Disk encryption after the fact


Hi everyone!

I use my laptop with Debian 12. Unfortunately it only occurred to me late that I should encrypt the data on it. (There is quite sensitive data on it too.) If it gets stolen, nobody should be able to get at it.

Since I've already made myself quite at home on the machine, it would be good to avoid a full reinstall. Is there a way to encrypt it after the fact?

Also, unfortunately, I didn't put /home on a separate partition at install time... :(

Any ideas?

Thanks in advance for the reply!

Comments

Yes, there is a way. The LUKS cryptsetup utility contains the reencrypt command that you can also use to encrypt your existing unencrypted root partition, i.e. without destroying the existing filesystem.

That said, before performing such a conversion you should still back up your data. Of course, one should always perform backups on a regular schedule, because of possible hardware failure etc. Thus, this is kind of redundant advice.

Switching an existing root filesystem from unencrypted to encrypted requires quite a few steps:

1. backup
2. make sure that the cryptsetup package is installed
3. make sure that your root filesystem has some free space (at least 100 MiB to be on the safe side)
4. identify the partition your root partition is located on (e.g. with df /), look up the UUID of the filesystem with blkid and store it somewhere
5. boot into a rescue system where you can unmount your root filesystem (e.g. boot from a USB stick which contains, say, Grml)
6. locate your root partition (e.g. with blkid, and look for the UUID)
7. if it's ext4, execute a filesystem check: e2fsck -f /dev/sdXY
8. shrink the filesystem to make some room for the LUKS header, e.g. if it's an ext4 filesystem: resize2fs /dev/sdXY $smallersizeinGiB_G (you need to shrink it by at least 32 MiB)
9. encrypt it: cryptsetup reencrypt --encrypt /dev/sdXY --reduce-device-size 32M
10. open it: cryptsetup open /dev/sdXY root
11. enlarge the filesystem to the maximum: resize2fs /dev/mapper/root
12. mount it to, say, /mnt/root
13. mount the boot filesystem on /mnt/root and bind-mount the pseudo filesystems /dev, /sys, /proc under /mnt/root
14. chroot into your system: chroot /mnt/root /bin/bash
15. update the kernel parameters in /etc/default/grub or some equivalent location, e.g. when your distro uses dracut (which is likely) you need to add rd.luks.uuid=$UUID_OF_LUKS_DEVICE (cf. blkid; note that this UUID is different from the root filesystem one); if you have SELinux installed you should add enforcing=0 (and later remove it) because of all the edits
16. if your distribution has SELinux enabled, configure a relabeling: touch /mnt/root/.autorelabel
17. regenerate the grub config: grub2-mkconfig -o /boot/.../grub...cfg
18. regenerate the initramfs (to make sure that cryptsetup support is included): dracut -f /boot/initramfs....img kernelversion
19. exit the chroot
20. unmount everything
21. cryptsetup close root
22. reboot

As you see these are many steps, i.e. there is some potential to introduce errors. Thus, arguably it might be simpler to just reinstall and restore your backup (e.g. config files and $HOME).

Also, in my experience as of 2020, cryptsetup reencrypt is relatively slow, thus it may be faster to just cryptsetup luksFormat the device and restore a backup.

If you have an XFS filesystem, you can't just shrink it, because XFS doesn't support this, as of 2020. Thus, you would need to fstransform it before being able to shrink it. With a transformed filesystem you have another UUID to take care of. That means either change the UUID of the new filesystem to the UUID of the old one, or update the UUID of the filesystem in /mnt/root/etc/fstab.

With a dracut based distribution you don't need to create a /etc/crypttab; other distributions might require it (also before the initramfs update, because it might need to be included there).
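The steps from the answer above, written out as one script for the original poster's situation. This is an added example, not the commenter's script and not anything from the cryptsetup project. It assumes an unmounted ext4 root partition on a single partition (including /boot), a rescue system with cryptsetup, e2fsprogs and util-linux, the mapping name root and the mount point /mnt/root used in the answer, and the Debian 12 boot chain (initramfs-tools with /etc/crypttab, update-initramfs and update-grub, instead of the dracut rd.luks.uuid kernel parameter the answer describes). It also assumes /etc/fstab references the root filesystem by its filesystem UUID, which does not change during the conversion. The free-space check uses a 100 MiB margin, as the answer recommends. It runs in dry-run mode by default and only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example: in-place LUKS2 encryption of an unmounted ext4 root partition,
# following the forum answer, for Debian 12 with initramfs-tools.
# Assumptions (not from the forum post): root and /boot share one partition,
# the LUKS mapping is called "root", mount points live under /mnt/root.
# Usage from a rescue system:  DRY_RUN=1 ./encrypt-root.sh /dev/sdXY  (preview)
#                              DRY_RUN=0 ./encrypt-root.sh /dev/sdXY  (do it)
set -eu

HEADER_MIB=32    # reserved for the LUKS2 header; matches --reduce-device-size 32M
MARGIN_MIB=100   # free space we insist on, as the answer recommends
MNT=/mnt/root
MAPPER=root

# Size in MiB the filesystem may occupy once HEADER_MIB is reserved on the device.
# Args: device size in bytes, header reserve in MiB.
fs_target_mib() {
    echo $(( $1 / 1048576 - $2 ))
}

# Returns 0 if a filesystem using used_mib can shrink to target_mib with MARGIN_MIB spare.
# Args: used space in MiB, target size in MiB.
fits_after_shrink() {
    [ $(( $1 + MARGIN_MIB )) -le "$2" ]
}

# Used space of an unmounted ext4 filesystem in MiB, from the tune2fs superblock dump
# (block count minus free blocks, times block size). Read-only, no fsck required.
fs_used_mib() {
    tune2fs -l "$1" | awk -F: '
        /^Block count/ { c = $2 + 0 }
        /^Free blocks/ { f = $2 + 0 }
        /^Block size/  { b = $2 + 0 }
        END { printf "%d\n", (c - f) * b / 1048576 }'
}

# Print the command in dry-run mode (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

encrypt_root() {
    dev=$1
    command -v cryptsetup >/dev/null || { echo "cryptsetup is not installed" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    ! grep -qs "^$dev " /proc/mounts || { echo "$dev is still mounted" >&2; return 1; }

    target=$(fs_target_mib "$(blockdev --getsize64 "$dev")" "$HEADER_MIB")
    fits_after_shrink "$(fs_used_mib "$dev")" "$target" \
        || { echo "not enough free space to shrink by ${HEADER_MIB} MiB" >&2; return 1; }

    # Steps 7-11 of the answer: check, shrink, encrypt in place, open, grow back.
    run e2fsck -f "$dev"
    run resize2fs "$dev" "${target}M"
    run cryptsetup reencrypt --encrypt --reduce-device-size "${HEADER_MIB}M" "$dev"
    run cryptsetup open "$dev" "$MAPPER"
    run resize2fs "/dev/mapper/$MAPPER"

    # Steps 12-14: mount the decrypted root and the pseudo filesystems for the chroot.
    run mkdir -p "$MNT"
    run mount "/dev/mapper/$MAPPER" "$MNT"
    for fs in dev sys proc; do run mount --bind "/$fs" "$MNT/$fs"; done

    # Debian variant of steps 15-18: initramfs-tools reads /etc/crypttab, so no
    # rd.luks.uuid kernel parameter is needed. The LUKS UUID differs from the
    # filesystem UUID; fstab entries that use the filesystem UUID stay valid.
    # Before the real run the device is not LUKS yet, so dry-run prints a placeholder.
    luks_uuid=$(cryptsetup luksUUID "$dev" 2>/dev/null || echo "LUKS-UUID-PLACEHOLDER")
    run sh -c "echo '$MAPPER UUID=$luks_uuid none luks' >> $MNT/etc/crypttab"
    run chroot "$MNT" update-initramfs -u -k all
    run chroot "$MNT" update-grub

    # Steps 19-22: leave the chroot, unmount, close, reboot by hand.
    for fs in proc sys dev; do run umount "$MNT/$fs"; done
    run umount "$MNT"
    run cryptsetup close "$MAPPER"
    echo "done; reboot and enter the passphrase at the prompt"
}

if [ $# -gt 0 ]; then encrypt_root "$1"; fi
```

The size arithmetic is kept in small functions so the shrink target and the free-space check can be verified on their own before anything touches the disk; the dry run then shows exactly which commands would be issued, in order, against the device you name.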