Use the -y option to ssh-keygen:
ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub
From 'man ssh-keygen':
-y This option will read a private OpenSSH format file and print an
OpenSSH public key to stdout.
Specify the private key with the -f option; yours might be dsa instead of rsa. The name of your private key probably indicates which one you used. The newly generated public key should be the same as the one you generated before.
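As an added example (not part of the original answer), these POSIX shell functions check that a public key file really belongs to a private key by comparing it against the output of ssh-keygen -y, and regenerate a missing .pub file without overwriting an existing one. The function names are illustrative assumptions; only the key type and base64 blob are compared, since the trailing comment field can differ.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the answer above.

# Print only the key type and base64 blob of a public key line; the
# trailing comment field is free text and may differ between files.
pubkey_core() {
    awk 'NF >= 2 { print $1, $2; exit }'
}

# Return 0 when two public key lines carry the same type and blob.
same_pubkey() {
    a=$(printf '%s\n' "$1" | pubkey_core)
    b=$(printf '%s\n' "$2" | pubkey_core)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Derive the public key from private key file $1 with ssh-keygen -y and
# compare it to public key file $2.
# Returns 0 on match, 1 on mismatch, 2 if derivation or reading fails.
private_matches_public() {
    derived=$(ssh-keygen -y -f "$1") || return 2
    stored=$(cat "$2" 2>/dev/null) || return 2
    same_pubkey "$derived" "$stored"
}

# Regenerate $1.pub from private key $1. An existing $1.pub is never
# overwritten; it is only checked against the private key.
# Returns 0 when $1.pub matches the private key afterwards.
restore_pubkey() {
    if [ -e "$1.pub" ]; then
        private_matches_public "$1" "$1.pub"
        return
    fi
    ssh-keygen -y -f "$1" > "$1.pub.tmp" || { rm -f "$1.pub.tmp"; return 2; }
    mv "$1.pub.tmp" "$1.pub"
}

# Usage: restore_pubkey ~/.ssh/id_rsa && echo "id_rsa.pub matches id_rsa"
```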
Why encrypt it at all? I am playing devil's advocate here but for a reason.
There are valid reasons to encrypt removable drives and laptops and other portable devices in case you lose them.
I suppose you could lose a server if someone stole it or gained local access to it.
For laptops and other personal machines you can type a passphrase to enable the server to unencrypt the devices on boot or as required.
Are you able to do this on the server?
If the server does not require this intervention and can unencrypt the devices on boot, the server is not more secure for being encrypted.
The answer is it depends on your circumstances and what you are trying to achieve. There is no rule that says you must encrypt everything, and if you don't know why you are doing it, I suspect you don't need to.
Based on your edit:
I would partition the disk like this:
First partition 100MB mounted on /boot as ext3
Rest of disk formatted as encrypted LVM.
I then partition the LVM partition like this:
Create a volume group vg0
Create these logical volumes:
/dev/vg0/root mounted on /root as ext3 of 3GB
/dev/vg0/swap used as swap space, twice the size of RAM
/dev/vg0/var mounted on /var as ext3 of 7GB
/dev/vg0/home mounted on /home as ext3 using the rest of the free space.
Then everything is encrypted apart from /boot.
Best Answer
The ability to use "eyaml edit" without the private key has been added in the master branch on GitHub.
This is how I am currently using it.
First configure eyaml so that it knows where your public key is (as per "encrypt your data using hiera eyaml").
Then install the master branch version of eyaml using the specific_install gem.
Now you should be able to edit your eyaml files so that encryption works but decryption is not attempted, using either the -d or --no-decrypt flag, e.g.