@mhitza
Created August 25, 2024 17:48
Tweaking desktop mode on the Steam Deck

As the Deck is mainly marketed as a portable gaming device, there are a few kinks with the desktop experience. In this living blog post I'm collecting the notes, scripts, and steps I've gone through to replicate my existing workflows on the Deck Desktop.

SteamOS is the first immutable distro I'm using, which makes things a bit more challenging after more than 14 years on Fedora (non-GNOME spins), where I had become accustomed to the distribution packages and patched up the system to what I wanted by sudo vim-ing across the filesystem.

There is no background ssh-agent by default in the default desktop session.

To fix this, I've written the following script to $HOME/.config/plasma-workspace/env/ssh-agent.sh

#
# Thanks Josue for the insight:
#   https://dev.to/manekenpix/kde-plasma-ssh-keys-111e
#

[ -z "$SSH_AGENT_PID" ] && eval "$(ssh-agent -s)"

All files stored under $HOME/.config/plasma-workspace/env are automatically sourced at session startup.

In the absence of full disk encryption, KDE Vaults offer a satisfactory compromise to keep personal files safe in case of device theft.

Vaults can work with three different encryption backends:

While I've used EncFS in the past, given its no-longer-maintained status, I've gone with GoCryptFS. The only choice really, until the day I can figure out how to make sddm and systemd-homed work nicely with each other on the Deck.

All these systems work by storing your files encrypted, and giving you an unencrypted view by mounting an overlay FUSE (Filesystem in Userspace) directory.

Sidenote: gocryptfs went through a security audit back in 2017. While there are some interesting exploit scenarios when an attacker has direct access to the encrypted files plus parts of the unencrypted files, they do not apply to a scenario in which the device is stolen while Vaults are locked.
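Because the protection above only holds while a Vault is locked, it helps to be able to see which vaults are currently mounted. The following is an added example, not part of the original post and not code from KDE or gocryptfs: it lists gocryptfs FUSE mounts from a mount table in /proc/self/mounts format. The helper names (`unlocked_vaults`, `vaults_locked`, `sample_mounts`) are hypothetical and the sample mount lines and paths are constructed.

```bash
#!/usr/bin/env bash
# Added example: report which gocryptfs-backed vaults are currently unlocked.

# Print the mount point of every gocryptfs FUSE mount found in a mount table
# read from stdin (same format as /proc/self/mounts), one per line.
unlocked_vaults() {
    awk '$3 == "fuse.gocryptfs" { print $2 }' |
        # The kernel writes space, tab, newline and backslash in paths as
        # \040, \011, \012 and \134. Rewrite \NNN to \0NNN so that
        # printf %b decodes it portably.
        sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g' |
        while IFS= read -r mount_point; do
            printf '%b\n' "$mount_point"
        done
}

# Succeed (exit status 0) only when no gocryptfs mount is present in the
# mount table on stdin, i.e. every vault is locked.
vaults_locked() {
    [ -z "$(unlocked_vaults)" ]
}

# Constructed sample mount table: two unlocked vaults (one with a space in
# its name) between unrelated mounts. Paths are illustrative only.
sample_mounts() {
    cat <<'EOF'
/dev/nvme0n1p8 /home ext4 rw,relatime 0 0
/home/deck/.local/share/plasma-vault/Personal.enc /home/deck/Vaults/Personal fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,max_read=131072 0 0
/home/deck/.local/share/plasma-vault/Tax\040Docs.enc /home/deck/Vaults/Tax\040Docs fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,max_read=131072 0 0
portal /run/user/1000/doc fuse.portal rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}

echo "Unlocked vaults in the constructed sample:"
sample_mounts | unlocked_vaults

# On a real system, read the live mount table instead:
#   unlocked_vaults < /proc/self/mounts
#   vaults_locked < /proc/self/mounts && echo "all vaults locked"
```
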

The upside of gocryptfs is that it's written in Go, which makes it easy to deploy on a read-only filesystem such as the Steam Deck's (as it's statically linked and doesn't depend on dynamic system libraries).

To get things set up, I've installed the binaries in my ~/.local/bin/ directory and extended the plasma session PATH environment to be aware of this new executable location path.

#
# https://github.com/rfjakob/gocryptfs/releases
#
version=v2.4.0
archive="gocryptfs_${version}_linux-static_amd64.tar.gz"

local_bin="$HOME/.local/bin"

mkdir -p "$local_bin"

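# Use a private, unpredictable scratch directory instead of a fixed /tmp path
# (a fixed path fails on re-run and can be pre-created by another user).
download_dir="$(mktemp -d)"
pushd "$download_dir"

# The release page also lists a detached .asc signature for each archive;
# verifying it with gpg before extracting guards against a tampered download.
wget "https://github.com/rfjakob/gocryptfs/releases/download/$version/$archive"
tar xf "$archive"

mv gocryptfs gocryptfs-xray "$local_bin/"

#
# KDE will source all scripts in your $HOME/.config/plasma-workspace/env directory.
# Single quotes are important here to avoid variable interpolation.
#
echo 'export PATH="$HOME/.local/bin:$PATH"' > "$HOME/.config/plasma-workspace/env/local-bin.sh"

popd && rm -rf "$download_dir"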

# Reboot / Re-login and start using Vaults.