alpine/slzs

Fork 0

slzs (snix luks zfs ssh mkinitfs) Alpine Linux initramfs builder with remote SSH unlock support for encrypted ZFS rootfs, with snix layout.

Shell 100%

Find a file

sam 34e054f2c6 update		2026-04-07 09:51:03 +02:00
etc/mkinitfs/slzs	Aggiorna etc/mkinitfs/slzs/scripts/safego	2026-04-07 07:31:46 +00:00
usr/sbin	update	2026-04-07 09:51:03 +02:00
LICENSE	Aggiorna LICENSE	2026-03-24 05:49:51 +00:00
README.md	Aggiungi README.md	2026-03-27 19:08:40 +00:00
VERSION	Aggiorna VERSION	2026-03-20 08:25:34 +00:00

README.md

slzs

Alpine Linux initramfs builder with remote SSH unlock support for encrypted ZFS rootfs.

Overview

slzs extends the standard Alpine mkinitfs to produce an initramfs that:

Starts SSH at boot (before the rootfs is mounted)
Unlocks LUKS-encrypted devices and imports a ZFS pool remotely
Loads ZFS native encryption key
Shuts down network access after unlock

Components

File	Location	Description
`slzs`	`/usr/sbin/slzs`	Main builder — generates the initramfs
`slzs-enc`	`/usr/sbin/slzs-enc`	Generates and encrypts `keys.enc`
`safego`	`/sbin/safego`	Initramfs script — decrypts keys, unlocks LUKS, imports ZFS
`go`	`/sbin/go`	Initramfs shortcut — runs `safego` then `gameover`
`gameover`	`/sbin/gameover`	Initramfs script — wipes keys and shuts down network/SSH
`bootup`	`/sbin/bootup`	Initramfs script — continues normal boot after unlock
`ssh.files`	`/etc/mkinitfs/slzs/features.d/`	mkinitfs feature — includes sshd and openssl

Requirements

Alpine Linux with mkinitfs, zstd, cpio
ZFS pool as rootfs (root=ZFS=poolname/dataset in kernel cmdline)
LUKS-encrypted devices under the ZFS pool
keygen in PATH
openssh installed on the host

Setup

1. Generate keys.enc

Run on the live system before building the initramfs:

slzs-enc -p <passphrase> -d /etc/mkinitfs/slzs/keys.enc

This generates a keys.enc file containing:

One line per LUKS device: keygen(uuid) uuid
One line for the ZFS pool: keygen(guid) poolname

All encrypted with AES-256-CBC using the provided passphrase.

2. Add authorized SSH key

Place the public key in /etc/ssh/authorized_keys:

cat ~/.ssh/id_ed25519.pub >> /etc/ssh/authorized_keys

Or let slzs prompt for it interactively if the file does not exist.

3. Build the initramfs

slzs

This will:

Detect the NIC module and network configuration
Build the initramfs via mkinitfs
Inject SSH host key, authorized_keys, keys.enc and unlock scripts
Repackage and replace /boot/initramfs-<type>

Usage

slzs [options]

Options:
  -v                  Verbose mode
  -a, --all           Process all kernels in /lib/modules
  --keep              Keep initramfs backup after update
  -k KERNEL_VERSION   Specify kernel version manually
  -i INIT_FILE        Specify custom initramfs-init script
  -c COMPRESSION      Compression type (default: zstd)
  -m MKINITFS_CONF    Path to mkinitfs.conf
  -s SSH_KEY          SSH host key (default: /etc/ssh/ssh_host_ed25519_key)
  -p PASSPHRASE       Passphrase for keys.enc
  --save              Save passphrase to /etc/mkinitfs/slzs/passphrase
  -V                  Show version
  -h                  Show help

Remote Unlock

At boot, connect via SSH and run:

go <passphrase>

Or interactively (passphrase hidden):

go

go runs safego (unlock) then gameover (wipe keys + kill network/SSH).

What safego does

Decrypts /etc/keys.enc using the passphrase → /dev/shm/keys
Unlocks each LUKS device with its derived key
Imports the ZFS pool
Loads the ZFS native encryption key
Calls bootup to continue normal boot

What gameover does

Wipes /dev/shm/keys
Kills sshd
Flushes all network interfaces
Kills busybox (ends the initramfs shell)

Configuration

slzs generates /etc/slzs.conf on first run with commented defaults:

# DEFAULT_MKINITFS_CONF=/etc/mkinitfs/mkinitfs.conf
# DEFAULT_ENCRYPT_SCRIPT=/usr/sbin/slzs-enc
# DEFAULT_SCRIPTS_DIR=/etc/mkinitfs/slzs/scripts
# DEFAULT_SSH_KEY=/etc/ssh/ssh_host_ed25519_key
# DEFAULT_AUTHORIZED_KEYS=/etc/ssh/authorized_keys
# DEFAULT_COMPRESSION=zstd
# BACKUP_KEEP=n

License

GPL-3.0-or-later