replacing initramfs-tools with dracut

dracut support was implemented in grml-debootstrap.

Kicksecure will move to dracut with its next major release (when rebasing to Debian 12 / bookworm).
(required for ram-wipe - Wipe RAM on shutdown and reboot - Kicksecure)


dracut support was completed in git tag 17.0.2.5-developers-only.

This is a major issue for Kicksecure hosts (currently cannot use dracut):

Debian bug report:
unbootable system after installing dracut on a standard Debian installation

Not an issue for Kicksecure VMs or Whonix VMs because there dracut works for some reason.

Might be a duplicate of Debian bug report dracut: generic initrd does not work with encrypted root FS without further configuration.

Thanks to Laszlo Gombos, this has been reported upstream.

Debian bug report:
missing dependency on init / systemd-sysv / libpam-systemd

dracut has many optional modules:
https://wiki.gentoo.org/wiki/Dracut

Summary why Kicksecure was ported from initramfs-tools to dracut:

Of the initrd generators I was aware of at the time, only dracut has an exitrd feature, which means the system drops back into the initrd at shutdown time. It then (hopefully) cleanly unmounts encrypted devices. Then ram-wipe runs.

This couldn’t have been implemented with initramfs-tools without first contributing the exitrd functionality upstream.

Switching to dracut was actually quite expensive, specifically because nobody had shared in simple steps how to create a Debian based Live ISO using dracut.

Once dracut is running, writing initrd or exitrd modules is quite doable.

However, it’s best not to over-invest in dracut, as its days might be numbered. One day it might get replaced by mkosi-initrd. On the other hand, since Debian has not even moved to dracut by default, it could take many Debian releases (years) until that happens, if it ever happens.


Useful for dracut-ng builds from source code only for testing:

https://github.com/laszlogombos.gpg

Great news: Debian will likely switch to dracut-ng in Debian trixie.

Debian feature request:
dracut: Consider switching to the fork dracut-ng

This will fix two important bugs.

One bug when migrating from initramfs-tools to dracut while using full disk encryption:

And a bug that matters for ram-wipe as per Is RAM Wipe possible inside Whonix? Cold Boot Attack Defense - #57 by Patrick.

Debian bug report:
unbootable system after installing dracut on a standard Debian installation - #2

Great progress!

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792#15

Thanks to @arraybolt3!