I enrolled my FIDO2 YubiKey device as a way to unlock my encrypted partition:
/etc/crypttab:

    dm_crypt-0 UUID=78768999-69dd-44ba-8858-dd0c2ecbc2b5 none luks
    dm_crypt-0 UUID=78768999-69dd-44ba-8858-dd0c2ecbc2b5 none fido2-device=auto

Yay. Now I also want to do this at boot, but my changes in /etc/crypttab aren't recognised by initramfs:

    ignoring unknown option 'fido2-device'

Various guides exist for Arch Linux and Ubuntu that almost all involve switching from initramfs-tools to dracut. But this has repeatedly left me stranded with an initramfs or emergency shell, after which I had to spend a lot of time repairing my initramfs.
Extra bonus points if I can also use the YubiKey as 2FA in addition to entering my password.