
Resetting /etc/machine-id every boot


The /etc/machine-id and /var/lib/dbus/machine-id files can potentially be used to fingerprint a system over the long term: they hold a random 128-bit id that is generated once and then stays fixed for the life of the installation, surviving reboots, address changes and reinstalled applications, and they are world-readable, so any local program can use them as a stable per-installation identifier. Some will argue that this is merely FUD, but it really isn't. The key word here is *potentially*.

There may be no indication that these files are actively being used in a malicious capacity by anyone (or anything), but the fact that they can be used that way should be enough for someone who cares about their privacy to take steps to at least minimize this potential threat.

The dead-simple solution


Luckily, the solution is as simple as can be: remove the files at shutdown so that they get re-created at boot time. On a systemd system, PID 1 writes a fresh /etc/machine-id early in boot whenever the file is missing (see machine-id(5)); on other systems the dbus init script's "dbus-uuidgen --ensure" regenerates /var/lib/dbus/machine-id. Obviously, the better solution would be to not have the file at all, but some programs rely on it, and it always gets created at boot if it doesn't exist.

Removing the files at shutdown is trivial with the help of a simple init script. Do note that some software requires this id to stay the same across reboots. systemd-journald is the main one: it keeps its journal under /var/log/journal/<machine-id>/, so a new id every boot means a fresh journal directory each time and no easy way to read the previous boots' logs. systemd itself also treats a missing /etc/machine-id as a first boot (ConditionFirstBoot=) and re-applies its unit presets. So if you wish to benefit from this script, alternatives to such programs will have to be used.

A small script


This is a simple sysvinit script that can easily be converted to the runit or OpenRC style.

Note: I will eventually create init scripts for runit and OpenRC, but only when I have the time to actually test them. I will not share untested scripts.


#!/bin/sh
### BEGIN INIT INFO
# Provides:          rm-machineid
# Required-Start:
# Required-Stop:     $local_fs
# Default-Start:
# Default-Stop:      0 6
# Short-Description: remove machine-id at shutdown so it is regenerated at boot
# Description:       deletes /etc/machine-id and /var/lib/dbus/machine-id
### END INIT INFO

# Required-Stop: $local_fs orders the stop action before the local filesystems
# are unmounted, so the root filesystem is still writable when we delete.

do_stop() {
    echo "removing machine-id"

    # on non-systemd systems, /etc/machine-id doesn't exist (normally);
    # rm -f is quiet about a missing file, so no test is needed. On some
    # distributions the dbus file is a symlink to the /etc one, and rm on a
    # symlink only removes the link, so both names are removed explicitly.
    rm -f /etc/machine-id
    rm -f /var/lib/dbus/machine-id
}

case "$1" in
    stop)   do_stop ;;
    start)  echo "invalid option" ;;   # never called: Default-Start is empty
    *)      echo "Usage: $0 stop" >&2; exit 1 ;;
esac

You can also download the script here: https://raw.githubusercontent.com/RagnarokOS/src/master/base/etc/init.d/rm-machineid

This script should be added to the shutdown and reboot runlevels (usually 0 and 6). On Debian-style sysvinit, "update-rc.d rm-machineid defaults" reads the LSB header and creates only the K links in /etc/rc0.d and /etc/rc6.d; afterwards "ls /etc/rc0.d /etc/rc6.d | grep machineid" should show them. Check too that the script is ordered before the unmount scripts, otherwise the removal silently fails on a read-only root.
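As an added example (my own code, not the page's init script or anything from the RagnarokOS repository), here is a POSIX sh helper that performs the same removal under an arbitrary root, so it can be dry-run in a scratch directory, and adds the check a practitioner will want: it stores a SHA-256 of the outgoing id at shutdown and, at the next boot, confirms that the freshly generated id is different. The state path /var/lib/rm-machineid/last-id.sha256 is my own choice and not something the page or any distribution defines; the sample ids in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the page's init script. Works under any root so it
# can be exercised in a scratch directory; the default root is "/".
# The state file path is my own convention (assumption), not anything the
# page or a distribution defines.

MACHINE_ID_FILES="etc/machine-id var/lib/dbus/machine-id"

# Print the first valid machine-id found under root $1 (32 lowercase hex
# digits, the format both systemd and dbus-uuidgen write); return 1 if none.
read_machine_id() {
    root=${1:-/}
    for f in $MACHINE_ID_FILES; do
        [ -s "$root/$f" ] || continue
        if tr -d '\n' < "$root/$f" | grep -E '^[0-9a-f]{32}$'; then
            return 0
        fi
    done
    return 1
}

# SHA-256 of a string, as a bare hex digest.
digest() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Shutdown side: remember a digest of the outgoing id (never the id itself),
# then delete both files. rm -f on a symlink removes only the link, which is
# why both names are removed rather than relying on one covering the other.
# Returns 1 if either file survived (for example on a read-only root).
reset_machine_id() {
    root=${1:-/}
    state=${2:-$root/var/lib/rm-machineid/last-id.sha256}
    id=$(read_machine_id "$root") || id=""
    mkdir -p "$(dirname "$state")" || return 1
    digest "$id" > "$state"
    for f in $MACHINE_ID_FILES; do
        rm -f "$root/$f"
        if [ -e "$root/$f" ] || [ -L "$root/$f" ]; then
            return 1
        fi
    done
    return 0
}

# Boot side: 0 if the regenerated id differs from the one seen at shutdown,
# 1 if it is the same (the reset silently failed), 2 if there is nothing to
# compare (no state file, or no id present yet).
verify_machine_id_changed() {
    root=${1:-/}
    state=${2:-$root/var/lib/rm-machineid/last-id.sha256}
    [ -s "$state" ] || return 2
    id=$(read_machine_id "$root") || return 2
    if [ "$(digest "$id")" = "$(cat "$state")" ]; then
        return 1
    fi
    return 0
}
```

Call reset_machine_id from the stop branch of the init script and verify_machine_id_changed once at boot, after dbus has started. A return of 1 at boot means something put the old id back (a stop script ordered after the unmount, or a service that re-creates the file from a cached copy), which is exactly the failure that would otherwise go unnoticed; the digest is of no use to anyone who does not already hold the old id, but it can be deleted once the check has run.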

Final note


Distributions like Devuan, Tails and Whonix already take care of regenerating machine-id every boot, so this script is not necessary if you're using one of them. There may be other distributions doing the same thing, so refer to their own docs to see if they do. I can only confirm that Debian does not, and it's highly likely that any distribution that uses systemd (and systemd-journald) does not either.