Steam Deck

Full disk encryption?
I have been searching around and haven't found anything that is convenient to set up. Initially I just wanted to encrypt the SD card since that's where my non-Steam games live, but have read other discussions that have convinced me that I would really want the main drive protected (mostly) with full disk encryption. So if this was a fresh Linux install I know how to do this and I would want to be prompted at boot for the decryption key, so does anyone have any recommendations for a user that mostly keeps the device in "mobile mode"? In other words I'm not interested in needing a mouse + keyboard to pull this off because I want to use the device as a handheld gaming device and not a thin client that can game.

For a "mobile" device it is disappointing that this isn't already part of the default experience. Yes, I'm aware you can protect the device with pass codes currently, but your data is not encrypted and users who want to use their Steam Deck as a Linux desktop should be concerned about this (or not, it depends on you). I have read I can install Windows and utilize a TPM to BitLocker the device but that's not ideal either, plus I'd rather game on Linux on this device, I have a Windows PC for everything else.

So if anyone has recommendations I'm all ears. I'm running a 2TB M.2 and a 1TB SD card that I would like FDE on both, with my NVMe drive as the main and the SD card as my emulator drive. This post isn't intended to discuss the merits or paranoia, I'm just asking if there is a technical solution to full disk encryption that works well with the touchscreen/device buttons.
retrogunner May 6, 2023 @ 10:36pm 
Disclaimer - I've not dug into this topic to date for the Deck. I don't think Valve is bundling the necessary kernel mods (but I could be wrong not having checked.)

Unless Valve bakes in Full Disk Encryption, you'd have to come up with a janky workaround & lots of manual effort. If you take a look through the https://wiki.archlinux.org/title/Category:Data-at-rest_encryption entries, EncFS is likely your closest, viable option.
(Remember, SteamOS 3 is a downstream Arch distro like Debian > Ubuntu > Mint)

Wanting to keep a lean, appliance-like OS, there's many things they leave out for the kernel & other utils. The limited kernel modules would eliminate a full disk encryption via dm-crypt or ecryptfs[wiki.archlinux.org].

Instead, you'll likely be able to use EncFS[wiki.archlinux.org] on a per directory level given it uses the very common FUSE kernel feature.

No matter what, the Deck will experience a performance hit. But if you limit it to very select directories - like the account data directory and not steam/steamapps/common - that could be a fair compromise.

But, if you encrypt any data that is required when booting up to the default gamemode sequence, you could have a bad trip.

Please be sure to post your findings & experience. This is one area I've deeply explored on the Steam Deck.

Cheers, retro.
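
Added example (not written by anyone in this thread): one way to check the kernel-module question raised in the post above instead of guessing. It assumes the kernel exposes its build config at /proc/config.gz or /boot/config-<release>; the function names and SAMPLE_CONFIG are made up for illustration.

```shell
#!/bin/sh
# Added example: which at-rest encryption layers does this kernel support?
# Function names and SAMPLE_CONFIG are illustrative, not from the thread.

# Constructed sample input (not a real SteamOS kernel config).
SAMPLE_CONFIG='CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_ECRYPT_FS is not set
CONFIG_FUSE_FS=y'

# feature_state CONFIG_TEXT SYMBOL -> prints builtin, module or absent
feature_state() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;   # "# CONFIG_X is not set" or no line at all
    esac
}

# Print the running kernel's config if the system exposes it.
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# report CONFIG_TEXT -> one line per encryption layer named in the thread
report() {
    for pair in "dm-crypt:CONFIG_DM_CRYPT" \
                "eCryptfs:CONFIG_ECRYPT_FS" \
                "FUSE (EncFS, gocryptfs, CryFS):CONFIG_FUSE_FS"; do
        printf '%-32s %s\n' "${pair%%:*}" "$(feature_state "$1" "${pair##*:}")"
    done
}

if cfg=$(read_kernel_config 2>/dev/null); then
    report "$cfg"
else
    echo "kernel config not exposed; showing constructed sample instead"
    report "$SAMPLE_CONFIG"
fi
```

A result of `builtin` or `module` only says the kernel was built with the feature; the user-space tools (cryptsetup, encfs, gocryptfs, cryfs) still have to be present separately.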
TheCrazyCanuck May 6, 2023 @ 11:01pm 
Originally posted by retrogunner:
Disclaimer - I've not dug into this topic to date for the Deck. I don't think Valve is bundling the necessary kernel mods (but I could be wrong not having checked.)

Unless Valve bakes in Full Disk Encryption, you'd have to come up with a janky workaround & lots of manual effort. If you take a look through the https://wiki.archlinux.org/title/Category:Data-at-rest_encryption entries, EncFS is likely your closest, viable option.
(Remember, SteamOS 3 is a downstream Arch distro like Debian > Ubuntu > Mint)

Wanting to keep a lean, appliance-like OS, there's many things they leave out for the kernel & other utils. The limited kernel modules would eliminate a full disk encryption via dm-crypt or ecryptfs[wiki.archlinux.org].

Instead, you'll likely be able to use EncFS[wiki.archlinux.org] on a per directory level given it uses the very common FUSE kernel feature.

No matter what, the Deck will experience a performance hit. But if you limit it to very select directories - like the account data directory and not steam/steamapps/common - that could be a fair compromise.

But, if you encrypt any data that is required when booting up to the default gamemode sequence, you could have a bad trip.

Please be sure to post your findings & experience. This is one area I've deeply explored on the Steam Deck.

Cheers, retro.
At that point I'll just buy the ASUS thing.....
Prezidentas May 7, 2023 @ 12:08am 
Neither the Deck nor the Asus has any way of entering an encryption password, unless you want to use TPM for your key, but that's just putting the key under the doormat.
tfk May 7, 2023 @ 7:01am 
Desktop Mode (KDE) has something called Vaults. It lets you create encrypted folders where you can store sensitive data. What I personally like is that the time window where the vault is open is limited. You open the vault, use the data, and when done close the vault again.
space_crossroads May 15, 2023 @ 9:49pm 
But how do you enable the backend (cryfs, gocryptfs...), as they are missing in the default SteamOS installation?
ReBoot May 15, 2023 @ 10:39pm 
Originally posted by space_crossroads:
But how do you enable the backend (cryfs, gocryptfs...), as they are missing in the default SteamOS installation?
Disable write-protection on the system & go to town. How would you do that on another Linux?
tfk May 16, 2023 @ 12:14am 
Yes, the back end is needed. On other Linux distros these packages are already there so it works out of the box.
space_crossroads May 16, 2023 @ 11:25am 
I wanted to avoid disabling write-protection, and installing that way, but if that's the only option, I might go that way. I'm actually looking for an option to use it via distrobox.

Now I'm using Cryptomator. It's good, but I think KDE Vaults has a better workflow.
Last edited by space_crossroads; May 16, 2023 @ 11:25am
FeGeAD May 30, 2024 @ 2:39am 
dm-crypt works now out of the box, including integration of KDE file manager
Last edited by FeGeAD; May 30, 2024 @ 3:15am
Draconic NEO May 30, 2024 @ 4:02am 
Originally posted by Prezidentas:
Neither the Deck nor the Asus has any way of entering an encryption password, unless you want to use TPM for your key, but that's just putting the key under the doormat.
USB keyboards work fine to enter passwords, if you have a docked setup on a desk one can simply enter it there.
Prezidentas May 30, 2024 @ 7:22am 
Originally posted by Draconic NEO:
Originally posted by Prezidentas:
Neither the Deck nor the Asus has any way of entering an encryption password, unless you want to use TPM for your key, but that's just putting the key under the doormat.
USB keyboards work fine to enter passwords, if you have a docked setup on a desk one can simply enter it there.
OK, install a desktop distro and set up encryption then.

Date Posted: May 6, 2023 @ 5:51pm
Posts: 11