Continuing the near death experience saga, I have some good news to share.

The failing disk resisted resyncing too hard, and eventually I gave up. I got a new one, put it in place, set up an encrypted LVM, synced up the raid1 subvolume, lowered anxiety, installed grub on the disk, and there!, I still had an unbootable system without the flash drive I'd set up to boot it up.

Further investigation revealed that this is a known limitation of GNU GRUB 2.06 on Trisquel 11 (and also on GNUboot 0.1rc1), when it comes to decrypting LUKS2 volumes with argon2id PBKDF.

(Side conclusion: unlike my earlier claim, I mustn't have tested booting up with only the external disk plugged in: unlike the much older internal disk, the external one had been created with LUKS2 Argon2ID, so there's no chance whatsoever that the test would have succeeded.)

Adding a pbkdf2 key to both encrypted volumes enabled GNUboot to decrypt them.

Rebuilding grub2-2.12 from the upcoming Trisquel release seems to have enabled at least grub-probe to recognize the LUKS2 volumes and create a reasonable-looking grub.cfg that attempts to cryptomount them both. I'm yet to reboot to test it, but I expect it to succeed at decrypting them as well, using the PBKDF2 key, and then I'll be back to easy reboots with SEABIOS loading GNU GRUB from the disk.

Hopefully future releases of Trisquel, and of GNUboot, will integrate existing improvements for GNU GRUB that enable LUKS2 Argon2ID support.

So blong,