diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c
index 98fd83a014..8cbb1f7d88 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c
@@ -158,6 +158,7 @@ static int acquire_luks2_key_systemd(
 
         data.friendly_name = params->friendly_name;
         data.headless = params->headless;
+        data.askpw_flags = params->askpw_flags;
         data.until = params->until;
 
         /* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 204ffa9922..1ebebcb203 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -1399,7 +1399,8 @@ static int attach_luks2_by_pkcs11_via_plugin(
         systemd_pkcs11_plugin_params params = {
                 .friendly_name = friendly_name,
                 .until = until,
-                .headless = headless
+                .headless = headless,
+                .askpw_flags = arg_ask_password_flags,
         };
 
         r = crypt_activate_by_token_pin(cd, name, "systemd-pkcs11", CRYPT_ANY_TOKEN, NULL, 0, &params, flags);
diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c
index 70469d0206..6e88dc3803 100644
--- a/src/shared/pkcs11-util.c
+++ b/src/shared/pkcs11-util.c
@@ -291,6 +291,7 @@ int pkcs11_token_login(
                 const char *key_name,
                 const char *credential_name,
                 usec_t until,
+                AskPasswordFlags ask_password_flags,
                 bool headless,
                 char **ret_used_pin) {
 
@@ -371,7 +372,7 @@ int pkcs11_token_login(
                                 return log_oom();
 
                         /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
-                        r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, 0, &passwords);
+                        r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags, &passwords);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
                 }
@@ -1058,6 +1059,8 @@ struct pkcs11_acquire_certificate_callback_data {
         char *pin_used;
         X509 *cert;
         const char *askpw_friendly_name, *askpw_icon_name;
+        AskPasswordFlags askpw_flags;
+        bool headless;
 };
 
 static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) {
@@ -1086,7 +1089,19 @@ static int pkcs11_acquire_certificate_callback(
 
         /* Called for every token matching our URI */
 
-        r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
+        r = pkcs11_token_login(
+                        m,
+                        session,
+                        slot_id,
+                        token_info,
+                        data->askpw_friendly_name,
+                        data->askpw_icon_name,
+                        "pkcs11-pin",
+                        "pkcs11-pin",
+                        UINT64_MAX,
+                        data->askpw_flags,
+                        data->headless,
+                        &pin_used);
         if (r < 0)
                 return r;
 
@@ -1325,6 +1340,7 @@ int pkcs11_crypt_device_callback(
                         "pkcs11-pin",
                         "cryptsetup.pkcs11-pin",
                         data->until,
+                        data->askpw_flags,
                         data->headless,
                         NULL);
         if (r < 0)
diff --git a/src/shared/pkcs11-util.h b/src/shared/pkcs11-util.h
index ac2ee08535..5bc23c14c4 100644
--- a/src/shared/pkcs11-util.h
+++ b/src/shared/pkcs11-util.h
@@ -8,6 +8,7 @@
 #  include <p11-kit/uri.h>
 #endif
 
+#include "ask-password-api.h"
 #include "macro.h"
 #include "openssl-util.h"
 #include "time-util.h"
@@ -47,7 +48,7 @@ char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
 char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);
 
 int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size);
-int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, bool headless, char **ret_used_pin);
+int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin);
 
 int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
 #if HAVE_OPENSSL
@@ -75,6 +76,7 @@ typedef struct {
         size_t decrypted_key_size;
         bool free_encrypted_key;
         bool headless;
+        AskPasswordFlags askpw_flags;
 } pkcs11_crypt_device_callback_data;
 
 void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data);
@@ -102,6 +104,7 @@ typedef struct {
         const char *friendly_name;
         usec_t until;
         bool headless;
+        AskPasswordFlags askpw_flags;
 } systemd_pkcs11_plugin_params;
 
 int pkcs11_list_tokens(void);