CalyxOS Setup Guide

This is a comprehensive and simple to use CalyxOS setup guide to maximize privacy.  Please use the steps below or watch the video for guidance.  This guide is assuming you have a a fresh installation of CalyxOS, or you have factory reset your phone that has CalyxOS installed on it.

Play Video

1. Initial Boot Up

To setup CalyxOS using this guide, first power on your phone and go through the setup screens, including:

    • Language: Set the operational language
    • Time and Date: Set the time zone, date and time
    • Wi-Fi: Connect to an accessible Wi-Fi network
    • Cell Data: Assuming you don’t have access to Wi-Fi, decide if you want to use cellular data in the setup process. Charges may apply depending on your plan and the number of apps you decide to install.
    • Location Access: Decide if you want apps to be given location access.  You can always change permission access in the phone settings once it’s been set up.
    • Secure Your Phone:  Decide what kind of security you want for your device to unlock it.  A fingerprint (if your model has one), or a PIN, password or pattern.  It’s highly recommended you set up at least one of these security features to prevent unauthorized access to your phone.
    • MicroG: Decide if you want to have microG in your CalyxOS setup.  This is a service that replicates many of the core functions of Google Play Services, allowing more apps to function on your phone, while keeping data collection and sharing with Google to an absolute minimum. MicroG is the most pragmatic balance between privacy, choice of apps, and functionality.
    • Install Recommended Apps: Decide which apps you would like to install as a part of the setup process.  It’s recommended to install Aurora Store at a minimum so you can easily download apps that you would find on the Google Play Store.  If you would like a secure encrypted messenger, that can replace your SMS texting app, then install Signal.  Note, only messages between Signal users will be encrypted, your SMS messages to non-Signal users will not.

2. Setup CalyxOS with MicroG

If you’ve installed MicroG from the previous section, now tweak your CalyxOS setup to meet your privacy and functionality preferences.

    • Go to Android Settings in the App Drawer and select MicroG
    • Select Self Check and ensure all the boxes are ticked.
    • Decide if you want to log into a Google Account.  If you do then select Account and sign in using your account credentials.  In order to maximize privacy, it’s recommended you do not sign in unless you want to install Google, or third party apps that require a Google Account.  Even then, sign in is not required unless you want to access something saved to Google’s Cloud connected to the app and your account.  For example, files in your Google Drive, personalized maps in your Google Maps etc. 
    • Some apps use push notifications, these are primarily apps like email, messengers, social media and calendars.  MicroG should have Google Device Registration and Cloud Messaging enabled.  It’s recommended to keep it unchanged for maximum functionality of your device.  This is of course unless you limit yourself to apps that don’t receive push notifications like those found on Atsanik’s list of Privacy Focused Alternative Apps page.
    • Enable Google Safety Net if you want to install apps like those used for banking, purchases and financial transactions, for example Paypal or Amazon.  You will need to see if each app will function properly because even with Google Safety Net enabled, some may not work.
    • Select Location Modules and ensure there is at least one Network-based geolocation module and one Address lookup module enabled.  The default modules work fine and provide a high level of privacy.  If you want to install additional modules, you can read more on the microG Unified Network Location Provider websiteThen search for and install each using the F-Droid app on your device.  After installing additional modules, you will need to enable them in MicroG by going to the App Drawer –> MicroG –> Location Modules.
    • Finally decide if you want to install a Covid-19 Contact Tracing app on your phone.  Most require Exposure Notifications to be enabled in MicroG but you can always test the app first it to see if it works without.

3. Setup CalyxOS with Apps from F-Droid and the Aurora Store

If you are not familiar with these two apps, Atsanik has a very comprehensive guide on How to Setup and Use F-Droid and Aurora Store.

  • Research and make a list of apps that you would like to install in your phone. 
  • Read Atsanik’s page on Privacy Focused App Alternatives and determine if any of these meet your needs or use the F-Droid app to look for apps.  Apps from F-Droid are free and open source, minimize permissions, and do not have built in app trackers thus assuring a high level of privacy.
  • If you need apps from the Google Play Store, use Aurora Store to download them.  Before doing so, go to the Exodus Privacy website and use their Search Tool to look up the each app’s name and determine the number and type of data trackers and permissions that app has.  Exodus will also tell you if any are considered dangerous.  If you don’t know exactly what trackers are and what they do, Exodus Privacy provides easy to understand information on trackers as well as permissions.
  • If during your research you find an app has too many trackers or permissions, look for alternatives in F-Droid or Aurora Store.  You can also lock down an app’s access to the internet, in Datura Firewall, to prevent tracking and data sharing but that will only work if the app does not need to access the internet as a core function.  For example, a video or audio streaming app.

