I have noticed that on a fully encrypted system, when typing the wrong password at boot, you are thrown straight into grub-rescue. When I installed Arch with their install script, it would give me at least another attempt (probably 3). Could we tweak the calamares installation process to allow for multiple attempts, or was there a deliberate decision to only allow one?
I also realized LUKS is implemented differently in Garuda since even the grub screen is behind the password, rather than unencrypted grub in Arch. So maybe it’s not possible
The difference is the installation script you are using to install Arch does not use full disk encryption, it leaves the EFI partition unencrypted. This allows Grub access to its configuration files, enabling all features and configuration options to be used.
By contrast, with full disk encryption GRUB needs to kind of start the boot process without access to these files–basically, before GRUB itself has been properly started. A tiny piece of code runs, which just collects the encryption passphrase and attempts to boot with it. If that effort succeeds, GRUB gets access to its files and the bootloader phase proceeds normally. If the passphrase is incorrect, the boot attempt fails and, well, that’s it.
As far as I know, there is no way to change the default behavior of the FDE LUKS unlock step aside from downloading the source code for GRUB, patching in some logic to allow multiple passphrase attempts, rebuild it, and then install your new version of GRUB.