diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index eadf5a4ace..4fab74b8cc 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -675,6 +675,16 @@
+
+
+
+ Show a list of candidate block devices this command may operate on. Specifically,
+ this enumerates block devices currently present that contain a LUKS superblock, and shows their device
+ node paths along with any of their symlinks.
+
+
+
+
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 263b8921b1..035310bc33 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -4,6 +4,7 @@
#include
#include "ask-password-api.h"
+#include "blockdev-list.h"
#include "blockdev-util.h"
#include "build.h"
#include "cryptenroll-fido2.h"
@@ -179,6 +180,7 @@ static int help(void) {
"%5$sEnroll a security token or authentication credential to a LUKS volume.%6$s\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
+ " --list-devices List candidate block devices to operate on\n"
" --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n"
"\n%3$sUnlocking:%4$s\n"
@@ -266,6 +268,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_FIDO2_WITH_UP,
ARG_FIDO2_WITH_UV,
ARG_FIDO2_CRED_ALG,
+ ARG_LIST_DEVICES,
};
static const struct option options[] = {
@@ -294,6 +297,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "tpm2-pcrlock", required_argument, NULL, ARG_TPM2_PCRLOCK },
{ "tpm2-with-pin", required_argument, NULL, ARG_TPM2_WITH_PIN },
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
+ { "list-devices", no_argument, NULL, ARG_LIST_DEVICES },
{}
};
@@ -622,6 +626,13 @@ static int parse_argv(int argc, char *argv[]) {
break;
}
+ case ARG_LIST_DEVICES:
+ r = blockdev_list(BLOCKDEV_LIST_SHOW_SYMLINKS|BLOCKDEV_LIST_REQUIRE_LUKS);
+ if (r < 0)
+ return r;
+
+ return 0;
+
case '?':
return -EINVAL;
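Review bot: The new `case ARG_LIST_DEVICES:` calls `blockdev_list()` and returns from inside the option loop, so options after `--list-devices` are never parsed or validated, and anything given before it, such as `--wipe-slot=`, is silently ignored. For a tool that modifies key slots it would be safer to reject such combinations explicitly. At minimum, record the intent above the `return 0;` with a comment such as `/* Listing is a standalone action: return 0 so that nothing is enrolled or wiped */`. That reading of the return value is inferred, because the caller of parse_argv() is not visible and the function starts and ends outside this hunk.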
diff --git a/test/units/TEST-24-CRYPTSETUP.sh b/test/units/TEST-24-CRYPTSETUP.sh
index b788c82cd7..9e86523d0e 100755
--- a/test/units/TEST-24-CRYPTSETUP.sh
+++ b/test/units/TEST-24-CRYPTSETUP.sh
@@ -270,4 +270,6 @@ cryptsetup_start_and_check detached_slot{0..1}
cryptsetup_start_and_check -f detached_slot_fail
cryptsetup_start_and_check -u detached_nofail
+systemd-cryptenroll --list-devices
+
touch /testok
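Review bot: The added `systemd-cryptenroll --list-devices` line checks only the exit status, so the `BLOCKDEV_LIST_REQUIRE_LUKS` filter and the symlink output are not exercised. The test would still pass if the command printed nothing or listed non-LUKS devices. If a LUKS-formatted block device is attached at this point in the script (not visible in this hunk), assert on the output instead, for example `systemd-cryptenroll --list-devices | grep -F "$LUKS_DEVICE_PLACEHOLDER"`. The variable name is a placeholder for whichever device node the test set up earlier.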