Configuring the Touch Bar for System Lockdown

The new Touch Bar is often marketed as a gimmick, but one powerful capability it has is to function as a lockdown mechanism for your machine in the event of a physical breach. By changing a few power management settings and customizing the Touch Bar, you can add a button that will instantly lock the machine’s screen and then begin a configurable countdown (e.g. 5 minutes) to lock down the entire system. The lockdown disables the fingerprint reader, removes power to the RAM, and discards your FileVault keys, effectively locking the encryption, protecting you from cold boot attacks, and preventing the system from being unlocked by a fingerprint.

One of the reasons you may want to do this is to allow the system to remain live while you step away, answer the door, or run to the bathroom, but in the event that you don’t come back within a few minutes, lock things down. It can be ideal for the office, hotels, or anywhere you feel your system may become physically compromised. This technique offers the convenience of being able to unlock the system with your fingerprint if you come back quickly, but the safety of having the system secure itself if you don’t.

To configure this, we’ll first add a sleep button to the Touch Bar, then look to command-line power management settings to customize its behavior.

Adding a sleep button to the Touch Bar is pretty straightforward. Launch System Preferences, then click on Keyboard. At the bottom of the window is a button labeled Customize Control Strip.

To add a sleep button to the Touch Bar, choose which of the four existing buttons you can live without. Most people choose the Siri button, because it’s accessible from both the Dock and the menu bar as well. Drag the icon labeled Sleep from the window onto the Siri button on the Touch Bar, and the button will turn into a sleep button. If you would also like a screen lock that does not perform any lockdown function while on AC power, you can also drag the Screen Lock button onto the Touch Bar, and use that when you don’t want a lockdown (it may still lock down on battery, as the system will sleep whenever it’s on battery). Once you’re finished customizing the Touch Bar, click Done.

OK! So we’ve got a sleep button on the Touch Bar – this is our future lockdown button; it can be triggered a lot faster than holding down the power button, and even better, will be able to lock down the system without losing all your work.

By default, however, putting the machine to sleep on its own doesn’t really lock anything down, and you can still unlock it with your fingerprint when it wakes, so next we’re going to need to change the system’s sleep behavior. There are a number of hidden knobs that can be set on the command-line to change how power management behaves on sleep.

We need to set a few different options. First, we need the system to go from sleep mode into a hibernation mode after a preset period of time. In our example, we’ll use 300 seconds (five minutes). Hibernate mode is a deeper sleep, where the system commits its memory contents to disk and shuts down the processor. Until the system is in hibernate mode, you’ll be able to unlock the device with your fingerprint, which we don’t want. From a terminal window, run the following commands to adjust the various sleep and hibernate timers:

sudo pmset -a standbydelay 300
sudo pmset -a standby 1
sudo pmset -a networkoversleep 0
sudo pmset -a sleep 0
sudo pmset -a autopoweroffdelay 300
sudo pmset -a autopoweroff 1
sudo pmset -a womp 0

Setting womp to 0 also disables Wake for network access, so network activity can’t wake the system or keep it awake.

Next, there is a parameter named hibernatemode that is a bit of a misnomer; it more or less determines how sleep behaves, rather than how hibernate behaves. Changing this alters the behavior of sleep mode in a wonderful way if you want the computer to almost instantly enter hibernate mode (< 60 seconds). When set to the value 25, this parameter will cause macOS to remove power to the RAM and go into a “safe sleep” mode instead of regular sleep mode, which thwarts future cold boot attacks against the system.

sudo pmset -a hibernatemode 25

Only do this if you want to enter hibernation in around 60 seconds, instead of 5 or 10 minutes. If you want the longer grace period, use the default value of 3.

sudo pmset -a hibernatemode 3

The default does not remove power to the RAM during sleep, but will still cut power to it for hibernate mode, which is what you’ll want if you need a five or ten minute grace period. During the grace period, your system will still be getting juice to the RAM (so that you can unlock with your fingerprint, and quickly restore state), so it’ll be susceptible to a cold boot attack until it hits hibernate later on. A firmware password can help mitigate this concern.

Lastly, a hidden setting named DestroyFVKeyOnStandby can be set that will cause hibernate mode to destroy the FileVault keys in memory (and in the stored memory image), effectively locking the encryption of the system.

sudo pmset -a DestroyFVKeyOnStandby 1
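Because these settings are easy to lose (a reset to defaults in System Preferences, or a later pmset command, silently undoes them), it helps to have a check that confirms the profile is still in place. The following shell script is an added example, not part of the original post: it reads the output of `pmset -g custom` and reports every setting that differs from the profile configured above. The function and variable names and the sample pmset output are constructed for this example; the only assumption about pmset is its one-setting-per-line `key value` output format under the “Battery Power:” and “AC Power:” headers.

```shell
# Added example: audit `pmset -g custom` output against the lockdown profile
# from the post and report any setting that drifted. Run offline against the
# constructed sample, or on a real Mac:  pmset -g custom | check_lockdown_profile

# Target values taken from the pmset commands above (hibernatemode 25 variant).
LOCKDOWN_PROFILE="standbydelay=300 standby=1 networkoversleep=0 sleep=0 autopoweroffdelay=300 autopoweroff=1 womp=0 hibernatemode=25 DestroyFVKeyOnStandby=1"

# Constructed sample of `pmset -g custom` output (not captured from a real
# machine). It is deliberately one step short of the profile: hibernatemode is
# still the default 3, so RAM stays powered during plain sleep.
SAMPLE_PMSET_OUTPUT='Battery Power:
 standbydelay         300
 standby              1
 networkoversleep     0
 sleep                0
 autopoweroffdelay    300
 autopoweroff         1
 womp                 0
 hibernatemode        3
 DestroyFVKeyOnStandby 1
AC Power:
 standbydelay         300
 standby              1
 networkoversleep     0
 sleep                0
 autopoweroffdelay    300
 autopoweroff         1
 womp                 0
 hibernatemode        3
 DestroyFVKeyOnStandby 1'

# Read pmset output on stdin. Print one line per deviation (for every power
# source the key appears under) and return 1 if anything deviates or is missing.
check_lockdown_profile() {
    lp_input=$(cat)
    lp_status=0
    for lp_pair in $LOCKDOWN_PROFILE; do
        lp_key=${lp_pair%%=*}
        lp_want=${lp_pair#*=}
        lp_found=0
        # Match the key as the first field only, so header lines are skipped
        # and a trailing "(sleep prevented by ...)" note does not matter.
        for lp_have in $(printf '%s\n' "$lp_input" | awk -v k="$lp_key" '$1 == k { print $2 }'); do
            lp_found=1
            if [ "$lp_have" != "$lp_want" ]; then
                printf '%s: is %s, want %s\n' "$lp_key" "$lp_have" "$lp_want"
                lp_status=1
            fi
        done
        if [ "$lp_found" -eq 0 ]; then
            printf '%s: not reported by pmset\n' "$lp_key"
            lp_status=1
        fi
    done
    return $lp_status
}

# Stand-alone demo against the constructed sample: reports the hibernatemode drift.
printf '%s\n' "$SAMPLE_PMSET_OUTPUT" | check_lockdown_profile \
    || echo "lockdown profile is not fully applied"
```

Source the script in a shell and pipe live output into `check_lockdown_profile`; a non-zero exit status means at least one setting is off, which makes the check easy to wire into a login hook or a periodic job. If you chose the default hibernatemode of 3 for the longer grace period, change that one value in LOCKDOWN_PROFILE.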

With all of these put into place, you can now put your system on a timed lockdown. Here’s how it works:

  1. The user presses the sleep button on the Touch Bar
  2. The screen immediately locks, the system goes to sleep and a five-minute timer starts
  3. If the user unlocks the machine within the five-minute period, all services are restored and they can use their fingerprint to authenticate
  4. Once the timer expires, the system transitions from sleep mode to hibernate mode
  5. Upon entering hibernate mode, power is removed from the RAM and the FileVault keys are destroyed in memory
  6. When the user wakes the machine, they will be prompted for their password in order to unlock FileVault
  7. Once the user has authenticated with a password, they will be prompted a second time to authenticate with their fingerprint (or password); this is the restored state from when the system was first locked

This type of setup works well in the workplace, where you may walk away from your machine often, or while in public or any other venue where you may temporarily leave your system for a short period, but are concerned about physical security. If you are a political dissident or someone else who may be targeted, this setup provides a convenient way to keep the fingerprint reader useful while still locking the system down if an unexpected event occurs and your devices are physically compromised.

You can restore all power management defaults in System Preferences if you decide to back out of this configuration, and of course depending on your level of paranoia, you may wish to adjust the hibernate timer to one minute or ten, to your liking.

If you don’t have a Touch Bar, no sweat. You can configure sleep using hot corners or a hotkey. It’s not quite as easily accessible in an emergency, but does the job. This also works by simply closing the lid.