Help learning graphene

navtis

I am trying to set up my phone (a Pixel 8) with GrapheneOS for the first time and struggling with documentation. I have never had an Android phone. Phones I have had in the past have all run variants of Maemo or Sailfish, basically a more standard Linux version than Android. The Graphene documentation mostly assumes you are very familiar with Android, and so just covers points where Graphene is different from Android; on the other hand generic Android documentation mostly assumes you are very tied in to the Google ecosystem and doesn't necessarily help with a phone running Graphene and trying to minimise use of Google.

Understanding the use of 'profiles' for example, and how they are different from 'users' in more standard Linux.

Any suggestions for where to look for information, basic userguides for complete novices, etc?

other8026

navtis There is a YouTuber that many within the GrapheneOS community like. The channel name is "Side Of Burritos". I found a couple of videos that might be interesting for you. Keep in mind, though, that some of the other videos are a little older (like the two I'm posting here are from 1 and 2 years ago). I hope they can help you get a better understanding of things, but watch out, if you look for more videos, you may see lots of pictures of delicious burritos and get hungry like what happened to me just now.

Anyway, here are the videos:

Considering GrapheneOS? Quick tour + useful settings: https://www.youtube.com/watch?v=d777l1i1p2k

GrapheneOS Profiles - Work Profiles vs User Profiles | Shelter & Insular - https://www.youtube.com/watch?v=20C0FD7mGDY

Eirikr70

Hello, you will hardly find any information apart from the sources you have already mentionned. But I think Android is user-friendly enough for you to learn quite fast.
As for the profiles, I would say that they are a way to divide you apps/data into different "containers" with no transfer (a profile can't read what is available in the other profile. One profile can be "at rest" while another is active, except the master profile, that manages all the others (although it can't read them).

navtis

other8026 Those were useful. This one by Naomi Brockwell on profiles too:

Use a 2nd Profile to Stop Your Apps Communicating!

Having tried profiles a little bit now there is one feature I may be missing: how do you quickly see which profile you are using? For example, when the pin screen comes up its hard to be certain which profile you are entering the pin for.

The other thing that strikes me is that it would be useful to be able to change the entry method for profiles depending on the threat model. For example, I want the pin enforced for a banking app profile in case I put my phone down somewhere in public. But if the profile is just to isolate generic GPS apps then I would be happy to have some kind of equivalent of an ssh encryption key which allows automatic switching of profiles at user request so that switching is a bit less painful.

Also the profile switching icon is buried a bit too deep in the menu hierarchy for ease of use, it would be nice to have it on top...

I'm slowly getting there though :-)

Dumdum

navtis Having tried profiles a little bit now there is one feature I may be missing: how do you quickly see which profile you are using? For example, when the pin screen comes up its hard to be certain which profile you are entering the pin for.

If you drag the lock screen down twice to get to the shortcuts (drag once for notifications, twice for shortcuts), then you'll see some small icons in the bottom right. From right to left is the Power icon, the Settings icon and more importantly the Profile icon. Clicking this will allow you to switch profiles (and see your current profile obviously). You can also give the profile a distinct icon in the settings (Settings > System > Multiple Users > (profile) > click the icon to edit) so that you can tell the current profile just from the small icon displayed in the bottom right of the shortcut area.

N1b

Dan-cer I think the issue is not to enter the wrong pin, but to accidentally unlock the wrong profile (e.g. I want to go to my banking profile and assume that's the last one I was on, but happen to log in to my owner profile instead).

There are good use cases for using different pins or security settings btw., e.g. if you are okay sharing a specific profile with your partner or use one less sensitive profile in places where people or cameras can spot your pin.

navtis The other thing that strikes me is that it would be useful to be able to change the entry method for profiles depending on the threat model.

Not exactly perfect for what you are asking for, but to my knowledge the lockscreen security settings are independent in each profile. You could allow fingerprint unlock in one, long passkeys in the second and no protection at all in a third profile (not advised). This will make it easier to unlock lower threat model profiles without compromising the security of other profiles.

The method of switching profiles will remain the same though, and I assume it can't be automated since that might increase your attack surface.

navtis

Dumdum Yes, but you have to go to the shortcuts to see it. There's nothing on the pin input page to show which profile pin it wants!

Dumdum

navtis
If you have distinct icons for your profiles, you can also see what profile you're in from the icon in the top right of the lock screen (without dragging the lock screen down). Check the profile icon before accessing the PIN entry screen.

stereo3441

navtis You can also set distinct lockscreen/homescreen wallpapers so that you can instantly tell which profile you are attempting to unlock/are in. If you would like any more help or have any questions about Android or GrapheneOS I can send my current Signal invite link

navtis

stereo3441 I've set up wallpaper on the lockscreens now, so that solves my recognition problem. Thank you!

Dan-cer

At least if I am the only user of both profiles, the most obvious solution for me is to use the same PIN for both profiles.

navtis

N1b Yes, in fact I have enabled fingerprint on the GPS profile. But when I switch from the owner profile the default login method is still pin; I have to wait for the pin screen to timeout before the fingerprint option appears. Is there a way to reverse this? (ie. make the fingerprint option appear first)

N1b

navtis that sounds a lot like a bug, can't test it right now but I'll see whether it's occurring on my device too...