
Has there been any work on speed improvements?

I did this LUKS1 encrypted boot partition thing on a relatively recent laptop, and GRUB takes about 25 seconds to validate the passphrase. Once it loads the initrd, the early kernel environment validates the root volume passphrase in about 2 seconds, presumably because it's using an optimized implementation that's available in the kernel but not in GRUB...

Right now I wouldn't recommend doing this unless you have a really good reason for encrypting the boot partition. Most people will be better off having an unencrypted boot and enabling secure boot with your own platform key instead.




My understanding is the LUKS header block contains a key actually used to decrypt your data, but that key is itself decrypted by a key derived from your password or other auth data. grub is using the first key to obtain the second key, the kernel already has the second key (or you'd have to enter your password again).

When you set up the encrypted drive, it deliberately picks settings for this that will be as slow as possible to resist brute force attacks while also aiming not to take over 30s on your current CPU. You'd have to manually specify a lower iteration count to cryptsetup to get a faster unlock.


I'm on a different machine now, but I'll have to go back and verify what I did -- it sounds like I may have set it up incorrectly.

My /boot is a LUKS1 volume, and I thought that my GRUB boot passphrase for this volume was in the first slot, and that I was using the same iteration count as the root volume.

My / is a LUKS2 volume with a different passphrase that I need to enter after the initrd has been loaded. Decrypting the root volume is fast, so I suspect I set this one up correctly. Once the root volume is decrypted, I have a separate key on the filesystem to re-decrypt /boot so that it can be mounted without re-entering the /boot passphrase. This part is also fast.

Something must have gone wonky with the boot passphrase. Either a crazy iteration count or a key slot that forces GRUB to not test it first.


Ha. ~100k iterations on root, ~2 million iterations on boot.

Whoops...
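A quick way to catch this mismatch before it costs you a slow boot is to read the per-slot iteration counts out of `cryptsetup luksDump` and estimate what the PBKDF2 work will cost in GRUB. The script below is an added example, not code from the thread or from cryptsetup; it parses a constructed LUKS1 header dump (the layout mirrors what `luksDump` prints for LUKS1 volumes, which is the format GRUB unlocks), and it also accounts for the fact that GRUB tries the enabled key slots in order, so a high-iteration slot that sits before the slot your passphrase actually matches is paid for on every boot. The iteration rate is an assumption derived from the numbers posted above (~2M iterations in ~25 s), not a measured benchmark; pass your own rate in.

```python
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 /boot volume.
# Values are made up to mirror the thread: slot 0 carries ~2M iterations,
# slot 1 carries ~100k. Not captured from a real device.
SAMPLE_LUKS1_DUMP = """\
LUKS header information for /dev/sda1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK iterations:  107000
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
    Iterations:          2048000
    Salt:                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Key material offset: 8
    AF stripes:          4000
Key Slot 1: ENABLED
    Iterations:          102000
    Salt:                00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Key material offset: 264
    AF stripes:          4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
"""

# Assumed GRUB PBKDF2 throughput, derived from "~2 million iterations, ~25 s"
# in the thread above. This is an assumption, not a benchmark: measure your own.
GRUB_ITERS_PER_SECOND_ASSUMED = 2_000_000 / 25

VERSION_RE = re.compile(r"^Version:\s*(\d+)")
HASH_RE = re.compile(r"^Hash spec:\s*(\S+)")
SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)")
ITER_RE = re.compile(r"^\s*Iterations:\s*(\d+)")


def parse_luks1_dump(text):
    """Return (version, hash_spec, {slot_index: iterations}) for enabled slots.

    Only the per-slot "Iterations:" lines are collected; the header-level
    "MK iterations:" line does not match ITER_RE and is ignored.
    """
    version, hash_spec, slots, current = None, None, {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = int(m.group(1))
            continue
        m = HASH_RE.match(line)
        if m:
            hash_spec = m.group(1)
            continue
        m = SLOT_RE.match(line)
        if m:
            # Track the slot index only while inside an ENABLED slot block.
            current = int(m.group(1)) if m.group(2) == "ENABLED" else None
            continue
        m = ITER_RE.match(line)
        if m and current is not None:
            slots[current] = int(m.group(1))
    return version, hash_spec, slots


def unlock_cost_iterations(slots, matching_slot):
    """PBKDF2 iterations spent when the passphrase matches `matching_slot`.

    Slots are tried in index order and every enabled slot before the match
    is derived and rejected first, so the cost is cumulative.
    """
    return sum(iters for idx, iters in sorted(slots.items()) if idx <= matching_slot)


def estimate_unlock_seconds(iterations, iters_per_second):
    """Rough wall-clock cost of `iterations` at the given derivation rate."""
    return iterations / iters_per_second


def slow_slots(slots, iters_per_second, budget_seconds):
    """Indices of slots whose own derivation alone exceeds the time budget."""
    return sorted(
        idx for idx, iters in slots.items()
        if estimate_unlock_seconds(iters, iters_per_second) > budget_seconds
    )


if __name__ == "__main__":
    version, hash_spec, slots = parse_luks1_dump(SAMPLE_LUKS1_DUMP)
    print(f"LUKS{version} header, hash {hash_spec}, enabled slots: {slots}")
    for idx in sorted(slots):
        cost = unlock_cost_iterations(slots, idx)
        secs = estimate_unlock_seconds(cost, GRUB_ITERS_PER_SECOND_ASSUMED)
        print(f"passphrase in slot {idx}: {cost} iterations, ~{secs:.1f} s in GRUB")
    print("slots over a 5 s budget:", slow_slots(slots, GRUB_ITERS_PER_SECOND_ASSUMED, 5.0))
```

Run it against the real output of `cryptsetup luksDump /dev/<boot-partition>` by replacing the sample text. If a slot comes out far above the others, the fix the thread points at is to re-derive that slot with a shorter `--iter-time` (cryptsetup accepts it on `luksAddKey` and `luksChangeKey`), keeping in mind that a lower count also lowers the cost of an offline guess against that slot, so the number should be a deliberate trade-off rather than an accident of which machine ran `luksFormat`.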


For me it only takes 1 second. The wait time is configurable, by setting the iter-time: https://unix.stackexchange.com/questions/497746/how-to-chang...



