ubuntu
Victor Diditsky, 2017-06-01 01:27:11

How to encrypt a drive with Ubuntu 16.04 installed?

Hello!
I had an idea: move Ubuntu from the desktop to a netbook and encrypt the disk in order to avoid.
There were no problems with the transfer and launch of the system, it works.
But the encryption part confused me a bit. I found a couple of articles, but either I don't fully understand the process, or it's not quite what I need.
Articles:
Paranoid's Dream or Encryption Once Again
Encrypting Disks in Linux
They describe roughly the following process:

Format the disk -> encrypt the disk -> move the system -> set up booting from a flash drive

Among the drawbacks of what is described: booting and the keys on a separate flash drive.
I want the result to be the same as when installing out of the box with encryption: I turn on the netbook, enter the password, the system boots, I log in and go.
How to achieve such a result?
Is it possible to encrypt a disk with an installed system without formatting it?
I would be very grateful if you have a link to a similar instruction or just a detailed description lying around.

1 answer(s)
Nazar Mokrinsky, 2017-06-01
@GhostSt92

Attention: this instruction is relevant for Ubuntu 17.04 x64 on a UEFI system.
Warning #2: If this seems too complicated for you, you can always reinstall the system by choosing the encrypted installation option in the Ubuntu installer, although the configuration there will be less "clean" than here.
Attention #3: I strongly recommend that you first install a similar system in a virtual machine and carry out all the necessary operations there, and only after making sure that everything worked out do the same on a live system.
Attention #4: always have a bootable Ubuntu flash drive on hand just in case, you can use it to work wonders :)
I have everything encrypted except for the boot flash drive, where grub2 lives along with several modules and a config that indicates how to find the disk that needs to be decrypted.
Without formatting you can migrate if you have a second disk nearby, otherwise I would say no. With a second disk and the btrfs file system you can generally move everything back and forth right from the running system.
In general, I did this (with BTRFS, because it's much easier; it also assumes that you have UEFI, otherwise it's even more difficult):
1) sudo cryptsetup -s 512 luksFormat /dev/nvme0n1 (this is for an NVMe SSD, replace it with your disk)
2) Open the crypto container, create a file system, then either mount and transfer files, or simply add this new partition to the existing file system and delete the old one (I don't give commands, read https://wiki.archlinux.org/index.php/Dm-crypt/Encr... , there are many examples there, and https://btrfs.wiki.kernel.org/index.php/Main_Page , everything is there with examples too)
3) Edit /etc/crypttab (create it if it does not exist), my example is:

system UUID=739967f1-9770-470a-a031-8d8b8bcdb350 none luks,discard,keyscript=/etc/cryptroot/system.64.sh
and /etc/fstab, something like this:
proc                /proc     proc  nodev,noexec,nosuid                   0 0
tmpfs               /tmp      tmpfs defaults                              0 0
/dev/mapper/system  /         btrfs compress=lzo,noatime,ssd,subvol=/root 0 1
UUID=E495-1F0C      /boot/efi vfat  defaults,discard                      0 0

4) Since you cannot simply specify a file with a key to automatically open the luks container (it will not get into the initramfs image and you would need to enter the password twice: once in grub to start loading and once after starting to unlock the root file system), you need to write a shell script ( /etc/cryptroot/system.64.sh in the example above) that will output this key. To do this, we generate raw data for the key, turn the data into base64 so that it is easy to work with in a shell script, create the shell script, then adjust the permissions:
sudo mkdir /etc/cryptroot
sudo dd bs=1024 count=4 if=/dev/urandom of=/etc/cryptroot/system
sudo cat /etc/cryptroot/system | base64 | sudo tee /etc/cryptroot/system.64
echo "echo '" | sudo tee /etc/cryptroot/system.64.sh
sudo cat /etc/cryptroot/system.64 | sudo tee --append /etc/cryptroot/system.64.sh
echo "'" | sudo tee --append /etc/cryptroot/system.64.sh
sudo chmod 400 /etc/cryptroot/system
sudo chmod 400 /etc/cryptroot/system.64
sudo chmod 500 /etc/cryptroot/system.64.sh

5) Add this key to a luks key slot of the container:
sudo cryptsetup luksAddKey /dev/nvme0n1 /etc/cryptroot/system.64

6) On a bootable flash drive (GPT table, FAT32 partition with the esp flag), put grubx64.efi in EFI/ubuntu (it should already be there), create a folder x86_64-efi for modules and put there the modules that are necessary to open the luks container (you can take them from /boot/grub/x86_64-efi):
cryptodisk.mod
gcry_sha256.mod
luks.mod
procfs.mod

7) Configure grub (copying modules and manual configuration is a consequence of the bug https://bugs.launchpad.net/ubuntu/+source/grub2/+b... ). First, add GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub (somewhere right after GRUB_CMDLINE_LINUX), then create/edit /boot/efi/EFI/ubuntu/grub with the following content:
search.fs_uuid E495-1F0C boot
set prefix=($boot)'/EFI/ubuntu'
insmod luks
insmod gcry_sha256
cryptomount -u 739967f19770470aa0318d8b8bcdb350
search.fs_uuid 5170aca4-061a-4c6c-ab00-bd7fc8ae6030 root cryptouuid/739967f19770470aa0318d8b8bcdb350 
set prefix=($root)'/root/boot/grub'
configfile $prefix/grub.cfg

Here E495-1F0C is your ESP partition on the flash drive, 739967f19770470aa0318d8b8bcdb350 is your crypto container, and 5170aca4-061a-4c6c-ab00-bd7fc8ae6030 is the root file system. This config uses the modules copied earlier, tries to open the luks container and takes the main grub config from there to display the menu and then boot. I would suggest keeping a copy of the config side by side just in case Ubuntu decides to overwrite it with the non-working version from above.
8) We chroot into the root system from point 2) and update grub: sudo dpkg-reconfigure grub-efi-amd64 (make sure that the config we created was not overwritten), and the initramfs: sudo update-initramfs -u -k all
If I have not forgotten anything in the course of writing, then after that it will be possible to boot into a fully encrypted system. There will be several files on the flash drive with a total size of 255 KiB. Before displaying the grub menu, the system will ask you for the password from the luks container, without which, apart from a few non-confidential files on the flash drive, everything is completely encrypted.
PS Sorry that it turned out not to be a short answer but a whole article; I just had special requirements (the same btrfs), and there is a lot of outdated material on the Internet, so I had to assemble a system that was not fully described anywhere from the pieces I found. Moreover, some bugs were found in Ubuntu / grub, the workaround for which I also described in the instructions.
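As an added example (my own code, not the commands from the answer), here is a POSIX shell script that builds the key material and keyscript from steps 4 and 5 in a directory you choose and then checks the property the whole scheme relies on: the keyscript's stdout must be byte-for-byte identical to the file passed to luksAddKey. It writes the keyscript with a quoted heredoc instead of echo quoting, runs against a scratch directory by default, and never touches /etc/cryptroot or a LUKS device unless you run it that way as root.

```shell
#!/bin/sh
# Added example, not the answer's own commands: builds the key material and
# keyscript from steps 4-5 in a directory of your choice, then checks that the
# keyscript's stdout is byte-for-byte identical to the file handed to
# `cryptsetup luksAddKey`. LUKS itself is never touched.
set -eu

# make_keyscript DIR: create DIR/system (raw key), DIR/system.64 (the base64
# form that goes into the LUKS slot) and DIR/system.64.sh (keyscript).
make_keyscript() {
    dir=$1
    mkdir -p "$dir"
    umask 077                                  # new files are owner-only
    head -c 4096 /dev/urandom > "$dir/system"  # 4 KiB of raw key material
    base64 "$dir/system" > "$dir/system.64"    # shell-safe text form
    # A quoted heredoc reproduces the base64 text exactly, trailing newline
    # included, so the script prints precisely the contents of system.64.
    {
        printf '#!/bin/sh\n'
        printf "cat <<'EOF'\n"
        cat "$dir/system.64"
        printf 'EOF\n'
    } > "$dir/system.64.sh"
    chmod 400 "$dir/system" "$dir/system.64"
    chmod 500 "$dir/system.64.sh"
}

# verify_keyscript DIR: run the keyscript as the initramfs would (stdout is the
# key), compare with the LUKS key file and the raw key, and check the modes.
verify_keyscript() {
    dir=$1
    sh "$dir/system.64.sh" > "$dir/out.tmp"
    cmp -s "$dir/out.tmp" "$dir/system.64" \
        || { echo "keyscript output differs from system.64"; return 1; }
    base64 -d "$dir/out.tmp" | cmp -s - "$dir/system" \
        || { echo "decoded output differs from raw key"; return 1; }
    rm -f "$dir/out.tmp"
    # find -perm with an exact mode: 400 for the keys, 500 for the script
    find "$dir/system" "$dir/system.64" ! -perm 400 | grep -q . \
        && { echo "key files are not mode 400"; return 1; }
    find "$dir/system.64.sh" ! -perm 500 | grep -q . \
        && { echo "keyscript is not mode 500"; return 1; }
    return 0
}

# Demo in a scratch directory; substitute /etc/cryptroot for the real setup.
demo_dir=$(mktemp -d)
make_keyscript "$demo_dir"
verify_keyscript "$demo_dir" && echo "keyscript in $demo_dir verified"
```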
