Full disk encryption requires you to enter a password on boot, and isn’t the smoothest experience. It is the best approach from a security point of view, but I’m a believer in practical compromises. With Linux, for me that means transparent home folder encryption.
First of all, make a copy of your home directory, so that this doesn’t become a fancy way of wiping your computer. Make sure you are not logged in as the user whose directory is being encrypted, otherwise you will get a failure saying that ecryptfs cannot proceed.
# As root, install the packages needed
apt install ecryptfs-utils
# Add the appropriate kernel module
# Then add 'ecryptfs' to this file to make it persistent through reboots
# Encrypt the home folder
ecryptfs-migrate-home -u <username>
# And then log in as that user, BEFORE REBOOTING
# If you were using Dropbox, you'll need to re-login
Once this is done, you should generate a key for recovery, by running ecryptfs-unwrap-passphrase as the encrypted user.
For complete protection, if you can live without hibernate/resume capabilities, you can encrypt your swap space (you’ll still keep suspend/resume) by running ecryptfs-setup-swap. Personally, my laptop has sufficient RAM that I disable swap entirely. You can do this by:
# As root, turn off all swap partitions
# Then edit your fstab and comment out the swap partition
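The fstab step above, as an added example that is not part of the original post: a filter that comments out every active swap entry, plus a check that no swap area is still in use. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print an fstab with every active swap entry commented out.
# Reads fstab text on stdin, writes the edited text on stdout.
# Already-commented lines are left alone, so running it twice is harmless.
comment_out_swap() {
    awk '
        # Leave comments and blank lines untouched.
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        # Field 3 of an fstab entry is the filesystem type.
        $3 == "swap" { print "# " $0; next }
        { print }
    '
}

# Count swap areas still active, given text in /proc/swaps format on stdin
# (one header line, then one line per active swap area).
active_swap_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Constructed sample fstab (UUIDs are made up).
sample_fstab() {
    cat <<'EOF'
# /etc/fstab: static file system information.
UUID=1111-aaaa  /      ext4  errors=remount-ro  0  1
UUID=2222-bbbb  none   swap  sw                 0  0
/swapfile       none   swap  sw                 0  0
#UUID=3333-cccc none   swap  sw                 0  0
EOF
}

# Demo on the constructed sample. On a real system, as root:
#   cp /etc/fstab /etc/fstab.bak
#   comment_out_swap < /etc/fstab.bak > /etc/fstab.new
#   diff /etc/fstab.bak /etc/fstab.new    # review before replacing /etc/fstab
#   active_swap_count < /proc/swaps       # expect 0 once swap is turned off
sample_fstab | comment_out_swap
```

Writing to a separate file and reviewing the diff keeps a bad edit from leaving the machine with an unbootable fstab.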
Now the last step is to repeat all this for the root user.