I really appreciate the helpful responses and pointers. The more I played with things the more I I realized my question was sparse with information. To make up for it I'll try to document what I ended up doing, since there are a few tricky points worth touching on for anyone who deals with an install as obtuse as mine.
For booting with elilo, I run
mkinitrd this way
Code:
mkinitrd -c -k 5.4.18 -u -L -m ext4:algif_skcipher \
-f ext4 -r /dev/cryptvg0/root -C /dev/sdc1:/dev/sda2 \
-h /dev/cryptvg1/swap \
-o /boot/initrd.gz
then copy the appropriate files to
/boot/efi/EFI/boot/ (my UEFI system is one of those that finds my EFI partition files effortlessly at that location). The volume group device names for the -r and -h arguments are those returned by
lvscan(8), since early in the boot process /dev/mapper/
<something>-style names apparently can't be used to refer to these devices. Because I did not setup my root (/) and swap within the same encrypted volume group, I must unlock two devices with the -C argument (i.e., therefore having to type my passphrase twice) just so the resume= device can be found and correctly passed to the kernel. Lesson learned.
With root and swap unlocked,
now I can make life a little easier. I went with the common advice of generating a random key file and using it to add an additional key to the LUKS header of each of the devices I unlock with
/etc/crypttab, e.g., /home and external hard drives.
Code:
cryptvg2 UUID=<some long uuid> /root/lukskey
mediahd UUID=<another long uuid> /root/lukskey
[...]
Especially with external hard drives, you may find the name of some of your devices differ on each boot (e.g., /dev/sde instead of /dev/sdf). Using UUIDs instead of normal device names avoids this issue.
So in the end, I save myself from needlessly typing a passphrase for each device added to crypttab but can't save myself from wastefully entering it a second time to unlock swap. So ends my small encrypted partition journey.