In case of systemd-cryptenroll (and other LUKS-related systemd infra, even without TPM) it's systemd that handles the passphrase to generate a key to unlock LUKS device - possibly combining with a PIN or passphrase or also a FIDO-compatible device or a smartcard.