How to boot into recovery (single user) mode is now documented: Recovery - Kicksecure
The issue with locking and expiring root account is, that it breaks recovery mode.
Cannot open access to console, the root account is locked.
See sulogin(8) man page for more details.
Solution: passwordless recovery console
References:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
- UNTESTED: Use sulogin --force when locking root account (bc5ca2de) · Commits · Andreas Henriksson / user-setup · GitLab
One could argue this is insecure in very special situations (such as kios mode or without FDE) (see references above) but I think the balance locked/expired root account in regular boot mode and functional recovery mode is more important. Recovery mode on real hardware can still be secured by using some of the following combinations: BIOS password protection; grub password protection; FDE.
Expired root password breaks lxsu but not lxsudo which is ok.
When locking root account, when trying to login as root at virtual console will say:
Login incorrect.
Without previously asking for a password. This is not the worst case for usability. Better than asking for password and then failing. Will update /etc/issue.whonix to document this.