• CaptKoala
      English
      arrow-up
      7
      ·
      7 months ago

      TIL, I use GOS and never thought to look, I just see a banner saying there’s been updates and I’ve got “update and restart now”, “schedule restart” and “I’ll restart myself when ready” (or some such).

      • impure9435@kbin.run
        arrow-up
        22
        ·
        7 months ago

        The main purpose of this is actually security. Because when the device is in BFU (before first unlock) state, it’s much harder to gain access to the data (without the correct unlock credentials). During the reboot, the encryption keys are wiped from RAM, making it essentially impossible to access the device, since brute-force unlock attempts are prohibited by Weaver API, which is enforced by the Titan M2 hardware security module. You can read more about this at https://grapheneos.org/faq#encryption

        • CaptKoala
          English
          arrow-up
          2
          ·
          7 months ago

          I will give that a read. I have been unintentionally using this feature, anytime I expect I won’t use the GOS pixel for a bit I restart it, I’ve also found it disables biometrics as a security measure. Cool stuff.

          • impure9435@kbin.run
            arrow-up
            9
            ·
            7 months ago

            It doesn’t intentionally disable biometrics. Disabling biometrics is just a logical consequence of wiping the encryption keys from RAM. Your data is encrypted with your password as the key (not exactly, it first goes through a key derivation function, but the PIN/password is the entry point for the KDF). Your biometric information can’t decrypt your data, as your data is not encrypted with your biometric information as the key. When using biometrics, the encryption key is kept in RAM, and the biometric data is only validated by the OS. No actual decryption occurs here. The data on your phone is only being decrypted during the first unlock after a reboot. That’s why security states are grouped into BFU (before first unlock) and AFU (after first unlock).
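
The BFU/AFU behaviour described in the comment above, as a simplified model. This is an added example, not code from the thread or from GrapheneOS; the class and method names, the PBKDF2 parameters and the SHAKE-based toy cipher are assumptions, and the hardware throttling (Weaver / Titan M2) mentioned earlier in the thread is left out.

```python
import hashlib
import hmac
import os


class ToyDevice:
    """Simplified BFU/AFU model (assumption: not Android's real key hierarchy)."""

    def __init__(self, credential: str, secret: bytes, fingerprint: bytes):
        self.salt = os.urandom(16)
        key = self._kdf(credential)
        # "Disk" contents: a key check value and the encrypted secret.
        self.check = hmac.new(key, b"key-check", "sha256").digest()
        self.blob = self._xor(key, secret)
        self.fingerprint = fingerprint   # template the OS compares against
        self.key_in_ram = None           # freshly booted: BFU

    def _kdf(self, credential: str) -> bytes:
        # The PIN/password is only the KDF input, never the key itself.
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), self.salt, 100_000)

    @staticmethod
    def _xor(key: bytes, data: bytes) -> bytes:
        # Toy stream cipher for the demo only; do not use for real data.
        stream = hashlib.shake_256(key).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def state(self) -> str:
        return "BFU" if self.key_in_ram is None else "AFU"

    def unlock_with_credential(self, credential: str) -> bool:
        key = self._kdf(credential)
        if not hmac.compare_digest(hmac.new(key, b"key-check", "sha256").digest(), self.check):
            return False
        self.key_in_ram = key            # first unlock: key now lives in RAM
        return True

    def unlock_with_biometric(self, sample: bytes) -> bool:
        # A fingerprint is only compared by the OS; it cannot derive the key,
        # so in BFU there is nothing for it to unlock.
        if self.key_in_ram is None:
            return False
        return hmac.compare_digest(sample, self.fingerprint)

    def read_secret(self) -> bytes:
        if self.key_in_ram is None:
            raise PermissionError("BFU: no key in RAM")
        return self._xor(self.key_in_ram, self.blob)

    def reboot(self) -> None:
        self.key_in_ram = None           # key wiped from RAM, back to BFU
```
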

            • CaptKoala
              English
              arrow-up
              4
              ·
              7 months ago

              Thank you for your in-depth explanation, hope your comments help many others on top of myself.

    • unfinished | 🇵🇸
      English
      arrow-up
      4
      arrow-down
      1
      ·
      7 months ago

      This! Actually a great feature on GrapheneOS, been using it for over a year now.