To read keyslots of an existing LUKS device:
systemd-cryptenroll [device]
To enroll a password and recovery key:
systemd-cryptenroll --password [device]
systemd-cryptenroll --recovery-key [device]
To enroll a TPM device with PIN:
systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=yes [device]
To remove a key:
systemd-cryptenroll --wipe-slot=[slot index] [device]