GrapheneOS

GrapheneOS duress PIN: wipe your phone under coercion

Who this guide is for: Journalists, activists, higher-risk users, and people in stalking or domestic-abuse situations who may realistically face forced phone unlocking. For most everyday users, this goes beyond what they need.

GrapheneOS duress PIN: wipe your phone under coercion

Who this guide is for: Journalists, activists, higher-risk users, and people in stalking or domestic-abuse situations who may realistically face forced phone unlocking. For most everyday users, this goes beyond what they need.

A duress PIN is a second PIN you set alongside your normal unlock code. When entered, it wipes the phone instead of unlocking it.

The scenario: you’re forced to unlock your phone — at a border crossing, during an arrest, or by someone pressuring you. You give the duress PIN. The phone wipes itself while appearing to comply.

What you gain, and what it costs

You gain a last-resort defense for situations where physical coercion is more realistic than remote hacking. If someone forces you to unlock your phone, you have an option that can erase the device immediately without navigating menus or explaining what you are doing.

The cost is that this feature only works if you remember it correctly and combine it with solid backups. A duress PIN you forget, confuse with your normal PIN, or enter by accident wipes your phone just as effectively as in a genuine emergency.

When this is overkill

For most people, a strong normal PIN, disabling biometrics when risk rises, and enabling auto-reboot are already enough. A duress PIN mainly belongs in scenarios where forced unlocking is a plausible threat: border crossings, arrests, stalking, domestic abuse, or targeted intimidation.

How it works

GrapheneOS supports a duress PIN as a built-in option. After entering it:

The phone starts the wipe process immediately
The screen behaves normally while data is being erased
After wiping, the phone reboots to the initial setup screen

The wipe removes all data on the device, including installed eSIMs.

GrapheneOS supports both a duress PIN and a duress password, depending on how you unlock your phone. If you unlock with a PIN, you set a duress PIN. If you unlock with a password, you set a duress password. Both are configured separately and are independent from your normal unlock credential.

Setup

Requirements:

GrapheneOS (this feature does not exist in standard Android)
Your primary screen lock must already be configured

Steps:

Go to Settings → Security & privacy → Device unlock
Tap Duress password
Enter your current PIN or password for verification
Enter the duress PIN or duress password you want to use — never use the same as your normal unlock code
Confirm it

Done. The setting is active as soon as you confirm.

Choosing your duress PIN carefully

Don’t use:

The same as your normal PIN
An obvious variation (your normal PIN +1)
Something you’d accidentally type when in a hurry

Do use:

A PIN you’ll remember but won’t enter accidentally
Something structurally different from your normal PIN — if your normal PIN is 6 digits, consider 4 for the duress PIN, or vice versa

Never test it on your primary phone unless you have a full backup. The wipe function is irreversible.

Combine with other GrapheneOS security features

Auto-reboot: GrapheneOS can automatically restart the phone after a set time if it has not been unlocked. Configure it via Settings → Security & privacy → Exploit protection → Auto-reboot. The default is 18 hours, adjustable from 10 minutes to 72 hours. After a reboot, all data is encrypted at rest and inaccessible without the PIN.

**USB access restriction:**Settings → Security & privacy → Exploit protection → USB-C port control. The default is already “Charging-only when locked”, which blocks new USB connections once the phone is locked. Check that this setting has not been relaxed. This helps prevent tools like Cellebrite from reading data over USB while the phone is locked.

Lockdown mode: Via the power button, choose Lockdown. This is different from the regular Lock option. It activates a temporary mode that disables biometrics. Useful if you expect to be coerced — PIN required, no fingerprint.

Who is this relevant for?

Journalists and activists who have sensitive sources or material on their phone and expect border controls or arrests.

High-risk users in countries with aggressive surveillance or arbitrary device checks.

People in stalking or domestic violence situations where someone can physically force access to the phone.

Less relevant for most everyday users — the threat threshold must justify accepting a wipe function.

What you can’t protect against

A duress PIN doesn’t help if:

The phone is already unlocked at the time of seizure
Someone has a backup of your data (iCloud, Google Drive, a previously made copy)
The attacker uses advanced forensic tools while the phone is on and was unlocked

Always combine the duress PIN with full disk encryption (enabled by default on GrapheneOS), a strong PIN, and auto-reboot.

Next step

Go further

GrapheneOS hardening guide — broader, maintainable high-risk setup
GrapheneOS first setup — getting started with GrapheneOS

Profiles

Profile: journalist or activist — when a duress PIN is part of the picture
Profile: high risk — complete approach for high threat level

← Back to guides