Richard Bucker

A New Case for ChromeOS

Posted at — Aug 6, 2022

As an independent “international” contractor I migrated to Mac because FileVault would encrypt the HDD so that my customers' data could be safe. Over the years I’ve refined my operation to implement my desktop on ChromeOS because it’s encrypted, everything is in the cloud, non-premium Chromebooks can do the job, and disaster recovery only takes a few minutes.

Recently, after some quirky hardware failures, I was forced to move my dev workstation to Pop_OS.

NOTE: One very costly operation is what happens when a client wants to leave and take their data while they are part of a monolithic application. Federated data was always partitioned based on some other metric like dates, but there is no reason that federated DBs could not be partitioned by multiple dimensions.

One particular client of mine has a position on networking that is mostly complete (and actually quite common). The philosophy is that ALL traffic must go through the VPN when connected. While this is good for them, it’s not good for everyone. Certainly if you are onsite then you really have no choice, but if you’re working from home [a] I do not want my music streaming going through the corporate network, [b] I do not want my email or chat going through the corporate network, [c] fill in the blank with ANY other communication in the clear.

The same rules apply to hotels.

There are a number of different configurations. On my Pop_OS laptops I use domain-directed routing (or some such name): only my customer domains, netmasks and IP ranges go out through that VPN. I also add some missing routes. Then all my private domains are on the local network or an IPsec tunnel, and the two can coexist. I know this because my wifi network is not on my lab network.
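The split routing described above, as an added example that is not from the original post: a small POSIX shell script for a Linux laptop that builds the per-client route plan, applies it with `ip route replace` (so a reconnect does not fail with "File exists"), and checks which interface a given destination would actually use. The VPN interface name `tun0`, the client networks `10.50.0.0/16` and `192.0.2.0/24`, and the function names are all assumptions made here; the plan is only printed unless you call `apply_client_routes` yourself as root. Split DNS for the "customer domains" part is not covered.

```sh
#!/bin/sh
# Added example: route only a client's networks through the VPN, leave everything
# else (streaming, personal mail, chat) on the local network's default route.

# Assumed VPN interface name; override with VPN_DEV=wg0 etc.
VPN_DEV="${VPN_DEV:-tun0}"

# Constructed sample client ranges (placeholders, not any real client's addresses).
CLIENT_NETS="10.50.0.0/16 192.0.2.0/24"

# Emit one "ip route add" line per CIDR without executing anything, so the plan
# can be reviewed or diffed against the previous engagement's plan first.
build_client_routes() {
    dev="$1"; shift
    for net in "$@"; do
        printf 'ip route add %s dev %s\n' "$net" "$dev"
    done
}

# Apply the plan. Needs root and an up VPN interface. "replace" is idempotent,
# so re-running after the VPN reconnects does not error on existing routes.
apply_client_routes() {
    dev="$1"; shift
    for net in "$@"; do
        ip route replace "$net" dev "$dev"
    done
}

# Parse the "dev <name>" field out of one line of "ip route get" / "ip route show"
# output. Pure function, so it can be checked on captured lines offline.
route_dev_from_line() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Ask the kernel which interface would carry traffic to $1 and compare with $2.
# Returns 0 when they match; use it after connecting to confirm the client range
# leaves via the VPN and, e.g., a streaming host does not.
route_goes_via() {
    dst="$1"; want_dev="$2"
    line="$(ip route get "$dst" 2>/dev/null | head -n 1)"
    [ -n "$line" ] && [ "$(route_dev_from_line "$line")" = "$want_dev" ]
}

# Default action: print the plan only. Word-splitting CLIENT_NETS is intended.
build_client_routes "$VPN_DEV" $CLIENT_NETS
```

After the VPN is up, `route_goes_via 10.50.1.7 tun0` should succeed while `route_goes_via 203.0.113.10 wlan0` (a constructed non-client address, assuming the wifi interface is `wlan0`) should also succeed; if the second one reports `tun0`, the client's profile has pushed a full default route and the split is not in effect.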

So here’s the environment:

For any particular client with or without VPN needs:

NOTE: we use the term “container” a lot here. Containers have many purposes and are constantly misused. In a server environment like Docker, Swarm or Kubernetes, a container is meant to run a standalone service which does not require an entire operating system. In this case the container is an entire OS. That means each has to be maintained, and so do the tools. On the one hand that might require a lot of disk, which modest ChromeOS devices do not have. The upside is that if you can manage your environments this way it can be automated, and others on the team will also benefit.

In conclusion:

Federating my development workspace on my ChromeOS machine means [a] when the engagement is complete I can just delete the container, [b] following proper procedures I should be able to recover a client container in a short time, [c] having a container that can run GUI and terminal software does limit the attack surface, [d] and my desktop is partitioned from the client's.

Use your desktop for normal desktop activities. And use the container for dedicated client activities.

UPDATE: keep in mind that a computer is more pencil than it is ‘Rube Goldberg’ device. It should be easier to maintain.