← Guides Privacy

GrapheneOS Setup Guide: Degoogle Your Phone in 30 Minutes (2026)

A no-BS guide to installing GrapheneOS on a Pixel phone — from picking the right device to setting up apps that actually work. Written by someone who's done it.

📱 18 min read · Last updated: February 17, 2026

Why Bother?

Let's be real — your stock Android phone is a surveillance device that happens to make calls. Google collects location data even when you tell it not to, tracks every app you open, and builds an advertising profile that knows you better than your therapist.

GrapheneOS is Android without the creepy parts. It's a hardened, privacy-focused operating system that runs on Google Pixel phones (ironic, I know). You get all the Android app compatibility you need, minus Google looking over your shoulder 24/7.

Here's what actually changes:

  • No Google Services by default — nothing phones home unless you explicitly allow it
  • Hardened memory allocator — makes entire classes of exploits way harder
  • Per-app network permissions — you choose which apps can access the internet (stock Android doesn't let you do this!)
  • Storage scopes — apps only see the files you explicitly share with them
  • Auto-reboot — phone reboots after inactivity to flush encryption keys from memory
  • Sensor permissions — individually control access to accelerometer, gyroscope, etc.

And before you ask: yes, your banking apps will work. Yes, your camera still takes good photos. No, you don't need to be a Linux wizard. The web installer literally walks you through it.

What You Need

The shopping list is short:

  • A supported Google Pixel phone — more on this in a second
  • A USB-C cable — preferably the one that came with the phone
  • A computer with a web browser — Chrome or Chromium-based works best for the web installer (Firefox has WebUSB issues)
  • 30-45 minutes — first time takes a bit; after that you could do it in 10
  • Your data backed up — installation wipes everything
⚠️ Important: Do NOT buy a carrier-locked Pixel. AT&T, Verizon, and T-Mobile variants often have locked bootloaders that make installation impossible. Buy unlocked directly from the Google Store, Best Buy (unlocked model), or a reputable reseller.

Picking the Right Pixel

GrapheneOS only works on Pixel phones. Not Samsung, not OnePlus, not your old Nexus gathering dust in a drawer. Pixels only. Here's why: they have the best hardware security features (Titan M2 chip, verified boot) and receive guaranteed security updates.

Currently Supported (2026)

Device Security Updates Until Verdict
Pixel 9 Pro / 9 Pro Fold ~2031 🏆 Best pick
Pixel 9 / 9a ~2031 ✅ Great value
Pixel 8 Pro / 8 ~2030 ✅ Solid choice
Pixel 8a ~2031 ✅ Budget king
Pixel 7 Pro / 7 / 7a ~2028-2029 👍 Still good
Pixel 6 series ~2026-2027 ⏳ Running out of time

My Recommendation

If you're buying new: Pixel 9. Best camera-to-price ratio, 7 years of updates, runs GrapheneOS beautifully.

If you're on a budget: grab a used Pixel 8a or 7a — they go for $200-250 on Swappa or eBay. That's 4+ years of security updates for the price of a fancy dinner.

If you already have a Pixel 6 or newer sitting around: just use that. Don't let "optimal device" paralyze you into doing nothing.

The Actual Installation

This used to be scary. It's not anymore. GrapheneOS has a web installer that does almost everything for you. Seriously — it's easier than setting up a new printer.

Step 1: Enable OEM Unlocking

On your Pixel (still running stock Android):

  1. Go to Settings → About phone
  2. Tap Build number 7 times (yes, really) to enable Developer options
  3. Go back to Settings → System → Developer options
  4. Enable OEM unlocking

If "OEM unlocking" is grayed out, your device is carrier-locked. You'll need to contact your carrier or, honestly, just buy an unlocked one.

Step 2: Use the Web Installer

  1. Open grapheneos.org/install/web in Chrome/Chromium
  2. Connect your Pixel via USB
  3. Boot into fastboot mode: hold Power + Volume Down while the phone restarts
  4. Click "Unlock bootloader" in the web installer
  5. Confirm on the phone (volume keys to select, power to confirm)
  6. Click "Download release" — the installer grabs the latest build
  7. Click "Flash release" — this writes GrapheneOS to your phone
  8. Lock the bootloader again — this is critical for security! The installer will prompt you
💡 Why lock the bootloader? An unlocked bootloader means anyone with physical access could flash malware. Locking it re-enables verified boot — the phone cryptographically verifies the OS hasn't been tampered with every time it starts.

