diff --git a/doc/user-guide/06-layout-configuration.adoc b/doc/user-guide/06-layout-configuration.adoc

index f59384db..88ba0420 100644

--- a/doc/user-guide/06-layout-configuration.adoc

+++ b/doc/user-guide/06-layout-configuration.adoc

@@ -630,7 +630,7 @@ lvmvol <volume_group> <name> <size(bytes)> <layout> [key:value ...]

 === LUKS Devices ===

 ----------------------------------

-crypt /dev/mapper/<name> <device> [cipher=<cipher>] [key_size=<key size>] [hash=<hash function>] [uuid=<uuid>] [keyfile=<keyfile>] [password=<password>]

+crypt /dev/mapper/<name> <device> [type=<type>] [cipher=<cipher>] [key_size=<key size>] [hash=<hash function>] [uuid=<uuid>] [keyfile=<keyfile>] [password=<password>]

 ----------------------------------

 === DRBD ===

diff --git a/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh b/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh

index 05279bc8..0c662f67 100644

--- a/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh

+++ b/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh

@@ -1,35 +1,75 @@

+

 # Code to recreate and/or open LUKS volumes.

 create_crypt() {

+    # See the create_device() function in lib/layout-functions.sh what "device type" means:

+    local device_type="$1"

+    if ! grep -q "^crypt $device_type " "$LAYOUT_FILE" ; then

+        LogPrintError "Skip recreating LUKS volume $device_type (no 'crypt $device_type' entry in $LAYOUT_FILE)"

+        # FIXME: The return code is ignored in the create_device() function in lib/layout-functions.sh:

+        return 1

+    fi

+    

     local crypt target_device source_device options

-    read crypt target_device source_device options < <(grep "^crypt $1 " "$LAYOUT_FILE")

+    local mapping_name option key value

+    local cryptsetup_options="" keyfile="" password=""

-    local target_name=${target_device#/dev/mapper/}

+    read crypt target_device source_device options < <( grep "^crypt $device_type " "$LAYOUT_FILE" )

+

+    # Careful! One cannot 'test -b $source_device' here at the time when this code is run

+    # because the source device is usually a disk partition block device like /dev/sda2

+    # but disk partition block devices usually do not yet exist (in particular not on a new clean disk)

+    # because partitions are actually created later when the diskrestore.sh script is run

+    # but not here when this code is run which only generates the diskrestore.sh script:

+    if ! test $source_device ; then

+        LogPrintError "Skip recreating LUKS volume $device_type: No source device (see the 'crypt $device_type' entry in $LAYOUT_FILE)"

+        # FIXME: The return code is ignored in the create_device() function in lib/layout-functions.sh:

+        return 1

+    fi

+

+    mapping_name=${target_device#/dev/mapper/}

+    if ! test $mapping_name ; then

+        LogPrintError "Skip recreating LUKS volume $device_type on $source_device: No /dev/mapper/... mapping name (see the 'crypt $device_type' entry in $LAYOUT_FILE)"

+        # FIXME: The return code is ignored in the create_device() function in lib/layout-functions.sh:

+        return 1

+    fi

-    local cryptsetup_options="" keyfile="" password=""

-    local option key value

     for option in $options ; do

-        key=${option%=*}

+        # $option is of the form keyword=value and

+        # we assume keyword has no '=' character but value could be anything that may have a '=' character

+        # so we split keyword=value at the leftmost '=' character so that

+        # e.g. keyword=foo=bar gets split into key="keyword" and value="foo=bar":

+        key=${option%%=*}

         value=${option#*=}

-

+        # The "cryptseup luksFormat" command does not require any of the type, cipher, key-size, hash, uuid option values

+        # because if omitted a cryptseup default value is used so we treat those values as optional.

