slzs (snix luks zfs ssh mkinitfs) Linux initramfs builder with remote SSH unlock support for encrypted ZFS rootfs, with snix layout.

slzs

Initramfs builder with encrypted ZFS rootfs and LUKS unlock support, for Alpine Linux and Arch Linux.

Overview

slzs produces an initramfs that:

  • Unlocks LUKS-encrypted devices and imports a ZFS pool at boot
  • Loads the ZFS native encryption key
  • Supports remote SSH unlock (Alpine) or automatic/USB unlock (Arch)
  • Shuts down network access after unlock (Alpine)

Structure

slzs/
  alpine/    — Alpine Linux (mkinitfs)
  arch/      — Arch Linux (mkinitcpio)

Alpine Linux

Components

File        Location                         Description
slzs        /usr/sbin/slzs                   Main builder — generates the initramfs
slzs-enc    /usr/sbin/slzs-enc               Generates and encrypts keys.enc
safego      /sbin/safego                     Decrypts keys, unlocks LUKS, imports ZFS
go          /sbin/go                         Runs safego then gameover
gameover    /sbin/gameover                   Wipes keys and shuts down network/SSH
bootup      /sbin/bootup                     Continues normal boot after unlock
slzs.files  /etc/mkinitfs/slzs/features.d/   mkinitfs feature — includes sshd and openssl

Requirements

  • Alpine Linux with mkinitfs, zstd, cpio
  • ZFS pool as rootfs (root=ZFS=poolname/dataset in kernel cmdline)
  • LUKS-encrypted devices under the ZFS pool
  • keygen in PATH
  • openssh installed on the host

Setup

1. Build the initramfs

slzs

On first run, slzs generates /etc/slzs.conf with commented defaults and prompts for any missing values interactively.

This will:

  1. Detect the NIC module and network configuration
  2. Build the initramfs via mkinitfs
  3. Inject SSH host key, authorized_keys, keys.enc and unlock scripts
  4. Repackage and replace /boot/initramfs-<type>

2. Options

slzs [options]

  -v                  Verbose mode
  -a, --all           Process all kernels in /lib/modules
  --keep              Keep initramfs backup after update
  -k KERNEL_VERSION   Specify kernel version manually
  -i INIT_FILE        Specify custom initramfs-init script
  -c COMPRESSION      Compression type (default: zstd)
  -m MKINITFS_CONF    Path to mkinitfs.conf
  -s SSH_KEY          SSH host key (default: /etc/ssh/ssh_host_ed25519_key)
  -p PASSPHRASE       Passphrase for keys.enc
  --save              Save passphrase to /etc/mkinitfs/slzs/passphrase
  -V                  Show version
  -h                  Show help

Remote Unlock

At boot, connect via SSH and run:

go

go runs safego (unlock) then gameover (wipe keys + kill network/SSH).

Configuration

/etc/slzs.conf — generated on first run:

# DEFAULT_MKINITFS_CONF=/etc/mkinitfs/mkinitfs.conf
# DEFAULT_ENCRYPT_SCRIPT=/usr/sbin/slzs-enc
# DEFAULT_SCRIPTS_DIR=/etc/mkinitfs/slzs/scripts
# DEFAULT_SSH_KEY=/etc/ssh/ssh_host_ed25519_key
# DEFAULT_AUTHORIZED_KEYS=/etc/ssh/authorized_keys
# DEFAULT_COMPRESSION=zstd
# BACKUP_KEEP=n
# DEFAULT_AUTO_UNLOCK=no

Arch Linux

Components

File          Location                         Description
install/slzs  /usr/lib/initcpio/install/slzs   mkinitcpio build hook — generates keys.enc and /usr/bin/go
hooks/slzs    /usr/lib/initcpio/hooks/slzs     mkinitcpio runtime hook — calls /usr/bin/go at boot

Requirements

  • Arch Linux with mkinitcpio, openssl, cryptsetup, zfs-utils
  • ZFS pool as rootfs (root=ZFS=poolname/dataset in kernel cmdline)
  • LUKS-encrypted devices under the ZFS pool

Setup

1. Add hook to mkinitcpio.conf

Add slzs to your HOOKS array. slzs includes all ZFS and dm-crypt modules, so the zfs and encrypt hooks are not needed.

HOOKS=(... slzs)

Minimal working example:

HOOKS=(base systemd autodetect modconf block keyboard slzs)

2. Generate initramfs

mkinitcpio -p $kernel

On first run, install/slzs generates /etc/slzs.conf and prompts for any missing values interactively.

Configuration

/etc/slzs.conf — generated on first run:

# ZPOOL=<poolname>                 # optional, auto-detected from mount
# AUTO_UNLOCK=no                   # yes = embed passphrase in initramfs (obfuscated)
# PASSPHRASE=<passphrase>          # or:
# PASSPHRASE_FILE=/path/to/file
# USB_UUID=<uuid>                  # unlock via USB device
# USB_KEYFILE=/slzs/<pool_guid>    # path on USB (default: /slzs/<pool_guid>)

Unlock modes

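  • AUTO_UNLOCK=yes — passphrase embedded in initramfs, obfuscated with rev+base64, stored at a random path under /usr/lib/. rev+base64 is a reversible encoding, not encryption, so the passphrase is only as protected as the initramfs file itself.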
  • USB_UUID — passphrase read from a file on a USB device at boot
  • Both modes decrypt keys.enc, unlock LUKS, import ZFS and load the native encryption key automatically
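
An added example, not part of slzs: a POSIX sh audit of the files that, per this README, carry unlock secrets (/etc/slzs.conf, the passphrase file written by --save, and the initramfs images in /boot). The function names, the script name slzs-audit.sh and the policy of "no group/other access" are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit files that hold slzs unlock secrets. Paths and config keys
# are taken from the README; function names and the checks are assumptions.

# mode_of FILE -> octal permission bits (GNU/busybox stat, BSD stat as fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# too_open FILE -> succeeds when group or other has any permission on FILE
too_open() {
    m=$(mode_of "$1") || return 1
    case "$m" in 0|*00) return 1 ;; *) return 0 ;; esac
}

# conf_value KEY FILE -> value of the last uncommented KEY=value line, if any
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g"
}

# audit_slzs [ROOT] -> one finding per line; ROOT prefixes every path so the
# audit can run against a mounted image or a test tree instead of /
audit_slzs() {
    root=${1:-}
    conf="$root/etc/slzs.conf"
    if [ -f "$conf" ]; then
        if [ "$(conf_value AUTO_UNLOCK "$conf")" = yes ]; then
            echo "AUTO_UNLOCK=yes: passphrase is embedded in the initramfs"
        fi
        if [ -n "$(conf_value PASSPHRASE "$conf")" ]; then
            echo "PASSPHRASE set in $conf"
            if too_open "$conf"; then echo "PERMS: $conf"; fi
        fi
    fi
    # The initramfs carries keys.enc and, on Alpine, the injected SSH host key
    for f in "$root/etc/mkinitfs/slzs/passphrase" "$root"/boot/initramfs-*; do
        if [ -f "$f" ] && too_open "$f"; then echo "PERMS: $f"; fi
    done
    return 0
}

# Run against the live system only when executed directly as slzs-audit.sh
case "$0" in *slzs-audit.sh) audit_slzs "$@" ;; esac
```

Each PERMS line names a file that group or other can access; tightening it to mode 600 clears the finding.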

License

GPL-3.0-or-later