Encryption without separate /boot becomes even more attractive when using the kernel's EFI stub to boot, directly off the EFI partition. In that scenario, the passphrase needs to be entered only once. Florian