diff --git a/_scripts/unlock-luks-after-install.py b/_scripts/unlock-luks-after-install.py
index b78fb79..d544da0 100755
--- a/_scripts/unlock-luks-after-install.py
+++ b/_scripts/unlock-luks-after-install.py
@@ -73,10 +73,18 @@ def main() -> int:
 proxmox_skip_tls_verify = (
 get_variable_default(variables_common, "proxmox_skip_tls_verify") or False
 )
+ default_luks_passphrase = get_variable_default(
+ variables_common, "default_luks_passphrase"
+ )
 proxmox_node = get_variable_default(variables, "proxmox_node")
 template_vm_id = get_variable_default(variables, "template_vm_id")
- _ = proxmox_api_url, proxmox_node, template_vm_id, credentials
+ _ = (
+ proxmox_api_url,
+ proxmox_node,
+ template_vm_id,
+ credentials,
+ )
 
 server_event = threading.Event()
 
@@ -232,7 +240,9 @@ def main() -> int:
 )
 if remaining:
 time.sleep(1)
- for char in "packer":
+ if not default_luks_passphrase:
+ raise RuntimeError("default_luks_passphrase not set")
+ for char in default_luks_passphrase:
 send_key(char)
 time.sleep(0.1)
 send_key("ret")
diff --git a/debian/13-trixie-luks/debian-trixie.pkr.hcl b/debian/13-trixie-luks/debian-trixie.pkr.hcl
index ec7acee..5540149 100644
--- a/debian/13-trixie-luks/debian-trixie.pkr.hcl
+++ b/debian/13-trixie-luks/debian-trixie.pkr.hcl
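Review bot: The empty-passphrase guard belongs here, directly under the new `default_luks_passphrase = get_variable_default(...)` assignment, not in the `@@ -232` hunk where it only fires after the script has already waited through the whole install; a missing variable should fail before any work is done, e.g. `if not default_luks_passphrase:` / `raise RuntimeError("default_luks_passphrase not set")` right after the read. The `@@ -232` hunk also hands every character of the value straight to `send_key`, which appears to take QEMU key names (`ret` is one), so a passphrase containing characters that are not themselves key names — uppercase letters, `-`, `!` — would presumably be typed wrongly or rejected; either restrict the accepted characters when the value is read, or translate each character to its key name before sending. Both hunks are inside `main()`, whose body starts and ends outside them.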
@@ -74,8 +74,13 @@ source "proxmox-iso" "debian-13-trixie-luks" {
 boot_command = [
 "c",
 "linux /install.amd/vmlinuz auto-install/enable=true priority=critical ",
+ "DEBIAN_FRONTEND=text ",
+ "passwd/root-password='${var.default_root_passphrase}' ",
+ "passwd/root-password-again='${var.default_root_passphrase}' ",
+ "partman-crypto/passphrase='${var.default_luks_passphrase}' ",
+ "partman-crypto/passphrase-again='${var.default_luks_passphrase}' ",
 "INSTALL_FINISHED_INFORM_URL='http://{{ .HTTPIP }}:${var.install_finished_inform_port}/install_finished' ",
- "DEBIAN_FRONTEND=text preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg noprompt",
+ "preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg noprompt",
 "initrd /install.amd/initrd.gz",
 "DEBCONF_DEBUG=5",
 "boot"
@@ -87,7 +92,7 @@ source "proxmox-iso" "debian-13-trixie-luks" {
 
 # SSH Settings
 ssh_username = "root"
- ssh_password = "packer"
+ ssh_password = "${var.default_root_passphrase}"
 ssh_timeout = "20m"
 ssh_pty = true
 }
@@ -104,9 +109,9 @@ build {
 "apt -y autoremove --purge 2> /dev/null",
 "apt -y clean 2> /dev/null",
 "apt -y autoclean 2> /dev/null",
+ "rm -rf /var/cache/apt/archives /var/lib/apt/lists/*",
 "cloud-init clean",
 "rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg",
- "rm -rf /var/cache/apt/archives /var/lib/apt/lists/*",
 "sync"
 ]
 }
diff --git a/debian/13-trixie-luks/http/preseed.cfg b/debian/13-trixie-luks/http/preseed.cfg
index cf494cb..d139d75 100644
--- a/debian/13-trixie-luks/http/preseed.cfg
+++ b/debian/13-trixie-luks/http/preseed.cfg
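Review bot: Moving `passwd/root-password` and `partman-crypto/passphrase` onto the kernel command line makes both secrets readable from `/proc/cmdline` by anything running inside the installer, and the kernel echoes its command line into the boot log; debian-installer copies its syslog into `/var/log/installer/` on the target, so unless that has been checked the passphrases may survive into the finished image. Given the values are meant to be temporary, the cheapest mitigation is to drop those logs in the cleanup provisioner of this same file, e.g. add `"rm -rf /var/log/installer",` next to the existing `rm -rf /var/cache/apt/archives ...` entry in the `@@ -104` hunk. The boot command is also typed key by key, so a passphrase containing a quote, a space or a non-ASCII character would break the `'...'` quoting on these lines at build time; a character-set validation on the two variables would catch that before the VM is even created.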
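Review bot: `ssh_password = "${var.default_root_passphrase}"` wraps a lone interpolation in a string, which HCL2 treats as redundant; the bare reference `ssh_password = var.default_root_passphrase` is the form `packer fmt` and the Packer docs use. Note also that Packer only redacts this value in its console output if the variable is declared `sensitive = true` in variables-common.pkr.hcl, which the declarations added in this commit do not do.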
@@ -18,8 +18,9 @@ d-i netcfg/disable_dhcp boolean false
 
 ### Root Password (no user)
 d-i passwd/make-user boolean false
-d-i passwd/root-password password packer
-d-i passwd/root-password-again password packer
+# Root password is set via kernel cmdline in debian-trixie.pkr.hcl; these lines are ignored but left here for reference:
+# d-i passwd/root-password password "$PACKER_ROOT_PASS"
+# d-i passwd/root-password-again password "$PACKER_ROOT_PASS"
 
 ### Mirror / APT
 d-i apt-setup/cdrom/set-first boolean false
@@ -71,8 +72,9 @@ d-i partman-md/confirm boolean true
 d-i partman-md/confirm_nooverwrite boolean true
 
 # LUKS password
-d-i partman-crypto/passphrase password packer
-d-i partman-crypto/passphrase-again password packer
+# LUKS passphrase is set via kernel cmdline in debian-trixie.pkr.hcl; these lines are ignored but left here for reference:
+# d-i partman-crypto/passphrase password "$PACKER_LUKS_PASS"
+# d-i partman-crypto/passphrase-again password "$PACKER_LUKS_PASS"
 d-i partman-crypto/weak_passphrase boolean true
 d-i partman-crypto/confirm boolean true
 d-i partman-auto-crypto/erase_disks boolean false
diff --git a/variables-common.pkr.hcl b/variables-common.pkr.hcl
index 7021f69..76c7358 100644
--- a/variables-common.pkr.hcl
+++ b/variables-common.pkr.hcl
@@ -15,3 +15,15 @@ variable "source_proxmox_http_interface" {
 default = "en18"
 description = "The network interface to use for the Proxmox HTTP source"
 }
+
+variable "default_luks_passphrase" {
+ type = string
+ default = "packer"
+ description = "Default passphrase for LUKS encryption (will be removed, when setup is completed via cloudinit)"
+}
+
+variable "default_root_passphrase" {
+ type = string
+ default = "packer"
+ description = "Default passphrase for root user (will be removed, when setup is completed via cloudinit)"
+}
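Review bot: The new reference comments point at `$PACKER_ROOT_PASS` here and `$PACKER_LUKS_PASS` in the `@@ -71` hunk, but nothing in this commit defines either name; the values actually come from `var.default_root_passphrase` and `var.default_luks_passphrase` in debian-trixie.pkr.hcl, so a reader following the comment would go looking for an environment variable that does not exist. Naming the real source is enough, e.g. `# d-i passwd/root-password password <var.default_root_passphrase from debian-trixie.pkr.hcl>`. In the `@@ -71` hunk it is also worth a one-line comment on `d-i partman-crypto/weak_passphrase boolean true` saying it is there because the default value is weak, so it is reconsidered if a real passphrase is ever passed in.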
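Review bot: Both new `variable` blocks hold secrets but are not marked `sensitive = true`, so Packer will not redact them in its output, and nothing constrains their character set even though the values are typed through QEMU's sendkey by the unlock script and embedded inside single quotes on the kernel command line in debian-trixie.pkr.hcl. Adding `sensitive = true` plus a `validation` block that limits the value to lowercase letters and digits (the characters whose QEMU key names are the character itself) makes a bad override fail at `packer validate` instead of producing a VM nobody can unlock; the regex below is deliberately conservative and can be widened once the unlock script maps other characters to key names. The same two additions apply to `default_root_passphrase`.
```hcl
variable "default_luks_passphrase" {
  type        = string
  default     = "packer"
  sensitive   = true
  description = "Default passphrase for LUKS encryption (will be removed, when setup is completed via cloudinit)"

  validation {
    condition     = can(regex("^[a-z0-9]+$", var.default_luks_passphrase))
    error_message = "default_luks_passphrase must contain only lowercase letters and digits: it is typed via QEMU sendkey and embedded in a quoted kernel command line."
  }
}
# … unchanged: default_root_passphrase, with the same sensitive/validation additions …
```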