Interesting!

I went on a similar journey recently with Debian and FDE on LUKS2, which involved a fair amount of learning and messing around, but I got there. No Btrfs though, just plain old ext4+swap volumes using LVM on LUKS2, and a small UEFI partition.

My /boot is encrypted so I enter the LUKS2 passcode before grub can even access its config, and I've rolled an unlock key into the initramfs (which is loaded by grub from the encrypted partition) so that I don't have to enter it twice. The only cleartext stuff is /boot/efi.

Next project is secure boot, but so far I have failed to add a MOK to my system (it just doesn't seem to persist for some reason), and I've not got any further than shim->grub->FAIL.

Hibernate is less interesting, and apparently unsupported using secure boot anyway.

What's the point of encrypting /boot exactly? From an Encrypt All The Things! perspective I get it, but practically... it seems overkill?

As the other poster mentioned, without secure boot, there are no guarantees about a kernel or initramfs that are sitting out there in plaintext (and yes, someone could mess with my grub install).

It was mostly because "this should be possible, right?"

So yeah - Encrypt all the things :)

You don't need to encrypt anything to verify those images; you just need to sign them. See how Heads does this.

https://github.com/osresearch/heads