I have solved my problem, and now have Grub working with an encrypted /. The config I had before had a gpt partitioned disk, with bios boot. I had an encrypted / and a separate, unencrypted /boot.

When I changed the configuration to not use a separate /boot filesystem, and put /boot on the encrypted root, Grub dutifully prompts me for a password, and is then able to boot the system normally.

Is it a bug that a separate /boot doesn't work? Is it worth mentioning in the manual that a separate /boot isn't needed?

As a side note: I had been expecting 'insmod luks' and 'cryptomount …' lines in the grub.cfg. They don't appear even with the working setup, but we are running grub-install with the GRUB_ENABLE_CRYPTODISK environment variable set. I couldn't find a mention of this variable in the Grub manual. What's going on here/how do all the pieces fit together?

Best,
Jack
