gentoo-config-luks2-grub-systemd: Update passphrase prompt instructions

GRUB 2.14 automatically prompts the user to re-enter the passphrase if
the user entered a wrong passphrase, and it no longer falls back to
rescue mode if the menu has not been shown.  Therefore, delaying the
prompt is not very vital for user experience any more and can thus be
demoted to an optional step.

Author: Leo3418

content/en/collections/gentoo-config-luks2-grub-systemd/goals.md

@@ -78,25 +78,8 @@ extent, and they are recommended to consult these additional resources:
 
 ## Resulting Boot Process
 
-The boot process that the instructions in this tutorial are intended to achieve
-is described as follows:
+After following this tutorial's instructions, the user will just need to enter
+the LUKS partition's passphrase *once* in the entire boot process.  The user
+will enter the passphrase in GRUB, before the Linux kernel is loaded.
 
-1. When GRUB starts, it shows the menu without asking for the passphrase.  This
-   will allow the user to not enter the passphrase until it is really needed.
-   For example, booting an alternative operating system that is not on the LUKS
-   partition (e.g. Microsoft Windows) does not require the passphrase for the
-   LUKS partition; neither does using the "UEFI Firmware Settings" option to
-   easily launch the computer's BIOS utility.  With the resulting
-   configuration, the passphrase will not be asked in these scenarios.
-2. When a menu entry for the operating system on the LUKS partition is
-   selected, GRUB prompts for the passphrase.  This will be the **only** time
-   when the user needs to enter the passphrase.
-   ![GRUB asks for passphrase after selecting a menu
-   entry]({{< static-path img grub-unlock.png >}})
-3. If the passphrase entered is correct, then the boot process continues
-   normally.  The passphrase will not be asked anymore during the boot.
-   ![GRUB boots the operating system upon successful
-   authentication]({{< static-path img grub-unlock-success.png >}})
-4. If an incorrect passphrase is supplied, GRUB returns to the menu.  The user
-   can retry entering the passphrase by selecting the same menu entry, or
-   choose a different entry.
+![GRUB asks for passphrase]({{< static-path img grub-unlock.png >}})

content/en/collections/gentoo-config-luks2-grub-systemd/setup-process/_index.md

@@ -17,7 +17,6 @@ The overall setup process consists of the following steps:
    2. The system is configured so that the passphrase is asked only once during
       boot.
    3. The Linux kernel is configured with support for the LUKS partition.
-   4. To improve user experience, GRUB is configured to postpone asking for the
-      passphrase until necessary.
+   4. GRUB is configured for unlocking the LUKS partition.
 4. The LUKS partition's parameters are tuned to achieve an acceptable unlock
    speed in GRUB.

content/en/collections/gentoo-config-luks2-grub-systemd/setup-process/configure-gentoo/grub.md

@@ -1,11 +1,8 @@
 ---
-title: "Configure GRUB for Better User Experience"
+title: "Configure GRUB"
 weight: 337
 ---
 
-A few additional configuration steps can be taken to improve the user
-experience of unlocking the LUKS partition from GRUB.
-
 ## Update GRUB Settings for LUKS
 
 With the default configuration, GRUB disregards operating systems in LUKS
@@ -54,54 +51,57 @@ with the actual block device for the ESP.
 # mount /dev/sda1 "${ESP}"
 ```
 
-## Improve GRUB's Passphrase Prompt
+## Optional: Delay GRUB's Passphrase Prompt
 
-At this point, if GRUB was installed normally, it would be functional and can
-unlock the LUKS partition already.  However, it would ask for the passphrase
-immediately when it launches, before even showing any menu entries:
+At this point, if GRUB has been installed normally, it will be functional and
+can unlock the LUKS partition already.  However, it will ask for the LUKS
+partition's passphrase *immediately* when it launches, even *before* showing
+any menu entries:
 
 ![GRUB asks for passphrase directly when it starts]({{< static-path img
 grub-start-unlock.png >}})
 
-This might be an acceptable behavior, until an incorrect passphrase is entered,
-in which case GRUB would directly fall back to the rescue mode without giving a
-chance to reenter the passphrase:
+Users who accept this behavior of GRUB can skip this step and move on to the
+next one.
 
-![GRUB falls back to the rescue mode directly if authentication fails when it
-starts]({{< static-path img grub-start-unlock-failure.png >}})
+To some users, this behavior may be undesirable because they want to access
+some GRUB menu options without entering the passphrase.  After all, some options
+do not really need the passphrase because they need not unlock the LUKS
+partition, like options to boot an alternative operating system that is not on
+the LUKS partition (e.g.  Microsoft Windows), and the “UEFI Firmware Settings”
+option for launching the computer’s BIOS utility.  These users might not wish to
+unnecessarily enter the passphrase to use these options.
 
-To avoid this behavior of GRUB, move the `/boot/grub` directory to the ESP,
-then create a symbolic link to the new directory under `/boot`.
+To avoid this behavior of GRUB, these users should move the `/boot/grub`
+directory to the ESP, then create a symbolic link to the new directory under
+`/boot`:
 
-If a new Gentoo installation is being performed, or an existing installation
-where GRUB is not used is being worked with, then please run the following
-command:
+1. If a new Gentoo installation is being performed, or an existing installation
+   where GRUB is not used is being worked with, then please run the following
+   command:
 
-```console
-# mkdir "${ESP}/grub"
-```
+   ```console
+   # mkdir "${ESP}/grub"
+   ```
 
-If GRUB is already being used as the bootloader, please use this command
-instead to move existing GRUB files to the ESP:
+   If GRUB is already being used as the bootloader, please use this command
+   instead to move existing GRUB files to the ESP:
 
-```console
-# mv /boot/grub "${ESP}"
-```
+   ```console
+   # mv /boot/grub "${ESP}"
+   ```
 
-Then, **in both cases**, run the following command to set up the symbolic link:
+2. Then, **in both cases**, run the following command to set up the symbolic link:
 
-```console
-# ln -s "${ESP}/grub" /boot
-```
+   ```console
+   # ln -s "${ESP}/grub" /boot
+   ```
 
 Now, GRUB's passphrase prompt is deferred until a menu entry that requires the
-LUKS partition to be unlocked is selected, and if an incorrect passphrase is
-entered, GRUB no longer falls back to the rescue mode.  Instead, the user can
-press any key to return to the menu and reselect the same menu entry to reenter
-the passphrase.
+LUKS partition to be unlocked is selected.
 
-![GRUB allows authentication retry]({{< static-path img grub-unlock-failure.png
->}})
+![GRUB asks for passphrase after selecting a menu entry]({{< static-path img
+grub-unlock.png >}})
 
 Moving the contents of the `/boot/grub` directory to the ESP resolves this user
 experience issue by making all critical files GRUB needs for full