluttet\n"
 "nøglekrypteringsalgoritme %s."
 
-#: lib/luks2/luks2_luks1_convert.c:692
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr ""
 "Kan ikke konverterer til LUKS1-format - LUKS2-teksthoved indeholder\n"
 "%u symboler (tokens)."
 
-#: lib/luks2/luks2_luks1_convert.c:706
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Kan ikke konvertere til LUKS1-format - nøgleplads %u er i ugyldig tilstand."
 
-#: lib/luks2/luks2_luks1_convert.c:711
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr ""
 "Kan ikke konverterer til LUKS1-format - plads %u (over maksimalt antal pladser)\n"
 "er stadig aktiv."
 
-#: lib/luks2/luks2_luks1_convert.c:716
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr ""
 "Kan ikke konvertere til LUKS1-format - nøglepladsen %u er ikke\n"
 "LUKS1-kompatibel."
 
+#: lib/luks2/luks2_reencrypt.c:892
+#, c-format
+msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Hotzonestørrelsen skal være et multiplum af beregnet zonejustering (%zu byte)."
+
+#: lib/luks2/luks2_reencrypt.c:897
+#, c-format
+msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Enhedsstørrelsen skal være et multiplum af beregnet zonejustering (%zu byte)."
+
+#: lib/luks2/luks2_reencrypt.c:941
+#, c-format
+msgid "Unsupported resilience mode %s"
+msgstr "Resilience-tilstanden %s er ikke understøttet"
+
+#: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
+#: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
+#: lib/luks2/luks2_reencrypt.c:3030
+msgid "Failed to initialize old segment storage wrapper."
+msgstr "Kunne ikke initialisere gammelt lageromslag for segmentet."
+
+#: lib/luks2/luks2_reencrypt.c:1172 lib/luks2/luks2_reencrypt.c:1291
+msgid "Failed to initialize new segment storage wrapper."
+msgstr "Kunne ikke initialisere nyt lageromslag for segmentet."
+
+#: lib/luks2/luks2_reencrypt.c:1340
+msgid "Failed to read checksums for current hotzone."
+msgstr "Kunne ikke læse kontrolsummer for nuværende hotzone."
+
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
+#, c-format
+msgid "Failed to read hotzone area starting at %<PRIu64>."
+msgstr "Kunne ikke læse hotzone-område startende på %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:1366
+#, c-format
+msgid "Failed to decrypt sector %zu."
+msgstr "Kunne ikke dekryptere sektor %zu."
+
+#: lib/luks2/luks2_reencrypt.c:1372
+#, c-format
+msgid "Failed to recover sector %zu."
+msgstr "Kunne ikke gendanne sektor %zu."
+
+#: lib/luks2/luks2_reencrypt.c:1867
+#, c-format
+msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
+msgstr "Størrelsen på kilde- og målenhed er forskellig. Kilde %<PRIu64>, mål: %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:1965
+#, c-format
+msgid "Failed to activate hotzone device %s."
+msgstr "Kunne ikke køre aktivere hotzone-enheden %s."
+
+#: lib/luks2/luks2_reencrypt.c:1982
+#, c-format
+msgid "Failed to activate overlay device %s with actual origin table."
+msgstr "Kunne ikke aktivere overlagsenheden %s med faktiske origin-tabel."
+
+#: lib/luks2/luks2_reencrypt.c:1989
+#, c-format
+msgid "Failed to load new mapping for device %s."
+msgstr "Kunne ikke indlæse ny oversættelse for enheden %s."
+
+#: lib/luks2/luks2_reencrypt.c:2060
+msgid "Failed to refresh reencryption devices stack."
+msgstr "Kunne ikke opdatere omkrypteringsenhedsstakken."
+
+#: lib/luks2/luks2_reencrypt.c:2216
+msgid "Failed to set new keyslots area size."
+msgstr "Kunne ikke angive områdestørrelse for nye nøglepladser."
+
+#: lib/luks2/luks2_reencrypt.c:2318
+#, c-format
+msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)."
+msgstr "Dataflytning er ikke justeret til den anmodede krypteringssektorstørrelse (%<PRIu32> byte)."
+
+#: lib/luks2/luks2_reencrypt.c:2339
+#, c-format
+msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)."
+msgstr "Datanhed er ikke justeret til den anmodede krypteringssektorstørrelse (%<PRIu32> byte)."
+
+#: lib/luks2/luks2_reencrypt.c:2360
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr "Dataskift (%<PRIu64> sektorer) er mindre end fremtidig dataforskydning (%<PRIu64> sektorer)."
+
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
+#, c-format
+msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
+msgstr "Kan ikke åbne %s i eksklusiv tilstand (allerede kortlagt eller monteret)."
+
+#: lib/luks2/luks2_reencrypt.c:2534
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Enhed er ikke markeret for LUKS2-omkryptering."
+
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
+msgid "Failed to load LUKS2 reencryption context."
+msgstr "Kunne ikke indlæse LUKS2-omkrypteringskontekst."
+
+#: lib/luks2/luks2_reencrypt.c:2619
+msgid "Failed to get reencryption state."
+msgstr "Kunne ikke indhente omkrypteringstilstand."
+
+#: lib/luks2/luks2_reencrypt.c:2623
+msgid "Device is not in reencryption."
+msgstr "Enheden er ikke under omkryptering."
+
+#: lib/luks2/luks2_reencrypt.c:2630
+msgid "Reencryption process is already running."
+msgstr "Omkrypteringsproces er allerede i gang."
+
+#: lib/luks2/luks2_reencrypt.c:2632
+msgid "Failed to acquire reencryption lock."
+msgstr "Kunne ikke indhente omkrypteringslås."
+
+#: lib/luks2/luks2_reencrypt.c:2650
+msgid "Cannot proceed with reencryption. Run reencryption recovery first."
+msgstr "Kan ikke fortsætte med omkryptering. Kør omkrypteringsgendannelse først."
+
+#: lib/luks2/luks2_reencrypt.c:2750
+msgid "Active device size and requested reencryption size don't match."
+msgstr "Aktiv enhedsstørrelse og anmodet sektorstørrelse er forskellige."
+
+#: lib/luks2/luks2_reencrypt.c:2764
+msgid "Illegal device size requested in reencryption parameters."
+msgstr "Ugyldig enhedsstørrelse i omkrypteringsparametrene."
+
+#: lib/luks2/luks2_reencrypt.c:2834
+msgid "Reencryption in-progress. Cannot perform recovery."
+msgstr "Omkryptering er i gang. Kan ikke udføre gendannelse."
+
+#: lib/luks2/luks2_reencrypt.c:2906
+msgid "LUKS2 reencryption already initialized in metadata."
+msgstr "LUKS2-omkryptering er allerede initialiseret i metadata."
+
+#: lib/luks2/luks2_reencrypt.c:2913
+msgid "Failed to initialize LUKS2 reencryption in metadata."
+msgstr "Kunne ikke initialisere LUKS2-omkryptering i metadata."
+
+#: lib/luks2/luks2_reencrypt.c:3004
+msgid "Failed to set device segments for next reencryption hotzone."
+msgstr "Kunne ikke angive enhedssegmenter for næste omkrypteringshotzone."
+
+#: lib/luks2/luks2_reencrypt.c:3046
+msgid "Failed to write reencryption resilience metadata."
+msgstr "Kunne ikke skrive resilience-metadata for omkryptering."
+
+#: lib/luks2/luks2_reencrypt.c:3053
+msgid "Decryption failed."
+msgstr "Dekryptering mislykkedes."
+
+#: lib/luks2/luks2_reencrypt.c:3058
+#, c-format
+msgid "Failed to write hotzone area starting at %<PRIu64>."
+msgstr "Kunne ikke skrive hotzoneområde startende på %<PRIu64>."
+
+#: lib/luks2/luks2_reencrypt.c:3063
+msgid "Failed to sync data."
+msgstr "Kunne ikke synkronisere data."
+
+#: lib/luks2/luks2_reencrypt.c:3071
+msgid "Failed to update metadata after current reencryption hotzone completed."
+msgstr "Kunne ikke opdatere metadata efter nuværende omkrypteringshotzone var fuldført."
+
+#: lib/luks2/luks2_reencrypt.c:3138
+msgid "Failed to write LUKS2 metadata."
+msgstr "Kunne ikke skrive LUKS2-metadata."
+
+#: lib/luks2/luks2_reencrypt.c:3161
+msgid "Failed to wipe backup segment data."
+msgstr "Kunne ikke rydde segmentdata for sikkerhedskopien."
+
+#: lib/luks2/luks2_reencrypt.c:3174
+msgid "Failed to disable reencryption requirement flag."
+msgstr "Kunne ikke deaktivere kravflag for omkrypteringen."
+
+#: lib/luks2/luks2_reencrypt.c:3182
+#, c-format
+msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
+msgstr "Der opstod en fatal fejl under omkryptering af kodestump startende på %<PRIu64>, %<PRIu64> sektorer i alt."
+
+#: lib/luks2/luks2_reencrypt.c:3191
+msgid "Do not resume the device unless replaced with error target manually."
+msgstr "Genaktiver ikke enheden med mindre erstattet med fejlmål manuelt."
+
+#: lib/luks2/luks2_reencrypt.c:3240
+msgid "Cannot proceed with reencryption. Unexpected reencryption status."
+msgstr "Kan ikke fortsætte med omkryptering. Uventet omkrypteringsstatus."
+
+#: lib/luks2/luks2_reencrypt.c:3246
+msgid "Missing or invalid reencrypt context."
+msgstr "Manglende eller ugyldig omkrypteringskontekst."
+
+#: lib/luks2/luks2_reencrypt.c:3253
+msgid "Failed to initialize reencryption device stack."
+msgstr "Kunne ikke initialisere enhedsstak for omkryptering."
+
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
+msgid "Failed to update reencryption context."
+msgstr "Kunne ikke opdatere omkrypteringskontekst."
+
 #: lib/luks2/luks2_token.c:262
 msgid "No free token slot."
 msgstr "Ingen frie symbolpladser."
@@ -1231,62 +1688,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Kunne ikke oprette indbygget symbol %s."
 
-#: src/cryptsetup.c:141
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Kan ikke udføre verificering af adgangsfrase på ikke-tty-inddata."
 
-#: src/cryptsetup.c:182
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametre til kryptering af nøgleplads kan kun angives for LUKS2-enhed."
 
-#: src/cryptsetup.c:212 src/cryptsetup.c:849 src/cryptsetup.c:1088
-#: src/cryptsetup_reencrypt.c:749 src/cryptsetup_reencrypt.c:814
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Ikke kendt specifikationsmønster for krypteringsalgoritme registreret."
 
-#: src/cryptsetup.c:220
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ADVARSEL: Parameteren --hash bliver ignoreret i ren (plain) tilstand med nøglefil specificeret.\n"
 
-#: src/cryptsetup.c:228
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ADVARSEL: Tilvalget --keyfile-size bliver ignoreret, læsestørrelsen er den samme som størrelsen for krypteringsnøglen.\n"
 
-#: src/cryptsetup.c:268
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Registrerede enhedssignaturer på %s. Videre behandling kan beskadige eksisterende data."
 
-#: src/cryptsetup.c:274 src/cryptsetup.c:969 src/cryptsetup.c:1065
-#: src/cryptsetup.c:1138 src/cryptsetup.c:1763 src/integritysetup.c:230
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Operation afbrudt.\n"
 
-#: src/cryptsetup.c:342
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Tilvalget --key-file er krævet."
 
-#: src/cryptsetup.c:395
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Indtast VeraCrypt-PIM: "
 
-#: src/cryptsetup.c:404
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Ugyldig PIM-værdi: fortolkningsfejl."
 
-#: src/cryptsetup.c:407
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Ugyldig PIM-værdi: 0."
 
-#: src/cryptsetup.c:410
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Ugyldig PIM-værdi: uden for interval."
 
-#: src/cryptsetup.c:433
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "Intet enhedsteksthoved registreret med denne adgangsfrase."
 
-#: src/cryptsetup.c:495 src/cryptsetup.c:1790
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Enheden %s er ikke en gyldig BITLK-enhed."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1296,72 +1760,88 @@
 "som giver adgang til krypteret partition uden adgangsfrase.\n"
 "Dette dump bør altid lagres krypteret et sikkert sted."
 
-#: src/cryptsetup.c:574
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Enheden %s er stadig aktiv og planlagt til udskudt fjernelse.\n"
 
-#: src/cryptsetup.c:602
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Ændring af størrelse på aktiv enhed kræver diskenhedsnøgle i nøglering men tilvalget --disable-keyring er ikke angivet."
 
-#: src/cryptsetup.c:727
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Sammenligning afbrudt."
 
-#: src/cryptsetup.c:748
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     -\n"
 
-#: src/cryptsetup.c:750
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iterationer per sekund for %zu-bit nøgle\n"
 
-#: src/cryptsetup.c:764
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s .\n"
 
-#: src/cryptsetup.c:766
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iterationer, %5u hukommelse, %1u parallelle tråde (CPU'er) for %zu-bit nøgle (anmodet %u ms time)\n"
 
-#: src/cryptsetup.c:790
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Sammenligningens resultat er ikke troværdigt."
 
-#: src/cryptsetup.c:841
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Test bruger kun hukommelse omtrentlig (ingen lager-IO).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:875
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algoritme |     Nøgle |      Kryptering |    Dekryptering\n"
 
-#: src/cryptsetup.c:879
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Krypteringsalgoritmen %s er ikke tilgængelig."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:899
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algoritme |       Nøgle |    Kryptering |    Dekryptering\n"
 
-#: src/cryptsetup.c:908
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "-"
 
-#: src/cryptsetup.c:968
+#: src/cryptsetup.c:1094
+msgid ""
+"Seems device does not require reencryption recovery.\n"
+"Do you want to proceed anyway?"
+msgstr ""
+"Ser ud til at enheden ikke kræver omkrypteringsgendannelse.\n"
+"Ønsker du at fortsætte alligevel?"
+
+#: src/cryptsetup.c:1100
+msgid "Really proceed with LUKS2 reencryption recovery?"
+msgstr "Fortsæt med LUKS2-omkrypteringsgendannelse?"
+
+#: src/cryptsetup.c:1109
+msgid "Enter passphrase for reencryption recovery: "
+msgstr "Indtast adgangsfrase for omkrypteringsgendannelse: "
+
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Skal LUKS-enhedsteksthovedet forsøges repareres?"
 
-#: src/cryptsetup.c:984 src/integritysetup.c:144
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1369,133 +1849,127 @@
 "Rydder enhed for at initialisere integritetskontrolsum.\n"
 "Du kan afbryde dette ved at trykke på CTRL+c (resten af ikke ryddet enhed vil indeholder ugyldig kontrolsum).\n"
 
-#: src/cryptsetup.c:1006 src/integritysetup.c:166
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Kan ikke deaktivere midlertidig enhed %s."
 
-#: src/cryptsetup.c:1050
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Integritetstilvalg kan kun bruges for LUKS2-format."
 
-#: src/cryptsetup.c:1055 src/cryptsetup.c:1115
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Indstillinger for LUKS2-metadatastørrelse er ikke understøttet."
 
-#: src/cryptsetup.c:1072
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Kan ikke oprette teksthovedfilen %s."
 
-#: src/cryptsetup.c:1095 src/integritysetup.c:192 src/integritysetup.c:201
-#: src/integritysetup.c:210 src/integritysetup.c:276 src/integritysetup.c:285
-#: src/integritysetup.c:295
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Ikke kendt specifikationsmønster for krypteringsalgoritme registreret."
 
-#: src/cryptsetup.c:1108
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Kan ikke bruge %s på on-disk-teksthoved."
 
-#: src/cryptsetup.c:1132 src/integritysetup.c:224
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Dette vil uigenkaldeligt overskrive data på %s."
 
-#: src/cryptsetup.c:1173 src/cryptsetup.c:1484 src/cryptsetup.c:1551
-#: src/cryptsetup.c:1646 src/cryptsetup.c:1712
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Kunne ikke angive pbkdf-parametre."
 
-#: src/cryptsetup.c:1242
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Reduceret dataforskydning er kun tilladt for frakoblet LUKS-teksthoved."
 
-#: src/cryptsetup.c:1284
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
+msgstr "Kan ikke bestemme nøglestørrelsen på diskenheden for LUKS uden nøglepladser, brug venligst tilvalget --key-size."
+
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "Enhed aktiveret men kan ikke gøre flag vedvarende."
 
-#: src/cryptsetup.c:1365
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Nøgleplads %d valgt for sletning."
 
-#: src/cryptsetup.c:1368 src/cryptsetup.c:1706
-#, c-format
-msgid "Keyslot %d is not active."
-msgstr "Nøglepladsen %d er ikke aktiv."
-
-#: src/cryptsetup.c:1377 src/cryptsetup.c:1438
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Dette er den sidste nøgleplads. Enheden vil blive ubrugelig efter fjernelse af denne nøgle."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Indtast en eventuel tilbageværende adgangsfrase: "
 
-#: src/cryptsetup.c:1379 src/cryptsetup.c:1440
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operation afbrudt, nøglepladsen var IKKE ryddet.\n"
 
-#: src/cryptsetup.c:1417
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Indtast adgangsfrase som skal slettes: "
 
-#: src/cryptsetup.c:1435
-#, c-format
-msgid "Key slot %d selected for deletion."
-msgstr "Nøgleplads %d valgt for sletning."
-
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1565 src/cryptsetup.c:1599
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Indtast ny adgangsfrase for nøgleplads: "
 
-#: src/cryptsetup.c:1582 src/cryptsetup_reencrypt.c:1352
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Indtast en eventuel eksisterende adgangsfrase: "
 
-#: src/cryptsetup.c:1650
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Indtast adgangsfrase som skal ændres: "
 
-#: src/cryptsetup.c:1666 src/cryptsetup_reencrypt.c:1338
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Indtast ny adgangsfrase: "
 
-#: src/cryptsetup.c:1716
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Indtast adgangsfrase for nøgleplads til konvertering: "
 
-#: src/cryptsetup.c:1740
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Kun et enhedsargument for isLuks-operation er understøttet."
 
-#: src/cryptsetup.c:1924 src/cryptsetup.c:1945
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "Tilvalget --header-backup-file er krævet."
 
-#: src/cryptsetup.c:1975
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s er ikke en cryptsetup-håndteret enhed."
 
-#: src/cryptsetup.c:1986
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Opdater er ikke understøttet for enhedstypen %s"
 
-#: src/cryptsetup.c:2024
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Metadataenhedstypen %s blev ikke genkendt."
 
-#: src/cryptsetup.c:2027
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "Kommandoen kræver enhedsnavn og oversat navn som argumenter."
 
-#: src/cryptsetup.c:2049
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1504,213 +1978,336 @@
 "Denne operation vil slette alle nøglepladser på enheden %s.\n"
 "Enheden vil blive ubrugelig efter denne operation."
 
-#: src/cryptsetup.c:2056
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operation afbrudt, nøglepladser blev IKKE fjernet (wiped).\n"
 
-#: src/cryptsetup.c:2093
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Ugyldig LUKS-type, kun luks1 og luks2 er understøttet."
 
-#: src/cryptsetup.c:2111
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "Enheden er allerede %s-type."
 
-#: src/cryptsetup.c:2116
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Denne operation vil konvertere %s til %s-format.\n"
 
-#: src/cryptsetup.c:2122
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operation afbrudt, enheden blev IKKE konverteret.\n"
 
-#: src/cryptsetup.c:2162
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Tilvalget --priority, --label eller --subsystem mangler."
 
-#: src/cryptsetup.c:2196 src/cryptsetup.c:2229 src/cryptsetup.c:2252
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Symbolet %d er ugyldigt."
 
-#: src/cryptsetup.c:2199 src/cryptsetup.c:2255
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "Symbolet %d er i brug."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Kunne ikke tilføje luks2-keyringsymbolet %d."
 
-#: src/cryptsetup.c:2215 src/cryptsetup.c:2277
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Kunne ikke tildele symbolet %d til nøglepladsen %d."
 
-#: src/cryptsetup.c:2232
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Symbolet %d er ikke i brug."
 
-#: src/cryptsetup.c:2267
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "Kunne ikke importere symbol fra fil."
 
-#: src/cryptsetup.c:2292
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Kunne ikke indhente symbolet %d for eksport."
 
-#: src/cryptsetup.c:2307
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "parameteren --key-description er obligatorisk for symbol tilføj-handling."
 
-#: src/cryptsetup.c:2313 src/cryptsetup.c:2321
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Handling kræver specifik symbol. Brug parameteren --token-id."
 
-#: src/cryptsetup.c:2326
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Ugyldig symboloperation %s."
 
-#: src/cryptsetup.c:2366
+#: src/cryptsetup.c:2607
+#, c-format
+msgid "Auto-detected active dm device '%s' for data device %s.\n"
+msgstr "Automatisk registreret aktiv dm-enhed »%s« for dataenheden %s.\n"
+
+#: src/cryptsetup.c:2611
+#, c-format
+msgid "Device %s is not a block device.\n"
+msgstr "Enheden %s er ikke en blokenhed.\n"
+
+#: src/cryptsetup.c:2613
+#, c-format
+msgid "Failed to auto-detect device %s holders."
+msgstr "Kunne ikke automatisk registrere enheds-%s-holdere."
+
+#: src/cryptsetup.c:2615
+#, c-format
+msgid ""
+"Unable to decide if device %s is activated or not.\n"
+"Are you sure you want to proceed with reencryption in offline mode?\n"
+"It may lead to data corruption if the device is actually activated.\n"
+"To run reencryption in online mode, use --active-name parameter instead.\n"
+msgstr ""
+"Kan ikke afklare om enheden %s er aktiv eller ej.\n"
+"Er du sikker på, at du ønsker at fortsætte med omkryptering i frakoblet\n"
+"tilstand?\n"
+"Det kan medføre dataødelæggelse, hvis enheden aktiveres.\n"
+"For at afvikle omkryptering i frakoblet tilstand bruges parameteren\n"
+"--active-name.\n"
+
+#: src/cryptsetup.c:2695
+msgid "Invalid LUKS device type."
+msgstr "Ugyldig LUKS-enhedstype."
+
+#: src/cryptsetup.c:2700
+msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
+msgstr "Kryptering uden frakoblet teksthoved (--header) er ikke muligt uden størrelsesreduktion for dataenhed (--reduce-device-size)."
+
+#: src/cryptsetup.c:2705
+msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
+msgstr "Anmodte dataforskydning skal være mindre end eller lig med halvdelen af --reduce-device-size parameter."
+
+#: src/cryptsetup.c:2714
+#, c-format
+msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
+msgstr "Justerer --reduce-device-size value til det dobbelte af --offset %<PRIu64> (sektorer).\n"
+
+#: src/cryptsetup.c:2718
+msgid "Encryption is supported only for LUKS2 format."
+msgstr "Kryptering er kun understøttet for formatet LUKS2."
+
+#: src/cryptsetup.c:2740
+#, c-format
+msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
+msgstr "Registrerede LUKS-enhed på %s. Ønsker du at kryptere den LUKS-enhed igen?"
+
+#: src/cryptsetup.c:2755
+#, c-format
+msgid "Temporary header file %s already exists. Aborting."
+msgstr "Midlertidig teksthovedfil %s findes allerede. Afbryder."
+
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
+#, c-format
+msgid "Cannot create temporary header file %s."
+msgstr "Kan ikke oprette midlertidig teksthovedfil %s."
+
+#: src/cryptsetup.c:2828
+#, c-format
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s er nu aktiv og klar til kryptering via nettet.\n"
+
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
+msgid "Not enough free keyslots for reencryption."
+msgstr "Ikke nok ledige nøglepladser for omkryptering."
+
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Nøglefil kan kun bruges med --key-slot eller med præcis en aktiv nøgleplads."
+
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
+#, c-format
+msgid "Enter passphrase for key slot %d: "
+msgstr "Indtast adgangsfrase for nøgleplads %d: "
+
+#: src/cryptsetup.c:3035
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Indtast adgangsfrase for nøgleplads %u: "
+
+#: src/cryptsetup.c:3202
+msgid "Command requires device as argument."
+msgstr "Kommandoen kræver enhed som argument."
+
+#: src/cryptsetup.c:3224
+msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
+msgstr "Kun formatet LUKS2 er i øjeblikket understøttet. Brug venligst værktøjet cryptsetup-reencrypt for LUKS1."
+
+#: src/cryptsetup.c:3236
+msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
+msgstr "Forældet frakoblet omkryptering er allerede i gang. Brug redskabet cryptsetup-reencrypt."
+
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
+msgid "Reencryption of device with integrity profile is not supported."
+msgstr "Omkryptering af enhed med integritetsprofil er ikke understøttet."
+
+#: src/cryptsetup.c:3254
+msgid "LUKS2 reencryption already initialized. Aborting operation."
+msgstr "LUKS2-omkryptering er allerede initialiseret. Afbryder operation."
+
+#: src/cryptsetup.c:3258
+msgid "LUKS2 device is not in reencryption."
+msgstr "LUKS2-enheden er ikke i omkryptering."
+
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<enhed> [--type <type>] [<navn>]"
 
-#: src/cryptsetup.c:2366
-msgid "open device as mapping <name>"
-msgstr "åbn enhed som oversættelse <navn>"
-
-#: src/cryptsetup.c:2367 src/cryptsetup.c:2368 src/cryptsetup.c:2369
-#: src/veritysetup.c:363 src/veritysetup.c:364 src/integritysetup.c:464
-#: src/integritysetup.c:465
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
+msgid "open device as <name>"
+msgstr "åbn enhed som <navn>"
+
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<navn>"
 
-#: src/cryptsetup.c:2367
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "luk enhed (fjern oversættelse)"
 
-#: src/cryptsetup.c:2368
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "ændr størrelse på aktiv enhed"
 
-#: src/cryptsetup.c:2369
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "vis enhedsstatus"
 
-#: src/cryptsetup.c:2370
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <krypteringsalgoritme>]"
 
-#: src/cryptsetup.c:2370
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "krypteringsalgoritme for sammenligning"
 
-#: src/cryptsetup.c:2371 src/cryptsetup.c:2372 src/cryptsetup.c:2373
-#: src/cryptsetup.c:2374 src/cryptsetup.c:2381 src/cryptsetup.c:2382
-#: src/cryptsetup.c:2383 src/cryptsetup.c:2384 src/cryptsetup.c:2385
-#: src/cryptsetup.c:2386 src/cryptsetup.c:2387 src/cryptsetup.c:2388
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<enhed>"
 
-#: src/cryptsetup.c:2371
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "prøv at reparere on-disk-metadata"
 
-#: src/cryptsetup.c:2372
+#: src/cryptsetup.c:3291
+msgid "reencrypt LUKS2 device"
+msgstr "omkrypter LUKS2-enhed"
+
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "slet alle nøglepladser (fjern krypteringsnøgle)"
 
-#: src/cryptsetup.c:2373
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "konverter LUKS fra/til LUKS2-format"
 
-#: src/cryptsetup.c:2374
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "angiv permanente konfigurationstilvalg for LUKS2"
 
-#: src/cryptsetup.c:2375 src/cryptsetup.c:2376
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<enhed> [<ny nøglefil>]"
 
-#: src/cryptsetup.c:2375
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "formaterer en LUKS-enhed"
 
-#: src/cryptsetup.c:2376
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "tilføj nøgle til LUKS-enhed"
 
-#: src/cryptsetup.c:2377 src/cryptsetup.c:2378 src/cryptsetup.c:2379
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<enhed> [<nøglefil>]"
 
-#: src/cryptsetup.c:2377
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "fjerner leveret nøgle eller nøglefil fra LUKS-enhed"
 
-#: src/cryptsetup.c:2378
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "ændrer leveret nøgle eller nøglefil for LUKS-enhed"
 
-#: src/cryptsetup.c:2379
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "konverterer en nøgle til nye pbkdf-parametre"
 
-#: src/cryptsetup.c:2380
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<enhed> <nøgleplads>"
 
-#: src/cryptsetup.c:2380
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "rydder nøgle med nummer <nøgleplads> fra LUKS-enhed"
 
-#: src/cryptsetup.c:2381
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "vis UUID for lUKS-enhed"
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "tester <enhed> for LUKS-partitionsteksthoved"
 
-#: src/cryptsetup.c:2383
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "dump LUKS-partitionsinformation"
 
-#: src/cryptsetup.c:2384
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "dump TCRYPT-enhedsinformation"
 
-#: src/cryptsetup.c:2385
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "dump BITLK-enhedsinformation"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspender LUKS-enhed og ryd nøgle (alle IO'er fryses fast)"
 
-#: src/cryptsetup.c:2386
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "Genoptag suspenderet LUKS-enhed"
 
-#: src/cryptsetup.c:2387
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Lav sikkerhedskopi af LUKS-enhedsteksthoved og nøglepladser"
 
-#: src/cryptsetup.c:2388
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Gendan LUKS-teksthoved og nøglepladser"
 
-#: src/cryptsetup.c:2389
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <enhed>"
 
-#: src/cryptsetup.c:2389
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipuler LUKS2-symboler"
 
-#: src/cryptsetup.c:2407 src/veritysetup.c:380 src/integritysetup.c:481
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -1718,19 +2315,19 @@
 "\n"
 "<handling> er en af:\n"
 
-#: src/cryptsetup.c:2413
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Du kan også bruge gamle <handling> syntaksaliasser:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -1745,7 +2342,7 @@
 "<nøgleplads> er LUKS-nøglens pladsnummer, der skal ændres\n"
 "<nøglefil> valgfri nøglefil for den nye nøgle for luksAddKey-handling\n"
 
-#: src/cryptsetup.c:2424
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -1754,7 +2351,7 @@
 "\n"
 "Standardindkompileret metadataformat er %s (for luksFormat-handling).\n"
 
-#: src/cryptsetup.c:2429
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -1771,7 +2368,7 @@
 "Standard-PBKDF for LUKS2: %s\n"
 "\tTterationtid: %d, hukommelse krævet: %dkB, parallelle tråde: %d\n"
 
-#: src/cryptsetup.c:2440
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -1786,604 +2383,700 @@
 "\tplain: %s, Nøgle: %d bit, Adgangskodehashing: %s\n"
 "\tLUKS: %s, Nøgle: %d bit, LUKS-teksthovedhashing: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:2449
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Standardstørrelse på nøgle med XTS-tilstand (to interne nøgler) vil blive fordoblet.\n"
 
-#: src/cryptsetup.c:2460 src/veritysetup.c:537 src/integritysetup.c:621
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: kræver %s som argumenter"
 
-#: src/cryptsetup.c:2498 src/veritysetup.c:420 src/integritysetup.c:515
-#: src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Vis denne hjælpetekst"
 
-#: src/cryptsetup.c:2499 src/veritysetup.c:421 src/integritysetup.c:516
-#: src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Vis en kort brugsmanual"
 
-#: src/cryptsetup.c:2503 src/veritysetup.c:425 src/integritysetup.c:520
-#: src/cryptsetup_reencrypt.c:1616
-msgid "Help options:"
-msgstr "Hjælpetilvalg:"
-
-#: src/cryptsetup.c:2504 src/veritysetup.c:426 src/integritysetup.c:521
-#: src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Vis pakkeversion"
 
-#: src/cryptsetup.c:2505 src/veritysetup.c:427 src/integritysetup.c:522
-#: src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
+msgid "Help options:"
+msgstr "Hjælpetilvalg:"
+
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Viser mere detaljerede fejlbeskeder"
 
-#: src/cryptsetup.c:2506 src/veritysetup.c:428 src/integritysetup.c:523
-#: src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Vis fejlsøgningsbeskeder"
 
-#: src/cryptsetup.c:2507
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Vis fejlsøgningsbeskeder inklusive JSON-metadata"
 
-#: src/cryptsetup.c:2508 src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Krypteringsalgoritmen brugt til at kryptere disken (se /proc/crypto)"
 
-#: src/cryptsetup.c:2509 src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Hashen brugt til at oprette krypteringsnøglen fra adgangsfrasen"
 
-#: src/cryptsetup.c:2510
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Verificerer adgangsfrasen ved at anmode om den to gange"
 
-#: src/cryptsetup.c:2511 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Læs nøglen fra en fil"
 
-#: src/cryptsetup.c:2512
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "Læs diskenhedens (master) nøgle fra fil."
 
-#: src/cryptsetup.c:2513
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Dump diskenheds (master) nøgle i stedet for information om nøgleplads"
 
-#: src/cryptsetup.c:2514 src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Krypteringsnøglens størrelse"
 
-#: src/cryptsetup.c:2514 src/cryptsetup.c:2571 src/integritysetup.c:539
-#: src/integritysetup.c:543 src/integritysetup.c:547
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "BIT"
 
-#: src/cryptsetup.c:2515 src/cryptsetup_reencrypt.c:1638
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Begræns læsningen fra nøglefil"
 
-#: src/cryptsetup.c:2515 src/cryptsetup.c:2516 src/cryptsetup.c:2517
-#: src/cryptsetup.c:2518 src/cryptsetup.c:2568 src/cryptsetup.c:2569
-#: src/veritysetup.c:431 src/veritysetup.c:432 src/veritysetup.c:433
-#: src/veritysetup.c:436 src/veritysetup.c:437 src/integritysetup.c:530
-#: src/integritysetup.c:534 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1637 src/cryptsetup_reencrypt.c:1638
-#: src/cryptsetup_reencrypt.c:1639 src/cryptsetup_reencrypt.c:1640
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "byte"
 
-#: src/cryptsetup.c:2516 src/cryptsetup_reencrypt.c:1637
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Antallet af byte at udelade i nøglefil"
 
-#: src/cryptsetup.c:2517
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Begræns læsningnen fra nyligt tilføjet nøglefil"
 
-#: src/cryptsetup.c:2518
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Antallet af byte at udelade i senest tilføjet nøglefil"
 
-#: src/cryptsetup.c:2519
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Pladsnummer for ny nøgle (standard er den første ledige)"
 
-#: src/cryptsetup.c:2520
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "Størrelse på enheden"
 
-#: src/cryptsetup.c:2520 src/cryptsetup.c:2521 src/cryptsetup.c:2522
-#: src/cryptsetup.c:2528 src/integritysetup.c:531 src/integritysetup.c:536
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SEKTORER"
 
-#: src/cryptsetup.c:2521
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Brug kun specificeret enhedstørrelse (ignorer resten af enheden). FARLIGT!"
+
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "Startforskydningen i motorenheden"
 
-#: src/cryptsetup.c:2522
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Antal sektorer med krypterede data som skal udelades i begyndelsen"
 
-#: src/cryptsetup.c:2523
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Opret en skrivebeskyttet oversættelse"
 
-#: src/cryptsetup.c:2524 src/integritysetup.c:524
-#: src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Anmod ikke om bekræftelse"
 
-#: src/cryptsetup.c:2525
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Tidsudløb for interaktiv adgangsfraseprompt (i sekunder)"
 
-#: src/cryptsetup.c:2525 src/cryptsetup.c:2526 src/integritysetup.c:525
-#: src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "sek"
 
-#: src/cryptsetup.c:2526 src/integritysetup.c:525
-#: src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Statuslinjeopdatering (i sekunder)"
 
-#: src/cryptsetup.c:2527 src/cryptsetup_reencrypt.c:1630
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Hvor ofte inddata for adgangsfrasen kan indhentes"
 
-#: src/cryptsetup.c:2528
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Juster belastning ved <n> sektorgrænser - for luksFormat"
 
-#: src/cryptsetup.c:2529
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Fil med LUKS-teksthoved og sikkerhedskopi af nøglepladser"
 
-#: src/cryptsetup.c:2530 src/cryptsetup_reencrypt.c:1631
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Brug /dev/random til oprettelse af diskenhedsnøgle"
 
-#: src/cryptsetup.c:2531 src/cryptsetup_reencrypt.c:1632
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Brug /dev/urandom til oprettelse af diskenhedsnøgle"
 
-#: src/cryptsetup.c:2532
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Del enhed med et andet ikkeoverlappende kryptsegment"
 
-#: src/cryptsetup.c:2533 src/veritysetup.c:440
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "UUID som enheden skal bruge"
 
-#: src/cryptsetup.c:2534
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Tillader fjernelsesforespørgsler (a.k.a. TRIM) for enhed"
 
-#: src/cryptsetup.c:2535 src/cryptsetup_reencrypt.c:1649
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Enhed eller fil med adskilt LUKS-teksthoved"
 
-#: src/cryptsetup.c:2536
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "Aktiver ikke enhed, kontroller bare adgangsfrase"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Brug skjult teksthoved (skjult TCRYPT-enhed)"
 
-#: src/cryptsetup.c:2538
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Enhed er system-TCRYPT-drev (med opstartsindlæser)"
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Brug sikkerhedskopi (sekundær) TCRYPT-teksthoved"
 
-#: src/cryptsetup.c:2540
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Skan også for VeraCrypt-kompatibel enhed"
 
-#: src/cryptsetup.c:2541
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Personlig iterationmultiplikator for VeraCrypt-kompatibel enhed"
 
-#: src/cryptsetup.c:2542
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Forespørg personlig iterationmultiplikator for VeraCrypt-kompatibel enhed"
 
-#: src/cryptsetup.c:2543
-msgid "Type of device metadata: luks, plain, loopaes, tcrypt"
-msgstr "Type for enhedsmetadata: luks, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Type for enhedsmetadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:2544
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Deaktiver kontrol af adgangskodens kvalitet (hvis aktiveret)"
 
-#: src/cryptsetup.c:2545
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Brug tilvalgene dm-crypt og same_cpu_crypt for ydelseskompatibilitet"
 
-#: src/cryptsetup.c:2546
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Brug tilvalgene dm-crypt og submit_from_crypt_cpus for ydelseskompatibilitet"
 
-#: src/cryptsetup.c:2547
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "Enhedsfjernelse er udskudt indtil den sidste bruger lukker enheden"
 
-#: src/cryptsetup.c:2548
+#: src/cryptsetup.c:3470
+msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
+msgstr "Brug global lås til at serialisere memory-hard-PBKDF (OOM-alternativ)"
+
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "PBKDF-iterationstid for LUKS (i ms)"
 
-#: src/cryptsetup.c:2548 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "ms"
 
-#: src/cryptsetup.c:2549 src/cryptsetup_reencrypt.c:1645
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "PBKDF-algoritme (for LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:2550 src/cryptsetup_reencrypt.c:1646
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "PBKDF-hukommelsesomkostningsbegrænsning"
 
-#: src/cryptsetup.c:2550 src/cryptsetup_reencrypt.c:1646
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "kilobyte"
 
-#: src/cryptsetup.c:2551 src/cryptsetup_reencrypt.c:1647
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "PBKDF-parallel omkostning"
 
-#: src/cryptsetup.c:2551 src/cryptsetup_reencrypt.c:1647
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "tråde"
 
-#: src/cryptsetup.c:2552 src/cryptsetup_reencrypt.c:1648
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "PBKDF-iterationsomkostning (tvunget, deaktiverer sammenligning)"
 
-#: src/cryptsetup.c:2553
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Nøglepladsprioritet: ignore, normal, prefer"
 
-#: src/cryptsetup.c:2554
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Deaktiver låsning af on-disk-metadata"
 
-#: src/cryptsetup.c:2555
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Deaktiver indlæsning af diskenhedsnøgler via kernenøglering"
 
-#: src/cryptsetup.c:2556
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Dataintegritetsalgoritme (kun LUKS2)"
 
-#: src/cryptsetup.c:2557 src/integritysetup.c:550
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Deaktiver journal for integritetsenhed"
 
-#: src/cryptsetup.c:2558 src/integritysetup.c:526
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Ryd ikke enhed efter formatering"
 
-#: src/cryptsetup.c:2559
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Brug ineffektive forældede mellemrum (gamle kerner)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "Spørg ikke om adgangsfrase hvis aktivering via symbol mislykkes"
 
-#: src/cryptsetup.c:2560
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Symbolnummer (standard: alle)"
 
-#: src/cryptsetup.c:2561
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Nøglebeskrivelse"
 
-#: src/cryptsetup.c:2562
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Sektorstørrelse for kryptering (standard: 512 byte)"
 
-#: src/cryptsetup.c:2563
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "Angiv aktiveringsflag vedvarende for enhed"
 
-#: src/cryptsetup.c:2564
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Angiv etiket for LUKS2-enhed"
 
-#: src/cryptsetup.c:2565
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Angiv undersystemetiket for LUKS2-enhed"
 
-#: src/cryptsetup.c:2566
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Opret ubunden (intet tildelt datasegment) LUKS2-nøgleplads"
 
-#: src/cryptsetup.c:2567
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "Læs eller skriv json fra eller til en fil"
 
-#: src/cryptsetup.c:2568
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Størrelse på metadataområdet for LUKS2-teksthovedet"
 
-#: src/cryptsetup.c:2569
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Størrelse på nøglepladsområdet for LUKS2-teksthovedet"
 
-#: src/cryptsetup.c:2570
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Opdater (genaktiver) enhed med nye parametre"
 
-#: src/cryptsetup.c:2571
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "LUKS2-nøgleplads: Krypteringsnøglens størrelse"
 
-#: src/cryptsetup.c:2572
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "LUKS2-nøgleplads: krypteringsalgoritmen brugt for nøglepladskryptering"
 
-#: src/cryptsetup.c:2588 src/veritysetup.c:461 src/integritysetup.c:568
+#: src/cryptsetup.c:3497
+msgid "Encrypt LUKS2 device (in-place encryption)."
+msgstr "Krypter LUKS2-enhed (på stedet kryptering)."
+
+#: src/cryptsetup.c:3498
+msgid "Decrypt LUKS2 device (remove encryption)."
+msgstr "Dekrypter LUKS2-enhed (fjern kryptering)."
+
+#: src/cryptsetup.c:3499
+msgid "Initialize LUKS2 reencryption in metadata only."
+msgstr "Initialiser LUKS2-omkryptering kun i metadata."
+
+#: src/cryptsetup.c:3500
+msgid "Resume initialized LUKS2 reencryption only."
+msgstr "Genoptag kun initialiseret LUKS2-omkryptering."
+
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Reducer dataenhedstørrelse (flyt dataforskydning). FARLIGT!"
+
+#: src/cryptsetup.c:3502
+msgid "Maximal reencryption hotzone size."
+msgstr "Maksimal størrelse for omkrypteringshotzone."
+
+#: src/cryptsetup.c:3503
+msgid "Reencryption hotzone resilience type (checksum,journal,none)"
+msgstr "Resilience-type for omkrypteringshotzonen (checksum,journal,none)"
+
+#: src/cryptsetup.c:3504
+msgid "Reencryption hotzone checksums hash"
+msgstr "Kontrolsumshash for omkrypteringshotzonen"
+
+#: src/cryptsetup.c:3505
+msgid "Override device autodetection of dm device to be reencrypted"
+msgstr "Overskriv automatisk registrering af enhed for dm-enhed der skal omkrypteres"
+
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[TILVALG...] <handling> <handling-specifik>"
 
-#: src/cryptsetup.c:2645 src/veritysetup.c:501 src/integritysetup.c:585
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Argument <handling> mangler."
 
-#: src/cryptsetup.c:2708 src/veritysetup.c:532 src/integritysetup.c:616
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Ukendt handling."
 
-#: src/cryptsetup.c:2718
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "Parameteren --refresh er kun tilladt for kommandoerne open (åbn) eller refresh (opdater).\n"
 
-#: src/cryptsetup.c:2723
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Tilvalgene --refresh og --test-passphrase udelukker hinanden.\n"
 
-#: src/cryptsetup.c:2728
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "Tilvalget --deferred er kun tilladt for kommandoen close (luk).\n"
 
-#: src/cryptsetup.c:2733
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Tilvalget --shared er kun tilladt for åbning af en ren enhed.\n"
 
-#: src/cryptsetup.c:2738
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Tilvalget --allow-discards er kun tilladt for åbne operationer.\n"
 
-#: src/cryptsetup.c:2743
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "Tilvalget --persistent er kun tilladt for åben operation.\n"
 
-#: src/cryptsetup.c:2748
+#: src/cryptsetup.c:3681
+msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
+msgstr "Tilvalget --serialize-memory-hard-pbkdf er kun tilladt for åbne operationer.\n"
+
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "Tilvalget --persistent er ikke tilladt med --test-passphrase.\n"
 
-#: src/cryptsetup.c:2757
+#: src/cryptsetup.c:3696
 msgid ""
-"Option --key-size is allowed only for luksFormat, luksAddKey (with --unbound),\n"
+"Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
 msgstr ""
-"Tilvalget --key-size er kun tilladt for luksFormat, luksAddKey (med --unbound),\n"
+"Tilvalget --key-size er kun tilladt for luksFormat, luksAddKey,\n"
 "åbn- og sammenligningshandlinger. For at begrænse læsning fra nøglefilen bruges\n"
 "--keyfile-size=(bytes)."
 
-#: src/cryptsetup.c:2763
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "Tilvalget --integrity er kun tilladt for luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:2768
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "Tilvalget --integrity-no-wipe kan kun bruges for formathandling med integritetudvidelse.\n"
 
-#: src/cryptsetup.c:2774
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Tilvalget --label og --subsystem er kun tilladt for luksFormat og config LUKS2-operationer.\n"
 
-#: src/cryptsetup.c:2780
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "Tilvalget --test-passphrase er kun tilladt for åbning af LUKS- og TCRYPT-enheder.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "Tilvalget --test-passphrase er kun tilladt for åbning af LUKS- TCRYPT- og BITLK-enheder.\n"
 
-#: src/cryptsetup.c:2785 src/cryptsetup_reencrypt.c:1718
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Nøglestørrelse skal gå op i 8 bit"
 
-#: src/cryptsetup.c:2791 src/cryptsetup_reencrypt.c:1403
-#: src/cryptsetup_reencrypt.c:1723
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Nøgleplads er ugyldig."
 
-#: src/cryptsetup.c:2798
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Tilvalget --key-file har forrang over specificeret nøglefilsargument."
 
-#: src/cryptsetup.c:2805 src/veritysetup.c:544 src/integritysetup.c:640
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "Negativ nummer for tilvalg er ikke tilladt."
 
-#: src/cryptsetup.c:2809
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Kun et argument for --key-file er tilladt."
 
-#: src/cryptsetup.c:2813 src/cryptsetup_reencrypt.c:1689
-#: src/cryptsetup_reencrypt.c:1727
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Kun et af tilvalgene --use-[u]random er tilladt."
 
-#: src/cryptsetup.c:2817
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "Tilvalget --use-[u]random er kun tilladt for luksFormat."
 
-#: src/cryptsetup.c:2821
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Tilvalget --uid er kun tilladt for luksFormat og luksUUID."
 
-#: src/cryptsetup.c:2825
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Tilvalget --align-payload er kun tilladt for luksFormat."
 
-#: src/cryptsetup.c:2829
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Tilvalgene --luks2-metadata-size og --opt-luks2-keyslots-size er kun tilladt for luksFormat med LUKS2."
 
-#: src/cryptsetup.c:2834
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Ugyldig specifikation for størrelsen på LUKS2-metadata."
 
-#: src/cryptsetup.c:2838
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Ugyldig specifikation for størrelsen på LUKS2-nøgleplads."
 
-#: src/cryptsetup.c:2842
-msgid "Option --align-payload and --offset cannot be combined."
+#: src/cryptsetup.c:3781
+msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Tilvalgene --align-payload og --offset kan ikke kombineres."
 
-#: src/cryptsetup.c:2848
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Tilvalget --skip er kun understøttet for åbning af plain- og loopaes-enheder.\n"
 
-#: src/cryptsetup.c:2855
-msgid "Option --offset is supported only for open of plain and loopaes devices and for luksFormat.\n"
-msgstr "Tilvalget --offset er kun understøttet for åbning af plain- og loopaes-enheder samt for LuksFormat.\n"
+#: src/cryptsetup.c:3794
+msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
+msgstr "Tilvalget --offset er kun understøttet for åbning af plain- og loopaes-enheder, luksFormat og enhedsomkryptering.\n"
 
-#: src/cryptsetup.c:2861
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Tilvalgene --tcrypt-hidden, --tcrypt-system eller --tcrypt-backup er kun understøttet for TCRYPT-enhed.\n"
 
-#: src/cryptsetup.c:2866
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Tilvaget --tcrypt-hidden kan ikke kombineres med --allow-discards.\n"
 
-#: src/cryptsetup.c:2871
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Tilvalget --veracrypt er kun understøttet for TCRYPT-enhedstype.\n"
 
-#: src/cryptsetup.c:2877
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Ugyldigt argument for parameteren --veracrypt-pim angivet.\n"
 
-#: src/cryptsetup.c:2881
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Tilvalget --veracrypt-pim er kun understøttet for VeraCrypt-kompatible enheder.\n"
 
-#: src/cryptsetup.c:2889
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Tilvalget --veracrypt-query-pim er kun understøttet for VeraCrypt-kompatible enheder.\n"
 
-#: src/cryptsetup.c:2893
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Tilvalgene --veracrypt-pim og --veracrypt-query-pm udelukker hinanden.\n"
 
-#: src/cryptsetup.c:2900
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "Tilvalget --priority kan kun være ignore/normal/prefer.\n"
 
-#: src/cryptsetup.c:2905
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Nøglepladsspecifikation er krævet.\n"
 
-#: src/cryptsetup.c:2910 src/cryptsetup_reencrypt.c:1703
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "Adgangskodebaseret nøgleudledningsfunktion (PBKDF) kan kun være pbkdf2 eller argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:2915 src/cryptsetup_reencrypt.c:1708
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "PBKDF-tvungne iterationer kan ikke kombineres med tilvalg for iterationstid.\n"
 
-#: src/cryptsetup.c:2921
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
-msgstr "Tilvalg for sektorstørrelse er ikke understøttet for denne kommando..\n"
+msgstr "Tilvalg for sektorstørrelse er ikke understøttet for denne kommando.\n"
 
-#: src/cryptsetup.c:2927
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Krypteringsektorstørrelsen er ikke understøttet.\n"
 
-#: src/cryptsetup.c:2932
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "Nøglestørrelse er krævet med tilvalget --unbound.\n"
 
-#: src/cryptsetup.c:2937
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "Tilvalget --unbound kan kun bruges med luksAddKey-handlingen.\n"
 
-#: src/cryptsetup.c:2942
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "Tilvalget --refresh kan kun bruges med open-handlingen.\n"
 
-#: src/cryptsetup.c:2953
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "Kan ikke deaktivere metadatalåsning.\n"
 
-#: src/veritysetup.c:67
+#: src/cryptsetup.c:3902
+msgid "Invalid max reencryption hotzone size specification."
+msgstr "Ugyldig maksimal størrelsesspecifikation for omkrypteringshotzonen."
+
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
+msgid "Invalid device size specification."
+msgstr "Ugyldig specifikation for enhedsstørrelse."
+
+#: src/cryptsetup.c:3913
+msgid "Maximum device reduce size is 1 GiB."
+msgstr "Maksimal reduceringsstørrelse for enhed er 1 GiB."
+
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Reducer størrelse skal være multiplum af 512 byte sektor."
+
+#: src/cryptsetup.c:3921
+msgid "Invalid data size specification."
+msgstr "Ugyldig størrelsesspecifikation for data."
+
+#: src/cryptsetup.c:3926
+msgid "Reduce size overflow."
+msgstr "Reducer størrelsesoverløb."
+
+#: src/cryptsetup.c:3930
+msgid "LUKS2 decryption requires option --header."
+msgstr "LUKS2-omkryptering kræver tilvalget --header."
+
+#: src/cryptsetup.c:3934
+msgid "Device size must be multiple of 512 bytes sector."
+msgstr "Enhedsstørrelse skal være multiplum af 512 byte sektor."
+
+#: src/cryptsetup.c:3938
+msgid "Options --reduce-device-size and --data-size cannot be combined."
+msgstr "Tilvalgene --reduce-device-size og --data-size kan ikke kombineres."
+
+#: src/cryptsetup.c:3942
+msgid "Options --device-size and --size cannot be combined."
+msgstr "Tilvalgene --device-size og --size kan ikke kombineres."
+
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Ugyldig salt-streng angivet."
 
-#: src/veritysetup.c:98
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Kan ikke oprette hashaftryk %s for skriving."
 
-#: src/veritysetup.c:108
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Kan ikke oprette FEC-aftryk %s for skriving."
 
-#: src/veritysetup.c:178
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Ugyldig root-hash-streng angivet."
 
-#: src/veritysetup.c:360
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Ugyldig signaturfil %s."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Kan ikke læse signaturfilen %s."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<data_enhed> <hash_device>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:462
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "formater enhed"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<data_enhed> <hash_enhed> <root_hash>"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "verificer enhed"
 
-#: src/veritysetup.c:362
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<data_enhed> <navn> <hash_enhed> <root_hash>"
 
-#: src/veritysetup.c:362 src/integritysetup.c:463
-msgid "open device as <name>"
-msgstr "åbn enhed som <navn>"
-
-#: src/veritysetup.c:363 src/integritysetup.c:464
-msgid "close device (deactivate and remove mapping)"
-msgstr "luk enhed (deaktiver og fjern oversættelse)"
-
-#: src/veritysetup.c:364 src/integritysetup.c:465
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "vis aktiv enhedsstatus"
 
-#: src/veritysetup.c:365
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<hash_enhed>"
 
-#: src/veritysetup.c:365 src/integritysetup.c:466
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "vis on-disk-information"
 
-#: src/veritysetup.c:384
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2398,7 +3091,7 @@
 "<hash_enhed> er enheden indeholdende verifikationsdata\n"
 "<root_hash> hash for root-knuden på <hash_enhed>\n"
 
-#: src/veritysetup.c:391
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2409,118 +3102,126 @@
 "Standardindkompilerede dm-verity-parametre:\n"
 "\tHash: %s, Databok (byte): %u, Hashblok (byte): %u, Salt-str.: %u, Hashformat: %u\n"
 
-#: src/veritysetup.c:429
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Brug ikke verity-superblok"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Formatype (1 - normal, 0 - original Chrome OS)"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "nummer"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Blokstørrelse på dataenheden"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Blokstørrelse på hashenheden"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "FEC-paritetbyte"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Antallet af blokke i datafilen"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "blokke"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Sti til enhed med fejlkorrektionsdata"
 
-#: src/veritysetup.c:435 src/integritysetup.c:528
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "sti"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Starter forskydning på hashenheden"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Starter forskydning på FEC-enheden"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Hashalgoritme"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "streng"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Salt"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "hex-streng"
 
-#: src/veritysetup.c:441
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Stil til roothash-signaturfil"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Genstart kerne hvis korruption er registreret"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Ignorer korruption, log den kun"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Bekræft ikke nulstillede blokke"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Verificer kun datablok første gang den læses"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Tilvalgene --ignore-corruption, --restart-on-corruption eller --ignore-zero-blocks er kun tilladt for åben operation.\n"
 
-#: src/veritysetup.c:555
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Tilvalget --root-hash-signature kan kun bruges til åben operation.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Tilvalgene --ignore-corruption og --restart-on-corruption kan ikke bruges sammen.\n"
 
-#: src/integritysetup.c:82 src/utils_password.c:298
+#: src/integritysetup.c:83 src/utils_password.c:305
 #, c-format
 msgid "Cannot read keyfile %s."
 msgstr "Kan ikke læse nøglefilen %s."
 
-#: src/integritysetup.c:86 src/utils_password.c:302
+#: src/integritysetup.c:87 src/utils_password.c:310
 #, c-format
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Kan ikke læse %d byte fra nøglefilen %s."
 
-#: src/integritysetup.c:248
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formateret med mærkestørrelse %u, intern integritet %s.\n"
 
-#: src/integritysetup.c:462 src/integritysetup.c:466
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<integritet_enhed>"
 
-#: src/integritysetup.c:463
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<integritet_enhed> <navn>"
 
-#: src/integritysetup.c:485
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -2531,523 +3232,532 @@
 "<navn> er enheden der skal opretttes under %s\n"
 "<integritet_enhed> er enheden indeholdende data med integritetsmærker\n"
 
-#: src/integritysetup.c:490
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
-"Standardindkompilerede dm-verity-parametre:\n"
-"\tMærkestørrelse: %u byte, kontrolsumalgoritme: %s\n"
+"Standardindkompilerede dm-integrity-parametre:\n"
+"\tkontrolsumalgoritme: %s\n"
 
-#: src/integritysetup.c:528
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Sti til dataenhed (hvis adskilt)"
 
-#: src/integritysetup.c:530
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Journalstørrelse"
 
-#: src/integritysetup.c:531
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Interleave-sektorer"
 
-#: src/integritysetup.c:532
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Journalvandmærke"
 
-#: src/integritysetup.c:532
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "procent"
 
-#: src/integritysetup.c:533
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Journal commit-tid"
 
-#: src/integritysetup.c:533
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ms"
 
-#: src/integritysetup.c:534
+#: src/integritysetup.c:549
+msgid "Number of 512-byte sectors per bit (bitmap mode)."
+msgstr "Antallet af 512-byte sektorer per bit (bitmap-tilstand)."
+
+#: src/integritysetup.c:550
+msgid "Bitmap mode flush time"
+msgstr "Flush-tid for Bitmap-tilstand"
+
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Mærkestørrelse (per-sektor)"
 
-#: src/integritysetup.c:535
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Sektorstørrelse"
 
-#: src/integritysetup.c:536
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Bufferstørrelse"
 
-#: src/integritysetup.c:538
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Dataintegritetsalgoritme"
 
-#: src/integritysetup.c:539
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Størrelsen for dataintegritetsnøglen"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Læs integritetsnøglen fra en fil"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Journalintegritetsalgoritme"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Størrelsen for journalintegritetsnøglen"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Læs journalintegritetsnøglen fra en fil"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Journalkrypteringsalgoritme"
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Størrelsen for journalkrypteringsnøglen"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Læs journalkrypteringsnøglen fra en fil"
 
-#: src/integritysetup.c:551
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Gendannelsestilstand (ingen journal, ingen mærkekontrol)"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:569
+msgid "Use bitmap to track changes and disable journal for integrity device"
+msgstr "Brug bitmap til at registrere ændringer og deaktivere journal for integritetsenhed"
+
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Genberegn oprindelige mærker automatisk."
 
-#: src/integritysetup.c:631
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "Tilvalget --integrity-recalculate kan kun bruges for open-handling."
 
-#: src/integritysetup.c:646
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Tilvalgene --journal-size, --interleave-sectors, --sector-size, --tag-size og --no-wipe kan kun bruges for formathandlingen.\n"
 
-#: src/integritysetup.c:652
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "Ugyldig specifikation for journalstørrelse."
 
-#: src/integritysetup.c:657
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Både nøglefil og tilvalg for nøglestørrelse skal være angivet."
 
-#: src/integritysetup.c:660
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "Integritetsalgoritme skal være angivet hvis der bruges integritetsnøgle."
 
-#: src/integritysetup.c:665
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Både journalintegritetsnøglefil og tilvalg for nøglestørrelse skal være angivet."
 
-#: src/integritysetup.c:668
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Journalintegritetsalgoritme skal være angivet hvis journalintegritetsnøgle anvendes."
 
-#: src/integritysetup.c:673
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Både journalkrypteringsnøglefil og tilvalg for nøglestørrelse skal være angivet."
 
-#: src/integritysetup.c:676
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Journalkrypteringsalgoritme skal være angivet hvis journalkrypteringsnøgle bruges."
 
-#: src/cryptsetup_reencrypt.c:175
+#: src/integritysetup.c:690
+msgid "Recovery and bitmap mode options are mutually exclusive."
+msgstr "Tilvalgene recovery og bitmap udelukker hinanden."
+
+#: src/integritysetup.c:694
+msgid "Journal options cannot be used in bitmap mode."
+msgstr "Journaltilvalg kan ikke bruges i bitmap-tilstand."
+
+#: src/integritysetup.c:698
+msgid "Bitmap options can be used only in bitmap mode."
+msgstr "Bitmap-tilvalg kan kun bruges i bitmap-tilstand."
+
+#: src/cryptsetup_reencrypt.c:172
 msgid "Reencryption already in-progress."
 msgstr "Omkryptering er allerede i gang."
 
-#: src/cryptsetup_reencrypt.c:181
-msgid "Reencryption of device with integrity profile is not supported."
-msgstr "Omkryptering af enhed med integritetsprofil er ikke understøttet."
-
-#: src/cryptsetup_reencrypt.c:204
+#: src/cryptsetup_reencrypt.c:201
 #, c-format
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Kan ikke eksklusivt åbne %s, enheden er i brug."
 
-#: src/cryptsetup_reencrypt.c:218 src/cryptsetup_reencrypt.c:1148
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "Allokering af tilpasset hukommelse mislykkedes."
 
-#: src/cryptsetup_reencrypt.c:225
+#: src/cryptsetup_reencrypt.c:222
 #, c-format
 msgid "Cannot read device %s."
 msgstr "Kan ikke læse enheden %s."
 
-#: src/cryptsetup_reencrypt.c:236
+#: src/cryptsetup_reencrypt.c:233
 #, c-format
 msgid "Marking LUKS1 device %s unusable."
 msgstr "Markerer LUKS-enheden %s som ubrugelig."
 
-#: src/cryptsetup_reencrypt.c:240
+#: src/cryptsetup_reencrypt.c:237
 #, c-format
 msgid "Setting LUKS2 offline reencrypt flag on device %s."
 msgstr "Angivelse af LUKS2 som frakoblet omkrypterer flag på enheden %s."
 
-#: src/cryptsetup_reencrypt.c:257
+#: src/cryptsetup_reencrypt.c:254
 #, c-format
 msgid "Cannot write device %s."
 msgstr "Kan ikke skrive enhed %s."
 
-#: src/cryptsetup_reencrypt.c:345
+#: src/cryptsetup_reencrypt.c:302
 msgid "Cannot write reencryption log file."
 msgstr "Kan ikke skrive omkrypteringslogfilen."
 
-#: src/cryptsetup_reencrypt.c:401
+#: src/cryptsetup_reencrypt.c:358
 msgid "Cannot read reencryption log file."
 msgstr "Kan ikke læse omkrypteringslogfilen."
 
-#: src/cryptsetup_reencrypt.c:439
+#: src/cryptsetup_reencrypt.c:396
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Logfilen %s findes, genoptager omkryptering.\n"
 
-#: src/cryptsetup_reencrypt.c:488
+#: src/cryptsetup_reencrypt.c:445
 msgid "Activating temporary device using old LUKS header."
 msgstr "Aktiverer midlertidig enhed via brug af gammelt LUKS-teksthoved."
 
-#: src/cryptsetup_reencrypt.c:498
+#: src/cryptsetup_reencrypt.c:455
 msgid "Activating temporary device using new LUKS header."
 msgstr "Aktiverer midlertidig enhed via brug af nyt LUKS-teksthoved."
 
-#: src/cryptsetup_reencrypt.c:508
+#: src/cryptsetup_reencrypt.c:465
 msgid "Activation of temporary devices failed."
 msgstr "Aktivering af midlertidige enheder mislykkedes."
 
-#: src/cryptsetup_reencrypt.c:586
-msgid "Failed to set PBKDF parameters."
-msgstr "Kunne ikke angive PBKDF-parametre."
-
-#: src/cryptsetup_reencrypt.c:592
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Kunne ikke angive dataforskydning."
 
-#: src/cryptsetup_reencrypt.c:600
+#: src/cryptsetup_reencrypt.c:558
+msgid "Failed to set metadata size."
+msgstr "Kunne ikke angive metadatastørrelse."
+
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Nyt LUKS-teksthoved for enheden %s oprettet."
 
-#: src/cryptsetup_reencrypt.c:660
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Denne version af cryptsetup-reencrypt kan ikke håndtere ny intern symboltype %s."
 
-#: src/cryptsetup_reencrypt.c:682
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "Kunne ikke læse aktiveringsflag fra sikkerhedskopiteksthoved."
 
-#: src/cryptsetup_reencrypt.c:686
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "Kunne ikke skrive aktiveringsflag til nyt teksthoved."
 
-#: src/cryptsetup_reencrypt.c:690 src/cryptsetup_reencrypt.c:694
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Kunne ikke læse krav fra sikkerhedskopiteksthoved."
 
-#: src/cryptsetup_reencrypt.c:731
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "%s-sikkerhedskopi af teksthoved for enheden %s er oprettet."
 
-#: src/cryptsetup_reencrypt.c:789
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "Oprettelse af LUKS-sikkerhedskopiteksthoveder mislykkedes."
 
-#: src/cryptsetup_reencrypt.c:918
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Kan ikke gendanne %s-teksthoved på enheden %s."
 
-#: src/cryptsetup_reencrypt.c:920
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "%s-teksthoved på enheden %s er gendannet."
 
-#: src/cryptsetup_reencrypt.c:958 src/cryptsetup_reencrypt.c:1038
-msgid "Cannot seek to device offset."
-msgstr "Kan ikke søge til enhedsforskydning."
-
-#: src/cryptsetup_reencrypt.c:1081
-msgid "Cannot seek to device offset.\n"
-msgstr "Kan ikke søge til enhedsforskydning.\n"
-
-#: src/cryptsetup_reencrypt.c:1120 src/cryptsetup_reencrypt.c:1126
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Kan ikke åbne midlertidig LUKS-enhed."
 
-#: src/cryptsetup_reencrypt.c:1131 src/cryptsetup_reencrypt.c:1136
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Kan ikke indhente enhedsstørrelse."
 
-#: src/cryptsetup_reencrypt.c:1173
-msgid "Interrupted by a signal."
-msgstr "Afbrudt af et signal."
-
-#: src/cryptsetup_reencrypt.c:1175
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "IO-fejl under omkryptering."
 
-#: src/cryptsetup_reencrypt.c:1206
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Angivet UUID er ugyldig."
 
-#: src/cryptsetup_reencrypt.c:1309
-msgid "Key file can be used only with --key-slot or with exactly one key slot active."
-msgstr "Nøglefil kan kun bruges med --key-slot eller med præcis en aktiv nøgleplads."
-
-#: src/cryptsetup_reencrypt.c:1350 src/cryptsetup_reencrypt.c:1361
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Indtast adgangsfrase for nøgleplads %u: "
-
-#: src/cryptsetup_reencrypt.c:1432
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Kan ikke åbne omkrypteringslogfilen."
 
-#: src/cryptsetup_reencrypt.c:1438
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Ingen dekryptering i gang, angivet UUID kan kun bruges til at genoptage suspenderet dekrypteringsproces."
 
-#: src/cryptsetup_reencrypt.c:1513
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Ændret pbkdf-parameter i nøgleplads %i."
 
-#: src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Blokstørrelse for omkryptering"
 
-#: src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Ændr ikke nøgle, ingen dataområdeomkryptering"
 
-#: src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Læs ny diskenhednøgle (master) fra fil"
 
-#: src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "PBKDF2-iterationstid for LUKS (i ms)"
 
-#: src/cryptsetup_reencrypt.c:1633
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Brug direct-io når enheder tilgås"
 
-#: src/cryptsetup_reencrypt.c:1634
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Brug fsync efter hver blok"
 
-#: src/cryptsetup_reencrypt.c:1635
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Opdater logfil efter hver blok"
 
-#: src/cryptsetup_reencrypt.c:1636
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Brug kun denne plads (andre vil blive deaktiveret)"
 
-#: src/cryptsetup_reencrypt.c:1639
-msgid "Reduce data device size (move data offset). DANGEROUS!"
-msgstr "Reducer dataenhedstørrelse (flyt dataforskydning). FARLIGT!"
-
-#: src/cryptsetup_reencrypt.c:1640
-msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
-msgstr "Brug kun specificeret enhedstørrelse (ignorer resten af enheden). FARLIGT!"
-
-#: src/cryptsetup_reencrypt.c:1641
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Opret nyt teksthoved på ikke krypteret enhed"
 
-#: src/cryptsetup_reencrypt.c:1642
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Dekrypter enhed permanent (fjern kryptering)"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "UUID'en brugt til at genoptage dekryptering"
 
-#: src/cryptsetup_reencrypt.c:1644
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Type for LUKS-metadata: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1663
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[TILVALG...] <enhed>"
 
-#: src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Omkryptering vil ændre: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1678
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "diskenhedsnøgle"
 
-#: src/cryptsetup_reencrypt.c:1680
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "sæt hash til "
 
-#: src/cryptsetup_reencrypt.c:1681
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", set krypteringsalgoritme til "
 
-#: src/cryptsetup_reencrypt.c:1685
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Argument krævet."
 
-#: src/cryptsetup_reencrypt.c:1713
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Kun værdier mellem 1 MiB og 64 MiB tilladt for omkrypteringsblokstørrelsen."
 
-#: src/cryptsetup_reencrypt.c:1732 src/cryptsetup_reencrypt.c:1737
-msgid "Invalid device size specification."
-msgstr "Ugyldig specifikation for enhedsstørrelse."
-
-#: src/cryptsetup_reencrypt.c:1740
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Maksimal reduceringsstørrelse for enhed er 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1743
-msgid "Reduce size must be multiple of 512 bytes sector."
-msgstr "Reducer størrelse skal være multiplum af 512 byte sektor."
-
-#: src/cryptsetup_reencrypt.c:1747
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Tilvalget --new skal bruges sammen med --reduce-device-size eller --header."
 
-#: src/cryptsetup_reencrypt.c:1751
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Tilvalget --keep-key kan kun bruges med --hash, --iter-time eller --pbkdf-force-iterations."
 
-#: src/cryptsetup_reencrypt.c:1755
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Tilvalget --new kan ikke bruges sammen med --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1759
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Tilvalget --decrypt er ikke kompatibelt med specificerede parametre."
 
-#: src/cryptsetup_reencrypt.c:1763
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Tilvalget --uuid er kun tilladt sammen med --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1767
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Ugyldig luks-type. Brug en af disse: »luks«, »luks2« eller »luks2«."
 
-#: src/utils_tools.c:150
+#: src/utils_tools.c:151
 msgid "Error reading response from terminal."
 msgstr "Fejl ved læsning af svar fra terminal."
 
-#: src/utils_tools.c:175
+#: src/utils_tools.c:186
 msgid "Command successful.\n"
 msgstr "Kommando succesfuld.\n"
 
-#: src/utils_tools.c:183
+#: src/utils_tools.c:194
 msgid "wrong or missing parameters"
 msgstr "forkert eller manglende parametre"
 
-#: src/utils_tools.c:185
+#: src/utils_tools.c:196
 msgid "no permission or bad passphrase"
 msgstr "ingen tilladelse eller ugyldg adgangsfrase"
 
-#: src/utils_tools.c:187
+#: src/utils_tools.c:198
 msgid "out of memory"
 msgstr "ikke nok hukommelse"
 
-#: src/utils_tools.c:189
+#: src/utils_tools.c:200
 msgid "wrong device or file specified"
 msgstr "forkert enhed eller fil angivet"
 
-#: src/utils_tools.c:191
+#: src/utils_tools.c:202
 msgid "device already exists or device is busy"
 msgstr "enheden findes allerede eller enheden er optaget"
 
-#: src/utils_tools.c:193
+#: src/utils_tools.c:204
 msgid "unknown error"
 msgstr "ukendt fejl"
 
-#: src/utils_tools.c:195
+#: src/utils_tools.c:206
 #, c-format
 msgid "Command failed with code %i (%s).\n"
 msgstr "Kommando mislykkedes med kode %i (%s).\n"
 
-#: src/utils_tools.c:272
+#: src/utils_tools.c:283
 #, c-format
 msgid "Key slot %i created."
 msgstr "Nøglepladsen %i oprettet."
 
-#: src/utils_tools.c:274
+#: src/utils_tools.c:285
 #, c-format
 msgid "Key slot %i unlocked."
 msgstr "Nøgleplads %i låst op."
 
-#: src/utils_tools.c:276
+#: src/utils_tools.c:287
 #, c-format
 msgid "Key slot %i removed."
 msgstr "Nøgleplads %i fjernet."
 
-#: src/utils_tools.c:285
+#: src/utils_tools.c:296
 #, c-format
 msgid "Token %i created."
 msgstr "Symbol %i oprettet."
 
-#: src/utils_tools.c:287
+#: src/utils_tools.c:298
 #, c-format
 msgid "Token %i removed."
 msgstr "Symbol %i fjernet."
 
-#: src/utils_tools.c:453
+#: src/utils_tools.c:464
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+"\n"
+"Sletning (wipe) afbrudt."
+
+#: src/utils_tools.c:475
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
 msgstr "ADVARSEL: Enheden %s indeholder allerede en »%s«-partitionsignatur.\n"
 
-#: src/utils_tools.c:461
+#: src/utils_tools.c:483
 #, c-format
 msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
 msgstr "ADVARSEL: Enheden %s indeholder allerede en »%s«-superbloksignatur.\n"
 
-#: src/utils_tools.c:482 src/utils_tools.c:546
+#: src/utils_tools.c:504 src/utils_tools.c:568
 msgid "Failed to initialize device signature probes."
 msgstr "Kunne ikke initialisere enhedssignaturundersøgelser."
 
-#: src/utils_tools.c:526
+#: src/utils_tools.c:548
 #, c-format
 msgid "Failed to stat device %s."
 msgstr "Kunne ikke køre stat på enheden %s."
 
-#: src/utils_tools.c:539
+#: src/utils_tools.c:561
 #, c-format
 msgid "Device %s is in use. Can not proceed with format operation."
 msgstr "Enheden %s er i brug. Kan ikke fortsætte med formatoperation."
 
-#: src/utils_tools.c:541
+#: src/utils_tools.c:563
 #, c-format
 msgid "Failed to open file %s in read/write mode."
 msgstr "Kunne ikke åbne filen %s i læs/skriv-tilstand."
 
-#: src/utils_tools.c:561
+#: src/utils_tools.c:577
+#, c-format
+msgid "Existing '%s' partition signature (offset: %<PRIi64> bytes) on device %s will be wiped."
+msgstr "Eksisterende »%s«-partitionsignatur (forskydning: %<PRIi64> byte) på enheden %s vil blive slettet."
+
+#: src/utils_tools.c:580
+#, c-format
+msgid "Existing '%s' superblock signature (offset: %<PRIi64> bytes) on device %s will be wiped."
+msgstr "Eksisterende »%s«-superbloksignatur (forskydning: %<PRIi64> byte) på enheden %s vil blive slettet."
+
+#: src/utils_tools.c:583
 msgid "Failed to wipe device signature."
 msgstr "Kunne ikke rydde enhedssignatur."
 
-#: src/utils_tools.c:568
+#: src/utils_tools.c:590
 #, c-format
 msgid "Failed to probe device %s for a signature."
 msgstr "Kunne ikke undersøge enheden %s for en signatur."
 
+#: src/utils_tools.c:629
+msgid ""
+"\n"
+"Reencryption interrupted."
+msgstr ""
+"\n"
+"Omkryptering afbrudt."
+
 #: src/utils_password.c:43 src/utils_password.c:75
 #, c-format
 msgid "Cannot check password quality: %s"
@@ -3088,21 +3798,25 @@
 msgid "Enter passphrase: "
 msgstr "Indtast adgangsfrase: "
 
-#: src/utils_password.c:255
+#: src/utils_password.c:256
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr "Indtast adgangsfrase for %s: "
 
-#: src/utils_password.c:285
+#: src/utils_password.c:287
 msgid "No key available with this passphrase."
 msgstr "Ingen nøgle tilgængelig med denne adgangsfrase."
 
-#: src/utils_password.c:320
+#: src/utils_password.c:289
+msgid "No usable keyslot is available."
+msgstr "Ingen brugbar nøgleplads tilgængelig."
+
+#: src/utils_password.c:328
 #, c-format
 msgid "Cannot open keyfile %s for write."
 msgstr "Kan ikke bne nøglefilen %s for skrivning."
 
-#: src/utils_password.c:327
+#: src/utils_password.c:335
 #, c-format
 msgid "Cannot write to keyfile %s."
 msgstr "Kan ikke skrive til nøglefilen %s."
@@ -3145,5 +3859,35 @@
 msgid "Failed to write JSON file."
 msgstr "Kunne ikke skrive JSON-fil."
 
+#~ msgid "Requested dmcrypt performance options are not supported."
+#~ msgstr "Forespurgte dmcrypt-ydelsestilvalg er ikke understøttede."
+
+#~ msgid "Cannot format device %s which is still in use."
+#~ msgstr "Kan ikke formatere enheden %s som stadig er i brug."
+
+#~ msgid "Key slot %d is not used."
+#~ msgstr "Nøglepladsen %d er ikke brugt."
+
+#~ msgid "Function not available in FIPS mode."
+#~ msgstr "Funktion er ikke tilgængelig i FIPS-tilstand."
+
+#~ msgid "Key slot %d selected for deletion."
+#~ msgstr "Nøgleplads %d valgt for sletning."
+
+#~ msgid "open device as mapping <name>"
+#~ msgstr "åbn enhed som oversættelse <navn>"
+
+#~ msgid "close device (deactivate and remove mapping)"
+#~ msgstr "luk enhed (deaktiver og fjern oversættelse)"
+
+#~ msgid "Failed to set PBKDF parameters."
+#~ msgstr "Kunne ikke angive PBKDF-parametre."
+
+#~ msgid "Cannot seek to device offset.\n"
+#~ msgstr "Kan ikke søge til enhedsforskydning.\n"
+
+#~ msgid "Interrupted by a signal."
+#~ msgstr "Afbrudt af et signal."
+
 #~ msgid "Device %s is too small. (LUKS2 requires at least %<PRIu64> bytes.)"
 #~ msgstr "Enheden %s er for lille. (LUKS2 kræver mindst %<PRIu64> byte.)"
diff -Nru cryptsetup-2.2.2/po/de.po cryptsetup-2.3.1/po/de.po
--- cryptsetup-2.2.2/po/de.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/de.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,14 +1,14 @@
 # German translation for the cryptsetup package.
 # Copyright (C) 2010 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Roland Illig <roland.illig@gmx.de>, 2010-2019.
+# Roland Illig <roland.illig@gmx.de>, 2010-2020.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-18 16:11+0200\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 17:07+0100\n"
 "Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
 "Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
 "Language: de\n"
@@ -16,68 +16,68 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Poedit 2.2.4\n"
+"X-Generator: Poedit 2.3\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden, da das Programm nicht mit Root-Rechten läuft."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Das Kernelmodul »device-mapper« kann nicht initialisiert werden. Ist das Kernelmodul »dm_mod« geladen?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "Verlangter »deferred«-Schalter wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID für Gerät »%s« wurde verkürzt."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "Unbekannte Art des dm-Ziels."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Die verlangten dm-crypt-Performance-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Die verlangten dm-verity-Datenbeschädigungs-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Die verlangten dm-verity-FEC-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Die verlangten Datenintegritäts-Optionen werden nicht unterstützt."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "Die verlangte sector_size-Option wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Die verlangte automatische Berechnung der Integritätsangaben wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Der verlangte Bitmap-Modus für dm-Integrität wird nicht unterstützt."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "»Discard/TRIM« wird nicht unterstützt."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Fehler beim Abfragen des »dm-%s«-Segments."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -85,548 +85,565 @@
 "Das System hat keine Entropie mehr, um den Laufwerksschlüssel zu generieren.\n"
 "Bitte bewegen Sie die Maus oder tippen Sie etwas Text in ein anderes Fenster, um einige zufällige Ereignisse zu sammeln.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Schlüssel wird generiert (%d %% erledigt).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Laufe im FIPS-Modus."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Fataler Fehler während der Initialisierung des Zufallszahlengenerators."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "Unbekannte Qualität des Zufallszahlengenerators verlangt."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Fehler beim Einlesen vom Zufallszahlengenerator."
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Fehler beim Initialisieren des Krypto-Zufallszahlengenerator-Backends."
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "Fehler beim Initialisieren des Krypto-Backends."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Hash-Algorithmus »%s« wird nicht unterstützt."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Fehler beim Verarbeiten des Schlüssels (mit Hash-Algorithmus »%s«)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Geräte-Art kann nicht bestimmt werden. Inkompatible Aktivierung des Geräts?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Diese Operation wird nur für LUKS-Geräte unterstützt."
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Diese Operation wird nur für LUKS2-Geräte unterstützt."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Alle Schlüsselfächer sind voll."
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie eins zwischen 0 und %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Schlüsselfach %d ist voll, bitte wählen Sie ein anderes."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "Gerätegröße ist nicht an logischer Sektorgröße ausgerichtet."
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Header gefunden, aber Gerät »%s« ist zu klein."
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Diese Operation wird für diese Geräteart nicht unterstützt."
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Ungültige Operation, während die Wiederverschlüsselung läuft."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nicht unterstützte LUKS-Version %d."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Gerät für separierte Metadaten wird für diese Verschlüsselungsart nicht unterstützt."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "Gerät »%s« ist nicht aktiv."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Zugrundeliegendes Gerät für das Kryptogerät »%s« ist verschwunden."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Ungültige Parameter für Plain-Verschlüsselung."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Ungültige Schlüsselgröße."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID wird für diese Verschlüsselungsart nicht unterstützt."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "Gerätegröße ist nicht an verlangter Sektorgröße ausgerichtet."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "Ohne Gerät kann LUKS nicht formatiert werden."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Die angeforderte Datenausrichtung ist nicht mit dem Datenoffset kompatibel."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "WARNING: Der Datenoffset ist außerhalb des derzeit verfügbaren Datengeräts.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Fehler beim Auslöschen des Headers auf Gerät »%s«."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "WARNUNG: Die Geräteaktivierung wird fehlschlagen, dm-crypt fehlt die Unterstützung für die angeforderte Verschlüsselungsgröße.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Laufwerksschlüssel ist zu klein für die Verschlüsselung mit Integritätserweiterungen."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Verschlüsselung »%s-%s« (Schlüsselgröße %zd Bits) ist nicht verfügbar."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "Warnung: Größe der LUKS2-Metadaten wurde auf %<PRIu64> geändert.\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "Warnung: Größe des LUKS2-Schlüsselfachbereichs wurde auf %<PRIu64> Bytes geändert.\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Gerät »%s« ist zu klein."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Gerät »%s« kann nicht formatiert werden, da es gerade benutzt wird."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Gerät »%s« kann nicht formatiert werden, Zugriff verweigert."
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Fehler beim Formatieren der Integrität auf Gerät »%s«."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Gerät »%s« kann nicht formatiert werden."
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "Ohne Gerät kann LOOPAES nicht formatiert werden."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "Ohne Gerät kann VERITY nicht formatiert werden."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nicht unterstützte VERITY-Hash-Art %d."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "Nicht unterstützte VERITY-Blockgröße."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Nicht unterstützter VERITY-Hash-Offset."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nicht unterstützter VERITY-FEC-Offset."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "Datenbereich und Hashbereich überlappen sich."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "Hashbereich und FEC-Bereich überlappen sich."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "Datenbereich und FEC-Bereich überlappen sich."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "WARNUNG: Angeforderte Taggröße mit %d Bytes unterscheidet sich von der Ausgabe der Größe %s (%d Bytes).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Unbekannte Art des Verschlüsselungsgeräts »%s« verlangt."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nicht unterstützte Parameter für Gerät %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Parameter für Gerät %s sind durcheinander."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Verschlüsselungsgeräte passen nicht zusammen."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Gerät »%s« konnte nicht neugeladen werden."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Gerät »%s« konnte nicht stillgelegt werden."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Gerät »%s« konnte nicht fortgesetzt werden."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Schwerwiegender Fehler beim Neuladen von Gerät »%s« (über Gerät »%s«)."
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Gerät »%s« konnte nicht auf dm-error umgeschaltet werden."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "Fehler beim Ändern der Größe des Loopback-Geräts."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "Wollen Sie wirklich die UUID des Geräts ändern?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Header-Backupdatei enthält keinen kompatiblen LUKS-Header."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Laufwerk »%s« ist nicht aktiv."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Laufwerk »%s« ist bereits im Ruhezustand."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Das Gerät »%s« unterstützt keinen Ruhezustand."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Das Gerät »%s« kann nicht in den Ruhezustand versetzt werden."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Laufwerk »%s« ist nicht im Ruhezustand."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Das Gerät »%s« kann nicht aus dem Ruhezustand aufgeweckt werden."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Fehler beim Aufwecken von Gerät »%s« aus dem Ruhezustand."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Schlüsselfach kann nicht hinzugefügt werden, da alle Fächer deaktiviert sind und kein Laufwerksschlüssel angegeben wurde."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "Neues Schlüsselfach konnte nicht ausgewechselt werden."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "Der Laufwerksschlüssel passt nicht zum Laufwerk."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Schlüsselfach %d ist ungültig."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Schlüsselfach %d ist nicht aktiv."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "Geräteheader und Datenbereich überlappen sich."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Wiederverschlüsselung läuft bereits. Das Gerät kann nicht aktiviert werden."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "Fehler beim Zugriff auf die Sperre zur Wiederverschlüsselung."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Fehler beim Wiederherstellen der LUKS2-Wiederverschlüsselung."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Geräteart ist nicht richtig initialisiert."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Gerät »%s« kann nicht verwendet werden, da es gerade benutzt wird oder der Name ungültig ist."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "Das Gerät »%s« existiert bereits."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Falscher Laufwerksschlüssel für Plain-Gerät angegeben."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "Falscher Root-Hash-Schlüssel für VERITY-Gerät angegeben."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Signatur des Stammhashes erforderlich."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Der Kernel-Schlüsselbund fehlt. Wird benötigt, um die Signatur zum Kernel zu übergeben."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Gerät »%s« wird gerade benutzt."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Ungültiges Gerät »%s«."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "Laufwerks-Schlüsselpuffer zu klein."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Fehler beim Ermitteln des Laufwerksschlüssels für Plain-Gerät."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Root-Hash für Verity-Gerät kann nicht ermittelt werden."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Diese Operation wird für Kryptogerät »%s« nicht unterstützt."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "Die Dump-Operation wird für diese Geräteart nicht unterstützt."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Datenoffset ist kein Vielfaches von %u Bytes."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Gerät »%s« kann nicht konvertiert werden, da es gerade benutzt wird."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Schlüsselfach %u konnte nicht dem Laufwerksschlüssel zugeordnet werden."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Fehler beim Initialisieren der LUKS2-Schlüsselfach-Parameter."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Schlüsselfach %d konnte nicht dem Digest zugeordnet werden."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "Fehler beim Laden des Schlüssels im Kernel-Schlüsselbund."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Der Kernel-Schlüsselbund wird vom Kernel nicht unterstützt."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Fehler beim Lesen der Passphrase vom Schlüsselbund (Fehler %d)."
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Globale Speicherzugriffsserialisierungssperre konnte nicht angefordert werden."
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "Fehler beim Ermitteln der Prozesspriorität."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "Fehler beim Entsperren des Speichers."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "Fehler beim Öffnen der Schlüsseldatei."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "Fehler beim Einlesen der Schlüsseldatei »%s« vom Terminal."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "Fehler beim Öffnen der Schlüsseldatei."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Fehler beim Zugriff auf die Schlüsseldatei."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Zu wenig Speicher zum Einlesen der Passphrase."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Fehler beim Einlesen der Passphrase."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "Nichts zu lesen in der Eingabe."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Größenbegrenzung für die Schlüsseldatei überschritten."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "Die gewünschte Menge an Daten kann nicht eingelesen werden."
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Gerät »%s« existiert nicht oder Zugriff verweigert."
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Gerät »%s« ist nicht kompatibel."
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Gerät »%s« ist zu klein. Mindestens %<PRIu64> Bytes erforderlich."
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Gerät »%s« kann nicht benutzt werden, da es bereits anderweitig benutzt wird."
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Gerät »%s« kann nicht verwendet werden, Zugriff verweigert."
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Fehler beim Abrufen der Infos über Gerät »%s«."
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Das Loopback-Gerät kann nicht benutzt werden, da das Programm nicht mit Root-Rechten läuft."
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Anklemmen des Loopback-Geräts fehlgeschlagen (das Loopback-Gerät benötigt den »autoclear«-Schalter)."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Der angeforderte Offset ist jenseits der wirklichen Größe des Geräts »%s«."
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Gerät »%s« hat die Größe 0."
@@ -693,32 +710,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "Inkompatible PBKDF2-Optionen."
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (kein Verzeichnis oder existiert nicht)."
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "WARNUNG: Zugriffssperren-Verzeichnis %s/%s ist nicht vorhanden!\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Sperren abgebrochen. Der Sperrpfad %s/%s ist unbenutzbar (%s ist kein Verzeichnis)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "Fehler beim Springen zum Gerät-Offset."
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Fehler beim gründlichen Löschen des Geräts, an Offset %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -728,120 +745,120 @@
 "Stellen Sie sicher, dass der Kernel die Verschlüsselung »%s« unterstützt.\n"
 "(Sehen Sie im System-Log nach, ob sich dort Hinweise finden.)"
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Schlüsselgröße im XTS-Modus muss entweder 256 oder 512 Bits sein."
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Verschlüsselungsverfahren sollte im Format [Verfahren]-[Modus]-[IV] sein."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Fehler beim Schreiben auf Gerät »%s«, Zugriff verweigert."
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "Fehler beim Öffnen des temporären Schlüsselspeichergeräts."
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "Fehler beim Zugriff auf das temporäre Schlüsselspeichergerät."
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "E/A-Fehler beim Verschlüsseln des Schlüsselfachs."
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Fehler beim Öffnen des Geräts »%s«."
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "E/A-Fehler beim Entschlüsseln des Schlüsselfachs."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Gerät »%s« ist zu klein. (LUKS1 benötigt mindestens %<PRIu64> Bytes.)"
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS-Schlüsselfach %u ist ungültig."
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Gerät »%s« ist kein gültiges LUKS-Gerät."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Angeforderte Header-Backupdatei »%s« existiert bereits."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Fehler beim Anlegen der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Fehler beim Speichern der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Backupdatei enthält keinen gültigen LUKS-Header."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Fehler beim Öffnen der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Fehler beim Einlesen der Header-Backupdatei »%s«."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Unterschiedlicher Offset oder Schlüsselgröße zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Gerät »%s« %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "enthält keinen LUKS-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "enthält bereits einen LUKS-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -849,102 +866,107 @@
 "\n"
 "WARNUNG: Der Header des echten Geräts hat eine andere UUID als das Backup!"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "Ungewöhnliche Schlüsselgröße, manuelles Reparieren erforderlich."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Ungewöhnliche Ausrichtung der Schlüsselfächer, manuelles Reparieren erforderlich."
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Schlüsselfächer werden repariert."
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Schlüsselfach %i: Offset repariert (%u -> %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Schlüsselfach %i: Streifen repariert (%u -> %u)."
 
 # XXX
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Schlüsselfach %i: schwindlerische Partitions-Signatur."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Schlüsselfach %i: Salt gelöscht."
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "LUKS-Header wird auf den Datenträger geschrieben."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "Fehler beim Reparieren."
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Verlangter LUKS-Hash »%s« wird nicht unterstützt."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "Keine bekannten Probleme im LUKS-Header erkannt."
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Fehler beim Aktualisieren des LUKS-Headers auf Gerät »%s«."
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Fehler beim Neueinlesen des LUKS-Headers nach dem Aktualisieren auf Gerät »%s«."
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Daten-Offset für LUKS-Header muss entweder 0 sein oder mehr als die Headergröße."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "Falsches LUKS-UUID-Format angegeben."
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Einlesen des zufälligen Salts."
 
 # XXX
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "LUKS-Header kann nicht angelegt werden: Fehler beim Hashen des Headers (mit Hash-Algorithmus »%s«)."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Schlüsselfach %d aktiv, löschen Sie es erst."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Material für Schlüsselfach %d enthält zu wenige Streifen. Manipulation des Headers?"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Schlüsselfach kann nicht geöffnet werden (mit Hash-Algorithmus »%s«)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Schlüsselfach %d ist ungültig, bitte wählen Sie ein Schlüsselfach zwischen 0 und %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Gerät »%s« kann nicht ausgelöscht werden."
@@ -962,97 +984,189 @@
 msgstr "Inkompatible Loop-AES-Schlüsseldatei erkannt."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Kernel unterstützt Loop-AES-kompatibles Mapping nicht."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Fehler beim Einlesen der Schlüsseldatei »%s«."
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Maximale Länge der TCRYPT-Passphrase (%d) überschritten."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Maximale Länge der TCRYPT-Passphrase (%zu) überschritten."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Der Hash-Algorithmus »%s« für PBKDF2 wird nicht unterstützt, überspringe diesen Teil."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "Die benötigte Crypto-Kernel-Schnittstelle ist nicht verfügbar."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Stellen Sie sicher, dass das Kernelmodul »algif_skcipher« geladen ist."
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Aktivierung wird für die Sektorengröße %d nicht unterstützt."
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Der Kernel unterstützt die Aktivierung für diesen TCRYPT-Legacymodus nicht."
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "TCRYPT-Systemverschlüsselung für Partition »%s« wird aktiviert."
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Kernel unterstützt TCRYPT-kompatibles Mapping nicht."
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Diese Funktionalität braucht einen geladenen TCRYPT-Header."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Unerwartete Art »%u« des Metadaten-Eintrags beim Parsen des unterstützten Volume Master Keys gefunden."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Ungültige Zeichenkette beim Parsen des Volume Master Key gefunden."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Unerwartete Zeichenkette »%s« beim Parsen des Volume Master Key gefunden."
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Unerwarteter Metadaten-Eintrag %u beim Einlesen des unterstützten Volume Master Key gefunden."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Fehler beim Lesen der BITLK-Signatur von »%s«."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK Version 1 wird derzeit nicht unterstützt."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Ungültige oder unbekannte Bootsignatur für BITLK-Gerät."
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Ungültige oder unbekannte Signatur für BITLK-Gerät."
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Fehler beim Lesen des BITLK-Headers von »%s«."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Fehler beim Schreiben der BITLK-FVE-Metadaten von »%s«."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Unbekannte oder nicht unterstützte Verschlüsselungsart."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Fehler beim Lesen der BITLK-Metadaten von »%s«."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Diese Operation wird nicht unterstützt."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Falsche Schlüsselgröße."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Dieses BITLK-Gerät ist in einem nicht unterstützten Zustand und kann daher nicht aktiviert werden."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "BITLK-Geräte der Art »%s« können nicht aktiviert werden."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Aktivieren eines teilweise entschlüsselten BITLK-Geräts wird nicht unterstützt."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Gerät kann nicht aktiviert werden, dem Kernelmodul dm-crypt fehlt die Unterstützung für BITLK-IV."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Gerät kann nicht aktiviert werden, da dem Kernelmodul dm-crypt die Unterstützung für BITLK-Elephant-Verschleierer fehlt."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Verity device %s does not use on-disk header."
 msgstr "Verity-Gerät »%s« benutzt keinen Header auf dem Datenträger."
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Gerät »%s« ist kein gültiges VERITY-Gerät."
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Nicht unterstützte VERITY-Version %d."
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "VERITY-Header verfälscht."
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Falsches VERITY-UUID-Format über Gerät »%s« angegeben."
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Fehler beim Aktualisieren des VERITY-Headers auf Gerät »%s«."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "Verifikation der Stammhash-Signatur wird nicht unterstützt."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Fehler können mit einem FEC-Gerät nicht repariert werden."
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "%u reparierbare Fehler mit FEC-Gerät gefunden."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "Kernel unterstützt dm-verity-Zuordnung nicht."
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Kernel unterstützt Signatur-Option für dm-verity nicht."
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "Verity-Gerät hat eine Verfälschung nach der Aktivierung festgestellt."
 
@@ -1061,92 +1175,96 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Zusätzlicher Platz an Position %<PRIu64> ist nicht ausgenullt."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Überlauf beim Geräte-Offset."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Fehler beim Verifizieren an Position %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Ungültige Größenparameter für Verity-Gerät."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Überlauf des Hashbereichs."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Fehler beim Verifizieren des Datenbereichs."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Fehler beim Verifizieren des Root-Hashes."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "E/A-Fehler beim Anlegen des Hash-Bereiches."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "Fehler beim Anlegen des Hash-Bereiches."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "WARNUNG: Kernel kann das Gerät nicht aktivieren, wenn die Datenblockgröße die Seitengröße (%u) übersteigt."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Fehler beim Reservieren des RS-Kontexts."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "Fehler beim Reservieren des Puffers."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Fehler beim Lesen des RS-Blocks %<PRIu64>, Byte %d."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Fehler beim Lesen der Parität für RS-Block %<PRIu64>."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Fehler beim Reparieren der Parität für RS-Block %<PRIu64>."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Fehler beim Schreiben der Parität für RS-Block %<PRIu64>."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Blockgrößen müssen für FEC zusammen passen."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Ungültige Anzahl von Paritätsbytes."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Fehler beim Ermitteln der Größe von Gerät »%s«."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "Kernel unterstützt dm-integrity-Zuordnung nicht."
 
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Kernel unterstützt feste Ausrichtung der Metadaten für dm-integrity nicht."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Fehler beim exklusiven Schreibzugriff auf Gerät »%s«."
@@ -1172,40 +1290,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "WARNING: Der Schlüsselfach-Bereich (%<PRIu64> Bytes) ist sehr klein, die LUKS2-Schlüsselfachanzahl ist sehr begrenzt.\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Fehler beim Zugriff auf die Lesesperre für das Gerät »%s«."
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Verbotene LUKS2-Anforderungen in Backup »%s« entdeckt."
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Unterschiedliche Datenoffsets auf Gerät und Backup. Wiederherstellung fehlgeschlagen."
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Unterschiedliche Größe der Binärheader mit Schlüsselfach-Bereichen zwischen Gerät und Backup. Wiederherstellung fehlgeschlagen."
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Gerät »%s« %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "enthält keinen LUKS2-Header. Das Ersetzen des Headers kann Daten auf dem Gerät zerstören."
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "enthält bereits einen LUKS2-Header. Das Ersetzen des Headers wird bestehende Schlüsselfächer zerstören."
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1215,7 +1333,7 @@
 "WARNUNG: Unbekannte LUKS2-Anforderungen im echten Geräteheader entdeckt!\n"
 "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen!"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1225,58 +1343,58 @@
 "WARNUNG: Unvollendete Offline-Wiederverschlüsselung auf dem Gerät entdeckt!\n"
 "Das Ersetzen des Headers mit dem Backup kann zu Datenverlust auf dem Gerät führen."
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Unbekannter Schalter »%s« wird ignoriert."
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Fehlender Schlüssel für dm-crypt-Segment %u"
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "Fehler beim Festlegen des »dm-crypt«-Segments."
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "Fehler beim Festlegen des »dm-linear«-Segments."
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "Nicht unterstützte Konfiguration für Geräteintegrität."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Wiederverschlüsselung läuft gerade. Das Gerät kann nicht deaktiviert werden."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Das stillgelegte Gerät »%s« mit dm-error-Ziel konnte nicht in den Fehlerzustand gesetzt werden."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "Fehler beim Lesen der LUKS2-Anforderungen."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Unerfüllte LUKS2-Anforderungen entdeckt."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Offline-Wiederverschlüsselung läuft gerade. Wird abgebrochen."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Online-Wiederverschlüsselung läuft gerade. Wird abgebrochen."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für Altlasten-Wiederverschlüsselung markiert ist. Wird abgebrochen."
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Diese Operation kann nicht mit einem Gerät durchgeführt werden, das für LUKS2-Wiederverschlüsselung markiert ist. Wird abgebrochen."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "Nicht genügend Speicher, um ein Schlüsselfach zu öffnen."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Fehler beim Öffnen des Schlüsselfachs."
 
@@ -1289,52 +1407,56 @@
 msgid "No space for new keyslot."
 msgstr "Nicht genug Speicherplatz für neues Schlüsselfach."
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Fehler beim Prüfen des Zustands von Gerät mit der UUID %s."
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Fehler beim Konvertieren des Headers mit zusätzlichen LUKSMETA-Metadaten."
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Nicht genug Speicherplatz."
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs. Bereich für die LUKS2-Schlüsselfächer ist zu klein."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Fehler beim Verschieben des Schlüsselfach-Bereichs."
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Standardgröße für Verschlüsselungssektoren ist nicht 512 Bytes."
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach-Digeste sind nicht zu LUKS1 kompatibel."
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Gerät verwendet eingepacktes Verschlüsselungsverfahren %s."
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: LUKS2-Header enthält %u Token."
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist in ungültigem Zustand."
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u (über Maximalfach) ist noch aktiv."
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Fehler beim Konvertieren in LUKS1-Format: Schlüsselfach %u ist nicht zu LUKS1 kompatibel."
@@ -1356,7 +1478,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Fehler beim Initialisieren der Umverpackung für den Speicher alter Segmente."
 
@@ -1368,7 +1490,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "Fehler beim Lesen der Prüfsummen für die aktuelle Hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Fehler beim Lesen des Hotzone-Bereichs, der bei %<PRIu64> beginnt."
@@ -1426,119 +1548,119 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Datenverschiebung (%<PRIu64> Sektoren) ist weniger als der zukünftige Datenoffset (%<PRIu64> Sektoren)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Fehler beim exklusiven Öffnen von »%s« (wird bereits anderweitig benutzt)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "Derzeit läuft keine LUKS2-Wiederverschlüsselung."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Das Gerät ist nicht für LUKS2-Wiederverschlüsselung markiert."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Fehler beim Laden des LUKS2-Wiederverschlüsselungs-Kontextes."
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "Fehler beim Einlesen des Wiederverschlüsselungs-Zustands."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "Das Gerät befindet sich nicht in der Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "Der Wiederverschlüsselungs-Vorgang läuft bereits."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "Fehler beim Zugriff auf die Schreibsperre für die Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Führen Sie zuerst die Wiederverschlüsselungs-Wiederherstellung durch."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Aktive Gerätegröße und angeforderte Wiederverschlüsselungsgröße passen nicht zusammen."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Ungültige Gerätegröße wurde in den Wiederverschlüsselungsparametern angefordert."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Wiederverschlüsselung läuft bereits. Wiederherstellung ist nicht möglich."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "LUKS2-Wiederverschlüsselung ist in den Metadaten bereits initialisiert."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "LUKS2-Wiederverschlüsselung konnte in den Metadaten nicht initialisiert werden."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Fehler beim Festlegen der Gerätesegmente für die nächste Wiederverschlüsselungs-Hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Fehler beim Schreiben der Metadaten für robuste Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "Fehler beim Entschlüsseln."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Fehler beim Schreiben des Hotzone-Bereichs, der bei %<PRIu64> beginnt."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "Fehler beim Synchronisieren von Daten."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Fehler beim Aktualisieren der Metadaten, nachdem die aktuelle Wiederverschlüsselungs-Hotzone beendet wurde."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "Fehler beim Schreiben der LUKS2-Metadaten."
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "Fehler beim gründlichen Löschen der Backupsegmentdaten."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "Fehler beim Deaktivieren der Wiederverschlüsselungsanforderung."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Schwerwiegender Fehler beim Wiederverschlüsseln des Blocks bei %<PRIu64>, %<PRIu64> Sektoren lang."
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Das Gerät nicht fortsetzen, außer es wird manuell durch das Fehlerziel ersetzt."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Wiederverschlüsselung kann nicht fortgesetzt werden. Unerwarteter Zustand der Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Fehlender oder ungültiger Wiederverschlüsselungs-Kontext."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "Fehler beim Initialisieren des Gerätestapels für Wiederverschlüsselung."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "Fehler beim Aktualisieren des Wiederverschlüsselungskontexts."
 
