

Or GrapheneOS, but compartmentalize sensitive data to a profile where you use no fingerprints, only PINs. Duress can be entered anywhere, right? So if you’re being compromised, enter the duress PIN.


any ideas how to add that engine to Vanadium on GrapheneOS?


Yes it is very much doable and you can get a functional system. But there can be 2 main problems for your case:
1) you would literally install Debian and choose nothing (no DE, just a bare minimum). On Arch, this is easy because it came with some packages or you can install during live to get wifi working. On Debian, last I heard you need to do some dhcp wizardry.
2) cross-app compatibility. This is very serious. Even “lightweight” DEs like xfce have a lot of hidden stuff that helps to run your notifications, power and brightness/volume. And that does not count if you want stuff from Gnome or KDE: they have even more special libraries. In your case, the worst scenario would be to have multiple libraries/configs from different DEs and they try to do the same thing. This is very hard to debug and maintain.
Point 1) is not as bad if you use Ethernet or somehow connect to the internet. It is only for the 1st phase where you install stuff though. After that you can just use the DE’s network manager.
Point 2) should not be a problem IF you are running a window manager. The reason is that in these setups you can choose exactly what you want without messing up… On a DE you can too, but you might break things. For eg, choose dunst for notifications or xfce4-notifyd. On a mixed DE setup? Bad idea imo.


anything that ties to Micro$oft is shady


thanks for the detailed answer. Did you use the battery protection, i.e. charge to 80%?


so most apps have restricted battery with the exception being Google Play Service?


2 months GOS user here on Pixel 9. So far so good. You do have a lot more controls than on traditional Android phones. In fact, you have so much that for the average user, I think it can be a bit overwhelming.
PROFILES
For eg, you can easily install Google apps and use them like a normal phone. Problem is on Graphene, you have many ways to set this up. You can:
a) install in your main profile and be done
b) install Gapps in the private space within main profile
c) some crazy stuff like install Gapps in the private space of a secondary profile, which you lock using a completely different password.
I spent too much time in this loop lol. Finally I settled on: all daily apps in main profile and sensitive apps live in a separate profile (banks, important docs).
SECURITY
Next, the security features in GOS are amazing. You can control every single permission that an app has. I mean everything, including the system Phone app. I can go 100% paranoid and prevent the Phone app from Phone logs, microphone and Phone. Essentially making the Phone app useless… Very very nice but you need to experiment with your apps and see which permissions you can deny and which you can’t. On normal Android? You can deny some apps but the system ones, you can’t.
I especially like the USB-C feature. I leave mine on Charge only. So the port only functions to charge my phone. This cuts off every other connection: plug into PC, plug into car for Android Auto…etc. I like it that way.
Btw, Android Auto works great too if you need it.
OS is so minimal that you will need to install essential apps on your own. For eg, I use Florisboard for keyboard, MiX for file manager.
a) your usual password, pin, fingerprint
AND
b) a secondary PIN that can be scrambled at random. So you unlock with your fingerprint then you need to enter that 2nd PIN or password to enter the phone. EVERY single time. And it is scrambled too so you don’t have to worry about people tracing your fingers.
AND
c) the Duress PIN. This is like the nuke PIN. You set this up and hypothetically you are in a dangerous situation (thieves want you to unlock, local police abuse your phone…etc), you can enter this instead of your normal screen lock PIN/password and every data is nuked. I haven’t tried it yet because I spent too much time setting my phone the way I like it lol. If somebody tries it out, pls let me know.
INSTALLATIONS
Stupidly easy. On the OG Pixel, if you want to install LineageOS, you have to be very careful. Besides downloading the ROM, you need to flash a custom recovery like TWRP. Then because it is a Pixel, you need to be careful which slot to flash the ROM. Flashing to the wrong one will brick the phone.
On Graphene? It is literally plug your phone in and open the browser where the install notes are. The ONLY technical thing I needed to do during the process was enable bootloader unlock. Everything else was like “GOS finishes this, GOS finishes that, can you press this button, GOS is rebooting…”. Very very simple.
**SOME HELPFUL POINTS (i hope)**
don’t treat this as a Degoogle phone. You can, but the strong point of GOS is security.
some features are not available compared to like Samsung’s ONE UI. For eg, only allows an app to connect to 5G and not wifi.
don’t create a super complicated setup. The backup process will be a pain.
Windows Updates
Got an update while finishing a large project for work. Tried to postpone updates, Micro$oft said no and rebooted anyway. Rebooted and waited 2 hrs for the “Please Wait” to go away.
Oh yeh and also the in your face OneDrive adware. I swear, every single time I update, the laptop keeps asking if I want to sign into onedrive.


I’m allowed my own laptop cuz most of my work is ssh to a server and fix shit. You have to register your laptop on the network first though.
Office, Team: these can work via the browser if your company/organizations pay for the subscription. In fact, the web versions run much better than the standalone desktop ones for me.
Code editor, terminal, programming in general: These work much much better in Linux. You open a terminal and you write commands to install stuff. Editors are even easier, i.e. nano, vim, vscode, emacs… etc. just pick your poison…
Email: now I log in to my exchange email using the browser. That works for 100% of the stuff I need to do: basic email stuff, accept/decline meetings…etc. Unless you absolutely need to use Outlook, there should be no problems.
Now… the real problem lies in specialized software like CAD, CAE tools. I like Linux but there isn’t a free CAD / CAE tool that is comparable to what the industries are using. In academia? absolutely you can use for research.


before learning all the new tools like Linux distros, vpns, compartmentalization, offline storage, security…etc.
You better start controlling the apps/services you are using NOW !
Youtube, Gmail, Facebook, X, Maps…etc. all have shit tons of data about you. Limit what they can use. Don’t give your info out easily (main email account).
yeh and if I remember correctly, there are no options in Samsung Keyboard to control the clipboard history length. It still remembers what you copied 3 weeks ago…
My recommendation is to use another keyboard. SimpleKeyboard, FlorisBoard…etc.


do you use a different Google account to download the bank app? or no Google at all in private space, and instead push an app downloaded from main?


hmm I really like the idea of navigation apps with location service in 1 profile. So you just don’t listen/stream music while driving? Because that’s another app right?
Also thats a lot of vpns lol.
Fedora then? Just choose the default Workstation. Easy to setup. Easy to do stuff too.


everything is a file lol, unlike on Windows where a lot of things are GUI based:
On Linux you have a lot of power, can use sudo to make changes to a file. If you know what you’re doing, great. If you don’t, system can break. Even without sudo, a misplace / mistype of files in the /home directory can cause weird stuff.
So TLDR is: be careful when making changes to files on Linux. Don’t listen to strangers on forums who give out commands to paste and run. Do your research on what the command does.
Keepass. I need to figure out a way to securely sync between Android <-> PC.
GNUpass should be very secure too but I need a way to view it on Android.


arch linux was what forced me to use LUKS on all of my installs regardless of distros, btw.
I used the standard layout: /boot, /, /home, swap. So when the installs break, the best way to fix is to use the archiso and remount and re arch-chroot.
Well… I found out that without LUKS, anybody can use any distro’s live CD and mount my stuff.
At first, I used LUKS only on the main partitions: so / and /home, or just / if no separate /home. Swap remains unencrypted. Boot is also unencrypted.
You could encrypt those too but need more work and hackery stuff:
encrypted boot: can be slow if you boot the computer from cold. There’s also this thing where you need to enter the password twice => think Fedora has an article to get around this. Iirc, it involves storing the boot’s encrypted password as a key deep within the root directory.
encrypted swap: the tricky thing is to use this with hibernation. I managed to get it to work once but with Zram stuff, I don’t use hibernation anymore. It involved writing the correct arguments in the /boot/grub/grub.cfg. Basically tells the bootloader to hibernate and resume from hibernation with the correct UUID.
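
Added example, not part of the original post: a small audit of the partition layout described above, showing which mounted filesystems and swap sit behind a dm-crypt (LUKS) mapping and which a live CD could mount directly. The function names and the sample device names are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: classify each mounted filesystem (and active swap) as
# encrypted or PLAINTEXT. Input is the output of:
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
luks_audit() {
    awk '
    # Return the value of KEY="value" from one lsblk -P line.
    # The leading space keeps KNAME from matching inside PKNAME.
    function field(line, key,    s) {
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        return substr(s, length(key) + 4, length(s) - length(key) - 4)
    }
    {
        line = " " $0
        k = field(line, "KNAME")
        type[k] = field(line, "TYPE")
        parent[k] = field(line, "PKNAME")
        mp = field(line, "MOUNTPOINT")
        if (mp != "" && !(k in mount)) { mount[k] = mp; order[++n] = k }
    }
    END {
        for (i = 1; i <= n; i++) {
            state = "PLAINTEXT"
            # Walk up the parent chain; TYPE "crypt" is a dm-crypt mapping,
            # which is how an opened LUKS volume appears.
            for (cur = order[i]; cur != ""; cur = parent[cur])
                if (type[cur] == "crypt") { state = "encrypted"; break }
            print mount[order[i]], state
        }
    }'
}

# Constructed sample matching the layout in the post: / and /home on LUKS,
# /boot and swap left unencrypted. Device names are made up.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-1" PKNAME="sda3" TYPE="crypt" MOUNTPOINT="/home"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
EOF
}

sample_lsblk | luks_audit
```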


not sure about price and speed, but their subscription model is designed such that you may not need to give away your info. E.g. pay with crypto and even cash in mail.


could just replace it, no? Unless your keyboard is weird, the size of the Windows key is pretty standard right?
I guess another way is to use those shitty privacy screen protectors that do not work with fingerprints at all. They can try all they want, it’s not gonna work.