In the interest of maximizing battery life, I’ve set up suspend-then-hibernate on my laptop. Using a discrete window manager, so I have a systemd unit that locks the screen when I close the lid. After an hour, it automatically goes into hibernation.
All is well, until I have to boot up from hibernation. I’m prompted to unlock LUKS, then I’m hit with a redundant lock screen once resumed. I’ve tried setting up systemd units referencing suspend-then-hibernate.target and hibernate.target, but I can’t get it to kill the screen locker when resuming from hibernation only, so I don’t have to type in my password twice. Is there any way to have systemd discriminate between the suspend and hibernate parts of suspend-then-hibernate?
You don’t want anything like what you’re attempting.
Instead, look into Clevis. Pair it with your TPM, and set it to handle the lower level LUKS challenge. Learn about it to understand the tradeoffs in security, but it’s going to be more secure than what you’re attempting.
This is for a SeaBIOS system without functional TPM.
Could you explain this? I do not see how it would compromise the security model since the lock screen would be dismissed only after the LUKS password is entered. The screenlocker is only relevant when suspended to RAM as the LUKS key is no longer in RAM once hibernated.
I am using
slock
, which is separate from my session manager (startx
in~/.profile
), and in my testing, I was able to kill it without issue.If killing your lock screen unlocks the system, that signals there is actually little protection. Killing a lock screen should kill the session and log you out, or at least render the session unusable.
If you still want to go that route, you could wrap your hibernation process in a script or use a slightly more complex service setup to kill it once, by inspecting system/service state and enqueued systemctl operations, you determine hibernation is done (not pending)
If you don’t care about the session manager password challenge, then set it to allow you to automatically login. Then you only have the LUKS challenge, and if you’re comfortable with that, go for it.