@@ -1552,64 +1674,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Fehler beim Erzeugen des eingebauten Tokens »%s«."
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Passphrase-Verifikation ist nur auf Terminal-Eingaben möglich."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Verschlüsselungsparameter für Schlüsselfach wird nur für LUKS2-Geräte unterstützt."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Kein bekanntes Verschlüsselungsmuster entdeckt."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "WARNUNG: Der Parameter --hash wird im Plain-Modus ignoriert, wenn eine Schlüsseldatei angegeben ist.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "WARNUNG: Die Option --keyfile-size wird ignoriert, da die Lesegröße die gleiche ist wie die Verschlüsselungsschlüsselgröße ist.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Gerätesignaturen auf »%s« erkannt. Wenn Sie fortfahren, könnte das bestehende Daten beschädigen."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Vorgang abgebrochen.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Die Option »--key-file« muss angegeben werden."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "VeraCrypt-PIM eingeben: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Ungültiger PIM-Wert: Formatfehler."
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Ungültiger PIM-Wert: 0."
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Ungültiger PIM-Wert: außerhalb des gültigen Bereichs."
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "Kein Geräte-Header mit dieser Passphrase gefunden."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Gerät »%s« ist kein gültiges BITLK-Gerät."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1621,56 +1748,56 @@
 "daher ausschließlich an einem sicheren Ort und verschlüsselt\n"
 "aufbewahrt werden."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Gerät »%s« ist noch aktiv und zum verzögerten Entfernen eingeplant.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Um die Größe von aktiven Geräten zu öndern, muss der Laufwerksschlüssel im Schlüsselbund sein, aber die Option --disable-keyring wurde angegeben."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Benchmark unterbrochen."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     (nicht zutreffend)\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u Iterationen pro Sekunde für %zu-Bit-Schlüssel\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s (nicht zutreffend)\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u Iterationen, %5u Speicher, %1u parallele Threads (CPUs) für %zu-Bit-Schlüssel (Zieldauer %u Millisekunden)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Das Ergebnis des Benchmarks ist nicht zuverlässig."
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Die Tests sind nur annähernd genau, da sie nicht auf den Datenträger zugreifen.\n"
 
 # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption".
 # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators.
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s   Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Verschlüsselung »%s« ist nicht verfügbar."
@@ -1678,15 +1805,15 @@
 # upstream: the following line should also be translated. This is because the long word "Schlüssel" for "Key" will break the layout, as well as "Verschlüsselung" for "Encryption".
 # To help the translators, you should provide an example for what goes into the %x placeholders, since I had to make an educated guess that the second %s would be exactly 4 characters long. This is an unnecessary burden for the translators.
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#   Algorithmus | Schlüssel | Verschlüsselung | Entschlüsselung\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "N/A"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1694,19 +1821,19 @@
 "Es scheint, dass das Gerät keine Wiederherstellung der Wiederverschlüsselung braucht.\n"
 "Trotzdem fortsetzen?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Wirklich mit der Wiederherstellung der LUKS2-Wiederverschlüsselung fortfahren?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Geben Sie die Passphrase für die Wiederherstellung der Wiederverschlüsselung ein: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Wirklich versuchen, den LUKS-Geräteheader wiederherzustellen?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1715,127 +1842,127 @@
 "Sie können diesen Vorgang mit Strg+C unterbrechen (der nicht gesäuberte Bereich des Geräts wird dann ungültige Prüfsummen haben).\n"
 
 # upstream: it is boring that I have to translate the newline at the end of each of these messages. Translating strings without newlines is much easier and faster. Since it is redundant anyway (all calls to log_err have a trailing newline), this newline should be written implicitly.
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Fehler beim Deaktivieren des temporären Geräts »%s«."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Die Integritätsoption kann nur für das LUKS2-Format verwendet werden."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nicht unterstützte Optionen für Größe der LUKS-Metadaten."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Fehler beim Anlegen der Headerdatei »%s«."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Kein bekanntes Integritätsspezifikationsmuster entdeckt."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Das Gerät »%s« kann nicht als Datenträger-Header benutzt werden."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Hiermit werden die Daten auf »%s« unwiderruflich überschrieben."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Fehler beim Festlegen der PBKDF-Parameter."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Verringerter Datenoffset ist nur für separaten LUKS-Header erlaubt."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Die Größe des Laufwerksschlüssels erfordert Schlüsselfächer, bitte nutzen Sie dazu die Option »--key-size«."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "Gerät aktiviert, aber die Schalter können nicht dauerhaft gespeichert werden."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Schlüsselfach %d zum Löschen ausgewählt."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Dies ist das letzte Schlüsselfach. Wenn Sie diesen Schlüssel löschen, wird das Gerät unbrauchbar."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Geben Sie irgendeine verbleibende Passphrase ein: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Vorgang abgebrochen, das Schlüsselfach wurde NICHT gesäubert.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Geben Sie die zu löschende Passphrase ein: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Geben Sie die neue Passphrase für das Schlüsselfach ein: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Geben Sie irgendeine bestehende Passphrase ein: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Geben Sie die zu ändernde Passphrase ein: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Geben Sie die neue Passphrase ein: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Geben Sie die Passphrase für das umzuwandelnde Schlüsselfach ein: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Die Operation »isLuks« unterstützt nur genau ein Geräte-Argument."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "Option »--header-backup-file« muss angegeben werden."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s ist kein von cryptsetup verwaltetes Gerät."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Die Geräteart »%s« kann nicht aufgefrischt werden"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Unbekannte Art »%s« des Metadaten-Geräts."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "Dieser Befehl benötigt den Gerätenamen und den zugeordneten Namen als Argumente."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1844,95 +1971,95 @@
 "Diese Operation wird alle Schlüsselfächer auf Gerät »%s« löschen.\n"
 "Dadurch wird das Gerät unbrauchbar."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Vorgang abgebrochen, die Schlüsselfächer wurden NICHT gesäubert.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Invalid LUKS type, only luks1 and luks2 are supported."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "Das Gerät hat bereits den Typ »%s«."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Diese Operation wird für »%s« ins Format »%s« umwandeln.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Vorgang abgebrochen, das Gerät wurde NICHT konvertiert.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Die Option --priority, --label oder --subsystem fehlt."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d ist ungültig."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d ist in Benutzung."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Fehler beim Hinzufügen des LUKS2-Schlüsselring-Tokens %d."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Token %d kann nicht dem Schlüsselfach %d zugeordnet werden."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d wird gerade nicht verwendet."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "Token konnte nicht aus der Datei importiert werden."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Auf Token %d kann nicht für den Export zugegriffen werden."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Der Parameter --key-description ist Pflicht für die Aktion »token add«."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Die Aktion erfordert ein bestimmtes Token. Verwenden Sie den Parameter --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Ungültige Token-Operation »%s«."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Automatisch erkanntes aktives dm-Gerät »%s« für Datengerät »%s«.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Gerät »%s« ist kein Blockgerät.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Fehler bei der automatischen Erkennung von Gerät »%s«."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1945,229 +2072,233 @@
 "Es kann zu Datenverlust kommen, wenn das Gerät gerade aktiviert ist.\n"
 "Um die Wiederverschlüsselung im Online-Modus durchzuführen, verwenden Sie stattdessen den Parameter --active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "Ungültige LUKS-Geräteart."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Verschlüsselung ohne separaten Kopfbereich (--header) ist nur möglich, wenn die Größe des Hauptgeräts reduziert wird (--reduce-device-size)."
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Der angeforderte Datenoffset darf maximal die Hälfte des Parameters --reduce-device-size betragen."
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Der Wert von --reduce-device-size wird auf das Doppelte von --offset %<PRIu64> (in Sektoren) angepasst.\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "Verschlüsselung wird nur für das LUKS2-Format unterstützt."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "LUKS-Gerät auf »%s« erkannt. Möchten Sie dieses LUKS-Gerät erneut verschlüsseln?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Temporäre Headerdatei »%s« existiert bereits. Wird abgebrochen."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Fehler beim Anlegen der temporären Headerdatei »%s«."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s ist jetzt aktiv und bereit für die Onlineverschlüsselung."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s ist jetzt aktiv und bereit für die Onlineverschlüsselung.\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "Nicht genügend freie Schlüsselfächer für Wiederverschlüsselung."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Schlüsseldatei kann nur mit --key-slot oder mit genau einem aktiven Schlüsselfach benutzt werden."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Geben Sie die Passphrase für Schlüsselfach %d ein: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Geben Sie die Passphrase für Schlüsselfach %u ein: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "Dieser Befehl benötigt den Gerätenamen als Argument."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "Derzeit wird nur das LUKS2-Format unterstützt. Bitte verwenden Sie das Werkzeug cryptsetup-reencrypt für LUKS1."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Veraltete Offline-Wiederverschlüsselung wird gerade durchgeführt. Verwenden Sie das Hilfsprogramm cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Wiederverschlüsselung von Geräten mit Integritätsprofil wird nicht unterstützt."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Die LUKS2-Wiederverschlüsselung wurde bereits begonnen. Die Operation wird abgebrochen."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "LUKS2-Gerät wird derzeit nicht wiederverschlüsselt."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<Gerät> [--type <Art>] [<Name>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "Gerät als <Name> öffnen"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<Name>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "Gerät schließen (Zuordnung entfernen)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "Größe des aktiven Geräts ändern"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "Gerätestatus anzeigen"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <Algorithmus>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "Verschlüsselungsalgorithmus benchmarken"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<Gerät>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "Versuchen, die Metadaten auf dem Datenträger zu reparieren"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "LUKS2-Gerät wiederverschlüsseln"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "Alle Schlüsselfächer löschen (Verschlüsselungsschlüssel entfernen)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "Zwischen den Formaten LUKS und LUKS2 umwandeln"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "Permanente Konfigurationsoptionen für LUKS2 festlegen"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<Gerät> [<neue Schlüsseldatei>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "Ein LUKS-Gerät formatieren"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "Schlüssel zu LUKS-Gerät hinzufügen"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<Gerät> [<Schlüsseldatei>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "Entfernt bereitgestellten Schlüssel oder Schlüsseldatei vom LUKS-Gerät"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "Ändert den angegebenen Schlüssel oder die Schlüsseldatei des LUKS-Geräts"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "Wandelt einen Schlüssel in neue PBKDF-Parameter um"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<Gerät> <Schlüsselfach>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "Löscht Schlüssel mit Nummer <Schlüsselfach> vom LUKS-Gerät"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "UUID des LUKS-Geräts ausgeben"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "Testet <Gerät> auf Header einer LUKS-Partition"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "LUKS-Partitionsinformationen ausgeben"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "TCRYPT-Geräteinformationen ausgeben"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "BITLK-Geräteinformationen ausgeben"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "LUKS-Gerät in Ruhezustand versetzen und alle Schlüssel auslöschen (alle IOs werden eingefroren)"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "LUKS-Gerät aus dem Ruhezustand aufwecken"
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Header und Schlüsselfächer eines LUKS-Geräts sichern"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Header und Schlüsselfächer eines LUKS-Geräts wiederherstellen"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <Gerät>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "LUKS2-Token manipulieren"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2175,19 +2306,19 @@
 "\n"
 "<Aktion> ist eine von:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Sie können auch die alten <Aktion>-Aliase benutzen:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, lookaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2202,7 +2333,7 @@
 "<Schlüsselfach> ist die Nummer des zu verändernden LUKS-Schlüsselfachs\n"
 "<Schlüsseldatei> optionale Schlüsseldatei für den neuen Schlüssel der »luksAddKey«-Aktion\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2211,7 +2342,7 @@
 "\n"
 "Vorgegebenes festeingebautes Metadatenformat ist %s (für luksFormat-Aktion).\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2228,7 +2359,7 @@
 "Vorgabe-PBKDF für LUKS2: %s\n"
 "\tIterationszeit: %d, benötigter Speicher: %d kB, parallele Threads: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2243,440 +2374,444 @@
 "\tplain: %s, Schlüssel: %d Bits, Passphrase-Hashen: %s\n"
 "\tLUKS: %s, Schlüssel: %d Bits, LUKS-Header-Hashen: %s, Zufallszahlengenerator: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Standard-Schlüsselgröße mit XTS-Modus (zwei interne Schlüssel) wird verdoppelt.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: Benötigt %s als Argumente"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Diese Hilfe anzeigen"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Kurze Aufrufsyntax anzeigen"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Paketversion ausgeben"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Hilfe-Optionen:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Zeigt detailliertere Fehlermeldungen an"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Zeigt Debugging-Meldungen an"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Debugging-Meldungen anzeigen, inclusive JSON-Metadaten"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Der Algorithmus zum Verschlüsseln des Datenträgers (siehe /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Das Hashverfahren, um den Verschlüsselungsschlüssel aus der Passphrase zu erzeugen"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Verifiziert die Passphrase durch doppeltes Nachfragen"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Schlüssel aus einer Datei lesen"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "Laufwerks-(Master-)Schlüssel aus Datei lesen."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Laufwerks-(Master-)schlüssel anstelle der Schlüsselfach-Informationen wegschreiben"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Die Größe des Verschlüsselungsschlüssels"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "BITS"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Begrenzt das Lesen aus der Schlüsseldatei"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "Bytes"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Anzahl der Bytes, die in der Schlüsseldatei übersprungen werden"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Begrenzt das Lesen aus der neu erzeugten Schlüsseldatei"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Anzahl der Bytes, die in der neu erzeugten Schlüsseldatei übersprungen werden"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Fachnummer für den neuen Schlüssel (im Zweifel das nächste freie)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "Die Größe des Geräts"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SEKTOREN"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Nur die angegebene Gerätegröße benutzen (Rest des Gerätes ignorieren). GEFÄHRLICH!"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "Der Startoffset im Backend-Gerät"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Wieviele Sektoren der verschlüsselten Daten am Anfang übersprungen werden sollen"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Eine schreibgeschützte Zuordnung erzeugen"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Nicht nach Bestätigung fragen"
 
 # XXX
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Frist für interaktive Eingabe der Passphrase (in Sekunden)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "sek"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Aktualisierungsintervall für Fortschrittszeile (in Sekunden)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Wie oft die Eingabe der Passphrase wiederholt werden kann"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Nutzdaten an Grenzen von <n> Sektoren ausrichten - für luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Datei mit dem Backup der LUKS-Header und den Schlüsselfächern"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "/dev/random zum Generieren des Laufwerksschlüssels benutzen"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "/dev/urandom zum Generieren des Laufwerksschlüssels benutzen"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Gerät mit einem anderen nicht-überlappenden Kryptosegment teilen"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "UUID für das zu verwendende Gerät"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Auswurf-Anfragen (»TRIM«-Befehl) für das Gerät zulassen"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Gerät oder Datei mit separatem LUKS-Header"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "Gerät nicht aktivieren, nur Passphrase überprüfen"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Versteckten Header benutzen (verstecktes TCRYPT-Gerät)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Das Gerät ist das System-TCRYPT-Laufwerk (mit Bootlader)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Backup-(Zweit-)-TCRYPT-Header benutzen"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Auch nach VeryCrypt-kompatiblen Geräten suchen"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Persönlicher Interations-Multiplizierer (PIM) für VeryCrypt-kompatibles Gerät"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Bei VeraCrypt-kompatiblem Gerät nach persönlichem Iterations-Multiplizierer (PIM) fragen"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Art der Geräte-Metadaten: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Art der Geräte-Metadaten: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Passwort-Qualitätsprüfung deaktivieren (wenn sie aktiviert ist)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Kompatibilitäts-Performance-Option »same_cpu_crypt« für dm-crypt benutzen"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Kompatibilitäts-Performance-Option »submit_from_crypt_cpus« für dm-crypt benutzen"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "Das Entfernen des Geräts wird aufgeschoben, bis der letzte Benutzer es schließt"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Globale Sperre verwenden, um speicherintensive PBKDF zu serialisieren (um Speicherprobleme zu umgehen)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "PBKDF-Iterationszeit for LUKS (in ms)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "msek"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "PBKDF-Algorithmus (für LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "PBKDF-Speicherkostengrenze"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "Kilobytes"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "PBKDF-Parallelitätskosten"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "Threads"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "PBKDF-Iterationskosten (erzwungen, deaktiviert Benchmark)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Schlüsselfach-Priorität: ignore (ignorieren), normal, prefer (bevorzugen)"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Dateisperrung von Metadaten auf der Platte deaktivieren"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Deaktivieren, dass Laufwerksschlüssel über den Kernel-Schlüsselbund geladen werden"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Datenintegritätsalgorithmus (nur LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Aufzeichnung für Integritätsgerät deaktivieren"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Gerät nach dem Formatieren nicht säubern"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Ineffizientes Altlasten-Padding verwenden (für alte Kernel)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "Nicht nach einer Passphrase fragen, wenn die Aktivierung durch Token fehlschlägt"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Token-Nummer (Vorgabe: eine beliebige)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Schlüsselbeschreibung"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Verschlüsselungs-Sektorgröße (Vorgabe: 512 Bytes)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "Aktivierungsschalter für Gerät permanent festlegen"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Beschriftung für das LUKS2-Gerät festlegen"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Teilsystem-Beschriftung für das LUKS2-Gerät festlegen"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Unbeschränktes LUKS2-Schlüsselfach (ohne zugeordnetem Datensegment) anlegen"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "JSON aus einer Datei lesen oder in eine Datei schreiben"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Größe des Bereichs für LUKS2-Header-Metadaten"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Größe des Bereichs für Schlüsselfächer im LUKS2-Header"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Gerät mit neuen Parametern auffrischen (reaktivieren)"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "LUKS2-Schlüsselfach: Die Größe des Verschlüsselungsschlüssels"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "LUKS2-Keyslot: Der Algorithmus, der für die Keyslot-Verschlüsselung verwendet wird"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "LUKS2-Gerät verschlüsseln (direkt am Ort)."
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "LUKS2-Gerät entschlüsseln (Verschlüsselung entfernen)."
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "LUKS2-Wiederverschlüsselung nur in Metadaten beginnen."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Nur eine begonnene LUKS2-Wiederverschlüsselung fortsetzen."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Größe des Datengeräts reduzieren (Datenoffset verschieben). GEFÄHRLICH!"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "Maximalgröße der Wiederverschlüsselungs-Hotzone."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Widerstandsfähigkeit der Hotzone für die Wiederverschlüsselung (checksum,journal,none)"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "Hash für Prüfsummen der Wiederverschlüsselungs-Hotzone"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Automatische Geräteerkennung der dm-Geräte für die Wiederverschlüsselung übersteuern"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPTION...] <Aktion> <aktionsabhängig>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Argument <Aktion> fehlt."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Unbekannte Aktion."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "Die Option --refresh ist nur beim »open«- oder »refresh«-Befehl erlaubt.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Die Optionen --refresh und --test-passphrase schließen sich gegenseitig aus.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "Die Option --deferred ist nur beim »close«-Befehl erlaubt.\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Die Option --shared ist nur beim beim »open«-Befehl eines Plain-Gerätes erlaubt.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Die Option --allow-discards ist nur beim »open«-Befehl erlaubt.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "Die Option --persistent ist nur beim »open«-Befehl erlaubt.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "Die Option --serialize-memory-hard-pbkdf ist nur beim »open«-Befehl erlaubt.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "Die Option --persistent ist nicht mit --test-passphrase kombinierbar.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2685,245 +2820,255 @@
 "»open« und »benchmark« erlaubt. Benutzen Sie stattdessen »--keyfile-size=(Bytes)«,\n"
 "um das Lesen aus der Schlüsseldatei zu begrenzen."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "Die Option --align-payload ist nur für luksFormat erlaubt.\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "Die Option --integrity-no-wipe ist nur für die »format«-Aktion mit Integritätserweiterung erlaubt.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Die Option --uuid ist nur für luksFormat und luksUUID erlaubt.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS- und TCRYPT-Geräten erlaubt.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "Die Option --test-passphrase ist nur beim Öffnen von LUKS, TCRYPT- und BITLK-Geräten erlaubt.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Schlüsselgröße muss ein Vielfaches von 8 Bit sein"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Schlüsselfach ist ungültig."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Die Option --key-file wirkt stärker als das angegebene Schlüsseldatei-Argument."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "Negative Zahl für die Option nicht erlaubt."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Die Option --key-file ist nur einmal erlaubt."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Nur eine der Optionen --use-[u]random ist erlaubt."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "Die Option --use-[u]random ist nur für luksFormat erlaubt."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Die Option --uuid ist nur für luksFormat und luksUUID erlaubt."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Die Option --align-payload ist nur für luksFormat erlaubt."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Die Optionen --luks2-metadata-size und --opt-luks2-keyslots-size sind nur für luksFormat mit LUKS2 erlaubt."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Ungültige Angabe für die Größe der LUKS2-Metadaten."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Ungültige Angabe für die Größe der LUKS2-Schlüsselfächer."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Die Optionen --align-payload und --offset können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Die Option --skip ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt.\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "Die Option --offset ist nur beim Öffnen von plain- und loopaes-Geräten erlaubt, sowie für luksFormat und Wiederverschlüsselung.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Die Optionen --tcrypt-hidden, --tcrypt-system und --tcrypt-backup sind nur zusammen mit einem TCRYPT-Gerät erlaubt.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Die Option --tcrypt-hidden kann nicht mit --allow-discards kombiniert werden.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Die Option --veracrypt wird nur für TCRYPT-kompatible Geräte unterstützt.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Ungültiges Argument für Parameter --veracrypt-pim angegeben.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Die Option --veracrypt-pim wird nur für VeraCrypt-kompatible Geräte unterstützt.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Die Option --veracrypt-query-pim wird nur für VeraCrypt-kompatible Geräte unterstützt.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Die Optionen --veracrypt-pim und --veracrypt-query-pim schließen sich gegenseitig aus.\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "Die Option --priority kann nur »ignore/normal/prefer« sein.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Das Schlüsselfach muss angegeben werden.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "Passwortbasierte Schlüsselableitungsfunktion (PBKDF) kann nur »pbkdf2« oder »argon2i/argon2id« sein.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "Bei PBKDF darf nur entweder die Anzahl der Durchläufe oder die Zeitbegrenzung angegeben werden.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "Die Option Sektorgröße wird für diesen Befehl nicht unterstützt.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Nicht unterstützte Sektorengröße für Verschlüsselung.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "Die Option »--unbound« erfordert die Schlüsselgröße.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "Die Option »--unbound« kann nur zusammen mit der Aktion »luksAddKey« benutzt werden.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "Die Option --refresh kann nur zusammen mit der Aktion »open« benutzt werden.\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "Fehler beim Deaktivieren der Metadaten-Dateisperre.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Ungültige Angabe der Maximalgröße für die Wiederverschlüsselungs-Hotzone."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "Ungültige Angabe der Gerätegröße."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Die maximale Verkleinerungsgröße ist 1 GiB."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Die verkleinerte Größe muss ein Vielfaches von 512-Byte-Sektoren sein."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "Ungültige Angabe der Datengröße."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "Überlauf bei der Verringerungsgröße."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "LUKS2-Entschlüsselung erfordert die Option --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Die Gerätegröße muss ein Vielfaches von 512-Byte-Sektoren sein."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Die Optionen --reduce-device-size und --data-size können nicht kombiniert werden."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Die Optionen --device-size und --size können nicht kombiniert werden."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Ungültiger Salt-String angegeben."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Fehler beim Schreiben des Hash-Abbilds »%s«."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Fehler beim Schreiben des FEC-Abbilds »%s«."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Ungültiger Root-Hash-String angegeben."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Ungültige Signaturdatei »%s«."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Fehler beim Einlesen der Signaturdatei »%s«."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<Datengerät> <Hash-Gerät>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "Gerät formatieren"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<Datengerät> <Hash-Gerät> <Root-Hash>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "Gerät verifizieren"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<Datengerät> <Name> <Hash-Gerät> <Root-Hash>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "Status der aktiven Geräte anzeigen"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<Hash-Gerät>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "Auf dem Datenträger gespeicherte Informationen anzeigen"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2938,7 +3083,7 @@
 "<Hash-Gerät> ist das Gerät, das die Verifikationsdaten enthält\n"
 "<Root-Hash> ist der Hash des Rootknotens auf <Hash-Gerät>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2949,91 +3094,99 @@
 "Einkompilierte Vorgabewerte für dm-verity:\n"
 "\tHash: %s, Datenblock (Bytes): %u, Hashblock (Bytes): %u, Salt-Größe: %u, Hashformat: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Verity-Superblock nicht benutzen"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Format-Art (1 - normal, 0 - originales Chrome-OS)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "Zahl"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Blockgröße auf dem Datengerät"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Blockgröße auf dem Hash-Gerät"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "FEC-Paritätsbytes"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Die Anzahl der Blöcke in der Datendatei"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "Blöcke"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Pfad zum Gerät mit Fehlerkorrekturdaten"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "Pfad"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Start-Offset auf dem Hash-Gerät"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Start-Offset auf dem FEC-Gerät"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Hash-Algorithmus"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "Zeichenkette"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Salt"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "Hex-Zeichenkette"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Pfad zur Signaturdatei des Stammhashes"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Kernel neustarten wenn Beschädigung festgestellt wird"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Beschädigung ignorieren, nur mitloggen"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Ausgenullte Blöcke nicht überprüfen"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Datenblock nur beim erstmaligen Lesen verifizieren"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Die Optionen --ignore-corruption, --restart-on-corruption und --ignore-zero-blocks sind nur für die »open«-Aktion erlaubt.\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Die Option --integrity-recalculate kann nur zusammen mit der Aktion »open« benutzt werden.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Die Optionen --ignore-corruption und --restart-on-corruption können nicht zusammen benutzt werden.\n"
 
@@ -3047,20 +3200,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Fehler beim Einlesen von %d Bytes aus der Schlüsseldatei »%s«."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formatiert mit Etikettgröße %u und interner Integrität %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<Integritätsgerät>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<Integritätsgerät> <Name>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3071,158 +3224,158 @@
 "<Name> ist das Gerät, das unter »%s« angelegt werden soll\n"
 "<Integritätsgerät> ist das Gerät, das die Daten mit Integritätsangaben enthält\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Einkompilierte Vorgabewerte für dm-integrity:\n"
-"\tEtikettgröße: %u Bytes, Prüfalgorithmus: %s\n"
+"\tPrüfalgorithmus: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Pfad zum Datengerät (wenn getrennt)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Journalgröße"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Sektoren verschränken"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Jornal-Wasserzeichen"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "Prozent"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Journal-Commitzeit"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ms"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Anzahl der 512-Byte-Sektoren pro Bit (Bitmap-Modus)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Zeit für sicheres Speichern im Bitmap-Modus"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Etikettgröße pro Sektor"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Sektorengröße"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Puffergröße"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Datenintegritäts-Algorithmus"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Die Größe des Datenintegritätsschlüssels"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Integritätsschlüssel aus einer Datei lesen"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Integritätsalgorithmus für Journal"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Die Größe des Integritätsschlüssels für das Journal"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Integritätsschlüssel für das Journal aus einer Datei lesen"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Algorithmus für Journalverschlüsselung"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Die Größe des Journal-Verschlüsselungsschlüssels"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Journal-Verschlüsselungsschlüssel aus einer Datei lesen"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Wiederherstellungsmodus (kein Journal, keine Etikettprüfung)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Bitmap verwenden, um Änderungen nachzuverfolgen und Journal für Integritätsgerät deaktivieren"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Initiale Integritätsangaben automatisch neu berechnen."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "Die Option --integrity-recalculate kann nur zusammen mit der Aktion »open« benutzt werden."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Die Optionen --journal-size, --interleave-sectors, --sector-size, --tag-size und --no-wipe können nur bei der Aktion »format« verwendet werden.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "Ungültige Angabe der Journalgröße."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen angegeben werden."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "Wenn ein Integritätsschlüssel verwendet wird, muss auch der Integritätsalgorithmus angegeben werden."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Sowohl die Schlüsseldatei als auch die Schlüsselgröße müssen für die Journalintegrität angegeben werden."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Wenn ein Integritätsschlüssel für das Journal verwendet wird, muss auch der Integritätsalgorithmus angegeben werden."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Sowohl der Verschlüsselungsschlüssel als auch die Schlüsselgröße müssen für die Journalverschlüsselung angegeben werden."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Wenn ein Verschlüsselungsschlüssel für das Journal verwendet wird, muss auch der Verschlüsselungsalgorithmus angegeben werden."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Die Modi Wiederherstellung und Bitmap schließen sich gegenseitig aus."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Die Journal-Optionen können nicht im Bitmap-Modus verwendet werden."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Die Bitmapoptionen können nur im Bitmapmodus verwendet werden."
 
@@ -3235,7 +3388,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Gerät »%s« kann nicht exklusiv geöffnet werden, da es bereits benutzt wird."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "Belegen des ausgerichteten Speichers fehlgeschlagen."
 
@@ -3284,190 +3437,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "Fehler beim Aktivieren der temporären Geräte."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Fehler beim Festlegen des Daten-Offsets."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "Fehler beim Festlegen der Metadatengröße."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Neuer LUKS-Header für Gerät »%s« angelegt."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Diese Version von cryptsetup-reencrypt kann internen Tokentyp %s nicht verarbeiten."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "Fehler beim Lesen der Aktivierungsschalter aus dem Backup-Header."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "Fehler beim Schreiben der Aktivierungsschalter in den neuen Header."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Fehler beim Lesen der Anforderungen aus dem Backup-Header."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "%s-Backup-Header von Gerät »%s« angelegt."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "Fehler beim Anlegen des LUKS-Backup-Headers."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Fehler beim Wiederherstellen des %s-Headers auf Gerät »%s«."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "%s-Header auf Gerät »%s« wiederhergestellt."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Fehler beim Öffnen des temporären LUKS-Geräts."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Fehler beim Ermitteln der Gerätegröße."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "E/A-Fehler während der Wiederverschlüsselung."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Die angegebene UUID ist ungültig."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Fehler beim Öffnen der Wiederverschlüsselungs-Logdatei."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Derzeit ist keine Entschlüsselung im Gange, die angegebene UUID kann nur benutzt werden, um einen unterbrochenen Entschlüsselungsvorgang fortzusetzen."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "PBKDF-Parameter in Schlüsselfach %i wurden geändert."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Wiederverschlüsselungs-Blockgröße"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Schlüssel nicht ändern, Datenbereich nicht neu verschlüsseln"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Laufwerks-(Master-)Schlüssel aus Datei lesen"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "PBKDF2 Iterationszeit for LUKS (in ms)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Beim Zugriff auf die Geräte direct-io benutzen"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Nach jedem Block fsync aufrufen"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Logdatei nach jedem Block aktualisieren"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Nur dieses Schlüsselfach benutzen (alle anderen werden deaktiviert)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Neuen Header auf unverschlüsseltem Gerät anlegen"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Gerät dauerhaft entschlüsseln (Verschlüsselung entfernen)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "Die UUID, um das Entschlüsseln fortzusetzen"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Art der LUKS-Metadaten: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[OPTION...] <Gerät>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Wiederverschlüsselung ändert: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "Laufwerksschlüssel"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr ", Hash auf "
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", Verschlüsselung auf "
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Argument muss angegeben werden."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Für die Wiederverschlüsselungs-Blockgröße sind nur Werte zwischen 1 MiB und 64 MiB erlaubt."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Die maximale Verkleinerungsgröße ist 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Die Option »--new« muss zusammen mit »--reduce-device-size« oder »--header« benutzt werden."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Die Option »--keep-new« kann nur zusammen mit »--hash«, »--iter-time« oder »--pbkdf-force-iterations« benutzt werden."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Die Option »--new« kann nicht zusammen mit »--decrypt« benutzt werden."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Die Option --decrypt verträgt sich nicht mit den angegebenen Parametern."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Die Option »--uuid« kann nur zusammen mit »--decrypt« benutzt werden."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Ungültiger LUKS-Typ. Verwenden Sie einen von diesen: luks, luks1, luks2."
 
@@ -3698,6 +3851,15 @@
 msgid "Failed to write JSON file."
 msgstr "JSON-Datei konnte nicht geschrieben werden."
 
+#~ msgid "Offline reencryption in progress. Aborting."
+#~ msgstr "Offline-Wiederverschlüsselung läuft gerade. Wird abgebrochen."
+
+#~ msgid "Online reencryption in progress. Aborting."
+#~ msgstr "Online-Wiederverschlüsselung läuft gerade. Wird abgebrochen."
+
+#~ msgid "No LUKS2 reencryption in progress."
+#~ msgstr "Derzeit läuft keine LUKS2-Wiederverschlüsselung."
+
 #~ msgid "Interrupted by a signal."
 #~ msgstr "Durch ein Signal unterbrochen."
 
@@ -3770,9 +3932,6 @@
 #~ msgid "Device is not in clean reencryption state."
 #~ msgstr "Das Gerät ist nicht in einem sauberen Wiederverschlüsselungszustand."
 
-#~ msgid "Failed to read device info from %s."
-#~ msgstr "Fehler beim Lesen der Geräteinfos von »%s«."
-
 #~ msgid "Failed to calculate new segments."
 #~ msgstr "Fehler beim Berechnen der neuen Segmente."
 
diff -Nru cryptsetup-2.2.2/po/es.po cryptsetup-2.3.1/po/es.po
--- cryptsetup-2.2.2/po/es.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/es.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 # Spanish translations for cryptsetup package
 # Traducciones al español para el paquete cryptsetup.
-# Copyright (C) 2014, 2015, 2016, 2017, 2018, 2019 Free Software Foundation, Inc.
+# Copyright (C) 2014, 2015, 2016, 2017, 2018, 2019, 2020 Free Software Foundation, Inc.
 # This file is put in the public domain.
-# Antonio Ceballos <aceballos@gmail.com>, 2013, 2014, 2015, 2016, 2017, 2018, 2019
+# Antonio Ceballos <aceballos@gmail.com>, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020
 #
 # ######################################################################
 # Traducciones dudosas:
@@ -72,10 +72,10 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-18 17:15+0200\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 23:19+0100\n"
 "Last-Translator: Antonio Ceballos <aceballos@gmail.com>\n"
 "Language-Team: Spanish <es@tp.org.es>\n"
 "Language: es\n"
@@ -85,65 +85,65 @@
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "No se puede inicializar el «device mapper», ejecutando como usuario no administrador."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "No se puede inicializar el «device-mapper». ¿Está cargado el módulo del núcleo dm_mod?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "El indicador diferido solicitado no está disponible."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "El DM-UUID del dispositivo %s ha sido truncado."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "Tipo de objetivo dm desconocido."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Las opciones de rendimiento de dm-crypt solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Las opciones de manejo de corrupción de datos de dm-verity solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Las opciones FEC de dm-verity solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Las opciones de integridad de datos solicitadas no están disponibles."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "La opción sector_size solicitada no está disponible."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "El recómputo automático de las etiquetas de integridad solicitado no está disponible."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "El modo de mapa de bits de dm-integrity solicitado no está disponible."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Descartar/TRIM no disponible."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "No se ha podido consultar el segmento de dm-%s."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -151,548 +151,565 @@
 "El sistema se ha quedado sin entropía mientras estaba generando la clave del volumen.\n"
 "Por favor, mueva el ratón o pulse alguna tecla en otra ventana para provocar algún evento aleatorio.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Generando la clave (%d%% hecho).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Modo FIPS en funcionamiento."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Error fatal durante la inicialización del generador de números aleatorios."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "La calidad solicitada para el generador de números aleatorios es desconocida."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Error leyendo del generador de números aleatorios."
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "No se puede inicializar el «backend» del generador de números aleatorios de cifrado."
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "No se puede inicializar el «backend» de cifrado."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Algoritmo «hash» %s no disponible."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Error de procesamiento de la clave (usando «hash» %s)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "No se puede determinar el tipo de dispositivo. ¿Es incompatible la activación del dispositivo?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Esta operación solamente está disponible para dispositivos LUKS."
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Esta operación solamente está disponible para dispositivos LUKS2."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Todas las ranuras de claves están llenas."
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "La ranura de claves %d no es válida; seleccione un número entre 0 y %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "La ranura de claves %d está llena; seleccione otra."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "El tamaño del dispositivo no está alineado con el tamaño de bloque lógico del dispositivo."
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Cabecera detectada pero el dispositivo %s es demasiado pequeño."
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Esta operación no está disponible para este tipo de dispositivo."
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Operación con recifrado en curso no válida."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Versión LUKS no disponible %d."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "El dispositivo de metadatos separado no está disponible para este tipo de cifrado."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "El dispositivo %s no está activo."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "El dispositivo subyacente asociado al dispositivo cifrado %s ha desaparecido."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Parámetros de cifrado para modo claro no válidos."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Tamaño de clave no válido."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "El UUID no está disponible para este tipo de cifrado."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Tamaño de sector de cifrado no admitido."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "El tamaño del dispositivo no está alineado con el tamaño del sector solicitado."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "Imposible dar formato LUKS sin dispositivo."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "El alineamiento de datos solicitado no es compatible con el desplazamiento de los datos."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "ATENCIÓN: El desplazamiento de los datos está fuera del dispositivo de datos actualmente disponible.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "No se puede limpiar la cabecera del dispositivo %s."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "ATENCIÓN: La activación del dispositivo va a fallar; dm-crypt no admite el tamaño de sector de cifrado solicitado.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "La clave del volumen es demasiado pequeña para cifrado con extensiones de integridad."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "El algoritmo de cifrado %s-%s (tamaño de clave %zd bits) no está disponible."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "ATENCIÓN: el tamaño de los metadatos LUKS2 ha cambiado a %<PRIu64> bytes.\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "ATENCIÓN: el tamaño de la zona de ranuras de claves LUKS2 ha cambiado a %<PRIu64> bytes.\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "El dispositivo %s es demasiado pequeño."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "No se puede dar formato al dispositivo %s en uso."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "No se puede dar formato al dispositivo %s; permiso denegado."
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "No se puede dar formato a la integridad del dispositivo %s."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "No se puede dar formato al dispositivo %s."
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "Imposible dar formato LOOPAES sin dispositivo."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "Imposible dar formato VERITY sin dispositivo."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Tipo de «hash» VERITY %d no disponible."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "Tamaño de bloque VERITY no disponible."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Desplazamiento «hash» VERITY no disponible."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "Desplazamiento FEC VERITY no disponible."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "La zona de datos se solapa con la zona «hash»."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "La zona «hash» se solapa con la zona FEC."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "La zona de datos se solapa con la zona FEC."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "ATENCIÓN: El tamaño de etiqueta de %d bytes solicitado difiere del tamaño de salida de %s (%d bytes).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "El tipo de dispositivo cifrado % solicitado es desconocido."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Parámetros no admitidos para el dispositivo %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Parámetros discordantes en el dispositivo %s."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Los dispositivos de cifrado no concuerdan."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "No se ha podido recargar el dispositivo %s."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "No se ha podido suspender el dispositivo %s."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "No se ha podido reanudar el dispositivo %s."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Error grave durante la recarga del dispositivo %s (por encima del dispositivo %s)."
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "No se ha podido conmutar el dispositivo %s a dm-error."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "No se ha podido cambiar el tamaño del dispositivo de bucle."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "¿Está seguro de que quiere cambiar el UUID del dispositivo?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "El fichero de copia de seguridad de la cabecera no contiene una cabecera LUKS compatible."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "El volumen %s no está activo."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "El volumen %s ya está suspendido."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "La suspensión no está disponible para el dispositivo %s."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Error durante la suspensión del dispositivo %s."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "EL volumen %s no está suspendido."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "La reanudación no está disponible para el dispositivo %s."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Error durante la reanudación del dispositivo %s."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "La clave de volumen no corresponde a este volumen."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "No se puede añadir ranura de claves; todas las ranuras están desactivadas y no se ha proporcionado una clave para el volumen."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "No se ha logrado intercambiar la nueva ranura de claves."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "La clave de volumen no corresponde a este volumen."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "La ranura de claves %d no es válida."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "La ranura de claves %d no está activa."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "La cabecera del dispositivo se solapa con la zona de datos."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Recifrado en curso. No se puede activar el dispositivo."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "No se ha podido conseguir el bloqueo de recifrado."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "La recuperación del recifrado LUKS2 ha fallado."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Este tipo de dispositivo no se ha inicializado adecuadamente."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "No se puede utilizar el dispositivo %s; el nombre no es válido o todavía está en uso."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "El dispositivo %s ya existe."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Clave de volumen incorrecta para dispositivo no cifrado."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "«Hash» raíz incorrecta para dispositivo «verity»."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Se requiere la firma «hash» raíz."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "El llavero de núcleo está ausente: se necesita para pasar la firma al núcleo."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "No se ha podido cargar la clave en el llavero del núcleo."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "El dispositivo %s todavía se está utilizando."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Dispositivo inválido %s."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "El «buffer» de la clave del volumen es demasiado pequeño."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "No se puede recuperar la clave para el dispositivo no cifrado."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "No se puede recuperar el «hash» raíz para dispositivo «verity»."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Esta operación no está disponible para el dispositivo cifrado %s."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "Operación de volcado no deisponible para este tipo de dispositivo."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "El desplazamiento de datos no es múltiplo de %u bytes."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "No se puede convertir el dispositivo %s que todavía está en uso."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "No se ha logrado asignar la ranura de claves %u como nueva clave del volumen."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "No se han podido inicializar los parámetros predefinidos de la ranura de claves LUKS2."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "No se ha logrado asignar la ranura de claves %d al resumen."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "No se ha podido cargar la clave en el llavero del núcleo."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "El llavero de núcleo no está admitido en el núcleo."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "No se ha podido leer la frase contraseña desde el llavero (error %d)"
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "No se ha podido adquirir el bloqueo de la serialización de acceso duro de memoria global."
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "No se puede obtener la prioridad del proceso."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "No se puede desbloquear la memoria."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "No se ha podido abrir el fichero de claves."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "No se puede leer el fichero de claves desde un terminal."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "No se ha podido efectuar «stat» sobre el fichero de claves."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "No es posible situarse en la posición solicitada del fichero de claves."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Memoria agotada mientras se estaba leyendo la frase contraseña."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Error al leer la frase contraseña."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "No hay nada para leer en la entrada."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Se ha excedido el tamaño máximo de fichero de claves."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "No se puede leer la cantidad de datos solicitada."
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "El dispositivo %s no existe o el acceso al mismo ha sido denegado."
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "El dispositivo %s no es compatible."
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "El dispositivo %s es demasiado pequeño. Se necesitan %<PRIu64> bytes como mínimo."
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "No se puede usar el dispositivo %s porque ya está en uso (asignado o montado)."
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "No se puede utilizar el dispositivo %s; permiso denegado."
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "No se puede obtener información del dispositivo %s."
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "No se puede utilizar un dispositivo de bucle invertido como usuario no administrador."
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "No se ha logrado asociar el dispositivo de bucle invertido (hace falta un dispositivo de bucle con marcador de auto-limpieza)."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "El «offset» solicitado está más allá del tamaño real del dispositivo %s."
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "El dispositivo %s tiene tamaño cero."
@@ -759,32 +776,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "Opciones PBKDF no compatibles."
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Bloqueo abortado. La ruta del bloqueo %s/%s no puede utilizarse (o no es un directorio o no existe)."
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "ATENCIÓN: ¡Falta el directorio de bloqueo %s/%s!\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Bloqueo abortado. La ruta del bloqueo %s/%s no puede utilizarse (%s no es un directorio)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "No es posible situarse en la posición del dispositivo."
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Error al limpiar el dispositivo, desplazamiento %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -793,121 +810,121 @@
 "No se ha podido establecer asignación de clave dm-crypt al dispositivo %s.\n"
 "Compruebe que el núcleo admite el algoritmo de cifrado %s (consulte syslog para más información)."
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "El tamaño de clave en modo XTS debe ser 256 o 512 bits."
 
 # TODO
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "La especificación de cifrado debería estar en formato [cipher]-[mode]-[iv]."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "No se puede escribir en el dispositivo %s; permiso denegado."
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "No se ha podido abrir el dispositivo de almacenamiento de claves temporal."
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "No se ha podido acceder al dispositivo de almacenamiento de claves temporal."
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "Error de entrada/salida mientras se cifraba una ranura de claves."
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "No se puede abrir el dispositivo %s."
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "Error de entrada/salida mientras se descifraba una ranura de claves."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "El dispositivo %s es demasiado pequeño. (LUKS1 necesita %<PRIu64> btyes como mínimo.)"
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "La ranura de claves LUKS %u no es válida."
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "El dispositivo %s no es un dispositivo LUKS válido."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "El fichero de copia de seguridad de cabecera solicitado %s ya existe."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "No se puede crear el fichero de copia de seguridad %s."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "No se puede escribir en el fichero de copia de seguridad %s."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "El fichero de copia de seguridad no contiene una cabecera LUKS válida."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "No se puede abrir el fichero de copia de seguridad de cabecerda %s."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "No se puede leer el fichero de copia de seguridad de cabecerda %s."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "La posición de los datos o el tamaño de la clave no coinciden en el dispositivo y en la copia de seguridad."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Dispositivo %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "no contiene cabecera LUKS. Reemplazar la cabecera puede destruir los datos en ese dispositivo."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "ya contiene cabecera LUKS. Reemplazar la cabecera destruirá las ranuras de claves existentes."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -915,100 +932,105 @@
 "\n"
 "ATENCIÓN: ¡la cabecera del dispositivo real tiene un UUID distinto que el de la copia de seguridad!"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "El tamaño de la clave no es estándar; se requiere una reparación manual."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "El alineamiento de las ranuras de claves no es estándar; se requiere una reparación manual."
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Reparando ranuras de claves."
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Ranura de claves %i: posición reparada (%u -> %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Ranura de claves %i: bandas reparadas (%u -> %u)."
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Ranura de claves %i: la firma de la partición es falsa."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Ranura de claves %i: «salt wiped»."
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "Escribiendo cabecera LUKS en el disco."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "La reparación ha fallado."
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "La «hash» LUKS solicitada %s no está disponible."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "No se ha detectado ningún problema en la cabecera LUKS."
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Error al actualizar la cabecera LUKS en el dispositivo %s."
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Error al leer la cabecera LUKS después de actualizarla en el dispositivo %s."
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "La posición de los datos de una cabecera LUKS debe ser 0 o superior al tamaño de la cabecera."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "El formato de UUID LUKS proporcionado es incorrecto."
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "No se puede crear la cabecera LUKS: fallo en la lectura «random salt»."
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "No se puede crear la cabecera LUKS: fallo en la cabecera (usando «hash» %s)."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "La ranura de claves %d está activa; primero hay que purgar."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "El material de la ranura de claves %d no tiene suficientes bandas. Quizá se haya manipulado la cabecera."
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "No se puede abrir la ranura de claves (usando «hash» %s)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "La ranura %d no es válida; seleccione una ranura de claves entre 0 y %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "No se puede limpiar el dispositivo %s."
@@ -1026,97 +1048,189 @@
 msgstr "Se ha detectado un fichero de claves incompatible con «loop-AES»."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "El núcleo no admite asignación compatible con «loop-AES»."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Error leyendo el fichero de claves %s."
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Se ha excedido la longitud máxima (%d) de la frase contraseña TCRYPT."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Se ha excedido la longitud máxima (%zu) de la frase contraseña TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "El algoritmo «hash» %s no está disponible, por lo que se ha ignorado."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "La interfaz de cifrado del núcleo requerida no está disponible."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Asegúrese de que el módulo del núcleo algof_skcipher está cargado."
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "No es posible la activación para el tamaño de sector %d."
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "El núcleo no dispone de activación para este modo antiguo TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Activando el sistema de cifrado TCRYPT para la partición %s."
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "El núcleo no admite asignación compatible con TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Esta función no está disponible sin carga de cabecera TCRYPT."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "El tipo de entrada de metadatos '%u' no esperado se ha encontrado mientras se analizaba la clave maestra del volumen soportado."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Se ha encontrado una cadena no válida mientras se analizaba la clave maestra del volumen."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Se ha encontrado una cadena no esperada ('%s') mientras se analizaba la clave maestra del volumen soportado."
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "El valor de entrada de metadatos '%u' no esperado se ha encontrado mientras se analizaba la clave maestra del volumen soportado."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "No se ha podido leer la firma BITLK de %s."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK versión 1 no está admitido actualmente."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Firma de arranque no válida o desconocida para el dispositivo BITLK"
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Firma no válida o desconocida para el dispositivo BITLK"
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "No se ha podido leer la cabecera BITLK de %s."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "No se han podido leer los metadatos BITLK FVE de %s."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Tipo de cifrado desconocido o no admitido."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "No se han podido leer las entradas de los metadatos BITLK de %s."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Esta operación no está disponible."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Tamaño de clave incorrecto."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Este dispositivo BITLK se encuentra en un estado en el que no puede activarse."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Los dispositivos BITLK con tipo '%s' no puede activarse."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "La activación de un dispositivo BITLK parcialmente descifrado no puede hacerse."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para BITLK IV."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "No se puede activar el dispositivo; el dm-crypt del núcleo no sirve para difusor BITLK «Elephant»."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Verity device %s does not use on-disk header."
 msgstr "El dispositivo «verity» %s no utiliza cabecera en disco."
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "El dispositivo %s no es un dispositivo VERITY válido."
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Versión VERITY %d no disponible."
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "Cabecera VERITY corrupta."
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "El formato UUID VERITY proporcionado en el dispositivo %s es incorrecto."
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Error al actualizar la cabecera «verity» en el dispositivo %s."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "La verificación de firma «hash» raíz solicitada no está disponible."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Los errores no pueden repararse con dispositivo FEC."
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Se han encontrado %u errores reparables con dispositivo FEC."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "El núcleo no dispone de asignación «dm-verity»."
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "El núcleo no dispone de opción de firma «dm-verity»."
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "El dispositivo «verity» ha detectado algo corrupto después de la activación."
 
@@ -1125,92 +1239,96 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "El área de reserva no tiene ceros en la posición %<PRIu64>."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Desbordamiento de la posición del dispositivo."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "La verificación ha fallado en la posición %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Parámetros de tamaño inválido para un dispositivo «verity»."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Desbordamiento del área «hash»."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Fallo en la verificación del área de datos."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Fallo en la verificación de la «hash» raíz."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Error de entrada/salida al crear el área «hash»."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "La creación del área «hash» ha fallado."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ATENCIÓN: el núcleo no puede activar un dispositivo si el tamaño del bloque de datos excede el tamaño de página (%u)."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "No se ha podido asignar contexto RS."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "No se ha podido asignar «buffer»."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "No se ha podido leer el bloque RS %<PRIu64> byte %d."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "No se ha podido leer la paridad para el bloque RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "No se ha podido reparar la paridad para el bloque %<PRIu64>."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "No se ha podido escribir la paridad para el bloque RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Los tamaños de bloque deben coincidir para FEC."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Número no válido de bytes de paridad."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "No se ha podido determinar el tamaño para el dispositivo %s."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "El núcleo no dispone de asociación «dm-integrity»."
 
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "El núcleo no dispone de alineamiento de metadatos fijo «dm-integrity»."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "No se ha podido adquirir el bloqueo de escritura del dispositivo %s."
@@ -1236,40 +1354,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ATENCIÓN: la zona de ranuras de claves (%<PRIu64> bytes) es muy pequeña; el número de ranuras de claves LUKS2 disponibles es muy limitado.\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "No se ha podido adquirir el bloqueo de lectura para el dispositivo %s."
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Se han detectado requisitos prohibidos para LUKS2 en la copia de seguridad %s."
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "La posición de los datos no coinciden en el dispositivo y en la copia de seguridad; ha fallado la restauración."
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "La cabecera binaria con el tamaño de las áreas de ranuras de claves no coinciden en el dispositivo y en la copia de seguridad; la restauración ha fallado."
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Dispositivo %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "no contiene cabecera LUKS2. Reemplazar la cabecera puede destruir los datos en ese dispositivo."
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "ya contiene cabecera LUKS2. Reemplazar la cabecera destruirá las ranuras de claves existentes."
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1280,7 +1398,7 @@
 "dispositivo real! Reemplazar la cabecera con la copia de seguridad puede\n"
 "corromper los datos en ese dispositivo!"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1290,58 +1408,58 @@
 "AVISO: ¡Se ha detectado recifrado «offline» no terminado en el dispositivo!\n"
 "¡Reemplazar la cabecera con la copia de seguridad puede corromper los datos!"
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Se hará caso omiso del indicador desconocido %s."
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Falta la clave para el segmento dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "No se ha podido establecer el segmento de dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "No se ha podido establecer el segmento de dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "Configuración de integridad de dispositivo no admitida."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Recifrado en curso. No se puede desactivar el dispositivo."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "No se ha podido reemplazar el dispositivo suspendido %s con el objetivo dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "No se ha podido leer los requisitos LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Se han detectado requisitos LUKS2 no satisfechos."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Recifrado «offline» en curso. Se aborta."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Recifrado «online» en curso. Se aborta."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Operación incompatible con dispositivo marcado para recifrado obsoleto. Se aborta."
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Operación incompatible con dispositivo marcado para recifrado LUKS2. Se aborta."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "No hay memoria disponible suficiente para abrir una ranura de claves."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Fallo al abrir la ranura de claves."
 
@@ -1354,52 +1472,56 @@
 msgid "No space for new keyslot."
 msgstr "No hay espacio para la nueva ranura de claves."
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "No se puede comprobar el estado del dispositivo con uuid: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Imposible convertir cabecera con metadatos adicionales LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Imposible mover el área de la ranura de claves. No hay suficiente espacio."
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Imposible mover el área de la ranura de claves. Área de ranuras de clave LUKS2 demasiado pequeña."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Imposible mover el área de la ranura de claves."
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "No se puede convertir a formato LUKS1 - el tamaño predefinido de sector de cifrado del segmento no es 512 bytes."
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "No se puede convertir a formato LUKS1 - los resúmenes de rarunas de claves no son compatibles con LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "No se puede convertir a formato LUKS1 - el dispositivo utiliza el cifrado de clave encapsulado %s."
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "No se puede convertir a formato LUKS1 - la cabecera LUKS2 contiene %u «token(s)»."
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u está en un estado no válido."
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "No se puede convertir a formato LUKS1 - la ranura %u (sobre las ranuras máximas) todavía está activa."
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "No se puede convertir a formato LUKS1 - la ranura de claves %u no es compatible con LUKS1."
@@ -1421,7 +1543,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "No se ha podido inicializar la envoltura antigua de almacenamiento del segmento."
 
@@ -1433,7 +1555,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "No se han podido leer las sumas de comprobación para la zona activa actual."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "No se ha podido leer la zona activa que comienza en %<PRIu64>."
@@ -1491,120 +1613,120 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "El desplazamiento de datos (%<PRIu64> sectores) es menor que el desplazamiento de datos futuros (%<PRIu64> sectores)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "No se ha podido abrir %s en modo exclusivo (ya está asignado o montado)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "No hay ningún recifrado LUKS2 en proceso."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "El dispositivo no está marcado para recifrado LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "No se ha podido cargar el contexto del recifrado LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "No se ha podido obtener el estado del recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "El dispositivo no está en recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "El proceso de recifrado ya está en marcha."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "No se ha podido adquirir el bloqueo de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "No se puede proceder con el recifrado. Ejecute primero la recuperación de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "El tamaño del dispositivo activo y el tamaño de recifrado solicitado no coinciden."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "El tamaño de dispositivo solicitado en los parámetros de recifrado no es válido."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Recifrado en proceso. No se puede llevar a cabo una recuperación."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Recifrado LUKS2 ya inicializado en los metadatos."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "No se ha podido inicializar el recifrado LUKS2 en los metadatos."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "No se han podido establecer los segmentos del dispositivo para la siguiente zona activa de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "No se han podido escribir los metadatos de resiliencia de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "El descifrado ha fallado."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "No se ha podido escribir la zona activa que comienza en %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "No se han podido sincronizar los datos."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "No se han podido actualizar los metadatos tras completar la zona activa de recifrado actual."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "No se han podido escribir los metadatos de LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "No se han podido limpiar los datos de segmentos de respaldo."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "No se ha podido desactivar el indicador del requisito de descifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Error fatal mientras se recifraba una porción que comienza en %<PRIu64>, de %<PRIu64> sectores de longitud."
 
 # No sé cómo traducir 'error target'.
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "No reanudar el dispositivo a menos que se reemplace con «error target» manualmente."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "No se puede proceder con el recifrado. Estado de recifrado inesperado."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Contexto de recifrado ausente o no válido."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "No se ha podido inicializar la pila del dispositivo de recifrado."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "No se ha podido actualizar el contexto de recifrado."
 
@@ -1617,64 +1739,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "No se ha podido crear el «token» interno %s."
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "No se puede hacer verificación de frase contraseña en entradas no tty."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Los parámetros de cifrado de ranura de claves solo pueden configurarse para dispositivos LUKS2."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "No se ha detectado ningún patrón conocido de especificación de cifrado."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ATENCIÓN: No se va a hacer caso del parámetro --hash en modo no cifrado con el fichero de claves especificado.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ATENCIÓN: No se va a hacer caso de la opción --keyfile-size; el tamaño de lectura es igual al tamaño de la clave de cifrado.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Se ha(n) detectado firma(s) de dispositivo en %s. Si se prosigue, pueden dañarse los datos existentes."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Operación abortada.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Es necesaria la opción --key-file."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Introduzca PIM de VeraCrypt: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Valor de PIM no válido: error de análisis."
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Valor de PIM no válido: 0."
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Valor de PIM no válido: fuera de rango."
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "No se ha detectado ninguna cabecera de dispositivo con esa frase contraseña."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "El dispositivo %s no es un dispositivo BITLK válido."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1684,68 +1811,68 @@
 "sensible que permite el acceso a una partición cifrada sin frase contraseña.\n"
 "Este volcado debería almacenarse siempre cifrado en un lugar seguro."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "El dispositivo %s todavía está activo y programado para borrado diferido.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "El cambio de tamaño del dispositivo activo requiere clave de volumen en el llavero pero la opción --disable-keyring está puesta."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Comparativa interrumpida."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iteraciones por segundo para clave de %zu bits\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iteraciones, %5u memora, %1u hilos paralelos (CPUs) para clave de %zu bits (tiempo solicitado %u ms)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "El resultado de la comparativa no es fiable."
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Las pruebas son solo aproximadas usando memoria (no hay entrada/salida de almacenadmiento).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algoritmo |     Clave |         Cifrado |      Descifrado\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "El algoritmo de cifrado %s no está disponible."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algoritmo |     Clave |         Cifrado |      Descifrado\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "/N/A"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1753,19 +1880,19 @@
 "Parece que el dispositivo no necesita recuperación del recifrado.\n"
 "¿Desea continuar de todos modos?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "¿Está seguro de proceder con la recuperación del recifrado LUKS2?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Introduzca la frase contraseña para la recuperación del recifrado: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "¿Está seguro de que quiere intentar reparar la cabecera del dispositivo LUKS?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1773,127 +1900,127 @@
 "Limpieza de dispositivo para inicializar la suma de comprobación de integridad.\n"
 "Puede interrumpirse pulsando CTRL+c (el resto de dispositivo no limpiado contendrá sumas de comprobación no válidas.\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "No se puede desactivar el dispositivo temporal %s."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "La opción de integridad solo puede utilizarse para formato LUKS2."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Opciones de tamaño de metadatos LUKS2 no admitidas."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "No se puede crear el fichero de cabecera %s."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "No se ha detectado ningún patrón conocido de especificación de integridad."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "No se puede utilizar %s como cabecera en disco."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Esto sobreescribirá los datos en %s de forma irrevocable."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "No se han podido establecer los parámetros pbkdf."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "La posición de datos reducida está permitida solamente para cabecera LUKS separada."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "No se puede determinar el tamaño de la clave del volumen para LUKS2 sin ranuras de claves; utilice la opción --key-size."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "Dispositivo activado pero los indicadores no pueden hacerse persistentes."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "La ranura de claves %d se va a borrar."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Esta es la última ranura de claves. El dispositivo quedará inutilizado después de purgar esta clave."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Introduzca cualquier frase contraseña que quede: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operación abortada; la ranura de claves NO estaba limpia.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Introduzca la frase contraseña que hay que borrar: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Introduzca una nueva frase contraseña para la ranura de claves: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Introduzca cualquier frase contraseña que exista: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Introduzca la frase contraseña que hay que cambiar: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Introduzca una nueva frase contraseña: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Introduzca la frase contraseña para la ranura de claves que se va a convertir: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "La operación isLuks solo admite un argumento de dispositivo."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "Es necesaria la opción --header-backup-file."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s no es un dispositivo gestionable por cryptsetup."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "El refresco no está disponible para el tipo de dispositivo %s"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Tipo de dispositivo de metadatos %s no reconocido."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "Esta orden necesita como argumentos el dispositivo y el nombre asociado."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1902,95 +2029,95 @@
 "Esta operación borrará todas las ranuras de claves en el dispositivo %s.\n"
 "El dispositivo quedará inutilizable después de esta operación."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operación abortada; las ranuras de claves NO estaban limpias.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Tipo LUKS no válido; solo se admiten luks1 y luks2."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "El dispositivo ya es de tipo %s."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Esta operación convertirá el formato %s a %s.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operación abortada; el dispositivo NO estaba convertido.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Falta la opción --priority, --label o --subsystem."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "El «token» %d no es válido."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "El «token» %d está en uso."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "No se ha podido añadir el «token» %d al llavero luks."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "No se ha logrado asignar el «token» %d a la ranura de claves %d."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "El «token» %d no está en uso."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "No se ha podido importar el «token» del fichero."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "No se ha logrado obtener el «token» %d para exportar."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "El parámetro --key-description es obligatorio para la acción de añadir «token»."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "La acción requiere un «token» específico. Utilice el parámetro --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Operación de «token» no válida %s."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Se ha detectado automáticamente el dispositivo dm activo '%s' para el dispositivo de datos %s.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "El dispositivo %s no es un dispositivo de bloques.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "No se han podido detectar automáticamente los propietarios del dispositivo %s."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -2004,229 +2131,233 @@
 "activado. Para realizar recifrado en modo «online», utilice en su lugar\n"
 "el parámetro --active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "Tipo de dispositivo LUKS no válido."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "El cifrado sin cabecera separada (--header) no es posible sin reducción del tamaño del dispositivo de datos (--reduce-device-size)."
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "El desplazamiento de datos solicitado debe ser menor o igual que la mitad del parámetro --reduce-device-size."
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Ajustando el valor de --reduce-device-size al doble de --offset %<PRIu64> (sectores).\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "El cifrado solo puede hacerse con formato LUKS2."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "Se ha detectado un dispositivo LUKS en %s. ¿Desea cifrar de nuevo ese dispositivo LUKS?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "El fichero de cabecera temporal %s ya existe. Se aborta."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "No se puede crear el fichero de cabecera temporal %s."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s ahora está activo y preparado para cifrado «online»."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s ahora está activo y preparado para cifrado «online».\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "No hay suficientes ranuras de claves para el recifrado."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "El fichero de claves solo puede usarse con --key-slot o con una sola ranura de claves activa exactamente."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Introduzca la frase contraseña para la ranura de claves %d: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Introduzca la frase contraseña para la ranura de claves %u: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "Esta orden necesita un dispositivo como argumento."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "Actualmente solo se admite el formato LUKS2. Utilice la herramienta cryptsetup-reencrypt para LUKS1."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Ya hay un recifrado «offline» heredado en proceso. Utilice la utilidad cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "El recifrado de dispositivo con perfil de integridad no está admitido."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "El recifrado LUKS2 ya está inicializado. Se aborta la operación."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "El dispositivo LUKS2 no está en recifrado."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<dispositivo> [--type <tipo> [<nombre>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "abrir el dispositivo como <nombre>"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<nombre>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "cerrar dispositivo (eliminar asociación)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "cambiar el tamaño del dispositivo activo"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "mostrar el estado del dispositivo"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cypher <algoritmo_de_cifrador>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "algoritmo de cifrado para pruebas"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<dispositivo>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "intentar reparar metadatos en disco"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "recifrar dispositivo LUKS2"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "borrar todas las ranuras de claves (eliminar clave de cifrado)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "convertir formato LUKS de/en LUKS2"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "establecer opciones de configuración permanentes para LUKS2"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<dispositivo> [<nuevo fichero de claves>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "da formato a un dispositivo LUKS"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "añadir clave a un dispositivo LUKS"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<dispositivo> [<fichero de claves>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "elimina la clave suministrada o el fichero de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "cambia la clave suministrada o el fichero de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "convierte una clave a los nuevos parámetros pbkdf"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<dispositivo> <ranura de claves>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "borra la clave con el número <ranura de clave> del dispositivo LUKS"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "imprimir el UUID del dispositivo LUKS"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "comprueba si <dispositivo> tiene cabecera de partición LUKS"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "volcar información sobre la partición LUKS"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "volcar información sobre el dispositivo TCRYPT"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "volcar información sobre el dispositivo BITLK"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspender el dispositivo LUKS y limpiar la clave (todas las entradas/salidas congeladas)."
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "Reanudar el dispositivo LUKS suspendido."
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Hacer copia de seguridad de la cabecera y de las ranuras de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Restaurar la cabecera y las ranuras de claves del dispositivo LUKS"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<añade|elimina|importa|exporta> <dispositivo>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipular «tokens» LUKS2"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2234,19 +2365,19 @@
 "\n"
 "<acción> es una de:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "También se pueden utilizar los alias del tipo <acción> de la antigua sintaxis:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2261,7 +2392,7 @@
 "<ranura de claves> es el número de la ranura de claves que se va a modificar\n"
 "<fichero de claves> fichero de claves opcional para la nueva clave para la acción 'luksAddKey'\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2270,7 +2401,7 @@
 "\n"
 "El formato de metadatos predefinido de fábrica es %s (para la acción luksFormat).\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2287,7 +2418,7 @@
 "PBKDF predefinido para LUKS2: %s\n"
 "\tTiempo de iteración: %d, Memoria requerida: %dkB, hilos en paralelo: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2302,439 +2433,443 @@
 "\tsin cifrado: %s, Clave: %d bits, Contraseña «hashing»: %s\n"
 "\tLUKS: %s, Clave: %d bits, «hashing» de la cabecera LUKS: %s, Generador de números aleatorios: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: El tamaño de clave predefinido con modo XTS (dos claves internas) va a ser duplicado.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: necesita %s como argumentos"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Mostrar este mensaje de ayuda"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Mostrar brevemente cómo se usa"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Imprimir versión del paquete"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Opciones de ayuda:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Muestra mensajes de error más detallados"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Mostrar mensajes de depuración"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Mostrar mensajes de depuración incluidos los metadatos JSON"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Algoritmo de cifrado utilizado para cifrar el disco (ver /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Algoritmo «hash» utilizado para crear la clave de cifrado a partir de la frase contraseña"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Verifica la frase contraseña preguntándola dos veces"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Leer la clave de un fichero."
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "Leer la clave (maestra) del volumen desde fichero."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Volcar la clave (maestra) del volumen en lugar de la información de las ranuras de claves."
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Tamaño de la clave de cifrado"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "BITS"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Limita la lectura desde fichero de claves"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "bytes"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Número de bytes que hay que saltar en el fichero de claves"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Limita la lectura desde un fichero de claves recién añadido"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Número de bytes que hay que saltar en el fichero de claves recién añadido"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Número de ranura para la nueva clave (el primero libre es lo predefinido)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "Tamaño del dispositivo"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SECTORES"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Utilizar solamente el tamaño especificado de dispositivo (ignorar el resto del dispositivo). ¡PELIGROSO!"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "iPosición de comienzo en el dispositivo «backend»"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Cuántos sectores de los datos cifrados hay que saltar al principio"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Crear una asignación alatoria"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "No pedir confirmación"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Tiempo de espera máximo para petición interactiva de frase contraseña (en segundos)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "s"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Actualización de la línea de progreso (en segundos)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Con qué frecuencia se puede volver a intentar introducir la frase contraseña"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Alinear los datos a <n> bordes de sector - para luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Fichero con copia de seguridad de cabecera LUKS y de ranuras de clave."
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Usar /dev/random para generar la clave del volumen."
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Usar /dev/urandom para generar la clave del volumen."
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Compartir dispositivo con otro segmento cifrado no solapado."
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "UUID del dispositivo que se va a usar"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Permitir solicitudes de descarte (también llamadas TRIM) para el dispositivo"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Dispositivo o fichero con cabecera LUKS separada"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "No activar dispositivo; comprobar frase contraseña solamente"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Utilizar cabecera oculta (dispositivo TCRYPT oculto)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "El dispositivo es una unidad con sistema TCRYPT (con cargador de arranque)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Utilizar la cabecera TCRYPT de respaldo (secundaria)"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Explorar también si es un dispositivo compatible con VeraCrypt"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Multiplicador de iteración personal para dispositivo compatible con VeraCrypt"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Consulta el multiplicador de iteración personal para dispositivo compatible con VeraCrypt"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Tipo de metadatos del dispositivo: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Tipo de metadatos del dispositivo: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Desactivar la comprobación de la calidad de la contraseña (si estaba activada)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Utilizar la opción de compatibilidad de rendimiento same_cpu_crypt de dm-crypt"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Utilizar la opción de compatibilidad de rendimiento submit_from_crypt_cpus de dm-crypt"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "La eliminación del dispositivo está diferida hasta que el último usuario lo cierre"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Utilizar un bloqueo global para serializar PBKDF estricto en memoria (solución OOM)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "Tiempo de iteración PBKDF para LUKS (en ms)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "ms"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "Algoritmo PBKDF (para LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "Límite del coste de memoria PBKDF"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "kilobytes"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "Coste del paralelismo PBKDF"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "hilos"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "Coste de las iteraciones PBKDF (forzado, desactiva el banco de pruebas)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Prioridad de la ranura de claves: ignorada, normal, preferente"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Desactiva el bloqueo de metadatos en disco"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Desactiva la carga de las claves del volumen mediante el llavero del núcleo"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Algoritmo de integridad de datos (solo LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Desactiva el diario para dispositivo de integridad"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "No limpiar dispositivo después de dar formato"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Utilizar relleno obsoleto ineficiente (núcleos antiguos)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "No pedir frase de paso si falla la activación por «token»"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Número de «token» (predefinido: cualquiera)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Descripción de la clave"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Tamaño de sector de cifrado (predeterminado: 512 bytes)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "Establecer indicadores de activación persistentes para el dispositivo"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Poner etiqueta al dispositivo LUKS2"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Poner etiqueta de subsistema al dispositivo LUKS2"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Crear ranura de claves LUKS2 ilimitada (sin segmento de datos asignado)"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "Leer o escribir el json de o en un fichero"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Tamaño de la zona de metadatos de la cabecera LUKS2"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Tamaño de la zona de ranuras de clave de la cabecera LUKS2"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Refrescar (reactivar) el dispositivo con los nuevos parámetros"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "Ranura de clave de LUKS2: Tamaño de la clave de cifrado"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "Ranura de clave de LUKS2: El algoritmo de cifrado utilizado para el cifrado de ranuras de clave"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "Crifrar el dispositivo LUKS2 (cifrado in situ)."
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "Descifrar el dispositivo LUKS2 (elimina cifrado)"
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "Inicializar solamente recifrado LUKS2 de los metadatos."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Reanudar solamente recifrado LUKS2 inicializado."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Reducir el tamaño del dispositivo de datos (mover la posición de los datos). ¡PELIGROSO!"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "Tamaño de zona activa de recifrado máximo."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Tipo de resiliencia de zona activa de recifrado (checksum,journal,none)"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "«Hash» de suma de comprobación de zona activa de recifrado"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Anular la autodetección de dispositivos del dispositivo dm que se va a recifrar"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPCIÓN...] <acción> <acción-específica>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "El argumento <acción> no se ha proporcionado."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Acción desconocida."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "El parámetro --refresh solo se permite con las órdenes de abrir y de refrescar.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Las opciones --refresh y --test-passphrase son mutuamente excluyentes.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "La opción --deferred solo se permite con la orden de cerrar.\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "La opción --shared solo se permite para abrir dispositivos no cifrados.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "La opción --allow-discards solo se permite para la operación de abrir.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "La opción --persistent solo se permite para la operación de abrir.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "La opción --serialize-memory-hard-pbkdf solo se permite para la operación de abrir.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "La opción --persistent no se permite con --test-passphrase.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2742,246 +2877,256 @@
 "La opción --key-size solo se permite con las acciones luksFormat, luksAddKey,\n"
 "open y benchmark. Para limitar la lectura del fichero de claves, utilizar --keyfile-size=(bytes)."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "La opción --integrity solo se permite con luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "La opción --integrity-no-wipe solo puede usarse para la acción de formato con extensión de integridad.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Las opciones --label y --subsystem solo se permiten con las operaciones luksFormat y config LUKS2.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "La opción --test-passphrase solo se permite para abrir dispositivos LUKS y TCRYPT.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "La opción --test-passphrase solo se permite para abrir dispositivos LUKS, TCRYPT y BITLK.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "El tamaño de clave debe ser un múltiplo de 8 bits"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "La ranura de claves no es válida."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "La opción --key-file tiene precedencia sobre el argumento de fichero de claves especificado."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "No se permiten números negativos para esta opción."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Solo se permite un argumento --key-file."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Solo se permite una de las opciones --use-[u]random."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "La opción --use-[u]random solo se permite con luksFormat."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "La opción --uuid solo se permite con luksFormat luksUUID."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "La opción --align-payload solo se permite con luksFormat."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Las opciones --luks2-metadata-size y --opt-luks2-keyslots-size solo se permiten para luksFormat con LUKS2."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "La especificación del tamaño de los metadatos LUKS2 no es válida."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "La especificación del tamaño de las ranuras de claves LUKS2 no es válida."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Las opciones --align-payload y --offset no pueden combinarse."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "La opción --skip solo está disponible para abrir dispositivos no cifrados y «loopaes».\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "La opción --offset solo está disponible para abrir dispositivos no cifrados y «loopaes», «luksFormat» y recifrado de dispositivo.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "La opción --tcrypt-hidden o --tcrypt-system o --tcrypt-backup solo está disponible para dispositivos TCRYPT.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "La opción --tcrypt-hidden no puede combinarse con --allow-discards.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "La opción --veracrypt solo está disponible para dispositivos TCRYPT.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Argumento no válido para el parámetro --veracrypt-pim supplied.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "La opción --veracrypt-pim solo está disponible para dispositivos compatibles con VeraCrypt.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "La opción --veracrypt-query-pim  solo está disponible para dispositivos compatibles con VeraCrypt.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Las opciones --veracrypt-pim y --veracrypt-query-pim son mutuamente excluyentes.\n"
 
 # TODO
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "La opción --priority solo puede ser ignore/normal/prefer.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Se requiere especificación de ranura de claves.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "La función de derivación de clave basada en contraseña (PBKDF) solo puede ser pbkdf2 o argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "Las iteraciones forzadas de PBKDF no pueden combinarse con la opción de tiempo de iteración.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "La opción de tamaño de sector no está disponible para esta orden.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Tamaño de sector de cifrado no admitido.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "El tamaño de la clave es requerido con la opción --unbound.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "La opción --unbound solo puede utilizarse con la acción luksAddKey.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "La opción --refresh solo puede utilizarse con la acción de abrir.\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "No se puede desactivar el bloqueo de metadatos.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "La especificación del tamaño máximo de zona activa del dispositivo no es válida."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "La especificación del tamaño del dispositivo no es válida."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "El tamaño máximo de reducción del dispositivo es de 1 GiB."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "El tamaño de reducción debe ser múltiplo de sectores de 512 bytes."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "La especificación del tamaño de los datos no es válida."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "Desbordamiento del tamaño de la reducción."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "El descifrado LUKS2 requiere la opción --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "El tamaño del dispositivo debe ser múltiplo de sectores de 512 bytes."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Las opciones --reduce-device-size y --data-size no pueden combinarse."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Las opciones --device-size y --size no pueden combinarse."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "La cadena «salt» especificada no es válida."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "No se puede crear la imagen «hash» %s para escribir."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "No se puede crear la imagen FEC %s para escribir."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "La cadena «hash» raíz especificada no es válida."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Fichero de firmas inválido %s."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "No se puede leer el fichero de firmas %s."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<dispositivo_de_datos> <dispositivo_«hash»>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "dar formato al dispositivo"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<dispositivo_de_datos> <dispositivo_«hash»> <«hash»_raíz>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "verificar dispositivo"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<dispositivo_de_datos> <nombre> <dispositivo_«hash»> <«hash»_raíz>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "mostrar el estado del dispositivo activo"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<dispositivo_«hash»>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "mostrar información sobre el disco"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2996,7 +3141,7 @@
 "<dispositivo_«hash»> es el dispositivo que contiene los datos de verificación\n"
 "<«hash»_raíz> «hash» del nodo raíz en «dispositivo—«hash»>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -3007,91 +3152,99 @@
 "Parámetros dm-verity predefinidos de fábrica:\n"
 "\tAlgoritmo «hash»: %s, Bloque de datos (bytes): %u, Bloque «hash» (bytes): %u, Tamaño de «salt»: %u, Formato «hash»: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "No utilizar superbloque «verity»"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Tipo de formato (1 - normal, 0 - Chrome OS original)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "número"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Tamaño de bloque en el dispositivo de datos"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Tamaño de bloque en el dispositivo «hash»"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "Bytes de paridad FEC"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Número de bloques en el fichero de datos"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "bloques"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Ruta a dispositivo con datos de corrección de errores"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "ruta"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Posición inicial en el dispositivo «hash»"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Posición inicial en el dispositivo FEC"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Algoritmo «hash»"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "cadena"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "«Salt»"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "cadena hexadecimal"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Ruta al fichero de firmas «hash» raíz"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Reiniciar el núcleo si se detecta corrupción"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Ignorar corrupción, tomar nota únicamente"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "No verificar bloques con zeros"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Verificar el bloque de datos solo en la primera lectura"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Las opciones --ignore-corruption, --restart-on-corruption y --ignore-zero-blocks solo están permitidas para la operación de abrir.\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "La opción --root-hash-signature solo puede usarse para la acción de abrir.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Las opciones --ignore-corruption y --restart-on-corruption no pueden utilizarse juntas.\n"
 
@@ -3105,20 +3258,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "No se pueden leer %d «bytes» en el fichero de claves %s."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formato dado con tamaño de etiqueta %u, integridad interna %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<dispositivo_de_integridad>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<dispositivo_de_integridad> <nombre>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3129,158 +3282,158 @@
 "<nombre> es el dispositivo que se va a crear bajo %s\n"
 "<dispositivo_de_integridad> es el dispositivo que contiene datos con etiquetas de integridad\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Parámetros dm-integrity predefinidos de fábrica:\n"
-"\tTamaño de etiqueta: %u bytes, Algoritmo para la suma de comprobación: %s\n"
+"\tAlgoritmo de la suma de comprobación: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Ruta al dispositivo de datos (si está separado)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Tamaño del diario"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Sectores de entrelazado"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Marca de agua del diario"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "por ciento"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Tiempo de escritura en el diario"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ms"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Número de sectores de 512 bytes por bit (modo mapa de bits)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Tiempo de «flush» del modo mapa de bits"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Tamaño de etiqueta (por sector)"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Tamaño de sector"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Tamaño de los «buffers»"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Algoritmo para la integridad de datos"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Tamaño de la clave de integridad de datos"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Leer la clave de integridad de un fichero"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Algoritmo de integridad del diario"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Tamaño de la clave de integridad del diario"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Leer la clave de integridad del diario de un fichero"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Algoritmo de cifrado del diario"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Tamaño de la clave de cifrado del diario"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Leer la clave de cifrado del diario de un fichero"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Modo de recuperación (sin diario, sin comprobación de etiqueta)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Utilice bitmap para seguir los cambios y desactive el diario para el dispositivo de integridad"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Recalcular las etiquetas iniciales automáticamente."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "La opción --integrity-recalculate solo puede usarse para la acción de abrir."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Las opciones --journal-size, --interleave-sectors, --sector-size, --tag-size y --no-wipe solo pueden utilizarse para la acción de dar formato.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "La especificación del tamaño del diario no es válida."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Deben especificarse las opciones tanto de fichero de claves como tamaño de clave."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "El algoritmo para la integridad debe especificarse si se va a utilizar clave de integridad."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Deben especificarse la opción del fichero de clave de integridad del diario y la del tamaño de la clave."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Debe especificarse el algoritmo de integridad del diario si va a utilizarse la clave de integridad del diario."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Deben especificarse la opción del fichero de la clave de cifrado del diario y la del tamaño de la clave."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Debe especificarse el algoritmo de cifrado del diario si va a utilizarse la clave de cifrado del diario."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Las opciones de recuperación y de modo mapa de bits son mutuamente excluyentes."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Las opciones de diario no pueden utilizarse en modo mapa de bits."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Las opciones de mapa de bits solo pueden utilizarse en el modo mapa de bits."
 
@@ -3293,7 +3446,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "No se puede abrir %s en exclusividad; el dispositivo está en uso."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "La reserva de memoria alineada ha fallado."
 
@@ -3342,190 +3495,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "Fallo en la activación de los dispositivos temporales."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "No se ha podido establecer el desplazamiento de los datos."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "No se ha podido establecer el tamaño de los metadatos."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Se ha creado una nueva cabecera LUKS para el dispositivo %s."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Esta versión de cryptsetup-reencrypt no sabe manejar el nuevo tipo de «token» interno %s."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "No se ha podido leer los indicadores de activación en la cabecera de respaldo."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "No se ha podido escribir los indicadores de activación en la nueva cabecera."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "No se ha podido leer los requisitos en la cabecera de respaldo."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Se ha creado una copia de seguridad de la cabecera %s del dispositivo %s."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "No se ha podido crear la copia de seguridad de las cabeceras LUKS."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "No se puede restaurar la cabecera %s en el dispositivo %s."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Se ha restaurado la cabecera %s en el dispositivo %s."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "No se puede abrir el dispositivo LUKS temporal."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "No se puede obtener el tamaño del dispositivo."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "Error de entrada/salida durante el recifrado."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "El UUID proporcionado no es válido."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "No se puede abrir el fichero de registro de recifrado."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "No hay ningún proceso de descifrado en marcha; el UUID proporcionado solo puede utilizarse para reanudar un proceso de descifrado suspendido."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Se han cambiado los parámetros pbkdf en la ranura de claves %i."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Tamaño de bloque de recifrado"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "No cambie la clave; no hay recifrado en la zona de datos"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Leer la clave (maestra) del volumen desde fichero"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "Tiempo de iteración PBKDF2 para LUKS (en ms)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Utilizar entrada/salida directa para acceder a los dispositivos"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Utilizar fsync después de cada bloque"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Actualizar el fichero de registro después de cada bloque"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Utilizar solamente esta ranura (se desactivarán las demás)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Crear nueva cabecera en dispositivo no cifrado"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Descifrar el dispositivo de forma permanente (eliminar cifrado)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "El UUID utilizado para reanudar el descifrado"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Tipo de metadato LUKS: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[OPCIÓN...] <dispositivo>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "El recifrado va a cambiar: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "clave del volumen"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "nuevo algoritmo «hash» "
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", nuevo algoritmo de cifrado: "
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Hace falta argumento."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Solo se permiten valores entre 1 MiB y 64 MiB para el tamaño de bloque de recifrado."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "El tamaño máximo de reducción del dispositivo es de 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "La opción --new debe utilizarse conjuntamente con --reduce-device-size o --header."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "La opción --keep-key solamente puede utilizarse con --hash, --iter-time o --pbkdf-force-iterations."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "La opción --new no puede utilizarse conjuntamente con --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "La opción --decrypt es incompatible con los parámetros especificados."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "La opción --uuid solo está permitida conjuntamente con --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Tipo de luks no válido. Utilice uno de estos: 'luks', 'luks1' o 'luks2'."
 
@@ -3756,6 +3909,15 @@
 msgid "Failed to write JSON file."
 msgstr "No se ha podido escribir el fichero JSON."
 
+#~ msgid "Offline reencryption in progress. Aborting."
+#~ msgstr "Recifrado «offline» en curso. Se aborta."
+
+#~ msgid "Online reencryption in progress. Aborting."
+#~ msgstr "Recifrado «online» en curso. Se aborta."
+
+#~ msgid "No LUKS2 reencryption in progress."
+#~ msgstr "No hay ningún recifrado LUKS2 en proceso."
+
 #~ msgid "Interrupted by a signal."
 #~ msgstr "Interrumpido por una señal."
 
@@ -3828,9 +3990,6 @@
 #~ msgid "Device is not in clean reencryption state."
 #~ msgstr "El dispositivo no está en un estado de recifrado limpio."
 
-#~ msgid "Failed to read device info from %s."
-#~ msgstr "No se ha podido leer la información del dispositivo en %s."
-
 #~ msgid "Failed to calculate new segments."
 #~ msgstr "No se ha podido calcular los nuevos segmentos."
 
diff -Nru cryptsetup-2.2.2/po/fr.po cryptsetup-2.3.1/po/fr.po
--- cryptsetup-2.2.2/po/fr.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/fr.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,16 +1,16 @@
 # Messages français pour cryptsetup.
-# Copyright (C) 2019 Free Software Foundation, Inc.
+# Copyright (C) 2020 Free Software Foundation, Inc.
 # This file is put in the public domain.
 #
 # Solveig <perso@solveig.org>, 2009.
 # Nicolas Provost <nprovost@quadriv.com>, 2011.
-# Frédéric Marchal <fmarchal@perso.be>, 2019.
+# Frédéric Marchal <fmarchal@perso.be>, 2020.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-21 17:27+0200\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 15:59+0100\n"
 "Last-Translator: Frédéric Marchal <fmarchal@perso.be>\n"
 "Language-Team: French <traduc@traduc.org>\n"
 "Language: fr\n"
@@ -20,65 +20,65 @@
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=2; plural=(n >= 2);\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Exécution comme un utilisateur non-root."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Impossible d'initialiser le gestionnaire « device-mapper ». Le module noyau dm_mod est-il chargé ?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "Le fanion différé demandé n'est pas supporté."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "Le DM-UUID du périphérique %s a été tronqué."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "Type de cible dm inconnu."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Les options de performance dm-crypt demandées ne sont pas supportées."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Les options demandées de gestion de corruption des données dm-verity ne sont pas supportées."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Les options dm-verity FEC demandées ne sont pas supportées."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Les options d'intégrité de données demandées ne sont pas supportées."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "L'option sector_size demandée n'est pas supportée."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Le recalcule automatique des balises de sécurité demandés n'est pas supporté."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Le mode de carte de bits d'intégrité dm demandé n'est pas supporté."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM n'est pas supporté."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Échec lors de l'interrogation du segment dm-%s."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -86,548 +86,565 @@
 "Le système a manqué d'entropie lors de la génération de la clef de volume.\n"
 "Veuillez remuer la souris ou taper du texte dans une autre fenêtre pour générer des événements aléatoires.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Génération de la clef (%d%% effectués).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Fonctionne en mode FIPS."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Erreur fatale d'initialisation RNG."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "La qualité du générateur aléatoire RNG demandé est inconnue."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Erreur en lecture du générateur aléatoire RNG "
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Impossible d'initialiser le moteur aléatoire RNG pour le chiffrement."
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "Impossible d'initialiser le moteur de chiffrement."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "L'algorithme de hachage %s n'est pas supporté."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Erreur de traitement de clé (valeur hachage %s)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Impossible de déterminer le type de périphérique. Activation du périphérique incompatible ?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Cette opération n'est possible que pour les périphériques LUKS."
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Cette opération n'est possible que pour les périphériques LUKS2."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Tous les emplacements de clés sont utilisés."
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "L'emplacement de clé %d n'est pas valide, merci d'en choisir un entre 0 et %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "L'emplacement de clé %d est utilisé, merci d'en sélectionner un autre."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "La taille du périphérique n'est pas alignée avec la taille d'un bloc logique du périphérique."
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "En-tête détecté mais le périphérique %s est trop petit."
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Cette opération n'est pas supportée pour ce type de périphérique."
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Opération illégale avec une re-chiffrement en cours."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "La version %d de LUKS n'est pas supportée."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Un périphérique avec des métadonnées détachées n'est pas supporté avec ce type de chiffrement."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "Le périphérique %s n'est pas activé."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Le périphérique sous-jacent pour le périphérique chiffré %s a disparu."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Paramètres de chiffrement non valides."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "La taille de la clé n'est pas valide."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "le UUID n'est pas supporté avec ce type de chiffrement."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Taille de secteur de chiffrement non supportée."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "La taille du périphérique n'est pas alignée avec la taille de secteur demandée."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "Impossible de formater en LUKS sans périphérique."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "L'alignement de données demandé n'est pas compatible avec le décalage des données."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "AVERTISSEMENT: L'offset des données est en dehors du périphérique de données actuellement disponible.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Impossible d'effacer l'en-tête du périphérique %s."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "AVERTISSEMENT: L'activation du périphérique va échouer, dm-crypt ne supporte pas la taille de secteur de chiffrement demandée.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "La clé de volume est trop petite pour chiffrer avec les extensions d'intégrité."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Le chiffrement %s-%s (clé de %zd bits) n'est pas disponible."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "ATTENTION: La taille des métadonnées LUKS2 est devenue %<PRIu64> octets.\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "ATTENTION: La taille de la zone des emplacements de clés LUKS2 est devenue %<PRIu64> octets.\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Le périphérique %s est trop petit."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Impossible de formater le périphérique %s qui est en cours d'utilisation."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Impossible de formater le périphérique %s. Permission refusée."
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Impossible de formater l'intégrité du périphérique %s."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Impossible de formater le périphérique %s"
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "Impossible de formater LOOPAES sans périphérique."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "Impossible de formater VERITY sans périphérique."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Type de hachage VERITY %d non supporté."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "Taille de bloc VERITY non supportée."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Décalage de hachage VERITY non supporté."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "Décalage VERITY FEC non supporté."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "La zone de données recouvre la zone de hachage."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "La zone de hachage recouvre la zone FEC."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "La zone de données recouvre la zone FEC."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "ATTENTION : La taille %d demandée pour l'étiquette est différente de la taille de sortie de %s (%d octets).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Type de chiffrement de périphérique demandé (%s) inconnu."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Paramètres non supportés sur le périphérique %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Paramètres non concordants sur le périphérique %s."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Désaccord entre les périphériques crypt."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Impossible de recharger le périphérique %s."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Impossible de suspendre le périphérique %s."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Impossible de redémarrer le périphérique %s."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Erreur fatale en rechargeant le périphérique %s (au dessus du périphérique %s)"
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Impossible de basculer le périphérique %s en dm-error."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "Impossible de redimensionner le périphérique loopback."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "Voulez vous réellement changer l'UUID du périphérique ?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Le fichier de sauvegarde de l'en-tête ne contient pas d'en-tête compatible LUKS."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Le volume %s n'est pas actif."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Le volume %s est déjà suspendu."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Le périphérique %s ne supporte pas la suspension."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Erreur lors de la suspension du périphérique %s."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Le volume %s n'est pas suspendu."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Le périphérique %s ne supporte pas la remise en service."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Erreur lors de la remise en service du périphérique %s."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "Ceci n'est pas la clé du volume."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Impossible d'ajouter un emplacement de clé, tous les emplacements sont désactivés et aucune clé n'a été fournie pour ce volume."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "Nouvel emplacement de clé impossible à échanger."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "Ceci n'est pas la clé du volume."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "L'emplacement de clé %d n'est pas valide."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "L'emplacement de clé %d n'est pas actif."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "L'en-tête du périphérique recouvre la zone de données."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Re-chiffrement en cours. Impossible d'activer le périphérique."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "Impossible d'obtenir le verrou de re-chiffrement."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "La récupération du rechiffrement LUKS2 a échoué."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Type de périphérique improprement initialisé."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Impossible d'utiliser le périphérique %s, le nom est invalide ou est toujours utilisé."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "Le périphérique %s existe déjà."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Clé de volume incorrecte pour le périphérique en clair."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "Hachage racine incorrect spécifié pour le périphérique verity."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Signature de hachage racine requise."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Le porte-clé du noyau est manquant : il est requis pour passer une signature au noyau."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "Impossible de charger la clé dans le porte-clé du noyau."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Le périphérique %s est toujours occupé."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Le périphérique %s n'est pas valide."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "Le tampon de la clé du volume est trop petit."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Impossible de récupérer la clé du volume pour ce périphérique de type « plain »."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Impossible de récupérer le hachage racine pour le périphérique verity."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Cette opération n'est pas possible pour le périphérique chiffré %s."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "L'opération de vidage n'est pas supportée pour ce type de périphérique."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Le décalage des données n'est pas un multiple de %u octets."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Impossible de convertir le périphérique %s qui est toujours en cours d'utilisation."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Échec de l'affectation de l'emplacement de clé %u pour la nouvelle clé de volume."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Échec de l'initialisation des paramètres par défaut des emplacement de clé LUKS2."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Échec de l'affectation de l'emplacement de clé %d aux résumé."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "Impossible de charger la clé dans le porte-clé du noyau."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Le porte-clé du noyau n'est pas supporté par ce noyau."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Échec lors de la lecture du mot de passe depuis le porte-clé (erreur %d)."
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Erreur lors de l'acquisition du verrou global de sérialisation des accès strictes à la mémoire"
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "Impossible d'obtenir la priorité du processus."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "Impossible de déverrouiller la mémoire."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "Impossible d'ouvrir le fichier de clef."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "Impossible de lire le fichier de clé depuis un terminal."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "Impossible d'exécuter « stat » sur le fichier de clef."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Impossible de sauter au décalage demandé dans le fichier de clé."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Plus assez de mémoire lors de la lecture de la phrase secrète."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Erreur de lecture de la phrase secrète."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "Rien à lire en entrée."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Taille max. de fichier de clé dépassée."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "Impossible de lire la quantité de données demandée."
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Le périphérique %s n'existe pas ou l'accès y est interdit."
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Le périphérique %s n'est pas compatible."
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Le périphérique %s est trop petit. Il a besoin d'au moins %<PRIu64> octets."
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Impossible d'utiliser le périphérique %s actuellement utilisé (déjà mappé ou monté)."
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Impossible d'utiliser le périphérique %s, permission refusée."
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Impossible d'obtenir des informations au sujet du périphérique %s."
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Impossible d'utiliser un périphérique loopback. Fonctionne comme un utilisateur non-root."
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Impossible d'associer le périphérique loopback (le drapeau « autoclear » est requis)."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Le décalage demandé est au delà de la taille réelle du périphérique %s."
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Le périphérique %s a une taille nulle."
@@ -694,32 +711,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "Options PBKDF incompatibles."
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisable (pas un répertoire ou est manquant)."
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "ATTENTION: Le répertoire verrou %s/%s est manquant !\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Verrouillage interrompu. Le chemin de verrouillage %s/%s est inutilisable (%s n'est pas un répertoire)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "Impossible de se déplacer au décalage du périphérique."
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Erreur durant l'effacement total, offset %<PRIu64>"
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -728,121 +745,121 @@
 "Impossible de configurer la correspondance des clés dm-crypt du périphérique %s.\n"
 "Vérifiez que le noyau supporte le chiffrement %s (pour plus d'informations, voir les journaux syslog)."
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "La taille de la clé en mode XTS doit être un multiple de 256 ou 512 bits."
 
 # Frédéric: Je laisse iv (initialisation vector) sous cette forme car elle est plus habituelle que vi
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "La spécification du chiffrement devrait être au format [chiffrement]-[mode]-[iv]."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Impossible d'écrire sur le périphérique %s. Permission refusée."
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "Échec lors de l'ouverture du périphérique de stockage temporaire de clés."
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "Impossible d'accéder au périphérique de stockage temporaire de clés."
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "Erreur E/S pendant le chiffrement de l'emplacement de clé."
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Impossible d'ouvrir le périphérique %s."
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "Erreur E/S pendant le déchiffrement de l'emplacement de clé."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Le périphérique %s est trop petit (LUKS1 a besoin d'au moins %<PRIu64> octets)."
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "L'emplacement de clé LUKS %u n'est pas valide."
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "%s n'est pas un périphérique LUKS valide."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Le fichier de sauvegarde d'en-tête demandé %s existe déjà."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Impossible de créer le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Impossible d'écrire le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Le fichier de sauvegarde ne contient pas d'en-tête LUKS valide."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Impossible d'ouvrir le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Impossible de lire le fichier de sauvegarde d'en-tête %s."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Le décalage des données (« offset ») ou la taille de la clé ne sont pas identiques dans le périphérique et la sauvegarde. La restauration a échouée."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Périphérique %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "ne contient pas d'en-tête LUKS. Remplacer l'en-tête peut détruire les données de ce périphérique."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "contient déjà un en-tête LUKS. Remplacer l'en-tête détruira les emplacements de clés actuels."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -850,100 +867,105 @@
 "\n"
 "ATTENTION : l'en-tête du périphérique a un UUID différent de celui de la sauvegarde !"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "Taille de clé non standard. Réparation manuelle requise."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Alignement non standard des emplacements de clé. Réparation manuelle requise."
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Réparation des emplacements de clé."
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Emplacement de clé %i : décalage réparé (%u -> %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Emplacement de clé %i : bandes réparées (%u -> %u)."
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Emplacement de clé %i : signature de partition contrefaite."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Emplacement de clé %i : aléa effacé."
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "Écriture de l'en-tête LUKS sur le disque."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "Échec de la réparation."
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "L'algorithme de hachage LUKS demandé (%s) n'est pas supporté."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "Aucun problème connu détecté pour l'en-tête LUKS."
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Erreur lors de la mise à jour de l'en-tête LUKS sur le périphérique %s."
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Erreur lors de la relecture de l'en-tête LUKS après la mise à jour sur le périphérique %s."
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "L'offset des données d'un en-tête LUKS doit être soit 0 ou soit plus grand que la taille de l'en-tête."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "Mauvais format fourni pour le UUID LUKS."
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Impossible de créer un en-tête LUKS : échec lors de la lecture de l'aléa."
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Impossible de créer un en-tête LUKS : le résumé (« digest ») de l'en-tête a échoué (en utilisant l'algorithme de hachage %s)."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "L'emplacement de clé %d est activé, effacez le d'abord."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Le matériel de l'emplacement de clé %d a trop peu de bandes. L'en-tête a-t-il été modifié ?"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Impossible d'ouvrir l'emplacement de clé (en utilisant le hachage %s)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "L'emplacement de clé %d n'est pas valide, merci de sélectionner un emplacement entre 0 et %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Impossible d'effacer de façon sécurisée le périphérique %s."
@@ -961,97 +983,189 @@
 msgstr "Fichier de clé incompatible pour boucle « loop-AES »."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Le noyau ne supporte pas les associations de type boucle « loop-AES »."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Erreur lors de la lecture du fichier de clé %s."
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Longueur maximum de la phrase secrète TCRYPT (%d) dépassée."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Longueur maximum de la phrase secrète TCRYPT (%zu) dépassée."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "L'algorithme de hachage PBKDF2 %s n'est pas supporté, ignoré."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "L'interface du noyau requise pour le chiffrement n'est pas disponible."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Vérifiez que le module du noyau algif_skcipher est chargé."
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "L'activation n'est pas supportée pour des secteurs de taille %d."
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Le noyau ne supporte pas l'activation pour ce mode TCRYPT historique."
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Activation du chiffrement du système TCRYPT sur la partition %s."
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Le noyau ne supporte pas les associations de type TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Cette fonction n'est pas supportée sans le chargement de l'en-tête TCRYPT."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Un type d'entrée « %u » inattendu a été trouvé dans la méta-donnée en analysant la Clé Maître du Volume supportée."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Chaîne texte invalide rencontrée en analysant la Clé Maître du Volume."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Chaîne texte (« %s ») inattendue rencontrée en analysant la Clé Maître du Volume supportée."
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "La valeur « %u » pour l'entrée de la méta-donnée est inattendue en analysant la Clé Maître du Volume supportée."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Impossible de lire la signature BITLK depuis %s."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "La version 1 de BITLK n'est actuellement pas supportée."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Signature d'amorce invalide ou inconnue pour le périphérique BITLK."
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Signature invalide ou inconnue pour le périphérique BITLK."
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Impossible de lire l'en-tête BITLK depuis %s."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Impossible de lire les méta-données BITLK FVE depuis %s."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Type de chiffrement inconnu ou non supporté."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Impossible de lire les entrées des méta-données de BITLK depuis %s."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Cette opération n'est pas supportée."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Mauvaise taille de clé."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Ce périphérique BITLK est dans un état non supporté et ne peut pas être activé."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Les périphériques BITLK avec le type « %s » ne peuvent pas être activés."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "L'activation d'un périphérique BITLK partiellement déchiffré n'est pas supporté."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas BITLK IV."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Impossible d'activer le périphérique car dm-crypt dans le noyau ne supporte pas le diffuseur BITLK Elephant."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Verity device %s does not use on-disk header."
 msgstr "Le périphérique verity %s n'utilise pas l'en-tête sur le disque."
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Le périphérique %s n'est pas un périphérique VERITY valable."
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "La version VERITY %d n'est pas supportée."
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "En-tête VERITY corrompu."
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Mauvais format d'UUID VERITY fourni sur le périphérique %s."
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Erreur lors de la mise à jour de l'en-tête verity sur le périphérique %s."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "La vérification de la signature du hachage racine n'est pas supportée."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Les erreurs ne savent pas être réparées avec un périphérique FEC."
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "%u erreurs réparables ont été trouvées avec le périphérique FEC."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "Le noyau ne supporte pas les associations de type dm-verity."
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Le noyau ne supporte pas les options de signature dm-verity."
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "Le périphérique verity a détecté une corruption après l'activation."
 
@@ -1060,92 +1174,96 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "La zone de réserve n'a pas été mise à zéro à la positon %<PRIu64>."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Débordement du décalage du périphérique."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "La vérification a échoué à la position %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Mauvais paramètres de taille pour le périphérique verity."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Débordement de la zone de hachage."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "La vérification de la zone de données a échoué."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "La vérification du hachage de la racine a échoué."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Erreur d'entrée/sortie lors de la création de la zone de hachage."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "La création de la zone de hachage a échoué."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ATTENTION : Le kernel ne peut pas activer le périphérique si la taille des blocs de données dépasse la taille d'une page (%u)."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Échec de l'allocation du contexte RS."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "Échec de l'allocation du tampon."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Échec de lecture du bloc RS %<PRIu64> octet %d."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Échec de la lecture de la parité du bloc RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Échec de la réparation de la parité du bloc %<PRIu64>."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Échec de l'écriture de la parité du bloc RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Les tailles des blocs doivent concorder pour FEC."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Nombre d'octets de parité invalide."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Impossible de déterminer la taille du périphérique %s."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "Le noyau ne supporte pas les associations de type dm-integrity."
 
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Le noyau ne supporte pas les alignements de méta-données fixés de dm-integrity."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Impossible d'acquérir un verrou en écriture sur le périphérique %s."
@@ -1171,40 +1289,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "ATTENTION: la zone des emplacements de clés (%<PRIu64> octets) est très petite, le nombre d'emplacements de clés LUKS2 est très limité.\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Impossible d'acquérir le verrou de lecture sur le périphérique %s."
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Des exigences LUKS2 interdites ont été détectées dans la sauvegarde %s."
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Les décalages des données ne sont pas identiques sur le périphérique et la sauvegarde, la restauration a échoué."
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Les en-têtes binaires avec des tailles de zones d'emplacements de clés sont différents sur le périphérique et la sauvegarde, la restauration a échouée."
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Périphérique %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "ne contient pas d'en-tête LUKS2. Remplacer l'en-tête peut détruire les données de ce périphérique."
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "contient déjà un en-tête LUKS2. Remplacer l'en-tête détruira les emplacements de clés actuels."
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1214,7 +1332,7 @@
 "ATTENTION: des exigences LUKS2 inconnues ont été détectées sur l'en-tête du périphérique réel !\n"
 "Remplacer l'en-tête par la sauvegarde peut corrompre les données sur ce périphérique !"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1224,58 +1342,58 @@
 "ATTENTION: Un rechiffrement hors-ligne non terminé a été détecté sur le périphérique !\n"
 "Remplacer l'en-tête par la sauvegarde peut corrompre les données."
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Fanion inconnu %s ignoré."
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Clé manquante pour le segment %u de dm-crypt"
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "Impossible de définir le segment dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "Impossible de définir le segment dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "Configuration d'intégrité du périphérique non supportée."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Re-chiffrement en cours. Le périphérique ne peut être désactivé."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Échec du remplacement du périphérique suspendu %s avec la cible dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "Échec lors de la lecture des exigences LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Des exigences LUKS2 non rencontrées ont été détectées."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Un rechiffrement hors-ligne est en cours. Interruption."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Un rechiffrement en-ligne est en cours. Interruption."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement historique. Abandon."
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Opération incompatible avec un périphérique marqué pour le rechiffrement LUKS2. Abandon."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "Pas assez de mémoire disponible pour ouvrir l'emplacement de clé."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Échec de l'ouverture de l'emplacement de clé."
 
@@ -1288,52 +1406,56 @@
 msgid "No space for new keyslot."
 msgstr "Plus d'espace pour le nouvel emplacement de clé."
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Ne peut vérifier le statut du périphérique avec le uuid : %s."
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Impossible de convertir un en-tête avec des métadonnées LUKSMETA supplémentaires."
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Impossible de déplacer la zone des emplacements de clés. Pas assez d'espace."
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Impossible de déplacer la zone des emplacements de clés. Les emplacements de clés LULS2 sont trop petits."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Impossible de déplacer la zone des emplacements de clés."
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Impossible de convertir au format LUKS1 – la taille du secteur de chiffrement du segment par défaut n'est pas 512 octets."
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Impossible de convertir au format LUKS1 – les résumés des emplacements de clés ne sont pas compatibles avec LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Impossible de convertir au format LUKS1 – le périphérique utilise des clés de chiffrement %s emballées."
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Impossible de convertir au format LUKS1 – l'en-tête LUKS2 contient %u jeton(s)."
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u est dans un état invalide."
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement %u (sur les emplacements maximum) est toujours actif."
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Impossible de convertir au format LUKS1 – l'emplacement de clé %u n'est pas compatible avec LUKS1."
@@ -1355,7 +1477,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Impossible d'initialiser l'encapsulation pour le stockage de l'ancien segment."
 
@@ -1367,7 +1489,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "Impossible de lire les sommes de contrôle pour la zone chaude actuelle."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Échec de la lecture de la zone chaude démarrant à %<PRIu64>."
@@ -1425,120 +1547,120 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Le décalage de données (%<PRIu64> secteurs) est plus petit que le décalage de données future (%<PRIu64> secteurs)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Erreur lors de l'ouverture de %s en mode exclusif (déjà mappé ou monté)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "Pas de rechiffrement LUKS2 en cours."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Le périphérique n'est pas marqué pour le rechiffrement LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Échec du chargement du contexte de rechiffrement LUKS2"
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "Impossible d'obtenir l'état de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "Le périphérique n'est pas en rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "Le rechiffrement est déjà en cours."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "Impossible d'acquérir le verrou de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Impossible de réaliser le rechiffrement. Exécutez d'abord la récupération du rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "La taille du périphérique actif et la taille de rechiffrement demandée ne correspondent pas."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "Taille de périphérique illégale demandée dans les paramètres de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Rechiffrement en cours. La récupération ne peut pas être réalisée."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Rechiffrement LUKS2 déjà initialisé dans les métadonnées."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Échec de l'initialisation du rechiffrement LUKS2 dans les métadonnées."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Impossible de définir les segments du périphérique pour le rechiffrement suivant de la zone chaude."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Échec lors de l'écriture des métadonnées de la résilience du rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "Échec du déchiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Échec de l'écriture de la zone chaude démarrant à %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "Erreur lors de la synchronisation des données."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Échec de la mise à jour des métadonnées après la fin du rechiffrement de la zone chaude courante."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "Échec lors de l'écriture des métadonnées LUKS2"
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "Échec lors de l'effacement des données du segment de sauvegarde."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "Impossible de désactiver le fanion de demande de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Erreur fatale en rechiffrant le morceau commençant à %<PRIu64> d'une longueur de %<PRIu64> secteurs."
 
 # Frédéric: Je n'ai pas la moindre idée de ce que le développeur a voulu écrire. Qu'est-ce que "error target" dans ce contexte ?
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Ne pas redémarrer le périphérique à moins qu'il ait été remplacé manuellement par la cible en erreur."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Impossible de réaliser le rechiffrement. Statut de rechiffrement inattendu."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Contexte de rechiffrement manquant ou invalide."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "Impossible d'initialiser la pile du périphérique de rechiffrement."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "Échec de la mise à jour du contexte de rechiffrement."
 
