Package: debian-installer
Version: stretch-rc2

The Debian Stretch RC2 installer and previous versions do not allow Full Disk 
Encryption since /boot is more vulnerable to Evil Maid attacks due to it being 
unencrypted. Securing /boot makes Evil Maid attacks slightly more difficult, 
raising the cost / time for an adversary with physical access.

I suggest looking at prior bugs from over a year ago suggesting how to start 
fixing this by enabling the cryptodisk option for grub, then modifying the 
debian-installer flows to automatically partition using a base encrypted volume 
atop which all other partitions / LVM2 groups sit, including /boot. This 
would hopefully replace the current and slightly more insecure "Guided - Use 
Entire Disk and Set Up Encrypted LVM..." option.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814798

Tested Debian Stretch RC2 and prior versions.
