Full Disk Encryption

Nowadays a full disk encryption that includes the entire disk (including /boot) is a must, not just the root or home filesystems.
The purpose of full disk encryption is to protect data in case of physical disk access.

Currently the disk encryption option in Ubuntu only encrypts the / root filesystem including /home and leaves /boot un-encrypted, which is fine if the attacker is just trying to copy the data on disk.

But that’s not only the threat, an attacker could modify the kernel or initramfs files on a plain /boot partition with a rootkit or malware then when the user boots his system, the whole system and user’s passwords are compromised and data can be transferred remotely or physically and the attacker has full root access to that system.

Debian 12 already supports the encryption of the entire disk in their installer, only leaves the EFI partition plain of course.
In this case it uses LUKS1 which is supported by older Grub versions.
It works if you select manual partitioning and created a plain EFI partition and an encrypted / root filesystem without creating a separate /boot partition.

Currently Grub 2.12 I think supports LUKS2 which is shipped in Ubuntu 23.10.

Encryption of /boot should be out of the box or by an option in the Ubuntu installer.