Secure Chrome Profile

I finally decided to use Chrome as my usual browser about a year ago today. One of Chrome’s shortcomings is security, not from websites or remote intrusions, but from local users. If you want the convenience of syncing bookmarks, history, and Chrome app shortcuts between devices and computers, you have virtually no security. You must either always sign out of Chrome or choose not to sign in in the first place. It’s easy for a local user, guest, or friend to simply switch to your profile (or open Chrome if you only have a default profile) and view all your history, bookmarks, saved passwords, etc. Currently the only method for protecting your setup is to install, IMHO, insecure, unstable, and unreliable extensions like “secure chrome profile,” which claims to password protect your Chrome profile. I’ve since seen it fail to block loading the Chrome profiles on more than one occasion.

My solution is Mac/Linux-specific and involves creating a default basic profile without signing in, and then creating a second profile that is a symbolic link to an encrypted disk image. On Mac this is quite easy and seems to work flawlessly. This method uses Chrome’s multiple profiles together with an encrypted virtual disk.

Open Chrome and navigate to the settings page.

Chrome Settings Page Screenshot

You will see that I have two user profiles set up. The first is a vanilla (default) Chrome profile. The second is the profile I intend to use for myself. You can customize the icons and names of these profiles however you wish. Do not log in to either of these profiles with your Google account information. Now that the profiles are set up, we will create a virtual encrypted disk image for the corresponding profile directory.

On Mac, you could follow directions from here to create the encrypted disk image, but that image is fixed in size and would not allow the profile directory to expand as needed when new bookmarks and Chrome apps are added. Instead use a dynamic-sized virtual encrypted disk, which will ensure the profile directory never runs out of space. I actually created a dynamic disk by following the directions outlined here. There must be a way to create a sparse disk image of a target directory in one go, but I created an encrypted sparse disk image. Ubuntu users can create a dynamic virtual disk using TrueCrypt. The target directory to encrypt will be the second user profile, or the one you intend to password protect. On Mac the path to my actual second profile is:

~/Library/Application\ Support/Google/Chrome/Profile\ 2/

When naming the disk image, be sure to give it a name that matches its directory. In this case, my disk image and directory are named “Profile 2.” This should now mount to:

/Volumes/Profile\ 2/

If the image does not for some reason mount to that path, you will need to manually mount it to that path as we will create a symbolic link using that path. Now that you have your disk image, simply mount the encrypted image and copy all the files from the actual directory to the mounted image. You can do this by just dragging all the files in the actual second profile directory to the root of the disk image. Once the disk has fully copied the actual profile contents, you can begin the linking process.

Make sure Chrome is closed. Delete the actual second profile directory. Be sure to empty the trash. Also make sure the encrypted disk image is mounted at the appropriate location. Now you need to create a symbolic link to the disk image in Terminal:

ln -s /Volumes/Profile\ 2/ ~/Library/Application\ Support/Google/Chrome/Profile\ 2

Notice the syntax of this command. You are creating a symbolic link to the encrypted volume and placing that link in the Chrome directory so that Chrome finds the second profile in the mounted directory. If you have problems running the command, make sure your paths are correct and make sure you have permissions (or use sudo for permissions). If you now open Chrome, you can switch to your encrypted profile. If you close Chrome and eject the encrypted disk, your profile is secure. You can try opening Chrome again and switching to your profile, but Chrome will not switch because the path to the profile directory is not mounted; it will instead use the default profile that isn’t logged into Chrome. You will also experience issues with switching to your profile if the image is not mounted at the same path you used in the symbolic link.
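A quick way to confirm the setup described above, added here as an example and not part of the original post. The function name check_profile_link and its return codes are assumptions of this example, and it treats the mount point existing as a directory as "mounted."

```shell
#!/bin/sh
# Added example: report whether a Chrome profile path is backed by the
# encrypted volume or is still a plain directory on the local disk.

# check_profile_link PROFILE_PATH MOUNT_POINT
# Return codes (constructed for this example):
#   0  symlink to MOUNT_POINT and the volume is present (profile unlocked)
#   1  PROFILE_PATH is a real directory: plaintext profile data on disk
#   2  PROFILE_PATH is a symlink, but not to MOUNT_POINT
#   3  symlink is correct but MOUNT_POINT is absent (image ejected, locked)
#   4  PROFILE_PATH does not exist at all
check_profile_link() {
    profile=${1%/}        # strip a trailing slash so -L tests the link itself
    mount_point=${2%/}

    if [ -L "$profile" ]; then
        target=$(readlink "$profile")
        target=${target%/}    # the post's ln command stores a trailing slash
        if [ "$target" != "$mount_point" ]; then
            echo "WARN: $profile links to $target, expected $mount_point" >&2
            return 2
        fi
        if [ -d "$mount_point" ]; then
            echo "OK: profile is served from the mounted volume"
            return 0
        fi
        echo "LOCKED: volume is not mounted at $mount_point"
        return 3
    fi

    if [ -d "$profile" ]; then
        echo "EXPOSED: $profile is a regular directory, not a link" >&2
        return 1
    fi
    echo "MISSING: $profile does not exist" >&2
    return 4
}

# Usage with the paths from the post:
#   check_profile_link "$HOME/Library/Application Support/Google/Chrome/Profile 2" \
#                      "/Volumes/Profile 2"
```

Run it once with the image mounted and once after ejecting it; a result of 1 means the original directory was never replaced by the link and the profile data is still readable without the image password.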

There you have it folks, secure chrome.