[hannibalhorn]

I actually keep my FDE password separate just because I use such a long password it's not practical to type every time my screen locks. The GUI doesn't expose it, but you can encrypt your root volume independent of your user account directly with a "diskutil cs encryptVolume" command. There's a great writeup of it here: https://www.westhoffswelt.de/blog/2014/9/9/osx-full-disk-enc...

I think a physical token for the user account is still good for times when one I'm just away from the desk for a bit, a physical key is better than a short password that someone could probably shoulder surf me typing 50 times a day anyway.

There seems to be some info on using the Yubikey with FDE on their site, it's worth a look but indeed, I'm not sure there's anything that they could do there beyond effectively storing said really long password anyway.