🎥 Video Link

Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven’t had a chance to read through it yet.

So today I want to talk about the private space feature on GrapheneOS.

But before we get into that, I want to mention that I do offer paid consulting. I truly think anyone can figure out anything given enough time, but there are some people that prefer to save time by spending money — and if that’s you, then I’m happy to help. Whether you’re an individual just getting started with GrapheneOS, you’re looking to get into self-hosting, or maybe you’re a business looking to improve your overall security or privacy — if you want to find out more, you can head on over to sideofburritos.com and click on Schedule Consultation.

I want to start by going through the official announcement first by the GrapheneOS team on the discussion forum. I realize this was posted almost a year ago, and some things have changed since the initial announcement, but I still think it’s beneficial to go through.

GrapheneOS and the Private Space Feature

So, GrapheneOS fully supports the private space feature on Android 15, which is essentially a separate user nested inside of the owner user. This last part has already changed — the private space feature is now available in all users, not just the owner profile anymore.

The team strongly recommends it as a replacement for a work profile managed by a local profile admin app. It has better OS integration and isolation. So if you’re using something like Shelter on your phone currently to create a work profile, this is a great replacement.

The private space is an isolated workspace profile for apps and data, similar to both user profiles and work profiles. All three forms of profiles have entirely separate VPN configurations, which is very useful even if you are connected to the same VPN, since exit IPs can be separate. That part might sound a little confusing, but I’ll explain that better in the demo.

All forms of profiles have separate encryption keys. You can keep a private space at rest while the owner user is logged in, just as you can with a secondary user. This was a big reason I always liked using secondary users — you could end the session on that user profile and now it’s at rest, as compared to the owner user profile, which you need to be logged into in order to use your device.

Now, you can have a single profile setup. You can use the owner user profile, have a separate private space in there, and then put that private space at rest if you have something running that you don’t always want running. Before, you needed a secondary user profile for that.

The private space makes it easier to share data than users. The clipboard is shared, but we could add a setting for it — they have added a setting for that, which I’ll point out. All the features, including contact scopes, storage scopes, and sandboxed Play Services, have full support of private space. So if you use any of those features and you’re concerned about them not working in private space — they do work.

Currently, I think a lot of users use a separate user profile if they want to use sandboxed Google Play. And while this does provide great isolation, it can be cumbersome to switch to that separate user in order to use apps. Now, with private space, you get the same benefit of isolation, but it’s much more convenient to use those apps in the same user profile you always use.

I realize a lot of this might sound confusing in the way I’m explaining it, but hopefully that’ll be cleared up in the demo. So let’s get into that.

Setting Up a Private Space

Here I am in my owner user profile on a Pixel 7 running GrapheneOS. The first thing we’re going to do is set up a private space — and again, this works in any user profile, so if you’re in a secondary user, you can follow this same process and set one up there.

Go into Settings, scroll down to Security and Privacy. At the bottom, you’ll see Private Space — tap on that.

The screen will then prompt you for your user PIN, so type that in. Here we have some details about the private space — I suggest reading through that. At the bottom, there’s a warning:

“Private spaces are not suitable for apps that need to run in the background or send critical notifications, such as medical apps.”

This is because notifications and background activity are stopped when your space is locked. As the warning states — if the private space is locked, notifications will not work. But if it’s not locked, notifications should work. Do your own testing before depending on it for something critical to your health or well-being.

Once you’ve read through that, tap Set Up at the bottom right. Once that finishes, you’ll be prompted to choose the lock method for your private space. You can either use your screen lock or choose a new lock. I’ve been using my screen lock, but if you want it different, go ahead and do that.

Tap Use Screen Lock and it’s all set. It tells you where to find it. Click Done, and as you can see, I’m now in the app drawer. Swipe up from the home screen and you’ll now see the private space at the bottom — on the right side, you’ll see the lock icon, which means it’s currently locked.

Tap on that, enter your lock screen PIN or password, and once entered correctly, you are now presented with the private space.

Navigating the Private Space

A couple of things — when it’s unlocked, you can swipe up or go back, and it stays unlocked. Tap the lock button to lock it again. Remember: when the private space is locked, those apps are not running. So if you need notifications from any apps in your private space, those will not work while it’s locked.

You’ll notice some apps already installed — these are the same default apps that come on GrapheneOS when you install it. Each app installed in the private space has a small shield-and-key icon at the bottom right — that means it’s installed in the private space.

There are a couple of ways to install apps into the private space. If you tap the Install button here, it opens the GrapheneOS App Store. From there, you can install Google Play Store and Google Play Services. This is great for people currently using a separate user profile for apps that require Play Store. You get that same separation with the convenience of being able to lock or turn off the private space when not using it — something you couldn’t do with apps installed in the owner profile without powering your phone down.

Private Space Settings

Tap the gear icon next to the lock icon — these are the private space settings.

Private Space Lock – You can change it so it doesn’t use the device screen lock.

Lock Private Space Automatically – By default, it’s set to Every Time Device Locks. If you want it to run continuously in the background, change it to Only After Device Restarts.

Hide Private Space – By default, this is off. Turning it on hides the private space from the app drawer. To access it, go to Settings → Security and Privacy → Private Space → Unlock. I keep this off since I’m the only one who uses my device.

Cross-Profile Shared Clipboard – The default option allows sharing between the main user and private space. It’s up to personal preference whether to keep or restrict that.

End Session Immediately on Lock – Disallows delayed locking of storage. I don’t fully understand this option, but it seems safe to enable.

At the bottom, you’ll see the same warning from setup — again, test notifications before relying on them.

Installing Apps from the Main Profile

Going back to Install Available Apps, tapping it shows a list of all apps installed in the current user profile. Installing apps to the private space is as simple as toggling the switch next to the app. For example, if we enable Molly, we’ll now see it in our private space.

Default apps are separated by a horizontal rule, and anything with the small icon in the corner is in the private space. This is helpful for distinguishing which version you’re in — for example, if you have Signal installed in both, the icon tells you whether you’re in the private space or the main profile.

VPN and Profile Isolation

All three forms of profiles have entirely separate VPN configurations. For example, in my owner profile, I have ProtonVPN installed. If I connect there, that VPN only applies to the owner user. If I go to the private space and check my IP in Vanadium, it will show my home or cellular IP.

To apply a VPN to the private space, install and sign in to your VPN there separately. While it might sound cumbersome, it’s actually a benefit — you can have different exit IPs or countries per profile. This is the same behavior as secondary users on GrapheneOS.

Final Thoughts

I’ve been testing out the private space feature for the past few weeks, and it’s been working well. It’s much more convenient to use than a separate user profile. The only app I noticed some oddities with was MySudo — some calls and texts behaved oddly, at least notifications did.

I reached out to the MySudo team, and they said it should be supported in any profile type. I’m going to continue testing before fully committing and deleting my secondary user. But I think the private space is a great option for a lot of people, especially if you’re just getting started.

It makes the transition much easier than having a separate user, where you need to switch whenever you want to use those apps or get notifications.

Looking back at my notes, I covered a lot of information in this video. Hopefully it didn’t come across as too confusing, and it can serve as a good place to get you started. If you’ve been testing the private space feature, feel free to share your experience. And if you have any questions or comments, feel free to leave those down below — and I’ll see you next time.