Piero V.

Linux cryptsetup and rEFInd

TL;DR: create a /boot/refind_linux.conf file with the following content (one line per boot entry):

"Boot with standard options"  "root=UUID=uuid-of-unencrypted-root-partition ro cryptdevice=UUID=uuid-of-luks-partition:volume-name:allow-discards quiet"
"Boot to single-user mode"    "root=UUID=uuid-of-unencrypted-root-partition ro cryptdevice=UUID=uuid-of-luks-partition:volume-name:allow-discards quiet single"
"Boot with minimal options"   "root=UUID=uuid-of-unencrypted-root-partition ro cryptdevice=UUID=uuid-of-luks-partition:volume-name:allow-discards"

The rest of the article is a nice story about why I needed this 😄️.

More fast storage!

I built my current desktop two years ago with the first money I earned during my internship. So, I was on a budget, and skimping on storage is always a way to save a few bucks.

Therefore, I bought a WD Black 250GB SSD to dual boot my systems and a 2TB hard disk for the data.

Recently I changed jobs, and now I use my personal desktop for work. So I need more fast storage.

So, since I was already upgrading, I finally switched to full-disk encryption and btrfs.

I will not go into the details of how to do that, because it is a topic that deserves a lengthy discussion of its own. There are plenty of resources on the web, for example on the Arch wiki.

The problem

My motherboard is an ASRock B450 Pro4, and I turned on fast boot and deep sleep. With this combination, GRUB did not recognize my USB keyboard, so I could neither choose which OS to boot nor boot with custom options.

Therefore, I switched to rEFInd. I had already used it on troublesome machines, and it solved my issues in this case too.

However, I installed it manually, without any scripts to update its configuration, and so far I had never needed them. But booting a full-disk-encrypted system is more involved, and the bootloader needs some additional hints: the kernel must be told both where the LUKS container is and which filesystem to mount as root once it is unlocked.

Adding an OS to rEFInd is easy: you just need to add a stanza to refind.conf. However, I wanted to keep the automatically generated list of all the available kernels.

The solution

rEFInd reads the command-line arguments to pass to the Linux kernel from a file called refind_linux.conf, which must live in the same directory as the kernels it applies to (in my case, /boot).

Here you can add all the entries you want to appear for every kernel rEFInd detects, one per line. The first line is the default used when you select a kernel; the others are available from the kernel's submenu.

I already had this file created somehow in my previous system (I do not know by whom). I had to update the details of the partitions and add the cryptdevice parameter:

"Boot with standard options"  "root=UUID=uuid-of-unencrypted-root-partition ro cryptdevice=UUID=uuid-of-luks-partition:volume-name:allow-discards quiet"
"Boot to single-user mode"    "root=UUID=uuid-of-unencrypted-root-partition ro cryptdevice=UUID=uuid-of-luks-partition:volume-name:allow-discards quiet single"
"Boot with minimal options"   "root=UUID=uuid-of-unencrypted-root-partition ro cryptdevice=UUID=uuid-of-luks-partition:volume-name:allow-discards"

The root parameter refers to the decrypted root filesystem, i.e., the one that becomes accessible as /dev/mapper/volume-name once the container is unlocked; its UUID is the filesystem UUID, not the UUID of the LUKS partition. volume-name itself can be customized as you prefer.

The UUID in cryptdevice refers to the physical LUKS partition, i.e., the partition that you pass to cryptsetup luksOpen. Note that cryptdevice= is the syntax understood by mkinitcpio's encrypt hook; other initramfs generators expect different parameters or read /etc/crypttab instead, so check which one your distribution uses.

allow-discards is needed to let TRIM commands reach the SSD through the encrypted mapping. Be aware of the trade-off: with discards enabled, an attacker who reads the raw disk can tell which blocks are unused and thus learn something about filesystem usage patterns. The third field of cryptdevice can also carry other options for cryptsetup.
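The easiest mistake to make here is to put the same UUID in both root= and cryptdevice=. As an added example (not code from the original post), the following POSIX shell script generates the three refind_linux.conf lines from the two UUIDs and checks that they are different. The device path /dev/nvme0n1p3, the mapping name cryptroot and the function names are hypothetical placeholders; the only external tool it relies on is blkid, and only when you call the two lookup helpers on a real system.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check
# /boot/refind_linux.conf for a LUKS-encrypted root.
# Assumed placeholders (adapt to your system): /dev/nvme0n1p3 is the
# physical LUKS partition, "cryptroot" is the name given to luksOpen.

# UUID of the LUKS container header: this is the value for cryptdevice=UUID=...
luks_uuid() {
    blkid -s UUID -o value "$1"
}

# UUID of the filesystem inside the mapping: this is the value for root=UUID=...
# It only exists after the container has been opened.
root_fs_uuid() {
    blkid -s UUID -o value "/dev/mapper/$1"
}

# Print the three entries rEFInd expects, one per line, in the order
# used by the post (the first line is the default).
gen_refind_linux_conf() {
    root_uuid=$1
    luks_uuid=$2
    volume=$3
    common="root=UUID=$root_uuid ro cryptdevice=UUID=$luks_uuid:$volume:allow-discards"
    printf '"Boot with standard options"  "%s quiet"\n' "$common"
    printf '"Boot to single-user mode"    "%s quiet single"\n' "$common"
    printf '"Boot with minimal options"   "%s"\n' "$common"
}

# Read a refind_linux.conf on stdin and reject lines where root= and
# cryptdevice= name the same UUID (the LUKS header is not a mountable
# filesystem) or where one of the two parameters is missing.
check_refind_linux_conf() {
    status=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        r=$(printf '%s\n' "$line" | sed -n 's/.*root=UUID=\([^ "]*\).*/\1/p')
        c=$(printf '%s\n' "$line" | sed -n 's/.*cryptdevice=UUID=\([^:"]*\):.*/\1/p')
        if [ -z "$r" ] || [ -z "$c" ]; then
            echo "missing root= or cryptdevice= in: $line" >&2
            status=1
        elif [ "$r" = "$c" ]; then
            echo "root= must be the decrypted filesystem UUID, not the LUKS UUID: $line" >&2
            status=1
        fi
    done
    return $status
}

# Usage on a real system (with the container already opened as cryptroot):
#   gen_refind_linux_conf "$(root_fs_uuid cryptroot)" "$(luks_uuid /dev/nvme0n1p3)" cryptroot \
#       | tee /boot/refind_linux.conf | check_refind_linux_conf
```

Run the check whenever you regenerate the file: a root= pointing at the LUKS UUID fails at boot with a "cannot find root device" style error only after you have typed the passphrase, which is a slow way to discover a typo.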

Finally, rEFInd can detect certain distributions and show a custom icon for them. One trick is to include the distro name in the label of your /boot partition. If you want to add other information to the label, separate it from the distro name with hyphens, underscores, or colons. For example, I called mine Debian-boot. Initially I used camelCase, and I got the generic Tux icon instead.

After that, you will be able to use rEFInd to boot your encrypted system as usual, with the passphrase prompt coming from the initramfs.