Didn’t set up LUKS on install, whats the best option option for filesystem encryption?
Setup encryption containers in your home - unlock when needed. Choose something that fits your need.
Systemd-homed is also great for doing this, it can do you dm-crypt on the fly, but only for newly create user see options Home Directories.
If you have enough storage on drive and moving files around “knowing about how to preserve rights and ownership should be ok”.
Disclaimer: I’ve suffered data loss in the past due to a problem with $HOME encryption…
Anyway, I don’t understand the need to encrypt the entire $HOME. I mean, really: is your .[bash,zsh]rc that sensitive?
I have <5 total files in $HOME that I deem as so sensitive that they need to be encrypted. I GPG them. If I need to work on/view them, I decrypt it to /tmp…work on it, re-encrypt back to it’s storage location, and delete the file in /tmp.
Yeah, a few extra steps…but at least I don’t have to worry about whether or not something is going to change in the kernel, or if LP gets a wild hair up his…you know, and changes systemd-homed because…reasons.