The "root account is locked" is due to a 2015 Debian change to harden security to prevent the single user mode passwordless shell. Link to the bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 IIRC it was meant more for publicly exposed systems, as the security benefits for an already fully encrypted system are very small, but it causes a lot of pain when trying to recover your system. I disabled it on mine with a workaround patch that's in the bug report.
Aug 11 2019
Aug 10 2019
This seems to have begun to occur more frequently to me lately. It happens after almost every suspend after a longer on time, having to resuspend and resume each time to fix it. I updated the firmware around a week ago (this is a Librem 15 v3).
Also I wouldn't call the resuspend/resume a "fix", but rather a workaround.
I think this is relevant: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930696
IMO a keyscript is unnecessary.
I ran into it when migrating my unencrypted PureOS to a new disk and adding LUKS to it at the same time (I first tried a fresh install but the installer failed for which I already opened a separate bug). I wrote up a quick guide on how to do that on Pureos/Debian, by the way: https://github.com/jjakob/wiki/wiki/Migrating-an-unencrypted-PureOS-Debian-install-to-fully-encrypted
Also getting rid of the unencrypted /boot partition would largely improve the security, I would highly recommend it as the default for the encrypted install. There's no need to enter the passphrase twice if a keyfile is used, and it works flawlessly.
May 28 2019
No prior partitions.