GrapheneOS is an open-source, privacy-and-security-focused mobile operating system for Google Pixel devices. It removes all Google tracking infrastructure, adds hardened memory allocation, verified boot, and gives you granular control over every app permission. It currently has over 300,000 active users including journalists, legal professionals, security researchers, and privacy-conscious individuals worldwide.

Will banking apps and everyday apps still work?

Yes. GrapheneOS includes a sandboxed Google Play Services environment that allows apps like CommBank, ANZ, Westpac, NAB, Uber, Google Maps, and MyGov to function normally — while keeping them strictly isolated from your personal data and each other.

What is Phantom Protocol?

Phantom Protocol is our exclusive in-house developed emergency data protection system. Features include remote erase, emergency PIN, decoy profiles, hardware sensor toggles, auto-reboot timer, and rapid lockdown mode. All features are completely legal in Australia and internationally.

What is included with every device?

Every order includes GrapheneOS (latest build, bootloader relocked), Phantom Protocol configured and armed, Threema license, Mullvad VPN 12-month subscription, global data eSIM for 170+ countries, local Australian SIM, multiple isolated user profiles, and 24/7 direct tech support.

Do you accept cryptocurrency?

Yes. We accept Bitcoin (BTC), Ethereum (ETH), Monero (XMR), and USDT via BitPay or direct wallet transfer. You can also pay with Visa, Mastercard, or Amex via Stripe.

Is a de-Googled phone legal in Australia?

Completely legal. These are standard Google Pixel devices running open-source software. You own the hardware and have the right to install whatever operating system you choose. Privacy is a fundamental right under Australian law.

Can I migrate from iPhone?

Absolutely. Our team personally guides every customer through the migration process: contacts, photos, notes, two-factor authentication apps, iMessage deregistration, and app equivalents. Most clients are fully operational within a week.

How long does shipping take and where do you ship?

Build time is 1–2 business days. Australian Express Post typically takes 1–3 business days with same-day dispatch for orders before 2pm AEST. International shipping available to 170+ countries via tracked courier, typically 5–12 business days.

What if I am not satisfied?

We offer a 100% money-back satisfaction guarantee within 14 days of receipt. In 450+ devices built, we have never had a refund request from someone who gave the device a genuine try.

What data do you collect when I order?

Only what is required to fulfil your order: name, shipping address, email, and payment details processed securely via Stripe. We never store card numbers. If you pay with Monero, you can order with minimal personal information.

← All Guides

First Boot Setup

Your device has arrived. It is hardened, encrypted, and running GrapheneOS — but it is not yet configured. The first boot is where you set the foundation. A deliberate, minimal setup now prevents messy security compromises later. Rush this step and you spend weeks undoing bad decisions. Take thirty minutes, follow the sequence, and your device starts clean.

Why It Matters

Most security failures on mobile devices trace back to the first hour. Users restore old backups full of bloatware and stale permissions. They connect to unknown networks. They install every app they can think of before reviewing a single setting. The result is a device that looks new but carries every bad habit from the old one.

GrapheneOS gives you a genuine fresh start — separate from stock Android in ways that matter. But the operating system cannot protect you from your own impatience. A good first boot is minimal, deliberate, and boring. That is exactly what you want.

Image placeholder — custom visual to be added

Step 1: The Boot Warning Screen

When you power on a Pixel running GrapheneOS, you will see a warning screen stating the device is running a different operating system. This is normal. Every Pixel that runs a non-stock OS displays this message. It does not mean your device is compromised, tampered with, or broken. The screen appears because the bootloader verifies the OS image and finds GrapheneOS instead of Google's factory image. Press the power button to continue booting.

If your device was provisioned by Privacy Devices, the bootloader has been re-locked after installation. This means the verified boot chain is intact — GrapheneOS is the verified, expected operating system on your device.

Step 2: Set a Strong Unlock Method

Your first real decision. Choose a PIN, password, or pattern to protect the device. For most users, a random 6-digit PIN is the right balance.

On Pixel hardware, a 6-digit PIN is more meaningful than it sounds. The Titan M2 secure element enforces exponential throttling on failed attempts. After several wrong guesses, delays escalate rapidly — making brute-force attacks against even a 6-digit PIN computationally impractical. A random PIN means no birthdays, no repeated digits, no sequences. Write it down and store it securely offline until you have committed it to memory.

Avoid biometrics as your sole unlock method. Fingerprint unlock is a convenience layer, not a security boundary. Set the PIN first, then optionally add fingerprint access afterward.

Step 3: Connect Carefully

You need internet access to check for updates and install apps. Be selective about how you connect.

Use a trusted Wi-Fi network you control, or your own mobile data connection. Do not connect to public Wi-Fi, hotel networks, or shared hotspots during initial setup. If you must use mobile data, insert your SIM or configure your eSIM before proceeding (see the SIM and eSIM Setup guide for details).

