Published May 12, 2026
Setting up GrapheneOS without losing your mind
Do it in this order: buy a Pixel that GrapheneOS fully supports (Pixel 9a is the straightforward pick; Pixel 10a is still experimental in the FAQ), flash with the web installer, and lock the bootloader before you spend hours on apps and toggles.
Which Pixel to buy
GrapheneOS only ships for hardware it can harden end to end. That is why the list is Pixels, not “any unlockable phone.” See supported devices.
Pixel 9a sits in the official production list. Pixel 10a is experimental: you get official builds, but expect rough edges until it graduates.
Buying notes that match the project’s own advice:
- Buy hardware you can bootloader-unlock; carrier-tied SKUs often ship with unlocking disabled at the firmware level.
- Flash it yourself when you can. Resellers add cost and trust you do not need; GrapheneOS recommends self-install partly because the web installer is meant to be simple.
Google’s published minimum support windows per model are in the FAQ table. Use that as “how long firmware keeps flowing,” not “how long any ROM stays trouble-free.”
The install is easier than people think
The installer is Chromium plus WebUSB talking to fastboot. Follow the Web installer guide step by step.
Computer side:
- Leave the browser ~2GB RAM and ~32GB disk free for unpack jobs.
- Use Chrome-class browsers (Chrome, Edge, Brave with Shields off, Vanadium). No Snap or Flatpak builds. No Incognito if it throttles storage for extracted images.
- Debian/Ubuntu: `android-sdk-platform-tools-common` for udev. Arch: `android-udev`.
- Prefer bare metal over a VM; USB passthrough is where installs go to die.
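A preflight script for the computer-side checklist above, assuming a Linux host. This is an added example, not part of the original post or GrapheneOS tooling; the function names and the list of browser binaries are this example's own assumptions, while the thresholds and package names come from the list.

```shell
#!/bin/sh
# Added example: preflight for the "Computer side" checklist (Linux host assumed).
# Function names and the browser binary list are assumptions of this example.

# Succeeds if a browser path points at a Snap or Flatpak build.
is_snap_or_flatpak() {
    case "$1" in
        /snap/*|/var/lib/snapd/*|/var/lib/flatpak/*|*/.local/share/flatpak/*) return 0 ;;
    esac
    return 1
}

# Succeeds if $1 KiB is at least $2 GiB (an empty reading counts as 0).
has_gib() {
    [ "${1:-0}" -ge $(( $2 * 1024 * 1024 )) ]
}

# Prints the udev rules package from the checklist for an /etc/os-release ID.
udev_package() {
    case "$1" in
        debian|ubuntu) echo android-sdk-platform-tools-common ;;
        arch) echo android-udev ;;
    esac
}

preflight() {
    fails=0
    mem=$(awk '/^MemAvailable:/ {print $2}' /proc/meminfo 2>/dev/null)
    disk=$(df -Pk "${HOME:-/}" 2>/dev/null | awk 'NR==2 {print $4}')
    has_gib "$mem" 2   || { echo "FAIL: under 2GB RAM available"; fails=$((fails + 1)); }
    has_gib "$disk" 32 || { echo "FAIL: under 32GB disk free"; fails=$((fails + 1)); }
    for b in google-chrome chromium microsoft-edge brave-browser; do
        p=$(command -v "$b" 2>/dev/null) || continue
        if is_snap_or_flatpak "$p" || is_snap_or_flatpak "$(readlink -f "$p")"; then
            echo "FAIL: $b at $p is a Snap/Flatpak build"; fails=$((fails + 1))
        fi
    done
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        virt=$(systemd-detect-virt 2>/dev/null) || virt=none
        [ "$virt" = none ] || echo "WARN: running under $virt; prefer bare metal"
    fi
    id=$(. /etc/os-release 2>/dev/null && echo "$ID")
    pkg=$(udev_package "$id")
    [ -z "$pkg" ] || echo "INFO: udev rules package for $id: $pkg"
    return "$fails"
}

preflight || echo "Fix the FAIL items before opening the web installer."
```

A browser installed both natively and as a Snap shows up only under whichever copy comes first in `PATH`, so launch the one the script reported as clean.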
Cable and port:
- Prefer the cable in the box. Plug into rear motherboard USB on desktops, not a flaky hub.
Bootloader:
- Tap Build number until Developer options appears.
- Enable OEM unlocking (some carrier SKUs need a one-time network check so stock Android can prove the device was not sold locked).
- Reboot with volume-down held until fastboot reads “Fastboot Mode.” Stay there; do not exit the menu mid-installer.
Then Unlock bootloader, Download when prompted, Flash release, Lock bootloader. Each unlock or lock wipes data. Plan for one clean wipe.
After flash:
- Yellow boot screen on newer Pixels shows the alternate-OS key fingerprint; match it to published hashes when the supply chain is not yours alone.
- Auditor plus a second Android device covers ongoing checks; see Hardware-based attestation.
Setup Wizard offers to turn OEM unlocking back off at the end. Leave it off unless you live in fastboot.
Good defaults after first boot
Lock screen hides sensitive notifications by default. Keyboard personalization from typing history stays off until you opt in. Wi‑Fi and Bluetooth scanning for “network location” stay off unless you enable them under Location services; that is what keeps the radios actually off when the toggles say they are off (Wi‑Fi privacy).
Keep Vanadium as browser and WebView. GrapheneOS argues against piling fingerprint-heavy “privacy” browser tweaks on mobile.
Permissions worth using on purpose:
- Network blocks internet for apps that have no business online.
- Sensors limits IMU access; you can default it off for newly installed apps under Security when you want the stricter baseline.
Scopes replace broad grants:
- Storage Scopes keep legacy storage-hungry apps working while you hand-pick folders (storage).
- Contact Scopes expose slices of the address book instead of the full dump (contacts).
Sandboxed Google Play installs per user profile from the GrapheneOS App Store. Play stays an app like any other, not an OS backend (details). If you rely on push notifications through Play services, give it a battery optimization exception as the docs describe.
For VPNs, GrapheneOS suggests Mullvad’s app or upstream WireGuard; turn on Always-on VPN and “block without VPN” when your client supports it.
Separate profiles separate data. Secondary profiles can end a session and drop encryption keys without rebooting the device (disk encryption FAQ).
Installing apps without rebuilding stock Android
- Side-load or fetch Droid-ify from its site or F-Droid; use it as the daily F-Droid client.
- Install FOSS replacements first so you are not fighting Play-shaped dependencies on day one.
- Add Aurora Store (F-Droid) when an app never hit F-Droid or licensing ties you to Play binaries. Read the anti-feature labels: Aurora hits Google’s CDN by design; tune or accept the trade.
If billing, Asset Delivery, or licenses get painful, install the Play Store through sandboxed Google Play in that same profile instead of stacking half-working storefronts.
A small starter pack
| Job | Pick | Notes |
|---|---|---|
| Password vault | KeePassDX | .kdbx files; pairs with desktop KeePass tooling. |
| Second factor | Aegis | Encrypted TOTP; export before you swap hardware. |
| Offline maps | Organic Maps | Vector maps and offline routing without a map vendor account. |
| Folder sync | Syncthing-Fork | Device-to-device sync without a hosted middleman. |
| Podcasts | AntennaPod | OPML in and out; downloads on your terms. |
| RSS | Feeder | Local feed reader when you want text, not algorithmic feeds. |
| Files | Material Files | SFTP/SMB/WebDAV when the stock Files app falls short. |
Each install is code execution plus whatever domains it phones home to; trim permissions when you notice an app overshooting.
Summary
Supported Pixel, web installer on real hardware with a sane cable, fastboot left alone during flashing, bootloader locked afterward, OEM unlock off in Setup Wizard. Apps: F-Droid through Droid-ify first, Aurora or sandboxed Play when something non-negotiable needs it, scopes instead of storage and contacts wide open. Boring beats clever here.