Chromebooks are one of the most secure devices you can give a non-technical end user, and at a price point few can argue with, but that security comes with a privacy trade off: you have to trust Google, which is part of the NSA’s Prism programme, with your data in the cloud.
Even those who put their faith in the company’s rusty “don’t be evil” mantra may find Chromebook functionality limiting—if you want more than Google services, Netflix, some other Web apps, and maybe the Android app store, then you’re out of luck.
Geeky users willing to engage in some entry-level hackery, however, can install Linux on their Chromebook and unleash the Power of Torvalds™.
Crouton: Linux crunch for your Chrome salad
Crouton installed in less than half an hour on our 2016-era Acer Chromebook (buy here), and runs in a chroot side-by-side with Chrome OS. The project name is an acronym for “ChRomium Os Universal chrooT envirONment,” according to the witty GitHub README, and currently supports Debian Linux and derivatives like Ubuntu and Kali Linux.
Trying out Crouton is easy, and worth an evening’s tinkering. Enter developer mode on your Chromebook, which for most users means holding down the Esc and Refresh keys while tapping the power button. Doing so will erase all local data on your Chromebook (in the unlikely event that you have any locally stored data on a cloud-focused device, granted). Hit Ctrl-D, Enter, and wait five minutes or so for the Chromebook to wipe.
Once in developer mode, your Chromebook will offer a warning message every time you boot-up that the device is now vulnerable. David Schneider, the Crouton maintainer, who works for Google but was unable to get permission to speak to Ars for this article, outlines the security trade offs on the Crouton wiki:
“Dev mode out of the box does several things that compromise security, including disabling verified boot, enabling VT2 [terminal], and activating passwordless root shell access. This means even without Crouton, if you’re in dev mode, someone can switch to VT2, log in as root and add a keylogger that runs at startup, then switch back without you knowing. If you’re logged in, they can also access the unencrypted contents of your Chrome profile and copy it elsewhere. If an exploit to Chrome is found, verified boot will no longer protect you from persistent compromises. Essentially, dev mode by default is less physically secure than a standard laptop running Linux.”
You’ve been warned. Once in dev mode, enter your Wi-Fi password and accept the EULA, then select “Browse as Guest.” Head on over to Schneider’s GitHub repo and download Crouton, and follow the instructions.
Open a terminal in Chrome OS. To do so, hit Ctrl-Alt-T in a browser, which will open
crosh, the native, stripped-down shell. Type
shell to get a real shell, and run
sh ~/Downloads/crouton to see install options.
Crouton defaults to Ubuntu LTS 12.04. A sensible first-time default install might look like:
sudo sh ~/Downloads/crouton -e -t xfce
This will install Crouton with the xfce desktop environment, with encrypted
(-e) filesystem and touchcreen
(-t) support. A full range of distro images are available and can be specified with the release
(-r) flag. If all you’re after is a Linux command line, you can eschew X and install a headless Linux system using
-t core or
Alas, Crouton doesn’t check developer signatures, because bugs, making it difficult to be sure your download hasn’t been MITMed. Hopefully this issue will be fixed soon.
Once installed, launch Crouton from Chrome OS by opening
crosh with a Ctrl-Alt-T, typing
shell, followed by
enter-chroot startxfce4. If you’re running an ARM Chromebook, you’ll be limited to F/LOSS software compiled to support that chipset, but Intel Chromebook owners can look forward to hours of distraction playing Steam games. Numerous integration features make it easy to switch back and forth between Chrome OS and your Debian-based chroot.
When your significant other or school-age child demands their Chromebook back, deleting your hackery is as simple as disabling developer mode. At boot, instead of clicking through the Chrome OS warning page with Ctrl-D, re-enable normal mode by hitting the space bar (see screenshot). This will wipe your changes and restore Chrome OS, and send you running to Amazon for a Chromebook of your very own to hack.