
Bug#530784: partman-crypto: preseeding of the dm-crypt passphrase failed



severity 530784 wishlist
retitle 530784 Consider adding support to preseed a dm-crypt passphrase
thanks

On Wednesday 27 May 2009, Gabriel Sailer wrote:
> I tried to install about 20 laptops fully preseeded with crypted
> root and swap (and a normal /boot). The installation works but
> without accepting my preseeded partman-crypto/passphrase (and
> partman-crypto/passphrase-again).

Thanks for the additional info.

The problem seems to be in the blockdev-keygen script. This has:
get_passphrase () {
        local pass_ok

        pass_ok=0
        while [ $pass_ok -eq 0 ]; do
                templ="partman-crypto/passphrase"
                db_set $templ ""
                db_fset $templ seen false
                db_subst $templ DEVICE "$description"
                db_input critical $templ

                templ="partman-crypto/passphrase-again"
                db_set $templ ""
                db_fset $templ seen false
                db_input critical $templ

                db_go || return 1

Basically this means that the passphrase gets reset before it is asked. So 
in the current code preseeding the passphrase is very simply not 
supported. As the code also unsets the "seen" flag and the priority of 
the question is critical, the question should always be asked though.

Possibly preseeding of the passphrase was not considered safe enough by 
the original authors of the code. Possibly also because having the same 
passphrase for multiple machines would rather defeat the purpose (although 
I could see some logic to that in a corporate setting where the main goal 
is to protect data against outsiders).

Cheers,
FJP
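
The behaviour described in the message above, as an added example that is not part of the original mail or of partman-crypto: the db_* functions are simplified stand-ins for the debconf confmodule calls (assumption: preseeding stores the value and marks the question as seen), and ask_honouring_preseed is a hypothetical variant shown only for contrast.

```shell
#!/bin/sh
# Simplified stand-in for the debconf database (constructed for this example;
# the real db_* functions come from the debconf confmodule).
DB=$(mktemp -d)
trap 'rm -rf "$DB"' EXIT
key()     { printf '%s/%s.%s' "$DB" "$(printf '%s' "$1" | tr '/' '_')" "$2"; }
db_set()  { printf '%s' "$2" > "$(key "$1" value)"; }
db_fset() { printf '%s' "$3" > "$(key "$1" "$2")"; }
db_get()  { RET=$(cat "$(key "$1" value)" 2>/dev/null || true); }
db_fget() { RET=$(cat "$(key "$1" "$2")" 2>/dev/null || echo false); }

# A question is shown unless it is flagged as seen; when it is shown, the
# simulated console answer replaces whatever value was stored.
ASKED=0
USER_ANSWER="typed-at-console"          # constructed sample input
db_input() {
    db_fget "$2" seen
    if [ "$RET" = false ]; then
        ASKED=$((ASKED + 1))
        db_set "$2" "$USER_ANSWER"
    fi
}

# What a preseed file does to a question in this model.
preseed() { db_set "$1" "$2"; db_fset "$1" seen true; }

# Same order of calls as the get_passphrase excerpt: the value is cleared and
# the seen flag unset before the question is queued.
ask_current() {
    templ="partman-crypto/passphrase"
    db_set $templ ""
    db_fset $templ seen false
    db_input critical $templ
    db_get $templ
}

# Hypothetical variant that leaves a preseeded value and its seen flag alone.
ask_honouring_preseed() {
    templ="partman-crypto/passphrase"
    db_input critical $templ
    db_get $templ
}

preseed partman-crypto/passphrase "constructed-preseed-value"
ask_current
echo "current flow: asked=$ASKED value=$RET"
```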


