Is it possible to encrypt the entire filesystem to prevent people from copying files off the board?
It is possible but it is a bit fiddly. A basic approach looks something
like the follows:
Make sure kernel has crypto support
Boot from SD card
a) Use tar or resize2fs/dd to backup current eMMC rootfs (this is
optional, you could also convert the current image from
b) Use cryptsetup to put a LUKS header on the underlying partition
and map it
c) Restore your backup onto the newly mapped device (it will be in
Mount the root filesystem (whilst still running from an SD card).
chroot into the rootfs and setup crypttab.
Regenerate and install a new initramfs
You might prefer a simpler approach (either as an alternative solution
or as a learning exercise to build confidence) of placing /home onto
an encrypted SD card. This is rather simpler because you can become
familiar with the crypto tooling without having to understand
backup/restore and initramfs at the same time.
Just a thought…