See also #5684.

Tails is currently lacking a screen locker and this has been a frequent feature request. For example, as Tails is been adopted more and more by journalists, they want to be able to leave their computer unattended in their office to go to the toilets for a minute and have their screen locked.

How do other live distributions do that?

  • Knoppix
    • No password whatsoever → not possible to lock (or unlock!)
    • http://www.linux-magazine.com/Online/Features/Getting-Started-with-Knoppix-7.3
    • Base: Debian
    • Desktop: KDE
    • Might be interested in our solution.
  • Grml
    • Already have a custom script called grml-lock which is a wrapper around vlock that asks for a password on first use.
    • Base: Debian
    • Desktop: fluxbox
  • Jondo Live
    • Ask for user password on boot, then I didn't find a way of locking the screen xlock. No xlock.
    • Base: Debian
    • Desktop: XFCE
  • Kali
    • Lock screen through GNOME and the default 'toor' password.
    • Base: Debian
    • Desktop: GNOME
    • Low interest in our solution as Kali is not mainly used in live environment.
  • Tanglu
    • Lock screen through GNOME and the default 'live' password.
    • Base: Debian
    • Desktop: GNOME
  • Debian Live
    • Lock screen through GNOME and the default 'live' password.
    • Base: Debian
    • Desktop: GNOME

Which password to use?

It is already possible to set an administration password from Tails Greeter, and we could reuse it for unlocking the screen. But we also need a solution for when no administration password has been set.

During the 201412 monthly meeting we proposed to prompt for a password before locking the screen for the first time, if there is no administration password.

How to activate it?

  • Through the better power off button (#5322).
  • Through the usual GNOME shortcut: Meta+L
  • If a password has been set already:
    • Automatically after X minutes of idle.
    • When closing the lid.

Implementation

An initial implementation was started in feature/better power off button, and reverted since it turned out to be more complicated than originally thought. This implementation and the problems listed below were discussed on the tails-dev ML in November 2012.

Ideas to implement the password prompt before the first locking:

  • Use a different PAM config for the screensaver
  • Turn the admin password into the root one, and use the user password's as the locker's one.