Step 3: Verify

After the phone reboots, you should see the GrapheneOS setup wizard. Clean, minimal, no Google logos in sight. If the Auditor app (built-in) shows a green checkmark, you're golden.

🔥 Pro tip: If you want the CLI route instead, GrapheneOS also supports fastboot flashing. But honestly, the web installer is so smooth there's no reason to unless you enjoy typing commands.

First Boot: Don't Panic

Your phone boots up and it looks... like Android. Because it is Android. Just without the Google umbilical cord.

A few things you'll notice immediately:

  • No Google Play Store — expected, we'll fix this
  • The camera app is Pixel Camera — yes, it's the real deal with full computational photography
  • Settings has new privacy options — network permissions, sensor toggles, auto-reboot timers
  • Everything feels fast — no bloatware running in the background

First Things to Configure

  1. Set up a strong lock screen — use a 6+ digit PIN or passphrase. Avoid patterns (they're shoulder-surfable) and biometrics alone.
  2. Enable auto-reboot — Settings → Security → Auto reboot. Set it to 8-12 hours. This forces the phone to restart if left idle, flushing encryption keys from memory. If someone steals your phone while you're sleeping, they get an encrypted brick.
  3. Review network permissions — Settings → Apps → each app → Network. By default, nothing has internet access until you grant it.
  4. Turn on scramble PIN layout — Settings → Security → Scramble PIN input layout. The number positions randomize every time, defeating shoulder surfing and smudge analysis.

Setting Up Apps That Work

This is where most guides get either too paranoid ("only use F-Droid!") or too vague. Here's what actually works for normal humans who want privacy and a functional phone.

Getting Apps: Your Options

📦 GrapheneOS Apps (built-in)

Ships with a browser (Vanadium — hardened Chromium), camera, PDF viewer, and an app store for GrapheneOS-specific apps. These are your baseline.

🏪 Accrescent (recommended app store)

A newer app store focused on security. Apps are verified and signed properly. Still small, but growing. GrapheneOS recommends it. Install it from accrescent.app.

🤖 Google Play (via sandboxed Google Play)

Yes, you read that right. GrapheneOS lets you install Google Play services in a sandboxed profile — they run as regular apps with no special privileges. No more root access, no background tracking. Install from the built-in GrapheneOS App Store.

This is the killer feature. You get Play Store apps (banking, ride sharing, whatever) without giving Google the skeleton key to your phone.

🦊 F-Droid / Aurora Store

F-Droid has open-source apps. Aurora Store lets you download Play Store apps anonymously (no Google account). Both work, but GrapheneOS officially has some security concerns about F-Droid's signing process. Use Accrescent or sandboxed Play when possible.

The App Stack I'd Recommend

Here's a practical setup that balances privacy with not making your life miserable:

🌐 Browser Vanadium (built-in) or Brave
💬 Messaging Signal (via Play or signal.org APK)
📧 Email FairEmail or Thunderbird Mobile
🗺️ Maps Organic Maps (offline) or Google Maps (sandboxed)
🔐 Passwords Bitwarden or KeePassDX
📸 Camera Pixel Camera (built-in — the real one)
🎵 Music ViMusic / InnerTune (YouTube Music frontend)
📝 Notes Standard Notes or Joplin
🔒 VPN Mullvad or ProtonVPN
☁️ Cloud Sync Nextcloud or Syncthing
🏦 Banking Your bank's app (via sandboxed Play)
🛡️ 2FA Aegis Authenticator

The Google Services Question

"Should I install sandboxed Google Play?" — this comes up in every single GrapheneOS thread.

The answer: probably yes, in a separate profile.

Here's the trick that most guides miss: GrapheneOS lets you create separate user profiles. Think of them as completely isolated environments — different apps, different data, no cross-contamination.

The play is:

  • Owner profile — your private space. No Google anything. Signal, Vanadium, Bitwarden, your core apps.
  • Work profile or secondary user — install sandboxed Google Play here. Use it for banking apps, ride sharing, anything that demands Play Services. This profile can have a Google account; the owner profile stays clean.

