William Morder wrote:

> Yes, this was more or less my plan. It was yourself or another who
> suggested the logical volumes inside sda2, and yes, I was also planning to
> encrypt, although I wasn't sure of the method. (I've previously used
> truecrypt, easycrypt, and variants, but I needed something to encrypt
> everything from scratch.) I will look into luks.
> 

crypt luks layer comes first.
look below I post some of my notes - you must update the values to match
your setup

> I ought to say, too, that I intend to backup the contents of my flash
> drive somewhere secure (say, online ...?), but I haven't quite decided
> that. My O.G. friend has some kind of secure storage on a server that he
> has been using since about 1970 or so; I was thinking of some kind of
> server with an onion address, so that I can go to the library, etc., and
> download my system to a flash drive.
> 

why not buy another usb stick and replicate the first one - keep the second
at home or wherever is secure

> I believe I have the basic idea for how to partition my hard drives
> according to my needs from what was said earlier about creating logical
> volumes inside sda2. The rest is just working out what I want to backup
> from /opt, /etc, and so on.
>

You don't backup things you can easily recreate (for example default
installation and config files). You also design your backup by asking
yourself how you would eventually restore.
In any case nowdays usb3.1 has amazing speed and I just bought few days ago
usb3.1 64GB. I was also thinking to make a rescue system out of it :)


Notes:

CRYPTSETUP

WARNING! The following command will remove all data on the partition that
you are encrypting. You WILL lose all your information! So make sure you
backup your data to an external source such as NAS or hard disk before
typing any one of the following command.

In this example, I'm going to encrpt /dev/sdb7. Type the following command:

 # cryptsetup -y -v luksFormat /dev/sdb7

    Open the crypted device

 # cryptsetup luksOpen /dev/sdb7 backup

LVM setup

    Create physical volumes

 # pvcreate /dev/mapper/backup

    Create a volume group

 # vgcreate G750lvm /dev/mapper/backup

     Creating a logical volume

 # lvcreate -L50G -nroot G750lvm

 # lvcreate -L150G -nhome G750lvm

 # lvcreate -L2G -nswap1 G750lvm

 # lvcreate -L2G -nswap2 G750lvm


    After rebooting the system or running vgchange -an, you will not be able
to access your VGs and LVs. To reactivate the volume group, run:

 # vgchange -a y G750lvm
       
    Check the dm device

 # ls -l /dev/mapper/backup

or use following command

 # cryptsetup -v status backup

You can dump LUKS headers using the following command:

 # cryptsetup luksDump /dev/sdb7

    Close a dm device after unmounting it

 # cryptsetup luksClose backup