@unlocked I see you make a lot of concerned posts, so here's what I think you should do: Make sure to buy the Pixel from a reputable shop, brand new, not previously used. Don't insert any SIM card into it. Don't connect it to anything beyond a charger using the USB-C cable included in the original box. Then do this:
https://discuss.grapheneos.org/d/30767-how-to-set-up-a-new-pixel-to-avoid-google-before-installing-grapheneos/2
Do exactly what I did. You can also check your security patch level to confirm you have the latest (at least January 5, 2026 as of now). Don't waste time until Google releases the next month's updates. After you do this, you must get the correct verified boot key fingerprint in a secure way, and I recommend writing it down on a piece of paper in your handwriting (you can group every four characters together to keep track of them visually, or use another trusted person to read it out for you while you're writing it down). The official fingerprints are listed here:
https://grapheneos.org/install/web#verified-boot-key-hash
https://grapheneos.org/install/cli#verified-boot-key-hash
Some ideas for what might be a secure way of getting it: using the stock Pixel OS's Chrome browser, or going to a random stranger and asking them to browse to the page.
Once you know your Pixel is authentic and up-to-date, and you know the authentic verified boot key fingerprint of GrapheneOS, you have the ability to know you installed the official GrapheneOS and locked the bootloader with it, which is a strong guarantee that your device will stay secure going forward.
Next, install GrapheneOS using the official installation guide (you can choose either):
https://grapheneos.org/install/web (easier)
https://grapheneos.org/install/cli
I recommend manually downloading the latest stable security preview installation zip from the releases page, for the CLI guide. The security preview release isn't linked to from the releases page, so you'll have to copy the link to the latest stable release and change the version number to match the security preview version (just change the 00 at the end to 01). This will ensure you're directly installing the security preview release, instead of installing the vulnerable open source release and then upgrading to security previews, but you will still have to enable security previews in the System Updater settings if you want to stay on the security previews.
It shouldn't matter if you use an infected computer to install it, but you should avoid it if possible, and even better if you can find an up-to-date Chromebook or Mac with Apple silicon. After you install GrapheneOS, you must lock the bootloader.
After you've installed GrapheneOS and locked the bootloader, do exactly this:
- Disconnect all cables and peripherals from the Pixel. Don't plug anything into it.
- Make sure the Pixel is powered on. If it's off, you can just power it on, and press the power button to pause on the boot warning. (You should release the power button, and the text should say “press the power button to resume” instead of “to pause”.)
- Release all buttons. Start holding the power button and keep holding it for 34 seconds. When the time is over, release all buttons and start holding only the volume down button. Wait until your Pixel reaches Fastboot mode.
- Release all buttons. Use the volume buttons to scroll to the recovery mode (not rescue mode) option, and press the power button once to confirm the selection. When you see the boot warning, press the power button once to pause on the boot warning screen.
- Verify that the screen shows exactly this: a yellow (not orange, not red) warning sign; the text “Your device is loading a different operating system” (no warning about “integrity” or an “attacker”); the full fingerprint is displayed, and you must verify it against your handwritten paper, and it must match exactly. Only if what you see matches what I said, you know your new Pixel is locked with the authentic GrapheneOS. If something doesn't match, then the authentic GrapheneOS wasn't installed on your device, or you didn't lock the bootloader, or some other fault, and you need to go back, and repeat all of these steps from the beginning (not just this step).
- Press the power button once to resume booting into recovery mode. Once you see the empty screen with the green robot illustration, start holding the power button, and press the volume up button once to enter the recovery menu.
- Release all buttons. The line at the top should say “GrapheneOS Recovery”, and it should show which GrapheneOS version you have. You must make sure that the shown version number matches the latest stable security preview release on the GrapheneOS website, or the latest non-preview version if you used the WebUSB method.
- Use the volume buttons to scroll down to the factory reset option, and confirm erasing all of the data. Once the factory reset conpletes and you're back at the main menu, scroll down to the poweroff option and confirm.
You can now start using your new Pixel. Don't ever unlock the bootloader again unless you want to go back to the stock OS. You don't need to unlock the bootloader to “reinstall” GrapheneOS or even to sideload an OTA update package. Unlocking the bootloader puts your device at risk.
Next, follow my guide to increase security from the default out of the box state:
https://discuss.grapheneos.org/d/28682-maximum-security-and-anonymity/4