Per the guide (it’s kind of hidden with a drop down) (LUKS Encrypt Your Root File System on Raspberry Pi):
To convert your root file system to LUKS/dm-crypt, you will need to connect an external USB disk (as temporary storage). As mentioned previously, this is necessary because it is not possible to encrypt the partition in place, so the external disk is needed as temporary storage and a temporary root file system while the conversion takes place. The external disk needs to be at least twice as big as the root partition. Next, run the following script:
curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash
This script is parameterized, so if you have special requirements (e.g. root file system lives on /dev/mmcblk0p4), you can invoke it in the following fashion:
curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash -s – -x <path to external storage device (e.g. /dev/sdX> -m
In the above invocation with no parameters, the defaults are:
Original root file system located on /dev/mmcblk0p2
Temporary root file system/storage for original root tarball located on /dev/sda
Temporary root file system takes up entirety of new device
The very first run of this script on a new temporary external USB disk could take a long time. Also, two reboots are required before the script is complete.
One thing to note is that, if the external storage device has an ext4 formatted partition with the original root file system partition (e.g. /dev/mmcblk0p2) on it, this script will use what is already on the external storage device to convert the SD card. This cuts down time for converting lots of Pi root file systems and allows the script to be used in a mass production deployment.
On a Pi3 with an attached USB SSD as the external device on a bare Jessie “full” version (~4GB), the first run of this script requires about an hour to complete the first phase. The second phase takes around 15 minutes.
The same platform with a Jessie “lite” version (~1.6GB) takes around 20 minutes for phase 1 and 5 minutes for phase 2.
Based on the above, using the formatted external device to convert subsequent units should only take 15/5 minutes.