Package: dracut Version: 059-1 Severity: normal Dear Maintainer,
since version 059-1, dracut defaults to building a generic initrd. Unfortunately, the generic initrd means that it is not possible to switch from initramfs-tools to dracut on a system which uses an encrypted root FS without further configuration steps. For example, installing Debian in a VM using a recent (testing) Debian installer image, and opting for the guided partitioning, with an encrypted root fs, the system will end up with a configuration which looks something like this: /etc/crypttab: <dev>_crypt UUID=<some_uuid> none luks,discard /etc/fstab: /dev/mapper/<some_LVM_LV> / ext4 <options> /boot/grub/grub.cfg: linux /vmlinuz-6.0.0-6-amd64 root=/dev/mapper/<some_LVM_LV> ro quiet Now, after switching to dracut, the new initrd which is built will not contain the necessary configuration to actually setup the "<dev>_crypt" device, since autoconfiguration (rd.auto) is disabled and a hostonly initrd (which would include a custom /etc/crypttab in the initrd) is not built. The result is an initrd which will hang waiting for /dev/mapper/<some_LVM_LV> to show up, and which will eventually time out. A workaround for now is to change /etc/default/grub: GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1" And then run "update-grub". This, however, means that the name of the crypt device will change from "<dev>_crypt" (as specified in /etc/crypttab) to "luks-<some_uuid>", which will result in ugly error messages during boot (that's mostly cosmetic though) since systemd will fail to setup the device "<dev>_crypt". That, in turn, can be fixed by changing /etc/crypttab from: <dev>_crypt UUID=<some_uuid> none luks,discard so that it reads: luks-<some_uuid> UUID=<some_uuid> none luks,discard (I think that part might need changes to debian-installer, which might anyway be a good idea, since the luks-<uuid> naming provides a stable name). A further problem with building the generic initrd is that custom crypt addons (like the fido2 support) won't be included in the initrd even if fido2 is defined in /usr/lib/dracut/modules.d/90crypt/module-setup.sh ("fido2-device=auto"). I'm not 100% sure what the best way to address this would be, but I think (hope) it should be easier to switch from initramfs-tools to dracut, even when using an encrypted root FS. Cheers, David Härdeman