diff --git a/src/modules/grubcfg/main.py b/src/modules/grubcfg/main.py
index 22ef18130..9e9615a0c 100644
--- a/src/modules/grubcfg/main.py
+++ b/src/modules/grubcfg/main.py
@@ -90,6 +90,7 @@ def modify_grub_default(partitions, root_mount_point, distributor):
 swap_outer_uuid = ""
 swap_outer_mappername = None
 no_save_default = False
+ unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions)
 for partition in partitions:
 if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"):
@@ -239,7 +240,7 @@ def modify_grub_default(partitions, root_mount_point, distributor):
 if not have_distributor_line:
 lines.append(distributor_line)
- if cryptdevice_params:
+ if cryptdevice_params and not unencrypted_separate_boot:
 lines.append("GRUB_ENABLE_CRYPTODISK=y")
 with open(default_grub, 'w') as grub_file:
diff --git a/src/modules/initcpiocfg/main.py b/src/modules/initcpiocfg/main.py
index 6e3de6931..0ccffbf56 100644
--- a/src/modules/initcpiocfg/main.py
+++ b/src/modules/initcpiocfg/main.py
@@ -146,8 +146,7 @@ def modify_mkinitcpio_conf(partitions, root_mount_point):
 if partition["mountPoint"] == "/" and "luksMapperName" in partition:
 encrypt_hook = True
- if (partition["mountPoint"] == "/boot"
- and "luksMapperName" not in partition):
+ if (partition["mountPoint"] == "/boot" and "luksMapperName" not in partition):
 unencrypted_separate_boot = True
 if partition["mountPoint"] == "/usr":
diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
index 9bd2f66da..3869fb3cd 100644
--- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
+++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
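Review bot: The `unencrypted_separate_boot` predicate introduced on the added line is the security decision the whole commit turns on, yet the commit spells it out four times — here, in openrcdmcryptcfg, as a loop flag in initcpiocfg, and in C++ in LuksBootKeyFileJob — with one subtle difference: `any(...)` considers every `/boot` entry while the C++ helper decides on the first one it meets, so the copies can disagree if the `partitions` list ever carries more than one /boot entry. Computing it once (a helper shared by the Python modules, or a flag stored alongside `partitions` by whichever module populates that list) would keep the consumers in lockstep; failing that, add `# Keep in sync with initcpiocfg, openrcdmcryptcfg and LuksBootKeyFileJob: a /boot partition without a luksMapperName means /boot is plaintext.` above the line. The `for partition in partitions:` loop that starts right below already visits every partition and could set the flag the way initcpiocfg does. modify_grub_default continues outside the hunk.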
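Review bot: Guarding only the appended `GRUB_ENABLE_CRYPTODISK=y` does not cover a target whose existing /etc/default/grub already ships that line: the loop that rewrites the existing file's lines runs earlier in modify_grub_default, outside this hunk, and if it keys a pre-existing `GRUB_ENABLE_CRYPTODISK` entry on `cryptdevice_params` alone — which cannot be confirmed from here — the setting stays on for an unencrypted-/boot install, the opposite of what this hunk intends. Give that branch the same `and not unencrypted_separate_boot` guard (or drop the line when the flag is set) so both paths agree. A short why-comment on the new condition would help the next reader: `# /boot is plaintext: GRUB reads kernel and initramfs directly, cryptodisk support is not needed to boot.` `cryptdevice_params` itself presumably still reaches the kernel command line, which is correct — the root stays LUKS and the initramfs unlocks it.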
@@ -129,6 +129,31 @@ setupLuks( const LuksDevice& d )
 return true;
 }
+// static
+QVariantList
+partitions()
+{
+ Calamares::GlobalStorage* globalStorage = Calamares::JobQueue::instance()->globalStorage();
+ return globalStorage->value( QStringLiteral( "partitions" ) ).toList();
+}
+
+// static
+bool
+hasUnencryptedSeparateBoot()
+{
+ const QVariantList partitions = ::partitions();
+ for ( const QVariant& partition : partitions )
+ {
+ QVariantMap partitionMap = partition.toMap();
+ QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString();
+ if ( mountPoint == QStringLiteral( "/boot" ) )
+ {
+ return !partitionMap.contains( QStringLiteral( "luksMapperName" ) );
+ }
+ }
+ return false;
+}
+
 Calamares::JobResult
 LuksBootKeyFileJob::exec()
 {
@@ -174,6 +199,13 @@ LuksBootKeyFileJob::exec()
 return Calamares::JobResult::ok();
 }
+ // /boot partition is not encrypted, keyfile must not be used
+ if ( hasUnencryptedSeparateBoot() )
+ {
+ cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
+ return Calamares::JobResult::ok();
+ }
+
 if ( s.devices.first().passphrase.isEmpty() )
 {
 cDebug() << Logger::SubEntry << "No root passphrase.";
diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py
index 8eb169867..06f21da4b 100644
--- a/src/modules/openrcdmcryptcfg/main.py
+++ b/src/modules/openrcdmcryptcfg/main.py
@@ -21,6 +21,7 @@ _ = gettext.translation("calamares-python", fallback=True).gettext
+
 def pretty_name():
 return _("Configuring OpenRC dmcrypt service.")
@@ -28,6 +29,7 @@ def pretty_name():
 def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
 crypto_target = ""
 crypto_source = ""
+ unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions)
 for partition in partitions:
 has_luks = "luksMapperName" in partition
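Review bot: `partitions()` and `hasUnencryptedSeparateBoot()` are annotated `// static` but are defined without the keyword, so both have external linkage and a generic symbol named `partitions` leaves this translation unit, where it can collide at link time with a like-named function in another module; the comment promises what the code does not deliver. Make them `static QVariantList partitions()` and `static bool hasUnencryptedSeparateBoot()` (or wrap both in an anonymous namespace) and drop the `// static` comments, which the keyword makes redundant. The second helper also deserves a one-line contract comment, since it differs from the Python copies in this commit: `// Decides on the first "/boot" entry in GlobalStorage "partitions"; the Python modules use any() over all entries.` A missing `mountPoint` value yields an empty QString that simply fails the comparison, which is fine.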
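Review bot: The added comment and log line record the decision but not the threat it addresses, and this early return is the security-relevant part of the commit. Reword the comment to `// With a plaintext /boot the keyfile would be packed into an initramfs that anyone holding the disk can read, handing out the LUKS key; skip it and fall back to the passphrase.` and make the cDebug message say the same, so a support log explains why /crypto_keyfile.bin is absent. Whether later steps of LuksBootKeyFileJob::exec() — its remaining lines lie outside the hunk — or other modules that embed the keyfile into the initramfs still reference it cannot be verified here; each such consumer should key off the same predicate, as the initcpiocfg and openrcdmcryptcfg hunks appear to do.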
@@ -36,7 +38,6 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
 if not has_luks and not skip_partitions:
 libcalamares.utils.debug(
 "Skip writing OpenRC LUKS configuration for partition {!s}".format(partition["mountPoint"]))
-
 if has_luks and not skip_partitions:
 crypto_target = partition["luksMapperName"]
 crypto_source = "/dev/disk/by-uuid/{!s}".format(partition["uuid"])
@@ -46,7 +47,9 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
 with open(os.path.join(root_mount_point, dmcrypt_conf_path), 'a+') as dmcrypt_file:
 dmcrypt_file.write("\ntarget=" + crypto_target)
 dmcrypt_file.write("\nsource=" + crypto_source)
- dmcrypt_file.write("\nkey=/crypto_keyfile.bin")
+ # Don't use keyfile if boot is unencrypted, keys must not be stored on unencrypted partitions
+ if not unencrypted_separate_boot:
+ dmcrypt_file.write("\nkey=/crypto_keyfile.bin")
 dmcrypt_file.write("\n")
 if has_luks and skip_partitions:
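Review bot: The comment on the added line gives a reason that does not match the mechanism: `key=/crypto_keyfile.bin` points into the initramfs, and the hazard with a plaintext /boot is that this initramfs — keyfile included — is readable by anyone holding the disk, which voids the LUKS passphrase. Reword it to `# No key= entry when /boot is unencrypted: the keyfile would ship inside the initramfs on a plaintext partition; dmcrypt should then prompt for the passphrase instead.` so the visible behaviour change (a prompt at boot) is recorded too. `target=` and `source=` are still written on the lines above, which is right — the mapping must still exist, only the key source changes. `unencrypted_separate_boot` comes from the top of write_dmcrypt_conf in an earlier hunk, and the function continues past the end of this one.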