LUKS Full Disk Encryption including /boot partitions in preseeded installation

I'm attempting to bring a bitlocker-esque experience to users in my ubuntu environment. I have a preseeded ubuntu 20.04 installation I deploy that currently has a working disk encryption scheme on root and other file systems. /, /var, /usr, /swap and /home are all in a lvm volume group with luks enabled and unlocking automatically via clevis. I would like to also encrypt the grub/boot partitions and at this time I'm able to successfully move/copy the boot partition to the lvm and encrypt it or just convert it into a luks enabled partition outside of the lvm.

However this results in grub not prompting for a password and being unable to load at boot, I'm assuming this is due to the disk still being locked at boot. Is there some intermediate step (bootloader?) that should be loading the encrypted grub partition and unlocking it? Is EFI/Secure boot required to accomplish this or can an encrypted boot partition be used with a legacy bios?

I've been following this guide here to copy/move the boot partition into a encrypted partition. When the guide was originally written it looks like grub only supported luks1 encrypted partitions, however it appears that luks2 support has been added?

I appreciate any guidance.

UPDATE

After a bit more investigation I'm finding that I get prompted with a password during boot if I only encrypt the /boot partition and leave the partition with /boot/efi unencrypted.

My disk layout looks like this now.

lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/nvme0n1
NAME                        FSTYPE      MOUNTPOINT
nvme0n1                                 
├─nvme0n1p1                 vfat        /boot/efi
├─nvme0n1p2                 crypto_LUKS 
│ └─boot_crypt              ext4        /boot
└─nvme0n1p3                 crypto_LUKS 
  └─nvme0n1p3_crypt         LVM2_member 
    ├─encrypted--lvm-root   ext4        /
    ├─encrypted--lvm-var    ext4        /var
    ├─encrypted--lvm-swap_1 swap        [SWAP]
    ├─encrypted--lvm-tmp    ext4        /tmp
    └─encrypted--lvm-home   ext4        /home

Should I encrypt the EFI partition? Or is it necessary for it to be unencrypted to unlock the partition containing grub? Does this prevent any potential 'evil maid' attacks? Or is there some potential security flaw still open especially if secure boot is not currently enabled?