
5/12/2015, 18:20
How to lock a running Tails with a password

As cofounder of La Quadrature du Net (an NGO fighting for freedoms in the digital age, still waiting for your support ;) ), founder of Octopuce (my company) and more generally as a hacktivist, I often use Tails, a Linux distribution that tries to enhance the anonymity of our communications and our personal digital safety.

Tails is very useful, not only because it allows me to carry important elements of my digital life on a simple USB dongle, protected by a strong password, but also because it allows me to use the anonymisation network Tor in excellent conditions.

Sadly, I was missing an important feature, for me but also for all the hacktivists and journalists whose awareness I try to raise on digital freedom and personal data protection. It’s currently not possible to lock a running Tails and require a password to unlock it.

After an hour of research, I finally found a simple solution, allowing you to lock your running Tails with a password, so that you can go away from your computer for a few minutes without putting your personal data in danger.

How to enable the session locking in Tails

Disclaimer: I’m not sure this method is 100% efficient and won’t allow anyone to unlock your computer. Nobody is 100% sure in this digital world :/ If you find an issue with the way I lock my running Tails, please tell me by mail at (PGP 0xAECEF546EC8B0260) Thanks!

To enable session locking in Tails, you need a Tails USB dongle (the latest one!), preferably with persistence enabled, so that you can store the gnome-screensaver package there (to make it easier at the next boot).

If you don’t know how to enable persistence, please look at the Tails documentation.

After booting Tails, choose the country you want (US in my case): this changes the language of the interface and the keyboard map (here the qwerty US-international mapping).

Then, choose "Yes" when asked to choose detailed options, and "Next". Tails shows you a form where you can set an administrator password (for the "amnesia" account). Enter a passphrase twice here.

As usual, you’ll choose a long and unique passphrase, ideally a good sentence ;)

Then, connect to the Internet, either via Wi-Fi or by using an Ethernet cable, and wait until Tails tells you that Tor is ready to use.

Then, launch a terminal and type the following commands (they are explained below). The first two will ask for the administrator password you chose before booting.

sudo apt-get update
sudo apt-get install gnome-screensaver
gnome-screensaver
dconf write "/org/gnome/desktop/lockdown/disable-lock-screen" "false"

- sudo apt-get update: updates the list of available software packages in Tails, from the Debian GNU/Linux distribution on which Tails is based. This command WILL take time to complete (about 5 minutes) before you can move on to the next one.
- sudo apt-get install gnome-screensaver: installs the gnome-screensaver package, which provides the lock screen (a black screen) that asks for your password.
- gnome-screensaver: launches the newly installed software.
- dconf write "/org/gnome/desktop/lockdown/disable-lock-screen" "false": tells the Tails system that you want to be able to use the screen locking feature from gnome-screensaver.

Then, you can lock your screen by:

- typing Control + Alt + l (letter L)
- or by typing the command gnome-screensaver-command --lock in a terminal

Once locked, you need to move the mouse or type a key to see the password prompt. Enter your password to unlock the Tails system.
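A pre-flight check for the setup above, as an added example that is not part of the original article: before locking, it confirms the three things the lock depends on (a usable account password, the dconf key explicitly set to false, and the gnome-screensaver daemon running in this session). The function names are hypothetical, and it assumes that passwd -S reports the calling user's own status, as on Debian.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
LOCK_KEY="/org/gnome/desktop/lockdown/disable-lock-screen"

# The unlock prompt asks for the session user's password, so the account
# must have a usable one. Field 2 of `passwd -S` is P (usable password),
# L (locked) or NP (no password). Assumption: Debian's passwd lets a
# user query their own status without root.
has_usable_password() {
    [ "$(passwd -S 2>/dev/null | awk '{print $2}')" = "P" ]
}

# dconf prints nothing for a key that was never written, so only an
# explicit "false" counts as "lock screen allowed".
lock_screen_allowed() {
    [ "$(dconf read "$LOCK_KEY" 2>/dev/null)" = "false" ]
}

# Installing the package is not enough: the daemon must be running in this
# session. Match the full command line (-f), because the kernel truncates
# process names to 15 characters and "gnome-screensaver" has 17.
daemon_running() {
    pgrep -u "$(id -u)" -f '(^|/)gnome-screensaver( |$)' >/dev/null 2>&1
}

# Prints one line per failed check and returns the number of failures.
lock_preflight() {
    failures=0
    has_usable_password || { echo "FAIL: account has no usable password"; failures=$((failures + 1)); }
    lock_screen_allowed || { echo "FAIL: disable-lock-screen is not set to false"; failures=$((failures + 1)); }
    daemon_running || { echo "FAIL: gnome-screensaver is not running"; failures=$((failures + 1)); }
    return "$failures"
}

# Lock only when every check passes; otherwise report and leave unlocked.
safe_lock() {
    lock_preflight && gnome-screensaver-command --lock
}

# Run as: sh lock-check.sh --lock
if [ "${1:-}" = "--lock" ]; then
    safe_lock
fi
```

If any line starting with FAIL is printed, the screen was not locked and the session should not be left unattended.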

How can I do it next time?

If you enabled persistence on your Tails key, including the persistence of packages and of the package index, you’ll be able to do this operation a lot faster after boot, as follows:

sudo apt-get install gnome-screensaver
gnome-screensaver
dconf write "/org/gnome/desktop/lockdown/disable-lock-screen" "false"

With the first step removed, setting up the locking of Tails goes from 5 minutes to 1, and you don’t need to access the Internet either, since the .deb package of gnome-screensaver will already be available in your persistence folder!

I hope this tutorial will be useful. If you have any questions or requests, please write to (PGP 0xAECEF546EC8B0260) Thanks!