After reading release announcement of D-I RC2 [1], it's got my attention that there's an well written doc [2]. It's mentioned that /boot should be in LUKS1, due to grub doesn't support LUKS2 yet [3], which is why this ticket originally reported, I guess.
I confirmed with /boot set up in LUKS1, everything works fine. It‘d configure non encrypted /boot when in D-I, then after finishing D-I, and reboot to system, manually make LUKS1 for /boot partition. Detail procedure is in the doc [2]. [1] https://lists.debian.org/debian-devel-announce/2019/06/msg00005.html [2] https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html [3] https://savannah.gnu.org/bugs/?55093 -- Roger Shimizu, GMT +9 Tokyo PGP/GPG: 4096R/6C6ACD6417B3ACB1