@@ -1551,64 +1673,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Échec lors de la création du jeton intégré %s"
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Impossible de vérifier une phrase secrète non saisie sur une console."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Les paramètres de chiffrement des emplacement de clés peuvent uniquement être définis pour un périphérique LUKS2."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Aucun motif connu d'algorithme de chiffrement n'a été détecté."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ATTENTION: Le paramètre --hash est ignoré en mode non chiffré quand le fichier de clé est spécifié.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ATTENTION: L'option --keyfile-size est ignorée. La taille de lecture est la même que la taille de la clé de chiffrement.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Signature(s) de périphérique détectée(s) sur %s. Continuer risque d'endommager les données existantes."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Opération interrompue.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "L'option --key-file est requise."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Entrez le PIN VeraCrypt : "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Valeur PIN invalide : erreur d'analyse"
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Valeur PIN invalide: 0"
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Valeur PIN invalide: hors des limites."
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "Aucun en-tête détecté avec cette phrase secrète sur le périphérique."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Le périphérique %s n'est pas un périphérique BITLK valide."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1618,68 +1745,68 @@
 "sensible qui permet d'accéder à la partition chiffrée sans mot de passe.\n"
 "Ce contenu devrait toujours être stocké, chiffré, en lieu sûr."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Le périphérique %s est toujours actif et prévu pour une suppression différée.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Le redimensionnement d'un périphérique actif requiert que la clé du volume soit dans le porte-clé mais l'option --disable-keyring est définie."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Test de performance interrompu."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/A\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u itérations par seconde pour une clé de %zu bits\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/A\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u itérations, %5u mémoire, %1u threads parallèles (CPUs) pour une clé de %zu bits (temps de %u ms demandé)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Le résultat de l'évaluation de performance n'est pas fiable."
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Tests approximatifs en utilisant uniquement la mémoire (pas de stockage E/S).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algorithme |       Clé |     Chiffrement |    Déchiffrement\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Le chiffrement %s n'est pas disponible."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#    Algorithme |       Clé |     Chiffrement |    Déchiffrement\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "N/D"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1687,19 +1814,19 @@
 "Le périphérique seems ne requière pas de récupération de rechiffrement.\n"
 "Voulez-vous quand-même continuer ?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Réellement procéder à la récupération du rechiffrement LUKS2 ?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Entrez la phrase secrète pour la récupération du rechiffrement : "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Réellement essayer de réparer l'en-tête du périphérique LUKS ?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1707,127 +1834,127 @@
 "Effacement du périphérique pour initialiser les sommes de contrôle d'intégrité.\n"
 "Vous pouvez interrompre ceci en appuyant sur CTRL+c (le reste du périphérique effacé contiendra toujours des sommes de contrôle invalides).\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Impossible de désactiver le périphérique temporaire %s."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "L'option d'intégrité peut uniquement être utilisée avec le format LUKS2."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Options de taille des métadonnées LUKS2 non supportées."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Impossible de créer le fichier d'en-tête %s."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Aucun motif connu de spécification d'intégrité n'a été détecté."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Ne peut utiliser %s comme en-tête sur disque."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Cette action écrasera définitivement les données sur %s."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Impossible de définir les paramètres pbkdf."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Décalage réduit de données est uniquement permis dans un en-tête LUKS détaché."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Impossible de déterminer la taille de la clé de volume pour LUKS sans emplacement de clé, veuillez utiliser l'option --key-size."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "Le périphérique a été activé mais les fanions ne peuvent pas être rendus permanents."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Emplacement de clé %d sélectionné pour suppression."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Ceci est le dernier emplacement de clé. Le périphérique sera inutilisable après la suppression de cette clé."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Entrez toute phrase secrète restante : "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Opération interrompue, l'emplacement de clé n'a PAS été effacé.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Entrez la phrase secrète à effacer : "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Entrez une nouvelle phrase secrète pour l'emplacement de clé : "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Entrez une phrase secrète existante : "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Entrez la phrase secrète à changer : "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Entrez la nouvelle phrase secrète : "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Entrez la phrase secrète pour l'emplacement de clé à convertir: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "L'opération isLuks supporte seulement un périphérique en argument."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "L'option --header-backup-file est requise."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s n'est pas un périphérique géré par cryptsetup."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Le rafraîchissement n'est pas supporté pour un périphérique de type %s"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Type de métadonnée du périphérique %s non reconnu."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "La commande exige un périphérique et un nom de correspondance comme arguments."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1836,95 +1963,95 @@
 "Cette opération va supprimer tous les emplacements de clés du périphérique %s.\n"
 "Le périphérique sera inutilisable après cette opération."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Opération interrompue, les emplacements de clés n'ont PAS été effacés.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Type LUKS invalide, seuls luks1 et luks2 sont supportés."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "Le périphérique est déjà du type %s."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Cette opération va convertir %s au format %s.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Opération interrompue, le périphérique n'a PAS été converti.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "L'option --priority, --label ou --subsystem est manquante."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Le jeton %d est invalide."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "Le jeton %d est utilisé."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Échec lors de l'ajout du jeton %d au porte-clé luks2."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Échec lors de l'affectation du jeton %d à l'emplacement de clé %d."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Le jeton %d n'est pas utilisé."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "Impossible d'importer le jeton depuis le fichier."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Impossible d'obtenir le jeton %d pour l'export."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Le paramètre --key-description est requis pour l'action d'ajout d'un jeton."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "L'action requiert un jeton spécifique. Utilisez le paramètre --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "L'opération de jeton %s est invalide."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Périphérique dm actif auto-détecté « %s » pour le périphérique de données %s.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Le périphérique %s n'est pas un périphérique blocs.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Échec de l'auto-détection des containers du périphérique %s."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1937,229 +2064,233 @@
 "Les données pourraient être corrompues si le périphérique est réellement activé.\n"
 "Pour exécuter le rechiffrement en mode en ligne, utilisez le paramètre --active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "Type de périphérique LUKS invalide."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Le chiffrement sans en-tête détaché (--header) n'est pas possible sans une réduction de la taille du périphérique de données (--reduce-device-size)"
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Le décalage de données demandé doit être inférieur ou égal à la moitié du paramètre --reduce-device-size."
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Ajustement de la valeur de --reduce-device-size à deux fois --offset %<PRIu64> (secteurs).\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "Le chiffrement est uniquement supporté avec le format LUKS2."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "Périphérique LUKS détecté sur %s. Voulez-vous chiffrer à nouveau ce périphérique LUKS ?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Le fichier temporaire d'en-tête %s existe déjà. Abandon."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Impossible de créer le fichier temporaire d'en-tête %s."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s est maintenant actif et prêt pour un chiffrement en ligne."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s est maintenant actif et prêt pour un chiffrement en ligne.\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "Pas assez d'emplacements de clés libres pour le rechiffrement."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Le fichier de clé peut uniquement être utilisé avec --key-slot ou avec exactement un seul emplacement de clé actif."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Entrez la phrase secrète pour l'emplacement de clé %d : "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Entrez la phrase secrète pour l'emplacement de clé %u : "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "La commande exige un périphérique comme argument."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "Seul le format LUKS2 est actuellement supporté. Veuillez utiliser l'outil cryptsetup-reencrypt pour LUKS1."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Un rechiffrement hors-ligne historique est déjà en cours. Utilisez l'utilitaire cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Le rechiffrement d'un périphérique avec un profil d'intégrité n'est pas supporté."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Rechiffrement LUKS2 déjà initialisé. Abandon de l'opération."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "Le périphérique LUKS2 n'est pas en rechiffrement."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<périphérique> [--type <type>] [<nom>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "ouvrir le périphérique comme <nom>"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<nom>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "fermeture du périphérique (supprime le « mapping »)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "redimensionner le périphérique actif"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "afficher le statut du périphérique"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <chiffrement>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "chiffrement pour test de performance"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<périphérique>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "essayer de réparer les métadonnées sur le disque"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "rechiffrer le périphérique LUKS2"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "supprimer tous les emplacements de clés (supprime la clé de chiffrement)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "convertir LUKS depuis/vers le format LUKS2"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "définir les options de configuration permanentes pour LUKS2"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<périphérique> [<fichier de la nouvelle clé>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "formater un périphérique LUKS"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "ajouter une clé au périphérique LUKS"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<périphérique> [<fichier de clé>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "retire du périphérique LUKS la clé ou le fichier de clé fourni"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "modifie la clé ou le fichier de clé fourni pour le périphérique LUKS"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "converti une clé vers les nouveaux paramètres pbkdf"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<périphérique> <emplacement de clé>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "efface de façon sécurisée la clé avec le numéro <emplacement de clé> du périphérique LUKS"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "afficher l'UUID du périphérique LUKS"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "teste si <périphérique> a un en-tête de partition LUKS"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "affiche les informations LUKS de la partition"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "affiche les informations du périphérique TCRYPT"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "affiche les informations du périphérique BITLK"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Suspendre le périphérique LUKS et effacer de façon sécurisée la clé (toutes les entrées/sorties sont suspendues)"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "Remettre en service le périphérique LUKS suspendu"
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Sauvegarder l'en-tête et les emplacements de clés du périphérique LUKS"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Restaurer l'en-tête et les emplacements de clés du périphérique LUKS"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <périphérique>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "Manipuler les jetons LUKS2"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2167,19 +2298,19 @@
 "\n"
 "<action> est l'une de :\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Vous pouvez aussi utiliser les alias de l'ancienne syntaxe <action> :\n"
-"\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\touvrir : create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tfermer : remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2194,7 +2325,7 @@
 "<emplacement> est le numéro de l'emplacement de clé LUKS à modifier\n"
 "<fichier de clé> est un fichier optionnel contenant la nouvelle clé pour l'action luksAddKey\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2203,7 +2334,7 @@
 "\n"
 "Le format de métadonnées compilé par défaut est %s (pour l'action luksFormat).\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2220,7 +2351,7 @@
 "PBKDF par défaut pour LUKS2 : %s\n"
 "\tTemps d'itération: %d, Mémoire requise: %d ko, Threads parallèles: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2235,439 +2366,443 @@
 "\tplain: %s, Clé: %d bits, Hachage mot de passe: %s\n"
 "\tLUKS: %s, Clé: %d bits, Hachage en-tête LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: La taille de clé par défaut en mode XTS (deux clés internes) sera doublée.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s : exige %s comme arguments."
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Afficher ce message d'aide"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Afficher, en résumé, la syntaxe d'invocation"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Afficher la version du paquet"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Options d'aide :"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Afficher des messages d'erreur plus détaillés"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Afficher les messages de débogage"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Montrer les messages de débogage incluant les métadonnées JSON"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "L'algorithme de chiffrement utilisé pour chiffrer le disque (voir /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "L'algorithme de hachage utilisé pour créer la clé de chiffrement à partir de la phrase secrète"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Vérifier la phrase secrète en la demandant deux fois"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Lire la clef depuis un fichier"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "Lire la clé (maîtresse) du volume depuis un fichier."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Lister les informations de la clé (maîtresse) de volume au lieu des autres emplacements de clefs"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "La taille de la clé de chiffrement"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "BITS"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Limite la lecture d'un fichier de clé"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "octets"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Nombre d'octets à ignorer dans le fichier de clé"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Limite la lecture d'un nouveau fichier de clé ajouté"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Nombre d'octets à ignorer dans le fichier de clé nouvellement ajouté"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Numéro de l'emplacement pour la nouvelle clé (par défaut, le premier disponible)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "La taille du périphérique"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SECTEURS"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Utiliser uniquement la taille demandée du périphérique (ignore le reste du périphérique). DANGEREUX !"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "Le décalage de départ dans le périphérique sous-jacent"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Combien de secteurs de données chiffrées à ignorer au début"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Crée une association en lecture seule"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Ne pas demander confirmation"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Délai d'expiration de la demande interactive de phrase secrète (en secondes)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "s"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Mise à jour de la ligne de progression (en secondes)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Nombre de tentatives possibles pour entrer la phrase secrète"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Utiliser une limite de <n> secteurs pour aligner les données – pour luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Fichier contenant une sauvegarde de l'en-tête LUKS et des emplacements de clés"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Utiliser /dev/random pour générer la clé de volume"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Utiliser /dev/urandom pour générer la clé de volume"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Partager le périphérique avec un autre segment chiffré sans recouvrement"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "UUID du périphérique à utiliser"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Autoriser les demandes d'abandon (TRIM) pour le périphérique"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Périphérique ou fichier avec un en-tête LUKS séparé"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "Ne pas activer le périphérique. Vérifie simplement le phrase secrète"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Utilise l'en-tête caché (périphérique TCRYPT caché)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Le périphérique est un lecteur TCRYPT système (avec secteur d'amorçage)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Utiliser l'en-tête TCRYPT de secours (secondaire)"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Recherche aussi des périphériques compatibles avec VeraCrypt"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Multiplicateur d'Itération Personnel pour le périphérique compatible avec VeraCrypt"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Interroger le Multiplicateur d'Itération Personnel pour le périphérique compatible avec VeraCrypt"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Type de métadonnées du périphérique : luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Type de métadonnées du périphérique : luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Désactive la vérification de la qualité du mot de passe (si activé)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Utilise l'option de compatibilité de performance dm-crypt same_cpu_crypt"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Utilise l'option de compatibilité de performance dm-crypt submit_from_crypt_cpus"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "La suppression du périphérique est différée jusqu'à ce que le dernier utilisateur le ferme"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Utiliser un verrou global pour sérialiser PBKDF qui utilise beaucoup de mémoire (évite le OOM)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "Temps d'itération de PBKDF pour LUKS (en ms)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "ms"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "Algorithme PBKDF (pour LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "Limite de coût mémoire PBKDF"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "kilooctets"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "Coût parallèle PBKDF"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "threads"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "Coût d'itération PBKDF (forcé, désactive l'étalon)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Priorité de l'emplacement de clé: ignore, normal, prefer"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Désactiver le verrouillage des métadonnées sur le disque"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Désactiver le chargement des clés de volume via le porte-clé du noyau"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Algorithme d'intégrité des données (uniquement LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Désactiver le journal pour le périphérique d'intégrité"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Ne pas effacer le périphérique après le formatage"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Utiliser le rembourrage historique inefficace (vieux noyaux)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "Ne pas demander le mot de passe si l'activation par jeton échoue"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Numéro de jeton (défaut: n'importe lequel)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Description de clé"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Taille du secteur de chiffrement (défaut: 512 octets)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "Définir les fanions d'activation comme permanents pour le périphérique"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Définir l'étiquette pour le périphérique LUKS2"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Définir l'étiquette de sous-système pour le périphérique LUKS2"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Créer un emplacement de clé LUKS2 non lié (aucun segment de donnée assigné)"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "Lire ou écrire le json depuis ou vers un fichier"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Taille de la zone de métadonnées de l'en-tête LUKS2"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Taille de la zone des emplacements de clés de l'en-tête LUKS2"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Rafraîchir (réactiver) le périphérique avec de nouveaux paramètres"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "Emplacement de clé LUKS2: La taille de la clé de chiffrement"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "Emplacement de clé LUKS2: Le chiffrement utilisé pour le chiffrement de l'emplacement de clé"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "Chiffrer le périphérique LUKS2 (chiffrement sur place)."
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "Déchiffrer le périphérique LUKS2 (supprime le chiffrement)"
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "Initialiser le rechiffrement LUKS2 uniquement dans les métadonnées."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Redémarrer uniquement le rechiffrement LUKS2 initialisé."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Réduire la taille des données du périphérique (déplace le décalage des données). DANGEREUX !"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "Taille maximale de la zone chaude de rechiffrement."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Rechiffre le type de résilience de la zone chaude (checksum,journal,none)"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "Rechiffrer le hachage des sommes de contrôle de la zone chaude"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Outrepasser l'auto-détection du périphérique pour le périphérique dm à rechiffrer"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPTION...] <action> <paramètres de l'action>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Il manque l'argument <action>."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Action inconnue."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "L'option --refresh est permise uniquement avec les commandes open ou refresh.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Les options --refresh et --test-passphrase sont mutuellement exclusives.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "L'option --deferred est permise uniquement avec la commande close.\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "L'option --shared est permise uniquement pour ouvrir un périphérique ordinaire.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "L'option --allow-discards est permise uniquement pour une opération d'ouverture.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "L'option --persistent est permise uniquement pour une opération d'ouverture.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "L'option --serialize-memory-hard-pbkdf est permise uniquement pour une opération d'ouverture.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "L'option --persistent n'est pas permise avec --test-passphrase.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2675,245 +2810,255 @@
 "L'option --key-size est permise seulement avec les actions luksFormat, luksAddKey,\n"
 "open et benchmark. Pour limiter la lecture depuis un fichier de clé, utilisez --keyfile-size=(octets)."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "L'option --integrity est autorisée uniquement avec luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "L'option --integrity-no-wipe peut uniquement être utilisée pour une action de formatage avec l'extension d'intégrité.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Les options --label et --subsystem sont permises uniquement pour les opérations luksFormat et config LUKS2.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS et TCRYPT.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "L'option --test-passphrase est autorisée uniquement pour ouvrir des périphériques LUKS, TCRYPT et BITLK.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "La taille de la clé doit être un multiple de 8 bits"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Emplacement de clé non valide."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "L'option --key-file est prioritaire par rapport à un fichier de clé spécifié en argument."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "Nombre négatif non autorisé pour l'option."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Un seul argument --key-file est autorisé."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Seule une des deux possibilités --use-[u]random est autorisée."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "L'option --use-[u]random est autorisée seulement avec luksFormat."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "L'option --uuid est autorisée seulement avec luksFormat et luksUUID."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "L'option --align-payload est autorisée uniquement avec luksFormat."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Les options --luks2-metadata-size et --opt-luks2-keyslots-size sont permises uniquement pour luksFormat avec LUKS2."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Spécification de taille de métadonnées LUKS2 invalide."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Spécification de taille d'emplacements de clés LUKS2 invalide."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Les options --align-payload et --offset ne peuvent pas être combinées."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "L'option --skip est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes.\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "L'option --offset est supportée uniquement pour ouvrir des périphériques ordinaires et loopaes, luksFormat et le rechiffrement de périphérique.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Les options --tcrypt-hidden, --tcrypt-system ou --tcrypt-backup sont supportées seulement pour un périphérique TCRYPT.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "L'option --tcrypt-hidden ne peut pas être combinée avec --allow-discards.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "L'option --veracrypt est uniquement supportée pour un périphérique de type TCRYPT.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Argument invalide fourni pour le paramètre --veracrypt-pim.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "L'option --veracrypt-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "L'option --veracrypt-query-pim est uniquement supportée pour un périphérique compatible avec VeraCrypt.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Les options --veracrypt-pim et --veracrypt-query-pim sont mutuellement exclusives.\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "L'option --priority peut uniquement être ignore/normal/prefer.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Une spécification d'emplacement de clé est requise.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "La fonction de dérivation d'une clé basée sur un mot de passe (PBKDF = Password-Based Key Derivation Function) peut uniquement être pbkdf2 ou argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "Les itérations forcées de PBKDF ne peuvent pas être combinées avec l'option de temps d'itération.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "L'option de taille de secteur n'est pas supportée pour cette commande.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Taille de secteur de chiffrement non supportée.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "La taille de clé est requise avec l'option --unbound.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "L'option --unbound peut uniquement être utilisée avec l'action luksAddKey.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "L'option --refresh peut uniquement être utilisée avec l'action open.\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "Impossible de désactiver le verrouillage des métadonnées.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "La spécification de la taille maximale de la zone chaude de rechiffrement est invalide."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "La taille de périphérique spécifiée est invalide."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "La taille maximum réduite pour le périphérique est 1 GiB."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "La taille réduite doit être un multiple d'un secteur de 512 octets."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "La taille des données spécifiée est invalide."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "Débordement de la taille de réduction."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "Le déchiffrement LUKS2 requiert l'option --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "La taille du périphérique doit être un multiple d'un secteur de 512 octets."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Les options --reduce-device-size et --data-size ne peuvent pas être combinées."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Les options --device-size et --size ne peuvent pas être combinées."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Chaîne d'aléa spécifiée invalide."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Impossible de créer l'image de hachage %s en écriture."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Impossible de créer l'image FEC %s en écriture."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Chaîne de hachage racine invalide."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Fichier de signature %s invalide."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Impossible de lire le fichier de signature %s."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<périph_données> <périph_hachage>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "formater le périphérique"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<périph_données> <périph_hachage> <hachage_racine>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "vérifier le périphérique"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<périph_données> <nom> <périph_hachage> <hachage_racine>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "afficher le statut du périphérique actif"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<périph_hachage>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "afficher les informations sur le disque"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2928,7 +3073,7 @@
 "<périph_hachage> est le périphérique contenant les données de vérification\n"
 "<hachage_racine> hachage du nœud racine sur <périph_hachage>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2939,91 +3084,99 @@
 "Paramètres compilés par défaut dans dm-verity :\n"
 "\tHachage: %s, Bloc données (octets): %u, Bloc hachage (octets): %u, Taille aléa: %u, Format hachage: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Ne pas utiliser le superbloc de verity"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Type de format (1: normal ; 0: Chrome OS)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "nombre"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Taille de bloc sur le périphérique de données"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Taille de bloc sur le périphérique de hachage"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "Octets de parité FEC"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Le nombre de blocs dans le fichier de données"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "blocs"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Chemin vers le périphérique avec les données de correction d'erreurs"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "chemin"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Décalage de départ sur le périphérique de hachage"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Décalage de départ sur le périphérique FEC"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Algorithme de hachage"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "chaîne"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Aléa"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "chaîne hexa"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Chemin du fichier de signature du hachage racine"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Redémarrer le noyau si une corruption est détectée"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Ignore la corruption, elle est seulement enregistrée dans le journal"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Ne pas vérifier les blocs mis à zéro"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Vérifier le bloc de données uniquement à la première lecture"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "L'option --ignore-corruption, --restart-on-corruption ou --ignore-zero-blocks est seulement permise pour une opération d'ouverture.\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "L'option --root-hash-signature peut uniquement être utilisée avec l'opération open.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Les options --ignore-corruption et --restart-on-corruption ne peuvent être utilisées ensembles.\n"
 
@@ -3037,20 +3190,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Échec à la lecture de %d octets du fichier de clé %s."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Formaté avec une taille de balise de %u, intégrité interne %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<périph_intégrité>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<périph_intégrigé> <nom>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3061,158 +3214,158 @@
 "<nom> est le périphérique à créer sous %s\n"
 "<périph_intégrité> est le périphérique contenant les données avec les balises d'intégrité\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Paramètres compilés par défaut dans dm-integrity :\n"
-"\tTaille d'étiquette : %u octets, Algorithme de somme de contrôle : %s\n"
+"\tAlgorithme de somme de contrôle : %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Chemin vers le périphérique de données (si séparé)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Taille du journal"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Secteurs d'entrelacement"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Filigrane du journal"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "pourcent"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Temps pour écrire le journal"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ms"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Nombre de secteurs de 512 octets par bit (mode champ de bit)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Temps de purge du mode champ de bit"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Taille de balise (par secteur)"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Taille de secteur"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Taille des tampons"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Algorithme d'intégrité des données"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "La taille de la clé d'intégrité des données"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Lire la clef d'intégrité depuis un fichier"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Algorithme d'intégrité du journal"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "La taille de la clé du journal d'intégrité"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Lire la clé du journal d'intégrité depuis un fichier"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Algorithme de chiffrement du journal"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "La taille de la clé de chiffrement du journal"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Lire la clé de chiffrement du journal depuis un fichier"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Mode récupération (pas de journal, pas de vérification des balises)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Utiliser un champ de bits pour garder une trace des changements et désactiver le journal sur le périphérique d'intégrité"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Recalculer les balises initiales automatiquement."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "L'option --integrity-recalculate peut uniquement être utilisée avec l'action open."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Les options --journal-size, --interleave-sectors, --sector-size, --tag-size et --no-wipe peuvent uniquement être utilisée avec l'action de format.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "La spécification de la taille du journal est invalide."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Les options du fichier de clé et de la taille de la clé doivent être spécifiées toutes les deux."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "L'algorithme d'intégrité doit être spécifié si la clé d'intégrité est utilisée."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Les options du fichier de clé de l'intégrité du journal et de la taille de la clé doivent être spécifiées toutes les deux."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "L'algorithme d'intégrité du journal doit être spécifié si la clé d'intégrité du journal est utilisée."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Les options du fichier de clé de chiffrement du journal et de la taille de la clé doivent être spécifiées toutes les deux."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "L'algorithme de chiffrement du journal doit être spécifié si la clé de chiffrement du journal est utilisée."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Les options de mode récupération et champ de bits sont mutuellement exclusives."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Les options de journal ne peuvent pas être utilisées en mode champ de bits."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Les options de champ de bits peuvent uniquement être utilisées en mode champ de bits."
 
@@ -3225,7 +3378,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Impossible d'ouvrir exclusivement %s : périphérique utilisé."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "La réservation de la mémoire alignée a échoué."
 
@@ -3274,190 +3427,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "Échec de l'activation des périphériques temporaires."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Impossible de définir les offsets des données."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "Impossible de définir la taille des métadonnées."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Nouvel en-tête LUKS créé pour le périphérique %s."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Cette version de cryptsetup-reencrypt ne gère pas le nouveau type de jeton interne %s."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "Échec lors de la lecture des fanions d'activation depuis l'en-tête de sauvegarde."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "Échec lors de l'écriture des fanions d'activation dans le nouvel en-tête."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Échec lors de la lecture des exigences de l'en-tête de sauvegarde."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Sauvegarde de l'en-tête %s du périphérique %s créée."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "La création de la sauvegarde des en-têtes LUKS a échoué."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Impossible de rétablir l'en-tête %s sur le périphérique %s."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "En-tête %s rétabli sur le périphérique %s."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Impossible d'ouvrir le périphérique LUKS temporaire."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Impossible d'obtenir la taille du périphérique."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "Erreur E/S pendant le re-chiffrement."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Le UUID fourni est invalide."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Impossible d'ouvrir le journal de re-chiffrement."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Pas de déchiffrement en cours. Le UUID fourni ne peut être utilisé que pour reprendre un déchiffrement suspendu."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Les paramètres pbkdf ont été changés dans l'emplacement de clé %i."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Taille de bloc de re-chiffrement"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Ne pas changer la clé, pas de re-chiffrement de la zone de donnée"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Lire la nouvelle clé (maîtresse) du volume depuis un fichier"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "Temps d'itération de PBKDF2 pour LUKS (en ms)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Utiliser direct-io pour accéder aux périphériques"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Utiliser fsync après chaque bloc"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Mettre le journal à jour après chaque bloc"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Utiliser uniquement cet emplacement (les autres seront désactivés)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Créer un nouvel en-tête sur le périphérique non chiffré"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Déchiffrer le périphérique de manière permanente (supprime le chiffrement)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "Le UUID utilisé pour poursuivre le déchiffrement"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Type de métadonnées LUKS: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[OPTION...] <périph>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Le re-chiffrement va changer : %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "clé de volume"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "change hachage en "
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", change chiffrement en "
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Argument requis."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Seules les valeurs entre 1 MiB et 64 MiB sont permises pour la taille des blocs de re-chiffrement."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "La taille maximum réduite pour le périphérique est 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "L'option --new doit être utilisée avec --reduce-device-size ou --header."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "L'option --keep-key ne peut être utilisée que avec --hash, --iter-time ou --pbkdf-force-iterations²."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "L'option --new ne peut pas être utilisée avec --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "L'option --decrypt est incompatible avec les paramètres spécifiés."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "L'option --uuid ne peut être utilisée qu'avec --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Type luks invalide. Utilisez « luks », « luks1 » ou « luks2 »."
 
@@ -3688,6 +3841,15 @@
 msgid "Failed to write JSON file."
 msgstr "Erreur lors de l'écriture du fichier JSON."
 
+#~ msgid "Offline reencryption in progress. Aborting."
+#~ msgstr "Un rechiffrement hors-ligne est en cours. Interruption."
+
+#~ msgid "Online reencryption in progress. Aborting."
+#~ msgstr "Un rechiffrement en-ligne est en cours. Interruption."
+
+#~ msgid "No LUKS2 reencryption in progress."
+#~ msgstr "Pas de rechiffrement LUKS2 en cours."
+
 #~ msgid "Interrupted by a signal."
 #~ msgstr "Interrompu par un signal."
 
@@ -3760,9 +3922,6 @@
 #~ msgid "Device is not in clean reencryption state."
 #~ msgstr "Le périphérique n'est pas dans un état de rechiffrement propre."
 
-#~ msgid "Failed to read device info from %s."
-#~ msgstr "Impossible de lire les informations du périphérique dans %s."
-
 #~ msgid "Failed to calculate new segments."
 #~ msgstr "Échec lors du calcul des nouveaux segments."
 
diff -Nru cryptsetup-2.2.2/po/ja.po cryptsetup-2.3.1/po/ja.po
--- cryptsetup-2.2.2/po/ja.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/ja.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,14 +1,14 @@
 # Japanese messages for cryptsetup.
-# Copyright (C) 2019 Free Software Foundation, Inc.
+# Copyright (C) 2019, 2020 Free Software Foundation, Inc.
 # This file is put in the public domain, to the extent permitted under applicable law.
-# Hiroshi Takekawa <sian@big.or.jp>, <sian.ht@gmail.com>, 2019
+# Hiroshi Takekawa <sian@big.or.jp>, <sian.ht@gmail.com>, 2019, 2020
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-18 20:10+0900\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 21:37+0900\n"
 "Last-Translator: Hiroshi Takekawa <sian@big.or.jp>\n"
 "Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
 "Language: ja\n"
@@ -17,65 +17,65 @@
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "device-mapper を初期化できません、non-root で実行します。"
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "device-mapper を初期化できません。dm_mod モジュールはロードされてますか？"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "指定された延期フラグはサポートされていません。"
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "デバイス %s の DM-UUID は短縮されています。"
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "不明な dm target タイプです。"
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "指定された dm-crypt パフォーマンスオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "指定された dm-verity のデータ破壊時の対応についてのオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "指定された dm-verity の誤り訂正(FEC)オプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "指定されたデータの無改ざん確認のオプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "指定された sector_size オプションはサポートされていません。"
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "指定された改ざん確認タグの自動再計算はサポートされていません。"
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "要求された dm-integrity のビットマップモードはサポートされていません。"
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM はサポートしていません。"
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "dm-%s のクエリーに失敗しました。"
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -83,548 +83,565 @@
 "ボリュームキーを生成するためのエントロピー(この文脈では乱数の乱れ度合)が足りません。\n"
 "マウスを動かしたり、他のウィンドウで文字を入力したりしてみてください。\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "キー生成中 (%d%% 完了)。\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "FIPS モードで実行中。"
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "RNG(乱数生成器)初期化中に重大なエラーが発生しました。"
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "不明な RNG(乱数生成器) の質(quality)が要求されました。"
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "RNG(乱数生成器)から読み込み中にエラー。"
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "暗号向けRNG(乱数生成器)バックエンドの初期化ができません。"
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "暗号バックエンドの初期化ができません。"
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "ハッシュアルゴリズム %s がサポートされていません。"
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "鍵の処理でエラー (ハッシュ %s を使用)。"
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "デバイスタイプがわかりません。互換性のないデバイスのアクティベーションをしようとしていませんか？"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "この操作は LUKS デバイスでしかサポートされていません。"
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "この操作は LUKS2 デバイスでしかサポートされていません。"
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "キースロットがいっぱいです。"
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "キースロット %d は不正です。0 から %d の間を選んでください。"
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "キースロット %d は使われています。別の番号を選んでください。"
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "デバイスサイズが論理ブロックサイズのアライメントに合いません。"
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "ヘッダが検出されましたがデバイス %s が小さすぎます。"
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "この操作はこのデバイスタイプではサポートされていません。"
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "オフラインでの再暗号化中です。中止します。"
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "LUKS バージョン %d はサポートされていません。"
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "分離したメタデータデバイスはこの暗号タイプではサポートされていません。"
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "デバイス %s はアクティブではありません。"
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "暗号化されたデバイス %s の元になるデバイスが消滅しました。"
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "不正な plain crypt のパラメータ。"
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "不正なキーサイズ。"
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID はこの暗号タイプではサポートされていません。"
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "サポートされていない暗号化セクタサイズです。"
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "デバイスサイズが要求されたセクタサイズのアライメントに合いません。"
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "デバイスなしには LUKS 形式にフォーマットできません。"
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "要求されたデータアライメントとデータオフセットが合いません。"
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "警告: データオフセットが現在利用可能なデータの外にあります。\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "デバイス %s のヘッダを消し去れません。"
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "警告: デバイスアクティベーションが失敗しました。dm-crypt が要求された暗号セクタサイズをサポートしていません。\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "ボリュームキーは改ざん耐性拡張のため暗号には鍵長が小さすぎます。"
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "暗号 %s-%s (キーサイズ %zd ビット) は利用できません。"
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "警告: LUKS2 メタデータサイズが %<PRIu64> バイトに変更されました。\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "警告: LUKS2 キースロット領域サイズが %<PRIu64> バイトに変更されました。\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "デバイス %s のサイズが小さすぎます。"
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "デバイス %s は使用中のためフォーマットできません。"
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "デバイス %s は権限がないためフォーマットできません。"
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "デバイス %s を改ざん耐性がつくようフォーマットできません。"
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "デバイス %s をフォーマットできません。"
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "LOOPAES としてフォーマットするにはデバイスが必要です。"
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "VERITY としてフォーマットするにはデバイスが必要です。"
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "VERITY ハッシュタイプ %d はサポートしていません。"
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "サポートしていない VERITY ブロックサイズです。"
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "サポートしていない VERITY ハッシュオフセットです。"
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "サポートしていない VERITY FEC オフセットです。"
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "データ領域がハッシュ領域と重なっています。"
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "ハッシュ領域が FEC 領域と重なっています。"
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "データ領域が FEC 領域と重なっています。"
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "警告: 指定されたタグのサイズ %d バイトが %s の出力サイズと異なります (%d バイト)。\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "不明な暗号デバイスタイプ %s が指定されました。"
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "デバイス %s のパラメータはサポートしていません。"
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "デバイス %s のパラメータがミスマッチしています。"
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Crypt デバイスが一致しません。"
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "デバイス %s のリロードに失敗しました。"
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "デバイス %s のサスペンドに失敗しました。"
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "デバイス %s のリジュームに失敗しました。"
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "デバイス %s のリロード中に致命的なエラー(デバイス %s の上で)。"
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "デバイス %s を dm-error にスイッチできません。"
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "ループデバイスはリサイズできません。"
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "デバイスの UUID を本当に変更してもいいですか？"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "ヘッダのバックアップファイルの中味が LUKS ヘッダと互換性がありません。"
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "ボリューム %s はアクティブではありません。"
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "ボリューム %s は既に停止されています。"
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "デバイス %s の停止はサポートされていません。"
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "デバイス %s 停止中にエラー。"
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "ボリューム %s は停止されていません。"
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "デバイス %s は再開をサポートしていません。"
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "デバイス %s の再開中にエラー。"
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "ボリュームキーがボリュームに合いません。"
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "キースロットを追加できません。全てのスロットが無効でボリュームキーが渡されませんでした。"
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "新しいキースロットを交換できませんでした。"
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "ボリュームキーがボリュームに合いません。"
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "キースロット %d は不正です。"
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "キースロット %d は非アクティブです。"
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "デバイスヘッダがデータ領域に重なっています。"
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "既に再暗号化中です。デバイスをアクティベートできません。"
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "再暗号化ロックを取得できません。"
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "LUKS2 の再暗号化は既に初期化されました。"
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "デバイスタイプが正しく初期化されていません。"
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "デバイス %s を使えません。名前が不正か使用中です。"
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "デバイス %s は既に存在します。"
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "正しくないボリュームキーがプレーンデバイスに指定されました。"
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "正しくないルートハッシュが verity デバイスに指定されました。"
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "ルートハッシュ署名が必要です。"
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "署名をカーネルに渡すのに必要なカーネルキーリングをカーネルがサポートしていません。"
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "キーをカーネルキーリングにロードできません。"
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "デバイス %s は使用中です。"
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "デバイス %s は不正です。"
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "ボリュームキーのバッファが小さすぎます。"
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "プレーンデバイス向けのボリュームキーが取得できません。"
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "verity デバイスのルートハッシュが読み出せません。"
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "この操作は %s 暗号化デバイスではサポートされていません。"
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "このデバイスタイプはダンプ操作をサポートしていません。"
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "データオフセットが %u バイトの倍数である必要があります。"
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "使用中のデバイス %s を変換できません。"
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "新しいボリュームキー向けのキースロット %u を確保できません。"
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "デフォルト LUKS2 キースロットパラメータを初期化できません。"
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "ダイジェストするためのキースロット %d が確保できません。"
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "キーをカーネルキーリングにロードできません。"
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "カーネルがカーネルキーリングをサポートしていません。"
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "キーリングからパスフレーズが読み出せません (エラー %d)。"
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "グローバル memory-hard アクセス直列化ロックが取れません。"
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "プロセス優先度を取得できません。"
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "メモリをアンロックできません。"
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "キーファイルがオープンできません。"
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "ターミナルからキーファイルを読みこめません。"
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "キーファイルを stat() できません。"
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "指定されたキーファイルオフセットにシークできません。"
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "パスフレーズ読み込み中にメモリが不足しました。"
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "パスフレーズの読み込みでエラー。"
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "読もうとしたら入力が空です。"
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "キーファイルが最大サイズを超えています。"
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "指定されたサイズのデータを読み込めません。"
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "デバイス %s は存在しないかアクセスが拒否されました。"
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "デバイス %s は互換性がありません。"
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "デバイス %s が小さすぎます。少なくとも %<PRIu64> バイト必要です。"
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "デバイス %s は使用中で使えません (既にマップされているかマウントされています)。"
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "デバイス %s が使えません、拒否されました。"
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "デバイス %s についての情報が取得できません。"
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "ループバックデバイスが使えません、非 root ユーザで実行していませんか。"
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "ループデバイスのアタッチできません (autoclear 付きのループデバイスが必要です)。"
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "指定されたオフセットはデバイス %s の実際のサイズを超えています。"
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "デバイス %s のサイズが 0 です。"
@@ -691,32 +708,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "互換性のない PBKDF オプションです。"
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "ロックを中止します。ロックに使うパス %s/%s が使用できません (ディレクトリでないか存在していません)。"
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "警告: ロックに使うディレクトリ %s/%s がありません！\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "ロックを中止します。ロックに使うパス %s/%s が使用できません (%s はディレクトリではありません)。"
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "デバイスオフセットまで seek できません。"
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "デバイスのワイプでエラー, オフセット %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -725,120 +742,120 @@
 "デバイス %s の dm-crypt のキーマッピングの設定に失敗しました。\n"
 "カーネルが暗号 %s をサポートしているか確認してください (syslog にさらに情報があります)。"
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "XTS モードのキーサイズは 256 か 512 ビットでなければなりません。"
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "暗号の指定は [暗号]-[モード]-[初期ベクタ] という形式であるべきです。"
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "デバイス %s に書き込めません。パーミッションがありません。"
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "一時的なキーストアデバイスを開けません。"
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "一時的なキーストアデバイスにアクセスできません。"
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "キースロットを暗号化中にI/Oエラーが発生しました。"
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "デバイス %s を開けません。"
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "キースロットを復号化中にI/Oエラーが発生しました。"
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "デバイス %s が小さすぎます。(LUKS1 は最低でも %<PRIu64> バイト必要です。)"
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "LUKS キースロット %u は不正です。"
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "デバイス %s は有効な LUKS デバイスではありません。"
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "要求されたヘッダバックアップファイル %s は既に存在しています。"
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "ヘッダバックアップファイル %s が作成できません。"
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "ヘッダバックアップファイル %s に書き込めません。"
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "バックアップファイルが有効な LUKS ヘッダを含んでいません。"
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "ヘッダバックアップファイル %s をオープンできません。"
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "ヘッダバックアップファイル %s を読めません。"
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "データオフセットかキーサイズがデバイスとバックアップで異なるのでリストアできません。"
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "デバイス %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "LUKS ヘッダが含まれていません。ヘッダを置き換えるとデバイスのデータを破壊する恐れがあります。"
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "LUKS ヘッダを既に含んでいます。ヘッダを置き換えると既にあるキースロットを破壊します。"
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -846,100 +863,105 @@
 "\n"
 "警告: 実デバイスのヘッダはバックアップとUUIDが異なります！"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "標準的でないキーサイズなので、手動の修復が必要です。"
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "標準的でないキースロットアライメントなので、手動の修復が必要です。"
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "キースロットを修復中です。"
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "キースロット %i: オフセットを修復 (%u -> %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "キースロット %i: のストライプを修復 (%u -> %u)."
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "キースロット %i: パーティションの印(signature)がおかしいです。"
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "キースロット %i: ソルトを消しました。"
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "LUKS ヘッダを書きこんでいます。"
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "修復に失敗しました。"
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "要求された LUKS ハッシュ %s はサポートしていません。"
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "LUKS ヘッダに既知の不具合は検出されませんでした。"
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "デバイス %s の LUKS ヘッダを更新中にエラーが発生しました。"
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "デバイス %s の LUKS ヘッダを更新後の再読み込み中にエラーが発生しました。"
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "LUKS ヘッダのデータへのオフセットは 0 かヘッダサイズより大きくなければいけません。"
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "LUKS UUID の形式が間違っています。"
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "LUKS ヘッダを作成できません: ランダムなソルトを読み込めません。"
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "LUKS ヘッダを作成できません: ヘッダのハッシュが求められません (ハッシュには %s を使用)。"
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "キースロット %d が使用中なので、パージしてください。"
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "キースロット %d のストライプが少なすぎます。ヘッダを細工でもしましたか？"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "キースロットをオープンできません (ハッシュ %s を使用)。"
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "キースロット %d は不正です。0 から %d の間を選んでください。"
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "デバイス %s をワイプできません。"
@@ -957,97 +979,189 @@
 msgstr "互換性のない loop-AES キーファイルが検出されました。"
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "カーネルが loop-AES 互換マッピングをサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "キーファイル %s を読み込み中にエラー。"
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "TCRYPT パスフレーズの最大長 (%d) を超えました。"
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "TCRYPT パスフレーズの最大長 (%zu) を超えました。"
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "PBKDF2 ハッシュアルゴリズム %s が利用できないのでスキップします。"
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "必要なカーネル crypto インターフェースが使用できません。"
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "algif_skcipher カーネルモジュールをロードしてください。"
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "アクティベーションは %d セクタサイズではサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "カーネルが TCRYPT レガシーモードのアクティベーションをサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "TCRYPT システム暗号をパーティション %s に対してアクティベーションしました。"
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "カーネルが TCRYPT 互換のマッピングをサポートしていません。"
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "この機能は TCRYPT ヘッダの読み込みなしではサポートしません。"
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "ボリュームマスターキーを解釈中に予期しないメタデータエントリタイプ '%u' が見つかりました。"
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "ボリュームマスターキーを解釈中に不正な文字列が見つかりました。"
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "ボリュームマスターキーを解釈中に予期しない文字列 ('%s') が見つかりました。"
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "ボリュームマスターキーを解釈中に予期しないメタデータエントリー値 '%u' が見つかりました。"
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "%s から BITLK シグネチャを読み込めませんでした。"
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK version 1 はサポートされていません。"
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "BITLK デバイスのブートシグネチャが不正また不明です。"
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "BITLK デバイスのシグネチャが不正また不明です。"
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "%s から BITLK ヘッダを読み出すのに失敗しました。"
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "%s から BITLK FVE メタデータを読み込めませんでした。"
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "不明かサポートされていない暗号化タイプです。"
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "%s から BITLK メタデータエントリを読み込めませんでした。"
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "この操作はサポートされていません。"
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "不正なキーサイズ。"
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "この BITLK デバイスはサポートされてない状態にあるためアクティベートできません。"
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "タイプ '%s' の BITLK デバイスはアクティベートできません。"
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "部分的に復号された BITLK デバイスのアクティベーションはサポートされていません。"
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "カーネルの dm-crypt が BITLK IV をサポートしていないためデバイスをアクティベートできません。"
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "カーネルの dm-crypt が BITLK Elephant diffuser をサポートしていないためデバイスをアクティベートできません。"
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Verity device %s does not use on-disk header."
 msgstr "Verity デバイス %s はディスク上のヘッダを使いません。"
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "デバイス %s が有効な VERITY デバイスではありません。"
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "VERITY バージョン %d はサポートされていません。"
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "VERITY ヘッダが壊れています。"
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "デバイス %s の VERITY UUID フォーマットが間違っています。"
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "デバイス %s の verity ヘッダを更新中にエラー。"
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "ルートハッシュ署名の検証はサポートしていません。"
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "FEC デバイスのエラーが修復できません。"
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "FEC デバイスに %u 個の修復可能なエラーが見つかりました。"
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "カーネルが dm-verity マッピングをサポートしていません。"
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "カーネルが dm-verity 署名オプションをサポートしていません。"
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "アクティベーションされた Verity デバイスが破損が見つかりました。"
 
@@ -1056,92 +1170,96 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "ポジション %<PRIu64> にあるスペア領域が 0 埋めされていません。"
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "デバイスオフセットオーバーフロー。"
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "検証がポジション %<PRIu64> で失敗しました。"
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "verity デバイスのパラメータサイズが不正です。"
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "ハッシュ領域がオーバーフロー。"
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "データ領域の検証に失敗しました。"
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "ルートハッシュの検証に失敗しました。"
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "ハッシュ領域を生成中に I/O エラー。"
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "ハッシュ領域の作成に失敗しました。"
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "警告: カーネルはデータブロックサイズがページサイズ (%u) を超えているとアクティベートできません。"
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Reed-Solomon 処理のためのコンテキストが確保できません。"
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "バッファを確保できませんでした。"
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Reed-Solomon ブロック %<PRIu64> バイト %d を読み込めませんでした。"
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Reed-Solomon ブロック %<PRIu64> のパリティを読み込めませんでした。"
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "ブロック %<PRIu64> のパリティが修復できませんでした。"
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Reed-Solomon ブロック %<PRIu64> のパリティの書き込みに失敗しました。"
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "ブロックサイズが FEC と合っていません。"
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "パリティのバイト数が不正です。"
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "デバイス %s のサイズが不明です。"
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "カーネルが dm-integrity マッピングをサポートしていません。"
 
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "カーネルが dm-integrity 固定メタデータアラインメントをサポートしていません。"
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "デバイス %s の書き込みのためのロックを取得できませんでした。"
@@ -1167,40 +1285,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "警告: キースロット領域 (%<PRIu64> バイト) がとても小さいため、利用可能な LUKS2 キースロット数が制限されます。\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "デバイス %s の読み込みのためのロックを取得できませんでした。"
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "禁止された LUKS2 要求がバックアップ %s に検出されました。"
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "データオフセットがデバイスとバックアップと異なるため修復できません。"
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "キースロット領域のあるバイナリヘッダのサイズがデバイスとバックアップで異なるため修復できません。"
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "デバイス %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "LUKS2 ヘッダが含まれていません。ヘッダを置き換えるとデータを破壊しかねません。"
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "既に LUKS2 ヘッダがあります。ヘッダを置き換えると既にあるキースロットを破壊します。"
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1210,7 +1328,7 @@
 "警告: 不明な LUKS2 への要求がリアルデバイスヘッダにあります！\n"
 "ヘッダをバックアップで置き換えるとデータを破壊する恐れがあります！"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1220,58 +1338,58 @@
 "警告: オフラインの再暗号化が終了していません！\n"
 "ヘッダを置き換えるとデータを破壊しかねません。"
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "不明なフラグ %s を無視しました。"
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "dm-crypt セグメント %u にキーがありません"
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "dm-crypt セグメントの設定に失敗しました。"
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "dm-linear セグメントの設定に失敗しました。"
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "サポートしていないデバイス整合性設定です。"
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "再暗号化が実行中なのでデバイスのデアクティベートできません。. Cannot deactivate device."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "サスペンドされたデバイス %s を dm-error ターゲットで置き換えられません。"
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "LUKS2 の必要条件を読み込めませんでした。"
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "満たせない LUKS2 の必要条件があります。"
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "オフラインでの再暗号化中です。中止します。"
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "オフラインでの再暗号化中です。中止します。"
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "操作がレガシー再暗号化とマークされたデバイスと互換性がありません。中止します。"
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "操作が LUKS2 再暗号化とマークされたデバイスと互換性がありません。中止します。"
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "キースロットをオープンするのにメモリが足りません。"
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "キースロットのオープンに失敗しました。"
 
@@ -1284,52 +1402,56 @@
 msgid "No space for new keyslot."
 msgstr "新しいキースロット用の領域がありません。"
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "UUID が %s のデバイスの状態が確認できません。"
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "LUKSMETA メタデータ付きのヘッダは変換できません。"
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "領域が足りないのでキースロット領域を動かせません。"
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "LUKS2 キースロット領域が足りないのでキースロット領域を動かせません。"
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "キースロット領域を動かせません。"
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "LUKS1 形式に変換できません - デフォルトの暗号セクタサイズが 512 バイトではありません。"
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "LUKS1 形式に変換できません - キースロットのハッシュ関数が LUKS1 互換ではありません。"
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "LUKS1 形式に変換できません - ラップされたキーの暗号に %s が使われています。"
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "LUKS1 形式に変換できません - LUKS2 ヘッダ %u 個のトークンを含んでいます。"
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "LUKS1 形式に変換できません - キースロット %u が不正な状態です。"
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "LUKS1 形式に変換できません - スロット %u が(最大個数を超過して)有効です。"
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "LUKS1 形式に変換できません - キースロット %u が LUKS1 と互換ではありません。"
@@ -1351,7 +1473,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "古いセグメントのストレージラッパの初期化に失敗しました。"
 
@@ -1363,7 +1485,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "現在のホットゾーンのチェックサムを読み込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "%<PRIu64> から始めるホットゾーンエリアを読み込めません。"
@@ -1421,119 +1543,119 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "データシフト (%<PRIu64> セクタ) が今後のデータオフセットより少ないです (%<PRIu64> セクタ)。"
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "デバイス %s を排他モードでオープンでません (既にマップされているかマウントされています)。"
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "LUKS2 再暗号化が実行中ではありません。"
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "デバイスは LUKS2 再暗号化向けにマークされていません。"
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "LUKS2 再暗号化コンテキストをロードできません。"
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "再暗号化状態を取得できません。"
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "デバイス %s は再暗号化中ではありません。"
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "既に再暗号化中です。"
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "再暗号化ロックを取得できません。"
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "再暗号化を開始できません。再暗号化のリカバリを先にしてください。"
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "実際のデバイスサイズと要求された再暗号化サイズが一致しません。"
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "再暗号化のパラメータとして不正なデバイスサイズが要求されました。"
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "既に再暗号化中です。復元を実行できません。"
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "メタデータの LUKS2 の再暗号化は既に初期化されました。"
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "メタデータの LUKS2 再暗号化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "デバイスセグメントの次の再暗号化ホットゾーンの設定に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "再暗号化した耐性用メタデータを書き込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "復号に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "%<PRIu64> から始まるホットゾーンエリアに書き込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "データを sync できません。"
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "現在のホットゾーンの再暗号化完了後にメタデータが更新できません。"
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "LUKS2 メタデータが書き込めません。"
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "バックアップセグメントデータを消せません。"
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "再暗号化の要求(requirement)フラグを禁止できません。"
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "%<PRIu64> から %<PRIu64> セクタのチャンクの再暗号化中に致命的なエラー。"
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "手動でエラーターゲットに置き換えた場合以外はデバイスのレジュームをしないでください。"
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "再暗号化を開始できません。予期しない再暗号化状態です。"
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "ないか不正な再暗号化コンテキストです。"
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "再暗号化デバイススタックの初期化に失敗しました。"
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "再暗号化コンテキストが更新できません。"
 
@@ -1546,64 +1668,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "ビルトイントークン %s が作成できません。"
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "tty 入力以外ではパスフレーズ認証できません。"
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "キースロットの暗号化パラメータは LUKS2 デバイスでしか設定できません。"
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "未知の暗号スペックです。"
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "警告: --hash パラメータは plain モードでキーファイルが指定されていると無視されます。\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "警告: --keyfile-size オプションは無視されて、読み込みサイズは暗号鍵のサイズと同じになります。\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "%s にデバイス署名が検出されました。既にあるデータを破壊しかねません。"
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "中止されました。\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "オプション --key-file が必要です。"
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "VeraCrypt PIM を入力してください: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "不正な PIM: 解釈できません。"
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "不正 PIM の値で 0 です。"
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "不正な PIM の値: 範囲外です。"
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "このパスフレーズではデバイスヘッダが検出されませんでした。"
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "デバイス %s は有効な BITLK デバイスではありません。"
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1613,68 +1740,68 @@
 "暗号化されたパーティションにパスフレーズなしでアクセス可能にます。\n"
 "このダンプは暗号化された安全な所に保存してください。"
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "デバイス %s はまたアクティブで後から削除される予定になっています。.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "アクティブなデバイスをリサイズするにはボリュームキーがキーリングに必要ですが、--disable-keyring が指定されています。"
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "ベンチマークが中止されました。"
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     計測値なし\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u 回/秒 (%zu ビットの鍵)\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s 計測値なし\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u 回, %5u KB使用, %1u スレッド (%zu のビットの鍵) (%u ms 計測)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "ベンチマークの結果は信頼できません。"
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# テストはストレージI/Oがなくメモリ上のもののため目安です。\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s Algorithm |      キー |          暗号化 |           復号化\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "暗号 %s は使えません。"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#     Algorithm |      キー |          暗号化 |           復号化\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "計測値なし"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1682,19 +1809,19 @@
 "デバイスは再暗号化のリカバリを必要としていなそうです。\n"
 "本当にやりますか？"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "本当に LUKS2 再暗号化リカバリを行いますか？"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "再暗号化のリカバリのためのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "本当に LUKS デバイスヘッダの復元を試みていいですか？"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1702,127 +1829,127 @@
 "整合性チェックサムの初期化のためにデバイスのデータを消去しています。\n"
 "CTRL+c で中止できます (初期化されなかったデバイスのチェックサムは正しくなくなります)。\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "一時的デバイス %s を非アクティブにできません。"
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "整合性オプションは LUKS2 形式でしか使えません。"
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "サポートされていない LUKS2 メタデータのサイズオプションです。"
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "ヘッダファイル %s を作成できません。"
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "サポートしている整合性確認方式が検出されませんでした。"
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "%s を on-disk ヘッダとして使えません。"
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "%s のデータを上書きします。戻せません。"
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "pbkdf パラメータを設定できません。"
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "分離された LUKS ヘッダでのみ少ないデータオフセットが使えます。"
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "キースロットのない LUKS のボリュームキーサイズが決定できないので、--key-size を使ってください。"
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "デバイスはアクティベートされましたが、フラグを恒常的なものにできません。"
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "キースロット %d は削除対象として選択されました。"
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "これは最後のキースロットです。このキーがなくなるとデバイスは使用不能になります。"
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "残っているパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "操作は中止されました。キースロットは消去されていません。\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "削除するキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "キースロットの新しいパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "有効なパスフレーズをどれか入力してください: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "変更するキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "新しいキーのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "変換されるキースロットのパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "isLuks は一つのデバイス引数しかサポートしていません。"
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "オプション --header-backup-file が必要です。"
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s は cryptsetup で管理されているデバイスではありません。"
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "リフレッシュはデバイスタイプ %s ではサポートされていません。"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "%s は認識できないメタデータデータタイプです。"
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "コマンドはデバイスとマップされた名前を引数として必要とします。"
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1831,95 +1958,95 @@
 "この処理はデバイス %s の全てのキースロットを消去します。\n"
 "デバイスのデータは使用できなくなります。"
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "処理は中止されました。キースロットは消去されません。\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "不正な LUKS タイプです。luks1 と luks2 しかサポートしていません。"
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "デバイスは既にタイプ %s です。"
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "この処理は %s から %s フォーマットに変換します。\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "処理は中止されました。デバイスは変換されませんでした。\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "オプション --priority, --label か --subsystem がありません。"
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "トークン %d は不正です。"
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "トークン %d は使用中です。"
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "luks2-キーリングトークン %d を追加できませんでした。"
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "トークン %d をキースロット %d に割りあてられませんでした。"
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "トークン %d は使われていません。"
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "ファイルからトークンをインポートできません。"
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "トークン %d をエクスポートのために取得できませんでした。"
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "--key-description はトークン追加には必須です。"
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "トークンを必要としています。--token-id を使用してください。"
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "%s は不正なトークン処理です。"
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "データデバイス %2s のアクティブな dm デバイス '%1s'を自動検出しました。\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "デバイス %s は有効なブロックデバイスではありません。\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "デバイス %s のホルダ(holders)を自動検出できません。"
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1932,229 +2059,233 @@
 "アクティベートされていたらデータが破壊されるかもしれません。\n"
 "再暗号化をオンラインで行う場合は --active-name を代わりに使ってください。\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "LUKS デバイスタイプが不正です。"
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "データデバイスサイズの縮小(--reduce-device-size)なしに分離ヘッダ(--header)による暗号化はできません。"
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "要求されたデータオフセットは --reduce-device-size パラメータの半分以下である必要があります。"
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "--reduce-device-size の値を --offset %<PRIu64> (セクタ) の倍にします。\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "暗号化は LUKS2 形式でしか使えません。"
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "LUKS デバイスが %s に検出されました。もう一度 LUKS デバイスを暗号化したいのですか？"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "テンポラリヘッダファイル %s は既に存在しているので、中止します。"
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "テンポラリヘッダファイル %s を作成できません。"
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s がアクティブでオンライン暗号化可能です。"
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s がアクティブでオンライン暗号化可能です。\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "再暗号化に必要な空きキースロットがありません。"
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "キーファイルは --key-slot と使うか、1 つのキースロットだけアクティブの時にしか使えません。"
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "キースロット %d のパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "キースロット %u のパスフレーズを入力してください: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "コマンドはデバイスを引数として必要とします。"
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "現在 LUKS2 形式しかサポートされていません。LUKS1 には cryptsetup-reencrypt を使ってください。"
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "古いオフライン再暗号化が実行中です。cryptsetup-reencrypt を使ってください。"
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "整合性プロファイルつきのデバイスの再暗号化はサポートされていません。"
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "LUKS2 再暗号化が既に初期化済なので操作を中止します。"
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "LUKS2 デバイスは再暗号化中ではありません。"
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<デバイス> [--type <タイプ>] [<名前>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "デバイスを <名前> としてオープン"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<名前>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "デバイスをクローズします (マッピングを削除します)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "アクティブデバイスをリサイズ"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "デバイスステータスを表示"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <暗号>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "暗号ベンチマーク"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<デバイス>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "on-disk メタデータを修復しようとしています"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "LUKS2 デバイスを再暗号化"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "全てのキースロットを消去します (暗号鍵も削除します)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "LUKS2 から LUKS もしくは LUKS から LUKS2 形式に変換します"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "LUKS2 の permanent configuration オプションを設定します"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<デバイス> [<新しいキーファイル>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "LUKS デバイスをフォーマットします"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "LUKS デバイスにキーを追加します"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<デバイス> [<キーファイル>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "与えられたキーかキーファイルを LUKS デバイスから削除します。"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "与えられた LUKS デバイスのキーかキーファイルを変更します"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "キーを新しい pbkdf パラメータに変換します"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<デバイス> <キースロット>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "<キースロット>のキーを LUKS デバイスから削除します"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "LUKS デバイスの UUID を表示"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "<デバイス> の LUKS パーティションヘッダをテストします"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "LUKS パーティション情報をダンプします"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "TCRYPT デバイス情報をダンプします"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "BITLK デバイス情報をダンプします"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "LUKS デバイスを停止してキーを削除します (全てのI/Oは停止します)"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "停止していた LUKS デバイスを再開します"
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "LUKS デバイスヘッダとキースロットをバックアップします"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "LUKS デバイスヘッダとキースロットをリストアします"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <デバイス>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "LUKS2 トークンを操作します"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2162,19 +2293,19 @@
 "\n"
 "<action> は以下のうちの一つです:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "古い <アクション> という形式も使えます:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2189,7 +2320,7 @@
 "<キースロット> は変更する LUKS キースロット番号\n"
 "<キーファイル> は luskAddKey でオプションで与えられる新しいキーのキーファイル\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2198,7 +2329,7 @@
 "\n"
 "デフォルトのコンパイル時に決められたメタデータ形式は %s です(luksFormat で使われます)。\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2215,7 +2346,7 @@
 "デフォルト LUKS2 向け PBKDF: %s\n"
 "\t繰り返す時間: %d, 使うメモリ: %dkB, 並列スレッド: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2230,439 +2361,443 @@
 "\tplain: %s, キー: %d ビット, パスワードハッシュ: %s\n"
 "\tLUKS: %s, キー: %d ビット, LUKS ヘッダハッシュ: %s, 乱数生成: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: XTS モードのデフォルトキーサイズは (2つの内部キーがあるため) 倍になります。\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: は %s を引数で与える必要があります"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "このヘルプを表示します"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "コンパクトな使用法表示をします"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "パッケージのバージョンを表示"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "ヘルプオプション:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "より詳細なエラーメッセージを表示"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "デバッグメッセージを表示"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "JSON メタデータを含むデバッグメッセージを表示"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "ディスクを暗号化するのに用いられる暗号 (/proc/crypto を参照のこと)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "パスフレーズから暗号鍵を作るのに使われるハッシュ"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "パスフレーズは2回入力してもらって検証します"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "ファイルからキーを読む"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "ボリューム(マスター)キーをファイルから読む。"
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "ボリューム(マスター)キーをキースロット情報の代わりにダンプします"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "暗号鍵のサイズ"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "ビット"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "キーファイルから読み込みの制限"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "バイト"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "キーファイルでスキップするバイト数"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "新しく追加するキーファイルの読み込みの制限"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "新しく追加するキーファイルでスキップするバイト数"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "新しいキーのスロット番号 (デフォルトは最初の空き)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "デバイスのサイズ"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "セクタ"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "指定されたデバイスサイズ分だけ使います (デバイスの残りは無視します). 危険！"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "バックエンドデバイスの開始オフセット"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "最初の暗号化データのセクタを何セクタスキップするか"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "読み込み専用のマッピングを作成"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "確認をしません"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "パスフレーズの対話的入力のタイムアウト (秒単位)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "秒"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "進捗線の更新(秒単位)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "パスフレーズの再試行の回数"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "luksFormat 向けにペイロードを <n> セクタ境界に合わせます"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "LUKS ヘッダとキースロットバックアップのファイル"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "ボリュームキーの生成に /dev/random を使います"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "ボリュームキーの生成に /dev/urandom (擬似乱数)を使います"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "オーバーラップしない暗号セグメントのあるデバイスと共有します"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "使用するデバイスの UUID"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "デバイスに discards (TRIM) 処理を許可します"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "デバイスかファイルにある分離された LUKS ヘッダ"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "デバイスをアクティベートせず、パスフレーズだけ確認する"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "隠されたヘッダを使う (隠された TCRYPT デバイス)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "デバイスはシステム TCRYPT ドライブ (ブートローダの対応が必要)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "バックアップ (セカンダリ) TCRYPT ヘッダを使います"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "VeraCrypt 互換デバイスも探します"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "VeraCrypt 互換デバイス向けの Personal Iteration Multiplier"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "VeraCrypt互換デバイス向けの Query Personal Iteration Multiplier"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "デバイスメタデータのタイプ: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "デバイスメタデータのタイプ: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "パスワードの質の確認を無効にする (もし有効なら)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "dm-crypt の same_cpu_crypt performance compatibility オプションを使う"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "dm-crypt の submit_from_crypt_cpus performance compatibility オプションを使う"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "デバイスの削除はデバイス上のリソースを使う人がいなくなるまで遅延されます"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "OOM Killer を回避するために PBKDF メモリのシリアライズにグローバルロックを使います"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "LUKS 向けの PBKDF の繰り返し時間 (ms単位)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "ミリ秒"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "LUKS2 向けの PBKDF アルゴリズム: argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "PBKDF メモリコスト制限"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "キロバイト"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "PBKDF 並列コスト"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "スレッド"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "PBKDF 繰り返しコスト (強制する, ベンチマークしない)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "キースロット優先度: ignore, normal, prefer"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "ディスク上のメタデータのロックをしない"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "ボリュームキーの読み込みをカーネルキーリング経由で行わない"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "データ改ざん検出アルゴリズム (LUKS2 のみ)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "データ改ざん検出が有効なデバイスのジャーナリングを禁止します"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "フォーマット後にデバイスのデータを消去しない"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "非効率的なレガシーパディングを使う (古いカーネル)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "トークンによるアクティベーションが失敗したらパスフレーズを入力させません"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "トークンナンバー (デフォルト: 任意)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "キーデスクリプション"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "暗号化セクタサイズ (デフォルト: 512 バイト)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "デバイスのアクティベーションフラグを持続的にします"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "LUKS2 デバイスのラベルを設定"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "LUKS2 デバイスにサブシステムレベルを設定します"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "場所の束縛のない LUKS2 キースロットを作成します"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "json をファイルに読み書きする"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "LUKS2 ヘッダメタデータ領域サイズ"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "LUKS2 ヘッダキースロット領域サイズ"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "デバイスを新しいパラメータデリフレッシュ(再アクティベート)する"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "LUKS2 キースロット: 暗号鍵のサイズ"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "LUKS2 キースロット: キースロットの暗号化に使う暗号"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "LUKS2 デバイスを暗号化 (in-place で暗号化)"
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "LUKS2 デバイスを復号 (つまり暗号化をやめる)"
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "LUKS2 再暗号化をメタデータだけ初期化。"
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "初期化済 LUKS2 再暗号化だけ再開。"
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "データデバイスサイズを減らす (データオフセットを移動する). 危険！"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "最大再暗号化ホットゾーンサイズ"
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "再暗号化ホットゾーン弾性(resilience)タイプe (checksum,journal,none)"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "再暗号化ホットゾーンチェックサムハッシュ"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "再暗号化する dm デバイスの自動検出を上書きする"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[オプション...] <アクション> <アクション特有>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "<アクション> がありません。"
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "未知のアクションです。"
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "--refresh は open か refresh の時にしか使えません。\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "--refresh と --test-passphrase は同時には使えません。\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "--deferred は close でしか使えません。\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "--shared は open の plain デバイスにしか使えません。\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "--allow-discards は open でしか使えません。\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "--persistent は open でしか使えません。\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "--serialize-memory-hard-pbkdf は open でしか使えません。\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "--persistent は --test-passphrase と一緒には使えません。\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2670,245 +2805,255 @@
 "--key-size は luksFormat か luksAddKey で --unbound をつけた場合か、\n"
 "open, benchmark の時しか使えません。キーファイルについて制限をつけたい場合は --keyfile-size=(バイト) を使ってください。"
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "--integrity は luksFormat (LUKS2) でしか使えません。\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "--integrity-no-wipe は format で integrity extension 付きの時しか使えません。\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "--label と --subsystem は luksFormat で config LUKS2 operations にしか使えません。\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "--test-passphrase は LUKS か TCRYPT デバイスの open にしか使えません。.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "--test-passphrase は LUKS か TCRYPT か BITLK デバイスの open にしか使えません。.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "キーサイズは 8bit の倍数でなければなりません"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "キースロットは不正です。"
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "--key-file は他で指定されたキーファイルを上書きします。"
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "オプションに負の数を与えられません。"
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "--key-file は一つしか使えません。"
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "--use-[u]random は一つしか使えません。"
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "--use-[u]random は luksFormat にしか使えません。"
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "--uuid は luksFormat か luksUUID でしか使えません。"
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "--align-payload は luksFormat でしか使えません。"
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "--luks2-metadata-size と --opt-luks2-keyslots-size は LUKS2 で luksFormat でしか使えません。"
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "不正なLUKS2 メタデータサイズです。"
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "不正な LUKS2 キースロットサイズです。"
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "--align-payload と --offset は一緒に使えません。"
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "--skip は plain の open か loopaes デバイスにしか使えません。\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "--offset は plain の open か loopaes デバイス、luksFormat と再暗号化にしか使えません。\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "--tcrypt-hidden と --tcrypt-system と --tcrypt-backup は TCRYPT デバイスしか使えません。\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "--tcrypt-hidden は --allow-discards と一緒に使えません。\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "--veracrypt は TCRYPT デバイスでしか使えません。\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "--veracrypt-pim の引数が不正です。\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "--veracrypt-pim は VeraCrypt 互換デバイスにしか使えません。\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "--veracrypt-query-pim は VeraCrypt 互換デバイスにしか使えません。\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "--veracrypt-pim と --veracrypt-query-pim はどちらかしか使えません。\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "--priority の引数は ignore/normal/prefer のいずれかのみです。\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "キースロットの指定が必要です。\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "パスワードからキーを作る関数 (PBKDF) は pbkdf2 argon2i argon2id のいずれかのみです。\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "PBKDF の繰り返し回数の強制と回数指定オプションは共存できません。\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "このコマンドではセクタサイズオプションはサポートされていません。\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "サポートしていない暗号化セクタサイズです。\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "--unbound にはキーサイズが必要です。\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "--unbound は luksAddKey でしか使えません。\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "--refresh は open でしか使えません。\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "メタデータロックを禁止できません。\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "再暗号化ホットゾーン最大サイズの指定が不正です。"
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "デバイスサイズの指定が不正です。"
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "デバイスを減らせる最大値は 1 GiB です。"
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "減らすサイズは 512 バイトセクタの倍数である必要があります。"
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "データサイズの指定が不正です。"
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "減らすサイズのオーバーフロー。"
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "LUKS2 復号には --header が必要です。"
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "デバイスサイズは 512 バイトセクタの倍数である必要があります。"
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "--reduce-device-size と --data-size は一緒に使えません。"
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "--device-size と --size は一緒に使えません。"
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "不正なソルト文字列が指定されました。"
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "ハッシュイメージ %s を書けるように作成できませんでした。"
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "FEC イメージ %s を書けるように作成できませんでした。"
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "不正なルートハッシュ文字列が指定されました。"
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "署名ファイル %s が不正です。"
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "署名ファイル %s を読み込めませんでした。"
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<データデバイス> <ハッシュデバイス>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "デバイスをフォーマット"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<データデバイス> <ハッシュデバイス> <ルートハッシュ>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "デバイスを検証"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<データデバイス> <名前> <ハッシュデバイス> <ルートハッシュ>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "アクティブデバイスのステータスを表示"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<ハッシュデバイス>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "ディスク上の情報を表示"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2923,7 +3068,7 @@
 "<ハッシュデバイス> は検証用データが入るデバイス\n"
 "<ルートハッシュ> は <ハッシュデバイス> のルートノードのハッシュ\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2934,91 +3079,99 @@
 "コンパイル時に決めた dm-verity のデフォルトパラメータ:\n"
 "\tハッシュ: %s, データブロック (バイト): %u, ハッシュブロック (バイト): %u, ソルトサイズ: %u, ハッシュフォーマット: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "verity スーパーブロックを使いません"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "フォーマットタイプ (1 - ノーマル, 0 - Chrome OS 形式)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "数字"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "データデバイスのブロックサイズ"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "ハッシュデバイスのブロックサイズ"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "FEC パリティバイト"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "データファイルのブロック数"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "ブロック"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "誤り訂正用データが格納されるデバイスのパス"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "パス"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "ハッシュデバイスの開始オフセット"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "FEC デバイスの開始オフセット"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "ハッシュアルゴリズム"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "文字列"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "ソルト"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "16進数文字列"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "ルートハッシュ署名ファイルのパス"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "破損が検出されたらカーネルを再起動する"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "破損はログするだけで再起動まではしない"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "0 埋めされたブロックは検証しない"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "最初に読む時一度だけデータブロックを検証する"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "--ignore-corruption, --restart-on-corruption, --ignore-zero-blocks は open 時にか使えません。\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "--root-hash-signature は open でしか使えません。\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "--ignore-corruption と --restart-on-corruption は同時に使えません。\n"
 
@@ -3032,20 +3185,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "%d バイトをキーファイル %s から読みこめませんでした。"
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "タグサイズ %u、内部整合性は %s でフォーマットされました。\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<整合性デバイス>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<整合性デバイス> <名前>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3056,158 +3209,158 @@
 "<名前> は %s に作られるデバイス\n"
 "<整合性デバイス> は整合性タグを格納するデバイス\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "コンパイル時に決められたデフォルトの dm-integrity のパラメータ:\n"
-"\tタグサイズ: %u バイト, チェックサムアルゴリズム: %s\n"
+"\tチェックサムアルゴリズム: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "データデバイスのパス (分離されている場合)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "ジャーナルサイズ"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "インターリーブするセクタ数"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "ジャーナルをフラッシュする閾値"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "パーセント"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "ジャーナルがコミットされるまでの時間"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ミリ秒"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "ビットあたりの 512 バイトセクタ (bitmap モード)。"
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Bitmap モードのフラッシュ時間"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "タグサイズ (セクタ毎)"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "セクタサイズ"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "バッファサイズ"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "データ整合性アルゴリズム"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "データ整合性キーのサイズ"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "整合性キーをファイルから読み込む"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "ジャーナル整合性アルゴリズム"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "ジャーナル整合性キーのサイズ"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "ジャーナル整合性キーをファイルから読み込む"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "ジャーナル暗号化アルゴリズム"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "ジャーナル暗号化キーのサイズ"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "ジャーナル暗号化キーをファイルから読み込む"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "リカバリモード (ジャーナル不使用、タグ確認なし)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "変更の追跡に bitmap を使いジャーナルの整合性デバイスの無効にします"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "初期タグを自動で再計算する。"
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "--integrity-recalculate は open でしか使えません。"
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "--journal-size, --interleave-sectors, --sector-size, --tag-size, --no-wipe format でしか使えません。\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "不正なジャーナルサイズの指定です。"
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "キーファイルとキーサイズの両方の指定が必要です。"
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "整合性キーを使う場合はアルゴリズムの指定が必要です。"
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "ジャーナル整合性キーファイルとキーサイズの両方の指定が必要です。"
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "ジャーナル整合性キーを使う場合はアルゴリズムの指定が必要です。"
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "ジャーナル暗号キーファイルとキーサイズの両方の指定が必要です。"
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "ジャーナル暗号キーを使う場合はアルゴリズムの指定が必要です。"
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "リカバリと bitmap モードオプションは同時には使えません。"
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "ジャーナルオプションは bitmap モードでは使えません。"
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "bitmap オプションは bitmap モードでしか使えません。"
 
@@ -3220,7 +3373,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "デバイスが使用中のため %s を排他的にオープンできません。"
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "アライメントつきメモリの確保ができませんでした。"
 
@@ -3269,190 +3422,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "テンポラリデバイスの有効化に失敗しました。"
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "データオフセットの設定に失敗しました。"
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "メタデータサイズの設定に失敗しました。"
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "デバイス %s の新しい LUKS ヘッダを作成しました。"
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "このバージョンの cryptsetup-reencrypt は新しい内部トークンタイプ %s を扱えません。"
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "アクティベーションフラグをバックアップヘッダから読み込めません。"
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "アクティベーションフラグを新しいヘッダに書き込めません。"
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "バックアップヘッダから要求(requirements)を読み込めません。"
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "%s ヘッダバックアップデバイス %s が作成されました。"
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "LUKS バックアップヘッダが作成できません。"
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "デバイス %2s の %1s ヘッダが復元できません。"
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "デバイス %2s の %1s ヘッダを復元しました。"
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "テンポラリ LUKS デバイスをオープンできません。"
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "デバイスサイズを取得できません。"
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "再暗号化中に I/O エラーが発生しました。"
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "与えられた UUID が不正です。"
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "再暗号化ログファイルを開けません。"
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "復号を実行中ではありません。与えられた UUID は中止された復号を再開するためだけに使えます。"
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "キースロット %i の pbkdf パラメータを変更しました。"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "再暗号化のブロックサイズ"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "キーを変えず、データ領域の再暗号化を行わない"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "新しいボリューム(マスター)キーをファイルから読み込む"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "LUKS 向け PBKDF2 の繰り返し時間 (ミリ秒単位)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "デバイスアクセス時に direct-io を使う"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "ブロック毎に fsync() する"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "ログファイルをブロック毎に更新する"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "このスロットだけ使う (残りは無効化されます)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "暗号化されていないデバイスに新しいヘッダを作成する"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "デバイスを恒久的に復号状態にする (つまり暗号化をやめる)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "復号の再開に使う UUID"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "メタデータタイプ: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[オプション...] <デバイス>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "再暗号化で以下が変わります: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "ボリュームキー"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "ハッシュ"
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr "暗号(cipher)"
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "引数が必要です。"
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "再暗号化のブロックサイズは 1 MiB から 64 MiB までの値しか使えません。"
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "デバイスを減らせる最大値は 64 MiB です。"
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "--new は --reduce-device-size か --header と一緒に使う必要があります"
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "--keep-key は --hash か --iter-time か --pbkdf-force-iterations と使う必要があります。"
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "--new は --decrypt と一緒に使えません。"
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "--decrypt は指定されたパラメータと互換性がありません。"
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "--uuid は --decrypt と一緒にしか使えません。"
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "不正な luks タイプです。'luks', 'luks1', 'luks2' のいずれかを使ってください。"
 
diff -Nru cryptsetup-2.2.2/po/nl.po cryptsetup-2.3.1/po/nl.po
--- cryptsetup-2.2.2/po/nl.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/nl.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,15 +1,17 @@
-# Dutch translation of cryptsetup.
+# Dutch translations for cryptsetup.
+# Copyright (C) 2020 Free Software Foundation, Inc.
 # This file is distributed under the same license as the cryptsetup package.
-# Copyright (C) 2016 Free Software Foundation, Inc.
+#
 # Koen <koen@drunkfelines.com>, 2017.
+# Benno Schulenberg <vertaling@coevern.nl>, 2020.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup-1.7.4\n"
+"Project-Id-Version: cryptsetup-2.3.0-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2017-03-02 09:40+0100\n"
-"PO-Revision-Date: 2017-03-03 23:04+0100\n"
-"Last-Translator: Koen <koen@drunkfelines.com>\n"
+"POT-Creation-Date: 2020-01-12 12:33+0100\n"
+"PO-Revision-Date: 2020-01-13 20:42+0100\n"
+"Last-Translator: Benno Schulenberg <vertaling@coevern.nl>\n"
 "Language-Team: Dutch <vertaling@vrijschrift.org>\n"
 "Language: nl\n"
 "MIME-Version: 1.0\n"
@@ -17,29 +19,72 @@
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Poedit 1.6.10\n"
-
-#: lib/libdevmapper.c:262
-msgid "Cannot initialize device-mapper, running as non-root user.\n"
-msgstr "Kan apparaatstoewijzer niet initialiseren, uitvoering als non-root gebruiker.\n"
 
-#: lib/libdevmapper.c:265
-msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?\n"
-msgstr "Kan apparaatstoewijzer niet initialiseren. Is kernelmodule dm_mod geladen?\n"
+#: lib/libdevmapper.c:397
+msgid "Cannot initialize device-mapper, running as non-root user."
+msgstr "Kan apparaatstoewijzer niet initialiseren, uitvoering als non-root gebruiker."
+
+#: lib/libdevmapper.c:400
+msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
+msgstr "Kan apparaatstoewijzer niet initialiseren. Is kernelmodule dm_mod geladen?"
+
+#: lib/libdevmapper.c:1120
+#, fuzzy
+msgid "Requested deferred flag is not supported."
+msgstr "Aangevraagde LUKS-hash %s wordt niet ondersteund.\n"
 
-#: lib/libdevmapper.c:581
+#: lib/libdevmapper.c:1187
 #, c-format
-msgid "DM-UUID for device %s was truncated.\n"
-msgstr "DM-UUID voor apparaat %s werd afgekapt.\n"
+msgid "DM-UUID for device %s was truncated."
+msgstr "DM-UUID voor apparaat %s werd afgekapt."
+
+#: lib/libdevmapper.c:1509
+msgid "Unknown dm target type."
+msgstr ""
+
+#: lib/libdevmapper.c:1612 lib/libdevmapper.c:1664
+msgid "Requested dm-crypt performance options are not supported."
+msgstr "Aangevraagde prestatie-opties voor dm-crypt worden niet ondersteund."
+
+#: lib/libdevmapper.c:1619
+msgid "Requested dm-verity data corruption handling options are not supported."
+msgstr "Aangevraagde opties voor behandeling van datacorruptie van dm-verity worden niet ondersteund."
+
+#: lib/libdevmapper.c:1623
+#, fuzzy
+msgid "Requested dm-verity FEC options are not supported."
+msgstr "Aangevraagde prestatie-opties voor dm-crypt worden niet ondersteund.\n"
+
+#: lib/libdevmapper.c:1627
+#, fuzzy
+msgid "Requested data integrity options are not supported."
+msgstr "Aangevraagde prestatie-opties voor dm-crypt worden niet ondersteund.\n"
 
-#: lib/libdevmapper.c:729
-msgid "Requested dm-crypt performance options are not supported.\n"
+#: lib/libdevmapper.c:1629
+#, fuzzy
+msgid "Requested sector_size option is not supported."
 msgstr "Aangevraagde prestatie-opties voor dm-crypt worden niet ondersteund.\n"
 
-#: lib/libdevmapper.c:735
-msgid "Requested dm-verity data corruption handling options are not supported.\n"
+#: lib/libdevmapper.c:1634
+#, fuzzy
+msgid "Requested automatic recalculation of integrity tags is not supported."
+msgstr "Aangevraagde opties voor behandeling van datacorruptie van dm-verity worden niet ondersteund.\n"
+
+#: lib/libdevmapper.c:1638
+#, fuzzy
+msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Aangevraagde opties voor behandeling van datacorruptie van dm-verity worden niet ondersteund.\n"
 
+#: lib/libdevmapper.c:1667
+#, fuzzy
+msgid "Discard/TRIM is not supported."
+msgstr "Aangevraagd hash-algoritme %s wordt niet ondersteund.\n"
+
+#: lib/libdevmapper.c:2585
+#, c-format
+msgid "Failed to query dm-%s segment."
+msgstr ""
+
 #: lib/random.c:80
 msgid ""
 "System is out of entropy while generating volume key.\n"
@@ -54,468 +99,786 @@
 msgstr "Sleutel wordt gegenereerd (%d%% afgewerkt).\n"
 
 #: lib/random.c:170
-msgid "Running in FIPS mode.\n"
-msgstr "Uitvoering in FIPS-modus.\n"
+msgid "Running in FIPS mode."
+msgstr "Uitvoering in FIPS-modus."
 
 #: lib/random.c:176
-msgid "Fatal error during RNG initialisation.\n"
-msgstr "Fatale fout bij initialisatie van RNG.\n"
+msgid "Fatal error during RNG initialisation."
+msgstr "Fatale fout bij initialisatie van RNG."
 
 #: lib/random.c:213
-msgid "Unknown RNG quality requested.\n"
-msgstr "Onbekende RNG-kwaliteit aangevraagd.\n"
+msgid "Unknown RNG quality requested."
+msgstr "Onbekende RNG-kwaliteit aangevraagd."
 
 #: lib/random.c:218
-#, c-format
-msgid "Error %d reading from RNG: %s\n"
-msgstr "Fout %d bij lezen uit RNG: %s\n"
+msgid "Error reading from RNG."
+msgstr "Fout bij lezen uit RNG."
 
-#: lib/setup.c:200
-msgid "Cannot initialize crypto RNG backend.\n"
-msgstr "Kan RNG versleutelings-backend niet initialiseren.\n"
+#: lib/setup.c:230
+msgid "Cannot initialize crypto RNG backend."
+msgstr "Kan RNG versleutelings-backend niet initialiseren."
 
-#: lib/setup.c:206
-msgid "Cannot initialize crypto backend.\n"
-msgstr "Kan versleutelings-backend niet initialiseren.\n"
+#: lib/setup.c:236
+msgid "Cannot initialize crypto backend."
+msgstr "Kan versleutelings-backend niet initialiseren."
 
-#: lib/setup.c:237 lib/setup.c:1199 lib/verity/verity.c:123
+#: lib/setup.c:267 lib/setup.c:2044 lib/verity/verity.c:120
 #, c-format
-msgid "Hash algorithm %s not supported.\n"
-msgstr "Aangevraagd hash-algoritme %s wordt niet ondersteund.\n"
+msgid "Hash algorithm %s not supported."
+msgstr "Aangevraagd hash-algoritme %s wordt niet ondersteund."
 
-#: lib/setup.c:240 lib/loopaes/loopaes.c:90
+#: lib/setup.c:270 lib/loopaes/loopaes.c:90
 #, c-format
-msgid "Key processing error (using hash %s).\n"
-msgstr "Sleutelbehandelingsfout (met hash %s in gebruik).\n"
+msgid "Key processing error (using hash %s)."
+msgstr "Sleutelbehandelingsfout (met hash %s in gebruik)."
 
-#: lib/setup.c:285
-msgid "Cannot determine device type. Incompatible activation of device?\n"
-msgstr "Apparaatstype kan niet bepaald worden. Incompatibele apparaatsactivering?\n"
+#: lib/setup.c:336 lib/setup.c:363
+msgid "Cannot determine device type. Incompatible activation of device?"
+msgstr "Apparaatstype kan niet bepaald worden. Incompatibele apparaatsactivering?"
 
-#: lib/setup.c:289 lib/setup.c:1552
-msgid "This operation is supported only for LUKS device.\n"
-msgstr "Deze operatie wordt enkel ondersteund voor LUKS-apparaten.\n"
+#: lib/setup.c:342 lib/setup.c:3048
+msgid "This operation is supported only for LUKS device."
+msgstr "Deze operatie wordt enkel ondersteund voor LUKS-apparaten."
 
-#: lib/setup.c:321
-msgid "All key slots full.\n"
-msgstr "Alle sleutelplaatsen zijn vol.\n"
+#: lib/setup.c:369
+msgid "This operation is supported only for LUKS2 device."
+msgstr "Deze operatie wordt enkel ondersteund voor LUKS2-apparaten."
 
-#: lib/setup.c:328
+#: lib/setup.c:424 lib/luks2/luks2_reencrypt.c:2345
+msgid "All key slots full."
+msgstr "Alle sleutelplaatsen zijn vol."
+
+#: lib/setup.c:435
 #, c-format
-msgid "Key slot %d is invalid, please select between 0 and %d.\n"
-msgstr "Sleutelplaats %d is ongeldig, selecteer een plaats tussen 0 en %d.\n"
+msgid "Key slot %d is invalid, please select between 0 and %d."
+msgstr "Sleutelplaats %d is ongeldig, selecteer een plaats tussen 0 en %d."
 
-#: lib/setup.c:334
+#: lib/setup.c:441
 #, c-format
-msgid "Key slot %d is full, please select another one.\n"
-msgstr "Sleutelplaats %d is vol, selecteer een andere.\n"
+msgid "Key slot %d is full, please select another one."
+msgstr "Sleutelplaats %d is vol, selecteer een andere."
+
+#: lib/setup.c:526 lib/setup.c:2822
+#, fuzzy
+msgid "Device size is not aligned to device logical block size."
+msgstr "Apparaat %s is geen geldig LUKS-apparaat.\n"
 
-#: lib/setup.c:473
+#: lib/setup.c:622
 #, c-format
-msgid "Enter passphrase for %s: "
-msgstr "Voer wachtwoord in voor %s: "
+msgid "Header detected but device %s is too small."
+msgstr "Koptekst gevonden maar apparaat %s is te klein."
+
+#: lib/setup.c:659
+msgid "This operation is not supported for this device type."
+msgstr "Deze operatie wordt niet ondersteund voor dit apparaatstype."
+
+#: lib/setup.c:664
+msgid "Illegal operation with reencryption in-progress."
+msgstr ""
 
-#: lib/setup.c:654
+#: lib/setup.c:830 lib/luks1/keymanage.c:476
 #, c-format
-msgid "Header detected but device %s is too small.\n"
-msgstr "Koptekst gevonden maar apparaat %s is te klein.\n"
+msgid "Unsupported LUKS version %d."
+msgstr "Niet-ondersteunde LUKS-versie %d."
 
-#: lib/setup.c:670 lib/setup.c:1435
-msgid "This operation is not supported for this device type.\n"
-msgstr "Deze operatie wordt niet ondersteund voor dit apparaatstype.\n"
+#: lib/setup.c:847 lib/setup.c:1537 lib/setup.c:1957
+#, fuzzy
+msgid "Detached metadata device is not supported for this crypt type."
+msgstr "UUID wordt niet ondersteund voor dit encryptietype.\n"
 
-#: lib/setup.c:909 lib/setup.c:1388 lib/setup.c:2279
+#: lib/setup.c:1425 lib/setup.c:2542 lib/setup.c:2614 lib/setup.c:2626
+#: lib/setup.c:2775 lib/setup.c:4510
 #, c-format
-msgid "Device %s is not active.\n"
-msgstr "Apparaat %s is niet actief.\n"
+msgid "Device %s is not active."
+msgstr "Apparaat %s is niet actief."
 
-#: lib/setup.c:926
+#: lib/setup.c:1442
 #, c-format
-msgid "Underlying device for crypt device %s disappeared.\n"
-msgstr "Onderliggend apparaat van versleutelingsapparaat %s is verdwenen.\n"
+msgid "Underlying device for crypt device %s disappeared."
+msgstr "Onderliggend apparaat van versleutelingsapparaat %s is verdwenen."
 
-#: lib/setup.c:995
-msgid "Invalid plain crypt parameters.\n"
-msgstr "Ongeldige normale versleutelingsparameters.\n"
+#: lib/setup.c:1522
+msgid "Invalid plain crypt parameters."
+msgstr "Ongeldige normale versleutelingsparameters."
 
-#: lib/setup.c:1000 lib/setup.c:1120
-msgid "Invalid key size.\n"
-msgstr "Ongeldige sleutelgrootte.\n"
+#: lib/setup.c:1527 lib/setup.c:1947 src/integritysetup.c:73
+msgid "Invalid key size."
+msgstr "Ongeldige sleutelgrootte."
 
-#: lib/setup.c:1005 lib/setup.c:1125
-msgid "UUID is not supported for this crypt type.\n"
-msgstr "UUID wordt niet ondersteund voor dit encryptietype.\n"
+#: lib/setup.c:1532 lib/setup.c:1952 lib/setup.c:2155
+msgid "UUID is not supported for this crypt type."
+msgstr "UUID wordt niet ondersteund voor dit encryptietype."
+
+#: lib/setup.c:1547 lib/setup.c:1737 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1232
+#, fuzzy
+msgid "Unsupported encryption sector size."
+msgstr "Kan herencryptie-logbestand niet lezen.\n"
+
+#: lib/setup.c:1555 lib/setup.c:1862 lib/setup.c:2816
+#, fuzzy
+msgid "Device size is not aligned to requested sector size."
+msgstr "Apparaat %s is geen geldig LUKS-apparaat.\n"
+
+#: lib/setup.c:1606 lib/setup.c:1725
+msgid "Can't format LUKS without device."
+msgstr "Kan LUKS niet formatteren zonder apparaat."
+
+#: lib/setup.c:1612 lib/setup.c:1731
+msgid "Requested data alignment is not compatible with data offset."
+msgstr ""
+
+#: lib/setup.c:1680 lib/setup.c:1849
+msgid "WARNING: Data offset is outside of currently available data device.\n"
+msgstr ""
+
+#: lib/setup.c:1690 lib/setup.c:1877 lib/setup.c:1898 lib/setup.c:2167
+#, c-format
+msgid "Cannot wipe header on device %s."
+msgstr "Kan koptekst op apparaat %s niet wissen."
+
+#: lib/setup.c:1742
+msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
+msgstr ""
+
+#: lib/setup.c:1764
+msgid "Volume key is too small for encryption with integrity extensions."
+msgstr ""
 
-#: lib/setup.c:1047
-msgid "Can't format LUKS without device.\n"
-msgstr "Kan LUKS niet formatteren zonder apparaat.\n"
+#: lib/setup.c:1819
+#, fuzzy, c-format
+msgid "Cipher %s-%s (key size %zd bits) is not available."
+msgstr "Versleutelalgoritme %s is niet beschikbaar.\n"
+
+#: lib/setup.c:1852
+#, c-format
+msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
+msgstr ""
 
-#: lib/setup.c:1090
+#: lib/setup.c:1856
 #, c-format
-msgid "Cannot format device %s which is still in use.\n"
+msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
+msgstr ""
+
+#: lib/setup.c:1880 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
+#, c-format
+msgid "Device %s is too small."
+msgstr "Apparaat %s is te klein."
+
+#: lib/setup.c:1891 lib/setup.c:1917
+#, fuzzy, c-format
+msgid "Cannot format device %s in use."
 msgstr "Kan apparaat %s niet formatteren; het is nog steeds actief.\n"
 
-#: lib/setup.c:1093
+#: lib/setup.c:1894 lib/setup.c:1920
 #, c-format
-msgid "Cannot format device %s, permission denied.\n"
-msgstr "Kan apparaat %s niet formatteren: toestemming geweigerd.\n"
+msgid "Cannot format device %s, permission denied."
+msgstr "Kan apparaat %s niet formatteren: toestemming geweigerd."
 
-#: lib/setup.c:1097
+#: lib/setup.c:1906 lib/setup.c:2227
+#, fuzzy, c-format
+msgid "Cannot format integrity for device %s."
+msgstr "Kan apparaat %s niet beschrijven.\n"
+
+#: lib/setup.c:1924
 #, c-format
-msgid "Cannot wipe header on device %s.\n"
-msgstr "Kan koptekst op apparaat %s niet wissen.\n"
+msgid "Cannot format device %s."
+msgstr "Kan apparaat %s niet formatteren."
+
+#: lib/setup.c:1942
+msgid "Can't format LOOPAES without device."
+msgstr "Kan LOOPAES niet formatteren zonder apparaat."
+
+#: lib/setup.c:1987
+msgid "Can't format VERITY without device."
+msgstr "Kan VERITY niet formatteren zonder apparaat."
+
+#: lib/setup.c:1998 lib/verity/verity.c:103
+#, c-format
+msgid "Unsupported VERITY hash type %d."
+msgstr "Niet-ondersteund VERITY-hashtype %d."
+
+#: lib/setup.c:2004 lib/verity/verity.c:111
+msgid "Unsupported VERITY block size."
+msgstr "Niet-ondersteunde VERITY-blokgrootte."
 
-#: lib/setup.c:1115
-msgid "Can't format LOOPAES without device.\n"
-msgstr "Kan LOOPAES niet formatteren zonder apparaat.\n"
+#: lib/setup.c:2009 lib/verity/verity.c:75
+msgid "Unsupported VERITY hash offset."
+msgstr "Niet-ondersteunde VERITY-hashgegevenspositie."
 
-#: lib/setup.c:1153
-msgid "Can't format VERITY without device.\n"
-msgstr "Kan VERITY niet formatteren zonder apparaat.\n"
+#: lib/setup.c:2014
+msgid "Unsupported VERITY FEC offset."
+msgstr "Niet-ondersteunde VERITY-FEC-gegevenspositie."
 
-#: lib/setup.c:1161 lib/verity/verity.c:106
+#: lib/setup.c:2038
+msgid "Data area overlaps with hash area."
+msgstr "Overlapping tussen datagedeelte en hashgedeelte."
+
+#: lib/setup.c:2063
+msgid "Hash area overlaps with FEC area."
+msgstr "Overlapping tussen hashgedeelte en FEC-gedeelte."
+
+#: lib/setup.c:2070
+msgid "Data area overlaps with FEC area."
+msgstr "Overlapping tussen datagedeelte en FEC-gedeelte."
+
+#: lib/setup.c:2206
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr ""
+
+#: lib/setup.c:2284
 #, c-format
-msgid "Unsupported VERITY hash type %d.\n"
-msgstr "Niet-ondersteund VERITY-hashtype %d.\n"
+msgid "Unknown crypt device type %s requested."
+msgstr "Onbekend versleutelingsapparaattype %s aangevraagd."
+
+#: lib/setup.c:2548 lib/setup.c:2620 lib/setup.c:2633
+#, fuzzy, c-format
+msgid "Unsupported parameters on device %s."
+msgstr "Kan koptekst op apparaat %s niet wissen.\n"
 
-#: lib/setup.c:1167 lib/verity/verity.c:114
-msgid "Unsupported VERITY block size.\n"
-msgstr "Niet-ondersteunde VERITY-blokgrootte.\n"
+#: lib/setup.c:2554 lib/setup.c:2639 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
+#, fuzzy, c-format
+msgid "Mismatching parameters on device %s."
+msgstr "Kan koptekst op apparaat %s niet wissen.\n"
+
+#: lib/setup.c:2659
+msgid "Crypt devices mismatch."
+msgstr ""
+
+#: lib/setup.c:2696 lib/setup.c:2701 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
+#, fuzzy, c-format
+msgid "Failed to reload device %s."
+msgstr "Kan apparaat niet lezen: %s.\n"
 
-#: lib/setup.c:1172 lib/verity/verity.c:76
-msgid "Unsupported VERITY hash offset.\n"
-msgstr "Niet-ondersteunde VERITY-hashgegevenspositie.\n"
+#: lib/setup.c:2706 lib/setup.c:2711 lib/luks2/luks2_reencrypt.c:2025
+#: lib/luks2/luks2_reencrypt.c:2032
+#, fuzzy, c-format
+msgid "Failed to suspend device %s."
+msgstr "Openen van sleutelbestand is mislukt.\n"
 
-#: lib/setup.c:1193
-msgid "Data area overlaps with hash area.\n"
-msgstr "Overlapping tussen datagedeelte en hashgedeelte.\n"
+#: lib/setup.c:2716 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
+#, fuzzy, c-format
+msgid "Failed to resume device %s."
+msgstr "Kan apparaat niet lezen: %s.\n"
 
-#: lib/setup.c:1292
+#: lib/setup.c:2730
 #, c-format
-msgid "Unknown crypt device type %s requested.\n"
-msgstr "Onbekend versleutelingsapparaattype %s aangevraagd.\n"
+msgid "Fatal error while reloading device %s (on top of device %s)."
+msgstr ""
 
-#: lib/setup.c:1402
-msgid "Cannot resize loop device.\n"
-msgstr "Kan grootte van loopback-apparaat niet aanpassen.\n"
+#: lib/setup.c:2733 lib/setup.c:2735
+#, fuzzy, c-format
+msgid "Failed to switch device %s to dm-error."
+msgstr "Kan geen map voor de apparaatstoewijzer verkrijgen."
+
+#: lib/setup.c:2807
+msgid "Cannot resize loop device."
+msgstr "Kan grootte van loopback-apparaat niet aanpassen."
 
-#: lib/setup.c:1450
+#: lib/setup.c:2880
 msgid "Do you really want to change UUID of device?"
 msgstr "Bent u zeker dat u het UUID van het apparaat wilt wijzigen?"
 
-#: lib/setup.c:1560
-#, c-format
-msgid "Volume %s is not active.\n"
-msgstr "Opslagmedium %s is niet actief.\n"
+#: lib/setup.c:2956
+#, fuzzy
+msgid "Header backup file does not contain compatible LUKS header."
+msgstr "Reservekopiebestand bevat geen geldige LUKS-koptekst.\n"
 
-#: lib/setup.c:1571
+#: lib/setup.c:3056
 #, c-format
-msgid "Volume %s is already suspended.\n"
-msgstr "Opslagmedium %s is reeds geschorst.\n"
+msgid "Volume %s is not active."
+msgstr "Opslagmedium %s is niet actief."
 
-#: lib/setup.c:1578
+#: lib/setup.c:3067
 #, c-format
-msgid "Suspend is not supported for device %s.\n"
-msgstr "Opschorten wordt niet ondersteund voor apparaat %s.\n"
+msgid "Volume %s is already suspended."
+msgstr "Opslagmedium %s is reeds geschorst."
 
-#: lib/setup.c:1580
+#: lib/setup.c:3080
 #, c-format
-msgid "Error during suspending device %s.\n"
-msgstr "Fout bij het opschorten van apparaat %s.\n"
+msgid "Suspend is not supported for device %s."
+msgstr "Opschorten wordt niet ondersteund voor apparaat %s."
 
-#: lib/setup.c:1606 lib/setup.c:1653
+#: lib/setup.c:3082
 #, c-format
-msgid "Volume %s is not suspended.\n"
-msgstr "Opslagmedium %s is niet geschorst.\n"
+msgid "Error during suspending device %s."
+msgstr "Fout bij het opschorten van apparaat %s."
 
-#: lib/setup.c:1620
+#: lib/setup.c:3115 lib/setup.c:3182 lib/setup.c:3265
 #, c-format
-msgid "Resume is not supported for device %s.\n"
-msgstr "Hervatting wordt niet ondersteund voor apparaat %s.\n"
+msgid "Volume %s is not suspended."
+msgstr "Opslagmedium %s is niet geschorst."
 
-#: lib/setup.c:1622 lib/setup.c:1674
+#: lib/setup.c:3144
 #, c-format
-msgid "Error during resuming device %s.\n"
-msgstr "Fout bij het hervatten van apparaat %s.\n"
+msgid "Resume is not supported for device %s."
+msgstr "Hervatting wordt niet ondersteund voor apparaat %s."
 
-#: lib/setup.c:1660 lib/setup.c:2095 lib/setup.c:2109 src/cryptsetup.c:184
-#: src/cryptsetup.c:248 src/cryptsetup.c:736 src/cryptsetup.c:1171
-msgid "Enter passphrase: "
-msgstr "Voer wachtwoord in: "
+#: lib/setup.c:3146 lib/setup.c:3214 lib/setup.c:3295
+#, c-format
+msgid "Error during resuming device %s."
+msgstr "Fout bij het hervatten van apparaat %s."
 
-#: lib/setup.c:1722 lib/setup.c:1858
-msgid "Cannot add key slot, all slots disabled and no volume key provided.\n"
-msgstr "Kan geen sleutelplaats toevoegen, alle plaatsen zijn uitgeschakeld en er is geen sleutel tot het opslagmedium voorzien.\n"
+#: lib/setup.c:3280 lib/setup.c:3646 lib/setup.c:4307 lib/setup.c:4320
+#: lib/setup.c:4328 lib/setup.c:4341 lib/setup.c:4691 lib/setup.c:5834
+msgid "Volume key does not match the volume."
+msgstr "Sleutel tot opslagmedium komt niet overeen met het opslagmedium."
 
-#: lib/setup.c:1731 lib/setup.c:1864 lib/setup.c:1868
-msgid "Enter any passphrase: "
-msgstr "Voer enig wachtwoord in: "
+#: lib/setup.c:3341 lib/setup.c:3529
+msgid "Cannot add key slot, all slots disabled and no volume key provided."
+msgstr "Kan geen sleutelplaats toevoegen, alle plaatsen zijn uitgeschakeld en er is geen sleutel tot het opslagmedium voorzien."
 
-#: lib/setup.c:1748 lib/setup.c:1881 lib/setup.c:1885 lib/setup.c:1947
-#: src/cryptsetup.c:1001 src/cryptsetup.c:1032
-msgid "Enter new passphrase for key slot: "
-msgstr "Voer een nieuw wachtwoord in voor de sleutelplaats: "
+#: lib/setup.c:3481
+msgid "Failed to swap new key slot."
+msgstr "Kan nieuwe sleutelplaats niet verwisselen."
 
-#: lib/setup.c:1813
+#: lib/setup.c:3667
 #, c-format
-msgid "Key slot %d changed.\n"
-msgstr "Sleutelplaats %d werd gewijzigd.\n"
+msgid "Key slot %d is invalid."
+msgstr "Sleutelplaats %d is ongeldig."
 
-#: lib/setup.c:1816
+#: lib/setup.c:3673 src/cryptsetup.c:1577 src/cryptsetup.c:1922
 #, c-format
-msgid "Replaced with key slot %d.\n"
-msgstr "Vervangen door sleutelplaats %d.\n"
+msgid "Keyslot %d is not active."
+msgstr "Sleutelplaats %d is niet in gebruik."
 
-#: lib/setup.c:1821
-msgid "Failed to swap new key slot.\n"
-msgstr "Kan nieuwe sleutelplaats niet verwisselen.\n"
+#: lib/setup.c:3692
+msgid "Device header overlaps with data area."
+msgstr "Overlapping tussen apparaatskoptekst en hashgedeelte."
+
+#: lib/setup.c:3979
+msgid "Reencryption in-progress. Cannot activate device."
+msgstr ""
+
+#: lib/setup.c:3981 lib/luks2/luks2_json_metadata.c:2239
+#: lib/luks2/luks2_reencrypt.c:2836
+#, fuzzy
+msgid "Failed to get reencryption lock."
+msgstr "Kan herencryptie-logbestand niet lezen.\n"
+
+#: lib/setup.c:3994 lib/luks2/luks2_reencrypt.c:2855
+#, fuzzy
+msgid "LUKS2 reencryption recovery failed."
+msgstr "Kan herencryptie-logbestand niet openen.\n"
 
-#: lib/setup.c:1938 lib/setup.c:2199 lib/setup.c:2212 lib/setup.c:2354
-msgid "Volume key does not match the volume.\n"
-msgstr "Sleutel tot opslagmedium komt niet overeen met het opslagmedium.\n"
+#: lib/setup.c:4125 lib/setup.c:4377
+msgid "Device type is not properly initialized."
+msgstr "Apparaatstype is niet behoorlijk geïnitialiseerd."
+
+#: lib/setup.c:4169
+#, fuzzy, c-format
+msgid "Cannot use device %s, name is invalid or still in use."
+msgstr "Kan apparaat %s niet formatteren; het is nog steeds actief.\n"
 
-#: lib/setup.c:1976
+#: lib/setup.c:4172
 #, c-format
-msgid "Key slot %d is invalid.\n"
-msgstr "Sleutelplaats %d is ongeldig.\n"
+msgid "Device %s already exists."
+msgstr "Apparaat %s bestaat reeds."
+
+#: lib/setup.c:4294
+msgid "Incorrect volume key specified for plain device."
+msgstr "Incorrecte sleutel tot het opslagmedium voor normaal apparaat verschaft."
+
+#: lib/setup.c:4403
+msgid "Incorrect root hash specified for verity device."
+msgstr "Incorrecte root-hash voor het VERITY-apparaat opgegeven."
+
+#: lib/setup.c:4410
+msgid "Root hash signature required."
+msgstr ""
+
+#: lib/setup.c:4419
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr ""
+
+#: lib/setup.c:4436 lib/setup.c:5910
+#, fuzzy
+msgid "Failed to load key in kernel keyring."
+msgstr "Openen van sleutelbestand is mislukt.\n"
 
-#: lib/setup.c:1981
+#: lib/setup.c:4489 lib/setup.c:4505 lib/luks2/luks2_json_metadata.c:2292
+#: src/cryptsetup.c:2597
 #, c-format
-msgid "Key slot %d is not used.\n"
-msgstr "Sleutelplaats %d is niet in gebruik.\n"
+msgid "Device %s is still in use."
+msgstr "Apparaat %s is nog in gebruik."
 
-#: lib/setup.c:2011 lib/setup.c:2083 lib/setup.c:2175
+#: lib/setup.c:4514
 #, c-format
-msgid "Device %s already exists.\n"
-msgstr "Apparaat %s bestaat reeds.\n"
+msgid "Invalid device %s."
+msgstr "Ongeldig apparaat %s."
+
+#: lib/setup.c:4630
+msgid "Volume key buffer too small."
+msgstr "Sleutelbuffer van het opslagmedium is te klein."
 
-#: lib/setup.c:2186
-msgid "Incorrect volume key specified for plain device.\n"
-msgstr "Incorrecte sleutel tot het opslagmedium voor normaal apparaat verschaft.\n"
+#: lib/setup.c:4638
+msgid "Cannot retrieve volume key for plain device."
+msgstr "Kan sleutel tot het opslagmedium voor normaal apparaat niet ophalen."
 
-#: lib/setup.c:2219
-msgid "Incorrect root hash specified for verity device.\n"
+#: lib/setup.c:4655
+#, fuzzy
+msgid "Cannot retrieve root hash for verity device."
 msgstr "Incorrecte root-hash voor het VERITY-apparaat opgegeven.\n"
 
-#: lib/setup.c:2242
-msgid "Device type is not properly initialised.\n"
-msgstr "Apparaatstype is niet behoorlijk geïnitialiseerd.\n"
+#: lib/setup.c:4657
+#, c-format
+msgid "This operation is not supported for %s crypt device."
+msgstr "Deze operatie wordt niet ondersteund voor versleutelapparaat %s."
+
+#: lib/setup.c:4863
+msgid "Dump operation is not supported for this device type."
+msgstr "Dump-operatie wordt niet ondersteund voor dit apparaatstype."
 
-#: lib/setup.c:2274
+#: lib/setup.c:5188
 #, c-format
-msgid "Device %s is still in use.\n"
-msgstr "Apparaat %s is nog in gebruik.\n"
+msgid "Data offset is not multiple of %u bytes."
+msgstr ""
+
+#: lib/setup.c:5470
+#, fuzzy, c-format
+msgid "Cannot convert device %s which is still in use."
+msgstr "Kan apparaat %s niet formatteren; het is nog steeds actief.\n"
 
-#: lib/setup.c:2283
+#: lib/setup.c:5767
 #, c-format
-msgid "Invalid device %s.\n"
-msgstr "Ongeldig apparaat %s.\n"
+msgid "Failed to assign keyslot %u as the new volume key."
+msgstr ""
 
-#: lib/setup.c:2304
-msgid "Function not available in FIPS mode.\n"
-msgstr "Functie niet beschikbaar in FIPS-modus.\n"
+#: lib/setup.c:5840
+msgid "Failed to initialize default LUKS2 keyslot parameters."
+msgstr ""
 
-#: lib/setup.c:2310
-msgid "Volume key buffer too small.\n"
-msgstr "Sleutelbuffer van het opslagmedium is te klein.\n"
+#: lib/setup.c:5846
+#, fuzzy, c-format
+msgid "Failed to assign keyslot %d to digest."
+msgstr "Kan nieuwe sleutelplaats niet verwisselen.\n"
 
-#: lib/setup.c:2318
-msgid "Cannot retrieve volume key for plain device.\n"
-msgstr "Kan sleutel tot het opslagmedium voor normaal apparaat niet ophalen.\n"
+#: lib/setup.c:5977
+#, fuzzy
+msgid "Kernel keyring is not supported by the kernel."
+msgstr "Deze operatie wordt niet ondersteund voor dit apparaatstype.\n"
 
-#: lib/setup.c:2325
-#, c-format
-msgid "This operation is not supported for %s crypt device.\n"
-msgstr "Deze operatie wordt niet ondersteund voor versleutelapparaat %s.\n"
+#: lib/setup.c:5987 lib/luks2/luks2_reencrypt.c:2952
+#, fuzzy, c-format
+msgid "Failed to read passphrase from keyring (error %d)."
+msgstr "Lezen uit sleutelopslag is mislukt.\n"
 
-#: lib/setup.c:2521
-msgid "Dump operation is not supported for this device type.\n"
-msgstr "Dump-operatie wordt niet ondersteund voor dit apparaatstype.\n"
-
-#: lib/utils.c:244
-msgid "Cannot get process priority.\n"
-msgstr "Kan geen procesprioriteit verkrijgen.\n"
+#: lib/setup.c:6011
+msgid "Failed to acquire global memory-hard access serialization lock."
+msgstr ""
 
-#: lib/utils.c:258
-msgid "Cannot unlock memory.\n"
-msgstr "Kan geheugen niet ontgrendelen.\n"
+#: lib/utils.c:81
+msgid "Cannot get process priority."
+msgstr "Kan geen procesprioriteit verkrijgen."
+
+#: lib/utils.c:95
+msgid "Cannot unlock memory."
+msgstr "Kan geheugen niet ontgrendelen."
+
+#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+msgid "Failed to open key file."
+msgstr "Openen van sleutelbestand is mislukt."
+
+#: lib/utils.c:174
+#, fuzzy
+msgid "Cannot read keyfile from a terminal."
+msgstr "Kan sleutelbestand %s niet lezen.\n"
 
-#: lib/utils_crypt.c:242 lib/utils_crypt.c:255 lib/utils_crypt.c:402
-#: lib/utils_crypt.c:417
-msgid "Out of memory while reading passphrase.\n"
-msgstr "Geen geheugen meer beschikbaar bij lezen van wachtwoord.\n"
-
-#: lib/utils_crypt.c:247 lib/utils_crypt.c:262
-msgid "Error reading passphrase from terminal.\n"
-msgstr "Fout bij het lezen van het wachtwoord uit de terminal.\n"
+#: lib/utils.c:191
+msgid "Failed to stat key file."
+msgstr "Kan status van sleutelbestand niet opvragen."
+
+#: lib/utils.c:199 lib/utils.c:220
+msgid "Cannot seek to requested keyfile offset."
+msgstr "Kan niet zoeken tot aan het aangevraagde sleutelbestand."
+
+#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: src/utils_password.c:201
+msgid "Out of memory while reading passphrase."
+msgstr "Geen geheugen meer beschikbaar bij lezen van wachtwoord."
+
+#: lib/utils.c:249
+msgid "Error reading passphrase."
+msgstr "Fout bij lezen van wachtwoord."
 
