I think doing it on a physical host is probably more of an interesting experience. I did luks with mine which caused a couple issues but I was able to figure them out.
I basically put /boot and /boot/efi in the same partition, and used everything else for the rest of the filesystem and encrypted that. Aside from that you just have to edit some config files to tell the system you’re using luks.