External Token API does not ask for PIN except in --token-only mode.
I've been writing my own token to use the new external token API, but I've been surprised by a few quirks which I'll file here for your consideration. When I return -ENOANO, cryptsetup will ask for the PIN and retry the library call with cryptsetup_token_open_pin, but only when cryptsetup open is invoked in --token-only mode. Otherwise it goes straight to asking the user for the unlock passphrase and never tries again. It seems to me like it would be nice to ask for a token PIN if the library suggested it. It might be nice to pass the passphrase into the library as a PIN if it didn't unlock anything successfully, but I can see that potentially has its own security risks or problems with tokens that have try counters. Is it appropriate for the token library to prompt for a PIN on the console rather than return -ENOANO if it will be ignored?
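A minimal external token plugin skeleton, added here as an example (not the issue author's token or cryptsetup's own code), showing the -ENOANO handshake the post describes: the plain open entry point reports that a PIN is needed, and the `_pin` entry point validates the PIN and releases the keyslot passphrase. The function names and signatures are the libcryptsetup external token entry points; the demo PIN, the embedded passphrase, and the decision to report a wrong PIN with -ENOANO are constructed assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Opaque libcryptsetup handle; the plugin never dereferences it, so the
   block builds without the libcryptsetup header. */
struct crypt_device;
/* Constructed demo secrets: a real plugin would unseal the passphrase from
   hardware or a remote service rather than embed it. */
static const char demo_pin[] = "1234";
static const char demo_passphrase[] = "constructed-keyslot-passphrase";

/* Constant-time compare so timing does not reveal how many PIN bytes matched. */
static int pin_matches(const char *pin, size_t pin_size)
{
    size_t want = sizeof(demo_pin) - 1;
    unsigned char diff = (unsigned char)(pin_size != want);
    for (size_t i = 0; i < want; i++)
        diff |= (unsigned char)(demo_pin[i] ^ (i < pin_size ? pin[i] : 0));
    return diff == 0;
}

/* First call, made without a PIN: -ENOANO tells cryptsetup a PIN is needed. */
int cryptsetup_token_open(struct crypt_device *cd, int token,
                          char **password, size_t *password_len, void *usrptr)
{
    (void)cd; (void)token; (void)password; (void)password_len; (void)usrptr;
    return -ENOANO;
}

/* Retry with the user's PIN. On success the passphrase is returned in a heap
   buffer that cryptsetup releases through cryptsetup_token_buffer_free(). */
int cryptsetup_token_open_pin(struct crypt_device *cd, int token,
                              const char *pin, size_t pin_size,
                              char **password, size_t *password_len, void *usrptr)
{
    (void)cd; (void)token; (void)usrptr;
    if (!pin || !pin_matches(pin, pin_size))
        return -ENOANO; /* assumption: a wrong PIN is reported like a missing one */
    *password_len = sizeof(demo_passphrase) - 1;
    if (!(*password = malloc(*password_len)))
        return -ENOMEM;
    memcpy(*password, demo_passphrase, *password_len);
    return 0;
}

/* Wipe through a volatile pointer so the passphrase does not linger in memory. */
void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len)
{
    volatile unsigned char *p = buffer;
    if (!p) return;
    while (buffer_len--) *p++ = 0;
    free(buffer);
}
```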