You'd be looking for /usr/share/mkinitfs/initramfs-init
. I've never customized that myself, but it looks like there's already some support for a keyfile if you look for KOPT_cryptroot
and check that block of code. That looks like it's mostly set up for a keyfile embedded into the initramfs, but I guess it should be possible to replace that code with something that grabs the keyfile off an USB drive.
I suppose you'd make a copy of it, put it somewhere in /etc or whatever and change the mkinitfs.conf
to point to it. init="/etc/whatever/myinitramfs-init"
should do the trick since the config file just gets sourced in. That said you're definitively heading into unknown territory here. It might be easier to just use Dracut or the like instead.
Dracut may have this functionality already built in via rd.luks.key, so a custom module would really only make sense if you're trying to do more than that. You can probably get away with just using that if you just want it to work, but if you want to customize stuff:
I suspect your module is running well after the device is already supposed to be
cryptsetup open
ed. The way the default crypt module handles it is by setting up udev configuration in a very early phase, and then having udev request the password a little bit later when it finds the device it's trying to open, until all devices are ready. It's a complex mechanism compared to Alpine's straightforward script, but it's much more flexible when it comes to ordering of things like RAID/network devices/LUKS/etc.The result of that is that your code would have to run much earlier. There's some documentation on how hooks work, and the builtin
rd.luks.key
/ keydev handler runs at cmdline 10. That's well before your pre-mount, and probably where you'd want to run your code. Based on a cursory inspection of the other code, you could eithercryptsetup open
it yourself if you use the name it expects (rd.luks.name=
cmdline parameter orluks-$luks_container_uuid
), or you could use that/tmp/luks.keys
mechanism (it's a dracut-internal thing so you won't find much documentation, but it lives in crypt-lib.sh, cryptroot-ask.sh and probe-keydev.sh).As for debugging, the cmdline manpage has a few decent enough options.
rd.break=cmdline
or similar can force a shell before Dracut goes through a specific phase of hooks. You should be able to manually test doing things similar to your script at that point.