I’m an Arch user new to Qubes, and I’m curious why Qubes doesn’t encrypt /boot. Grub has long supported encrypting /boot in luks1 partitions, and I believe now supports it even in luks2 partitions. I assume Qubes has some reason for still preferring the old behavior with unencrypted /boot. Can someone explain, please?
Thanks.