(In reply to comment #17)
> How do you do that?
The standard setup for this looks like this:
sda1: /boot with initramfs (including cryptsetup and scripts)
sda2: crypto_LUKS partition which contains an LVM PV, like /dev/mapper/crypto-sda2
/dev/mapper/crypto-sda2: from that, build a VG "debian"
VG "debian" -> usually has three LVs: "home", "system", "swap"
The trick is to wrap swap, and all other partitions into a VG which is put on an encrypted PV wholesale. So during boot, the initramfs asks for a password for decrypting this PV, which also works for resuming from hibernation.
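A check for the layout described in the comment above, as an added example that is not part of the original comment: it walks `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and reports any filesystem or swap area that has no dm-crypt device above it. The two sample device trees, the ext4 filesystem type and the `dev` helper are constructed for illustration.

```python
import json

# Filesystem types that only hold other devices and carry no data of their own.
CONTAINERS = {None, "crypto_LUKS", "LVM2_member"}

def unencrypted_volumes(lsblk_json, allowed_mounts=("/boot",)):
    """Names of filesystems/swap areas with no dm-crypt ('crypt') device above them."""
    # lsblk_json: output of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`
    findings = []

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        exempt = node.get("mountpoint") in allowed_mounts  # /boot holds the initramfs
        if node.get("fstype") not in CONTAINERS and not under_crypt and not exempt:
            findings.append(node["name"])
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return findings

def dev(name, type_, fstype=None, mountpoint=None, children=()):
    """Hypothetical helper that builds a constructed lsblk-style node."""
    return {"name": name, "type": type_, "fstype": fstype,
            "mountpoint": mountpoint, "children": list(children)}

# Constructed sample: the layout from the comment (ext4 is an assumption).
GOOD = json.dumps({"blockdevices": [dev("sda", "disk", children=[
    dev("sda1", "part", "ext4", "/boot"),
    dev("sda2", "part", "crypto_LUKS", children=[
        dev("crypto-sda2", "crypt", "LVM2_member", children=[
            dev("debian-system", "lvm", "ext4", "/"),
            dev("debian-home", "lvm", "ext4", "/home"),
            dev("debian-swap", "lvm", "swap", "[SWAP]")])])])]})

# Constructed sample: same disk, but swap left as a plain partition outside the VG.
BAD = json.dumps({"blockdevices": [dev("sda", "disk", children=[
    dev("sda1", "part", "ext4", "/boot"),
    dev("sda2", "part", "crypto_LUKS", children=[
        dev("crypto-sda2", "crypt", "LVM2_member", children=[
            dev("debian-system", "lvm", "ext4", "/"),
            dev("debian-home", "lvm", "ext4", "/home")])]),
    dev("sda3", "part", "swap", "[SWAP]")])]})

if __name__ == "__main__":
    print("layout from the comment:", unencrypted_volumes(GOOD))
    print("swap outside the VG:    ", unencrypted_volumes(BAD))
```

A swap area reported here would hold the hibernation image in cleartext, which is the case the wholesale-encrypted PV avoids.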