When it comes to custom ROMs and privacy on a mobile phone, it is always GrapheneOS for me.
Even though it only works on Pixel phones, it has been something I've always felt comfortable leaving the house with. Knowing I was not being traced, or spied on, or risking having my data taken and sold to the highest bidder, it's a great feeling! Even Edward Snowden once tweeted that GrapheneOS would be his pick:
"If I were configuring a smartphone today, I'd use @DanielMicay's @GrapheneOS as the base operating system. I'd desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn't need them. I would route traffic through the @torproject network."
CalyxOS is great for privacy-oriented people, but also works for the soccer mom who just wants to use her phone and at the same time values some privacy. CalyxOS offers a setup with or without MicroG pre-installed. In other words, it can use Google Play Services and push notifications, but it is open-source and doesn't connect to Google's privacy-invasive servers, just to the necessary ones!
Note: GrapheneOS does not use MicroG but has sandboxed Play Services which can be installed afterwards. I prefer that option, security- and privacy-wise!
Let's step back in history a bit. The Calyx Institute is a non-profit organization from NY, founded in 2010 by Nicholas Merrill, who owned an ISP (Internet Service Provider) named Calyx. While he was operating the ISP, the FBI approached him with an NSL (National Security Letter) asking for the data of a user. The letter also indicated that Merrill wasn't allowed to talk to anyone about the letter. He, however, decided to fight to protect his and his customers' rights, going to court and winning the case after eleven years of legal action.
https://calyxinstitute.org/about/board
After that short history lesson on who is behind Calyx, let's jump into the actual OS.
Just like GrapheneOS, CalyxOS can only be installed on Google Pixel phones, plus the cheaper Xiaomi Mi A2. CalyxOS launched V1 of its OS in early September 2020. It is based on the AOSP (Android Open Source Project) but with some privacy and security tweaks. CalyxOS is based on Android 12. Installation is via script, but should be easy enough for most geeks out there. ;)
This is straightforward, but it is easier to install GrapheneOS even for the non-geeks out there.
The installation of CalyxOS will replace the Google key with a CalyxOS key and therefore allow you to lock the bootloader again. This is recommended, but if you like to use AFWall+ to lock down your apps, you can keep it unlocked. I, personally, recommend a locked bootloader for security reasons.
The built-in Datura Firewall gives you fine-grained control over network access for all of your apps, so you do not need AFWall+ and do not have to compromise any security.
During the process and the first boot, CalyxOS lets you choose whether you want the MicroG version or don't want to use MicroG. To explain this again, MicroG is an open-source replacement for the Google Framework which allows push notifications and Play Services. If you don't need push or services, we recommend not installing MicroG. Most push notifications, like those of Signal or Threema, work without any need for GCM or MicroG.
You'll not just get MicroG during the setup but also F-Droid, which is, and should be, your main go-to store for all apps. You can also install the Aurora Store, which allows you to use the Google Play Store (anonymously) on your phone.
Unlike GrapheneOS, you have this option during the first boot, and it is easy to select and install apps this way, including Signal etc.
CalyxOS allows backing up data via Seedvault as a replacement for Google cloud backup. You get 12 words as a seed, similar to a Bitcoin seed, which can be used as an encryption key for your backup, so write them down!
CalyxOS looks pretty much like the normal Android experience that you would get from a Pixel phone, minus the Google apps and the privacy-invasive system Google ships with it. The system is fully encrypted and uses the chip Google ships with the Pixel phones, so everything happens on your phone! Google won't have this encryption/decryption key.
Talking of security, CalyxOS updates are pushed once a month, so they are solid, on par with Samsung or most other vendors pushing updates once a month, but not as fast as GrapheneOS. Please keep that in mind. I still think it's a solid and fast update and should not concern most people.
CalyxOS can be used as a daily driver, even for people who are in need of apps that depend on Google Services. It helps just knowing that you are still using a privacy-oriented and not an utterly 'googlely' phone. My personal take is that it is second to GrapheneOS when it comes to privacy and security, yet a great companion for people who use apps for business that rely on Google Services, for push or other features or reasons.
Unlike on other Android devices, tethered network devices (USB or Wi-Fi) can use the phone's VPN or Tor.
Pre-installed free and trusted VPNs from The Calyx Institute and Riseup.
Mozilla Location Services (and Dejavu) available as default location services.
Nominatim available as default geocoding service.
Panic button functionality lets a user uninstall apps and more.
Sensitive Numbers privacy. Calls to numbers for help lines such as domestic violence, child abuse, suicide hotlines are not recorded in the call log.
Automatic backups (once configured) of your apps.
Back up your files to a USB drive or Nextcloud.
Client-side encryption protects all of your backed-up data.
I strongly recommend, as always, using a secure DNS (Settings → Private DNS in your settings) to force all traffic to be encrypted, NextDNS, for example. It also allows you to filter traffic, which is an easy-to-handle yet powerful tool to have.