You don't seem to understand how markets work. System76 is a small company that is just starting out in this area (check out the About Us page). They aren't a massive OEM like Lenovo or Dell, both of which are manufacturing their own laptops in high volumes to bring costs down. System76 has, however, just recently purchased their own 22.4K sq. foot manufacturing facility in Denver, so they will be selling their own laptops soon. The current models are Clevo units with Intel ME disabled, and preloaded with Pop!_OS / Ubuntu 16.04.

So if you want Linux to succeed on the desktop, then you should invest into System76, even if the hardware is slightly more expensive than you get from a Windows OEM. That money will directly go into hiring more software & hardware engineers to work exclusively on the Linux desktop, and Linux-based desktop hardware solutions. Canonical is not manufacturing Linux-based laptops, and neither is Red Hat. They are more concerned with the Linux server & IoT spaces. The 'Year of the Linux Desktop' will only happen once a company like System76 steps up to start selling hardware to the masses in the same manner that Chromebooks, HP, Dell, Lenovo, etc. systems are being marketed and sold on TV and in stores.

PS: I'm one of their latest hires. We're writing the installer backend in Rust, while the Elementary team is working on the UI frontend which interfaces with distinst. Encryption is a thing that we are working on, as well as replacing GRUB with systemd-boot. There are a lot of issues that Canonical has not addressed, and we are going to pick up the slack to cater to the Linux desktop. Canonical's apparently only interested in server and IoT.

Ext4 encryption is also being pondered, but creating an encrypted LVM partition is generally going to be easier to support than handling filesystem-specific encryption options, and whether or not they support it.

The default OEM install will not be encrypted (it would be pointless, for obvious reasons -- encryption has to be set up when it is in the user's hands, not the OEMs). There will be an option to choose to reinstall the system with FDE though. That will boot into the recovery partition to start the re-installation process. Otherwise, if the user chooses not to have encryption, they will simply go on to system/user setup.

Full disk encryption has a non-negligible impact, but I think it is absolutely worth it. Michael frequently posts articles featuring this, a simple google search will give you several. Here is one from 2017: https://www.phoronix.com/scan.php?pa...-encrypt&num=1

Note that I said "non-negligible", which doesn't necessarily mean "large", it depends on what you are doing. Impact on gaming is close to 0 for instance.

What is this in reference to?

This is something interesting. What size esp partition will have by default?

Very well said.

Additionally, as was eluded to earlier with examples like Lenovo, I trust System76 more to provide continued support for their products even after the warranty period, as they have a more focused vision and user base that value OpenSource and are more security-aware. It's also worth reiterating the selection of hardware by System76 that is known to work with Linux; not only does that benefit the end-user that purchases from System76 directly, but it also creates a bigger incentive for hardware vendors and manufacturers to provide support for Linux if they want to be included in the systems that are offered.

Lastly, after the ongoing problems with Meltdown and Spectre, which are further exacerbated due to limited hardware vendors & providers, it should be obvious that choices in Hardware vendors and Open Hardware are becoming increasingly important. Therefore, I would say that, while it's possible to "support Linux" in other ways, there are disproportionately more "supporters" on the software side than with anything related to Open Hardware.

"cryptsetup" (the binary that configures LUKS on disk for you) has a built in benchmark that runs a single-threaded test. Test it on your own machine to see how it performs.

Here's my system. AES-XTS 512 gives me around 1GB/s read/write on my 5 year old Core i7 Dell Vostro 3560. That's quite a deal better than my SSD hard disk can do, and with 8 cores I'm not too fussed at the performance hit for the extra security (and business compliance) it provides.

$ grep ^'model name' /proc/cpuinfo | head -1
model name : Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz

$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 970903 iterations per second
PBKDF2-sha256 604715 iterations per second
PBKDF2-sha512 439838 iterations per second
PBKDF2-ripemd160 608222 iterations per second
PBKDF2-whirlpool 207392 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 538.1 MiB/s 1885.2 MiB/s
serpent-cbc 128b 77.4 MiB/s 254.6 MiB/s
twofish-cbc 128b 166.5 MiB/s 315.1 MiB/s
aes-cbc 256b 384.9 MiB/s 1386.3 MiB/s
serpent-cbc 256b 74.6 MiB/s 258.6 MiB/s
twofish-cbc 256b 161.6 MiB/s 301.1 MiB/s
aes-xts 256b 1559.8 MiB/s 1507.7 MiB/s
serpent-xts 256b 263.6 MiB/s 252.9 MiB/s
twofish-xts 256b 293.1 MiB/s 296.6 MiB/s
aes-xts 512b 1198.4 MiB/s 1223.0 MiB/s
serpent-xts 512b 266.8 MiB/s 260.4 MiB/s
twofish-xts 512b 297.0 MiB/s 309.6 MiB/s

Show me a Lenovo laptop that comes with full Lenovo vendor support for Linux. Or any other OEM where all of the laptop's features and functions "just work" out of the box. Laptops are notoriously fickle when it comes to drivers, and the big OEM's are Windows vendors when it comes to consumer products. They support Linux only on their high end professional workstation models, and typically only corporate distros like RHEL and SLES. And find me one big OEM that is disabling ME by default. The fact is, you get a lot for your money when you buy from System76. If you want to be a self-support penny pincher, that's your prerogative, but it's poor form to badmouth a leading Linux hardware vendor, and even more so when you haven't even used their product.

I would never trust encryption provided by a hardware vendor not to contain backdoors for law enforcement such as a keylogger to cache a copy of the passphrase, perhaps encrypted with a key provided only to the NSA and the FBI. This goes double for Lenovo, with their history of spyware such as Superfish and malicious UEFI code to do things like reinstall Windows bloatware or string check boot executables to ensure only Windows 8 or RHEL could boot.

Use Lenovo's HW encryption only as an additional barrier, and then use your strong passphrase with LUKS instead and on top of that.