emerg-shutdown immediately and forcibly powers off the system if the boot drive is removed or a "panic" key combo is pressed. When used in combination with full disk encryption, it is a powerful tool to prevent data theft by physically present attackers.

Overview

Some of Kicksecure's security features require the system to be powered off to be effective. For instance, Full Disk Encryption only works if an attacker cannot gain access to the encryption key used to lock the disk. This key is stored in RAM while the system is powered on and running normally. If an attacker can gain physical access to the machine while the key is in RAM, they can likely extract the data on the disk or even the key itself. Disk encryption is therefore not reliable unless the system is powered off when an attacker gains access to it.

If a user has to defend against an adversary that may become physically present without warning and take control of the system, they must power the system down as quickly as possible after the adversary arrives. However, traditional shutdown mechanisms are insufficient for a number of reasons:

They are oftentimes cumbersome to access (Start Menu → Power button → Shut Down → Yes), greatly reducing the chances that a user (especially a panicking user) will be able to use them in a timely fashion.
Even if a user can initiate a normal shutdown quickly enough, systemd may take an excessive amount of time to finish powering off the machine, allowing the adversary to initiate a cold boot attack or similar before the machine fully powers off.
Desktop machines can be physically unplugged to quickly power them off, but laptops generally will remain powered on even when AC power is lost, and removing the battery from most modern laptops is not a task that can be performed quickly.

emerg-shutdown solves these problems by allowing a user to instantly power off the system by removing the boot drive or by pressing a "panic" key combo.

emerg-shutdown is installed and enabled by default on Kicksecure 18 and higher. It is part of the security-misc package.

Usage

Warning: This is for testers-only!

Due to a few known issues, this is for testers only.

When emerg-shutdown is enabled, the system may be immediately shut down by doing one of the following actions:

Press the emergency key combo (by default ++).^[1] This shortcut is recognized by emerg-shutdown as a "panic button" and will cause the system to be forcibly shut down.
Unplug the drive or eject the disc the system was booted from (only applicable when booting from a live ISO or a USB installation). emerg-shutdown will detect the drive removal and will forcibly shut down the system in response.^[2]

Both of these actions are expected to be fast and easy to do even in high-stress situations, while also being difficult to do by accident.

emerg-shutdown can also be used in scripts, programs, and system services to trigger an immediate shutdown. Running /run/emerg-shutdown --instant-shutdown as root will cause the system to be forcibly shut down.^[3]

emerg-shutdown prioritizes shutdown speed over avoiding data loss. The system will be powered off immediately, without taking the time to sync disks, unmount filesystems, or properly terminate applications. This will cause loss of unsaved data. If disks are mounted writable, it may also cause file corruption and filesystem damage. emerg-shutdown should be used only in emergencies or when testing. It should not be used as a general system shutdown mechanism.

Known issue:

emerg-shutdown bypasses ram-wipe. This may make cold boot attacks easier. A normal shutdown is therefore more secure if an attacker is not physically present. Of course, emerg-shutdown should be used if an attacker is physically present, because quick shutdown is more important than explicitly wiping memory contents in this scenario.

This will likely be fixed in the next version.

If a normal shutdown is started (for instance by using LXQt's "Shut Down" feature, shutdown now, poweroff, or similar), systemd will kill the emerg-shutdown process. Therefore, emerg-shutdown cannot be used to power off the system if it hangs during shutdown, and it may not work if an attacker arrives after you have already started shutting down the system.

A future version is planned to add an ensure-shutdown feature.

Configuration

The emergency key combination in emerg-shutdown may be configured by placing a file under /etc/security-misc/emerg-shutdown or /usr/local/etc/security-misc/emerg-shutdown. See /etc/security-misc/emerg-shutdown/30_security_misc.conf for details.

The list of supported keys is hardcoded in the emerg-shutdown source code, in the key_table variable. See /usr/src/security-misc/emerg-shutdown.c. Additional keys may be added to this list in the future if necessary.

Forum Discussions

Footnotes

↑ Why ++? Originally ++ was used as the panic key, but other applications such as systemd may interpret this shortcut, and a more powerful ++ handler may be added to Kicksecure in the future. ++ is the keyboard shortcut used by Windows Remote Desktop Connection to send ++ to a remote system (https://serverfault.com/a/57233), so it was considered suitable as an "alternate ++".
↑ emerg-shutdown's core executable supports a --paranoid option that will cause an immediate shutdown if any device is removed from the system. This may be useful in the future for users who need the system to shut down even if they unplug the "wrong" device. There is currently no configuration option to enable this mode.
↑ This requires root access because otherwise it would make denial-of-service attacks trivial. The usual methods of triggering emerg-shutdown don't require the ability to log in as root, but they do not pose a denial-of-service risk because they require a physically present user.

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2026 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] Why ++? Originally ++ was used as the panic key, but other applications such as systemd may interpret this shortcut, and a more powerful ++ handler may be added to Kicksecure in the future. ++ is the keyboard shortcut used by Windows Remote Desktop Connection to send ++ to a remote system (https://serverfault.com/a/57233), so it was considered suitable as an "alternate ++".

[2] emerg-shutdown's core executable supports a --paranoid option that will cause an immediate shutdown if any device is removed from the system. This may be useful in the future for users who need the system to shut down even if they unplug the "wrong" device. There is currently no configuration option to enable this mode.

[3] This requires root access because otherwise it would make denial-of-service attacks trivial. The usual methods of triggering emerg-shutdown don't require the ability to log in as root, but they do not pose a denial-of-service risk because they require a physically present user.

[1]

[2]

[3]

emerg-shutdown - Instantly Power Off the System

Contents

Overview

Usage

Configuration

Forum Discussions

Footnotes

Navigation menu

emerg-shutdown - Instantly Power Off the System

Overview

Usage

Configuration

Forum Discussions

Footnotes

Navigation menu

Search