Grub is asking for the password so that it can read its menu and other configuration.
The kernel is asking for the password so that it can access the disks.
At present, there is no secure way for grub to communicate the password to the kernel.
Is it normal?
Yes, this is normal.
You can avoid that by having a separate unencrypted “/boot” partition. But, if using “btrfs”, it is better for “/boot” to be part of the root file system and not a separate partition.
How to make it ask me only once (on boot before GRUB)?
Yes, it is possible to do this. I don’t recommend it.
I do have that set up in a virtual machine (for testing it). But I am not using it on real computers. I prefer to enter the password twice where needed.
If you want to set this up, here’s an outline of how to do it. (I can fill in more details later, if needed)
(1) Put a password into a file in the root file system. It is best to do this with a separate password, and add that as an alternative decryption password (using “cryptsetup luksAddKey”). You can use a random 256 byte key for this. And since the key is in a file, you can add the path to that file to “/etc/crypttab”. Make sure that the file is readable only by root.
(2) Because the password file is in the encrypted file system, the kernel cannot actually read it until it already has the encryption key. So you have to force this password file to be copied into the “initrd”. You would usually set that up with a file in “/etc/dracut.conf.d”. And then run “mkinitrd”.
The disadvantage: you now have an encryption key in a file in the root file system. And you also have it in the “initrd”. The more copies, the more likely that it will leak. However, the file in the root file system is readable only by root, and the “initrd” is readable only by root. So some folk think this is a reasonable approach.
If you later install Xen support on a UEFI machine, the “initrd” will be copied to the EFI partition. And that make it readable by anyone with sufficient access to your machine. So the encryption key has been made more readily accessible, which is risky.