ISO: Change to unencrypted /boot if using Full Disk Encryption

Calamares setting up encrpyted /boot (which gets decrypted with GRUB2) causes many issues.

  • GRUB2 needs a very long time to decrypt the root disk.
  • Need to enter full disk password twice, at grub boot menu and systemd during boot. This might be a missing dracut module or bug.
  • And the worst issue: Keyboard layout issues. There is no way to define keyboard layout during GRUB2 pre-boot full disk encryption password entry. (If there is, these are very complicated, not suitable for a Debian derivative and also break SecureBoot.)

This should be no security issue. This is what most distributions are using. The kernel image is not secret. Unencrypted /boot that Debian (CLI looking) installer (“DI”) is using that too. Encrypted /boot is simply not ready due to these upstream bugs which will very most likely not be resolved anytime soon.


  • Find a distribution that uses Calamares and implemented unencrypted /boot.
    • Maybe Ubuntu? Check
      • git clone
    • Linux Mint?
    • Elementary OS?
  • Copy over the Calamares config files to Kicksecure (if permissible by the license, which is probably the case).
  • Change Kicksecure Calamares Installer to the usual unencrypted /boot partition.

Probably not possible as long as Kicksecure is based on Debian 12 / bookworm.

Requires a newer calamares version which is only installable in Debian 13 / trixie.

Very difficult to install the newer calamares version in Debian 13 due to dependency issues.