diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8
--- cryptsetup-2.4.3.old/man/cryptsetup.8	2022-02-23 16:33:42.449525744 +0100
+++ cryptsetup-2.4.3/man/cryptsetup.8	2022-02-24 08:57:43.036396289 +0100
@@ -321,7 +321,8 @@ the command prompts for it interactively
 \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
 \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
 \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring,
-\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
+\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf,
+\-\-unbound].
 .PP
 \fIluksSuspend\fR <name>
 .IP
@@ -1465,10 +1466,14 @@ aligned to page size and page-cache init
 integrity tag.
 .TP
 .B "\-\-unbound"
-
 Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
 \fIluksDump\fR actions for more details.
 
+When used in \fIluksOpen\fR action (allowed only together with
+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
+keyslot is selected via \-\-key\-slot parameter.
+
 .TP
 .B "\-\-tcrypt\-hidden"
 .B "\-\-tcrypt\-system"
diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h
--- cryptsetup-2.4.3.old/src/cryptsetup_args.h	2022-02-23 16:33:42.450525749 +0100
+++ cryptsetup-2.4.3/src/cryptsetup_args.h	2022-02-24 08:57:43.036396289 +0100
@@ -75,7 +75,7 @@
 #define OPT_TCRYPT_HIDDEN_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TCRYPT_SYSTEM_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TEST_PASSPHRASE_ACTIONS		{ OPEN_ACTION }
-#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION }
+#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
 #define OPT_USE_RANDOM_ACTIONS			{ FORMAT_ACTION }
 #define OPT_USE_URANDOM_ACTIONS			{ FORMAT_ACTION }
 #define OPT_UUID_ACTIONS			{ FORMAT_ACTION, UUID_ACTION }
diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
--- cryptsetup-2.4.3.old/src/cryptsetup.c	2022-02-23 16:33:42.450525749 +0100
+++ cryptsetup-2.4.3/src/cryptsetup.c	2022-02-24 08:57:43.036396289 +0100
@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32
 		*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
 
 	/* Only for LUKS2 but ignored elsewhere */
-	if (ARG_SET(OPT_TEST_PASSPHRASE_ID))
+	if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
+	    (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
 
 	if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv)
 		_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
 		poptGetInvocationName(popt_context));
 
+	if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type &&
+	    strncmp(device_type, "luks", 4))
+		usage(popt_context, EXIT_FAILURE,
+		_("Option --unbound is allowed only for open of luks device."),
+		poptGetInvocationName(popt_context));
+
+	if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
+	    !strcmp(aname, OPEN_ACTION))
+		usage(popt_context, EXIT_FAILURE,
+		_("Option --unbound cannot be used without --test-passphrase."),
+		poptGetInvocationName(popt_context));
+
 	if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID))
 		usage(popt_context, EXIT_FAILURE,
 		_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
--- cryptsetup-2.4.3.old/tests/compat-test2	2022-02-23 16:33:42.444525716 +0100
+++ cryptsetup-2.4.3/tests/compat-test2	2022-02-24 09:05:38.716422307 +0100
@@ -699,7 +699,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
 # otoh it should be allowed to test for proper passphrase
 prepare "" new
 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
 [ -b /dev/mapper/$DEV_NAME ] && fail
 echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
@@ -708,7 +708,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
 $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
 
 prepare "[28] Detached LUKS header" wipe
@@ -967,11 +967,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
 # do not allow to replace keyslot by unbound slot
 echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
 # check we're able to change passphrase for unbound keyslot
 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
 echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail