2012-09-25

Ubuntu preseed.cfg with encrypted lvm

I wanted to automate my laptop setup with preseeding and ran into a wall when trying to automate an encrypted setup (which is the only sane option for a laptop).
I took a look at the Ubuntu guide, the preseed example file and the partman auto recipe document - all of them mentioned the possibility to create an encrypted setup but none said how. So I googled and I googled but couldn't find anybody who had actually done it and shared their results.
I did however find some failed attempts and many dead forum posts where the question had been raised but not answered. One person said that the setup should be really close to an LVM setup but hadn't posted a working example with the encryption part. (Sorry, I don't have a link to this post.) So I took most of the example and modified it to fit my needs and started experimenting. 16 hours and about a hundred tries on my test VM later, I seem to have figured out how to do it. Here is the relevant part of the preseed.cfg file:
#Partitioning
d-i partman-auto/disk string /dev/sda
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/method string crypto
d-i partman-auto/choose_recipe select boot-crypto
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto/expert_recipe string boot-crypto :: \
        250 35 250 ext4 $primary{ } $bootable{ } \
        method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } \
        mountpoint{ /boot } \
        .\
        3072 75 3072 ext4 $lvmok{ } lv_name{ root } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } mountpoint{ / } \
        .\
        100% 75 100% linux-swap $lvmok{ } lv_name{ swap } \
        in_vg { crypt } method{ swap } format{ } \
        .\
        2048 50 3072 ext4 $lvmok{ } lv_name{ usr } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } mountpoint{ /usr } \
        .\
        512 50 1024 ext4 $lvmok{ } lv_name{ tmp } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } mountpoint{ /tmp } \
        .\
        256 25 1000000 ext4 $lvmok{ } lv_name{ home } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } mountpoint{ /home } \
        .
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
This gets the encryption working and is a decent bootable setup. I did run into some trouble when trying to use btrfs and ext2 filesystems for some partitions, but it didn't bother me so much as to try to fix it.
I hope this will help somebody in the future or myself, should my PXE machine die.
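A pre-install check for a preseed file like the one above, as an added example that is not part of the original post: it joins backslash continuations, splits the recipe into stanzas and reports which mount points end up inside the encrypted volume group. It assumes that only stanzas marked `$lvmok{ }` are placed on the encrypted device and that /boot is intentionally left in plaintext; `audit` and `SAMPLE` are names made up for this example.

```python
import re

# Constructed sample: a shortened copy of the recipe layout shown above.
SAMPLE = r"""d-i partman-auto/method string crypto
d-i partman-auto/expert_recipe string boot-crypto :: \
        250 35 250 ext4 $primary{ } $bootable{ } \
        method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } mountpoint{ /boot } \
        .\
        3072 75 3072 ext4 $lvmok{ } lv_name{ root } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ ext4 } mountpoint{ / } \
        .\
        100% 75 100% linux-swap $lvmok{ } lv_name{ swap } \
        in_vg { crypt } method{ swap } format{ } \
        .
d-i partman/confirm boolean true
"""

def audit(text):
    """Return (method, {mountpoint_or_swap: inside_encrypted_lvm}, warnings)."""
    method, layout, warnings = None, {}, []
    # A trailing backslash joins the next line onto the current one.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] != "d-i":
            continue
        key, value = parts[1], parts[3].strip()
        if key == "partman-auto/method":
            method = value
        elif key == "partman-auto/expert_recipe":
            if " d-i " in f" {value} ":
                warnings.append("recipe swallowed a following d-i line")
            # Partition stanzas are separated by a standalone "." token.
            for part in re.split(r"(?:^|\s)\.(?:\s|$)", value.partition("::")[2]):
                m = re.search(r"mountpoint\{\s*(\S+)\s*\}", part)
                name = m.group(1) if m else ("swap" if "linux-swap" in part else None)
                if name:
                    # Assumption: only $lvmok{ } stanzas become LVs on the crypt device.
                    layout[name] = "$lvmok{" in part
    if method != "crypto":
        warnings.append("partman-auto/method is not crypto")
    for name, encrypted in layout.items():
        if not encrypted and name != "/boot":
            warnings.append(f"{name} is outside the encrypted volume group")
    return method, layout, warnings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A recipe whose last stanza ends in `.\` instead of `.` triggers the "swallowed" warning, because the following `d-i` line is read as part of the recipe string.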