Automatic unlock of LUKS encrypted disks (including root volume) using USB stick

Dears,

I have been able to bind my LUKS configuration (which includes all volumes except boot) with Clevis using TPM2 on Rocky 8.6. The automatic unlock works very well; all I need to do is add the Clevis binding and rebuild the initramfs with Dracut. But this solution does not offer any kind of authentication. It is more for protecting the data only in case someone steals or loses the disks. So I was thinking that I would get one of those USB sticks with a PIN that encrypts the stick's content, and use that to store the passphrase (or key or certificate, whatever we want to call it), which would be decrypted and available only during boot. The ultimate goal is to preserve automation, meaning that the user would only need to ensure that the USB stick is present (no need for a keyboard or display at all during boot).

So what would be the simplest kind of solution to get USB sticks to give out the LUKS secret at early boot without user input? Any good resources to share? I have found many, but they are usually for some other flavor of Linux and I cannot get them to work on Rocky 8.6. Desperately seeking someone who has managed to do this with Rocky 8.6.

Thanks!

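The TPM2 binding the post describes as working, written out as an added example script (not code from the original post or from the Clevis project). It binds one LUKS device to the TPM2 with Clevis, pins the sealed key to PCR 7 (the Secure Boot policy measurement), rebuilds the initramfs, enables the askpass unit that handles non-root volumes after the initramfs hands off, and verifies the binding with `clevis luks list`. The device path `/dev/sda3`, the PCR selection and the `DRY_RUN` switch are assumptions for illustration; `clevis-luks` and `clevis-dracut` must be installed and the script run as root on the target host. As the post notes, this releases the key on any boot that reproduces the measured state, so it protects against disk theft but authenticates nobody.

```shell
#!/bin/sh
# Added example (not from the original post): bind a LUKS volume to the TPM2
# with Clevis and rebuild the initramfs so the unlock happens at early boot.
# Assumptions: /dev/sda3 is the LUKS device, PCR 7 is the policy to seal to,
# clevis-luks and clevis-dracut are installed, and we run as root.
set -eu

# DRY_RUN=1 prints the privileged commands instead of executing them, so the
# procedure can be reviewed on a machine without a TPM or the target disk.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Clevis tpm2 pin configuration. Sealing to PCR 7 means the TPM releases the
# key only while the Secure Boot policy measurement is unchanged; it does not
# ask the person at the console for anything.
tpm2_pin_config() {
    pcr_ids="$1"
    pcr_bank="${2:-sha256}"
    printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$pcr_bank" "$pcr_ids"
}

# Add a Clevis keyslot to the device. The existing passphrase is prompted for
# once by clevis itself; the sealed key is stored in a LUKS2 token.
bind_tpm2() {
    dev="$1"
    pcr_ids="${2:-7}"
    run clevis luks bind -d "$dev" tpm2 "$(tpm2_pin_config "$pcr_ids")"
}

# Regenerate the initramfs so the clevis dracut module is included and the
# root volume can be unlocked before pivot.
rebuild_initramfs() {
    run dracut -f --regenerate-all
}

# Non-root volumes are unlocked after the initramfs by this path unit.
enable_askpass() {
    run systemctl enable clevis-luks-askpass.path
}

# Check: the bound slot should show up as a tpm2 pin with our PCR config.
verify_binding() {
    run clevis luks list -d "$1"
}

main() {
    dev="${1:-/dev/sda3}"   # assumption: the LUKS device on this host
    bind_tpm2 "$dev" 7
    rebuild_initramfs
    enable_askpass
    verify_binding "$dev"
}

# Only act when explicitly asked, e.g.:  sh clevis-tpm2.sh --apply /dev/sda3
if [ "${1:-}" = "--apply" ]; then
    main "${2:-}"
fi
```

Run it first with `DRY_RUN=1 sh clevis-tpm2.sh --apply /dev/sda3` to see the exact commands, then without `DRY_RUN` to apply them. After a reboot, `clevis luks list -d /dev/sda3` should report the `tpm2` pin; if the PCR 7 value changes (for example after toggling Secure Boot), the TPM will refuse to unseal and the boot falls back to the passphrase prompt.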