Auto-Reboot

[!toc] Table of Contents

Because all encrypted devices store their encryption keys in their RAM after you first entered the device password during the start up, bad actors could try to read your encryption keys out of the RAM, even when your device is just screen locked.

[!technical] What is RAM?

In very short, the RAM is a very fast memory device, that has one important feature for us: it loses all data, when the power is turned off!

Because of this, we want to automatically turn off our devices to clear our encryption keys from the RAM.

Automatic reboot can be configured on all PC platforms and some Android devices. Instructions for the native functions of the various platforms are provided below. No additional programs need to be installed.

PC

Linux

On Linux, you can use crontab for automatic jobs such as auto reboot. For example, to set the PC to restart every morning at 4 a.m.:

• Open Terminal (Command Line)
• Enter this command in the terminal: sudo crontab -e

An editor will now open (or you will need to select one, TIP: select nano)

• Paste the following line at the bottom: 0 4 * * * /sbin/shutdown -r
  • To do this, copy the line above
  • Go back to the command line in the editor
  • Right-click > Paste
  • First press Control + S for “safe”
    • then press Control+X for “exit”
  • Done

[!technical] Explanation of the cron command

0 4 * * * /sbin/shutdown -r

From left to right:

• zero minutes
• fourth hour
• *th day of the month
• *th month
• *th day of the week
• Execute the terminal command /sbin/shutdown -r

The asterisks mean “all possible values.” This means that the complete line reads:

Execute the command /sbin/shutdown -r every month on every day at hour 4 at minute 0.

The -r at the end of /sbin/shutdown -r stands for reboot. If you simply omit this -r, the PC will not restart automatically, but will simply remain off.

Additional settings when using suspend mode

Especially on laptops suspend mode is used often when people close the lid. This leads to the situation where the above cronjob is not sufficient, because it does not work while in suspend. This leads to the system being vulnerable to attacks. Therefore we nedd to introduce another automated action to ensure the device will shut down securely. This is done by waking up the system from suspend 5 minutes before it shall be shut down by using the Linux module (systemd)

• Open Terminal (Command Line)
• Enter this command in the terminal: sudo nano /etc/systemd/system/set-wakealarm.service
• Past the following content into the file:

[Unit]
Description=Daily wake up from suspend

[Service]
Type=oneshot
ExecStart=/bin/bash -c "/usr/sbin/rtcwake -a -m no -t $(date -d 'tomorrow 03:55' +%%s)"
[Install]
WantedBy=multi-user.target

[!technical] Explanation of the systemd job

[Unit] just contains the description

[Service] contains the job which shall be executed in which mode.

Type=oneshot means it will be executed once

ExecStart is the command which shall be executed.

/bin/bash -c just tells systemd to run a new bash console and execute the command in "..."

/usr/sbin/rtcwake will execute the programm rtcwake which will set a wake up alarm in the devices hardware timer

-a uses automatic clock detection

-m no tells the programm to not do any direct action, only set the RTC wakeup time.

-t $(date -d 'tomorrow 03:55' +%%s) is a complicated way of setting the wakeup time to 3:55

• After that, the following two commands will advise systemd to directly make use of the new wakeup command

sudo systemctl daemon-reload
sudo systemctl enable set-wakealarm.service

• To test if everything is setup correctly this command can be used: sudo systemctl start set-wakealarm.service
• In case the command finishes without any output, it's set up correctly.
• After that, you can check if the wakeup time was set corretly in the devices hardware timer: cat /proc/driver/rtc There you should see the following values:

[...]
alrm_time	: 02:55:01 (Attention, this is UTC, which might have an offset to your local timezone)
alrm_date	: <date of the next day>
alarm_IRQ	: yes
[...]

• It is highly recommended to test if this works the next couple of nights. So put your device in suspend in the evening and check if it is shut down the next morning. With journalctl --list-boots you can check the timespans your PC was running, which includes times in suspend mode.

MacOS

• Click on the Apple logo in the menu bar.
• System Preferences
• Energy Saver
• Schedule

The top checkbox can be used to specify when the PC should be restarted when it is turned off. We are not interested in this. We want to automatically turn off the PC to clear the RAM.

• So we select the bottom checkbox
• Every day
• Choosing the reboot time is up to you, but we would recommend a time at night (e.g., 2 a.m.), as this is when we usually do not use the computer. Additionally, house searches are often conducted in the morning, so rebooting our computer beforehand makes sense.

Windows

We can use the Task Scheduler to shut down the computer, restart it, or perform any action once or at regular intervals.

If you prefer to follow a video tutorial, there is also YouTube video on this topic.

• Enter taskschd.msc in the Start search and open Task Scheduler.
• In the right-hand bar, click on Create basic task
  • Give the task a name, e.g. Auto Reboot
  • Execute whether the user is logged on or not
• Go to the next tab and select Triggers
  • Daily
  • Set the restart time (e.g. 2 a.m.).
  • Start date and start time: Select the current time i.e. valid from now
• OK and go to the next tab Action. Here, select Start a program
  • Now enter shutdown in the Program/script field
  • Now enter /r /f in the Add arguments field
  • The \r stands for reboot. If you only enter /f there, the PC will not restart automatically, but will simply remain off.
• Next and go to the next tab Conditions
• Make sure that under the “Power” section:
  • the top two checkboxes are unchecked, i.e. off
  • and the last one, “Wake the computer to run this program,” is checked.
• Click Next to check everything and then click “Finish.”
• Finally, you will probably have to enter your password.

Mobile devices

Android

An automatic restart can also be set on common Android devices. GrapheneOS even offers the option to restart the device whenever it has been unlocked for X hours.

A restart at a fixed time can be set as follows:

• Settings
• Utilities
• Scheduled power on and off

Here you can now specify when the device should always shut down and when it should restart.

iOS

Unfortunately, iOS does not currently offer a function for scheduled restarts.