+        # Using plain test to ensure the value is a single non empty and non blank word

+        # without quoting because test " " would return zero exit code

+        # cf. "Beware of the emptiness" in https://github.com/rear/rear/wiki/Coding-Style

         case "$key" in

-            cipher)

-                cryptsetup_options+=" --cipher $value"

+            (type)

+                test $value && cryptsetup_options+=" --type $value"

+                ;;

+            (cipher)

+                test $value && cryptsetup_options+=" --cipher $value"

+                ;;

+            (key_size)

+                test $value && cryptsetup_options+=" --key-size $value"

                 ;;

-            key_size)

-                cryptsetup_options+=" --key-size $value"

+            (hash)

+                test $value && cryptsetup_options+=" --hash $value"

                 ;;

-            hash)

-                cryptsetup_options+=" --hash $value"

+            (uuid)

+                test $value && cryptsetup_options+=" --uuid $value"

                 ;;

-            uuid)

-                cryptsetup_options+=" --uuid $value"

+            (keyfile)

+                test $value && keyfile=$value

                 ;;

-            keyfile)

-                keyfile=$value

+            (password)

+                test $value && password=$value

                 ;;

-            password)

-                password=$value

+            (*)

+                LogPrintError "Skipping unsupported LUKS cryptsetup option '$key' in 'crypt $target_device $source_device' entry in $LAYOUT_FILE"

                 ;;

         esac

     done

@@ -37,26 +77,25 @@ create_crypt() {

     cryptsetup_options+=" $LUKS_CRYPTSETUP_OPTIONS"

     (

-    echo "Log \"Creating LUKS device $target_name on $source_device\""

+    echo "LogPrint \"Creating LUKS volume $mapping_name on $source_device\""

     if [ -n "$keyfile" ] ; then

         # Assign a temporary keyfile at this stage so that original keyfiles do not leak onto the rescue medium.

         # The original keyfile will be restored from the backup and then re-assigned to the LUKS device in the

         # 'finalize' stage.

         # The scheme for generating a temporary keyfile path must be the same here and in the 'finalize' stage.

-        keyfile="${TMPDIR:-/tmp}/LUKS-keyfile-$target_name"

+        keyfile="$TMP_DIR/LUKS-keyfile-$mapping_name"

         dd bs=512 count=4 if=/dev/urandom of="$keyfile"

         chmod u=rw,go=- "$keyfile"

-

         echo "cryptsetup luksFormat --batch-mode $cryptsetup_options $source_device $keyfile"

-        echo "cryptsetup luksOpen --key-file $keyfile $source_device $target_name"

+        echo "cryptsetup luksOpen --key-file $keyfile $source_device $mapping_name"

     elif [ -n "$password" ] ; then

         echo "echo \"$password\" | cryptsetup luksFormat --batch-mode $cryptsetup_options $source_device"

-        echo "echo \"$password\" | cryptsetup luksOpen $source_device $target_name"

+        echo "echo \"$password\" | cryptsetup luksOpen $source_device $mapping_name"

     else

-        echo "LogPrint \"Please enter the password for LUKS device $target_name ($source_device):\""

+        echo "LogUserOutput \"Set the password for LUKS volume $mapping_name (for 'cryptsetup luksFormat' on $source_device):\""

         echo "cryptsetup luksFormat --batch-mode $cryptsetup_options $source_device"

-        echo "LogPrint \"Please re-enter the password for LUKS device $target_name ($source_device):\""

-        echo "cryptsetup luksOpen $source_device $target_name"

+        echo "LogUserOutput \"Enter the password for LUKS volume $mapping_name (for 'cryptsetup luksOpen' on $source_device):\""

+        echo "cryptsetup luksOpen $source_device $mapping_name"

     fi

     echo ""

     ) >> "$LAYOUT_CODE"

@@ -64,38 +103,61 @@ create_crypt() {

 # Function open_crypt() is meant to be used by the 'mountonly' workflow

 open_crypt() {

+    # See the do_mount_device() function in lib/layout-functions.sh what "device type" means:

+    local device_type="$1"

+    if ! grep -q "^crypt $device_type " "$LAYOUT_FILE" ; then

+        LogPrintError "Skip opening LUKS volume $device_type (no 'crypt $device_type' entry in $LAYOUT_FILE)"

