Hello! (And apologies Christopher for not replying earlier!)
I’m happy to report that this issue is finally fixed in f7f292d359e0eb77617f4ecf6b3164f868ec1784! The complete list of relevant commits is this: --8<---------------cut here---------------start------------->8--- f7f292d * install: Enable "cryptodisk" handling in GRUB. b7d408e * mapped-devices: Use 'cryptsetup-static' in 'luks-device-mapping'. fe93383 * marionette: Add 'marionette-screen-text' using OCR. f25c9eb * marionette: Delay synchronization with the host's REPL. [...] 106b389 * gnu: Add 'cryptsetup-static'. 01f94cc * gnu: Add 'lvm2-static'. 10da75d * gnu: grub: Add dependency on LVM2. --8<---------------cut here---------------end--------------->8--- Without LVM2 support, ‘grub-install’ and ‘grub-probe’ would fail to determine what to do with the LUKS-encrypted partition. When using ‘cryptsetup’ instead of ‘cryptsetup-static’, we were pulling the whole closure of ‘cryptsetup’ (105 MiB) in the initrd, which was clearly unreasonable. ;-) The guts was to come up with a test strategy that would work. The difficulty here is that we have to enter a passphrase early one in GRUB, and then once again once the kernel has booted, when ‘cryptsetup’ is invoked from the initrd. At this point, we have no good communication channel with the hosts, hence the screenshots with OCR! (Idea stolen from NixOS’ own tests.) You can run the test with: make check-system TESTS=encrypted-root-os Further testing welcome! Ludo’.
