diff --git a/misc/dracut_90reencrypt/parse-reencrypt.sh b/misc/dracut_90reencrypt/parse-reencrypt.sh
index 35b66651..6c076e9d 100755
--- a/misc/dracut_90reencrypt/parse-reencrypt.sh
+++ b/misc/dracut_90reencrypt/parse-reencrypt.sh
@@ -4,6 +4,11 @@
 REENC=$(getargs rd_REENCRYPT=)
 REENC_DEV=$(echo $REENC | sed 's/:.*//')
 REENC_SIZE=$(echo $REENC | sed -n 's/.*://p')
+REENC_KEY=$(getargs rd_REENCRYPT_KEY=)
+if [ -z "$REENC_KEY" ] ; then
+ REENC_KEY=none
+fi
+
 if [ -n "$REENC_DEV" ] ; then
 {
 printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
@@ -11,7 +16,7 @@ if [ -n "$REENC_DEV" ] ; then
 printf 'KERNEL!="%s", GOTO="reenc_end"\n' $REENC_DEV
 printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
 --unique --onetime --name crypt-reencrypt-%%k \
- /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_SIZE"
+ /sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SIZE"
 printf 'LABEL="reenc_end"\n'
 } > /etc/udev/rules.d/69-reencryption.rules
 fi
diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
index d200a85d..d0a5f35f 100755
--- a/misc/dracut_90reencrypt/reencrypt.sh
+++ b/misc/dracut_90reencrypt/reencrypt.sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+#
+# $1=$device [$2=keyfile|none [$3=size]]
+#
 
 [ -d /sys/module/dm_crypt ] || modprobe dm_crypt
 
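Review bot: `REENC_KEY` is only defaulted when empty; nothing checks that a supplied value has the `<device>:<path>` form that `reenc_readkey` in reencrypt.sh splits on, so a value without a colon makes keydev and keypath the same string and fails only at mount time. The same raw value is then embedded into the udev RUN line in the next hunk (`"$REENC_KEY $REENC_SIZE"`), where whitespace would split the argument and udev's own `$`/`%` substitutions would apply; the kernel command line is trusted, but a malformed value currently fails late and with a misleading error. Replace the `if [ -z "$REENC_KEY" ]` block with a `case` that accepts only empty, `none` or a `dev:path` pair and otherwise warns and falls back to `none`.
```shell
case "$REENC_KEY" in
    ""|none) REENC_KEY=none ;;
    *:*) ;;
    *)
        warn "rd_REENCRYPT_KEY must be <device>:<path>, ignoring '$REENC_KEY'"
        REENC_KEY=none
        ;;
esac
```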
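Review bot: The new usage comment leaves the `keyfile` argument format unspecified, while `reenc_readkey` in the next hunk of this file parses it as `<keydev>:<path>` and mounts `keydev` read-only to read `path` from it. I would extend the comment to `# $2: 'none' (ask for a passphrase) or <block device>:<path of the key file on that device>` so the contract between parse-reencrypt.sh and this script is visible where the arguments are described.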
@@ -14,18 +17,39 @@ else
 fi
 
 PARAMS="$device -T 1 --use-fsync -B 32"
-if [ -n "$2" ]; then
- PARAMS="$PARAMS --device-size $2"
+if [ -n "$3" ]; then
+ PARAMS="$PARAMS --device-size $3"
 fi
 
+reenc_readkey() {
+ local keypath="${1#*:}"
+ local keydev="${1%%:*}"
+
+ local mntp=$(mkuniqdir /mnt keydev)
+ mount -r "$keydev" "$mntp" || return
+ cat "$mntp/$keypath"
+ umount "$mntp"
+ rmdir "$mntp"
+}
+
+reenc_run() {
+ local cwd=$(pwd)
+ cd /tmp
+ if [ "$1" = "none" ] ; then
+ /bin/plymouth ask-for-password \
+ --prompt "LUKS password for REENCRYPTING $device" \
+ --command="/sbin/cryptsetup-reencrypt $PARAMS"
+ else
+ info "REENCRYPT using key $1"
+ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
+ fi
+ cd $cwd
+}
+
 info "REENCRYPT $device requested"
 # flock against other interactive activities
 { flock -s 9;
- CURR=$(pwd)
- cd /tmp
- /bin/plymouth ask-for-password --prompt "LUKS password for REENCRYPTING $device" \
- --command="/sbin/cryptsetup-reencrypt $PARAMS"
- cd $CURR
+ reenc_run $2
 } 9>/.console.lock
 
 # do not ask again
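Review bot: In `reenc_readkey`, `local mntp=$(mkuniqdir /mnt keydev)` masks a failure of `mkuniqdir` (the status of `local` wins), a failed `mount -r` returns without removing the directory `mkuniqdir` created, and a missing or unreadable `$mntp/$keypath` just produces empty output, so `/sbin/cryptsetup-reencrypt -d -` in `reenc_run` is fed an empty key and reports a bad passphrase rather than a missing key; `#!/bin/sh` has no pipefail, so the pipeline status cannot catch it either. Separating declaration from assignment, cleaning up on the mount failure path and checking the key file before `cat` gives a clear diagnostic at the point of failure. The call site `reenc_run $2` should also be `reenc_run "$2"` so the argument survives word-splitting unchanged. The `--device-size` change at the top of the hunk is consistent with the new `$3` position as long as parse-reencrypt.sh always emits a key token, which the defaulting to `none` there guarantees.
```shell
reenc_readkey() {
    local keypath="${1#*:}"
    local keydev="${1%%:*}"
    local mntp

    mntp=$(mkuniqdir /mnt keydev) || return
    mount -r "$keydev" "$mntp" || { rmdir "$mntp"; return 1; }
    if [ -r "$mntp/$keypath" ]; then
        cat "$mntp/$keypath"
    else
        warn "REENCRYPT key $keypath not found on $keydev"
    fi
    umount "$mntp"
    rmdir "$mntp"
}
# … unchanged: reenc_run, flock block …
```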