-#: lib/utils_crypt.c:260
-msgid "Verify passphrase: "
-msgstr "Voer wachtwoord nogmaals in: "
+#: lib/utils.c:266
+msgid "Nothing to read on input."
+msgstr ""
 
-#: lib/utils_crypt.c:267
-msgid "Passphrases do not match.\n"
-msgstr "Wachtwoorden komen niet overeen.\n"
-
-#: lib/utils_crypt.c:351
-msgid "Cannot use offset with terminal input.\n"
-msgstr "Kan de gegevenspositie niet via terminalinvoer gebruiken.\n"
+#: lib/utils.c:273
+msgid "Maximum keyfile size exceeded."
+msgstr "Maximum sleutelbestandsgrootte overschreden."
 
-#: lib/utils_crypt.c:370 lib/tcrypt/tcrypt.c:468
-msgid "Failed to open key file.\n"
-msgstr "Openen van sleutelbestand is mislukt.\n"
+#: lib/utils.c:278
+msgid "Cannot read requested amount of data."
+msgstr "Kan aangevraagde hoeveelheid data niet lezen."
 
-#: lib/utils_crypt.c:379
-msgid "Failed to stat key file.\n"
-msgstr "Kan status van sleutelbestand niet opvragen.\n"
+#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
+#: lib/luks1/keyencryption.c:92
+#, c-format
+msgid "Device %s does not exist or access denied."
+msgstr "Apparaat %s bestaat niet of toegang is geweigerd."
 
-#: lib/utils_crypt.c:387 lib/utils_crypt.c:408
-msgid "Cannot seek to requested keyfile offset.\n"
-msgstr "Kan niet zoeken tot aan het aangevraagde sleutelbestand.\n"
+#: lib/utils_device.c:198
+#, c-format
+msgid "Device %s is not compatible."
+msgstr "Apparaat %s is niet compatibel."
 
-#: lib/utils_crypt.c:425
-msgid "Error reading passphrase.\n"
-msgstr "Fout bij lezen van wachtwoord.\n"
+#: lib/utils_device.c:643
+#, c-format
+msgid "Device %s is too small. Need at least %<PRIu64> bytes."
+msgstr "Apparaat %s is te klein.  Minstens %<PRIu64> bytes zijn vereist."
 
-#: lib/utils_crypt.c:448
-msgid "Maximum keyfile size exceeded.\n"
-msgstr "Maximum sleutelbestandsgrootte overschreden.\n"
+#: lib/utils_device.c:724
+#, c-format
+msgid "Cannot use device %s which is in use (already mapped or mounted)."
+msgstr "Kan apparaat %s niet gebruiken; het is nog actief (reeds toegewezen of aangekoppeld)."
 
-#: lib/utils_crypt.c:453
-msgid "Cannot read requested amount of data.\n"
-msgstr "Kan aangevraagde hoeveelheid data niet lezen.\n"
+#: lib/utils_device.c:728
+#, c-format
+msgid "Cannot use device %s, permission denied."
+msgstr "Kan apparaat %s niet gebruiken: toestemming geweigerd."
 
-#: lib/utils_device.c:138 lib/luks1/keyencryption.c:90
+#: lib/utils_device.c:731
 #, c-format
-msgid "Device %s doesn't exist or access denied.\n"
-msgstr "Apparaat %s bestaat niet of toegang is geweigerd.\n"
+msgid "Cannot get info about device %s."
+msgstr "Kan geen informatie verkrijgen over apparaat %s."
 
-#: lib/utils_device.c:429
-msgid "Cannot use a loopback device, running as non-root user.\n"
-msgstr "Kan geen loopback-apparaat gebruiken, uitvoering als non-root gebruiker.\n"
+#: lib/utils_device.c:754
+msgid "Cannot use a loopback device, running as non-root user."
+msgstr "Kan geen loopback-apparaat gebruiken, uitvoering als non-root gebruiker."
 
-#: lib/utils_device.c:439
-msgid "Attaching loopback device failed (loop device with autoclear flag is required).\n"
-msgstr "Vastmaken loopback-apparaat gefaald (loop-apparaat met autoclear-vlag is vereist).\n"
+#: lib/utils_device.c:764
+msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
+msgstr "Vastmaken loopback-apparaat gefaald (loop-apparaat met autoclear-vlag is vereist)."
 
-#: lib/utils_device.c:483
+#: lib/utils_device.c:810
 #, c-format
-msgid "Cannot use device %s which is in use (already mapped or mounted).\n"
-msgstr "Kan apparaat %s niet gebruiken; het is nog actief (reeds toegewezen of aangekoppeld).\n"
+msgid "Requested offset is beyond real size of device %s."
+msgstr "De aangevraagde gegevenspositie valt buiten de werkelijke grootte van apparaat %s."
 
-#: lib/utils_device.c:487
+#: lib/utils_device.c:818
 #, c-format
-msgid "Cannot get info about device %s.\n"
-msgstr "Kan geen informatie verkrijgen over apparaat %s.\n"
+msgid "Device %s has zero size."
+msgstr "Apparaat %s heeft grootte nul."
+
+#: lib/utils_pbkdf.c:100
+msgid "Requested PBKDF target time cannot be zero."
+msgstr ""
+
+#: lib/utils_pbkdf.c:106
+#, c-format
+msgid "Unknown PBKDF type %s."
+msgstr ""
+
+#: lib/utils_pbkdf.c:111
+#, fuzzy, c-format
+msgid "Requested hash %s is not supported."
+msgstr "Aangevraagde LUKS-hash %s wordt niet ondersteund.\n"
+
+#: lib/utils_pbkdf.c:122
+#, fuzzy
+msgid "Requested PBKDF type is not supported for LUKS1."
+msgstr "Aangevraagde LUKS-hash %s wordt niet ondersteund.\n"
+
+#: lib/utils_pbkdf.c:128
+msgid "PBKDF max memory or parallel threads must not be set with pbkdf2."
+msgstr ""
 
-#: lib/utils_device.c:493
+#: lib/utils_pbkdf.c:133 lib/utils_pbkdf.c:143
 #, c-format
-msgid "Requested offset is beyond real size of device %s.\n"
-msgstr "De aangevraagde gegevenspositie valt buiten de werkelijke grootte van apparaat %s.\n"
+msgid "Forced iteration count is too low for %s (minimum is %u)."
+msgstr ""
 
-#: lib/utils_device.c:501
+#: lib/utils_pbkdf.c:148
 #, c-format
-msgid "Device %s has zero size.\n"
-msgstr "Apparaat %s heeft grootte nul.\n"
+msgid "Forced memory cost is too low for %s (minimum is %u kilobytes)."
+msgstr ""
 
-#: lib/utils_device.c:512
+#: lib/utils_pbkdf.c:155
 #, c-format
-msgid "Device %s is too small.\n"
-msgstr "Apparaat %s is te klein.\n"
+msgid "Requested maximum PBKDF memory cost is too high (maximum is %d kilobytes)."
+msgstr ""
+
+#: lib/utils_pbkdf.c:160
+msgid "Requested maximum PBKDF memory cannot be zero."
+msgstr ""
+
+#: lib/utils_pbkdf.c:164
+msgid "Requested PBKDF parallel threads cannot be zero."
+msgstr ""
+
+#: lib/utils_pbkdf.c:184
+msgid "Only PBKDF2 is supported in FIPS mode."
+msgstr ""
+
+#: lib/utils_benchmark.c:166
+msgid "PBKDF benchmark disabled but iterations not set."
+msgstr ""
+
+#: lib/utils_benchmark.c:185
+#, c-format
+msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
+msgstr "Niet-compatibele PBKDF2-opties (met hash-algoritme %s in gebruik)."
+
+#: lib/utils_benchmark.c:205
+#, fuzzy
+msgid "Not compatible PBKDF options."
+msgstr "Niet-compatibele PBKDF2-opties (met hash-algoritme %s in gebruik).\n"
+
+#: lib/utils_device_locking.c:103
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
+msgstr ""
+
+#: lib/utils_device_locking.c:110
+#, c-format
+msgid "WARNING: Locking directory %s/%s is missing!\n"
+msgstr ""
+
+#: lib/utils_device_locking.c:120
+#, c-format
+msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
+msgstr ""
 
-#: lib/luks1/keyencryption.c:37
+#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
+msgid "Cannot seek to device offset."
+msgstr "Onmogelijk te zoeken tot startplaats van apparaat."
+
+#: lib/utils_wipe.c:209
 #, c-format
+msgid "Device wipe error, offset %<PRIu64>."
+msgstr ""
+
+#: lib/luks1/keyencryption.c:40
+#, fuzzy, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
-"Check that kernel supports %s cipher (check syslog for more info).\n"
+"Check that kernel supports %s cipher (check syslog for more info)."
 msgstr ""
 "Kan dm-crypt sleuteltoewijzing niet instellen voor apparaat %s.\n"
 "Kijk na of de kernel versleutelalgoritme %s ondersteunt (bekijk syslog voor meer informatie).\n"
 
-#: lib/luks1/keyencryption.c:42
-msgid "Key size in XTS mode must be 256 or 512 bits.\n"
-msgstr "In XTS-modus moet de sleutelgrootte 256 of 512 bits zijn.\n"
+#: lib/luks1/keyencryption.c:45
+msgid "Key size in XTS mode must be 256 or 512 bits."
+msgstr "In XTS-modus moet de sleutelgrootte 256 of 512 bits zijn."
+
+#: lib/luks1/keyencryption.c:47
+msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
+msgstr ""
 
-#: lib/luks1/keyencryption.c:96 lib/luks1/keymanage.c:296
-#: lib/luks1/keymanage.c:583 lib/luks1/keymanage.c:1033
+#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
+#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1079
+#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:734
 #, c-format
-msgid "Cannot write to device %s, permission denied.\n"
-msgstr "Kan apparaat %s niet beschrijven: toestemming geweigerd.\n"
+msgid "Cannot write to device %s, permission denied."
+msgstr "Kan apparaat %s niet beschrijven: toestemming geweigerd."
 
-#: lib/luks1/keyencryption.c:111
-msgid "Failed to open temporary keystore device.\n"
-msgstr "Openen van het tijdelijke sleutelopslagapparaat is mislukt.\n"
+#: lib/luks1/keyencryption.c:121
+msgid "Failed to open temporary keystore device."
+msgstr "Openen van het tijdelijke sleutelopslagapparaat is mislukt."
 
-#: lib/luks1/keyencryption.c:118
-msgid "Failed to access temporary keystore device.\n"
-msgstr "Kan geen toegang verkrijgen tot tijdelijk sleutelopslagapparaat.\n"
+#: lib/luks1/keyencryption.c:128
+msgid "Failed to access temporary keystore device."
+msgstr "Kan geen toegang verkrijgen tot tijdelijk sleutelopslagapparaat."
+
+#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
+msgid "IO error while encrypting keyslot."
+msgstr "Invoer/uitvoerfout tijdens het versleutelen van de sleutelplaats."
 
-#: lib/luks1/keyencryption.c:191
-msgid "IO error while encrypting keyslot.\n"
-msgstr "Invoer/uitvoerfout tijdens het versleutelen van de sleutelplaats.\n"
+#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
+#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
+#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
+#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: src/cryptsetup_reencrypt.c:205
+#, c-format
+msgid "Cannot open device %s."
+msgstr "Kan apparaat %s niet openen."
 
-#: lib/luks1/keyencryption.c:256
-msgid "IO error while decrypting keyslot.\n"
-msgstr "Invoer/uitvoerfout tijdens het ontsleutelen van de sleutelplaats.\n"
+#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+msgid "IO error while decrypting keyslot."
+msgstr "Invoer/uitvoerfout tijdens het ontsleutelen van de sleutelplaats."
 
-#: lib/luks1/keymanage.c:90
+#: lib/luks1/keymanage.c:111
 #, c-format
-msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
-msgstr "Apparaat %s is te klein. (LUKS vereist minstens %<PRIu64> bytes.)\n"
+msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
+msgstr "Apparaat %s is te klein.  (LUKS1 vereist minstens %<PRIu64> bytes.)"
 
-#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:419
-#: src/cryptsetup_reencrypt.c:1152
+#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
+#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
+#: lib/luks1/keymanage.c:175
 #, c-format
-msgid "Device %s is not a valid LUKS device.\n"
-msgstr "Apparaat %s is geen geldig LUKS-apparaat.\n"
+msgid "LUKS keyslot %u is invalid."
+msgstr "LUKS-sleutelplaats %u is ongeldig."
 
-#: lib/luks1/keymanage.c:198
+#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
+#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1438
+#: src/cryptsetup.c:1564 src/cryptsetup.c:1621 src/cryptsetup.c:1677
+#: src/cryptsetup.c:1744 src/cryptsetup.c:1847 src/cryptsetup.c:1911
+#: src/cryptsetup.c:2071 src/cryptsetup.c:2264 src/cryptsetup.c:2324
+#: src/cryptsetup.c:2390 src/cryptsetup.c:2554 src/cryptsetup.c:3204
+#: src/cryptsetup.c:3213 src/cryptsetup_reencrypt.c:1381
 #, c-format
-msgid "Requested header backup file %s already exists.\n"
-msgstr "Aangevraagd reservekopiebestand %s van koptekst bestaat reeds.\n"
+msgid "Device %s is not a valid LUKS device."
+msgstr "Apparaat %s is geen geldig LUKS-apparaat."
 
-#: lib/luks1/keymanage.c:200
+#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
 #, c-format
-msgid "Cannot create header backup file %s.\n"
-msgstr "Kan reservekopiebestand %s van koptekst niet aanmaken.\n"
+msgid "Requested header backup file %s already exists."
+msgstr "Aangevraagd reservekopiebestand %s van koptekst bestaat reeds."
 
-#: lib/luks1/keymanage.c:205
+#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
 #, c-format
-msgid "Cannot write header backup file %s.\n"
-msgstr "Kan reservekopiebestand %s van koptekst niet schrijven.\n"
+msgid "Cannot create header backup file %s."
+msgstr "Kan reservekopiebestand %s van koptekst niet aanmaken."
 
-#: lib/luks1/keymanage.c:238
-msgid "Backup file doesn't contain valid LUKS header.\n"
-msgstr "Reservekopiebestand bevat geen geldige LUKS-koptekst.\n"
+#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#, c-format
+msgid "Cannot write header backup file %s."
+msgstr "Kan reservekopiebestand %s van koptekst niet schrijven."
 
-#: lib/luks1/keymanage.c:251 lib/luks1/keymanage.c:497
+#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
+msgid "Backup file does not contain valid LUKS header."
+msgstr "Reservekopiebestand bevat geen geldige LUKS-koptekst."
+
+#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
+#: lib/luks2/luks2_json_metadata.c:1183
 #, c-format
-msgid "Cannot open header backup file %s.\n"
-msgstr "Kan reservekopiebestand %s van koptekst niet openen.\n"
+msgid "Cannot open header backup file %s."
+msgstr "Kan reservekopiebestand %s van koptekst niet openen."
 
-#: lib/luks1/keymanage.c:257
+#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
 #, c-format
-msgid "Cannot read header backup file %s.\n"
-msgstr "Kan reservekopiebestand %s van koptekst niet lezen.\n"
+msgid "Cannot read header backup file %s."
+msgstr "Kan reservekopiebestand %s van koptekst niet lezen."
 
-#: lib/luks1/keymanage.c:269
-msgid "Data offset or key size differs on device and backup, restore failed.\n"
-msgstr "Verschillende gegevenspositie of sleutelgrootte in apparaat en reservekopie; herstelling is mislukt.\n"
+#: lib/luks1/keymanage.c:318
+msgid "Data offset or key size differs on device and backup, restore failed."
+msgstr "Verschillende gegevenspositie of sleutelgrootte in apparaat en reservekopie; herstelling is mislukt."
 
-#: lib/luks1/keymanage.c:277
+#: lib/luks1/keymanage.c:326
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Apparaat %s %s%s"
 
-#: lib/luks1/keymanage.c:278
+#: lib/luks1/keymanage.c:327
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "bevat geen LUKS-koptekst. Het vervangen van de koptekst kan gegevens op het apparaat vernietigen."
 
-#: lib/luks1/keymanage.c:279
+#: lib/luks1/keymanage.c:328
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "bevat reeds een LUKS-koptekst. Het vervangen van de koptekst zal bestaande sleutelplaatsen vernietigen."
 
-#: lib/luks1/keymanage.c:280
+#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -523,1302 +886,3099 @@
 "\n"
 "WAARSCHUWING: originele apparaatkoptekst heeft een ander UUID dan de reservekopie!"
 
-#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:536
-#: lib/luks1/keymanage.c:586 lib/tcrypt/tcrypt.c:625 lib/verity/verity.c:82
-#: lib/verity/verity.c:180 lib/verity/verity_hash.c:292
-#: lib/verity/verity_hash.c:303 lib/verity/verity_hash.c:323
-#: src/cryptsetup_reencrypt.c:154
-#, c-format
-msgid "Cannot open device %s.\n"
-msgstr "Kan apparaat %s niet openen.\n"
-
-#: lib/luks1/keymanage.c:330
-msgid "Non standard key size, manual repair required.\n"
-msgstr "Niet-standaard sleutelgrootte, handmatige herstelling is vereist.\n"
-
-#: lib/luks1/keymanage.c:335
-msgid "Non standard keyslots alignment, manual repair required.\n"
-msgstr "Niet-standaard sleutelplaatsuitlijning, handmatige herstelling is vereist.\n"
-
-#: lib/luks1/keymanage.c:341
-msgid "Repairing keyslots.\n"
-msgstr "Sleutelplaatsen worden hersteld.\n"
+#: lib/luks1/keymanage.c:376
+msgid "Non standard key size, manual repair required."
+msgstr "Niet-standaard sleutelgrootte, handmatige herstelling is vereist."
 
-#: lib/luks1/keymanage.c:352
-msgid "Repair failed."
-msgstr "Herstelling is mislukt."
-
-#: lib/luks1/keymanage.c:364
-#, c-format
-msgid "Keyslot %i: offset repaired (%u -> %u).\n"
-msgstr "Sleutelplaats %i: gegevenspositie hersteld (%u -> %u).\n"
+#: lib/luks1/keymanage.c:381
+msgid "Non standard keyslots alignment, manual repair required."
+msgstr "Niet-standaard sleutelplaatsuitlijning, handmatige herstelling is vereist."
 
-#: lib/luks1/keymanage.c:372
-#, c-format
-msgid "Keyslot %i: stripes repaired (%u -> %u).\n"
-msgstr "Sleutelplaats %i: fragmenten hersteld (%u -> %u).\n"
+#: lib/luks1/keymanage.c:391
+msgid "Repairing keyslots."
+msgstr "Sleutelplaatsen worden hersteld."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:410
 #, c-format
-msgid "Keyslot %i: bogus partition signature.\n"
-msgstr "Sleutelplaats %i: valse partitiehandtekening.\n"
+msgid "Keyslot %i: offset repaired (%u -> %u)."
+msgstr "Sleutelplaats %i: gegevenspositie hersteld (%u -> %u)."
 
-#: lib/luks1/keymanage.c:386
+#: lib/luks1/keymanage.c:418
 #, c-format
-msgid "Keyslot %i: salt wiped.\n"
-msgstr "Sleutelplaats %i: salt uitgewist.\n"
-
-#: lib/luks1/keymanage.c:397
-msgid "Writing LUKS header to disk.\n"
-msgstr "LUKS-koptekst wordt naar schijf geschreven.\n"
+msgid "Keyslot %i: stripes repaired (%u -> %u)."
+msgstr "Sleutelplaats %i: fragmenten hersteld (%u -> %u)."
 
-#: lib/luks1/keymanage.c:422
+#: lib/luks1/keymanage.c:427
 #, c-format
-msgid "Unsupported LUKS version %d.\n"
-msgstr "Niet-ondersteunde LUKS-versie %d.\n"
+msgid "Keyslot %i: bogus partition signature."
+msgstr "Sleutelplaats %i: valse partitiehandtekening."
 
-#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:672
+#: lib/luks1/keymanage.c:432
 #, c-format
-msgid "Requested LUKS hash %s is not supported.\n"
-msgstr "Aangevraagde LUKS-hash %s wordt niet ondersteund.\n"
+msgid "Keyslot %i: salt wiped."
+msgstr "Sleutelplaats %i: salt uitgewist."
 
-#: lib/luks1/keymanage.c:443
-#, c-format
-msgid "LUKS keyslot %u is invalid.\n"
-msgstr "LUKS-sleutelplaats %u is ongeldig.\n"
+#: lib/luks1/keymanage.c:449
+msgid "Writing LUKS header to disk."
+msgstr "LUKS-koptekst wordt naar schijf geschreven."
 
-#: lib/luks1/keymanage.c:457 src/cryptsetup.c:668
-msgid "No known problems detected for LUKS header.\n"
-msgstr "Geen gekende problemen gevonden bij LUKS-koptekst.\n"
+#: lib/luks1/keymanage.c:454
+msgid "Repair failed."
+msgstr "Herstelling is mislukt."
 
-#: lib/luks1/keymanage.c:607
+#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
 #, c-format
-msgid "Error during update of LUKS header on device %s.\n"
-msgstr "Fout bij het bijwerken van LUKS-koptekst op apparaat %s.\n"
+msgid "Requested LUKS hash %s is not supported."
+msgstr "Aangevraagde LUKS-hash %s wordt niet ondersteund."
 
-#: lib/luks1/keymanage.c:614
-#, c-format
-msgid "Error re-reading LUKS header after update on device %s.\n"
-msgstr "Fout bij het herlezen van LUKS-koptekst na bijwerken van apparaat %s.\n"
+#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1144
+msgid "No known problems detected for LUKS header."
+msgstr "Geen gekende problemen gevonden bij LUKS-koptekst."
 
-#: lib/luks1/keymanage.c:665
+#: lib/luks1/keymanage.c:661
 #, c-format
-msgid "Data offset for detached LUKS header must be either 0 or higher than header size (%d sectors).\n"
-msgstr "De datagegevenspositie voor een aparte LUKS-koptekst moet of 0 zijn, of hoger liggen dan de koptekstgrootte (%d sectoren).\n"
+msgid "Error during update of LUKS header on device %s."
+msgstr "Fout bij het bijwerken van LUKS-koptekst op apparaat %s."
 
-#: lib/luks1/keymanage.c:677 lib/luks1/keymanage.c:768
-msgid "Wrong LUKS UUID format provided.\n"
-msgstr "Verkeerd LUKS UUID-formaat verschaft.\n"
+#: lib/luks1/keymanage.c:669
+#, c-format
+msgid "Error re-reading LUKS header after update on device %s."
+msgstr "Fout bij het herlezen van LUKS-koptekst na bijwerken van apparaat %s."
 
-#: lib/luks1/keymanage.c:706
-msgid "Cannot create LUKS header: reading random salt failed.\n"
-msgstr "Kan LUKS-koptekst niet aanmaken: lezen van random salt is mislukt.\n"
+#: lib/luks1/keymanage.c:745
+msgid "Data offset for LUKS header must be either 0 or higher than header size."
+msgstr "De datagegevenspositie voor een aparte LUKS-koptekst moet of 0 zijn, of groter zijn dan de koptekstgrootte."
 
-#: lib/luks1/keymanage.c:713 lib/luks1/keymanage.c:809
-#, c-format
-msgid "Not compatible PBKDF2 options (using hash algorithm %s).\n"
-msgstr "Niet-compatibele PBKDF2-opties (met hash-algoritme %s in gebruik).\n"
+#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:826
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
+#: src/cryptsetup.c:2717
+msgid "Wrong LUKS UUID format provided."
+msgstr "Verkeerd LUKS UUID-formaat verschaft."
 
-#: lib/luks1/keymanage.c:728
-#, c-format
-msgid "Cannot create LUKS header: header digest failed (using hash %s).\n"
-msgstr "Kan LUKS-koptekst niet aanmaken: koptekst-extract is mislukt (met %s-hash).\n"
+#: lib/luks1/keymanage.c:779
+msgid "Cannot create LUKS header: reading random salt failed."
+msgstr "Kan LUKS-koptekst niet aanmaken: lezen van random salt is mislukt."
 
-#: lib/luks1/keymanage.c:793
+#: lib/luks1/keymanage.c:805
 #, c-format
-msgid "Key slot %d active, purge first.\n"
-msgstr "Sleutelplaats %d is actief; ruim eerst op.\n"
+msgid "Cannot create LUKS header: header digest failed (using hash %s)."
+msgstr "Kan LUKS-koptekst niet aanmaken: koptekst-extract is mislukt (met %s-hash)."
 
-#: lib/luks1/keymanage.c:799
+#: lib/luks1/keymanage.c:849
 #, c-format
-msgid "Key slot %d material includes too few stripes. Header manipulation?\n"
-msgstr "Inhoud van sleutelplaats %d bevat te weinig fragmenten. Koptekstmanipulatie?\n"
+msgid "Key slot %d active, purge first."
+msgstr "Sleutelplaats %d is actief; ruim eerst op."
 
-#: lib/luks1/keymanage.c:966
+#: lib/luks1/keymanage.c:855
 #, c-format
-msgid "Key slot %d unlocked.\n"
-msgstr "Sleutelplaats %d is ontgrendeld.\n"
-
-#: lib/luks1/keymanage.c:1001 src/cryptsetup.c:867
-#: src/cryptsetup_reencrypt.c:1041 src/cryptsetup_reencrypt.c:1078
-msgid "No key available with this passphrase.\n"
-msgstr "Geen sleutel beschikbaar met dit wachtwoord.\n"
+msgid "Key slot %d material includes too few stripes. Header manipulation?"
+msgstr "Inhoud van sleutelplaats %d bevat te weinig fragmenten. Koptekstmanipulatie?"
 
-#: lib/luks1/keymanage.c:1019
+#: lib/luks1/keymanage.c:1065
 #, c-format
-msgid "Key slot %d is invalid, please select keyslot between 0 and %d.\n"
-msgstr "Sleutelplaats %d is ongeldig, selecteer een sleutelplaats tussen 0 en %d.\n"
+msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
+msgstr "Sleutelplaats %d is ongeldig, selecteer een sleutelplaats tussen 0 en %d."
 
-#: lib/luks1/keymanage.c:1037
+#: lib/luks1/keymanage.c:1083 lib/luks2/luks2_keyslot.c:738
 #, c-format
-msgid "Cannot wipe device %s.\n"
-msgstr "Kan apparaat %s niet wissen.\n"
+msgid "Cannot wipe device %s."
+msgstr "Kan apparaat %s niet wissen."
 
 #: lib/loopaes/loopaes.c:146
-msgid "Detected not yet supported GPG encrypted keyfile.\n"
-msgstr "Nog niet ondersteund GPG-versleuteld sleutelbestand gevonden.\n"
+msgid "Detected not yet supported GPG encrypted keyfile."
+msgstr "Nog niet ondersteund GPG-versleuteld sleutelbestand gevonden."
 
 #: lib/loopaes/loopaes.c:147
 msgid "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 msgstr "Gebruik gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"
 
 #: lib/loopaes/loopaes.c:168 lib/loopaes/loopaes.c:188
-msgid "Incompatible loop-AES keyfile detected.\n"
-msgstr "Onverenigbaar loop-AES-sleutelbestand gevonden.\n"
+msgid "Incompatible loop-AES keyfile detected."
+msgstr "Onverenigbaar loop-AES-sleutelbestand gevonden."
 
-#: lib/loopaes/loopaes.c:244
-msgid "Kernel doesn't support loop-AES compatible mapping.\n"
-msgstr "Toewijzingen compatibel met loop-AES worden niet ondersteund door de kernel.\n"
+#: lib/loopaes/loopaes.c:245
+msgid "Kernel does not support loop-AES compatible mapping."
+msgstr "Toewijzingen compatibel met loop-AES worden niet ondersteund door de kernel."
 
-#: lib/tcrypt/tcrypt.c:476
+#: lib/tcrypt/tcrypt.c:505
 #, c-format
-msgid "Error reading keyfile %s.\n"
-msgstr "Fout bij het lezen van sleutelbestand %s.\n"
+msgid "Error reading keyfile %s."
+msgstr "Fout bij het lezen van sleutelbestand %s."
 
-#: lib/tcrypt/tcrypt.c:514
+#: lib/tcrypt/tcrypt.c:545
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded.\n"
-msgstr "Maximum TCRYPT-wachtwoorlengte (%d) overschreden.\n"
+msgid "Maximum TCRYPT passphrase length (%d) exceeded."
+msgstr "Maximum TCRYPT-wachtwoorlengte (%d) overschreden."
 
-#: lib/tcrypt/tcrypt.c:544
+#: lib/tcrypt/tcrypt.c:586
 #, c-format
-msgid "PBKDF2 hash algorithm %s not available, skipping.\n"
-msgstr "PBKDF2 hash-algoritme %s is niet beschikbaar, wordt overgeslaan.\n"
+msgid "PBKDF2 hash algorithm %s not available, skipping."
+msgstr "PBKDF2 hash-algoritme %s is niet beschikbaar, wordt overgeslaan."
 
-#: lib/tcrypt/tcrypt.c:562 src/cryptsetup.c:621
-msgid "Required kernel crypto interface not available.\n"
-msgstr "Benodigde kernel cryptografie-interface is niet beschikbaar.\n"
+#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:1021
+msgid "Required kernel crypto interface not available."
+msgstr "Benodigde kernel cryptografie-interface is niet beschikbaar."
 
-#: lib/tcrypt/tcrypt.c:564 src/cryptsetup.c:623
-msgid "Ensure you have algif_skcipher kernel module loaded.\n"
-msgstr "Kijk na of kernelmodule algif_skcipher geladen is.\n"
+#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:1023
+msgid "Ensure you have algif_skcipher kernel module loaded."
+msgstr "Kijk na of kernelmodule algif_skcipher geladen is."
 
-#: lib/tcrypt/tcrypt.c:708
+#: lib/tcrypt/tcrypt.c:744
 #, c-format
-msgid "Activation is not supported for %d sector size.\n"
-msgstr "Activatie wordt niet ondersteund voor %d sectorgrootte.\n"
+msgid "Activation is not supported for %d sector size."
+msgstr "Activatie wordt niet ondersteund voor %d sectorgrootte."
 
-#: lib/tcrypt/tcrypt.c:714
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode.\n"
-msgstr "Activatie voor deze TCRYPT-legacymodus wordt niet ondersteund door de kernel.\n"
+#: lib/tcrypt/tcrypt.c:750
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
+msgstr "Activatie voor deze TCRYPT-legacymodus wordt niet ondersteund door de kernel."
 
-#: lib/tcrypt/tcrypt.c:748
+#: lib/tcrypt/tcrypt.c:784
 #, c-format
-msgid "Activating TCRYPT system encryption for partition %s.\n"
-msgstr "TCRYPT-systeemversleuteling voor partitie %s wordt geactiveerd.\n"
+msgid "Activating TCRYPT system encryption for partition %s."
+msgstr "TCRYPT-systeemversleuteling voor partitie %s wordt geactiveerd."
 
-#: lib/tcrypt/tcrypt.c:815
-msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
-msgstr "Toewijzingen compatibel met TCRYPT worden niet ondersteund door de kernel.\n"
+#: lib/tcrypt/tcrypt.c:862
+msgid "Kernel does not support TCRYPT compatible mapping."
+msgstr "Toewijzingen compatibel met TCRYPT worden niet ondersteund door de kernel."
 
-#: lib/tcrypt/tcrypt.c:1030
+#: lib/tcrypt/tcrypt.c:1084
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Deze functie wordt niet ondersteund zonder TCRYPT-koptekst."
 
-#: lib/verity/verity.c:70 lib/verity/verity.c:173
+#: lib/bitlk/bitlk.c:305
 #, c-format
-msgid "Verity device %s doesn't use on-disk header.\n"
-msgstr "VERITY-apparaat %s gebruikt geen on-disk koptekst.\n"
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr ""
+
+#: lib/bitlk/bitlk.c:352
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr ""
 
-#: lib/verity/verity.c:94
+#: lib/bitlk/bitlk.c:357
 #, c-format
-msgid "Device %s is not a valid VERITY device.\n"
-msgstr "Apparaat %s is geen geldig VERITY-apparaat.\n"
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr ""
 
-#: lib/verity/verity.c:101
+#: lib/bitlk/bitlk.c:371
 #, c-format
-msgid "Unsupported VERITY version %d.\n"
-msgstr "Niet-ondersteunde VERITY-versie %d.\n"
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr ""
 
-#: lib/verity/verity.c:131
-msgid "VERITY header corrupted.\n"
-msgstr "VERITY-koptekst beschadigd.\n"
+#: lib/bitlk/bitlk.c:451
+#, fuzzy, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Lezen uit sleutelopslag is mislukt.\n"
 
-#: lib/verity/verity.c:167
-#, c-format
-msgid "Wrong VERITY UUID format provided on device %s.\n"
-msgstr "Verkeerd VERITY UUID-formaat verschaft op apparaat %s.\n"
+#: lib/bitlk/bitlk.c:457
+msgid "BITLK version 1 is currently not supported."
+msgstr ""
 
-#: lib/verity/verity.c:199
-#, c-format
-msgid "Error during update of verity header on device %s.\n"
-msgstr "Fout bij het bijwerken van VERITY-koptekst op apparaat %s.\n"
+#: lib/bitlk/bitlk.c:463
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr ""
 
-#: lib/verity/verity.c:279
-msgid "Kernel doesn't support dm-verity mapping.\n"
-msgstr "dm-verity toewijzingen niet ondersteund door kernel.\n"
+#: lib/bitlk/bitlk.c:475
+msgid "Invalid or unknown signature for BITLK device."
+msgstr ""
 
-#: lib/verity/verity.c:290
-msgid "Verity device detected corruption after activation.\n"
-msgstr "VERITY-apparaat ontdekte beschadiging na activatie.\n"
+#: lib/bitlk/bitlk.c:483
+#, fuzzy, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Lezen uit sleutelopslag is mislukt.\n"
 
-#: lib/verity/verity_hash.c:59
+#: lib/bitlk/bitlk.c:499
 #, c-format
-msgid "Spare area is not zeroed at position %<PRIu64>.\n"
-msgstr "Reservegebied is niet ingesteld op positie %<PRIu64>.\n"
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr ""
 
-#: lib/verity/verity_hash.c:121 lib/verity/verity_hash.c:249
-#: lib/verity/verity_hash.c:277 lib/verity/verity_hash.c:284
-msgid "Device offset overflow.\n"
-msgstr "Overloop van apparaatsgegevenspositie.\n"
+#: lib/bitlk/bitlk.c:543
+#, fuzzy
+msgid "Unknown or unsupported encryption type."
+msgstr "UUID wordt niet ondersteund voor dit encryptietype.\n"
 
-#: lib/verity/verity_hash.c:161
+#: lib/bitlk/bitlk.c:576
 #, c-format
-msgid "Verification failed at position %<PRIu64>.\n"
-msgstr "Controle gefaald op positie %<PRIu64>.\n"
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr ""
 
-#: lib/verity/verity_hash.c:235
-msgid "Invalid size parameters for verity device.\n"
-msgstr "Ongeldige grootteparameters voor VERITY-apparaat.\n"
+#: lib/bitlk/bitlk.c:863
+#, fuzzy
+msgid "This operation is not supported."
+msgstr "Deze operatie wordt niet ondersteund voor versleutelapparaat %s.\n"
 
-#: lib/verity/verity_hash.c:266
-msgid "Too many tree levels for verity volume.\n"
-msgstr "Te veel niveau's in de boomstructuur voor een VERITY-volume.\n"
+#: lib/bitlk/bitlk.c:871
+#, fuzzy
+msgid "Wrong key size."
+msgstr "Ongeldige sleutelgrootte.\n"
 
-#: lib/verity/verity_hash.c:354
-msgid "Verification of data area failed.\n"
-msgstr "Controle van gegevensgebied gefaald.\n"
+#: lib/bitlk/bitlk.c:999
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr ""
 
-#: lib/verity/verity_hash.c:359
-msgid "Verification of root hash failed.\n"
-msgstr "Controle van root-hash gefaald.\n"
+#: lib/bitlk/bitlk.c:1132
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr ""
 
-#: lib/verity/verity_hash.c:365
-msgid "Input/output error while creating hash area.\n"
-msgstr "Invoer/uitvoerfout bij het aanmaken van hash-gebied.\n"
+#: lib/bitlk/bitlk.c:1136
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr ""
 
-#: lib/verity/verity_hash.c:367
-msgid "Creation of hash area failed.\n"
-msgstr "Creatie hash-gebied gefaald.\n"
+#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#, fuzzy, c-format
+msgid "Verity device %s does not use on-disk header."
+msgstr "VERITY-apparaat %s gebruikt geen on-disk koptekst.\n"
 
-#: lib/verity/verity_hash.c:414
+#: lib/verity/verity.c:91
 #, c-format
-msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u).\n"
-msgstr "WAARSCHUWING: Kernel kan apparaat niet activeren als de gegevensblokgrootte groter is dan de paginagrootte (%u).\n"
+msgid "Device %s is not a valid VERITY device."
+msgstr "Apparaat %s is geen geldig VERITY-apparaat."
 
-#: src/cryptsetup.c:92
-msgid "Can't do passphrase verification on non-tty inputs.\n"
-msgstr "Kan geen wachtwoordverificatie uitvoeren op invoer van buiten de terminal.\n"
-
-#: src/cryptsetup.c:133 src/cryptsetup.c:564 src/cryptsetup.c:711
-#: src/cryptsetup_reencrypt.c:524 src/cryptsetup_reencrypt.c:578
-msgid "No known cipher specification pattern detected.\n"
-msgstr "Geen bekend specificatiepatroon voor het sleutelalgoritme gevonden.\n"
+#: lib/verity/verity.c:98
+#, c-format
+msgid "Unsupported VERITY version %d."
+msgstr "Niet-ondersteunde VERITY-versie %d."
 
-#: src/cryptsetup.c:141
-msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
-msgstr "WAARSCHUWING: In normale modus met opgegeven sleutelbestand wordt de --hash-parameter genegeerd.\n"
+#: lib/verity/verity.c:129
+msgid "VERITY header corrupted."
+msgstr "VERITY-koptekst beschadigd."
 
-#: src/cryptsetup.c:149
-msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
-msgstr "WAARSCHUWING: De optie --keyfile-size wordt genegeerd, de leesgrootte is gelijk aan de encryptiesleutelgrootte.\n"
+#: lib/verity/verity.c:166
+#, c-format
+msgid "Wrong VERITY UUID format provided on device %s."
+msgstr "Verkeerd VERITY UUID-formaat verschaft op apparaat %s."
 
-#: src/cryptsetup.c:215
-msgid "Option --key-file is required.\n"
-msgstr "Optie --key-file is vereist.\n"
-
-#: src/cryptsetup.c:267
-msgid "No device header detected with this passphrase.\n"
-msgstr "Geen apparaatkoptekst beschikbaar met dit wachtwoord.\n"
+#: lib/verity/verity.c:199
+#, c-format
+msgid "Error during update of verity header on device %s."
+msgstr "Fout bij het bijwerken van VERITY-koptekst op apparaat %s."
 
-#: src/cryptsetup.c:327 src/cryptsetup.c:1160
-msgid ""
-"Header dump with volume key is sensitive information\n"
-"which allows access to encrypted partition without passphrase.\n"
-"This dump should be always stored encrypted on safe place."
+#: lib/verity/verity.c:257
+#, fuzzy
+msgid "Root hash signature verification is not supported."
+msgstr "Aangevraagd hash-algoritme %s wordt niet ondersteund.\n"
+
+#: lib/verity/verity.c:268
+msgid "Errors cannot be repaired with FEC device."
 msgstr ""
-"Dump van koptekst met sleutel tot het opslagmedium bevat gevoelige informatie\n"
-"die zonder wachtwoord toegang verschaft tot versleutelde partities.\n"
-"De dump zou steeds versleuteld en op een veilige plaats bewaard moeten worden."
 
-#: src/cryptsetup.c:517
-msgid "Result of benchmark is not reliable.\n"
-msgstr "Benchmarkresultaat is niet betrouwbaar.\n"
+#: lib/verity/verity.c:270
+#, c-format
+msgid "Found %u repairable errors with FEC device."
+msgstr ""
 
-#: src/cryptsetup.c:558
-msgid "# Tests are approximate using memory only (no storage IO).\n"
-msgstr "# Tests zijn bij benadering met enkel geheugen in gebruik (geen opslag-IO).\n"
+#: lib/verity/verity.c:309
+#, fuzzy
+msgid "Kernel does not support dm-verity mapping."
+msgstr "dm-verity toewijzingen niet ondersteund door kernel.\n"
 
-#: src/cryptsetup.c:583 src/cryptsetup.c:605
-msgid "#  Algorithm | Key |  Encryption |  Decryption\n"
-msgstr "#  Algoritme | Sleutel |  Versleuteling |  Ontsleuteling\n"
+#: lib/verity/verity.c:313
+#, fuzzy
+msgid "Kernel does not support dm-verity signature option."
+msgstr "dm-verity toewijzingen niet ondersteund door kernel.\n"
 
-#: src/cryptsetup.c:587
+#: lib/verity/verity.c:324
+msgid "Verity device detected corruption after activation."
+msgstr "VERITY-apparaat ontdekte beschadiging na activatie."
+
+#: lib/verity/verity_hash.c:59
 #, c-format
-msgid "Cipher %s is not available.\n"
-msgstr "Versleutelalgoritme %s is niet beschikbaar.\n"
+msgid "Spare area is not zeroed at position %<PRIu64>."
+msgstr "Reservegebied is niet ingesteld op positie %<PRIu64>."
 
-#: src/cryptsetup.c:614
-msgid "N/A"
-msgstr "N/A"
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
+msgid "Device offset overflow."
+msgstr "Overloop van apparaatsgegevenspositie."
 
-#: src/cryptsetup.c:639
+#: lib/verity/verity_hash.c:203
 #, c-format
-msgid "Cannot read keyfile %s.\n"
-msgstr "Kan sleutelbestand %s niet lezen.\n"
+msgid "Verification failed at position %<PRIu64>."
+msgstr "Controle gefaald op positie %<PRIu64>."
 
-#: src/cryptsetup.c:643
-#, c-format
-msgid "Cannot read %d bytes from keyfile %s.\n"
-msgstr "Kan %d bytes uit sleutelbestand %s niet lezen.\n"
+#: lib/verity/verity_hash.c:276
+msgid "Invalid size parameters for verity device."
+msgstr "Ongeldige grootteparameters voor VERITY-apparaat."
 
-#: src/cryptsetup.c:672
-msgid "Really try to repair LUKS device header?"
-msgstr "Bent u zeker de LUKS-apparaatkoptekst te willen herstellen?"
+#: lib/verity/verity_hash.c:296
+msgid "Hash area overflow."
+msgstr ""
+
+#: lib/verity/verity_hash.c:373
+msgid "Verification of data area failed."
+msgstr "Controle van gegevensgebied gefaald."
+
+#: lib/verity/verity_hash.c:378
+msgid "Verification of root hash failed."
+msgstr "Controle van root-hash gefaald."
 
-#: src/cryptsetup.c:697
+#: lib/verity/verity_hash.c:384
+msgid "Input/output error while creating hash area."
+msgstr "Invoer/uitvoerfout bij het aanmaken van hash-gebied."
+
+#: lib/verity/verity_hash.c:386
+msgid "Creation of hash area failed."
+msgstr "Creatie hash-gebied gefaald."
+
+#: lib/verity/verity_hash.c:433
 #, c-format
-msgid "This will overwrite data on %s irrevocably."
-msgstr "Dit zal data op %s onherroepelijk overschrijven."
+msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
+msgstr "WAARSCHUWING: Kernel kan apparaat niet activeren als de gegevensblokgrootte groter is dan de paginagrootte (%u)."
 
-#: src/cryptsetup.c:699
-msgid "memory allocation error in action_luksFormat"
-msgstr "geheugentoewijzingsfout in action_luksFormat"
+#: lib/verity/verity_fec.c:132
+msgid "Failed to allocate RS context."
+msgstr ""
+
+#: lib/verity/verity_fec.c:147
+#, fuzzy
+msgid "Failed to allocate buffer."
+msgstr "Kan status van sleutelbestand niet opvragen.\n"
 
-#: src/cryptsetup.c:721
+#: lib/verity/verity_fec.c:157
 #, c-format
-msgid "Cannot use %s as on-disk header.\n"
-msgstr "Kan %s niet als on-diskkoptekst gebruiken.\n"
+msgid "Failed to read RS block %<PRIu64> byte %d."
+msgstr ""
 
-#: src/cryptsetup.c:788
-msgid "Reduced data offset is allowed only for detached LUKS header.\n"
-msgstr "Een verlaagde datagegevenspositie wordt enkel toegestaan voor een vrijstaande LUKS-koptekst.\n"
+#: lib/verity/verity_fec.c:170
+#, c-format
+msgid "Failed to read parity for RS block %<PRIu64>."
+msgstr ""
 
-#: src/cryptsetup.c:890 src/cryptsetup.c:946
+#: lib/verity/verity_fec.c:178
 #, c-format
-msgid "Key slot %d selected for deletion.\n"
-msgstr "Sleutelplaats %d geselecteerd voor verwijdering.\n"
+msgid "Failed to repair parity for block %<PRIu64>."
+msgstr ""
 
-#: src/cryptsetup.c:893
+#: lib/verity/verity_fec.c:189
 #, c-format
-msgid "Key %d not active. Can't wipe.\n"
-msgstr "Sleutel %d is niet actief. Kan niet wissen.\n"
+msgid "Failed to write parity for RS block %<PRIu64>."
+msgstr ""
 
-#: src/cryptsetup.c:901 src/cryptsetup.c:949
-msgid "This is the last keyslot. Device will become unusable after purging this key."
-msgstr "Dit is de laatste sleutelplaats. Apparaat zal onbruikbaar worden na het verwijderen van deze sleutel."
+#: lib/verity/verity_fec.c:224
+msgid "Block sizes must match for FEC."
+msgstr ""
 
-#: src/cryptsetup.c:902
-msgid "Enter any remaining passphrase: "
-msgstr "Voer enig overblijvend wachtwoord in: "
+#: lib/verity/verity_fec.c:230
+msgid "Invalid number of parity bytes."
+msgstr ""
 
-#: src/cryptsetup.c:930
-msgid "Enter passphrase to be deleted: "
-msgstr "Voer het te verwijderen wachtwoord in: "
+#: lib/verity/verity_fec.c:266
+#, fuzzy, c-format
+msgid "Failed to determine size for device %s."
+msgstr "Openen van het tijdelijke sleutelopslagapparaat is mislukt.\n"
 
-#: src/cryptsetup.c:1017 src/cryptsetup_reencrypt.c:1116
-#, c-format
-msgid "Enter any existing passphrase: "
-msgstr "Voer een bestaand wachtwoord in: "
+#: lib/integrity/integrity.c:268 lib/integrity/integrity.c:339
+#, fuzzy
+msgid "Kernel does not support dm-integrity mapping."
+msgstr "dm-verity toewijzingen niet ondersteund door kernel.\n"
 
-#: src/cryptsetup.c:1072
-msgid "Enter passphrase to be changed: "
-msgstr "Voer het te wijzigen wachtwoord in: "
+#: lib/integrity/integrity.c:274
+#, fuzzy
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "dm-verity toewijzingen niet ondersteund door kernel.\n"
 
-#: src/cryptsetup.c:1086 src/cryptsetup_reencrypt.c:1101
-msgid "Enter new passphrase: "
-msgstr "Voer nieuw wachtwoord in: "
+#: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
+#: lib/luks2/luks2_json_metadata.c:1245
+#, fuzzy, c-format
+msgid "Failed to acquire write lock on device %s."
+msgstr "Kan geen toegang verkrijgen tot tijdelijk sleutelopslagapparaat.\n"
 
-#: src/cryptsetup.c:1110
-msgid "Only one device argument for isLuks operation is supported.\n"
-msgstr "Voor de isLuks-operatie wordt slechts één apparaatsargument ondersteund.\n"
+#: lib/luks2/luks2_disk_metadata.c:392
+msgid "Detected attempt for concurrent LUKS2 metadata update. Aborting operation."
+msgstr ""
+
+#: lib/luks2/luks2_disk_metadata.c:691 lib/luks2/luks2_disk_metadata.c:712
+msgid ""
+"Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
+"Please run \"cryptsetup repair\" for recovery."
+msgstr ""
 
-#: src/cryptsetup.c:1266 src/cryptsetup.c:1287
-msgid "Option --header-backup-file is required.\n"
-msgstr "Optie --header-backup-file is vereist.\n"
+#: lib/luks2/luks2_json_format.c:227
+#, fuzzy
+msgid "Requested data offset is too small."
+msgstr "Apparaat %s is te klein.\n"
 
-#: src/cryptsetup.c:1324
+#: lib/luks2/luks2_json_format.c:271
 #, c-format
-msgid "Unrecognized metadata device type %s.\n"
-msgstr "Niet-herkende metadata bij apparaatstype %s.\n"
+msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
+msgstr ""
 
-#: src/cryptsetup.c:1327
-msgid "Command requires device and mapped name as arguments.\n"
-msgstr "Opdracht vereist apparaat en toewijzingsnaam als argumenten.\n"
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
+#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_keyslot_luks2.c:114
+#, fuzzy, c-format
+msgid "Failed to acquire read lock on device %s."
+msgstr "Kan geen toegang verkrijgen tot tijdelijk sleutelopslagapparaat.\n"
 
-#: src/cryptsetup.c:1346
+#: lib/luks2/luks2_json_metadata.c:1168
 #, c-format
-msgid ""
-"This operation will erase all keyslots on device %s.\n"
-"Device will become unusable after this operation."
+msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr ""
-"Deze operatie zal alle sleutelplaatsen op apparaat %s wissen.\n"
-"Na deze operatie wordt het apparaat onbruikbaar."
 
-#: src/cryptsetup.c:1380
-msgid "<device> [--type <type>] [<name>]"
-msgstr "<apparaat> [--type <type>] [<naam>]"
+#: lib/luks2/luks2_json_metadata.c:1209
+#, fuzzy
+msgid "Data offset differ on device and backup, restore failed."
+msgstr "Verschillende gegevenspositie of sleutelgrootte in apparaat en reservekopie; herstelling is mislukt.\n"
 
-#: src/cryptsetup.c:1380
-msgid "open device as mapping <name>"
-msgstr "apparaat als toewijzing <naam> openen"
+#: lib/luks2/luks2_json_metadata.c:1215
+#, fuzzy
+msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
+msgstr "Verschillende gegevenspositie of sleutelgrootte in apparaat en reservekopie; herstelling is mislukt.\n"
 
-#: src/cryptsetup.c:1381 src/cryptsetup.c:1382 src/cryptsetup.c:1383
-#: src/veritysetup.c:329 src/veritysetup.c:330
-msgid "<name>"
-msgstr "<naam>"
+#: lib/luks2/luks2_json_metadata.c:1222
+#, fuzzy, c-format
+msgid "Device %s %s%s%s%s"
+msgstr "Apparaat %s %s%s"
 
-#: src/cryptsetup.c:1381
-msgid "close device (remove mapping)"
-msgstr "apparaat sluiten (toewijzingen verwijderen)"
+#: lib/luks2/luks2_json_metadata.c:1223
+#, fuzzy
+msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
+msgstr "bevat geen LUKS-koptekst. Het vervangen van de koptekst kan gegevens op het apparaat vernietigen."
 
-#: src/cryptsetup.c:1382
-msgid "resize active device"
-msgstr "actief apparaat vergroten of verkleinen"
+#: lib/luks2/luks2_json_metadata.c:1224
+#, fuzzy
+msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
+msgstr "bevat reeds een LUKS-koptekst. Het vervangen van de koptekst zal bestaande sleutelplaatsen vernietigen."
 
-#: src/cryptsetup.c:1383
-msgid "show device status"
-msgstr "apparaatstatus tonen"
+#: lib/luks2/luks2_json_metadata.c:1226
+msgid ""
+"\n"
+"WARNING: unknown LUKS2 requirements detected in real device header!\n"
+"Replacing header with backup may corrupt the data on that device!"
+msgstr ""
 
-#: src/cryptsetup.c:1384
-msgid "[--cipher <cipher>]"
-msgstr "[--cipher <versleutelalgoritme>]"
+#: lib/luks2/luks2_json_metadata.c:1228
+msgid ""
+"\n"
+"WARNING: Unfinished offline reencryption detected on the device!\n"
+"Replacing header with backup may corrupt data."
+msgstr ""
 
-#: src/cryptsetup.c:1384
-msgid "benchmark cipher"
-msgstr "versleutelalgoritme benchmarken"
+#: lib/luks2/luks2_json_metadata.c:1324
+#, c-format
+msgid "Ignored unknown flag %s."
+msgstr ""
 
-#: src/cryptsetup.c:1385 src/cryptsetup.c:1386 src/cryptsetup.c:1392
-#: src/cryptsetup.c:1393 src/cryptsetup.c:1394 src/cryptsetup.c:1395
-#: src/cryptsetup.c:1396 src/cryptsetup.c:1397 src/cryptsetup.c:1398
-#: src/cryptsetup.c:1399
-msgid "<device>"
-msgstr "<apparaat>"
+#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#, c-format
+msgid "Missing key for dm-crypt segment %u"
+msgstr ""
 
-#: src/cryptsetup.c:1385
-msgid "try to repair on-disk metadata"
-msgstr "on-disk metadata proberen te herstellen"
+#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#, fuzzy
+msgid "Failed to set dm-crypt segment."
+msgstr "Kan status van sleutelbestand niet opvragen.\n"
 
-#: src/cryptsetup.c:1386
-msgid "erase all keyslots (remove encryption key)"
-msgstr "alle sleutelplaatsen wissen (encryptiesleutel verwijderen)"
+#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+msgid "Failed to set dm-linear segment."
+msgstr ""
 
-#: src/cryptsetup.c:1387 src/cryptsetup.c:1388
-msgid "<device> [<new key file>]"
-msgstr "<apparaat> [<nieuw sleutelbestand>]"
+#: lib/luks2/luks2_json_metadata.c:2156
+msgid "Unsupported device integrity configuration."
+msgstr ""
 
-#: src/cryptsetup.c:1387
-msgid "formats a LUKS device"
-msgstr "een LUKS-apparaat formatteren"
+#: lib/luks2/luks2_json_metadata.c:2237
+msgid "Reencryption in-progress. Cannot deactivate device."
+msgstr ""
 
-#: src/cryptsetup.c:1388
-msgid "add key to LUKS device"
-msgstr "sleutel aan LUKS-apparaat toevoegen"
+#: lib/luks2/luks2_json_metadata.c:2248 lib/luks2/luks2_reencrypt.c:3190
+#, c-format
+msgid "Failed to replace suspended device %s with dm-error target."
+msgstr ""
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1390
-msgid "<device> [<key file>]"
-msgstr "<apparaat> [<sleutelbestand>]"
+#: lib/luks2/luks2_json_metadata.c:2328
+msgid "Failed to read LUKS2 requirements."
+msgstr ""
 
-#: src/cryptsetup.c:1389
-msgid "removes supplied key or key file from LUKS device"
-msgstr "verschafte sleutel of sleutelbestand van LUKS-apparaat verwijderen"
+#: lib/luks2/luks2_json_metadata.c:2335
+msgid "Unmet LUKS2 requirements detected."
+msgstr ""
 
-#: src/cryptsetup.c:1390
-msgid "changes supplied key or key file of LUKS device"
-msgstr "wijzigt verschafte sleutel of sleutelbestand van LUKS-apparaat"
+#: lib/luks2/luks2_json_metadata.c:2343
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr ""
 
-#: src/cryptsetup.c:1391
-msgid "<device> <key slot>"
-msgstr "<apparaat> <sleutelplaats>"
+#: lib/luks2/luks2_json_metadata.c:2345
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr ""
 
-#: src/cryptsetup.c:1391
-msgid "wipes key with number <key slot> from LUKS device"
-msgstr "sleutel met nummer <sleutelplaats> van LUKS-apparaat verwijderen"
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
+msgid "Not enough available memory to open a keyslot."
+msgstr ""
 
-#: src/cryptsetup.c:1392
-msgid "print UUID of LUKS device"
-msgstr "UUID van LUKS-apparaat tonen"
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
+#, fuzzy
+msgid "Keyslot open failed."
+msgstr "Sleutelplaats %d is geverifieerd.\n"
 
-#: src/cryptsetup.c:1393
-msgid "tests <device> for LUKS partition header"
-msgstr "<apparaat> op een LUKS-partitiekoptekst testen"
+#: lib/luks2/luks2_keyslot_luks2.c:53 lib/luks2/luks2_keyslot_luks2.c:108
+#, c-format
+msgid "Cannot use %s-%s cipher for keyslot encryption."
+msgstr ""
 
-#: src/cryptsetup.c:1394
-msgid "dump LUKS partition information"
-msgstr "LUKS-partitie-informatie dumpen"
+#: lib/luks2/luks2_keyslot_luks2.c:480
+#, fuzzy
+msgid "No space for new keyslot."
+msgstr "Kan nieuwe sleutelplaats niet verwisselen.\n"
 
-#: src/cryptsetup.c:1395
-msgid "dump TCRYPT device information"
-msgstr "TCRYPT-apparaatsinformatie dumpen"
+#: lib/luks2/luks2_luks1_convert.c:481
+#, fuzzy, c-format
+msgid "Cannot check status of device with uuid: %s."
+msgstr "Kan wachtwoordkwaliteit niet nakijken: %s\n"
 
-#: src/cryptsetup.c:1396
-msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
-msgstr "LUKS-apparaat schorsen en sleutel wissen (alle in-/uitvoer wordt bevroren)."
+#: lib/luks2/luks2_luks1_convert.c:507
+msgid "Unable to convert header with LUKSMETA additional metadata."
+msgstr ""
 
-#: src/cryptsetup.c:1397
-msgid "Resume suspended LUKS device."
-msgstr "Geschorst LUKS-apparaat hervatten."
+#: lib/luks2/luks2_luks1_convert.c:547
+msgid "Unable to move keyslot area. Not enough space."
+msgstr ""
 
-#: src/cryptsetup.c:1398
-msgid "Backup LUKS device header and keyslots"
-msgstr "Reservekopie van LUKS-apparaatkoptekst en -sleutelplaatsen maken"
+#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#, fuzzy
+msgid "Unable to move keyslot area."
+msgstr "Openen van sleutelbestand is mislukt.\n"
 
-#: src/cryptsetup.c:1399
-msgid "Restore LUKS device header and keyslots"
-msgstr "LUKS-apparaatkoptekst en -sleutelplaatsen herstellen"
+#: lib/luks2/luks2_luks1_convert.c:682
+msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
+msgstr ""
 
-#: src/cryptsetup.c:1416 src/veritysetup.c:346
-msgid ""
-"\n"
-"<action> is one of:\n"
+#: lib/luks2/luks2_luks1_convert.c:690
+msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr ""
-"\n"
-"<actie> is één van:\n"
 
-#: src/cryptsetup.c:1422
-msgid ""
-"\n"
-"You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+#: lib/luks2/luks2_luks1_convert.c:702
+#, c-format
+msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr ""
-"\n"
-"U kan ook oude <actie>-syntax aliasen gebruiken:\n"
-"\topen: (plainOpen), luksOpen, loopaesOpen, tcryptOpen aanmaken\n"
-"\tclose: (plainClose), luksClose, loopaesClose, tryptClose verwijderen\n"
 
-#: src/cryptsetup.c:1426
+#: lib/luks2/luks2_luks1_convert.c:710
 #, c-format
-msgid ""
-"\n"
-"<name> is the device to create under %s\n"
-"<device> is the encrypted device\n"
-"<key slot> is the LUKS key slot number to modify\n"
-"<key file> optional key file for the new key for luksAddKey action\n"
+msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr ""
-"\n"
-"<naam> is het onder %s aan te maken apparaat\n"
-"<apparaat> is het versleutelde apparaat\n"
-"<sleutelplaats> is het nummer van de te wijzigen LUKS-sleutelplaats\n"
-"<sleutelbestand> optioneel sleutelbestand voor de nieuwe sleutel voor de luksAddKey-actie\n"
 
-#: src/cryptsetup.c:1433
+#: lib/luks2/luks2_luks1_convert.c:724
 #, c-format
-msgid ""
-"\n"
-"Default compiled-in key and passphrase parameters:\n"
-"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
-"Default PBKDF2 iteration time for LUKS: %d (ms)\n"
+msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr ""
-"\n"
-"Standaard meegecompileerde sleutel- en wachtwoordparameters:\n"
-"\tMaximum sleutelplaatsgrootte: %dkB, maximum lengte interactief wachtwoord %d (karakters)\n"
-"Standaard PBKDF2-herhalingstijd voor LUKS: %d (ms)\n"
 
-#: src/cryptsetup.c:1440
+#: lib/luks2/luks2_luks1_convert.c:729
 #, c-format
-msgid ""
-"\n"
-"Default compiled-in device cipher parameters:\n"
-"\tloop-AES: %s, Key %d bits\n"
-"\tplain: %s, Key: %d bits, Password hashing: %s\n"
-"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr ""
-"\n"
-"Standaard meegecompileerde parameters van het apparaatsversleutelingsalgoritme:\n"
-"\tloop-AES: %s, Sleutel: %d bits\n"
-"\tplain: %s, Sleutel: %d bits, Wachtwoordhashing: %s\n"
-"\tLUKS1: %s, Sleutel: %d bits, LUKS-kopteksthashing: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:1457 src/veritysetup.c:481
+#: lib/luks2/luks2_luks1_convert.c:734
 #, c-format
-msgid "%s: requires %s as arguments"
-msgstr "%s: vereist %s als argumenten"
+msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
+msgstr ""
 
-#: src/cryptsetup.c:1490 src/veritysetup.c:386 src/cryptsetup_reencrypt.c:1302
-msgid "Show this help message"
-msgstr "Deze hulptekst tonen"
+#: lib/luks2/luks2_reencrypt.c:892
+#, c-format
+msgid "Hotzone size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr ""
 
-#: src/cryptsetup.c:1491 src/veritysetup.c:387 src/cryptsetup_reencrypt.c:1303
-msgid "Display brief usage"
-msgstr "Korte gebruikssamenvatting tonen"
+#: lib/luks2/luks2_reencrypt.c:897
+#, fuzzy, c-format
+msgid "Device size must be multiple of calculated zone alignment (%zu bytes)."
+msgstr "Verkleiningsgrootte moet een meervoud zijn van de 512 bytes-grote sector."
 
-#: src/cryptsetup.c:1495 src/veritysetup.c:391 src/cryptsetup_reencrypt.c:1307
-msgid "Help options:"
-msgstr "Hulpopties:"
+#: lib/luks2/luks2_reencrypt.c:941
+#, fuzzy, c-format
+msgid "Unsupported resilience mode %s"
+msgstr "Niet-ondersteunde LUKS-versie %d.\n"
 
-#: src/cryptsetup.c:1496 src/veritysetup.c:392 src/cryptsetup_reencrypt.c:1308
-msgid "Print package version"
-msgstr "Pakketversie tonen"
+#: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
+#: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
+#: lib/luks2/luks2_reencrypt.c:3030
+#, fuzzy
+msgid "Failed to initialize old segment storage wrapper."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:1172 lib/luks2/luks2_reencrypt.c:1291
+#, fuzzy
+msgid "Failed to initialize new segment storage wrapper."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:1340
+#, fuzzy
+msgid "Failed to read checksums for current hotzone."
+msgstr "Lezen uit sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
+#, fuzzy, c-format
+msgid "Failed to read hotzone area starting at %<PRIu64>."
+msgstr "Reservegebied is niet ingesteld op positie %<PRIu64>.\n"
 
-#: src/cryptsetup.c:1497 src/veritysetup.c:393 src/cryptsetup_reencrypt.c:1309
-msgid "Shows more detailed error messages"
-msgstr "Gedetailleerdere foutboodschappen tonen"
+#: lib/luks2/luks2_reencrypt.c:1366
+#, fuzzy, c-format
+msgid "Failed to decrypt sector %zu."
+msgstr "Lezen uit sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:1372
+#, fuzzy, c-format
+msgid "Failed to recover sector %zu."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
 
-#: src/cryptsetup.c:1498 src/veritysetup.c:394 src/cryptsetup_reencrypt.c:1310
-msgid "Show debug messages"
-msgstr "Debug-boodschappen tonen"
+#: lib/luks2/luks2_reencrypt.c:1867
+#, c-format
+msgid "Source and target device sizes don't match. Source %<PRIu64>, target: %<PRIu64>."
+msgstr ""
 
-#: src/cryptsetup.c:1499 src/cryptsetup_reencrypt.c:1312
-msgid "The cipher used to encrypt the disk (see /proc/crypto)"
-msgstr "Het gebruikte versleutelalgoritme om de schijf te versleutelen (zie /proc/crypto)"
+#: lib/luks2/luks2_reencrypt.c:1965
+#, fuzzy, c-format
+msgid "Failed to activate hotzone device %s."
+msgstr "Kan geen toegang verkrijgen tot tijdelijk sleutelopslagapparaat.\n"
 
-#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1314
-msgid "The hash used to create the encryption key from the passphrase"
-msgstr "De gebruikte hash om de encryptiesleutel uit het wachtwoord aan te maken"
+#: lib/luks2/luks2_reencrypt.c:1982
+#, c-format
+msgid "Failed to activate overlay device %s with actual origin table."
+msgstr ""
 
-#: src/cryptsetup.c:1501
-msgid "Verifies the passphrase by asking for it twice"
-msgstr "Het wachtwoord controleren door het twee keer te vragen"
+#: lib/luks2/luks2_reencrypt.c:1989
+#, fuzzy, c-format
+msgid "Failed to load new mapping for device %s."
+msgstr "Openen van het tijdelijke sleutelopslagapparaat is mislukt.\n"
 
-#: src/cryptsetup.c:1502 src/cryptsetup_reencrypt.c:1316
-msgid "Read the key from a file."
-msgstr "De sleutel uit een bestand lezen."
+#: lib/luks2/luks2_reencrypt.c:2060
+msgid "Failed to refresh reencryption devices stack."
+msgstr ""
 
-#: src/cryptsetup.c:1503
-msgid "Read the volume (master) key from file."
-msgstr "De (hoofd)sleutel tot het opslagmedium uit een bestand lezen."
+#: lib/luks2/luks2_reencrypt.c:2216
+#, fuzzy
+msgid "Failed to set new keyslots area size."
+msgstr "Kan nieuwe sleutelplaats niet verwisselen.\n"
 
-#: src/cryptsetup.c:1504
-msgid "Dump volume (master) key instead of keyslots info."
-msgstr "Dump (hoofd)sleutel tot het opslagmedium in plaats van de sleutelplaatsinformatie."
+#: lib/luks2/luks2_reencrypt.c:2318
+#, c-format
+msgid "Data shift is not aligned to requested encryption sector size (%<PRIu32> bytes)."
+msgstr ""
 
-#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
-msgid "The size of the encryption key"
-msgstr "De grootte van de encryptiesleutel"
+#: lib/luks2/luks2_reencrypt.c:2339
+#, c-format
+msgid "Data device is not aligned to requested encryption sector size (%<PRIu32> bytes)."
+msgstr ""
 
-#: src/cryptsetup.c:1505 src/cryptsetup_reencrypt.c:1313
-msgid "BITS"
-msgstr "BITS"
+#: lib/luks2/luks2_reencrypt.c:2360
+#, c-format
+msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
+msgstr ""
 
-#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1327
-msgid "Limits the read from keyfile"
-msgstr "Beperkt de lezing uit sleutelbestand"
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
+#, fuzzy, c-format
+msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
+msgstr "Kan apparaat %s niet gebruiken; het is nog actief (reeds toegewezen of aangekoppeld).\n"
 
-#: src/cryptsetup.c:1506 src/cryptsetup.c:1507 src/cryptsetup.c:1508
-#: src/cryptsetup.c:1509 src/veritysetup.c:397 src/veritysetup.c:398
-#: src/veritysetup.c:400 src/cryptsetup_reencrypt.c:1326
-#: src/cryptsetup_reencrypt.c:1327 src/cryptsetup_reencrypt.c:1328
-#: src/cryptsetup_reencrypt.c:1329
-msgid "bytes"
-msgstr "bytes"
+#: lib/luks2/luks2_reencrypt.c:2534
+#, fuzzy
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Sleutel niet wijzigen; gegevensgebied wordt niet opnieuw versleuteld."
 
-#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1326
-msgid "Number of bytes to skip in keyfile"
-msgstr "Aantal bytes over te slaan in sleutelbestand"
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
+msgid "Failed to load LUKS2 reencryption context."
+msgstr ""
 
-#: src/cryptsetup.c:1508
-msgid "Limits the read from newly added keyfile"
-msgstr "Beperkt de lezing uit een nieuw toegevoegd sleutelbestand"
+#: lib/luks2/luks2_reencrypt.c:2619
+#, fuzzy
+msgid "Failed to get reencryption state."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:2623
+#, fuzzy
+msgid "Device is not in reencryption."
+msgstr "Apparaat %s is niet actief.\n"
 
-#: src/cryptsetup.c:1509
-msgid "Number of bytes to skip in newly added keyfile"
-msgstr "Aantal bytes over te slaan in nieuwste toegevoegde sleutelbestand"
+#: lib/luks2/luks2_reencrypt.c:2630
+msgid "Reencryption process is already running."
+msgstr ""
 
-#: src/cryptsetup.c:1510
-msgid "Slot number for new key (default is first free)"
-msgstr "Plaatsnummer voor nieuwe sleutel (standaard is de eerste open plaats)"
+#: lib/luks2/luks2_reencrypt.c:2632
+#, fuzzy
+msgid "Failed to acquire reencryption lock."
+msgstr "Kan herencryptie-logbestand niet lezen.\n"
 
-#: src/cryptsetup.c:1511
-msgid "The size of the device"
-msgstr "De grootte van het apparaat"
+#: lib/luks2/luks2_reencrypt.c:2650
+msgid "Cannot proceed with reencryption. Run reencryption recovery first."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2750
+msgid "Active device size and requested reencryption size don't match."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2764
+msgid "Illegal device size requested in reencryption parameters."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2834
+msgid "Reencryption in-progress. Cannot perform recovery."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2906
+msgid "LUKS2 reencryption already initialized in metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:2913
+msgid "Failed to initialize LUKS2 reencryption in metadata."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3004
+msgid "Failed to set device segments for next reencryption hotzone."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3046
+#, fuzzy
+msgid "Failed to write reencryption resilience metadata."
+msgstr "Kan herencryptie-logbestand niet schrijven.\n"
+
+#: lib/luks2/luks2_reencrypt.c:3053
+#, fuzzy
+msgid "Decryption failed."
+msgstr "Herstelling is mislukt."
+
+#: lib/luks2/luks2_reencrypt.c:3058
+#, fuzzy, c-format
+msgid "Failed to write hotzone area starting at %<PRIu64>."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:3063
+#, fuzzy
+msgid "Failed to sync data."
+msgstr "Kan status van sleutelbestand niet opvragen.\n"
+
+#: lib/luks2/luks2_reencrypt.c:3071
+msgid "Failed to update metadata after current reencryption hotzone completed."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3138
+#, fuzzy
+msgid "Failed to write LUKS2 metadata."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: lib/luks2/luks2_reencrypt.c:3161
+msgid "Failed to wipe backup segment data."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3174
+msgid "Failed to disable reencryption requirement flag."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3182
+#, c-format
+msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3191
+msgid "Do not resume the device unless replaced with error target manually."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3240
+msgid "Cannot proceed with reencryption. Unexpected reencryption status."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3246
+msgid "Missing or invalid reencrypt context."
+msgstr ""
+
+#: lib/luks2/luks2_reencrypt.c:3253
+#, fuzzy
+msgid "Failed to initialize reencryption device stack."
+msgstr "Kan versleutelings-backend niet initialiseren.\n"
+
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
+#, fuzzy
+msgid "Failed to update reencryption context."
+msgstr "Kan herencryptie-logbestand niet openen.\n"
+
+#: lib/luks2/luks2_token.c:262
+msgid "No free token slot."
+msgstr ""
+
+#: lib/luks2/luks2_token.c:269
+#, fuzzy, c-format
+msgid "Failed to create builtin token %s."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: src/cryptsetup.c:163
+msgid "Can't do passphrase verification on non-tty inputs."
+msgstr "Kan geen wachtwoordverificatie uitvoeren op invoer van buiten de terminal."
+
+#: src/cryptsetup.c:216
+#, fuzzy
+msgid "Keyslot encryption parameters can be set only for LUKS2 device."
+msgstr "Deze operatie wordt enkel ondersteund voor LUKS-apparaten.\n"
+
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1275
+#: src/cryptsetup.c:3078 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
+msgid "No known cipher specification pattern detected."
+msgstr "Geen bekend specificatiepatroon voor het sleutelalgoritme gevonden."
+
+#: src/cryptsetup.c:254
+msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
+msgstr "WAARSCHUWING: In normale modus met opgegeven sleutelbestand wordt de --hash-parameter genegeerd.\n"
+
+#: src/cryptsetup.c:262
+msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
+msgstr "WAARSCHUWING: De optie --keyfile-size wordt genegeerd, de leesgrootte is gelijk aan de encryptiesleutelgrootte.\n"
+
+#: src/cryptsetup.c:302
+#, c-format
+msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
+msgstr ""
+
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1252 src/cryptsetup.c:1325 src/cryptsetup.c:1979
+#: src/cryptsetup.c:2615 src/cryptsetup.c:2738 src/integritysetup.c:232
+msgid "Operation aborted.\n"
+msgstr ""
+
+#: src/cryptsetup.c:376
+msgid "Option --key-file is required."
+msgstr "Optie --key-file is vereist."
+
+#: src/cryptsetup.c:429
+msgid "Enter VeraCrypt PIM: "
+msgstr ""
+
+#: src/cryptsetup.c:438
+msgid "Invalid PIM value: parse error."
+msgstr ""
+
+#: src/cryptsetup.c:441
+#, fuzzy
+msgid "Invalid PIM value: 0."
+msgstr "Ongeldig apparaat %s.\n"
+
+#: src/cryptsetup.c:444
+msgid "Invalid PIM value: outside of range."
+msgstr ""
+
+#: src/cryptsetup.c:467
+msgid "No device header detected with this passphrase."
+msgstr "Geen apparaatkoptekst beschikbaar met dit wachtwoord."
+
+#: src/cryptsetup.c:536
+#, fuzzy, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Apparaat %s is geen geldig LUKS-apparaat.\n"
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2006
+msgid ""
+"Header dump with volume key is sensitive information\n"
+"which allows access to encrypted partition without passphrase.\n"
+"This dump should be always stored encrypted on safe place."
+msgstr ""
+"Dump van koptekst met sleutel tot het opslagmedium bevat gevoelige informatie\n"
+"die zonder wachtwoord toegang verschaft tot versleutelde partities.\n"
+"De dump zou steeds versleuteld en op een veilige plaats bewaard moeten worden."
+
+#: src/cryptsetup.c:668
+#, c-format
+msgid "Device %s is still active and scheduled for deferred removal.\n"
+msgstr ""
+
+#: src/cryptsetup.c:696
+msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
+msgstr ""
+
+#: src/cryptsetup.c:833
+#, fuzzy
+msgid "Benchmark interrupted."
+msgstr "versleutelalgoritme benchmarken"
+
+#: src/cryptsetup.c:854
+#, c-format
+msgid "PBKDF2-%-9s     N/A\n"
+msgstr ""
+
+#: src/cryptsetup.c:856
+#, c-format
+msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
+msgstr ""
+
+#: src/cryptsetup.c:870
+#, c-format
+msgid "%-10s N/A\n"
+msgstr ""
+
+#: src/cryptsetup.c:872
+#, c-format
+msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
+msgstr ""
+
+#: src/cryptsetup.c:896
+msgid "Result of benchmark is not reliable."
+msgstr "Benchmarkresultaat is niet betrouwbaar."
+
+#: src/cryptsetup.c:947
+msgid "# Tests are approximate using memory only (no storage IO).\n"
+msgstr "# Tests zijn bij benadering met enkel geheugen in gebruik (geen opslag-IO).\n"
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:981
+#, fuzzy, c-format
+msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
+msgstr "#  Algoritme | Sleutel |  Versleuteling |  Ontsleuteling\n"
+
+#: src/cryptsetup.c:985
+#, c-format
+msgid "Cipher %s is not available."
+msgstr "Versleutelalgoritme %s is niet beschikbaar."
+
+#. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
+#: src/cryptsetup.c:1005
+#, fuzzy
+msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
+msgstr "#  Algoritme | Sleutel |  Versleuteling |  Ontsleuteling\n"
+
+#: src/cryptsetup.c:1014
+msgid "N/A"
+msgstr "N/A"
+
+#: src/cryptsetup.c:1094
+msgid ""
+"Seems device does not require reencryption recovery.\n"
+"Do you want to proceed anyway?"
+msgstr ""
+
+#: src/cryptsetup.c:1100
+msgid "Really proceed with LUKS2 reencryption recovery?"
+msgstr ""
+
+#: src/cryptsetup.c:1109
+#, fuzzy
+msgid "Enter passphrase for reencryption recovery: "
+msgstr "Voer wachtwoord voor sleutelplaats %u in: "
+
+#: src/cryptsetup.c:1152
+msgid "Really try to repair LUKS device header?"
+msgstr "Bent u zeker de LUKS-apparaatkoptekst te willen herstellen?"
+
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
+msgid ""
+"Wiping device to initialize integrity checksum.\n"
+"You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
+msgstr ""
+
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
+#, fuzzy, c-format
+msgid "Cannot deactivate temporary device %s."
+msgstr "Kan tijdelijk LUKS-apparaat niet openen.\n"
+
+#: src/cryptsetup.c:1237
+msgid "Integrity option can be used only for LUKS2 format."
+msgstr ""
+
+#: src/cryptsetup.c:1242 src/cryptsetup.c:1302
+#, fuzzy
+msgid "Unsupported LUKS2 metadata size options."
+msgstr "Niet-ondersteunde LUKS-versie %d.\n"
+
+#: src/cryptsetup.c:1259
+#, fuzzy, c-format
+msgid "Cannot create header file %s."
+msgstr "Kan reservekopiebestand %s van koptekst niet aanmaken.\n"
+
+#: src/cryptsetup.c:1282 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
+#, fuzzy
+msgid "No known integrity specification pattern detected."
+msgstr "Geen bekend specificatiepatroon voor het sleutelalgoritme gevonden.\n"
+
+#: src/cryptsetup.c:1295
+#, c-format
+msgid "Cannot use %s as on-disk header."
+msgstr "Kan %s niet als on-diskkoptekst gebruiken."
+
+#: src/cryptsetup.c:1319 src/integritysetup.c:226
+#, c-format
+msgid "This will overwrite data on %s irrevocably."
+msgstr "Dit zal data op %s onherroepelijk overschrijven."
+
+#: src/cryptsetup.c:1360 src/cryptsetup.c:1693 src/cryptsetup.c:1760
+#: src/cryptsetup.c:1862 src/cryptsetup.c:1928 src/cryptsetup_reencrypt.c:546
+#, fuzzy
+msgid "Failed to set pbkdf parameters."
+msgstr "Kan status van sleutelbestand niet opvragen.\n"
+
+#: src/cryptsetup.c:1444
+msgid "Reduced data offset is allowed only for detached LUKS header."
+msgstr "Een verlaagde datagegevenspositie wordt enkel toegestaan voor een vrijstaande LUKS-koptekst."
+
+#: src/cryptsetup.c:1455 src/cryptsetup.c:1766
+msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
+msgstr ""
+
+#: src/cryptsetup.c:1493
+msgid "Device activated but cannot make flags persistent."
+msgstr ""
+
+#: src/cryptsetup.c:1574 src/cryptsetup.c:1644
+#, fuzzy, c-format
+msgid "Keyslot %d is selected for deletion."
+msgstr "Sleutelplaats %d geselecteerd voor verwijdering.\n"
+
+#: src/cryptsetup.c:1586 src/cryptsetup.c:1647
+msgid "This is the last keyslot. Device will become unusable after purging this key."
+msgstr "Dit is de laatste sleutelplaats. Apparaat zal onbruikbaar worden na het verwijderen van deze sleutel."
+
+#: src/cryptsetup.c:1587
+msgid "Enter any remaining passphrase: "
+msgstr "Voer enig overblijvend wachtwoord in: "
+
+#: src/cryptsetup.c:1588 src/cryptsetup.c:1649
+msgid "Operation aborted, the keyslot was NOT wiped.\n"
+msgstr ""
+
+#: src/cryptsetup.c:1626
+msgid "Enter passphrase to be deleted: "
+msgstr "Voer het te verwijderen wachtwoord in: "
+
+#: src/cryptsetup.c:1707 src/cryptsetup.c:1781 src/cryptsetup.c:1815
+msgid "Enter new passphrase for key slot: "
+msgstr "Voer een nieuw wachtwoord in voor de sleutelplaats: "
+
+#: src/cryptsetup.c:1798 src/cryptsetup_reencrypt.c:1336
+#, c-format
+msgid "Enter any existing passphrase: "
+msgstr "Voer een bestaand wachtwoord in: "
+
+#: src/cryptsetup.c:1866
+msgid "Enter passphrase to be changed: "
+msgstr "Voer het te wijzigen wachtwoord in: "
+
+#: src/cryptsetup.c:1882 src/cryptsetup_reencrypt.c:1322
+msgid "Enter new passphrase: "
+msgstr "Voer nieuw wachtwoord in: "
+
+#: src/cryptsetup.c:1932
+#, fuzzy
+msgid "Enter passphrase for keyslot to be converted: "
+msgstr "Voer wachtwoord voor sleutelplaats %u in: "
+
+#: src/cryptsetup.c:1956
+msgid "Only one device argument for isLuks operation is supported."
+msgstr "Voor de isLuks-operatie wordt slechts één apparaatsargument ondersteund."
+
+#: src/cryptsetup.c:2140 src/cryptsetup.c:2161
+msgid "Option --header-backup-file is required."
+msgstr "Optie --header-backup-file is vereist."
+
+#: src/cryptsetup.c:2191
+#, fuzzy, c-format
+msgid "%s is not cryptsetup managed device."
+msgstr "%s is geen LUKS-apparaat."
+
+#: src/cryptsetup.c:2202
+#, fuzzy, c-format
+msgid "Refresh is not supported for device type %s"
+msgstr "Hervatting wordt niet ondersteund voor apparaat %s.\n"
+
+#: src/cryptsetup.c:2244
+#, c-format
+msgid "Unrecognized metadata device type %s."
+msgstr "Niet-herkende metadata bij apparaatstype %s."
+
+#: src/cryptsetup.c:2247
+msgid "Command requires device and mapped name as arguments."
+msgstr "Opdracht vereist apparaat en toewijzingsnaam als argumenten."
+
+#: src/cryptsetup.c:2269
+#, c-format
+msgid ""
+"This operation will erase all keyslots on device %s.\n"
+"Device will become unusable after this operation."
+msgstr ""
+"Deze operatie zal alle sleutelplaatsen op apparaat %s wissen.\n"
+"Na deze operatie wordt het apparaat onbruikbaar."
+
+#: src/cryptsetup.c:2276
+msgid "Operation aborted, keyslots were NOT wiped.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2313
+msgid "Invalid LUKS type, only luks1 and luks2 are supported."
+msgstr ""
+
+#: src/cryptsetup.c:2331
+#, fuzzy, c-format
+msgid "Device is already %s type."
+msgstr "Apparaat %s bestaat reeds.\n"
+
+#: src/cryptsetup.c:2336
+#, fuzzy, c-format
+msgid "This operation will convert %s to %s format.\n"
+msgstr "Deze operatie wordt niet ondersteund voor versleutelapparaat %s.\n"
+
+#: src/cryptsetup.c:2342
+msgid "Operation aborted, device was NOT converted.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2382
+msgid "Option --priority, --label or --subsystem is missing."
+msgstr ""
+
+#: src/cryptsetup.c:2416 src/cryptsetup.c:2449 src/cryptsetup.c:2472
+#, fuzzy, c-format
+msgid "Token %d is invalid."
+msgstr "Sleutelplaats %d is ongeldig.\n"
+
+#: src/cryptsetup.c:2419 src/cryptsetup.c:2475
+#, c-format
+msgid "Token %d in use."
+msgstr ""
+
+#: src/cryptsetup.c:2426
+#, fuzzy, c-format
+msgid "Failed to add luks2-keyring token %d."
+msgstr "Lezen uit sleutelopslag is mislukt.\n"
+
+#: src/cryptsetup.c:2435 src/cryptsetup.c:2497
+#, fuzzy, c-format
+msgid "Failed to assign token %d to keyslot %d."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: src/cryptsetup.c:2452
+#, fuzzy, c-format
+msgid "Token %d is not in use."
+msgstr "Sleutelplaats %d is niet in gebruik.\n"
+
+#: src/cryptsetup.c:2487
+#, fuzzy
+msgid "Failed to import token from file."
+msgstr "Openen van sleutelbestand is mislukt.\n"
+
+#: src/cryptsetup.c:2512
+#, fuzzy, c-format
+msgid "Failed to get token %d for export."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: src/cryptsetup.c:2527
+msgid "--key-description parameter is mandatory for token add action."
+msgstr ""
+
+#: src/cryptsetup.c:2533 src/cryptsetup.c:2541
+msgid "Action requires specific token. Use --token-id parameter."
+msgstr ""
+
+#: src/cryptsetup.c:2546
+#, fuzzy, c-format
+msgid "Invalid token operation %s."
+msgstr "Ongeldige sleutelgrootte %d.\n"
+
+#: src/cryptsetup.c:2601
+#, c-format
+msgid "Auto-detected active dm device '%s' for data device %s.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2605
+#, fuzzy, c-format
+msgid "Device %s is not a block device.\n"
+msgstr "Apparaat %s is geen geldig LUKS-apparaat.\n"
+
+#: src/cryptsetup.c:2607
+#, fuzzy, c-format
+msgid "Failed to auto-detect device %s holders."
+msgstr "Kan geen map voor de apparaatstoewijzer verkrijgen."
+
+#: src/cryptsetup.c:2609
+#, c-format
+msgid ""
+"Unable to decide if device %s is activated or not.\n"
+"Are you sure you want to proceed with reencryption in offline mode?\n"
+"It may lead to data corruption if the device is actually activated.\n"
+"To run reencryption in online mode, use --active-name parameter instead.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2689
+#, fuzzy
+msgid "Invalid LUKS device type."
+msgstr "Ongeldig apparaat %s.\n"
+
+#: src/cryptsetup.c:2694
+msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
+msgstr ""
+
+#: src/cryptsetup.c:2699
+msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
+msgstr ""
+
+#: src/cryptsetup.c:2708
+#, c-format
+msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
+msgstr ""
+
+#: src/cryptsetup.c:2712
+#, fuzzy
+msgid "Encryption is supported only for LUKS2 format."
+msgstr "Deze operatie wordt enkel ondersteund voor LUKS-apparaten.\n"
+
+#: src/cryptsetup.c:2734
+#, c-format
+msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
+msgstr ""
+
+#: src/cryptsetup.c:2749
+#, fuzzy, c-format
+msgid "Temporary header file %s already exists. Aborting."
+msgstr "Aangevraagd reservekopiebestand %s van koptekst bestaat reeds.\n"
+
+#: src/cryptsetup.c:2751 src/cryptsetup.c:2758
+#, fuzzy, c-format
+msgid "Cannot create temporary header file %s."
+msgstr "Kan reservekopiebestand %s van koptekst niet aanmaken.\n"
+
+#: src/cryptsetup.c:2822
+#, c-format
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr ""
+
+#: src/cryptsetup.c:2986 src/cryptsetup.c:2992
+#, fuzzy
+msgid "Not enough free keyslots for reencryption."
+msgstr "Sleutel niet wijzigen; gegevensgebied wordt niet opnieuw versleuteld."
+
+#: src/cryptsetup.c:3012 src/cryptsetup_reencrypt.c:1287
+msgid "Key file can be used only with --key-slot or with exactly one key slot active."
+msgstr "Sleutelbestand kan enkel gebruikt worden met optie --key-slot of met enkel één actieve sleutelplaats."
+
+#: src/cryptsetup.c:3021 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
+#, fuzzy, c-format
+msgid "Enter passphrase for key slot %d: "
+msgstr "Voer wachtwoord voor sleutelplaats %u in: "
+
+#: src/cryptsetup.c:3029
+#, c-format
+msgid "Enter passphrase for key slot %u: "
+msgstr "Voer wachtwoord voor sleutelplaats %u in: "
+
+#: src/cryptsetup.c:3196
+#, fuzzy
+msgid "Command requires device as argument."
+msgstr "Opdracht vereist apparaat en toewijzingsnaam als argumenten.\n"
+
+#: src/cryptsetup.c:3218
+msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
+msgstr ""
+
+#: src/cryptsetup.c:3230
+msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
+msgstr ""
+
+#: src/cryptsetup.c:3240 src/cryptsetup_reencrypt.c:178
+msgid "Reencryption of device with integrity profile is not supported."
+msgstr ""
+
+#: src/cryptsetup.c:3248
+msgid "LUKS2 reencryption already initialized. Aborting operation."
+msgstr ""
+
+#: src/cryptsetup.c:3252
+#, fuzzy
+msgid "LUKS2 device is not in reencryption."
+msgstr "Logbestand %s bestaat reeds, herencryptie wordt herstart.\n"
+
+#: src/cryptsetup.c:3279
+msgid "<device> [--type <type>] [<name>]"
+msgstr "<apparaat> [--type <type>] [<naam>]"
+
+#: src/cryptsetup.c:3279 src/veritysetup.c:394 src/integritysetup.c:474
+#, fuzzy
+msgid "open device as <name>"
+msgstr "apparaat als toewijzing <naam> openen"
+
+#: src/cryptsetup.c:3280 src/cryptsetup.c:3281 src/cryptsetup.c:3282
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
+msgid "<name>"
+msgstr "<naam>"
+
+#: src/cryptsetup.c:3280 src/veritysetup.c:395 src/integritysetup.c:475
+msgid "close device (remove mapping)"
+msgstr "apparaat sluiten (toewijzingen verwijderen)"
+
+#: src/cryptsetup.c:3281
+msgid "resize active device"
+msgstr "actief apparaat vergroten of verkleinen"
+
+#: src/cryptsetup.c:3282
+msgid "show device status"
+msgstr "apparaatstatus tonen"
+
+#: src/cryptsetup.c:3283
+msgid "[--cipher <cipher>]"
+msgstr "[--cipher <versleutelalgoritme>]"
+
+#: src/cryptsetup.c:3283
+msgid "benchmark cipher"
+msgstr "versleutelalgoritme benchmarken"
+
+#: src/cryptsetup.c:3284 src/cryptsetup.c:3285 src/cryptsetup.c:3286
+#: src/cryptsetup.c:3287 src/cryptsetup.c:3288 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3296 src/cryptsetup.c:3297 src/cryptsetup.c:3298
+#: src/cryptsetup.c:3299 src/cryptsetup.c:3300 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303
+msgid "<device>"
+msgstr "<apparaat>"
+
+#: src/cryptsetup.c:3284
+msgid "try to repair on-disk metadata"
+msgstr "on-disk metadata proberen te herstellen"
+
+#: src/cryptsetup.c:3285
+#, fuzzy
+msgid "reencrypt LUKS2 device"
+msgstr "sleutel aan LUKS-apparaat toevoegen"
+
+#: src/cryptsetup.c:3286
+msgid "erase all keyslots (remove encryption key)"
+msgstr "alle sleutelplaatsen wissen (encryptiesleutel verwijderen)"
+
+#: src/cryptsetup.c:3287
+msgid "convert LUKS from/to LUKS2 format"
+msgstr ""
+
+#: src/cryptsetup.c:3288
+msgid "set permanent configuration options for LUKS2"
+msgstr ""
+
+#: src/cryptsetup.c:3289 src/cryptsetup.c:3290
+msgid "<device> [<new key file>]"
+msgstr "<apparaat> [<nieuw sleutelbestand>]"
+
+#: src/cryptsetup.c:3289
+msgid "formats a LUKS device"
+msgstr "een LUKS-apparaat formatteren"
+
+#: src/cryptsetup.c:3290
+msgid "add key to LUKS device"
+msgstr "sleutel aan LUKS-apparaat toevoegen"
+
+#: src/cryptsetup.c:3291 src/cryptsetup.c:3292 src/cryptsetup.c:3293
+msgid "<device> [<key file>]"
+msgstr "<apparaat> [<sleutelbestand>]"
+
+#: src/cryptsetup.c:3291
+msgid "removes supplied key or key file from LUKS device"
+msgstr "verschafte sleutel of sleutelbestand van LUKS-apparaat verwijderen"
+
+#: src/cryptsetup.c:3292
+msgid "changes supplied key or key file of LUKS device"
+msgstr "wijzigt verschafte sleutel of sleutelbestand van LUKS-apparaat"
+
+#: src/cryptsetup.c:3293
+msgid "converts a key to new pbkdf parameters"
+msgstr ""
+
+#: src/cryptsetup.c:3294
+msgid "<device> <key slot>"
+msgstr "<apparaat> <sleutelplaats>"
+
+#: src/cryptsetup.c:3294
+msgid "wipes key with number <key slot> from LUKS device"
+msgstr "sleutel met nummer <sleutelplaats> van LUKS-apparaat verwijderen"
+
+#: src/cryptsetup.c:3295
+msgid "print UUID of LUKS device"
+msgstr "UUID van LUKS-apparaat tonen"
+
+#: src/cryptsetup.c:3296
+msgid "tests <device> for LUKS partition header"
+msgstr "<apparaat> op een LUKS-partitiekoptekst testen"
+
+#: src/cryptsetup.c:3297
+msgid "dump LUKS partition information"
+msgstr "LUKS-partitie-informatie dumpen"
+
+#: src/cryptsetup.c:3298
+msgid "dump TCRYPT device information"
+msgstr "TCRYPT-apparaatsinformatie dumpen"
+
+#: src/cryptsetup.c:3299
+#, fuzzy
+msgid "dump BITLK device information"
+msgstr "TCRYPT-apparaatsinformatie dumpen"
+
+#: src/cryptsetup.c:3300
+#, fuzzy
+msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
+msgstr "LUKS-apparaat schorsen en sleutel wissen (alle in-/uitvoer wordt bevroren)."
+
+#: src/cryptsetup.c:3301
+#, fuzzy
+msgid "Resume suspended LUKS device"
+msgstr "Geschorst LUKS-apparaat hervatten."
+
+#: src/cryptsetup.c:3302
+msgid "Backup LUKS device header and keyslots"
+msgstr "Reservekopie van LUKS-apparaatkoptekst en -sleutelplaatsen maken"
+
+#: src/cryptsetup.c:3303
+msgid "Restore LUKS device header and keyslots"
+msgstr "LUKS-apparaatkoptekst en -sleutelplaatsen herstellen"
+
+#: src/cryptsetup.c:3304
+msgid "<add|remove|import|export> <device>"
+msgstr ""
+
+#: src/cryptsetup.c:3304
+msgid "Manipulate LUKS2 tokens"
+msgstr ""
+
+#: src/cryptsetup.c:3322 src/veritysetup.c:412 src/integritysetup.c:492
+msgid ""
+"\n"
+"<action> is one of:\n"
+msgstr ""
+"\n"
+"<actie> is één van:\n"
+
+#: src/cryptsetup.c:3328
+#, fuzzy
+msgid ""
+"\n"
+"You can also use old <action> syntax aliases:\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
+msgstr ""
+"\n"
+"U kan ook oude <actie>-syntax aliasen gebruiken:\n"
+"\topen: (plainOpen), luksOpen, loopaesOpen, tcryptOpen aanmaken\n"
+"\tclose: (plainClose), luksClose, loopaesClose, tryptClose verwijderen\n"
+
+#: src/cryptsetup.c:3332
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<device> is the encrypted device\n"
+"<key slot> is the LUKS key slot number to modify\n"
+"<key file> optional key file for the new key for luksAddKey action\n"
+msgstr ""
+"\n"
+"<naam> is het onder %s aan te maken apparaat\n"
+"<apparaat> is het versleutelde apparaat\n"
+"<sleutelplaats> is het nummer van de te wijzigen LUKS-sleutelplaats\n"
+"<sleutelbestand> optioneel sleutelbestand voor de nieuwe sleutel voor de luksAddKey-actie\n"
+
+#: src/cryptsetup.c:3339
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in metadata format is %s (for luksFormat action).\n"
+msgstr ""
+
+#: src/cryptsetup.c:3344
+#, fuzzy, c-format
+msgid ""
+"\n"
+"Default compiled-in key and passphrase parameters:\n"
+"\tMaximum keyfile size: %dkB, Maximum interactive passphrase length %d (characters)\n"
+"Default PBKDF for LUKS1: %s, iteration time: %d (ms)\n"
+"Default PBKDF for LUKS2: %s\n"
+"\tIteration time: %d, Memory required: %dkB, Parallel threads: %d\n"
+msgstr ""
+"\n"
+"Standaard meegecompileerde sleutel- en wachtwoordparameters:\n"
+"\tMaximum sleutelplaatsgrootte: %dkB, maximum lengte interactief wachtwoord %d (karakters)\n"
+"Standaard PBKDF2-herhalingstijd voor LUKS: %d (ms)\n"
+
+#: src/cryptsetup.c:3355
+#, fuzzy, c-format
+msgid ""
+"\n"
+"Default compiled-in device cipher parameters:\n"
+"\tloop-AES: %s, Key %d bits\n"
+"\tplain: %s, Key: %d bits, Password hashing: %s\n"
+"\tLUKS: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"
+msgstr ""
+"\n"
+"Standaard meegecompileerde parameters van het apparaatsversleutelingsalgoritme:\n"
+"\tloop-AES: %s, Sleutel: %d bits\n"
+"\tplain: %s, Sleutel: %d bits, Wachtwoordhashing: %s\n"
+"\tLUKS1: %s, Sleutel: %d bits, LUKS-kopteksthashing: %s, RNG: %s\n"
+
+#: src/cryptsetup.c:3364
+msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3380 src/veritysetup.c:569 src/integritysetup.c:634
+#, c-format
+msgid "%s: requires %s as arguments"
+msgstr "%s: vereist %s als argumenten"
+
+#: src/cryptsetup.c:3418 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
+msgid "Show this help message"
+msgstr "Deze hulptekst tonen"
+
+#: src/cryptsetup.c:3419 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
+msgid "Display brief usage"
+msgstr "Korte gebruikssamenvatting tonen"
+
+#: src/cryptsetup.c:3420 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
+msgid "Print package version"
+msgstr "Pakketversie tonen"
+
+#: src/cryptsetup.c:3424 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
+msgid "Help options:"
+msgstr "Hulpopties:"
+
+#: src/cryptsetup.c:3425 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
+msgid "Shows more detailed error messages"
+msgstr "Gedetailleerdere foutboodschappen tonen"
+
+#: src/cryptsetup.c:3426 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
+msgid "Show debug messages"
+msgstr "Debug-boodschappen tonen"
+
+#: src/cryptsetup.c:3427
+#, fuzzy
+msgid "Show debug messages including JSON metadata"
+msgstr "Debug-boodschappen tonen"
+
+#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1610
+msgid "The cipher used to encrypt the disk (see /proc/crypto)"
+msgstr "Het gebruikte versleutelalgoritme om de schijf te versleutelen (zie /proc/crypto)"
+
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1612
+msgid "The hash used to create the encryption key from the passphrase"
+msgstr "De gebruikte hash om de encryptiesleutel uit het wachtwoord aan te maken"
+
+#: src/cryptsetup.c:3430
+msgid "Verifies the passphrase by asking for it twice"
+msgstr "Het wachtwoord controleren door het twee keer te vragen"
+
+#: src/cryptsetup.c:3431 src/cryptsetup_reencrypt.c:1614
+#, fuzzy
+msgid "Read the key from a file"
+msgstr "De sleutel uit een bestand lezen."
+
+#: src/cryptsetup.c:3432
+msgid "Read the volume (master) key from file."
+msgstr "De (hoofd)sleutel tot het opslagmedium uit een bestand lezen."
+
+#: src/cryptsetup.c:3433
+#, fuzzy
+msgid "Dump volume (master) key instead of keyslots info"
+msgstr "Dump (hoofd)sleutel tot het opslagmedium in plaats van de sleutelplaatsinformatie."
+
+#: src/cryptsetup.c:3434 src/cryptsetup_reencrypt.c:1611
+msgid "The size of the encryption key"
+msgstr "De grootte van de encryptiesleutel"
+
+#: src/cryptsetup.c:3434 src/cryptsetup.c:3494 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
+msgid "BITS"
+msgstr "BITS"
+
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1627
+msgid "Limits the read from keyfile"
+msgstr "Beperkt de lezing uit sleutelbestand"
+
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3436 src/cryptsetup.c:3437
+#: src/cryptsetup.c:3438 src/cryptsetup.c:3441 src/cryptsetup.c:3491
+#: src/cryptsetup.c:3492 src/cryptsetup.c:3500 src/cryptsetup.c:3501
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
+msgid "bytes"
+msgstr "bytes"
+
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1626
+msgid "Number of bytes to skip in keyfile"
+msgstr "Aantal bytes over te slaan in sleutelbestand"
+
+#: src/cryptsetup.c:3437
+msgid "Limits the read from newly added keyfile"
+msgstr "Beperkt de lezing uit een nieuw toegevoegd sleutelbestand"
+
+#: src/cryptsetup.c:3438
+msgid "Number of bytes to skip in newly added keyfile"
+msgstr "Aantal bytes over te slaan in nieuwste toegevoegde sleutelbestand"
+
+#: src/cryptsetup.c:3439
+msgid "Slot number for new key (default is first free)"
+msgstr "Plaatsnummer voor nieuwe sleutel (standaard is de eerste open plaats)"
+
+#: src/cryptsetup.c:3440
+msgid "The size of the device"
+msgstr "De grootte van het apparaat"
 
-#: src/cryptsetup.c:1511 src/cryptsetup.c:1512 src/cryptsetup.c:1513
-#: src/cryptsetup.c:1519
+#: src/cryptsetup.c:3440 src/cryptsetup.c:3442 src/cryptsetup.c:3443
+#: src/cryptsetup.c:3449 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SECTOREN"
 
-#: src/cryptsetup.c:1512
+#: src/cryptsetup.c:3441 src/cryptsetup_reencrypt.c:1629
+msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
+msgstr "Enkel ingegeven apparaatsgrootte gebruiken (rest van apparaat wordt genegeerd). GEVAARLIJK!"
+
+#: src/cryptsetup.c:3442
 msgid "The start offset in the backend device"
 msgstr "De startplaats in het backend-apparaat"
 
-#: src/cryptsetup.c:1513
+#: src/cryptsetup.c:3443
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Hoeveel sectoren van de versleutelde gegevens aan het begin over te slaan"
 
-#: src/cryptsetup.c:1514
+#: src/cryptsetup.c:3444
 msgid "Create a readonly mapping"
 msgstr "Een alleen-lezen toewijzing aanmaken"
 
-#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
-msgid "PBKDF2 iteration time for LUKS (in ms)"
-msgstr "PBKDF2 herhalingstijd voor LUKS (in ms)"
-
-#: src/cryptsetup.c:1515 src/cryptsetup_reencrypt.c:1317
-msgid "msecs"
-msgstr "milliseconden"
-
-#: src/cryptsetup.c:1516 src/cryptsetup_reencrypt.c:1318
+#: src/cryptsetup.c:3445 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Niet om bevestiging vragen"
 
-#: src/cryptsetup.c:1517
+#: src/cryptsetup.c:3446
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Timeout voor interactieve wachtwoordprompt (in seconden)"
 
-#: src/cryptsetup.c:1517
+#: src/cryptsetup.c:3446 src/cryptsetup.c:3447 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "seconden"
 
-#: src/cryptsetup.c:1518 src/cryptsetup_reencrypt.c:1319
+#: src/cryptsetup.c:3447 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
+msgid "Progress line update (in seconds)"
+msgstr ""
+
+#: src/cryptsetup.c:3448 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Hoe vaak de invoering van het wachtwoord opnieuw geprobeerd kan worden"
 
-#: src/cryptsetup.c:1519
+#: src/cryptsetup.c:3449
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Payload uitlijnen op meervouden van <n> sectoren – voor luksFormat"
 
-#: src/cryptsetup.c:1520
-msgid "File with LUKS header and keyslots backup."
+#: src/cryptsetup.c:3450
+#, fuzzy
+msgid "File with LUKS header and keyslots backup"
 msgstr "Bestand met reservekopie van LUKS-koptekst en -sleutelplaatsen."
 
-#: src/cryptsetup.c:1521 src/cryptsetup_reencrypt.c:1320
-msgid "Use /dev/random for generating volume key."
+#: src/cryptsetup.c:3451 src/cryptsetup_reencrypt.c:1620
+#, fuzzy
+msgid "Use /dev/random for generating volume key"
 msgstr "Gebruik /dev/random om de sleutel tot het opslagmedium te genereren."
 
-#: src/cryptsetup.c:1522 src/cryptsetup_reencrypt.c:1321
-msgid "Use /dev/urandom for generating volume key."
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1621
+#, fuzzy
+msgid "Use /dev/urandom for generating volume key"
 msgstr "Gebruik /dev/urandom om de sleutel tot het opslagmedium te genereren."
 
-#: src/cryptsetup.c:1523
-msgid "Share device with another non-overlapping crypt segment."
+#: src/cryptsetup.c:3453
+#, fuzzy
+msgid "Share device with another non-overlapping crypt segment"
 msgstr "Apparaat met een ander, niet-overlappend cryptsegment delen."
 
-#: src/cryptsetup.c:1524 src/veritysetup.c:403
-msgid "UUID for device to use."
+#: src/cryptsetup.c:3454 src/veritysetup.c:477
+#, fuzzy
+msgid "UUID for device to use"
 msgstr "UUID van het te gebruiken apparaat."
 
-#: src/cryptsetup.c:1525
-msgid "Allow discards (aka TRIM) requests for device."
+#: src/cryptsetup.c:3455
+#, fuzzy
+msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Discardaanvragen (alias TRIM) op dit apparaat toelaten."
 
-#: src/cryptsetup.c:1526
-msgid "Device or file with separated LUKS header."
+#: src/cryptsetup.c:3456 src/cryptsetup_reencrypt.c:1638
+#, fuzzy
+msgid "Device or file with separated LUKS header"
 msgstr "Apparaat of bestand met verschillende LUKS-koptekst."
 
