GrapheneOS version 2024053100 released.
This update contains the longly requested and demanded Duress Password feature. In any prompt where the user PIN or Password is requested, an optional duress PIN can be entered to make all data on device unrecoverable.
To configure this option go to Settings (in owner profile) -> Security -> Duress password.
Changelog:
  • add support for setting a duress password and PIN for quickly wiping all hardware keystore keys including keys used as part of deriving the key encryption keys for disk encryption to make all OS data unrecoverable followed by wiping eSIMs and then shutting down
  • disable unused adoptable storage support since it would complicate duress password support (support can be added if we ever support a device able to use it)
  • increase default max password length to 128 to improve support for strong diceware passphrases, which will become more practical for people who don't want biometric-only secondary unlock with our upcoming 2-factor fingerprint unlock feature
  • disable camera lockscreen shortcut functionality when camera access while locked is disabled to avoid the possibility of misconfiguration by adding the camera lockscreen shortcut and then forgetting to remove it when disabling camera access
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.153
  • kernel (6.1): update to latest GKI LTS branch revision
  • Vanadium: update to version 125.0.6422.147.0
  • GmsCompatConfig: update to version 115
  • make SystemUI tests compatible with GrapheneOS changes
I know many do not see the need for this but people living under oppressive regimes need this option to protect those they communicate with. Obviously one is still at risk in a physical attack scenario but this option really could help others.
reply
169 sats \ 5 replies \ @freetx 1 Jun
I've been thinking about this feature. First off I think its great, but I'm trying to imagine how it would play out in real life.
  1. You've been arrested by oppressive regime. They are demanding you give up your pin because they (rightly) believe you have sensitive material on your phone.
  2. You deploy duress-pin and your phone is erased.
  3. Now what?
They are going to know that you disabled / erased phone somehow. Are they now just going to let you go? Do they now torture you?
I have a feeling that a better feature is not a duress-erase-everything password. But a diversion-fake-account password? This way you give them a password and it takes them to an account filled with meaningless cat photos and "be there in 10 mins" messages.
I guess the thing is...unless the phone is erased they would probably take a backup and then its possible that they will access the real data.
I suppose the gold ring would be to combine these two ideas: Diversion pass takes them to fake account and simultaneously erases all the real data from main profile. In this way you get plausible deniability and erased messages.
reply
11 sats \ 0 replies \ @anon 2 Jun
Now what?
You've bravely sacrificed yourself to protect the data on your phone. Sometimes that's worth it.
reply
111 sats \ 1 reply \ @final OP 1 Jun
This feature had been heavily requested but it won't be added, it adds trust in a feature that wouldn't meet the objective people would want it to have. There will always be traces such a feature is either in use or was configured if they had file system access or other control. The device keeps the OS installed anyways so it can be recovered to a fresh install.
There's some justification here:
It wouldn't be good to assume a regime with power to locate you and kill you would be subverted by a simple trick. We are on many peoples' radars already as per leaked Cellebrite documentation describing their lack of GrapheneOS extraction capabilities. It wouldn't be far from the tree to assume the big guys describe GrapheneOS features to their customers and partners. A knowledgeable person also wouldn't trust a GrapheneOS user to comply with this feature.
You should never use GrapheneOS features to trick people, and to use the duress PIN that way isn't the way it's designed to be used. You can't really be sure that they will let you go if the trick worked or even if you complied either. If they can kill or torture someone without accountability then there'd be little disadvantage in keeping you or even killing you beyond them cleaning up the blood and guts. Duress is to protect data, not the device owner.
reply
13 sats \ 0 replies \ @freetx 2 Jun
Many thanks for the explanation.
reply
10 sats \ 1 reply \ @kepford 1 Jun
That's a good scenario and I think you are correct. My thought was more along the lines of wiping the phone before they ask for a pin.
Like I said, I don't think this feature protects the user more than those that are yet to be connected to them.
reply
13 sats \ 0 replies \ @freetx 1 Jun
My thought was more along the lines of wiping the phone before they ask for a pin.
ahhh...yeah good point.
reply
Thai is great. Graphene OS is gonna take a big leap with this.
reply
0 sats \ 2 replies \ @OT 1 Jun
Interesting option
I guess it’s easier to just wipe than to load a decoy
reply
The idea of a wipe on mine terrifies me. Primarily because I have no backup(s). Is there even a backup solution available?
reply
0 sats \ 0 replies \ @OT 5 Jun
I guess you would need to carefully pick what apps you want to use on the device. A bitcoin wallet like electrum it’s possible to have a backup. Not sure about notes, photos or password managers.
You would need to think about everything you install before setting up this option
reply
Sounds great!
reply