Our approach is different to the default encryption built into distributions such as Ubuntu and Fedora because we don't leave the /boot partition unencrypted on the hard disk. We move it to a bootable USB key along with a far more secure key to unlock the hard disk.