diff --git a/man/crypttab.xml b/man/crypttab.xml
index e98151ca75..b130c32b11 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -529,11 +529,19 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>silent</option></term>
+        <term><option>password-echo=yes|no|masked</option></term>
 
-        <listitem><para>If an encryption password or security token PIN is
-        read from console, no asterisks will be shown while typing the pin or
-        password.</para></listitem>
+        <listitem><para>Controls whether to echo passwords or security token PINs
+        that are read from console. Takes a boolean or the special string <literal>masked</literal>.
+        The default is <option>password-echo=masked</option>.</para>
+
+        <para>If enabled, the typed characters are echoed literally. If disabled,
+        the typed characters are not echoed in any form, the user will not get
+        feedback on their input. If set to <literal>masked</literal>, an asterisk
+        (<literal>*</literal>) is echoed for each character typed. Regardless of
+        which mode is chosen, if the user hits the tabulator key (<literal>↹</literal>)
+        at any time, or the backspace key (<literal>⌫</literal>) before any other
+        data has been entered, then echo is turned off.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c
index 7e347f4bf0..dfaded3cdb 100644
--- a/src/cryptsetup/cryptsetup-fido2.c
+++ b/src/cryptsetup/cryptsetup-fido2.c
@@ -27,9 +27,8 @@ int acquire_fido2_key(
                 Fido2EnrollFlags required,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size,
-                bool silent) {
+                AskPasswordFlags ask_password_flags) {
 
-        AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED | (silent*ASK_PASSWORD_SILENT);
         _cleanup_strv_free_erase_ char **pins = NULL;
         _cleanup_free_ void *loaded_salt = NULL;
         const char *salt;
@@ -37,6 +36,8 @@ int acquire_fido2_key(
         char *e;
         int r;
 
+        ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
+
         assert(cid);
         assert(key_file || key_data);
 
@@ -96,11 +97,11 @@ int acquire_fido2_key(
                 if (headless)
                         return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
 
-                r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins);
+                r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins);
                 if (r < 0)
                         return log_error_errno(r, "Failed to ask for user password: %m");
 
-                flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+                ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
         }
 }
 
diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h
index a762311681..204f1e06c6 100644
--- a/src/cryptsetup/cryptsetup-fido2.h
+++ b/src/cryptsetup/cryptsetup-fido2.h
@@ -27,7 +27,7 @@ int acquire_fido2_key(
                 Fido2EnrollFlags required,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size,
-                bool silent);
+                AskPasswordFlags ask_password_flags);
 
 int find_fido2_auto_data(
                 struct crypt_device *cd,
@@ -58,7 +58,7 @@ static inline int acquire_fido2_key(
                 Fido2EnrollFlags required,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size,
-                bool silent) {
+                AskPasswordFlags ask_password_flags) {
 
         return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                "FIDO2 token support not available.");
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index b64b47393d..dd84018c17 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -58,7 +58,7 @@ static char *arg_header = NULL;
 static unsigned arg_tries = 3;
 static bool arg_readonly = false;
 static bool arg_verify = false;
-static bool arg_silent = false;
+static AskPasswordFlags arg_ask_password_flags = 0;
 static bool arg_discards = false;
 static bool arg_same_cpu_crypt = false;
 static bool arg_submit_from_crypt_cpus = false;
@@ -235,9 +235,20 @@ static int parse_one_option(const char *option) {
                 arg_readonly = true;
         else if (streq(option, "verify"))
                 arg_verify = true;
-        else if (streq(option, "silent"))
-                arg_silent = true;
-        else if (STR_IN_SET(option, "allow-discards", "discard"))
+        else if ((val = startswith(option, "password-echo="))) {
+                if (streq(val, "masked"))
+                        arg_ask_password_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT);
+                else {
+                        r = parse_boolean(val);
+                        if (r < 0) {
+                                log_warning_errno(r, "Invalid password-echo= option \"%s\", ignoring.", val);
+                                return 0;
+                        }
+
+                        SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_ECHO, r);
+                        SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_SILENT, !r);
+                }
+        } else if (STR_IN_SET(option, "allow-discards", "discard"))
                 arg_discards = true;
         else if (streq(option, "same-cpu-crypt"))
                 arg_same_cpu_crypt = true;
@@ -543,7 +554,7 @@ static int get_password(
         _cleanup_strv_free_erase_ char **passwords = NULL;
         char **p, *id;
         int r = 0;
-        AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | (arg_silent*ASK_PASSWORD_SILENT);
+        AskPasswordFlags flags = arg_ask_password_flags | ASK_PASSWORD_PUSH_CACHE;
 
         assert(vol);
         assert(src);
@@ -811,7 +822,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                 arg_headless,
                                 required,
                                 &decrypted_key, &decrypted_key_size,
-                                arg_silent);
+                                arg_ask_password_flags);
                 if (r >= 0)
                         break;
                 if (r != -EAGAIN) /* EAGAIN means: token not found */