I have seen various guides and recommendations on web about how best to do this but nothing that clearly explains the best way and why. So I understand there is a need for part of Debian during install to be un-encrypted on its own partition to allow it to boot. Most info I have seen is call this /boot and set the boot flag. Next I believe the best approach is to create another partition out of all the rest of the disk space, encrypt this, then on top of that create a LVM and then within the LVM create my various partitions , name them , select size, and file system type. Can I include /swap in the encrypted LVM part ? Is this approach sound? If so what are the partitions I should use (this is going to be a minimal server install with a view to install as and when what I need for a dev server)? Finally how does the installer know what to put in each partition I define ?
I appreciate there are more than one question but any help and suggestions would be appreciated. If further clarification is needed please mention in the comments .
EDIT : 16/3/2010
After Richard Holloways reply I thought it relevant to add this info:
The reasons why I want to do this are to explore maximising security on any server install and set up, due to interest in the area of Computer Security and Forensics. Also I am trying to peform the task as if it being performed in an enterprise situation.
On a technical matter, once set up and configured with minimal packages and ssh this server will not physically be easy to access so I will only be entering via ssh. (Yes I know why encrypt something no one will ever be able to get their hands on? Because I can and I want to is the simple answer, but see above too).
Best Answer
Why encrypt it at all? I am playing devil's advocate here but for a reason.
There are valid reasons to encrypt removable drives and laptops and other portable devices in case you lose them.
I suppose you could lose a server if someone stole it or gained local access to it.
For laptops and other personal machines you can type a pass phrase to enable the server to unencrypt the devices on boot or as required.
Are you able to do this on the server? If server does not require this intervention and can unencrypt the devices on boot the server is not more secure for being encrypted.
The answer is it depends on your circumstances and what you are trying to achieve. There is no rule that says you must encrypt everything and if you don't know why you are doing it I suspect you don't need to.
Based on your edit:
I would partition the disk like this:
First partition 100MB mounted on /boot as ext3
Rest of disk formated as encrypted LVM.
I then partition the LVM partition like this:
Create a volume group vg0
Create this logical volumes:
/dev/vg0/root mounted on /root as ext3 of 3GB
/dev/vg0/swap used as swpa space, twice the size of RAM
/dev/vg0/var mounted on /var as ext3 of 7GB
/dev/vg0/home mounted on /home as ext3 using the rest of the free space.
Then everything is encrypted apart from /boot.