Hey, howdy, hallo,
Happy Halloween! A common question I see is “What are the best settings for GrapheneOS?” Truthfully, the out-of-the-box defaults are pretty great, but there are a few I like to adjust. So, I thought I’d share those this month.
Owner user → Settings > Security & privacy > Exploit protection > Turn off Wi-Fi automatically | Turn off Bluetooth automatically
I think this is my favorite one. When you have Wi-Fi and Bluetooth on, they’re broadcasting, looking for devices and networks. People, companies, and governments have figured out how to abuse this behavior to track devices based on those beacons. Thankfully, on GrapheneOS (and I believe iOS and stock Pixel), we have MAC randomization. For Wi-Fi, that makes tracking infinitely harder (at least for historical tracking).
Regardless, the best setting is “off”. Not broadcasting at all.
The time you configure is how long it will take for Wi-Fi or Bluetooth to turn off once there’s no longer a connection.
Example: Wi-Fi auto-off is set to 5 minutes. When you leave your home and are out of range of a known network, after 5 minutes Wi-Fi will be disabled. That means your phone will stop searching for networks, which is great when you’re out in public. The downside is you’ll need to remember to manually re-enable it when you get home so it reconnects.
My settings:
I used to have Bluetooth set lower, but it wasn’t long enough for me to pair a new device.
Any user → Settings > Security & privacy > Device unlock > Fingerprint Unlock > Second factor PIN
My main Owner user has an 8+ word Diceware password. It’s very time-consuming to enter that every time I want to access my Owner user after the first unlock, so I have a fingerprint configured as well.
In the United States, law enforcement can force you to unlock your phone using your fingerprint. This… is not good. So what can you do? GrapheneOS has a Second factor PIN option. This means you can configure a completely separate PIN that needs to be entered after your fingerprint is successful.
I have this set to something simple because I don’t want it to slow me down too much, but it’s enough protection that even if I were compelled to use my fingerprint, a PIN would still be needed.
I see this as a good balance between usability and security. I prefer using my fingerprint in public because you can’t “screen peek” a fingerprint. I suppose I am divulging my second factor PIN in public, but that’s a discussion for another time.
Owner user → Settings > Security & privacy > Exploit protection > Auto reboot
This feature is simple, but it’s vital. Your phone is most secure in the BFU (Before First Unlock) state. This is when all user data is fully encrypted at rest. Auto reboot returns your phone to this state automatically.
Example: If you set it to 18 hours, and there’s no successful authentication in that time, your device will reboot. The moment there is a successful authentication, the timer resets. So if you lose your phone, it’s seized by police, or taken at the border, your phone will return to its most secure state once the timer hits zero.
Useful tip: If your phone reboots and you use secondary users, those users remain at rest upon reboot. That means if you set an alarm in a secondary user and your phone reboots while you’re asleep, the alarm won’t go off. However, you can set an alarm in the Owner user using the stock clock app and your alarm will go off after a reboot. This is a great way to keep the Auto reboot interval short while staying practical.
Full disclosure: I have mine set to 18 hours. I can’t have it reboot while I’m sleeping because if I get an alert for Yellowball, I need to get notified.
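To make the Auto reboot timer and the alarm tip above concrete, here is a small simulation I'm adding to this issue. It is not GrapheneOS code and not a description of its implementation; it only models the behaviour described above (each successful unlock restarts the countdown, the device reboots to BFU when the countdown expires, Owner alarms survive a reboot while a secondary user stays at rest). All timestamps, user names and the helper names (bfu_timeline, state_at, alarm_fires, at) are constructed for the example.

```python
from datetime import datetime, timedelta

OWNER = "owner"  # the Owner user; any other string stands for a secondary user
EIGHTEEN_HOURS = timedelta(hours=18)


def at(day, hour):
    """Timestamp helper for the constructed scenarios: day 1 = 31 Oct 2025."""
    return datetime(2025, 10, 31) + timedelta(days=day - 1, hours=hour)


def bfu_timeline(unlocks, auto_reboot, boot, until):
    """Model of the Auto reboot setting as described in the newsletter.

    unlocks:     timestamps of successful authentications (any user)
    auto_reboot: the configured interval, e.g. timedelta(hours=18)
    boot:        when the device last booted; it starts in BFU
    until:       end of the simulated window

    Returns [(timestamp, state), ...] with state "BFU" (before first unlock,
    user data at rest) or "AFU" (after first unlock). Every successful
    authentication restarts the countdown; if it expires with no
    authentication the device reboots back into BFU.
    """
    timeline = [(boot, "BFU")]
    state = "BFU"
    deadline = None  # moment the device reboots if nothing resets the timer
    for t in sorted(unlocks):
        if t > until:
            break
        if state == "AFU" and t >= deadline:
            # The timer hit zero before this unlock: the device already rebooted.
            timeline.append((deadline, "BFU"))
            state = "BFU"
        if state == "BFU":
            timeline.append((t, "AFU"))
            state = "AFU"
        deadline = t + auto_reboot  # countdown restarts on each authentication
    if state == "AFU" and deadline <= until:
        timeline.append((deadline, "BFU"))
    return timeline


def state_at(timeline, when):
    """Device state at `when` according to a bfu_timeline() result."""
    state = timeline[0][1]
    for t, s in timeline:
        if t <= when:
            state = s
    return state


def reboots_between(timeline, start, end):
    """Reboots (transitions into BFU, excluding the initial boot) in (start, end]."""
    return [t for t, s in timeline[1:] if s == "BFU" and start < t <= end]


def alarm_fires(timeline, user, set_at, rings_at):
    """Simplified model of the alarm tip: an alarm in the Owner user's stock
    clock app survives a reboot, but a secondary user remains at rest after
    a reboot, so its alarm only fires if no reboot happened in between."""
    if user == OWNER:
        return True
    return not reboots_between(timeline, set_at, rings_at)


if __name__ == "__main__":
    # Constructed day: unlocks at 07:00, 12:00, 22:00, then 12:00 the next day.
    tl = bfu_timeline([at(1, 7), at(1, 12), at(1, 22), at(2, 12)],
                      EIGHTEEN_HOURS, boot=at(1, 0), until=at(5, 0))
    for t, s in tl:
        print(t, s)
    print("secondary-user alarm set 22:00 day 2 for 07:00 day 3 fires:",
          alarm_fires(tl, "work", at(2, 22), at(3, 7)))
```

Running it shows the phone staying AFU through day 2 because the 12:00 unlock lands 14 hours after the previous one, then rebooting at 06:00 on day 3, 18 hours after the last unlock; the secondary-user alarm set before that reboot does not fire, while the same alarm in the Owner user would.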
I hope you had a great October, and I’ll see you in November!
-Josh
🖥️ GrapheneOS Private Space Explained
🖥️ One of GrapheneOS’s Best New Features: Security Preview Releases
2025.10.27 - Removed Brave Browser (Actual Budget now works in Vanadium). Added Paralino. Removed SilverBullet, trying something else.
🟡 Most platforms host your feed on their domain. If they disappear or terminate your account, your audience disappears too. Yellowball lets you own your feed at your domain—so your show stays yours.
No BS. No tracking. No forced branding. No personal info required. Just a fast, private, creator-first platform with unlimited downloads and crypto payment support.
I host my show In the Shell on it—and if you’re thinking of starting your own, check out Yellowball or just reply to this email. Happy to help.
"They’re either going to say yes or they won’t."
-I don’t know, I wrote it down years ago and can’t find a source.
I don’t track or analyze these emails, so the only way I know they’re read is if you tell me. If you enjoyed it, reply with a 🎃. If not, send back one sentence with what you’d improve.