ChromeOS Security Best Practices

ChromeOS is designed to be a secure operating system that employs several measures to ensure that your private data is protected and kept safe from malicious users. This section of the guide will provide you with several practical ways to ensure your ChromeOS Device is as secure as possible.

If you are using a managed ChromeOS device provided by an employer or educational facility, they may already force several of these measures by default and limit your ability to change these settings.

Physical Security

You should always ensure that your device is kept in a secure location and not left unattended in locations where it can be stolen or tampered with, such as at a shared office facility, airport or coffee shop.

If you must leave your ChromeOS device unattended, lock the display first so that a password is required before the session can be resumed.

If you use a hardware security token, you should ensure that you remove your security token when not actively in use and keep it on your person at all times. Never leave your hardware token in your ChromeOS device when you step away.

Disable "PIN-Based Authentication"

Your ChromeOS device can be set up to be unlocked with a numerical PIN instead of a password. A numerical PIN can greatly reduce the time it takes you to unlock your device. However, it grants that same convenience to a malicious attacker, who can use several methods to obtain your password.

Secure Storage Locations

ChromeOS is designed to be a very secure operating system; however, it does not encrypt external or expandable storage. This means that an attacker who gains physical access to your device can remove the MicroSD card or USB flash drive and read it on any other computer. To protect against this sort of attack, always store sensitive documents on your ChromeOS device's internal storage, which is always encrypted.

Developer Mode

ChromeOS can be switched into "Developer Mode", which allows advanced users to gain additional access to the Linux subsystem present on all ChromeOS devices. When a device is placed into Developer Mode, it defeats many of the safeguards built into ChromeOS, such as verified boot, and may even stop automatic updates.

Generally speaking, you should never put your primary device into Developer Mode unless you specifically have the need to do so.

Disable Guest Access

All non-enterprise-enrolled ChromeOS devices can add "Guest Users". While guest accounts are useful for some use cases, especially on ChromeOS devices set up as a public internet kiosk or shared machine, it is strongly advised to disable the Guest Account on personal machines. A user with guest access will not be able to access any files stored on your device's internal storage. However, that user may be able to access files stored on any SD/MicroSD or USB storage device connected to your device.

Disable The Ability To Add Accounts

Devices that run ChromeOS can be set up to work with a theoretically unlimited number of users, as long as each has access to a Google account. However, this means that anyone can add their own account to your ChromeOS device and use it like any other user. An added user will not be able to access any files stored on your device's internal storage; however, that user may be able to access files stored on any SD/MicroSD or USB storage device connected to your ChromeOS device.