Comment # 4 on bug 1231325 from Andrei Borzenkov

There is still race condition when multiple encrypted devices are present in
intird (most obvious case - root and swap). All of them will independently copy
file(s) from ESP overwriting the previous copy racing with systemd-cryptsetup
which is using them. It may result in systemd-cryptsetup getting incomplete or
otherwise corrupted file. Checking for existence of the copy target reduces
race window but does not eliminate it completely.

Copying should be done in separate unit which has RemainAfterExit=true. It
guarantees that copying will happen just once before all systemd-cryptsetup
services.