graphene improvements + css

anarsec 2024-04-11 19:39:00 +00:00
parent d34cbea02a
commit 6ebbac8958
No known key found for this signature in database
5 changed files with 26 additions and 18 deletions


@ -25,7 +25,11 @@ Due to the nature of [how the technology works](https://citizenlab.ca/2023/10/fi
# Installation
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
[Google Pixel](https://www.privacyguides.org/android/#google-pixel) phones are currently the only devices that meet the hardware security requirements of GrapheneOS - see [supported](https://grapheneos.org/faq#device-support) and [recommended devices](https://grapheneos.org/faq#recommended-devices). "Hardware memory tagging support" is a very powerful security feature that was introduced with the Pixel 8, [making it substantially harder to remotely exploit user installed apps like Signal](https://grapheneos.social/@GrapheneOS/111479318824446241).
Starting with the Pixel 6, Pixel devices will receive at least [5 years of security updates](https://grapheneos.org/faq#device-lifetime) from the date of release. End-of-life devices (GrapheneOS "extended support" devices) do not receive full security updates and therefore are not recommended. See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime).
Avoid carrier variants of the phone, i.e. don't buy one from a mobile operator, which may prevent you from installing GrapheneOS. The cheapest option is to buy the "a" model right after the next flagship model is released - for example, the Google Pixel 6a after the Pixel 7 is released.
[GrapheneOS can be installed](https://grapheneos.org/install/) using a web browser or the [command line](/glossary#command-line-interface-cli). If you are uncomfortable with command line, the web browser installer is fine; as the [instructions note](https://grapheneos.org/install/cli#verifying-installation), "Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with Auditor", which is explained below. Both methods list the officially supported operating systems.
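Review bot: the added sentence "See [how long GrapheneOS will support the device for](https://grapheneos.org/faq#device-lifetime)" at the end of the update-lifetime paragraph links to the same faq#device-lifetime anchor that "5 years of security updates" already links to two sentences earlier, so the paragraph now points at one target twice. Drop the new sentence, or keep it and remove the earlier link. In the Pixel 8 sentence, "user installed apps" should be hyphenated, and "Hardware memory tagging support" is introduced in this hunk without saying whether the reader has to enable it after installation; a short pointer to where that is covered would help.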
@ -86,8 +90,9 @@ The Owner user profile is the default profile that is present when you turn on t
We'll now create a second user profile for all applications that don't require Google Play services:
* **Settings → System → Multiple users**, press **Add user**. You can name it Default and press **Switch to Default**.
* Set a [strong password](/posts/tails-best/#passwords) that is different from your Owner user profile password.
* In the Default user profile, **Settings → Security → Screen lock settings → Lock after screen timeout** can be set to 30 minutes to minimize how often you'll have to re-enter the password.
* Set a password that is different from your Owner user profile password.
* Choose either the combination of a weak password + small locking time (trusting the rate-limiting of password attempts [enforced by the secure element](https://grapheneos.org/faq#encryption)), or a [strong password](/posts/tails-best/#passwords) + longer locking time (if rate-limiting is bypassed through a firmware vulnerability this is still a strong password, but the profile data is vulnerable if the device is left unattended). Keep in mind that if police ever seize your device (such as during a daytime house raid), it should ideally be turned off, and at minimum, it should be locked (which starts the countdown to the Auto-reboot feature mentioned below).
* In the Default user profile, you can set the locking time with **Settings → Security → Screen lock settings → Lock after screen timeout**, and the screen timeout with **Settings → Display → Screen timeout**.
Later, we will optionally create a third user profile for applications that require Google Play services.
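Review bot: the new "Choose either" bullet recommends "a weak password + small locking time" without defining either term, and the concrete 30-minute value from the removed line is gone, so readers have no reference point for "small" or "longer". Suggest giving an example value for each option and stating what a "weak" password must still satisfy for the secure-element rate limiting to be relied on. The sentence about police seizing the device is separate advice from the password trade-off and would read better as its own bullet.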
@ -156,9 +161,10 @@ You may want to use [Tor](/glossary/#tor-network) from a smartphone. However, if
# Recommended Settings and Habits
* [Owner user profile] **Settings → Security → Auto reboot:** 8 hours
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting will return it to a more effective encryption once the time has elapsed.
* [Owner user profile] **Settings → Security → Auto reboot:** 18 hours or less
* The automatic reboot, if no profile has been unlocked for several hours, will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will reboot at least overnight if you forget to turn it off. If the device is compromised by [malware](/glossary/#malware), then [Verified Boot](https://www.privacyguides.org/en/os/android-overview/#verified-boot) will prevent and revert any changes to the operating system files when the device is rebooted. If the police ever manage to get their hands on your phone while it is in a lock-screen state, this setting [will return it to a more effective encryption once the time has elapsed](https://grapheneos.social/@GrapheneOS/112204443938445819).
* Leave the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when you don't need them for a specific purpose. Apps cannot use disabled features (even with individual permissions) until they are re-enabled. Also set a Bluetooth timeout: **Settings → Connected devices → Bluetooth timeout:** 2 minutes
* [Owner user profile] **Settings → Security → USB-C Port:** [Charging-only](https://grapheneos.social/@GrapheneOS/112204446073852302)
* Many applications allow you to "share" a file with them for media upload. For example, if you want to send a picture on Signal, do not grant Signal access to "photos and videos" because it will have access to all of your pictures. Instead, in the Files app, long-press to select the picture, and then share it with Signal.
* Once you have all the applications you need installed in a secondary user profile, disable app installation in that profile - apps installed in a secondary user profile delegated from the Owner profile will still be updated.
* [Owner user profile] **Settings → System → Multiple users → [Username] → App installs and updates:** Disabled
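Review bot: the Auto reboot value changes from "8 hours" to "18 hours or less", but the explanation beneath it still says "It will reboot at least overnight if you forget to turn it off", which no longer holds for an 18-hour timer that starts when a profile was last unlocked. Either reword that sentence or recommend a value for which it stays true. The new "USB-C Port: Charging-only" bullet carries only a link as its rationale, unlike the Auto reboot bullet; a one-line explanation of what the setting protects against would match the rest of the list.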