Security Architecture
How VaultPhone is actually built — and what we deliberately do not ship.
Google Pixel Hardware
VaultPhone is built on stock Google Pixel hardware with an IP-verified (locked) bootloader. We do not modify the kernel; all hardening is applied at the distribution level so the device behaves differently from a stock Pixel from first boot.
Distribution-Level Hardening
Stock Google and OEM apps are removed. Network behavior, identifier exposure, and default messengers are set at the distribution layer, not by an app you install on top of the OS — so there is no misconfiguration path for the user.
Tor by Default
All network traffic is routed through Tor by default, enforced at the OS level. There is no user-facing “VPN on/off” toggle to forget. Signal is preinstalled as the default secure messenger.
eSIM in Ghost Countries
Connectivity is provisioned via eSIM in privacy-friendly jurisdictions that do not share subscriber data with requesting parties. The device does not expose IMEI or other hardware identifiers on the network.
Emergency Kill Switch
A software-triggered emergency wipe destroys the encrypted volume keys, rendering filesystem data unrecoverable. After a wipe, the device must be re-provisioned via support — see the kill switch guide.
Software Filesystem Encryption
The filesystem is encrypted in software. We do not use hardware-level encryption and we do not ship PGP. If your threat model requires hardware-attested cryptography or PGP, this is not the device for you — and we would rather you knew before buying.
What VaultPhone is NOT
- • No hardware-level encryption (filesystem encryption is software).
- • No PGP — encrypted messaging is handled by Signal.
- • No physical circuit-cutting kill switches. The kill switch is a software emergency wipe.
- • No baseband removal. The device is a Pixel; baseband exists. We mitigate exposure at the distribution and network layer, not by ripping out radios.
Honest disclosure is part of the product. See the full spec sheet and the threat model.