Open LUKS volume using key stored in kernel keyring

Has anyone managed to have cryptsetup open a LUKS volume using a passphrase stored in the kernel keyring? According to this article (see towards the bottom) it should be possible.

I have a passphrase loaded in the keyring for root with read permissions:

# keyctl list @u
1 key in keyring:
 57767030: --alswrv     0     0 user: nixos_data:passphrase
# keyctl describe 57767030
 57767030: alswrvalswrv------------     0     0 user: nixos_data:passphrase

If I open the encrypted volume by explicitly piping in the content of this key, the volume is successfully unlocked:

# keyctl pipe 57767030 | cryptsetup open /safe.img nixos_data_decrypted --key-file -

From the linked article, I understood that to have cryptsetup read the key directly from the keyring, I should add a token to the luks device like this:

# cryptsetup token add --key-description nixos_data:passphrase /safe.img

After which I should be able to open the device without explicitly specifying the passphrase like this:

# cryptsetup open --token-only /safe.img nixos_data_decrypted

Running this with --debug, however, gives the following output:

# Activating volume nixos_data_decrypted using token -1.
# Validating keyring token json
# keyring_get_passphrase failed (error -126)
# Token 0 (luks2-keyring) open failed with -22.
# Releasing crypt device /safe.img context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

Full output can be found here.

Edit: Omitting the --token-only option does not change this, in that case cryptsetup asks for an existing passphrase and so still does not use the passphrase stored in the kernel keyring.

Ozymandias

Posted 2018-12-12T22:46:55.687

Reputation: 151

Try the open command without the --token-only option, it's not in the example link. Other than that, perhaps the key description is wrong – Xen2050 – 2018-12-16T20:04:18.003

No answers
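As an added example (not from the question, the linked article, or cryptsetup itself), here is a POSIX shell script that does the preflight check a practitioner would want before relying on a luks2-keyring token, and that turns the "error -126" from the debug log into its errno name. The image path, mapping name and key description come from the question; the function names, the luksDump grep and the choice of checks are assumptions of this example, and the open step needs root plus cryptsetup and keyutils installed.

```shell
#!/bin/sh
# Added example, not cryptsetup's own tooling. Defaults mirror the question.
KEY_DESC="${KEY_DESC:-nixos_data:passphrase}"
IMG="${IMG:-/safe.img}"
NAME="${NAME:-nixos_data_decrypted}"

# Map the negative errno that cryptsetup prints in --debug output to a name.
# -126 is ENOKEY: request_key(2) found no "user" key with that description in
# the keyrings searched for the calling process (thread, process, session).
explain_keyring_error() {
    case "$1" in
        -126|126) echo "ENOKEY: no key '$KEY_DESC' visible to this process; compare 'keyctl request user $KEY_DESC'" ;;
        -13|13)   echo "EACCES: key found but this process lacks permission on it" ;;
        -22|22)   echo "EINVAL: token open rejected (in the question it follows the ENOKEY failure)" ;;
        *)        echo "errno $1: see errno(3)" ;;
    esac
}

# Pull the errno out of a cryptsetup --debug transcript read from stdin.
keyring_errno_from_debug() {
    sed -n 's/.*keyring_get_passphrase failed (error \(-\{0,1\}[0-9]*\)).*/\1/p' | head -n 1
}

# Does THIS process see the key the way cryptsetup will? 'keyctl request'
# performs the same request_key(2) lookup as cryptsetup, whereas
# 'keyctl list @u' only lists the user keyring, which the session keyring
# of a sudo or service context is not guaranteed to link to.
key_visible() {
    keyctl request user "$KEY_DESC" >/dev/null 2>&1
}

# Add the luks2-keyring token only if the header does not already carry one.
ensure_token() {
    if ! cryptsetup luksDump "$IMG" | grep -q 'luks2-keyring'; then
        cryptsetup token add --key-description "$KEY_DESC" "$IMG"
    fi
}

# Open through the token; on failure, name the errno from the debug output.
open_with_token() {
    if ! key_visible; then
        echo "key not visible from this process: $(explain_keyring_error -126)" >&2
        return 1
    fi
    ensure_token || return 1
    out=$(cryptsetup open --debug --token-only "$IMG" "$NAME" 2>&1) && return 0
    err=$(printf '%s\n' "$out" | keyring_errno_from_debug)
    [ -n "$err" ] && explain_keyring_error "$err" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then open_with_token; fi
```

Run it as `sh luks-keyring-check.sh run` from the same shell session (or systemd unit) that will later call cryptsetup, since keyring visibility depends on that process's session keyring.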