Building encrypted images and then later using cryptsetup-reencrypt (to get a secret master key) is not set possible and may or may not be simple to implement in grml-debootstrap.
Also shipping already encrypted images would probably increase the size of the images since then compression would be hard.
There is probably no compression tool that understands the encryption master key and uses that for the benefit of the compression.
cryptsetup-reencrypt as far as I understand (I hope I am wrong?) can only be used for already encrypted luks images.
luksipc apparently seems capable of in-place encryption of non-luks disks.
At first boot after T907 the user could be prompted an offer to encrypt the disk in place.
- test lukspic to encrypt a previously unencrypted installed Debian and convert it into a full disk encrypted system
- research if there are better alternatives