physlock
Lock console and disable input
TLDR
Lock every console (require current user or root to unlock)
Mute kernel messages on console while locked
Disable SysRq mechanism while locked
Display a message before the password prompt
Fork and detach physlock (useful for suspend or hibernate scripts)
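The "mute kernel messages" and "disable SysRq" items above concern two kernel settings, kernel.printk and kernel.sysrq. The script below is an added example, not part of physlock or of the original page: it decodes both values so that the state before a lock can be compared with the state during one. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not physlock code): read-only report of the two kernel
# settings behind "mute kernel messages" and "disable SysRq".

# Decode a kernel.sysrq value into the function groups it leaves enabled.
# Bit meanings follow the kernel's admin-guide/sysrq documentation.
sysrq_groups() {
    mask=$1
    case "$mask" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
        0) echo "none"; return 0 ;;
        1) echo "all"; return 0 ;;
    esac
    out=""
    for pair in 2:loglevel 4:keyboard 8:debug-dumps 16:sync \
                32:remount-ro 64:signal-processes 128:reboot 256:rt-nice; do
        bit=${pair%%:*}
        if [ $(( $mask & $bit )) -ne 0 ]; then
            out="${out:+$out,}${pair#*:}"
        fi
    done
    echo "${out:-none}"
}

# kernel.printk holds four numbers; the first is the console loglevel.
# Only messages with a priority number below it reach the console.
console_loglevel() {
    set -- $1
    case "$1" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    echo "$1"
}

# Summarise one (sysrq, printk) pair, e.g. sampled before and during a lock.
lock_exposure() {
    grp=$(sysrq_groups "$1") || { echo "sysrq=invalid"; return 1; }
    lvl=$(console_loglevel "$2") || { echo "printk=invalid"; return 1; }
    if [ "$lvl" -eq 0 ]; then msgs="muted"; else msgs="below-$lvl"; fi
    echo "sysrq=$grp kmsg=$msgs"
}

# Constructed samples: a distro-style default, then SysRq off and console muted.
lock_exposure 176 "4 4 1 7"
lock_exposure 0 "0 4 1 7"
# Live values, if this kernel exposes them.
if [ -r /proc/sys/kernel/sysrq ] && [ -r /proc/sys/kernel/printk ]; then
    lock_exposure "$(cat /proc/sys/kernel/sysrq)" "$(cat /proc/sys/kernel/printk)" || true
fi
```

Run it from a remote session once before locking and once while the lock is held; a difference between the two live lines shows which of the two options was in effect.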
SYNOPSIS
physlock [options]
PARAMETERS
-p, --prompt TEXT
Sets the prompt text displayed to the user when the console is locked.
-t, --timeout SECONDS
Specifies an unlock timeout in seconds. If no input is received within this time, the system can be configured to take a specific action (e.g., suspend).
-u, --users USERS
A comma-separated list of users who are allowed to unlock the console. Defaults to root and the current user.
-s, --suspend
Suspends the system (to RAM) after successfully locking the console. This is a very common use case for physlock.
-f, --force-suspend
Forces system suspend, even if the underlying console locking command fails. Use with caution.
-L, --lock-command COMMAND
Specifies the command to execute for locking the console. Defaults to vlock --all.
-U, --unlock-command COMMAND
Specifies a command to execute immediately before the console is unlocked.
-e, --exec-on-unlock COMMAND
Executes the specified command immediately after successful unlock.
-x, --exit-on-unlock
Exits physlock after successful unlock (this is often the default behavior).
-c, --clear-screen
Clears the screen before displaying the lock prompt, ensuring no previous output is visible.
-D, --disable-dpms
Disables DPMS (Display Power Management Signaling) while the console is locked, preventing the screen from turning off.
-d, --debug
Enables debug output, which can be useful for troubleshooting issues.
-h, --help
Displays a help message with command usage and options, then exits.
-v, --version
Displays the version information for physlock, then exits.
DESCRIPTION
physlock is a lightweight utility designed to securely lock a physical console (TTY) on a Linux system, often used in conjunction with suspend or hibernation operations. Unlike graphical screen lockers, physlock operates at the console level, preventing unauthorized access to the TTYs when the system resumes.
It acts as a wrapper around underlying console locking mechanisms like vlock, ensuring that a password is required before the console can be used again. This is particularly useful for systems configured with full disk encryption (e.g., LUKS), where the console might otherwise be accessible without re-entering the passphrase after a suspend-to-RAM operation. Its primary goal is to maintain physical security for the console, especially when the system is in a low-power state.
CAVEATS
- physlock primarily targets physical console (TTY) locking and is not a graphical screen locker. For X11 or Wayland sessions, use dedicated graphical lockers like i3lock or gnome-screensaver.
- It typically relies on external utilities like vlock to perform the actual console locking. Ensure these utilities are installed and functional on your system.
- Effective console locking usually requires root privileges or appropriate capabilities to interact with TTY devices securely.
- While useful for preventing unauthorized access after suspend, physlock does not encrypt or protect data in RAM during suspend-to-RAM operations. For that, consider suspend-to-disk (hibernate) with full disk encryption.
TYPICAL USE CASE WITH SUSPEND
A common scenario for physlock is to integrate it with system suspend/hibernate. For example, a systemd service or a custom script can be configured to execute physlock --suspend just before the system goes to sleep. Upon resume, physlock will present a password prompt, requiring authentication before the console becomes usable again. This significantly enhances security for systems with disk encryption, as it prevents bypassing the encryption passphrase simply by suspending and resuming.
HISTORY
physlock was developed to address a critical security gap in Linux systems that utilize full disk encryption (like LUKS) and suspend to RAM. Without a console locker, resuming from suspend could expose an unprotected console, potentially allowing unauthorized access to the system without re-entering the disk encryption passphrase. physlock emerged as a simple, effective solution to bridge this gap, often integrated into system suspend hooks or pre-suspend scripts, ensuring that the console is locked before the system enters a low-power state.
SEE ALSO
vlock(1), systemctl(1), cryptsetup(8), i3lock(1), slock(1)