45mg <45mg.wri...@gmail.com> writes: >>> What most distributions do is use something like `ukify` to generate a >>> bootable UEFI image that has includes the required crypto modules.
Please disregard this, I don't actually know how prevalent UKIs are. What I was going for was - usually the kernel and initramfs images are written to eg. `/boot`, which can be unencrypted. And the initramfs is able to mount the encrypted volume. (To fully secure this setup you'd need Secure Boot, which is addressed in the bootloader rewrite I think...)