+        # FIXME: The return code is ignored in the do_mount_device() function in lib/layout-functions.sh:

+        return 1

+    fi

+

     local crypt target_device source_device options

-    read crypt target_device source_device options < <(grep "^crypt $1 " "$LAYOUT_FILE")

+    local mapping_name option key value

+    local cryptsetup_options="" keyfile="" password=""

-    local target_name=${target_device#/dev/mapper/}

+    read crypt target_device source_device options < <( grep "^crypt $device_type " "$LAYOUT_FILE" )

+

+    if ! test -b "$source_device" ; then

+        LogPrintError "Skip opening LUKS volume $device_type on device '$source_device' that is no block device (see the 'crypt $device_type' entry in $LAYOUT_FILE)"

+        # FIXME: The return code is ignored in the do_mount_device() function in lib/layout-functions.sh:

+        return 1

+    fi

+

+    mapping_name=${target_device#/dev/mapper/}

+    if ! test $mapping_name ; then

+        LogPrintError "Skip opening LUKS volume $device_type on $source_device: No /dev/mapper/... mapping name (see the 'crypt $device_type' entry in $LAYOUT_FILE)"

+        # FIXME: The return code is ignored in the do_mount_device() function in lib/layout-functions.sh:

+        return 1

+    fi

-    local cryptsetup_options="" keyfile="" password=""

-    local option key value

     for option in $options ; do

-        key=${option%=*}

+        # $option is of the form keyword=value and

+        # we assume keyword has no '=' character but value could be anything that may have a '=' character

+        # so we split keyword=value at the leftmost '=' character so that

+        # e.g. keyword=foo=bar gets split into key="keyword" and value="foo=bar":

+        key=${option%%=*}

         value=${option#*=}

-

         case "$key" in

-            keyfile)

-                keyfile=$value

+            (keyfile)

+                test $value && keyfile=$value

                 ;;

-            password)

-                password=$value

+            (password)

+                test $value && password=$value

                 ;;

         esac

     done

     (

-    echo "Log \"Opening LUKS device $target_name on $source_device\""

+    echo "LogPrint \"Opening LUKS volume $mapping_name on $source_device\""

     if [ -n "$keyfile" ] ; then

         # During a 'mountonly' workflow, the original keyfile is supposed to be

         # available at this point.

-        echo "cryptsetup luksOpen --key-file $keyfile $source_device $target_name"

+        echo "cryptsetup luksOpen --key-file $keyfile $source_device $mapping_name"

     elif [ -n "$password" ] ; then

-        echo "echo \"$password\" | cryptsetup luksOpen $source_device $target_name"

+        echo "echo \"$password\" | cryptsetup luksOpen $source_device $mapping_name"

     else

-        echo "LogPrint \"Please enter the password for LUKS device $target_name ($source_device):\""

-        echo "cryptsetup luksOpen $source_device $target_name"

+        echo "LogUserOutput \"Enter the password for LUKS volume $mapping_name (for 'cryptsetup luksOpen' on $source_device):\""

+        echo "cryptsetup luksOpen $source_device $mapping_name"

     fi

     echo ""

     ) >> "$LAYOUT_CODE"

diff --git a/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh b/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh

index c1e1cfd5..afeabf6a 100644

--- a/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh

+++ b/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh

@@ -9,6 +9,8 @@ Log "Saving Encrypted volumes."

 REQUIRED_PROGS+=( cryptsetup dmsetup )

 COPY_AS_IS+=( /usr/share/cracklib/\* /etc/security/pwquality.conf )

+local invalid_cryptsetup_option_value="no"

+

 while read target_name junk ; do

     # find the target device we're mapping

     if ! [ -e /dev/mapper/$target_name ] ; then

@@ -30,29 +32,96 @@ while read target_name junk ; do

         source_device="$(get_device_name ${slave##*/})"

     done

-    if ! cryptsetup isLuks $source_device >/dev/null 2>&1; then

+    if ! blkid -p -o export $source_device >$TMP_DIR/blkid.output ; then

+        LogPrintError "Error: Cannot get attributes for $target_name ('blkid -p -o export $source_device' failed)"

         continue

     fi

-    # gather crypt information

-    cipher=$(cryptsetup luksDump $source_device | grep "Cipher name" | sed -r 's/^.+:\s*(.+)$/\1/')