-#: src/cryptsetup.c:1527
-msgid "Do not activate device, just check passphrase."
-msgstr "Apparaat niet activeren, enkel wachtwoord controleren."
+#: src/cryptsetup.c:3457
+#, fuzzy
+msgid "Do not activate device, just check passphrase"
+msgstr "Apparaat niet activeren, enkel wachtwoord controleren."
+
+#: src/cryptsetup.c:3458
+#, fuzzy
+msgid "Use hidden header (hidden TCRYPT device)"
+msgstr "Verborgen koptekst gebruiken (verborgen TCRYPT-apparaat)."
+
+#: src/cryptsetup.c:3459
+#, fuzzy
+msgid "Device is system TCRYPT drive (with bootloader)"
+msgstr "Apparaat is TCRYPT-systeemschijf (met bootloader)."
+
+#: src/cryptsetup.c:3460
+#, fuzzy
+msgid "Use backup (secondary) TCRYPT header"
+msgstr "Reserve (secundaire) TCRYPT-koptekst gebruiken."
+
+#: src/cryptsetup.c:3461
+#, fuzzy
+msgid "Scan also for VeraCrypt compatible device"
+msgstr "Eveneens naar VeraCrypt-compatibel apparaat scannen."
+
+#: src/cryptsetup.c:3462
+#, fuzzy
+msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
+msgstr "Eveneens naar VeraCrypt-compatibel apparaat scannen."
+
+#: src/cryptsetup.c:3463
+#, fuzzy
+msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
+msgstr "Eveneens naar VeraCrypt-compatibel apparaat scannen."
+
+#: src/cryptsetup.c:3464
+#, fuzzy
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Soorten apparaat-metadata: luks, plain, loopaes, tcrypt."
+
+#: src/cryptsetup.c:3465
+#, fuzzy
+msgid "Disable password quality check (if enabled)"
+msgstr "Wachtwoordkwaliteitscontrole uitschakelen (indien ingeschakeld)."
+
+#: src/cryptsetup.c:3466
+#, fuzzy
+msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
+msgstr "dm-crypt same_cpu_crypt prestatie-compatibiliteitsoptie gebruiken."
+
+#: src/cryptsetup.c:3467
+#, fuzzy
+msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
+msgstr "dm-crypt submit_from_crypt_cpus prestatie-compatibiliteitsoptie gebruiken."
+
+#: src/cryptsetup.c:3468
+msgid "Device removal is deferred until the last user closes it"
+msgstr ""
+
+#: src/cryptsetup.c:3469
+msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
+msgstr ""
+
+#: src/cryptsetup.c:3470
+#, fuzzy
+msgid "PBKDF iteration time for LUKS (in ms)"
+msgstr "PBKDF2 herhalingstijd voor LUKS (in ms)"
+
+#: src/cryptsetup.c:3470 src/cryptsetup_reencrypt.c:1616
+msgid "msecs"
+msgstr "milliseconden"
+
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1634
+msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
+msgstr ""
+
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1635
+msgid "PBKDF memory cost limit"
+msgstr ""
+
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1635
+#, fuzzy
+msgid "kilobytes"
+msgstr "bytes"
+
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1636
+msgid "PBKDF parallel cost"
+msgstr ""
+
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1636
+msgid "threads"
+msgstr ""
+
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1637
+msgid "PBKDF iterations cost (forced, disables benchmark)"
+msgstr ""
+
+#: src/cryptsetup.c:3475
+msgid "Keyslot priority: ignore, normal, prefer"
+msgstr ""
+
+#: src/cryptsetup.c:3476
+#, fuzzy
+msgid "Disable locking of on-disk metadata"
+msgstr "on-disk metadata proberen te herstellen"
+
+#: src/cryptsetup.c:3477
+msgid "Disable loading volume keys via kernel keyring"
+msgstr ""
+
+#: src/cryptsetup.c:3478
+msgid "Data integrity algorithm (LUKS2 only)"
+msgstr ""
+
+#: src/cryptsetup.c:3479 src/integritysetup.c:567
+msgid "Disable journal for integrity device"
+msgstr ""
+
+#: src/cryptsetup.c:3480 src/integritysetup.c:541
+msgid "Do not wipe device after format"
+msgstr ""
+
+#: src/cryptsetup.c:3481 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr ""
+
+#: src/cryptsetup.c:3482
+msgid "Do not ask for passphrase if activation by token fails"
+msgstr ""
+
+#: src/cryptsetup.c:3483
+msgid "Token number (default: any)"
+msgstr ""
+
+#: src/cryptsetup.c:3484
+msgid "Key description"
+msgstr ""
+
+#: src/cryptsetup.c:3485
+msgid "Encryption sector size (default: 512 bytes)"
+msgstr ""
+
+#: src/cryptsetup.c:3486
+msgid "Set activation flags persistent for device"
+msgstr ""
+
+#: src/cryptsetup.c:3487
+#, fuzzy
+msgid "Set label for the LUKS2 device"
+msgstr "een LUKS-apparaat formatteren"
+
+#: src/cryptsetup.c:3488
+msgid "Set subsystem label for the LUKS2 device"
+msgstr ""
+
+#: src/cryptsetup.c:3489
+msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
+msgstr ""
+
+#: src/cryptsetup.c:3490
+#, fuzzy
+msgid "Read or write the json from or to a file"
+msgstr "De sleutel uit een bestand lezen."
+
+#: src/cryptsetup.c:3491
+msgid "LUKS2 header metadata area size"
+msgstr ""
+
+#: src/cryptsetup.c:3492
+#, fuzzy
+msgid "LUKS2 header keyslots area size"
+msgstr "Bestand met reservekopie van LUKS-koptekst en -sleutelplaatsen."
+
+#: src/cryptsetup.c:3493
+msgid "Refresh (reactivate) device with new parameters"
+msgstr ""
+
+#: src/cryptsetup.c:3494
+#, fuzzy
+msgid "LUKS2 keyslot: The size of the encryption key"
+msgstr "De grootte van de encryptiesleutel"
+
+#: src/cryptsetup.c:3495
+msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
+msgstr ""
+
+#: src/cryptsetup.c:3496
+#, fuzzy
+msgid "Encrypt LUKS2 device (in-place encryption)."
+msgstr "Apparaat permanent ontsleutelen (encryptie verwijderen)."
 
-#: src/cryptsetup.c:1528
-msgid "Use hidden header (hidden TCRYPT device)."
-msgstr "Verborgen koptekst gebruiken (verborgen TCRYPT-apparaat)."
+#: src/cryptsetup.c:3497
+#, fuzzy
+msgid "Decrypt LUKS2 device (remove encryption)."
+msgstr "Apparaat permanent ontsleutelen (encryptie verwijderen)."
 
-#: src/cryptsetup.c:1529
-msgid "Device is system TCRYPT drive (with bootloader)."
-msgstr "Apparaat is TCRYPT-systeemschijf (met bootloader)."
+#: src/cryptsetup.c:3498
+msgid "Initialize LUKS2 reencryption in metadata only."
+msgstr ""
 
-#: src/cryptsetup.c:1530
-msgid "Use backup (secondary) TCRYPT header."
-msgstr "Reserve (secundaire) TCRYPT-koptekst gebruiken."
+#: src/cryptsetup.c:3499
+msgid "Resume initialized LUKS2 reencryption only."
+msgstr ""
 
-#: src/cryptsetup.c:1531
-msgid "Scan also for VeraCrypt compatible device."
-msgstr "Eveneens naar VeraCrypt-compatibel apparaat scannen."
+#: src/cryptsetup.c:3500 src/cryptsetup_reencrypt.c:1628
+msgid "Reduce data device size (move data offset). DANGEROUS!"
+msgstr "Grootte van gegevensapparaat wijzigen (gegevenspositie wijzigen). GEVAARLIJK!"
 
-#: src/cryptsetup.c:1532
-msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
-msgstr "Soorten apparaat-metadata: luks, plain, loopaes, tcrypt."
+#: src/cryptsetup.c:3501
+#, fuzzy
+msgid "Maximal reencryption hotzone size."
+msgstr "Blokgrootte herencryptie"
 
-#: src/cryptsetup.c:1533
-msgid "Disable password quality check (if enabled)."
-msgstr "Wachtwoordkwaliteitscontrole uitschakelen (indien ingeschakeld)."
+#: src/cryptsetup.c:3502
+msgid "Reencryption hotzone resilience type (checksum,journal,none)"
+msgstr ""
 
-#: src/cryptsetup.c:1534
-msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
-msgstr "dm-crypt same_cpu_crypt prestatie-compatibiliteitsoptie gebruiken."
+#: src/cryptsetup.c:3503
+#, fuzzy
+msgid "Reencryption hotzone checksums hash"
+msgstr "Blokgrootte herencryptie"
 
-#: src/cryptsetup.c:1535
-msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
-msgstr "dm-crypt submit_from_crypt_cpus prestatie-compatibiliteitsoptie gebruiken."
+#: src/cryptsetup.c:3504
+msgid "Override device autodetection of dm device to be reencrypted"
+msgstr ""
 
-#: src/cryptsetup.c:1551 src/veritysetup.c:423
+#: src/cryptsetup.c:3520 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPTIE…] <actie> <actie-specifiek>"
 
-#: src/cryptsetup.c:1602 src/veritysetup.c:460
+#: src/cryptsetup.c:3571 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Argument <actie> ontbreekt."
 
-#: src/cryptsetup.c:1655 src/veritysetup.c:466
+#: src/cryptsetup.c:3640 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Onbekende actie."
 
-#: src/cryptsetup.c:1665
+#: src/cryptsetup.c:3650
+msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3655
+msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3660
+#, fuzzy
+msgid "Option --deferred is allowed only for close command.\n"
+msgstr "Optie --shared wordt enkel toegestaan voor open-opdracht op plain-apparaat.\n"
+
+#: src/cryptsetup.c:3665
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Optie --shared wordt enkel toegestaan voor open-opdracht op plain-apparaat.\n"
 
-#: src/cryptsetup.c:1670
+#: src/cryptsetup.c:3670
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Optie --allow-discards wordt enkel toegestaan voor de open-operatie.\n"
 
-#: src/cryptsetup.c:1678
+#: src/cryptsetup.c:3675
+#, fuzzy
+msgid "Option --persistent is allowed only for open operation.\n"
+msgstr "Optie --allow-discards wordt enkel toegestaan voor de open-operatie.\n"
+
+#: src/cryptsetup.c:3680
+#, fuzzy
+msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
+msgstr "Optie --allow-discards wordt enkel toegestaan voor de open-operatie.\n"
+
+#: src/cryptsetup.c:3685
+msgid "Option --persistent is not allowed with --test-passphrase.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3695
+#, fuzzy
 msgid ""
-"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
-"To limit read from keyfile use --keyfile-size=(bytes)."
+"Option --key-size is allowed only for luksFormat, luksAddKey,\n"
+"open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
 msgstr ""
 "Optie --key-size is enkel toegestaan bij luksFormat, open en benchmark.\n"
 "Om de lezing uit een sleutelbestand te beperken, gebruik --keyfile-size=(bytes)."
 
-#: src/cryptsetup.c:1685
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
+#: src/cryptsetup.c:3701
+#, fuzzy
+msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
+msgstr "Optie --align-payload is enkel toegestaan voor luksFormat."
+
+#: src/cryptsetup.c:3706
+msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3712
+#, fuzzy
+msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
+msgstr "Optie --allow-discards wordt enkel ondersteund voor de luksOpen-, loopaesOpen- en create-opdrachten.\n"
+
+#: src/cryptsetup.c:3718
+#, fuzzy
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
 msgstr "Optie --test-passphrase is enkel toegestaan bij open van LUKS- en TCRYPT-apparaten.\n"
 
-#: src/cryptsetup.c:1690 src/cryptsetup_reencrypt.c:1389
+#: src/cryptsetup.c:3723 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Sleutelgrootte moet een meervoud zijn van 8 bits"
 
-#: src/cryptsetup.c:1697 src/cryptsetup_reencrypt.c:1394
+#: src/cryptsetup.c:3729 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Sleutelplaats is ongeldig."
 
-#: src/cryptsetup.c:1704
-msgid "Option --key-file takes precedence over specified key file argument.\n"
-msgstr "Optie --key-file krijgt voorrang over het gespecificeerde sleutelbestandsargument.\n"
+#: src/cryptsetup.c:3736
+msgid "Option --key-file takes precedence over specified key file argument."
+msgstr "Optie --key-file krijgt voorrang over het gespecificeerde sleutelbestandsargument."
 
-#: src/cryptsetup.c:1712 src/veritysetup.c:488 src/cryptsetup_reencrypt.c:1378
+#: src/cryptsetup.c:3743 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "Een negatief getal wordt niet toegestaan voor deze optie."
 
-#: src/cryptsetup.c:1716
+#: src/cryptsetup.c:3747
 msgid "Only one --key-file argument is allowed."
 msgstr "Slechts een enkel gebruik van het --key-file argument is toegestaan."
 
-#: src/cryptsetup.c:1720 src/cryptsetup_reencrypt.c:1372
-#: src/cryptsetup_reencrypt.c:1398
+#: src/cryptsetup.c:3751 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Slechts een enkel gebruik van de opties --use-[u]random is toegestaan."
 
-#: src/cryptsetup.c:1724
+#: src/cryptsetup.c:3755
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "OPtie --use-[u]random is enkel toegestaan bij luksFormat."
 
-#: src/cryptsetup.c:1728
+#: src/cryptsetup.c:3759
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Optie --uuid is enkel toegestaan bij luksFormat en luksUUID."
 
-#: src/cryptsetup.c:1732
+#: src/cryptsetup.c:3763
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Optie --align-payload is enkel toegestaan voor luksFormat."
 
-#: src/cryptsetup.c:1738
+#: src/cryptsetup.c:3767
+msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
+msgstr ""
+
+#: src/cryptsetup.c:3772
+#, fuzzy
+msgid "Invalid LUKS2 metadata size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
+
+#: src/cryptsetup.c:3776
+#, fuzzy
+msgid "Invalid LUKS2 keyslots size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
+
+#: src/cryptsetup.c:3780
+#, fuzzy
+msgid "Options --align-payload and --offset cannot be combined."
+msgstr "Optie --align-payload is enkel toegestaan voor luksFormat."
+
+#: src/cryptsetup.c:3786
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Optie --skip wordt enkel ondersteund voor open-opdracht op plain- en loopaes-apparaten.\n"
 
-#: src/cryptsetup.c:1744
-msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
+#: src/cryptsetup.c:3793
+#, fuzzy
+msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "Optie --offset wordt enkel ondersteund voor open-opdracht op plain- en loopaes-apparaten.\n"
 
-#: src/cryptsetup.c:1750
+#: src/cryptsetup.c:3799
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Optie --tcrypt-hidden, --tcrypt-system of --tcrypt-backup wordt enkel ondersteund voor TCRYPT-apparaten.\n"
 
-#: src/cryptsetup.c:1755
+#: src/cryptsetup.c:3804
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Optie --tcrypt-hidden kan niet met --allow-discards gecombineerd worden.\n"
 
-#: src/cryptsetup.c:1760
+#: src/cryptsetup.c:3809
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Optie --veracrypt wordt enkel ondersteund voor TCRYPT-apparaatstype.\n"
 
-#: src/veritysetup.c:61
-msgid "Invalid salt string specified.\n"
-msgstr "Ongeldige salt-tekenreeks opgegeven.\n"
+#: src/cryptsetup.c:3815
+msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3819
+#, fuzzy
+msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
+msgstr "Optie --veracrypt wordt enkel ondersteund voor TCRYPT-apparaatstype.\n"
+
+#: src/cryptsetup.c:3827
+#, fuzzy
+msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
+msgstr "Optie --veracrypt wordt enkel ondersteund voor TCRYPT-apparaatstype.\n"
+
+#: src/cryptsetup.c:3831
+msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3838
+msgid "Option --priority can be only ignore/normal/prefer.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3843
+msgid "Keyslot specification is required.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3848 src/cryptsetup_reencrypt.c:1686
+msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3853 src/cryptsetup_reencrypt.c:1691
+msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3859
+#, fuzzy
+msgid "Sector size option is not supported for this command.\n"
+msgstr "Deze operatie wordt niet ondersteund voor dit apparaatstype.\n"
+
+#: src/cryptsetup.c:3865
+#, fuzzy
+msgid "Unsupported encryption sector size.\n"
+msgstr "Kan herencryptie-logbestand niet lezen.\n"
+
+#: src/cryptsetup.c:3870
+msgid "Key size is required with --unbound option.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3875
+#, fuzzy
+msgid "Option --unbound may be used only with luksAddKey action.\n"
+msgstr "Optie --new kan niet samen met --decrypt gebruikt worden."
+
+#: src/cryptsetup.c:3880
+#, fuzzy
+msgid "Option --refresh may be used only with open action.\n"
+msgstr "Optie -- keep-key kan enkel samen met --hash of --iter-time gebruikt worden."
+
+#: src/cryptsetup.c:3891
+msgid "Cannot disable metadata locking.\n"
+msgstr ""
+
+#: src/cryptsetup.c:3901
+#, fuzzy
+msgid "Invalid max reencryption hotzone size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
+
+#: src/cryptsetup.c:3909 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
+msgid "Invalid device size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
+
+#: src/cryptsetup.c:3912
+#, fuzzy
+msgid "Maximum device reduce size is 1 GiB."
+msgstr "Maximum apparaatsverkleiningsgrootte is 64 MB."
+
+#: src/cryptsetup.c:3915 src/cryptsetup_reencrypt.c:1726
+msgid "Reduce size must be multiple of 512 bytes sector."
+msgstr "Verkleiningsgrootte moet een meervoud zijn van de 512 bytes-grote sector."
+
+#: src/cryptsetup.c:3920
+#, fuzzy
+msgid "Invalid data size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
+
+#: src/cryptsetup.c:3925
+#, fuzzy
+msgid "Reduce size overflow."
+msgstr "Overloop van apparaatsgegevenspositie.\n"
+
+#: src/cryptsetup.c:3929
+msgid "LUKS2 decryption requires option --header."
+msgstr ""
+
+#: src/cryptsetup.c:3933
+#, fuzzy
+msgid "Device size must be multiple of 512 bytes sector."
+msgstr "Verkleiningsgrootte moet een meervoud zijn van de 512 bytes-grote sector."
+
+#: src/cryptsetup.c:3937
+msgid "Options --reduce-device-size and --data-size cannot be combined."
+msgstr ""
+
+#: src/cryptsetup.c:3941
+msgid "Options --device-size and --size cannot be combined."
+msgstr ""
+
+#: src/veritysetup.c:66
+msgid "Invalid salt string specified."
+msgstr "Ongeldige salt-tekenreeks opgegeven."
+
+#: src/veritysetup.c:97
+#, c-format
+msgid "Cannot create hash image %s for writing."
+msgstr "Kan hashafbeeling %s niet aanmaken voor beschrijving."
+
+#: src/veritysetup.c:107
+#, fuzzy, c-format
+msgid "Cannot create FEC image %s for writing."
+msgstr "Kan hashafbeeling %s niet aanmaken voor beschrijving.\n"
+
+#: src/veritysetup.c:179
+msgid "Invalid root hash string specified."
+msgstr "Ongeldige root-hash tekenreeks opgegeven."
+
+#: src/veritysetup.c:187
+#, fuzzy, c-format
+msgid "Invalid signature file %s."
+msgstr "Ongeldig apparaat %s.\n"
+
+#: src/veritysetup.c:194
+#, fuzzy, c-format
+msgid "Cannot read signature file %s."
+msgstr "Kan sleutelbestand %s niet lezen.\n"
+
+#: src/veritysetup.c:392
+msgid "<data_device> <hash_device>"
+msgstr "<gegevensapparaat> <hash-apparaat>"
+
+#: src/veritysetup.c:392 src/integritysetup.c:473
+msgid "format device"
+msgstr "apparaat formateren"
+
+#: src/veritysetup.c:393
+msgid "<data_device> <hash_device> <root_hash>"
+msgstr "<gegevensapparaat> <hash-apparaat> <root-hash>"
+
+#: src/veritysetup.c:393
+msgid "verify device"
+msgstr "apparaat controleren"
+
+#: src/veritysetup.c:394
+#, fuzzy
+msgid "<data_device> <name> <hash_device> <root_hash>"
+msgstr "<gegevensapparaat> <hash-apparaat> <root-hash>"
+
+#: src/veritysetup.c:396 src/integritysetup.c:476
+msgid "show active device status"
+msgstr "status van actief apparaat tonen"
+
+#: src/veritysetup.c:397
+msgid "<hash_device>"
+msgstr "<hash-apparaat>"
+
+#: src/veritysetup.c:397 src/integritysetup.c:477
+msgid "show on-disk information"
+msgstr "on-disk informatie tonen"
+
+#: src/veritysetup.c:416
+#, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<data_device> is the data device\n"
+"<hash_device> is the device containing verification data\n"
+"<root_hash> hash of the root node on <hash_device>\n"
+msgstr ""
+"\n"
+"<naam> is de naam van het onder %s te creëren apparaat\n"
+"<gegevensapparaat> is het de naam van het gegevensapparaat\n"
+"<hash-apparaat> is de naam van het apparaat dat de verificatiegegevens bevat\n"
+"<root-hash> is de hash van de rootnode op <hash-apparaat>\n"
+
+#: src/veritysetup.c:423
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-verity parameters:\n"
+"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+msgstr ""
+"\n"
+"Standaard meegecompileerde dm-verity parameters:\n"
+"\tHash: %s, Datablok (bytes): %u, Hashblock (bytes): %u, Saltgrootte: %u, Hashformaat: %u\n"
+
+#: src/veritysetup.c:466
+msgid "Do not use verity superblock"
+msgstr "VERITY-superblok niet gebruiken"
+
+#: src/veritysetup.c:467
+msgid "Format type (1 - normal, 0 - original Chrome OS)"
+msgstr "Formaatstype (1 - normaal, 0 - origineel Chrome OS)"
+
+#: src/veritysetup.c:467
+msgid "number"
+msgstr "nummer"
+
+#: src/veritysetup.c:468
+msgid "Block size on the data device"
+msgstr "Blokgrootte op het gegevensapparaat"
+
+#: src/veritysetup.c:469
+msgid "Block size on the hash device"
+msgstr "Blokgrootte op het hash-apparaat"
+
+#: src/veritysetup.c:470
+msgid "FEC parity bytes"
+msgstr ""
+
+#: src/veritysetup.c:471
+msgid "The number of blocks in the data file"
+msgstr "Aantal blokken in het gegevensbestand"
+
+#: src/veritysetup.c:471
+msgid "blocks"
+msgstr "blokken"
+
+#: src/veritysetup.c:472
+msgid "Path to device with error correction data"
+msgstr ""
+
+#: src/veritysetup.c:472 src/integritysetup.c:543
+msgid "path"
+msgstr ""
+
+#: src/veritysetup.c:473
+msgid "Starting offset on the hash device"
+msgstr "De startplaats op het hash-apparaat"
+
+#: src/veritysetup.c:474
+#, fuzzy
+msgid "Starting offset on the FEC device"
+msgstr "De startplaats op het hash-apparaat"
+
+#: src/veritysetup.c:475
+msgid "Hash algorithm"
+msgstr "Hash-algoritme"
+
+#: src/veritysetup.c:475
+msgid "string"
+msgstr "tekenreeks"
+
+#: src/veritysetup.c:476
+msgid "Salt"
+msgstr "Salt"
+
+#: src/veritysetup.c:476
+msgid "hex string"
+msgstr "hex-tekenreeks"
+
+#: src/veritysetup.c:478
+#, fuzzy
+msgid "Path to root hash signature file"
+msgstr "Creatie hash-gebied gefaald.\n"
+
+#: src/veritysetup.c:479
+msgid "Restart kernel if corruption is detected"
+msgstr "Kernel herstarten bij ontdekking van corruptie"
+
+#: src/veritysetup.c:480
+msgid "Ignore corruption, log it only"
+msgstr "Datacorruptie negeren, enkel loggen"
+
+#: src/veritysetup.c:481
+msgid "Do not verify zeroed blocks"
+msgstr "Op nul ingestelde blokken niet controleren"
+
+#: src/veritysetup.c:482
+msgid "Verify data block only the first time it is read"
+msgstr ""
+
+#: src/veritysetup.c:582
+#, fuzzy
+msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
+msgstr "Opties --ignore-corruption, --restart-on-corruption of --ignore-zero-blocks kunnen enkel bij een create-operatie gebruikt worden.\n"
+
+#: src/veritysetup.c:587
+#, fuzzy
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Optie --allow-discards wordt enkel toegestaan voor de open-operatie.\n"
+
+#: src/veritysetup.c:592
+msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
+msgstr "Opties --ignore-corruption en --restart-on-corruption kunnen niet samen gebruikt worden.\n"
+
+#: src/integritysetup.c:83 src/utils_password.c:305
+#, c-format
+msgid "Cannot read keyfile %s."
+msgstr "Kan sleutelbestand %s niet lezen."
+
+#: src/integritysetup.c:87 src/utils_password.c:310
+#, c-format
+msgid "Cannot read %d bytes from keyfile %s."
+msgstr "Kan %d bytes uit sleutelbestand %s niet lezen."
+
+#: src/integritysetup.c:253
+#, c-format
+msgid "Formatted with tag size %u, internal integrity %s.\n"
+msgstr ""
+
+#: src/integritysetup.c:473 src/integritysetup.c:477
+#, fuzzy
+msgid "<integrity_device>"
+msgstr "apparaat controleren"
+
+#: src/integritysetup.c:474
+msgid "<integrity_device> <name>"
+msgstr ""
+
+#: src/integritysetup.c:496
+#, fuzzy, c-format
+msgid ""
+"\n"
+"<name> is the device to create under %s\n"
+"<integrity_device> is the device containing data with integrity tags\n"
+msgstr ""
+"\n"
+"<naam> is de naam van het onder %s te creëren apparaat\n"
+"<gegevensapparaat> is het de naam van het gegevensapparaat\n"
+"<hash-apparaat> is de naam van het apparaat dat de verificatiegegevens bevat\n"
+"<root-hash> is de hash van de rootnode op <hash-apparaat>\n"
+
+#: src/integritysetup.c:501
+#, c-format
+msgid ""
+"\n"
+"Default compiled-in dm-integrity parameters:\n"
+"\tChecksum algorithm: %s\n"
+msgstr ""
+
+#: src/integritysetup.c:543
+msgid "Path to data device (if separated)"
+msgstr ""
+
+#: src/integritysetup.c:545
+msgid "Journal size"
+msgstr ""
+
+#: src/integritysetup.c:546
+msgid "Interleave sectors"
+msgstr ""
+
+#: src/integritysetup.c:547
+msgid "Journal watermark"
+msgstr ""
+
+#: src/integritysetup.c:547
+msgid "percent"
+msgstr ""
+
+#: src/integritysetup.c:548
+msgid "Journal commit time"
+msgstr ""
+
+#: src/integritysetup.c:548 src/integritysetup.c:550
+msgid "ms"
+msgstr ""
+
+#: src/integritysetup.c:549
+msgid "Number of 512-byte sectors per bit (bitmap mode)."
+msgstr ""
+
+#: src/integritysetup.c:550
+msgid "Bitmap mode flush time"
+msgstr ""
+
+#: src/integritysetup.c:551
+msgid "Tag size (per-sector)"
+msgstr ""
 
-#: src/veritysetup.c:91
-#, c-format
-msgid "Cannot create hash image %s for writing.\n"
-msgstr "Kan hashafbeeling %s niet aanmaken voor beschrijving.\n"
+#: src/integritysetup.c:552
+msgid "Sector size"
+msgstr ""
 
-#: src/veritysetup.c:158
-msgid "Invalid root hash string specified.\n"
-msgstr "Ongeldige root-hash tekenreeks opgegeven.\n"
+#: src/integritysetup.c:553
+msgid "Buffers size"
+msgstr ""
 
-#: src/veritysetup.c:326
-msgid "<data_device> <hash_device>"
-msgstr "<gegevensapparaat> <hash-apparaat>"
+#: src/integritysetup.c:555
+msgid "Data integrity algorithm"
+msgstr ""
 
-#: src/veritysetup.c:326
-msgid "format device"
-msgstr "apparaat formateren"
+#: src/integritysetup.c:556
+#, fuzzy
+msgid "The size of the data integrity key"
+msgstr "De grootte van de encryptiesleutel"
 
-#: src/veritysetup.c:327
-msgid "<data_device> <hash_device> <root_hash>"
-msgstr "<gegevensapparaat> <hash-apparaat> <root-hash>"
+#: src/integritysetup.c:557
+#, fuzzy
+msgid "Read the integrity key from a file"
+msgstr "De sleutel uit een bestand lezen."
 
-#: src/veritysetup.c:327
-msgid "verify device"
-msgstr "apparaat controleren"
+#: src/integritysetup.c:559
+msgid "Journal integrity algorithm"
+msgstr ""
 
-#: src/veritysetup.c:328
-msgid "<name> <data_device> <hash_device> <root_hash>"
-msgstr "<naam> <gegevensapparaat> <hash-apparaat> <root-hash>"
-
-#: src/veritysetup.c:328
-msgid "create active device"
-msgstr "actief apparaat aanmaken"
-
-#: src/veritysetup.c:329
-msgid "remove (deactivate) device"
-msgstr "apparaat verwijderen (deactiveren)"
+#: src/integritysetup.c:560
+#, fuzzy
+msgid "The size of the journal integrity key"
+msgstr "De grootte van de encryptiesleutel"
 
-#: src/veritysetup.c:330
-msgid "show active device status"
-msgstr "status van actief apparaat tonen"
+#: src/integritysetup.c:561
+#, fuzzy
+msgid "Read the journal integrity key from a file"
+msgstr "De sleutel uit een bestand lezen."
 
-#: src/veritysetup.c:331
-msgid "<hash_device>"
-msgstr "<hash-apparaat>"
+#: src/integritysetup.c:563
+msgid "Journal encryption algorithm"
+msgstr ""
 
-#: src/veritysetup.c:331
-msgid "show on-disk information"
-msgstr "on-disk informatie tonen"
+#: src/integritysetup.c:564
+#, fuzzy
+msgid "The size of the journal encryption key"
+msgstr "De grootte van de encryptiesleutel"
 
-#: src/veritysetup.c:350
-#, c-format
-msgid ""
-"\n"
-"<name> is the device to create under %s\n"
-"<data_device> is the data device\n"
-"<hash_device> is the device containing verification data\n"
-"<root_hash> hash of the root node on <hash_device>\n"
-msgstr ""
-"\n"
-"<naam> is de naam van het onder %s te creëren apparaat\n"
-"<gegevensapparaat> is het de naam van het gegevensapparaat\n"
-"<hash-apparaat> is de naam van het apparaat dat de verificatiegegevens bevat\n"
-"<root-hash> is de hash van de rootnode op <hash-apparaat>\n"
+#: src/integritysetup.c:565
+#, fuzzy
+msgid "Read the journal encryption key from a file"
+msgstr "De sleutel uit een bestand lezen."
 
-#: src/veritysetup.c:357
-#, c-format
-msgid ""
-"\n"
-"Default compiled-in dm-verity parameters:\n"
-"\tHash: %s, Data block (bytes): %u, Hash block (bytes): %u, Salt size: %u, Hash format: %u\n"
+#: src/integritysetup.c:568
+msgid "Recovery mode (no journal, no tag checking)"
 msgstr ""
-"\n"
-"Standaard meegecompileerde dm-verity parameters:\n"
-"\tHash: %s, Datablok (bytes): %u, Hashblock (bytes): %u, Saltgrootte: %u, Hashformaat: %u\n"
 
-#: src/veritysetup.c:395
-msgid "Do not use verity superblock"
-msgstr "VERITY-superblok niet gebruiken"
+#: src/integritysetup.c:569
+msgid "Use bitmap to track changes and disable journal for integrity device"
+msgstr ""
 
-#: src/veritysetup.c:396
-msgid "Format type (1 - normal, 0 - original Chrome OS)"
-msgstr "Formaatstype (1 - normaal, 0 - origineel Chrome OS)"
+#: src/integritysetup.c:570
+msgid "Recalculate initial tags automatically."
+msgstr ""
 
-#: src/veritysetup.c:396
-msgid "number"
-msgstr "nummer"
+#: src/integritysetup.c:641
+#, fuzzy
+msgid "Option --integrity-recalculate can be used only for open action."
+msgstr "Optie --allow-discards wordt enkel toegestaan voor de open-operatie.\n"
 
-#: src/veritysetup.c:397
-msgid "Block size on the data device"
-msgstr "Blokgrootte op het gegevensapparaat"
+#: src/integritysetup.c:656
+msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
+msgstr ""
 
-#: src/veritysetup.c:398
-msgid "Block size on the hash device"
-msgstr "Blokgrootte op het hash-apparaat"
+#: src/integritysetup.c:662
+#, fuzzy
+msgid "Invalid journal size specification."
+msgstr "Ongeldig apparaatsgrootte ingegeven."
 
-#: src/veritysetup.c:399
-msgid "The number of blocks in the data file"
-msgstr "Aantal blokken in het gegevensbestand"
+#: src/integritysetup.c:667
+msgid "Both key file and key size options must be specified."
+msgstr ""
 
-#: src/veritysetup.c:399
-msgid "blocks"
-msgstr "blokken"
+#: src/integritysetup.c:670
+msgid "Integrity algorithm must be specified if integrity key is used."
+msgstr ""
 
-#: src/veritysetup.c:400
-msgid "Starting offset on the hash device"
-msgstr "De startplaats op het hash-apparaat"
+#: src/integritysetup.c:675
+msgid "Both journal integrity key file and key size options must be specified."
+msgstr ""
 
-#: src/veritysetup.c:401
-msgid "Hash algorithm"
-msgstr "Hash-algoritme"
+#: src/integritysetup.c:678
+msgid "Journal integrity algorithm must be specified if journal integrity key is used."
+msgstr ""
 
-#: src/veritysetup.c:401
-msgid "string"
-msgstr "tekenreeks"
+#: src/integritysetup.c:683
+msgid "Both journal encryption key file and key size options must be specified."
+msgstr ""
 
-#: src/veritysetup.c:402
-msgid "Salt"
-msgstr "Salt"
+#: src/integritysetup.c:686
+msgid "Journal encryption algorithm must be specified if journal encryption key is used."
+msgstr ""
 
-#: src/veritysetup.c:402
-msgid "hex string"
-msgstr "hex-tekenreeks"
+#: src/integritysetup.c:690
+msgid "Recovery and bitmap mode options are mutually exclusive."
+msgstr ""
 
-#: src/veritysetup.c:404
-msgid "Restart kernel if corruption is detected"
-msgstr "Kernel herstarten bij ontdekking van corruptie"
+#: src/integritysetup.c:694
+msgid "Journal options cannot be used in bitmap mode."
+msgstr ""
 
-#: src/veritysetup.c:405
-msgid "Ignore corruption, log it only"
-msgstr "Datacorruptie negeren, enkel loggen"
+#: src/integritysetup.c:698
+msgid "Bitmap options can be used only in bitmap mode."
+msgstr ""
 
-#: src/veritysetup.c:406
-msgid "Do not verify zeroed blocks"
-msgstr "Op nul ingestelde blokken niet controleren"
+#: src/cryptsetup_reencrypt.c:172
+msgid "Reencryption already in-progress."
+msgstr "Herencryptie is al bezig"
 
-#: src/veritysetup.c:494
-msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"
-msgstr "Opties --ignore-corruption, --restart-on-corruption of --ignore-zero-blocks kunnen enkel bij een create-operatie gebruikt worden.\n"
+#: src/cryptsetup_reencrypt.c:201
+#, c-format
+msgid "Cannot exclusively open %s, device in use."
+msgstr "Kan %s niet exclusief openen, apparaat wordt gebruikt."
 
-#: src/veritysetup.c:499
-msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
-msgstr "Opties --ignore-corruption en --restart-on-corruption kunnen niet samen gebruikt worden.\n"
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
+msgid "Allocation of aligned memory failed."
+msgstr "Reservering van uitgelijnd geheugen gefaald."
 
-#: src/cryptsetup_reencrypt.c:150
+#: src/cryptsetup_reencrypt.c:222
 #, c-format
-msgid "Cannot exclusively open %s, device in use.\n"
-msgstr "Kan %s niet exclusief openen, apparaat wordt gebruikt.\n"
+msgid "Cannot read device %s."
+msgstr "Kan apparaat niet lezen: %s."
 
-#: src/cryptsetup_reencrypt.c:164 src/cryptsetup_reencrypt.c:920
-msgid "Allocation of aligned memory failed.\n"
-msgstr "Reservering van uitgelijnd geheugen gefaald.\n"
-
-#: src/cryptsetup_reencrypt.c:171
+#: src/cryptsetup_reencrypt.c:233
 #, c-format
-msgid "Cannot read device %s.\n"
-msgstr "Kan apparaat niet lezen: %s.\n"
+msgid "Marking LUKS1 device %s unusable."
+msgstr "LUKS1-apparaat %s wordt als onbruikbaar gemarkeerd."
 
-#: src/cryptsetup_reencrypt.c:182
+#: src/cryptsetup_reencrypt.c:237
 #, c-format
-msgid "Marking LUKS device %s unusable.\n"
-msgstr "LUKS-apparaat %s wordt als onbruikbaar gemarkeerd.\n"
+msgid "Setting LUKS2 offline reencrypt flag on device %s."
+msgstr ""
 
-#: src/cryptsetup_reencrypt.c:198
+#: src/cryptsetup_reencrypt.c:254
 #, c-format
-msgid "Cannot write device %s.\n"
-msgstr "Kan apparaat %s niet beschrijven.\n"
+msgid "Cannot write device %s."
+msgstr "Kan apparaat %s niet beschrijven."
 
-#: src/cryptsetup_reencrypt.c:281
-msgid "Cannot write reencryption log file.\n"
-msgstr "Kan herencryptie-logbestand niet schrijven.\n"
+#: src/cryptsetup_reencrypt.c:302
+msgid "Cannot write reencryption log file."
+msgstr "Kan herencryptie-logbestand niet schrijven."
 
-#: src/cryptsetup_reencrypt.c:337
-msgid "Cannot read reencryption log file.\n"
-msgstr "Kan herencryptie-logbestand niet lezen.\n"
+#: src/cryptsetup_reencrypt.c:358
+msgid "Cannot read reencryption log file."
+msgstr "Kan herencryptie-logbestand niet lezen."
 
-#: src/cryptsetup_reencrypt.c:375
+#: src/cryptsetup_reencrypt.c:396
 #, c-format
 msgid "Log file %s exists, resuming reencryption.\n"
 msgstr "Logbestand %s bestaat reeds, herencryptie wordt herstart.\n"
 
-#: src/cryptsetup_reencrypt.c:425
-msgid "Activating temporary device using old LUKS header.\n"
-msgstr "Activatie van tijdelijke apparaat met oude LUKS-koptekst.\n"
+#: src/cryptsetup_reencrypt.c:445
+msgid "Activating temporary device using old LUKS header."
+msgstr "Activatie van tijdelijke apparaat met oude LUKS-koptekst."
+
+#: src/cryptsetup_reencrypt.c:455
+msgid "Activating temporary device using new LUKS header."
+msgstr "Activatie van tijdelijke apparaat met nieuwe LUKS-koptekst."
+
+#: src/cryptsetup_reencrypt.c:465
+msgid "Activation of temporary devices failed."
+msgstr "Activatie van tijdelijke apparaten gefaald."
 
-#: src/cryptsetup_reencrypt.c:436
-msgid "Activating temporary device using new LUKS header.\n"
-msgstr "Activatie van tijdelijke apparaat met nieuwe LUKS-koptekst.\n"
+#: src/cryptsetup_reencrypt.c:552
+msgid "Failed to set data offset."
+msgstr ""
 
-#: src/cryptsetup_reencrypt.c:446
-msgid "Activation of temporary devices failed.\n"
-msgstr "Activatie van tijdelijke apparaten gefaald.\n"
+#: src/cryptsetup_reencrypt.c:558
+msgid "Failed to set metadata size."
+msgstr ""
 
-#: src/cryptsetup_reencrypt.c:472
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
-msgid "New LUKS header for device %s created.\n"
-msgstr "Nieuwe LUKS-koptekst voor apparaat %s aangemaakt.\n"
+msgid "New LUKS header for device %s created."
+msgstr "Nieuwe LUKS-koptekst voor apparaat %s aangemaakt."
 
-#: src/cryptsetup_reencrypt.c:480
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
-msgid "Activated keyslot %i.\n"
-msgstr "Sleutelplaats %d geactiveerd.\n"
+msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
+msgstr ""
 
-#: src/cryptsetup_reencrypt.c:506
-#, c-format
-msgid "LUKS header backup of device %s created.\n"
-msgstr "Reservekopie van LUKS-koptekst op apparaat %s aangemaakt .\n"
+#: src/cryptsetup_reencrypt.c:648
+msgid "Failed to read activation flags from backup header."
+msgstr ""
+
+#: src/cryptsetup_reencrypt.c:652
+#, fuzzy
+msgid "Failed to write activation flags to new header."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
 
-#: src/cryptsetup_reencrypt.c:554
-msgid "Creation of LUKS backup headers failed.\n"
-msgstr "Creatie van LUKS-reservekopteksten gefaald.\n"
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
+#, fuzzy
+msgid "Failed to read requirements from backup header."
+msgstr "Lezen uit sleutelopslag is mislukt."
 
-#: src/cryptsetup_reencrypt.c:656
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
-msgid "Cannot restore LUKS header on device %s.\n"
-msgstr "Kan koptekst op apparaat %s niet herstellen.\n"
+msgid "%s header backup of device %s created."
+msgstr "Reservekopie van %s-koptekst op apparaat %s is aangemaakt."
 
-#: src/cryptsetup_reencrypt.c:658
+#: src/cryptsetup_reencrypt.c:761
+msgid "Creation of LUKS backup headers failed."
+msgstr "Creatie van LUKS-reservekopteksten gefaald."
+
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
-msgid "LUKS header on device %s restored.\n"
-msgstr "LUKS-koptekst op apparaat %s hersteld.\n"
+msgid "Cannot restore %s header on device %s."
+msgstr "Kan %s-koptekst op apparaat %s niet herstellen."
 
-#: src/cryptsetup_reencrypt.c:693
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
-msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
-msgstr "Vooruitgang: %5.1f%%, geschatte voltooiïngstijd %02llu:%02llu, %4llu MB geschreven, snelheid %5.1f MiB/s%s"
+msgid "%s header on device %s restored."
+msgstr "%s-koptekst op apparaat %s is hersteld."
 
-#: src/cryptsetup_reencrypt.c:732 src/cryptsetup_reencrypt.c:811
-#: src/cryptsetup_reencrypt.c:853
-msgid "Cannot seek to device offset.\n"
-msgstr "Onmogelijk te zoeken tot startplaats van apparaat.\n"
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
+msgid "Cannot open temporary LUKS device."
+msgstr "Kan tijdelijk LUKS-apparaat niet openen."
 
-#: src/cryptsetup_reencrypt.c:892 src/cryptsetup_reencrypt.c:898
-msgid "Cannot open temporary LUKS device.\n"
-msgstr "Kan tijdelijk LUKS-apparaat niet openen.\n"
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
+msgid "Cannot get device size."
+msgstr "Kan apparaatgrootte niet lezen."
 
-#: src/cryptsetup_reencrypt.c:903 src/cryptsetup_reencrypt.c:908
-msgid "Cannot get device size.\n"
-msgstr "Kan apparaatgrootte niet lezen.\n"
-
-#: src/cryptsetup_reencrypt.c:946
-msgid "Interrupted by a signal.\n"
-msgstr "Onderbroken door een signaal.\n"
-
-#: src/cryptsetup_reencrypt.c:948
-msgid "IO error during reencryption.\n"
-msgstr "Invoer/uitvoerfout tijdens herencryptie.\n"
-
-#: src/cryptsetup_reencrypt.c:978
-msgid "Provided UUID is invalid.\n"
-msgstr "Opgegeven UUID is ongeldig.\n"
-
-#: src/cryptsetup_reencrypt.c:1070
-msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
-msgstr "Sleutelbestand kan enkel gebruikt worden met optie --key-slot of met enkel één actieve sleutelplaats.\n"
+#: src/cryptsetup_reencrypt.c:1151
+msgid "IO error during reencryption."
+msgstr "Invoer/uitvoerfout tijdens herencryptie."
 
-#: src/cryptsetup_reencrypt.c:1114 src/cryptsetup_reencrypt.c:1129
-#, c-format
-msgid "Enter passphrase for key slot %u: "
-msgstr "Voer wachtwoord voor sleutelplaats %u in: "
+#: src/cryptsetup_reencrypt.c:1182
+msgid "Provided UUID is invalid."
+msgstr "Opgegeven UUID is ongeldig."
 
-#: src/cryptsetup_reencrypt.c:1178
-msgid "Cannot open reencryption log file.\n"
-msgstr "Kan herencryptie-logbestand niet openen.\n"
+#: src/cryptsetup_reencrypt.c:1416
+msgid "Cannot open reencryption log file."
+msgstr "Kan herencryptie-logbestand niet openen."
 
-#: src/cryptsetup_reencrypt.c:1184
-msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process.\n"
-msgstr "Er is geen ontsleutelingsproces aan de gang. Het opgegeven UUID kan enkel gebruikt worden om een geschorst ontsleutelingsproces opnieuw te starten.\n"
+#: src/cryptsetup_reencrypt.c:1422
+msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
+msgstr "Er is geen ontsleutelingsproces aan de gang. Het opgegeven UUID kan enkel gebruikt worden om een geschorst ontsleutelingsproces opnieuw te starten."
+
+#: src/cryptsetup_reencrypt.c:1497
+#, c-format
+msgid "Changed pbkdf parameters in keyslot %i."
+msgstr ""
 
-#: src/cryptsetup_reencrypt.c:1311
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
-msgstr "Blokgrootte herencryptie"
+msgstr "Blokgrootte voor herencryptie"
 
-#: src/cryptsetup_reencrypt.c:1311
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
-msgstr "MB"
-
-#: src/cryptsetup_reencrypt.c:1315
-msgid "Do not change key, no data area reencryption."
-msgstr "Sleutel niet wijzigen; gegevensgebied wordt niet opnieuw versleuteld."
-
-#: src/cryptsetup_reencrypt.c:1322
-msgid "Use direct-io when accessing devices."
-msgstr "direct-io gebruiken bij het lezen van apparaten."
-
-#: src/cryptsetup_reencrypt.c:1323
-msgid "Use fsync after each block."
-msgstr "fsync na elk blok gebruiken."
-
-#: src/cryptsetup_reencrypt.c:1324
-msgid "Update log file after every block."
-msgstr "Na elk blok het logbestand bijwerken."
-
-#: src/cryptsetup_reencrypt.c:1325
-msgid "Use only this slot (others will be disabled)."
-msgstr "Enkel deze plaats gebruiken (anderen worden uitgeschakeld)."
+msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1328
-msgid "Reduce data device size (move data offset). DANGEROUS!"
-msgstr "Grootte van gegevensapparaat wijzigen (gegevenspositie wijzigen). GEVAARLIJK!"
-
-#: src/cryptsetup_reencrypt.c:1329
-msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
-msgstr "Enkel ingegeven apparaatsgrootte gebruiken (rest van apparaat wordt genegeerd). GEVAARLIJK!"
+#: src/cryptsetup_reencrypt.c:1613
+msgid "Do not change key, no data area reencryption"
+msgstr "Sleutel niet wijzigen; gegevensgebied wordt niet opnieuw versleuteld"
 
-#: src/cryptsetup_reencrypt.c:1330
-msgid "Create new header on not encrypted device."
-msgstr "Nieuwe koptekst op niet-versleuteld apparaat invoeren."
+#: src/cryptsetup_reencrypt.c:1615
+msgid "Read new volume (master) key from file"
+msgstr "De (hoofd)sleutel tot het opslagmedium uit een bestand lezen"
 
-#: src/cryptsetup_reencrypt.c:1331
-msgid "Permanently decrypt device (remove encryption)."
-msgstr "Apparaat permanent ontsleutelen (encryptie verwijderen)."
+#: src/cryptsetup_reencrypt.c:1616
+msgid "PBKDF2 iteration time for LUKS (in ms)"
+msgstr "PBKDF2 herhalingstijd voor LUKS (in ms)"
 
-#: src/cryptsetup_reencrypt.c:1332
-msgid "The uuid used to resume decryption."
-msgstr "Het UUID om de ontsleuteling te hervatten."
+#: src/cryptsetup_reencrypt.c:1622
+msgid "Use direct-io when accessing devices"
+msgstr "'direct-io' gebruiken bij het lezen van apparaten"
+
+#: src/cryptsetup_reencrypt.c:1623
+msgid "Use fsync after each block"
+msgstr "Na elk blok 'fsync' gebruiken"
+
+#: src/cryptsetup_reencrypt.c:1624
+msgid "Update log file after every block"
+msgstr "Na elk blok het logbestand bijwerken"
+
+#: src/cryptsetup_reencrypt.c:1625
+msgid "Use only this slot (others will be disabled)"
+msgstr "Enkel deze plaats gebruiken (anderen worden uitgeschakeld)"
+
+#: src/cryptsetup_reencrypt.c:1630
+msgid "Create new header on not encrypted device"
+msgstr "Nieuwe koptekst op niet-versleuteld apparaat invoeren"
+
+#: src/cryptsetup_reencrypt.c:1631
+msgid "Permanently decrypt device (remove encryption)"
+msgstr "Apparaat permanent ontsleutelen (encryptie verwijderen)"
+
+#: src/cryptsetup_reencrypt.c:1632
+msgid "The UUID used to resume decryption"
+msgstr "Het UUID om de ontsleuteling te hervatten"
+
+#: src/cryptsetup_reencrypt.c:1633
+msgid "Type of LUKS metadata: luks1, luks2"
+msgstr "Soorten apparaat-metadata: luks, plain, loopaes, tcrypt"
 
-#: src/cryptsetup_reencrypt.c:1348
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[OPTIE...] <apparaat>"
 
-#: src/cryptsetup_reencrypt.c:1362
-#, c-format
-msgid "Reencryption will change: volume key%s%s%s%s.\n"
+#: src/cryptsetup_reencrypt.c:1660
+#, fuzzy, c-format
+msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Herencryptie zal sleutel tot het opslagmedium %s%s%s%s wijzigen.\n"
 
-#: src/cryptsetup_reencrypt.c:1363
-msgid ", set hash to "
+#: src/cryptsetup_reencrypt.c:1661
+msgid "volume key"
+msgstr ""
+
+#: src/cryptsetup_reencrypt.c:1663
+#, fuzzy
+msgid "set hash to "
 msgstr ", stel hash in op "
 
-#: src/cryptsetup_reencrypt.c:1364
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", stel sleutelalgoritme in op "
 
-#: src/cryptsetup_reencrypt.c:1368
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Argument is vereist."
 
-#: src/cryptsetup_reencrypt.c:1384
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Enkel waarden tussen 1 MB en 64 MB zijn toegestaan als herencryptieblokgrootte."
 
-#: src/cryptsetup_reencrypt.c:1403 src/cryptsetup_reencrypt.c:1408
-msgid "Invalid device size specification."
-msgstr "Ongeldig apparaatsgrootte ingegeven."
-
-#: src/cryptsetup_reencrypt.c:1411
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Maximum apparaatsverkleiningsgrootte is 64 MB."
 
-#: src/cryptsetup_reencrypt.c:1414
-msgid "Reduce size must be multiple of 512 bytes sector."
-msgstr "Verkleiningsgrootte moet een meervoud zijn van de 512 bytes-grote sector."
-
-#: src/cryptsetup_reencrypt.c:1418
-msgid "Option --new must be used together with --reduce-device-size."
+#: src/cryptsetup_reencrypt.c:1730
+#, fuzzy
+msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Optie --new moet samen met --reduce-device-size gebruikt worden."
 
-#: src/cryptsetup_reencrypt.c:1422
-msgid "Option --keep-key can be used only with --hash or --iter-time."
+#: src/cryptsetup_reencrypt.c:1734
+#, fuzzy
+msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Optie -- keep-key kan enkel samen met --hash of --iter-time gebruikt worden."
 
-#: src/cryptsetup_reencrypt.c:1426
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Optie --new kan niet samen met --decrypt gebruikt worden."
 
-#: src/cryptsetup_reencrypt.c:1430
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Optie --decrypt is niet verenigbaar met de verschafte parameters."
 
-#: src/cryptsetup_reencrypt.c:1434
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Optie --uuid kan enkel samen met --decrypt gebruikt worden."
 
+#: src/cryptsetup_reencrypt.c:1750
+msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
+msgstr ""
+
 #: src/utils_tools.c:151
-msgid "Error reading response from terminal.\n"
-msgstr "Fout bij het lezen van antwoord uit de terminal.\n"
+msgid "Error reading response from terminal."
+msgstr "Fout bij het lezen van antwoord uit de terminal."
 
-#: src/utils_tools.c:173
+#: src/utils_tools.c:186
 msgid "Command successful.\n"
 msgstr "Opdracht succesvol.\n"
 
-#: src/utils_tools.c:191
-#, c-format
-msgid "Command failed with code %i"
+#: src/utils_tools.c:194
+msgid "wrong or missing parameters"
+msgstr ""
+
+#: src/utils_tools.c:196
+#, fuzzy
+msgid "no permission or bad passphrase"
+msgstr "Voer enig wachtwoord in: "
+
+#: src/utils_tools.c:198
+#, fuzzy
+msgid "out of memory"
+msgstr "Kan geheugen niet ontgrendelen.\n"
+
+#: src/utils_tools.c:200
+msgid "wrong device or file specified"
+msgstr ""
+
+#: src/utils_tools.c:202
+#, fuzzy
+msgid "device already exists or device is busy"
+msgstr "Apparaat %s bestaat reeds.\n"
+
+#: src/utils_tools.c:204
+msgid "unknown error"
+msgstr ""
+
+#: src/utils_tools.c:206
+#, fuzzy, c-format
+msgid "Command failed with code %i (%s).\n"
 msgstr "Opdracht is mislukt met code %i"
 
-#: src/utils_password.c:42 src/utils_password.c:74
+#: src/utils_tools.c:283
+#, fuzzy, c-format
+msgid "Key slot %i created."
+msgstr "Sleutelplaats %d werd gewijzigd.\n"
+
+#: src/utils_tools.c:285
+#, fuzzy, c-format
+msgid "Key slot %i unlocked."
+msgstr "Sleutelplaats %d is ontgrendeld.\n"
+
+#: src/utils_tools.c:287
+#, fuzzy, c-format
+msgid "Key slot %i removed."
+msgstr "Sleutelplaats %d is ontgrendeld.\n"
+
+#: src/utils_tools.c:296
 #, c-format
-msgid "Cannot check password quality: %s\n"
-msgstr "Kan wachtwoordkwaliteit niet nakijken: %s\n"
+msgid "Token %i created."
+msgstr ""
+
+#: src/utils_tools.c:298
+#, c-format
+msgid "Token %i removed."
+msgstr ""
+
+#: src/utils_tools.c:464
+msgid ""
+"\n"
+"Wipe interrupted."
+msgstr ""
+
+#: src/utils_tools.c:475
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' partition signature.\n"
+msgstr ""
+
+#: src/utils_tools.c:483
+#, c-format
+msgid "WARNING: Device %s already contains a '%s' superblock signature.\n"
+msgstr ""
+
+#: src/utils_tools.c:504 src/utils_tools.c:568
+#, fuzzy
+msgid "Failed to initialize device signature probes."
+msgstr "Kan geen map voor de apparaatstoewijzer verkrijgen."
+
+#: src/utils_tools.c:548
+#, fuzzy, c-format
+msgid "Failed to stat device %s."
+msgstr "Kan status van sleutelbestand niet opvragen.\n"
+
+#: src/utils_tools.c:561
+#, c-format
+msgid "Device %s is in use. Can not proceed with format operation."
+msgstr ""
+
+#: src/utils_tools.c:563
+#, c-format
+msgid "Failed to open file %s in read/write mode."
+msgstr ""
+
+#: src/utils_tools.c:577
+#, c-format
+msgid "Existing '%s' partition signature (offset: %<PRIi64> bytes) on device %s will be wiped."
+msgstr ""
 
-#: src/utils_password.c:50
+#: src/utils_tools.c:580
 #, c-format
+msgid "Existing '%s' superblock signature (offset: %<PRIi64> bytes) on device %s will be wiped."
+msgstr ""
+
+#: src/utils_tools.c:583
+#, fuzzy
+msgid "Failed to wipe device signature."
+msgstr "Schrijven naar sleutelopslag is mislukt.\n"
+
+#: src/utils_tools.c:590
+#, fuzzy, c-format
+msgid "Failed to probe device %s for a signature."
+msgstr "Kan geen map voor de apparaatstoewijzer verkrijgen."
+
+#: src/utils_tools.c:629
+#, fuzzy
+msgid ""
+"\n"
+"Reencryption interrupted."
+msgstr "Blokgrootte herencryptie"
+
+#: src/utils_password.c:43 src/utils_password.c:75
+#, fuzzy, c-format
+msgid "Cannot check password quality: %s"
+msgstr "Kan wachtwoordkwaliteit niet nakijken: %s\n"
+
+#: src/utils_password.c:51
+#, fuzzy, c-format
 msgid ""
 "Password quality check failed:\n"
-" %s\n"
+" %s"
 msgstr ""
 "Wachtwoordkwaliteitscontrole gefaald:\n"
 "%s\n"
 
-#: src/utils_password.c:82
+#: src/utils_password.c:83
+#, c-format
+msgid "Password quality check failed: Bad passphrase (%s)"
+msgstr "Wachtwoordkwaliteitscontrole gefaald: wachtwoord is van slechte kwaliteit (%s)"
+
+#: src/utils_password.c:193 src/utils_password.c:208
+msgid "Error reading passphrase from terminal."
+msgstr "Fout bij het lezen van het wachtwoord uit de terminal."
+
+#: src/utils_password.c:206
+msgid "Verify passphrase: "
+msgstr "Voer wachtwoord nogmaals in: "
+
+#: src/utils_password.c:213
+msgid "Passphrases do not match."
+msgstr "Wachtwoorden komen niet overeen."
+
+#: src/utils_password.c:250
+msgid "Cannot use offset with terminal input."
+msgstr "Kan de gegevenspositie niet via terminalinvoer gebruiken."
+
+#: src/utils_password.c:253
+#, c-format
+msgid "Enter passphrase: "
+msgstr "Voer wachtwoord in: "
+
+#: src/utils_password.c:256
 #, c-format
-msgid "Password quality check failed: Bad passphrase (%s)\n"
-msgstr "Wachtwoordkwaliteitscontrole gefaald: Wachtwoord is van slechte kwaliteit (%s)\n"
+msgid "Enter passphrase for %s: "
+msgstr "Voer wachtwoord in voor %s: "
+
+#: src/utils_password.c:287
+msgid "No key available with this passphrase."
+msgstr "Geen sleutel beschikbaar met dit wachtwoord."
+
+#: src/utils_password.c:289
+msgid "No usable keyslot is available."
+msgstr ""
+
+#: src/utils_password.c:328
+#, fuzzy, c-format
+msgid "Cannot open keyfile %s for write."
+msgstr "Kan bestand %s niet openen.\n"
+
+#: src/utils_password.c:335
+#, fuzzy, c-format
+msgid "Cannot write to keyfile %s."
+msgstr "Kan sleutelbestand %s niet lezen.\n"
+
+#: src/utils_luks2.c:47
+#, fuzzy, c-format
+msgid "Failed to open file %s in read-only mode."
+msgstr "Openen van sleutelbestand is mislukt.\n"
+
+#: src/utils_luks2.c:60
+msgid "Provide valid LUKS2 token JSON:\n"
+msgstr ""
+
+#: src/utils_luks2.c:67
+#, fuzzy
+msgid "Failed to read JSON file."
+msgstr "Openen van sleutelbestand is mislukt.\n"
+
+#: src/utils_luks2.c:72
+#, fuzzy
+msgid ""
+"\n"
+"Read interrupted."
+msgstr "VERITY-koptekst beschadigd.\n"
+
+#: src/utils_luks2.c:113
+#, fuzzy, c-format
+msgid "Failed to open file %s in write mode."
+msgstr "Openen van sleutelbestand is mislukt.\n"
+
+#: src/utils_luks2.c:122
+msgid ""
+"\n"
+"Write interrupted."
+msgstr ""
+
+#: src/utils_luks2.c:126
+#, fuzzy
+msgid "Failed to write JSON file."
+msgstr "Openen van sleutelbestand is mislukt.\n"
+
+#~ msgid "Replaced with key slot %d.\n"
+#~ msgstr "Vervangen door sleutelplaats %d.\n"
+
+#~ msgid "Function not available in FIPS mode.\n"
+#~ msgstr "Functie niet beschikbaar in FIPS-modus.\n"
+
+#~ msgid "Too many tree levels for verity volume.\n"
+#~ msgstr "Te veel niveau's in de boomstructuur voor een VERITY-volume.\n"
+
+#~ msgid "memory allocation error in action_luksFormat"
+#~ msgstr "geheugentoewijzingsfout in action_luksFormat"
+
+#~ msgid "Key %d not active. Can't wipe.\n"
+#~ msgstr "Sleutel %d is niet actief. Kan niet wissen.\n"
+
+#~ msgid "<name> <data_device> <hash_device> <root_hash>"
+#~ msgstr "<naam> <gegevensapparaat> <hash-apparaat> <root-hash>"
+
+#~ msgid "create active device"
+#~ msgstr "actief apparaat aanmaken"
+
+#~ msgid "remove (deactivate) device"
+#~ msgstr "apparaat verwijderen (deactiveren)"
+
+#~ msgid "Activated keyslot %i.\n"
+#~ msgstr "Sleutelplaats %d geactiveerd.\n"
+
+#~ msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
+#~ msgstr "Vooruitgang: %5.1f%%, geschatte voltooiïngstijd %02llu:%02llu, %4llu MB geschreven, snelheid %5.1f MiB/s%s"
+
+#~ msgid "Interrupted by a signal.\n"
+#~ msgstr "Onderbroken door een signaal.\n"
 
 #~ msgid "Cannot find a free loopback device.\n"
 #~ msgstr "Kan geen vrij loopback-apparaat vinden.\n"
@@ -1856,12 +4016,6 @@
 #~ msgid "Cannot open device %s for %s%s access.\n"
 #~ msgstr "Kan apparaat %s niet openen voor %s%s-toegang.\n"
 
-#~ msgid "exclusive "
-#~ msgstr "exclusieve "
-
-#~ msgid "writable"
-#~ msgstr "schrijf"
-
 #~ msgid "read-only"
 #~ msgstr "alleen-lezen"
 
@@ -1871,21 +4025,9 @@
 #~ msgid "Unable to obtain sector size for %s"
 #~ msgstr "Kan sectorgrootte van %s niet verkrijgen"
 
-#~ msgid "Failed to obtain device mapper directory."
-#~ msgstr "Kan geen map voor de apparaatstoewijzer verkrijgen."
-
 #~ msgid "Backup file %s doesn't exist.\n"
 #~ msgstr "Reservekopiebestand %s bestaat niet.\n"
 
-#~ msgid "Cannot open file %s.\n"
-#~ msgstr "Kan bestand %s niet openen.\n"
-
-#~ msgid "Failed to write to key storage.\n"
-#~ msgstr "Schrijven naar sleutelopslag is mislukt.\n"
-
-#~ msgid "Failed to read from key storage.\n"
-#~ msgstr "Lezen uit sleutelopslag is mislukt.\n"
-
 #~ msgid "<name> <device>"
 #~ msgstr "<naam> <apparaat>"
 
@@ -1904,18 +4046,9 @@
 #~ msgid "remove loop-AES mapping"
 #~ msgstr "loop-AES-toewijzing verwijderen"
 
-#~ msgid "Option --allow-discards is allowed only for luksOpen, loopaesOpen and create operation.\n"
-#~ msgstr "Optie --allow-discards wordt enkel ondersteund voor de luksOpen-, loopaesOpen- en create-opdrachten.\n"
-
 #~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
 #~ msgstr "Kan apparaat %s niet gebruiken (cryptsegmenten overlappen of worden door een ander apparaat gebruikt).\n"
 
-#~ msgid "Key slot %d verified.\n"
-#~ msgstr "Sleutelplaats %d is geverifieerd.\n"
-
-#~ msgid "Invalid key size %d.\n"
-#~ msgstr "Ongeldige sleutelgrootte %d.\n"
-
 #~ msgid "Block mode XTS is available since kernel 2.6.24.\n"
 #~ msgstr "Blokmodus XTS is beschikbaar vanaf kernelversie 2.6.24.\n"
 
@@ -1937,9 +4070,6 @@
 #~ msgid "Cannot open device: %s\n"
 #~ msgstr "Kan apparaat niet openen: %s\n"
 
-#~ msgid "BLKROGET failed on device %s.\n"
-#~ msgstr "BLKROGET() is mislukt op apparaat %s.\n"
-
 #~ msgid "BLKGETSIZE failed on device %s.\n"
 #~ msgstr "BLKGETSIZE() is mislukt op apparaat %s.\n"
 
@@ -1967,6 +4097,3 @@
 
 #~ msgid "%s is not LUKS device.\n"
 #~ msgstr "%s is geen LUKS-apparaat.\n"
-
-#~ msgid "%s is not LUKS device."
-#~ msgstr "%s is geen LUKS-apparaat."
diff -Nru cryptsetup-2.2.2/po/pl.po cryptsetup-2.3.1/po/pl.po
--- cryptsetup-2.2.2/po/pl.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/pl.po	2020-03-12 08:39:20.000000000 +0000
@@ -1,14 +1,14 @@
 # Polish translation for cryptsetup.
 # Copyright (C) 2010 Free Software Foundation, Inc.
 # This file is put in the public domain.
-# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2019.
+# Jakub Bogusz <qboosh@pld-linux.org>, 2010-2020.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-18 16:11+0200\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 14:31+0100\n"
 "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
 "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
 "Language: pl\n"
@@ -18,65 +18,65 @@
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Nie można zainicjować device-mappera w czasie działania jako nie-root."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Nie można zainicjować device-mappera. Czy moduł jądra dm_mod jest wczytany?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "Żądana flaga odroczona nie jest obsługiwana."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID dla urządzenia %s został skrócony."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "Nieznany typ celu dm."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Żądane opcje dm-crypta dotyczące wydajności nie są obsługiwane."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Żądane opcje dm-verity dotyczące obsługi uszkodzenia danych nie są obsługiwane."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Żądane opcje FEC dm-verity nie są obsługiwane."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Żądane opcje integralności danych nie są obsługiwane."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "Żądana opcja sector_size nie jest obsługiwana."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Żądane automatyczne przeliczenie znaczników integralności nie jest obsługiwane."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Żądany tryb bitmapy dm-integrity nie jest obsługiwany."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Porzucenie/TRIM nie jest obsługiwane."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Nie udało się odpytać segmentu dm-%s."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -84,548 +84,565 @@
 "Entropia w systemie wyczerpała się w trakcie generowania klucza wolumenu.\n"
 "Proszę poruszać myszą albo wpisać trochę tekstu w innym oknie w celu zebrania zdarzeń losowych.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Generowanie klucza (gotowe %d%%).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Działanie w trybie FIPS."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Błąd krytyczny w trakcie inicjalizacji RNG."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "Nieznane żądanie jakości RNG."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Błąd odczytu z RNG."
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Nie można zainicjować backendu kryptograficznego RNG."
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "Nie można zainicjować backendu kryptograficznego."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Algorytm skrótu %s nie jest obsługiwany."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Błąd przetwarzania klucza (użyto algorytmu skrótu %s)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
-msgstr "Nie można określić rodzaju urządzenia. Niezgodny sposób aktywacji urządzenia?"
+msgstr "Nie można określić rodzaju urządzenia. Niezgodny sposób uaktywniania urządzenia?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS."
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Ta operacja jest obsługiwana tylko dla urządzeń LUKS2."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Wszyskie miejsca na klucze są pełne."
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Numer klucza %d jest błędny, proszę wybrać wartość między 0 a %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Miejsce na klucz %d jest pełne, proszę wybrać inne."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "Rozmiar urządzenia nie jest wyrównany do rozmiaru bloku logicznego urządzenia."
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Wykryto nagłówek, ale urządzenie %s jest zbyt małe."
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Ta operacja nie jest obsługiwana dla tego rodzaju urządzenia."
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Niedozwolona operacja w trakcie ponownego szyfrowania."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Nieobsługiwana wersja LUKS %d."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Osobne urządzenie metadanych nie jest obsługiwane dla tego rodzaju szyfrowania."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "Urządzenie %s nie jest aktywne."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Urządzenie stojące za urządzeniem szyfrowanym %s zniknęło."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Błędne parametry szyfru plain."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Błędny rozmiar klucza."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "UUID nie jest obsługiwany dla tego rodzaju szyfrowania."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Nieobsługiwany rozmiar sektora szyfrowania."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "Rozmiar urządzenia nie jest wyrównany do żądanego rozmiaru sektura."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "Nie można sformatować LUKS-a bez urządzenia."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Żądane wyrównanie metadanych nie jest zgodne z offsetem danych."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "UWAGA: offset danych leży poza obecnie dostępnym urządzeniem danych.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Nie można wymazać nagłówka na urządzeniu %s."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
-msgstr "UWAGA: aktywacja urządzenia się nie powiedzie, dm-crypt nie ma obsługi żądanego rozmiaru sektora szyfrowania.\n"
+msgstr "UWAGA: uaktywnienie urządzenia się nie powiedzie, dm-crypt nie ma obsługi żądanego rozmiaru sektora szyfrowania.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Klucz wolumenu jest zbyt mały do szyfrowania z rozszerzeniami integralności."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Szyfr %s-%s (rozmiar klucza w bitach: %zd) nie jest dostępny."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "UWAGA: rozmiar metadanych LUKS2 zmienił się na %<PRIu64> (w bajtach).\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "UWAGA: rozmiar obszaru kluczy LUKS2 zmienił się na %<PRIu64> (w bajtach).\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Urządzenie %s jest zbyt małe."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Nie można sformatować urządzenia %s, które jest w użyciu."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Nie można sformatować urządzenia %s, brak uprawnień."
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Nie można sformatować integralności dla urządzenia %s."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Nie można sformatować urządzenia %s."
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "Nie można sformatować urządzenia LUKSAES bez urządzenia."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "Nie można sformatować VERITY bez urządzenia."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Nieobsługiwany typ hasza VERITY %d."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "Nieobsługiwany rozmiar bloku VERITY."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Nieobsługiwany offset hasza VERITY."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "Nieobsługiwany offset FEC VERITY."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "Obszar danych zachodzi na obszar skrótów."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "Obszar skrótu zachodzi na obszar FEC."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "Obszar danych zachodzi na obszar FEC."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "UWAGA: żądany rozmiar znacznika %d B różni się od rozmiaru wyjścia %s (%d B).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Nieznany typ żądanego urządzenia szyfrującego %s."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Nieobsługiwane parametry urządzenia %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Niezgodne parametry dla urządzenia %s."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Urządzenia szyfrowane nie zgadzają się."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Nie udało się przeładować urządzenia %s."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Nie udało się wstrzymać urządzenia %s."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Nie udało wznowić urządzenia %s."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Błąd krytyczny przy przeładowywaniu urządzenia %s (w oparciu o urządzenie %s)."
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Nie udało się przełączyć urządzenia %s na dm-error."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "Nie można zmienić rozmiaru urządzenia loopback."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "Czy na pewno zmienić UUID urządzenia?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Plik nagłówka kopii zapasowej nie zawiera zgodnego nagłówka LUKS."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Wolumen %s nie jest aktywny."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Wolumen %s już został wstrzymany."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Wstrzymywanie nie jest obsługiwane dla urządzenia %s."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Błąd podczas wstrzymywania urządzenia %s."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Wolumen %s nie jest wstrzymany."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Wznawianie nie jest obsługiwane dla urządzenia %s."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Błąd podczas wznawiania urządzenia %s."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "Klucz wolumenu nie pasuje do wolumenu."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Nie można dodać klucza, wszystkie miejsca na klucze wyłączone i nie podano klucza wolumenu."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "Nie udało się podstawić nowego klucza."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "Klucz wolumenu nie pasuje do wolumenu."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Numer klucza %d jest nieprawidłowy."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Klucz %d nie jest aktywny."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "Nagłówek urządzenia zachodzi na obszar danych."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Ponowne szyfrowanie trwa. Nie można uaktywnić urządzenia."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "Nie udało się uzyskać blokady ponownego szyfrowania."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Odtwarzanie ponownego szyfrowania LUKS2 nie powiodło się."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Typ urządzenia nie został właściwie zainicjalizowany."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Nie można użyć urządzenia %s, nazwa jest nieprawidłowa lub nadal w użyciu."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "Urządzenie %s już istnieje."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Podano niewłaściwy klucz wolumenu dla zwykłego urządzenia."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "Podano niewłaściwy hasz główny dla urządzenia VERITY."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Wymagany podpis hasza głównego."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Brak pęku kluczy w jądrze: wymagany do przekazania podpisu do jądra."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "Nie udało się załadować klucza do pęku kluczy w jądrze."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Urządzenie %s jest nadal w użyciu."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Błędne urządzenie %s."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "Bufor klucza wolumenu zbyt mały."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Nie można odtworzyć klucza wolumenu dla zwykłego urządzenia."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Nie można odtworzyć hasza głównego dla urządzenia VERITY."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Ta operacja nie jest obsługiwana dla urządzenia szyfrującego %s."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "Operacja zrzutu nie jest obsługiwana dla tego rodzaju urządzenia."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Offset danych nie jest wielokrotnością liczby bajtów %u."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Nie można przekonwertować urządzenia %s, które jest nadal w użyciu."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Nie udało się przypisać klucza %u jako nowego klucza wolumenu."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Nie udało się zainicjować domyślnych parametrów klucza LUKS2."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Nie udało się przypisać klucza %d do skrótu."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "Nie udało się załadować klucza do pęku kluczy w jądrze."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Pęk kluczy w jądrze nie jest obsługiwany przez jądro."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Nie udało się odczytać hasła z pęku kluczy (błąd %d)."
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Nie udało się uzyskać globalnej blokady serializacji dostępu ciężkiego pamięciowo."
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "Nie można odczytać priorytetu procesu."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "Nie można odblokować pamięci."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "Nie udało się otworzyć pliku klucza."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "Nie można odczytać pliku klucza z terminala."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "Nie udało się wykonać stat na pliku klucza."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Nie można przemieścić się do żądanego położenia pliku klucza."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Brak pamięci podczas odczytu hasła."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Błąd podczas odczytu hasła."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "Na wejściu nie ma nic do odczytu."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Przekroczono maksymalny rozmiar pliku klucza."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "Nie można odczytać żądanej ilości danych."
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Urządzenie %s nie istnieje lub dostęp jest zabroniony."
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Urządzenie %s nie jest zgodne."
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Urządzenie %s jest zbyt małe. Wymagane przynajmniej %<PRIu64> bajtów."
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Nie można użyć urządzenia %s, które jest w użyciu (już podmapowane lub zamontowane)."
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Nie można użyć urządzenia %s, brak uprawnień."
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Nie można uzyskać informacji o urządzeniu %s."
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Nie można użyć urządzenia loopback w czasie działania jako nie-root."
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Nie udało się podłączyć urządzenia loopback (wymagane urządzenie loop z flagą autoclear)."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Żądany offset jest poza rzeczywistym rozmiarem urządzenia %s."
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Urządzenie %s ma zerowy rozmiar."
@@ -692,32 +709,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "Niekompatybilne opcje PBKDF."
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Blokowanie nie powiodło się. Ścieżka blokady %s/%s jest nieużywalna (brak lub nie jest katalogiem)."
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "UWAGA: brak katalogu blokad %s/%s!\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Blokowanie przerwane. Ścieżka blokady %s/%s jest nieużywalna (%s nie jest katalogiem)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "Nie można przemieścić się we właściwe położenie urządzenia."
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Błąd wymazywania urządzenia, offset %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -726,120 +743,120 @@
 "Nie udało się ustawić odwzorowania klucza dm-crypt dla urządzenia %s.\n"
 "Proszę sprawdzić, czy jądro obsługuje szyfr %s (więcej informacji w syslogu)."
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Rozmiar klucza w trybie XTS musi wynosić 256 lub 512 bitów."
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Określenie szyfru powinno być w formacie [szyfr]-[tryb]-[iv]."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Nie można zapisać na urządzenie %s, brak uprawnień."
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "Nie udało się otworzyć urządzenia do tymczasowego przechowywania kluczy."
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "Nie udało się uzyskać dostępu do urządzenia do tymczasowego przechowywania kluczy."
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "Błąd we/wy podczas szyfrowania klucza."
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Nie można otworzyć urządzenia %s."
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "Błąd we/wy podczas odszyfrowywania klucza."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Urządzenie %s jest zbyt małe (LUKS1 wymaga przynajmniej %<PRIu64> bajtów)."
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "Numer klucza LUKS %u jest nieprawidłowy."
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem LUKS."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Żądany plik kopii zapasowej nagłówka %s już istnieje."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Nie można utworzyć pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Nie można zapisać pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Plik kopii zapasowej nie zawiera prawidłowego nagłówka LUKS."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Nie można otworzyć pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Nie można odczytać pliku kopii zapasowej nagłówka %s."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Offset danych lub rozmiar klucza różnią się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Urządzenie %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "nie zawiera nagłówka LUKS. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "już zawiera nagłówek LUKS. Nadpisanie nagłówka zniszczy istniejące klucze."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -847,100 +864,105 @@
 "\n"
 "UWAGA: nagłówek prawdziwego urządzenia ma inny UUID niż kopia zapasowa!"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "Niestandardowy rozmiar klucza, wymagana ręczna naprawa."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Niestandardowe wyrównanie kluczy, wymagana ręczna naprawa."
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Naprawianie kluczy."
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Klucz %i: naprawiono offset (%u -> %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Klucz %i: naprawiono pasy (%u -> %u)."
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Klucz %i: błędna sygnatura partycji."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Klucz %i: zarodek wymazany."
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "Zapis nagłówka LUKS na dysk."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "Naprawa nie powiodła się."
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Żądany skrót LUKS %s nie jest obsługiwany."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "W nagłówku LUKS nie wykryto żadnych znanych problemów."
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Błąd podczas uaktualniania nagłówka LUKS na urządzeniu %s."
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Błęd podczas ponownego odczytu nagłówka LUKS po uaktualnieniu na urządzeniu %s."
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Offset danych dla nagłówka LUKS musi wynosić 0 lub więcej niż rozmiar nagłówka."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "Podano zły format LUKS UUID."
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Nie można utworzyć nagłówka LUKS: odczyt losowego zarodka nie powiódł się."
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Nie można utworzyć nagłówka LUKS: uzyskanie skrótu nagłówka nie powiodło się (przy użyciu algorytmu %s)."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Klucz numer %d jest aktywny, należy go najpierw wyczyścić."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Klucz %d zawiera zbyt mało pasów. Zmieniony nagłówek?"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Nie można otworzyć klucza (przy użyciu skrótu %s)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Numer klucza %d jest błędny, proszę wybrać numer od 0 do %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Nie można wymazać urządzenia %s."
@@ -958,97 +980,189 @@
 msgstr "Wykryto niekompatybilny plik klucza loop-AES."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Jądro nie obsługuje odwzorowań zgodnych z loop-AES."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Błąd odczytu pliku klucza %s."
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Przekroczono maksymalną długość hasła TCRYPT (%d)."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Przekroczono maksymalną długość hasła TCRYPT (%zu)."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Algorytm skrótu PBKDF2 %s nie jest dostępny, pominięto."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "Wymagany interfejs kryptograficzny jądra nie jest dostępny."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Proszę upewnić się, że moduł jądra algif_skcipher został załadowany."
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
-msgstr "Aktywacja nie jest obsługiwana dla rozmiaru sektora %d."
+msgstr "Uaktywnianie nie jest obsługiwane dla rozmiaru sektora %d."
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
-msgstr "Jądro nie obsługuje aktywacji dla tego starego trybu TCRYPT."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
+msgstr "Jądro nie obsługuje uaktywniania dla tego starego trybu TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Włączanie szyfrowania systemu TCRYPT dla partycji %s."
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Jądro nie obsługuje odwzorowań zgodnych z TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Ta funkcja nie jest obsługiwana bez załadowanego nagłówka TCRYPT."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany wpis metadanych typu '%u'."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Przy analizie Głównego Klucza Wolumenu napotkano błędny ciąg znaków."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwany ciąg znaków ('%s')."
+
+#: lib/bitlk/bitlk.c:398
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Przy analizie obsługiwanego Głównego Klucza Wolumenu napotkano nieoczekiwaną wartość wpisu metadanych '%u'."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Nie udało się odczytać sygnatury BITLK z %s."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK w wersji 1 nie jest obecnie obsługiwany."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Błędna lub nieznana sygnatura rozruchowa urządzenia BITLK."
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Błędna lub nieznana sygnatura urządzenia BITLK."
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Nie udało się odczytać nagłówka BITLK z %s."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Nie udało się odczytać metadanych BITLK FVE z %s."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Nieznany lub nieobsługiwany rodzaj szyfrowania."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Nie udało się odczytać wpisów metadanych BITLK z %s."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Ta operacja nie jest obsługiwana."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Błędny rozmiar klucza."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "To urządzenie BITLK jest w nieobsługiwanym stanie i może być uaktywnione."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Urządzenia BITLK o typie '%s' nie mogą być uaktywnione."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Uaktywnianie częściowo odszyfrowanych urządzeń BITLK nie jest obsługiwane."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Nie można uaktywnić urządzenia, brak obsługi BITLK IV w module dm-crypt jądra."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Nie można uaktywnić urządzenia, brak obsługi dyfuzora BITLK Elephant w module dm-crypt jądra."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
+#, c-format
+msgid "Verity device %s does not use on-disk header."
 msgstr "Urządzenie Verity %s nie używa nagłówka na dysku."
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Urządzenie %s nie jest prawidłowym urządzeniem VERITY."
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Nieobsługiwana wersja VERITY %d."
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "Uszkodzony nagłówek VERITY."
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "Podano zły format UUID-a VERITY na urządzeniu %s."
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Błąd podczas uaktualniania nagłówka VERITY na urządzeniu %s."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "Weryfikacja podpisu hasza głównego nie jest obsługiwana."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Błędów nie można naprawić z urządzeniem FEC."
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Znaleziono %u błędów możliwych do naprawienia z urządzeniem FEC."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
 msgstr "Jądro nie obsługuje odwzorowań dm-verity."
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Jądro nie obsługuje opcji podpisu dm-verity."
+
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "Urządzenie VERITY wykryło uszkodzenie po uaktywnieniu."
 
@@ -1057,92 +1171,96 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Nie wyzerowane miejsce zapasowe na pozycji %<PRIu64>."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Przepełnienie offsetu urządzenia."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Weryfikacja nie powiodła się na pozycji %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Błędne parametry rozmiaru dla urządzenia VERITY."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Przepełnienie obszaru skrótu."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Weryfikacja obszaru danych nie powiodła się."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Weryfikacja głównego hasza nie powiodła się."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Błąd wejścia/wyjścia podczas tworzenia obszaru haszy."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "Tworzenie obszaru haszy nie powiodło się."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "UWAGA: Jądro nie może uaktywnić urządzenia, jeśli rozmiar bloku danych przekracza rozmiar strony (%u)."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Nie udało się przydzielić kontekstu RS."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "Nie udało się przydzielić bufora."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Nie udało się odczytać bloku RS %<PRIu64> bajt %d."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Nie udało się odczytać parzystości dla bloku RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Nie udało się naprawić parzystości dla bloku %<PRIu64>."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Nie udało się zapisać parzystości dla bloku RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Dla FEC rozmiary bloków muszą się zgadzać."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Błędna liczba bajtów parzystości."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Nie udało się określić rozmiaru urządzenia %s."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "Jądro nie obsługuje odwzorowań dm-integrity."
 
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Jądro nie obsługuje stałego wyrównania metadanych dm-integrity."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Nie udało się uzyskać blokady dla zapisu na urządzeniu %s."
@@ -1168,40 +1286,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "UWAGA: obszar kluczy (%<PRIu64> bajtów) bardzo mały, dostępna liczba kluczy LUKS2 jest bardzo ograniczona.\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Nie udało się uzyskać blokady do odczytu na urządzeniu %s."
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "Wykryto zabronione wymagania LUKS2 w kopii zapasowej %s."
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Offset danych różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Nagłówek binarny z rozmiarem obszarów kluczy różni się między urządzeniem a kopią zapasową; przywrócenie nie powiodło się."
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Urządzenie %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "nie zawiera nagłówka LUKS2. Nadpisanie nagłówka może zniszczyć dane na tym urządzeniu."
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "już zawiera nagłówek LUKS2. Nadpisanie nagłówka zniszczy istniejące klucze."
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1211,7 +1329,7 @@
 "UWAGA: wykryto nieznane wymagania LUKS2 w nagłówku prawdziwego urządzenia!\n"
 "Nadpisanie nagłówka kopią zapasową może uszkodzić dane na tym urządzeniu!"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1221,58 +1339,58 @@
 "UWAGA: wykryto nie zakończone ponowne szyfrowanie offline na urządzeniu!\n"
 "Nadpisanie nagłówka kopią zapasową może uszkodzić dane."
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Zignorowano nieznaną flagę %s."
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Brak klucza dla segmentu dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "Nie udało się ustawić segmentu dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "Nie udało się ustawić segmentu dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "Nieobsługiwana konfiguracja integralności urządzenia."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Podobne szyfrowanie trwa. Nie można dezaktywować urządzenia."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Nie udało się zastąpić wstrzymanego urządzenia %s celem dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "Nie udało się odczytać wymagań LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Wykryto nie spełnione wymagania LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Ponowne szyfrowanie offline w trakcie. Przerwano."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Ponowne szyfrowanie online trwa. Przerwano."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania starym szyfrem. Przerwano."
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Operacja niezgodna z urządzeniem oznaczonym do ponownego szyfrowania LUKS2. Przerwano."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "Za mało dostępnej pamięci, aby otworzyć klucz."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Nie udało się otworzyć klucza."
 
@@ -1285,52 +1403,56 @@
 msgid "No space for new keyslot."
 msgstr "Brak miejsca na nowy klucz."
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Nie można sprawdzić stanu urządzenia mającego UUID: %s."
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Nie można przekonwertować nagłówka z dodatkowymi metadanymi LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Nie można przenieść obszaru kluczy. Brak miejsca."
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Nie można przenieść obszaru kluczy. Obszar kluczy LUKS2 zbyt mały."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Nie można przenieść obszaru kluczy."
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Nie można przekonwertować do formatu LUKS1 - domyślny rozmiar sektora szyfrowania segmentu nie wynosi 512 bajtów."
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Nie można przekonwertować formatu LUKS1 - skróty kluczy nie są zgodne z LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Nie można przekonwertować formatu LUKS1 - urządzenie używa szyfru %s z obudowanym kluczem."
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Nie można przekonwertować do formatu LUKS1 - nagłówek LUKS2 zawiera %u token(ów)."
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u jest w błędnym stanie."
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u (powyzej maksimum) jest nadal aktywny."
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "Nie można przekonwertować do formatu LUKS1 - klucz %u nie jest zgodny z LUKS1."
@@ -1352,7 +1474,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Nie udało się zainicjować obudowania przestrzeni starego segmentu."
 
@@ -1364,7 +1486,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "Nie udało się odczytać sum kontrolnych dla aktualnej strefy hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Nie udało się odczytać obszaru hotzone zaczynającego się od %<PRIu64>."
@@ -1422,119 +1544,119 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Przesunięcie danych (sektorów: %<PRIu64>) jest mniejsze niż przyszły offset danych (sektorów: %<PRIu64>)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Nie udało się otworzyć %s w trybie wyłączności (już odwzorowano lub zamontowano)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "Brak trwającego ponownego szyfrowania LUKS2."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Urządzenie nie jest oznaczone do ponownego szyfrowania LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Nie udało się załadować kontekstu ponownego szyfrowania LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "Nie udało się pobrać stanu ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "Urządzenie nie jest w trakcie ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "Proces ponownego szyfrowania już trwa."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "Nie udało się uzyskać blokady dla ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Nie można kontynuować ponownego szyfrowania. Należy najpierw uruchomić odtworzenie ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Rozmiar urządzenia aktywnego oraz żądany rozmiar ponownego szyfrowania różnią się."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "W parametrach ponownego szyfrowania zażądano niedozwolonego rozmiaru urządzenia."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Ponowne szyfrowanie trwa. Nie można wykonać odzyskiwania."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane w metadanych."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Nie udało się zainicjować ponownego szyfrowania LUKS2 w metadanych."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Nie udało się ustawić segmentów urządzeń dla następnej strefy hotzone ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Nie udało się zapisać metadanych odporności ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "Odszyfrowanie nie powiodło się."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Nie udało się zapisać obszaru hotzone zaczynającego się od %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "Nie udało się zsynchronizować danych."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Nie udało się uaktualnić metadanych po zakończeniu aktualnej strefy hotzone ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "Nie udało się zapisać metadanych LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "Nie udało wymazać danych segmentu zapasowego."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "Nie udało się wyłączyć flagi wymagania ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Błąd krytyczny podczas ponownego szyfrowania fragmentu zaczynającego się od %<PRIu64> o długości w sektorach %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Proszę nie wznawiać urządzenia dopóki nie zostanie zastąpione celem błędnym ręcznie."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Nie można kontynuować ponownego szyfrowania. Nieoczekiwany stan ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Brak lub błędny kontekst ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "Nie udało się zainicjować stosu urządzenia ponownego szyfrowania."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "Nie udało się uaktualnić kontekstu ponownego szyfrowania."
 
@@ -1547,64 +1669,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Nie udało się utworzyć wbudowanego tokenu %s."
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Nie można wykonać weryfikacji hasła, jeśli wejściem nie jest terminal."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Parametry szyfrowania kluczy mogą być ustawione tylko dla urządzeń LUKS2."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Nie wykryto znanego wzorca określającego szyfr."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "UWAGA: Parametr --hash jest ignorowany w trybie zwykłym z podanym plikiem klucza.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "UWAGA: Opcja --keyfile-size jest ignorowana, rozmiar odczytu jest taki sam, jak rozmiar klucza szyfrującego.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Wykryto sygnatury urządzeń na %s. Dalsze operacje mogą uszkodzić istniejące dane."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Operacja przerwana.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Wymagana jest opcja --key-file."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Proszę wprowadzić PIM VeraCrypt: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Błędna wartość PIM: błąd składni."
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Błędna wartość PIM: 0."
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Błędna wartość PIM: poza zakresem."
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "Nie wykryto nagłówka urządzenia z tym hasłem."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Urządzenie %s nie jest prawidłowym urządzeniem BITLK."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1615,68 +1742,68 @@
 "Zrzut ten powinien być zawsze zapisywany w postaci zaszyfrowanej\n"
 "w bezpiecznym miejscu."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Urządzenie %s jest nadal aktywne i zaplanowane do odroczonego usunięcia.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Zmiana rozmiaru aktywnego urządzenia wymaga klucza wolumenu w pęku, ale ustawiono opcję --disable-keyring."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Test szybkości przerwany."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     N/D\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u iteracji/sekundę dla klucza %zu-bitowego\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s N/D\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u iteracji, pamięć: %5u, równoległe wątki (CPU): %1u dla klucza %zu-bitowego (żądany czas %u ms)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Wynik testu wydajności nie jest wiarygodny."
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Testy są przybliżone tylko z użyciem pamięci (bez we/wy na dysk).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s  Algorytm |     Klucz |     Szyfrowanie | Odszyfrowywanie\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Szyfr %s nie jest dostępny."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#      Algorytm |     Klucz |     Szyfrowanie | Odszyfrowywanie\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "N/D"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1684,19 +1811,19 @@
 "Wygląda na to, że urządzenie nie wymaga odtwarzania ponownego szyfrowania.\n"
 "Czy mimo to kontynuować?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Naprawdę kontynuować odtwarzanie ponownego szyfrowania LUKS2?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Hasło do odtwarzania ponownego szyfrowania: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Naprawdę próbować naprawić nagłówek urządzenia LUKS?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1704,127 +1831,127 @@
 "Czyszczenie urządzenia w celu zainicjowania sumy kontrolnej integralności.\n"
 "Można przerwać ten proces wciskając Ctrl+C (reszta nie wymazanego urządzenia będzie zawierać błędną sumę kontrolną).\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Nie można dezaktywować urządzenia tymczasowego %s."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Opcja integralności może być używana tylko dla formatu LUKS2."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Nieobsługiwane opcje rozmiaru metadanych LUKS2."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Nie można utworzyć pliku nagłówka %s."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Nie wykryto znanego wzorca określającego integralność."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Nie można użyć %s jako nagłówka na dysku."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "To nieodwołalnie nadpisze dane na %s."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Nie udało się ustawić parametrów PBKDF."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Offset zmniejszonych danych jest dozwolony tylko dla osobnego nagłówka LUKS."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Nie można określić rozmiaru klucza wolumenu dla LUKS bez kluczy, proszę użyć opcji --key-size."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
-msgstr "Urządzenie aktywowane, ale nie można uczynić flag trwałymi."
+msgstr "Urządzenie uaktywnione, ale nie można uczynić flag trwałymi."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Klucz %d jest wybrany do usunięcia."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "To jest ostatni klucz. Urządzenie stanie się bezużyteczne po usunięciu tego klucza."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Dowolne pozostałe hasło: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Operacja przerwana, klucz NIE został wymazany.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Hasło do usunięcia: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Nowe hasło dla klucza: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Dowolne istniejące hasło: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Hasło, które ma być zmienione: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Nowe hasło: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Hasło dla klucza do konwersji: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Dla operacji isLuks obsługiwany jest tylko jeden argument będący urządzeniem."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "Wymagana jest opcja --header-backup-file."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s nie jest urządzeniem zarządzanym przez cryptsetup."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Odświeżanie nie jest obsługiwane dla typu urządzenia %s"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Nie rozpoznany typ urządzenia metadanych %s."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "Polecenie wymaga urządzenia i nazwy odwzorowywanej jako argumentów."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1833,95 +1960,95 @@
 "Ta operacja usunię wszystkie klucze na urządzeniu %s.\n"
 "Urządzenie po tej operacji stanie się bezużyteczne."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Operacja przerwana, klucze NIE zostały wymazane.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Błędny typ LUKS, obsługiwane są tylko luks1 i luks2."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "Urządzenie już ma typ %s."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Ta operacja przekonwertuje %s do formatu %s.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Operacja przerwana, urządzenie NIE zostało skonwertowane.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Brak opcji --priority, --label lub --subsystem."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Token %d jest błędny."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "Token %d jest w użyciu."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Nie udało się dodać tokenu %d do pęku kluczy luks2."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Nie udało się przypisać tokenu %d do klucza %d."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Token %d nie jest w użyciu."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "Nie udało się zaimportować tokenu z pliku."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Nie udało się pobrać tokenu %d do eksportu."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Parametr --key-description jest wymagany do akcji dodania tokenu."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Akcja wymaga określonego tokenu. Należy użyć parametru --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Błędna operacja na tokenie %s."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Wykryto aktywne urządzenie dm '%s' dla urządzenia danych %s.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Urządzenie %s nie jest urządzeniem blokowym.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Nie udało się wykryć właścicieli urządzenia %s."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1935,229 +2062,233 @@
 "Aby uruchomić ponowne szyfrowanie w trybie online, należy użyć parametru\n"
 "--active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "Błędny typ urządzenia LUKS."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Szyfrowanie bez odłączonego nagłówka (--header) jest niemożliwe bez ograniczenia rozmiaru urządzenia danych (--reduce-device-size)."
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Żądany offset danych musi być mniejszy lub równy połowie parametru --reduce-device-size."
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Modyfikowanie wartości --reduce-device-size do dwukrotności parametru --offset %<PRIu64> (w sektorach).\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "Szyfrowanie jest obsługiwane tylko w formacie LUKS2."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "Wykrytu urządzenie LUKS na %s. Czy zaszyfrować to urządzenie LUKS jeszcze raz?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Plik nagłówka %s już istnieje. Przerwano."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Nie można utworzyć pliku tymczasowego nagłówka %s."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s jest teraz aktywne i gotowe do szyfrowania w locie."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s jest teraz aktywne i gotowe do szyfrowania w locie.\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "Za mało wolnych kluczy do ponownego szyfrowania."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Rozmiaru klucza można użyć tylko z --key-slot albo przy dokładnie jednym aktywnym kluczu."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Hasło dla klucza %d: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Hasło dla klucza %u: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "Polecenie wymaga urządzenia jako argumentu."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "Obecnie obsługiwany jest tylko format LUKS2. Dla LUKS1 proszę użyć narzędzia cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Tradycyjne ponowne szyfrowanie offline juz trwa. Proszę użyć narzędzia cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Ponowne szyfrowanie urządzenia z profilem integralności nie jest obsługiwane."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Ponowne szyfrowanie LUKS2 jest już zainicjowane. Przerywanie operacji."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "Urządzenie LUKS2 nie jest w trakcie ponownego szyfrowania."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<uządzenie> [--type <typ>] [<nazwa>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "otwarcie urządzenia jako <nazwa>"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<nazwa>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "zamknięcie urządzenia (usunięcie odwzorowania)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "zmiana rozmiaru aktywnego urządzenia"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "pokazanie stanu urządzenia"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <szyfr>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "test szybkości szyfru"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<urządzenie>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "próba naprawy metadanych na dysku"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "ponowne szyfrowanie urządzenia LUKS2"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "usunięcie wszystkich kluczy (usunięcie klucza szyfrującego)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "przekonwertowanie formatu LUKS z/do LUKS2"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "ustawienie opcji trwałej konfiguracji dla LUKS2"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<urządzenie> [<nowy plik klucza>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "sformatowanie urządzenia LUKS"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "dodanie klucza do urządzenia LUKS"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<urządzenie> [<plik klucza>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "usunięcie podanego klucza lub pliku klucza z urządzenia LUKS"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "zmiana podanego klucza lub pliku klucza urządzenia LUKS"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "konwersja klucza na nowe parametry pbkdf"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<urządzenie> <numer klucza>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "wymazanie klucza o numerze <numer klucza> z urządzenia LUKS"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "wypisanie UUID-a urządzenia LUKS"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "sprawdzenie <urządzenia> pod kątem nagłówka partycji LUKS"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "zrzut informacji o partycji LUKS"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "zrzut informacji o urządzeniu TCRYPT"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "zrzut informacji o urządzeniu BITLK"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Wstrzymanie urządzenia LUKS i wymazanie klucza (zamraża wszystkie operacje we/wy)"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "Wznowienie zatrzymanego urządzenia LUKS"
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Kopia zapasowa nagłówka i kluczy urządzenia LUKS"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Odtworzenie nagłówka i kluczy urządzenia LUKS z kopii zapasowej"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <urządzenie>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "Operacja na tokenach LUKS2"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2165,19 +2296,19 @@
 "\n"
 "<akcja> to jedno z:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Można także używać starych aliasów składni <akcja>:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2192,7 +2323,7 @@
 "<numer klucza> to numer klucza LUKS do zmiany\n"
 "<plik klucza> to opcjonalny plik nowego klucza dla akcji luksAddKey\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2201,7 +2332,7 @@
 "\n"
 "Domyślny wkompilowany format metadanych to %s (dla akcji luksFormat).\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2218,7 +2349,7 @@
 "Domyślny PBKDF dla LUKS2: %s\n"
 "\tCzas iteracji: %d, wymagana pamięć: %dkB, liczba wątków: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2233,439 +2364,443 @@
 "\tplain: %s, bitów klucza: %d, skrót hasła: %s\n"
 "\tLUKS: %s, bitów klucza: %d, skrót nagłówka LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Domyślny rozmiar klucza z trybem XTS (dwa klucze wewnętrzne) będzie podwojony.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: wymaga %s jako argumentów"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Wyświetlenie tego opisu"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Wyświetlenie krótkiej informacji o składni"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Wypisanie wersji pakietu"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Opcje pomocnicze:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Wyświetlanie bardziej szczegółowych komunikatów błędów"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Wyświetlanie informacji diagnostycznych"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Wyświetlanie informacji diagnostycznych wraz z metadanymi JSON"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Szyfr używany do zaszyfrowania dysku (p. /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Skrót używany do utworzenia klucza szyfrującego z hasła"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Sprawdzenie poprawności hasła poprzez dwukrotne pytanie"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Odczyt klucza z pliku"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "Odczyt klucza wolumenu (klucza głównego) z pliku."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Zrzut (głównego) klucza wolumenu zamiast informacji o kluczach"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Rozmiar klucza szyfrującego"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "BITÓW"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Ograniczenie odczytu z pliku klucza"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "bajty"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Liczba bajtów do pominięcia w pliku klucza"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Ograniczenie odczytu z nowo dodanego pliku klucza"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Liczba bajtów do pominięcia w nowo dodanym kluczu"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Numer dla nowego klucza (domyślny: pierwszy wolny)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "Rozmiar urządzenia"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "SEKTORÓW"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Użycie tylko określonego rozmiaru urządzenia (zignorowanie pozostałej części). NIEBEZPIECZNE!"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "Offset początku na urządzeniu przechowującym"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Liczba sektorów zaszyfrowanych danych do pominięcia"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Utworzenie odwzorowania tylko do odczytu"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Bez pytań o potwierdzenie"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Limit czasu przy interaktywnym pytaniu o hasło (w sekundach)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "s"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Uaktualnianie wiersza postępu (w sekundach)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Jak często można powtarzać próby wprowadzenia hasła"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Wyrównanie danych do granicy <n> sektorów - dla luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Plik z kopią zapasową nagłówka LUKS i kluczy"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Użycie /dev/random do wygenerowania klucza wolumenu"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Użycie /dev/urandom do wygenerowania klucza wolumenu"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Współdzielenie urządzenia z innym, nie zachodzącym segmentem szyfrowanym"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "UUID dla urządzenia, które ma być użyte"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Zezwolenie na żądania porzucenia (TRIM) dla urządzenia"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Urządzenie lub plik z osobnym nagłówkiem LUKS"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "Sprawdzenie hasła bez uaktywniania urządzenia"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Użycie nagłówka ukrytego (ukrytego urządzenia TCRYPT)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Urządzenie jest napędem systemowym TCRYPT (z bootloaderem)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Użycie zapasowego (drugiego) nagłówka TCRYPT"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Wyszukiwanie także urządzeń zgodnych z VeraCryptem"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "PIM (osobisty mnożnik iteracji) dla urządzenia zgodnego z VeraCryptem"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Odpytanie PIM (osobistego mnożnika iteracji) pod kątem urządzenia zgodnego z VeraCryptem"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Typ metadanych urządzenia: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Typ metadanych urządzenia: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Wyłączenie sprawdzania jakości hasła (jeśli włączone)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Użycie opcji zgodności wydajności dm-crypta same_cpu_crypt"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Użycie opcji zgodności wydajności dm-crypta submit_from_crypt_cpus"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "Usunięcie urządzenia jest odroczone do czasu zamknięcia przez ostatniego użytkownika"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Użycie globalnej blokady do serializacji ciężkich pamięciowo PBKDF (obejście OOM)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "Czas iteracji PBKDF dla LUKS (w milisekundach)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "ms"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "Algorytm PBKDF (dla LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "Limit kosztu pamięciowego PBKDF"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "kilobajty"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "Koszt zrównoleglenia PBKDF"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "wątki"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "Koszt iteracji PBKDF (wymuszony, wyłącza test wydajności)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Priorytet klucza: ignore, normal, prefer"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Wyłączenie blokowania metadanych na dysku"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Wyłączenie ładowania kluczy wolumenu przez pęk kluczy w jądrze"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Algorytm integralności danych (tylko LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Wyłączenie kroniki dla urządzenia integralności"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Bez wymazania urządzenia po formatowaniu"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Użycie niewydajnego starego wyrównania (stare jądra)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
-msgstr "Bez pytania o hasło, jeśli aktywacja przy użyciu tokenu się nie powiedzie"
+msgstr "Bez pytania o hasło, jeśli uaktywnienie przy użyciu tokenu się nie powiedzie"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Numer tokenu (domyślnie: dowolny)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Opis klucza"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Rozmiar sektora szyfrowania (domyślnie: 512 bajtów)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
-msgstr "Trwałe ustawienie flag aktywowania dla urządzenia"
+msgstr "Trwałe ustawienie flag uaktywniania dla urządzenia"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Ustawienie etykiety dla urządzenia LUKS2"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Ustawienie etykiety podsystemu dla urządzenia LUKS2"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Utworzenie nie powiązanego (z segmentem danych) klucza LUKS2"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "Odczyt lub zapis danych JSON z/do pliku"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Rozmiar obszaru metadanych nagłówka LUKS2"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Rozmiar obszaru kluczy nagłówka LUKS2"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
-msgstr "Odświeżenie (ponowna aktywacja) urządzenia z nowymi parametrami"
+msgstr "Odświeżenie (ponowne uaktywnienie) urządzenia z nowymi parametrami"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "Klucz LUKS2: rozmiar klucza szyfrującego"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "Klucz LUKS2: szyfr używany do szyfrowania kluczy"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "Szyfrowanie urządzenia LUKS2 (w miejscu)."
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "Odszyfrowanie urządzenia LUKS2 (usunięcie szyfrowania)."
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "Zainicjowanie ponownego szyfrowania LUKS2 wyłącznie w metadanych."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Wyłącznie wznowienie zainicjowanego ponownego szyfrowania LUKS2."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Ograniczenie rozmiaru urządzenia danych (przesunięcie położenia danych). NIEBEZPIECZNE!"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "Maksymalny rozmiar strefy hotzone ponownego szyfrowania."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Typ odporności strefy hotzone ponownego szyfrowania (checksum, journal, none)"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "Skrót sum kontrolknych strefy hotzone ponownego szyfrowania"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Nadpisanie wykrytego urządzenia dla urządzenia dm do ponownego szyfrowania"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[OPCJA...] <akcja> <parametry-akcji>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Brak argumentu <akcja>."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Nieznana akcja."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "Parametr --refresh jest dozwolony tylko dla operacji otwarcia i odświeżenia.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Opcje --refresh i --test-passphrase wykluczają się wzajemnie.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "Opcja --deferred jest dozwolona tylko dla operacji zamknięcia.\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Opcja --shared jest dozwolona tylko dla operacji otwarcia zwykłego urządzenia.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Opcja --allow-discards jest dozwolona tylko dla operacji otwarcia.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "Opcja --persistent jest dozwolona tylko dla operacji otwarcia.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "Opcja --serialize-memory-hard-pbkdf jest dozwolona tylko dla operacji otwarcia.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "Opcja --persistent nie jest dozwolona z --test-passphrase.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2674,245 +2809,255 @@
 "open i benchmark. Aby ograniczyć odczyt z pliku klucza, należy użyć\n"
 "--keyfile-size=(bajty)."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "Opcja --integrity jest dozwolona tylko dla operacji luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "Opcja --integrity-no-wipe może być użyta tylko do akcji formatowania z rozszerzeniem integralności.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Opcje --label i --subsystem są dozwolone tylko dla operacji LUKS2 luksFormat i config.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS i TRCYPT.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "Opcja --test-passphrase jest dozwolona tylko przy otwieraniu urządzeń LUKS, TRCYPT i BITLK.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Rozmiar klucza musi być wielokrotnością 8 bitów"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Numer klucza jest nieprawidłowy."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Opcja --key-file ma priorytet nad podanym argumentem pliku klucza."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "Liczba ujemna nie jest dozwolona dla tej opcji."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Dozwolony jest tylko jeden argument --key-file."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Dozwolona jest tylko jedna z opcji --use-[u]random."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "Opcja --use-[u]random jest dozwolona tylko dla operacji luksFormat."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Opcja --uuid jest dozwolona tylko dla operacji luksFormat i luksUUID."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Opcja --align-payload jest dozwolona tylko dla operacji luksFormat."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Opcje --luks2-metadata-size i --opt-luks2-keyslots-size są dozwolone tylko dla operacji luksFormat z LUKS2."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Błędne określenie rozmiaru metadanych LUKS2."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Błędne określenie rozmiaru kluczy LUKS2."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Opcji --align-payload i --offset nie można łączyć."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Opcja --skip jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes.\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "Opcja --offset jest obsługiwana tylko przy otwieraniu urządzeń plain i loopaes oraz dla operacji luksFormat i ponownego szyfrowania.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Opcje --tcrypt-hidden, --tcrypt-system i --tcrypt-backup są obsługiwane tylko dla urządzeń TCRYPT.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Opcji --tcrypt-hidden nie można łączyć z --allow-discards.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Opcja --veracrypt jest obsługiwana tylko dla typu urządzeń TCRYPT.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Podano błędny argument dla parametru --veracrypt-pim.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Opcja --veracrypt-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Opcja --veracrypt-query-pim jest obsługiwana tylko dla urządzeń zgodnych z VeraCryptem.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Opcje --veracrypt-pim i --veracrypt-query-pim wykluczają się wzajemnie.\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "Opcja --priority może mieć wartości tylko ignore/normal/prefer.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Wymagane jest określenie klucza.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "Funkcja pochodna klucza oparta na haśle (PBKDF) może być tylko pbkdf2 lub argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "Wymuszonych iteracji PBKDF nie można łączyć z opcją czasu iteracji.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "Opcja rozmiaru sektora nie jest obsługiwana dla tego polecenia.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Nieobsługiwany rozmiar sektora szyfrowania.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "Przy opcji --unbound wymagany jest rozmiar klucza.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "Opcja --unbound może być użyta tylko z akcją luksAddKey.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "Opcja --refresh może być użyta tylko dla akcji otwierania.\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "Nie można wyłączyć blokowania metadanych.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Błędne określenie maksymalnego rozmiaru strefy hotzone ponownego szyfrowania."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "Błędne określenie rozmiaru urządzenia."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 1GiB."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Rozmiar ograniczenia musi być wielokrotnością 512-bajtowego sektora."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "Błędne określenie rozmiaru danych."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "Zmniejszenie przepełnienia rozmiaru."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "Odszyfrowanie LUKS2 wymaga opcji --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Rozmiar urządzenia musi być wielokrotnością 512-bajtowego sektora."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Opcji --reduce-device-size i --data-size nie można łączyć."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Opcji --device-size i --size nie można łączyć."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Podano błędny łańcuch zarodka."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Nie można utworzyć obrazu hasza %s do zapisu."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Nie można utworzyć obrazu FEC %s do zapisu."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Podano błędny łańcuch głównego hasza."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Błędny plik podpisu %s."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Nie można odczytać pliku klucza %s."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<urządzenie_danych> <urządzenie_haszy>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "sformatowanie urządzenia"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<urządzenie_danych> <urządzenie_haszy> <główny_hasz>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "weryfikacja urządzenia"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<urządzenie_danych> <nazwa> <urządzenie_haszy> <główny_hasz>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "pokazanie stanu aktywnego urządzenia"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<urządzenie_haszy>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "wyświetlenie informacji z dysku"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2927,7 +3072,7 @@
 "<urządzenie_haszy> to urządzenie zawierające dane weryfikacyjne\n"
 "<główny_hasz> to hasz głównego węzła na <urządzeniu_haszy>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2938,91 +3083,99 @@
 "Domyślnie wkompilowane parametry dm-verity:\n"
 "\tHasz: %s, blok danych (bajtów): %u, blok haszy (bajtów): %u, rozmiar zarodka: %u, format haszy: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Nieużywanie superbloku VERITY"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Typ formatu (1 - normalny, 0 - oryginalny Chrome OS)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "liczba"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Rozmiar bloku na urządzeniu z danymi"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Rozmiar bloku na urządzeniu z haszami"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "bajty parzystości FEC"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Liczba bloków w pliku danych"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "bloki"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Ścieżka do urządzenia z danymi korekcji błędów"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "ścieżka"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Offset początku na urządzeniu z haszami"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Offset początku na urządzeniu FEC"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Algorytm skrótu"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "łańcuch"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Zarodek"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "Łańcuch szesnastkowy"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Ścieżka pliku podpisu hasza głównego"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Restart jądra po wykryciu uszkodzenia"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Zignotowanie uszkodzenia, jedynie logowanie"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Bez weryfikacji wyzerowanych bloków"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Sprawdzenie bloku danych tylko przy pierwszym odczycie"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Opcje --ignore-corruption, --restart-on-corruption oraz --ignore-zero-blocks są dozwolone tylko przy operacji otwierania.\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Opcja --root-hash-signature może być użyta tylko dla akcji otwierania.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Opcji --ignore-corruption oraz --restart-on-corruption nie można użyć naraz.\n"
 
@@ -3036,20 +3189,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Nie można odczytać %d bajtów z pliku klucza %s."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Sformatowano z rozmiarem znacznika %u, wewnętrzna integralność %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<urządzenie_integralności>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<urządzenie_integralności> <nazwa>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3060,158 +3213,158 @@
 "<nazwa> to urządzenie do utworzenia pod %s\n"
 "<urządzenie_integralności> to urządzenie zawierające dane ze znacznikami integralności\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Domyślnie wkompilowane parametry dm-integrity:\n"
-"\tRozmiar znacznika (bajtów): %u, algorytm sumy kontrolnej: %s\n"
+"\tAlgorytm sumy kontrolnej: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Ścieżka do urządzenia danych (jeśli osobne)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Rozmiar kroniki"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Sektory przeplotu"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Znak wodny kroniki"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "procent"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Czas zatwierdzania kroniki"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "ms"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Liczba 512-bajtowych sektorów na bit (tryb bitmapy)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Czas zrzutu trybu bitmapy"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Rozmiar znacznika (na sektor)"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Rozmiar sektora"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Rozmiar buforów"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Algorytm integralności danych"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Rozmiar klucza integralności danych"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Odczyt klucza integralności z pliku"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Algorytm integralności kroniki"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Rozmiar klucza integralności kroniki"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Odczyt klucza integralności z pliku"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Algorytm szyfrowania kroniki"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Rozmiar klucza szyfrowania kroniki"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Odczyt klucza szyfrującego kroniki z pliku"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Tryb odtwarzania (bez kroniki, bez sprawdzania znaczników)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Użycie bitmapy do śledzenia zmian i wyłączenie kroniki dla urządzenia integralności"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Automatyczne przeliczenie znaczników początkowych."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "Opcja --integrity-recalculate może być użyta tylko dla akcji otwierania."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Opcje --journal-size, --interleave-sectors, --sector-size, --tag-size oraz --no-wipe mogą być użyte tylko dla akcji formatowania.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "Błędne określenie rozmiaru kroniki."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku klucza i rozmiaru klucza."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "Algorytm integralności musi być podany, jeśli używany jest klucz integralności."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku klucza integralności i rozmiaru klucza."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Algorytm integralności kroniki musi być podany, jeśli używany jest klucz integralności kroniki."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Muszą być podane obie opcje: pliku szyfrowania kroniki i rozmiaru klucza."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Algorytm szyfrowania kroniki musi być podany, jeśli używany jest klucz szyfrowania kroniki."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Opcje trybu odtwarzania i bitmapy wykluczają się wzajemnie."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Opcji kroniki nie można używać w trybie bitmapy."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Opcje bitmapy mogą być używane tylko w trybie bitmapy."
 
