This is probably feasible, though I can’t say if it’s something that I’ll definitely work on or not. Some notes:
- Kicksecure doesn’t use GRUB to unlock encrypted disks. This is because we use Debian’s GRUB, and Debian’s GRUB only has very bad LUKS support (only supports LUKS1, can’t handle non-US keyboard layouts, ugly, slow, only gives you one shot to unlock the drive, and then the Linux kernel has to unlock the drive again once it boots). Instead, we use an unencrypted /boot partition and let the initramfs handle decryption. This lets us use more secure encryption, provides a better user interface for decryption, works with multiple keyboard layouts, and works faster.
- Plausible deniability should not be relied upon unless you know exactly what you’re doing. It’s well known that such a thing exists, and it’s pretty uncommon for people to have a random block of “unallocated” (or allocated-but-unformatted) space on their disk. If you’re in enough danger to consider needing plausible deniability, you’re in enough danger for even random data to look suspicious if it’s at all unusual.