Comment on Remote solution to decrypt disk at boot

rentar42@kbin.social 11 months ago

I'm using encrypted ZFS as the root partition on my server and I've (mostly) followed the instructions in point #15 from here: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Bookworm%20Root%20on%20ZFS.html

This starts dropbear as an SSH server that only has a single task: when someone logs in to it they get asked for the decryption key of the root partition.

I suspect that this could be adapted to whatever encryption mechanism you use.

I didn't follow it exactly, because I didn't want the "real" SSH host keys of the host to be accessible unencrypted in the initrd, so the "locked host" has a different SSH host key than when it is fully booted, which is preferred for me.