@@ -3224,7 +3377,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Nie można otworzyć %s w trybie wyłącznym, urządzenie jest w użyciu."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "Przydzielenie wyrównanego obszaru pamięci nie powiodło się."
 
@@ -3263,200 +3416,200 @@
 
 #: src/cryptsetup_reencrypt.c:445
 msgid "Activating temporary device using old LUKS header."
-msgstr "Aktywacja urządzenia tymczasowego przy użyciu starego nagłówka LUKS."
+msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu starego nagłówka LUKS."
 
 #: src/cryptsetup_reencrypt.c:455
 msgid "Activating temporary device using new LUKS header."
-msgstr "Aktywacja urządzenia tymczasowego przy użyciu nowego nagłówka LUKS."
+msgstr "Uaktywnianie urządzenia tymczasowego przy użyciu nowego nagłówka LUKS."
 
 #: src/cryptsetup_reencrypt.c:465
 msgid "Activation of temporary devices failed."
-msgstr "Aktywacja urządzeń tymczasowych nie powiodła się."
+msgstr "Uaktywnianie urządzeń tymczasowych nie powiodła się."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Nie udało się ustawić offsetu danych."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "Nie udało się ustawić rozmiaru metadanych."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Utworzono nowy nagłówek LUKS dla urządzenia %s."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Ta wersja cryptsetup-reencrypt nie obsługuje nowego typu tokenu wewnętrznego %s."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
-msgstr "Nie udało się odczytać flag aktywacji z nagłówka zapasowego."
+msgstr "Nie udało się odczytać flag uaktywniania z nagłówka zapasowego."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
-msgstr "Nie udało się zapisać flag aktywacji w nowym nagłówku."
+msgstr "Nie udało się zapisać flag uaktywniania w nowym nagłówku."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Nie udało się odczytać wymagań z nagłówka zapasowego."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Utworzono kopię zapasową nagłówka %s urządzenia %s."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "Tworzenie kopii zapasowych nagłówków LUKS nie powiodło się."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Nie można odtworzyć nagłówka %s na urządzeniu %s."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Odtworzono nagłówek %s na urządzeniu %s."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Nie można otworzyć tymczasowego urządzenia LUKS."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Nie można pobrać rozmiaru urządzenia."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "Błąd we/wy podczas ponownego szyfrowania."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Dostarczony UUID jest nieprawidłowy."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Nie można otworzyć pliku logu ponownego szyfrowania."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Nie w trakcie odszyfrowywania; dostarczony UUID może być użyty tylko do wznowienia wstrzymanego procesu odszyfrowywania."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Zmieniono parametry PBKDF dla klucza %i."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Rozmiar bloku ponownego szyfrowania"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "MiB"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Bez zmiany klucza i ponownego szyfrowania obszaru danych"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Odczyt nowego klucza wolumenu (klucza głównego) z pliku"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "Czas iteracji PBKDF2 dla LUKS (w milisekundach)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Użycie bezpośredniego we/wy przy dostępie do urządzeń"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Użycie fsync po każdym bloku"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Uaktualnianie pliku logu po każdym bloku"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Użycie tylko tego slotu (wyłączenie pozostałych)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Utworzenie nowego nagłówka na nieszyfrowanym urządzeniu"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Trwałe odszyfrowanie urządzenia (usunięcie szyfrowania)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "UUID używany do wznowienia odszyfrowywania"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Typ metadanych LUKS: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[OPCJA...] <urządzenie>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Ponowne szyfrowanie zmieni: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "klucz wolumenu"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "hasz na "
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", szyfr na"
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Wymagany argument."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Jako rozmiar bloku ponownego szyfrowania dozwolone są jedynie wartości od 1 MiB do 64 MiB."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Maksymalna wartość ograniczenia rozmiaru urządzenia to 64MiB."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Opcja --new musi być użyta wraz z --reduce_device_size lub --header."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Opcja --keep-key może być użyta tylko z --hash, --iter-time lub --pbkdf-force-iterations.."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Opcja --new nie może być użyta wraz z --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Opcja --decrypt jest niezgodna z podanymi parametrami."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Opcja --uuid jest dozwolona tylko wraz z --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Błędny typ LUKS - musi być jednym z 'luks', 'luks1' lub 'luks2'."
 
diff -Nru cryptsetup-2.2.2/po/POTFILES.in cryptsetup-2.3.1/po/POTFILES.in
--- cryptsetup-2.2.2/po/POTFILES.in	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/POTFILES.in	2020-03-12 08:39:20.000000000 +0000
@@ -22,6 +22,7 @@
 lib/luks1/keymanage.c
 lib/loopaes/loopaes.c
 lib/tcrypt/tcrypt.c
+lib/bitlk/bitlk.c
 lib/verity/verity.c
 lib/verity/verity_hash.c
 lib/verity/verity_fec.c
diff -Nru cryptsetup-2.2.2/po/ru.po cryptsetup-2.3.1/po/ru.po
--- cryptsetup-2.2.2/po/ru.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/ru.po	2020-03-12 08:39:20.000000000 +0000
@@ -4,13 +4,13 @@
 #
 # Rosetta Contributors and Canonical Ltd <EMAIL@ADDRESS>, 2007.
 # Eugene Roskin <Unknown>, 2016.
-# Yuri Kozlov <yuray@komyakino.ru>, 2018, 2019.
+# Yuri Kozlov <yuray@komyakino.ru>, 2018, 2019, 2020.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.0-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-25 19:33+0300\n"
+"POT-Creation-Date: 2020-01-12 12:33+0100\n"
+"PO-Revision-Date: 2020-01-18 12:31+0300\n"
 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
 "Language-Team: Russian <gnu@d07.ru>\n"
 "Language: ru\n"
@@ -22,60 +22,60 @@
 "X-Generator: Lokalize 2.0\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:397
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Не удалось инициализировать device-mapper, выполняется без прав суперпользователя."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:400
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Не удалось инициализировать device-mapper. Загружен ли модуль ядра dm_mod?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1120
 msgid "Requested deferred flag is not supported."
 msgstr "Запрошенный флаг отсрочки не поддерживается."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1187
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "У устройства %s был обрезан DM-UUID."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1509
 msgid "Unknown dm target type."
 msgstr "Неизвестный тип цели dm."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1612 lib/libdevmapper.c:1664
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Запрошенные параметры производительности dm-crypt не поддерживаются."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1619
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Запрошенные параметры обработки повреждённых данных dm-verify не поддерживаются."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1623
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Запрошенные параметры FEC dm-verify не поддерживаются."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1627
 msgid "Requested data integrity options are not supported."
 msgstr "Запрошенные параметры целостности данных не поддерживаются."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1629
 msgid "Requested sector_size option is not supported."
 msgstr "Запрошенный параметр sector_size не поддерживается."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1634
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Запрошенный автоматический пересчёт тегов целостности не поддерживается."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1638
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Запрошенный режим битовой карты dm-integrity не поддерживается."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1667
 msgid "Discard/TRIM is not supported."
 msgstr "Discard/TRIM не поддерживается."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2585
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Ошибка при запросе сегмента dm-%s."
@@ -109,434 +109,451 @@
 msgid "Error reading from RNG."
 msgstr "Ошибка чтения из RNG."
 
-#: lib/setup.c:223
+#: lib/setup.c:230
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Невозможно инициализировать внутренний интерфейс crypto RNG."
 
-#: lib/setup.c:229
+#: lib/setup.c:236
 msgid "Cannot initialize crypto backend."
 msgstr "Невозможно инициализировать внутренний интерфейс crypto."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:267 lib/setup.c:2044 lib/verity/verity.c:120
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Алгоритм хэширования %s не поддерживается."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:270 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Ошибка обработки ключа (используется хэш %s)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:336 lib/setup.c:363
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Невозможно определить тип устройства. Несовместимая активация устройства?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:342 lib/setup.c:3048
 msgid "This operation is supported only for LUKS device."
 msgstr "Эта операция поддерживается только для устройства LUKS."
 
-#: lib/setup.c:357
+#: lib/setup.c:369
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Эта операция поддерживается только для устройства LUKS2."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:424 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Заполнены все слоты ключей."
 
-#: lib/setup.c:423
+#: lib/setup.c:435
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Некорректный слот ключа %d, укажите значение между 0 и %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:441
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Слот ключа %d заполнен, выберите другой."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:526 lib/setup.c:2822
 msgid "Device size is not aligned to device logical block size."
 msgstr "Размер устройства не выровнен к размеру логического блока устройства."
 
-#: lib/setup.c:610
+#: lib/setup.c:622
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Обнаружен заголовок, но устройство %s слишком маленькое."
 
-#: lib/setup.c:647
+#: lib/setup.c:659
 msgid "This operation is not supported for this device type."
 msgstr "Эта операция не поддерживается для этого типа устройств."
 
-#: lib/setup.c:652
+#: lib/setup.c:664
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Недопустимая операция во время работы перешифрования."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:830 lib/luks1/keymanage.c:476
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Неподдерживаемая версия LUKS %d."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:847 lib/setup.c:1537 lib/setup.c:1957
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Отсоединение устройства метаданных не поддерживается для этого типа crypt."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1425 lib/setup.c:2542 lib/setup.c:2614 lib/setup.c:2626
+#: lib/setup.c:2775 lib/setup.c:4510
 #, c-format
 msgid "Device %s is not active."
 msgstr "Устройство %s не активно."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1442
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Исчезло нижележащее устройство у устройства crypt %s."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1522
 msgid "Invalid plain crypt parameters."
 msgstr "Неверные параметры plain crypt."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1527 lib/setup.c:1947 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Неверный размер ключа."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1532 lib/setup.c:1952 lib/setup.c:2155
 msgid "UUID is not supported for this crypt type."
 msgstr "Для данного типа crypt UUID не поддерживается."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1547 lib/setup.c:1737 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1232
 msgid "Unsupported encryption sector size."
 msgstr "Неподдерживаемый размер сектора шифрования."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1555 lib/setup.c:1862 lib/setup.c:2816
 msgid "Device size is not aligned to requested sector size."
 msgstr "Размер устройства не выровнен к запрошенному размеру сектора."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1606 lib/setup.c:1725
 msgid "Can't format LUKS without device."
 msgstr "Невозможно отформатировать LUKS без устройства."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1612 lib/setup.c:1731
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Запрошенный тип выравнивания данных не совместим со смещением данных."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1680 lib/setup.c:1849
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: смещение данных находится за пределами доступного в данный момент устройства данных.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1690 lib/setup.c:1877 lib/setup.c:1898 lib/setup.c:2167
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "невозможно затереть заголовок на устройстве %s."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1742
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: Активация устройства завершится ошибкой, так как отсутствует поддержка dm-crypt для запрошенного размера сектора шифрования.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1764
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Ключ тома слишком мал для шифрования с целостными расширениями."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1819
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Шифр %s-%s (размер ключа %zd бит) недоступен."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1852
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: размер метаданных LUKS2 изменился и стал %<PRIu64> байт.\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1856
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: размер слотов ключа LUKS2 изменился и стал %<PRIu64> байт.\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1880 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Устройство %s слишком маленькое."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1891 lib/setup.c:1917
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Невозможно отформатировать устройство %s, которое используется."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1894 lib/setup.c:1920
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Невозможно отформатировать устройство %s, недостаточно прав."
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1906 lib/setup.c:2227
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Невозможно отформатировать целостность для устройства %s."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1924
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Невозможно отформатировать устройство %s."
 
-#: lib/setup.c:1888
+#: lib/setup.c:1942
 msgid "Can't format LOOPAES without device."
 msgstr "Невозможно отформатировать LOOPAES без устройства."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1987
 msgid "Can't format VERITY without device."
 msgstr "Невозможно отформатировать VERITY без устройства."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:1998 lib/verity/verity.c:103
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Неподдерживаемый тип хэша %d для VERITY."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2004 lib/verity/verity.c:111
 msgid "Unsupported VERITY block size."
 msgstr "Неподдерживаемый размер блока для VERITY."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2009 lib/verity/verity.c:75
 msgid "Unsupported VERITY hash offset."
 msgstr "Неподдерживаемое смещение хэша для VERITY."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2014
 msgid "Unsupported VERITY FEC offset."
 msgstr "Неподдерживаемое смещение FEC для VERITY."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2038
 msgid "Data area overlaps with hash area."
 msgstr "Область данных перекрывает области хэша."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2063
 msgid "Hash area overlaps with FEC area."
 msgstr "Область хэша перекрывает область FEC."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2070
 msgid "Data area overlaps with FEC area."
 msgstr "Область данных перекрывает область FEC."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2206
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "ПРЕДУПРЕЖДЕНИЕ: запрошенный размер тега в %d байт отличается от выходного размера %s (%d байт).\n"
+
+#: lib/setup.c:2284
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Запрошен неизвестный тип устройства crypt %s."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2548 lib/setup.c:2620 lib/setup.c:2633
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Неподдерживаемые параметры для устройства %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2554 lib/setup.c:2639 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Несовпадение параметров для устройства %s."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2659
 msgid "Crypt devices mismatch."
 msgstr "Несоответствие устройств crypt."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2696 lib/setup.c:2701 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Ошибка при перезагрузке устройства %s."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2706 lib/setup.c:2711 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Ошибка при приостановке устройства %s."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2716 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Ошибка при возобновлении работы устройства %s."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2730
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Критическая ошибка при перезагрузке устройства %s (поверх устройства %s)."
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2733 lib/setup.c:2735
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Ошибка при переключении устройства %s на dm-error."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2807
 msgid "Cannot resize loop device."
 msgstr "Невозможно изменить размер закольцованного (loop) устройства."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2880
 msgid "Do you really want to change UUID of device?"
 msgstr "Вы действительно хотите изменить UUID устройства?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2956
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Файл резервного заголовка не содержит заголовка совместимого с LUKS."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3056
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Том %s не активен."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3067
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Том %s уже приостановлен."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3080
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Приостановка не поддерживается устройством %s."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3082
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Ошибка во время приостановки устройства %s."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3115 lib/setup.c:3182 lib/setup.c:3265
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Том %s не приостановлен."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3144
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Возобновление не поддерживается устройством %s."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3146 lib/setup.c:3214 lib/setup.c:3295
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Ошибка во время возобновления устройства %s."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3280 lib/setup.c:3646 lib/setup.c:4307 lib/setup.c:4320
+#: lib/setup.c:4328 lib/setup.c:4341 lib/setup.c:4691 lib/setup.c:5834
+msgid "Volume key does not match the volume."
+msgstr "Ключ тома не подходит к тому."
+
+#: lib/setup.c:3341 lib/setup.c:3529
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Невозможно добавить слот ключа, все слоты отключены и не предоставлен ключ тома."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3481
 msgid "Failed to swap new key slot."
 msgstr "Ошибка при переключении на новый слот ключа."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "Ключ тома не подходит к тому."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3667
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Некорректный слот ключа %d."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3673 src/cryptsetup.c:1577 src/cryptsetup.c:1922
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Слот ключа %d не активен."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3692
 msgid "Device header overlaps with data area."
 msgstr "Заголовок устройства перекрывает область данных."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3979
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Выполняется перешифрование. Невозможно активировать устройство."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3981 lib/luks2/luks2_json_metadata.c:2239
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "Ошибка при получении блокировки перешифрования."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3994 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Ошибка восстановления перешифрования LUKS2."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4125 lib/setup.c:4377
+msgid "Device type is not properly initialized."
 msgstr "Тип устройства инициализирован неправильно."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4169
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Невозможно использовать устройство %s, некорректное имя или оно всё ещё используется."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4172
 #, c-format
 msgid "Device %s already exists."
 msgstr "Устройство %s уже существует."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4294
 msgid "Incorrect volume key specified for plain device."
 msgstr "Для устройства plain указан некорректный ключ тома."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4403
 msgid "Incorrect root hash specified for verity device."
 msgstr "Некорректный корневой хэш для указанного устройства verity."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4410
+msgid "Root hash signature required."
+msgstr "Требуется подпись корневого хэша."
+
+#: lib/setup.c:4419
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Отсутствует связка ключей ядра: требуется для передачи подписи в ядро."
+
+#: lib/setup.c:4436 lib/setup.c:5910
+msgid "Failed to load key in kernel keyring."
+msgstr "Ошибка при загрузке ключа в связку ключей ядра."
+
+#: lib/setup.c:4489 lib/setup.c:4505 lib/luks2/luks2_json_metadata.c:2292
+#: src/cryptsetup.c:2597
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Устройство %s всё ещё используется."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4514
 #, c-format
 msgid "Invalid device %s."
 msgstr "Неверное устройство %s."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4630
 msgid "Volume key buffer too small."
 msgstr "Буфер ключа тома слишком мал."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4638
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Невозможно получить ключ тома для устройства plain."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4655
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Невозможно получить корневой хэш для устройства verity."
+
+#: lib/setup.c:4657
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Эта операция не поддерживается для устройства crypt %s."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4863
 msgid "Dump operation is not supported for this device type."
 msgstr "Операция дампа не поддерживается для устройства этого типа."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5188
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Смещение данных не кратно %u байтам."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5470
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Невозможно преобразовать устройство %s, которое всё ещё используется."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5767
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Ошибка при назначении слота ключа %u в качестве нового ключа тома."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5840
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Ошибка при инициализации параметров слота ключа по умолчанию LUKS2."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5846
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Ошибка при назначении слота ключа %d дайджесту."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "Ошибка при загрузке ключа в связку ключей ядра."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5977
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "Связка ключей ядра не поддерживается ядром."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5987 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Не удалось прочитать парольную фразу из связки ключей (ошибка %d)."
 
-#: lib/setup.c:5791
+#: lib/setup.c:6011
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Не удалось захватить глобальную блокировку сериализации доступа на скорости памяти (memory-hard)."
 
@@ -588,7 +605,7 @@
 #: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
 #: lib/luks1/keyencryption.c:92
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Устройство %s не существует или отказано в доступе."
 
 #: lib/utils_device.c:198
@@ -711,8 +728,8 @@
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Блокировка прервана. Путь блокировки %s/%s использовать невозможно (%s не является каталогом)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "Невозможно перемещаться по устройству."
 
@@ -739,8 +756,8 @@
 msgstr "Шифр должен указываться в формате [шифр]-[режим]-[iv]."
 
 #: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1079
+#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Невозможно записать на устройство %s, недостаточно прав."
@@ -760,8 +777,8 @@
 
 #: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
 #: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
+#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
 #: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
 #: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
 #: src/cryptsetup_reencrypt.c:205
@@ -786,12 +803,12 @@
 msgstr "Некорректный слот ключа LUKS %u."
 
 #: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1438
+#: src/cryptsetup.c:1564 src/cryptsetup.c:1621 src/cryptsetup.c:1677
+#: src/cryptsetup.c:1744 src/cryptsetup.c:1847 src/cryptsetup.c:1911
+#: src/cryptsetup.c:2071 src/cryptsetup.c:2264 src/cryptsetup.c:2324
+#: src/cryptsetup.c:2390 src/cryptsetup.c:2554 src/cryptsetup.c:3204
+#: src/cryptsetup.c:3213 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Устройство %s не является корректным устройством LUKS."
@@ -812,7 +829,7 @@
 msgstr "Невозможно записать файл резервного заголовка %s."
 
 #: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Резервный файл не содержит корректный заголовок LUKS."
 
 #: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
@@ -896,7 +913,7 @@
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Запрошенный хэш LUKS %s не поддерживается."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "Известных неполадок в заголовке LUKS не обнаружено."
 
@@ -914,9 +931,9 @@
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Смещение данных заголовка LUKS должно быть равно 0 или быть больше размера заголовка."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
+#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:826
 #: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: src/cryptsetup.c:2717
 msgid "Wrong LUKS UUID format provided."
 msgstr "Указан неправильный формат LUKS UUID."
 
@@ -924,27 +941,27 @@
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Невозможно создать заголовок LUKS: ошибка при чтении случайной соли."
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:805
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Невозможно создать заголовок LUKS: ошибка подсчёта дайджеста заголовка (используйте хэш %s)."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:849
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Активен слот ключа %d, сначала нужна вычистка."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:855
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Данный слота ключа %d содержат несколько полос. Подделка заголовка?"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:1065
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Некорректный слот ключа %d, значение слота ключа должно быть между 0 и %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1083 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Невозможно затереть устройство %s."
@@ -962,7 +979,7 @@
 msgstr "Обнаружен несовместимый файл ключа loop-AES."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "Ядро не поддерживает совместимое отображение loop-AES."
 
 #: lib/tcrypt/tcrypt.c:505
@@ -980,11 +997,11 @@
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Алгоритм хэширования PBKDF2 %s недоступен, пропускается."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "Требуемый интерфейс ядра crypto недоступен."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Убедитесь, что загружен ядерный модуль algif_skcipher."
 
@@ -994,7 +1011,7 @@
 msgstr "Активация не поддерживается при размере сектора %d."
 
 #: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "Ядро не поддерживает активацию для данного устаревшего режима TCRYPT."
 
 #: lib/tcrypt/tcrypt.c:784
@@ -1003,17 +1020,92 @@
 msgstr "Активируется система шифрования TCRYPT для раздела %s."
 
 #: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "Ядро не поддерживает совместимое отображение TCRYPT."
 
 #: lib/tcrypt/tcrypt.c:1084
 msgid "This function is not supported without TCRYPT header load."
 msgstr "эта функция не поддерживается без загрузки заголовка TCRYPT."
 
+#: lib/bitlk/bitlk.c:305
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "При анализе поддерживаемого главного ключа тома обнаружен неожиданный тип элемента метаданных «%u»."
+
+#: lib/bitlk/bitlk.c:352
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "При анализе поддерживаемого главного ключа тома обнаружена некорректная строка."
+
+#: lib/bitlk/bitlk.c:357
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "При анализе поддерживаемого главного ключа тома обнаружена неожиданная строка («%s»)."
+
+#: lib/bitlk/bitlk.c:371
+#, c-format
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "При анализе поддерживаемого главного ключа тома обнаружено неожиданное значение элемента метаданных «%u»."
+
+#: lib/bitlk/bitlk.c:451
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Ошибка чтения подписи BITLK из %s."
+
+#: lib/bitlk/bitlk.c:457
+msgid "BITLK version 1 is currently not supported."
+msgstr "BITLK версии 1 пока не поддерживается."
+
+#: lib/bitlk/bitlk.c:463
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Некорректная или неизвестная подпись загрузчика устройства BITLK."
+
+#: lib/bitlk/bitlk.c:475
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Некорректная или неизвестная подпись устройства BITLK."
+
+#: lib/bitlk/bitlk.c:483
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Ошибка чтения заголовка BITLK из %s."
+
+#: lib/bitlk/bitlk.c:499
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Ошибка чтения метаданных BITLK FVE из %s."
+
+#: lib/bitlk/bitlk.c:543
+msgid "Unknown or unsupported encryption type."
+msgstr "Неизвестный или неподдерживаемый тип шифрования."
+
+#: lib/bitlk/bitlk.c:576
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Ошибка чтения элементов метаданных BITLK из %s."
+
+#: lib/bitlk/bitlk.c:863
+msgid "This operation is not supported."
+msgstr "Эта операция не поддерживается."
+
+#: lib/bitlk/bitlk.c:871
+msgid "Wrong key size."
+msgstr "Неверный размер ключа."
+
+#: lib/bitlk/bitlk.c:999
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Активация частично расширенного устройства BITLK не поддерживается."
+
+#: lib/bitlk/bitlk.c:1132
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка BITLK IV."
+
+#: lib/bitlk/bitlk.c:1136
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Невозможно активировать устройство, в ядерном dm-crypt отсутствует поддержка BITLK Elephant diffuser."
+
 #: lib/verity/verity.c:69 lib/verity/verity.c:172
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
-msgstr "Устройство verity %s не содержит заголовка на диске."
+msgid "Verity device %s does not use on-disk header."
+msgstr "Устройство verity %s не использует заголовок на диске."
 
 #: lib/verity/verity.c:91
 #, c-format
@@ -1039,20 +1131,28 @@
 msgid "Error during update of verity header on device %s."
 msgstr "Ошибка при обновлении заголовка verity на устройстве %s."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:257
+msgid "Root hash signature verification is not supported."
+msgstr "Проверка подписи корневого хэша не поддерживается."
+
+#: lib/verity/verity.c:268
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Невозможно исправить ошибки с устройством FEC."
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:270
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "Найдено %u исправимых ошибок с устройством FEC."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
+#: lib/verity/verity.c:309
+msgid "Kernel does not support dm-verity mapping."
 msgstr "Ядро не поддерживает отображение dm-verity."
 
 #: lib/verity/verity.c:313
+msgid "Kernel does not support dm-verity signature option."
+msgstr "Ядро не поддерживает параметр подписи dm-verity."
+
+#: lib/verity/verity.c:324
 msgid "Verity device detected corruption after activation."
 msgstr "После активации обнаружено повреждение устройства verity."
 
@@ -1061,41 +1161,41 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Резервная область не заполнена нулями по адресу %<PRIu64>."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Переполнение смещения устройства."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Ошибка при проверке по адресу %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Неправильный размер параметров для устройства verity."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Переполнение области хэша."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Ошибка при сверке области данных."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Ошибка при сверке корневого хэша."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Ошибка ввода-вывода при создании области хэша."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "Ошибка при создании области хэша."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "ПРЕДУПРЕЖДЕНИЕ: ядро не сможет активировать устройство, если размер блока данных превышает размер страницы (%u)."
@@ -1141,10 +1241,14 @@
 msgid "Failed to determine size for device %s."
 msgstr "Не удалось определить размер устройства %s."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:268 lib/integrity/integrity.c:339
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "Ядро не поддерживает отображение dm-integrity."
 
+#: lib/integrity/integrity.c:274
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "Ядро не поддерживает выравнивание фиксированных метаданных dm-integrity."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
 #: lib/luks2/luks2_json_metadata.c:1245
 #, c-format
@@ -1248,36 +1352,36 @@
 msgid "Unsupported device integrity configuration."
 msgstr "Неподдерживаемые настройки целостности устройства."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2237
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Выполняется перешифрование. Невозможно деактивировать устройство."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2248 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Не удалось заменить приостановленное устройство %s на цель dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2328
 msgid "Failed to read LUKS2 requirements."
 msgstr "Ошибка при чтении требований LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2335
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Обнаружены неудовлетворяемые требования LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Ведётся внесистемное (offline) перешифрование. Прерываемся."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Ведётся оперативное (online) перешифрование. Прерываемся."
+#: lib/luks2/luks2_json_metadata.c:2343
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Операция не совместима с устройством, отмеченным для устаревшего перешифрования. Прерываемся."
+
+#: lib/luks2/luks2_json_metadata.c:2345
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Операция не совместима с устройством, отмеченным для перешифрования LUKS2. Прерываемся."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "Недостаточно памяти для открытия слота ключа."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Ошибка открытия слота ключа."
 
@@ -1357,7 +1461,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Ошибка при инициализации старой сегментной обёртки хранилища."
 
@@ -1369,7 +1473,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "Ошибка чтения контрольных сумм текущей hotzone."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Не удалось прочитать область hotzone начиная с %<PRIu64>."
@@ -1427,119 +1531,119 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Сдвиг данных (%<PRIu64> секторов) меньше чем будущее смещение данных (%<PRIu64> секторов)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Ошибка при открытии %s в монопольном режиме (уже отображено или примонтировано)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "Перешифрование LUKS2 в данный момент не выполняется."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Устройство не отмечено для перешифрования LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Ошибка при загрузке контекста перешифрования LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "Ошибка при получении состояния перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "Устройство не перешифровывается."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "Процесс перешифрования уже запущен."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "Ошибка при захвате блокировки перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Невозможно продолжить с перешифрованием. Сначала запустите восстановление перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Активный размер устройства и запрошенный размер перешифрования не совпадают."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "В параметрах перешифрования запрошен некорректный размер устройства."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Выполняется перешифрование. Восстановление выполнить невозможно."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Перешифрование LUKS2 уже инициализировано в метаданных."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Не удалось инициализировать перешифрование LUKS2 в метаданных."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Ошибка при назначении сегментов устройства для следующей hotzone перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Ошибка при записи метаданных устойчивости перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "Не удалось расшифровать."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Не удалось записать область hotzone начиная с %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "Ошибка синхронизации данных."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Ошибка при обновлении метаданных после завершения текущей hotzone перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "Ошибка при записи метаданных LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "Ошибка при затирании резервной копии сегмента данных."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "Не удалось выключить флаг требования перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Критическая ошибка при перешифровании куска начиная с %<PRIu64>, длиной в %<PRIu64> секторов."
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Устройство не возобновит работу пока не будет заменено вручную с целью error."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Невозможно продолжить с перешифрованием. Неожиданное состояние перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Контекст перешифрования отсутствует или неверен."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "Ошибка при инициализации стека устройства перешифрования."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "Ошибка при обновлении контекста перешифрования."
 
@@ -1552,64 +1656,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Ошибка при создании встроенного токена %s."
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Невозможно проверить парольную фразу не с входных tty."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Параметры шифрования слота ключа могут задаваться только для устройства LUKS2."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1275
+#: src/cryptsetup.c:3078 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Обнаружено указание неизвестного шаблона шифра."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: параметр --hash игнорируется в режиме plain с указанным файлом ключа.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "ПРЕДУПРЕЖДЕНИЕ: параметр --keyfile-size игнорируется, размер для чтения приравнивается размеру ключа шифрования.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "Обнаружены подпись(и) устройства на %s. Продолжение работы может повредить существующие данные."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1252 src/cryptsetup.c:1325 src/cryptsetup.c:1979
+#: src/cryptsetup.c:2615 src/cryptsetup.c:2738 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Операция прервана.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Параметр --key-file является обязательным."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Введите VeraCrypt PIM: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Недопустимое значение PIM: ошибка при разборе."
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Недопустимое значение PIM: 0."
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Недопустимое значение PIM: вышло за границы диапазона."
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "С этой парольной фразой заголовка устройства не обнаружено."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Устройство %s не является корректным устройством BITLK."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2006
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1619,70 +1728,70 @@
 "обеспечивающей доступ к зашифрованному разделу без парольной фразы.\n"
 "Этот дамп следует всегда хранить зашифрованным в надёжном месте."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Устройство %s всё ещё активно и запланировано к отложенному удалению.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Для изменения размера активного устройства требуется ключ тома в связке ключей, но указан параметр --disable-keyring."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Оценка производительности прервана."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     Н/Д\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u итераций в секунду для %zu-битного ключа\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s Н/Д\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u итераций, %5u памяти, %1u параллельных нитей (ЦП) для %zu-битного ключа (запрашивался %u мс)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Результат оценки производительности ненадёжен."
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Тесты, использующие практически только память (без ввода-вывода на хранилище).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "#%*s  Алгоритм |      Ключ |      Шифрование |     Расшифровка\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Шифр %s недоступен."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr ""
 "#     Algorithm |       Key |      Encryption |      Decryption\n"
 "#      Алгоритм |      Ключ |      Шифрование |     Расшифровка\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "Н/Д"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1690,19 +1799,19 @@
 "Кажется, что устройству не требуется восстановление перешифрования.\n"
 "Продолжить?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Действительно продолжить восстановление перешифрования LUKS2?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Введите пароль для восстановления перешифрования: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Действительно попробовать восстановить заголовок устройства LUKS?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1710,127 +1819,127 @@
 "Затирается устройство для инициализации целостности контрольной суммы.\n"
 "Вы можете прервать процесс нажав CTRL+c (остаток незатёртого устройства будет содержать некорректную контрольную сумму).\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Невозможно деактивировать временное устройство %s."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1237
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Параметр целостности можно использовать только в формате LUKS2."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1242 src/cryptsetup.c:1302
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Неподдерживаемый размер параметров метаданных LUKS2."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1259
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Невозможно создать файл заголовка %s."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1282 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Обнаружено указание неизвестного шаблона целостности."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1295
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Невозможно использовать %s в качестве заголовка для диска."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1319 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Данные на %s будут перезаписаны без возможности восстановления."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1360 src/cryptsetup.c:1693 src/cryptsetup.c:1760
+#: src/cryptsetup.c:1862 src/cryptsetup.c:1928 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Ошибка при задании параметров pbkdf."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1444
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Сокращение смещения данных допускается только для отсоединённого заголовка LUKS."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1455 src/cryptsetup.c:1766
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Невозможно определить размер ключа тома LUKS без слотов ключа, укажите параметр --key-size."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1493
 msgid "Device activated but cannot make flags persistent."
 msgstr "Устройство активировано, но нельзя сделать флаги постоянными."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1574 src/cryptsetup.c:1644
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Для удаления выбран слот ключа %d."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1586 src/cryptsetup.c:1647
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Это последний слот ключа. Устройство станет неработоспособным после вычистки этого ключа."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1587
 msgid "Enter any remaining passphrase: "
 msgstr "Введите любую оставшуюся парольную фразу: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1588 src/cryptsetup.c:1649
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Операция прервана, слот ключа НЕ затёрт.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1626
 msgid "Enter passphrase to be deleted: "
 msgstr "Введите удаляемую парольную фразу: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1707 src/cryptsetup.c:1781 src/cryptsetup.c:1815
 msgid "Enter new passphrase for key slot: "
 msgstr "Введите новую парольную фразу для слота ключа: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1798 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Введите любую существующую парольную фразу: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1866
 msgid "Enter passphrase to be changed: "
 msgstr "Введите изменяемую парольную фразу: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1882 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Введите новую парольную фразу: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1932
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Введите парольную фразу для преобразуемого слота ключа: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1956
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "Только одно устройство можно указать для операции isLuks."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2140 src/cryptsetup.c:2161
 msgid "Option --header-backup-file is required."
 msgstr "Параметр --header-backup-file является обязательным."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2191
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s не является управляемым устройством cryptsetup."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2202
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Обновление не поддерживается для устройств типа %s"
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2244
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Нераспознанный тип метаданных устройства %s."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2247
 msgid "Command requires device and mapped name as arguments."
 msgstr "Для команды требуется задать устройство и имя отображения."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2269
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1839,95 +1948,95 @@
 "Эта операция сотрёт все слоты ключей на устройстве %s.\n"
 "Устройство станет неработоспособным после этой операции."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2276
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Операция прервана, слоты ключа НЕ затёрты.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2313
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Некорректный тип LUKS, поддерживаются только luks1 и luks2."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2331
 #, c-format
 msgid "Device is already %s type."
 msgstr "Устройство уже имеет тип %s."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2336
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Данная операция преобразует формат %s в %s.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2342
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Операция прервана, устройство НЕ преобразовано.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2382
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Отсутствует параметр --priority, --label или --subsystem."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2416 src/cryptsetup.c:2449 src/cryptsetup.c:2472
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Некорректный токен %d."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2419 src/cryptsetup.c:2475
 #, c-format
 msgid "Token %d in use."
 msgstr "Используется токен %d."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2426
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Ошибка при добавлении токена luks2-keyring %d."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2435 src/cryptsetup.c:2497
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Ошибка при назначении токена %d слоту ключа %d."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2452
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Токен %d не используется."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2487
 msgid "Failed to import token from file."
 msgstr "Ошибка при импорте токена из файла."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2512
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Ошибка при получении токена %d для экспорта."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2527
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Для добавления токена требуется параметр --key-description."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2533 src/cryptsetup.c:2541
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Для действия требуется указать токен. Используйте параметр --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2546
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Некорректная операция с токеном %s."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2601
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Автоматически обнаруженное активное устройство dm «%s» для устройства данных %s.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2605
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Устройство %s не является блочным.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Не удалось автоматически обнаружить держателей устройства %s."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2609
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1940,229 +2049,233 @@
 "Это может привести к потере данных, если устройство всё же активно.\n"
 "Для запуска перешифрования в оперативном режиме укажите параметр --active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2689
 msgid "Invalid LUKS device type."
 msgstr "Неверный тип устройства LUKS."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2694
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Шифрование без отсоединённого заголовка (--header) невозможно без сокращения размера устройства данных (--reduce-device-size)."
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2699
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Запрошенное смещение данных должно быть меньше или равно половине значения параметра --reduce-device-size."
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2708
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Подгоняется значение --reduce-device-size под двукратный размер --offset %<PRIu64> (секторов).\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2712
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "Шифрование поддерживается только для формата LUKS2."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2734
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "На %s обнаружено устройство LUKS. Хотите снова зашифровать это устройство LUKS?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2749
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Временный файл заголовка %s уже существует. Прекращение работы."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2751 src/cryptsetup.c:2758
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Невозможно создать временный файл заголовка %s."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2822
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s теперь активен и готов для оперативного шифрования."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s теперь активен и готов для оперативного шифрования.\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2986 src/cryptsetup.c:2992
 msgid "Not enough free keyslots for reencryption."
 msgstr "Для шифрования недостаточно свободных слотов ключей."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3012 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Файл ключа можно использовать только с --key-slot или только при одном активном слоте."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3021 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Введите парольную фразу для слота ключа %d: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3029
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Введите парольную фразу для слота ключа %u: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3196
 msgid "Command requires device as argument."
 msgstr "Для команды требуется в аргументе указать устройство."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3218
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "В настоящий момент поддерживается только формат LUKS2. Для LUKS1 используйте программу cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3230
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Уже выполняется устаревшее внесистемное (offline) перешифрование. Используйте программу cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3240 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Перешифрование устройства с профилем целостности не поддерживается."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3248
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Перешифрование LUKS2 уже инициализировано. Прекращение работы."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3252
 msgid "LUKS2 device is not in reencryption."
 msgstr "Устройство LUKS2 не перешифровывается."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3279
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<устройство> [--type <тип>] [<имя>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3279 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "открыть устройство как <имя>"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3280 src/cryptsetup.c:3281 src/cryptsetup.c:3282
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<имя>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3280 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "закрыть устройство (удалить отображение)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3281
 msgid "resize active device"
 msgstr "изменить размер активного устройства"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3282
 msgid "show device status"
 msgstr "показать состояние устройства"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3283
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <шифр>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3283
 msgid "benchmark cipher"
 msgstr "оценка производительности шифра"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3284 src/cryptsetup.c:3285 src/cryptsetup.c:3286
+#: src/cryptsetup.c:3287 src/cryptsetup.c:3288 src/cryptsetup.c:3295
+#: src/cryptsetup.c:3296 src/cryptsetup.c:3297 src/cryptsetup.c:3298
+#: src/cryptsetup.c:3299 src/cryptsetup.c:3300 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303
 msgid "<device>"
 msgstr "<устройство>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3284
 msgid "try to repair on-disk metadata"
 msgstr "попытаться исправить метаданные на диске"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3285
 msgid "reencrypt LUKS2 device"
 msgstr "перешифровать устройство LUKS2"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3286
 msgid "erase all keyslots (remove encryption key)"
 msgstr "стереть все слоты ключей (удалить ключ шифрования)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3287
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "преобразовать LUKS из/в формат LUKS2"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3288
 msgid "set permanent configuration options for LUKS2"
 msgstr "задать постоянные параметры настройки LUKS2"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3289 src/cryptsetup.c:3290
 msgid "<device> [<new key file>]"
 msgstr "<устройство> [<новый файл ключа>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3289
 msgid "formats a LUKS device"
 msgstr "форматировать устройство LUKS"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3290
 msgid "add key to LUKS device"
 msgstr "добавить ключ к устройству LUKS"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3291 src/cryptsetup.c:3292 src/cryptsetup.c:3293
 msgid "<device> [<key file>]"
 msgstr "<устройство> [<файл ключа>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3291
 msgid "removes supplied key or key file from LUKS device"
 msgstr "удалить заданный ключ или файл ключа с устройства LUKS"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3292
 msgid "changes supplied key or key file of LUKS device"
 msgstr "изменить заданный ключ или файл ключа устройства LUKS"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3293
 msgid "converts a key to new pbkdf parameters"
 msgstr "преобразовать ключ в новые параметры pbkdf"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3294
 msgid "<device> <key slot>"
 msgstr "<устройство> <слот ключа>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3294
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "затереть ключ с номером <слот ключа> с устройства LUKS"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3295
 msgid "print UUID of LUKS device"
 msgstr "напечатать UUID устройства LUKS"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3296
 msgid "tests <device> for LUKS partition header"
 msgstr "проверить <устройство> на наличие заголовка раздела LUKS"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3297
 msgid "dump LUKS partition information"
 msgstr "выгрузить в дамп информацию о разделе LUKS"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3298
 msgid "dump TCRYPT device information"
 msgstr "выгрузить в дамп информацию об устройстве TCRYPT"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3299
+msgid "dump BITLK device information"
+msgstr "выгрузить в дамп информацию об устройстве BITLK"
+
+#: src/cryptsetup.c:3300
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Приостановить устройство LUKS и затереть ключ (заморозка операций ввода-вывода)"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3301
 msgid "Resume suspended LUKS device"
 msgstr "Возобновить работу приостановленного устройства LUKS"
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3302
 msgid "Backup LUKS device header and keyslots"
 msgstr "Сделать резервную копию заголовка и слотов ключей устройства LUKS"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3303
 msgid "Restore LUKS device header and keyslots"
 msgstr "Восстановить заголовок и слоты ключей устройства LUKS"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3304
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <устройство>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3304
 msgid "Manipulate LUKS2 tokens"
 msgstr "Управление токенами LUKS2"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3322 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2170,19 +2283,19 @@
 "\n"
 "<действие> может быть:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3328
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Также можно использовать псевдонимы старого синтаксиса <действия>:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3332
 #, c-format
 msgid ""
 "\n"
@@ -2197,7 +2310,7 @@
 "<слот ключа> - номер слота ключа LUKS для изменения\n"
 "<файл ключа> - необязательный файл ключа для нового ключа для действия luksAddKey\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3339
 #, c-format
 msgid ""
 "\n"
@@ -2206,7 +2319,7 @@
 "\n"
 "Встроенным форматом по умолчанию для метаданных является %s (для действия luksFormat).\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3344
 #, c-format
 msgid ""
 "\n"
@@ -2223,7 +2336,7 @@
 "PBKDF по умолчанию для LUKS2: %s\n"
 "\tВремя итерации: %d, Требуемая память: %dКБ, Кол-во параллельных нитей: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3355
 #, c-format
 msgid ""
 "\n"
@@ -2238,439 +2351,443 @@
 "\tplain: %s, Ключ: %d бит, хэширование пароля: %s\n"
 "\tLUKS: %s, Ключ: %d бит, хэширование заголовка LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3364
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: Размер ключа по умолчанию в режиме XTS (два внутренних ключа) будет удвоен.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3380 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: требуется %s в качестве аргументов"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3418 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Показать это сообщение"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3419 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Показать краткие инструкции"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3420 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Показать версию пакета"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3424 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Параметры справки:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3425 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Показывать подробные сообщения об ошибках"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3426 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Показывать отладочные сообщения"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3427
 msgid "Show debug messages including JSON metadata"
 msgstr "Показывать отладочные сообщения включая метаданные JSON"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Шифр, используемый для шифрования диска (смотрите /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Хэш, используемый для создания ключа шифрования из парольной фразы"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3430
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Проверить правильность парольной фразы, запрашивая её дважды"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3431 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Прочитать ключ из файла"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3432
 msgid "Read the volume (master) key from file."
 msgstr "Прочитать (главный) ключ тома из файла."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3433
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Создать дамп (главного) ключа, а не информации слотов ключей"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3434 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Размер ключа шифрования"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3434 src/cryptsetup.c:3494 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "БИТ"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Ограничить чтение из файла ключа"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3436 src/cryptsetup.c:3437
+#: src/cryptsetup.c:3438 src/cryptsetup.c:3441 src/cryptsetup.c:3491
+#: src/cryptsetup.c:3492 src/cryptsetup.c:3500 src/cryptsetup.c:3501
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "байт"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Количество пропускаемых байтов в файле ключа"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3437
 msgid "Limits the read from newly added keyfile"
 msgstr "Ограничить чтение из только что добавленного файла ключа"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3438
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Количество пропускаемых байтов в только что добавленном файле ключа"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3439
 msgid "Slot number for new key (default is first free)"
 msgstr "Номер слота для нового ключа (по умолчанию первый свободный)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3440
 msgid "The size of the device"
 msgstr "Размер устройства"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3440 src/cryptsetup.c:3442 src/cryptsetup.c:3443
+#: src/cryptsetup.c:3449 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "СЕКТОРОВ"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3441 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Использовать только заданный размер устройства (игнорировать остаток устройства). ОПАСНО!"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3442
 msgid "The start offset in the backend device"
 msgstr "Начальное смещение в нижележащем (backend) устройстве"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3443
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Сколько секторов зашифрованных данных пропускать от начала"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3444
 msgid "Create a readonly mapping"
 msgstr "Создать отображение в режиме только для чтения"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3445 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Не запрашивать подтверждение"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3446
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Время ожидания при ручном вводе парольной фразы (в секундах)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3446 src/cryptsetup.c:3447 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "сек"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Обновление строки хода выполнения (в секундах)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3448 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Как часто можно повторять попытку ввода парольной фразы"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3449
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Выравнивать полезные данные по границам <n> секторов — для luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3450
 msgid "File with LUKS header and keyslots backup"
 msgstr "Файл резервной копии заголовка и слотов ключей LUKS"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3451 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Использовать /dev/random для генерации ключа тома"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Использовать /dev/urandom для генерации ключа тома"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3453
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Совместно использовать устройство с другим неперекрывающимся шифрованным сегментом"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3454 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "Используемый для устройства UUID"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3455
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Разрешить отбрасывать запросы (так называемые TRIM) к устройству"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3456 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Устройство или файл с отдельным заголовком LUKS"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3457
 msgid "Do not activate device, just check passphrase"
 msgstr "Не активировать устройство, только проверить парольную фразу"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3458
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Использовать скрытый заголовок (спрятанное устройство TCRYPT)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3459
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Устройство является системным диском TCRYPT (с загрузчиком)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3460
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Использовать резервный (вторичный) заголовок TCRYPT"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3461
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Также искать устройство совместимое с VeraCrypt"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3462
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Персональный умножитель итерации для устройства, совместимого с VeraCrypt"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3463
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Запрос персонального умножителя итерации для устройства, совместимого с VeraCrypt"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Тип метаданных устройства: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3464
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Тип метаданных устройства: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3465
 msgid "Disable password quality check (if enabled)"
 msgstr "Выключить проверку качество пароля (если включена)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3466
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Использовать параметр производительности same_cpu_crypt для dm-crypt"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Использовать параметр производительности submit_from_crypt_cpus для dm-crypt"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3468
 msgid "Device removal is deferred until the last user closes it"
 msgstr "Удаление устройства отложено, пока его не закроет последний пользователь"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3469
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Использовать глобальную блокировку для сериализации доступа на скорости памяти (memory-hard) PBKDF (для обхода OOM)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3470
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "Время итерации PBKDF для LUKS (в мс)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3470 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "мс"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "Алгоритм PBKDF (для LUKS2): argon2i, argon2id, pbkdf2"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "Ограничение стоимости памяти PBKDF"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "килобайт"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "Стоимость параллельности PBKDF"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "нити"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "Стоимость итераций PBKDF (принудительная, оценка производительности отключена)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3475
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Приоритет слота ключа: ignore, normal, prefer"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3476
 msgid "Disable locking of on-disk metadata"
 msgstr "Выключить блокировку метаданных на диске"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3477
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Выключить загрузку ключей томов через связку ключей ядра"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3478
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Алгоритм целостности данных (только для LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3479 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Выключить журналирование для устройства целостности"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3480 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Не затирать устройство после форматирования"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3481 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Использовать неэффективное устаревшее дополнение (старые ядра)"
+
+#: src/cryptsetup.c:3482
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "Не запрашивать парольную фразу, если активация токеном завершилась ошибкой"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3483
 msgid "Token number (default: any)"
 msgstr "Номер токена (по умолчанию: любой)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3484
 msgid "Key description"
 msgstr "Описание ключа"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3485
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Размер сектора шифрования (по умолчанию: 512 байт)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3486
 msgid "Set activation flags persistent for device"
 msgstr "Задать набор постоянных флагов активации устройства"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3487
 msgid "Set label for the LUKS2 device"
 msgstr "Задать метку устройства LUKS2"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3488
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Задать метку подсистемы устройства LUKS2"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3489
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Создать непривязанный (без назначенного сегмента данных) слот ключа LUKS2"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3490
 msgid "Read or write the json from or to a file"
 msgstr "Прочитать или записать json в файл"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3491
 msgid "LUKS2 header metadata area size"
 msgstr "Размер области метаданных заголовка LUKS2"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header keyslots area size"
 msgstr "Размер области слотов ключей заголовка LUKS2"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3493
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Обновить (реактивировать) устройство с новыми параметрами"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3494
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "Слот ключа LUKS2: Размер ключа шифрования"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "Слот ключа LUKS2: Шифр, используемый для шифрования слота ключа"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3496
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "Зашифровать устройство LUKS2 (шифрование по месту (in-place))"
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3497
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "Расшифровать устройство LUKS2 (удалить шифрование)"
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3498
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "Инициализировать перешифрование LUKS2 только метаданных."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3499
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Возобновить только инициализированное перешифрование LUKS2."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3500 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Сократить размер данных устройства (переместить смещение данных). ОПАСНО!"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3501
 msgid "Maximal reencryption hotzone size."
 msgstr "Максимальный размер hotzone перешифрования."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3502
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Тип устойчивости перешифрования hotzone (checksum,journal,none)"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone checksums hash"
 msgstr "Контрольные хэш-суммы hotzone перешифрования"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3504
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Заменить автоопределение устройства dm для перешифруемого устройства"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3520 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[ПАРАМЕТР…] <действие> <данные для действия>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3571 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Не задан параметр <действие>."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3640 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Неизвестное действие."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3650
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "Параметр --refresh допускается только с командами open и refresh.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3655
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Параметры --refresh и --test-passphrase взаимно исключают друг друга.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3660
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "Параметр --deferred допускается только для команды close.\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3665
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Параметр --shared допускается только для открытия устройства plain.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3670
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Параметр --allow-discards допускается только для операции открытия.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3675
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "Параметр --persistent допускается только для операции открытия.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3680
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "Параметр --serialize-memory-hard-pbkdf допускается только для операции открытия.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3685
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "Параметр --persistent не допускается одновременно указывать с --test-passphrase.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3695
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2678,245 +2795,255 @@
 "Параметр --key-size допускается только для  luksFormat, luksAddKey,\n"
 "действий open и benchmark. Для ограничения чтения из файла ключа используйте --keyfile-size=(байт)."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3701
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "Параметр --integrity допускается только для luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3706
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "Параметр --integrity-no-wipe можно использовать только для действия format с расширением целостности.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3712
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Параметры --label и --subsystem допускаются только для операций LUKS2 luksFormat и config.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "Параметр --test-passphrase допускается только для открытия устройств LUKS и TCRYPT.\n"
+#: src/cryptsetup.c:3718
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "Параметр --test-passphrase допускается только для открытия устройств LUKS, TCRYPT и BITLK.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3723 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Размер ключа должен быть кратен 8-ми битам"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3729 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Некорректный слот ключа."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3736
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Параметр --key-file имеет приоритет над указанным значением файла ключа."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3743 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "В параметре нельзя использовать отрицательные числа."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3747
 msgid "Only one --key-file argument is allowed."
 msgstr "Разрешено указывать только один параметр --key-file."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3751 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Разрешено использовать только один параметр --use-[u]random."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3755
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "Параметр --use-[u]random допускается только для luksFormat."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3759
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Параметр --uuid допускается только для luksFormat и luksUUID."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3763
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Параметр --align-payload допускается только для luksFormat."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3767
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Параметры --luks2-metadata-size и --opt-luks2-keyslots-size допускаются только для операции luksFormat с LUKS2."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3772
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Неправильно указан размер метаданных LUKS2."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3776
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Неправильно указан размер слота ключа LUKS2."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3780
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Параметры --align-payload и --offset не допускается указывать вместе."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3786
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Параметр --skip поддерживается только для открытия устройств plain и loopaes.\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3793
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "Параметр --offset поддерживается только для открытия устройств plain и loopaes, luksFormat и перешифрования устройства.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3799
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Параметр --tcrypt-hidden, --tcrypt-system или --tcrypt-backup поддерживается только для устройства TCRYPT.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3804
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Параметр --tcrypt-hidden нельзя указывать вместе с --allow-discards.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3809
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Параметр --veracrypt поддерживается только для устройств TCRYPT.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3815
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Указано некорректное значение параметра --veracrypt-pim.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3819
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Параметр --veracrypt-pim поддерживается только для устройств, совместимых с VeraCrypt.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3827
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Параметр --veracrypt-query-pim поддерживается только для устройств, совместимых с VeraCrypt.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3831
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Параметры --veracrypt-pim и --veracrypt-query-pim взаимно исключают друг друга.\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3838
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "Значением параметра --priority может быть только ignore/normal/prefer.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3843
 msgid "Keyslot specification is required.\n"
 msgstr "Требуется указать слот ключа.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3848 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "Функцией отклонения на основе пароля для ключа (PBKDF) может быть только pbkdf2 или argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3853 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "PBKDF принудительной итерации нельзя объединять вместе с параметром времени итерации.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3859
 msgid "Sector size option is not supported for this command.\n"
 msgstr "Параметр размера сектора не поддерживается этой командой.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3865
 msgid "Unsupported encryption sector size.\n"
 msgstr "Неподдерживаемый размер сектора шифрования.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3870
 msgid "Key size is required with --unbound option.\n"
 msgstr "С параметром --unbound требуется задать размер ключа.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3875
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "Параметр --unbound можно использовать только при действии luksAddKey.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3880
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "Параметр --refresh можно использовать только при действии open.\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3891
 msgid "Cannot disable metadata locking.\n"
 msgstr "Невозможно выключить блокировку метаданных.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3901
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Неправильный максимальный размер перешифрования hotzone."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3909 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "Неправильно указан размер устройства."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3912
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Максимальный размер сокращения устройства равен 1 ГиБ."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3915 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Размер сокращения должен быть кратен 512 байтовому сектору."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3920
 msgid "Invalid data size specification."
 msgstr "Неправильный размер устройства данных."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3925
 msgid "Reduce size overflow."
 msgstr "Переполнение размера сокращения."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3929
 msgid "LUKS2 decryption requires option --header."
 msgstr "Для расшифровки LUKS2 требуется параметр --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3933
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Размер устройства должен быть кратен 512 байтовому сектору."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3937
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Параметры ---reduce-device-size и --data-size не допускается указывать вместе."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3941
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Параметры --device-size и --size не допускается указывать вместе."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Указана недопустимая строка соли."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Невозможно создать образ хэша %s для записи."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Невозможно создать образ FEC %s для записи."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Указана недопустимая строка корневого хэша."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Неверный файл подписи %s."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Невозможно прочитать файл подписи %s."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<устройство_данных> <устройство_хэша>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "отформатировать устройство"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<устройство_данных> <устройство_хэша> <корневой_хэш>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "проверить устройство"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<устройство_данных> <имя> <устройство_хэша> <корневой_хэш>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "показать состояние активного устройства"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<устройство_хэша>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "показать информацию на диске"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2931,7 +3058,7 @@
 "<устройство_хэша> — устройство, содержащее проверочные данные\n"
 "<корневой_хэш> — хэш корневого узла на <устройстве_хэша>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2942,91 +3069,99 @@
 "Встроенные параметры dm-verity по умолчанию:\n"
 "\tХэш: %s, Блок данных (байт): %u, Блок хэша (байт): %u, Размер соли: %u, Формат хэша: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Не использовать проверочный суперблок"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Тип форматирования (1 - обычное, 0 - как в Chrome OS)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "число"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Размер блока устройства данных"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Размер блока устройства хэша"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "байты чётности FEC"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Количество блоков в файле данных"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "блоков"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Путь к устройству с данными коррекции ошибок"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "путь"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Начальное смещение на устройстве хэша"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Начальное смещение на устройстве FEC"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Алгоритм хэширования"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "строка"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Соль"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "шестн. строка"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Путь к файлу с подписью корневого хэша"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Перезапустить ядро, если обнаружится ошибка"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Игнорировать повреждение, только запротоколировать"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Не проверять обнулённые блоки"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Проверять блок данных только при первом чтении"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Параметр --ignore-corruption, --restart-on-corruption или --ignore-zero-blocks допускается только для операции открытия.\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Параметр --root-hash-signature можно использовать только для действия open.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Параметры --ignore-corruption и --restart-on-corruption нельзя использовать вместе.\n"
 
@@ -3040,20 +3175,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Невозможно прочитать %d байт из файл ключа %s."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Отформатирован с размером тега %u, внутренняя целостность %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<устройство_целостности>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<устройство_целостности> <имя>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3064,158 +3199,158 @@
 "<имя> — устройство, создаваемое на %s\n"
 "<устройство_целостности> — устройство, содержащее данные с тегами целостности\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Встроенные параметры dm-integrity:\n"
-"\tРазмер тега: %u байт, Алгоритм контрольной суммы: %s\n"
+"\tАлгоритм контрольной суммы: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Путь к устройству данных (при разделении устройств)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Размер журнала"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Чередующиеся секторы"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "Отметка журнала"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "процент"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Время фиксации журнала"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "мс"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Количество 512-байтовых секторов на бит (режим битовой карты)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Время стирания в режиме битовой карты"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Размер тега (на сектор)"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Размер сектора"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Размер буфера"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Алгоритм целостности данных"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Размер ключа целостности данных"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Прочитать ключ целостности из файла"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Алгоритм целостности журнала"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Размер ключа целостности журнала"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Прочитать ключ целостности журнала из файла"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Алгоритм шифрования журнала"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Размер ключа шифрования журнала"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Прочитать ключ шифрования журнала из файла"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Режим восстановления (без проверки журнала и тегов)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Использовать битовую карту для отслеживания изменений и выключить журналирование для устройства целостности"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Автоматически вычислять начальные теги повторно."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "Параметр --integrity-recalculate можно использовать только для действия open."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Параметры --journal-size, --interleave-sectors, --sector-size, --tag-size и --no-wipe можно использовать только для действия format.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "Неправильное задание размера журнала."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Должны быть указаны параметры файла ключа и размер ключа одновременно."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "Если используется ключ целостности, то должен быть указан алгоритм целостности."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Должны быть указаны параметры файла ключа целостности и размер ключа одновременно."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Если используется ключ целостности журнала, то должен быть указан алгоритм целостности журнала."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Должны быть указаны параметры файла ключа шифрования и размер ключа одновременно."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Если используется ключ шифрования журнала, то должен быть указан алгоритм шифрования журнала."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Параметры восстановления и режима битовой карты взаимно исключают друг друга."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Параметры журнала нельзя использовать в режиме битовой карты."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Параметр битовой карты можно использовать только в режиме битовой карты."
 
@@ -3228,7 +3363,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Невозможно монопольно открыть устройство %s, оно уже используется."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "Не удалось выделить выровненную память."
 
@@ -3277,190 +3412,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "Ошибка при активации временного устройства."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Не удалось задать смещение данных."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "Не удалось задать размер метаданных."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Создан новый заголовок LUKS для устройства %s."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Эта версия cryptsetup-reencrypt не работает с новым типом внутреннего токена %s."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "Ошибка чтения флагов активации из резервной копии заголовка."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "Ошибка записи флагов активации в новый заголовок."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Ошибка чтения требований из резервной копии заголовка."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Создана резервная копия заголовка %s для устройства %s."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "Ошибка при создании резервных копий заголовка LUKS."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Невозможно восстановить заголовок %s устройства %s."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Заголовок %s устройства %s восстановлен."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Невозможно открыть временное устройство LUKS."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Невозможно получить размер устройства."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "Ошибка ввода-вывода при перешифровании."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Указан некорректный UUID."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Невозможно открыть файл протокола перешифрования."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Расшифровка не выполняется, указанный UUID можно использовать только для возобновления приостановленного процесса расшифровки."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Изменённые параметры pbkdf в слоте ключа %i."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Размер блока перешифрования"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "МиБ"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Не изменять ключ, нет области перешифрования данных"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Прочитать новый (главный) ключ тома из файла"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "Время итерации PBKDF2 для LUKS (мс)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Использовать direct-io для доступа к устройствам"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Вызывать fsync после каждого блока"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Обновлять файл протокола после каждого блока"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Использовать только этот слот (остальные будут выключены)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Создать новый заголовок на не шифрованном устройстве"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Окончательно расшифровать устройство (удалить шифрование)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "Используемый для возобновления шифрования UUID"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Тип метаданных LUKS: luks1, luks2"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[ПАРАМЕТР…] <устройство>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Перешифрование изменит: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "ключ тома"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "установить хэш равным"
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", установить шифр равным"
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Требуется аргумент."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Значение размера блока перешифрования должно быть в диапазоне от 1 МиБ до 64 МиБ."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Максимальный размер сокращения устройства равен 64 МиБ."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Параметр --new должен использоваться вместе с --reduce-device-size или --header."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Параметр --keep-key можно использовать только с --hash, --iter-time или --pbkdf-force-iterations."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Параметр --new нельзя использовать вместе с --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Параметр --decrypt несовместим с указанными параметрами."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Параметр --uuid можно использовать только вместе с --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Некорректный тип luks. Возможные значения: «luks», «luks1» или «luks2»."
 
@@ -3691,6 +3826,15 @@
 msgid "Failed to write JSON file."
 msgstr "Ошибка записи в файл JSON."
 
+#~ msgid "Offline reencryption in progress. Aborting."
+#~ msgstr "Ведётся внесистемное (offline) перешифрование. Прерываемся."
+
+#~ msgid "Online reencryption in progress. Aborting."
+#~ msgstr "Ведётся оперативное (online) перешифрование. Прерываемся."
+
+#~ msgid "No LUKS2 reencryption in progress."
+#~ msgstr "Перешифрование LUKS2 в данный момент не выполняется."
+
 #~ msgid "Interrupted by a signal."
 #~ msgstr "Прервано сигналом."
 
@@ -3763,9 +3907,6 @@
 #~ msgid "Device is not in clean reencryption state."
 #~ msgstr "Устройство не в начальном (clean) состояния перешифрования."
 
-#~ msgid "Failed to read device info from %s."
-#~ msgstr "Ошибка чтения информации об устройстве из %s."
-
 #~ msgid "Failed to calculate new segments."
 #~ msgstr "Ошибка при вычислении новых сегментов."
 
diff -Nru cryptsetup-2.2.2/po/uk.po cryptsetup-2.3.1/po/uk.po
--- cryptsetup-2.2.2/po/uk.po	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/po/uk.po	2020-03-12 08:39:20.000000000 +0000
@@ -2,13 +2,13 @@
 # Copyright (C) 2012 Free Software Foundation, Inc.
 # This file is put in the public domain.
 #
-# Yuri Chornoivan <yurchor@ukr.net>, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019.
+# Yuri Chornoivan <yurchor@ukr.net>, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020.
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.2.2-rc0\n"
+"Project-Id-Version: cryptsetup 2.3.1-rc0\n"
 "Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
-"POT-Creation-Date: 2019-10-18 10:57+0200\n"
-"PO-Revision-Date: 2019-10-18 14:07+0300\n"
+"POT-Creation-Date: 2020-03-08 10:59+0100\n"
+"PO-Revision-Date: 2020-03-08 13:54+0200\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n"
 "Language: uk\n"
@@ -17,67 +17,67 @@
 "Content-Transfer-Encoding: 8bit\n"
 "X-Bugs: Report translation errors to the Language-Team address.\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Lokalize 19.04.0\n"
+"X-Generator: Lokalize 20.03.70\n"
 
-#: lib/libdevmapper.c:384
+#: lib/libdevmapper.c:396
 msgid "Cannot initialize device-mapper, running as non-root user."
 msgstr "Не можна ініціалізувати device-mapper, якщо програму запущено не від імені адміністратора (root)."
 
-#: lib/libdevmapper.c:387
+#: lib/libdevmapper.c:399
 msgid "Cannot initialize device-mapper. Is dm_mod kernel module loaded?"
 msgstr "Не вдалося ініціалізувати device-mapper. Чи завантажено модуль ядра dm_mod?"
 
-#: lib/libdevmapper.c:1082
+#: lib/libdevmapper.c:1119
 msgid "Requested deferred flag is not supported."
 msgstr "Підтримки бажаного прапорця відкладення, %s, не передбачено."
 
-#: lib/libdevmapper.c:1149
+#: lib/libdevmapper.c:1186
 #, c-format
 msgid "DM-UUID for device %s was truncated."
 msgstr "DM-UUID для пристрою %s було обрізано."
 
-#: lib/libdevmapper.c:1463
+#: lib/libdevmapper.c:1508
 msgid "Unknown dm target type."
 msgstr "Невідомий тип призначення dm."
 
-#: lib/libdevmapper.c:1565 lib/libdevmapper.c:1617
+#: lib/libdevmapper.c:1611 lib/libdevmapper.c:1663
 msgid "Requested dm-crypt performance options are not supported."
 msgstr "Підтримки вказаних параметрів швидкодії dm-crypt не передбачено."
 
-#: lib/libdevmapper.c:1572
+#: lib/libdevmapper.c:1618
 msgid "Requested dm-verity data corruption handling options are not supported."
 msgstr "Підтримки вказаних параметрів обробки пошкоджених даних за допомогою dm-verity не передбачено."
 
-#: lib/libdevmapper.c:1576
+#: lib/libdevmapper.c:1622
 msgid "Requested dm-verity FEC options are not supported."
 msgstr "Підтримки вказаних параметрів FEC за допомогою dm-verity не передбачено."
 
-#: lib/libdevmapper.c:1580
+#: lib/libdevmapper.c:1626
 msgid "Requested data integrity options are not supported."
 msgstr "Підтримки вказаних параметрів цілісності даних не передбачено."
 
-#: lib/libdevmapper.c:1582
+#: lib/libdevmapper.c:1628
 msgid "Requested sector_size option is not supported."
 msgstr "Підтримки вказаного параметра sector_size не передбачено."
 
-#: lib/libdevmapper.c:1587
+#: lib/libdevmapper.c:1633
 msgid "Requested automatic recalculation of integrity tags is not supported."
 msgstr "Підтримки потрібного вам автоматичного повторного обчислення міток цілісності не передбачено."
 
-#: lib/libdevmapper.c:1591
+#: lib/libdevmapper.c:1637
 msgid "Requested dm-integrity bitmap mode is not supported."
 msgstr "Підтримки вказаного режиму бітової карти цілісності dm не передбачено."
 
-#: lib/libdevmapper.c:1620
+#: lib/libdevmapper.c:1666
 msgid "Discard/TRIM is not supported."
 msgstr "Підтримки відкидання або обрізання не передбачено."
 
-#: lib/libdevmapper.c:2511
+#: lib/libdevmapper.c:2584
 #, c-format
 msgid "Failed to query dm-%s segment."
 msgstr "Не вдалося опитати сегмент dm-%s."
 
-#: lib/random.c:80
+#: lib/random.c:75
 msgid ""
 "System is out of entropy while generating volume key.\n"
 "Please move mouse or type some text in another window to gather some random events.\n"
@@ -85,548 +85,565 @@
 "Під час створення ключа тому було вичерпано буфер ентропії системи.\n"
 "Будь ласка, пересуньте вказівник миші або наберіть якийсь текст у іншому вікні, щоб зібрати додаткові дані на основі випадкових подій.\n"
 
-#: lib/random.c:84
+#: lib/random.c:79
 #, c-format
 msgid "Generating key (%d%% done).\n"
 msgstr "Створення ключа (виконано %d%%).\n"
 
-#: lib/random.c:170
+#: lib/random.c:165
 msgid "Running in FIPS mode."
 msgstr "Працюємо у режимі FIPS."
 
-#: lib/random.c:176
+#: lib/random.c:171
 msgid "Fatal error during RNG initialisation."
 msgstr "Критична помилка під час ініціалізації генератора псевдовипадкових чисел."
 
-#: lib/random.c:213
+#: lib/random.c:208
 msgid "Unknown RNG quality requested."
 msgstr "Надійшов запит щодо невідомої якості псевдовипадкових чисел."
 
-#: lib/random.c:218
+#: lib/random.c:213
 msgid "Error reading from RNG."
 msgstr "Помилка читання з генератора псевдовипадкових чисел."
 
-#: lib/setup.c:223
+#: lib/setup.c:229
 msgid "Cannot initialize crypto RNG backend."
 msgstr "Не вдалося ініціалізувати допоміжну програму шифрування генератора псевдовипадкових чисел."
 
-#: lib/setup.c:229
+#: lib/setup.c:235
 msgid "Cannot initialize crypto backend."
 msgstr "Не вдалося ініціалізувати допоміжну програму шифрування."
 
-#: lib/setup.c:260 lib/setup.c:1990 lib/verity/verity.c:120
+#: lib/setup.c:266 lib/setup.c:2046 lib/verity/verity.c:119
 #, c-format
 msgid "Hash algorithm %s not supported."
 msgstr "Підтримки алгоритму хешування %s не передбачено."
 
-#: lib/setup.c:263 lib/loopaes/loopaes.c:90
+#: lib/setup.c:269 lib/loopaes/loopaes.c:90
 #, c-format
 msgid "Key processing error (using hash %s)."
 msgstr "Помилка під час обробки ключа (на основі хешу %s)."
 
-#: lib/setup.c:324 lib/setup.c:351
+#: lib/setup.c:335 lib/setup.c:362
 msgid "Cannot determine device type. Incompatible activation of device?"
 msgstr "Не вдалося визначити тип пристрою. Несумісна дія з активації пристрою?"
 
-#: lib/setup.c:330 lib/setup.c:2985
+#: lib/setup.c:341 lib/setup.c:3050
 msgid "This operation is supported only for LUKS device."
 msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS."
 
-#: lib/setup.c:357
+#: lib/setup.c:368
 msgid "This operation is supported only for LUKS2 device."
 msgstr "Підтримку цієї дії передбачено лише для пристроїв LUKS2."
 
-#: lib/setup.c:412 lib/luks2/luks2_reencrypt.c:2345
+#: lib/setup.c:423 lib/luks2/luks2_reencrypt.c:2345
 msgid "All key slots full."
 msgstr "Заповнено всі слоти ключів."
 
-#: lib/setup.c:423
+#: lib/setup.c:434
 #, c-format
 msgid "Key slot %d is invalid, please select between 0 and %d."
 msgstr "Слот ключа %d є некоректним, будь ласка, виберіть число від 0 до %d."
 
-#: lib/setup.c:429
+#: lib/setup.c:440
 #, c-format
 msgid "Key slot %d is full, please select another one."
 msgstr "Слот ключа %d заповнено, будь ласка, виберіть інший."
 
-#: lib/setup.c:514 lib/setup.c:2759
+#: lib/setup.c:525 lib/setup.c:2824
 msgid "Device size is not aligned to device logical block size."
 msgstr "Розмір пристрою не вирівняно за розміром логічного блоку пристрою."
 
-#: lib/setup.c:610
+#: lib/setup.c:624
 #, c-format
 msgid "Header detected but device %s is too small."
 msgstr "Виявлено заголовок, але об’єм пристрою %s є надто малим."
 
-#: lib/setup.c:647
+#: lib/setup.c:661
 msgid "This operation is not supported for this device type."
 msgstr "Підтримки цієї дії для цього типу пристроїв не передбачено."
 
-#: lib/setup.c:652
+#: lib/setup.c:666
 msgid "Illegal operation with reencryption in-progress."
 msgstr "Виконуємо заборонену дію із повторного шифрування."
 
-#: lib/setup.c:821 lib/luks1/keymanage.c:476
+#: lib/setup.c:832 lib/luks1/keymanage.c:475
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr "Непідтримувана версія LUKS, %d."
 
-#: lib/setup.c:838 lib/setup.c:1483 lib/setup.c:1903
+#: lib/setup.c:849 lib/setup.c:1539 lib/setup.c:1959
 msgid "Detached metadata device is not supported for this crypt type."
 msgstr "Підтримки пристрою від'єднаних метаданих для цього типу шифрування не передбачено."
 
-#: lib/setup.c:1373 lib/setup.c:2479 lib/setup.c:2551 lib/setup.c:2563
-#: lib/setup.c:2712 lib/setup.c:4310
+#: lib/setup.c:1427 lib/setup.c:2544 lib/setup.c:2616 lib/setup.c:2628
+#: lib/setup.c:2777 lib/setup.c:4512
 #, c-format
 msgid "Device %s is not active."
 msgstr "Пристрій %s є неактивним."
 
-#: lib/setup.c:1390
+#: lib/setup.c:1444
 #, c-format
 msgid "Underlying device for crypt device %s disappeared."
 msgstr "Зник основний пристрій для пристрою для шифрування %s."
 
-#: lib/setup.c:1468
+#: lib/setup.c:1524
 msgid "Invalid plain crypt parameters."
 msgstr "Некоректні параметри звичайного шифрування."
 
-#: lib/setup.c:1473 lib/setup.c:1893 src/integritysetup.c:73
+#: lib/setup.c:1529 lib/setup.c:1949 src/integritysetup.c:73
 msgid "Invalid key size."
 msgstr "Некоректний розмір ключа."
 
-#: lib/setup.c:1478 lib/setup.c:1898 lib/setup.c:2100
+#: lib/setup.c:1534 lib/setup.c:1954 lib/setup.c:2157
 msgid "UUID is not supported for this crypt type."
 msgstr "Підтримки UUID для цього типу шифрування не передбачено."
 
-#: lib/setup.c:1493 lib/setup.c:1683 lib/luks2/luks2_reencrypt.c:2308
-#: src/cryptsetup.c:1169
+#: lib/setup.c:1549 lib/setup.c:1739 lib/luks2/luks2_reencrypt.c:2308
+#: src/cryptsetup.c:1237
 msgid "Unsupported encryption sector size."
 msgstr "Непідтримуваний розмір сектора шифрування."
 
-#: lib/setup.c:1501 lib/setup.c:1808 lib/setup.c:2753
+#: lib/setup.c:1557 lib/setup.c:1864 lib/setup.c:2818
 msgid "Device size is not aligned to requested sector size."
 msgstr "Розмір пристрою не вирівняно за вказаним розміром сектора."
 
-#: lib/setup.c:1552 lib/setup.c:1671
+#: lib/setup.c:1608 lib/setup.c:1727
 msgid "Can't format LUKS without device."
 msgstr "Форматування LUKS без пристрою неможливе."
 
-#: lib/setup.c:1558 lib/setup.c:1677
+#: lib/setup.c:1614 lib/setup.c:1733
 msgid "Requested data alignment is not compatible with data offset."
 msgstr "Потрібне вам вирівнювання даних є несумісним із відступом у даних."
 
-#: lib/setup.c:1626 lib/setup.c:1795
+#: lib/setup.c:1682 lib/setup.c:1851
 msgid "WARNING: Data offset is outside of currently available data device.\n"
 msgstr "Увага: відступ у даних виходить за межі поточного доступного пристрою для зберігання даних.\n"
 
-#: lib/setup.c:1636 lib/setup.c:1823 lib/setup.c:1844 lib/setup.c:2112
+#: lib/setup.c:1692 lib/setup.c:1879 lib/setup.c:1900 lib/setup.c:2169
 #, c-format
 msgid "Cannot wipe header on device %s."
 msgstr "Не можна витирати заголовок на пристрої %s."
 
-#: lib/setup.c:1688
+#: lib/setup.c:1744
 msgid "WARNING: The device activation will fail, dm-crypt is missing support for requested encryption sector size.\n"
 msgstr "Увага: спроба активувати пристрій завершиться невдало, у dm-crypt не передбачено підтримки для вказаного розміру сектора шифрування.\n"
 
-#: lib/setup.c:1710
+#: lib/setup.c:1766
 msgid "Volume key is too small for encryption with integrity extensions."
 msgstr "Ключ тому є надто малим для шифрування із розширеннями цілісності."
 
-#: lib/setup.c:1765
+#: lib/setup.c:1821
 #, c-format
 msgid "Cipher %s-%s (key size %zd bits) is not available."
 msgstr "Шифрування  %s-%s (розмір ключа — %zd бітів) є недоступним."
 
-#: lib/setup.c:1798
+#: lib/setup.c:1854
 #, c-format
 msgid "WARNING: LUKS2 metadata size changed to %<PRIu64> bytes.\n"
 msgstr "Увага: розмір метаданих LUKS2 змінено до %<PRIu64> байтів.\n"
 
-#: lib/setup.c:1802
+#: lib/setup.c:1858
 #, c-format
 msgid "WARNING: LUKS2 keyslots area size changed to %<PRIu64> bytes.\n"
 msgstr "Увага: розмір області слотів ключів LUKS2 змінено до %<PRIu64> байтів.\n"
 
-#: lib/setup.c:1826 lib/utils_device.c:829 lib/luks1/keyencryption.c:256
-#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3348
+#: lib/setup.c:1882 lib/utils_device.c:828 lib/luks1/keyencryption.c:255
+#: lib/luks2/luks2_reencrypt.c:2356 lib/luks2/luks2_reencrypt.c:3367
 #, c-format
 msgid "Device %s is too small."
 msgstr "Об’єм пристрою %s є надто малим."
 
-#: lib/setup.c:1837 lib/setup.c:1863
+#: lib/setup.c:1893 lib/setup.c:1919
 #, c-format
 msgid "Cannot format device %s in use."
 msgstr "Не можна форматувати пристрій %s, який перебуває у користуванні."
 
-#: lib/setup.c:1840 lib/setup.c:1866
+#: lib/setup.c:1896 lib/setup.c:1922
 #, c-format
 msgid "Cannot format device %s, permission denied."
 msgstr "Не можна форматувати пристрій %s, недостатні права доступу."
 
-#: lib/setup.c:1852 lib/setup.c:2164
+#: lib/setup.c:1908 lib/setup.c:2229
 #, c-format
 msgid "Cannot format integrity for device %s."
 msgstr "Не вдалося форматувати цілісність для пристрою %s."
 
-#: lib/setup.c:1870
+#: lib/setup.c:1926
 #, c-format
 msgid "Cannot format device %s."
 msgstr "Не вдалося форматувати пристрій %s."
 
-#: lib/setup.c:1888
+#: lib/setup.c:1944
 msgid "Can't format LOOPAES without device."
 msgstr "Не можна форматувати LOOPAES без пристрою."
 
-#: lib/setup.c:1933
+#: lib/setup.c:1989
 msgid "Can't format VERITY without device."
 msgstr "Форматування VERITY без пристрою неможливе."
 
-#: lib/setup.c:1944 lib/verity/verity.c:103
+#: lib/setup.c:2000 lib/verity/verity.c:102
 #, c-format
 msgid "Unsupported VERITY hash type %d."
 msgstr "Непідтримуваний тип хешування VERITY, %d."
 
-#: lib/setup.c:1950 lib/verity/verity.c:111
+#: lib/setup.c:2006 lib/verity/verity.c:110
 msgid "Unsupported VERITY block size."
 msgstr "Непідтримуваний розмір блоку VERITY."
 
-#: lib/setup.c:1955 lib/verity/verity.c:75
+#: lib/setup.c:2011 lib/verity/verity.c:74
 msgid "Unsupported VERITY hash offset."
 msgstr "Непідтримуваний відступ хешу VERITY."
 
-#: lib/setup.c:1960
+#: lib/setup.c:2016
 msgid "Unsupported VERITY FEC offset."
 msgstr "Непідтримуваний зсув FEC VERITY."
 
-#: lib/setup.c:1984
+#: lib/setup.c:2040
 msgid "Data area overlaps with hash area."
 msgstr "Область даних перекривається із областю хешу."
 
-#: lib/setup.c:2009
+#: lib/setup.c:2065
 msgid "Hash area overlaps with FEC area."
 msgstr "Область хешування перекриваються з областю FEC."
 
-#: lib/setup.c:2016
+#: lib/setup.c:2072
 msgid "Data area overlaps with FEC area."
 msgstr "Область даних перекривається із областю FEC."
 
-#: lib/setup.c:2221
+#: lib/setup.c:2208
+#, c-format
+msgid "WARNING: Requested tag size %d bytes differs from %s size output (%d bytes).\n"
+msgstr "Увага: бажаний розмір мітки у %d байтів відрізняється від розміру у результаті %s (%d байтів).\n"
+
+#: lib/setup.c:2286
 #, c-format
 msgid "Unknown crypt device type %s requested."
 msgstr "Надіслано запит щодо невідомого типу пристрою шифрування, %s."
 
-#: lib/setup.c:2485 lib/setup.c:2557 lib/setup.c:2570
+#: lib/setup.c:2550 lib/setup.c:2622 lib/setup.c:2635
 #, c-format
 msgid "Unsupported parameters on device %s."
 msgstr "Непідтримувані параметри на пристрої %s."
 
-#: lib/setup.c:2491 lib/setup.c:2576 lib/luks2/luks2_reencrypt.c:2408
-#: lib/luks2/luks2_reencrypt.c:2718
+#: lib/setup.c:2556 lib/setup.c:2641 lib/luks2/luks2_reencrypt.c:2408
+#: lib/luks2/luks2_reencrypt.c:2737
 #, c-format
 msgid "Mismatching parameters on device %s."
 msgstr "Невідповідність параметрів на пристрої %s."
 
-#: lib/setup.c:2596
+#: lib/setup.c:2661
 msgid "Crypt devices mismatch."
 msgstr "Невідповідність пристроїв шифрування."
 
-#: lib/setup.c:2633 lib/setup.c:2638 lib/luks2/luks2_reencrypt.c:2054
-#: lib/luks2/luks2_reencrypt.c:3126
+#: lib/setup.c:2698 lib/setup.c:2703 lib/luks2/luks2_reencrypt.c:2054
+#: lib/luks2/luks2_reencrypt.c:3145
 #, c-format
 msgid "Failed to reload device %s."
 msgstr "Не вдалося перезавантажити пристрій %s."
 
-#: lib/setup.c:2643 lib/setup.c:2648 lib/luks2/luks2_reencrypt.c:2025
+#: lib/setup.c:2708 lib/setup.c:2713 lib/luks2/luks2_reencrypt.c:2025
 #: lib/luks2/luks2_reencrypt.c:2032
 #, c-format
 msgid "Failed to suspend device %s."
 msgstr "Не вдалося приспати пристрій %s."
 
-#: lib/setup.c:2653 lib/luks2/luks2_reencrypt.c:2039
-#: lib/luks2/luks2_reencrypt.c:3061 lib/luks2/luks2_reencrypt.c:3130
+#: lib/setup.c:2718 lib/luks2/luks2_reencrypt.c:2039
+#: lib/luks2/luks2_reencrypt.c:3080 lib/luks2/luks2_reencrypt.c:3149
 #, c-format
 msgid "Failed to resume device %s."
 msgstr "Не вдалося відновити роботу пристрою %s."
 
-#: lib/setup.c:2667
+#: lib/setup.c:2732
 #, c-format
 msgid "Fatal error while reloading device %s (on top of device %s)."
 msgstr "Критична помилка під час перезавантаження пристрої %s (над пристроєм %s)."
 
-#: lib/setup.c:2670 lib/setup.c:2672
+#: lib/setup.c:2735 lib/setup.c:2737
 #, c-format
 msgid "Failed to switch device %s to dm-error."
 msgstr "Не вдалося перемкнути пристрій %s у режим dm-error."
 
-#: lib/setup.c:2744
+#: lib/setup.c:2809
 msgid "Cannot resize loop device."
 msgstr "Неможливо змінити розмір петльового пристрою."
 
-#: lib/setup.c:2817
+#: lib/setup.c:2882
 msgid "Do you really want to change UUID of device?"
 msgstr "Ви справді хочете змінити UUID пристрою?"
 
-#: lib/setup.c:2893
+#: lib/setup.c:2958
 msgid "Header backup file does not contain compatible LUKS header."
 msgstr "Файл резервної копії заголовка не містить сумісного із LUKS заголовка."
 
-#: lib/setup.c:2993
+#: lib/setup.c:3058
 #, c-format
 msgid "Volume %s is not active."
 msgstr "Том %s не є активним."
 
-#: lib/setup.c:3004
+#: lib/setup.c:3069
 #, c-format
 msgid "Volume %s is already suspended."
 msgstr "Том %s вже приспано."
 
-#: lib/setup.c:3017
+#: lib/setup.c:3082
 #, c-format
 msgid "Suspend is not supported for device %s."
 msgstr "Підтримки присипляння для пристрою %s не передбачено."
 
-#: lib/setup.c:3019
+#: lib/setup.c:3084
 #, c-format
 msgid "Error during suspending device %s."
 msgstr "Помилка під час спроби приспати пристрій %s."
 
-#: lib/setup.c:3052 lib/setup.c:3119
+#: lib/setup.c:3117 lib/setup.c:3184 lib/setup.c:3267
 #, c-format
 msgid "Volume %s is not suspended."
 msgstr "Том %s не приспано."
 
-#: lib/setup.c:3081
+#: lib/setup.c:3146
 #, c-format
 msgid "Resume is not supported for device %s."
 msgstr "Підтримки дії з пробудження для пристрою %s не передбачено."
 
-#: lib/setup.c:3083 lib/setup.c:3151
+#: lib/setup.c:3148 lib/setup.c:3216 lib/setup.c:3297
 #, c-format
 msgid "Error during resuming device %s."
 msgstr "Помилка під час спроби пробудити пристрій %s."
 
-#: lib/setup.c:3219 lib/setup.c:3407
+#: lib/setup.c:3282 lib/setup.c:3648 lib/setup.c:4309 lib/setup.c:4322
+#: lib/setup.c:4330 lib/setup.c:4343 lib/setup.c:4693 lib/setup.c:5839
+msgid "Volume key does not match the volume."
+msgstr "Ключ тому не відповідає тому."
+
+#: lib/setup.c:3343 lib/setup.c:3531
 msgid "Cannot add key slot, all slots disabled and no volume key provided."
 msgstr "Не вдалося додати слот ключа, всі слоти вимкнено і не вказано ключа тому."
 
-#: lib/setup.c:3359
+#: lib/setup.c:3483
 msgid "Failed to swap new key slot."
 msgstr "Не вдалося зарезервувати новий слот ключа."
 
-#: lib/setup.c:3524 lib/setup.c:4161 lib/setup.c:4174 lib/setup.c:4182
-#: lib/setup.c:4195 lib/setup.c:4480 lib/setup.c:5593
-msgid "Volume key does not match the volume."
-msgstr "Ключ тому не відповідає тому."
-
-#: lib/setup.c:3545
+#: lib/setup.c:3669
 #, c-format
 msgid "Key slot %d is invalid."
 msgstr "Слот ключа %d є некоректним."
 
-#: lib/setup.c:3551 src/cryptsetup.c:1511 src/cryptsetup.c:1856
+#: lib/setup.c:3675 src/cryptsetup.c:1583 src/cryptsetup.c:1928
 #, c-format
 msgid "Keyslot %d is not active."
 msgstr "Слот ключа %d не є активним."
 
-#: lib/setup.c:3570
+#: lib/setup.c:3694
 msgid "Device header overlaps with data area."
 msgstr "Заголовок пристрою перекривається із областю даних."
 
-#: lib/setup.c:3836
+#: lib/setup.c:3981
 msgid "Reencryption in-progress. Cannot activate device."
 msgstr "Виконуємо повторне шифрування. Не можна активувати пристрій."
 
-#: lib/setup.c:3838 lib/luks2/luks2_json_metadata.c:2244
-#: lib/luks2/luks2_reencrypt.c:2817
+#: lib/setup.c:3983 lib/luks2/luks2_json_metadata.c:2238
+#: lib/luks2/luks2_reencrypt.c:2836
 msgid "Failed to get reencryption lock."
 msgstr "Не вдалося отримати стан блокування для повторного шифрування."
 
-#: lib/setup.c:3851 lib/luks2/luks2_reencrypt.c:2836
+#: lib/setup.c:3996 lib/luks2/luks2_reencrypt.c:2855
 msgid "LUKS2 reencryption recovery failed."
 msgstr "Не вдалося виконати відновлення даних повторного шифрування LUKS2."
 
-#: lib/setup.c:3978 lib/setup.c:4248
-msgid "Device type is not properly initialised."
+#: lib/setup.c:4127 lib/setup.c:4379
+msgid "Device type is not properly initialized."
 msgstr "Тип пристрою не ініціалізовано належним чином."
 
-#: lib/setup.c:4022
+#: lib/setup.c:4171
 #, c-format
 msgid "Cannot use device %s, name is invalid or still in use."
 msgstr "Неможливо скористатися пристроєм %s, некоректна назва або пристрій усе ще використовується."
 
-#: lib/setup.c:4025
+#: lib/setup.c:4174
 #, c-format
 msgid "Device %s already exists."
 msgstr "Пристрій %s вже існує."
 
-#: lib/setup.c:4148
+#: lib/setup.c:4296
 msgid "Incorrect volume key specified for plain device."
 msgstr "Для пристрою зі звичайним шифруванням вказано помилковий ключ тому."
 
-#: lib/setup.c:4214
+#: lib/setup.c:4405
 msgid "Incorrect root hash specified for verity device."
 msgstr "Для пристрою перевірки вказано помилковий кореневий хеш."
 
-#: lib/setup.c:4289 lib/setup.c:4305 lib/luks2/luks2_json_metadata.c:2297
-#: src/cryptsetup.c:2527
+#: lib/setup.c:4412
+msgid "Root hash signature required."
+msgstr "Потрібен хеш-підпис кореневої теки."
+
+#: lib/setup.c:4421
+msgid "Kernel keyring missing: required for passing signature to kernel."
+msgstr "Немає сховища ключів ядра: це сховище потрібне для передавання підпису ядру."
+
+#: lib/setup.c:4438 lib/setup.c:5915
+msgid "Failed to load key in kernel keyring."
+msgstr "Не вдалося завантажити ключ до сховища ключів ядра."
+
+#: lib/setup.c:4491 lib/setup.c:4507 lib/luks2/luks2_json_metadata.c:2291
+#: src/cryptsetup.c:2603
 #, c-format
 msgid "Device %s is still in use."
 msgstr "Пристрій %s все ще використовується."
 
-#: lib/setup.c:4314
+#: lib/setup.c:4516
 #, c-format
 msgid "Invalid device %s."
 msgstr "Некоректний пристрій %s."
 
-#: lib/setup.c:4430
+#: lib/setup.c:4632
 msgid "Volume key buffer too small."
 msgstr "Буфер ключів тому є занадто малим."
 
-#: lib/setup.c:4438
+#: lib/setup.c:4640
 msgid "Cannot retrieve volume key for plain device."
 msgstr "Неможливо отримати ключ тому для пристрою зі звичайним шифруванням."
 
-#: lib/setup.c:4449
+#: lib/setup.c:4657
+msgid "Cannot retrieve root hash for verity device."
+msgstr "Не вдалося отримати кореневий хеш для пристрою VERITY."
+
+#: lib/setup.c:4659
 #, c-format
 msgid "This operation is not supported for %s crypt device."
 msgstr "Підтримки цієї дії для шифрованого пристрою %s не передбачено."
 
-#: lib/setup.c:4636
+#: lib/setup.c:4865
 msgid "Dump operation is not supported for this device type."
 msgstr "Підтримки дії зі створення дампу для цього типу пристроїв не передбачено."
 
-#: lib/setup.c:4947
+#: lib/setup.c:5190
 #, c-format
 msgid "Data offset is not multiple of %u bytes."
 msgstr "Зсув у даних не є кратним до %u байтів."
 
-#: lib/setup.c:5229
+#: lib/setup.c:5475
 #, c-format
 msgid "Cannot convert device %s which is still in use."
 msgstr "Не можна перетворити пристрій %s, який перебуває у користуванні."
 
-#: lib/setup.c:5526
+#: lib/setup.c:5772
 #, c-format
 msgid "Failed to assign keyslot %u as the new volume key."
 msgstr "Не вдалося прив'язати слот ключа %u як новий ключ тому."
 
-#: lib/setup.c:5599
-msgid "Failed to initialise default LUKS2 keyslot parameters."
+#: lib/setup.c:5845
+msgid "Failed to initialize default LUKS2 keyslot parameters."
 msgstr "Не вдалося ініціалізувати типові параметри слоту ключів LUKS2."
 
-#: lib/setup.c:5605
+#: lib/setup.c:5851
 #, c-format
 msgid "Failed to assign keyslot %d to digest."
 msgstr "Не вдалося прив'язати слот ключа %d до контрольної суми."
 
-#: lib/setup.c:5690
-msgid "Failed to load key in kernel keyring."
-msgstr "Не вдалося завантажити ключ до сховища ключів ядра."
-
-#: lib/setup.c:5757
+#: lib/setup.c:5982
 msgid "Kernel keyring is not supported by the kernel."
 msgstr "У ядрі не передбачено підтримки сховища ключів ядра."
 
-#: lib/setup.c:5767 lib/luks2/luks2_reencrypt.c:2933
+#: lib/setup.c:5992 lib/luks2/luks2_reencrypt.c:2952
 #, c-format
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr "Не вдалося прочитати пароль із ключа зі сховища ключів (помилка %d)."
 
-#: lib/setup.c:5791
+#: lib/setup.c:6016
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr "Не вдалося створити загальне блокування серіалізації доступу до пам'яті."
 
-#: lib/utils.c:81
+#: lib/utils.c:80
 msgid "Cannot get process priority."
 msgstr "Не вдалося отримати значення пріоритетності процесу."
 
-#: lib/utils.c:95
+#: lib/utils.c:94
 msgid "Cannot unlock memory."
 msgstr "Не вдалося розблокувати пам’ять."
 
-#: lib/utils.c:169 lib/tcrypt/tcrypt.c:498
+#: lib/utils.c:168 lib/tcrypt/tcrypt.c:497
 msgid "Failed to open key file."
 msgstr "Не вдалося відкрити файл ключа."
 
-#: lib/utils.c:174
+#: lib/utils.c:173
 msgid "Cannot read keyfile from a terminal."
 msgstr "Не вдалося прочитати файл ключа з термінала."
 
-#: lib/utils.c:191
+#: lib/utils.c:190
 msgid "Failed to stat key file."
 msgstr "Не вдалося отримати статистичні дані щодо файла ключа."
 
-#: lib/utils.c:199 lib/utils.c:220
+#: lib/utils.c:198 lib/utils.c:219
 msgid "Cannot seek to requested keyfile offset."
 msgstr "Не вдалося встановити потрібну позицію у файлі ключа."
 
-#: lib/utils.c:214 lib/utils.c:229 src/utils_password.c:188
+#: lib/utils.c:213 lib/utils.c:228 src/utils_password.c:188
 #: src/utils_password.c:201
 msgid "Out of memory while reading passphrase."
 msgstr "Під час читання пароля вичерпано пам’ять."
 
-#: lib/utils.c:249
+#: lib/utils.c:248
 msgid "Error reading passphrase."
 msgstr "Помилка під час читання пароля."
 
-#: lib/utils.c:266
+#: lib/utils.c:265
 msgid "Nothing to read on input."
 msgstr "Нічого читати з вхідних даних."
 
-#: lib/utils.c:273
+#: lib/utils.c:272
 msgid "Maximum keyfile size exceeded."
 msgstr "Перевищено максимальний розмір файла ключа."
 
-#: lib/utils.c:278
+#: lib/utils.c:277
 msgid "Cannot read requested amount of data."
 msgstr "Не вдалося прочитати бажаний об’єм даних."
 
-#: lib/utils_device.c:188 lib/utils_storage_wrappers.c:111
-#: lib/luks1/keyencryption.c:92
+#: lib/utils_device.c:187 lib/utils_storage_wrappers.c:110
+#: lib/luks1/keyencryption.c:91
 #, c-format
-msgid "Device %s doesn't exist or access denied."
+msgid "Device %s does not exist or access denied."
 msgstr "Пристрою %s не існує або доступ до цього пристрою заборонено."
 
-#: lib/utils_device.c:198
+#: lib/utils_device.c:197
 #, c-format
 msgid "Device %s is not compatible."
 msgstr "Пристрій %s є сумісним."
 
-#: lib/utils_device.c:643
+#: lib/utils_device.c:642
 #, c-format
 msgid "Device %s is too small. Need at least %<PRIu64> bytes."
 msgstr "Обсяг пристрою %s є надто малим. Потрібно принаймні %<PRIu64> байтів."
 
-#: lib/utils_device.c:724
+#: lib/utils_device.c:723
 #, c-format
 msgid "Cannot use device %s which is in use (already mapped or mounted)."
 msgstr "Не можна використовувати пристрій %s, оскільки його вже використано (призначено або змонтовано)."
 
-#: lib/utils_device.c:728
+#: lib/utils_device.c:727
 #, c-format
 msgid "Cannot use device %s, permission denied."
 msgstr "Не можна скористатися пристроєм %s, недостатні права доступу."
 
-#: lib/utils_device.c:731
+#: lib/utils_device.c:730
 #, c-format
 msgid "Cannot get info about device %s."
 msgstr "Не вдалося отримати дані щодо пристрою %s."
 
-#: lib/utils_device.c:754
+#: lib/utils_device.c:753
 msgid "Cannot use a loopback device, running as non-root user."
 msgstr "Не можна використовувати петльовий пристрій, програму запущено не від імені адміністративного користувача (root)."
 
-#: lib/utils_device.c:764
+#: lib/utils_device.c:763
 msgid "Attaching loopback device failed (loop device with autoclear flag is required)."
 msgstr "Спроба долучення петльового пристрою зазнала невдачі (потрібен петльовий пристрій з встановленим прапорцем автоматичного спорожнення)."
 
-#: lib/utils_device.c:810
+#: lib/utils_device.c:809
 #, c-format
 msgid "Requested offset is beyond real size of device %s."
 msgstr "Бажана точка відступу перебуває за межами об’єму пристрою %s."
 
-#: lib/utils_device.c:818
+#: lib/utils_device.c:817
 #, c-format
 msgid "Device %s has zero size."
 msgstr "Об’єм пристрою %s є нульовим."
@@ -693,32 +710,32 @@
 msgid "Not compatible PBKDF options."
 msgstr "Несумісні параметри PBKDF."
 
-#: lib/utils_device_locking.c:103
+#: lib/utils_device_locking.c:102
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (not a directory or missing)."
 msgstr "Блокування перервано. Шлях блокування %s/%s є непридатним для користування (не є каталогом або його не вказано)."
 
-#: lib/utils_device_locking.c:110
+#: lib/utils_device_locking.c:109
 #, c-format
 msgid "WARNING: Locking directory %s/%s is missing!\n"
 msgstr "ПОПЕРЕДЖЕННЯ: не вистачає блокування каталогу %s/%s!\n"
 
-#: lib/utils_device_locking.c:120
+#: lib/utils_device_locking.c:119
 #, c-format
 msgid "Locking aborted. The locking path %s/%s is unusable (%s is not a directory)."
 msgstr "Блокування перервано Шлях блокування %s/%s є непридатним для користування (%s не є каталогом)."
 
-#: lib/utils_wipe.c:185 src/cryptsetup_reencrypt.c:933
-#: src/cryptsetup_reencrypt.c:1017
+#: lib/utils_wipe.c:184 src/cryptsetup_reencrypt.c:934
+#: src/cryptsetup_reencrypt.c:1018
 msgid "Cannot seek to device offset."
 msgstr "Не вдалося встановити вказану позицію на пристрої."
 
-#: lib/utils_wipe.c:209
+#: lib/utils_wipe.c:208
 #, c-format
 msgid "Device wipe error, offset %<PRIu64>."
 msgstr "Помилка витирання пристрою, зсув %<PRIu64>."
 
-#: lib/luks1/keyencryption.c:40
+#: lib/luks1/keyencryption.c:39
 #, c-format
 msgid ""
 "Failed to setup dm-crypt key mapping for device %s.\n"
@@ -727,120 +744,120 @@
 "Не вдалося визначити призначення ключа dm-crypt для пристрою %s.\n"
 "Перевірте, чи передбачено у ядрі підтримку шифрування %s (докладніші дані можна знайти у журналі системи (syslog))."
 
-#: lib/luks1/keyencryption.c:45
+#: lib/luks1/keyencryption.c:44
 msgid "Key size in XTS mode must be 256 or 512 bits."
 msgstr "Розмір ключа у режимі XTS має бути рівним 256 або 512 бітів."
 
-#: lib/luks1/keyencryption.c:47
+#: lib/luks1/keyencryption.c:46
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr "Специфікацію шифрування слід вказувати так: [алгоритм]-[режим]-[iv]."
 
-#: lib/luks1/keyencryption.c:98 lib/luks1/keymanage.c:345
-#: lib/luks1/keymanage.c:636 lib/luks1/keymanage.c:1074
-#: lib/luks2/luks2_json_metadata.c:1253 lib/luks2/luks2_keyslot.c:739
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:344
+#: lib/luks1/keymanage.c:635 lib/luks1/keymanage.c:1080
+#: lib/luks2/luks2_json_metadata.c:1252 lib/luks2/luks2_keyslot.c:734
 #, c-format
 msgid "Cannot write to device %s, permission denied."
 msgstr "Не вдалося виконати запис на пристрій %s, недостатні права доступу."
 
-#: lib/luks1/keyencryption.c:121
+#: lib/luks1/keyencryption.c:120
 msgid "Failed to open temporary keystore device."
 msgstr "Не вдалося відкрити пристрій тимчасового сховища ключів."
 
-#: lib/luks1/keyencryption.c:128
+#: lib/luks1/keyencryption.c:127
 msgid "Failed to access temporary keystore device."
 msgstr "Не вдалося отримати доступ до пристрою тимчасового сховища ключів."
 
-#: lib/luks1/keyencryption.c:201 lib/luks2/luks2_keyslot_luks2.c:60
+#: lib/luks1/keyencryption.c:200 lib/luks2/luks2_keyslot_luks2.c:60
 #: lib/luks2/luks2_keyslot_luks2.c:78 lib/luks2/luks2_keyslot_reenc.c:134
 msgid "IO error while encrypting keyslot."
 msgstr "Помилка введення-виведення під час шифрування слоту ключів."
 
-#: lib/luks1/keyencryption.c:247 lib/luks1/keymanage.c:348
-#: lib/luks1/keymanage.c:589 lib/luks1/keymanage.c:639 lib/tcrypt/tcrypt.c:661
-#: lib/verity/verity.c:81 lib/verity/verity.c:179 lib/verity/verity_hash.c:308
-#: lib/verity/verity_hash.c:319 lib/verity/verity_hash.c:339
-#: lib/verity/verity_fec.c:242 lib/verity/verity_fec.c:254
-#: lib/verity/verity_fec.c:259 lib/luks2/luks2_json_metadata.c:1256
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:588 lib/luks1/keymanage.c:638 lib/tcrypt/tcrypt.c:672
+#: lib/verity/verity.c:80 lib/verity/verity.c:178 lib/verity/verity_hash.c:311
+#: lib/verity/verity_hash.c:322 lib/verity/verity_hash.c:342
+#: lib/verity/verity_fec.c:241 lib/verity/verity_fec.c:253
+#: lib/verity/verity_fec.c:258 lib/luks2/luks2_json_metadata.c:1255
 #: src/cryptsetup_reencrypt.c:205
 #, c-format
 msgid "Cannot open device %s."
 msgstr "Не вдалося відкрити пристрій %s."
 
-#: lib/luks1/keyencryption.c:258 lib/luks2/luks2_keyslot_luks2.c:137
+#: lib/luks1/keyencryption.c:257 lib/luks2/luks2_keyslot_luks2.c:137
 msgid "IO error while decrypting keyslot."
 msgstr "Помилка введення-виведення під час розшифрування слоту ключів."
 
