Systemd 248 To Allow Unlocking Encrypted Volumes Via TPM2 / FIDO2 / PKCS#11 Hardware

While systemd-cryptsetup already supports unlocking LUKS2 volumes at boot with user-supplied passphrases and key files on a local or removable disk, systemd 248 adds the ability to use TPM2, FIDO2 or PKCS#11 security hardware for unlocking volumes, if desired.
The latest systemd-cryptsetup code has native support for unlocking LUKS2 volumes via FIDO2 security tokens (newer YubiKeys), TPM2 security chips (found in many laptops and other systems), or PKCS#11 security tokens such as those in smartcards and older YubiKeys. As another new feature, systemd 248 will also allow unlocking LUKS2 volumes via keys acquired through trivial AF_UNIX/SOCK_STREAM socket IPC.
More details on the new systemd-cryptsetup capabilities via Lennart's blog.
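A small audit script, added here as an example and not part of the article or of systemd itself, that reads a crypttab and reports which volumes are unlocked through the TPM2, FIDO2 or PKCS#11 options described above versus a key file or an interactive passphrase. The option names tpm2-device=, fido2-device= and pkcs11-uri= are assumed from crypttab(5) in systemd 248, and the sample table is constructed.

```python
"""Audit the unlock mechanism of each /etc/crypttab volume (added example).

Assumes the crypttab(5) options tpm2-device=, fido2-device= and
pkcs11-uri= that systemd 248 introduced; the sample table is constructed.
"""
# Constructed sample crypttab: <name> <device> <key file> <options>
SAMPLE_CRYPTTAB = """\
root   UUID=11111111-2222-3333-4444-555555555555 none luks,tpm2-device=auto
home   /dev/disk/by-partlabel/home none luks,fido2-device=auto
vault  /dev/sdb2 none luks,pkcs11-uri=auto
swap   /dev/sdb3 /etc/keys/swap.key luks
legacy /dev/sdc1 none luks
"""

# crypttab option -> mechanism name used in the report
HARDWARE_OPTIONS = {"tpm2-device": "tpm2", "fido2-device": "fido2", "pkcs11-uri": "pkcs11"}


def classify(keyfile: str, opts: dict) -> str:
    """Map an entry's key-file field and option dict to its unlock mechanism."""
    for option, mechanism in HARDWARE_OPTIONS.items():
        if option in opts:
            return mechanism
    if keyfile not in ("none", "-"):
        return "keyfile"
    return "passphrase"  # nothing else configured: systemd-cryptsetup prompts


def parse_crypttab(text: str) -> dict:
    """Return {volume name: mechanism} for every non-comment crypttab line."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        keyfile = fields[2] if len(fields) > 2 else "none"
        opts = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):
                key, _, value = opt.partition("=")
                opts[key] = value
        result[fields[0]] = classify(keyfile, opts)
    return result


def software_only(text: str) -> list:
    """Volumes still unlocked by a key file or passphrase rather than hardware."""
    return [n for n, m in parse_crypttab(text).items() if m in ("keyfile", "passphrase")]
```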