#!/bin/bash
set -e  # The script will exit if a command fails.
read -r uuid usbmntpt <<< $(lsblk -o UUID,MOUNTPOINT | grep media)    
mntdest="$usbmntpt/mykeyfile"
uuiddest="/dev/disk/by-uuid/$uuid:/mykeyfile"
sudo dd bs=1M count=4 if=/dev/urandom of=$mntdest iflag=fullblock
sudo chmod -v 0400 $mntdest
device=$(sudo blkid --match-token TYPE=crypto_LUKS -o device)
sudo cryptsetup luksAddKey $device $mntdest
sudo cryptsetup luksOpen --test-passphrase --key-file $mntdest $device
sudo cp /etc/crypttab /etc/crypttab.original
sudo sed -i "s|none|$uuiddest|g" /etc/crypttab
sudo sed -i "s|$|,discard,keyscript=/lib/cryptsetup/scripts/keyscript.sh,tries=4|" /etc/crypttab 
sudo wget -O /lib/cryptsetup/scripts/keyscript.sh \
  https://raw.githubusercontent.com/filisko/cryptsetup-usb-keyscript/main/src/keyscript.sh
sudo chown root:root /lib/cryptsetup/scripts/keyscript.sh
sudo chmod 755 /lib/cryptsetup/scripts/keyscript.sh
sudo update-initramfs -u
echo "If all went well restart your computer."

https://filis.me/posts/how-to-decrypt-a-luks-setup-with-a-pendrive