This uses a Debian netinstall ISO with non-free firmware (as remarked here).

During the partition layout, create

* a small boot partition, like 120 MB for the Debian kernel (if you want to keep more kernels, make it bigger)
* a big partition as primary volume for the encrypted stuff

Use the big partition as physical volume for LVM. Format the boot partition as ext4, set the bootable flag, and set its mount point as well.

Then choose the encryption assistant, point it at the big partition, and set up a fully encrypted partition. Once the partition’s data has been erased, it will ask you to set a passphrase for the encrypted LVM. Choose it wisely, as it will be the key to your data.

You will now see that a new partition has been created, namely sda2_crypt. Its default usage is ext4, which is not what we want. Mark it, and change its usage to “physical volume for LVM”.

Then start the logical volume manager and go on with setting up a volume group, namely “luksvg”. There will be yet another question about which partition to use; point it to /dev/mapper/sda2_crypt.

Next, create the logical volumes for the filesystems.

* root (10GB) [ext4, mount as /]
* home (50GB) [ext4, mount as /home]
* swap (8GB) [swap]
* vms (50GB) [ext4, mount as /vms]
* data (50GB) [ext4, mount as /data (for icinga debug logs and so on)]
* backup (30GB) [ext4, mount as /backup]

Now back in the partition table, select each logical volume, format it as ext4 (except swap, which is set to swap space) and add its mount point.

Proceed with the install.
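After the first boot, the result can be checked: every mounted filesystem and the swap area, except /boot, should sit on top of the dm-crypt mapping. The following is an added example, not part of the original post; the function names and the sample `lsblk` output (including the dm-N kernel names) are constructed, and it assumes each device has a single parent, as in this layout.

```shell
# Usage on the installed system:
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | check_encrypted_layout
check_encrypted_layout() {
    awk '
    # Return the value of KEY="value" from one lsblk -P line.
    function field(line, key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (!match(" " line, re)) return ""
        s = substr(" " line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = field($0, "KNAME")
        parent[k] = field($0, "PKNAME"); type[k] = field($0, "TYPE")
        mnt[k] = field($0, "MOUNTPOINT")
    }
    END {
        bad = 0
        for (k in mnt) {
            # /boot stays outside the encrypted volume in this layout.
            if (mnt[k] == "" || mnt[k] == "/boot") continue
            # Walk up the parent chain looking for a dm-crypt mapping.
            found = 0; hops = 0
            for (d = k; d != "" && hops < 16; d = parent[d]) {
                if (type[d] == "crypt") { found = 1; break }
                hops++
            }
            if (!found) { print "NOT ENCRYPTED: " mnt[k] " (" k ")"; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample of the layout above (kernel names dm-0..dm-3 assumed).
sample_layout() {
cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}
sample_layout | check_encrypted_layout && echo "all but /boot is on dm-crypt"
```

The function exits non-zero and prints one line per offending mount, so a swap area left on a plain partition shows up as `NOT ENCRYPTED: [SWAP] (...)`.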
