vlock

Lock current virtual console session

$ vlock

$ vlock [[-c|--current]]

$ vlock [[-a|--all]]

$ vlock [[-h|--help]]

$ vlock [[-v|--version]]

vlock [options]
vlock -a [options]
vlock -u [options]

-a, --all
    Locks all virtual consoles. Only the console from which vlock was invoked can be unlocked. This option typically requires root privileges.

-c, --current
    Locks only the current virtual console. This is often the default behavior if no other console options are specified.

-n, --no-beep
    Suppresses the audible beep sound that typically occurs when an incorrect password is entered.

-s, --silent
    Does not print the "Password:" prompt to the console, which can be useful when scripting or integrating vlock into automated processes.

-u, --unlock-all
    Unlocks all previously locked virtual consoles. This option typically requires root privileges or the password of the user who initiated the lock.

-o owner, --owner owner
    Specifies the owner for the lock file. This is an advanced option and not commonly used in typical console locking scenarios.

-d descriptor, --descriptor descriptor
    Specifies the descriptor for the lock file. Similar to -o, this is an advanced option for specific use cases.

vlock is a powerful yet straightforward command-line utility in Linux, specifically designed to secure one or all virtual consoles (TTYs). Its primary function is to prevent unauthorized access to an active console session. When you execute vlock, it prompts you for a password—either your user password or the root password, depending on the command's options and your system's configuration. Upon successful authentication, vlock effectively freezes the console, disabling all keyboard and mouse input until the correct password is re-entered. This makes it an indispensable tool in multi-user environments, protecting your open applications, shell sessions, and data when you step away from the physical machine. Unlike graphical screen lockers that secure desktop environments, vlock operates at the foundational virtual console level, making it a robust security measure for text-based interfaces.

vlock is designed exclusively for virtual consoles (text-mode TTYs); it offers no protection for graphical desktop environments (e.g., Xorg, Wayland). For securing graphical sessions, users should employ dedicated screen lockers provided by their desktop environment or tools like xscreensaver. Using -a (lock all) or -u (unlock all) typically requires root privileges. A regular user running vlock without these flags can usually only lock and unlock their own current console.

While effective at preventing casual access to a physical console, vlock is a basic security measure and not designed to thwart sophisticated attacks. An attacker with physical access might bypass vlock through system reboot, removal of power, or other hardware-level interventions. It provides a deterrent against opportunistic peeking rather than an impenetrable barrier.

When a non-root user executes vlock without the -a or -u options, it typically locks only their current console and can be unlocked using their own user password. However, to lock or unlock all available virtual consoles, vlock generally requires root privileges, often invoked with sudo, to ensure system-wide control.

vlock has been a consistent and reliable utility within the Linux ecosystem for many years. It is often included as part of the kbd package, which encompasses various tools for managing the keyboard and console. Its development has focused on maintaining a simple yet effective mechanism for basic console security, with its core functionality remaining largely unchanged over time.

login(1), chvt(1), kbd_mode(1), screen(1), tmux(1), xscreensaver(1)