@kennwhite
Last active July 27, 2017 01:20
How I built a secure Go development Chromebook for $169 (stock build, no crouton, rooting, or dev mode)

How I built a secure developer Chromebook for $169

(Or: why Chrome OS, Termux, YubiKey and Duo Mobile are awesome)


TL;DR recipe:

  • Android-certified Chromebook
  • Stock build for tpm verified boot, not Developer Mode
  • New master account: +YubiKey +DuoMobile/Authenticator -SMS/phone
  • Termux: +chroot (PRoot) +sshd
  • SSH Chrome app as local shell to Termux tty on arc0
  • Latest stable packages of, e.g.: Go, Node.js, Python/2, Ruby, clang, Erlang, Lua, MariaDB, Redis, Postgres, Memcache, SQLite, Nginx, Apache...
  • Signal (Chrome app), Wire (Play Store), Voice (web app)
  • Sublime clone, GDocs, Netflix, salt to taste

Skip to the finished setup


Background

I didn't really pay attention when Chromebooks first hit the consumer market. Most of my encounters were limited to small, abandoned displays at the big box retailers in the U.S. like Best Buy and Walmart. From the little I'd read in the tech press, it seemed like they were largely targeted as cheap netbooks for always-connected students or non-techies for lightweight web browsing. In recent years with each passing Google I/O conference, I seemed to hear more and more about them from developers, particularly since the release of the gorgeous all-aluminum high end Pixel. But still, I've been very happy with my trusty MacBook Pro and Librem, so I never looked too much closer.

Only in the last year while talking to respected security-focused engineers & developers have I come to fully appreciate Google's Chrome OS design. I learned that Chromebook is the daily driver for many of Google's own senior developers and security engineers. In short, the combination of the underlying Chromebook hardware with the OS architecture makes for a pretty compelling secure development environment.

Fast forward to March. In the past, I'd never given much thought to bringing my notebook with me while on travel -- it was just something I did as a matter of course. Now, though, with the changing landscape of airline restrictions and seemingly ad hoc draconian rules for what can and can't be brought on board, I've had to seriously reconsider my routine. There is zero chance I am willing to check my beloved MBP, given carriers' long history of indifference to ground crews playing hacky-sack with luggage. Who can forget United Breaks Guitars? And let's not even get into brazen theft.

It's pretty neat to consider the possibility of pre-travel "power washing" (resetting everything clean to factory settings) an inexpensive Chromebook, especially with the option to later securely restore over the air once at my destination. Since there is a wide range in Chromebook prices, the engineering challenge here was to find something powerful enough to comfortably use exclusively for several days of coding, writing, and presenting, but also cheap enough that should it get lost/stolen/damaged, I wouldn't lose too much sleep. Here's what I came up with, and honestly, I'm pretty happy with it.

Nearly every how-to and blog post I've found on "Chromebooks for developers" essentially starts with either: "Boot into Developer Mode" or "Install Debian/Ubuntu as the main OS". I'll just say it: This is bad advice. It would be akin to recommending friends jailbreak their shiny new iPhone. You're obviously free to do as you wish with your own gear, but recognize that at Step 1, you'll have lost most of the core security features of Chromebook, not to mention virtually inviting bad development habits. As far as Debian/Ubuntu (and crouton), that's fine as far as it goes, but then you don't end up with a Chromebook, just a flakey cheap mini-notebook. The whole point of this exercise is to retain the hardened posture of the platform and have a flexible, safe development environment without depending on the crutch of privileged access.

Goals

  • Very modest budget (ideally <$200 USD, all in)
  • 8-10 hour real-world battery life
  • First-class, updated local/non-connected dev environment for my current toolchain:
    • go, c/c++, node, git, curl, nginx, postgres...
  • Standard network tools (openssl cli, nmap, tcpdump...)
  • Strong hardware-backed verification & mutual auth
  • Open source, actively developed software whenever possible
  • Bonus: secure messaging, voice, video chat, streaming movies

Anti-Feature Goals

  • Finished environment should not:
    • bypass core OS security
    • disable Verified Boot
    • require sudo/root for dev environment
    • rely on Crouton or Ubuntu
    • require (or assume) an always-on network

Supported Gear

Google announced a major development in the Chromebook roadmap recently and it seems to have been overlooked by many in the industry: over the past few months, several models have been updated to work with Play Store apps. In theory, this will open the door to many of the 3+ million Android apps. In practice, there's still a fair amount of work to do to "optimize" existing app display layouts and fix other UX quirks.

The official list of Chromebooks supporting Android apps (and the timeline for those planned in 2017) is here: https://sites.google.com/a/chromium.org/dev/chromium-os/chrome-os-systems-supporting-android-apps

While never explicitly stated, I take inclusion on this list as a rough proxy for commitment by manufacturers (and Google product engineering) to support these models.

After reading an absurd number of reviews and forum posts, I eventually settled on the Samsung Chromebook 3. It's lightweight (a little over 2 lbs), comes with 4GB RAM and a 16GB solid state drive (expandable via MicroSD to 256GB), and uses a low-power Intel x86-64 dual core N3060 1.6/2.4 GHz processor. Other goodies include USB 2/3 ports, HDMI, 720p webcam, and a water-resistant keyboard.

You would definitely notice the performance boost if you bumped up to 8GB of memory or an m5/i5 CPU, but prices at that tier start at $800 and rise quickly (see note¹ below on Amazon). There's no shortage of high end Chromebooks available, but in my testing of the "serviceable, but won't-cry-if-I-lose-it" category, 4GB of RAM and a non-ARM processor seem to be the sweet spot. If you are tempted to save $40 and opt for the super cheap 2GB models, don't expect to open more than a handful of browser tabs before hitting a tar pit.

Hardware

Prerequisites

  • A good 2-Factor Authentication app (installed on your phone, not your Chromebook). Personally, I trust the free Duo Mobile app, available on iOS and Android. Many people also like Google Authenticator.

The Build: Authentication and Security

  1. If necessary, wipe the Chromebook to factory settings via Powerwash
  2. Boot and set up a new Google account to manage your device (this will help segment your data, and if you need it you can still access your existing gmail accounts). You'll likely be asked for a recovery/SMS phone number, but you can remove it in a few minutes.
  3. Ensure the latest OS & app updates are installed:
    • Account photo / gear icon / Settings dropdown / About Chrome OS / Check for Updates
  4. Set up mutual authentication with the U2F YubiKey. After rebooting, open Security settings in the new Google account (https://myaccount.google.com/security#signin) and click 2-Step Verification. You'll be prompted for your password. Follow the prompts for "Add a Security Key". Once confirmed by logging out then back in using your YubiKey, continue to the next step below.
  5. Add a 2FA authentication fallback option. Navigate back to the Settings menu above, then:
    • 2-Step Verification / Authenticator App / Setup (choose Google Authenticator; the QR codes are universal) / Next / QR code should display
    • On your phone, open Duo Mobile then: Begin Setup / Scan barcode / Next
    • On your Chromebook, type the code you see in Duo Mobile into the text box / Verify / Done
  6. Verify that the authenticator is working correctly. The 2FA authenticator verification is an access safety mechanism should you lose the YubiKey:
    • Log out then log back in. Ignore the prompt to insert your YubiKey, and instead click on the link at the bottom of the login page, Having Trouble?. Choose Get a verification code from the Google Authenticator app.
    • On the Duo Mobile app, click the Google account key icon and enter the 2FA code into the browser.
    • Print out the backup codes in case you lose both your mobile phone (or at least the secret TOTP seeds in your 2FA app) and your YubiKey.
    • Note: for both the 2-Step Verification and Authenticator login paths, you may want to consider unchecking Don't ask again on this computer.
  7. With two-step verification set up, it is safe to remove the phone number you supplied earlier from the account recovery menu.

The Build: Privacy & Cloud Sync

  1. Set privacy and tracking configuration. Depending on your use case, you will probably want to limit the ad data that Google collects.

    • Navigate to https://myaccount.google.com (the 3x3 box in the top right corner in Gmail) > Personal Info & Privacy > Your personal info > Ad settings
  2. Set cloud sync preferences.

    • Chromebook settings > People > Sync
    • I recommend enabling: Apps, Extensions, and Settings, but not Autofill, History, and Open Tabs. Also — crucially — note that allowing Apps and Extension sync will likely mirror sensitive content including credentials, keys, API tokens, passwords & password manager vaults, and other secrets stored locally on your notebook. This could be a huge convenience or utterly catastrophic if left unencrypted, depending on your threat model and risk tolerance. Your mileage will definitely vary.

The Build: Termux Secret Sauce

  1. Set Update Channel from Stable to Beta (some models already officially support Android apps in Stable)
    • Profile picture in lower right > Settings > About Chrome OS (bottom of menu) > Detailed Build Information > Channel > Change Channel > Beta > Change Channel > Restart
  2. Enable Chromebook Android apps
    • Sign into the Play Store web site and navigate to Settings (https://play.google.com/settings/). Alternatively, from Gmail > top right 3x3 square icon > Play Store > top right gear icon > Settings
    • Register your device, e.g.: "No carrier Samsung Chromebook 3" and give it a memorable name
    • Confirm Play Store is enabled on your device. Bottom right photo > Settings > Play Store
    • If you hit any problems, see the official detailed how-to on enabling Android apps on Chromebook
  3. Install the Termux Android app: https://play.google.com/store/apps/details?id=com.termux. This is the killer app that makes flexible dev shell access possible as an unprivileged user. The Termux project has been under active development for the past two years and is fully open source (https://github.com/termux/termux-app). It offers a chroot-like option to present a conventional Linux filesystem, and in most respects feels like a stable Debian-based distro, with the latest i686 stable versions of widely used development & system tools including:
    • apache 2.4
    • bash 4.4
    • clang 4.0.1
    • erlang 19.3
    • git 2.13
    • gnupg2 2.1
    • golang 1.8.3
    • libgcc 4.9
    • libsodium 1.0.13
    • lighttpd 1.4
    • llvm 4.0
    • ltrace 0.7.3
    • lua 5.3
    • mariadb 10.2
    • mosh 1.3
    • nginx 1.12
    • nmap 7.50
    • nodejs 6.11
    • python 3.6.1
    • python2 2.7.13
    • redis 3.2.9
    • ruby 2.4.1
    • sqlite 3.19
    • sslscan 1.11
    • tcpdump 4.8
    • tor 0.3.0.9
    • transmission 2.92
  4. Set up the Termux base

         pkg upgrade

         apt update
         apt upgrade
         apt install coreutils

         pkg install dpkg net-tools termux-tools tracepath tree git

         # For a full list of available packages (Go, Node, Python, etc):
         pkg list-all  # or: apt list

         # Create symlinks & permissions for typical Android filesystems
         # (Downloads, Audio, Images, SD Card, etc)
         termux-setup-storage

         # Present a typical Linux fs layout (/bin, /usr, /etc...) via PRoot
         termux-chroot

         # Note this reserved IP number -- you'll need it for any localhost servers
         ifconfig arc0 | awk '/inet /{print $2}'
    

The Build: Core Apps

  1. Install a desktop SSH Chrome app. I recommend FireSSH (GitHub), or optionally Google's NaCl-based terminal emulator & SSH client, the NaSSH app (GitHub source repo here).

  2. Create a local ssh keypair:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    
    
            Generating public/private rsa key pair.
    
            Enter file in which to save the key: /Downloads/devbox/ssh/id_rsa
    
            Enter passphrase (empty for no passphrase):
            Enter same passphrase again:
            Your identification has been saved in /Downloads/devbox/ssh/id_rsa.
            Your public key has been saved in /Downloads/devbox/ssh/id_rsa.pub.
            The key fingerprint is:
            SHA256:yzwrsYbtfJGe6b9o9UVXLvAs96HbSjyhWTGwiL3V1YI your_email@example.com
            The key's randomart image is:
            +---[RSA 4096]----+
            |           . . ..|
            |        o . E o o|
            |       . o o B o.|
            |          o . O.o|
            |        So   *.+.|
            |      .oo.. =.o .|
            |     o +== + =o  |
            |    ..= *+  o... |
            |     oo=+.o. ..  |
            +----[SHA256]-----+
    
    
  3. Start the ssh server

    whoami 
    sshd
    
  4. Connect with the FireSSH app to the reserved IP address displayed earlier, as the current user, over port 8022; e.g., user u0_a49 to 100.115.92.2 using the private key just created, /Downloads/devbox/ssh/id_rsa. The SSH server configs live in /data/data/com.termux/files/usr/etc/ssh.

  5. Install the Termux:Style UI plugin. This isn't required, but these folks do great work, so please consider ponying up $2 for the themes add-on which has some really nice palette choices.
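The key and sshd steps above, collected into one script. This is an added example, not something from the original gist or the Termux project: it installs the freshly generated public key with the permissions sshd insists on, writes an sshd_config that turns off password logins and binds only to the arc0 address, and pulls that address out of ifconfig with the same awk the post uses. The config directory and port 8022 are the ones named in the post; the function names, the RUN_MAIN switch and the .pub path under /Downloads/devbox/ssh are my assumptions, and main assumes it is run inside termux-chroot so that /Downloads resolves.

```shell
#!/bin/sh
# Added example (not from the gist): key-only Termux sshd, reachable only on arc0.
set -eu

# sshd config dir named in the post; override for testing in a scratch dir.
SSH_ETC="${SSH_ETC:-/data/data/com.termux/files/usr/etc/ssh}"
# Public half of the key the post generates (chroot path); assumed location.
PUBKEY="${PUBKEY:-/Downloads/devbox/ssh/id_rsa.pub}"

# Append one public key to $2/.ssh/authorized_keys with the modes StrictModes
# requires (700 on .ssh, 600 on the file). Idempotent: duplicates are skipped.
install_authorized_key() {
    pubkey_file="$1"; home_dir="$2"
    ssh_dir="$home_dir/.ssh"; auth="$ssh_dir/authorized_keys"
    key="$(cat "$pubkey_file")"
    # Refuse anything that is not a single OpenSSH public-key line
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Write a minimal hardened sshd_config: keys only, listen only on the arc0
# address ($1) and the Termux default port 8022, written to $2.
write_sshd_config() {
    listen_addr="$1"; out="$2"
    cat > "$out" <<EOF
# generated by the example script: key-only auth for the Termux dev shell
Port 8022
ListenAddress $listen_addr
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
X11Forwarding no
PrintMotd no
Subsystem sftp internal-sftp
EOF
    chmod 600 "$out"
}

# Extract the IPv4 address from 'ifconfig arc0' output passed in as a string
# (so it can be checked offline). Handles both "inet 1.2.3.4" and the older
# "inet addr:1.2.3.4" formats.
arc0_addr_from_ifconfig() {
    printf '%s\n' "$1" | awk '/inet /{print $2; exit}' | sed 's/^addr://'
}

# Octal mode of a file; GNU stat and BSD stat spell the flag differently.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# On the Chromebook: wire everything up and (re)start sshd.
main() {
    addr="$(arc0_addr_from_ifconfig "$(ifconfig arc0)")"
    install_authorized_key "$PUBKEY" "$HOME"
    write_sshd_config "$addr" "$SSH_ETC/sshd_config"
    pkill sshd 2>/dev/null || true
    sshd
    echo "sshd listening on $addr:8022 (key-only)"
}

# Run with: RUN_MAIN=1 sh termux-sshd-setup.sh
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Because the listener is pinned to the arc0 address, the FireSSH connection from step 4 keeps working while nothing else on the device's other interfaces can reach the daemon, and with PasswordAuthentication off the only credential that matters is the private key in /Downloads/devbox/ssh.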


The Build: Optional, but highly recommended

The Build: Desktop office suites

  • HP Print app: if you have an HP printer, you'll thank me.

  • Native Microsoft documents app from Google to edit & view Word, Excel, Powerpoint files (docx, xlsx, pptx)

  • Google Docs: native app Option A; more stable, offline by default

  • Google Docs: web app Option B; requires connectivity to start, quasi-offline capable

The Build: Dessert

  • Netflix

    • Launcher (the O button on the bottom left menu bar) > Netflix > right click > Open in Window > Pin to Shelf. (This, by the way, is very useful for most Chrome web apps)
  • Quake (because why not?)

The Build: Niche/Optional

  • Brave Android native app GitHub. Possibly useful to segregate web traffic, but presents as a mobile browser

  • Mosh persistent mobile SSH shell (useful for working with intermittent connectivity, e.g., remote VMs) GitHub

Finished Setup

Hello world!

Epilog: Working with Termux

  • kill/restarting shell

    • When things get completely borked (which in two weeks of heavy use only happened a couple of times for me), you can kill & restart Termux. There might be a more elegant way to do this, but here's the blunt hammer method:
      • Slow press on the Termux app > More > Kill Process > OK > close window
      • Open Launcher (the O button on the bottom far left menu bar) > right click > App Info > Force Stop > OK
      • Relaunch Termux
  • termux-chroot (PRoot)

    • It's important to call chroot before starting sshd so that new sessions will see the more familiar filesystem layout. Unfortunately, termux-chroot is a script which spawns a new shell, so if you call it from a script, the remainder of code won't execute until PRoot exits. It would be ideal to have chroot & sshd autostart, but that feature is still in the works as Termux:Boot add-on. In the meantime, a less elegant work-around can be added/created in ~/.bash_profile:

            # ~/.bash_profile: start sshd once, then drop into PRoot. termux-chroot
            # spawns a new shell, so it has to be the last thing this file runs.
            if ! pgrep -f "sshd" >/dev/null ; then echo "[Starting sshd...]" && sshd && echo "[OK]"; else echo "[SSH is running]"; fi
            if ! pgrep -f "termux-chroot" >/dev/null ; then echo "[Starting chroot...]" && termux-chroot; else echo "[chroot is running]"; fi

            # Blunt-hammer restart of both from an existing shell:
            $ killall termux-chroot
            $ killall sshd ; sleep 2 && sshd
      
  • package corruption/interruption (if an install or removal hangs from, e.g., a remote repo hiccup)

              # If a package install or removal hangs, clear the cached .deb files and retry
              $ apt-get clean
              $ apt-get autoclean
    
  • termux-wake-lock (useful option to avoid sleep & network weirdness with ssh from sleep/wake cycles, i.e., from closing lid)

Epilog: Chromebook tips & quirks

  • The built-in Chrome developer shell, crosh is somewhat useful, but is fairly restricted. Worth checking out the help_advanced options.

  • The physical file system location for Downloads (pre-chroot) is: /home/chronos/user/Downloads/, or in a browser as: file:///home/chronos/user/Downloads/

  • chrome://about/

  • Shift+Esc is a cool shortcut to the OS task viewer (able to see per-tab processes)

  • Ctrl+Alt +/- resizes the native Termux app fonts

  • Shift+Ctrl +/- resizes the Chromebook display (1366x768 is optimal/native mode on the Samsung)

  • If an Android native app goes full screen (i.e., loses the resize buttons in the top right corner), slow press or right click to get a context menu which includes a full-screen toggle

  • To share local files more easily with other apps, create a transfer folder in Termux under the /Downloads directory, e.g.:

      cd /storage/emulated/0/Downloads
      mkdir code
      cd code
    
      # If running chroot, simply
      
      mkdir -p /Downloads/code
      cd /Downloads/code
    

    Important caveat: You can create and edit files & code under /Downloads, e.g.: hello.go, but can't execute from that directory because of security restrictions. Instead, build and edit where you wish, but run executables from your Termux directories (e.g., /home, etc).


Special thanks to Nick Pannuto, and others for reviewing an earlier draft of this post

¹Disclosure: Be wary of 3rd-party sellers offering "open box" and "refurbished" products. These often have poor (or no) warranties, and typically have higher return rates. Links to Amazon were carefully researched to ensure the items are as listed in the descriptions. I receive a small referral credit from purchases made through this post.

© 2017 Kenneth White @kennwhite
