systemd-cryptenroll

Interactively enroll or remove methods used to unlock LUKS2-encrypted devices. Uses a password to unlock the device unless otherwise specified. In order to allow a partition to be unlocked during system boot, update the /etc/crypttab file or the initramfs. More information: https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html.

systemd-cryptenroll --password path/to/luks2_block_device

systemd-cryptenroll --recovery-key path/to/luks2_block_device

systemd-cryptenroll --pkcs11-token-uri list|auto|pkcs11_token_uri path/to/luks2_block_device

systemd-cryptenroll --fido2-device list|auto|path/to/fido2_hidraw_device path/to/luks2_block_device

systemd-cryptenroll --fido2-device auto|path/to/fido2_hidraw_device --fido2-with-user-verification yes path/to/luks2_block_device

systemd-cryptenroll --unlock-fido2-device path/to/fido2_hidraw_unlock_device --fido2-device path/to/fido2_hidraw_enroll_device path/to/luks2_block_device

systemd-cryptenroll --tpm2-device auto|path/to/tpm2_block_device --tpm2-with-pin yes path/to/luks2_block_device

systemd-cryptenroll --wipe-slot empty|password|fido2|pkcs#11|tpm2|recovery|all path/to/luks2_block_device