SOVEREIGN
← All guides/

Getting started

The Duress Password: A Second Code That Wipes Instead of Unlocks

4 min read

Most people will never need a duress password. But for journalists, legal professionals, executives carrying sensitive client data, and anyone who crosses borders with their devices, it's one of the most important features GrapheneOS offers.

The duress password is a second code you can enter at the lock screen. To anyone watching, it looks identical to your normal unlock attempt. The difference: it triggers an immediate, silent factory reset instead of opening the phone.

What the Duress Password Does

When you enter the duress code at the lock screen, GrapheneOS immediately begins wiping all user data. The wipe is silent — there's no visible error, no alert, no indication that anything unusual is happening. The device appears to be processing the unlock while the data destruction occurs in the background.

This is a GrapheneOS-specific feature. It does not exist on stock Android, iOS, or any mainstream mobile operating system. It is designed for situations where you are physically compelled to unlock your device and need to destroy its contents before handing it over.

Who It's For

The duress password is a genuine tool for genuine threats. It's appropriate for journalists who carry source materials, lawyers carrying privileged client communications, activists operating in environments where device seizure is possible, medical professionals with patient data, and executives who may be subject to targeted espionage.

For the majority of SOVEREIGN customers, the duress password is a worthwhile feature to understand and optionally configure — not something you'll ever use in practice. Having it set up costs you nothing.

Setting Up Your Duress Password

Settings → Security → Duress password. You'll be prompted to set a second PIN or password that is distinct from your primary credentials.

Choose a code that is plausible as a real PIN but clearly distinct from your actual unlock code. Avoid codes that are one digit off from your real PIN, reversed versions of your PIN, or anything adjacent on the keypad. The duress code should be memorable under stress but not guessable by someone who knows your normal code.

Test the feature on a device you're willing to wipe. The only reliable way to confirm it works is to trigger it. Set up a fresh test device, configure a duress password, enter it, and observe the wipe. On your real device: trust that it works, and don't test it.

The wipe begins immediately on duress code entry. There is no confirmation prompt. This is intentional — a confirmation would defeat the purpose.

What It Doesn't Protect Against

The duress password is a physical device security measure, not a legal protection. It destroys local data, but it doesn't protect against: remote data that's already been exfiltrated, legal orders compelling production of decryption keys or cloud credentials, coercion to reveal your backup passwords, or pre-existing copies of your data on other devices.

In jurisdictions where destroying evidence is a criminal offence, using the duress password during a law enforcement action may create additional legal exposure. Know your legal environment. The feature is a security tool, not legal advice.

Combining With a Backup Strategy

A duress wipe should not be catastrophic. If your important data exists only on your phone, a wipe — even a planned one — causes serious harm. The correct approach: keep encrypted backups of what matters (contacts, documents, Proton Drive), so that a wipe is a 30-minute recovery, not a permanent loss.

Signal has a local encrypted backup feature: Signal → Settings → Account → Local backup. Store this in Proton Drive. After a wipe and reinstall, restore from this backup and your message history returns.

Frequently asked questions

Will I accidentally trigger it?
Only if you accidentally enter that specific code at the lock screen. Use a code you would never type by accident, and that isn't adjacent to your real PIN on the keypad. Some users choose a duress password (letters) while using a PIN as their main lock — this makes accidental entry essentially impossible.
Can the wipe be stopped once started?
No. Once the duress code is entered, the wipe process begins and cannot be interrupted. This is by design.
Is the wiped data actually unrecoverable?
Yes. GrapheneOS stores data encrypted with AES-256-XTS. The wipe destroys the encryption keys. Without the keys, the remaining ciphertext is computationally unrecoverable with any known technology.
Can I set a duress fingerprint?
No. GrapheneOS's duress feature is code-only, not biometric. This is intentional: in some jurisdictions, you can be legally compelled to provide a fingerprint but not a code. A duress fingerprint would undermine the feature's purpose.

Still have questions?

We answer personally — no ticket queue.

Contact us →