👩‍🏫[HowTo] Boot without a password for encrypted root partition

Boot sequence:

  1. Your UEFI-Bios needs to start a boot-loader that it can read from the ESP.
     The ESP and the boot-loader on it can not be encrypted.
  2. Your bootloader also needs to be able to read its own configuration files, to show a boot menu of its own (this is a different menu from the boot menu provided by the UEFI-Bios), and to load the kernel(s) and ramdisk(s).
     • Grub has built-in functionality to decrypt certain encrypted partitions that it supports.
       (But most other bootloaders don’t have that functionality.)
     • When Secure-Boot is enabled in the UEFI-Bios settings, the kernel needs to be signed by at least one key that is stored inside your NVRAM, or by the key built into the boot-loader itself, or by a key provided via the Shim functionality.

So when your UEFI-Bios starts your Grub bootloader from the ESP:

  • Grub, in an effort to find and read its own configuration files, asks for your encryption password to decrypt any encrypted partitions it finds, until it is able to find the files it needs.
  • Because the default install places the files Grub needs under /boot/grub, and /boot is normally part of the encrypted root partition, the default behavior is for Grub to ask for the password in that scenario before it can display its own menu.
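To see which case a given machine is in, it helps to check whether the filesystem that holds /boot/grub sits on top of a crypt device. The small script below is an added example written for this post, not something from the original, and it works on constructed `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output rather than a live system; the column order and the function names are assumptions. It walks from the device mounted at /boot (or / when there is no separate /boot) up through its parents and reports whether any of them is a crypt container, which is exactly the situation in which Grub has to ask for the password before it can show its menu.

```shell
#!/bin/sh
# Added example (not from the post): decide whether GRUB must unlock an
# encrypted container before it can read /boot/grub.  Input is the
# key="value" style output of:
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
# The two tables below are constructed samples, not captured from a real box.

# Constructed: unencrypted ESP, root inside a LUKS container, no separate
# /boot, so /boot/grub lives on the encrypted root (the default layout).
SAMPLE_ENCRYPTED_BOOT='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="/" PKNAME="nvme0n1p2"'

# Constructed: a separate plain /boot partition, so GRUB can read its files
# without a passphrase even though / is encrypted.
SAMPLE_PLAIN_BOOT='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="/" PKNAME="nvme0n1p3"'

# Splitting each line on double quotes gives fixed field positions:
#   $2 = NAME, $4 = TYPE, $6 = MOUNTPOINT, $8 = PKNAME

# device_for_mount TABLE MOUNTPOINT -> NAME of the device mounted there
device_for_mount() {
    printf '%s\n' "$1" | awk -F'"' -v mp="$2" '$6 == mp { print $2; exit }'
}

# type_of TABLE NAME -> TYPE column of that device
type_of() {
    printf '%s\n' "$1" | awk -F'"' -v n="$2" '$2 == n { print $4; exit }'
}

# parent_of TABLE NAME -> PKNAME of that device (empty for a whole disk)
parent_of() {
    printf '%s\n' "$1" | awk -F'"' -v n="$2" '$2 == n { print $8; exit }'
}

# grub_needs_passphrase TABLE -> prints "yes" when the filesystem holding
# /boot/grub sits, directly or through its parents, on a crypt device.
grub_needs_passphrase() {
    table=$1
    # /boot/grub is on the /boot filesystem if one is mounted, else on /
    dev=$(device_for_mount "$table" /boot)
    [ -n "$dev" ] || dev=$(device_for_mount "$table" /)
    while [ -n "$dev" ]; do
        if [ "$(type_of "$table" "$dev")" = crypt ]; then
            echo yes
            return 0
        fi
        dev=$(parent_of "$table" "$dev")
    done
    echo no
}

grub_needs_passphrase "$SAMPLE_ENCRYPTED_BOOT"   # yes
grub_needs_passphrase "$SAMPLE_PLAIN_BOOT"       # no
```

On a real system you would feed it `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` instead of the constructed tables; a "yes" answer means Grub has to decrypt that container just to reach its own configuration, which is the password prompt described above.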

:woman_teacher: Feel free to comment with your opinions and eventual corrections. :raising_hand_man: :raising_hand_woman:
