
Better-initramfs: initramfs supporting SSH, lvm, luks, raid, uswsusp and more - djsumdog
https://github.com/slashbeast/better-initramfs
======
rdslw
If you're looking for a 'kitchen sink included' solution that is currently maintained and supported by Red Hat, Debian and others, look at dracut:
[https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html](https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html)

If you're looking for a really FAST and streamlined solution (one binary), check this
post: [https://michael.stapelberg.ch/posts/2020-01-21-initramfs-from-scratch-golang/](https://michael.stapelberg.ch/posts/2020-01-21-initramfs-from-scratch-golang/)

~~~
anon9001
Dracut works pretty well. I managed to get it to auth me with sshd using an
ed25519 key stored on my yubikey. I then use gpg-agent in dracut to decrypt my
keyfile and use that to unlock the root partition, which then boots and kicks
me out of ssh. It's a pretty clean answer for a fully encrypted home server.

Of course, it doesn't encrypt /boot, but I keep a separate USB stick for that
and put it in the server when it needs a reboot.

~~~
rdslw
Can you share (blog? github?) more details (ideally whole dracut module :)
about your implementation?

~~~
anon9001
I haven't posted it anywhere because it's a bit of a mess, but here you go:
[https://pastebin.com/ZfkM2zkU](https://pastebin.com/ZfkM2zkU)

I'm not proud, or smart, but it works. Systemd is used for networking to make
it simpler.

I based it on this: [https://github.com/gsauthof/dracut-sshd](https://github.com/gsauthof/dracut-sshd)

I should probably package it up with all the config options you'd need to
specify drive and keyfile location and all that, but I'm a terrible member of
the community and haven't actually done it yet.

The real trick that took me a long time to figure out was invoking "cryptsetup luksOpen"
with my mount.sh script and then using
"systemctl stop systemd-cryptsetup@nvme0n1p3_crypt.service" to get the thing to keep
booting. I still don't really understand the tty ask password stuff in systemd, but this
seems to work fine.

You just ssh in and run ./mount.sh and it decrypts/mounts/boots.
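
A minimal version of the unlock flow described above (open the LUKS volume from the dracut sshd shell, then stop the systemd-cryptsetup unit that is holding the boot on a console passphrase prompt), written as an added example for this page. It is not the pastebin script from the thread and not part of dracut-sshd. The device path /dev/nvme0n1p3, the mapping name nvme0n1p3_crypt, the keyfile path /root/keyfile.gpg and the "gpg-encrypted keyfile decrypted through gpg-agent" scheme are assumptions for illustration only.

```shell
#!/bin/sh
# Remote root-unlock helper for a dracut + sshd early-boot shell.
# Added example for this page; NOT the pastebin script from the thread and
# not part of dracut-sshd. Everything below is a hypothetical layout:
#   LUKS_DEV     - the LUKS-formatted partition
#   MAP_NAME     - the crypttab mapping name (Debian-style "<dev>_crypt")
#   KEYFILE_GPG  - the LUKS key, encrypted to a gpg key whose private half
#                  is reachable through an already-running gpg-agent
# DRY_RUN=1 prints the privileged commands instead of executing them.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"
MAP_NAME="${MAP_NAME:-nvme0n1p3_crypt}"
KEYFILE_GPG="${KEYFILE_GPG:-/root/keyfile.gpg}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Name of the generated unit that waits for the passphrase of a crypttab
# entry: systemd-cryptsetup@<escaped mapping name>.service. This covers the
# two escaping rules that matter for typical names ('-' -> '\x2d', '/' -> '-');
# systemd-escape --template=systemd-cryptsetup@.service is the full version.
cryptsetup_unit() {
    esc=$(printf '%s' "$1" | sed -e 's/-/\\x2d/g' -e 's|/|-|g')
    printf 'systemd-cryptsetup@%s.service' "$esc"
}

# Open the volume with the decrypted key on stdin (--key-file=- reads the key
# from standard input, so the plaintext key is never written to a file in the
# initramfs), then stop the unit that is still blocked on the console prompt.
# With the mapping present, the rest of the boot (sysroot.mount etc.) proceeds.
unlock_root() {
    unit=$(cryptsetup_unit "$MAP_NAME")
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ gpg --batch --quiet --decrypt %s | cryptsetup luksOpen --key-file=- %s %s\n' \
            "$KEYFILE_GPG" "$LUKS_DEV" "$MAP_NAME"
    else
        gpg --batch --quiet --decrypt "$KEYFILE_GPG" \
            | cryptsetup luksOpen --key-file=- "$LUKS_DEV" "$MAP_NAME"
    fi
    run systemctl stop "$unit"
}

# "sh mount.sh unlock" performs the unlock; sourcing the file or running it
# with no argument only defines the functions.
if [ "${1:-}" = unlock ]; then
    unlock_root
fi
```

Two caveats a practitioner would want: the unit-name escaping in cryptsetup_unit is deliberately the small subset systemd applies to ordinary mapping names, so prefer `systemd-escape` when it is present in the initramfs image; and `systemctl stop` only makes sense once `cryptsetup luksOpen` has succeeded, which `set -e` enforces by aborting the script on a failed open instead of silently tearing down the prompt.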

------
megous
I'm working on something similar, specialized just for PinePhone:

[https://www.youtube.com/watch?v=ZL1GREqoqx8](https://www.youtube.com/watch?v=ZL1GREqoqx8)

So far it serves as a boot menu. But given that it's a full Linux kernel
running, I expect it will also support OS installation over WiFi or flashing
over USB mass storage, and some basic HW tests, sshing in, and encrypted
rootfs unlocking, etc.

~~~
HeckFeck
Thank-you for your work. Bits like this will help make the PinePhone be a fine
phone.

------
sprash
How about no initramfs? The kernel can even boot from encrypted RAID volumes
as an EFISTUB, or in even more complicated setups, without any further need for
user-space software.

On non-critical devices which can be booted via USB in case of emergency
(like laptops or desktops), an initramfs is kind of pointless and just
unnecessarily prolongs the boot time.

As long as you statically compile in the ext4 (or whatever FS) support, every
needed kernel module can then be loaded during regular boot.

~~~
piotrkarbowski
Even if you boot kernel with EFISTUB or whatever way you decide, you still
need something that will mount encrypted storage before you can switch to
/sbin/init.

------
juuul
Hm, last updated 3 years ago and depends on the unmaintained Aboriginal Linux.

~~~
piotrkarbowski
Devel branch updated on 2019-10-19 and uses Alpine Linux as sysroot.

------
david_draco
tuxonice! Long time no see. It used to be so reliable, a shame that it was
rejected from the mainline kernel. I still have issues with suspend/hibernate
in Ubuntu.

~~~
war1025
I don't remember when it was exactly, but there was a point a couple years ago
where some kernel developer looked at the hibernate code and realized it was
basically garbage and redid it.

Ever since then, I haven't had any problems. Previous to that, I couldn't get
hibernate to work on my Thinkpad at all.

I believe the core issue is the original writer tried to get too fancy with
the data serialization and it was getting corrupted somewhere along the way.
So then it would go to resume from hibernate, find garbage data, and freeze
up.

------
vesinisa
Does it support Debian-style initramfs shell scripts?

