After using the duress password, is it possible to reinstall Graphene and make a new setup, or is the hardware bricked?
Discussion
Bonus question: can anyone comment on the legality of wiping your device if you find yourself in the hot seat? Pretty sure there's a jurisdiction somewhere that would charge you with destruction of evidence... even without any evidence
It'd be better if the OS just got silently replaced a decoy image.
It's easy, just don't use GrapheneOsπ I will always use it.
Obviously we can't speak on what potential bad guys (criminals or abusive states) would do. Laws are different elsewhere, but some would likely choose whatever would happen to them over what would happen if they surrendered. If a threat threatens to kill you, how can you be sure they won't just kill you if you complied anyway?
Sadly a duress PIN isn't designed to make you unaccountable. An erased device will always look obvious, and how they treat it really depends on who is trying to take it away.
You can best describe it as a trigger for erasing data to prevent an unauthorized party (in your proximity) from having potential access. It's great for protecting data you do not want anybody but yourself knowing. A whistleblower preparing to leak something confidential could come to mind.
It's more about protecting your data than yourself.
Yes of course. Wouldn't make sense to do something that causes permanent damage. Can reinstall GrapheneOS or another OS without problems.
Since release is in Alpha there will be people in Alpha testing channels reinstalling GrapheneOS often for further QA.
Once backups are improved and not using Seedvault, that new backup system should be designed to work well for recovering after a duress trigger. Although there are bigger priorities right now.
FYI: GrapheneOS does remain installed after a trigger right now so you can go into a recovery.
Another interesting feature would be a pin that unlocks to a hidden user account with some generic applications installed.
It isn't planned currently as a technical threat would be able to figure that out, or would be able to tell if it is a decoy through other means. It's a big reason we don't have a hidden profile feature at all (e.g. FFS would leave signs). The feature would only work best against someone with no knowledge on what GrapheneOS is. Cellebrite and XRY and other industry actors mentioning us in their internal documents or product material would suggest they study our work and read our posts.
Another example is Owner is still required to be authenticated first and there's tons of ways to see if an authenticated profile os the Owner or not.
We believe features involved in tricking someone could lead to someone trusting that feature and underestimating how skilled the person they're trying to trick, which could endanger them or bring even more trouble. While you could also trick someone with our Duress PIN that's not the objective, the device owner should trigger it when the time is right.
btw, for example the coldcard hardware wallet has a "brick me pin" which actually makes that hardware unusable.