I have Ubuntu 19.10 with full disk encryption. The encryption is effective as long as the system is turned off or restarted. Otherwise the data is unencrypted behind a locked screen, which may not be very secure.

I wish to protect against:

  1. mechanisms that bypass screen lock (I have disabled SysRq, but there might be other ways too)
  2. cold boot attacks
  3. attacks through DMA, network, WiFi/Ethernet, physical ports, etc

What's the best way to proceed? Can I have a home encryption on top of full disk encryption, and set the screen lock such that the same password will unlock and decrypt the home drive (I don't want to enter two passwords)?

Is there any secure screen lock (no bug, no vulnerability against X11 crashes, etc)?

The OS + encryption should be able to protect the system 100 percent (except for cold boot attacks which mostly aren't practical: the data rapidly deteriorates).

eli

1 Answer

Based on my understanding, what you're looking for is a combination of a few different things that are likely too broad for a single question.

This should give you an idea of how to encrypt on suspend in Linux.

> Is there any secure screen lock (no bug, no vulnerability against X11 crashes, etc)?

Nothing is totally secure and immune from bugs or vulnerabilities. I would shop around and weigh different options. One thing to keep in mind is that you may face incompatibility issues between a custom lock screen application and your desktop environment (if applicable).

> Can I have a home encryption on top of full disk encryption, and set the screen lock such that the same password will unlock and decrypt the home drive (I don't want to enter two passwords)?

This will depend on the implementation of your particular lock screen and encryption setup.

Protecting against cold boot attacks and physical port access or tampering are whole other issues with plenty of material written on them at your fingertips. You'll gain more traction by doing some research on each, picking out specific areas you want clarification on and asking them as separate questions.

Joshua Murphy