Use your USB as security key in Linux


Have you ever had trouble remembering your password? Or have you ever wondered whether something physical could serve as a security key? If you have a USB flash drive lying around, you can use it to lock and unlock your Linux machine. In this guide, I'll explain how. The screen locks as soon as you unplug the USB drive and unlocks when you plug it back in.

Before getting into the how-to, let’s just check the pros and cons of using a USB drive as a key:

Pros:

  1. You don’t have to remember your password.
  2. Having a hardware key eliminates the problem of storing the password and/or using a password manager.

Cons:

  1. It can be a problem if you lose your key.
  2. The USB drive will occupy a port on your PC.
  3. Anyone with a USB drive of the same model can unlock your PC. So, please, do not use this method as a replacement for more secure locks. This is for educational purposes only.

Enough talking. Let’s get into the guide:

Before you start, your Linux machine should be running systemd. Unless you are using an old distro or an init-based distro like Devuan, systemd should be the default. The method can be adapted to other init systems, but the script below relies on systemd's loginctl, so it will need modification there.

So, how does it work? It makes use of udev, the device manager for Linux. Whenever a device is plugged in or unplugged, udev emits an event; with udev rules you can match those events and run a command in response.

First, you have to get the vendor and product ID of the USB drive. Plug it in and run lsusb.

From the output, find your drive. Here's the output on my machine:

Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 8087:07dc Intel Corp.
Bus 001 Device 004: ID 13d3:5727 IMC Networks
Bus 001 Device 003: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 001 Device 028: ID 03f0:5607 Hewlett-Packard
Bus 001 Device 027: ID 18d1:4ee7 Google Inc.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

In my case, the USB drive is from HP, so the 5th entry is mine, and its ID is 03f0:5607.

The first part (03f0) is the vendor ID and the second part (5607) is the product (device) ID. Keep them noted.

Now, as root, create a new file named 80-usb.rules in /etc/udev/rules.d/ directory and paste these lines –

ACTION=="add", SUBSYSTEMS=="usb", ATTR{idVendor}=="<vendor-id>", ATTR{idProduct}=="<device-id>", RUN+="/usr/local/bin/usb-lock.sh unlock"
ACTION=="remove", SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="<vendor-id>", ENV{ID_MODEL_ID}=="<device-id>", RUN+="/usr/local/bin/usb-lock.sh lock"

Replace <vendor-id> and <device-id> with the IDs of your USB drive. The remove rule matches udev's ENV properties rather than ATTR because the device's sysfs attributes are no longer available once it has been unplugged.
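Here is an added shell example (not part of the original post) that pulls the vendor:product ID out of lsusb output and writes the rule pair above. It optionally binds the rules to the drive's USB serial string via ATTR{serial} (add event) and ENV{ID_SERIAL_SHORT} (remove event), which narrows the match from "any drive of this model" to one specific drive. The lsusb listing and the serial value are constructed placeholders; on a real machine use the live lsusb output and the serial reported by udevadm info.

```shell
#!/bin/sh
# Constructed lsusb output in the same shape as the listing above.
# On a real machine replace this with: lsusb_output=$(lsusb)
lsusb_output='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 028: ID 03f0:5607 Hewlett-Packard
Bus 001 Device 027: ID 18d1:4ee7 Google Inc.'

# usb_id_for <name fragment>: print "vendor:product" of the first lsusb line
# whose description (everything after the ID field) contains the fragment.
usb_id_for() {
	printf '%s\n' "$lsusb_output" | awk -v frag="$1" '
		{ desc = ""; for (i = 7; i <= NF; i++) desc = desc (i > 7 ? " " : "") $i }
		index(desc, frag) { print $6; exit }'
}

# udev_rules <vendor:product> [serial]: emit the add/remove rule pair from the post.
# With a serial, the add rule also requires ATTR{serial} and the remove rule
# ENV{ID_SERIAL_SHORT}, so only the drive carrying that serial string matches,
# not every drive of the same model (the third con listed above).
udev_rules() {
	vid=${1%%:*}
	pid=${1#*:}
	add_extra=""
	rm_extra=""
	if [ -n "$2" ]; then
		add_extra=", ATTR{serial}==\"$2\""
		rm_extra=", ENV{ID_SERIAL_SHORT}==\"$2\""
	fi
	printf 'ACTION=="add", SUBSYSTEMS=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s"%s, RUN+="/usr/local/bin/usb-lock.sh unlock"\n' \
		"$vid" "$pid" "$add_extra"
	printf 'ACTION=="remove", SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s"%s, RUN+="/usr/local/bin/usb-lock.sh lock"\n' \
		"$vid" "$pid" "$rm_extra"
}

# Example run: locate the HP drive and print rules bound to a constructed serial.
# Redirect the output into /etc/udev/rules.d/80-usb.rules as root to install it.
id=$(usb_id_for Hewlett-Packard)
udev_rules "$id" "SERIAL-PLACEHOLDER"
```

Some drives report an empty or non-unique serial, in which case the serial clause adds nothing; check what your drive exposes before relying on it.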

Now, create the usb-lock.sh file in /usr/local/bin/ directory (you might need root permission), and paste this –

#!/bin/bash
user='<username>'   # replace <username> with your login name
# Collect every session ID belonging to that user. loginctl prints columns
# SESSION UID USER SEAT ..., so an exact match on column 3 avoids picking up
# other users whose names merely contain yours.
sessions=$(loginctl list-sessions --no-legend | awk -v u="$user" '$3 == u { print $1 }')
case "$1" in
	lock)
		for s in $sessions; do loginctl lock-session "$s"; done
		;;
	unlock)
		for s in $sessions; do loginctl unlock-session "$s"; done
		;;
	*)
		echo "usage: $0 lock|unlock" >&2
		exit 1
		;;
esac

Replace <username> on the 2nd line with your username.

Make sure the file is executable –

chmod +x /usr/local/bin/usb-lock.sh

And you're done. You don't have to reboot, as udev automatically picks up changes to rule files, but if it doesn't work, you can reload the rules with –

sudo udevadm control --reload

Or just reboot.

That’s it. Now you can use your USB key instead of your password.

NOTE: When the machine boots up, you'll still have to provide your password for the first login; the USB key only locks and unlocks an existing session.