ShredOS: permanently configure nwipe certificate defaults for mass server wipes

[LuthorDevelopment]

❓ How to permanently embed company information into a ShredOS image for nwipe certificates?

🎯 Goal

We need to customize ShredOS so that the certificate information for nwipe (Business, Customer, Operator) is automatically defined at boot.
Our use case: wiping a large number of servers. Entering this information manually on every boot is not feasible.

❓ Question

👉 How can we permanently embed our company/customer/operator information into a ShredOS image, so that it is automatically included in every generated certificate?

Is there a supported way (config file, build option, etc.), or do we need to modify the initramfs inside the bzImage?

🔍 Attempts So Far

• We are using ShredOS v2024.11_27_x86-64_0.38 vanilla (.iso/.img).
• In this build, the root filesystem is not provided as a separate core.gz or rootfs.gz, but appears to be embedded inside the bzImage.
• We analyzed bzImage with binwalk and extracted several large blobs (52C4, 24955D9, 2516AB3, 300138A-0).
• file reports zlib compressed data for 300138A-0.
• We attempted to decompress/extract with:
  • zcat, gunzip, zlib-flate
  • Python zlib.decompress() with different modes
  • lz4, xz, zstd
• All these attempts failed with various errors (incorrect header, invalid block lengths, unsupported format, etc.).
• binwalk -y cpio showed no hits → CPIO header not detected.
• Hypothesis: the initramfs is compressed differently (raw deflate, lzma/xz, multi-stream, or a custom format).

Thanks for any help :-)

[PartialVolume]

Before I list the various ways to do this, can you confirm what boot medium you are using. USB stick or, as you are wiping servers, PXE?

[LuthorDevelopment]

Hello,

Sorry, I seem to have left out the most important part :D
I am trying to manipulate an image so that I can write it to multiple USB sticks and delete multiple servers in parallel. I have made attempts in collaboration with ChatGPT and Stackoverflow, but unfortunately have not achieved a working result.

[PartialVolume]

So to create a modified .img, this is the way I've done it in the past. Ignore the references to Ventoy and grub.cfg, instead of grub.cfg you can insert /etc/nwipe/nwipe.conf this works with whatever method you use to burn to a USB stick.

See the following link for the command details: https://github.com/PartialVolume/shredos.x86_64?tab=readme-ov-file#how-to-edit-the-shredos-efibootgrubcfg-and-bootgrubgrubcfg-files-when-using-ventoy-with-shredos-img-files

In summary, we take the original .img, then copy it block by block to a file, we mount the file as a virtual disc, we write the modified /etc/nwipe/nwipe.conf file onto this virtual disc. Then unmount the virtual disc and now you have your modified .img file to burn to USB flash drives.

To generate your modified nwipe.conf I would boot a vanilla ShredOS, add your organisation name and details, then control C. These organisation changes will be written back to the USB stick in /etc/nwipe/nwipe.conf. You can then use this nwipe conf file (and also the customers file, should you wish to add customers to that) in the above procedure to create your modified .img

This assumes you are familiar with the Linux command line and have a Linux system you can do this on.

If any of this is unclear or you run into difficulties let me know and I'll hopefully be able to help.

[LuthorDevelopment]

Hi,
Thank you very much for your quick and detailed response. Everything worked immediately without any problems, just as you described, but unfortunately the data was not filled in automatically. I implemented it as follows (with ChatGPT) and tested it on a small laptop.

How ze ShredOS with Your Own nwipe.conf

In order to pre‑configure ShredOS with your organization and customer details, you can directly modify the ShredOS .img file.
This avoids having to enter your details manually each time you boot ShredOS.
to Customi

Steps

# Copy file
cp shredos-2024.11_27_x86-64_0.38_20250123.img shredos-custom.img

# make work directory
mkdir mnt-shredos

#Mount the image with loopback and offset
sudo mount -o loop,offset=$OFFSET shredos-custom.img mnt-shredos

sudo mkdir -p mnt-shredos/etc/nwipe

sudo cp nwipe.conf mnt-shredos/etc/nwipe/nwipe.conf

sudo umount mnt-shredos

nwipe.conf

business="Example Consulting"
business-address="1234 Example Street, 1010 Example City"
business-contact="John Doe, +1 (555) 123-4567"

customer="Sample Customer Inc."
customer-address="5678 Customer Road, 2020 Customer City"
customer-contact="Jane Smith, [email protected]"

operator="Technician01"

ChatGPT put together some instructions for me, but as I said, unfortunately they didn't work.

If the .conf file works, should the information also be visible in the GUI when ShredOs is started? Or is it only used when creating the PDF after deletion?

Br

[PartialVolume]

I bet ChatGPT generated that nwipe.conf with an air of misplaced confidence :-)

Unfortunately it's got the strict formatting of nwipe.conf completely wrong. There MUST exist three groups as shown below, these are Organisation_Details : , PDF_Certificate : and Selected_Customer : .

The Selected_Customer : group is normally only populated after selecting the customer from within the nwipe menus. However, because Selected_Customer : is present in nwipe.conf, then it must also exist in /etc/nwipe/nwipe_customers.csv. See the example files below.

