diff -Nru zfs-linux-0.8.2/debian/changelog zfs-linux-0.8.2/debian/changelog
--- zfs-linux-0.8.2/debian/changelog 2019-12-16 11:42:52.000000000 -0600
+++ zfs-linux-0.8.2/debian/changelog 2019-12-23 20:00:44.000000000 -0600
@@ -1,3 +1,10 @@
+zfs-linux (0.8.2-3ubuntu5) focal; urgency=medium
+
+ * debian/patches/initramfs-with-default-encryption.patch: Use a well-
+ known default encryption key in the initramfs. Closes LP: #1857398.
+
+ -- Steve Langasek Mon, 23 Dec 2019 20:00:44 -0600
+
 zfs-linux (0.8.2-3ubuntu4) focal; urgency=medium
 
 * debian/patches/initramfs-setup-keymapping-and-video-for-
diff -Nru zfs-linux-0.8.2/debian/patches/initramfs-with-default-encryption.patch zfs-linux-0.8.2/debian/patches/initramfs-with-default-encryption.patch
--- zfs-linux-0.8.2/debian/patches/initramfs-with-default-encryption.patch 1969-12-31 18:00:00.000000000 -0600
+++ zfs-linux-0.8.2/debian/patches/initramfs-with-default-encryption.patch 2019-12-23 20:00:31.000000000 -0600
@@ -0,0 +1,32 @@
+Description: Use a well-known default encryption key in the initramfs
+ If the zfs root device has encryption enabled and the keylocation points
+ to a particular predefined value (/run/zfs-root-default), use a default
+ key to unlock the disk. This allows installation with always-enabled
+ encryption and lets the user change the key later to increase the
+ security of their system.
+Author: Steve Langasek
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1857398
+
+Index: zfs-linux-0.8.2/contrib/initramfs/scripts/zfs.in
+===================================================================
+--- zfs-linux-0.8.2.orig/contrib/initramfs/scripts/zfs.in
++++ zfs-linux-0.8.2/contrib/initramfs/scripts/zfs.in
+@@ -415,8 +415,17 @@
+ # If root dataset is encrypted...
+ if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+ TRY_COUNT=3
++ KEYLOCATION=$(${ZFS} get -H -o value keylocation "$ENCRYPTIONROOT")
++ if [ "$KEYLOCATION" = file:///run/zfs-root-default ]; then
++ # Default from the installer: this passphrase
++ # is not a secret, but allows us to install
++ # with encryption enabled and lets the user
++ # re-key the disk later to take control and
++ # make it secure
++ echo -n ubuntuzfs > /run/zfs-root-default
++ ${ZFS} load-key "${ENCRYPTIONROOT}"
+ # Prompt with plymouth, if active
+- if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
++ elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
+ while [ $TRY_COUNT -gt 0 ]; do
+ plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
+ $ZFS load-key "${ENCRYPTIONROOT}" && break
diff -Nru zfs-linux-0.8.2/debian/patches/series zfs-linux-0.8.2/debian/patches/series
--- zfs-linux-0.8.2/debian/patches/series 2019-12-16 11:42:01.000000000 -0600
+++ zfs-linux-0.8.2/debian/patches/series 2019-12-23 17:18:12.000000000 -0600
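Review bot: The new `file:///run/zfs-root-default` branch in `zfs.in` runs `${ZFS} load-key "${ENCRYPTIONROOT}"` once and ignores its exit status, whereas the plymouth branch below it retries while `TRY_COUNT` lasts; if the stored wrapping key no longer matches the default while `keylocation` is unchanged, nothing visible here falls back to prompting. I would check and report the result, e.g. `${ZFS} load-key "${ENCRYPTIONROOT}" || echo "zfs: default key rejected for ${ENCRYPTIONROOT}" >&2`. I would also print a one-line boot message whenever this branch is taken, so an install still protected only by the public passphrase is visible to its owner and to audits. The in-code comment should state that taking control means changing both the passphrase and `keylocation`; as far as I know, `zfs change-key` re-wraps the existing master key rather than replacing it, so key material copied before the re-key may still unlock later data. The enclosing function starts and ends outside the hunk, so how a failed load is handled further down cannot be confirmed from here.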
@@ -20,3 +20,4 @@
 3206-Break-out-of-zfs_zget-early-if-unlinked-znode.patch
 3207-Check-for-unlinked-znodes-after-igrab.patch
 initramfs-setup-keymapping-and-video-for-prompts.patch
+initramfs-with-default-encryption.patch