On a normal Zorin desktop, I wouldn’t recommend fully randomizing machine-id. It’s a local system identifier used by systemd and D-Bus, not a tracking ID, and changing it can break services.
Yes, if you want an ephemeral ID, the GRUB systemd.machine_id=uninitialized option is the least disruptive.
For stronger fingerprint resistance, Whonix or a VM fits that threat model better.
That makes sense. Just to clarify though, machine-id is only exposed on the local system. It isn’t broadcast directly on the network. NetworkManager may hash it for DHCP client IDs, but that’s not the raw ID and can be disabled or overridden without touching machine-id itself.
Chrome can read it locally, but that doesn’t mean it’s sent as a stable network identifier. For public Wi-Fi tracking, random MAC plus a custom DHCP client ID is the cleaner fix. Rotating machine-id is heavy-handed and risks breakage without any gains in privacy.
For example, some captive portal (I don’t want to disclose which exactly) still knows that it is me even after MAC randomization is complete. Only manual regeneration of machine-id helped, so after some research, I think the problem is the DHCP ID.
@jessy, thank you for posting about “machine-id”. I have read about this, and I was considering using the Whonix UUID in my next rebuilds.
To my dismay, both Arkenfox (hardened Firefox) and Chromium displayed the “machine-id”: file:///etc/machine-id
This is where it gets interesting. I checked three installations of Linux Mint v21.1, and all three show an identical UUID for “/etc/machine-id”. These were manually built with no cloning or time-saving shortcuts.
I double-checked my installation document, and I have made no changes to “machine-id”. I think Linux Mint was already doing this for me. Searching this UUID turns up hits for only Linux Mint forum postings.
I wonder if Zorin is doing something similar.
I was genuinely surprised that Arkenfox was not blocking reading “machine-id”. As I was poking at this, and before I realized that Linux Mint was probably hard coding a value (not the same one used by Whonix), I was considering adding to the Firejail profile a block to the paths necessary to read it by Arkenfox.
I think I will leave my “machine-id” at the Linux Mint default.
Thanks again for reminding me to dig deeper into the topic.
This ID uniquely identifies the host. It should be considered “confidential”, and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. That way the ID will be properly unique, and derived in a constant way from the machine ID but there will be no way to retrieve the original machine ID from the application-specific one. The sd_id128_get_machine_app_specific(3) API provides an implementation of such an algorithm.
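The keyed-hash derivation described in the quoted man page text, as an added Python example that is not part of the original thread and is not systemd's own code. It uses HMAC-SHA256 keyed by the machine ID over the application ID; the truncation to 128 bits and the UUID v4 marking are assumptions about how systemd formats the result, and all machine and application IDs below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not real hosts or registered application IDs).
MACHINE_A = "0123456789abcdef0123456789abcdef"
MACHINE_B = "fedcba9876543210fedcba9876543210"
APP_BROWSER = "5f3c1d2e4b6a47988a7b6c5d4e3f2a1b"
APP_SYNC = "a1b2c3d4e5f647a8b9c0d1e2f3a4b5c6"


def _parse_id128(text: str, what: str) -> bytes:
    """Parse a 128-bit ID given as 32 hex digits (dashes tolerated)."""
    try:
        raw = bytes.fromhex(text.strip().replace("-", ""))
    except ValueError:
        # Also covers a file that holds the literal word "uninitialized".
        raise ValueError(f"{what} is not a hex ID") from None
    if len(raw) != 16:
        raise ValueError(f"{what} must be exactly 128 bits")
    if raw == bytes(16):
        raise ValueError(f"{what} must not be all zeros")
    return raw


def app_specific_id(machine_id_hex: str, app_id_hex: str) -> str:
    """Derive a per-application ID so the raw machine ID is never exposed."""
    machine_id = _parse_id128(machine_id_hex, "machine ID")
    app_id = _parse_id128(app_id_hex, "application ID")
    # Machine ID is the HMAC key, the fixed application ID is the message.
    digest = hmac.new(machine_id, app_id, hashlib.sha256).digest()
    out = bytearray(digest[:16])          # assumption: truncate to 128 bits
    out[6] = (out[6] & 0x0F) | 0x40       # assumption: mark as UUID version 4
    out[8] = (out[8] & 0x3F) | 0x80       # assumption: RFC 4122 variant bits
    return out.hex()


def read_machine_id(path: str = "/etc/machine-id") -> str:
    """Read the local machine ID; raises OSError if the file is missing."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    for app in (APP_BROWSER, APP_SYNC):
        print(app, "->", app_specific_id(MACHINE_A, app))
```

Two applications on the same host get unrelated IDs, and an identical machine-id shared by many installations yields identical derived IDs as well, so the derivation hides the raw value but does not add uniqueness.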
@jessy, Linux Mint v21.1 Cinnamon, whether booted normally or with the ISO into the live environment, shows the same “machine-id” of the following: e7d0df732b0649e49e97a4d764308014
This confirms that I have made no changes and that Linux Mint uses a ‘standardized’ value, at least for this version and edition of Linux Mint (not Debian Edition). To clarify, I am seeing the same “machine-id” on both QEMU-KVM guests and real iron. Additionally, the same “machine-id” is seen on multiple instances of real iron. Linux Mint appears to be following a similar methodology to Whonix.
I am curious if you find similar behavior with Zorin.
@MarshallJFlinkman I realize I am not the intended recipient of this post or question, but I do run 4 instances of Zorin 17.3: two desktop towers and two laptops (a Lenovo Thinkpad and a Dell Latitude).
I was not aware of this file before this discussion, so if any changes have been made to them, they were not intentional by me. I’m assuming then that each of them is the “default”.
With that being said, each machine is showing a different and unique (I added the “unique” part to clarify that I see no sequential ordering to it) machine-id.
@benowe1717, thank you for testing with Zorin. I suppose this indicates that Linux Mint’s implementation of “machine-id” is either truly a bug or it is a privacy design choice. Optimistically, I will choose the latter.