
tmtvl 05/04/2025

Setting GRUB up with full-disk encryption and BTRFS snapshots is braindead easy. Maybe it'd be just as easy with Gummiboot or rEFInd, but you know what they say about fixing things that aren't broken.


Replies

63stack 05/04/2025

What's the current state of the art on this? Last time I looked it was really not trivial, because of two things:

1) there is only one bootloader (grub2) that can load kernels from encrypted /boot partitions, but the support for that is limited, you have to use a weaker encryption if I remember correctly, AND decryption speed (after entering the luks password) is super slow, because the CPU extensions that speed that up (AES) are not yet online that early in the boot process

2) you can choose to not encrypt /boot, and have it as a separate partition, but now your btrfs snapshots will not include the kernel, so restoring after kernel upgrades is going to break your system

johnisgood 05/04/2025

It really is easy, it is just mostly a matter of proper initramfs, and a "linux" line in the GRUB configuration file. Arch wiki gets into it in detail.
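The two pain points 63stack lists (GRUB unlocking an encrypted /boot, and a separate /boot falling outside btrfs root snapshots) and the "it's just a proper initramfs and GRUB config" point above can be checked before rebooting. The script below is an added example, not code from the thread or from GRUB/Arch; it reads copies of /etc/default/grub, the `cryptsetup luksDump` output and /etc/fstab as plain text so it runs without root. It assumes GRUB 2.06+ opens LUKS2 only when the keyslot PBKDF is pbkdf2 (GRUB does not implement Argon2) and that older GRUB needs LUKS1.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for a GRUB-unlocked encrypted /boot
# and for a /boot that lives outside the btrfs root snapshots.
# Assumption: GRUB 2.06+ can unlock LUKS2 only with pbkdf2 keyslots (no Argon2);
# older GRUB releases need a LUKS1 header.

# Returns 0 if GRUB_ENABLE_CRYPTODISK=y is set in a copy of /etc/default/grub.
cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Reads a copy of `cryptsetup luksDump <dev>` output. Returns 0 if GRUB can
# unlock the header, 1 if it is LUKS2 with an Argon2 keyslot, 2 if unreadable.
grub_can_unlock() {
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$1" | tr -d '[:space:]')
    case "$version" in
        1) return 0 ;;
        2) grep -Eq '^[[:space:]]*PBKDF:[[:space:]]*argon2' "$1" && return 1
           return 0 ;;
        *) return 2 ;;
    esac
}

# Returns 0 if a copy of /etc/fstab mounts a separate filesystem on /boot,
# i.e. kernel and initramfs will not be captured by a btrfs snapshot of /.
boot_is_separate() {
    awk '$1 !~ /^#/ && $2 == "/boot" { found = 1 } END { exit !found }' "$1"
}

# Runs all checks, prints one line per finding, returns the number of findings.
preflight() {
    problems=0
    cryptodisk_enabled "$1" || { echo "GRUB_ENABLE_CRYPTODISK=y missing in $1"; problems=$((problems + 1)); }
    grub_can_unlock "$2" || { echo "LUKS header in $2 not unlockable by GRUB (needs LUKS1 or LUKS2 with pbkdf2)"; problems=$((problems + 1)); }
    boot_is_separate "$3" && { echo "/boot is a separate mount in $3; kernels will be missing from root snapshots"; problems=$((problems + 1)); }
    return "$problems"
}

# Usage: sh check-boot.sh /etc/default/grub luksdump.txt /etc/fstab
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```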