Situation: A Desktop Linux (eg. Debian, Xfce desktop, Lightdm login) with LUKS-encrypted partitions (as far as possible, eg. Efi files are not encrypted of course).
The computer is in sleep mode (not hibernate, ie. Luks in unlocked and key in RAM).
Now a thief steals the computer and wants to find a way in.
- Anything that involves turning it off will of course not help because of the disk encryption.
- Installing hardware keyloggers, replacing Bootloader/Efi with something maliciours, and similar things won’t help because the owner knows it is stolen and it can’t be trusted.
- Elaborate attacks that eg. read the keys directly from RAM through some means are outside of the thiefs capabilities and/or a risk that the owner takes for being able to use sleep instead of shutdown.
- That leaves the risk that the login screen (of LightDM) can be bypassed somehow, given the already running Desktop behind it.
My question is, what things I do need to be aware to prevent this?
Following points I already know:
- Switching terminals (CtrlAltFn).
- It the GUI is started with startx, this allows to get an TTY where the user is logged in already. However there is no such TTY when using LightDM.
- There is also a GUI screen which just displays “This session is locked, will switch to login in few seconds” (or similar message). However it doesn’t appear that there is an easy way to break out from that.
- X Server has a DontZap config option which allows to kill X with the shortcut CtrlAltBackspace. This might help in the “locked” screen or even Lightm, however it is disabled by default, so no problem.
- There is another X shortcut CtrlAlt* (star) (config AllowClosedownGrabs) which kills all processess that hold a “lock” (whatever lock this means). This too is disabled by default.
- Kernel SysRQ shortcut F for OOM killer. Can be disabled, and maybe the two GUIs are among the processes protected against it (I tried about 50 times and and failed to kill LightDM, just not sure about the exact reason).
What other risks might be there in 2018?