Instead of using chatGPT, you could have used ShredOS to generate the files for you. I created the files below by booting ShredOS, going into the config menu, selecting preview details and filling in all the fields. ESC or save to get back the the drive selection screen then Control C to exit nwipe. The nwipe.conf and nwipe_customers.csv get written back to /etc/nwipe/ on the USB stick you booted from. If the nwipe.conf and nwipe_customers.csv files don't already exist, nwipe will create them automatically and populate them with basic information.

Using your example, here's what nwipe.conf and nwipe_customers.csv should look like.

nwipe.conf

Organisation_Details : 
{
  Business_Name = "Example Consulting";
  Business_Address = "1234 Example Street, 1010 Example City";
  Contact_Name = "John Doe, +1 (555) 123-4567";
  Contact_Phone = "N/A";
  Op_Tech_Name = "Technician01";
};
PDF_Certificate : 
{
  PDF_Enable = "ENABLED";
  PDF_Preview = "DISABLED";
};
Selected_Customer : 
{
  Customer_Name = "Sample Customer Inc";
  Customer_Address = "5678 Customer Road, 2020 Customer City";
  Contact_Name = "Jane Smith, [email protected]";
  Contact_Phone = "";
};

nwipe_customers.csv

"Customer Name";"Contact Name";"Customer Address";"Contact Phone"
"Sample Customer Inc";"5678 Customer Road, 2020 Customer City";"Jane Smith, [email protected]";""
"Not Applicable";"Not Applicable";"Not Applicable";"Not Applicable"

[PartialVolume]

If the .conf file works, should the information also be visible in the GUI when ShredOs is started? Or is it only used when creating the PDF after deletion?

Yes, If nwipe.conf has the correct formatting it will be visible in the GUI when ShredOS is started, assuming you have selected the preview of organisation and customer details in the config menu. That's represented by PDF_Preview = "ENABLED"; being set to ENABLED rather than DISABLED in nwipe.conf.

PDF_Certificate : 
{
  PDF_Enable = "ENABLED";
  PDF_Preview = "ENABLED";

[PartialVolume]

One other comment, the contents of nwipe.conf's group and label names are case sensitive, if you get the case wrong or miss out any underscores it won't work.

[PartialVolume]

As I was curious, I just asked chatGPT the following question.

"Can you show me an example of the nwipe.conf configuration file as used by the open source program called nwipe?"

Here's ChatGPTs response...

Certainly! The nwipe.conf file is used to preconfigure the behavior of nwipe, an open-source data erasure tool (a fork of dwipe, which itself comes from DBAN). While nwipe is mostly driven via command-line or interactive terminal UI, it can accept configurations via nwipe.conf to preset options and automate behavior.

🧾 Example nwipe.conf File
Here is a typical example of what a nwipe.conf might look like:

# nwipe.conf - example configuration file

# Enable verbose output
verbose = yes

# Automatically start wiping when nwipe is launched
autonuke = no

# Use DoD 5220.22-M wipe method
method = dod5220

# Wipe all detected devices (use with extreme caution!)
wipeall = no

# If wipeall = yes, skip confirmation prompt (DANGEROUS!)
nowarn = no

# Verify after each pass
verify = yes

# Number of rounds (if applicable to method)
rounds = 3

# PRNG to use (random/random_device/urandom)
prng = random

# Wipe specific devices only
# (list of device paths, e.g. /dev/sdX)
device = /dev/sdb
device = /dev/sdc

This is nothing like nwipe.conf should be configured, although I suppose it qualified the statement by saying it 'might' look like this .. or not.

The formatting of nwipe.conf is completely wrong however the preamble about dwipe and that is command line driven and also has an interactive terminal user interface, is correct. It could have been more specific and said it uses a ncurses based user interface.

[LuthorDevelopment]

Thank you very much for your patience and your answers. With your help, I was able to finalize it and now have 5 finished USB sticks that I can use.

Best regards

[PartialVolume]

That's great. Glad you got it working and hope you find it useful.

[PartialVolume]

For what its worth, Google's Gemini (Chrome in AI mode) generated data that is pretty accurate on the first attempt, even including the config library we use.

Q: Show me an example of nwipe.conf as used by the opensource program called nwipe.

Nwipe's configuration file, /etc/nwipe/nwipe.conf, utilizes the libconfig library for its formatting. This typically involves key-value pairs organized within groups.

While the full range of configurable options in nwipe.conf is still under development, current versions mainly focus on storing PDF parameters. However, future releases are expected to include settings for default wiping parameters and other functionalities.
Here's an example structure you might see in a nwipe.conf file:

Organisation_Details :
{
    Business_Name = "Not Applicable (BN)";
    Business_Address = "";
    Contact_Name = "";
    Contact_Phone = "";
};

PDF_Settings :
{
    Generate_PDF = true;
    PDF_Output_Directory = "/var/log/nwipe_reports";
    Anonymize_Serial_Numbers = true;
};

This example demonstrates:
The use of groups like Organisation_Details and PDF_Settings to organize related settings.
Key-value pairs within those groups (e.g., Business_Name = "Not Applicable (BN)";).
Configuration options for generating PDF reports, including the output directory and whether to anonymize serial numbers.
Note: The exact options and their values may vary depending on the specific nwipe version you are using. Refer to the official nwipe documentation or man page for a comprehensive and up-to-date list of configuration options available for your version.