New to GrapheneOS, and new to this board, so not sure if this is the right place to ask.
I've recently switched to GrapheneOS and have been playing around with different setups, based on the documentation and on what I've read here. I'm curious about others' thoughts on this. Do I understand the technicalities correctly? Is this a secure setup? Am I getting this right? I know, I know, you'll tell me it depends on my threat model. But I prefer not to give too many details about that. Let's say I have a pretty sophisticated, well-resourced adversary, who is motivated to target me specifically.
I've currently set up three profiles, which I have named “1”, “2” and “3” so an attacker with access to these names would have no clue as to what they represent.
– 1 = Owner profile, no apps installed (except Private Lock just in case, see below)
– 2 = Google Play sandbox profile, with sandboxed Google Play and a few apps that require Google Play to function
– 3 = daily driver with all my apps, no sandboxed Google Play
All profiles have the Private Lock app installed from F-Droid so the screen gets locked when sudden fast movement is detected, e.g. when someone snatches the phone out of my hand while I’m writing a message. (By the way, imho this really should be a built-in GrapheneOS feature.) Also I have ProtonVPN with IP kill switch set for all profiles, but that's not really relevant when it comes to OS infosec.
Profile 1 (owner profile) has a strong, 10 diceword passphrase. The two other profiles both have the same random 6-digit PIN. Auto reboot is set to 2 hours. Since I tend to sleep more than two hours, my alarm clock is set in my owner profile so it still rings after reboot.
Workflow is like this: the alarm clock on my rebooted phone wakes me up in the morning. I unlock the phone as soon as I’m able to think properly (which admittedly, for a 10 diceword passphrase, can take some time; incidentally this discourages me from using my phone too early in the morning, which is a nice extra). After first unlock I immediately switch to my daily driver profile and leave it like that for the rest of the day. Only if I am in particularly risky situations do I log out from my daily driver profile and go back to the owner profile temporarily. The Google Play sandbox profile is rarely used, only when I specifically need one of those apps.
My reasoning is as follows:
– Owner profile is never at rest as soon as the phone is in AFU state. By putting my daily driver stuff in another profile, the second I feel uncomfortable with my security I can very quickly put it at rest by pressing the power button and logging out, going back to the owner profile. Assuming my suspicion was warranted, the attacker would then need to deal with the encryption at rest of my daily driver, even if they manage to get into my owner profile while in AFU state. I could also turn off the phone entirely of course, but by simply logging out and switching to the owner profile, I’m still reachable by regular phone calls and texts for urgent but non-sensitive stuff (e.g. school calls because kid developed a fever).
– Also, by putting the daily driver stuff in another profile and not in the owner profile, I can give my daily driver profile a less secure password (random 6-digit PIN, which is pretty secure already) without compromising the strength of the first unlock password: rebooting the phone will still require a 128-bit (10 diceword) owner profile passphrase.
– Entering a 10 diceword passphrase (or even a 7 diceword passphrase, for that matter) is however tedious and impractical for continuous use. I’m fine with doing it once a day, or at specific times when I specifically choose to augment my security (and diminish usability), or from time to time when I have a very long, uninterrupted meeting and the phone auto reboots. For all the rest, a random 6-digit PIN is way more practical.
How secure is this setup if I’m going about with my daily driver profile 99% of the time? Let’s say an attacker grabs my phone while I’m writing a Signal message on my daily driver profile. Private Lock locks the screen upon this sudden movement; the phone now requires my 6-digit PIN to unlock. Assuming the attacker has a way of circumventing the retry timer in the secure element (which is a generous assumption), they have 2 hours to brute-force that 6-digit PIN during AFU state before it auto reboots, and then have to deal with the BFU encryption and a 10 diceword passphrase (ain’t gonna happen). Without circumventing the secure element, they only have a couple dozen tries before the timer locks them out long enough to trigger the auto reboot, which would make it practically impossible to break in. So in short, they have to get the phone to a lab, start trying to break into it, deal with the disabled USB peripherals, circumvent the secure element and actually manage to brute-force the 6-digit PIN, all within two hours. Right? I don’t see this happening in any realistic scenario, but maybe I'm mistaken? Assuming a state actor, if I can trick them into bringing the phone to the interrogation, promising to unlock it for them, I can probably steal significant extra time for the auto reboot timer. Or enter the duress PIN, if I’d really want that...
I’ve been using this setup for a while now and I find it the perfect tradeoff between usability and security: the 6-digit PIN is already pretty safe and very easy to use constantly; entering the 10 diceword passphrase once or twice a day at specific moments is not much of an issue. But I'm not sure if I'm understanding everything correctly, so not sure if it's as secure as I think it is.
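The brute-force argument in the post above (a couple dozen throttled tries versus a 2-hour AFU window with the secure element bypassed) is easy to put numbers on. The following is an added example written for this thread, not code from the original post or from GrapheneOS. The throttle schedule in `ASSUMED_THROTTLE` is a constructed assumption for illustration only; it is not the documented Titan M / GrapheneOS retry schedule, and `bypass_rate` (guesses per second once throttling is defeated) is likewise a parameter you plug in, since that rate is what the whole argument hinges on.

```python
"""Model PIN brute-force guesses that fit inside an auto-reboot window.

Added example for the discussion above. Nothing here is GrapheneOS code;
the throttle schedule is a constructed assumption, not a documented one.
"""
import math

PIN_KEYSPACE = 10 ** 6          # random 6-digit PIN
WINDOW_SECONDS = 2 * 3600       # auto-reboot timer from the post

# Constructed assumption (NOT the real secure-element schedule):
# (highest attempt number covered, delay in seconds before EACH attempt).
ASSUMED_THROTTLE = [
    (5, 0),             # attempts 1-5: no delay
    (10, 30),           # attempts 6-10: 30 s each
    (20, 60),           # attempts 11-20: 1 min each
    (30, 600),          # attempts 21-30: 10 min each
    (math.inf, 1800),   # attempts 31+: 30 min each
]


def delay_before_attempt(n, schedule=ASSUMED_THROTTLE):
    """Delay the throttle imposes before attempt number n (1-based)."""
    for upto, delay in schedule:
        if n <= upto:
            return delay
    return schedule[-1][1]


def throttled_guesses(window_s, schedule=ASSUMED_THROTTLE, keyspace=PIN_KEYSPACE):
    """Guesses that fit before auto-reboot when the throttle is honoured."""
    elapsed, n = 0, 0
    while n < keyspace:
        d = delay_before_attempt(n + 1, schedule)
        if elapsed + d > window_s:
            break
        elapsed += d
        n += 1
    return n


def unthrottled_guesses(window_s, guesses_per_s):
    """Guesses that fit if the throttle is bypassed at a given rate."""
    return int(window_s * guesses_per_s)


def success_probability(guesses, keyspace):
    """Chance a uniformly random secret falls within `guesses` tries."""
    return min(1.0, guesses / keyspace)


def entropy_bits(symbols, length):
    """Entropy of a uniformly random secret of `length` symbols."""
    return length * math.log2(symbols)


def compare(window_s=WINDOW_SECONDS, bypass_rate=10.0):
    """Summarise both attacker cases for one window and bypass rate."""
    thr = throttled_guesses(window_s)
    byp = unthrottled_guesses(window_s, bypass_rate)
    return {
        "throttled_guesses": thr,
        "throttled_p": success_probability(thr, PIN_KEYSPACE),
        "bypass_guesses": byp,
        "bypass_p": success_probability(byp, PIN_KEYSPACE),
        "pin_bits": entropy_bits(10, 6),          # ~19.9 bits
        "diceware10_bits": entropy_bits(7776, 10),  # ~129 bits
    }


if __name__ == "__main__":
    for rate in (1.0, 10.0, 1000.0):
        r = compare(bypass_rate=rate)
        print(f"bypass at {rate:>6} guess/s: {r['bypass_guesses']:>9} guesses, "
              f"p={r['bypass_p']:.3f}; throttled: {r['throttled_guesses']} guesses, "
              f"p={r['throttled_p']:.6f}")
```

Under the assumed schedule the throttled attacker gets 30 tries in two hours (about 3 in 100,000 odds against a random 6-digit PIN), while a bypass that achieves 1,000 guesses per second covers the whole keyspace well inside the window. The number to ask about in the thread is therefore not "can they bypass the secure element" but "how fast can they guess once they have", and whether the 6-digit PIN still holds at that rate.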