diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
index 45dd365f..19e96b17 100644
--- a/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c
@@ -1023,9 +1023,6 @@ static int LUKS_open_key(unsigned int keyIndex,
 	/* Allow only empty passphrase with null cipher */
 	if (!r && !strcmp(hdr->cipherName, "cipher_null") && passwordLen)
 		r = -EPERM;
-
-	if (!r)
-		log_verbose(ctx, _("Key slot %d unlocked."), keyIndex);
 out:
 	crypt_safe_free(AfKey);
 	crypt_free_volume_key(derived_key);
diff --git a/lib/setup.c b/lib/setup.c
index d5008a4a..97dc37d8 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -2701,15 +2701,9 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
 	} else
 		r = -EINVAL;
 
-	if (keyslot_old == keyslot_new) {
-		if (r >= 0)
-			log_verbose(cd, _("Key slot %d changed."), keyslot_new);
-	} else {
-		if (r >= 0) {
-			log_verbose(cd, _("Replaced with key slot %d."), keyslot_new);
-			r = crypt_keyslot_destroy(cd, keyslot_old);
-		}
-	}
+	if (r >= 0 && keyslot_old != keyslot_new)
+		r = crypt_keyslot_destroy(cd, keyslot_old);
+
 	if (r < 0)
 		log_err(cd, _("Failed to swap new key slot."));
 out:
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 26bfcd7d..2792b37d 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -521,6 +521,7 @@ static int action_resize(void)
 		/* try load VK in kernel keyring using token */
 		r = crypt_activate_by_token(cd, NULL, opt_token, NULL,
 					    CRYPT_ACTIVATE_KEYRING_KEY);
+		tools_keyslot_msg(r, UNLOCKED);
 		if (r < 0 && opt_token_only)
 			goto out;
 
@@ -534,6 +535,7 @@ static int action_resize(void)
 				password, passwordLen,
 				CRYPT_ACTIVATE_KEYRING_KEY);
 		tools_passphrase_msg(r);
+		tools_keyslot_msg(r, UNLOCKED);
 		crypt_safe_free(password);
 	}
 
@@ -1066,6 +1068,7 @@ static int action_luksFormat(void)
 					    password, passwordLen);
 	if (r < 0) /* FIXME: call wipe signatures again */
 		goto out;
+	tools_keyslot_msg(r, CREATED);
 
 	if (opt_integrity && !opt_integrity_no_wipe)
 		r = _wipe_data_device(cd);
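Review bot: In the crypt_keyslot_change_by_passphrase hunk, the `keyslot_old != keyslot_new` path now leaves `r` set to crypt_keyslot_destroy's result, so a successful swap returns 0 instead of the newly allocated slot number that `r >= 0` held one line earlier; if the function's contract is to return the allocated slot id (as I recall the header documenting), a caller feeding `r` to the new tools_keyslot_msg(r, CREATED) would report slot 0. The two callers in this commit pass the same slot for both arguments, so they do not reach this path, but the library API does. Preserving the id while still propagating the error would be `int r2 = crypt_keyslot_destroy(cd, keyslot_old); if (r2 < 0) r = r2;`. The function's earlier lines are outside the hunk, so I could not confirm what `r` holds on the success path.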
@@ -1119,6 +1122,7 @@ static int action_open_luks(void)
 					      key, keysize, activate_flags);
 	} else {
 		r = crypt_activate_by_token(cd, activated_name, opt_token, NULL, activate_flags);
+		tools_keyslot_msg(r, UNLOCKED);
 		if (r >= 0 || opt_token_only)
 			goto out;
 
@@ -1132,6 +1136,7 @@ static int action_open_luks(void)
 		r = crypt_activate_by_passphrase(cd, activated_name,
 				opt_key_slot, password, passwordLen, activate_flags);
+		tools_keyslot_msg(r, UNLOCKED);
 		tools_passphrase_msg(r);
 		check_signal(&r);
 		crypt_safe_free(password);
 
@@ -1236,6 +1241,7 @@ static int action_luksKillSlot(void)
 				_("Enter any remaining passphrase: "),
 				_("Operation aborted, the keyslot was NOT wiped.\n"),
 				opt_key_file, opt_keyfile_offset, opt_keyfile_size);
+		tools_keyslot_msg(r, UNLOCKED);
 
 		if (r == -EPIPE && (!opt_key_file || tools_is_stdin(opt_key_file))) {
 			log_dbg("Failed read from input, ignoring passphrase.");
@@ -1247,6 +1253,7 @@ static int action_luksKillSlot(void)
 	}
 
 	r = crypt_keyslot_destroy(cd, opt_key_slot);
+	tools_keyslot_msg(r, REMOVED);
 out:
 	crypt_free(cd);
 	return r;
@@ -1282,6 +1289,7 @@ static int action_luksRemoveKey(void)
 	check_signal(&r);
 	if (r < 0)
 		goto out;
+	tools_keyslot_msg(r, UNLOCKED);
 
 	opt_key_slot = r;
 	log_verbose(_("Key slot %d selected for deletion."), opt_key_slot);
@@ -1295,6 +1303,7 @@ static int action_luksRemoveKey(void)
 	}
 
 	r = crypt_keyslot_destroy(cd, opt_key_slot);
+	tools_keyslot_msg(r, REMOVED);
 out:
 	crypt_safe_free(password);
 	crypt_free(cd);
@@ -1349,6 +1358,7 @@ static int luksAddUnboundKey(void)
 
 	r = crypt_keyslot_add_by_key(cd, opt_key_slot, key, keysize,
 			password_new, password_new_size, CRYPT_VOLUME_KEY_NO_SEGMENT);
+	tools_keyslot_msg(r, CREATED);
 out:
 	crypt_safe_free(password_new);
 	crypt_safe_free(key);
@@ -1430,6 +1440,7 @@ static int action_luksAddKey(void)
 		tools_passphrase_msg(r);
 		if (r < 0)
 			goto out;
+		tools_keyslot_msg(r, UNLOCKED);
 
 		r = tools_get_key(_("Enter new passphrase for key slot: "),
 				  &password_new, &password_new_size,
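Review bot: In the action_open_luks passphrase hunk (@@ -1132) `tools_keyslot_msg(r, UNLOCKED)` is placed before `tools_passphrase_msg(r)`, whereas action_resize (@@ -534) and action_luksResume (@@ -1711) place it after; the two calls are mutually exclusive on the sign of `r`, so this is only a point of style, but picking one order makes the verbose output and the code easier to grep. I would keep the passphrase diagnostic first everywhere, `tools_passphrase_msg(r); tools_keyslot_msg(r, UNLOCKED);`.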
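Review bot: In action_luksKillSlot (@@ -1247) `tools_keyslot_msg(r, REMOVED)` is called with the return value of crypt_keyslot_destroy, which is 0 on success rather than the slot number, so a successful removal always logs "Key slot 0 removed."; the same pattern appears in action_luksRemoveKey (@@ -1295) and in the action_luksErase loop (@@ -1832 on the next line), where it would print slot 0 once per erased slot. The slot id is known to the caller, so pass it instead: `tools_keyslot_msg(opt_key_slot, REMOVED);` here and in luksRemoveKey, and `tools_keyslot_msg(i, REMOVED);` in luksErase. Since the helper only suppresses output for negative ids, the error case is still handled correctly once the argument is the slot number; the surrounding check `if (r < 0)` remains the caller's responsibility where it precedes the call.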
@@ -1443,6 +1454,7 @@ static int action_luksAddKey(void)
 						 password_new, password_new_size);
 	}
 out:
+	tools_keyslot_msg(r, CREATED);
 	crypt_safe_free(password);
 	crypt_safe_free(password_new);
 	crypt_safe_free(key);
@@ -1488,6 +1500,7 @@ static int action_luksChangeKey(void)
 	check_signal(&r);
 	if (r < 0)
 		goto out;
+	tools_keyslot_msg(r, UNLOCKED);
 
 	r = tools_get_key(_("Enter new passphrase: "),
 			  &password_new, &password_new_size,
@@ -1499,6 +1512,7 @@ static int action_luksChangeKey(void)
 
 	r = crypt_keyslot_change_by_passphrase(cd, opt_key_slot, opt_key_slot,
 		password, password_size, password_new, password_new_size);
+	tools_keyslot_msg(r, CREATED);
 out:
 	crypt_safe_free(password);
 	crypt_safe_free(password_new);
@@ -1535,6 +1549,7 @@ static int action_luksConvertKey(void)
 	r = crypt_keyslot_change_by_passphrase(cd, opt_key_slot, opt_key_slot,
 		password, password_size, password, password_size);
 	tools_passphrase_msg(r);
+	tools_keyslot_msg(r, CREATED);
 out:
 	crypt_safe_free(password);
 	crypt_free(cd);
@@ -1621,6 +1636,7 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
 	check_signal(&r);
 	if (r < 0)
 		goto out;
+	tools_keyslot_msg(r, UNLOCKED);
 
 	if (opt_master_key_file) {
 		r = tools_write_mk(opt_master_key_file, vk, vk_size);
@@ -1711,6 +1727,7 @@ static int action_luksResume(void)
 					    password, passwordLen);
 		tools_passphrase_msg(r);
 		check_signal(&r);
+		tools_keyslot_msg(r, UNLOCKED);
 		crypt_safe_free(password);
 		password = NULL;
 
@@ -1832,6 +1849,7 @@ static int action_luksErase(void)
 		r = crypt_keyslot_destroy(cd, i);
 		if (r < 0)
 			goto out;
+		tools_keyslot_msg(r, REMOVED);
 	}
 }
 out:
@@ -1965,6 +1983,7 @@ static int _token_add(struct crypt_device *cd)
 	}
 
 	token = r;
+	tools_token_msg(token, CREATED);
 
 	r = crypt_token_assign_keyslot(cd, token, opt_key_slot);
 	if (r < 0) {
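Review bot: In action_luksAddKey (@@ -1443) the new `tools_keyslot_msg(r, CREATED)` sits directly under the `out:` label, so every exit path runs it; that is silent for negative `r`, but any `goto out` taken with a non-negative `r` that is not a slot number (a future early exit, or a helper that returns 0 for success) would print a bogus "Key slot 0 created.". The sibling hunks in luksAddUnboundKey (@@ -1349) and action_luksChangeKey (@@ -1499) call it immediately after the crypt_keyslot_add_by_* / change call instead, which keeps the message next to the event it reports; I would do the same here, placing `tools_keyslot_msg(r, CREATED);` after each of the two add calls and leaving `out:` as pure cleanup. The function's earlier lines, including the add-by-volume-key branch, are outside the hunk.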
@@ -1975,6 +1994,26 @@ static int _token_add(struct crypt_device *cd)
 	return r;
 }
 
+static int _token_remove(struct crypt_device *cd)
+{
+	crypt_token_info token_info;
+	int r;
+
+	token_info = crypt_token_status(cd, opt_token, NULL);
+	if (token_info < CRYPT_TOKEN_INACTIVE) {
+		log_err(_("Token %d is invalid."), opt_token);
+		return -EINVAL;
+	} else if (token_info == CRYPT_TOKEN_INACTIVE) {
+		log_err(_("Token %d is not in use."), opt_token);
+		return -EINVAL;
+	}
+
+	r = crypt_token_json_set(cd, opt_token, NULL);
+	tools_token_msg(r, REMOVED);
+
+	return r;
+}
+
 static int _token_import(struct crypt_device *cd)
 {
 	char *json;
@@ -2005,6 +2044,7 @@ static int _token_import(struct crypt_device *cd)
 	}
 
 	token = r;
+	tools_token_msg(token, CREATED);
 
 	if (opt_key_slot != CRYPT_ANY_SLOT) {
 		r = crypt_token_assign_keyslot(cd, token, opt_key_slot);
@@ -2075,8 +2115,7 @@ static int action_token(void)
 		r = _token_add(cd);
 		break;
 	case REMOVE:
-		/* FIXME: add prompt here? a) for all types, b) external only? */
-		r = crypt_token_json_set(cd, opt_token, NULL);
+		r = _token_remove(cd);
 		break;
 	case IMPORT:
 		r = _token_import(cd);
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
index 84d7fed0..60128ce7 100644
--- a/src/cryptsetup.h
+++ b/src/cryptsetup.h
@@ -62,7 +62,6 @@ extern int opt_batch_mode;
 extern int opt_force_password;
 extern int opt_progress_frequency;
 
-
 /* Common tools */
 void clogger(struct crypt_device *cd, int level, const char *file, int line,
 	     const char *format, ...) __attribute__ ((format (printf, 5, 6)));
@@ -77,6 +76,10 @@ void usage(poptContext popt_context, int exitcode, const char *error, const char
 void dbg_version_and_cmd(int argc, const char **argv);
 int translate_errno(int r);
 
+typedef enum { CREATED, UNLOCKED, REMOVED } crypt_object_op;
+void tools_keyslot_msg(int keyslot, crypt_object_op op);
+void tools_token_msg(int token, crypt_object_op op);
+
 extern volatile int quit;
 void set_int_block(int block);
 void set_int_handler(int block);
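Review bot: In _token_remove the first guard, `if (token_info < CRYPT_TOKEN_INACTIVE)`, relies on the ordering of the crypt_token_info enumerators, which reads as a range check even though, on the enum as declared in libcryptsetup.h, only CRYPT_TOKEN_INVALID sorts below CRYPT_TOKEN_INACTIVE; `if (token_info == CRYPT_TOKEN_INVALID)` says what is meant and survives a reordered or extended enum. The same hunk also drops the FIXME about a confirmation prompt without recording the decision, so the question is lost; a one-line comment above the crypt_token_json_set call, such as `/* removal is unconditional: only the token metadata object is dropped, keyslots are untouched */`, would keep it, if that is indeed the semantics of passing NULL (I am inferring it from the removed code, not from this hunk). Finally, `tools_token_msg(r, REMOVED)` assumes crypt_token_json_set returns the token id, not 0, when removing; if that is not guaranteed by the library, pass `opt_token` instead, as the id is already known here.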
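Review bot: The new declarations in cryptsetup.h (@@ -77) carry no comment, and the contract that makes the call sites safe, that a negative id is an error return and prints nothing, is only discoverable by reading utils_tools.c; I would add above the typedef `/* Verbose-log the outcome of a keyslot/token operation. A negative id (an errno-style failure return) is silently ignored, so callers may pass the raw return value of a libcryptsetup call that yields the slot/token number on success. */` and note that tools_token_msg has no UNLOCKED case. The unprefixed enumerators `CREATED`, `UNLOCKED`, `REMOVED` also go into every translation unit that includes this header, next to the action enum that cryptsetup.c already uses (`REMOVE`, `IMPORT` are visible in the action_token switch), which is an easy source of typo-level confusion; a `CRYPT_OBJ_` style prefix is the usual remedy, though renaming is a larger change than this commit.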
diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
index 048a05a9..676f2a84 100644
--- a/src/cryptsetup_reencrypt.c
+++ b/src/cryptsetup_reencrypt.c
@@ -600,7 +600,7 @@ static int create_new_header(struct reenc_ctx *rc, struct crypt_device *cd_old,
 		r = create_new_keyslot(rc, i, cd_old, cd_new);
 		if (r < 0)
 			goto out;
-		log_verbose(_("Activated keyslot %i."), r);
+		tools_keyslot_msg(r, CREATED);
 		r = 0;
 	}
 out:
@@ -1271,6 +1271,7 @@ static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
 		return r;
 
 	if (r >= 0) {
+		tools_keyslot_msg(r, UNLOCKED);
 		rc->p[r].password = password;
 		rc->p[r].passwordLen = passwordLen;
 		if (ki != CRYPT_SLOT_UNBOUND)
diff --git a/src/utils_tools.c b/src/utils_tools.c
index 1773d917..a0740f36 100644
--- a/src/utils_tools.c
+++ b/src/utils_tools.c
@@ -272,6 +272,30 @@ int translate_errno(int r)
 	return r;
 }
 
+void tools_keyslot_msg(int keyslot, crypt_object_op op)
+{
+	if (keyslot < 0)
+		return;
+
+	if (op == CREATED)
+		log_verbose(_("Key slot %i created."), keyslot);
+	else if (op == UNLOCKED)
+		log_verbose(_("Key slot %i unlocked."), keyslot);
+	else if (op == REMOVED)
+		log_verbose(_("Key slot %i removed."), keyslot);
+}
+
+void tools_token_msg(int token, crypt_object_op op)
+{
+	if (token < 0)
+		return;
+
+	if (op == CREATED)
+		log_verbose(_("Token %i created."), token);
+	else if (op == REMOVED)
+		log_verbose(_("Token %i removed."), token);
+}
+
 /*
  * Device size string parsing, suffixes:
  * s|S - 512 bytes sectors
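Review bot: In the utils_tools.c hunk both helpers dispatch on the crypt_object_op enum with an if/else-if chain, which means a value added to the enum later (or a caller passing UNLOCKED to tools_token_msg, which already has no branch for it) is silently dropped with no diagnostic at compile time or run time. A `switch (op)` over the enumerators, deliberately without a `default:` label, lets `-Wswitch` flag any unhandled enumerator at the point the enum grows, and reads as an exhaustive table rather than a chain; the same rewrite applies to tools_token_msg. The reencrypt hunks are fine as they stand: create_new_keyslot's return was already used as a slot number by the old log line, and init_passphrase1 indexes `rc->p[r]` with the same value.
```c
void tools_keyslot_msg(int keyslot, crypt_object_op op)
{
	if (keyslot < 0)
		return;

	/* No default label on purpose: -Wswitch reports a new enumerator here. */
	switch (op) {
	case CREATED:
		log_verbose(_("Key slot %i created."), keyslot);
		break;
	case UNLOCKED:
		log_verbose(_("Key slot %i unlocked."), keyslot);
		break;
	case REMOVED:
		log_verbose(_("Key slot %i removed."), keyslot);
		break;
	}
}
/* … tools_token_msg: same shape with the CREATED and REMOVED cases … */
```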