You were right originally,
GRUB_ENABLE_CRYPTODISK=y was the missing piece, unfortunately without this all steps in the grub installation chain for an encrypted /boot directory fail.
I’ll list the manual steps I had to do to repair encypted grub and you can retrofit it back into manjaro-architect.
/dev/sdb1, and manjaro-chroot into it.
sudo cryptsetup open --type luks /dev/sdb1 cryptroot
sudo mount /dev/mapper/cryptroot /manjaro
sudo manjaro-chroot /manjaro
From here I had to add
/etc/default/grub on cryptoroot.
=> This is missing from the current install
Grub config then had to be re-generated to reflect this
sudo grub-mkconfig -o /boot/grub/grub.cfg
Grub then had to be re-installed to link to the newly (ie correctly) generated grub.cfg
sudo mount /dev/sda1 /boot/efi
sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro_grub --boot-directory=/boot --recheck
This installed a functioning grub in
[manjaro@manjaro-luks EFI]$ ll manjaro_grub
drwxr-xr-x 2 root root 4096 Feb 12 13:08 .
drwxr-xr-x 5 root root 4096 Feb 12 13:08 ..
-rwxr-xr-x 1 root root 198656 Feb 26 03:45 grubx64.efi
=> This failed in the current manjaro-architect bootloader install
Without the correctly generated grub.cfg, grub-install must have failed and the subsequent error was not captured or handled.
To make this new grub the default bootloader I had to manually clobber the old one
sudo mv /boot/efi/EFI/manjaro_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi
=> This is not working in the current manjaro-architect bootloader install
This step was probably not linked to a successful completion of
grub-install, or the error not detected, thus the default boot loader was simply replaced with whatever was already in
Proof of life…
So it should be noted that installing to an encrypted partition you must install the grub bootloader to subsequently use it. This should probably be reflected within manjaro-grub in the form of dependencies somehow.
Using another grub instance will not find this system, due to os-prober explicitly skipping detection process on partitions of type luks. No idea why this is the case.