Duress PIN Setup
A duress PIN is a credential you enter instead of your real unlock code. On GrapheneOS, entering the duress credential at the lock screen triggers an immediate, irreversible wipe of the device and all installed eSIMs. This is not a soft reset. It destroys all local data and is designed for situations where you are compelled to unlock your phone and need to ensure nothing remains.
This is an advanced feature. It requires a clear threat model, careful preparation, and a recovery plan that exists entirely outside the device. If you enable this without understanding the consequences, you risk permanently destroying your own data by accident.
Why it matters
Most device protections assume you retain control of the phone. A strong PIN, biometric lockout, and encryption at rest all work well when the device stays in your hands. But there are situations — border crossings, coercion, theft under duress — where someone may demand you unlock the device. In those cases, the question shifts from "can they get in?" to "what do they find if they do?"
A duress credential answers that question by ensuring the answer is nothing. When entered, the device wipes completely. There is no confirmation dialog. There is no undo. The phone returns to a factory state, and any eSIMs provisioned on the device are destroyed.
This is a last-resort mechanism. It only makes sense if you have already prepared for the total loss of the device and everything on it.
Prerequisites
Before you touch the duress settings, complete every item on this list:
- Back up all critical data externally. This includes photos, documents, authentication app seeds, and anything stored only on the device.
- Record your messenger IDs and recovery information. Threema IDs, Signal PINs, session recovery phrases — write them down and store them in a secure location that is not this phone.
- Document your account credentials. Password manager recovery kits, email recovery codes, two-factor backup codes. All of it, stored elsewhere.
- Confirm you understand: entering the duress credential will destroy the device contents permanently. There is no warning, no countdown, and no recovery from the device itself.
Step-by-step setup
- Verify your external backups. Open your backup location — whether that is an encrypted USB drive, a secure cloud backup, or a written record stored safely — and confirm everything you need is there. Do not skip this step.
- Open Settings on your device. Navigate to Settings > Security > Duress password. This option is only available from the Owner profile.
- Set your duress PIN. Choose a numeric PIN that is clearly different from your real unlock PIN. Do not use a PIN that is one digit off, a reversed version, or otherwise easy to confuse with your actual credential. The consequences of accidental entry are total and permanent.
- Set your duress password. In addition to the duress PIN, you must also configure a duress password. This is a separate alphanumeric credential. Again, make it clearly distinct from any password you actually use to unlock the device.
- Confirm your understanding. Do not test the duress credential on your live device. Instead, review what you have set: you now have a real PIN and password for normal use, and a duress PIN and password that will wipe the device if entered. Make sure you can clearly distinguish between them under stress.
- Document your recovery plan. Write down exactly what you would need to do to restore a working device from scratch: where your backups are, what accounts need recovery, what credentials are stored where. Store this plan separately from the device.
Best practices
- Keep your duress credentials mentally separated from your real credentials. Some people use a completely different pattern — for example, if your real PIN is six digits, make your duress PIN four digits, or vice versa. The goal is to make it nearly impossible to enter the wrong one by accident, even when you are tired, stressed, or distracted.
- Review your recovery plan periodically. Backups go stale. Messenger IDs change. Authentication apps get reconfigured. If your recovery documentation does not reflect the current state of the device, the duress feature becomes a self-destruct button with no way back.
- Only enable this feature if your threat model specifically calls for it. If you cannot articulate a realistic scenario where you would need to wipe the device under duress, you probably do not need this feature. A strong lock credential, auto-reboot, and proper profile separation already provide substantial protection for most users.
- Consider who else might use your phone. If a partner, child, or colleague occasionally picks up your device, the existence of a duress credential is a serious safety concern. Anyone who enters it — intentionally or not — triggers the wipe.
Common mistakes
- Setting the duress PIN too close to the real PIN. A duress PIN of 1235 when your real PIN is 1234 is an accident waiting to happen. Choose something with no resemblance to your actual credential.
- Enabling the feature without a recovery plan. The duress wipe is designed to be unrecoverable from the device. If you have no external backups, you lose everything permanently: the data is gone for you as well as for the threat actor.
- Telling others the duress credential. The entire point is that it looks like a normal unlock attempt. If someone else knows which credential triggers the wipe, they may enter it accidentally or, worse, use that knowledge against your interests.
- Assuming partial wipe or recovery. There is no partial mode. The wipe includes all user data, all profiles, and all installed eSIMs. The device returns to factory state. Anything not backed up externally is gone.
- Forgetting you enabled it. If you set this up and then forget which PIN is which months later, you may wipe your own device. Keep a secure, external record of the fact that duress credentials are active, without recording the credentials themselves in an insecure location.
Reality check
A duress credential is a powerful tool, but it is not a complete security plan. It only protects data at rest on the device at the moment of entry. It does not affect data already synced to cloud services, messages already delivered to other people, or metadata held by your carrier or service providers.
It also requires you to be able to enter the credential. If the device is taken from you while unlocked, or if you are unable to interact with the lock screen, the duress PIN cannot help.
This feature works best as one layer within a broader approach: strong encryption, profile separation, minimal data retention, external backups, and clear operational procedures. It is a last resort, not a first line of defence.
Conclusion
The duress PIN on GrapheneOS provides a defined, predictable response to a specific threat: being compelled to unlock your device. It works exactly as designed — immediately and irreversibly. That precision is what makes it valuable, and also what makes it dangerous if misunderstood. Set it up only after your recovery plan is complete, your backups are current, and you are certain you understand what happens when it is used. This is a feature that rewards preparation and punishes carelessness in equal measure.