Grub Live Machine-id Randomization Feature

I want to propose adding a feature for machine-id randomization for Grub Live to be done by a Dracut hook?

My guess is /etc/ and /var/lib/dbus are not populated until pivot_root to the squashfs overlay. If yes, then the hook would have to run pre_pivot and empty the machine-id (: > /etc/machine-id), then symlink the newly generated machine-id (ln -sf /etc/machine-id /var/lib/dbus/machine-id).

Since people aren’t going to be doing updates in Live Mode, I don’t see any conflicts with the previous discussions mentioning anon-base-files breakage in Whonix?

See my other thread here → Machine-id doesn't change in Live Mode?


Notes

Systemd documentation explicitly classifies it as confidential information that must not be exposed in untrusted environments, especially over networks, due to its potential for host tracking.

https://www.freedesktop.org/software/systemd/man/latest/machine-id.html

  • Enhanced Session Anonymity and Anti-Tracking in Live Mode

Each Live boot would generate a fresh, unique machine-id, breaking continuity for any tracking relying on it.

Aligns with the amnesic goals of RAM-only mode: no persistent identifiers survive a reboot.

  • Improved Anti-Forensics and Compromise Resistance

Post compromise, attackers cannot link Live sessions to prior/persistent ones via the machine-id in memory dumps, journalctl logs, or cached D-Bus data, as the ID resets per boot. No indication of cloned systems.

Machine-id: b08dfa6083e7567a1921a715000001fb (Persistent Modes)

Machine-id: 4f3cec3bc757ec94a18b5b885a6738a5 (Non-Persistent Mode)
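A sketch of the pre_pivot hook described in the proposal, as an added example; it is not code from this thread or from Whonix/Kicksecure. It assumes the standard dracut layout: pre-pivot hooks are sourced after the real root is mounted at $NEWROOT (normally /sysroot) and before switch_root, so the paths are taken relative to that directory rather than the initramfs's own /etc. The function name, its root-directory argument and the file name reset-machine-id.sh are choices made for this example. Truncating /etc/machine-id rather than deleting it leaves systemd to generate a fresh random id at boot; note that systemd also takes an empty machine-id as its first-boot marker, so units gated on ConditionFirstBoot= will run on each Live boot.

```shell
#!/bin/sh
# Added example, not Whonix/Kicksecure code: dracut pre-pivot hook that
# resets the machine-id of the root about to be pivoted to, so systemd
# generates a fresh random id on every Live boot.
#
# dracut sources pre-pivot hooks with the real root mounted at $NEWROOT
# (usually /sysroot), which is why every path below is prefixed with the
# root directory instead of touching the initramfs's own /etc.

reset_machine_id() {
    # Root directory to operate on; defaults to dracut's $NEWROOT.
    _root="${1:-${NEWROOT:-/sysroot}}"

    [ -d "$_root/etc" ] || return 1

    # Truncate instead of delete: systemd reads an empty /etc/machine-id as
    # "uninitialized" and writes a newly generated id into it at boot.
    : > "$_root/etc/machine-id" || return 1

    # D-Bus keeps its own copy in /var/lib/dbus; replace it with a symlink to
    # /etc/machine-id so both always agree. The link target is absolute
    # because it is resolved after the pivot, from inside the new root.
    mkdir -p "$_root/var/lib/dbus" || return 1
    ln -sf /etc/machine-id "$_root/var/lib/dbus/machine-id" || return 1

    # Report success only if the id really is empty now.
    [ -f "$_root/etc/machine-id" ] && [ ! -s "$_root/etc/machine-id" ]
}

# Only act when sourced by dracut inside the initramfs (NEWROOT is set);
# reading the file anywhere else just defines the function above.
if [ -n "$NEWROOT" ] && [ -d "$NEWROOT/etc" ]; then
    reset_machine_id "$NEWROOT" || echo "reset-machine-id: failed" >&2
fi
```

The hook would be shipped from a dracut module's module-setup.sh with inst_hook pre-pivot 50 "$moddir/reset-machine-id.sh". The root-directory argument exists so the function can be exercised against a scratch directory without booting an initramfs; in the real hook it is simply $NEWROOT.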

Not planned.

Because this is really difficult. Details here:

2 Likes

hide-hardware-info.service

Thanks, I was not aware of the existence of this experimental feature.
In the big picture, is machine-id really small when it comes to “Local Non-Deterministic Artifacts”?
If so, I could see randomizing it being a small priority then.

Given Dracut’s modular nature, it wouldn’t be entirely impossible to implement, would it? And would it be worth it if it were possible?

1 Like

Randomizing the machine ID in live mode would be theoretically easy. It’s just not something we really want to do since it would only chip one small piece out of a much larger problem that we aren’t equipped to tackle in its entirety.

1 Like

Whonix:

For a related wiki page on identifiers, see: Protocol Leak Protection and Fingerprinting Protection.

Discussions:

1 Like