-#: lib/luks1/keymanage.c:111
+#: lib/luks1/keymanage.c:110
 #, c-format
 msgid "Device %s is too small. (LUKS1 requires at least %<PRIu64> bytes.)"
 msgstr "Обсяг пристрою %s є надто малим. (LUKS1 потрібно принаймні %<PRIu64> байтів.)"
 
-#: lib/luks1/keymanage.c:132 lib/luks1/keymanage.c:140
-#: lib/luks1/keymanage.c:152 lib/luks1/keymanage.c:163
-#: lib/luks1/keymanage.c:175
+#: lib/luks1/keymanage.c:131 lib/luks1/keymanage.c:139
+#: lib/luks1/keymanage.c:151 lib/luks1/keymanage.c:162
+#: lib/luks1/keymanage.c:174
 #, c-format
 msgid "LUKS keyslot %u is invalid."
 msgstr "Слот ключа LUKS %u є некоректним."
 
-#: lib/luks1/keymanage.c:229 lib/luks1/keymanage.c:473
-#: lib/luks2/luks2_json_metadata.c:1084 src/cryptsetup.c:1372
-#: src/cryptsetup.c:1498 src/cryptsetup.c:1555 src/cryptsetup.c:1611
-#: src/cryptsetup.c:1678 src/cryptsetup.c:1781 src/cryptsetup.c:1845
-#: src/cryptsetup.c:2005 src/cryptsetup.c:2194 src/cryptsetup.c:2254
-#: src/cryptsetup.c:2320 src/cryptsetup.c:2484 src/cryptsetup.c:3134
-#: src/cryptsetup.c:3143 src/cryptsetup_reencrypt.c:1372
+#: lib/luks1/keymanage.c:228 lib/luks1/keymanage.c:472
+#: lib/luks2/luks2_json_metadata.c:1083 src/cryptsetup.c:1444
+#: src/cryptsetup.c:1570 src/cryptsetup.c:1627 src/cryptsetup.c:1683
+#: src/cryptsetup.c:1750 src/cryptsetup.c:1853 src/cryptsetup.c:1917
+#: src/cryptsetup.c:2077 src/cryptsetup.c:2270 src/cryptsetup.c:2330
+#: src/cryptsetup.c:2396 src/cryptsetup.c:2560 src/cryptsetup.c:3210
+#: src/cryptsetup.c:3219 src/cryptsetup_reencrypt.c:1381
 #, c-format
 msgid "Device %s is not a valid LUKS device."
 msgstr "Пристрій %s не є коректним пристроєм LUKS."
 
-#: lib/luks1/keymanage.c:247 lib/luks2/luks2_json_metadata.c:1101
+#: lib/luks1/keymanage.c:246 lib/luks2/luks2_json_metadata.c:1100
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr "Потрібний вам файл резервної копії заголовка, %s, вже існує."
 
-#: lib/luks1/keymanage.c:249 lib/luks2/luks2_json_metadata.c:1103
+#: lib/luks1/keymanage.c:248 lib/luks2/luks2_json_metadata.c:1102
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr "Не вдалося створити файл резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:256 lib/luks2/luks2_json_metadata.c:1110
+#: lib/luks1/keymanage.c:255 lib/luks2/luks2_json_metadata.c:1109
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr "Не вдалося записати файл резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:287 lib/luks2/luks2_json_metadata.c:1162
-msgid "Backup file doesn't contain valid LUKS header."
+#: lib/luks1/keymanage.c:286 lib/luks2/luks2_json_metadata.c:1161
+msgid "Backup file does not contain valid LUKS header."
 msgstr "Файл резервної копії не містить коректного заголовка LUKS."
 
-#: lib/luks1/keymanage.c:300 lib/luks1/keymanage.c:550
-#: lib/luks2/luks2_json_metadata.c:1183
+#: lib/luks1/keymanage.c:299 lib/luks1/keymanage.c:549
+#: lib/luks2/luks2_json_metadata.c:1182
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr "Не вдалося відкрити файл резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:308 lib/luks2/luks2_json_metadata.c:1191
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1190
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr "Не вдалося прочитати дані з файла резервної копії заголовка, %s."
 
-#: lib/luks1/keymanage.c:318
+#: lib/luks1/keymanage.c:317
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr "Відступ у даних або розмір ключа на пристрої і у резервній копії є різними. Відновлення неможливе."
 
-#: lib/luks1/keymanage.c:326
+#: lib/luks1/keymanage.c:325
 #, c-format
 msgid "Device %s %s%s"
 msgstr "Пристрій %s %s%s"
 
-#: lib/luks1/keymanage.c:327
+#: lib/luks1/keymanage.c:326
 msgid "does not contain LUKS header. Replacing header can destroy data on that device."
 msgstr "не містить заголовка LUKS. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої."
 
-#: lib/luks1/keymanage.c:328
+#: lib/luks1/keymanage.c:327
 msgid "already contains LUKS header. Replacing header will destroy existing keyslots."
 msgstr "вже містить заголовок LUKS. Заміна заголовка призведе до руйнування вже створених слотів ключів."
 
-#: lib/luks1/keymanage.c:329 lib/luks2/luks2_json_metadata.c:1225
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1224
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
@@ -848,100 +865,105 @@
 "\n"
 "ПОПЕРЕДЖЕННЯ: заголовок, що зберігається на пристрої, має інший UUID, ніж заголовок у резервній копії!"
 
-#: lib/luks1/keymanage.c:376
+#: lib/luks1/keymanage.c:375
 msgid "Non standard key size, manual repair required."
 msgstr "Нестандартний розмір ключа, слід виправити дані вручну."
 
-#: lib/luks1/keymanage.c:381
+#: lib/luks1/keymanage.c:380
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr "Нестандартне вирівнювання слотів ключів, слід виправити дані вручну."
 
-#: lib/luks1/keymanage.c:391
+#: lib/luks1/keymanage.c:390
 msgid "Repairing keyslots."
 msgstr "Виправлення слотів ключів."
 
-#: lib/luks1/keymanage.c:410
+#: lib/luks1/keymanage.c:409
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr "Слот ключа %i: виправлено відступ (%u -> %u)."
 
-#: lib/luks1/keymanage.c:418
+#: lib/luks1/keymanage.c:417
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr "Слот ключа %i: виправлено смужки (%u -> %u)."
 
-#: lib/luks1/keymanage.c:427
+#: lib/luks1/keymanage.c:426
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr "Слот ключа %i: зайвий підпис розділу."
 
-#: lib/luks1/keymanage.c:432
+#: lib/luks1/keymanage.c:431
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr "Слот ключа %i: дані ініціалізації (сіль) витерто."
 
-#: lib/luks1/keymanage.c:449
+#: lib/luks1/keymanage.c:448
 msgid "Writing LUKS header to disk."
 msgstr "Запис заголовка LUKS на диск."
 
-#: lib/luks1/keymanage.c:454
+#: lib/luks1/keymanage.c:453
 msgid "Repair failed."
 msgstr "Спроба виправлення зазнала невдачі."
 
-#: lib/luks1/keymanage.c:482 lib/luks1/keymanage.c:751
+#: lib/luks1/keymanage.c:481 lib/luks1/keymanage.c:750
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr "Підтримки бажаного хешування LUKS, %s, не передбачено."
 
-#: lib/luks1/keymanage.c:510 src/cryptsetup.c:1081
+#: lib/luks1/keymanage.c:509 src/cryptsetup.c:1144
 msgid "No known problems detected for LUKS header."
 msgstr "У заголовку LUKS не виявлено жодних проблем."
 
-#: lib/luks1/keymanage.c:661
+#: lib/luks1/keymanage.c:660
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr "Помилка під час оновлення заголовка LUKS на пристрої %s."
 
-#: lib/luks1/keymanage.c:669
+#: lib/luks1/keymanage.c:668
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr "Помилка під час спроби повторного читання заголовка LUKS після оновлення на пристрої %s."
 
-#: lib/luks1/keymanage.c:745
+#: lib/luks1/keymanage.c:744
 msgid "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr "Відступ даних для заголовка LUKS має бути або рівним нулеві, або перевищувати розмір заголовка."
 
-#: lib/luks1/keymanage.c:756 lib/luks1/keymanage.c:821
-#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1002
-#: src/cryptsetup.c:2647
+#: lib/luks1/keymanage.c:755 lib/luks1/keymanage.c:825
+#: lib/luks2/luks2_json_format.c:283 lib/luks2/luks2_json_metadata.c:1001
+#: src/cryptsetup.c:2723
 msgid "Wrong LUKS UUID format provided."
 msgstr "Вказано UUID LUKS у помилковому форматі."
 
-#: lib/luks1/keymanage.c:779
+#: lib/luks1/keymanage.c:778
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr "Не вдалося створити заголовок LUKS: помилка читання випадкових даних для ініціалізації."
 
-#: lib/luks1/keymanage.c:800
+#: lib/luks1/keymanage.c:804
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr "Не вдалося створити заголовок LUKS: помилка під час обчислення контрольної суми заголовка (з використанням хешу %s)."
 
-#: lib/luks1/keymanage.c:844
+#: lib/luks1/keymanage.c:848
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr "Слот ключа %d є активним. Його слід спочатку спорожнити."
 
-#: lib/luks1/keymanage.c:850
+#: lib/luks1/keymanage.c:854
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr "Ентропія даних слота ключа %d є надто низькою. Маніпуляції з заголовком?"
 
-#: lib/luks1/keymanage.c:1060
+#: lib/luks1/keymanage.c:990
+#, c-format
+msgid "Cannot open keyslot (using hash %s)."
+msgstr "Не вдалося відкрити слот ключа (за допомогою хешу %s)."
+
+#: lib/luks1/keymanage.c:1066
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr "Слот ключа %d є некоректним, будь ласка, виберіть слот ключа з номером від 0 до %d."
 
-#: lib/luks1/keymanage.c:1078 lib/luks2/luks2_keyslot.c:743
+#: lib/luks1/keymanage.c:1084 lib/luks2/luks2_keyslot.c:738
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr "Не вдалося витерти пристрій %s."
@@ -959,97 +981,189 @@
 msgstr "Виявлено несумісний з loop-AES файл ключа."
 
 #: lib/loopaes/loopaes.c:245
-msgid "Kernel doesn't support loop-AES compatible mapping."
+msgid "Kernel does not support loop-AES compatible mapping."
 msgstr "У ядрі не передбачено підтримки призначення, сумісного з loop-AES."
 
-#: lib/tcrypt/tcrypt.c:505
+#: lib/tcrypt/tcrypt.c:504
 #, c-format
 msgid "Error reading keyfile %s."
 msgstr "Помилка під час спроби читання файла ключа %s."
 
-#: lib/tcrypt/tcrypt.c:545
+#: lib/tcrypt/tcrypt.c:556
 #, c-format
-msgid "Maximum TCRYPT passphrase length (%d) exceeded."
-msgstr "Перевищено максимальну можливу довжину пароля TCRYPT (%d)."
+msgid "Maximum TCRYPT passphrase length (%zu) exceeded."
+msgstr "Перевищено максимальну можливу довжину пароля TCRYPT (%zu)."
 
-#: lib/tcrypt/tcrypt.c:586
+#: lib/tcrypt/tcrypt.c:597
 #, c-format
 msgid "PBKDF2 hash algorithm %s not available, skipping."
 msgstr "Засіб створення хешів PBKDF2 за алгоритмом %s недоступний, пропускаємо."
 
-#: lib/tcrypt/tcrypt.c:602 src/cryptsetup.c:959
+#: lib/tcrypt/tcrypt.c:613 src/cryptsetup.c:1021
 msgid "Required kernel crypto interface not available."
 msgstr "Потрібний для роботи інтерфейс ядра для шифрування недоступний."
 
-#: lib/tcrypt/tcrypt.c:604 src/cryptsetup.c:961
+#: lib/tcrypt/tcrypt.c:615 src/cryptsetup.c:1023
 msgid "Ensure you have algif_skcipher kernel module loaded."
 msgstr "Переконайтеся, що завантажено модуль ядра algif_skcipher."
 
-#: lib/tcrypt/tcrypt.c:744
+#: lib/tcrypt/tcrypt.c:755
 #, c-format
 msgid "Activation is not supported for %d sector size."
 msgstr "Підтримки активації для розміру сектора %d не передбачено."
 
-#: lib/tcrypt/tcrypt.c:750
-msgid "Kernel doesn't support activation for this TCRYPT legacy mode."
+#: lib/tcrypt/tcrypt.c:761
+msgid "Kernel does not support activation for this TCRYPT legacy mode."
 msgstr "У ядрі не передбачено підтримки вмикання цього застарілого режиму TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:784
+#: lib/tcrypt/tcrypt.c:795
 #, c-format
 msgid "Activating TCRYPT system encryption for partition %s."
 msgstr "Активуємо шифрування системи за допомогою TCRYPT для розділу %s."
 
-#: lib/tcrypt/tcrypt.c:862
-msgid "Kernel doesn't support TCRYPT compatible mapping."
+#: lib/tcrypt/tcrypt.c:873
+msgid "Kernel does not support TCRYPT compatible mapping."
 msgstr "У ядрі не передбачено підтримки призначення, сумісного з TCRYPT."
 
-#: lib/tcrypt/tcrypt.c:1084
+#: lib/tcrypt/tcrypt.c:1095
 msgid "This function is not supported without TCRYPT header load."
 msgstr "Підтримки цієї дії без завантаження заголовка TCRYPT."
 
-#: lib/verity/verity.c:69 lib/verity/verity.c:172
+#: lib/bitlk/bitlk.c:332
+#, c-format
+msgid "Unexpected metadata entry type '%u' found when parsing supported Volume Master Key."
+msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуваний тип запису метаданих «%u»."
+
+#: lib/bitlk/bitlk.c:379
+msgid "Invalid string found when parsing Volume Master Key."
+msgstr "Під час обробки основного ключа тому виявлено некоректний рядок."
+
+#: lib/bitlk/bitlk.c:384
+#, c-format
+msgid "Unexpected string ('%s') found when parsing supported Volume Master Key."
+msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуваний рядок («%s»)."
+
+#: lib/bitlk/bitlk.c:398
 #, c-format
-msgid "Verity device %s doesn't use on-disk header."
+msgid "Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."
+msgstr "Під час обробки підтримуваного основного ключа тому виявлено неочікуване значення запису метаданих «%u»."
+
+#: lib/bitlk/bitlk.c:477
+#, c-format
+msgid "Failed to read BITLK signature from %s."
+msgstr "Не вдалося прочитати підпис BITLK з %s."
+
+#: lib/bitlk/bitlk.c:483
+msgid "BITLK version 1 is currently not supported."
+msgstr "Підтримки BITLK версії 1 у поточній версії не передбачено."
+
+#: lib/bitlk/bitlk.c:489
+msgid "Invalid or unknown boot signature for BITLK device."
+msgstr "Некоректний або невідомий підпис завантаження для пристрою BITLK."
+
+#: lib/bitlk/bitlk.c:501
+msgid "Invalid or unknown signature for BITLK device."
+msgstr "Некоректний або невідомий підпис для пристрою BITLK."
+
+#: lib/bitlk/bitlk.c:509
+#, c-format
+msgid "Failed to read BITLK header from %s."
+msgstr "Не вдалося прочитати заголовок BITLK з %s."
+
+#: lib/bitlk/bitlk.c:534
+#, c-format
+msgid "Failed to read BITLK FVE metadata from %s."
+msgstr "Не вдалося прочитати метадані FVE BITLK з %s."
+
+#: lib/bitlk/bitlk.c:585
+msgid "Unknown or unsupported encryption type."
+msgstr "Невідомий або непідтримуваний тип шифрування."
+
+#: lib/bitlk/bitlk.c:618
+#, c-format
+msgid "Failed to read BITLK metadata entries from %s."
+msgstr "Не вдалося прочитати записи метаданих BITLK з %s."
+
+#: lib/bitlk/bitlk.c:911
+msgid "This operation is not supported."
+msgstr "Підтримки цієї дії не передбачено."
+
+#: lib/bitlk/bitlk.c:919
+msgid "Wrong key size."
+msgstr "Помилковий розмір ключа."
+
+#: lib/bitlk/bitlk.c:971
+msgid "This BITLK device is in an unsupported state and cannot be activated."
+msgstr "Цей пристрій BITLK перебуває у непідтримуваному стані — його неможливо активувати."
+
+#: lib/bitlk/bitlk.c:977
+#, c-format
+msgid "BITLK devices with type '%s' cannot be activated."
+msgstr "Пристрої BITLK типу «%s» неможливо активувати."
+
+#: lib/bitlk/bitlk.c:1059
+msgid "Activation of partially decrypted BITLK device is not supported."
+msgstr "Активації частково розшифрованого пристрою BITLK не передбачено."
+
+#: lib/bitlk/bitlk.c:1192
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK IV."
+msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки BITLK IV."
+
+#: lib/bitlk/bitlk.c:1196
+msgid "Cannot activate device, kernel dm-crypt is missing support for BITLK Elephant diffuser."
+msgstr "Не вдалося активувати пристрій — у dm-crypt ядра немає підтримки дифузера Elephant BITLK."
+
+#: lib/verity/verity.c:68 lib/verity/verity.c:171
+#, c-format
+msgid "Verity device %s does not use on-disk header."
 msgstr "На пристрої VERITY %s не використовується вбудований заголовок."
 
-#: lib/verity/verity.c:91
+#: lib/verity/verity.c:90
 #, c-format
 msgid "Device %s is not a valid VERITY device."
 msgstr "Пристрій %s не є коректним пристроєм VERITY."
 
-#: lib/verity/verity.c:98
+#: lib/verity/verity.c:97
 #, c-format
 msgid "Unsupported VERITY version %d."
 msgstr "Непідтримувана версія VERITY, %d."
 
-#: lib/verity/verity.c:129
+#: lib/verity/verity.c:128
 msgid "VERITY header corrupted."
 msgstr "Пошкоджено заголовок VERITY."
 
-#: lib/verity/verity.c:166
+#: lib/verity/verity.c:165
 #, c-format
 msgid "Wrong VERITY UUID format provided on device %s."
 msgstr "На пристрої %s вказано UUID VERITY у помилковому форматі."
 
-#: lib/verity/verity.c:199
+#: lib/verity/verity.c:198
 #, c-format
 msgid "Error during update of verity header on device %s."
 msgstr "Помилка під час оновлення заголовка verity на пристрої %s."
 
-#: lib/verity/verity.c:262
+#: lib/verity/verity.c:256
+msgid "Root hash signature verification is not supported."
+msgstr "Підтримки перевірки підпису кореневого хешу не передбачено."
+
+#: lib/verity/verity.c:267
 msgid "Errors cannot be repaired with FEC device."
 msgstr "Помилки не може бути виправлено за допомогою пристрою FEC."
 
-#: lib/verity/verity.c:264
+#: lib/verity/verity.c:269
 #, c-format
 msgid "Found %u repairable errors with FEC device."
 msgstr "За допомогою пристрою FEC виявлено %u придатних до виправлення помилок."
 
-#: lib/verity/verity.c:302
-msgid "Kernel doesn't support dm-verity mapping."
-msgstr "У ядрі не передбачено підтримки призначення за dm-verity."
+#: lib/verity/verity.c:308
+msgid "Kernel does not support dm-verity mapping."
+msgstr "У ядрі не передбачено підтримки прив'язки dm-verity."
+
+#: lib/verity/verity.c:312
+msgid "Kernel does not support dm-verity signature option."
+msgstr "У ядрі не передбачено підтримки параметра підпису dm-verity."
 
-#: lib/verity/verity.c:313
+#: lib/verity/verity.c:323
 msgid "Verity device detected corruption after activation."
 msgstr "Виявлено пошкодження даних на пристрої перевірки після активації."
 
@@ -1058,92 +1172,96 @@
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr "Резервну область не занулено у позиції %<PRIu64>."
 
-#: lib/verity/verity_hash.c:160 lib/verity/verity_hash.c:287
-#: lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:163 lib/verity/verity_hash.c:290
+#: lib/verity/verity_hash.c:303
 msgid "Device offset overflow."
 msgstr "Переповнення відступу на пристрої."
 
-#: lib/verity/verity_hash.c:200
+#: lib/verity/verity_hash.c:203
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
 msgstr "Помилка під час перевірки за позицією %<PRIu64>."
 
-#: lib/verity/verity_hash.c:273
+#: lib/verity/verity_hash.c:276
 msgid "Invalid size parameters for verity device."
 msgstr "Некоректні параметри розміру для пристрою перевірки."
 
-#: lib/verity/verity_hash.c:293
+#: lib/verity/verity_hash.c:296
 msgid "Hash area overflow."
 msgstr "Переповнення області хешу."
 
-#: lib/verity/verity_hash.c:370
+#: lib/verity/verity_hash.c:373
 msgid "Verification of data area failed."
 msgstr "Не вдалося перевірити область даних."
 
-#: lib/verity/verity_hash.c:375
+#: lib/verity/verity_hash.c:378
 msgid "Verification of root hash failed."
 msgstr "Не вдалося перевірити кореневий хеш."
 
-#: lib/verity/verity_hash.c:381
+#: lib/verity/verity_hash.c:384
 msgid "Input/output error while creating hash area."
 msgstr "Під час створення області хешу сталася помилка введення або виведення даних."
 
-#: lib/verity/verity_hash.c:383
+#: lib/verity/verity_hash.c:386
 msgid "Creation of hash area failed."
 msgstr "Не вдалося створити область хешу."
 
-#: lib/verity/verity_hash.c:430
+#: lib/verity/verity_hash.c:433
 #, c-format
 msgid "WARNING: Kernel cannot activate device if data block size exceeds page size (%u)."
 msgstr "Попередження: ядро не зможе задіяти пристрій, якщо розмір блоку перевищуватиме розмір сторінки (%u)."
 
-#: lib/verity/verity_fec.c:132
+#: lib/verity/verity_fec.c:131
 msgid "Failed to allocate RS context."
 msgstr "Не вдалося розмістити контекст RS."
 
-#: lib/verity/verity_fec.c:147
+#: lib/verity/verity_fec.c:146
 msgid "Failed to allocate buffer."
 msgstr "Не вдалося розмістити у пам'яті буфер."
 
-#: lib/verity/verity_fec.c:157
+#: lib/verity/verity_fec.c:156
 #, c-format
 msgid "Failed to read RS block %<PRIu64> byte %d."
 msgstr "Не вдалося прочитати блок RS %<PRIu64>, байт %d."
 
-#: lib/verity/verity_fec.c:170
+#: lib/verity/verity_fec.c:169
 #, c-format
 msgid "Failed to read parity for RS block %<PRIu64>."
 msgstr "Не вдалося прочитати парність для блоку RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:178
+#: lib/verity/verity_fec.c:177
 #, c-format
 msgid "Failed to repair parity for block %<PRIu64>."
 msgstr "Не вдалося відновити парність для блоку %<PRIu64>."
 
-#: lib/verity/verity_fec.c:189
+#: lib/verity/verity_fec.c:188
 #, c-format
 msgid "Failed to write parity for RS block %<PRIu64>."
 msgstr "Не вдалося прочитати парність для блоку RS %<PRIu64>."
 
-#: lib/verity/verity_fec.c:224
+#: lib/verity/verity_fec.c:223
 msgid "Block sizes must match for FEC."
 msgstr "Розміри блоків для FEC мають бути однаковими."
 
-#: lib/verity/verity_fec.c:230
+#: lib/verity/verity_fec.c:229
 msgid "Invalid number of parity bytes."
 msgstr "Некоректна кількість байтів парності."
 
-#: lib/verity/verity_fec.c:266
+#: lib/verity/verity_fec.c:265
 #, c-format
 msgid "Failed to determine size for device %s."
 msgstr "Не вдалося визначити розмір для пристрою %s."
 
-#: lib/integrity/integrity.c:241 lib/integrity/integrity.c:306
-msgid "Kernel doesn't support dm-integrity mapping."
+#: lib/integrity/integrity.c:271 lib/integrity/integrity.c:343
+msgid "Kernel does not support dm-integrity mapping."
 msgstr "У ядрі не передбачено підтримки прив'язки dm-integrity."
 
+#: lib/integrity/integrity.c:277
+msgid "Kernel does not support dm-integrity fixed metadata alignment."
+msgstr "У ядрі не передбачено підтримки вирівнювання фіксованих метаданих dm-integrity."
+
 #: lib/luks2/luks2_disk_metadata.c:383 lib/luks2/luks2_json_metadata.c:959
-#: lib/luks2/luks2_json_metadata.c:1245
+#: lib/luks2/luks2_json_metadata.c:1244
 #, c-format
 msgid "Failed to acquire write lock on device %s."
 msgstr "Не вдалося отримати блокування запису на пристрої %s."
@@ -1169,40 +1287,40 @@
 msgid "WARNING: keyslots area (%<PRIu64> bytes) is very small, available LUKS2 keyslot count is very limited.\n"
 msgstr "Увага: область слоту ключів є надто малою (%<PRIu64> байтів), доступна кількість слотів ключів LUKS2 буде дуже обмеженою.\n"
 
-#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1075
-#: lib/luks2/luks2_json_metadata.c:1151 lib/luks2/luks2_keyslot_luks2.c:92
+#: lib/luks2/luks2_json_metadata.c:946 lib/luks2/luks2_json_metadata.c:1074
+#: lib/luks2/luks2_json_metadata.c:1150 lib/luks2/luks2_keyslot_luks2.c:92
 #: lib/luks2/luks2_keyslot_luks2.c:114
 #, c-format
 msgid "Failed to acquire read lock on device %s."
 msgstr "Не вдалося отримати блокування читання на пристрої %s."
 
-#: lib/luks2/luks2_json_metadata.c:1168
+#: lib/luks2/luks2_json_metadata.c:1167
 #, c-format
 msgid "Forbidden LUKS2 requirements detected in backup %s."
 msgstr "У резервній копії %s виявлено заборонені вимоги щодо LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:1209
+#: lib/luks2/luks2_json_metadata.c:1208
 msgid "Data offset differ on device and backup, restore failed."
 msgstr "Зсуви даних на пристрої і на резервній копії різняться, не вдалося відновити."
 
-#: lib/luks2/luks2_json_metadata.c:1215
+#: lib/luks2/luks2_json_metadata.c:1214
 msgid "Binary header with keyslot areas size differ on device and backup, restore failed."
 msgstr "Двійкові заголовки із розмірами областей слотів ключів на пристрої і у резервній копії різняться, не вдалося відновити копію."
 
-#: lib/luks2/luks2_json_metadata.c:1222
+#: lib/luks2/luks2_json_metadata.c:1221
 #, c-format
 msgid "Device %s %s%s%s%s"
 msgstr "Пристрій %s %s%s%s%s"
 
-#: lib/luks2/luks2_json_metadata.c:1223
+#: lib/luks2/luks2_json_metadata.c:1222
 msgid "does not contain LUKS2 header. Replacing header can destroy data on that device."
 msgstr "не містить заголовка LUKS2. Заміна заголовка може зруйнувати дані, що зберігаються на пристрої."
 
-#: lib/luks2/luks2_json_metadata.c:1224
+#: lib/luks2/luks2_json_metadata.c:1223
 msgid "already contains LUKS2 header. Replacing header will destroy existing keyslots."
 msgstr "вже містить заголовок LUKS2. Заміна заголовка призведе до руйнування вже створених слотів ключів."
 
-#: lib/luks2/luks2_json_metadata.c:1226
+#: lib/luks2/luks2_json_metadata.c:1225
 msgid ""
 "\n"
 "WARNING: unknown LUKS2 requirements detected in real device header!\n"
@@ -1212,7 +1330,7 @@
 "ПОПЕРЕДЖЕННЯ: виявлено невідомі вимоги LUKS2 у справжньому заголовку пристрою!\n"
 "Заміна заголовка резервною копією може пошкодити дані на пристрої!"
 
-#: lib/luks2/luks2_json_metadata.c:1228
+#: lib/luks2/luks2_json_metadata.c:1227
 msgid ""
 "\n"
 "WARNING: Unfinished offline reencryption detected on the device!\n"
@@ -1222,58 +1340,58 @@
 "ПОПЕРЕДЖЕННЯ: на пристрої виявлено дані незавершеного повторного шифрування!\n"
 "Заміна заголовка заголовком із резервної копії може пошкодити дані."
 
-#: lib/luks2/luks2_json_metadata.c:1324
+#: lib/luks2/luks2_json_metadata.c:1323
 #, c-format
 msgid "Ignored unknown flag %s."
 msgstr "Проігноровано невідомий прапорець %s."
 
-#: lib/luks2/luks2_json_metadata.c:2011 lib/luks2/luks2_reencrypt.c:1746
+#: lib/luks2/luks2_json_metadata.c:2010 lib/luks2/luks2_reencrypt.c:1746
 #, c-format
 msgid "Missing key for dm-crypt segment %u"
 msgstr "Не вистачає ключа для сегмента dm-crypt %u"
 
-#: lib/luks2/luks2_json_metadata.c:2023 lib/luks2/luks2_reencrypt.c:1764
+#: lib/luks2/luks2_json_metadata.c:2022 lib/luks2/luks2_reencrypt.c:1764
 msgid "Failed to set dm-crypt segment."
 msgstr "Не вдалося встановити сегмент dm-crypt."
 
-#: lib/luks2/luks2_json_metadata.c:2029 lib/luks2/luks2_reencrypt.c:1770
+#: lib/luks2/luks2_json_metadata.c:2028 lib/luks2/luks2_reencrypt.c:1770
 msgid "Failed to set dm-linear segment."
 msgstr "Не вдалося встановити сегмент dm-linear."
 
-#: lib/luks2/luks2_json_metadata.c:2156
+#: lib/luks2/luks2_json_metadata.c:2155
 msgid "Unsupported device integrity configuration."
 msgstr "Непідтримувані налаштування цілісності даних на пристрої."
 
-#: lib/luks2/luks2_json_metadata.c:2242
+#: lib/luks2/luks2_json_metadata.c:2236
 msgid "Reencryption in-progress. Cannot deactivate device."
 msgstr "Виконуємо повторне шифрування. Не можна деактивувати пристрій."
 
-#: lib/luks2/luks2_json_metadata.c:2253 lib/luks2/luks2_reencrypt.c:3171
+#: lib/luks2/luks2_json_metadata.c:2247 lib/luks2/luks2_reencrypt.c:3190
 #, c-format
 msgid "Failed to replace suspended device %s with dm-error target."
 msgstr "Не вдалося замінити пристрій %s, роботу якого призупинено, ціллю dm-error."
 
-#: lib/luks2/luks2_json_metadata.c:2333
+#: lib/luks2/luks2_json_metadata.c:2327
 msgid "Failed to read LUKS2 requirements."
 msgstr "Не вдалося прочитати вимоги LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2340
+#: lib/luks2/luks2_json_metadata.c:2334
 msgid "Unmet LUKS2 requirements detected."
 msgstr "Виявлено невідповідність вимог LUKS2."
 
-#: lib/luks2/luks2_json_metadata.c:2348
-msgid "Offline reencryption in progress. Aborting."
-msgstr "Виконується повторне шифрування з від'єднанням. Перериваємо."
-
-#: lib/luks2/luks2_json_metadata.c:2350
-msgid "Online reencryption in progress. Aborting."
-msgstr "Виконується повторне шифрування без від'єднання. Перериваємо."
+#: lib/luks2/luks2_json_metadata.c:2342
+msgid "Operation incompatible with device marked for legacy reencryption. Aborting."
+msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування застарілого варіанта. Перериваємо дію."
+
+#: lib/luks2/luks2_json_metadata.c:2344
+msgid "Operation incompatible with device marked for LUKS2 reencryption. Aborting."
+msgstr "Дія є несумісною із пристроєм, який позначено для перешифрування LUKS2. Перериваємо дію."
 
-#: lib/luks2/luks2_keyslot.c:552 lib/luks2/luks2_keyslot.c:589
+#: lib/luks2/luks2_keyslot.c:547 lib/luks2/luks2_keyslot.c:584
 msgid "Not enough available memory to open a keyslot."
 msgstr "Недостатньо пам'яті для відкриття слоту ключів."
 
-#: lib/luks2/luks2_keyslot.c:554 lib/luks2/luks2_keyslot.c:591
+#: lib/luks2/luks2_keyslot.c:549 lib/luks2/luks2_keyslot.c:586
 msgid "Keyslot open failed."
 msgstr "Не вдалося відкрити слот ключів."
 
@@ -1286,52 +1404,56 @@
 msgid "No space for new keyslot."
 msgstr "Немає простору для нового слоту ключа."
 
-#: lib/luks2/luks2_luks1_convert.c:481
+#: lib/luks2/luks2_luks1_convert.c:482
 #, c-format
 msgid "Cannot check status of device with uuid: %s."
 msgstr "Не вдалося перевірити стан пристрою з uuid %s."
 
-#: lib/luks2/luks2_luks1_convert.c:507
+#: lib/luks2/luks2_luks1_convert.c:508
 msgid "Unable to convert header with LUKSMETA additional metadata."
 msgstr "Не вдалося перетворити заголовок з додатковими метаданими LUKSMETA."
 
-#: lib/luks2/luks2_luks1_convert.c:547
+#: lib/luks2/luks2_luks1_convert.c:548
 msgid "Unable to move keyslot area. Not enough space."
 msgstr "Не вдалося пересунути область слотів ключів. Недостатньо місця."
 
-#: lib/luks2/luks2_luks1_convert.c:590 lib/luks2/luks2_luks1_convert.c:872
+#: lib/luks2/luks2_luks1_convert.c:599
+msgid "Unable to move keyslot area. LUKS2 keyslots area too small."
+msgstr "Не вдалося пересунути область слотів ключів. Область слотів ключів LUKS2 є надто малою."
+
+#: lib/luks2/luks2_luks1_convert.c:605 lib/luks2/luks2_luks1_convert.c:887
 msgid "Unable to move keyslot area."
 msgstr "Не вдалося пересунути область слотів ключів."
 
-#: lib/luks2/luks2_luks1_convert.c:682
+#: lib/luks2/luks2_luks1_convert.c:697
 msgid "Cannot convert to LUKS1 format - default segment encryption sector size is not 512 bytes."
 msgstr "Не вдалося перетворити на формат LUKS1 — типовий розмір сектору шифрування сегмента не дорівнює 512 байтам."
 
-#: lib/luks2/luks2_luks1_convert.c:690
+#: lib/luks2/luks2_luks1_convert.c:705
 msgid "Cannot convert to LUKS1 format - key slot digests are not LUKS1 compatible."
 msgstr "Не вдалося перетворити до формату LUKS1 — контрольні суми слотів ключів не сумісні з LUKS1."
 
-#: lib/luks2/luks2_luks1_convert.c:702
+#: lib/luks2/luks2_luks1_convert.c:717
 #, c-format
 msgid "Cannot convert to LUKS1 format - device uses wrapped key cipher %s."
 msgstr "Не вдалося перетворити до формату LUKS1 — на пристрої використовується загорнуте шифрування ключів %s."
 
-#: lib/luks2/luks2_luks1_convert.c:710
+#: lib/luks2/luks2_luks1_convert.c:725
 #, c-format
 msgid "Cannot convert to LUKS1 format - LUKS2 header contains %u token(s)."
 msgstr "Не вдалося перетворити до формату LUKS1 - заголовок LUKS2 містить %u ключів."
 
-#: lib/luks2/luks2_luks1_convert.c:724
+#: lib/luks2/luks2_luks1_convert.c:739
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is in invalid state."
 msgstr "Не вдалося перетворити до формату LUKS1 - слот ключа %u перебуває у некоректному стані."
 
-#: lib/luks2/luks2_luks1_convert.c:729
+#: lib/luks2/luks2_luks1_convert.c:744
 #, c-format
 msgid "Cannot convert to LUKS1 format - slot %u (over maximum slots) is still active."
 msgstr "Не вдалося перетворити до формату LUKS1 — слот %u (перевищує максимальну кількість слотів) усе ще є активним."
 
-#: lib/luks2/luks2_luks1_convert.c:734
+#: lib/luks2/luks2_luks1_convert.c:749
 #, c-format
 msgid "Cannot convert to LUKS1 format - keyslot %u is not LUKS1 compatible."
 msgstr "не вдалося перетворити до формату LUKS1 — слот ключів %u є несумісним з LUKS1."
@@ -1353,7 +1475,7 @@
 
 #: lib/luks2/luks2_reencrypt.c:1158 lib/luks2/luks2_reencrypt.c:1313
 #: lib/luks2/luks2_reencrypt.c:1396 lib/luks2/luks2_reencrypt.c:1430
-#: lib/luks2/luks2_reencrypt.c:3011
+#: lib/luks2/luks2_reencrypt.c:3030
 msgid "Failed to initialize old segment storage wrapper."
 msgstr "Не вдалося ініціалізувати обгортку старого сховища сегментів."
 
@@ -1365,7 +1487,7 @@
 msgid "Failed to read checksums for current hotzone."
 msgstr "Не вдалося прочитати контрольні суми для поточної «гарячої» ділянки."
 
-#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3019
+#: lib/luks2/luks2_reencrypt.c:1347 lib/luks2/luks2_reencrypt.c:3038
 #, c-format
 msgid "Failed to read hotzone area starting at %<PRIu64>."
 msgstr "Не вдалося прочитати «гарячу» ділянку, починаючи з %<PRIu64>."
@@ -1423,119 +1545,119 @@
 msgid "Data shift (%<PRIu64> sectors) is less than future data offset (%<PRIu64> sectors)."
 msgstr "Зміщення даних (%<PRIu64> секторів) є меншим за майбутній зсув даних (%<PRIu64> секторів)."
 
-#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2760
-#: lib/luks2/luks2_reencrypt.c:2781
+#: lib/luks2/luks2_reencrypt.c:2366 lib/luks2/luks2_reencrypt.c:2779
+#: lib/luks2/luks2_reencrypt.c:2800
 #, c-format
 msgid "Failed to open %s in exclusive mode (already mapped or mounted)."
 msgstr "Не вдалося відкрити %s в ексклюзивному режимі (вже пов'язано або змонтовано)."
 
 #: lib/luks2/luks2_reencrypt.c:2534
-msgid "No LUKS2 reencryption in progress."
-msgstr "Зараз не виконуємо жодного повторного шифрування LUKS2."
+msgid "Device not marked for LUKS2 reencryption."
+msgstr "Пристрій не позначено для повторного шифрування LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3276
+#: lib/luks2/luks2_reencrypt.c:2540 lib/luks2/luks2_reencrypt.c:3295
 msgid "Failed to load LUKS2 reencryption context."
 msgstr "Не вдалося завантажити контекст повторного шифрування LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:2600
+#: lib/luks2/luks2_reencrypt.c:2619
 msgid "Failed to get reencryption state."
 msgstr "Не вдалося отримати стан повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:2604
+#: lib/luks2/luks2_reencrypt.c:2623
 msgid "Device is not in reencryption."
 msgstr "Пристрій не перебуває у повторному шифруванні."
 
-#: lib/luks2/luks2_reencrypt.c:2611
+#: lib/luks2/luks2_reencrypt.c:2630
 msgid "Reencryption process is already running."
 msgstr "Процес повторного шифрування вже виконується."
 
-#: lib/luks2/luks2_reencrypt.c:2613
+#: lib/luks2/luks2_reencrypt.c:2632
 msgid "Failed to acquire reencryption lock."
 msgstr "Не вдалося створити блокування для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:2631
+#: lib/luks2/luks2_reencrypt.c:2650
 msgid "Cannot proceed with reencryption. Run reencryption recovery first."
 msgstr "Продовження повторного шифрування неможливе. Спочатку слід виконати відновлення повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:2731
+#: lib/luks2/luks2_reencrypt.c:2750
 msgid "Active device size and requested reencryption size don't match."
 msgstr "Не збігаються розмір активного пристрою і запитаний розмір повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:2745
+#: lib/luks2/luks2_reencrypt.c:2764
 msgid "Illegal device size requested in reencryption parameters."
 msgstr "У параметрах повторного шифрування вказано некоректний розмір пристрою."
 
-#: lib/luks2/luks2_reencrypt.c:2815
+#: lib/luks2/luks2_reencrypt.c:2834
 msgid "Reencryption in-progress. Cannot perform recovery."
 msgstr "Виконується повторне шифрування. Неможливо виконати відновлення."
 
-#: lib/luks2/luks2_reencrypt.c:2887
+#: lib/luks2/luks2_reencrypt.c:2906
 msgid "LUKS2 reencryption already initialized in metadata."
 msgstr "Повторне шифрування LUKS2 вже ініційовано у метаданих."
 
-#: lib/luks2/luks2_reencrypt.c:2894
+#: lib/luks2/luks2_reencrypt.c:2913
 msgid "Failed to initialize LUKS2 reencryption in metadata."
 msgstr "Не вдалося ініціалізувати повторне шифрування LUKS2 лише у метаданих."
 
-#: lib/luks2/luks2_reencrypt.c:2985
+#: lib/luks2/luks2_reencrypt.c:3004
 msgid "Failed to set device segments for next reencryption hotzone."
 msgstr "Не вдалося встановити сегменти пристрою для наступної «гарячої» ділянки повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3027
+#: lib/luks2/luks2_reencrypt.c:3046
 msgid "Failed to write reencryption resilience metadata."
 msgstr "Не вдалося записати метадані стійкості для повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3034
+#: lib/luks2/luks2_reencrypt.c:3053
 msgid "Decryption failed."
 msgstr "Помилка розшифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3039
+#: lib/luks2/luks2_reencrypt.c:3058
 #, c-format
 msgid "Failed to write hotzone area starting at %<PRIu64>."
 msgstr "Не вдалося записати «гарячу» ділянку, починаючи з %<PRIu64>."
 
-#: lib/luks2/luks2_reencrypt.c:3044
+#: lib/luks2/luks2_reencrypt.c:3063
 msgid "Failed to sync data."
 msgstr "Не вдалося синхронізувати дані."
 
-#: lib/luks2/luks2_reencrypt.c:3052
+#: lib/luks2/luks2_reencrypt.c:3071
 msgid "Failed to update metadata after current reencryption hotzone completed."
 msgstr "Не вдалося оновити метадані після завершення обробки поточної «гарячої» зони повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3119
+#: lib/luks2/luks2_reencrypt.c:3138
 msgid "Failed to write LUKS2 metadata."
 msgstr "Не вдалося записати метадані LUKS2."
 
-#: lib/luks2/luks2_reencrypt.c:3142
+#: lib/luks2/luks2_reencrypt.c:3161
 msgid "Failed to wipe backup segment data."
 msgstr "Не вдалося витерти дані резервного сегмента."
 
-#: lib/luks2/luks2_reencrypt.c:3155
+#: lib/luks2/luks2_reencrypt.c:3174
 msgid "Failed to disable reencryption requirement flag."
 msgstr "Не вдалося вимкнути прапорець вимоги повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3163
+#: lib/luks2/luks2_reencrypt.c:3182
 #, c-format
 msgid "Fatal error while reencrypting chunk starting at %<PRIu64>, %<PRIu64> sectors long."
 msgstr "Критична помилка під час повторного шифрування фрагмента, починаючи з %<PRIu64>, довжиною у %<PRIu64> секторів."
 
-#: lib/luks2/luks2_reencrypt.c:3172
+#: lib/luks2/luks2_reencrypt.c:3191
 msgid "Do not resume the device unless replaced with error target manually."
 msgstr "Не відновлюйте пристрій, якщо не заміните вручну пристрій призначення для помилок."
 
-#: lib/luks2/luks2_reencrypt.c:3221
+#: lib/luks2/luks2_reencrypt.c:3240
 msgid "Cannot proceed with reencryption. Unexpected reencryption status."
 msgstr "Не вдалося виконати повторне шифрування. Неочікуваний стан засобу повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3227
+#: lib/luks2/luks2_reencrypt.c:3246
 msgid "Missing or invalid reencrypt context."
 msgstr "Не вказано контекст повторного шифрування або вказано некоректний контекст."
 
-#: lib/luks2/luks2_reencrypt.c:3234
+#: lib/luks2/luks2_reencrypt.c:3253
 msgid "Failed to initialize reencryption device stack."
 msgstr "Не вдалося ініціалізувати стос пристроїв повторного шифрування."
 
-#: lib/luks2/luks2_reencrypt.c:3253 lib/luks2/luks2_reencrypt.c:3289
+#: lib/luks2/luks2_reencrypt.c:3272 lib/luks2/luks2_reencrypt.c:3308
 msgid "Failed to update reencryption context."
 msgstr "Не вдалося оновити контекст повторного шифрування."
 
@@ -1548,64 +1670,69 @@
 msgid "Failed to create builtin token %s."
 msgstr "Не вдалося створити вбудований ключ %s."
 
-#: src/cryptsetup.c:162
+#: src/cryptsetup.c:163
 msgid "Can't do passphrase verification on non-tty inputs."
 msgstr "Перевірку паролів не можна виконувати на основі вхідних даних, які надходять не з tty."
 
-#: src/cryptsetup.c:215
+#: src/cryptsetup.c:216
 msgid "Keyslot encryption parameters can be set only for LUKS2 device."
 msgstr "Параметри шифрування слоту ключів можна встановлювати лише для пристроїв LUKS2."
 
-#: src/cryptsetup.c:245 src/cryptsetup.c:893 src/cryptsetup.c:1212
-#: src/cryptsetup.c:3008 src/cryptsetup_reencrypt.c:715
-#: src/cryptsetup_reencrypt.c:785
+#: src/cryptsetup.c:246 src/cryptsetup.c:955 src/cryptsetup.c:1280
+#: src/cryptsetup.c:3084 src/cryptsetup_reencrypt.c:716
+#: src/cryptsetup_reencrypt.c:786
 msgid "No known cipher specification pattern detected."
 msgstr "Не виявлено жодного відомого зразка специфікації шифрування."
 
-#: src/cryptsetup.c:253
+#: src/cryptsetup.c:254
 msgid "WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.\n"
 msgstr "Попередження: параметр --hash у простому режимі із вказаним файлом ключа ігнорується.\n"
 
-#: src/cryptsetup.c:261
+#: src/cryptsetup.c:262
 msgid "WARNING: The --keyfile-size option is being ignored, the read size is the same as the encryption key size.\n"
 msgstr "Попередження: параметр --keyfile-size проігноровано, розмір прочитаних даних збігається із розміром ключа шифрування.\n"
 
-#: src/cryptsetup.c:301
+#: src/cryptsetup.c:302
 #, c-format
 msgid "Detected device signature(s) on %s. Proceeding further may damage existing data."
 msgstr "На %s виявлено підписи пристроїв. Подальша обробка може пошкодити наявні дані."
 
-#: src/cryptsetup.c:307 src/cryptsetup.c:1038 src/cryptsetup.c:1090
-#: src/cryptsetup.c:1189 src/cryptsetup.c:1262 src/cryptsetup.c:1913
-#: src/cryptsetup.c:2545 src/cryptsetup.c:2668 src/integritysetup.c:232
+#: src/cryptsetup.c:308 src/cryptsetup.c:1101 src/cryptsetup.c:1153
+#: src/cryptsetup.c:1257 src/cryptsetup.c:1330 src/cryptsetup.c:1985
+#: src/cryptsetup.c:2621 src/cryptsetup.c:2744 src/integritysetup.c:232
 msgid "Operation aborted.\n"
 msgstr "Дію перервано.\n"
 
-#: src/cryptsetup.c:375
+#: src/cryptsetup.c:376
 msgid "Option --key-file is required."
 msgstr "Слід вказати параметр --key-file."
 
-#: src/cryptsetup.c:428
+#: src/cryptsetup.c:429
 msgid "Enter VeraCrypt PIM: "
 msgstr "Введіть PIM VeraCrypt: "
 
-#: src/cryptsetup.c:437
+#: src/cryptsetup.c:438
 msgid "Invalid PIM value: parse error."
 msgstr "Некоректне значення PIM: помилка обробки."
 
-#: src/cryptsetup.c:440
+#: src/cryptsetup.c:441
 msgid "Invalid PIM value: 0."
 msgstr "Некоректне значення PIM: 0."
 
-#: src/cryptsetup.c:443
+#: src/cryptsetup.c:444
 msgid "Invalid PIM value: outside of range."
 msgstr "Некоректне значення PIM: поза межами діапазону."
 
-#: src/cryptsetup.c:466
+#: src/cryptsetup.c:467
 msgid "No device header detected with this passphrase."
 msgstr "Для цього пароля не виявлено заголовка пристрою."
 
-#: src/cryptsetup.c:528 src/cryptsetup.c:1940
+#: src/cryptsetup.c:536
+#, c-format
+msgid "Device %s is not a valid BITLK device."
+msgstr "Пристрій %s не є коректним пристроєм BITLK."
+
+#: src/cryptsetup.c:571 src/cryptsetup.c:2012
 msgid ""
 "Header dump with volume key is sensitive information\n"
 "which allows access to encrypted partition without passphrase.\n"
@@ -1616,68 +1743,68 @@
 "без пароля. Цей дамп слід зберігати у зашифрованому форматі\n"
 "у безпечному місці."
 
-#: src/cryptsetup.c:607
+#: src/cryptsetup.c:668
 #, c-format
 msgid "Device %s is still active and scheduled for deferred removal.\n"
 msgstr "Пристрій %s усе ще є активним, його заплановано для відкладеного вилучення.\n"
 
-#: src/cryptsetup.c:635
+#: src/cryptsetup.c:696
 msgid "Resize of active device requires volume key in keyring but --disable-keyring option is set."
 msgstr "Зміна розмірів активного пристрою потребує наявності ключа тому у сховищі ключів, але вказано параметр --disable-keyring."
 
-#: src/cryptsetup.c:771
+#: src/cryptsetup.c:833
 msgid "Benchmark interrupted."
 msgstr "Тестування перервано."
 
-#: src/cryptsetup.c:792
+#: src/cryptsetup.c:854
 #, c-format
 msgid "PBKDF2-%-9s     N/A\n"
 msgstr "PBKDF2-%-9s     н/д\n"
 
-#: src/cryptsetup.c:794
+#: src/cryptsetup.c:856
 #, c-format
 msgid "PBKDF2-%-9s %7u iterations per second for %zu-bit key\n"
 msgstr "PBKDF2-%-9s %7u ітерацій за секунду для %zu-бітового ключа\n"
 
-#: src/cryptsetup.c:808
+#: src/cryptsetup.c:870
 #, c-format
 msgid "%-10s N/A\n"
 msgstr "%-10s н/д\n"
 
-#: src/cryptsetup.c:810
+#: src/cryptsetup.c:872
 #, c-format
 msgid "%-10s %4u iterations, %5u memory, %1u parallel threads (CPUs) for %zu-bit key (requested %u ms time)\n"
 msgstr "%-10s %4u ітерацій, пам'ять: %5u, %1u паралельних потоків (процесорів) для %zu-бітового ключа (запит на %u мс часу)\n"
 
-#: src/cryptsetup.c:834
+#: src/cryptsetup.c:896
 msgid "Result of benchmark is not reliable."
 msgstr "Результат тестування є ненадійним."
 
-#: src/cryptsetup.c:885
+#: src/cryptsetup.c:947
 msgid "# Tests are approximate using memory only (no storage IO).\n"
 msgstr "# Наближені значення під час перевірки визначаються лише за допомогою оперативної пам’яті (без запису на диск).\n"
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:919
+#: src/cryptsetup.c:981
 #, c-format
 msgid "#%*s Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "№%*s Алгоритм |      Ключ |      Шифрування |   Розшифрування\n"
 
-#: src/cryptsetup.c:923
+#: src/cryptsetup.c:985
 #, c-format
 msgid "Cipher %s is not available."
 msgstr "Шифрування %s є недоступним."
 
 #. TRANSLATORS: The string is header of a table and must be exactly (right side) aligned.
-#: src/cryptsetup.c:943
+#: src/cryptsetup.c:1005
 msgid "#     Algorithm |       Key |      Encryption |      Decryption\n"
 msgstr "№      Алгоритм |      Ключ |      Шифрування |   Розшифрування\n"
 
-#: src/cryptsetup.c:952
+#: src/cryptsetup.c:1014
 msgid "N/A"
 msgstr "н/д"
 
-#: src/cryptsetup.c:1031
+#: src/cryptsetup.c:1094
 msgid ""
 "Seems device does not require reencryption recovery.\n"
 "Do you want to proceed anyway?"
@@ -1685,19 +1812,19 @@
 "Здається, пристрій не потребує відновлення повторного шифрування.\n"
 "Хочете виконати цю дію попри це?"
 
-#: src/cryptsetup.c:1037
+#: src/cryptsetup.c:1100
 msgid "Really proceed with LUKS2 reencryption recovery?"
 msgstr "Ви справді хочете продовжити процедуру відновлення повторного шифрування LUKS2?"
 
-#: src/cryptsetup.c:1046
+#: src/cryptsetup.c:1109
 msgid "Enter passphrase for reencryption recovery: "
 msgstr "Вкажіть пароль для відновлення повторного шифрування: "
 
-#: src/cryptsetup.c:1089
+#: src/cryptsetup.c:1152
 msgid "Really try to repair LUKS device header?"
 msgstr "Спробувати відновити заголовок пристрою LUKS?"
 
-#: src/cryptsetup.c:1108 src/integritysetup.c:145
+#: src/cryptsetup.c:1171 src/integritysetup.c:145
 msgid ""
 "Wiping device to initialize integrity checksum.\n"
 "You can interrupt this by pressing CTRL+c (rest of not wiped device will contain invalid checksum).\n"
@@ -1705,127 +1832,127 @@
 "Витираємо пристрій для ініціалізації контрольних сум для цілісності.\n"
 "Ви можете перервати цей процес натисканням комбінації клавіш CTRL+C (решта невитертого пристрою міститиме некоректну контрольну суму).\n"
 
-#: src/cryptsetup.c:1130 src/integritysetup.c:167
+#: src/cryptsetup.c:1193 src/integritysetup.c:167
 #, c-format
 msgid "Cannot deactivate temporary device %s."
 msgstr "Не можна скасувати активацію тимчасового пристрою %s."
 
-#: src/cryptsetup.c:1174
+#: src/cryptsetup.c:1242
 msgid "Integrity option can be used only for LUKS2 format."
 msgstr "Параметр цілісності може бути використано лише для формату LUKS2."
 
-#: src/cryptsetup.c:1179 src/cryptsetup.c:1239
+#: src/cryptsetup.c:1247 src/cryptsetup.c:1307
 msgid "Unsupported LUKS2 metadata size options."
 msgstr "Непідтримувані параметри розміру метаданих LUKS2."
 
-#: src/cryptsetup.c:1196
+#: src/cryptsetup.c:1264
 #, c-format
 msgid "Cannot create header file %s."
 msgstr "Не вдалося створити файл заголовка %s."
 
-#: src/cryptsetup.c:1219 src/integritysetup.c:194 src/integritysetup.c:203
-#: src/integritysetup.c:212 src/integritysetup.c:279 src/integritysetup.c:288
-#: src/integritysetup.c:298
+#: src/cryptsetup.c:1287 src/integritysetup.c:194 src/integritysetup.c:203
+#: src/integritysetup.c:212 src/integritysetup.c:283 src/integritysetup.c:292
+#: src/integritysetup.c:302
 msgid "No known integrity specification pattern detected."
 msgstr "Не виявлено жодного відомого зразка специфікації цілісності."
 
-#: src/cryptsetup.c:1232
+#: src/cryptsetup.c:1300
 #, c-format
 msgid "Cannot use %s as on-disk header."
 msgstr "Не можна використовувати %s як заголовок на диску."
 
-#: src/cryptsetup.c:1256 src/integritysetup.c:226
+#: src/cryptsetup.c:1324 src/integritysetup.c:226
 #, c-format
 msgid "This will overwrite data on %s irrevocably."
 msgstr "Дані на %s буде перезаписано без можливості відновлення."
 
-#: src/cryptsetup.c:1297 src/cryptsetup.c:1627 src/cryptsetup.c:1694
-#: src/cryptsetup.c:1796 src/cryptsetup.c:1862 src/cryptsetup_reencrypt.c:545
+#: src/cryptsetup.c:1365 src/cryptsetup.c:1699 src/cryptsetup.c:1766
+#: src/cryptsetup.c:1868 src/cryptsetup.c:1934 src/cryptsetup_reencrypt.c:546
 msgid "Failed to set pbkdf parameters."
 msgstr "Не вдалося встановити параметри pbkdf."
 
-#: src/cryptsetup.c:1378
+#: src/cryptsetup.c:1450
 msgid "Reduced data offset is allowed only for detached LUKS header."
 msgstr "Зменшений відступ даних можна використовувати лише для від’єднаних заголовків LUKS."
 
-#: src/cryptsetup.c:1389 src/cryptsetup.c:1700
+#: src/cryptsetup.c:1461 src/cryptsetup.c:1772
 msgid "Cannot determine volume key size for LUKS without keyslots, please use --key-size option."
 msgstr "Неможливо визначити розмір ключа тому для LUKS без слотів ключів. Будь ласка, скористайтеся параметром --key-size."
 
-#: src/cryptsetup.c:1427
+#: src/cryptsetup.c:1499
 msgid "Device activated but cannot make flags persistent."
 msgstr "Пристрій задіяно, але не вдалося зробити прапорці сталими."
 
-#: src/cryptsetup.c:1508 src/cryptsetup.c:1578
+#: src/cryptsetup.c:1580 src/cryptsetup.c:1650
 #, c-format
 msgid "Keyslot %d is selected for deletion."
 msgstr "Слот ключа %d позначено для вилучення."
 
-#: src/cryptsetup.c:1520 src/cryptsetup.c:1581
+#: src/cryptsetup.c:1592 src/cryptsetup.c:1653
 msgid "This is the last keyslot. Device will become unusable after purging this key."
 msgstr "Це останній слот ключа. Пристрій стане непридатним для використання після спорожнення цього ключа."
 
-#: src/cryptsetup.c:1521
+#: src/cryptsetup.c:1593
 msgid "Enter any remaining passphrase: "
 msgstr "Введіть будь-який інший пароль: "
 
-#: src/cryptsetup.c:1522 src/cryptsetup.c:1583
+#: src/cryptsetup.c:1594 src/cryptsetup.c:1655
 msgid "Operation aborted, the keyslot was NOT wiped.\n"
 msgstr "Дію перервано, слот ключів НЕ витерто.\n"
 
-#: src/cryptsetup.c:1560
+#: src/cryptsetup.c:1632
 msgid "Enter passphrase to be deleted: "
 msgstr "Введіть пароль, який слід вилучити: "
 
-#: src/cryptsetup.c:1641 src/cryptsetup.c:1715 src/cryptsetup.c:1749
+#: src/cryptsetup.c:1713 src/cryptsetup.c:1787 src/cryptsetup.c:1821
 msgid "Enter new passphrase for key slot: "
 msgstr "Введіть новий пароль для слота ключа: "
 
-#: src/cryptsetup.c:1732 src/cryptsetup_reencrypt.c:1327
+#: src/cryptsetup.c:1804 src/cryptsetup_reencrypt.c:1336
 #, c-format
 msgid "Enter any existing passphrase: "
 msgstr "Введіть будь-який пароль: "
 
-#: src/cryptsetup.c:1800
+#: src/cryptsetup.c:1872
 msgid "Enter passphrase to be changed: "
 msgstr "Введіть пароль, який слід змінити: "
 
-#: src/cryptsetup.c:1816 src/cryptsetup_reencrypt.c:1313
+#: src/cryptsetup.c:1888 src/cryptsetup_reencrypt.c:1322
 msgid "Enter new passphrase: "
 msgstr "Введіть новий пароль: "
 
-#: src/cryptsetup.c:1866
+#: src/cryptsetup.c:1938
 msgid "Enter passphrase for keyslot to be converted: "
 msgstr "Вкажіть пароль для слоту ключа, який буде перетворено: "
 
-#: src/cryptsetup.c:1890
+#: src/cryptsetup.c:1962
 msgid "Only one device argument for isLuks operation is supported."
 msgstr "У команді isLuks можна використовувати лише один аргумент назви пристрою."
 
-#: src/cryptsetup.c:2074 src/cryptsetup.c:2095
+#: src/cryptsetup.c:2146 src/cryptsetup.c:2167
 msgid "Option --header-backup-file is required."
 msgstr "Слід вказати параметр --header-backup-file."
 
-#: src/cryptsetup.c:2125
+#: src/cryptsetup.c:2197
 #, c-format
 msgid "%s is not cryptsetup managed device."
 msgstr "%s не є керованим cryptsetup пристроєм."
 
-#: src/cryptsetup.c:2136
+#: src/cryptsetup.c:2208
 #, c-format
 msgid "Refresh is not supported for device type %s"
 msgstr "Підтримки дії з оновлення для пристрою типу %s не передбачено."
 
-#: src/cryptsetup.c:2174
+#: src/cryptsetup.c:2250
 #, c-format
 msgid "Unrecognized metadata device type %s."
 msgstr "Нерозпізнаний тип пристрою метаданих, %s."
 
-#: src/cryptsetup.c:2177
+#: src/cryptsetup.c:2253
 msgid "Command requires device and mapped name as arguments."
 msgstr "Аргументами команди мають бути назва пристрою та призначена до нього назва."
 
-#: src/cryptsetup.c:2199
+#: src/cryptsetup.c:2275
 #, c-format
 msgid ""
 "This operation will erase all keyslots on device %s.\n"
@@ -1834,95 +1961,95 @@
 "У результаті виконання цієї операції буде витерто усі слоти ключів на пристрої %s.\n"
 "Після виконання цієї дії пристроєм не можна буде скористатися."
 
-#: src/cryptsetup.c:2206
+#: src/cryptsetup.c:2282
 msgid "Operation aborted, keyslots were NOT wiped.\n"
 msgstr "Дію перервано, слоти ключів НЕ витерто.\n"
 
-#: src/cryptsetup.c:2243
+#: src/cryptsetup.c:2319
 msgid "Invalid LUKS type, only luks1 and luks2 are supported."
 msgstr "Некоректний тип LUKS. Передбачено підтримку лише luks1 і luks2."
 
-#: src/cryptsetup.c:2261
+#: src/cryptsetup.c:2337
 #, c-format
 msgid "Device is already %s type."
 msgstr "Пристрій вже належить до типу %s."
 
-#: src/cryptsetup.c:2266
+#: src/cryptsetup.c:2342
 #, c-format
 msgid "This operation will convert %s to %s format.\n"
 msgstr "Ця дія перетворить %s до формату %s.\n"
 
-#: src/cryptsetup.c:2272
+#: src/cryptsetup.c:2348
 msgid "Operation aborted, device was NOT converted.\n"
 msgstr "Дію перервано, дані пристрою НЕ перетворено.\n"
 
-#: src/cryptsetup.c:2312
+#: src/cryptsetup.c:2388
 msgid "Option --priority, --label or --subsystem is missing."
 msgstr "Пропущено параметр --priority, --label або --subsystem."
 
-#: src/cryptsetup.c:2346 src/cryptsetup.c:2379 src/cryptsetup.c:2402
+#: src/cryptsetup.c:2422 src/cryptsetup.c:2455 src/cryptsetup.c:2478
 #, c-format
 msgid "Token %d is invalid."
 msgstr "Ключ %d є некоректним."
 
-#: src/cryptsetup.c:2349 src/cryptsetup.c:2405
+#: src/cryptsetup.c:2425 src/cryptsetup.c:2481
 #, c-format
 msgid "Token %d in use."
 msgstr "Ключ %d використовується."
 
-#: src/cryptsetup.c:2356
+#: src/cryptsetup.c:2432
 #, c-format
 msgid "Failed to add luks2-keyring token %d."
 msgstr "Не вдалося додати ключ %d зі сховища ключів luks2."
 
-#: src/cryptsetup.c:2365 src/cryptsetup.c:2427
+#: src/cryptsetup.c:2441 src/cryptsetup.c:2503
 #, c-format
 msgid "Failed to assign token %d to keyslot %d."
 msgstr "Не вдалося прив'язати ключ %d до слоту ключа %d."
 
-#: src/cryptsetup.c:2382
+#: src/cryptsetup.c:2458
 #, c-format
 msgid "Token %d is not in use."
 msgstr "Ключ %d не використовується."
 
-#: src/cryptsetup.c:2417
+#: src/cryptsetup.c:2493
 msgid "Failed to import token from file."
 msgstr "Не вдалося імпортувати ключ з файла."
 
-#: src/cryptsetup.c:2442
+#: src/cryptsetup.c:2518
 #, c-format
 msgid "Failed to get token %d for export."
 msgstr "Не вдалося отримати ключ %d для експортування."
 
-#: src/cryptsetup.c:2457
+#: src/cryptsetup.c:2533
 msgid "--key-description parameter is mandatory for token add action."
 msgstr "Параметр --key-description є обов'язковим для дій із додавання ключів."
 
-#: src/cryptsetup.c:2463 src/cryptsetup.c:2471
+#: src/cryptsetup.c:2539 src/cryptsetup.c:2547
 msgid "Action requires specific token. Use --token-id parameter."
 msgstr "Для виконання дії потрібен специфічний ключ. Скористайтеся параметром --token-id."
 
-#: src/cryptsetup.c:2476
+#: src/cryptsetup.c:2552
 #, c-format
 msgid "Invalid token operation %s."
 msgstr "Некоректна дія з ключем %s."
 
-#: src/cryptsetup.c:2531
+#: src/cryptsetup.c:2607
 #, c-format
 msgid "Auto-detected active dm device '%s' for data device %s.\n"
 msgstr "Автоматично виявлено активний пристрій dm «%s» для пристрою даних %s.\n"
 
-#: src/cryptsetup.c:2535
+#: src/cryptsetup.c:2611
 #, c-format
 msgid "Device %s is not a block device.\n"
 msgstr "Пристрій %s не є блоковим пристроєм.\n"
 
-#: src/cryptsetup.c:2537
+#: src/cryptsetup.c:2613
 #, c-format
 msgid "Failed to auto-detect device %s holders."
 msgstr "Не вдалося автоматично визначити утримувачів пристрою %s."
 
-#: src/cryptsetup.c:2539
+#: src/cryptsetup.c:2615
 #, c-format
 msgid ""
 "Unable to decide if device %s is activated or not.\n"
@@ -1935,229 +2062,233 @@
 "Таке шифрування може призвести до пошкодження даних, якщо пристрій задіяно.\n"
 "Щоб запустити повторне шифрування у режимі без від'єднання, скористайтеся параметром --active-name.\n"
 
-#: src/cryptsetup.c:2619
+#: src/cryptsetup.c:2695
 msgid "Invalid LUKS device type."
 msgstr "Некоректний тип пристрою LUKS."
 
-#: src/cryptsetup.c:2624
+#: src/cryptsetup.c:2700
 msgid "Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."
 msgstr "Шифрування без від'єднаного заголовка (--header) є неможливим без зменшення розміру пристрою зберігання даних (--reduce-device-size)."
 
-#: src/cryptsetup.c:2629
+#: src/cryptsetup.c:2705
 msgid "Requested data offset must be less than or equal to half of --reduce-device-size parameter."
 msgstr "Вказаний зсув даних має бути меншим або рівним половині значення параметра --reduce-device-size."
 
-#: src/cryptsetup.c:2638
+#: src/cryptsetup.c:2714
 #, c-format
 msgid "Adjusting --reduce-device-size value to twice the --offset %<PRIu64> (sectors).\n"
 msgstr "Коригуємо значення --reduce-device-size до подвійного значення --offset %<PRIu64> (у секторах).\n"
 
-#: src/cryptsetup.c:2642
+#: src/cryptsetup.c:2718
 msgid "Encryption is supported only for LUKS2 format."
 msgstr "Підтримку шифрування передбачено лише для формату LUKS2."
 
-#: src/cryptsetup.c:2664
+#: src/cryptsetup.c:2740
 #, c-format
 msgid "Detected LUKS device on %s. Do you want to encrypt that LUKS device again?"
 msgstr "Виявлено пристрій LUKS на %s. Хочете зашифрувати цей пристрій LUKS знову?"
 
-#: src/cryptsetup.c:2679
+#: src/cryptsetup.c:2755
 #, c-format
 msgid "Temporary header file %s already exists. Aborting."
 msgstr "Файл тимчасового заголовка %s вже існує. Перериваємо обробку."
 
-#: src/cryptsetup.c:2681 src/cryptsetup.c:2688
+#: src/cryptsetup.c:2757 src/cryptsetup.c:2764
 #, c-format
 msgid "Cannot create temporary header file %s."
 msgstr "Не вдалося створити файл тимчасового заголовка %s."
 
-#: src/cryptsetup.c:2752
+#: src/cryptsetup.c:2828
 #, c-format
-msgid "%s/%s is now active and ready for online encryption."
-msgstr "%s/%s задіяно, система готова до інтерактивного шифрування."
+msgid "%s/%s is now active and ready for online encryption.\n"
+msgstr "%s/%s задіяно, система готова до інтерактивного шифрування.\n"
 
-#: src/cryptsetup.c:2916 src/cryptsetup.c:2922
+#: src/cryptsetup.c:2992 src/cryptsetup.c:2998
 msgid "Not enough free keyslots for reencryption."
 msgstr "Недостатньо вільних слотів ключів для повторного шифрування."
 
-#: src/cryptsetup.c:2942 src/cryptsetup_reencrypt.c:1284
+#: src/cryptsetup.c:3018 src/cryptsetup_reencrypt.c:1287
 msgid "Key file can be used only with --key-slot or with exactly one key slot active."
 msgstr "Файлом ключа можна користуватися лише з --key-slot, або якщо активним є лише один слот ключа."
 
-#: src/cryptsetup.c:2951 src/cryptsetup_reencrypt.c:1325
-#: src/cryptsetup_reencrypt.c:1336
+#: src/cryptsetup.c:3027 src/cryptsetup_reencrypt.c:1334
+#: src/cryptsetup_reencrypt.c:1345
 #, c-format
 msgid "Enter passphrase for key slot %d: "
 msgstr "Вкажіть пароль для слоту ключа %d: "
 
-#: src/cryptsetup.c:2959
+#: src/cryptsetup.c:3035
 #, c-format
 msgid "Enter passphrase for key slot %u: "
 msgstr "Вкажіть пароль для слоту ключа %u: "
 
-#: src/cryptsetup.c:3126
+#: src/cryptsetup.c:3202
 msgid "Command requires device as argument."
 msgstr "Комарні слід передати аргумент пристрою."
 
-#: src/cryptsetup.c:3148
+#: src/cryptsetup.c:3224
 msgid "Only LUKS2 format is currently supported. Please use cryptsetup-reencrypt tool for LUKS1."
 msgstr "У поточній версії передбачено підтримку лише формату LUKS2. Для роботи з LUKS1, будь ласка, скористайтеся програмою cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3160
+#: src/cryptsetup.c:3236
 msgid "Legacy offline reencryption already in-progress. Use cryptsetup-reencrypt utility."
 msgstr "Вже виконується повторне шифрування з від'єднанням у застарілому режимі. Скористайтеся програмою cryptsetup-reencrypt."
 
-#: src/cryptsetup.c:3170 src/cryptsetup_reencrypt.c:178
+#: src/cryptsetup.c:3246 src/cryptsetup_reencrypt.c:178
 msgid "Reencryption of device with integrity profile is not supported."
 msgstr "Підтримки повторного шифрування пристрою із профілем цілісності не передбачено."
 
-#: src/cryptsetup.c:3178
+#: src/cryptsetup.c:3254
 msgid "LUKS2 reencryption already initialized. Aborting operation."
 msgstr "Вже ініційовано повторне шифрування LUKS2. Перериваємо виконання дії."
 
-#: src/cryptsetup.c:3182
+#: src/cryptsetup.c:3258
 msgid "LUKS2 device is not in reencryption."
 msgstr "Пристрій LUKS2 не перебуває у стані повторного шифрування."
 
-#: src/cryptsetup.c:3209
+#: src/cryptsetup.c:3285
 msgid "<device> [--type <type>] [<name>]"
 msgstr "<пристрій> [--type <тип>] [<назва>]"
 
-#: src/cryptsetup.c:3209 src/veritysetup.c:358 src/integritysetup.c:470
+#: src/cryptsetup.c:3285 src/veritysetup.c:394 src/integritysetup.c:474
 msgid "open device as <name>"
 msgstr "відкрити пристрій як <назва>"
 
-#: src/cryptsetup.c:3210 src/cryptsetup.c:3211 src/cryptsetup.c:3212
-#: src/veritysetup.c:359 src/veritysetup.c:360 src/integritysetup.c:471
-#: src/integritysetup.c:472
+#: src/cryptsetup.c:3286 src/cryptsetup.c:3287 src/cryptsetup.c:3288
+#: src/veritysetup.c:395 src/veritysetup.c:396 src/integritysetup.c:475
+#: src/integritysetup.c:476
 msgid "<name>"
 msgstr "<назва>"
 
-#: src/cryptsetup.c:3210 src/veritysetup.c:359 src/integritysetup.c:471
+#: src/cryptsetup.c:3286 src/veritysetup.c:395 src/integritysetup.c:475
 msgid "close device (remove mapping)"
 msgstr "закрити пристрій (вилучити призначення)"
 
-#: src/cryptsetup.c:3211
+#: src/cryptsetup.c:3287
 msgid "resize active device"
 msgstr "змінити розмір активного пристрою"
 
-#: src/cryptsetup.c:3212
+#: src/cryptsetup.c:3288
 msgid "show device status"
 msgstr "показати стан пристрою"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "[--cipher <cipher>]"
 msgstr "[--cipher <шифр>]"
 
-#: src/cryptsetup.c:3213
+#: src/cryptsetup.c:3289
 msgid "benchmark cipher"
 msgstr "перевірити швидкодію шифрування"
 
-#: src/cryptsetup.c:3214 src/cryptsetup.c:3215 src/cryptsetup.c:3216
-#: src/cryptsetup.c:3217 src/cryptsetup.c:3218 src/cryptsetup.c:3225
-#: src/cryptsetup.c:3226 src/cryptsetup.c:3227 src/cryptsetup.c:3228
-#: src/cryptsetup.c:3229 src/cryptsetup.c:3230 src/cryptsetup.c:3231
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3290 src/cryptsetup.c:3291 src/cryptsetup.c:3292
+#: src/cryptsetup.c:3293 src/cryptsetup.c:3294 src/cryptsetup.c:3301
+#: src/cryptsetup.c:3302 src/cryptsetup.c:3303 src/cryptsetup.c:3304
+#: src/cryptsetup.c:3305 src/cryptsetup.c:3306 src/cryptsetup.c:3307
+#: src/cryptsetup.c:3308 src/cryptsetup.c:3309
 msgid "<device>"
 msgstr "<пристрій>"
 
-#: src/cryptsetup.c:3214
+#: src/cryptsetup.c:3290
 msgid "try to repair on-disk metadata"
 msgstr "спробувати виправити метадані на диску"
 
-#: src/cryptsetup.c:3215
+#: src/cryptsetup.c:3291
 msgid "reencrypt LUKS2 device"
 msgstr "повторно зашифрувати пристрій LUKS2"
 
-#: src/cryptsetup.c:3216
+#: src/cryptsetup.c:3292
 msgid "erase all keyslots (remove encryption key)"
 msgstr "витерти усі слоти ключів (вилучити ключ шифрування)"
 
-#: src/cryptsetup.c:3217
+#: src/cryptsetup.c:3293
 msgid "convert LUKS from/to LUKS2 format"
 msgstr "перетворити LUKS із формату LUKS2 або навпаки"
 
-#: src/cryptsetup.c:3218
+#: src/cryptsetup.c:3294
 msgid "set permanent configuration options for LUKS2"
 msgstr "встановити сталі параметри налаштування для LUKS2"
 
-#: src/cryptsetup.c:3219 src/cryptsetup.c:3220
+#: src/cryptsetup.c:3295 src/cryptsetup.c:3296
 msgid "<device> [<new key file>]"
 msgstr "<пристрій> [<новий файл ключа>]"
 
-#: src/cryptsetup.c:3219
+#: src/cryptsetup.c:3295
 msgid "formats a LUKS device"
 msgstr "форматує пристрій LUKS"
 
-#: src/cryptsetup.c:3220
+#: src/cryptsetup.c:3296
 msgid "add key to LUKS device"
 msgstr "додати ключ до пристрою LUKS"
 
-#: src/cryptsetup.c:3221 src/cryptsetup.c:3222 src/cryptsetup.c:3223
+#: src/cryptsetup.c:3297 src/cryptsetup.c:3298 src/cryptsetup.c:3299
 msgid "<device> [<key file>]"
 msgstr "<пристрій> [<файл ключа>]"
 
-#: src/cryptsetup.c:3221
+#: src/cryptsetup.c:3297
 msgid "removes supplied key or key file from LUKS device"
 msgstr "вилучає наданий ключ або файл ключа з пристрою LUKS"
 
-#: src/cryptsetup.c:3222
+#: src/cryptsetup.c:3298
 msgid "changes supplied key or key file of LUKS device"
 msgstr "змінює наданий ключ або файл ключа пристрою LUKS"
 
-#: src/cryptsetup.c:3223
+#: src/cryptsetup.c:3299
 msgid "converts a key to new pbkdf parameters"
 msgstr "перетворює ключ до нових параметрів pbkdf"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "<device> <key slot>"
 msgstr "<пристрій> <слот ключа>"
 
-#: src/cryptsetup.c:3224
+#: src/cryptsetup.c:3300
 msgid "wipes key with number <key slot> from LUKS device"
 msgstr "вилучає ключ з номером <слот ключа> з пристрою LUKS"
 
-#: src/cryptsetup.c:3225
+#: src/cryptsetup.c:3301
 msgid "print UUID of LUKS device"
 msgstr "вивести UUID пристрою LUKS"
 
-#: src/cryptsetup.c:3226
+#: src/cryptsetup.c:3302
 msgid "tests <device> for LUKS partition header"
 msgstr "виконати спробу виявлення заголовка розділу LUKS на пристрої <пристрій>"
 
-#: src/cryptsetup.c:3227
+#: src/cryptsetup.c:3303
 msgid "dump LUKS partition information"
 msgstr "створити дамп даних щодо розділу LUKS"
 
-#: src/cryptsetup.c:3228
+#: src/cryptsetup.c:3304
 msgid "dump TCRYPT device information"
 msgstr "створити дамп даних пристрою TCRYPT"
 
-#: src/cryptsetup.c:3229
+#: src/cryptsetup.c:3305
+msgid "dump BITLK device information"
+msgstr "створити дамп даних пристрою BITLK"
+
+#: src/cryptsetup.c:3306
 msgid "Suspend LUKS device and wipe key (all IOs are frozen)"
 msgstr "Приспати пристрій LUKS і витерти ключ (роботу всіх каналів введення-виведення буде заморожено)"
 
-#: src/cryptsetup.c:3230
+#: src/cryptsetup.c:3307
 msgid "Resume suspended LUKS device"
 msgstr "Відновити роботу приспаного пристрою LUKS"
 
-#: src/cryptsetup.c:3231
+#: src/cryptsetup.c:3308
 msgid "Backup LUKS device header and keyslots"
 msgstr "Створити резервну копію заголовка пристрою LUKS і слотів ключів"
 
-#: src/cryptsetup.c:3232
+#: src/cryptsetup.c:3309
 msgid "Restore LUKS device header and keyslots"
 msgstr "Відновити заголовок пристрою LUKS і слоти ключів"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "<add|remove|import|export> <device>"
 msgstr "<add|remove|import|export> <пристрій>"
 
-#: src/cryptsetup.c:3233
+#: src/cryptsetup.c:3310
 msgid "Manipulate LUKS2 tokens"
 msgstr "Керування ключами LUKS2"
 
-#: src/cryptsetup.c:3251 src/veritysetup.c:376 src/integritysetup.c:488
+#: src/cryptsetup.c:3328 src/veritysetup.c:412 src/integritysetup.c:492
 msgid ""
 "\n"
 "<action> is one of:\n"
@@ -2165,20 +2296,20 @@
 "\n"
 "<дія> є однією з таких:\n"
 
-#: src/cryptsetup.c:3257
+#: src/cryptsetup.c:3334
 msgid ""
 "\n"
 "You can also use old <action> syntax aliases:\n"
-"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 msgstr ""
 "\n"
 "Ви також можете скористатися застарілими альтернативними\n"
 "синтаксичними конструкціями для запису <дія>:\n"
-"\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-"\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"
+"\tвідкрити: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+"\tзакрити: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"
 
-#: src/cryptsetup.c:3261
+#: src/cryptsetup.c:3338
 #, c-format
 msgid ""
 "\n"
@@ -2193,7 +2324,7 @@
 "<слот ключа> — номер слота ключа LUKS, який слід змінити\n"
 "<файл ключа> — необов’язковий файл ключа для нового ключа для дії luksAddKey\n"
 
-#: src/cryptsetup.c:3268
+#: src/cryptsetup.c:3345
 #, c-format
 msgid ""
 "\n"
@@ -2202,7 +2333,7 @@
 "\n"
 "Типовий укомпільований формат метаданих — %s (для дії luksFormat).\n"
 
-#: src/cryptsetup.c:3273
+#: src/cryptsetup.c:3350
 #, c-format
 msgid ""
 "\n"
@@ -2219,7 +2350,7 @@
 "Типовий PBKDF для LUKS2: %s\n"
 "\tЧас ітерації: %d, потрібний обсяг пам'яті: %d кБ, паралельних потоків: %d\n"
 
-#: src/cryptsetup.c:3284
+#: src/cryptsetup.c:3361
 #, c-format
 msgid ""
 "\n"
@@ -2234,439 +2365,443 @@
 "\tзвичайне: %s, ключ: %d-бітовий, хешування пароля: %s\n"
 "\tLUKS: %s, ключ: %d-бітовий, хешування заголовка LUKS: %s, RNG: %s\n"
 
-#: src/cryptsetup.c:3293
+#: src/cryptsetup.c:3370
 msgid "\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"
 msgstr "\tLUKS: типовий розмір ключа у режимі XTS (два вбудованих ключа) буде подвоєно.\n"
 
-#: src/cryptsetup.c:3309 src/veritysetup.c:532 src/integritysetup.c:630
+#: src/cryptsetup.c:3386 src/veritysetup.c:569 src/integritysetup.c:634
 #, c-format
 msgid "%s: requires %s as arguments"
 msgstr "%s: слід вказати у параметрах %s"
 
-#: src/cryptsetup.c:3347 src/veritysetup.c:421 src/integritysetup.c:527
-#: src/cryptsetup_reencrypt.c:1591
+#: src/cryptsetup.c:3419 src/veritysetup.c:457 src/integritysetup.c:530
+#: src/cryptsetup_reencrypt.c:1600
 msgid "Show this help message"
 msgstr "Показати цю довідку"
 
-#: src/cryptsetup.c:3348 src/veritysetup.c:422 src/integritysetup.c:528
-#: src/cryptsetup_reencrypt.c:1592
+#: src/cryptsetup.c:3420 src/veritysetup.c:458 src/integritysetup.c:531
+#: src/cryptsetup_reencrypt.c:1601
 msgid "Display brief usage"
 msgstr "Показати короткі настанови щодо користування"
 
-#: src/cryptsetup.c:3349 src/veritysetup.c:423 src/integritysetup.c:529
-#: src/cryptsetup_reencrypt.c:1593
+#: src/cryptsetup.c:3421 src/veritysetup.c:459 src/integritysetup.c:532
+#: src/cryptsetup_reencrypt.c:1602
 msgid "Print package version"
 msgstr "Вивести дані щодо версії пакунка"
 
-#: src/cryptsetup.c:3353 src/veritysetup.c:427 src/integritysetup.c:533
-#: src/cryptsetup_reencrypt.c:1597
+#: src/cryptsetup.c:3425 src/veritysetup.c:463 src/integritysetup.c:536
+#: src/cryptsetup_reencrypt.c:1606
 msgid "Help options:"
 msgstr "Пункти довідки:"
 
-#: src/cryptsetup.c:3354 src/veritysetup.c:428 src/integritysetup.c:534
-#: src/cryptsetup_reencrypt.c:1598
+#: src/cryptsetup.c:3426 src/veritysetup.c:464 src/integritysetup.c:537
+#: src/cryptsetup_reencrypt.c:1607
 msgid "Shows more detailed error messages"
 msgstr "Показувати докладні повідомлення про помилки"
 
-#: src/cryptsetup.c:3355 src/veritysetup.c:429 src/integritysetup.c:535
-#: src/cryptsetup_reencrypt.c:1599
+#: src/cryptsetup.c:3427 src/veritysetup.c:465 src/integritysetup.c:538
+#: src/cryptsetup_reencrypt.c:1608
 msgid "Show debug messages"
 msgstr "Показувати діагностичні повідомлення"
 
-#: src/cryptsetup.c:3356
+#: src/cryptsetup.c:3428
 msgid "Show debug messages including JSON metadata"
 msgstr "Показувати діагностичні повідомлення, зокрема метадані JSON"
 
-#: src/cryptsetup.c:3357 src/cryptsetup_reencrypt.c:1601
+#: src/cryptsetup.c:3429 src/cryptsetup_reencrypt.c:1610
 msgid "The cipher used to encrypt the disk (see /proc/crypto)"
 msgstr "Шифр, який використано для шифрування даних диска (див. /proc/crypto)"
 
-#: src/cryptsetup.c:3358 src/cryptsetup_reencrypt.c:1603
+#: src/cryptsetup.c:3430 src/cryptsetup_reencrypt.c:1612
 msgid "The hash used to create the encryption key from the passphrase"
 msgstr "Хеш, використаний для створення ключа шифрування на основі пароля"
 
-#: src/cryptsetup.c:3359
+#: src/cryptsetup.c:3431
 msgid "Verifies the passphrase by asking for it twice"
 msgstr "Перевіряє пароль повторним запитом щодо нього"
 
-#: src/cryptsetup.c:3360 src/cryptsetup_reencrypt.c:1605
+#: src/cryptsetup.c:3432 src/cryptsetup_reencrypt.c:1614
 msgid "Read the key from a file"
 msgstr "Прочитати ключ з файла"
 
-#: src/cryptsetup.c:3361
+#: src/cryptsetup.c:3433
 msgid "Read the volume (master) key from file."
 msgstr "Прочитати ключ тому (основний ключ) з файла."
 
-#: src/cryptsetup.c:3362
+#: src/cryptsetup.c:3434
 msgid "Dump volume (master) key instead of keyslots info"
 msgstr "Створити дамп ключа тому (основного ключа) замість показу даних щодо слотів ключів"
 
-#: src/cryptsetup.c:3363 src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup_reencrypt.c:1611
 msgid "The size of the encryption key"
 msgstr "Розмір ключа шифрування"
 
-#: src/cryptsetup.c:3363 src/cryptsetup.c:3422 src/integritysetup.c:553
-#: src/integritysetup.c:557 src/integritysetup.c:561
-#: src/cryptsetup_reencrypt.c:1602
+#: src/cryptsetup.c:3435 src/cryptsetup.c:3495 src/integritysetup.c:556
+#: src/integritysetup.c:560 src/integritysetup.c:564
+#: src/cryptsetup_reencrypt.c:1611
 msgid "BITS"
 msgstr "БІТИ"
 
-#: src/cryptsetup.c:3364 src/cryptsetup_reencrypt.c:1618
+#: src/cryptsetup.c:3436 src/cryptsetup_reencrypt.c:1627
 msgid "Limits the read from keyfile"
 msgstr "Обмежує читання з файла ключа"
 
-#: src/cryptsetup.c:3364 src/cryptsetup.c:3365 src/cryptsetup.c:3366
-#: src/cryptsetup.c:3367 src/cryptsetup.c:3370 src/cryptsetup.c:3419
-#: src/cryptsetup.c:3420 src/cryptsetup.c:3428 src/cryptsetup.c:3429
-#: src/veritysetup.c:432 src/veritysetup.c:433 src/veritysetup.c:434
-#: src/veritysetup.c:437 src/veritysetup.c:438 src/integritysetup.c:542
-#: src/integritysetup.c:548 src/integritysetup.c:549
-#: src/cryptsetup_reencrypt.c:1617 src/cryptsetup_reencrypt.c:1618
-#: src/cryptsetup_reencrypt.c:1619 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3436 src/cryptsetup.c:3437 src/cryptsetup.c:3438
+#: src/cryptsetup.c:3439 src/cryptsetup.c:3442 src/cryptsetup.c:3492
+#: src/cryptsetup.c:3493 src/cryptsetup.c:3501 src/cryptsetup.c:3502
+#: src/veritysetup.c:468 src/veritysetup.c:469 src/veritysetup.c:470
+#: src/veritysetup.c:473 src/veritysetup.c:474 src/integritysetup.c:545
+#: src/integritysetup.c:551 src/integritysetup.c:552
+#: src/cryptsetup_reencrypt.c:1626 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup_reencrypt.c:1628 src/cryptsetup_reencrypt.c:1629
 msgid "bytes"
 msgstr "байти"
 
-#: src/cryptsetup.c:3365 src/cryptsetup_reencrypt.c:1617
+#: src/cryptsetup.c:3437 src/cryptsetup_reencrypt.c:1626
 msgid "Number of bytes to skip in keyfile"
 msgstr "Кількість байтів, які слід пропустити у файлі ключа"
 
-#: src/cryptsetup.c:3366
+#: src/cryptsetup.c:3438
 msgid "Limits the read from newly added keyfile"
 msgstr "Обмежує читання з щойно доданого файла ключа"
 
-#: src/cryptsetup.c:3367
+#: src/cryptsetup.c:3439
 msgid "Number of bytes to skip in newly added keyfile"
 msgstr "Кількість байтів, які слід пропустити у щойно доданому файлі ключа"
 
-#: src/cryptsetup.c:3368
+#: src/cryptsetup.c:3440
 msgid "Slot number for new key (default is first free)"
 msgstr "Номер слоту для нового ключа (типовим слотом є перший вільний слот)"
 
-#: src/cryptsetup.c:3369
+#: src/cryptsetup.c:3441
 msgid "The size of the device"
 msgstr "Розмір пристрою"
 
-#: src/cryptsetup.c:3369 src/cryptsetup.c:3371 src/cryptsetup.c:3372
-#: src/cryptsetup.c:3378 src/integritysetup.c:543 src/integritysetup.c:550
+#: src/cryptsetup.c:3441 src/cryptsetup.c:3443 src/cryptsetup.c:3444
+#: src/cryptsetup.c:3450 src/integritysetup.c:546 src/integritysetup.c:553
 msgid "SECTORS"
 msgstr "СЕКТОРИ"
 
-#: src/cryptsetup.c:3370 src/cryptsetup_reencrypt.c:1620
+#: src/cryptsetup.c:3442 src/cryptsetup_reencrypt.c:1629
 msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
 msgstr "Використовувати лише вказаний розмір пристрою (ігнорувати решту об’єму). НЕБЕЗПЕЧНО!"
 
-#: src/cryptsetup.c:3371
+#: src/cryptsetup.c:3443
 msgid "The start offset in the backend device"
 msgstr "Початковий відступ на допоміжному пристрої"
 
-#: src/cryptsetup.c:3372
+#: src/cryptsetup.c:3444
 msgid "How many sectors of the encrypted data to skip at the beginning"
 msgstr "Кількість секторів зашифрованих даних, які слід пропустити на початку"
 
-#: src/cryptsetup.c:3373
+#: src/cryptsetup.c:3445
 msgid "Create a readonly mapping"
 msgstr "Створити призначення у режимі лише читання"
 
-#: src/cryptsetup.c:3374 src/integritysetup.c:536
-#: src/cryptsetup_reencrypt.c:1608
+#: src/cryptsetup.c:3446 src/integritysetup.c:539
+#: src/cryptsetup_reencrypt.c:1617
 msgid "Do not ask for confirmation"
 msgstr "Не питати про підтвердження"
 
-#: src/cryptsetup.c:3375
+#: src/cryptsetup.c:3447
 msgid "Timeout for interactive passphrase prompt (in seconds)"
 msgstr "Час очікування у інтерактивному запиті щодо пароля (у секундах)"
 
-#: src/cryptsetup.c:3375 src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3447 src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "secs"
 msgstr "секунди"
 
-#: src/cryptsetup.c:3376 src/integritysetup.c:537
-#: src/cryptsetup_reencrypt.c:1609
+#: src/cryptsetup.c:3448 src/integritysetup.c:540
+#: src/cryptsetup_reencrypt.c:1618
 msgid "Progress line update (in seconds)"
 msgstr "Оновлення лінії поступу (у секундах)"
 
-#: src/cryptsetup.c:3377 src/cryptsetup_reencrypt.c:1610
+#: src/cryptsetup.c:3449 src/cryptsetup_reencrypt.c:1619
 msgid "How often the input of the passphrase can be retried"
 msgstr "Частота повторень спроб отримання вхідних даних пароля"
 
-#: src/cryptsetup.c:3378
+#: src/cryptsetup.c:3450
 msgid "Align payload at <n> sector boundaries - for luksFormat"
 msgstr "Вирівняти дані за областями у <n> секторів, для luksFormat"
 
-#: src/cryptsetup.c:3379
+#: src/cryptsetup.c:3451
 msgid "File with LUKS header and keyslots backup"
 msgstr "Файл з заголовком LUKS та резервною копію слотів ключів"
 
-#: src/cryptsetup.c:3380 src/cryptsetup_reencrypt.c:1611
+#: src/cryptsetup.c:3452 src/cryptsetup_reencrypt.c:1620
 msgid "Use /dev/random for generating volume key"
 msgstr "Використовувати для створення ключа тому /dev/random"
 
-#: src/cryptsetup.c:3381 src/cryptsetup_reencrypt.c:1612
+#: src/cryptsetup.c:3453 src/cryptsetup_reencrypt.c:1621
 msgid "Use /dev/urandom for generating volume key"
 msgstr "Використовувати для створення ключа тому /dev/urandom"
 
-#: src/cryptsetup.c:3382
+#: src/cryptsetup.c:3454
 msgid "Share device with another non-overlapping crypt segment"
 msgstr "Використовувати пристрій спільно з іншим сегментом шифрування, без перекриття"
 
-#: src/cryptsetup.c:3383 src/veritysetup.c:441
+#: src/cryptsetup.c:3455 src/veritysetup.c:477
 msgid "UUID for device to use"
 msgstr "UUID пристрою, який слід використати"
 
-#: src/cryptsetup.c:3384
+#: src/cryptsetup.c:3456
 msgid "Allow discards (aka TRIM) requests for device"
 msgstr "Дозволити запити відкидання (або TRIM) до пристрою"
 
-#: src/cryptsetup.c:3385 src/cryptsetup_reencrypt.c:1629
+#: src/cryptsetup.c:3457 src/cryptsetup_reencrypt.c:1638
 msgid "Device or file with separated LUKS header"
 msgstr "Пристрій або файл з окремим заголовком LUKS"
 
-#: src/cryptsetup.c:3386
+#: src/cryptsetup.c:3458
 msgid "Do not activate device, just check passphrase"
 msgstr "Не задіювати пристрій, просто перевірити пароль"
 
-#: src/cryptsetup.c:3387
+#: src/cryptsetup.c:3459
 msgid "Use hidden header (hidden TCRYPT device)"
 msgstr "Використовувати прихований заголовок (прихований пристрій TCRYPT)"
 
-#: src/cryptsetup.c:3388
+#: src/cryptsetup.c:3460
 msgid "Device is system TCRYPT drive (with bootloader)"
 msgstr "Пристрій є системним диском TCRYPT (диском з завантажувачем)"
 
-#: src/cryptsetup.c:3389
+#: src/cryptsetup.c:3461
 msgid "Use backup (secondary) TCRYPT header"
 msgstr "Використовувати резервний (вторинний) заголовок TCRYPT"
 
-#: src/cryptsetup.c:3390
+#: src/cryptsetup.c:3462
 msgid "Scan also for VeraCrypt compatible device"
 msgstr "Виконати також пошук сумісних із VeraCrypt пристроїв"
 
-#: src/cryptsetup.c:3391
+#: src/cryptsetup.c:3463
 msgid "Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Особистий множник ітерації (Personal Iteration Multiplier або PIM) для сумісного з VeraCrypt пристрою"
 
-#: src/cryptsetup.c:3392
+#: src/cryptsetup.c:3464
 msgid "Query Personal Iteration Multiplier for VeraCrypt compatible device"
 msgstr "Особистий множник ітерації (Personal Iteration Multiplier або PIM) запису для сумісного з VeraCrypt пристрою"
 
-#: src/cryptsetup.c:3393
-msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"
-msgstr "Типи метаданих пристрою: luks, luks1, luks2, plain, loopaes, tcrypt"
+#: src/cryptsetup.c:3465
+msgid "Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
+msgstr "Типи метаданих пристрою: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"
 
-#: src/cryptsetup.c:3394
+#: src/cryptsetup.c:3466
 msgid "Disable password quality check (if enabled)"
 msgstr "Вимкнути перевірку якості пароля (якщо її увімкнено)"
 
-#: src/cryptsetup.c:3395
+#: src/cryptsetup.c:3467
 msgid "Use dm-crypt same_cpu_crypt performance compatibility option"
 msgstr "Скористатися параметром сумісності швидкодії dm-crypt same_cpu_crypt"
 
-#: src/cryptsetup.c:3396
+#: src/cryptsetup.c:3468
 msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option"
 msgstr "Скористатися параметром сумісності швидкодії dm-crypt submit_from_crypt_cpus"
 
-#: src/cryptsetup.c:3397
+#: src/cryptsetup.c:3469
 msgid "Device removal is deferred until the last user closes it"
 msgstr "Вилучення пристрою відкладено до часу, коли останній користувач закриє його"
 
-#: src/cryptsetup.c:3398
+#: src/cryptsetup.c:3470
 msgid "Use global lock to serialize memory hard PBKDF (OOM workaround)"
 msgstr "Скористатися загальним блокуванням для перетворення у послідовну форму «жорсткого» PBKDF у пам'яті (обхід OOM)"
 
-#: src/cryptsetup.c:3399
+#: src/cryptsetup.c:3471
 msgid "PBKDF iteration time for LUKS (in ms)"
 msgstr "Тривалість ітерації PBKDF для LUKS (у мс)"
 
-#: src/cryptsetup.c:3399 src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup.c:3471 src/cryptsetup_reencrypt.c:1616
 msgid "msecs"
 msgstr "мс"
 
-#: src/cryptsetup.c:3400 src/cryptsetup_reencrypt.c:1625
+#: src/cryptsetup.c:3472 src/cryptsetup_reencrypt.c:1634
 msgid "PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2"
 msgstr "Алгоритм PBKDF (для LUKS2) (argon2i/argon2id/pbkdf2)"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "PBKDF memory cost limit"
 msgstr "Обмеження вартості пам'яті PBKDF"
 
-#: src/cryptsetup.c:3401 src/cryptsetup_reencrypt.c:1626
+#: src/cryptsetup.c:3473 src/cryptsetup_reencrypt.c:1635
 msgid "kilobytes"
 msgstr "кілобайти"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "PBKDF parallel cost"
 msgstr "Вартість розпаралелювання PBKDF"
 
-#: src/cryptsetup.c:3402 src/cryptsetup_reencrypt.c:1627
+#: src/cryptsetup.c:3474 src/cryptsetup_reencrypt.c:1636
 msgid "threads"
 msgstr "threads"
 
-#: src/cryptsetup.c:3403 src/cryptsetup_reencrypt.c:1628
+#: src/cryptsetup.c:3475 src/cryptsetup_reencrypt.c:1637
 msgid "PBKDF iterations cost (forced, disables benchmark)"
 msgstr "Вартість ітерацій PBKDF (примусово, вимикає тестування)"
 
-#: src/cryptsetup.c:3404
+#: src/cryptsetup.c:3476
 msgid "Keyslot priority: ignore, normal, prefer"
 msgstr "Пріоритетність слотів ключів: ignore, normal, prefer"
 
-#: src/cryptsetup.c:3405
+#: src/cryptsetup.c:3477
 msgid "Disable locking of on-disk metadata"
 msgstr "Вимкнути блокування метаданих на диску"
 
-#: src/cryptsetup.c:3406
+#: src/cryptsetup.c:3478
 msgid "Disable loading volume keys via kernel keyring"
 msgstr "Вимкнути завантаження ключів тому за допомогою сховища ключів ядра"
 
-#: src/cryptsetup.c:3407
+#: src/cryptsetup.c:3479
 msgid "Data integrity algorithm (LUKS2 only)"
 msgstr "Алгоритм перевірки цілісності даних (лише LUKS2)"
 
-#: src/cryptsetup.c:3408 src/integritysetup.c:564
+#: src/cryptsetup.c:3480 src/integritysetup.c:567
 msgid "Disable journal for integrity device"
 msgstr "Вимкнути журнал для пристрою забезпечення цілісності"
 
-#: src/cryptsetup.c:3409 src/integritysetup.c:538
+#: src/cryptsetup.c:3481 src/integritysetup.c:541
 msgid "Do not wipe device after format"
 msgstr "Не витирати пристрій після форматування"
 
-#: src/cryptsetup.c:3410
+#: src/cryptsetup.c:3482 src/integritysetup.c:571
+msgid "Use inefficient legacy padding (old kernels)"
+msgstr "Скористатися неефективним застарілим відступом (застарілі ядра)"
+
+#: src/cryptsetup.c:3483
 msgid "Do not ask for passphrase if activation by token fails"
 msgstr "Не просити ввести пароль, якщо не вдасться скористатися активацією за ключем"
 
-#: src/cryptsetup.c:3411
+#: src/cryptsetup.c:3484
 msgid "Token number (default: any)"
 msgstr "Номер ключа (типове значення: будь-який)"
 
-#: src/cryptsetup.c:3412
+#: src/cryptsetup.c:3485
 msgid "Key description"
 msgstr "Опис ключа"
 
-#: src/cryptsetup.c:3413
+#: src/cryptsetup.c:3486
 msgid "Encryption sector size (default: 512 bytes)"
 msgstr "Розмір сектора шифрування (типове значення: 512 байтів)"
 
-#: src/cryptsetup.c:3414
+#: src/cryptsetup.c:3487
 msgid "Set activation flags persistent for device"
 msgstr "Встановити сталі прапорці активації для пристрою"
 
-#: src/cryptsetup.c:3415
+#: src/cryptsetup.c:3488
 msgid "Set label for the LUKS2 device"
 msgstr "Встановити мітку для пристрою LUKS2"
 
-#: src/cryptsetup.c:3416
+#: src/cryptsetup.c:3489
 msgid "Set subsystem label for the LUKS2 device"
 msgstr "Встановити мітку підтому для пристрою LUKS2"
 
-#: src/cryptsetup.c:3417
+#: src/cryptsetup.c:3490
 msgid "Create unbound (no assigned data segment) LUKS2 keyslot"
 msgstr "Створити непов'язаний (без пов'язаного сегмента даних) слот ключів LUKS2"
 
-#: src/cryptsetup.c:3418
+#: src/cryptsetup.c:3491
 msgid "Read or write the json from or to a file"
 msgstr "Прочитати json з файла або записати json до файла"
 
-#: src/cryptsetup.c:3419
+#: src/cryptsetup.c:3492
 msgid "LUKS2 header metadata area size"
 msgstr "Розмір області метаданих у заголовку LUKS2"
 
-#: src/cryptsetup.c:3420
+#: src/cryptsetup.c:3493
 msgid "LUKS2 header keyslots area size"
 msgstr "Розмір області слотів ключів у заголовку LUKS2"
 
-#: src/cryptsetup.c:3421
+#: src/cryptsetup.c:3494
 msgid "Refresh (reactivate) device with new parameters"
 msgstr "Оновити (повторно активувати) пристрій згідно з новими параметрами"
 
-#: src/cryptsetup.c:3422
+#: src/cryptsetup.c:3495
 msgid "LUKS2 keyslot: The size of the encryption key"
 msgstr "Слот ключів LUKS2: розмір ключа шифрування"
 
-#: src/cryptsetup.c:3423
+#: src/cryptsetup.c:3496
 msgid "LUKS2 keyslot: The cipher used for keyslot encryption"
 msgstr "Слот ключа LUKS2: шифрування, яке використано для слоту ключів"
 
-#: src/cryptsetup.c:3424
+#: src/cryptsetup.c:3497
 msgid "Encrypt LUKS2 device (in-place encryption)."
 msgstr "Зашифрувати пристрій LUKS2 (шифрування на місці)."
 
-#: src/cryptsetup.c:3425
+#: src/cryptsetup.c:3498
 msgid "Decrypt LUKS2 device (remove encryption)."
 msgstr "Розшифрувати пристрій LUKS2 (усунути шифрування)."
 
-#: src/cryptsetup.c:3426
+#: src/cryptsetup.c:3499
 msgid "Initialize LUKS2 reencryption in metadata only."
 msgstr "Ініціалізувати повторне шифрування LUKS2 лише у метаданих."
 
-#: src/cryptsetup.c:3427
+#: src/cryptsetup.c:3500
 msgid "Resume initialized LUKS2 reencryption only."
 msgstr "Відновлювати лише ініціалізоване повторне шифрування LUKS2."
 
-#: src/cryptsetup.c:3428 src/cryptsetup_reencrypt.c:1619
+#: src/cryptsetup.c:3501 src/cryptsetup_reencrypt.c:1628
 msgid "Reduce data device size (move data offset). DANGEROUS!"
 msgstr "Зменшити розмір пристрою зберігання даних (змістити відступ даних). НЕБЕЗПЕЧНО!"
 
-#: src/cryptsetup.c:3429
+#: src/cryptsetup.c:3502
 msgid "Maximal reencryption hotzone size."
 msgstr "Максимальний розмір «гарячої» ділянки повторного шифрування."
 
-#: src/cryptsetup.c:3430
+#: src/cryptsetup.c:3503
 msgid "Reencryption hotzone resilience type (checksum,journal,none)"
 msgstr "Тип стійкості «гарячої» ділянки повторного шифрування (checksum (контрольна сума), journal (журнал), none (немає))"
 
-#: src/cryptsetup.c:3431
+#: src/cryptsetup.c:3504
 msgid "Reencryption hotzone checksums hash"
 msgstr "Хеш контрольних сум «гарячої» ділянки повторного шифрування"
 
-#: src/cryptsetup.c:3432
+#: src/cryptsetup.c:3505
 msgid "Override device autodetection of dm device to be reencrypted"
 msgstr "Перевизначити автоматично визначені параметри пристрою dm, який буде повторно зашифровано"
 
-#: src/cryptsetup.c:3448 src/veritysetup.c:462 src/integritysetup.c:583
+#: src/cryptsetup.c:3521 src/veritysetup.c:499 src/integritysetup.c:587
 msgid "[OPTION...] <action> <action-specific>"
 msgstr "[ПАРАМЕТР...] <дія> <параметри_дії>"
 
-#: src/cryptsetup.c:3499 src/veritysetup.c:496 src/integritysetup.c:594
+#: src/cryptsetup.c:3572 src/veritysetup.c:533 src/integritysetup.c:598
 msgid "Argument <action> missing."
 msgstr "Не вказано аргумент <дія>."
 
-#: src/cryptsetup.c:3562 src/veritysetup.c:527 src/integritysetup.c:625
+#: src/cryptsetup.c:3641 src/veritysetup.c:564 src/integritysetup.c:629
 msgid "Unknown action."
 msgstr "Невідома дія."
 
-#: src/cryptsetup.c:3572
+#: src/cryptsetup.c:3651
 msgid "Parameter --refresh is only allowed with open or refresh commands.\n"
 msgstr "Параметром --refresh можна користуватися лише для команд open або refresh.\n"
 
-#: src/cryptsetup.c:3577
+#: src/cryptsetup.c:3656
 msgid "Options --refresh and --test-passphrase are mutually exclusive.\n"
 msgstr "Не можна поєднувати параметри --refresh і --test-passphrase.\n"
 
-#: src/cryptsetup.c:3582
+#: src/cryptsetup.c:3661
 msgid "Option --deferred is allowed only for close command.\n"
 msgstr "Параметр --deferred можна використовувати лише для команди закриття (close).\n"
 
-#: src/cryptsetup.c:3587
+#: src/cryptsetup.c:3666
 msgid "Option --shared is allowed only for open of plain device.\n"
 msgstr "Параметр --shared можна використовувати лише для відкриття незашифрованого пристрою.\n"
 
-#: src/cryptsetup.c:3592
+#: src/cryptsetup.c:3671
 msgid "Option --allow-discards is allowed only for open operation.\n"
 msgstr "Параметр --shared можна використовувати лише для дії з відкриття.\n"
 
-#: src/cryptsetup.c:3597
+#: src/cryptsetup.c:3676
 msgid "Option --persistent is allowed only for open operation.\n"
 msgstr "Параметр --persistent можна використовувати лише для дії з відкриття.\n"
 
-#: src/cryptsetup.c:3602
+#: src/cryptsetup.c:3681
 msgid "Option --serialize-memory-hard-pbkdf is allowed only for open operation.\n"
 msgstr "Параметр --serialize-memory-hard-pbkdf можна використовувати лише для дії з відкриття.\n"
 
-#: src/cryptsetup.c:3607
+#: src/cryptsetup.c:3686
 msgid "Option --persistent is not allowed with --test-passphrase.\n"
 msgstr "Параметр --persistent не можна використовувати разом із --test-passphrase.\n"
 
-#: src/cryptsetup.c:3617
+#: src/cryptsetup.c:3696
 msgid ""
 "Option --key-size is allowed only for luksFormat, luksAddKey,\n"
 "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."
@@ -2674,245 +2809,255 @@
 "Параметр --key-size можна використовувати лише для luksFormat, luksAddKey,\n"
 "дій open і benchmark. Щоб обмежити читання з файла ключа, скористайтеся параметром --keyfile-size=(об’єм у байтах)."
 
