diff --git a/plugins/modules/luks_device.py b/plugins/modules/luks_device.py
index 156f4b321..337c4c8f6 100644
--- a/plugins/modules/luks_device.py
+++ b/plugins/modules/luks_device.py
@@ -70,9 +70,9 @@
 passphrase_encoding:
 description:
 - Determine how passphrases are provided to parameters such as O(passphrase), O(new_passphrase), and O(remove_passphrase).
- - Please note that binary passphrases cannot contain all possible binary octets. For example, a newline (0x0A)
- cannot be used since it indicates that the passphrase is over. If you want to use arbitrary binary data, you must
- use keyfiles.
+ - Please note that binary passphrases cannot always contain all possible binary octets. When adding a new key to an existing
+ container, a newline (0x0A) cannot be used since it indicates that the passphrase is over. If you want to use arbitrary
+ binary data, you must use keyfiles.
 type: str
 default: text
 choices:
@@ -488,8 +488,6 @@ def get_passphrase_from_module_params(self, parameter_name):
 self._module.fail_json("Error while base64-decoding '{parameter_name}': {exc}".format(parameter_name=parameter_name, exc=exc))
 def _run_command(self, command, data=None):
- if data is not None:
- data += b'\n'
 return self._module.run_command(command, data=data, binary_data=True)
 def get_device_by_uuid(self, uuid):
@@ -635,6 +633,8 @@ def run_luks_create(self, device, keyfile, passphrase, keyslot, keysize, cipher,
 args.extend(['-q', device])
 if keyfile:
 args.append(keyfile)
+ else:
+ args.append('-')
 result = self._run_command(args, data=passphrase)
 if result[RETURN_CODE] != 0:
@@ -646,6 +646,8 @@ def run_luks_open(self, device, keyfile, passphrase, perf_same_cpu_crypt, perf_s
 args = [self._cryptsetup_bin]
 if keyfile:
 args.extend(['--key-file', keyfile])
+ else:
+ args.extend(['--key-file', '-'])
 if perf_same_cpu_crypt:
 args.extend(['--perf-same_cpu_crypt'])
 if perf_submit_from_crypt_cpus:
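Review bot: The reworded O(passphrase_encoding) description documents the newline limit for added keys, but nothing visible in this diff enforces it. A binary O(new_passphrase) containing 0x0A would presumably be cut or mis-split at that byte by cryptsetup, so the slot could end up keyed with something other than what the user supplied. The add-key path is outside these hunks, so this needs confirming; if it holds, failing the module when the new passphrase contains `b'\n'` is safer than passing it through. The sentence would also read more precisely if it named the affected option, for example `When adding a new key to an existing container with O(new_passphrase), a newline (0x0A) cannot be used ...`.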
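Review bot: `_run_command` now forwards `data` unchanged, so each caller has to make cryptsetup read stdin to EOF itself. The call sites patched in this commit do that with `--key-file -` or a positional `-`. Any caller outside these hunks that relied on the implicit trailing newline, such as one that feeds several newline-separated secrets, would now send an unterminated last line; the add-key and change-key paths are not shown and should be checked. A one-line docstring would pin the contract: `"""Run cryptsetup; data is written to stdin verbatim, no newline is appended."""`.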
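Review bot: The new `else: args.append('-')` branch in run_luks_create assumes a passphrase is always present when `keyfile` is falsy; if `passphrase` is None, cryptsetup is told to take its key from stdin while `data=None` is passed. Parameter validation lives outside this hunk, so the case may already be excluded, but a local guard such as `if passphrase is None: raise ValueError('no keyfile or passphrase given')` before the call would keep luksFormat from ever running without key material. The function body starts and ends outside the hunk.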
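Review bot: Passing `--key-file -` in run_luks_open changes which bytes form the key, because cryptsetup then reads stdin to EOF instead of stopping at the first newline. A text passphrase that reaches the module with a trailing newline (typical when it is read from a file) now includes that byte, while containers handled by earlier module versions were keyed without it, so unlocking and key tests can start failing after an upgrade. The same applies to the `else` branches added in run_luks_remove_key and luks_test_key. This compatibility change should be called out in the changelog, and a short comment at each branch would help, for example `# '-' makes cryptsetup read the passphrase from stdin up to EOF, newlines included`.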
@@ -759,6 +761,8 @@ def run_luks_remove_key(self, device, keyfile, passphrase, keyslot,
 args = [self._cryptsetup_bin, 'luksKillSlot', device, '-q', str(keyslot)]
 if keyfile:
 args.extend(['--key-file', keyfile])
+ else:
+ args.extend(['--key-file', '-'])
 result = self._run_command(args, data=passphrase)
 if result[RETURN_CODE] != 0:
 raise ValueError('Error while removing LUKS key from %s: %s'
@@ -774,6 +778,7 @@ def luks_test_key(self, device, keyfile, passphrase, keyslot=None):
 if keyfile:
 args.extend(['--key-file', keyfile])
 else:
+ args.extend(['--key-file', '-'])
 data = passphrase
 if keyslot is not None: