Something that wasn't obvious to me: unless working with extremely limited hardware where performance is a concern, there's no reason not to use full disk encryption on a Linux machine in 2023, including for machines you want to be able to boot non-interactively.
You can configure the boot loader to try the empty passphrase, or look for a key file on a plugged-in thumb drive which you can remove to disable boot. You can later re-key the encrypted volume as appropriate, without re-formatting.
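An added example, not part of the original post: a small audit that reports which volumes in a crypttab will unlock without someone typing a passphrase. It assumes a systemd-style `/etc/crypttab` (the `try-empty-password` option and the `path:LABEL=...` key file syntax), which the post does not name; the sample entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# classify_crypttab FILE: print "<name> <mode>" for every volume in a
# systemd-style crypttab (fields: name, device, key file, options).
classify_crypttab() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    NF == 0    { next }                      # skip blank lines
    {
        name = $1
        key  = (NF >= 3) ? $3 : "none"
        opts = (NF >= 4) ? $4 : ""
        # matches "try-empty-password" alone or set to yes/true/1/on
        empty = (("," opts ",") ~ /,try-empty-password(=(yes|true|1|on))?,/)
        if (key != "none" && key != "-") {
            # "path:LABEL=..." means the key file lives on another
            # filesystem, for example a removable drive
            mode = (key ~ /:(UUID|LABEL|PARTUUID|PARTLABEL)=/) ? "keyfile-on-device" : "keyfile-local"
        } else if (empty) {
            mode = "empty-passphrase-then-prompt"
        } else {
            mode = "prompt"
        }
        print name, mode
    }' "$1"
}

# Constructed sample, not taken from any real machine.
sample_crypttab() {
    cat <<'EOF'
# name   device                                      keyfile                    options
root     UUID=11111111-1111-1111-1111-111111111111   none                       luks
data     UUID=22222222-2222-2222-2222-222222222222   none                       luks,try-empty-password
backup   UUID=33333333-3333-3333-3333-333333333333   /luks.key:LABEL=KEYSTICK   luks,nofail
scratch  UUID=44444444-4444-4444-4444-444444444444   /etc/keys/scratch.key      luks
EOF
}

# Example run against the constructed sample.
tmp=$(mktemp) && sample_crypttab > "$tmp" && classify_crypttab "$tmp"; rm -f "$tmp"
```

A `keyfile-local` result deserves a second look: a key file stored on the same machine as the volume unlocks it for anyone who can read that file.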
@dwf I have my formatting still running. I searched the web for more info on how long this may take for a big disk and found this: https://www.cyberciti.biz/security/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/
@nixCraft
As always, a good base for nix crafting info :)