USB Kill Switch and Dead Man's Switch Toolkit for Linux Servers
An open-source toolkit combines LUKS encryption, USBGuard and Discord alerts to auto-wipe server keys on physical tampering or operator inactivity.
This project brings together LUKS disk encryption, USB device monitoring, and emergency kill switches to defend a Linux server against both physical and logical threats. The system arms itself while a specific USB key remains connected; removing that key instantly wipes the LUKS keys and reboots the machine. A companion dead man's switch requires the operator to send a heartbeat every 24 hours—missing that window triggers a Discord alert with a one-hour grace period, after which the same wipe routine fires if there's still no response.
The toolkit is built from several Flask-based services: a heartbeat server, a token-protected manual kill-switch web UI, and a USB authorization server integrated with USBGuard. All components can be installed as systemd services and run as root, since they need low-level access to cryptsetup and sysrq.
Key operational guidance includes exposing these services only through Tailscale or a VPN, replacing default tokens with strong values, and carefully verifying the correct LUKS volume before enabling any destructive commands—since wipe operations are irreversible. The setup offers a practical reference for security-focused teams wanting an automated, human-intervention-free layer of defense against physical tampering or operator incapacitation.