diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/Manifest b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/Manifest index fe76a92b75..4d53fded06 100644 --- a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/Manifest +++ b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/Manifest @@ -1,2 +1,4 @@ -DIST cryptsetup-2.8.1.tar.xz 11821036 BLAKE2B 148ff29e94c77abf66b3ebf1a6c291031a786dc2ccb23a3ccd6b816711aac56d64743b709ca6ed4378bf55946cd2c67ba300ed4b7ad831c341fcb37d580efaa5 SHA512 a5171e18c55bfbc57330f2d46ab06b5ac6957392a77aef74c3d1c5295eb39962d1db19ddd3420ea1154d730b361d09e72bf5315c7a3d56eb36cee9c2531bca5d +DIST cryptsetup-2.8.3.tar.sign 833 BLAKE2B f03bb85dfdcc3b22ab7141478fb289fb6ff8bc2000da62a952266e47e894b611439f32456db7fb0340f124af33e05932f4ebeae1b4f985e8cb42ed58302d5f67 SHA512 893215ec657b73608ff7d97313b4f0b56126ee20a9f7cd2d5c69b844dac06a3ac5cdac470b358d3920c51afd72047012948b71200b8b2d4f437856657f82d37a DIST cryptsetup-2.8.3.tar.xz 11863620 BLAKE2B 9559fb8cd0d916903c0e491c14f8d30a156672313065f4d58ca02a67293288831e6b5d12e843ae607c604d6a08bed46da887308a9ff87413e413b1cf7756810d SHA512 6aaf5a7e6d716e581b50fce417dad079022ff15d54e8a93697888b030b8defa03a39fd94725c3a8692cd07147573bd7f1c3c41571c488aabd44e4f9def9673e2 +DIST cryptsetup-2.8.4.tar.sign 833 BLAKE2B 22264d6a314cb14cabf1614225cc339261ec7dc44c280547a00ee552f6723243591260e0aa793330f4a2a8460840e687847d08923ab3abfea2e11d81a8e3e805 SHA512 b568ea6272960f186c83247c95c666355c44deb9be7508202ec56d0bca8dcfe660ef175f0f0792ebf9c1219f15cd3f24536dffff5e131142c1ead408a5350274 +DIST cryptsetup-2.8.4.tar.xz 11880632 BLAKE2B 135721fe1daca13bf5c1116dfe9888d50e617d06f8c2c3cff60bb76ab9d2ef4f91524d8c4185c5f673290b5a7f9dcd83b9ab9c25112500fea9100e30d8a8caf0 SHA512 cf9923552f93d3ca047fa17e2d73923b782e0f5146d9721fb8e1196374185524c2642c1243ea72107aef03a0b0b9d967576a58b1a680dd9b6a17dbf4a4430489 
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.3-r1.ebuild
similarity index 87%
rename from sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.1-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.3-r1.ebuild
index 8f113c0e66..0c09081602 100644
--- a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.1-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.3-r1.ebuild
@@ -1,14 +1,18 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 # TODO: meson (not just yet as of 2.8.0, see https://gitlab.com/cryptsetup/cryptsetup/-/issues/949#note_2585304492)
-inherit linux-info tmpfiles
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/milanbroz.asc
+inherit linux-info tmpfiles verify-sig
 DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
 HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup"
-SRC_URI="https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz"
+SRC_URI="
+ https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz
+ verify-sig? ( https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.sign )
+"
 S="${WORKDIR}"/${P/_/-}
 LICENSE="GPL-2+"
@@ -63,8 +67,13 @@ DEPEND="
 BDEPEND="
 virtual/pkgconfig
 test? ( app-editors/vim-core )
+ verify-sig? ( sec-keys/openpgp-keys-milanbroz )
 "
+PATCHES=(
+ "${FILESDIR}/cryptsetup-2.8.3-bitlocker.patch"
+)
+
 pkg_setup() {
 local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
 local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
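Review bot: The new `verify-sig? ( sec-keys/openpgp-keys-milanbroz )` entry in `BDEPEND` needs that key package to exist in this tree, and nothing visible in this diff adds it. If `sec-keys/openpgp-keys-milanbroz` is not already present next to these ebuilds, turning on `verify-sig` would fail at dependency resolution before any signature is checked. The same line is added in the `cryptsetup-2.8.4.ebuild` hunk. It is worth confirming that the key package is vendored, or stating in the commit message that `verify-sig` is expected to stay off for this build.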
@@ -74,6 +83,15 @@ pkg_setup() {
 check_extra_config
 }
+src_unpack() {
+ if use verify-sig; then
+ verify-sig_uncompress_verify_unpack "${DISTDIR}"/${P/_/-}.tar.xz \
+ "${DISTDIR}"/${P/_/-}.tar.sign
+ else
+ default
+ fi
+}
+
 src_prepare() {
 default
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.3.ebuild b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.4.ebuild
similarity index 88%
rename from sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.3.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.4.ebuild
index 453959440e..8409a39b54 100644
--- a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.8.4.ebuild
@@ -1,14 +1,18 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 # TODO: meson (not just yet as of 2.8.0, see https://gitlab.com/cryptsetup/cryptsetup/-/issues/949#note_2585304492)
-inherit linux-info tmpfiles
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/milanbroz.asc
+inherit linux-info tmpfiles verify-sig
 DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
 HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup"
-SRC_URI="https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz"
+SRC_URI="
+ https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz
+ verify-sig? ( https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.sign )
+"
 S="${WORKDIR}"/${P/_/-}
 LICENSE="GPL-2+"
@@ -63,6 +67,7 @@ DEPEND="
 BDEPEND="
 virtual/pkgconfig
 test? ( app-editors/vim-core )
+ verify-sig? ( sec-keys/openpgp-keys-milanbroz )
 "
 pkg_setup() {
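Review bot: The `src_unpack()` added to `cryptsetup-2.8.3-r1.ebuild` carries no comment saying that the OpenPGP check is opt-in. With `verify-sig` unset the `else` branch runs `default`, and the `SRC_URI` hunk does not fetch the `.tar.sign` file at all, so only the Manifest hashes cover the tarball. A short comment above the `if` would make that explicit, for example `# Signature is checked only with USE=verify-sig; otherwise the Manifest hashes are the only integrity check.` It could also say why the uncompress variant is called; the signature file is named `.tar.sign`, which suggests it covers the uncompressed tarball. The identical `src_unpack()` added to `cryptsetup-2.8.4.ebuild` would take the same comment.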
@@ -74,6 +79,15 @@ pkg_setup() {
 check_extra_config
 }
+src_unpack() {
+ if use verify-sig; then
+ verify-sig_uncompress_verify_unpack "${DISTDIR}"/${P/_/-}.tar.xz \
+ "${DISTDIR}"/${P/_/-}.tar.sign
+ else
+ default
+ fi
+}
+
 src_prepare() {
 default
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/files/cryptsetup-2.8.3-bitlocker.patch b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/files/cryptsetup-2.8.3-bitlocker.patch
new file mode 100644
index 0000000000..a6ca2652cd
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/files/cryptsetup-2.8.3-bitlocker.patch
@@ -0,0 +1,45 @@
+https://bugs.gentoo.org/969153
+https://gitlab.com/cryptsetup/cryptsetup/-/issues/973
+https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/883
+
+From 4eb729da3f46642d6fe1fabbbedb127078eccb95 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny
+Date: Sun, 11 Jan 2026 14:31:29 +0100
+Subject: [PATCH] bitlk: Do not try to use empty password for password keyslots
+
+Passing empty password means we want to try to open the device
+using the clear key so we can skip all other keyslots in this case.
+
+This also fixes unlocking a BitLocker device where recovery
+passphrase is in the first keyslot where we try to use the empty
+passhrase first, hoping for a clear key, and never actually prompt
+user for an actual (recovery) passphrase after.
+
+Fixes: #973
+---
+ lib/bitlk/bitlk.c | 11 +++++++++++
+ tests/bitlk-images.tar.xz | Bin 355720 -> 376840 bytes
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
+index 3b7b093d..0e8f9d1d 100644
+--- a/lib/bitlk/bitlk.c
++++ b/lib/bitlk/bitlk.c
+@@ -1300,6 +1300,17 @@ int BITLK_get_volume_key(struct crypt_device *cd,
+ next_vmk = params->vmks;
+ while (next_vmk) {
+ bool is_decrypted = false;
++
++ if (password == NULL && next_vmk->protection != BITLK_PROTECTION_CLEAR_KEY) {
++ /*
++ * Clearkey is the only slot that doesn't require password so no password
++ * means we are trying to use clearkey and we can skip all other key slots.
++ */
++ r = -EPERM;
++ next_vmk = next_vmk->next;
++ continue;
++ }
++
+ if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
+ r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
+ if (r) {
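Review bot: The added guard tests `password == NULL`, while the patch description speaks of an empty password, so a caller that passes a non-NULL buffer with `passwordLen == 0` would still fall through to `bitlk_kdf()` for passphrase keyslots. Whether any caller does that cannot be seen here, because `BITLK_get_volume_key()` begins and ends outside the hunk. If it can happen, the condition could read `if ((password == NULL || passwordLen == 0) && next_vmk->protection != BITLK_PROTECTION_CLEAR_KEY) {`. The guard also assigns `r = -EPERM` for every skipped slot, which may replace an error code left by an earlier slot, so it is worth checking how `r` is used after the loop.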