diff --git a/src/Makemodule.am b/src/Makemodule.am
index c5c3104d..eac084cc 100644
--- a/src/Makemodule.am
+++ b/src/Makemodule.am
@@ -1,30 +1,24 @@
-noinst_LTLIBRARIES += libutils_tools.la
-
-libutils_tools_la_SOURCES =	\
-	src/utils_tools.c	\
-	src/utils_password.c	\
-	lib/utils_io.c		\
-	lib/utils_blkid.c	\
-	src/cryptsetup.h
-
-libutils_tools_la_CFLAGS = $(AM_CFLAGS)
-
-libutils_tools_la_LIBADD = -lm @BLKID_LIBS@ @PWQUALITY_LIBS@ @PASSWDQC_LIBS@
-
 # cryptsetup
 if CRYPTSETUP
 
 cryptsetup_SOURCES =		\
 	lib/utils_crypt.c	\
 	lib/utils_loop.c	\
+	lib/utils_io.c		\
+	lib/utils_blkid.c	\
+	src/utils_tools.c	\
+	src/utils_password.c	\
+	src/utils_luks2.c	\
 	src/cryptsetup.c	\
 	src/cryptsetup.h
 
-cryptsetup_LDADD = \
+cryptsetup_LDADD = -lm		\
 	libcryptsetup.la	\
-	libutils_tools.la	\
 	@POPT_LIBS@		\
-	@UUID_LIBS@
+	@PWQUALITY_LIBS@	\
+	@PASSWDQC_LIBS@		\
+	@UUID_LIBS@		\
+	@BLKID_LIBS@
 
 sbin_PROGRAMS += cryptsetup
 
@@ -46,13 +40,16 @@ if VERITYSETUP
 veritysetup_SOURCES =		\
 	lib/utils_crypt.c	\
 	lib/utils_loop.c	\
+	lib/utils_io.c		\
+	lib/utils_blkid.c	\
+	src/utils_tools.c	\
 	src/veritysetup.c	\
 	src/cryptsetup.h
 
-veritysetup_LDADD = \
+veritysetup_LDADD = -lm		\
 	libcryptsetup.la	\
-	libutils_tools.la	\
-	@POPT_LIBS@
+	@POPT_LIBS@		\
+	@BLKID_LIBS@
 
 sbin_PROGRAMS += veritysetup
 
@@ -74,14 +71,16 @@ if INTEGRITYSETUP
 integritysetup_SOURCES =	\
 	lib/utils_crypt.c	\
 	lib/utils_loop.c	\
+	lib/utils_blkid.c	\
+	src/utils_tools.c	\
 	src/integritysetup.c	\
 	src/cryptsetup.h
 
-integritysetup_LDADD = \
+integritysetup_LDADD = -lm	\
 	libcryptsetup.la	\
-	libutils_tools.la	\
 	@POPT_LIBS@		\
-	@UUID_LIBS@
+	@UUID_LIBS@		\
+	@BLKID_LIBS@
 
 sbin_PROGRAMS += integritysetup
 
@@ -101,14 +100,20 @@ endif
 if REENCRYPT
 cryptsetup_reencrypt_SOURCES =		\
 	lib/utils_crypt.c		\
+	lib/utils_io.c			\
+	lib/utils_blkid.c		\
+	src/utils_tools.c		\
+	src/utils_password.c		\
 	src/cryptsetup_reencrypt.c	\
 	src/cryptsetup.h
 
-cryptsetup_reencrypt_LDADD = \
+cryptsetup_reencrypt_LDADD = -lm	\
 	libcryptsetup.la		\
-	libutils_tools.la		\
 	@POPT_LIBS@			\
-	@UUID_LIBS@
+	@PWQUALITY_LIBS@		\
+	@PASSWDQC_LIBS@			\
+	@UUID_LIBS@			\
+	@BLKID_LIBS@
 
