you should set up harddisk encryption during setup.

adding an encrypted /home partition afterwards might be possible but is a lot more effort.

scroll all the way down if you want to know how to encrypt a usb stick …

needless to say that Hello123! is NOT a sufficient passphrase…

echo -n Hello123! | md5sum
d953cb41bdcd32a035504f2e5237ab82 -

CrackStation can crack easy-to-guess md5-hashed passwords… so don’t use easily guessable passwords that can be discovered by a brute-force attack!

the harddisk layout now looks like this…

even the swap space is encrypted!

root@debian10:~# lsblk -fs
NAME                FSTYPE      LABEL UUID                                   MOUNTPOINT
sda1                ext2              6d3ee60f-3e72-4e3c-ae63-ebdd2c88cb98   /boot
debian10--vg-root   ext4              8e27a91c-fdc1-452b-8265-d83d83e1d085   /
└─sda5_crypt        LVM2_member       NrtUPx-d9Gf-CZig-bJls-ngje-NUjp-dz2sXU
  └─sda5            crypto_LUKS       7a3e0233-812d-445b-979d-1bcd52a27c39
debian10--vg-swap_1 swap              b8d23e5f-dffc-4c44-bb8f-a907dcc3f0bf   [SWAP]
└─sda5_crypt        LVM2_member       NrtUPx-d9Gf-CZig-bJls-ngje-NUjp-dz2sXU
  └─sda5            crypto_LUKS       7a3e0233-812d-445b-979d-1bcd52a27c39
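
to check a layout like this without reading the tree by eye, here is an added example (not from the original post) that parses `lsblk -fs` text output and reports per mountpoint whether a crypto_LUKS device sits underneath. the function names are assumptions of this example, the sample input is the output shown above, and mountpoints containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): report which mounted
# filesystems in `lsblk -fs` output have a crypto_LUKS device underneath.

# Sample input: the lsblk -fs output shown above, embedded for offline use.
sample_lsblk() {
cat <<'EOF'
NAME                FSTYPE      LABEL UUID                                   MOUNTPOINT
sda1                ext2              6d3ee60f-3e72-4e3c-ae63-ebdd2c88cb98   /boot
debian10--vg-root   ext4              8e27a91c-fdc1-452b-8265-d83d83e1d085   /
└─sda5_crypt        LVM2_member       NrtUPx-d9Gf-CZig-bJls-ngje-NUjp-dz2sXU
  └─sda5            crypto_LUKS       7a3e0233-812d-445b-979d-1bcd52a27c39
debian10--vg-swap_1 swap              b8d23e5f-dffc-4c44-bb8f-a907dcc3f0bf   [SWAP]
└─sda5_crypt        LVM2_member       NrtUPx-d9Gf-CZig-bJls-ngje-NUjp-dz2sXU
  └─sda5            crypto_LUKS       7a3e0233-812d-445b-979d-1bcd52a27c39
EOF
}

# Reads `lsblk -fs` text on stdin, prints "ENCRYPTED <mnt>" or "PLAIN <mnt>".
audit_lsblk() {
    awk '
        function flush(   state) {
            if (mnt == "") return
            state = luks ? "ENCRYPTED" : "PLAIN"
            print state, mnt
        }
        $1 == "NAME" { next }            # header row
        /^[A-Za-z0-9]/ {                 # unindented row: a filesystem or leaf device
            flush()
            luks = ($2 == "crypto_LUKS")
            c = substr($NF, 1, 1)        # last column counts only if it is a mountpoint
            mnt = (c == "/" || c == "[") ? $NF : ""
            next
        }
        /crypto_LUKS/ { luks = 1 }       # indented rows: the devices it sits on
        END { flush() }
    '
}

sample_lsblk | audit_lsblk
```

/boot showing up as PLAIN is expected for this layout; any other PLAIN line is worth a closer look.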

usb stick encryption

fdisk /dev/sdb; # create a new partition for testing or attach your usb stick

apt-get install cryptsetup; # install THE STUFF

modprobe dm_mod; # device mapper module needs to be active for this to work

cryptsetup luksFormat /dev/sdb10; # will ask you for password

This will overwrite data on /dev/sdb10 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:

cryptsetup luksOpen /dev/sdb10 safe; # will create /dev/mapper/safe

mkfs.ext3 /dev/mapper/safe
mkdir /mnt/safe
mount /dev/mapper/safe /mnt/safe
echo "top secret" > /mnt/safe/secret.txt
umount /mnt/safe/; # your usb stick is now encrypted beyond recognition :-D