echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf

l1tf=off mds=off mitigations=off no_stf_barrier noexec32=off noexec=off noibpb noibrs nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2

/usr/bin/compton --backend glx --paint-on-overlay --vsync opengl-swc

/usr/share/lightdm/lightdm.conf.d/01_debian.conf
[SeatDefaults]
autologin-user=root
/etc/pam.d/lightdm-autologin
#auth      required pam_succeed_if.so user != root quiet_success

/sbin/rmmod pcspkr

browser.bookmarks.max_backups
browser.newtabpage.directory.ping
browser.newtabpage.directory.source
browser.safebrowsing.blockedURIs.enabled
browser.tabs.animate
browser.tabs.showAudioPlayingIcon
datareporting.policy.dataSubmissionEnabled
extensions.blocklist.enabled
extensions.getAddons.cache.enabled
extensions.update.enabled
gfx.downloadable_fonts.enabled
lightweightThemes.update.enabled
mousewheel.default.delta_multiplier_x
mousewheel.default.delta_multiplier_y
mousewheel.default.delta_multiplier_z
network.captive-portal-service.enabled
network.dns.disablePrefetch
network.prefetch-next
permissions.memory_only
reader.parse-on-load.enabled
security.nocertdb
toolkit.telemetry.unified

wget -O firefox.tar.bz2 --no-check-certificate "https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-GB"

dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin

Modify /etc/crypttab by changing …

sda1_crypt UUID=xxxx.......... none luks,discard

… to …

sda1_crypt UUID=xxxx......... /crypto_keyfile.bin luks,discard,keyscript=/bin/cat

Create crypto_keyfile and place in /etc/initramfs-tools/hooks with …

#!/bin/sh
cp /crypto_keyfile.bin "${DESTDIR}"

Make the file executable and regenerate the ramdisk …

chmod 755 /etc/initramfs-tools/hooks/crypto_keyfile
update-initramfs -u -k all

Confirm that the keyfile has been inserted in the ramdisk …

lsinitramfs $(ls /boot/initrd.img-*) | grep keyfile