Provided that you only hardware encrypt an LBA range that corresponds to the root partition, not the boot partition?