Preseeding Full Disk Encryption

If you've never worked with preseeding, this entire section of code probably looks incredibly foreign. As preseeding in general is documented well in a number of other places, I'm not going to bother breaking down every setting here. Instead, let me highlight the settings that matter for disk encryption. The most important one tells partman (the preseed partition manager) to use encryption:

d-i partman-auto/method string crypto

Next, because preseeded encrypted partitions need to use LVM, I must add LVM-specific preseed settings:

d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string crypt

In the last of these settings, I told partman to create a new LVM volume group named crypt that I will use to store my encrypted partitions. Further down when I define my swap and root partitions, you can see where I defined the logical volumes by name and set what volume group they are in:

2000 2000 2000 linux-swap                       \
        $lvmok{ } lv_name{ swap }               \
        in_vg { crypt }                         \
. . .
500 10000 1000000000 ext4                       \
        $lvmok{ } lv_name{ root }               \
        in_vg { crypt }                         \

Once these settings were in place, I was able to preseed an install and have disk encryption be almost fully automated, except that the installer prompted me for a passphrase, which I wanted.
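As an added check (not from the article or from debian-installer), the POSIX shell lint below verifies that a preseed file's partman crypto setting, its LVM settings and the recipe's in_vg entries agree with each other; the preseed_value and check_crypto_preseed functions and both sample files are constructed for this example, and the sample recipe is a minimal fragment, not a complete one.

```shell
#!/bin/sh
# Lint the partman crypto/LVM settings of a preseed file (constructed helper).
# Print the value of a "d-i <key> <type> <value>" line, empty if absent.
preseed_value() { awk -v k="$2" '$1=="d-i" && $2==k {print $4}' "$1"; }
# Return 0 if FILE carries a consistent crypto+LVM setup, 1 otherwise.
check_crypto_preseed() {
    file="$1"; errors=0
    [ "$(preseed_value "$file" partman-auto/method)" = "crypto" ] ||
        { echo "partman-auto/method must be crypto"; errors=$((errors+1)); }
    # preseeded encrypted partitions live on LVM, so both confirmations are required
    for key in partman-lvm/device_remove_lvm partman-lvm/confirm; do
        [ "$(preseed_value "$file" "$key")" = "true" ] ||
            { echo "$key must be boolean true"; errors=$((errors+1)); }
    done
    vg=$(preseed_value "$file" partman-auto-lvm/new_vg_name)
    [ -n "$vg" ] || { echo "partman-auto-lvm/new_vg_name is missing"; errors=$((errors+1)); }
    # every in_vg { ... } in the recipe must name the volume group being created
    for used in $(grep -o 'in_vg *{ *[^ }]* *}' "$file" | sed 's/in_vg *{ *//; s/ *}//'); do
        [ "$used" = "$vg" ] ||
            { echo "recipe puts a volume in '$used' but new_vg_name is '$vg'"; errors=$((errors+1)); }
    done
    # logical-volume lines are only honoured when $lvmok{ } is set
    if grep -q 'in_vg' "$file" && ! grep -q 'lvmok{' "$file"; then
        echo 'recipe uses in_vg without $lvmok{ }'; errors=$((errors+1))
    fi
    [ "$errors" -eq 0 ]
}
# Constructed sample: the settings from the article plus a minimal recipe fragment.
tmp=$(mktemp -d)
cat > "$tmp/good.cfg" <<'EOF'
d-i partman-auto/method string crypto
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto/expert_recipe string                 \
      2000 2000 2000 linux-swap                       \
              $lvmok{ } lv_name{ swap }               \
              in_vg { crypt }                         \
      .                                               \
      500 10000 1000000000 ext4                       \
              $lvmok{ } lv_name{ root }               \
              in_vg { crypt }                         \
      .
EOF
# Constructed broken variant: the recipe names a volume group that is never created.
sed 's/in_vg { crypt }/in_vg { vg0 }/' "$tmp/good.cfg" > "$tmp/bad.cfg"
for f in "$tmp/good.cfg" "$tmp/bad.cfg"; do check_crypto_preseed "$f" && echo "$f: ok" || echo "$f: FAILED"; done
```

Running it reports the good file as ok and flags the broken one twice, once per in_vg entry that points at the nonexistent vg0.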

The only missing piece to this automation was that the installer started overwriting the existing disk with random information. Now, there are good reasons why you may want to do this before setting up disk encryption, but in this case, the disk was blank beforehand, and I didn't want to wait the many hours it might take. Try as I might, no options to preseed this feature away seemed to work. After poring through the partman code to find the magic option, I finally resorted to patching the partman-crypto script on the fly in the middle of the install so that it skipped the erase process:

d-i partman/early_command \
       string sed -i.bak 's/-f $id\/skip_erase/-d $id/g'

This is an ugly hack indeed, but it was the only way I was able to find that worked. With that in place, I was able to have an automated partitioning recipe with full-disk encryption that skipped the disk-erasing section. My hope is that the next time other people need to do this and do a search on-line, they at least can find my article and the two other examples and won't have to burn so much time.


Kyle Rankin is Chief Security Officer at Purism, a company focused on computers that respect your privacy, security, and freedom. He is the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu