4 files changed, 20 insertions, 5 deletions

diff --git a/man/crypttab.xml b/man/crypttab.xml
index d3aa3b8fc1..8f0ed5b77d 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -529,6 +529,13 @@
       </varlistentry>
 
       <varlistentry>
+        <term><option>silent</option></term>
+
+        <listitem><para>If the encryption password is read from console, no asterisks will be shown
+        while typing the password.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><option>pkcs11-uri=</option></term>
 
         <listitem><para>Takes either the special value <literal>auto</literal> or an <ulink
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index ca6bdecb86..74bd071c10 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -57,6 +57,7 @@ static char *arg_header = NULL;
 static unsigned arg_tries = 3;
 static bool arg_readonly = false;
 static bool arg_verify = false;
+static bool arg_silent = false;
 static bool arg_discards = false;
 static bool arg_same_cpu_crypt = false;
 static bool arg_submit_from_crypt_cpus = false;
@@ -233,6 +234,8 @@ static int parse_one_option(const char *option) {
                 arg_readonly = true;
         else if (streq(option, "verify"))
                 arg_verify = true;
+        else if (streq(option, "silent"))
+                arg_silent = true;
         else if (STR_IN_SET(option, "allow-discards", "discard"))
                 arg_discards = true;
         else if (streq(option, "same-cpu-crypt"))
@@ -539,6 +542,7 @@ static int get_password(
         _cleanup_strv_free_erase_ char **passwords = NULL;
         char **p, *id;
         int r = 0;
+        AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | (arg_silent*ASK_PASSWORD_SILENT);
 
         assert(vol);
         assert(src);
@@ -561,7 +565,7 @@ static int get_password(
         id = strjoina("cryptsetup:", disk_path);
 
         r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", "cryptsetup.passphrase", until,
-                              ASK_PASSWORD_PUSH_CACHE | (accept_cached*ASK_PASSWORD_ACCEPT_CACHED),
+                              flags | (accept_cached*ASK_PASSWORD_ACCEPT_CACHED),
                               &passwords);
         if (r < 0)
                 return log_error_errno(r, "Failed to query password: %m");
@@ -576,7 +580,7 @@ static int get_password(
 
                 id = strjoina("cryptsetup-verification:", disk_path);
 
-                r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", "cryptsetup.passphrase", until, ASK_PASSWORD_PUSH_CACHE, &passwords2);
+                r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", "cryptsetup.passphrase", until, flags, &passwords2);
                 if (r < 0)
                         return log_error_errno(r, "Failed to query verification password: %m");
 
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index 04c6b5287e..0895a24c7f 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -799,12 +799,14 @@ int ask_password_agent(
                 "Socket=%s\n"
                 "AcceptCached=%i\n"
                 "Echo=%i\n"
-                "NotAfter="USEC_FMT"\n",
+                "NotAfter="USEC_FMT"\n"
+                "Silent=%i\n",
                 getpid_cached(),
                 socket_name,
                 (flags & ASK_PASSWORD_ACCEPT_CACHED) ? 1 : 0,
                 (flags & ASK_PASSWORD_ECHO) ? 1 : 0,
-                until);
+                until,
+                (flags & ASK_PASSWORD_SILENT) ? 1 : 0);
 
         if (message)
                 fprintf(f, "Message=%s\n", message);
diff --git a/src/tty-ask-password-agent/tty-ask-password-agent.c b/src/tty-ask-password-agent/tty-ask-password-agent.c
index ceacb61bf1..e056853f31 100644
--- a/src/tty-ask-password-agent/tty-ask-password-agent.c
+++ b/src/tty-ask-password-agent/tty-ask-password-agent.c
@@ -169,7 +169,7 @@ static int agent_ask_password_tty(
 
 static int process_one_password_file(const char *filename) {
         _cleanup_free_ char *socket_name = NULL, *message = NULL;
-        bool accept_cached = false, echo = false;
+        bool accept_cached = false, echo = false, silent = false;
         uint64_t not_after = 0;
         unsigned pid = 0;
 
@@ -180,6 +180,7 @@ static int process_one_password_file(const char *filename) {
                 { "Ask", "PID",          config_parse_unsigned, 0, &pid           },
                 { "Ask", "AcceptCached", config_parse_bool,     0, &accept_cached },
                 { "Ask", "Echo",         config_parse_bool,     0, &echo          },
+                { "Ask", "Silent",       config_parse_bool,     0, &silent        },
                 {}
         };
 
@@ -239,6 +240,7 @@ static int process_one_password_file(const char *filename) {
                 SET_FLAG(flags, ASK_PASSWORD_ACCEPT_CACHED, accept_cached);
                 SET_FLAG(flags, ASK_PASSWORD_CONSOLE_COLOR, arg_console);
                 SET_FLAG(flags, ASK_PASSWORD_ECHO, echo);
+                SET_FLAG(flags, ASK_PASSWORD_SILENT, silent);
 
                 if (arg_plymouth)
                         r = ask_password_plymouth(message, not_after, flags, filename, &passwords);