diff --git a/.gitignore b/.gitignore index 8688f41..aecd8d4 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /clevis-18.tar.xz /clevis-19.tar.xz /clevis-20.tar.xz +/clevis-21.tar.xz diff --git a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch deleted file mode 100644 index 263166d..0000000 --- a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch +++ /dev/null @@ -1,56 +0,0 @@ ---- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100 -+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200 -@@ -264,8 +264,10 @@ - - error: - g_list_free_full(ctx.lst, g_free); -- g_main_loop_unref(ctx.loop); -- g_object_unref(ctx.clt); -+ if (ctx.loop) -+ g_main_loop_unref(ctx.loop); -+ if (ctx.clt) -+ g_object_unref(ctx.clt); - close(sock); - return exit_status; - } -@@ -299,12 +301,12 @@ - safeclose(&pair[0]); - } - --static ssize_t --recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid) -+static uint32_t -+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid) - { - int push[2] = { -1, -1 }; - int pull[2] = { -1, -1 }; -- ssize_t bytes = 0; -+ int32_t bytes = 0; - pid_t chld = 0; - - if (pipe(push) != 0) -@@ -379,12 +381,18 @@ - } - - bytes = 0; -- for (ssize_t block = 1; block > 0; bytes += block) { -- block = read(pull[PIPE_RD], &out[bytes], max - bytes); -- if (block < 0) { -- kill(chld, SIGTERM); -- goto error; -- } -+ ssize_t block = 0; -+ while (max > 0 && max > bytes) { -+ do { -+ block = read(pull[PIPE_RD], &out[bytes], max - bytes); -+ } while (block < 0 && errno == EINTR); -+ if (block < 0 || block < INT32_MIN || block > INT32_MAX) { -+ kill(chld, SIGTERM); -+ goto error; -+ } -+ if (block == 0) -+ break; -+ bytes += block; - } - - safeclose(&pull[PIPE_RD]); diff --git a/clevis.spec b/clevis.spec index f2c70d2..73a824b 100644 --- a/clevis.spec +++ b/clevis.spec 
@@ -1,5 +1,5 @@
 Name: clevis
-Version: 20
+Version: 21
 Release: %autorelease
 Summary: Automated decryption framework
@@ -7,7 +7,6 @@ License: GPL-3.0-or-later
 URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1: clevis.sysusers
-Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
 BuildRequires: git-core
 BuildRequires: gcc
@@ -35,6 +34,8 @@ BuildRequires: openssl
 BuildRequires: diffutils
 BuildRequires: cryptsetup
 BuildRequires: jq
+BuildRequires: pcsc-lite
+BuildRequires: opensc
 Requires: tpm2-tools >= 4.0.0
 Requires: coreutils
@@ -44,6 +45,8 @@ Requires: jq
 Requires(pre): shadow-utils
 Requires(post): systemd
 Requires: clevis-pin-tpm2
+Requires: pcsc-lite
+Requires: opensc
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -134,15 +137,20 @@ exit 0
 %{_bindir}/%{name}-decrypt-tpm2
 %{_bindir}/%{name}-decrypt-sss
 %{_bindir}/%{name}-decrypt-null
+%{_bindir}/%{name}-decrypt-pkcs11
 %{_bindir}/%{name}-decrypt
 %{_bindir}/%{name}-encrypt-tang
 %{_bindir}/%{name}-encrypt-tpm2
 %{_bindir}/%{name}-encrypt-sss
 %{_bindir}/%{name}-encrypt-null
+%{_bindir}/%{name}-encrypt-pkcs11
+%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
+%{_bindir}/%{name}-pkcs11-common
 %{_bindir}/%{name}
 %{_mandir}/man1/%{name}-encrypt-tang.1*
 %{_mandir}/man1/%{name}-encrypt-tpm2.1*
 %{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
 %{_mandir}/man1/%{name}-decrypt.1*
 %{_mandir}/man1/%{name}.1*
 %{_sysusersdir}/clevis.conf
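Review bot: Removing `Patch1` in the `@@ -7,7 +7,6 @@` hunk drops two defensive fixes to src/luks/udisks2/clevis-luks-udisks2.c (the NULL guards before `g_main_loop_unref`/`g_object_unref` on the `error:` path, and the bounded, EINTR-retrying read loop in `recover_key`), and nothing in this diff shows that the v21 tarball carries equivalent changes. That helper brokers LUKS key material between the privileged parent and a forked child, so a silent regression there is worth a line of evidence. Please check upstream v21 for those fixes and, if they landed, say so where the Patch1 line was, e.g. `# 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch dropped: merged upstream in v21 (cite the upstream commit)`; if they did not land, the patch should be rebased rather than dropped.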
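Review bot: The hard `Requires: pcsc-lite` and `Requires: opensc` added to the main package in the `@@ -44,6 +45,8 @@` hunk pull the PC/SC daemon and the OpenSC PKCS#11 stack onto every host that installs clevis, although the only consumer is the new pkcs11 pin and the other pins are already split out (`Requires: clevis-pin-tpm2`, separate systemd/dracut/udisks2 subpackages). Hosts that only use tang or tpm2 gain a smart-card stack and its daemon for nothing. Consider shipping the pkcs11 pin as its own subpackage (`%package pin-pkcs11` carrying these two Requires and the pkcs11 binaries), or at least weakening them to `Recommends: pcsc-lite` / `Recommends: opensc` so minimal installs can opt out; the BuildRequires additions are fine as they are.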
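Review bot: `%{_bindir}/%{name}-pkcs11-common` in the `@@ -134,15 +137,20 @@` hunk reads, by its name, like a helper sourced by the other pkcs11 scripts rather than a user-facing command, and `%{name}-pkcs11-afunix-socket-unlock` appears to be a boot-time unlock helper; both end up on every user's PATH. If upstream's install layout fixes them in bindir that is acceptable, but a short comment above the entries explaining why they are not in `%{_libexecdir}` next to the other luks helpers would save the next packager the same question. This is a placement/style point only; I cannot tell from the diff whether the scripts are executable on their own.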
@@ -170,8 +178,12 @@ exit 0
 %files systemd
 %{_libexecdir}/%{name}-luks-askpass
 %{_libexecdir}/%{name}-luks-unlocker
+%{_libexecdir}/%{name}-luks-pkcs11-askpass
+%{_libexecdir}/%{name}-luks-pkcs11-askpin
 %{_unitdir}/%{name}-luks-askpass.path
 %{_unitdir}/%{name}-luks-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.service
+%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
 %files dracut
 %{_prefix}/lib/dracut/modules.d/60%{name}
@@ -179,6 +191,9 @@ exit 0
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
 %files udisks2
 %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
diff --git a/sources b/sources
index ebb2917..85f0289 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (clevis-20.tar.xz) = 26b89d7ca21a08dfb6abdf894c9867eb6954593adc384c651b2cf8effe6be962fa67a116b15e1a40a720d36d9726ea859dc907ffb72585da91949d9a620893fe
+SHA512 (clevis-21.tar.xz) = 66f141b9d0c35ec3bb975b49053ee11f8fd5492b2af0377797892d6e28f4491b146e48477107dcf0ae5860ed1b08920bc95ed69893664689077c1342169cd399
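Review bot: The `%files systemd` list now ships `%{name}-luks-pkcs11-askpass.socket` and `.service`, but the scriptlets that enable and disable units for this subpackage (`%systemd_post` / `%systemd_preun` / `%systemd_postun_with_restart`, presumably naming `clevis-luks-askpass.path`) are outside this diff; if they list units by name they need the new socket added as well, otherwise the PIN askpass path is packaged but never activated or cleanly disabled on removal. Because that socket is what accepts PIN/unlock requests over AF_UNIX (the `afunix-socket-unlock` helper from the bindir hunk), the unit's `SocketMode=`/`SocketUser=` settings also decide who on the host can drive a LUKS unlock, so the upstream unit is worth reading before it ships default-enabled. A one-line comment next to the two new unit entries stating whether they are preset-enabled would make the intent clear to the next packager.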