diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index d159c0e..35f8fb0 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -59,6 +59,14 @@
 when: configuration_luks_auto_method == 'keyfile'
 ansible.builtin.include_tasks: encryption/keyfile.yml
+ - name: Record final LUKS auto-decrypt method
+ ansible.builtin.set_fact:
+ configuration_luks_final_method: "{{ configuration_luks_auto_method }}"
+
+ - name: Report LUKS auto-decrypt configuration
+ ansible.builtin.debug:
+ msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"
+
 - name: Build LUKS parameters
 vars:
 luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"
diff --git a/roles/configuration/tasks/encryption/keyfile.yml b/roles/configuration/tasks/encryption/keyfile.yml
index 11719b6..0117c52 100644
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -104,6 +104,13 @@
 failed_when: false
 no_log: true
+ - name: Warn about keyfile enrollment failure
+ when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
+ ansible.builtin.debug:
+ msg: >-
+ LUKS keyfile enrollment failed — falling back to manual unlock at boot.
+ The system will prompt for the LUKS passphrase during startup.
+
 - name: Fallback to manual LUKS unlock if keyfile enrollment failed
 when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
 ansible.builtin.set_fact:
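Review bot: The new `configuration_luks_final_method` fact is a plain copy of `configuration_luks_auto_method`, while the unchanged `Build LUKS parameters` task below still derives `luks_keyfile_in_use` from `configuration_luks_auto_method`; the "final" fact is therefore only informational and is correct only if the fallback path in `encryption/keyfile.yml` rewrites `configuration_luks_auto_method` itself rather than some other variable, which this hunk does not show. A one-line comment above the set_fact would make that dependency explicit, e.g. `# Copied after keyfile.yml has run so any fallback to manual unlock is reflected here`. If the fallback sets a different fact, the report task will print "keyfile" for a host that actually boots with a passphrase prompt. The enclosing task list starts before and ends after this hunk.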
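Review bot: The `when:` condition `(configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0` is now duplicated verbatim on the new warning task and on the existing fallback set_fact task; wrapping both in a `block:` with a single `when:` keeps the two from drifting if the test expression changes. The warning message also gives the operator nothing to diagnose the failure with, and since the unlock test that appears to register this variable runs with `no_log: true`, appending the exit code alone, `(rc={{ configuration_luks_keyfile_unlock_test_after.rc | default('n/a') }})`, adds a safe, non-secret detail; stdout/stderr of that task should stay out of the message. The enclosing task list starts before and ends after this hunk.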