通常，我尽量撰写不针对特定发行版的文章。 尽管我可能会给出基于 Debian 发行版的示例，但只要有可能，我都会尽量使我的说明适用于所有人。 这篇文章不是其中之一。 在这里，我记录了最近在使用 Debian 预播种（一种自动化 Debian 安装的方法，类似于 Red Hat 系统的 kickstart）时遇到的一个过程，我发现它比实际需要的要困难得多，主要是因为文档太稀疏了。 事实上，在我的研究中，我只找到了两个可靠的例子，其中一个提到了另一个。

在本文中，我将描述如何在 Debian 安装中预播种全盘加密。 当我尝试为笔记本电脑创建完全自动化的“OEM”安装时，出现了这个问题。 目标是拥有一个自动化的启动模式，引导用户完成他们的操作系统安装，并默认使用全盘加密，但尽可能简化用户的操作。 通常，除非您打算将整个磁盘加密为一个大的分区，否则 Debian 安装程序会让您在安装期间跳过几个步骤来设置磁盘加密。

在我的例子中，我不能只使用整个磁盘，因为我需要从磁盘上分割出一个小区域作为救援分区，用来存储 OEM 安装镜像本身。 我的最终目标是让用户只需输入他们的密码，它就会设置一个未加密的 /boot 和救援磁盘分区，以及一个加密的 / 和交换分区。 还有一个额外的挑战，我还想跳过通常在使用 Debian 启用磁盘加密时发生的耗时的磁盘擦除过程，因为磁盘一开始就是空白的。

不幸的是，虽然有很多关于如何使用预播种自动化普通分区和 LVM 的文档（事实上，我自己在其中一本书中写了一整节关于这个主题的内容），但我很难找到关于如何在其中添加加密的文档。 经过大量研究后，我终于找到了两个帖子（正如我提到的，其中一个引用了另一个），描述了启用此功能的魔法咒语。 不幸的是，Debian 预播种中加密磁盘的唯一支持模式需要使用 LVM（这是我稍后在阅读负责安装这部分的代码时确认的）。 这不是世界末日，但如果它没有这个要求，我认为会更简单。

由于您需要一个基本的未加密 /boot 分区来加载内核并提示用户输入密码，因此我必须同时考虑这两个分区，并保留磁盘上已经存在的小型 2GB 救援磁盘分区。 之后，剩余的 / 和交换分区被加密。 这是预播种配置文件的分区部分

d-i partman-auto/method string crypto
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto/disk string /dev/sda
d-i partman-auto/choose_recipe select root-encrypted
d-i partman-auto/expert_recipe string                         \
      root-encrypted ::                                       \
              500 500 500 ext3                                \
                      $primary{ } $bootable{ }                \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ /boot }                     \
              .                                               \
              2000 2000 2000 linux-swap                       \
                      $lvmok{ } lv_name{ swap }               \
                      in_vg { crypt }                         \
                      $primary{ }                             \
                      method{ swap } format{ }                \
              .                                               \
              500 10000 1000000000 ext4                       \
                      $lvmok{ } lv_name{ root }               \
                      in_vg { crypt }                         \
                      $primary{ }                             \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ / }                         \
              .                                               \
              2000 2000 2000 ext4                             \
                      $primary{ }                             \
                      method{ keep }                          \
                      use_filesystem{ } filesystem{ ext4 }    \
                      label{ rescuedisk }                     \
              .

d-i partman-md/device_remove_md boolean true
d-i partman-basicfilesystems/no_mount_point boolean false
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true




If you've never worked with preseeding, this entire section of code
probably looks incredibly foreign. As preseeding in general is documented
well in a number of other places, I'm not going to bother breaking down
every setting here. Instead, let me highlight the settings that matter
for disk encryption. The most important one tells partman (the preseed
partition manager) to use encryption:


d-i partman-auto/method string crypto





Next, because preseeded encrypted partitions need to use LVM, I must add
LVM-specific preseed settings:


d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string crypt





In the last of these settings, I told partman to create a new LVM volume
group named crypt that I will use to store my encrypted partitions.
Further down when I define my swap and root partitions, you can see where I
defined the logical volumes by name and set what volume group they are in:


2000 2000 2000 linux-swap                       \
        $lvmok{ } lv_name{ swap }               \
        in_vg { crypt }                         \
. . .
500 10000 1000000000 ext4                       \
        $lvmok{ } lv_name{ root }               \
        in_vg { crypt }                         \





Once these settings were in place, I was able to preseed an install and have
disk encryption be almost fully automated, except that the installer
prompted me for a passphrase, which I wanted.



The only missing piece to this automation was that the installer started
overwriting the existing disk with random information. Now, there are good
reasons why you may want to do this before setting up disk encryption, but
in this case, the disk was blank beforehand, and I didn't want to wait the
many hours it might take. Try as I might, no options to preseed this feature
away seemed to work. After poring through the partman code to find the
magic option, I finally resorted to patching the partman-crypto script
on the fly in the middle of the install so that it skipped the erase
process:


d-i partman/early_command \
       string sed -i.bak 's/-f $id\/skip_erase/-d $id/g'
/lib/partman/lib/crypto-base.sh





This is an ugly hack indeed, but it was the only way I was able to find
that worked. With that in place, I was able have an automated partitioning
recipe with full-disk encryption that skipped the disk-erasing section. My
hope is that the next time other people need to do this and do a search
on-line, they at least can find my article and the two other examples and
won't have to burn so much time.