I've done this now on a few systems, mostly laptops. My reasoning is that any data I care about (particularly email) are stored in my home directory. If the laptop were to get out of my possession, it would likely be shut off at the time, and I don't use suspend/resume. So encrypting /home suffices to protect me if the laptop is lost or stolen. It's also easier and more performance-friendly than encrypting the root dir or swap.
When I installed my current laptop, I knew I'd encrypt /home eventually so I left a spare partition, hda3. If you don't have one, you'll need to shrink a filesystem to create a new partition or logical volume. When you're ready with that, the next step is to create the encrypted mapping.
modprobe aes # or aes-i586 on x86 systems emerge cryptsetup-luks cryptsetup --verify-passphrase luksFormat /dev/hda3 cryptsetup luksOpen /dev/hda3 home mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/home
Next copy the existing /home to the encrypted filesystem. Be sure not to alter any important data in /home since you'll lose any changes made after the copy. You can enforce this by switching to single user mode but I don't bother personally.
mkdir /mnt/newhome mount /dev/mapper/home /mnt/newhome cp -ax /home/. /mnt/newhome umount /mnt/newhome
Next let Gentoo know about it, then reboot to start using the encrypted /home:
printf 'mount=home\nsource=/dev/hda3\ntype=luks\n' >> /etc/conf.d/cryptfs echo '/dev/mapper/home /home ext3 noatime 0 0' >> /etc/fstab echo 'aes' >> /etc/modules.autoload.d/kernel-2.6 # or aes-i586 mv /home /oldhome mkdir /home reboot
Finally, when you've verified that it's working, be sure to remove the old home which still contains unencrypted data!
rm -rf /oldhome