4. Tweak Settings in Datura Firewall

During your CalyxOS setup process, you can use Datura Firewall to control background, Wi-Fi, mobile data and force app access through a VPN service installed on your device.  Blocking an apps access to the internet will also block it from sending data, collected through trackers and coding within the app, to Big Tech companies and third parties.  Some apps need internet access to function properly, so if you want to avoid tracking and data sharing, use the recommendations from the previous section.

  • Go to the App Drawer and select Datura Firewall
  • Block background network access to apps that don’t require notifications.  This is essentially anything outside a messenger, email, social media or calendar app but your preferences may differ.
  • Block Wi-Fi and mobile data access unless there is some core functionality that needs it.  For example, calendars, email, messenger apps, video and music streaming apps etc.  Also some apps need access to download content like apps for podcasts, maps and navigation, internet browsers, cloud storage, and some note taking apps with online syncing etc.
  • You many want some apps to access the network through a VPN, so toggle the appropriate settings in Datura Firewall and ensure a VPN application is installed and set up on your device.
  • You may need to test and tweak each app for your particular requirements.

5. Install a VPN Service

 A VPN service encrypts network traffic between your device and the VPN provider.  VPNs help cloak information from your internet provider who may block you from certain sites or even sell your browsing history data.

  • There are many free and paid services available.  For free services, Calyx, RiseUp and Proton are good choices for the average user.  Each of these VPN apps can be downloaded from F-Droid.
  • At a minimum, ensure you use a VPN when connected to any public (e.g. a coffee shop, library or airport) or shared Wi-Fi networks (e.g. work network). 
  • You can use a VPN a continuously, and you can usually set that up in the particular VPN app’s settings.  This may slow network traffic or use your battery more quickly.

6. Install a Private DNS Service

A DNS can be considered the telephone book of the internet.  It allows you to type a human friendly website name like atsanik.com instead of entering a computer friendly IP address, like 192.128.7.9, into a web browser. 

A DNS service translates the human friendly version of an address to the computer friendly numerical version.  Your network provider typically provides the DNS Service and in some jurisdictions can sell your browsing history to third parties.

  • In the App Drawer, select Android Settings –> Network and Internet –> Advanced –> Private DNS
  • CalxOS offers the choice of using Cloudfare DNS which promises not to sell your data.  You can also enter a alternate private DNS  by entering the hostname of the provider.  A list of private and free DNS services on our Private DNS Providers page.

7. Control App Permissions

Many apps ask for a significant number of permissions including access to sensors like the microphone, your location, the camera, body sensors and information like your contacts, messages, call logs and files.  Some of the information collected can be shared with Big Tech and other third parties via trackers or coding within the app.

The Android Permission Manager classifies permissions into 13 different categories. Within those categories are a total of 57 individual permissions. These are essentially hidden unless you research each app individually. One way to do this is the Exodus Privacy website, where you can search an app and determine which of the 57 permissions it’s requesting.

Unfortunately, Exodus Privacy only lists the permission and provides some general guidance if it could be dangerous. To find a full description, copy the Permission name from Exodus Privacy and then search for it on the our Android Permissions  page.

When you decide on a permission, ask yourself if it seems valid for the purpose and function of the app, and if you feel comfortable granting that type of access.

  • Go to the App Drawer and select Settings –> Apps and Notifications –> See All ## Apps –> then select an app –> Permissions
  • Individually go through the list of apps you installed and choose to Approve, Deny or Ask Every Time an app wants to access the permission.
  • There will be some trial and error to determine if an app actually requires a permission in order to operate as you or the app requires. 
  • It’s a good initial practice to Deny obvious flagrant permission requests. Select to Ask Every Time for ones you are not sure of and Allow access for ones that are obviously required.
Shopping Cart