partman-crypto adds support to DebianInstaller for configuring, setting up and installing onto encrypted block devices. It allows users to setup dm-crypt encrypted partitions for their Debian system during installation.

partman-crypto is intended to use secure defaults while allowing experienced users to change settings as they require.


partman-crypto is included in the installer since Debian Etch (4.0).

Support for plain dm-crypt is mostly complete and tested. The current focus is on testing the existing features, fixing known bugs and on improving usability. Bugs and feature requests are tracked on the partman-crypto BTS page.


Ideas, Features, Problems

This sections is about ideas, feature requests, known problems and how those could be solved/implemented/etc. Feel free to add any features that you'd like to see.

Key generation / Lack of entropy

Random keys for dm-crypt are created from /dev/random. It is important that we have a good source of entropy to allow us to extract the required amount of key data from /dev/random. Currently, the low amount of entropy in the kernel pool causes the key generation to block for a long time.

There are some ideas for how to solve this:

The current idea is to check if rngd (package rng-tools) could be extended to read from one or more FIFOs and character devices, do FIPS tests and feed the kernel entropy pool. If this is feasible audio-entropyd, video-entropyd, software for collecting network traffic timings etc. could be packaged and be made to feed rngd. TODO: Ask the maintainer of rng-tools (hmh@d.o) if this approach is sound and practically feasible.


People working on partman-crypto currently include

If you would like to contribute, send feedback, suggestions or criticism, get in touch with us on the Debian Boot mailinglist <>