Hello devs,

I am very thankful for the duress PIN feature that just launched. It is obvious that a lot of time and care went into making sure the feature actually works as intended. Thanks again for all the hard work.

With that said, I would like to make a suggestion:

The current feature disables the entire phone. This does not give you any plausible deniability. If you are a journalist with damaging information on a particular nation, it would be obvious to an adversary that you deleted evidence.

Is it possible for this feature to have more granular control, allowing you to choose what gets deleted when the duress PIN is entered? It would be very helpful if you could select certain users while leaving the admin user untouched.

This would allow you to keep all sensitive information in a particular user, and covertly wipe all that information without making it obvious that you deleted information.

Thanks again for all the hard work!!

    de0u or a journalist or other such person. Getting rid of sources, or a sensitive story (backed up but worked on and researched on the device)

    It’s frequently easier to think up things for other people to do, than it is to actually do them.

    It sounds like a good idea to me, but I don’t have to make it happen.

    fid02 Thanks for the link. It is unfortunate that this issue has already been closed. I have personally, and several others that I am connected with have, needed a quick user delete feature more than once.

    I hope the dev team is open to more perspectives than one individual who seems to not understand there are many duress situations where a forensic audit isn't imminent... unless it is obvious there has been evidence deleted.

    A quick wipe of sub users would be much safer than an entire phone wipe, depending on the situation at hand.

    Props to the team for making such an awesome feature. A bit more granular control would greatly benefit their userbase.

      rusty-cheeto I hope the dev team is open to more perspectives than one individual

      Just saying so that it's clear, I'm not part of these conversations but I do know that this isn't the case. Features, decisions, etc are discussed by multiple people. Decisions aren't made by one person. Please don't make assumptions like this.

      You have to keep in mind that they have thought through these things. They've been working on this feature for a long time. If you read through the issue that was linked you'll see that deleting profiles can't be done in a way that doesn't leave traces of the old deleted profiles.

        I don't know if that's what the OP had in mind, but I also find the way de0u described the feature quite interesting: the ability to quickly delete a profile with sensitive information (e.g. banking profile, journalists' source data) without the need to withstand a forensic investigation (sidenote: a complete wipe of the device may not leave any forensic traces, but my adversary will probably still realize that the device has been wiped on purpose. I also have to think beforehand about whether I want to/can bear the consequences).

        Again, the thing does what it is supposed to do:

        1. Enter PIN
        2. Wipe all data and eSIM

        Now if you're going to be thrown in the Gulag for that, then think if it's worth it and don't give the Duress Pin.

        I don't understand all the melodrama surrounding this.

        This is an amazing feature, thank you GrapheneOS team for launching it sooner than expected by most of us.

          bayesian I don't understand all the melodrama surrounding this.

          I don't think there is any melodrama surrounding it. It's simply a discussion.

          other8026 If you read through the issue that was linked you'll see that deleting profiles can't be done in a way that doesn't leave traces of the old deleted

          But does that matter? I know the forum would cry 'security theatre', and I agree, but hear me out.

          A nuke phone option, like the one just released, is an epic addition. And is exactly what's needed in an OS like this.

          However, plenty of people use profiles to hide things or separate things that aren't being done to hide from deep state actors, or LE, or anyone with any ability to forensically inspect a phone.

          A lawyer being shaken down by a mafia, a journalist suddenly worried they're in a dangerous position and wants to quickly and slyly delete a contact list and drop point notes, but still needs to keep a working phone. A person trying to escape an abusive relationship that has a profile to help with that, but has been discovered. Even someone having an affair, whether that's right or wrong.

          These types of situations are arguably the majority of reasons why someone may want to use GrapheneOS and are wishing to utilise a duress feature. In all of these situations a complete wipe of the phone is overkill and may do more harm than good. And none of these situations are likely to present a chance that the phone will undergo anything near a forensic going over, or even anything more than a cursory glance.

          That said, I'm happy with the feature as is. For me, the all or nothing approach is all I would need.

          A question: my phone relies on a PIN for security, not a password. Are both required when attempting to set up duress erase? My threat model is mild, I am not protecting much. I couldn't tell whether entering a PIN alone was accepted on entry, and testing it is pretty drastic.

            jet_silver I think it's in anticipation of the new 2-factor method whereby you have a password and a PIN. My owner has a password and my profiles have PINs, so I have automatically set both without much thought. I imagine that you only have to enter either, not both. So if you only have a PIN then you only need to use a PIN. But yes, I can't test it either 😂

            jet_silver You need to enter both because you might eventually create a profile secured by a password, or change from a PIN to a password. If you only use a PIN, set a password and it won't do anything.

            jet_silver To trigger the wipe-before-reboot, you only need to enter one of either the duress PIN or duress password. So if your profile's screen lock is set to a PIN, you merely have to enter the duress PIN on any device credential screen (such as the lockscreen) to trigger the wipe-before-reboot. You won't be asked for both.
            Only in the setup screen for duress password is it necessary to set both a duress PIN and a duress password.

            Not sure I managed to explain it properly, so here's a video showing how it works in practice: https://x.com/tuxpizza/status/1797314703468753342

            Thanks for the very helpful remarks, the settings were accepted as soon as I entered both PIN and password.

            I wonder what happens in countries with key disclosure laws (this includes some "liberal" countries like the UK, France or Australia, too). If you can go to jail for not giving your password to the police, how is a duress PIN treated legally?

              Viewpoint0232 I'm not really sure that this is the correct forum to provide or discuss legal matters like that. Things are going to wildly differ in different parts of the world, and these things can change at moment's notice.

              GrapheneOS has designed a feature with a clear goal and a focus on reliably doing what it says. Beyond that, it is up to people to decide if, how, and when to use it.

                matchboxbananasynergy

                Yes definitely, and it shouldn't be GrapheneOS's problem anyway (like some countries not allowing call recording or mandating a camera shutter sound). I am just curious if anyone here has some legal knowledge.

                  Viewpoint0232

                  You seem to want an easy answer to satisfy a question that isn't so simple.

                  Whether or not duress pin is "legal" in whatever country does not matter. "Legal" is not a black and white thing, not even remotely. People get arrested for things all the time that are not technically illegal.

                  For any given country you happen to be in, let's say you get picked up by the cops and you trigger the duress PIN - will you get in legal trouble? Maybe/probably. Does this mean you'll actually be prosecuted for this? That's an entirely different thing, since it depends on
                  • what country you're in
                  • how good your lawyer is
                  • how much press your arrest gets
                  • what else you've been picked up for
                  • what other metadata they can find on you
                  or a million other things.

                  Matchboxbananasynergy already stated that this is not the proper forum for a legal discussion.