\u00a0<\/em>mode into a hibernation mode after a preset period\u00a0of time. In our example, we’ll use 300 seconds (five minutes). Hibernate mode is a deeper sleep, where the system commits its memory contents to disk and shuts down the processor. Until the system is in hibernate mode, you’ll be able to unlock the device with your fingerprint, which we don’t want. From a terminal window, run the following commands to adjust the various sleep and hibernate timers:<\/p>\nsudo pmset -a standbydelay 300\r\nsudo pmset -a standby 1\r\nsudo pmset -a networkoversleep 0\r\nsudo pmset -a sleep 0\r\nsudo pmset -a autopoweroffdelay 300\r\nsudo pmset -a autopoweroff 1\r\nsudo pmset -a womp 0<\/pre>\nAlso setting womp<\/em> to 0 keeps network from keeping the system awake.<\/p>\nNext, there is a parameter named\u00a0hibernatemode\u00a0<\/em>that is a bit of a misnomer; it more or less determines how sleep behaves, rather than how hibernate behaves. Changing this\u00a0alters the behavior of sleep mode\u00a0in a wonderful way if you want the computer to almost instantly enter hibernate mode (< 60 seconds).. When set to the value\u00a025<\/em>, this parameter will cause macOS to remove power to\u00a0the RAM to go into a “safe sleep” mode instead of regular sleep mode, which thwarts future cold boot attacks against the system.<\/p>\nsudo pmset -a hibernatemode 25<\/pre>\nOnly do this if you want to enter hibernation in around 60 seconds, instead of 5 or 10 minutes. If you want the longer grace period, use the default value of 3.<\/p>\n
sudo pmset -a hibernatemode 3<\/pre>\nThe default does not remove power to the RAM during sleep, but will still cut power to it\u00a0for hibernate mode, which is what you’ll want if you need a five or ten minute grace period. During the grace period, your system will still be getting juice to the RAM (so that you can unlock with your fingerprint, and quickly restore state), so it’ll be susceptible to a cold boot attack until it hits hibernate later on. A firmware password can help mitigate this concern.<\/p>\n
Lastly, a hidden setting named\u00a0DestroyFVKeyOnStandby<\/em> can be set that will cause hibernate mode to destroy the File Vault keys from memory (or stored memory), effectively locking the encryption of the system.<\/p>\nsudo pmset -a DestroyFVKeyOnStandby 1<\/pre>\nWith all of these put into place, you can now put your system on a timed lockdown. Here’s how it works:<\/p>\n
\n- The user presses the sleep button on the Touch Bar<\/li>\n
- The screen immediately locks, the system goes to sleep and a five minute timer starts<\/li>\n
- If the user unlocks the machine within the five minute period, all services are restored and they can use their fingerprint to authenticate<\/li>\n
- Once the timer expires, the system transitions from sleep mode to hibernate mode<\/li>\n
- Upon entering hibernate mode, power is removed from the RAM and the File Vault keys are destroyed in memory<\/li>\n
- When the user wakes the machine, they will be prompted for their password in order to unlock File Vault<\/li>\n
- Once the user has authenticated with a password, they will be prompted a second time to authenticate with their fingerprint (or password); this is the restored state from when the system was first locked<\/li>\n<\/ol>\n
This type of setup works well in the workplace, where you may walk away from your machine often, or while in public or any other venue where you may temporarily leave your system for a short period, but are concerned about physical security. If you are a political dissident or someone else who may be targeted, using this system provides a convenient way to manage your system to keep the fingerprint reader useful, but also lock down if an unexpected\u00a0event occurs and your devices are physically compromised.<\/p>\n
You can restore all power management defaults in\u00a0<\/em>System Preferences<\/em> if you decide to back out of this configuration, and of course depending on your level of paranoia, you may wish to adjust the hibernate timer to one minute or ten, to your liking.<\/p>\nIf you don’t have a Touch Bar, no sweat. You can configure sleep using hot corners or a hotkey. It’s not quite as easily accessible in an emergency, but does the job. This also works by simply closing the lid.<\/p>\n","protected":false},"excerpt":{"rendered":"
The new Touch Bar is often marketed as a gimmick, but one powerful\u00a0capability it has is to function as a lockdown mechanism for your machine in the event of a physical breach. By changing a few power management settings and customizing the Touch Bar, you can add a button that will instantly lock the machine’s screen\u00a0and\u00a0then begin a countdown (that’s configurable, e.g. 5 minutes) to lock down the entire system, which will disable the fingerprint reader, remove power to the RAM, and\u00a0discard your FileVault keys, effectively locking the encryption, protecting you from cold boot attacks, and prevent the system from being unlocked by a fingerprint.<\/p>\n
One of the reasons you may\u00a0want to do this is to allow the system to remain live while you step away, answer the door, or run to the bathroom, but in the event that you don’t come back within a few minutes, lock things down. It can be ideal for the office, hotels, or anywhere you feel that you feel your system may become physically compromised. This technique offers the convenience of being able to unlock the system with your fingerprint if you come back quickly, but the safety of having the system secure itself if you don’t.<\/p>\n
Read More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,14],"tags":[],"class_list":["post-6705","post","type-post","status-publish","format-standard","hentry","category-apple","category-security"],"_links":{"self":[{"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6705"}],"version-history":[{"count":0,"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/6705\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zdziarski.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/www.zdziarski.com\/blog\/wp-content\/uploads\/2017\/01\/Screen-Shot-2017-01-17-at-4.46.55-PM.png\")
<\/a><\/p>\n