Google Play in this sandboxed setup has zero special privileges. It can't see your contacts, can't scan your files, can't track your location unless you explicitly grant it — and only for that profile. It's Google in a cage.

💡 Push notifications: Apps that rely on Google's Firebase Cloud Messaging (FCM) for push notifications will work in the profile where sandboxed Play is installed. In your clean profile, apps need their own push implementation (Signal has this, most others don't).

Daily Driving Tips

After a few weeks with GrapheneOS, here are the things that'll make your life easier:

Battery Life Is Better

No, seriously. Without Google Play Services constantly phoning home, polling your location, and syncing data you never asked it to sync, most people see 15-25% better battery life. It's not a bug — it's what happens when your phone isn't running a surveillance operation in the background.

Updates Are Automatic

GrapheneOS pushes updates frequently (often faster than stock Pixel OS). They install in the background and apply on reboot. You don't need to think about it.

Use Multiple Profiles Wisely

Beyond the Google/non-Google split, consider profiles for:

  • Travel — a stripped-down profile with only maps and translation apps, in case your phone gets inspected at a border
  • Kids — hand them the phone on a restricted profile
  • Work — keep work apps and accounts completely separate from personal

Backups

GrapheneOS supports encrypted backups via Seedvault (built-in). You can back up to a USB drive, Nextcloud, or DAVx⁵-compatible cloud. Set it up early — don't be that person who loses everything because "I'll set up backups tomorrow."

Common Issues (and Fixes)

🏦 "My bank app doesn't work!"

Install it in a profile with sandboxed Google Play. Most banking apps need Play Services for push notifications and attestation. In the sandbox, they work fine — the app thinks it's on a normal Android phone.

If it still fails: some banks check for unlocked bootloaders. Since you relocked yours during installation (you did, right?), this shouldn't be an issue. If it is, the app is using Play Integrity API — check the GrapheneOS banking apps page for specific workarounds.

📍 "Location accuracy is worse"

Without Google's network location service, your phone relies on GPS only (slower initial fix). Install sandboxed Play Services in the relevant profile to get assisted location. Or use MicroG UnifiedNlp backends if you want location assist without Google.

🔔 "Some apps don't send notifications"

Most apps use Firebase (Google) for push notifications. Without sandboxed Play in that profile, they can't receive pushes. Either install Play in that profile, or check if the app supports alternative push (Signal, Telegram, Matrix clients all do natively).

📷 "Camera quality seems different"

GrapheneOS includes the real Pixel Camera app with all the computational photography features. If photos look off, make sure you're using the included camera app (not a third-party one) and that you've granted it camera permissions. The quality should be identical to stock.

🎮 "Can I play games?"

Most games work fine in a profile with sandboxed Play. Some games with aggressive anti-cheat or Play Integrity checks might not. Casual games, puzzle games, even most popular titles work without issues.

So... Is It Worth It?

If you've read this far, you're probably already leaning yes. So let me just confirm it: absolutely.

GrapheneOS isn't a compromise anymore. It's not the hair-shirt, "I gave up all my apps for privacy" experience it was five years ago. With sandboxed Google Play, you get 99% of app compatibility with dramatically more control over your data.

The 30 minutes you spend installing it buys you years of not being the product. Your location data stays yours. Your app usage stays yours. Your phone becomes a tool that works for you instead of an advertising company.

And honestly? Once you see how fast your phone runs without Google's bloatware chugging away in the background, you'll wonder why you didn't do this sooner.

🚀 Ready to go? Head to grapheneos.org/install/web and follow along. The whole process is about as risky as assembling IKEA furniture — slightly annoying the first time, totally fine once you get going.

Further Reading

🛒

Need a Pixel?

You don't need the latest and greatest — a used Pixel 7a or 8a works perfectly for GrapheneOS and costs a fraction of retail. Here are some solid options:

Pixel 8a on Amazon Pixel 7a on Amazon Pixel 9 on Amazon Used on Swappa

💡 Always buy unlocked — carrier models may have locked bootloaders. Swappa is great for verified used devices.