I installed the Kicksecure 18 iso with FDE enabled, so that I have have to input my luks password during boot.
Running /usr/libexec/systemcheck/crypt-check shows:
/usr/libexec/systemcheck/crypt-check: INFO: Root partition is encrypted.
sudo cryptsetup luksDump /dev/disk/by-uuid/1579d221-fab5-4c12-ac88-66bd895c65f4 outputs:
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 1579d221-fab5-4c12-ac88-66bd895c65f4
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 1048576
Threads: 4
Salt: 10 f6 17 b2 4f 0c 4f 13 a9 ba df 30 6f dd 43 35
5a 4c 7f 29 73 71 d9 0a d5 c0 6b 45 9f c8 ea d7
AF stripes: 4000
AF hash: sha512
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha512
Iterations: 191906
...
Yet systemcheck claims that FDE is absent:
[INFO] [systemcheck] Connected to Tor.
[INFO] [systemcheck] Kicksecure is a research project.
[INFO] [systemcheck] user-sysmaint-split-check installation check result: Enabled
https://www.kicksecure.com/wiki/sysmaint
[INFO] [systemcheck] user-sysmaint-split session detection result: SYSMAINT Session.
[INFO] [systemcheck] Full Disk Encryption (FDE): Absent
See also: https://www.kicksecure.com/wiki/Full_Disk_Encryption
[INFO] [systemcheck] GRUB bootloader password: Enabled
See also: https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Bootloader_Password