SOVEREIGN
← All guides/

Getting started

First Boot: What to Do When Your Device Arrives

6 min read

Your phone arrives already running GrapheneOS with our documented hardening profile applied. Signal is installed. Proton VPN is configured. Vanadium is your default browser. You don't need to install anything to be private — it starts that way.

That said, there are a few things worth doing immediately: verifying the device is genuine, setting your own passphrase, and beginning the move from your old phone. Here's the sequence that matters.

Before You Turn It On

Check the box seal is intact and matches what we described in your shipping confirmation. Your device ships with a printed getting-started guide — read it before powering on. It contains your device's verified boot fingerprint, which you'll use in step three.

Do not connect to your old Google account during the setup wizard. GrapheneOS doesn't need one, and adding your primary Google account defeats most of the privacy work we've done.

Setting Up at First Boot

The setup wizard is minimal — GrapheneOS strips most of the Google onboarding flow. You'll be asked to select a language, connect to Wi-Fi, and set a lock screen. That's it.

Set a strong PIN (at minimum 8 digits, not a birthday or year) or a passphrase. See our passphrase guide for the reasoning — but don't use pattern unlock, and don't skip the lock screen entirely.

After the PIN is set, add a fingerprint for day-to-day convenience: Settings → Security → Fingerprint unlock. Fingerprint supplements the PIN; it doesn't replace it. If the phone is powered off, only the PIN works — this is intentional.

Verify the Device Is Genuine (Takes 2 Minutes)

GrapheneOS's Verified Boot gives you cryptographic proof that the operating system hasn't been tampered with. We re-lock the bootloader before shipping, meaning the Titan M security chip checks the OS on every power-on.

To verify: Settings → About phone → Device identifiers → Verified boot state. You should see 'Boot verified' and a fingerprint hash. Compare this to the fingerprint on your printed guide and on our website at /verify.

If you see 'Boot unverified' or 'Boot warning', stop and contact us before doing anything else. It shouldn't happen, but it would matter.

Check for Updates Immediately

We configure devices with the latest stable GrapheneOS release, but we recommend checking for updates as soon as you connect to Wi-Fi. Security patches are released monthly.

Settings → System → System update. If an update is available, let it download and install. You'll be prompted to reboot — do it before setting up anything else. The A/B partition system means updates install in the background without interrupting you.

Moving From Your Old Phone

Don't restore from a Google backup. Restoring from a Google Backup reintroduces the exact surveillance infrastructure you've just removed — app permissions, account associations, and all.

Instead, move selectively. Export contacts as a .vcf file from your old phone and import them into GrapheneOS Contacts. Signal can be transferred using its built-in device transfer feature (Signal → Settings → Account → Transfer account). For photos, use a USB cable to copy them directly.

Set up Signal with your existing phone number. Your contacts will see you as active on Signal without needing to do anything — the number is the identifier.

Your First-Week Checklist

  • Check and install available OS updates (Settings → System → System update)
  • Verify your boot fingerprint matches the published value
  • Set a strong PIN or passphrase
  • Enable Proton VPN kill switch (it ships pre-configured — verify it's on)
  • Import contacts via .vcf
  • Transfer Signal account from old device
  • Set auto-reboot timer: Settings → Security → Auto reboot → 72 hours
  • Review app permissions: Settings → Privacy → Permission manager
  • Enable USB-C lockdown: Settings → Security → USB-C connection → Charging only

Frequently asked questions

Should I update GrapheneOS before setting up my apps?
Yes. Check for updates before doing anything else. Installing apps and then updating can occasionally cause minor issues with sandboxed app sessions. Update first, reboot, then set up your apps.
Can I restore a WhatsApp backup?
If you enable Sandboxed Google Play, WhatsApp can restore from a local backup stored on your old phone. Transfer the backup file via USB cable before restoring. Google Drive WhatsApp backups work too, but require a Google account in the sandboxed profile.
What is the default PIN?
There is no default PIN. GrapheneOS requires you to set one during first boot. We don't know your PIN and have no access to it.
Should I use fingerprint or PIN?
Both. Set a strong PIN as your primary, then add a fingerprint for daily convenience. When you want PIN-only mode (border crossings, high-risk situations), power the phone off — on reboot, only the PIN works.
Do I need to add a Google account?
No. GrapheneOS runs fully without any Google account. If you need access to specific apps that require Play Services, we recommend setting up a separate, anonymous Google account only within the sandboxed profile — never in the main OS.

Still have questions?

We answer personally — no ticket queue.

Contact us →