Basic Guide To Encrypting Linux Partitions With LUKS

Discussion in 'all things UNIX' started by lotuseclat79, Oct 23, 2016.

  1. lotuseclat79, Registered Member (joined Jun 16, 2005; posts: 5,390)

    Basic Guide To Encrypting Linux Partitions With LUKS

    -- Tom
     
  2. Palancar, Registered Member (joined Oct 26, 2011; posts: 2,402)

    This is a good starting point for learning this stuff. I use this "on steroids" and you can really get some secure containers if you do. For the highest level security needs you can do this headerless on the media where your data is being stored.
     
  3. mirimir, Registered Member (joined Oct 1, 2011; posts: 9,252)

    FDE is essential, for sure. But it's the final backstop in good OpSec. What's key is to never need it, because adversaries don't know who you are, and/or where to look.
     
  4. Amanda, Registered Member (joined Aug 8, 2013; posts: 2,115; location: Brasil)

    Very easy to understand, thanks.

    Been using FDE for several years.
     
  5. Palancar, Registered Member (joined Oct 26, 2011; posts: 2,402)

    I preach this all the time. I always have that "concerned thought" that somehow I'll get a knock on the door by THEM - looking for someone else. i.e. - I'll end up in the equation by complete accident. e.g. - traffic accident where someone hits me and my encrypted laptop gets taken, followed by questions galore. All archives I move are device encrypted with a decoy as an OUT for the above. No such option for a Linux system disk though.
     
  6. Anonfame1, Registered Member (joined May 25, 2016; posts: 224)

    Surprisingly, unlike a number of you, I've only been using FDE for about 6-8 months. I have switched both my computer (which also utilizes hardware encryption) as well as all my external backup media to LUKS, and it's been painless ever since (though 3-wipe shred runs were painful, and on my external USB 2.0 2TB 5300RPM drive it took 4 days :O ). I was mostly focused on function and performance, and only recently (within the last year or so) realized the importance of security. I have to say that LUKS is pretty great, though I do wish it had some means of accomplishing plausible deniability (like VeraCrypt hidden containers). Nonetheless, I don't see myself in a court battle where I would need to hide data in such a way, so my primary focus is preventing hotel maids (yeah right) or thieves from getting my data :)

    LUKS is pretty awesome here. Being able to revoke keys and add keys at will is nice, and having keyfiles makes things very convenient.

    I encourage everyone who reads this to use FDE, especially when they set up an install. Most of my trouble came from moving my install to an external, using my SSD software to secure erase my SSD, repartitioning, rsyncing everything over, then shredding each external disk before partitioning and luks'ing the drive, then doing the same on another external drive, then editing /etc/crypttab, /etc/fstab, etc. to match the LUKS partition and so on. So much trouble can be saved by just doing FDE right out of the gate. If you use AES encryption, most modern processors with AES-NI instructions can see nearly no performance concessions - you won't even be able to tell the difference.
     