I would like to know if there is a way to encrypt a linux system which does not require a small unencrypted /boot partition.
In addition, I would like to know if encryption can be implemented on an existing unencrypted system in such a manner that it will encrypt "on the fly" whilst a user is using the system, thus requiring no re-install of the OS.
Right now the solution I use for Linux is LUKS. I typically re-install the OS (backing up and restoring any data that needs to be kept), create a small /boot partition to boot from, and all other partitions are encrypted, including swap. I use either kickstart for Red Hat or preseeding for Debian-based systems. The install, either encrypted or not, is fully automated.
I understand for all practical purposes this encryption method is safe and there is no way (unless the password is actually saved there or something similarly stupid) to find information on how to decrypt the partitions using the small unencrypted /boot partition, as opposed to having an unencrypted swap partition which could potentially reveal data to help decrypt a partition. The reason I am looking into a solution like this is more practical.
I assume something like this would need to be started from the disk's boot block (MBR or otherwise), or possibly chainloaded. It probably requires some functionality added to the bootloader, GRUB for example, to prompt for a password and use it to open the partitions so those can be read.
I did some research trying to find solutions, but I have not yet found one that works, or even if it may work, it's not practical at all (especially with a 100+ user base).
Eventually, you will need to start the system from a cleartext stub. If this stub is not in clear on the disk, the next option would be in the firmware; maybe one day all UEFI motherboards will support full-disk encryption.
That said, what matters with the small cleartext boot partition is not to have confidentiality (because it normally only contains publicly known boot data), but to have integrity. You don't want an attacker to grab your machine while you are sleeping and replace the mounting code with a malicious one that will grab your password when you enter it and store it in some hidden disk area.
This is the problem Secure Boot is fixing, and you can (in theory) use it on Linux, as long as the boot firmware allows you to use custom keys. A hardware component (the TPM) will ensure (using crypto) that the system will complain when booting if the cleartext partition has been altered.
There is a basic, incomplete, and obsolete procedure for Gentoo, that gives a rough idea of what can be done.
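The answer's point is that the cleartext /boot needs integrity rather than confidentiality. The script below is an added illustration of that point, not code from the question, the answer, or any project they mention: it records a SHA-256 manifest of everything under a boot directory and later regenerates it and compares, so a modified, added or removed file (a swapped initramfs, an extra GRUB module, an edited grub.cfg) is reported. It assumes GNU coreutils (`sha256sum`, `mktemp`, `cmp`) and that the manifest and the script itself live somewhere the attacker cannot rewrite (the encrypted root, for instance); without Secure Boot or TPM measurement an attacker with offline disk access can alter the check as easily as the boot files, which is exactly why the answer points at those mechanisms. The `demo` function builds a constructed stand-in for /boot in a temporary directory so the whole thing runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): a poor-man's integrity check
# for the cleartext /boot partition. It detects modified, added and removed
# files by regenerating a sorted SHA-256 manifest and comparing it with a
# stored copy. ASSUMPTION: the stored manifest and this script are kept on
# the encrypted root (or elsewhere the attacker cannot write); this is a
# detection aid, not a replacement for Secure Boot / TPM measurement.
set -u

# make_manifest BOOT_DIR MANIFEST_OUT
# Hash every regular file under BOOT_DIR, paths relative to BOOT_DIR,
# sorted with a fixed locale so the manifest is byte-for-byte reproducible.
# (File names containing newlines are not handled; /boot never has them.)
make_manifest() {
    mm_dir=$1
    mm_out=$2
    ( cd "$mm_dir" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$mm_out"
}

# verify_manifest BOOT_DIR STORED_MANIFEST
# Returns 0 if BOOT_DIR matches the stored manifest exactly, 1 otherwise.
# A plain sha256sum -c would miss files an attacker ADDED, so the whole
# manifest is regenerated and compared instead. The stored manifest must
# live outside BOOT_DIR, or it would show up in its own listing.
verify_manifest() {
    vm_dir=$1
    vm_stored=$2
    vm_now=$(mktemp)
    make_manifest "$vm_dir" "$vm_now"
    if cmp -s "$vm_stored" "$vm_now"; then
        rm -f "$vm_now"
        return 0
    fi
    echo "INTEGRITY FAILURE: $vm_dir differs from manifest $vm_stored" >&2
    # Show which entries changed; diff's exit status is irrelevant here.
    diff "$vm_stored" "$vm_now" >&2 || true
    rm -f "$vm_now"
    return 1
}

# demo: constructed stand-in for /boot (fake kernel, initramfs, grub.cfg),
# a manifest taken from the clean state, then a simulated offline tamper.
# Returns 0 if the clean tree verifies and the tampered tree is rejected.
demo() {
    work=$(mktemp -d)
    boot="$work/boot"
    mkdir -p "$boot/grub"
    printf 'fake kernel image\n'        > "$boot/vmlinuz-linux"
    printf 'fake initramfs\n'           > "$boot/initramfs-linux.img"
    printf 'cryptomount -u UUID\nset root=(crypto0)\n' > "$boot/grub/grub.cfg"

    make_manifest "$boot" "$work/boot.manifest"   # stored OUTSIDE $boot
    verify_manifest "$boot" "$work/boot.manifest" || { rm -rf "$work"; return 1; }

    # Simulated evil-maid edit: one extra line in grub.cfg (constructed).
    printf 'insmod attacker_module\n' >> "$boot/grub/grub.cfg"
    if verify_manifest "$boot" "$work/boot.manifest" 2>/dev/null; then
        rm -rf "$work"; return 1          # tamper went unnoticed: bad
    fi
    rm -rf "$work"
    return 0
}

demo && echo "demo: clean tree verified, tampered tree rejected"
```

In practice the manifest would be regenerated after every kernel or bootloader update (from the encrypted root, right after `update-grub` or the equivalent) and checked on each boot before the LUKS passphrase is typed; the attacker the answer describes defeats this only by also rewriting the checker, which is the gap Secure Boot and TPM measurement close.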