How to Install GrapheneOS on an Android Phone
GrapheneOS is a hardened Android-based operating system built on the Android Open Source Project. It retains full Android app compatibility while replacing Google's privileged service infrastructure, hardening the kernel and userspace, adding a substantial set of privacy and security controls absent from stock Android, and maintaining a verified boot chain that makes OS-level tampering detectable. It runs exclusively on Google Pixel devices — not as a preference, but because Pixels are currently the only Android hardware with the combination of a dedicated security chip (Titan M2), a bootloader that supports third-party verified boot signing, and documented unlocking procedures required for a trustworthy installation.
This guide covers the full installation procedure from device selection through post-install configuration, including the web installer, CLI path, all post-install security settings, the sandboxed Google Play architecture, and the profile system.
Supported Devices
GrapheneOS follows Google's upstream security patch timeline. When Google stops publishing firmware updates for a device, GrapheneOS cannot guarantee full security patching beyond that point. Device support is therefore tied to Google's published end-of-life dates.
Currently supported as of February 2026:
| Device | Codename | Google EOL |
|---|---|---|
| Pixel 6 | oriole | October 2026 |
| Pixel 6 Pro | raven | October 2026 |
| Pixel 6a | bluejay | July 2027 |
| Pixel 7 | panther | October 2027 |
| Pixel 7 Pro | cheetah | October 2027 |
| Pixel 7a | lynx | May 2028 |
| Pixel 8 | shiba | October 2030 |
| Pixel 8 Pro | husky | October 2030 |
| Pixel 8a | akita | May 2031 |
| Pixel Fold | felix | — |
| Pixel Tablet | tangorpro | — |
| Pixel 9 | tokay | October 2031 |
| Pixel 9 Pro | caiman | October 2031 |
| Pixel 9 Pro XL | komodo | October 2031 |
| Pixel 9 Pro Fold | comet | October 2031 |
| Pixel 10 | frankel | October 2032 |
| Pixel 10 Pro | blazer | October 2032 |
| Pixel 10 Pro XL | mustang | October 2032 |
| Pixel 10 Pro Fold | kelpie | October 2032 |
Pixel 8 and later devices carry a seven-year support commitment from Google, making them the best long-term choice for GrapheneOS. Pixel 6 and 6 Pro hit EOL in October 2026 — still receiving full updates today but not worth buying new at this point.
Dropped devices (no longer receiving GrapheneOS updates): Pixel 5a and all earlier models.
Device purchasing: Buy directly from store.google.com. Carrier-sold Pixels sometimes ship with a carrier ID embedded in the persist partition that permanently disables OEM unlocking. The device may be advertised as unlocked and show no external indication of the restriction until you attempt to enable OEM unlocking and find the toggle greyed out. There is no software fix; the only recourse is contacting the carrier. This problem does not exist on factory-unlocked units purchased directly from Google.
Prerequisites
Computer
- OS: Windows 10/11, macOS Sonoma or later, or one of: Arch Linux, Debian, Ubuntu, Linux Mint. Other distributions may work but are not officially tested.
- Browser (web installer): Any Chromium-based browser with WebUSB support — Google Chrome, Microsoft Edge, or Brave. Firefox and Safari do not implement WebUSB. If using Brave, disable Brave Shields before starting. On Ubuntu, do not use the Snap-packaged Chromium — the Snap version ships a broken WebUSB implementation. Install Chrome from Google's official .deb package or Chromium from the Chromium PPA.
- Flatpak browser versions: Also avoid — known to cause WebUSB issues.
- Storage: At least 32 GB free for the factory image download.
- RAM: At least 2 GB available.
USB Connection
Use the USB cable shipped with the Pixel, connected directly to a USB port on the computer — no hubs, docks, or adapters. Faulty or incompatible cables are the leading cause of failed installations. If the installer cannot detect the device, the cable is the first thing to replace.
Windows driver (older Pixels): Pixel 4a 5G and later are detected by Windows 10/11 using the built-in generic fastboot driver. Older models may require manual driver installation. With the device in fastboot mode and connected, open Windows Update, check Optional Updates, and install the LeMobile Android Device driver — this is the correct fastboot driver despite the name. Alternatively, download the Google USB driver and install via Device Manager. Symptom of a missing driver: fastboot devices returns empty output.
Device
- Battery: Charge to at least 50% before starting. No official minimum is documented, but a device shutdown mid-flash is unrecoverable without restarting from fastboot.
- Internet connection: The Pixel must have an active Wi-Fi or mobile data connection when enabling OEM unlocking. The stock OS makes a network request to verify the device is not carrier-locked. Without connectivity the toggle may remain greyed out regardless of lock status.
- Pixel 6a firmware: On Pixel 6a units shipped from factory, OEM unlocking does not function on the original factory firmware. Update to the June 2022 or later release via OTA, then perform a factory reset, before OEM unlocking will work correctly.
- Data backup: The bootloader unlock wipes the device completely. Back up everything before proceeding.
Understanding the Boot Chain
Before touching anything, understanding what the installer is doing and why avoids confusion during the process.
Bootloader: Firmware that runs before the operating system. Controls which OS can boot. On stock Pixel, it is locked and only boots signed Google images. Unlocking it removes this restriction but also disables verified boot, which is why re-locking after installation is mandatory.
Verified boot: A cryptographic chain of trust from bootloader → firmware → OS. When the bootloader is locked with GrapheneOS's signing keys, any modification to OS partitions is detected and boot is halted. This provides tamper detection against physical access attacks and ensures you are running exactly what was installed.
A/B partitions: Pixel devices maintain two complete sets of OS partitions (slot A and slot B). The running OS occupies one slot; updates are written to the other in the background. After a successful update, the device boots from the new slot. Interrupted flashes on one slot do not affect the other — contributing to the near-zero brick rate of the web installer.
OEM unlocking: A permission flag that, when set, allows the bootloader to accept an unlock command. It does not unlock the bootloader itself — it permits the unlock to happen. The actual unlock command (fastboot flashing unlock) wipes the device and transitions the bootloader to an unlocked state.
Step 1: Enable Developer Options and OEM Unlocking
On the Pixel, while running stock Android, with internet connectivity active:
- Settings → About phone → Build number — tap Build number seven times consecutively. A countdown prompt appears after the third tap. A confirmation toast appears after the seventh.
- Settings → System → Developer Options → OEM unlocking — enable the toggle.
If the toggle is greyed out with internet connectivity active, the device is carrier-locked. If it is greyed out without internet, connect to Wi-Fi or mobile data and wait for the network check to complete — the toggle will activate shortly after.
Developer Options location varies slightly by Android version and manufacturer skin. On stock Pixel it is consistently at Settings → System → Developer Options.
Step 2: Enter Fastboot Mode
Two methods:
Hardware: Power off the device. Hold Volume Down, then press and hold Power. Keep holding Volume Down until the fastboot screen appears — the Android figure with a padlock and "Fastboot Mode" displayed. Connect to the computer via USB.
ADB (if USB debugging is already enabled):
adb reboot bootloader
To verify the computer detects the device in fastboot mode:
fastboot devices
This should return the device serial number with "fastboot" status. If it returns empty, check the cable, port, and Windows driver.
Web Installer
The web installer at grapheneos.org/install/web handles the complete installation automatically: it detects the connected device, downloads and cryptographically verifies the correct factory image, flashes all partitions in the correct order, and guides through bootloader unlock and re-lock.
Open the installer in Chrome, Edge, or Brave (with Shields disabled). The installer will prompt you through each stage.
Stage 1: Connect the device
With the device in fastboot mode and connected via USB, the installer requests WebUSB permission to communicate with the device. Allow it. The installer will identify the device model and confirm the correct factory image to download.
Stage 2: Unlock the bootloader
The installer issues fastboot flashing unlock. On the device screen, a warning appears:
Unlock bootloader?
If you unlock the bootloader, you will be able to install custom operating system software on this phone.
A custom OS is not subject to the same testing as the original OS, and can cause your phone and installed applications to stop working properly.
To prevent unauthorized access to your personal data, unlocking the bootloader will also delete all personal data from your phone (a "factory reset").
Press the Volume Up/Down buttons to select Yes or No. Then press the Power button to confirm your selection.
Use Volume Down to navigate to "Unlock the bootloader" and press Power to confirm. The device wipes, reboots briefly, and returns to fastboot mode. This is expected behaviour.
Stage 3: Flash GrapheneOS
The installer downloads the factory image for the detected device, verifies it against GrapheneOS's published cryptographic signature, and flashes each partition: bootloader, radio firmware, and OS partitions. Do not disconnect the cable or allow the computer to sleep during this stage. Progress is visible in the browser.
Partition flashes can appear to stall for 60–90 seconds on certain partitions — this is normal. If there is genuinely no progress for more than five minutes, see troubleshooting below.
Stage 4: Lock the bootloader
After flashing, the installer issues fastboot flashing lock. On the device screen:
Lock bootloader?
If you lock the bootloader, you will not be able to install custom operating system software on this phone.
Press the Volume Up/Down buttons to select Yes or No. Then press the Power button to confirm your selection.
Navigate to "Lock the bootloader" and confirm with Power. The device reboots into GrapheneOS.
This step is not optional. Locking the bootloader activates GrapheneOS's verified boot implementation and enables hardware attestation via the Auditor app. An unlocked bootloader means anyone with USB access and a computer can replace or modify the OS without detection. Do not skip it.
CLI Installer (Alternative)
For users who prefer direct fastboot control or cannot use a Chromium browser, the CLI path at grapheneos.org/install/cli covers the same installation using fastboot commands directly.
Requirements:
- fastboot version 35.0.1 or later. Distribution-packaged versions are frequently outdated. Download the latest Android Platform Tools from Google: developer.android.com/tools/releases/platform-tools. The directory containing fastboot must be in your system PATH.
- OpenSSH (ssh-keygen) for signature verification.
Process overview:
- Download the factory image for your specific device from grapheneos.org/releases.
- Verify the download against GrapheneOS's published SSH signing key:
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s <image>.zip.sig < <image>.zip
- Extract the factory image archive.
- With the device in fastboot mode:
fastboot flashing unlock
Confirm on device.
- Run the included flash script:
# Linux / macOS
./flash-all.sh
# Windows
flash-all.bat
- After completion:
fastboot flashing lock
Confirm on device.
The flash script handles partition ordering, bootloader/firmware flashing, and OS partition flashing in the correct sequence. Do not modify it.
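A pre-flight gate for the CLI steps above, as an added example (not GrapheneOS project code): it refuses to continue unless fastboot is at least 35.0.1 and the ssh-keygen signature check on the factory image passes. The function names, the default allowed_signers path and the SIGNER_ID default are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks before extracting and flashing a factory image.
# Assumptions: allowed_signers was downloaded from grapheneos.org over HTTPS and
# <image>.zip.sig sits next to <image>.zip; SIGNER_ID is the identity given to -I.

MIN_FASTBOOT="35.0.1"
SIGNER_ID="${SIGNER_ID:-contact@grapheneos.org}"
SIG_NAMESPACE="factory images"

# Read `fastboot --version` output on stdin and print the dotted version.
# Constructed sample input: "fastboot version 35.0.1-11580240"
parse_fastboot_version() {
  sed -n 's/^fastboot version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_ge HAVE WANT: succeed when HAVE >= WANT. Fields are compared as
# numbers, so 9.0.0 is older than 35.0.1 (a plain string compare gets this wrong).
version_ge() {
  _have=$1 _want=$2
  for _field in 1 2 3; do
    _h=${_have%%.*} _w=${_want%%.*}
    [ "$_h" -gt "$_w" ] && return 0
    [ "$_h" -lt "$_w" ] && return 1
    case $_have in *.*) _have=${_have#*.} ;; *) _have=0 ;; esac
    case $_want in *.*) _want=${_want#*.} ;; *) _want=0 ;; esac
  done
  return 0
}

# verify_image IMAGE.zip ALLOWED_SIGNERS
# Returns 0 only for a good signature, 2 if an input file is missing, 1 otherwise.
verify_image() {
  for _f in "$1" "$1.sig" "$2"; do
    [ -f "$_f" ] || { echo "missing file: $_f" >&2; return 2; }
  done
  ssh-keygen -Y verify -f "$2" -I "$SIGNER_ID" -n "$SIG_NAMESPACE" \
    -s "$1.sig" < "$1" >/dev/null 2>&1 || return 1
}

# preflight IMAGE.zip [ALLOWED_SIGNERS]: run every check, stop at the first failure.
preflight() {
  _image=$1 _signers=${2:-allowed_signers}
  for _tool in fastboot ssh-keygen; do
    command -v "$_tool" >/dev/null 2>&1 || { echo "FAIL: $_tool not in PATH" >&2; return 1; }
  done
  _found=$(fastboot --version 2>/dev/null | parse_fastboot_version)
  if [ -z "$_found" ] || ! version_ge "$_found" "$MIN_FASTBOOT"; then
    echo "FAIL: fastboot ${_found:-unknown} is older than $MIN_FASTBOOT" >&2
    return 1
  fi
  if ! verify_image "$_image" "$_signers"; then
    echo "FAIL: signature check failed for $_image; do not extract or flash it" >&2
    return 1
  fi
  echo "OK: fastboot $_found, signature good for $_image"
}

# Run only when an image path is given, e.g.: sh preflight.sh <image>.zip
if [ "$#" -ge 1 ]; then
  preflight "$@"
fi
```

A non-zero exit means the image or the tooling should not be trusted; re-download the image and signature rather than proceeding to flash-all.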
Troubleshooting
OEM unlocking toggle greyed out (internet connected)
Device is carrier-locked. Contact the carrier to request an unlock — policies and success rates vary. There is no technical workaround. For future purchases, buy directly from Google Store.
OEM unlocking toggle greyed out (no internet)
Connect to Wi-Fi or mobile data. The stock OS performs a carrier-lock network check before activating the toggle. Allow a few seconds after connecting.
Pixel 6a OEM unlock not functioning on original firmware
The device shipped from factory with a firmware version that prevents OEM unlocking from working correctly. Update to June 2022 firmware or later via OTA (Settings → System → System update), then factory reset (Settings → System → Reset options → Erase all data), then re-enable Developer Options and OEM unlocking.
fastboot devices returns empty output
Try a different USB port (preferably USB-A). Try a different cable. Confirm the device is in fastboot mode, not booting into Android. Windows users: install the Google USB driver via Windows Update optional updates or Device Manager — see Prerequisites section.
Browser reports WebUSB not supported
Switch to a locally installed Chrome or Edge. On Ubuntu: install Chrome from Google's .deb package, not Snap. Check that the browser is not in private/incognito mode — some browsers restrict storage and device access in private mode.
Flash stalls or fails mid-process
If the cable disconnects or the flash genuinely stalls: disconnect the device, reboot it into fastboot mode (Volume Down + Power), reconnect, and restart the installer from the beginning. The A/B partition architecture means a partial flash of one slot does not affect the other — the device is recoverable.
Device reboots into a red warning screen after installation
This appears if the bootloader was not locked after flashing, or if the re-lock failed. The warning reads: "Your device is corrupt. It can't be trusted and may not work properly." If you see this and the bootloader is unlocked, re-enter fastboot mode and issue fastboot flashing lock. If the lock was confirmed and the warning still appears, something in the flash process went wrong — re-flash from the beginning.
First Boot and Initial Setup
GrapheneOS first boot presents a setup wizard. A few deliberate choices here matter:
Lock screen credential: Set a passphrase, not a PIN. GrapheneOS derives disk encryption keys from the lock screen credential — a longer passphrase substantially raises the cost of offline brute-force against a seized device. The auto-reboot timer (covered below) means the lock screen is doing cryptographic work on a regular cycle; its strength directly affects the security of your data at rest.
Skip Google account setup: Do not add a Google account during the wizard. Set up the device baseline first and add accounts deliberately through sandboxed Google Play later if needed.
Disable OEM unlocking: After setup completes, go to Settings → System → Developer Options and disable the OEM unlocking toggle. It was needed to install GrapheneOS; it serves no ongoing purpose and should be turned off.
Verify the installation with Auditor: Install the Auditor app from the GrapheneOS App Store. Auditor performs hardware-backed attestation of the device — it verifies via the Titan chip that the bootloader is locked, that GrapheneOS is the installed OS, and that the OS and bootloader have not been modified. The attestation is signed by the Titan chip's hardware-backed key, which cannot be extracted or forged in software. For remote attestation, the Auditor server at attestation.app stores a verification record that can be checked over time to detect any future modification.
Sandboxed Google Play
On stock Android, Google Play Services runs as a privileged system process with permissions that extend beyond the standard app sandbox. It functions as part of the OS infrastructure, with access to hardware identifiers, system APIs, and inter-app communication channels unavailable to regular apps.
GrapheneOS removes this privileged position entirely. Sandboxed Google Play installs and runs Google Play Services as a standard unprivileged app. A compatibility layer translates Google Play Services API calls to function within the app sandbox — most calls work correctly; the app assumes full access and receives appropriately scoped responses.
What this means in practice:
- Play Store installation, app updates, in-app purchases, Play Asset Delivery, and Play Feature Delivery all work.
- Firebase Cloud Messaging (push notifications) works after granting a battery optimization exception.
- Most Play-dependent apps work without modification.
- Google Pay's NFC payment function does not work — it requires hardware attestation confirming official Google firmware, which a custom OS cannot provide.
- Location requests from sandboxed Google Play are rerouted through GrapheneOS's own implementation of the geolocation service rather than going directly to Google.
Installation:
- Open the GrapheneOS App Store (pre-installed, in the app drawer).
- Install Google Play services — this installs Google Play Services and the Play Store as an interdependent bundle.
- Open Play Store. Sign in if desired. Install apps normally.
- For push notifications: Settings → Apps → Google Play services → Battery → Unrestricted.
Profile placement: Sandboxed Google Play is installed per profile. Installing it in the Owner profile gives it access to everything in that profile. For stronger isolation, create a dedicated secondary user profile, install Google Play there, and keep the Owner profile Google-free. Apps across profiles are cryptographically isolated — they cannot communicate with or enumerate apps in other profiles.
App Stores and Sideloading
GrapheneOS App Store: Pre-installed. Provides GrapheneOS-tested builds of sandboxed Google Play, and also mirrors Accrescent. Primary installation method for sandboxed Play.
Accrescent: A privacy-focused app store installable via the GrapheneOS App Store. Still in early development with a limited catalog. Uses a security model based on app signing key pinning and reproducible builds. Worth installing for the apps it does carry; not a general replacement for Play.
F-Droid: Open-source app repository. Install by sideloading the F-Droid APK from f-droid.org. GrapheneOS does not officially recommend F-Droid's standard client — its default repositories are signed by F-Droid's own key rather than the original developer's key, and builds are not always reproducible. The IzzyOnDroid repo and specific repos with developer-signed APKs are better options within F-Droid. Useful for a large catalog of FOSS Android apps not available elsewhere.
Aurora Store: An open-source Play Store frontend that downloads Play Store apps using anonymous shared accounts, allowing Play app access without a Google account. Sideload from auroraoss.com. The anonymous account pool periodically suffers rate-limiting, causing download failures. Not officially recommended by GrapheneOS. Useful as a secondary option.
Direct APK sideloading: Enabled in Settings → Apps → Special app access → Install unknown apps, then grant permission to the specific app (browser, file manager) you will use to open the APK. Disable after sideloading to reduce attack surface.
Exploit Protection Settings
Located at Settings → Security & privacy → Exploit protection.
Auto reboot
Automatically reboots the device after a configurable period of being locked without a successful unlock. Default: 18 hours. Configurable from 10 minutes to 72 hours.
After reboot, the device is in a Before First Unlock (BFU) state — all disk encryption keys are absent from memory, profile data is inaccessible, and the device presents a minimal attack surface. This directly limits the window of exposure after a device is seized or lost. The auto-reboot is implemented at the init process level to prevent bypass by a compromised userspace.
USB-C port control
Five modes:
| Mode | Behaviour |
|---|---|
| Off | USB completely disabled — no charging, no data |
| Charging only | Charging enabled; USB data lines disabled at OS level |
| Charging only when locked | Default. Data disabled at both OS and hardware level when locked |
| Charging only when locked, except before first unlock | Data enabled before BFU unlock (for troubleshooting); disabled after locking |
| On | Full USB functionality at all times |
The hardware-level disable in the default mode blocks USB peripheral driver vulnerabilities — including attacks from forensic extraction tools (e.g., Cellebrite) that target the USB interface to extract data from locked devices. The OS-level disable blocks at the driver layer; the hardware-level disable disconnects the data lines entirely.
Dynamic code loading restrictions
Three toggles:
- Block loading executable code from memory — prevents apps from generating and executing code at runtime from anonymous memory mappings. Blocks shellcode-based exploits that execute in memory without touching disk.
- Block loading executable code from storage — prevents apps from loading executable code from files they write themselves. Blocks a common malware technique of writing a payload to storage and dlopen-ing it.
- Disable WebView JIT — disables just-in-time compilation in the WebView component. Reduces attack surface significantly at the cost of WebView rendering performance. Primarily relevant for apps that use WebView extensively.
These are disabled by default for compatibility. Enable them on apps that do not require dynamic code execution.
Native code debugging (ptrace)
Blocked by default for all system and bundled apps. Per-app toggle available for user-installed apps. ptrace allows one process to inspect and modify another's memory — a capability heavily exploited in privilege escalation chains. Disabling it breaks debuggers and some app instrumentation tools but significantly hardens the process isolation model.
PIN scrambling
Settings → Security & privacy → Device unlock → Scramble PIN
Randomizes digit positions on the PIN keypad on every unlock attempt. Prevents visual shoulder-surfing and defeats side-channel attacks that reconstruct PIN entries from accelerometer or gyroscope data by correlating expected digit positions with recorded motion.
Duress PIN / Duress Password
Settings → Security & privacy → Device unlock → Duress password
A secondary credential that, when entered at any authentication prompt — lock screen, in-app unlock, or any context that requests device credentials — triggers an immediate and irreversible wipe of all hardware-backed keystore keys, followed by eSIM wipe, followed by device shutdown.
The wipe operates at the hardware level: all disk encryption keys are derived from keystore-protected keys, so destroying the keystore keys makes all encrypted data permanently unrecoverable. It happens without a reboot or any user-visible "wipe in progress" notification. The process is fast enough to complete before a device can be powered off by a third party.
Duress PIN and Duress Password are configured and operate independently — the PIN version only triggers at PIN input prompts, the password version only at password input prompts. Set whichever matches your primary lock screen type, or both.
Two-factor fingerprint unlock
Settings → Security & privacy → Device unlock → 2-factor fingerprint unlock
Requires a secondary PIN in addition to a biometric scan to unlock the device. The PIN entry uses scrambled digits. This configuration provides the convenience of fingerprint combined with the active knowledge requirement of a PIN — biometric alone cannot unlock the device.
The 2-factor fingerprint unlock is only available for 48 hours after the last successful primary credential (passphrase) unlock. After 48 hours, the device falls back to requiring the primary passphrase. This prevents long-term biometric-only use while still providing convenience for regular active use.
Battery charge limit
Settings → Battery → Charge limit
Caps charging at 80% to reduce electrochemical stress on the battery and extend its lifespan. The device periodically charges to 100% for calibration purposes. Toggle for users who keep the device plugged in for extended periods.
Permission System
GrapheneOS extends Android's standard permission model with several additions unavailable on stock Android.
Network permission (per-app)
Every app has a Network toggle in Settings → Apps → [App] → Permissions → Network. When disabled, GrapheneOS presents a network-unavailable condition to the app using standard system error codes — the app receives ENETDOWN or similar errors, behaving as it would on an offline device. It does not receive a "permission denied" response, maintaining behavioural compatibility while completely blocking network access including local network connections.
This toggle appears at install time in the installation confirmation dialog, allowing network access to be blocked before the app ever executes.
Sensors permission (per-app)
A Sensors toggle blocks access to accelerometer, gyroscope, barometer, thermometer, step counter, and other body and motion sensors. Standard Android has no corresponding permission — all apps have unrestricted sensor access by default. The GrapheneOS toggle allows running apps that have no legitimate sensor need in a sensor-free environment.
Storage Scopes
When Storage Scopes is enabled for an app instead of granting broad storage permission, the app receives a virtual view of storage containing only files and directories the user explicitly adds as scopes. From the app's perspective, it has full storage permission — it simply only sees what the user has authorised. The app cannot detect that its view is filtered.
Storage Scopes applies to both external storage (READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE) and the broader media permissions introduced in Android 13+.
Contact Scopes
Analogous to Storage Scopes for the Contacts permission. When enabled:
- The app assumes it has contacts access and sees an empty contacts list by default.
- The user can grant read access to specific contacts, specific groups, or specific fields per contact (phone number or email independently).
- Write access is fully blocked — apps with Contact Scopes cannot add, modify, or delete contacts regardless of what access they attempt.
Camera and microphone indicators
Persistent status bar indicators when any app accesses the camera or microphone — identical to the indicators added to stock Android in Android 12, preserved and visible in GrapheneOS.
Per-app exec spawning
Settings → Apps → [App] → Exec spawning
Standard Android uses a Zygote spawning model: new app processes are forked from a pre-initialised Zygote process, sharing memory pages with other apps until they write to those pages (copy-on-write). This is fast but creates shared memory state between processes.
GrapheneOS's isolated spawning mode creates each app process from scratch with no shared Zygote memory. This eliminates cross-app memory residue at the cost of slightly slower app launch times. Configurable per-app for apps where the extra isolation justifies the performance trade-off.
Profiles
GrapheneOS significantly expands Android's multi-user profile system.
Profile isolation: Each profile has independent apps, app data, settings, and disk encryption keys. Apps in one profile cannot communicate with, enumerate, or access data from apps in another profile. Switching profiles requires authenticating with that profile's credentials. GrapheneOS supports up to 31 secondary user profiles (stock Android supports 3).
Owner profile: The primary profile with full device administration. Can restrict what secondary profiles are permitted to do — including disabling the ability to install apps, enabling a fixed app set model.
End Session: Secondary profiles support an End Session action that locks the profile and evicts its disk encryption keys from memory, returning the profile's data to an encrypted-at-rest state without uninstalling anything. Resuming the session requires re-authenticating with the profile's credentials and reloading the keys.
Profile-specific VPN: Each profile maintains independent VPN configuration. A VPN active in one profile does not route traffic from other profiles — and traffic from other profiles cannot bypass through the VPN tunnel of an active profile.
Notification forwarding: Background profiles can optionally forward notifications to the active profile. Disabled by default. When enabled, notification content from background profiles appears in the foreground profile's notification shade.
Cross-profile app installation: Packages already installed in one profile can be installed in another profile from a local cache without re-downloading.
Recommended compartmentalization model: Owner profile with no Google services. Secondary profile with sandboxed Google Play for apps that require it. Additional profiles as needed for work separation, burner app isolation, or high-trust financial apps. Each profile maintains separate encrypted storage and independent app state.
Keeping GrapheneOS Updated
Updates are delivered via an A/B partition model: the new OS version is written to the inactive partition while the device is in normal use. A reboot switches the active partition to the updated slot. If the new slot fails to boot, the device falls back to the previous slot automatically.
GrapheneOS publishes security updates typically within hours to days of the monthly Android Security Bulletin — often ahead of official Pixel OTA releases. Update settings are at Settings → System → System update.
Security Preview channel: An opt-in channel that delivers Android Security Bulletin patches before official Google disclosure. Accessible at Settings → System → System update → Release channel → Security Preview. Patches in this channel are based on embargo-period source code — they are functional but the underlying source cannot be published until official disclosure. Switch back to Stable when a patch is no longer under embargo.
Returning to Stock Android
GrapheneOS is fully reversible. To return to stock Android:
- Download the factory image for your device from google.com/android/find.
- Boot into fastboot mode.
- Unlock the bootloader (this wipes the device again):
fastboot flashing unlock
- Flash the factory image using the included flash-all.sh / flash-all.bat.
- Lock the bootloader:
fastboot flashing lock
After re-locking with Google's signing keys, the device boots stock Android with verified boot active. The unlocked bootloader period is not visible in any software-accessible state after re-locking.
Further Reading
- The Complete Android Privacy and Security Guide — the broader Android threat model and what GrapheneOS addresses
- Realistic Options to Gain Phone Privacy — stock Android hardening for those not switching OS
- Fingerprint vs PIN — Which Is Better for Your Security? — GrapheneOS's 2-factor fingerprint changes this analysis
- Why Rebooting Your Phone Is a Key Security Habit — auto-reboot automates the BFU state recommendation
- GrapheneOS official documentation — features overview, usage guide, and FAQ
- GrapheneOS releases — current supported device list and changelogs
- Auditor app — hardware attestation for verifying the installation
Last updated: February 2026. Verify the current supported device list at grapheneos.org/releases before purchasing a device.