Locking your laptop or workstation while away from it is good security sense. Learn a number of different ways to do so, both on MS Windows and common open source Unix-like operating systems.
A common part of corporate workstation security policy is a requirement for employees to lock their workstations while away from their desks, as suggested in 5 tips to improve physical access security. This is not only good advice for the workplace. In fact, it is even better advice in some other circumstances, such as when using a laptop at a coffee shop.
There are many ways to do so. Each version of MS Windows has its own way to lock the system when the user is away, and open source Unix-like systems offer a number of different ways to do it as well. What follows is a quick survey of some of those methods of locking the system, focusing solely on screen locking rather than password-protected screen savers or logging out.
Open source tools for Unix-like systems are several and varied, offering options that meet the needs of different circumstances and tastes. The most common options are the BSD
lock utility and the separate, copyleft licensed
vlock utility for virtual console locking, and the
xlock tools for X session locking.
lock command appeared for the first time in 3.0BSD, decades ago, and some version of it has existed in the major BSD Unix systems that have been available ever since. The versions of
lock included in the base systems of FreeBSD, NetBSD, and OpenBSD differ slightly in the command line options they provide today.
All three of them lock a standard virtual console. FreeBSD's lock in particular, distributed under copyfree terms (a BSD License), behaves as follows, by default.
- It asks for a "key", or password, that can be used to unlock the terminal at any time.
- It locks the terminal for fifteen minutes, or until it is unlocked with that key -- whichever comes first.
-n option can be specified to disable the timeout value, or an alternate value can be specified with the
-t option. The
-p option specifies that it should use the current user's password as the key, rather than requiring a user-specified key. Finally, -v prevents the user from switching consoles, effectively locking the whole computer against any local access until either the lock expires or the correct key is entered.
The "suckless" project provides "quality software with a focus on simplicity, clarity, and frugality." The
slock utility in particular is an X display locker distributed under copyfree terms (MIT/X11 License). In the words of the suckless page for
Simple X display locker. This is the simplest X screen locker we are aware of. It is stable and quite a lot of people in our community are using it every day when they are out with friends or fetching some food from the local pub.
Its only command line option is
-v, which prints the software version and copyright to standard output. Any other command line options (such as
--foobar) provide the following usage information.
usage: slock [-v]
If executed without any options, it blanks the screen of your X session unless and until the password for the current user is entered at the keyboard. The common way to use it is to set a keyboard shortcut for it with whatever facility is provided by the window manager or with a third-party keyboard shortcut tool.
For those who are not lucky enough to have the
lock utility available as part of their favorite Unix-like system, or even for those who do but prefer to use something else to lock virtual consoles, there is a utility called
vlock that provides similar functionality and is distributed under copyleft terms (GPLv2). Similarly to the
lock command, it simply locks the current virtual console.
It does not support specifying a key, but only defaults to requiring the password of the current user. It also does not support a time limit on the lock the way the BSD Unix
lock utility does. Its command line option to alter default behavior is the
--all option, which will "Lock all console sessions and disable VC switching." The
--current option causes it to only lock the current session, which is default behavior. The
--help option provides a brief help message, while
--version prints the version number to standard output.
Another way to lock an X Window System session, besides the suckless project's
slock utility, is
xlock. It is a much more complex tool than
slock, with dozens of non-default behaviors that can be specified with command line options, including some fairly fine-grained control over screen saver behavior.
The full set of options can be found in the
xlock manpage. It is distributed under a simple, copyfree-style custom license:
Copyright (c) 1988-1991 by Patrick J. Naughton
Copyright (c) 1993-2005 by David A. Bagley
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
The original BSD daemon is Copyright (c) 1988 Marshall Kirk McKusick. All Rights Reserved.
DEC, HP, IBM, Linux, SCO, SGI, and Sun icons have their respective copyrights.
MS Windows systems:
MS Windows, being a GUI-centric OS, offers no virtual consoles -- and thus, no virtual console locking tools. Each release version of MS Windows has its own, relatively simple screen locking mechanism built in.
Windows 2000 and XP
- Give the three-finger salute:
- Select the "Lock Workstation" option.
In WinXP, the user can also hold down the Windows key on the keyboard (if the keyboard has one) and press the
<L> key. This keyboard shortcut will save a little bit of mousing around.
Windows Vista and 7
- Open the Start menu.
- Click the padlock icon.
Each of these approaches to locking the system has its limitations. For instance, locking the screen within the X Window System using
xlock does not prevent the user from switching to a virtual console and logging in there (though a valid user account is still needed to do anything in a virtual console that is not logged in), and neither
lock is well suited to use within an X session, except in the rare case of only wanting to lock a single terminal emulator's shell session.
Crashing or killing the GUI can have interesting effects, which differ depending on the specific OS version being used, for any GUI-specific screen locking tool.
Of all the mentioned options,
lock -nv (at least on FreeBSD) is probably the safest and most fully secured way to lock a system while away, with
vlock offering a suitable replacement where
lock is not available. Ultimately, the means of locking the screen of a computer while away from it is the user's responsibility, or the responsibility of policy makers in a corporate environment.
Of course, the safest option of all, as long as your system is set up properly, is to simply log out and turn off the computer.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.