SteamOS
[Feature] Full disk encryption
Your system information
- Steam client version: does not matter
- SteamOS version: 3.0
- Opted into Steam client beta?: No
- Opted into SteamOS beta?: Yes
- Have you checked for updates in Settings > System?: Yes
Please describe your issue in as much detail as possible:
Currently SteamOS does not encrypt anything: browser data, steam data, contents of sd cards and so on are easily explorable and modifiable if you connect the SD or SSD to another computer. Most of the users usually do not think about security concerns and may believe the recently added lockscreen is enough.
The only way to securely store sensitive data on the deck is using plasma vaults, but the OS image does not include its default backend (cryfs).
Yes, I know SteamOS is not a general purpose OS, but it gives users the possibility to store and process sensitive data on the device but does not care about security, putting it on the end user who is not always technically educated enough and used to trust platform holders in security questions.
I believe there must be a way to encrypt root fs and all partitions that may contain user data without making unlocking annoying to the user as the password for root fs may be equal to lockscreen pin and passwords for other partitions including the SD may be stored on the encrypted root and may be unique per partition. It must be even possible to use secure boot and everything almost transparently to the user.
WDYT?
I agree very strongly. I really do not want to lose the deck and have people access my stuff. I created a new Arch install on my SD card where I had the home partition encrypted and auto unlocked on login. Maybe the new pin system could be combined with auto unlocking the encrypted folders/drives.
+1. In this day and age you simply can not have a mobile device that does not have full disk encryption enabled by default. Especially when you are touting the features of it being a full fledged PC. Less tech savvy people will erroneously believe they can store their secure information on what might very well be their only portable computing device, only to have it seized during travel or stolen. I imagine you could ship the devices with full disk encryption already enabled and just require the user to change the encryption password on registration of the device.
Fscrypt could be also fine. It's pretty easy to use, it plays nice with ext4, can be unlocked on log in and already works on every single android device
I'm not sure if this is possible on Linux, but using hardware-backed encryption with automatic unlocking using the TPM, just like on Windows, can enable fully transparent disk encryption with next to no change to the current login experience. The encryption keys kept on the TPM could be backed up to Valve servers, like how BitLocker backs up encryption keys to your Microsoft Account.
@andritolion it's possible in general and even more possible when you fully own a platform like valve. Personally I'd prefer good old passwords, but tpm would still be better than no encryption at all
However, I'd argue that the user's experience should not change when encryption is enabled or not. Considering that SteamOS's files used for large parts of the user interface (like the Steam Client) are located on the user partition, encrypting the user partition without automatic unlocking will change the user experience (they need to login twice, or login then wait a while until the system loads) and because of the change in device behavior, some people may decide not to encrypt their drives because they don't want to wait longer to boot. The best security is security that is invisible to the user. Additionally, the login screen is implemented in the Steam Client, and as that will be encrypted if the user partition is, the login screen will need to be rewritten. (Then again, maybe it's a good idea to rewrite it. There are so many issues I have with it, I think I might open an issue about it.)
+1, I consider this essentially required. I'm going to have to do a lot of complicated hacking to make SteamOS support this for my own install, and I'm guessing updates will bork it. This device is marketed for more than just games, and I intend to use it as such, and that requires security.
I share the same sentiment. Mobile devices can be stolen/lost easily.
Even if the user does not store anything important, the steam account is not protected and can easily be accessed outside of steam deck by copying over cookies etc.
But given how steam deck is such a versatile device, a good portion of the user base will use it as a personal computer as well. This is where FDE becomes important.
Imo FDE is a mandatory feature in this day and age. Especially since Linux already supports this, making it an eventual reality shouldn't be difficult.
If a seamless experience cannot be achieved, at least allow power users to use it without having to implement it themselves.
FDE is a solution but not the only solution. In my opinion, we don't need to encrypt the A/B root partitions. The content is already available from Valve's servers. I am not sure about the other 2 `/var` partitions though (anything confidential in there? Wifi passwords maybe?)
The home partition is more important, a `LUKS`+`TPM` encrypted `systemd-homed` could be used. Or even just encrypting `/home` with `LUKS` + `TPM` for auto decryption without `systemd-homed`. Using the TPM is specifically desirable as it will keep the current user experience (not forcing a password/pin if the user doesn't want it)
I was really surprised that the steam deck doesn't encrypt home by default. I think it's irresponsible to offer a web browser that people can use to login to their private accounts without enabling encryption. Also, the current security lock gives a false sense of safety if someone loses their device. (A non sophisticated attacker could just pop out the SSD, mount it in another machine, and read the browser cookies in clear text).
A nice write up about a similar setup could be found here
My steam deck is ordered and on the way... a little concerned to read that it isn't secure by default.
+1 for this, even if it's just a key combination of just pin + TPM. Every cheap android device from 4 years ago has full disk encryption enabled by default. It would make the steam deck with the docking station a viable alternative to a big clunky desktop PC, which right now is not a choice because the steam deck is also a mobile device.
It's just too risky in case it gets stolen.
The Steam Deck is an incredible device, and has the ability to be a primary-use computer in my household, except this single concern is one that prevents truly using it for the desktop capacity.
For the time being, I can use it as a gaming device, but things like password managers, allowing access to file syncing services like Dropbox, saving sensitive site login cookies, etc. are all vulnerable without full disk encryption.
I agree with this 100%. I don't even use un-encrypted devices that always stay in my home (I.E. my desktop) due to the possibility of theft. Encryption is even more important for a device that you're intended to travel with.
This severely limits the use cases for my SteamDeck in desktop mode, particularly for anything that would require authentication. I'm glad I took pause and did some research before I even signed into any accounts on my SteamDeck. Mobile Steam library gaming via Discord sure would be nice. :disappointed:
I agree with this. It's a mobile device that is easily lost or stolen. It would be a real shame for that to happen and have credentials stolen. These days, email is the source of truth for identity (i.e. password recovery gets sent to email with full trust), so as long as a user simply signs in to their email account, they risk most of their credentials being stolen.
Just FYI, postmarketos uses https://wiki.postmarketos.org/wiki/Osk-sdl which allows unlocking the mobile devices using the touchscreen. I guess it shouldn't be too hard to port it to SteamOS.
> +1, I consider this essentially required. I'm going to have to do a lot of complicated hacking to make SteamOS support this for my own install, and I'm guessing updates will bork it. This device is marketed for more than just games, and I intend to use it as such, and that requires security.
What hacks did you do? I'd want encryption too
I'm not sure how this would play out, but another issue I have with this is Steam Link. If stolen, an unencrypted device could possibly hold a session that allows attackers to gain remote access to other computers that have been accessed before.
I think encryption should be a feature and should be enabled by default during the installation, in the same way as it is enabled by default on Android, iOS, and macOS. Mobile devices have even bigger limitations in terms of storage speed and processing power and still ship with encryption enabled out-of-the-box.
If they had a TPM module, this wouldn't be too hard on future devices, though it requires some setup.
https://github.com/noahbliss/mortar could work pretty well.
As a workaround, is there a place before Steam Client starts where I can have a custom script ask for a password and mount a directory?
I'd like to encrypt my Steam credentials; and I would be fine with having to (actually want to) type in a password every time I boot to unlock it.
It looks like, unofficially, someone was able to put together a flow that results in the home partition containing the primary steam account being encrypted. If you're really desperate for an intermediate workaround it might be worth a peek.
Interesting. It's very nice, but I think changing the partition structure could interfere with future updates.
What's interesting is that I already have something that feels very similar working, but without requiring partition change.
My implementation:
- On reboot, Steam starts but with a secondary account by default.
- Steam has a shortcut "unlock"; which -
  - Asks for password
  - If correct, mounts and binds alternative directories and restarts just the interface with the primary account and a few other directories mounted
- (On full reboot next time it would again log in to the secondary account with primary config not mounted)
I think my approach makes it extremely safe in terms of not breaking any future SteamOS updates. It's not FDE, but anything including the full home directory can be encrypted. If anyone wants I can post a more detailed tutorial.
The compromises are -
- It's not FDE: But I think it's not an issue since I can encrypt anything and everything in home.
- It also needs a secondary account:
- Other alternative I tried: Defaulting to log in to Plasma - but doesn't work unless you have a Steam account, because otherwise Keyboard remains inaccessible.
- There's no automated log-in prompt.
The purpose of the question was to see if there's a less janky way; but probably there is none. As I write this up, I feel more happy about the current state. I will welcome any thoughts on making this even simpler.
PS. After looking at the work linked by @nmlsdev, and what I have so far, I realized my needs are met.
I polished up my set up and am actually quite happy with it :-) !
Basically, I'm using an encrypted container which I mount over /home/deck.
This has the following nice properties -
- Security: `/deck/home` is fully encrypted!
- Security: Any inserted sd card is (optionally) fully encrypted!
- Convenience: Can set up without repartitioning / reformatting / re-imaging (but needs temporary free space; can use external space if available)
- Convenience + Functionality: This has no chance of breaking SteamOS updates.
- Functionality: Allows you to choose btrfs if you want!
- Functionality: Requires password to decrypt. I personally prefer this over TPM, I think it's more secure.
And still has the following nuisances -
- Issue: Needs a throwaway account. (It restarts steam with your main acct after you enter password. Would be nice if Steam allowed you to run a shortcut without having to log in to an account; but that's something beyond me.)
- Issue: Trim does not work yet on the encrypted container. I think this is an issue which will be fixed with the new kernel, see https://github.com/ValveSoftware/SteamOS/issues/1101
Other minor (non) issues -
- Not being a FDE, technically it can leak things through journal log, swap file. But unless you're doing something nefarious to bring in attention from FBI, I really think this security is very tight. Main purpose here is to defeat thieves and with this I have peace of mind.
I uploaded the instructions to set up encryption like I did (with credit to the previous project), here: https://github.com/hirak99/steam_deck_encryption
This is fairly non-intrusive to set up and should continue to get SteamOS updates.
On the other hand it's not FDE. But the tradeoff seems reasonable to me.
Hopefully this is helpful to someone!
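
An added example, not part of any post above and not code from the linked projects: a small audit that reads `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and lists which mounted filesystems sit on a dm-crypt (LUKS) mapping and which are plaintext at rest. The device names and layout in the sample are constructed for illustration; file-level schemes such as fscrypt or cryfs are not visible at this layer and would need a separate check.

```python
import json

# Constructed sample in the shape of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
# Names and layout are illustrative, not a dump from a real Steam Deck.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
   "children": [
     {"name": "nvme0n1p1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
     {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/var"},
     {"name": "nvme0n1p3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}
   ]},
  {"name": "loop0", "type": "loop", "fstype": "crypto_LUKS", "mountpoint": null,
   "children": [
     {"name": "deck_home", "type": "crypt", "fstype": "ext4",
      "mountpoint": "/home/deck"}
   ]},
  {"name": "mmcblk0", "type": "disk", "fstype": null, "mountpoint": null,
   "children": [
     {"name": "mmcblk0p1", "type": "part", "fstype": "ext4",
      "mountpoint": "/run/media/mmcblk0p1"}
   ]}
]}
"""

def audit(lsblk_json):
    """Return {mountpoint: (device, encrypted)} for every mounted filesystem."""
    result = {}

    def walk(node, under_crypt):
        # dm-crypt mappings have type "crypt"; anything stacked on top of one
        # (LVM volumes, filesystems) inherits its protection at rest.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = (node["name"], under_crypt)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result

def plaintext_mounts(lsblk_json):
    """Mountpoints whose backing device has no dm-crypt layer beneath it."""
    return sorted(mp for mp, (_, enc) in audit(lsblk_json).items() if not enc)

if __name__ == "__main__":
    for mp, (dev, enc) in sorted(audit(SAMPLE_LSBLK).items()):
        print(f"{'encrypted' if enc else 'PLAINTEXT':9}  {mp}  ({dev})")
```

On the sample, only `/home/deck` is reported as encrypted; `/var` (where journal logs live) and the SD card remain plaintext, which is the gap between a container-over-home setup and FDE discussed in this thread.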
I'd like to see this implemented too!
Not having FDE stops me from doing any work on this device. Maybe that's a feature? ;)
Hopefully support for multi-boot will take this use case into consideration.