-#: src/cryptsetup.c:3623
+#: src/cryptsetup.c:3702
 msgid "Option --integrity is allowed only for luksFormat (LUKS2).\n"
 msgstr "Параметр --integrity можна використовувати лише для luksFormat (LUKS2).\n"
 
-#: src/cryptsetup.c:3628
+#: src/cryptsetup.c:3707
 msgid "Option --integrity-no-wipe can be used only for format action with integrity extension.\n"
 msgstr "Параметром --integrity-no-wipe можна користуватися лише для дії з форматування із розширенням забезпечення цілісності.\n"
 
-#: src/cryptsetup.c:3634
+#: src/cryptsetup.c:3713
 msgid "Options --label and --subsystem are allowed only for luksFormat and config LUKS2 operations.\n"
 msgstr "Параметри --label і --subsystem можна використовувати лише для дій luksFormat та config для LUKS2.\n"
 
-#: src/cryptsetup.c:3640
-msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
-msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS та TCRYPT.\n"
+#: src/cryptsetup.c:3719
+msgid "Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"
+msgstr "Параметр --test-passphrase можна використовувати лише для відкриття пристроїв LUKS, TCRYPT та BITLK.\n"
 
-#: src/cryptsetup.c:3645 src/cryptsetup_reencrypt.c:1692
+#: src/cryptsetup.c:3724 src/cryptsetup_reencrypt.c:1701
 msgid "Key size must be a multiple of 8 bits"
 msgstr "Розмір ключа має бути кратним 8 бітам"
 
-#: src/cryptsetup.c:3651 src/cryptsetup_reencrypt.c:1378
-#: src/cryptsetup_reencrypt.c:1697
+#: src/cryptsetup.c:3730 src/cryptsetup_reencrypt.c:1387
+#: src/cryptsetup_reencrypt.c:1706
 msgid "Key slot is invalid."
 msgstr "Некоректний слот ключа."
 
-#: src/cryptsetup.c:3658
+#: src/cryptsetup.c:3737
 msgid "Option --key-file takes precedence over specified key file argument."
 msgstr "Параметр --key-file має пріоритет над вказаним параметром файла ключа."
 
-#: src/cryptsetup.c:3665 src/veritysetup.c:539 src/integritysetup.c:649
-#: src/cryptsetup_reencrypt.c:1671
+#: src/cryptsetup.c:3744 src/veritysetup.c:576 src/integritysetup.c:650
+#: src/cryptsetup_reencrypt.c:1680
 msgid "Negative number for option not permitted."
 msgstr "Не можна використовувати від’ємні значення для параметра."
 
-#: src/cryptsetup.c:3669
+#: src/cryptsetup.c:3748
 msgid "Only one --key-file argument is allowed."
 msgstr "Можна використовувати лише один аргумент --key-file."
 
-#: src/cryptsetup.c:3673 src/cryptsetup_reencrypt.c:1663
-#: src/cryptsetup_reencrypt.c:1701
+#: src/cryptsetup.c:3752 src/cryptsetup_reencrypt.c:1672
+#: src/cryptsetup_reencrypt.c:1710
 msgid "Only one of --use-[u]random options is allowed."
 msgstr "Можна використовувати лише один з параметрів --use-[u]random."
 
-#: src/cryptsetup.c:3677
+#: src/cryptsetup.c:3756
 msgid "Option --use-[u]random is allowed only for luksFormat."
 msgstr "Параметр --use-[u]random можна використовувати лише для дії luksFormat."
 
-#: src/cryptsetup.c:3681
+#: src/cryptsetup.c:3760
 msgid "Option --uuid is allowed only for luksFormat and luksUUID."
 msgstr "Параметр --uuid можна використовувати лише для дій luksFormat і luksUUID."
 
-#: src/cryptsetup.c:3685
+#: src/cryptsetup.c:3764
 msgid "Option --align-payload is allowed only for luksFormat."
 msgstr "Параметр --align-payload можна використовувати лише для дії luksFormat."
 
-#: src/cryptsetup.c:3689
+#: src/cryptsetup.c:3768
 msgid "Options --luks2-metadata-size and --opt-luks2-keyslots-size are allowed only for luksFormat with LUKS2."
 msgstr "Параметрами --luks2-metadata-size і --opt-luks2-keyslots-size можна користуватися лише для luksFormat з LUKS2."
 
-#: src/cryptsetup.c:3694
+#: src/cryptsetup.c:3773
 msgid "Invalid LUKS2 metadata size specification."
 msgstr "Некоректна специфікація розміру метаданих LUKS2."
 
-#: src/cryptsetup.c:3698
+#: src/cryptsetup.c:3777
 msgid "Invalid LUKS2 keyslots size specification."
 msgstr "Некоректна специфікація розміру слоту ключів LUKS2."
 
-#: src/cryptsetup.c:3702
+#: src/cryptsetup.c:3781
 msgid "Options --align-payload and --offset cannot be combined."
 msgstr "Не можна одночасно використовувати параметри --align-payload і --offset."
 
-#: src/cryptsetup.c:3708
+#: src/cryptsetup.c:3787
 msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
 msgstr "Підтримку параметра --skip передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes.\n"
 
-#: src/cryptsetup.c:3715
+#: src/cryptsetup.c:3794
 msgid "Option --offset is supported only for open of plain and loopaes devices, luksFormat and device reencryption.\n"
 msgstr "Підтримку параметра --offset передбачено лише для відкриття незашифрованих пристроїв та пристроїв loopaes, luksFormat та повторного шифрування.\n"
 
-#: src/cryptsetup.c:3721
+#: src/cryptsetup.c:3800
 msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
 msgstr "Підтримку параметрів --tcrypt-hidden, --tcrypt-system і --tcrypt-backup передбачено лише для пристроїв TCRYPT.\n"
 
-#: src/cryptsetup.c:3726
+#: src/cryptsetup.c:3805
 msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
 msgstr "Параметр --tcrypt-hidden не можна поєднувати з --allow-discards.\n"
 
-#: src/cryptsetup.c:3731
+#: src/cryptsetup.c:3810
 msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
 msgstr "Підтримку параметра --veracrypt передбачено лише для пристроїв TCRYPT.\n"
 
-#: src/cryptsetup.c:3737
+#: src/cryptsetup.c:3816
 msgid "Invalid argument for parameter --veracrypt-pim supplied.\n"
 msgstr "Надано некоректний аргумент для параметра --veracrypt-pim.\n"
 
-#: src/cryptsetup.c:3741
+#: src/cryptsetup.c:3820
 msgid "Option --veracrypt-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Параметр --veracrypt-pim можна використовувати лише для сумісних із VeraCrypt пристроїв.\n"
 
-#: src/cryptsetup.c:3749
+#: src/cryptsetup.c:3828
 msgid "Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices.\n"
 msgstr "Параметр --veracrypt-query-pim можна використовувати лише для сумісних із VeraCrypt пристроїв.\n"
 
-#: src/cryptsetup.c:3753
+#: src/cryptsetup.c:3832
 msgid "The options --veracrypt-pim and --veracrypt-query-pim are mutually exclusive.\n"
 msgstr "Не можна поєднувати параметри --veracrypt-pim і --veracrypt-query-pim.\n"
 
-#: src/cryptsetup.c:3760
+#: src/cryptsetup.c:3839
 msgid "Option --priority can be only ignore/normal/prefer.\n"
 msgstr "Значенням для параметра --priority може бути лише один з таких рядків: ignore, normal або prefer.\n"
 
-#: src/cryptsetup.c:3765
+#: src/cryptsetup.c:3844
 msgid "Keyslot specification is required.\n"
 msgstr "Слід вказати специфікація слотів ключів.\n"
 
-#: src/cryptsetup.c:3770 src/cryptsetup_reencrypt.c:1677
+#: src/cryptsetup.c:3849 src/cryptsetup_reencrypt.c:1686
 msgid "Password-based key derivation function (PBKDF) can be only pbkdf2 or argon2i/argon2id.\n"
 msgstr "Функцією отримання ключа на основі пароля (PBKDF) може бути лише pbkdf2 або argon2i/argon2id.\n"
 
-#: src/cryptsetup.c:3775 src/cryptsetup_reencrypt.c:1682
+#: src/cryptsetup.c:3854 src/cryptsetup_reencrypt.c:1691
 msgid "PBKDF forced iterations cannot be combined with iteration time option.\n"
 msgstr "Примусові ітерації PBKDF не можна поєднувати із параметром тривалості ітерацій.\n"
 
-#: src/cryptsetup.c:3781
+#: src/cryptsetup.c:3860
 msgid "Sector size option is not supported for this command.\n"
 msgstr "У цій команді не передбачено підтримки параметра розміру сектора.\n"
 
-#: src/cryptsetup.c:3787
+#: src/cryptsetup.c:3866
 msgid "Unsupported encryption sector size.\n"
 msgstr "Непідтримуваний розмір сектора шифрування.\n"
 
-#: src/cryptsetup.c:3792
+#: src/cryptsetup.c:3871
 msgid "Key size is required with --unbound option.\n"
 msgstr "Разом із параметром --unbound слід вказувати розмір ключа.\n"
 
-#: src/cryptsetup.c:3797
+#: src/cryptsetup.c:3876
 msgid "Option --unbound may be used only with luksAddKey action.\n"
 msgstr "Параметр --unbound можна використовувати лише з дією luksAddKey.\n"
 
-#: src/cryptsetup.c:3802
+#: src/cryptsetup.c:3881
 msgid "Option --refresh may be used only with open action.\n"
 msgstr "Параметр --refresh можна використовувати лише під час дії з відкриття (open).\n"
 
-#: src/cryptsetup.c:3813
+#: src/cryptsetup.c:3892
 msgid "Cannot disable metadata locking.\n"
 msgstr "Не вдалося вимкнути блокування метаданих.\n"
 
-#: src/cryptsetup.c:3823
+#: src/cryptsetup.c:3902
 msgid "Invalid max reencryption hotzone size specification."
 msgstr "Некоректна специфікація розміру «гарячої» ділянки повторного шифрування."
 
-#: src/cryptsetup.c:3831 src/cryptsetup_reencrypt.c:1706
-#: src/cryptsetup_reencrypt.c:1711
+#: src/cryptsetup.c:3910 src/cryptsetup_reencrypt.c:1715
+#: src/cryptsetup_reencrypt.c:1720
 msgid "Invalid device size specification."
 msgstr "Некоректна специфікація розміру пристрою."
 
-#: src/cryptsetup.c:3834
+#: src/cryptsetup.c:3913
 msgid "Maximum device reduce size is 1 GiB."
 msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 1 ГіБ."
 
-#: src/cryptsetup.c:3837 src/cryptsetup_reencrypt.c:1717
+#: src/cryptsetup.c:3916 src/cryptsetup_reencrypt.c:1726
 msgid "Reduce size must be multiple of 512 bytes sector."
 msgstr "Розмір зменшення має бути кратним до 512-байтового сектора."
 
-#: src/cryptsetup.c:3842
+#: src/cryptsetup.c:3921
 msgid "Invalid data size specification."
 msgstr "Некоректна специфікація розміру даних."
 
-#: src/cryptsetup.c:3847
+#: src/cryptsetup.c:3926
 msgid "Reduce size overflow."
 msgstr "Переповнення розміру зменшення."
 
-#: src/cryptsetup.c:3851
+#: src/cryptsetup.c:3930
 msgid "LUKS2 decryption requires option --header."
 msgstr "Розшифрування LUKS2 потребує параметра --header."
 
-#: src/cryptsetup.c:3855
+#: src/cryptsetup.c:3934
 msgid "Device size must be multiple of 512 bytes sector."
 msgstr "Розмір пристрою має бути кратним до 512-байтового сектора."
 
-#: src/cryptsetup.c:3859
+#: src/cryptsetup.c:3938
 msgid "Options --reduce-device-size and --data-size cannot be combined."
 msgstr "Не можна одночасно використовувати параметри --reduce-device-size і --data-size."
 
-#: src/cryptsetup.c:3863
+#: src/cryptsetup.c:3942
 msgid "Options --device-size and --size cannot be combined."
 msgstr "Не можна одночасно використовувати параметри --device-size і --size."
 
-#: src/veritysetup.c:65
+#: src/veritysetup.c:66
 msgid "Invalid salt string specified."
 msgstr "Вказано некоректний рядок солі."
 
-#: src/veritysetup.c:96
+#: src/veritysetup.c:97
 #, c-format
 msgid "Cannot create hash image %s for writing."
 msgstr "Не вдалося створити образ хешу %s для запису."
 
-#: src/veritysetup.c:106
+#: src/veritysetup.c:107
 #, c-format
 msgid "Cannot create FEC image %s for writing."
 msgstr "Не вдалося створити образ FEC %s для запису."
 
-#: src/veritysetup.c:176
+#: src/veritysetup.c:179
 msgid "Invalid root hash string specified."
 msgstr "Вказано некоректний рядок кореневого хешу."
 
-#: src/veritysetup.c:356
+#: src/veritysetup.c:187
+#, c-format
+msgid "Invalid signature file %s."
+msgstr "Некоректний файл підпису %s."
+
+#: src/veritysetup.c:194
+#, c-format
+msgid "Cannot read signature file %s."
+msgstr "Не вдалося прочитати файл підпису %s."
+
+#: src/veritysetup.c:392
 msgid "<data_device> <hash_device>"
 msgstr "<пристрій_даних> <пристрій_хешу>"
 
-#: src/veritysetup.c:356 src/integritysetup.c:469
+#: src/veritysetup.c:392 src/integritysetup.c:473
 msgid "format device"
 msgstr "форматувати пристрій"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "<data_device> <hash_device> <root_hash>"
 msgstr "<пристрій_даних> <пристрій_хешу> <кореневий_хеш>"
 
-#: src/veritysetup.c:357
+#: src/veritysetup.c:393
 msgid "verify device"
 msgstr "перевірити пристрій"
 
-#: src/veritysetup.c:358
+#: src/veritysetup.c:394
 msgid "<data_device> <name> <hash_device> <root_hash>"
 msgstr "<пристрій_даних> <назва> <пристрій_хешу> <кореневий_хеш>"
 
-#: src/veritysetup.c:360 src/integritysetup.c:472
+#: src/veritysetup.c:396 src/integritysetup.c:476
 msgid "show active device status"
 msgstr "показати стан активного пристрою"
 
-#: src/veritysetup.c:361
+#: src/veritysetup.c:397
 msgid "<hash_device>"
 msgstr "<пристрій_хешу>"
 
-#: src/veritysetup.c:361 src/integritysetup.c:473
+#: src/veritysetup.c:397 src/integritysetup.c:477
 msgid "show on-disk information"
 msgstr "показати вбудовані дані"
 
-#: src/veritysetup.c:380
+#: src/veritysetup.c:416
 #, c-format
 msgid ""
 "\n"
@@ -2927,7 +3072,7 @@
 "<пристрій_хешу> — пристрій, на якому зберігаються дані для перевірки\n"
 "<кореневий_хеш> — хеш кореневого вузла на пристрої <пристрій_хешу>\n"
 
-#: src/veritysetup.c:387
+#: src/veritysetup.c:423
 #, c-format
 msgid ""
 "\n"
@@ -2938,91 +3083,99 @@
 "Типові вбудовані параметри dm-verity:\n"
 "\tхеш: %s, блок даних (у байтах): %u, блок хешу (у байтах): %u, розмір солі: %u, формат хешування: %u\n"
 
-#: src/veritysetup.c:430
+#: src/veritysetup.c:466
 msgid "Do not use verity superblock"
 msgstr "Не використовувати суперблок verity"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "Format type (1 - normal, 0 - original Chrome OS)"
 msgstr "Тип форматування (1 — звичайне, 0 — початкове Chrome OS)"
 
-#: src/veritysetup.c:431
+#: src/veritysetup.c:467
 msgid "number"
 msgstr "номер"
 
-#: src/veritysetup.c:432
+#: src/veritysetup.c:468
 msgid "Block size on the data device"
 msgstr "Розмір блоку на пристрої даних"
 
-#: src/veritysetup.c:433
+#: src/veritysetup.c:469
 msgid "Block size on the hash device"
 msgstr "Розмір блоку на пристрої хешу"
 
-#: src/veritysetup.c:434
+#: src/veritysetup.c:470
 msgid "FEC parity bytes"
 msgstr "Байти парності FEC"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "The number of blocks in the data file"
 msgstr "Кількість блоків у файлі даних"
 
-#: src/veritysetup.c:435
+#: src/veritysetup.c:471
 msgid "blocks"
 msgstr "блоки"
 
-#: src/veritysetup.c:436
+#: src/veritysetup.c:472
 msgid "Path to device with error correction data"
 msgstr "Шлях до пристрою із даними для виправлення помилок"
 
-#: src/veritysetup.c:436 src/integritysetup.c:540
+#: src/veritysetup.c:472 src/integritysetup.c:543
 msgid "path"
 msgstr "шлях"
 
-#: src/veritysetup.c:437
+#: src/veritysetup.c:473
 msgid "Starting offset on the hash device"
 msgstr "Початковий відступ на пристрої хешу"
 
-#: src/veritysetup.c:438
+#: src/veritysetup.c:474
 msgid "Starting offset on the FEC device"
 msgstr "Початковий відступ на пристрої FEC"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "Hash algorithm"
 msgstr "Алгоритм хешування"
 
-#: src/veritysetup.c:439
+#: src/veritysetup.c:475
 msgid "string"
 msgstr "рядок"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "Salt"
 msgstr "Сіль"
 
-#: src/veritysetup.c:440
+#: src/veritysetup.c:476
 msgid "hex string"
 msgstr "шістнадцятковий рядок"
 
-#: src/veritysetup.c:442
+#: src/veritysetup.c:478
+msgid "Path to root hash signature file"
+msgstr "Шлях до файла підпису кореневого хешу"
+
+#: src/veritysetup.c:479
 msgid "Restart kernel if corruption is detected"
 msgstr "Перезапустити ядро, якщо виявлено пошкодження"
 
-#: src/veritysetup.c:443
+#: src/veritysetup.c:480
 msgid "Ignore corruption, log it only"
 msgstr "Ігнорувати пошкодження, лише записати повідомлення до журналу"
 
-#: src/veritysetup.c:444
+#: src/veritysetup.c:481
 msgid "Do not verify zeroed blocks"
 msgstr "Не перевіряти занулені блоки"
 
-#: src/veritysetup.c:445
+#: src/veritysetup.c:482
 msgid "Verify data block only the first time it is read"
 msgstr "Перевіряти блок даних лише під час його першого читання"
 
-#: src/veritysetup.c:545
+#: src/veritysetup.c:582
 msgid "Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"
 msgstr "Параметри --ignore-corruption, --restart-on-corruption та --ignore-zero-blocks можна використовувати лише для дії з відкриття (open).\n"
 
-#: src/veritysetup.c:550
+#: src/veritysetup.c:587
+msgid "Option --root-hash-signature can be used only for open operation.\n"
+msgstr "Параметром --root-hash-signature можна користуватися лише для дії з відкриття.\n"
+
+#: src/veritysetup.c:592
 msgid "Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"
 msgstr "Параметри --ignore-corruption і --restart-on-corruption не можна використовувати одночасно.\n"
 
@@ -3036,20 +3189,20 @@
 msgid "Cannot read %d bytes from keyfile %s."
 msgstr "Не вдалося прочитати %d байтів з файла ключа %s."
 
-#: src/integritysetup.c:250
+#: src/integritysetup.c:253
 #, c-format
 msgid "Formatted with tag size %u, internal integrity %s.\n"
 msgstr "Форматовано із розміром мітки %u, внутрішня цілісність %s.\n"
 
-#: src/integritysetup.c:469 src/integritysetup.c:473
+#: src/integritysetup.c:473 src/integritysetup.c:477
 msgid "<integrity_device>"
 msgstr "<пристрій_цілісності>"
 
-#: src/integritysetup.c:470
+#: src/integritysetup.c:474
 msgid "<integrity_device> <name>"
 msgstr "<пристрій_цілісності> <назва>"
 
-#: src/integritysetup.c:492
+#: src/integritysetup.c:496
 #, c-format
 msgid ""
 "\n"
@@ -3060,158 +3213,158 @@
 "<назва> є пристроєм, який слід створити у %s\n"
 "<пристрій_цілісності> є пристроєм, на якому зберігаються дані із мітками цілісності\n"
 
-#: src/integritysetup.c:497
+#: src/integritysetup.c:501
 #, c-format
 msgid ""
 "\n"
 "Default compiled-in dm-integrity parameters:\n"
-"\tTag size: %u bytes, Checksum algorithm: %s\n"
+"\tChecksum algorithm: %s\n"
 msgstr ""
 "\n"
 "Типові компільовані параметри dm-integrity:\n"
-"\tРозмір міток: %u байтів, алгоритм перевірки контрольних сум: %s\n"
+"\tАлгоритм обчислення контрольної суми: %s\n"
 
-#: src/integritysetup.c:540
+#: src/integritysetup.c:543
 msgid "Path to data device (if separated)"
 msgstr "Шлях до пристрою даних (якщо відокремлено)"
 
-#: src/integritysetup.c:542
+#: src/integritysetup.c:545
 msgid "Journal size"
 msgstr "Розмір журналу"
 
-#: src/integritysetup.c:543
+#: src/integritysetup.c:546
 msgid "Interleave sectors"
 msgstr "Перемежовування секторів"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "Journal watermark"
 msgstr "«Водяний знак» журналу"
 
-#: src/integritysetup.c:544
+#: src/integritysetup.c:547
 msgid "percent"
 msgstr "відсоток"
 
-#: src/integritysetup.c:545
+#: src/integritysetup.c:548
 msgid "Journal commit time"
 msgstr "Час внесення до журналу"
 
-#: src/integritysetup.c:545 src/integritysetup.c:547
+#: src/integritysetup.c:548 src/integritysetup.c:550
 msgid "ms"
 msgstr "мс"
 
-#: src/integritysetup.c:546
+#: src/integritysetup.c:549
 msgid "Number of 512-byte sectors per bit (bitmap mode)."
 msgstr "Кількість 512-байтових секторів на біт (режим бітової карти)."
 
-#: src/integritysetup.c:547
+#: src/integritysetup.c:550
 msgid "Bitmap mode flush time"
 msgstr "Час спорожнення режиму бітової карти"
 
-#: src/integritysetup.c:548
+#: src/integritysetup.c:551
 msgid "Tag size (per-sector)"
 msgstr "Розмір мітки на сектор"
 
-#: src/integritysetup.c:549
+#: src/integritysetup.c:552
 msgid "Sector size"
 msgstr "Розмір сектора"
 
-#: src/integritysetup.c:550
+#: src/integritysetup.c:553
 msgid "Buffers size"
 msgstr "Розмір буферів"
 
-#: src/integritysetup.c:552
+#: src/integritysetup.c:555
 msgid "Data integrity algorithm"
 msgstr "Алгоритм забезпечення цілісності даних"
 
-#: src/integritysetup.c:553
+#: src/integritysetup.c:556
 msgid "The size of the data integrity key"
 msgstr "Розмір ключа цілісності даних"
 
-#: src/integritysetup.c:554
+#: src/integritysetup.c:557
 msgid "Read the integrity key from a file"
 msgstr "Прочитати ключ цілісності з файла"
 
-#: src/integritysetup.c:556
+#: src/integritysetup.c:559
 msgid "Journal integrity algorithm"
 msgstr "Алгоритм забезпечення цілісності журналу"
 
-#: src/integritysetup.c:557
+#: src/integritysetup.c:560
 msgid "The size of the journal integrity key"
 msgstr "Розмір ключа цілісності журналу"
 
-#: src/integritysetup.c:558
+#: src/integritysetup.c:561
 msgid "Read the journal integrity key from a file"
 msgstr "Прочитати ключ цілісності журналу з файла"
 
-#: src/integritysetup.c:560
+#: src/integritysetup.c:563
 msgid "Journal encryption algorithm"
 msgstr "Алгоритм шифрування журналу"
 
-#: src/integritysetup.c:561
+#: src/integritysetup.c:564
 msgid "The size of the journal encryption key"
 msgstr "Розмір ключа шифрування журналу"
 
-#: src/integritysetup.c:562
+#: src/integritysetup.c:565
 msgid "Read the journal encryption key from a file"
 msgstr "Читати ключ шифрування журналу з файла"
 
-#: src/integritysetup.c:565
+#: src/integritysetup.c:568
 msgid "Recovery mode (no journal, no tag checking)"
 msgstr "Режим відновлення (без журналу, без перевірки міток)"
 
-#: src/integritysetup.c:566
+#: src/integritysetup.c:569
 msgid "Use bitmap to track changes and disable journal for integrity device"
 msgstr "Використовувати для стеження за змінами бітову карту і вимкнути журнал для пристрою забезпечення цілісності"
 
-#: src/integritysetup.c:567
+#: src/integritysetup.c:570
 msgid "Recalculate initial tags automatically."
 msgstr "Обчислювати початкові мітки автоматично."
 
-#: src/integritysetup.c:640
+#: src/integritysetup.c:641
 msgid "Option --integrity-recalculate can be used only for open action."
 msgstr "Параметр --integrity-recalculate можна використовувати лише під час дії з відкриття (open)."
 
-#: src/integritysetup.c:655
+#: src/integritysetup.c:656
 msgid "Options --journal-size, --interleave-sectors, --sector-size, --tag-size and --no-wipe can be used only for format action.\n"
 msgstr "Параметри --journal-size, --interleave-sectors, --sector-size, --tag-size та --no-wipe можна використовувати лише для дії з форматування.\n"
 
-#: src/integritysetup.c:661
+#: src/integritysetup.c:662
 msgid "Invalid journal size specification."
 msgstr "Некоректна специфікація розміру журналу."
 
-#: src/integritysetup.c:666
+#: src/integritysetup.c:667
 msgid "Both key file and key size options must be specified."
 msgstr "Не можна одночасно вказувати параметри файла ключа і розміру ключа."
 
-#: src/integritysetup.c:669
+#: src/integritysetup.c:670
 msgid "Integrity algorithm must be specified if integrity key is used."
 msgstr "Якщо використано ключ цілісності, має бути вказано алгоритм забезпечення цілісності."
 
-#: src/integritysetup.c:674
+#: src/integritysetup.c:675
 msgid "Both journal integrity key file and key size options must be specified."
 msgstr "Не можна одночасно вказувати параметри файла ключа цілісності журналу і розміру ключа."
 
-#: src/integritysetup.c:677
+#: src/integritysetup.c:678
 msgid "Journal integrity algorithm must be specified if journal integrity key is used."
 msgstr "Якщо використано ключ цілісності журналу, має бути вказано алгоритм забезпечення цілісності журналу."
 
-#: src/integritysetup.c:682
+#: src/integritysetup.c:683
 msgid "Both journal encryption key file and key size options must be specified."
 msgstr "Не можна одночасно вказувати параметри файла ключа шифрування журналу і розміру ключа."
 
-#: src/integritysetup.c:685
+#: src/integritysetup.c:686
 msgid "Journal encryption algorithm must be specified if journal encryption key is used."
 msgstr "Якщо використано ключ шифрування журналу, має бути вказано алгоритм забезпечення шифрування журналу."
 
-#: src/integritysetup.c:689
+#: src/integritysetup.c:690
 msgid "Recovery and bitmap mode options are mutually exclusive."
 msgstr "Не можна поєднувати параметри відновлення і бітової карти."
 
-#: src/integritysetup.c:693
+#: src/integritysetup.c:694
 msgid "Journal options cannot be used in bitmap mode."
 msgstr "Параметри журналу у режимі бітової карти використовувати не можна."
 
-#: src/integritysetup.c:697
+#: src/integritysetup.c:698
 msgid "Bitmap options can be used only in bitmap mode."
 msgstr "Параметри бітової карти можна використовувати лише у режимі бітового карти."
 
@@ -3224,7 +3377,7 @@
 msgid "Cannot exclusively open %s, device in use."
 msgstr "Не можна відкрити %s у виключному режимі, пристрій вже використовується."
 
-#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1127
+#: src/cryptsetup_reencrypt.c:215 src/cryptsetup_reencrypt.c:1128
 msgid "Allocation of aligned memory failed."
 msgstr "Спроба розподілу вирівняних ділянок пам’яті зазнала невдачі."
 
@@ -3273,190 +3426,190 @@
 msgid "Activation of temporary devices failed."
 msgstr "Спроба задіяти тимчасові пристрої зазнала невдачі."
 
-#: src/cryptsetup_reencrypt.c:551
+#: src/cryptsetup_reencrypt.c:552
 msgid "Failed to set data offset."
 msgstr "Не вдалося встановити відступ у даних."
 
-#: src/cryptsetup_reencrypt.c:557
+#: src/cryptsetup_reencrypt.c:558
 msgid "Failed to set metadata size."
 msgstr "Не вдалося встановити розмір метаданих."
 
-#: src/cryptsetup_reencrypt.c:565
+#: src/cryptsetup_reencrypt.c:566
 #, c-format
 msgid "New LUKS header for device %s created."
 msgstr "Створено новий заголовок LUKS для пристрою %s."
 
-#: src/cryptsetup_reencrypt.c:625
+#: src/cryptsetup_reencrypt.c:626
 #, c-format
 msgid "This version of cryptsetup-reencrypt can't handle new internal token type %s."
 msgstr "Ця версія cryptsetup-reencrypt не може обробляти новий тип вбудованих ключів %s."
 
-#: src/cryptsetup_reencrypt.c:647
+#: src/cryptsetup_reencrypt.c:648
 msgid "Failed to read activation flags from backup header."
 msgstr "Не вдалося прочитати прапорці активації з резервного заголовка."
 
-#: src/cryptsetup_reencrypt.c:651
+#: src/cryptsetup_reencrypt.c:652
 msgid "Failed to write activation flags to new header."
 msgstr "Не вдалося записати прапорці активації до нового заголовка."
 
-#: src/cryptsetup_reencrypt.c:655 src/cryptsetup_reencrypt.c:659
+#: src/cryptsetup_reencrypt.c:656 src/cryptsetup_reencrypt.c:660
 msgid "Failed to read requirements from backup header."
 msgstr "Не вдалося прочитати вимоги із резервного заголовка."
 
-#: src/cryptsetup_reencrypt.c:697
+#: src/cryptsetup_reencrypt.c:698
 #, c-format
 msgid "%s header backup of device %s created."
 msgstr "Створено резервну копію заголовка %s пристрою %s."
 
-#: src/cryptsetup_reencrypt.c:760
+#: src/cryptsetup_reencrypt.c:761
 msgid "Creation of LUKS backup headers failed."
 msgstr "Спроба створення заголовків резервних копій LUKS зазнала невдачі."
 
-#: src/cryptsetup_reencrypt.c:893
+#: src/cryptsetup_reencrypt.c:894
 #, c-format
 msgid "Cannot restore %s header on device %s."
 msgstr "Не вдалося відновити заголовок %s на пристрої %s."
 
-#: src/cryptsetup_reencrypt.c:895
+#: src/cryptsetup_reencrypt.c:896
 #, c-format
 msgid "%s header on device %s restored."
 msgstr "Відновлено заголовок %s на пристрої %s."
 
-#: src/cryptsetup_reencrypt.c:1099 src/cryptsetup_reencrypt.c:1105
+#: src/cryptsetup_reencrypt.c:1100 src/cryptsetup_reencrypt.c:1106
 msgid "Cannot open temporary LUKS device."
 msgstr "Неможливо відкрити тимчасовий пристрій LUKS."
 
-#: src/cryptsetup_reencrypt.c:1110 src/cryptsetup_reencrypt.c:1115
+#: src/cryptsetup_reencrypt.c:1111 src/cryptsetup_reencrypt.c:1116
 msgid "Cannot get device size."
 msgstr "Не вдалося отримати дані щодо розміру пристрою."
 
-#: src/cryptsetup_reencrypt.c:1150
+#: src/cryptsetup_reencrypt.c:1151
 msgid "IO error during reencryption."
 msgstr "Помилка введення-виведення під час повторного шифрування."
 
-#: src/cryptsetup_reencrypt.c:1181
+#: src/cryptsetup_reencrypt.c:1182
 msgid "Provided UUID is invalid."
 msgstr "Наданий UUID є некоректним."
 
-#: src/cryptsetup_reencrypt.c:1407
+#: src/cryptsetup_reencrypt.c:1416
 msgid "Cannot open reencryption log file."
 msgstr "Не вдалося відкрити файл журналу повторного шифрування."
 
-#: src/cryptsetup_reencrypt.c:1413
+#: src/cryptsetup_reencrypt.c:1422
 msgid "No decryption in progress, provided UUID can be used only to resume suspended decryption process."
 msgstr "Розшифровування не виконується. Наданий UUID можна використовувати лише для відновлення призупиненого процесу розшифровування."
 
-#: src/cryptsetup_reencrypt.c:1488
+#: src/cryptsetup_reencrypt.c:1497
 #, c-format
 msgid "Changed pbkdf parameters in keyslot %i."
 msgstr "Змінено параметри pbkdf у слоті ключа %i."
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "Reencryption block size"
 msgstr "Розмір блоку повторного шифрування"
 
-#: src/cryptsetup_reencrypt.c:1600
+#: src/cryptsetup_reencrypt.c:1609
 msgid "MiB"
 msgstr "МіБ"
 
-#: src/cryptsetup_reencrypt.c:1604
+#: src/cryptsetup_reencrypt.c:1613
 msgid "Do not change key, no data area reencryption"
 msgstr "Не змінювати ключ, не виконувати повторного шифрування області даних"
 
-#: src/cryptsetup_reencrypt.c:1606
+#: src/cryptsetup_reencrypt.c:1615
 msgid "Read new volume (master) key from file"
 msgstr "Прочитати новий ключ тому (основний ключ) з файла"
 
-#: src/cryptsetup_reencrypt.c:1607
+#: src/cryptsetup_reencrypt.c:1616
 msgid "PBKDF2 iteration time for LUKS (in ms)"
 msgstr "Тривалість ітерації PBKDF2 для LUKS (у мс)"
 
-#: src/cryptsetup_reencrypt.c:1613
+#: src/cryptsetup_reencrypt.c:1622
 msgid "Use direct-io when accessing devices"
 msgstr "Використовувати безпосереднє введення-виведення під час доступу до пристроїв"
 
-#: src/cryptsetup_reencrypt.c:1614
+#: src/cryptsetup_reencrypt.c:1623
 msgid "Use fsync after each block"
 msgstr "Використовувати fsync після кожного блоку"
 
-#: src/cryptsetup_reencrypt.c:1615
+#: src/cryptsetup_reencrypt.c:1624
 msgid "Update log file after every block"
 msgstr "Оновлювати файл журналу після кожного блоку"
 
-#: src/cryptsetup_reencrypt.c:1616
+#: src/cryptsetup_reencrypt.c:1625
 msgid "Use only this slot (others will be disabled)"
 msgstr "Використовувати лише цей слот (інші буде вимкнено)"
 
-#: src/cryptsetup_reencrypt.c:1621
+#: src/cryptsetup_reencrypt.c:1630
 msgid "Create new header on not encrypted device"
 msgstr "Створити новий заголовок на незашифрованому пристрої"
 
-#: src/cryptsetup_reencrypt.c:1622
+#: src/cryptsetup_reencrypt.c:1631
 msgid "Permanently decrypt device (remove encryption)"
 msgstr "Остаточно розшифрувати пристрій (скасувати шифрування)"
 
-#: src/cryptsetup_reencrypt.c:1623
+#: src/cryptsetup_reencrypt.c:1632
 msgid "The UUID used to resume decryption"
 msgstr "UUID, що використовується для відновлення розшифровування"
 
-#: src/cryptsetup_reencrypt.c:1624
+#: src/cryptsetup_reencrypt.c:1633
 msgid "Type of LUKS metadata: luks1, luks2"
 msgstr "Тип метаданих LUKS (luks1 або luks2)"
 
-#: src/cryptsetup_reencrypt.c:1643
+#: src/cryptsetup_reencrypt.c:1652
 msgid "[OPTION...] <device>"
 msgstr "[ПАРАМЕТР...] <пристрій>"
 
-#: src/cryptsetup_reencrypt.c:1651
+#: src/cryptsetup_reencrypt.c:1660
 #, c-format
 msgid "Reencryption will change: %s%s%s%s%s%s."
 msgstr "Повторне шифрування призведе до зміни: %s%s%s%s%s%s."
 
-#: src/cryptsetup_reencrypt.c:1652
+#: src/cryptsetup_reencrypt.c:1661
 msgid "volume key"
 msgstr "ключ тому"
 
-#: src/cryptsetup_reencrypt.c:1654
+#: src/cryptsetup_reencrypt.c:1663
 msgid "set hash to "
 msgstr "встановити хеш у значення "
 
-#: src/cryptsetup_reencrypt.c:1655
+#: src/cryptsetup_reencrypt.c:1664
 msgid ", set cipher to "
 msgstr ", встановити шифрування "
 
-#: src/cryptsetup_reencrypt.c:1659
+#: src/cryptsetup_reencrypt.c:1668
 msgid "Argument required."
 msgstr "Слід вказати аргумент."
 
-#: src/cryptsetup_reencrypt.c:1687
+#: src/cryptsetup_reencrypt.c:1696
 msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
 msgstr "Розмір блоку повторного шифрування повинен належати діапазону від 1 МіБ до 64 МІБ."
 
-#: src/cryptsetup_reencrypt.c:1714
+#: src/cryptsetup_reencrypt.c:1723
 msgid "Maximum device reduce size is 64 MiB."
 msgstr "Максимальний розмір зменшення розміру пристрою дорівнює 64 МіБ."
 
-#: src/cryptsetup_reencrypt.c:1721
+#: src/cryptsetup_reencrypt.c:1730
 msgid "Option --new must be used together with --reduce-device-size or --header."
 msgstr "Параметр --new слід використовувати разом з --reduce-device-size або --header."
 
-#: src/cryptsetup_reencrypt.c:1725
+#: src/cryptsetup_reencrypt.c:1734
 msgid "Option --keep-key can be used only with --hash, --iter-time or --pbkdf-force-iterations."
 msgstr "Параметр --keep-key можна використовувати лише разом з параметром --hash --iter-time або --pbkdf-force-iterations."
 
-#: src/cryptsetup_reencrypt.c:1729
+#: src/cryptsetup_reencrypt.c:1738
 msgid "Option --new cannot be used together with --decrypt."
 msgstr "Параметр --new не можна використовувати разом з --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1733
+#: src/cryptsetup_reencrypt.c:1742
 msgid "Option --decrypt is incompatible with specified parameters."
 msgstr "Параметр --decrypt є несумісним із вказаними параметрами."
 
-#: src/cryptsetup_reencrypt.c:1737
+#: src/cryptsetup_reencrypt.c:1746
 msgid "Option --uuid is allowed only together with --decrypt."
 msgstr "Параметр --uuid можна використовувати лише разом із --decrypt."
 
-#: src/cryptsetup_reencrypt.c:1741
+#: src/cryptsetup_reencrypt.c:1750
 msgid "Invalid luks type. Use one of these: 'luks', 'luks1' or 'luks2'."
 msgstr "Некоректний тип luks. Скористайтеся одним з таких типів: luks, luks1 або luks2."
 
@@ -3686,240 +3839,3 @@
 #: src/utils_luks2.c:126
 msgid "Failed to write JSON file."
 msgstr "Не вдалося записати файл JSON."
-
-#~ msgid "Interrupted by a signal."
-#~ msgstr "Перервано за сигналом."
-
-#~ msgid "Function not available in FIPS mode."
-#~ msgstr "Ця функція недоступна у режимі FIPS."
-
-#~ msgid "Failed to write hash."
-#~ msgstr "Не вдалося записати хеш."
-
-#~ msgid "Failed to finalize hash."
-#~ msgstr "Не вдалося завершити хеш."
-
-#~ msgid "Invalid resilience parameters (internal error)."
-#~ msgstr "Некоректні параметри стійкості (внутрішня помилка)."
-
-#~ msgid "Failed to assign new enc segments."
-#~ msgstr "Не вдалося призначити нові сегменти шифрування."
-
-#~ msgid "Failed to assign digest %u to segment %u."
-#~ msgstr "Не вдалося пов'язати контрольну суму %u із сегментом %u."
-
-#~ msgid "Failed to set segments."
-#~ msgstr "Не вдалося встановити сегменти."
-
-#~ msgid "Failed to assign reencrypt previous backup segment."
-#~ msgstr "Не вдалося призначити попередній резервний сегмент повторного шифрування."
-
-#~ msgid "Failed to assign reencrypt final backup segment."
-#~ msgstr "Не вдалося призначити останній резервний сегмент повторного шифрування."
-
-#~ msgid "Failed generate 2nd segment."
-#~ msgstr "Не вдалося створити другий сегмент."
-
-#~ msgid "Failed generate 1st segment."
-#~ msgstr "Не вдалося створити перший сегмент."
-
-#~ msgid "Failed to allocate device %s."
-#~ msgstr "Не вдалося розмістити пристрій %s."
-
-#~ msgid "Failed to allocate dm segments."
-#~ msgstr "Не вдалося розмістити сегменти dm."
-
-#~ msgid "Failed to create dm segments."
-#~ msgstr "Не вдалося створити сегменти dm."
-
-#~ msgid "Failed to allocate device for new backing device."
-#~ msgstr "Не вдалося отримати місце для нового резервного пристрою."
-
-#~ msgid "Failed to reload overlay device %s."
-#~ msgstr "Не вдалося перезавантажити пристрій-накладку %s."
-
-#~ msgid "Failed to refresh helper devices."
-#~ msgstr "Не вдалося освіжити список допоміжних пристроїв."
-
-#~ msgid "Failed to create reencryption backup segments."
-#~ msgstr "Не вдалося створити резервні сегменти повторного шифрування."
-
-#~ msgid "Failed to set online-reencryption requirement."
-#~ msgstr "Не вдалося встановити вимогу щодо повторного шифрування без від'єднання."
-
-#~ msgid "Failed to hash sector at offset %zu."
-#~ msgstr "Не вдалося визначити хеш сектора зі зсувом %zu."
-
-#~ msgid "Failed to read sector hash."
-#~ msgstr "Не вдалося прочитати хеш сектора."
-
-#~ msgid "Error: Calculated reencryption offset %<PRIu64> is beyond device size %<PRIu64>."
-#~ msgstr "Помилка: обчислений зсув повторного шифрування %<PRIu64> виходить за межі розміру пристрою — %<PRIu64>."
-
-#~ msgid "Device is not in clean reencryption state."
-#~ msgstr "Пристрій не перебуває у «чистому» стані повторного шифрування."
-
-#~ msgid "Failed to read device info from %s."
-#~ msgstr "Не вдалося прочитати дані щодо пристрою з %s."
-
-#~ msgid "Failed to calculate new segments."
-#~ msgstr "Не вдалося обчислити нові сегменти."
-
-#~ msgid "Failed to assign pre reenc segments."
-#~ msgstr "Не вдалося прив'язати сегменти перед повторним шифруванням."
-
-#~ msgid "Failed finalize hotzone resilience, retval = %d"
-#~ msgstr "Не вдалося завершити забезпечення стійкості «гарячої» ділянки, повернуте значення = %d"
-
-#~ msgid "Failed to write data."
-#~ msgstr "Не вдалося записати дані."
-
-#~ msgid "Failed to update metadata or reassign device segments."
-#~ msgstr "Не вдалося оновити метадані або повторно пов'язати сегменти пристрою."
-
-#~ msgid "Failed to reload %s device."
-#~ msgstr "Не вдалося перезавантажити пристрій %s."
-
-#~ msgid "Failed to erase backup segments"
-#~ msgstr "Не вдалося витерти резервні сегменти"
-
-#~ msgid "Requested dmcrypt performance options are not supported."
-#~ msgstr "Підтримки вказаних параметрів швидкодії dmcrypt не передбачено."
-
-#~ msgid "Cannot format device %s which is still in use."
-#~ msgstr "Не можна форматувати пристрій %s, який перебуває у користуванні."
-
-#~ msgid "Key slot %d is not used."
-#~ msgstr "Слот ключа %d не використовується."
-
-#~ msgid "Key slot %d selected for deletion."
-#~ msgstr "Слот ключа %d позначено для вилучення."
-
-#~ msgid "open device as mapping <name>"
-#~ msgstr "відкрити пристрій як призначення <назва>"
-
-#~ msgid "close device (deactivate and remove mapping)"
-#~ msgstr "закрити пристрій (скасувати активацію і вилучити призначення)"
-
-#~ msgid "Failed to set PBKDF parameters."
-#~ msgstr "Не вдалося встановити параметри PBKDF."
-
-#~ msgid "Cannot seek to device offset.\n"
-#~ msgstr "Не вдалося встановити вказану позицію на пристрої.\n"
-
-#~ msgid "Device %s is too small. (LUKS2 requires at least %<PRIu64> bytes.)"
-#~ msgstr "Обсяг пристрою %s є надто малим. (LUKS2 потрібно принаймні %<PRIu64> байтів.)"
-
-#~ msgid "Replaced with key slot %d."
-#~ msgstr "Замінено слотом ключа %d."
-
-#~ msgid "Missing LUKS target type, option --type is required."
-#~ msgstr "Не вказано типу призначення LUKS, слід вказати параметр --type."
-
-#~ msgid "Missing --token option specifying token for removal."
-#~ msgstr "Пропущено параметр --token, який задає ключ, який слід вилучити."
-
-#~ msgid "Add or remove keyring token"
-#~ msgstr "Додати або вилучити ключ зі сховища ключів"
-
-#~ msgid "Activated keyslot %i."
-#~ msgstr "Задіяний слот ключа %i."
-
-#~ msgid "memory allocation error in action_luksFormat"
-#~ msgstr "помилка під час отримання області пам’яті у action_luksFormat"
-
-#~ msgid "Key slot is invalid.\n"
-#~ msgstr "Слот ключа є некоректним.\n"
-
-#~ msgid "Using default pbkdf parameters for new LUKS2 header.\n"
-#~ msgstr "Використовуємо типові параметри pbkdf для нового заголовка LUKS2.\n"
-
-#~ msgid "Too many tree levels for verity volume.\n"
-#~ msgstr "Занадто високий рівень вкладеності для тому перевірки.\n"
-
-#~ msgid "Key %d not active. Can't wipe.\n"
-#~ msgstr "Ключ %d не є активним. Його не можна витерти.\n"
-
-#~ msgid "<name> <data_device> <hash_device> <root_hash>"
-#~ msgstr "<назва> <пристрій_даних> <пристрій_хешу> <кореневий_хеш>"
-
-#~ msgid "create active device"
-#~ msgstr "створити активний пристрій"
-
-#~ msgid "remove (deactivate) device"
-#~ msgstr "вилучити пристрій (скасувати активацію)"
-
-#~ msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
-#~ msgstr "Поступ: %5.1f%%, час до завершення: %02llu:%02llu, записано %4llu МіБ, швидкість %5.1f МіБ/с%s"
-
-#~ msgid "Cannot find a free loopback device.\n"
-#~ msgstr "Не вдалося знайти вільний петльовий пристрій.\n"
-
-#~ msgid "Cannot open device %s\n"
-#~ msgstr "Не вдалося відкрити пристрій %s\n"
-
-#~ msgid "Cannot use passed UUID unless decryption in progress.\n"
-#~ msgstr "Не можна використовувати переданий UUID, якщо не виконується дія з розшифровування.\n"
-
-#~ msgid "Marking LUKS device %s usable.\n"
-#~ msgstr "Позначаємо пристрій LUKS %s як придатний\n"
-
-#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
-#~ msgstr "ПОПЕРЕДЖЕННЯ: цей код не перевірено достатнім чином, його використання може призвести до незворотного пошкодження даних.\n"
-
-#~ msgid "FIPS checksum verification failed.\n"
-#~ msgstr "Контрольні суми FIPS не збігаються.\n"
-
-#~ msgid "WARNING: device %s is a partition, for TCRYPT system encryption you usually need to use whole block device path.\n"
-#~ msgstr "Попередження: пристрій %s є розділом; для шифрування системи за допомогою TCRYPT, зазвичай, вам слід використовувати шлях до цілого блокового пристрою.\n"
-
-#~ msgid "Kernel doesn't support plain64 IV.\n"
-#~ msgstr "У ядрі не передбачено підтримки plain64 IV.\n"
-
-#~ msgid "Enter LUKS passphrase: "
-#~ msgstr "Введіть пароль LUKS: "
-
-#~ msgid "Enter new LUKS passphrase: "
-#~ msgstr "Введіть новий пароль LUKS: "
-
-#~ msgid "Enter any LUKS passphrase: "
-#~ msgstr "Введіть довільний пароль LUKS: "
-
-#~ msgid "Backup file %s doesn't exist.\n"
-#~ msgstr "Файла резервної копії, %s, не існує.\n"
-
-#~ msgid "create device"
-#~ msgstr "створити пристрій"
-
-#~ msgid "remove device"
-#~ msgstr "вилучити пристрій"
-
-#~ msgid "remove LUKS mapping"
-#~ msgstr "вилучити призначення LUKS"
-
-#~ msgid "open loop-AES device as mapping <name>"
-#~ msgstr "відкрити пристрій loop-AES як призначення <назва>"
-
-#~ msgid "remove loop-AES mapping"
-#~ msgstr "вилучити призначення loop-AES"
-
-#~ msgid "Cannot open device %s for %s%s access.\n"
-#~ msgstr "Не вдалося відкрити пристрій %s для доступу %s%s.\n"
-
-#~ msgid "exclusive "
-#~ msgstr "ексклюзивний "
-
-#~ msgid "writable"
-#~ msgstr "придатний до запису"
-
-#~ msgid "read-only"
-#~ msgstr "тільки читання"
-
-#~ msgid "WARNING!!! Possibly insecure memory. Are you root?\n"
-#~ msgstr "УВАГА!!! Небезпека доступу до даних у пам’яті. Працюєте від імені адміністратора?\n"
-
-#~ msgid "Unable to obtain sector size for %s"
-#~ msgstr "Не вдалося отримати розмір сектора %s"
-
-#~ msgid "Cannot use device %s (crypt segments overlaps or in use by another device).\n"
-#~ msgstr "Використання пристрою %s неможливе (сегменти шифрування перекриваються або використовуються іншим пристроєм).\n"
diff -Nru cryptsetup-2.2.2/README.md cryptsetup-2.3.1/README.md
--- cryptsetup-2.2.2/README.md	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/README.md	2020-03-12 08:39:20.000000000 +0000
@@ -5,8 +5,8 @@
 **Cryptsetup** is a utility used to conveniently set up disk encryption based
 on the [DMCrypt](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt) kernel module.
 
-These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**
-and **TrueCrypt** (including **VeraCrypt** extension) formats.
+These include **plain** **dm-crypt** volumes, **LUKS** volumes, **loop-AES**,
+**TrueCrypt** (including **VeraCrypt** extension) and **BitLocker** formats.
 
 The project also includes a **veritysetup** utility used to conveniently setup
 [DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) block integrity checking kernel module
@@ -44,16 +44,16 @@
 --------
 All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest cryptsetup version is 2.2.1**
-  * [cryptsetup-2.2.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.1.tar.xz)
-  * Signature [cryptsetup-2.2.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.1.tar.sign)
+**The latest stable cryptsetup version is 2.3.0**
+  * [cryptsetup-2.3.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.0.tar.xz)
+  * Signature [cryptsetup-2.3.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.0.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.2.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/v2.2.1-ReleaseNotes).
+  * [Cryptsetup 2.3.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.0-ReleaseNotes).
 
 Previous versions
- * [Version 2.2.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.0.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.0.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/v2.2.0-ReleaseNotes).
+ * [Version 2.2.2](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.2.tar.xz) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.2.tar.sign) -
+   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/v2.2.2-ReleaseNotes).
  * [Version 2.0.6](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.xz) -
    [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes).
diff -Nru cryptsetup-2.2.2/src/cryptsetup.c cryptsetup-2.3.1/src/cryptsetup.c
--- cryptsetup-2.2.2/src/cryptsetup.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/cryptsetup.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -85,6 +85,7 @@
 static const char *opt_integrity = NULL; /* none */
 static int opt_integrity_nojournal = 0;
 static int opt_integrity_no_wipe = 0;
+static int opt_integrity_legacy_padding = 0;
 static const char *opt_key_description = NULL;
 static int opt_sector_size = 0;
 static int opt_persistent = 0;
@@ -448,7 +449,7 @@
 				continue;
 
 			params->veracrypt_pim = (uint32_t)tmp_pim_ull;
-			crypt_memzero(&tmp_pim_ull, sizeof(tmp_pim_ull));
+			crypt_safe_memzero(&tmp_pim_ull, sizeof(tmp_pim_ull));
 		}
 
 		if (opt_tcrypt_hidden)
@@ -512,7 +513,49 @@
 out:
 	crypt_free(cd);
 	crypt_safe_free(CONST_CAST(char*)params.passphrase);
-	crypt_memzero(&params.veracrypt_pim, sizeof(params.veracrypt_pim));
+	crypt_safe_memzero(&params.veracrypt_pim, sizeof(params.veracrypt_pim));
+	return r;
+}
+
+static int action_open_bitlk(void)
+{
+	struct crypt_device *cd = NULL;
+	const char *activated_name;
+	uint32_t activate_flags = 0;
+	int r, tries;
+	char *password = NULL;
+	size_t passwordLen;
+
+	activated_name = opt_test_passphrase ? NULL : action_argv[1];
+
+	if ((r = crypt_init(&cd, action_argv[0])))
+		goto out;
+
+	r = crypt_load(cd, CRYPT_BITLK, NULL);
+	if (r < 0) {
+		log_err(_("Device %s is not a valid BITLK device."), action_argv[0]);
+		goto out;
+	}
+	_set_activation_flags(&activate_flags);
+
+	tries = (tools_is_stdin(opt_key_file) && isatty(STDIN_FILENO)) ? opt_tries : 1;
+	do {
+		r = tools_get_key(NULL, &password, &passwordLen,
+				opt_keyfile_offset, opt_keyfile_size, opt_key_file,
+				opt_timeout, _verify_passphrase(0), 0, cd);
+		if (r < 0)
+			goto out;
+
+		r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT,
+						 password, passwordLen, activate_flags);
+		tools_passphrase_msg(r);
+		check_signal(&r);
+		crypt_safe_free(password);
+		password = NULL;
+	} while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
+out:
+	crypt_safe_free(password);
+	crypt_free(cd);
 	return r;
 }
 
@@ -587,6 +630,24 @@
 	return r;
 }
 
+static int action_bitlkDump(void)
+{
+	struct crypt_device *cd = NULL;
+	int r;
+
+	if ((r = crypt_init(&cd, action_argv[0])))
+		goto out;
+
+	r = crypt_load(cd, CRYPT_BITLK, NULL);
+	if (r < 0)
+		goto out;
+
+	r = crypt_dump(cd);
+out:
+	crypt_free(cd);
+	return r;
+}
+
 static int action_close(void)
 {
 	struct crypt_device *cd = NULL;
@@ -744,8 +805,9 @@
 		log_std("  size:    %" PRIu64 " sectors\n", cad.size);
 		if (cad.iv_offset)
 			log_std("  skipped: %" PRIu64 " sectors\n", cad.iv_offset);
-		log_std("  mode:    %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
-					   "readonly" : "read/write");
+		log_std("  mode:    %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+					   "readonly" : "read/write",
+					   (cad.flags & CRYPT_ACTIVATE_SUSPENDED) ? " (suspended)" : "");
 		if (cad.flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS|
 				 CRYPT_ACTIVATE_SAME_CPU_CRYPT|
 				 CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS))
@@ -983,6 +1045,7 @@
 
 	if (opt_pbkdf_iterations) {
 		pbkdf.iterations = opt_pbkdf_iterations;
+		pbkdf.time_ms = 0;
 		pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
 	}
 
@@ -1133,6 +1196,11 @@
 	return r;
 }
 
+static int strcmp_or_null(const char *str, const char *expected)
+{
+	return !str ? 0 : strcmp(str, expected);
+}
+
 static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen)
 {
 	int r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0;
@@ -1302,6 +1370,9 @@
 	if (signatures && ((r =	tools_wipe_all_signatures(header_device)) < 0))
 		goto out;
 
+	if (opt_integrity_legacy_padding)
+		crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING);
+
 	r = crypt_format(cd, type, cipher, cipher_mode,
 			 opt_uuid, key, keysize, params);
 	check_signal(&r);
@@ -1321,10 +1392,11 @@
 	}
 	tools_keyslot_msg(r, CREATED);
 
-	if (opt_integrity && !opt_integrity_no_wipe)
+	if (opt_integrity && !opt_integrity_no_wipe &&
+	    strcmp_or_null(params2.integrity, "none"))
 		r = _wipe_data_device(cd);
 out:
-	if (r == 0 && r_cd && r_password && r_passwordLen) {
+	if (r >= 0 && r_cd && r_password && r_passwordLen) {
 		*r_cd = cd;
 		*r_password = password;
 		*r_passwordLen = passwordLen;
@@ -1374,7 +1446,7 @@
 			goto out;
 		}
 
-		if (!data_device && (crypt_get_data_offset(cd) < 8)) {
+		if (!data_device && (crypt_get_data_offset(cd) < 8) && !opt_test_passphrase) {
 			log_err(_("Reduced data offset is allowed only for detached LUKS header."));
 			r = -EINVAL;
 			goto out;
@@ -2169,6 +2241,10 @@
 		if (action_argc < 2 && !opt_test_passphrase)
 			goto args;
 		return action_open_tcrypt();
+	} else if (!strcmp(opt_type, "bitlk")) {
+		if (action_argc < 2 && !opt_test_passphrase)
+			goto args;
+		return action_open_bitlk();
 	}
 
 	log_err(_("Unrecognized metadata device type %s."), opt_type);
@@ -2748,11 +2824,8 @@
 		activated_name = action_argv[1];
 		_set_activation_flags(&activate_flags);
 		r = crypt_activate_by_passphrase(*cd, activated_name, opt_key_slot, password, passwordLen, activate_flags);
-		if (r >= 0) {
-			log_std(_("%s/%s is now active and ready for online encryption."), crypt_get_dir(), activated_name);
-			/* FIXME: Hotfix for 2.2.2 only. Fix the translated string correctly in next relese. */
-			log_std("\n");
-		}
+		if (r >= 0)
+			log_std(_("%s/%s is now active and ready for online encryption.\n"), crypt_get_dir(), activated_name);
 	}
 
 	if (r < 0)
@@ -3229,6 +3302,7 @@
 	{ "isLuks",       action_isLuks,       1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
 	{ "luksDump",     action_luksDump,     1, 1, N_("<device>"), N_("dump LUKS partition information") },
 	{ "tcryptDump",   action_tcryptDump,   1, 1, N_("<device>"), N_("dump TCRYPT device information") },
+	{ "bitlkDump",    action_bitlkDump,    1, 1, N_("<device>"), N_("dump BITLK device information") },
 	{ "luksSuspend",  action_luksSuspend,  1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen)") },
 	{ "luksResume",   action_luksResume,   1, 1, N_("<device>"), N_("Resume suspended LUKS device") },
 	{ "luksHeaderBackup", action_luksBackup,1,1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
@@ -3259,8 +3333,8 @@
 
 		log_std(_("\n"
 			  "You can also use old <action> syntax aliases:\n"
-			  "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
-			  "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"));
+			  "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen\n"
+			  "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose\n"));
 		log_std(_("\n"
 			 "<name> is the device to create under %s\n"
 			 "<device> is the encrypted device\n"
@@ -3337,11 +3411,6 @@
 	return translate_errno(r);
 }
 
-static int strcmp_or_null(const char *str, const char *expected)
-{
-	return !str ? 0 : strcmp(str, expected);
-}
-
 int main(int argc, const char **argv)
 {
 	static char *popt_tmp;
@@ -3393,7 +3462,7 @@
 		{ "veracrypt",         '\0', POPT_ARG_NONE, &opt_veracrypt,             0, N_("Scan also for VeraCrypt compatible device"), NULL },
 		{ "veracrypt-pim",     '\0', POPT_ARG_INT, &opt_veracrypt_pim,          0, N_("Personal Iteration Multiplier for VeraCrypt compatible device"), NULL },
 		{ "veracrypt-query-pim", '\0', POPT_ARG_NONE, &opt_veracrypt_query_pim, 0, N_("Query Personal Iteration Multiplier for VeraCrypt compatible device"), NULL },
-		{ "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt"), NULL },
+		{ "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL },
 		{ "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,        0, N_("Disable password quality check (if enabled)"), NULL },
 		{ "perf-same_cpu_crypt",'\0', POPT_ARG_NONE, &opt_perf_same_cpu_crypt,  0, N_("Use dm-crypt same_cpu_crypt performance compatibility option"), NULL },
 		{ "perf-submit_from_crypt_cpus",'\0', POPT_ARG_NONE, &opt_perf_submit_from_crypt_cpus,0,N_("Use dm-crypt submit_from_crypt_cpus performance compatibility option"), NULL },
@@ -3410,6 +3479,7 @@
 		{ "integrity",          'I', POPT_ARG_STRING, &opt_integrity,           0, N_("Data integrity algorithm (LUKS2 only)"), NULL },
 		{ "integrity-no-journal",'\0',POPT_ARG_NONE, &opt_integrity_nojournal,  0, N_("Disable journal for integrity device"), NULL },
 		{ "integrity-no-wipe", '\0', POPT_ARG_NONE, &opt_integrity_no_wipe,     0, N_("Do not wipe device after format"), NULL },
+		{ "integrity-legacy-padding",'\0', POPT_ARG_NONE, &opt_integrity_legacy_padding,0, N_("Use inefficient legacy padding (old kernels)"), NULL },
 		{ "token-only",        '\0', POPT_ARG_NONE, &opt_token_only,            0, N_("Do not ask for passphrase if activation by token fails"), NULL },
 		{ "token-id",          '\0', POPT_ARG_INT, &opt_token,                  0, N_("Token number (default: any)"), NULL },
 		{ "key-description",   '\0', POPT_ARG_STRING, &opt_key_description,     0, N_("Key description"), NULL },
@@ -3534,13 +3604,19 @@
 	} else if (!strcmp(aname, "tcryptOpen")) {
 		aname = "open";
 		opt_type = "tcrypt";
+	} else if (!strcmp(aname, "bitlkOpen")) {
+		aname = "open";
+		opt_type = "bitlk";
 	} else if (!strcmp(aname, "tcryptDump")) {
 		opt_type = "tcrypt";
+	} else if (!strcmp(aname, "bitlkDump")) {
+		opt_type = "bitlk";
 	} else if (!strcmp(aname, "remove") ||
 		   !strcmp(aname, "plainClose") ||
 		   !strcmp(aname, "luksClose") ||
 		   !strcmp(aname, "loopaesClose") ||
-		   !strcmp(aname, "tcryptClose")) {
+		   !strcmp(aname, "tcryptClose") ||
+		   !strcmp(aname, "bitlkClose")) {
 		aname = "close";
 	} else if (!strcmp(aname, "luksErase")) {
 		aname = "erase";
@@ -3638,9 +3714,9 @@
 		      poptGetInvocationName(popt_context));
 
 	if (opt_test_passphrase && (strcmp(aname, "open") || !opt_type ||
-	    (strncmp(opt_type, "luks", 4) && strcmp(opt_type, "tcrypt"))))
+	    (strncmp(opt_type, "luks", 4) && strcmp(opt_type, "tcrypt") && strcmp(opt_type, "bitlk"))))
 		usage(popt_context, EXIT_FAILURE,
-		      _("Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"),
+		      _("Option --test-passphrase is allowed only for open of LUKS, TCRYPT and BITLK devices.\n"),
 		      poptGetInvocationName(popt_context));
 
 	if (opt_key_size % 8 || opt_keyslot_key_size % 8)
diff -Nru cryptsetup-2.2.2/src/cryptsetup.h cryptsetup-2.3.1/src/cryptsetup.h
--- cryptsetup-2.2.2/src/cryptsetup.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/cryptsetup.h	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/src/cryptsetup_reencrypt.c cryptsetup-2.3.1/src/cryptsetup_reencrypt.c
--- cryptsetup-2.2.2/src/cryptsetup_reencrypt.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/cryptsetup_reencrypt.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * cryptsetup-reencrypt - crypt utility for offline re-encryption
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz All rights reserved.
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -485,6 +485,7 @@
 
 	if (opt_pbkdf_iterations) {
 		pbkdf.iterations = opt_pbkdf_iterations;
+		pbkdf.time_ms = 0;
 		pbkdf.flags |= CRYPT_PBKDF_NO_BENCHMARK;
 	}
 
@@ -1272,18 +1273,23 @@
 	if (r < 0)
 		return r;
 
-	r = crypt_activate_by_passphrase(cd, NULL, slot_check, password,
-					 passwordLen, 0);
-
-	/*
-	 * Allow keyslot only if it is last slot or if user explicitly
-	 * specify which slot to use (IOW others will be disabled).
-	 */
-	if (r >= 0 && opt_key_slot == CRYPT_ANY_SLOT &&
-	    crypt_keyslot_status(cd, r) != CRYPT_SLOT_ACTIVE_LAST) {
-		log_err(_("Key file can be used only with --key-slot or with "
-			  "exactly one key slot active."));
-		r = -EINVAL;
+	/* mode ENCRYPT call this without header */
+	if (cd) {
+		r = crypt_activate_by_passphrase(cd, NULL, slot_check, password,
+						 passwordLen, 0);
+
+		/*
+		 * Allow keyslot only if it is last slot or if user explicitly
+		 * specify which slot to use (IOW others will be disabled).
+		 */
+		if (r >= 0 && opt_key_slot == CRYPT_ANY_SLOT &&
+		    crypt_keyslot_status(cd, r) != CRYPT_SLOT_ACTIVE_LAST) {
+			log_err(_("Key file can be used only with --key-slot or with "
+				  "exactly one key slot active."));
+			r = -EINVAL;
+		}
+	} else {
+		r = slot_check == CRYPT_ANY_SLOT ? 0 : slot_check;
 	}
 
 	if (r < 0) {
@@ -1310,7 +1316,10 @@
 	log_dbg("Passphrases initialization.");
 
 	if (rc->reencrypt_mode == ENCRYPT && !rc->in_progress) {
-		r = init_passphrase1(rc, cd, _("Enter new passphrase: "), opt_key_slot, 0, 1);
+		if (opt_key_file)
+			r = init_keyfile(rc, NULL, opt_key_slot);
+		else
+			r = init_passphrase1(rc, NULL, _("Enter new passphrase: "), opt_key_slot, 0, 1);
 		return r > 0 ? 0 : r;
 	}
 
diff -Nru cryptsetup-2.2.2/src/integritysetup.c cryptsetup-2.3.1/src/integritysetup.c
--- cryptsetup-2.2.2/src/integritysetup.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/integritysetup.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * integritysetup - setup integrity protected volumes for dm-integrity
  *
- * Copyright (C) 2017-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2017-2019 Milan Broz
+ * Copyright (C) 2017-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2017-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -24,7 +24,6 @@
 
 #define PACKAGE_INTEGRITY "integritysetup"
 
-#define DEFAULT_TAG_SIZE 4
 #define DEFAULT_ALG_NAME "crc32c"
 #define MAX_KEY_SIZE 4096
 
@@ -58,6 +57,7 @@
 static int opt_integrity_nojournal = 0;
 static int opt_integrity_recovery = 0;
 static int opt_integrity_bitmap = 0;
+static int opt_integrity_legacy_padding = 0;
 
 static int opt_integrity_recalculate = 0;
 
@@ -182,7 +182,7 @@
 		.buffer_sectors = opt_buffer_sectors,
 		.tag_size = opt_tag_size,
 		.sector_size = opt_sector_size ?: SECTOR_SIZE,
-	};
+	}, params2;
 	char integrity[MAX_CIPHER_LEN], journal_integrity[MAX_CIPHER_LEN], journal_crypt[MAX_CIPHER_LEN];
 	char *integrity_key = NULL, *msg = NULL;
 	int r;
@@ -242,12 +242,16 @@
 	if (signatures && ((r =	tools_wipe_all_signatures(action_argv[0])) < 0))
 		goto out;
 
+	if (opt_integrity_legacy_padding)
+		crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING);
+
 	r = crypt_format(cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, &params);
 	if (r < 0) /* FIXME: call wipe signatures again */
 		goto out;
 
-	if (!opt_batch_mode)
-		log_std(_("Formatted with tag size %u, internal integrity %s.\n"), opt_tag_size, opt_integrity);
+	if (!opt_batch_mode && !crypt_get_integrity_info(cd, &params2))
+		log_std(_("Formatted with tag size %u, internal integrity %s.\n"),
+			params2.tag_size, params2.integrity);
 
 	if (!opt_no_wipe)
 		r = _wipe_data_device(cd, integrity_key);
@@ -495,8 +499,7 @@
 			crypt_get_dir());
 
 		log_std(_("\nDefault compiled-in dm-integrity parameters:\n"
-			  "\tTag size: %u bytes, Checksum algorithm: %s\n"),
-			  DEFAULT_TAG_SIZE, DEFAULT_ALG_NAME);
+			  "\tChecksum algorithm: %s\n"), DEFAULT_ALG_NAME);
 		poptFreeContext(popt_context);
 		exit(EXIT_SUCCESS);
 	} else if (key->shortName == 'V') {
@@ -565,6 +568,7 @@
 		{ "integrity-recovery-mode",    'R', POPT_ARG_NONE,  &opt_integrity_recovery,  0, N_("Recovery mode (no journal, no tag checking)"), NULL },
 		{ "integrity-bitmap-mode",      'B', POPT_ARG_NONE,  &opt_integrity_bitmap, 0, N_("Use bitmap to track changes and disable journal for integrity device"), NULL },
 		{ "integrity-recalculate",     '\0', POPT_ARG_NONE,  &opt_integrity_recalculate,  0, N_("Recalculate initial tags automatically."), NULL },
+		{ "integrity-legacy-padding",  '\0', POPT_ARG_NONE,  &opt_integrity_legacy_padding, 0, N_("Use inefficient legacy padding (old kernels)"), NULL },
 		POPT_TABLEEND
 	};
 	poptContext popt_context;
@@ -632,9 +636,6 @@
 		      poptGetInvocationName(popt_context));
 	}
 
-	if (!strcmp(aname, "format") && opt_tag_size == 0)
-		opt_tag_size = DEFAULT_TAG_SIZE;
-
 	if (opt_integrity_recalculate && strcmp(aname, "open"))
 		usage(popt_context, EXIT_FAILURE,
 		      _("Option --integrity-recalculate can be used only for open action."),
diff -Nru cryptsetup-2.2.2/src/Makemodule.am cryptsetup-2.3.1/src/Makemodule.am
--- cryptsetup-2.2.2/src/Makemodule.am	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/Makemodule.am	2020-03-12 08:39:20.000000000 +0000
@@ -44,12 +44,15 @@
 	lib/utils_io.c		\
 	lib/utils_blkid.c	\
 	src/utils_tools.c	\
+	src/utils_password.c	\
 	src/veritysetup.c	\
 	src/cryptsetup.h
 
 veritysetup_LDADD = $(LDADD)	\
 	libcryptsetup.la	\
 	@POPT_LIBS@		\
+	@PWQUALITY_LIBS@	\
+	@PASSWDQC_LIBS@		\
 	@BLKID_LIBS@
 
 sbin_PROGRAMS += veritysetup
diff -Nru cryptsetup-2.2.2/src/utils_blockdev.c cryptsetup-2.3.1/src/utils_blockdev.c
--- cryptsetup-2.2.2/src/utils_blockdev.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/utils_blockdev.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Linux block devices helpers
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2019 Ondrej Kozina
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -103,11 +103,11 @@
 		}
 
 		/* looking for dm-X/dm directory, symlinks are fine */
-		dmfd = openat(dirfd(dir), dm_subpath, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+		dmfd = openat(dirfd(dir), dm_subpath, O_DIRECTORY | O_RDONLY);
 		if (dmfd < 0)
 			continue;
 
-		fd = openat(dmfd, "uuid", O_RDONLY | O_CLOEXEC);
+		fd = openat(dmfd, "uuid", O_RDONLY);
 		if (fd < 0) {
 			close(dmfd);
 			continue;
@@ -130,7 +130,7 @@
 			continue;
 		}
 
-		fd = openat(dmfd, "name", O_RDONLY | O_CLOEXEC);
+		fd = openat(dmfd, "name", O_RDONLY);
 		if (fd < 0) {
 			close(dmfd);
 			continue;
diff -Nru cryptsetup-2.2.2/src/utils_luks2.c cryptsetup-2.3.1/src/utils_luks2.c
--- cryptsetup-2.2.2/src/utils_luks2.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/utils_luks2.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 /*
  * Helper utilities for LUKS2 features
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2018-2019 Milan Broz
- * Copyright (C) 2018-2019 Ondrej Kozina
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Milan Broz
+ * Copyright (C) 2018-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/src/utils_password.c cryptsetup-2.3.1/src/utils_password.c
--- cryptsetup-2.2.2/src/utils_password.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/utils_password.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * Password quality check wrapper
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/src/utils_tools.c cryptsetup-2.3.1/src/utils_tools.c
--- cryptsetup-2.2.2/src/utils_tools.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/utils_tools.c	2020-03-12 08:39:20.000000000 +0000
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -142,7 +142,7 @@
 
 	if (isatty(STDIN_FILENO) && !opt_batch_mode) {
 		log_std("\nWARNING!\n========\n");
-		log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
+		log_std("%s\n\nAre you sure? (Type 'yes' in capital letters): ", msg);
 		fflush(stdout);
 		if(getline(&answer, &size, stdin) == -1) {
 			r = 0;
diff -Nru cryptsetup-2.2.2/src/veritysetup.c cryptsetup-2.3.1/src/veritysetup.c
--- cryptsetup-2.2.2/src/veritysetup.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/src/veritysetup.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * veritysetup - setup cryptographic volumes for dm-verity
  *
- * Copyright (C) 2012-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2012-2019 Milan Broz
+ * Copyright (C) 2012-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -40,6 +40,7 @@
 static int opt_ignore_corruption = 0;
 static int opt_ignore_zero_blocks = 0;
 static int opt_check_at_most_once = 0;
+static const char *opt_root_hash_signature = NULL;
 
 static const char **action_argv;
 static int action_argc;
@@ -141,7 +142,9 @@
 	uint32_t activate_flags = CRYPT_ACTIVATE_READONLY;
 	char *root_hash_bytes = NULL;
 	ssize_t hash_size;
-	int r;
+	struct stat st;
+	char *signature = NULL;
+	int signature_size = 0, r;
 
 	if ((r = crypt_init_data_device(&cd, hash_device, data_device)))
 		goto out;
@@ -177,11 +180,28 @@
 		r = -EINVAL;
 		goto out;
 	}
-	r = crypt_activate_by_volume_key(cd, dm_device,
+
+	if (opt_root_hash_signature) {
+		// FIXME: check max file size
+		if (stat(opt_root_hash_signature, &st) || !S_ISREG(st.st_mode) || !st.st_size) {
+			log_err(_("Invalid signature file %s."), opt_root_hash_signature);
+			r = -EINVAL;
+			goto out;
+		}
+		signature_size = st.st_size;
+		r = tools_read_mk(opt_root_hash_signature, &signature, signature_size);
+		if (r < 0) {
+			log_err(_("Cannot read signature file %s."), opt_root_hash_signature);
+			goto out;
+		}
+	}
+	r = crypt_activate_by_signed_key(cd, dm_device,
 					 root_hash_bytes,
 					 hash_size,
+					 signature, signature_size,
 					 activate_flags);
 out:
+	crypt_safe_free(signature);
 	crypt_free(cd);
 	free(root_hash_bytes);
 	free(CONST_CAST(char*)params.salt);
@@ -193,7 +213,8 @@
 	return _activate(action_argv[1],
 			 action_argv[0],
 			 action_argv[2],
-			 action_argv[3], 0);
+			 action_argv[3],
+			 opt_root_hash_signature ? CRYPT_VERITY_ROOT_HASH_SIGNATURE : 0);
 }
 
 static int action_verify(int arg)
@@ -225,7 +246,8 @@
 	struct crypt_params_verity vp = {};
 	struct crypt_device *cd = NULL;
 	struct stat st;
-	char *backing_file;
+	char *backing_file, *root_hash;
+	size_t root_hash_size;
 	unsigned i, path = 0;
 	int r = 0;
 
@@ -269,8 +291,9 @@
 		if (r < 0)
 			goto out;
 
-		log_std("  status:      %s\n",
-			cad.flags & CRYPT_ACTIVATE_CORRUPTED ? "corrupted" : "verified");
+		log_std("  status:      %s%s\n",
+			cad.flags & CRYPT_ACTIVATE_CORRUPTED ? "corrupted" : "verified",
+			vp.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE ? " (with signature)" : "");
 
 		log_std("  hash type:   %u\n", vp.hash_type);
 		log_std("  data block:  %u\n", vp.data_block_size);
@@ -311,6 +334,19 @@
 				vp.fec_area_offset * vp.hash_block_size / 512);
 			log_std("  FEC roots:   %u\n", vp.fec_roots);
 		}
+
+		root_hash_size = crypt_get_volume_key_size(cd);
+		if (root_hash_size > 0 && (root_hash = malloc(root_hash_size))) {
+			r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash, &root_hash_size, NULL, 0);
+			if (!r) {
+				log_std("  root hash:   ");
+				for (i = 0; i < root_hash_size; i++)
+					log_std("%02hhx", (const char)root_hash[i]);
+				log_std("\n");
+			}
+			free(root_hash);
+		}
+
 		if (cad.flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
 				 CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
 				 CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS|
@@ -439,6 +475,7 @@
 		{ "hash",            'h',  POPT_ARG_STRING, &hash_algorithm, 0, N_("Hash algorithm"), N_("string") },
 		{ "salt",            's',  POPT_ARG_STRING, &salt_string,    0, N_("Salt"), N_("hex string") },
 		{ "uuid",            '\0', POPT_ARG_STRING, &opt_uuid,       0, N_("UUID for device to use"), NULL },
+		{ "root-hash-signature",'\0', POPT_ARG_STRING, &opt_root_hash_signature,  0, N_("Path to root hash signature file"), NULL },
 		{ "restart-on-corruption", 0,POPT_ARG_NONE,&opt_restart_on_corruption, 0, N_("Restart kernel if corruption is detected"), NULL },
 		{ "ignore-corruption", 0,  POPT_ARG_NONE, &opt_ignore_corruption,  0, N_("Ignore corruption, log it only"), NULL },
 		{ "ignore-zero-blocks", 0, POPT_ARG_NONE, &opt_ignore_zero_blocks, 0, N_("Do not verify zeroed blocks"), NULL },
@@ -545,6 +582,11 @@
 		_("Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for open operation.\n"),
 		poptGetInvocationName(popt_context));
 
+	if (opt_root_hash_signature && strcmp(aname, "open"))
+		usage(popt_context, EXIT_FAILURE,
+		_("Option --root-hash-signature can be used only for open operation.\n"),
+		poptGetInvocationName(popt_context));
+
 	if (opt_ignore_corruption && opt_restart_on_corruption)
 		usage(popt_context, EXIT_FAILURE,
 		_("Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"),
diff -Nru cryptsetup-2.2.2/tests/api-test-2.c cryptsetup-2.3.1/tests/api-test-2.c
--- cryptsetup-2.2.2/tests/api-test-2.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/api-test-2.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 /*
  * cryptsetup library LUKS2 API check functions
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -537,6 +537,9 @@
 
 static void SuspendDevice(void)
 {
+	struct crypt_active_device cad;
+	char key[128];
+	size_t key_size;
 	int suspend_status;
 
 	OK_(crypt_init(&cd, DEVICE_1));
@@ -552,6 +555,8 @@
 	}
 
 	OK_(suspend_status);
+	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+	EQ_(CRYPT_ACTIVATE_SUSPENDED, cad.flags & CRYPT_ACTIVATE_SUSPENDED);
 #ifdef KERNEL_KEYRING
 	FAIL_(_volume_key_in_keyring(cd, 0), "");
 #endif
@@ -561,6 +566,9 @@
 	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
 	FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)), "not suspended");
 
+	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+	EQ_(0, cad.flags & CRYPT_ACTIVATE_SUSPENDED);
+
 	OK_(prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
 	OK_(crypt_suspend(cd, CDEVICE_1));
 	FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1 "blah", 0), "wrong keyfile");
@@ -587,6 +595,14 @@
 	OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, DEVICE_1));
 	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
 
+	/* Resume by volume key */
+	OK_(crypt_suspend(cd, CDEVICE_1));
+	key_size = sizeof(key);
+	memset(key, 0, key_size);
+	FAIL_(crypt_resume_by_volume_key(cd, CDEVICE_1, key, key_size), "wrong key");
+	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+	OK_(crypt_resume_by_volume_key(cd, CDEVICE_1, key, key_size));
+
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 	CRYPT_FREE(cd);
 
diff -Nru cryptsetup-2.2.2/tests/api-test.c cryptsetup-2.3.1/tests/api-test.c
--- cryptsetup-2.2.2/tests/api-test.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/api-test.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 /*
  * cryptsetup library API check functions
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -678,6 +678,9 @@
 
 static void SuspendDevice(void)
 {
+	struct crypt_active_device cad;
+	char key[128];
+	size_t key_size;
 	int suspend_status;
 
 	OK_(crypt_init(&cd, DEVICE_1));
@@ -693,12 +696,18 @@
 	}
 
 	OK_(suspend_status);
+	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+	EQ_(CRYPT_ACTIVATE_SUSPENDED, cad.flags & CRYPT_ACTIVATE_SUSPENDED);
+
 	FAIL_(crypt_suspend(cd, CDEVICE_1), "already suspended");
 
 	FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)-1), "wrong key");
 	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
 	FAIL_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)), "not suspended");
 
+	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+	EQ_(0, cad.flags & CRYPT_ACTIVATE_SUSPENDED);
+
 	OK_(prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
 	OK_(crypt_suspend(cd, CDEVICE_1));
 	FAIL_(crypt_resume_by_keyfile(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEYFILE1 "blah", 0), "wrong keyfile");
@@ -726,6 +735,14 @@
 	OK_(crypt_init_by_name_and_header(&cd, CDEVICE_1, DEVICE_1));
 	OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, KEY1, strlen(KEY1)));
 
+	/* Resume by volume key */
+	OK_(crypt_suspend(cd, CDEVICE_1));
+	key_size = sizeof(key);
+	memset(key, 0, key_size);
+	FAIL_(crypt_resume_by_volume_key(cd, CDEVICE_1, key, key_size), "wrong key");
+	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+	OK_(crypt_resume_by_volume_key(cd, CDEVICE_1, key, key_size));
+
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 	CRYPT_FREE(cd);
 
@@ -922,6 +939,7 @@
 	OK_(pbkdf.iterations < 1000); /* set by minimum iterations above */
 	EQ_(0, pbkdf.max_memory_kb);
 	EQ_(0, pbkdf.parallel_threads);
+	FAIL_(crypt_keyslot_get_pbkdf(cd, 2, &pbkdf), "Keyslot 2 is inactive.");
 
 	OK_(prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1)));
 	OK_(prepare_keyfile(KEYFILE2, KEY2, strlen(KEY2)));
@@ -985,6 +1003,18 @@
 
 	FAIL_(crypt_deactivate(cd, CDEVICE_2), "not active");
 	CRYPT_FREE(cd);
+
+	// No benchmark PBKDF2
+	pbkdf.flags = CRYPT_PBKDF_NO_BENCHMARK;
+	pbkdf.hash = "sha256";
+	pbkdf.iterations = 1000;
+	pbkdf.time_ms = 0;
+
+	OK_(crypt_init(&cd, DEVICE_2));
+	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+	OK_(crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, key, key_size, &params));
+	CRYPT_FREE(cd);
+
 	_cleanup_dmdevices();
 }
 
@@ -1541,7 +1571,8 @@
 {
 	const char *salt_hex =  "20c28ffc129c12360ba6ceea2b6cf04e89c2b41cfe6b8439eb53c1897f50df7b";
 	const char *root_hex =  "ab018b003a967fc782effb293b6dccb60b4f40c06bf80d16391acf686d28b5d6";
-	char salt[256], root_hash[256];
+	char salt[256], root_hash[256], root_hash_out[256];
+	size_t root_hash_out_size = 256;
 	struct crypt_active_device cad;
 	struct crypt_params_verity params = {
 		.data_device = DEVICE_EMPTY,
@@ -1628,6 +1659,10 @@
 	CRYPT_FREE(cd);
 
 	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+	memset(root_hash_out, 0, root_hash_out_size);
+	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_out, &root_hash_out_size, NULL, 0));
+	EQ_(32, root_hash_out_size);
+	OK_(memcmp(root_hash, root_hash_out, root_hash_out_size));
 	OK_(crypt_deactivate(cd, CDEVICE_1));
 
 	/* hash fail */
diff -Nru cryptsetup-2.2.2/tests/api_test.h cryptsetup-2.3.1/tests/api_test.h
--- cryptsetup-2.2.2/tests/api_test.h	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/api_test.h	2020-03-12 08:39:20.000000000 +0000
@@ -1,9 +1,9 @@
 /*
  * cryptsetup library API check functions
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
- * Copyright (C) 2016-2019 Ondrej Kozina
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
+ * Copyright (C) 2016-2020 Ondrej Kozina
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/tests/bitlk-compat-test cryptsetup-2.3.1/tests/bitlk-compat-test
--- cryptsetup-2.2.2/tests/bitlk-compat-test	1970-01-01 00:00:00.000000000 +0000
+++ cryptsetup-2.3.1/tests/bitlk-compat-test	2020-03-12 08:39:20.000000000 +0000
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# check bitlk images parsing
+
+[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+TST_DIR=bitlk-images
+MAP=bitlktst
+
+[ -z "$srcdir" ] && srcdir="."
+
+function remove_mapping()
+{
+	[ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
+}
+
+function fail()
+{
+	[ -n "$1" ] && echo "$1"
+	echo " [FAILED]"
+	echo "FAILED backtrace:"
+	while caller $frame; do ((frame++)); done
+	remove_mapping
+	exit 2
+}
+
+function skip()
+{
+	[ -n "$1" ] && echo "$1"
+	echo "Test skipped."
+	exit 77
+}
+
+function load_vars()
+{
+        local file=$(echo $1 | sed -e s/^$TST_DIR\\/// | sed -e s/\.img$//)
+        source <(grep = <(grep -A8 "\[$file\]" $TST_DIR/images.conf))
+}
+
+function check_dump()
+{
+        dump=$1
+        file=$2
+
+        # load variables for this image from config file
+        load_vars $file
+
+        # GUID
+        dump_guid=$(echo "$dump" | grep Version -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ")
+        [ ! -z "$GUID" -a "$dump_guid" = "$GUID"  ] || fail " GUID check from dump failed."
+
+        # cipher
+        dump_cipher=$(echo "$dump" | grep "Cipher name" | cut -d: -f2 | tr -d "\t\n ")
+        dump_mode=$(echo "$dump" | grep "Cipher mode" | cut -d: -f2 | tr -d "\t\n ")
+        cipher=$(echo "$dump_cipher-$dump_mode")
+        [ ! -z "$CIPHER" -a "$cipher" = "$CIPHER" ] || fail " cipher check from dump failed."
+
+        if echo "$file" | grep -q -e "smart-card"; then
+                # smart card protected VMK GUID
+                dump_sc_vmk=$(echo "$dump" | grep "VMK protected with smart card" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
+                [ ! -z "$SC_VMK_GUID" -a "$dump_sc_vmk" = "$SC_VMK_GUID" ] || fail " smart card protected VMK GUID check from dump failed."
+        else
+                # password protected VMK GUID
+                dump_pw_vmk=$(echo "$dump" | grep "VMK protected with passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
+                [ ! -z "$PW_VMK_GUID" -a "$dump_pw_vmk" = "$PW_VMK_GUID" ] || fail " password protected VMK GUID check from dump failed."
+        fi
+
+        # recovery password protected VMK GUID
+        dump_rp_vmk=$(echo "$dump" | grep "VMK protected with recovery passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
+        [ ! -z "$RP_VMK_GUID" -a "$dump_rp_vmk" = "$RP_VMK_GUID" ] || fail " recovery password protected VMK GUID check from dump failed."
+
+}
+
+export LANG=C
+[ ! -d $TST_DIR ] && tar xJSf $srcdir/bitlk-images.tar.xz --no-same-owner
+
+echo "HEADER CHECK"
+for file in $(ls $TST_DIR/bitlk-*) ; do
+	echo -n " $file"
+	out=$($CRYPTSETUP bitlkDump $file)
+        check_dump "$out" "$file"
+	echo " [OK]"
+done
+
+if [ $(id -u) != 0 ]; then
+	echo "WARNING: You must be root to run activation part of test, test skipped."
+	exit 0
+fi
+
+remove_mapping
+
+echo "ACTIVATION FS UUID CHECK"
+for file in $(ls $TST_DIR/bitlk-*) ; do
+	# load variables for this image from config file
+        load_vars $file
+
+	# test with both passphrase and recovery passphrase
+	for PASSPHRASE in $PW $RP ; do
+		echo -n " $file"
+		echo $PASSPHRASE | $CRYPTSETUP bitlkOpen -r $file --test-passphrase >/dev/null 2>&1
+		ret=$?
+		[ $ret -eq 1 ] && echo " [N/A]" && continue
+		echo $PASSPHRASE | $CRYPTSETUP bitlkOpen -r $file $MAP >/dev/null 2>&1
+		ret=$?
+		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc" ) && echo " [N/A]" && continue
+		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "aes-cbc-elephant" ) && echo " [N/A]" && continue
+		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "clearkey" ) && echo " [N/A]" && continue
+		[ $ret -eq 1 ] && ( echo "$file" | grep -q -e "eow" ) && echo " [N/A]" && continue
+		[ $ret -eq 0 ] || fail " failed to open $file ($ret)"
+		$CRYPTSETUP status $MAP >/dev/null || fail
+		$CRYPTSETUP status /dev/mapper/$MAP >/dev/null || fail
+		uuid=$(lsblk -n -o UUID /dev/mapper/$MAP)
+		sha256sum=$(sha256sum /dev/mapper/$MAP | cut -d" " -f1)
+		$CRYPTSETUP remove $MAP || fail
+		[ "$uuid" = "$UUID" ] || fail " UUID check failed."
+		[ "$sha256sum" = "$SHA256SUM" ] || fail " SHA256 sum check failed."
+		echo " [OK]"
+	done
+done
Binary files /tmp/tmpv8_dHb/b11Ux4gn6d/cryptsetup-2.2.2/tests/bitlk-images.tar.xz and /tmp/tmpv8_dHb/uQUQidZ7az/cryptsetup-2.3.1/tests/bitlk-images.tar.xz differ
diff -Nru cryptsetup-2.2.2/tests/compat-test cryptsetup-2.3.1/tests/compat-test
--- cryptsetup-2.2.2/tests/compat-test	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/compat-test	2020-03-12 08:39:20.000000000 +0000
@@ -216,6 +216,10 @@
 echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
 [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
 echo $PWD1 | $CRYPTSETUP luksOpen $IMG --test-passphrase || fail
+# test detached header --test-passphrase
+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --header $HEADER_IMG $IMG || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
+rm -f $HEADER_IMG
 echo "[3] add key"
 echo $PWD1 | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
@@ -692,6 +696,7 @@
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV || fail
 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP luksSuspend $DEV_NAME || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
 $CRYPTSETUP -q resize  $DEV_NAME 2>/dev/null && fail
 echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
 [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
@@ -753,6 +758,7 @@
 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail
 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
 
 prepare "[29] Repair metadata" wipe
 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 0 || fail
@@ -838,7 +844,7 @@
 proc abort {} { send_error "Timeout. "; exit 2 }
 set timeout 10
 eval spawn $CRYPTSETUP luksKillSlot -v $LOOPDEV 0
-expect timeout abort "Are you sure? (Type uppercase yes):"
+expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Enter any remaining passphrase:"
 sleep 0.1
@@ -857,7 +863,7 @@
 proc abort {} { send_error "Timeout. "; exit 2 }
 set timeout 10
 eval spawn $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
-expect timeout abort "Are you sure? (Type uppercase yes):"
+expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
 sleep 0.1
@@ -882,12 +888,12 @@
 proc abort {} { send_error "Timeout. "; exit 2 }
 set timeout 10
 eval spawn $CRYPTSETUP erase -v $LOOPDEV
-expect timeout abort "Are you sure? (Type uppercase yes):"
+expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Command successful."
 expect timeout abort eof
 eval spawn $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
-expect timeout abort "Are you sure? (Type uppercase yes):"
+expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
 send "YES\n"
 expect timeout abort "Enter passphrase for $EXPECT_DEV:"
 sleep 0.1
diff -Nru cryptsetup-2.2.2/tests/compat-test2 cryptsetup-2.3.1/tests/compat-test2
--- cryptsetup-2.2.2/tests/compat-test2	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/compat-test2	2020-03-12 08:39:20.000000000 +0000
@@ -641,6 +641,7 @@
 echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fail
 echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP luksSuspend $DEV_NAME || fail
+$CRYPTSETUP -q status  $DEV_NAME | grep -q "(suspended)" || fail
 $CRYPTSETUP -q resize  $DEV_NAME 2>/dev/null && fail
 echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
 [ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
@@ -709,6 +710,7 @@
 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail
 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
 
 prepare "[29] Repair metadata" wipe
 xz -dk $HEADER_LUKS2_PV.xz
@@ -752,6 +754,12 @@
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail
 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
 
+# create LUKS1 with data offset not aligned to 4KiB
+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --align-payload 4097 || fail
+$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
+$CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail
+$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
+
 if dm_crypt_keyring_flawed; then
 	prepare "[32a] LUKS2 keyring dm-crypt bug" wipe
 	echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
diff -Nru cryptsetup-2.2.2/tests/crypto-vectors.c cryptsetup-2.3.1/tests/crypto-vectors.c
--- cryptsetup-2.2.2/tests/crypto-vectors.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/crypto-vectors.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * cryptsetup crypto backend test vectors
  *
- * Copyright (C) 2018-2019 Milan Broz
+ * Copyright (C) 2018-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/tests/differ.c cryptsetup-2.3.1/tests/differ.c
--- cryptsetup-2.2.2/tests/differ.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/differ.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * cryptsetup file differ check (rewritten Clemens' fileDiffer in Python)
  *
- * Copyright (C) 2010-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/tests/integrity-compat-test cryptsetup-2.3.1/tests/integrity-compat-test
--- cryptsetup-2.2.2/tests/integrity-compat-test	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/integrity-compat-test	2020-03-12 08:39:20.000000000 +0000
@@ -141,53 +141,64 @@
 	int_check_sum_only $2
 }
 
-intformat() # alg alg_out tagsize sector_size csum [keyfile keysize]
+intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
 {
-	if [ -n "$7" ] ; then
-		KEY_PARAMS="--integrity-key-file $6 --integrity-key-size $7"
+	if [ -n "$8" ] ; then
+		KEY_PARAMS="--integrity-key-file $7 --integrity-key-size $8"
 	else
 		KEY_PARAMS=""
 	fi
 
-	echo -n "[INTEGRITY:$2:$3:$4]"
+	if [ $3 -ne 0 ] ; then
+		TAG_PARAMS="--tag-size $3"
+	else
+		TAG_PARAMS=""
+	fi
+
+	echo -n "[INTEGRITY:$2:$4:$5]"
 	echo -n "[FORMAT]"
-	$INTSETUP format -q --integrity $1 --tag-size $3 --sector-size $4 $KEY_PARAMS $DEV || fail "Cannot format device."
-	dump_check "tag_size" $3
-	dump_check "sector_size" $4
+	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null || fail "Cannot format device."
+	dump_check "tag_size" $4
+	dump_check "sector_size" $5
 	echo -n "[ACTIVATE]"
 	$INTSETUP open $DEV $DEV_NAME --integrity $1 $KEY_PARAMS || fail "Cannot activate device."
-	status_check "tag size" $3
+	status_check "tag size" $4
 	status_check "integrity" $2
-	status_check "sector size" "$4 bytes"
-	int_check_sum $1 $5 $6 $7
+	status_check "sector size" "$5 bytes"
+	int_check_sum $1 $6 $7 $8
 	echo -n "[REMOVE]"
 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
 	echo "[OK]"
 }
 
-int_error_detection() # mode alg tagsize sector_size key_file key_size
+int_error_detection() # mode alg tagsize outtagsize sector_size key_file key_size
 {
 	if [ "$1" == "B" ] ; then
 		INT_MODE="-B"
 	else
 		INT_MODE=""
 	fi
-	if [ -n "$6" ] ; then
-		KEY_PARAMS="--integrity-key-file $5 --integrity-key-size $6"
+	if [ -n "$7" ] ; then
+		KEY_PARAMS="--integrity-key-file $6 --integrity-key-size $7"
 	else
 		KEY_PARAMS=""
 	fi
+	if [ $3 -ne 0 ] ; then
+		TAG_PARAMS="--tag-size $3"
+	else
+		TAG_PARAMS=""
+	fi
 	dd if=/dev/zero of=$DEV bs=1M count=32 >/dev/null 2>&1
 
-	echo -n "[INTEGRITY:$1:$2:$3:$4]"
+	echo -n "[INTEGRITY:$1:$2:$4:$5]"
 	echo -n "[FORMAT]"
-	$INTSETUP format -q --integrity $2 --tag-size $3 --sector-size $4 $KEY_PARAMS $DEV $INT_MODE || fail "Cannot format device."
+	$INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device."
 	echo -n "[ACTIVATE]"
 	$INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device."
 
-	if [ -n "$5" -a -n "$6" ]; then
+	if [ -n "$6" -a -n "$7" ]; then
 		echo -n "[KEYED HASH]"
-		KEY_HEX=$(xxd -c 256 -l $6 -p $5)
+		KEY_HEX=$(xxd -c 256 -l $7 -p $6)
 		[ -z "$KEY_HEX" ] && fail "Cannot decode key."
 		dmsetup table --showkeys $DEV_NAME | grep -q $KEY_HEX || fail "Key mismatch."
 	fi
@@ -305,29 +316,29 @@
 dm_integrity_features
 
 add_device
-intformat crc32c      crc32c          4  512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
-intformat crc32       crc32           4  512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
-intformat sha1        sha1           20  512 6eedd6344dab8875cd185fcd6565dfc869ab36bc57e577f40c685290b1fa7fe7
-intformat sha1        sha1           16 4096 e152ec88227b539cd9cafd8bdb587a1072d720cd6bcebe1398d4136c9e7f337b
-intformat sha256      sha256         32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
-intformat hmac-sha256 hmac\(sha256\) 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 $KEY_FILE 32
-intformat sha256      sha256         32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4
-intformat hmac-sha256 hmac\(sha256\) 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 32
+intformat crc32c      crc32c          0  4  512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
+intformat crc32       crc32           0  4  512 08f63eb27fb9ce2ce903b0a56429c68ce5e209253ba42154841ef045a53839d7
+intformat sha1        sha1            0 20  512 6eedd6344dab8875cd185fcd6565dfc869ab36bc57e577f40c685290b1fa7fe7
+intformat sha1        sha1           16 16 4096 e152ec88227b539cd9cafd8bdb587a1072d720cd6bcebe1398d4136c9e7f337b
+intformat sha256      sha256          0 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11
+intformat hmac-sha256 hmac\(sha256\)  0 32  512 8e5fe4119558e117bfc40e3b0f13ade3abe497b52604d4c7cca0cfd6c7f4cf11 $KEY_FILE 32
+intformat sha256      sha256          0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4
+intformat hmac-sha256 hmac\(sha256\)  0 32 4096 33f7dfa5163ca9f740383fb8b0919574e38a7b20a94a4170fde4238196b7c4b4 $KEY_FILE 32
 
 echo "Error detection tests:"
-int_error_detection J crc32c      4  512
-int_error_detection J crc32c      4  4096
-int_error_detection J crc32       4  512
-int_error_detection J crc32       4  4096
-int_error_detection J sha1        20 512
-int_error_detection J sha1        16 512
-int_error_detection J sha1        20 4096
-int_error_detection J sha256      32 512
-int_error_detection J sha256      32 4096
+int_error_detection J crc32c  0  4  512
+int_error_detection J crc32c  0  4  4096
+int_error_detection J crc32   0  4  512
+int_error_detection J crc32   0  4  4096
+int_error_detection J sha1    0 20 512
+int_error_detection J sha1   16 16 512
+int_error_detection J sha1    0 20 4096
+int_error_detection J sha256  0 32 512
+int_error_detection J sha256  0 32 4096
 
 which xxd >/dev/null 2>&1 || skip "WARNING: xxd tool required."
-int_error_detection J hmac-sha256 32 512 $KEY_FILE 32
-int_error_detection J hmac-sha256 32 4096 $KEY_FILE 32
+int_error_detection J hmac-sha256  0 32 512 $KEY_FILE 32
+int_error_detection J hmac-sha256  0 32 4096 $KEY_FILE 32
 
 echo "Journal parameters tests:"
 # Watermark is calculated in kernel, so it can be rounded down/up
@@ -385,12 +396,12 @@
 	$INTSETUP close $DEV_NAME fail "Cannot deactivate device."
 	echo "[OK]"
 	echo "Bitmap error detection tests:"
-	int_error_detection B crc32c      4  512
-	int_error_detection B crc32c      4  4096
-	int_error_detection B sha256      32 512
-	int_error_detection B sha256      32 4096
-	int_error_detection B hmac-sha256 32 512 $KEY_FILE 32
-	int_error_detection B hmac-sha256 32 4096 $KEY_FILE 32
+	int_error_detection B crc32c      0  4 512
+	int_error_detection B crc32c      0  4 4096
+	int_error_detection B sha256      0 32 512
+	int_error_detection B sha256      0 32 4096
+	int_error_detection B hmac-sha256 0 32 512 $KEY_FILE 32
+	int_error_detection B hmac-sha256 0 32 4096 $KEY_FILE 32
 else
 	echo "[N/A]"
 fi
diff -Nru cryptsetup-2.2.2/tests/luks2-integrity-test cryptsetup-2.3.1/tests/luks2-integrity-test
--- cryptsetup-2.2.2/tests/luks2-integrity-test	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/luks2-integrity-test	2020-03-12 08:39:20.000000000 +0000
@@ -93,7 +93,7 @@
 	echo -n "[$1:$2:$4:$6]"
 	echo -n "[FORMAT]"
 	$CRYPTSETUP luksFormat --type luks2 -q -c $1 --integrity $2 --sector-size $6 -s $4 \
-		$FAST_PBKDF_OPT -d $KEY_FILE $DEV --offset 8192 >/dev/null 2>&1
+		$FAST_PBKDF_OPT -d $KEY_FILE $DEV --offset 8192 --integrity-legacy-padding >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
 		echo "[N/A]"
 		return
@@ -162,15 +162,5 @@
 
 intformat aegis128-random  aead aead 128 0  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
 intformat aegis128-random  aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
-intformat aegis128l-random aead aead 128 0  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
-intformat aegis128l-random aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
-intformat aegis256-random  aead aead 256 0  512 492c2d1cc9e222a850c399bfef4ed5a86bf5afc59e54f0f0c7ba8e2a64548323
-intformat aegis256-random  aead aead 256 0 4096 8c0463f5ac09613674bdf40b0ff6f985edbc3de04e51fdc688873cb333ef3cda
-intformat morus640-random  aead aead 128 0  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
-intformat morus640-random  aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
-intformat morus1280-random aead aead 128 0  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
-intformat morus1280-random aead aead 128 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
-intformat morus1280-random aead aead 256 0  512 ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c
-intformat morus1280-random aead aead 256 0 4096 358d6beceddf593aff6b22c31684e0df9c226330aff5812e060950215217d21b
 
 cleanup
diff -Nru cryptsetup-2.2.2/tests/luks2-reencryption-test cryptsetup-2.3.1/tests/luks2-reencryption-test
--- cryptsetup-2.2.2/tests/luks2-reencryption-test	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/luks2-reencryption-test	2020-03-12 08:39:20.000000000 +0000
@@ -816,7 +816,7 @@
 
 # Device activation after encryption initialization
 wipe_dev $DEV
-echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 -S11 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
 check_hash_dev /dev/mapper/$DEV_NAME $HASH5
 echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
diff -Nru cryptsetup-2.2.2/tests/Makefile.am cryptsetup-2.3.1/tests/Makefile.am
--- cryptsetup-2.2.2/tests/Makefile.am	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/Makefile.am	2020-03-12 08:39:20.000000000 +0000
@@ -17,7 +17,8 @@
 	luks2-validation-test \
 	luks2-integrity-test \
 	vectors-test \
-	blockwise-compat
+	blockwise-compat \
+	bitlk-compat-test
 
 if VERITYSETUP
 TESTS += verity-compat-test
@@ -67,11 +68,13 @@
 	cryptsetup-valg-supps valg.sh valg-api.sh \
 	blockwise-compat \
 	blkid-luks2-pv.img.xz \
-	Makefile.localtest
+	Makefile.localtest \
+	bitlk-compat-test \
+	bitlk-images.tar.xz
 
 CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log
 clean-local:
-	-rm -rf tcrypt-images luks1-images luks2-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp
+	-rm -rf tcrypt-images luks1-images luks2-images bitlk-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp
 
 differ_SOURCES = differ.c
 differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
diff -Nru cryptsetup-2.2.2/tests/reencryption-compat-test cryptsetup-2.3.1/tests/reencryption-compat-test
--- cryptsetup-2.2.2/tests/reencryption-compat-test	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/reencryption-compat-test	2020-03-12 08:39:20.000000000 +0000
@@ -286,6 +286,10 @@
 check_hash $PWD1 $HASH5
 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
 prepare 8192
+OFFSET=4096
+echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
+$CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
+wipe_dev $LOOPDEV1
 
 echo "[5] Reencryption using specific keyslot"
 echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
diff -Nru cryptsetup-2.2.2/tests/test_utils.c cryptsetup-2.3.1/tests/test_utils.c
--- cryptsetup-2.2.2/tests/test_utils.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/test_utils.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,8 +1,8 @@
 /*
  * cryptsetup library API test utilities
  *
- * Copyright (C) 2009-2019 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2019 Milan Broz
+ * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2020 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/tests/unit-utils-io.c cryptsetup-2.3.1/tests/unit-utils-io.c
--- cryptsetup-2.2.2/tests/unit-utils-io.c	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/tests/unit-utils-io.c	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * simple unit test for utils_io.c (blockwise low level functions)
  *
- * Copyright (C) 2018-2019 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Red Hat, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff -Nru cryptsetup-2.2.2/.travis.yml cryptsetup-2.3.1/.travis.yml
--- cryptsetup-2.2.2/.travis.yml	2019-11-01 08:02:46.000000000 +0000
+++ cryptsetup-2.3.1/.travis.yml	2020-03-12 08:39:20.000000000 +0000
@@ -1,7 +1,7 @@
 language: c
 
 sudo: required
-dist: xenial
+dist: bionic
 
 compiler:
   - gcc
@@ -15,7 +15,6 @@
   only:
     - master
     - wip-luks2
-    - v2_0_x
 
 before_install:
   - uname -a