Summary of why Kicksecure was ported from initramfs-tools to dracut:
Of the initrd generators I was aware of at the time, only dracut has an exitrd feature, which means the system drops back into the initrd at shutdown time. It then (hopefully) cleanly unmounts encrypted devices. Then ram-wipe runs.
- ram-wipe - Wipe RAM on shutdown and reboot
- RAM Wipe Development Notes
- GitHub - Kicksecure/ram-wipe: Wipe RAM on shutdown and reboot - Cold Boot Attack Defense
This couldn’t have been implemented with initramfs-tools without first contributing the exitrd functionality upstream.
Switching to dracut was actually quite expensive, specifically because nobody had shared in simple steps how to create a Debian-based Live ISO using dracut.
Once dracut is running, writing initrd or exitrd modules is quite doable.
However, it’s best not to over-invest in dracut, as its days might be numbered. One day it might get replaced by mkosi-initrd. On the other hand, since Debian did not even move to dracut by default, it could take many Debian releases, years, until that happens, if that ever happens.