I am in the same boat as you; it has been a nightmare these past couple of days to figure this out - it's ridiculous how challenging it is to do a full install to USB with encryption and UEFI support - something that Linux Mint does automatically within a few minutes. I'm even more surprised that it took so long to find the solution - I imagine most people end up just giving up on this.
The steps to do this are as follows:
1. Unplug all hard drives from the computer so you don't mess up an existing OS, and plug in both USB sticks you will be using (one with the live install and the other formatted as GPT).
2. Install Kali as you would normally do - for UEFI you will need two unencrypted partitions: the EFI partition (that has the boot flag) and a separate boot partition (I use ext2, mounted on /boot). In the remaining space create a volume for encryption and configure the logical volumes as you see fit (I use a small swap and a root logical volume); continue the installation until the end.
EDIT: At this point I find that if I do not remove the USB after install, while the boot configuration is still stored in NVRAM, I can easily boot directly into the newly installed system - in that case there is no need to mount anything, just log in, edit '/etc/default/grub' as in step 7 and run:
Code:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=<whatever name> --boot-directory=/boot --removable --recheck --debug
update-grub
After that reboot into the system - you will be asked the encryption password twice - to prevent that just comment out or delete the "GRUB_ENABLE_CRYPTODISK=y" in '/etc/default/grub' and run 'update-grub' again.
# If you need to install GRUB after it has been removed from NVRAM (when it's not recognized as a UEFI disk), carry on below
3. Boot again from the live OS to rebuild the EFI bootloader
4. In the live session, open the encrypted root partition on the USB so you can mount it (use Disks or "cryptsetup open" in a shell)
5. Find out which one is your root volume with lvscan command and confirm that it is active;
6. Mount the necessary partitions - For the sake of this tutorial I'll assume your USB is partitioned with sdX1 (the EFI system partition), sdX2 (the /boot partition) and sdX3 (the LUKS encrypted Volume) and that "vgkali" is your encrypted volume group and "lvroot" is your root logical volume name:
7. Edit your "/etc/default/grub" and add the entry "GRUB_ENABLE_CRYPTODISK=y";
8. Open Terminal and run:
Code:
# Mount the decrypted root volume and the pseudo-filesystems the chroot needs
mount /dev/mapper/vgkali-lvroot /mnt
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars
# Mount /boot and the EFI system partition inside the target tree
mount /dev/sdX2 /mnt/boot
mount /dev/sdX1 /mnt/boot/efi
mount -o remount,rw /dev/sdX1 /mnt/boot/efi
# Expose the host's /run so the chroot can reach /run/lvm
mkdir -p /mnt/hostrun
mount --bind /run /mnt/hostrun
chroot /mnt
# From here on the commands run inside the chroot
mkdir -p /run/lvm
mount --bind /hostrun/lvm /run/lvm
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=<whatever name> --boot-directory=/boot --removable --recheck --debug
update-grub
(At this stage it seems like it hangs - it took about 10 minutes for it to answer "generating configuration file" and probably another 10 minutes until it started outputting udev errors; at this point I interrupt with Ctrl+C and continue with unmounting)
Code:
exit
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys/firmware/efi/efivars
umount /mnt/sys
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt/hostrun
umount /mnt/run/lvm
umount /mnt
Turn off the computer, remove the USB and insert it into another UEFI computer; it should be recognized as a UEFI device and you will be able to boot it. It is also recognized as UEFI on a MacBook.
Edit: to avoid inputting the encryption password twice, edit /etc/default/grub, comment out or delete the "GRUB_ENABLE_CRYPTODISK=y" option and run update-grub again.
Note: when running update-grub, it will pick up any other UEFI OS it can find and list the entries in the grub menu - to avoid this, run update-grub without any other drive attached.
The "--removable" argument in the "grub-install" command above is the key to force the EFI installation to the USB EFI partition and make it recognized as UEFI and bootable from other computers.
I can't believe this is not done by the default installer when it recognizes a USB device, and that it took me the best part of two days to finally figure it out.
Hopefully it will help you save some time.
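
The following check is an added example, not part of the original post: with "--removable", grub-install writes the loader to the firmware fallback path EFI/BOOT/BOOTX64.EFI on the EFI partition, so before unmounting you can confirm that file exists and see whether GRUB_ENABLE_CRYPTODISK is still active. The function names and the script name check-usb.sh are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Mount points are the caller's.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the removable-media loader (EFI/BOOT/BOOTX64.EFI) under an ESP mount.
# FAT names are case-insensitive, so each component is compared in lower case.
find_fallback_loader() {
    for d1 in "$1"/*; do
        [ "$(lower "${d1##*/}")" = efi ] || continue
        for d2 in "$d1"/*; do
            [ "$(lower "${d2##*/}")" = boot ] || continue
            for f in "$d2"/*; do
                if [ -f "$f" ] && [ "$(lower "${f##*/}")" = bootx64.efi ]; then
                    printf '%s\n' "$f"; return 0
                fi
            done
        done
    done
    return 1
}

# Report whether the last uncommented GRUB_ENABLE_CRYPTODISK line is set to y.
cryptodisk_state() {
    last=$(grep -E '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=' "$1" 2>/dev/null | tail -n 1)
    case ${last#*=} in
        y|'"y"'|"'y'") echo enabled ;;
        *) echo disabled ;;
    esac
}

# check_usb ESP_MOUNT GRUB_DEFAULTS_FILE; non-zero exit if the loader is missing.
check_usb() {
    echo "cryptodisk: $(cryptodisk_state "$2")"
    if loader=$(find_fallback_loader "$1"); then
        echo "fallback loader: $loader"
    else
        echo "fallback loader: MISSING under $1/EFI/BOOT" >&2; return 1
    fi
}

# Constructed sample (not real data): a fake ESP tree and defaults file.
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/esp/EFI/BOOT" && : > "$tmp/esp/EFI/BOOT/BOOTX64.EFI"
    printf '#GRUB_ENABLE_CRYPTODISK=y\n' > "$tmp/grub"
    check_usb "$tmp/esp" "$tmp/grub"; rc=$?; rm -rf "$tmp"; return $rc
}

# Usage: sh check-usb.sh /mnt/boot/efi /mnt/etc/default/grub
if [ "$#" -eq 2 ]; then check_usb "$1" "$2"; else demo; fi
```

Run it from the live session with the mount points from step 8 while the partitions are still mounted; without arguments it only exercises the constructed sample tree.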