You must set up your Yubikey with the challenge-response algorithm in slot 2. One of the methods of doing so is using Yubico Authenticator.

First, become root and install yubikey-luks:

su -
sudo apt install yubikey-luks

Next, enroll your Yubikey. By default, the enrollment command will detect your boot disk and will save the new credential in LUKS slot 7, but you can adjust this. See man yubikey-luks-enroll

yubikey-luks-enroll

Follow the on-screen instructions. You will also be asked to enter a passphrase. This passphrase will be used in the challenge-response algorithm, and will still be needed at boot. This way, to unlock your disk, you will need something you have (the Yubikey) and something you know (the passphrase).

Then, adjust /etc/crypttab and append the keyscript parameter to refer to the ykluks keyscript.

Before:

sda3_crypt UUID=3d5a01bc-42dc-4ed8-9e61-caa3be6c66a1 none luks,discard

After:

sda3_crypt UUID=3d5a01bc-42dc-4ed8-9e61-caa3be6c66a1 none luks,discard,keyscript=/usr/share/yubikey-luks/ykluks-keyscript

Finally, update your initramfs:

update-initramfs -u

When you know reboot the system, you will be asked to insert a Yubikey and enter a passphrase. After doing so, you may need to touch the Yubikey before the challenge-response process is completed, depending on how you've set up your Yubikey. This process should now successfully unlock your disk at boot time.

https://packages.debian.org/unstable/yubikey-luks https://www.endpointdev.com/blog/2022/03/disk-decryption-yubikey/