GrapheneOS Installation Guide


My "Complete Reboot" clients each receive a new mobile device with new anonymous service. Unless my clients absolutely insist on an iPhone, I issue new devices containing custom Android builds by default. This is going to get very technical, but the final product we create will possess more privacy, security, and anonymity than anything you can buy off of a shelf.

I strongly recommend GrapheneOS (grapheneos.org) as a hardened Android custom operating system. It eliminates all data collection by Google and introduces “full verified boot”. This feature detects modifications to any of the partitions and it will prevent reading of any changed or corrupted data. If changes are detected, such as a malicious physical attempt to compromise the device, error correction data is used to attempt to obtain the original data. This protects the device from many attacks. The authenticity and integrity of the operating system is verified upon each boot. Because of this, a Google Pixel device is required to install GrapheneOS.

Some may be surprised at that sentence. Yes, I recommend a Google Pixel device. This is because we will completely remove all software included with the device and replace it with a better version. Pixel devices offer superior hardware capabilities than most Android devices. I purchased a Google Pixel 4a for $349, paid in cash at a local BestBuy store. These devices are plentiful at many local retail establishments, and it is always best to pay cash for any mobile device. If you want to ensure longer support, you might consider purchasing a Pixel 5. The instructions presented here are identical for the 4a, 4a (5G), and 5, with the exception of the specific version of GrapheneOS. They should also work for Pixels released after publication. Always purchase the latest model which you can afford. The following steps were slightly modified from the GrapheneOS website at grapheneos.org/install. Always check that site before proceeding as things may have changed since this writing.

The following tutorial requires an Ubuntu Linux computer, and I used a laptop with Ubuntu 20.04 as the host. I believe this is the purest option with the highest success rate. You can attempt a browser-based installation at grapheneos.org/install/web, but I have received complaints about the process. However, this will be the easiest option for users without a Linux machine. You can also install dirctly from a Windows or Mac host with instructions from grapheneos.org/install, but software requirements can vary and driver issues can be complicated. The Linux steps are more universal. If you do not have a dedicated Linux computer, you can boot to an Ubuntu ISO file and choose the “Try Ubuntu” option instead of “Install Ubuntu”. This will present a temporary live Linux environment which should suffice for installation, but a dedicated Linux host is much better. Never use a virtual machine.

If you would like to learn more about complete configuration of an anonymous device, including custom VOIP options which provide unlimited telephone numbers, please check out my book Extreme Privacy.

Buy The Book

Listen to the GrapheneOS Episode

Phase One: Prepare Pixel Device and Linux Host


Before we can install the new software, we must prepare the phone itself. Turn on the Pixel device. Dismiss any attempts to enter a Google account.

• Swipe the menu up to launch “Settings” and click “About phone”.
• Tap “Build number” at the bottom several times until “Developer mode” is enabled.
• Click the Back” arrow and click “System”, “Advanced”, then “Developer options”.
• Enable “OEM Unlocking” and confirm the choice.
• Power off the device.

Next, we must configure software within our Linux computer. Conduct the following within an Ubuntu Terminal session. Note that the exact version presented here may have been updated.

• sudo apt install libarchive-tools
• curl -O https://dl.google.com/android/repository/platform-tools_r31.0.3-linux.zip
• bsdtar xvf platform-tools_r31.0.3-linux.zip
• export PATH="$PWD/platform-tools:$PATH"
• sudo apt install android-sdk-platform-tools-common
• sudo apt install signify-openbsd
• fastboot --version

The final command verifies that Fastboot is installed which should display the version number. We now need to boot our device into the bootloader interface. To do this, hold the power and volume down buttons simultaneously while the device is off. This should present a “Fastboot mode” menu. Connect the device to your Ubuntu computer via USB cable. Execute the following command within Terminal and verify it displays “OKAY”.

• fastboot flashing unlock

Press the volume down button on the mobile device until “Unlock the bootloader” is displayed, then press the power button.

Phase Two: Download & Install Graphene OS


We are now ready to download the new operating system files. First, you must navigate to grapheneos.org/releases and select your device within the “Stable Channels” section. Next, Identify the latest version number, such as “2021081411”. You will need to replace each version within the following examples (2021081411) with the latest version displayed on the website during your installation. If installing on a device other than the 4a, select the appropriate file. Note that the 4a is code-named "sunfish", while other models are code-named "bramble" (4a 5G), "redfin" (5), and "barbet" (5a). It is vital to choose the correct version for your device. Execute the following within Terminal ONLY for the 4a.

• curl -O https://releases.grapheneos.org/factory.pub
• curl -O https://releases.grapheneos.org/sunfish-factory-2021081411.zip
• curl -O https://releases.grapheneos.org/sunfish-factory-2021081411.zip.sig
• signify-openbsd -Cqp factory.pub -x sunfish-factory-2021081411.zip.sig && echo verified

The last command should display a confirmation that the software is correct. This confirms that we have downloaded a secure file which has not been intercepted or maliciously replaced. The following Terminal steps extract the download and install it to the device.

