Title: Automatically lock screen on OpenBSD using xidle and xlock
Author: Solène
Date: 30 July 2021
Tags: openbsd security
Description: 

# Introduction

For security reasons I like when my computer screen get locked when I'm
away and forgot to lock it manually or when I suspend the computer. 
Those operations are usually native in desktop managers such as Xfce,
MATE or Gnome but not when you use a simple window manager.

Yesterday, I was looking at the xlock man page and found
recommendations to use it with xidle, a program that triggers a command
when we don't use a computer.  That was the match I required to do
something.

# xidle

xidle is simple, you tell it about conditions and it will run a
command.  Basically, it has three triggers:

* no activity from the user after $TIMEOUT
* cursor is moved in a screen border or corner for $SECONDS
* xidle receives a SIGUSR1 signal

The first trigger is useful for automatic run, usually when you leave
the computer and you forget to lock.  The second one is a simple way to
trigger your command manually by moving the cursor at the right place,
and finally the last one is the way to script the trigger.

xidle man page, EXAMPLES section showing how to use it with xlock

xlock man page

# Using both

Reusing the example given in xidle it was easy to build the command
line.  You would have to use this in your ~/.xsession file that contain
instructions to run your graphical session.  The following command will
lock the screen if you let your mouse cursor in the upper left corner
of the screen for 5 seconds or if you are inactive for 1800 seconds (30
minutes), once the screen is locked by xlock, it will turn off the
display after 5 seconds.  It is critical to run this command in
background using "&" so the xsession script can continue.

```shell commands
xidle -delay 5 -nw -program "/usr/X11R6/bin/xlock -dpmsstandby 5" -timeout 1800 &
```

# Resume / Suspend case

So, we currently made your computer auto locking after some time when
you are not using it, but what if you put your computer on suspend and
leave, this mean anyone can open it and it won't be locked.  We should
trigger the command just before suspending the device, so it will be
locked upon resume.

This operation is possible by giving a SIGUSR1 to xidle at the right
time, and apmd (the power management daemon on OpenBSD) is able to
execute scripts when suspending (and not only).

apmd man page, FILES section about the supported operations running scripts

Create the directory /etc/apm/ and write /etc/apm/suspend with this
content:

```shell script
#!/bin/sh

pkill -USR1 xidle
```

Make the script executable with chmod +x /etc/apm/suspend and restart
apmd.  Now, you should have the screen getting locked when you suspend
your computer, automatically.

# Conclusion

Locking access to a computer is very important because most of the time
we have programs opened, security keys unlocked (ssh, gpg, password
managers etc...) and if someone put their hands on it they can access
all files.  Locking the screen is a simple but very effective way to
prevent this disaster to happen.