-    mode=$(cryptsetup luksDump $source_device | grep "Cipher mode" | cut -d: -f2- | awk '{printf("%s",$1)};')

-    key_size=$(cryptsetup luksDump $source_device | grep "MK bits" | sed -r 's/^.+:\s*(.+)$/\1/')

-    hash=$(cryptsetup luksDump $source_device | grep "Hash spec" | sed -r 's/^.+:\s*(.+)$/\1/')

-    uuid=$(cryptsetup luksDump $source_device | grep "UUID" | sed -r 's/^.+:\s*(.+)$/\1/')

-    keyfile_option=$([ -f /etc/crypttab ] && awk '$1 == "'"$target_name"'" && $3 != "none" && $3 != "-" && $3 != "" { print "keyfile=" $3; }' /etc/crypttab)

+    if ! grep -q "TYPE=crypto_LUKS" $TMP_DIR/blkid.output ; then

+        Log "Skipping $target_name (no 'TYPE=crypto_LUKS' in 'blkid -p -o export $source_device' output)"

+        continue

+    fi

-    # LUKS version 2 is not yet suppported, see https://github.com/rear/rear/issues/2204

-    # When LUKS version 2 is used the above code fails at least to determine the hash value

-    # so we use an empty hash value as a simple test if gathering crypt information was successful:

-    test "$hash" || Error "No hash value for LUKS device '$target_name' at '$source_device' (only LUKS version 1 is supported)"

+    # Detect LUKS version:

+    # Remove all non-digits in particular to avoid leading or trailing spaces in the version string

+    # cf. "Beware of the emptiness" in https://github.com/rear/rear/wiki/Coding-Style

+    # that could happen if the blkid output contains "VERSION = 2" so that 'cut -d= -f2' results " 2".

+    version=$( grep "VERSION" $TMP_DIR/blkid.output | cut -d= -f2 | tr -c -d '[:digit:]' )

+    if ! test "$version" = "1" -o "$version" = "2" ; then

+        LogPrintError "Error: Unsupported LUKS version for $target_name ('blkid -p -o export $source_device' shows 'VERSION=$version')"

+        continue

+    fi

+    luks_type=luks$version

-    echo "crypt /dev/mapper/$target_name $source_device cipher=$cipher-$mode key_size=$key_size hash=$hash uuid=$uuid $keyfile_option" >> $DISKLAYOUT_FILE

-done < <( dmsetup ls --target crypt )

+    # Gather crypt information:

+    if ! cryptsetup luksDump $source_device >$TMP_DIR/cryptsetup.luksDump ; then

+        LogPrintError "Error: Cannot get LUKS$version values for $target_name ('cryptsetup luksDump $source_device' failed)"

+        continue

+    fi

+    uuid=$( grep "UUID" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )

+    keyfile_option=$( [ -f /etc/crypttab ] && awk '$1 == "'"$target_name"'" && $3 != "none" && $3 != "-" && $3 != "" { print "keyfile=" $3; }' /etc/crypttab )

+    if test $luks_type = "luks1" ; then

+        cipher_name=$( grep "Cipher name" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )

+        cipher_mode=$( grep "Cipher mode" $TMP_DIR/cryptsetup.luksDump | cut -d: -f2- | awk '{printf("%s",$1)};' )

+        cipher=$cipher_name-$cipher_mode

+        key_size=$( grep "MK bits" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )

+        hash=$( grep "Hash spec" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )

+    elif test $luks_type = "luks2" ; then

+        cipher=$( grep "cipher:" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )

+        # More than one keyslot may be defined - use key_size from the first slot.

