The right way for laptop encryption

mef
Posts: 27
Joined: 2017-04-14 13:42

#1 Post by mef »

What is currently the right way for full disk encryption (when installing a new system)? I have a laptop with Debian Stretch, with only one HDD, that I want to be fully encrypted, and also have separate partitions for boot, root, swap and home.
Tried this approach, couldn't get it to work.
Then tried partitioning it manually creating a single encrypted volume containing all the partitions. Then tried guided partitioning (which is basically same scheme).
Both give me these warnings on startup:

Code:

WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group deblvm not found
Cannot process volume group deblvm
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group deblvm not found
Cannot process volume group deblvm
Please unlock disk sda2_crypt: _
After entering the passphrase it gives me one more warning like that, and then everything works.

I want a fully encrypted system with these partitions:
sda1 ext2 Boot 1GB
sda2 ext4 Root 30GB
sda3 swap 4GB
sda4 ext4 Home

I also want to be able to use suspend-to-disk without compromising the passphrase. I would be grateful for any help.

Ardouos
Posts: 1077
Joined: 2013-11-03 00:30
Location: Elicoor II
Has thanked: 1 time
Been thanked: 4 times

Re: The right way for laptop encryption

#2 Post by Ardouos »

mef wrote: Both give me these warnings on startup:

Code:

WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group deblvm not found
Cannot process volume group deblvm
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group deblvm not found
Cannot process volume group deblvm
Please unlock disk sda2_crypt: _
After entering the passphrase it gives me one more warning like that, and then everything works.
I think this is pretty normal, my laptop does the same thing. I used the Debian installer to set up the disk encryption with LVM. Linux does generally verbose a lot of information. Someone can correct me if I am wrong though.
mef wrote: I want a fully encrypted system with these partitions:
sda1 ext2 Boot 1GB
sda2 ext4 Root 30GB
sda3 swap 4GB
sda4 ext4 Home
/boot needs to be the first un-encrypted partition or the computer will not boot. All other partitions you should encrypt if you are using FDE.
mef wrote: I also want to be able to use suspend-to-disk without compromising the passphrase. I would be grateful for any help.
When you say "suspend to disk", do you mean hibernation? As long as swap is encrypted then the passphrase should not be compromised when hibernating the machine. Sleeping/suspending the computer on the other hand will not request the decryption key as the key is still active in the memory.
There is only one Debian | Do not break Debian | Stability and Debian | Backports

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
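
The hibernation answer above holds only if the swap device really sits on top of the encrypted volume. This added example (not part of any post in this thread) checks that from `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE` output; the function names and both sample listings are constructed for illustration, with assumed device names.

```shell
# Usage on a real system: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE | check_swap_encrypted
# Prints "<kname> encrypted|PLAINTEXT" per swap device; returns 1 if any swap
# (and so any hibernation image written to it) does not sit on dm-crypt.
check_swap_encrypted() {
    awk '
    function field(key,    s) {          # value of key="..." on the current line
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        s = substr(s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    function on_crypt(k,    n, i, p) {   # true if every path to disk crosses a crypt layer
        if (type[k] == "crypt") return 1
        n = split(parents[k], p, " ")
        for (i = 1; i <= n; i++) if (!on_crypt(p[i])) return 0
        return n > 0
    }
    {
        k = field("KNAME"); type[k] = field("TYPE")
        if (field("PKNAME") != "") parents[k] = parents[k] " " field("PKNAME")
        if (field("FSTYPE") == "swap" && !(k in seen)) { seen[k] = 1; order[++cnt] = k }
    }
    END {
        for (i = 1; i <= cnt; i++) {
            ok = on_crypt(order[i]); if (!ok) bad = 1
            print order[i], (ok ? "encrypted" : "PLAINTEXT")
        }
        exit bad + 0
    }'
}
# Constructed sample: guided "encrypted LVM" layout (assumed device names).
sample_lvm_on_luks() {
    cat <<'EOF'
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext2"
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member"
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap"
EOF
}
# Constructed sample: swap left as a plain partition next to the LUKS volume.
sample_plain_swap() {
    cat <<'EOF'
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" FSTYPE="ext4"
KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="swap"
EOF
}
sample_lvm_on_luks | check_swap_encrypted
```

A swap partition created beside the LUKS volume rather than inside it is reported as PLAINTEXT, which is the layout where a hibernation image would land on disk unencrypted.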

Re: The right way for laptop encryption

#3 Post by mef »

Yes, I forgot to mention, that I create the boot partition outside the encrypted lvm.
And I meant hibernation, yes. Looks like I have no reasons to be concerned then? Nice to know, that I'm doing something right.

Re: The right way for laptop encryption

#4 Post by Ardouos »

mef wrote: Looks like I have no reasons to be concerned then? Nice to know, that I'm doing something right.
From what I can see from the errors, LVM is trying to find the volume group, which it can't because the devices are encrypted. It is only when the decryption key is used that LVM can then find the volume group. So yes, no need to worry... especially when your laptop is successfully booting.
Re: The right way for laptop encryption

#5 Post by mef »

I'll try to find a way to silence them. Leave only the prompt for a passphrase.