As I think that there will never be an acceptable solution in grub, I searched for an alternative and found systemd-boot. I dropped grub and now use systemd-boot, dracut --uefi (UEFI stubs), and secure boot (with kernel lockdown). This works perfectly, and the opening of the encrypted partitions is completely smooth, as expected. Even retyping of wrong passphrases is supported. Just all the basics are working.