diff --git a/man/common_options.adoc b/man/common_options.adoc
index d7f89229..5c113094 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -590,7 +590,8 @@ endif::[]
 ifdef::ACTION_OPEN,ACTION_LUKSRESUME[]
 *--link-vk-to-keyring* _::_::
 Link volume key in a keyring with specified key name. The volume key is linked only
-if requested action is successfully finished.
+if requested action is successfully finished (with --test-passphrase the verified
+volume key is linked in a keyring without taking further action).
 +
 __ string has to contain existing kernel keyring description.
 The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions.
diff --git a/src/utils_luks.c b/src/utils_luks.c
index 5007b3f4..5c51a5a2 100644
--- a/src/utils_luks.c
+++ b/src/utils_luks.c
@@ -104,6 +104,9 @@ void set_activation_flags(uint32_t *flags)
 	    (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
 
+	if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID))
+		*flags |= CRYPT_ACTIVATE_KEYRING_KEY;
+
 	if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
 		*flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
 
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
index 3d5c07c6..0b8a8802 100755
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
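Review bot: The new `OPT_LINK_VK_TO_KEYRING_ID` check in set_activation_flags() turns a linking option into `CRYPT_ACTIVATE_KEYRING_KEY` without a comment, whereas every neighbouring check in the hunk maps an option to its own flag one-to-one, so the indirection is easy to misread as a copy-paste slip. A short why-comment would fix that, e.g. `/* VK must go through the kernel keyring before it can be linked into the requested keyring */` — presumably that is the reason, but confirm against the activation path that consumes the flag. It is also worth documenting, here or in the option's man page entry, how this interacts with `--disable-keyring`, since both options now influence whether the volume key is handled via the kernel keyring and this hunk does not show whether that combination is rejected elsewhere. set_activation_flags() starts and ends outside the hunk.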
@@ -231,6 +231,30 @@ function setup_luks2_env() {
 	$CRYPTSETUP close $DEV_NAME || fail
 }
 
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
+test_vk_link_with_passphrase_check() {
+	KEY_TYPE=${3:-user}
+	if [ -z "$3" ]; then
+		KEY_DESC=$1
+	else
+		KEY_DESC="%$3:$1"
+	fi
+
+	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+
+	echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
+	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
+	if [ $KEY_TYPE = "user" ]; then
+		$CRYPTSETUP open $OPAL2_DEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
+	fi
+	keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
+
+	echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV || fail
+	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
+}
+
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
@@ -1234,6 +1258,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 	# explicitly specify keyring key type
 	test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
 
+	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
+	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
+	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
+
 	test_vk_link_and_reactivate $KEY_NAME "@u" "user"
 	test_vk_link_and_reactivate $KEY_NAME "@u"
 	[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user"
diff --git a/tests/compat-test2 b/tests/compat-test2
index bc865638..b54a509c 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
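Review bot: In test_vk_link_with_passphrase_check() the `--volume-key-keyring` round-trip runs only when `$KEY_TYPE` is `user`, so the `logon` invocation added at the call site verifies linking solely through `keyctl search`, and nothing in the helper says that this is deliberate; a comment above the `if` such as `# logon keys cannot be read back from userspace, so only user keys can be fed to --volume-key-keyring` would make that explicit (presumably the reason — confirm). The helper also assigns `KEY_TYPE`, `KEY_DESC` and `KEYCTL_KEY_NAME` as globals and leaves `$KEY_TYPE` and `$1` unquoted in both `keyctl search` calls while quoting `$2` on the same line; `local` declarations and `keyctl search "$2" "$KEY_TYPE" "$1"` would be consistent. The closing negative check treats any `keyctl search` failure as success, so a missing or unreadable keyring would pass silently rather than fail the test. The identical copy of this helper in tests/compat-test2 has the same points.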
@@ -297,6 +297,30 @@ function add_scsi_device() {
 	[ -b $DEV ] || fail "Cannot find $DEV."
 }
 
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
+test_vk_link_with_passphrase_check() {
+	KEY_TYPE=${3:-user}
+	if [ -z "$3" ]; then
+		KEY_DESC=$1
+	else
+		KEY_DESC="%$3:$1"
+	fi
+
+	KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
+
+	echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
+	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
+	if [ $KEY_TYPE = "user" ]; then
+		$CRYPTSETUP open $LOOPDEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
+	fi
+	keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
+
+	echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV || fail
+	keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
+}
+
+# $1 key name
+# $2 keyring to link VK to
+# $3 key type (optional)
@@ -1474,6 +1498,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 	test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user"
 	test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
 
+	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
+	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
+	test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
+
 	# test numeric keyring name -5 is user session (@us) keyring
 	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail
 	keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."