• bsdtar xvf sunfish-factory-2021081411.zip
• cd sunfish-factory-2021081411
• ./flash-all.sh
• fastboot flashing lock

You should now see the option “Do not lock the bootloader” on the device. Press the volume down button until “Lock the bootloader” is displayed and press the power button. You can now reboot the device by pressing the power button labeled “Start” or holding down the power button to turn off, and then turning on as normal. You may see an error about booting into a different operating system, but this is normal. Allow the phone to boot without making any selection. Upon first boot of GrapheneOS, press “Next” until the Wi-Fi connection screen is present. Connect to Wi-Fi and complete the following tasks, with considerations for each.

• Disable location services for now, this can be set up later if needed.
• Assign a secure PIN for the screen lock.
• If desired, add your fingerprint to the screen lock function.
• Skip any restore options.

Your installation is now complete. The device itself is completely encrypted and sends no data to Google. Next, let’s harden a few settings.

Phase Three: Configuration of GrapheneOS


Once you are within the new operating system, disable OEM unlocking and developer options with the following steps. This may be redundant, but we want to make sure we are protected.

• Swipe the menu up to launch “Settings” and click “About phone”.
• Tap “Build number” at the bottom several times until “Developer mode” is enabled.
• Click the Back” arrow and click “System”, “Advanced”, then “Developer options”.
• Disable “OEM Unlocking” and confirm the choice.
• Disable “Developer options”.
• Reboot the device.

Your new GrapheneOS device is very private and secure, but there is always room for improvement. There are no Google services, and Google is not receiving any data about your usage. This presents a new problem. Without Google services, there is no Google Play store which is used to obtain apps. Since we will not compromise our integrity by adding the required Google software to activate the store, we will use better options instead.

• Launch the Vanadium browser within the apps menu and navigate to f-droid.org.
• Click the “Download F-Droid” button.
• Confirm the download and click “Open” at the bottom of the screen.
• If prompted, click “Settings” and enable “Allow from source”.
• Click the back button and confirm the installation of F-Droid.
• Open the F-Droid application.
• Swipe down from the top and install any F-Droid updates available.
• If prompted, repeat enabling of “Allow from source” settings.
• Reopen the F-Droid application.

You now have a substitute app store which is not powered by Google. Many of the open- source applications we will use will come from this repository. This device is more private and secure than any stock unit which could be purchased from a retailer. Unlike a traditional iOS or Android phone, a user account is not required in order to use the device. If ever prompted to add a Google account, avoid or “skip” the option. This way, there is no single Google or Apple account which can be tracked, archived, and abused. Again, by default, GrapheneOS transmits no data to Google. Eliminating these privacy threats provides great benefits.

Along with F-Droid, I recommend the application Aurora Store. Aurora Store is an unofficial client to Google’s Play Store. You can search, download, and update apps. You can also spoof your device information, language, and region to gain access to the apps which are restricted in your country. Aurora Store does not require Google’s proprietary framework. With Aurora Store, you can install most of the mobile apps mentioned throughout this book. Aurora Store can be installed through F-Droid. During installation, be sure to choose “Anonymous” mode, which prevents Google account requirements. Always attempt any app installations through F-Droid before Aurora. If an app is missing from F-Droid, rely on Aurora Store. You can use the “Updates” menu of each app to make sure all of your installed applications stay updated. Make sure to keep Aurora updated through F-Droid in order to maintain functionality.

Let’s pause and digest what we have accomplished. Our phone possesses the basic communications technology we need for daily use. It does not share any data to Google or Apple. An account is not required to download applications; therefore, an account does not exist to collect and analyze data about our usage. There are no embedded cloud storage options which can accidentally be enabled. This is a huge feature for most clients. This minimal device encourages us to return to the original intention of a mobile phone: communications.

If you would like to learn more about complete configuration of an anonymous device, including custom VOIP options which provide unlimited telephone numbers, please check out my book Extreme Privacy.

Buy The Book

Privacy Guide


My latest book on Extreme Privacy is now available. Click HERE for details.


OSINT Guide


My latest book on Open Source Intelligence (OSINT) is now available! Click HERE for details.

Weekly Podcast


The weekly podcast presents ideas to help you become digitally invisible, stay secure from cyber threats, and make you a better online investigator. All book updates will be presented on the show. Click HERE to listen or subscribe.

Free Workbooks


These digital guides contain my entire collection of personal online data removal links from all of my books and the latest credit freeze tutorials. They are updated often as services change. Choose the PDF or Online versions below.

Data Removal PDF

Data Removal Online

Credit Freeze PDF

Credit Freeze Online