You want help with a debootstrap recipe? Search my name on the forum. I've posted a few that you could modify to your needs.
Or here is one with all my notes, to modify from for LUKS-LVM... I create a recipe. Add all the commands I'll need. Modify the DISK variable to what comes up... Basically, I create a plan. From a Server Edition LiveUSB, go past the Language and Keyboard panels > Help, Select command line > install openssh-server > connect to it from my workstation, from a graphical terminal session. That way I can cut-and-paste my commands. Then on any output, cut-and-paste into my recipe, to change the variables, and to document what happened in the install. That way, I have a record:
Code:
### Encrypted LUKS with LVM2
# Become root
sudo su
# Create an alias variable, as a shortcut to typing it out each time
DISK=$(ls -l /dev/disk/by-id | awk '/sda/ {print "/dev/disk/by-id/"$9}' | head -n 1 )
echo -e "Disk found: $DISK"
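# This is a USB for my keyfile; mount it first so the key lands on the stick
# (/dev/sdb1 is a block device, not a directory)
mount /dev/sdb1 /mnt
DEST=/mnt/luks.key
openssl genrsa -out $DEST 4096
chmod -v 0400 $DEST
chown root:root $DEST
# Note that this is a specific disk identifier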
# Partition the disk
sgdisk -n1:1M:+750M -t1:EF00 -c1:EFI $DISK # Create EFI partition
sgdisk -n2:0:+6G -t2:8200 -c2:SWAP $DISK # Create Swap partition
sgdisk -n3:0:+2G -t3:8309 -c3:BOOT $DISK # Create Boot partition
sgdisk -n4:0:+25G -t4:8309 -c4:ROOT $DISK # Create Root partition
sgdisk -n5:0:0 -t5:8309 -c5:HOME $DISK # Create Home partition
# Display partition table
sgdisk -p $DISK
# Format EFI partition
mkfs.vfat -F 32 -s 1 -n EFI ${DISK}-part1
# Format Boot as ext4 in a LUKS1 container
cryptsetup luksFormat --type luks1 -c aes-xts-plain64 -s 512 -h sha256 ${DISK}-part3
cryptsetup luksAddKey ${DISK}-part3 $DEST
ls /dev/mapper/
cryptsetup luksOpen ${DISK}-part3 luks1
mkfs.ext4 -L BOOT /dev/mapper/luks1
# mount /dev/mapper/luks1 /boot
# Create LUKS2 container and format for ROOT
cryptsetup luksFormat --type luks2 -c aes-xts-plain64 -s 512 -h sha256 ${DISK}-part4
cryptsetup luksAddKey ${DISK}-part4 $DEST
cryptsetup luksOpen ${DISK}-part4 luks2
# Create LUKS2 container and format for HOME
cryptsetup luksFormat --type luks2 -c aes-xts-plain64 -s 512 -h sha256 ${DISK}-part5
cryptsetup luksAddKey ${DISK}-part5 $DEST
cryptsetup luksOpen ${DISK}-part5 luks3
# Create encrypted Swap later in fstab using crypttab
# Verify that keys are set in the keyslots
# Create LVM2
pvcreate /dev/mapper/luks2 /dev/mapper/luks3 ${DISK}-part2
vgcreate vg_root /dev/mapper/luks2
vgcreate vg_home /dev/mapper/luks3
vgcreate vg_swap ${DISK}-part2
lvcreate -l 80%FREE -n lv_root vg_root
lvcreate -l 80%FREE -n lv_home vg_home
lvcreate -l 100%FREE -n lv_swap vg_swap
###
Leave the terminal session open...
Start up installer. When it gets to the partition stage, choose "Something else"...
Select sda1. Change. Format. Use as EFI filesystem.
Select /dev/mapper/luks1 (Linux device-mapper (crypt)). Change. Use as ext4, format, /boot.
Select /dev/mapper/vg_root-lv_root (Linux device-mapper (crypt)). Change. Use as ext4, format, /.
Select /dev/mapper/vg_home-lv_home. Change. Use as ext4, format, /home.
Select /dev/mapper/vg_swap-lv_swap. Change
Continue Install. At completion, DO NOT REBOOT. Instead choose "Continue Testing".
Go back to the open terminal session, where you are still root...
###
mkdir -p /target
MapMount=$(ls /dev/mapper/vg_root-lv_root)
mount $MapMount /target
for DIR in proc sys dev /etc/resolv.conf; do mount --rbind /$DIR /target/$DIR; done
# Enter the installed system so the edits below land in it, not in the live session
chroot /target
mount -a
blkid | grep 'sda' | grep -e 'crypto_LUKS\|SWAP' | awk '{print $1 " " $2 " " $4}'
# copy that output to an editor...
###
SAMPLE:
root@ubuntu:/# blkid | grep 'sda' | grep -e 'crypto_LUKS\|SWAP' | awk '{print $1 " " $2 " " $4}'
/dev/sda4: UUID="bc0c4867-6a91-4f2d-a257-4374d3b8a83c" PARTLABEL="ROOT"
/dev/sda2: UUID="eHwceL-GwKl-TQuK-2Ddh-zElM-EDn5-iOLvMn" PARTLABEL="SWAP"
/dev/sda5: UUID="1d1eaa5a-3d67-4568-b4d8-c15a87c7eb64" PARTLABEL="HOME"
/dev/sda3: UUID="d50cf8d8-fd62-4384-932d-994f2d59dde5" PARTLABEL="BOOT"
# Add these lines to /etc/crypttab, substituting the UUIDs from the output above
luks1 UUID="d50cf8d8-fd62-4384-932d-994f2d59dde5" none luks
luks2 UUID="bc0c4867-6a91-4f2d-a257-4374d3b8a83c" none luks
luks3 UUID="1d1eaa5a-3d67-4568-b4d8-c15a87c7eb64" none luks
swap /dev/mapper/vg_swap-lv_swap /dev/urandom swap,cipher=aes-xts-plain64:sha256,size=512
# The last line will be the encrypted swap, which we need to modify the fstab file to use...
# crypttab maps it as /dev/mapper/swap (the name in the first field), so fstab must point there
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab
sudo nano /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
# GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.auto=1 cryptdevice=/dev/sda4:root"
sudo cryptsetup luksDump ${DISK}-part3 && sudo cryptsetup luksDump ${DISK}-part4 && sudo cryptsetup luksDump ${DISK}-part5
### RESCUE
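sudo su
DISK=$(ls -l /dev/disk/by-id | awk '/sda/ {print "/dev/disk/by-id/"$9}' | head -n 1 )
# Mount the keyfile USB (/mnt is used for the root filesystem below)
mkdir -p /keystore && mount /dev/sdb1 /keystore
DEST=/keystore/luks.key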
cryptsetup luksOpen ${DISK}-part3 luks1 --key-file $DEST
cryptsetup luksOpen ${DISK}-part4 luks2 --key-file $DEST
cryptsetup luksOpen ${DISK}-part5 luks3 --key-file $DEST
pvscan
vgscan
lvscan
mount /dev/mapper/vg_root-lv_root /mnt
for DIR in proc sys dev /etc/resolv.conf
do
mount --rbind /$DIR /mnt/$DIR
done
chroot /mnt
mount -a
sudo cryptsetup convert ${DISK}-part1 --type luks1
####
# <name> <device> <password> <options>
# Asks passphrase
#luks1 UUID="d50cf8d8-fd62-4384-932d-994f2d59dde5" none luks
#luks2 UUID="bc0c4867-6a91-4f2d-a257-4374d3b8a83c" none luks
#luks3 UUID="1d1eaa5a-3d67-4568-b4d8-c15a87c7eb64" none luks
# Uses keyfile
luks1 UUID="d50cf8d8-fd62-4384-932d-994f2d59dde5" /keystore/luks.key luks
luks2 UUID="bc0c4867-6a91-4f2d-a257-4374d3b8a83c" /keystore/luks.key luks
luks3 UUID="1d1eaa5a-3d67-4568-b4d8-c15a87c7eb64" /keystore/luks.key luks
# Encrypted swap
swap /dev/mapper/vg_swap-lv_swap /dev/urandom swap,cipher=aes-xts-plain64:sha256,size=512
# swap /dev/mapper/vg_swap-lv_swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/vg_root-lv_root / ext4 errors=remount-ro 0 1
#/dev/mapper/luks1 /boot ext4 defaults 0 2
# /boot/efi was on /dev/sda1 during installation
UUID=3B24-07E9 /boot/efi vfat umask=0077 0 1
/dev/mapper/vg_home-lv_home /home ext4 defaults 0 2
#/dev/mapper/vg_swap-lv_swap none swap sw 0 0
# Swap goes through the crypttab mapping named "swap", not the raw LV
/dev/mapper/swap none swap defaults 0 0
UUID=09660ab9-d621-4752-b1f7-fc1e7118979a /boot ext4 defaults 0 2
UUID="4987-2A68" /keystore vfat defaults 0 2
nano /etc/cryptsetup-initramfs/conf-hook
KEYFILE_PATTERN="/keystore/*.key"
Remember to change the $DISK variables to what you are installing to, and mix and match what you want to install. This should be way more complex than you need, but examples for what can be done... A good example to modify from.
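
A small lint for the crypttab/fstab pairing this recipe ends with, as an added example that is not part of the original post. The function names, finding labels and sample files are constructed for illustration; it assumes the Debian/Ubuntu behaviour where only key files matching KEYFILE_PATTERN are copied into the initramfs.

```sh
#!/bin/sh
# Added example: lint crypttab/fstab text for two slips that are easy to make
# with keyfile-unlocked LUKS volumes plus random-key swap.

# check_crypt_config CRYPTTAB FSTAB KEYFILE_PATTERN  -> one finding per line
check_crypt_config() {
    crypttab=$1 fstab=$2 pattern=$3
    # Drop comments and blank lines, then read the four crypttab fields.
    grep -Ev '^[[:space:]]*(#|$)' "$crypttab" |
    while read -r name source key opts; do
        case ",$opts," in
        *,swap,*)
            # Random-key swap is only encrypted when fstab names the mapped
            # device /dev/mapper/<name>, not the backing device itself.
            if awk -v s="$source" '$1 == s && $3 == "swap" { f = 1 }
                                   END { exit !f }' "$fstab"; then
                echo "SWAP_BYPASS $name: fstab swaps on $source, not /dev/mapper/$name"
            fi ;;
        esac
        case $key in
        none|/dev/urandom|/dev/random) ;;  # passphrase prompt or throwaway key
        $pattern) ;;                       # covered by KEYFILE_PATTERN
        *) echo "KEY_NOT_IN_PATTERN $name: $key does not match $pattern" ;;
        esac
    done
}

# Constructed sample files (UUIDs are placeholders, not from a real disk).
make_samples() {
    cat > "$1/crypttab" <<'EOF'
# <name> <device> <password> <options>
luks2 UUID=00000000-0000-0000-0000-000000000002 /keystore/luks.key luks
luks3 UUID=00000000-0000-0000-0000-000000000003 /root/luks.key luks
swap /dev/mapper/vg_swap-lv_swap /dev/urandom swap,cipher=aes-xts-plain64,size=512
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/vg_root-lv_root / ext4 errors=remount-ro 0 1
/dev/mapper/vg_swap-lv_swap none swap defaults 0 0
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_crypt_config "$tmp/crypttab" "$tmp/fstab" '/keystore/*.key'
rm -rf "$tmp"
```

Run it against copies of the target system's /etc/crypttab and /etc/fstab before rebuilding the initramfs; no output means neither check fired.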