Ubuntu – Installing Ubuntu on a LUKS encrypted USB thumb drive

The EFI System Partition (ESP; what Ubuntu and you refer to as an "EFI boot partition") is not exactly the same as a Linux /boot partition. The ESP holds EFI boot loaders and associated files. The /boot directory (or partition, if it's a separate partition) holds the Linux kernel. I'm not a LUKS expert, but presumably the Linux kernel is kept outside of LUKS because that enables the boot loader to read it without having to understand LUKS encryption. In your configuration, /boot is encrypted, so the boot loader would need to understand encryption in order to work. That could be why it's failed.

In other words, try again, but this time, do create a separate /boot partition in addition to the ESP.

This is impossible since if the boot volume is encrypted the BIOS / UEFI will be unable to execute the boot sector / boot application.

What you can do though is use the Ubuntu Live Installer to install Ubuntu onto another USB stick as the system disk, with LUKS encryption. The drawback will be that you lose the ability to hibernate because Ubiquity currently creates much too small swap partitions, and also randomizes the encryption key at every start, which obliterates the state of the swap partition.

In the second scenario you will have the boot partition unencrypted, so it can still be tampered with, ie a keylogger could be written into it. You can get around that by signing the boot volume and using Secure Boot, but then you have to talk Microsoft into signing your boot volume or giving you a signing key. Good luck with that.

If you really are worried about keyloggers, then carry your own PC, do not use wireless keyboard/mouse, enable secure boot, boot a LiveCD image which doesn't preserve any state whatsoever, use a VPN to connect a VNC/RDP client over SSL to the machine you actually keep your state with, use a strong, memorable password that you never record anywhere (see https://xkcd.com/936/ for an understanding of what this means.)

That will protect you from physical access, it will protect you from remote access, and it will save you from brute-force. It will be inconvenient since you won't always have network access, you will always have to carry the hardware with you, and you will not be able to get good value from the hardware you are carrying since you're only using it as a thin client, disregarding its additional memory / processing / storage capabilities.

Even all of this won't protect you from a CCTV camera locked on your keyboard while you type, so you will also need to be aware of your surroundings.

It may also run you up a significant mobile data bill.

So unless you really are a very exceptionally fat, juicy target that's likely to be targeted by people who are prepared to invest the resources to hack you, I think you're better off just avoiding using public internet terminals, carrying your own inexpensive device, securing it with LUKS, using a VPN or at least TORBrowser to guarantee your browsing isn't being spied on. Then your biggest worry should be whether you leave your device somewhere and it gets stolen, but no worry over whether they have access to your data.