
Setting GRUB up with full-disk encryption and BTRFS snapshots is braindead easy. Maybe it'd be just as easy with Gummiboot or rEFInd, but you know what they say about fixing things that aren't broken.


What's the current state of the art on this? Last time I looked it was really not trivial, because of two things:

1) there is only one bootloader (grub2) that can load kernels from encrypted /boot partitions, but the support for that is limited: you have to use weaker encryption if I remember correctly, AND decryption speed (after entering the LUKS password) is super slow, because the CPU extensions that speed it up (AES) are not yet online that early in the boot process

2) you can choose to not encrypt /boot, and have it as a separate partition, but now your btrfs snapshots will not include the kernel, so restoring after kernel upgrades is going to break your system


Check out the Arch wiki for plain dm-crypt.


I am only really familiar with Arch and OpenSUSE, so I don't know how other distros do it, but OpenSUSE keeps the (I believe) latest 5 kernels, so I just have to delete snapshots older than the oldest kernel in my /boot. I like that system so I do the same thing on Arch (but don't tell anyone, otherwise I'm gonna get yelled at).


Doesn't deleting old kernels defeat snapshots? You do a system update, you get a new kernel, you delete the old ones, now all snapshots that depend on that older kernel are busted, what am I missing?


You may have misread: what I do is keep the 5 latest versions of the kernel the distro ships, and I delete snapshots which depend on kernels older than those 5. I could keep all the kernels and snapshots, but I don't have that much storage dedicated to / and /boot.


It really is easy, it is just mostly a matter of proper initramfs, and a "linux" line in the GRUB configuration file. Arch wiki gets into it in detail.
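The two comments above (the "weaker encryption" limit on an encrypted /boot, and "proper initramfs plus a linux line in the GRUB config") can be turned into offline checks. The script below is an added example, not code from the thread or from GRUB/Arch; it reads an `/etc/default/grub`-style file and `cryptsetup luksDump` output on stdin so it runs without root. It assumes that `GRUB_ENABLE_CRYPTODISK=y` is what makes `grub-install` embed the cryptodisk modules, that GRUB 2.06's cryptodisk opens LUKS1 and LUKS2-with-PBKDF2 keyslots but not argon2i/argon2id keyslots (newer patched builds may differ), and that the kernel still needs a `cryptdevice=` (mkinitcpio) or `rd.luks.*` (dracut) parameter because GRUB's unlock does not carry over to the initramfs. The sample config and dump text are constructed; the UUID is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Two stdin-fed sanity checks for an
# encrypted /boot under GRUB:
#   check_default_grub - reads an /etc/default/grub-style file
#   grub_can_unlock    - reads `cryptsetup luksDump` output
# Assumption: GRUB 2.06 cryptodisk opens LUKS1, or LUKS2 whose keyslots use
# pbkdf2, but not argon2i/argon2id keyslots.

# 0 if cryptodisk is enabled AND the kernel is told which device to unlock
# again after GRUB hands over (cryptdevice= for mkinitcpio's encrypt hook,
# rd.luks.* for dracut); 1 otherwise.
check_default_grub() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=["'"'"']?y' || return 1
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=.*(cryptdevice=|rd\.luks\.)' || return 1
    return 0
}

# 0 if GRUB can open the container (LUKS1, or LUKS2 with only pbkdf2 keyslots),
# 2 if any LUKS2 keyslot uses argon2*, 1 if no "Version:" line was found.
grub_can_unlock() {
    awk '
        $1 == "Version:" { ver = $2 }
        $1 == "PBKDF:" && $2 ~ /^argon2/ { argon = 1 }
        END {
            if (ver == "1") exit 0
            if (ver == "2") exit (argon ? 2 : 0)
            exit 1
        }'
}

# Constructed sample inputs (not real system output; UUID is a placeholder).
GRUB_OK='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="cryptdevice=UUID=00000000-1111-2222-3333-444444444444:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@"
GRUB_ENABLE_CRYPTODISK=y'

GRUB_NO_CRYPTODISK='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="cryptdevice=UUID=00000000-1111-2222-3333-444444444444:cryptroot root=/dev/mapper/cryptroot"'

DUMP_LUKS1='LUKS header information for /dev/sda2
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256'

DUMP_LUKS2_PBKDF2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256'

DUMP_LUKS2_ARGON='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4'

# Stand-alone demo: run each check on the samples and print its exit code.
report() {
    rc=0
    printf '%s\n' "$2" | "$1" || rc=$?
    echo "$1 ($3): rc=$rc"
}
report check_default_grub "$GRUB_OK" "cryptodisk + cryptdevice"
report check_default_grub "$GRUB_NO_CRYPTODISK" "cryptodisk missing"
report grub_can_unlock "$DUMP_LUKS1" "LUKS1"
report grub_can_unlock "$DUMP_LUKS2_PBKDF2" "LUKS2 pbkdf2"
report grub_can_unlock "$DUMP_LUKS2_ARGON" "LUKS2 argon2id"
```

On a real box, feed it `cryptsetup luksDump /dev/<boot-partition>` and `/etc/default/grub`; an rc of 2 from `grub_can_unlock` means the keyslot has to be converted to PBKDF2 (`cryptsetup luksConvertKey --pbkdf pbkdf2`) before GRUB can prompt for it, which is the "weaker encryption" trade-off the first comment refers to: the cipher is unchanged, only the password-stretching KDF is weaker.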



