I recently learned about the boot key on the new generation Pixel devices. What does the key check and how is it different from Auditor? I have never used Auditor before. Is the boot key a complete replacement or are there differences?

I'm not an expert on all this, but I do know these things:

Android Verified Boot uses some system using hashes to make sure system files aren't tampered with. This is paired somehow with a key, signed by the GOS dev team. This is how we can verify the system image is built by GOS and can be trusted.

In a nutshell, Auditor uses this key and other keys and certificates to verify the installation hasn't been tampered with. Here's the intro for Auditor: https://attestation.app/about

I know as much as you know. Is there any reason to use Auditor since the boot key?

    adelina
    I'm not sure I understand the question.

    Basically all Auditor does is help users verify they're running unmodified GrapheneOS using the GrapheneOS Android Verified Boot key. Auditor can be run multiple times or it could be scheduled to run regularly and remotely to verify the OS wasn't tampered with.

    It's good to use it to check at least once if you ask me.

      • [deleted]

      It's true that I didn't understand the interest of the remote verification either...

      unwat My understanding is that Auditor does the same thing as I do when I manually check the boot key. Is there a reason to use Auditor (e.g. more trusted environment, more checks, more features, etc.)?

        adelina
        I don't think so. Pixels didn't use to display the full, or any boot key hash, so Auditor was actually very useful then.

        Personally, I just used it to remotely verify my installation the first time and I just left it running because I figure it won't hurt anything. After that it's not really necessary as long as the phone is locked again after OS installation. If it's locked, it's not really possible to tamper with the OS.

        Perfect! For me, the remote attestation was not a good experience because I don't want to ping the GrapheneOS servers all the time and I also don't want to use email and an email client on my device. Scanning locally with a second phone after installation was fine for me but the boot key is perfect because that means I don't use Auditor anymore. Less tech is always a good idea.

        9 days later

        This is not abc explained for Noobs but willing to learn like me. I downloaded from GrapheneOS site etc everything so far almost ok. Then Auditor for how + why to learn is drama, no step by step videos online found, on the official site I read and read again but don't understand it.
        1, verification with other Android....no option, this is my first Android.
        2, go to, make account log in no problem, then enable etc email no problem. But, what hours to choose because I don't understand the first and second option hours to fill in?
        From my device I did scan the qr code on the iPhone no problem, then what? How to scan back? They say refresh, ok I did then what? I no need to scan back? And no need to disable remote .... before I left?

        About the key...when restart I see the begin end numbers is yes the same, how can in a cpl seconds read/ check this key so long???

          Graphty6pro

          Android and Auditor use a lot of different technologies to work. The documentation online is very technical, so it's not very easy to follow. In a nutshell, it uses cryptography to verify the system files haven't been modified at all and you're running a legitimate version of GrapheneOS.

          Graphty6pro verification with other Android....no option, this is my first Android

          no problem. The remote verification works pretty much the same way as Android to Android pairing.

          Graphty6pro what hours to choose because I don't understand the first and second option hours to fill in?

          The first field, verify interval, is how often your phone will send data to the server to check if the OS is okay. The second field, delay until alerts, just means if your phone stops syncing the site will send you an email to tell you your phone isn't syncing. I have mine set to verify interval: 2 hours, delay until alerts: 32 hours.

          Graphty6pro From my device I did scan the qr code on the iPhone no problem, then what? How to scan back? They say refresh, ok I did then what? I no need to scan back? And no need to disable remote .... before I left?

          Once you scan the QR code from the Auditor app, you're finished. Everything will work on its own and you don't need to worry about it anymore. If there are any issues, you'll get an email or notification.

          If you can't scan, go to Auditor, hit the three dots menu in the upper-right hand corner, hit disable remote verification, hit the three dots again, then hit enable remote verification, then scan the QR code. Once it's scanned, you're finished. Then you can refresh the https://attestation.app/ page to see your information.

          Graphty6pro About the key...when restart I see the begin end numbers is yes the same, how can in a cpl seconds read/ check this key so long???

          Once you see that screen, hit the phone's lock button. It'll pause there while you check those numbers. When you're finished, hit the lock button again and your phone will start to boot up.

            I just got back home an hour ago and now reading your help by explaining it to me and I definitely understand how you do that, very helpful, thanks a lot! As you see English isn't the best, so when reading instructions or tech talk sometimes I misunderstand.
            Now (late but better than never) gonna switch to Android/ GrapheneOS, and still do not use the Pixel, every little time I try to learn some new info, the Pixel is in front with laptop install and personal future, and I won't completely understand it before I switch off the iPhone. And use the time to think about what is for me really needed about apps on the phone.
            Now that GrapheneOS finally finds its way in my country, companies asking around $1500,- so a lot of $$$.
            I just bought a new Pixel and learn how to here on the other site GrapheneOS. For all of you simple but for me, I keep thinking when doing something wrong I ******** my phone, lol. But with follow step by step and watching a video on YouTube it was simple hahaha.
            Thanks for the help!

            a year later

            Hello, is this boot key operational or not?

            • de0u replied to this.

              bilbo I think this thread (from a year ago) was asking about the Verified Boot signing key hash displayed by the bootloader on modern Pixel devices. If so, I do believe it is operational (on modern Pixel devices).