YubiKey: Autolockscreen via udev (Hyprland)

Automatically lock your Hyprland session the moment you pull your YubiKey out of the USB port. A udev rule triggers a screen lock script.

Read hyprlock doc first!

⚠️ : If you are using hyprland the default application to lock the screen is Hyprlock. Hyprlock does not automatically create a config, and without one, hyprlock will not render anything. But even without a config, your session will get locked and thus Hyprland will cover your session with a black screen.
https://wiki.hypr.land/Hypr-Ecosystem/hyprlock/

Install lsusb

sudo pacman -S usbutils

The lock script

Create
/usr/local/bin/automate/yubikey-lockscreen.sh

#!/bin/bash
USER_NAME="slexi"
USER_ID=$(id -u "$USER_NAME" 2>/dev/null)
HYPR_DIR="/run/user/$USER_ID/hypr"
INSTANCE=$(ls "$HYPR_DIR" 2>/dev/null | head -1)
#Because the trigger will run this as root we have to login as the user first
sudo -u "$USER_NAME" \
  XDG_RUNTIME_DIR="/run/user/$USER_ID" \
    HYPRLAND_INSTANCE_SIGNATURE="$INSTANCE" \
      /usr/bin/hyprctl dispatch exec hyprlock

Make it executable:

sudo chmod +x /usr/local/bin/automate/yubikey-lockscreen.sh

Find YubiKey’s Vendor ID and Product ID

lsusb | grep Yub
# Bus 005 Device 071: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID

For a YubiKey 5C we get VendorID 1050 and ProductID 0407.

Find the HID bus ID:

ls /sys/bus/hid/devices/ | grep 1050:0407
# 0003:1050:0407.0016
# 0003:1050:0407.0017

The udev rule

Create
/etc/udev/rules.d/11-yubikey-autolockscreen.rules

ACTION=="remove", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", \
  RUN+="/usr/local/bin/automate/yubikey-lockscreen.sh"

Reload udev:

sudo udevadm control --reload-rules
sudo udevadm trigger

That’s it. It was an amazing moment to see my first udev rule in action.
But 10minutes later my screen suddendly locked.
What happend ?

I hovered with the mouse over my keepass window, the databse was locked, this interrupted the yubikey, the system tought its removed and did what it’s supposed to do.\

The workaround is a second of sleep and check if the yubikey is still present.

#!/bin/bash
sleep 1
if lsusb | grep -q "1050:0407"; then
  echo "Yubikiey still attached"
exit 0

else
USER_NAME="slexi"
USER_ID=$(id -u "$USER_NAME" 2>/dev/null)
HYPR_DIR="/run/user/$USER_ID/hypr"
INSTANCE=$(ls "$HYPR_DIR" 2>/dev/null | head -1)
   sudo -u "$USER_NAME" \
       XDG_RUNTIME_DIR="/run/user/$USER_ID" \
       HYPRLAND_INSTANCE_SIGNATURE="$INSTANCE" \
       /usr/bin/hyprctl dispatch exec hyprlock
fi