What is needed are the following two lines at the beginning of grub.cfg: insmod luks cryptomount -u 1aa...
where 1aa... is the result of "cryptsetup luksUUID /dev/sda2". So the logic outlined in my previous message works: Determine the mapped-devices /dev/sdXY of type luks-device-mapping that lead to a file-system with needed-for-boot? set to #t. Using cryptsetup luksUUID /dev/sdXY determine a corresponding uuid 12345...0. If any such mapped-device exists, add insmod luks as the first line of grub.cfg. For any such mapped-device, add a line cryptomount -u 12345...0 right after that. To simplify the logic, we could also move the needed-for-boot? parameter to mapped-device, or add such a parameter there. Andreas
