For the paranoid amongst us, on Saturday I decided to do a little test.
I used the Debian "bootable business card" image, 43MB, very light on the bandwidth for initial downloading. But it requires a network connection to pull down all the initial packages, which really means it needs a full CD's worth of network time anyway. CD#1 or DVD#1 don't need a network connection at all for the install.
During disk preparation, I selected "use entire disk, set up encrypted Logical Volume Manager". I'd heard that full disk encryption like that was easy, but this is the first time I tried it.
It didn't even bat an eye. It asked me for a passphrase, asked me to confirm that I wanted to use a weak one (since this was just a test), and then Just Worked.
The real test was compiling and installing the latest kernel from Kernel.org. As I mentioned above, I do this for fun once in a while. And, I wanted to see if there would be trouble with the new kernel decoding a previously encrypted disk.
No trouble at all.
Caveat: the /boot area, with the Linux kernel and support files, is NOT encrypted. So while encryption will save your files from casual thieves, the FBI could still stick a hacked kernel in place on your disk while you're not looking and get your passphrase when you unknowingly use it.
But as has been said, many times many ways, locks keep out honest people. The truly paranoid use bootable USB memory sticks that they keep on chains around their necks like ICBM launch keys.