 sbin_PROGRAMS += cryptsetup-reencrypt
 
diff --git a/src/utils_luks2.c b/src/utils_luks2.c
new file mode 100644
index 00000000..63d5c120
--- /dev/null
+++ b/src/utils_luks2.c
@@ -0,0 +1,139 @@
+/*
+ * Helper utilities for LUKS2 features
+ *
+ * Copyright (C) 2018, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2018, Milan Broz
+ * Copyright (C) 2018, Ondrej Kozina
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "cryptsetup.h"
+
+/*
+ * FIXME: 4MiBs is max LUKS2 mda length (including binary header).
+ * In future, read max allowed JSON size from config section.
+ */
+#define LUKS2_MAX_MDA_SIZE 0x400000
+int tools_read_json_file(struct crypt_device *cd, const char *file, char **json, size_t *json_size)
+{
+	ssize_t ret;
+	int fd, block, r;
+	void *buf = NULL;
+
+	block = tools_signals_blocked();
+	if (block)
+		set_int_block(0);
+
+	if (tools_is_stdin(file)) {
+		fd = STDIN_FILENO;
+		log_dbg("STDIN descriptor JSON read requested.");
+	} else {
+		log_dbg("File descriptor JSON read requested.");
+		fd = open(file, O_RDONLY);
+		if (fd < 0) {
+			log_err(_("Failed to open file %s in read-only mode."), file);
+			r = -EINVAL;
+			goto out;
+		}
+	}
+
+	buf = malloc(LUKS2_MAX_MDA_SIZE);
+	if (!buf) {
+		r = -ENOMEM;
+		goto out;
+	}
+
+	if (isatty(fd) && !opt_batch_mode)
+		log_std(_("Provide valid LUKS2 token JSON:\n"));
+
+	/* we expect JSON (string) */
+	r = 0;
+	ret = read_buffer_intr(fd, buf, LUKS2_MAX_MDA_SIZE - 1, &quit);
+	if (ret < 0) {
+		r = -EIO;
+		log_err(_("Failed to read JSON file."));
+		goto out;
+	}
+	check_signal(&r);
+	if (r) {
+		log_err(_("\nRead interrupted."));
+		goto out;
+	}
+
+	*json_size = (size_t)ret;
+	*json = buf;
+	*(*json + ret) = '\0';
+out:
+	if (block && !quit)
+		set_int_block(1);
+	if (fd >= 0 && fd != STDIN_FILENO)
+		close(fd);
+	if (r && buf) {
+		memset(buf, 0, LUKS2_MAX_MDA_SIZE);
+		free(buf);
+	}
+	return r;
+}
+
+int tools_write_json_file(struct crypt_device *cd, const char *file, const char *json)
+{
+	int block, fd, r;
+	size_t json_len;
+	ssize_t ret;
+
+	if (!json || !(json_len = strlen(json)) || json_len >= LUKS2_MAX_MDA_SIZE)
+		return -EINVAL;
+
+	block = tools_signals_blocked();
+	if (block)
+		set_int_block(0);
+
+	if (tools_is_stdin(file)) {
+		fd = STDOUT_FILENO;
+		log_dbg("STDOUT descriptor JSON write requested.");
+	} else {
+		log_dbg("File descriptor JSON write requested.");
+		fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
+	}
+
+	if (fd < 0) {
+		log_err(_("Failed to open file %s in write mode."), file ?: "");
+		r = -EINVAL;
+		goto out;
+	}
+
+	r = 0;
+	ret = write_buffer_intr(fd, json, json_len, &quit);
+	check_signal(&r);
+	if (r) {
+		log_err(_("\nWrite interrupted."));
+		goto out;
+	}
+	if (ret < 0 || (size_t)ret != json_len) {
+		log_err(_("Failed to write JSON file."));
+		r = -EIO;
+		goto out;
+	}
+
+	if (isatty(fd))
+		(void) write_buffer_intr(fd, "\n", 1, &quit);
+out:
+	if (block && !quit)
+		set_int_block(1);
+	if (fd >=0 && fd != STDOUT_FILENO)
+		close(fd);
+	return r;
+}
diff --git a/src/utils_password.c b/src/utils_password.c
index b15f9eb3..81c35da0 100644
--- a/src/utils_password.c
+++ b/src/utils_password.c
@@ -94,25 +94,6 @@ static int tools_check_pwquality(const char *password)
 }
 #endif /* ENABLE_PWQUALITY || ENABLE_PASSWDQC */
 
-int tools_is_cipher_null(const char *cipher)
-{
-	if (!cipher)
-		return 0;
-
-	return !strcmp(cipher, "cipher_null") ? 1 : 0;
-}
-
-/*
- * Keyfile - is standard input treated as a binary file (no EOL handling).
- */
-int tools_is_stdin(const char *key_file)
-{
-	if (!key_file)
-		return 1;
-
-	return strcmp(key_file, "-") ? 0 : 1;
-}
-
 /* Password reading helpers */
 static int untimed_read(int fd, char *pass, size_t maxlen)
 {
diff --git a/src/utils_tools.c b/src/utils_tools.c
index 6cfd66cc..f0ba6f3e 100644
--- a/src/utils_tools.c
+++ b/src/utils_tools.c
@@ -583,118 +583,21 @@ out:
 	return r;
 }
 
