It’s frequently easier to think up things for other people to do, than it is to actually do them.
It sounds like a good idea to me, but I don’t have to make it happen.
fid02 thanks for the link. It is unfortunate that this issue has already been closed. I have personally, and several others that I am connected with, needed a quick user delete feature more than once.
I hope the dev team is open to more perspectives than one individual who seems to not understand there are many duress situations where a forensic audit isn't imminent... unless it is obvious there has been evidence deleted.
A quick wipe of sub users would be much safer than an entire phone wipe, depending on the situation at hand.
Props to the team for making such an awesome feature. A bit more granular control would greatly benefit their userbase.
rusty-cheeto I hope the dev team is open to more perspectives than one individual
Just saying so that it's clear, I'm not part of these conversations but I do know that this isn't the case. Features, decisions, etc are discussed by multiple people. Decisions aren't made by one person. Please don't make assumptions like this.
You have to keep in mind that they have thought through these things. They've been working on this feature for a long time. If you read through the issue that was linked you'll see that deleting profiles can't be done in a way that doesn't leave traces of the old deleted profiles.
I don't know if that's what the OP had in mind, but I also find the way de0u described the feature quite interesting: the ability to quickly delete a profile with sensitive information (e.g. banking profile, journalists' source data) without the need to withstand a forensic investigation (sidenote: a complete wipe of the device may not leave any forensic traces, but my adversary will probably still realize that the device has been wiped on purpose - I also have to think beforehand about whether I want to/can bear the consequences).
Again, the thing does what it is supposed to do:
Now if you're going to be thrown in the Gulag for that, then think if it's worth it and don't give the Duress Pin.
I don't understand all the melodrama surrounding this.
This is an amazing feature, thank you GrapheneOS team for launching it sooner than expected by most of us.
other8026 If you read through the issue that was linked you'll see that deleting profiles can't be done in a way that doesn't leave traces of the old deleted
But does that matter? I know the forum would cry 'security theatre', and I agree but, hear me out.
A nuke phone option, like the one just released, is an epic addition. And is exactly what's needed in an OS like this.
However, plenty of people use profiles to hide things or separate things that aren't being so done to hide from deep state actors, or LE, or anyone with any ability to forensically inspect a phone.
A lawyer being shaken down by a mafia, a journalist suddenly worried they're in a dangerous position and wants to quickly and slyly delete a contact list and drop point notes, but still needs to keep a working phone. A person trying to escape an abusive relationship that has a profile to help with that, but has been discovered. Even someone having an affair, whether that's right or wrong.
These types of situations are arguably the majority of reasons why someone may want to use grapheneOS and are wishing to utilise a duress feature. In all of these situations a complete wipe of the phone is overkill and may do more harm than good. And none of these situations are likely to present a chance that the phone will undergo anything near a forensic going over, or even anything more than a cursory glance.
That said, I'm happy with the feature as is. For me, the all or nothing approach is all I would need.
A question: my phone relies on a PIN for security, not a password. Are both required when attempting to set up duress erase? My threat model is mild, I am not protecting much. I couldn't tell whether entering a PIN alone was accepted on entry, and testing it is pretty drastic.
jet_silver I think it's in anticipation of the new 2 factor method whereby you have a password and a PIN. My owner has a password and my profiles have PINs so I have automatically set both without much thought. I imagine that you only have to enter either, not both. So if you only have a PIN then you only need to use a PIN. But yes I can't test it either 😂
jet_silver You need to enter both cause you might eventually create a profile secured by a password, or change from a PIN to a password, if you only use a PIN, set a password and it won't do anything.
jet_silver To trigger the wipe-before-reboot, you only need to enter one of either the duress PIN or duress password. So if your profile's screen lock is set to a PIN, you merely have to enter the duress PIN on any device credential screen (such as the lockscreen) to trigger the wipe-before-reboot. You won't be asked for both.
Only in the setup screen for duress password is it necessary to set both a duress PIN and a duress password.
Not sure I managed to explain it properly, so here's a video showing how it works in practice: https://x.com/tuxpizza/status/1797314703468753342
Thanks for the very helpful remarks, the settings were accepted as soon as I entered both PIN and password.
I wonder what happens in countries with key disclosure laws (this includes some "liberal" countries like the UK, France or Australia, too). If you can go to jail for not giving your password to the police, how is a duress PIN treated legally?
Viewpoint0232 I'm not really sure that this is the correct forum to provide or discuss legal matters like that. Things are going to wildly differ in different parts of the world, and these things can change at moment's notice.
GrapheneOS has designed a feature with a clear goal and a focus on reliably doing what it says. Beyond that, it is up to people to decide if, how, and when to use it.
Yes definitely, and it shouldn't be GrapheneOS's problem anyway (like some countries not allowing call recording or mandating a camera shutter sound). I am just curious if anyone here has some legal knowledge.
You seem to want an easy answer to satisfy a question that isn't so simple.
Whether or not duress pin is "legal" in whatever country does not matter. "Legal" is not a black and white thing, not even remotely. People get arrested for things all the time that are not technically illegal.
For any given country you happen to be in, let's say you get picked up by the cops and you trigger the duress pin - will you get in legal trouble? Maybe/probably. Does this mean you'll actually be prosecuted for this? That's an entirely different thing, since it depends on
what country you're in
how good your lawyer is
how much press your arrest gets
what else you've been picked up for
what other metadata they can find on you
or a million other things.
Matchboxbananasynergy already stated that this is not the proper forum for a legal discussion.
Hi all,
I had a quick test of the duress on the Pixel 8. I noticed that you need to press enter to start the process. If I may suggest, would it be possible for the duress to be triggered once the Duress PIN or Password is inputted without the need to press enter? Just a thought...
Thank you to the GrapheneOS team. This feature is amazing. It just gets better and better.
ShinRamen247 I had a quick test of the duress on the Pixel 8. I noticed that you need to press enter to start the process.
That is the same as entering a regular PIN/passphrase, right?
ShinRamen247 If I may suggest, would it be possible for the duress to be triggered once the Duress PIN or Password is inputted without the need to press enter?
I suspect that would require a substantial restructuring of the PIN/passphrase code, which must be right, so a change like that would be high-risk.
This can already be done by enabling "auto-confirm PIN" in your PIN options. We don't recommend doing that as it lowers security slightly compared to leaving it disabled, but the option exists. You should take care to make the actual PIN and duress PIN the same length if you enable that. If the actual PIN is for example 6 digits and the duress PIN is 8, then due to how auto-confirm PIN works, you won't be able to enter it.
Understood,
In the past my girlfriend wanted to check my phone and I wish there was a duress PIN. It would've saved my life!
So let's say that scenario was replayed, and the Duress PIN was e.g. 123123, all she needs to do is enter that and it's gone.
Otherwise she will be at it until she forces me to hand over the password. Lesson learnt and I have behaved.
Another question if I may, would the duress pin be triggered if there was a brute force attempt?