+        # Depending on the version the "cryptsetup luksDump" command outputs the key_size value

+        # as a line like

+        #         Key:        512 bits

+        # and/or as a line like

+        #         Cipher key: 512 bits

+        # cf. https://github.com/rear/rear/pull/2504#issuecomment-718729198 and subsequent comments

+        # so we grep for both lines but use only the first match from the first slot:

+        key_size=$( egrep -m 1 "Key:|Cipher key:" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+) bits$/\1/' )

+        hash=$( grep "Hash" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )

+    fi

-# cryptsetup is required in the recovery system if disklayout.conf contains at least one 'crypt' entry

-# see the create_crypt function in layout/prepare/GNU/Linux/160_include_luks_code.sh

-# what program calls are written to diskrestore.sh

-# cf. https://github.com/rear/rear/issues/1963

-grep -q '^crypt ' $DISKLAYOUT_FILE && REQUIRED_PROGS+=( cryptsetup ) || true

+    # Basic checks that the cipher key_size hash uuid values exist

+    # cf. https://github.com/rear/rear/pull/2504#issuecomment-718729198

+    # because some values are needed during "rear recover"

+    # to set cryptsetup options in layout/prepare/GNU/Linux/160_include_luks_code.sh

+    # and it seems cryptsetup fails when options with empty values are specified

+    # cf. https://github.com/rear/rear/pull/2504#issuecomment-719479724

+    # For example a LUKS1 crypt entry in disklayout.conf looks like

+    # crypt /dev/mapper/luks1test /dev/sda7 type=luks1 cipher=aes-xts-plain64 key_size=256 hash=sha256 uuid=1b4198c9-d9b0-4c57-b9a3-3433e391e706 

+    # and a LUKS1 crypt entry in disklayout.conf looks like

+    # crypt /dev/mapper/luks2test /dev/sda8 type=luks2 cipher=aes-xts-plain64 key_size=256 hash=sha256 uuid=3e874a28-7415-4f8c-9757-b3f28a96c4d2 

+    # Only the keyfile_option value is optional and the luks_type value is already tested above.

+    # Using plain test to ensure a value is a single non empty and non blank word

+    # without quoting because test " " would return zero exit code

+    # cf. "Beware of the emptiness" in https://github.com/rear/rear/wiki/Coding-Style

+    # Do not error out instantly here but only report errors here so the user can see all messages

+    # and actually error out at the end of this script if there was one actually invalid value:

+    if ! test $cipher ; then

+        LogPrint "No 'cipher' value for LUKS$version volume $target_name in $source_device"

+    fi

+    if test $key_size ; then

+        if ! is_positive_integer $key_size ; then

+            LogPrintError "Error: 'key_size=$key_size' is no positive integer for LUKS$version volume $target_name in $source_device"

+            invalid_cryptsetup_option_value="yes"

+        fi

+    else

+        LogPrint "No 'key_size' value for LUKS$version volume $target_name in $source_device"

+    fi

+    if ! test $hash ; then

+        LogPrint "No 'hash' value for LUKS$version volume $target_name in $source_device"

+    fi

+    if ! test $uuid ; then

+        # Report a missig uuid value as an error to have the user informed

+        # but do not error out here because things can be fixed manually during "rear recover"

+        # cf. https://github.com/rear/rear/pull/2506#issuecomment-721757810

+        # and https://github.com/rear/rear/pull/2506#issuecomment-722315498

+        # and https://github.com/rear/rear/issues/2509

+        LogPrintError "Error: No 'uuid' value for LUKS$version volume $target_name in $source_device (mounting it or booting the recreated system may fail)"

+    fi

+

+    echo "crypt /dev/mapper/$target_name $source_device type=$luks_type cipher=$cipher key_size=$key_size hash=$hash uuid=$uuid $keyfile_option" >> $DISKLAYOUT_FILE

+

+done < <( dmsetup ls --target crypt )

+# Let this script return successfully when invalid_cryptsetup_option_value is not true:

+is_true $invalid_cryptsetup_option_value && Error "Invalid or empty LUKS cryptsetup option value(s) in $DISKLAYOUT_FILE" || true