+int tools_is_cipher_null(const char *cipher)
+{
+	if (!cipher)
+		return 0;
+
+	return !strcmp(cipher, "cipher_null") ? 1 : 0;
+}
+
 /*
- * FIXME: 4MiBs is max LUKS2 mda length (including binary header).
- * In future, read max allowed JSON size from config section.
+ * Keyfile - is standard input treated as a binary file (no EOL handling).
  */
-#define LUKS2_MAX_MDA_SIZE 0x400000
-int tools_read_json_file(struct crypt_device *cd, const char *file, char **json, size_t *json_size)
+int tools_is_stdin(const char *key_file)
 {
-	ssize_t ret;
-	int fd, block, r;
-	void *buf = NULL;
+	if (!key_file)
+		return 1;
 
-	block = tools_signals_blocked();
-	if (block)
-		set_int_block(0);
-
-	if (tools_is_stdin(file)) {
-		fd = STDIN_FILENO;
-		log_dbg("STDIN descriptor JSON read requested.");
-	} else {
-		log_dbg("File descriptor JSON read requested.");
-		fd = open(file, O_RDONLY);
-		if (fd < 0) {
-			log_err(_("Failed to open file %s in read-only mode."), file);
-			r = -EINVAL;
-			goto out;
-		}
-	}
-
-	buf = malloc(LUKS2_MAX_MDA_SIZE);
-	if (!buf) {
-		r = -ENOMEM;
-		goto out;
-	}
-
-	if (isatty(fd) && !opt_batch_mode)
-		log_std(_("Provide valid LUKS2 token JSON:\n"));
-
-	/* we expect JSON (string) */
-	r = 0;
-	ret = read_buffer_intr(fd, buf, LUKS2_MAX_MDA_SIZE - 1, &quit);
-	if (ret < 0) {
-		r = -EIO;
-		log_err(_("Failed to read JSON file."));
-		goto out;
-	}
-	check_signal(&r);
-	if (r) {
-		log_err(_("\nRead interrupted."));
-		goto out;
-	}
-
-	*json_size = (size_t)ret;
-	*json = buf;
-	*(*json + ret) = '\0';
-out:
-	if (block && !quit)
-		set_int_block(1);
-	if (fd >= 0 && fd != STDIN_FILENO)
-		close(fd);
-	if (r && buf) {
-		memset(buf, 0, LUKS2_MAX_MDA_SIZE);
-		free(buf);
-	}
-	return r;
-}
-
-int tools_write_json_file(struct crypt_device *cd, const char *file, const char *json)
-{
-	int block, fd, r;
-	size_t json_len;
-	ssize_t ret;
-
-	if (!json || !(json_len = strlen(json)) || json_len >= LUKS2_MAX_MDA_SIZE)
-		return -EINVAL;
-
-	block = tools_signals_blocked();
-	if (block)
-		set_int_block(0);
-
-	if (tools_is_stdin(file)) {
-		fd = STDOUT_FILENO;
-		log_dbg("STDOUT descriptor JSON write requested.");
-	} else {
-		log_dbg("File descriptor JSON write requested.");
-		fd = open(file, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
-	}
-
-	if (fd < 0) {
-		log_err(_("Failed to open file %s in write mode."), file ?: "");
-		r = -EINVAL;
-		goto out;
-	}
-
-	r = 0;
-	ret = write_buffer_intr(fd, json, json_len, &quit);
-	check_signal(&r);
-	if (r) {
-		log_err(_("\nWrite interrupted."));
-		goto out;
-	}
-	if (ret < 0 || (size_t)ret != json_len) {
-		log_err(_("Failed to write JSON file."));
-		r = -EIO;
-		goto out;
-	}
-
-	if (isatty(fd))
-		(void) write_buffer_intr(fd, "\n", 1, &quit);
-out:
-	if (block && !quit)
-		set_int_block(1);
-	if (fd >=0 && fd != STDOUT_FILENO)
-		close(fd);
-	return r;
+	return strcmp(key_file, "-") ? 0 : 1;
 }