GrapheneOS randomises your MAC address per network by default, which is good practice — but connecting to a hostile network during setup still exposes you to unnecessary risk before your device is fully configured.

Step 4: Check for Updates Immediately

Before installing anything else, go to Settings > System > System update. Let the device check for and install any available updates. GrapheneOS releases security patches frequently. Your device may have been provisioned days or weeks ago, and patches issued since then need to be applied.

The update system uses A/B partitions — it downloads and installs in the background, then applies on the next reboot. Let the update complete and reboot when prompted.

Step 5: Do Not Restore Old Backups

This is critical. Do not blindly restore a Google backup, a cloud sync, or a full device transfer from your previous phone. Restoring everything defeats the purpose of starting clean. Old backups carry stale app permissions, tracking-heavy applications, accounts you no longer use, and configurations that conflict with a privacy-focused setup.

Start from zero. Install only what you need. If there is specific data you must transfer — contacts, photos, documents — move it manually via encrypted transfer or a USB cable after your device is fully configured.

Step 6: Install Only Core Apps First

Resist the urge to install everything at once. Begin with the essentials:

Secure messenger — Signal or a comparable end-to-end encrypted messaging app.
Browser — Vanadium is pre-installed and hardened. If you need a secondary browser, install one with strong privacy defaults.
Password manager — Bitwarden, KeePassDX, or your preferred option. This should be among the first apps on your device.
VPN — If you use a VPN service, install and configure it early so all subsequent network traffic is routed through it.

Install these from the App Store (GrapheneOS's F-Droid-compatible app source) or via direct APK from the developer's official site. Do not install sandboxed Google Play yet unless you have a specific, immediate need for it.

Image placeholder — custom visual to be added

Step 7: Plan Your Profiles Early

GrapheneOS supports multiple user profiles — isolated workspaces with separate apps, data, and encryption keys. Planning your profile structure now saves significant reorganisation later. A practical starting point:

Owner profile: Administration only. Minimal apps. Used for system settings and updates.
Daily profile: Your normal personal use. Messenger, browser, password manager, everyday apps.
Banking/Google profile: For compatibility apps that require sandboxed Google Play Services. Banking apps, rideshare, anything that demands Play Services.
Travel profile: A stripped-down profile for crossing borders or travelling. Minimal data, minimal apps.

You do not need to create all of these now, but decide on the structure before you start installing apps in the wrong places. See the Profiles and Compartmentalisation guide for full instructions.

Step 8: Review Key Settings

Work through these settings before you start daily use:

Permissions: Settings > Privacy > Permission manager. Review what each pre-installed app can access. Deny anything that is not clearly necessary.
Notification previews: Settings > Notifications. Set lock screen notifications to "Hide sensitive content" or disable them entirely. Notification previews on a locked screen leak information.
Private DNS: Settings > Network & internet > Private DNS. Set to a trusted provider such as Cloudflare (one.one.one.one) or Quad9 (dns.quad9.net).
Biometrics: If you choose to enable fingerprint unlock, do so now — but understand it is a convenience feature, not a replacement for your PIN.
Auto-reboot: Settings > Security > Auto reboot. Configure the device to automatically reboot after a period of inactivity. This re-encrypts the device and clears sensitive data from memory.
Sandboxed Google Play: Only install this if you have a confirmed need. It can be added to a specific profile later without affecting your other profiles.

Best Practices

Document your profile plan and PIN storage method before you finish setup. Memory is unreliable under stress.
Keep the Owner profile minimal. It is an administration workspace, not your daily driver.
Disable Bluetooth and NFC when not actively in use. Both are enabled by default on fresh installs.
Set a SIM PIN if your carrier supports it. This prevents your SIM from being used in another device without the PIN.

Common Mistakes

Restoring a full backup from a previous device and inheriting every old permission and tracking app.
Choosing a weak or predictable PIN (000000, 123456, birthday digits).
Installing sandboxed Google Play in the Owner profile instead of an isolated secondary profile.
Connecting to public Wi-Fi during setup because a trusted network was not available.
Installing dozens of apps before reviewing any system settings.
Skipping the initial system update and running on outdated patches for weeks.

Reality Check

A hardened operating system is not a magic shield. GrapheneOS provides strong defaults and meaningful isolation, but it cannot override poor decisions made during setup. If you restore a tracking-heavy backup, connect to compromised networks, and install every app you have ever used, you have an expensive phone running good software badly.

The first boot is your single best opportunity to start with discipline. Everything that follows builds on the choices you make in this first half hour.

Conclusion

A good first boot is quiet. Update the OS, set a strong PIN, connect to a trusted network, install only what you need, plan your profiles, and review your settings. No rushing, no bulk restores, no unnecessary apps. Thirty minutes of deliberate setup creates a device that is clean, compartmentalised, and ready for daily use without the security debt that comes from cutting corners.

Just received your device? Follow this guide and you are set.

Browse secure devices or ask us on WhatsApp.