I figured it out.
It now works.
It’s a different syntax in the boot loader config when you want to use systemd HOOKS
If using the “standard” encrypt HOOKS
Grub config looks like this:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=73213ab9-5c8c-4c2a-a397-aa321ebfd4ec:cryptroot ro"
the corresponding /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf block encrypt filesystems shutdown keyboard resume)
If using the systemd HOOKS
Grub config looks like this:
GRUB_CMDLINE_LINUX="luks.name=73213ab9-5c8c-4c2a-a397-aa321ebfd4ec=cryptroot ro"
the corresponding /etc/mkinitcpio.conf
HOOKS=(base systemd autodetect modconf block sd-vconsole sd-encrypt filesystems fsck)
cryptdevice=UUID=73213ab9-5c8c-4c2a-a397-aa321ebfd4ec:cryptroot
vs
luks.name=73213ab9-5c8c-4c2a-a397-aa321ebfd4ec=cryptroot
As a bonus, you get some feedback (stars) while typing in the password …