> Current GRUB2 supports directly reading encrypted partitions via > dm-crypt and LUKS. This allows setting up an encrypted disk without a > separate unencrypted /boot partition. Please consider supporting this > configuration in debian-installer.
Grub currently doesn't support LUKS2 very well. For example, PBKDF2 has to be used instead of Argon2 for key derivation. The Debian Installer currently doesn't allow changing this. Even worse, I haven't had any success at creating a LUKS2 volume that grub-efi-amd64-signed recognizes. Additionally, partman doesn't recognize LUKS1 partitions well and cannot create any either. This makes it much harder to install Debian on a LUKS1 volume. Please add support for this scenario, as the additional unencrypted /boot partition is unnecessary on UEFI systems and increases the attack surface of encrypted disks.
