Bug#530784: partman-crypto: preseeding of the dm-crypt passphrase failed
severity 530784 wishlist
retitle 530784 Consider adding support to preseed a dm-crypt passphrase
thanks
On Wednesday 27 May 2009, Gabriel Sailer wrote:
> I tried to install about 20 laptops fully preseeded with crypted
> root and swap (and a normal /boot). The installation works but
> without accepting my preseeded partman-crypto/passphrase (and
> partman-crypto/passphrase-again).
Thanks for the additional info.
The problem seems to be in the blockdev-keygen script. This has:

    get_passphrase () {
        local pass_ok
        pass_ok=0
        while [ $pass_ok -eq 0 ]; do
            templ="partman-crypto/passphrase"
            db_set $templ ""
            db_fset $templ seen false
            db_subst $templ DEVICE "$description"
            db_input critical $templ
            templ="partman-crypto/passphrase-again"
            db_set $templ ""
            db_fset $templ seen false
            db_input critical $templ
            db_go || return 1

Basically this means that the passphrase gets reset before it is asked. So
in the current code preseeding the passphrase is very simply not
supported. As the code also unsets the "seen" flag and the priority of
the question is critical, the question should always be asked though.
Possibly preseeding of the passphrase was not considered safe enough by
the original authors of the code. Possibly also because having the same
passphrase for multiple machines would rather defeat the purpose (although
I could see some logic to that in a corporate setting where the main goal
is to protect data against outsiders).
Cheers,
FJP
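
A small model of the behaviour described in this message, added here as an example (it is not code from partman-crypto or from the author). The db_* functions are constructed stand-ins for the debconf shell API that track only a value and the "seen" flag, and ask_keep_preseed is a hypothetical variant shown for contrast.

```shell
#!/bin/sh
# Constructed stand-in for the debconf database: one value and one "seen"
# flag per question, kept in shell variables. Priority handling is ignored.
_k() { printf '%s' "$1" | tr -c 'A-Za-z0-9' '_'; }
db_set()  { eval "VAL_$(_k "$1")=\$2"; }
db_get()  { eval "RET=\${VAL_$(_k "$1")-}"; }
db_fset() { eval "SEEN_$(_k "$1")=\$3"; }
db_fget() { eval "RET=\${SEEN_$(_k "$1")-false}"; }
# A question already marked seen is skipped (return 30), otherwise it is queued.
db_input() {
    db_fget "$2" seen
    [ "$RET" = true ] && return 30
    ASKED="$ASKED$2 "
}
# Preseeding stores the value and marks the question as seen.
preseed() { db_set "$1" "$2"; db_fset "$1" seen true; }

# The steps quoted from blockdev-keygen, for the first template only.
ask_as_on_page() {
    templ="partman-crypto/passphrase"
    db_set $templ ""
    db_fset $templ seen false
    db_input critical $templ || true
}

# Hypothetical variant (an assumption, not project code): reset the
# question only when no preseeded value is present.
ask_keep_preseed() {
    templ="partman-crypto/passphrase"
    db_get $templ; val=$RET
    db_fget $templ seen
    if [ "$RET" != true ] || [ -z "$val" ]; then
        db_set $templ ""
        db_fset $templ seen false
    fi
    db_input critical $templ || true
}

# $1 = function to run; prints "value=<stored value> asked=<yes|no>".
scenario() {
    ASKED=""
    preseed partman-crypto/passphrase "constructed-example-value"
    "$1"
    db_get partman-crypto/passphrase
    if [ -n "$ASKED" ]; then a=yes; else a=no; fi
    echo "value=$RET asked=$a"
}
scenario ask_as_on_page
scenario ask_keep_preseed
```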