@ellis @weirdtreething
No, you don't need encrypted boot. With encrypted boot you need to have grub signed (only grub is capable of encrypted boot, with the downsides that @domi described).
For everything else you'll need to make a unified kernel image because it's not possible to sign the intramfs.
@walnut@thesoftestpaws.net