diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 63d378fbc62..8ac98a6cf7f 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -265,32 +265,11 @@
- Options
+ Unlocking
- The following options are understood:
+ The following options are understood that may be used to unlock the device in preparation of the enrollment operations:
-
-
-
- Enroll a regular password/passphrase. This command is mostly equivalent to
- cryptsetup luksAddKey, however may be combined with
- in one call, see below.
-
-
-
-
-
-
-
- Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
- computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
- key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
-
-
-
-
-
@@ -328,7 +307,45 @@
+
+
+
+ Simple Enrollment
+
+ The following options are understood that may be used to enroll simple user input based
+ unlocking:
+
+
+
+
+
+ Enroll a regular password/passphrase. This command is mostly equivalent to
+ cryptsetup luksAddKey, however may be combined with
+ in one call, see below.
+
+
+
+
+
+
+
+ Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+ computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+ key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+
+
+
+
+
+
+
+
+ PKCS#11 Enrollment
+
+ The following option is understood that may be used to enroll PKCS#11 tokens:
+
+
@@ -361,7 +378,15 @@
+
+
+
+ FIDO2 Enrollment
+
+ The following options are understood that may be used to enroll PKCS#11 tokens:
+
+ Specify COSE algorithm used in credential generation. The default value is
@@ -461,7 +486,15 @@
+
+
+
+ TPM2 Enrollment
+
+ The following options are understood that may be used to enroll TPM2 devices:
+
+
@@ -636,7 +669,15 @@
+
+
+
+ Other Options
+
+ The following additional options are understood:
+
+