Plain answers
Questions, answered honestly
The questions a careful, at-risk reader actually asks — with answers bounded by what the system really does. Where a fact is still being confirmed, we say so.
What it is
What GuardTalk is — and is not.
What is GuardTalk, in one sentence?
GuardTalk is a counter-surveillance communication system whose defining principle is an air gap: your phone has zero direct internet access and reaches the world only through a hardware gateway you own and hold, which routes everything through hardened defences and Tor.
Is this a VPN app or an "encrypted phone"?
No. It is not a VPN app you install, and it is not a single "encrypted phone" product. It is one integrated system — a hardened OS, a hardware gateway, a messenger, rotating infrastructure, and a Tor admin component — working together. A VPN app still leaves your phone directly on the internet; GuardTalk takes the phone off the internet entirely.
Is this an "untraceable phone"?
No, and we will not use that word. The closed, "untraceable" black boxes sold by honeypot vendors were repeatedly broken or turned out to be backdoors run by police. GuardTalk is the opposite on every axis: open source, auditable, with no vendor-readable server and no backdoor. We state mechanisms and limits rather than absolutes. See the threat model for exactly where the system ends.
The architecture
The air gap and the device.
What is the air gap, concretely?
Your phone's mobile modem stays off. The phone connects only over Wi-Fi to the GuardTalk gateway — never directly to the internet. The gateway is the single bridge to the outside world, and it routes traffic through WireGuard and Tor. Incoming probes from the internet stop at the gateway and never reach the phone.
Which devices are supported?
GuardTalkOS is a GrapheneOS-based build and runs on the same hardware-security-vetted devices — the Pixel 8 and Pixel 9. The OS ships as version 0.1.0. You buy the GuardTalk Mobile Protector from us as a complete, provisioned device — there is no bring-your-own-Pixel path.
How much effort is setup?
The journey is: receive the kit, set up the biometric key, first boot, connect the phone to the gateway, then communicate and monitor. It is more involved than installing an app and deliberately so — the air gap is hardware, not a toggle. The device arrives provisioned, so most of the work is binding the biometric key and pairing the phone to your gateway.
Under pressure
Seizure, metadata, and limits.
What happens if my device is seized?
Data at rest is protected by full-disk encryption (LUKS2 / argon2id / AES-256-XTS), unlocked by a biometric key you hold. A device that fails to check in for 12 hours is automatically wiped, and a duress panic credential wipes the local keys on demand. Honestly bounded: none of this can recover data already exfiltrated, protect a device seized while unlocked and running, or protect you under physical coercion beyond the wipe itself. The duress and check-in behaviour is described responsibly, not operationally.
What metadata does GuardTalk leave?
The messenger is a Jami-based peer-to-peer messenger: it runs without a central server, needs no phone number, and uses quantum-resistant end-to-end encryption (QPC) — so there is no vendor-held record of who spoke to whom, and message content remains protected against both classical and future quantum adversaries. Tor hides your network location from most observers. The honest limit: a global passive adversary observing both ends of the network can attempt end-to-end traffic correlation, and the people you talk to are still endpoints. The full residual-metadata picture is on the threat model.
What are the limits of the threat model?
Firmware or baseband implants beneath the OS, a targeted 0-day against the gateway itself, physical coercion beyond the duress wipe, compromise of the other person's device, nation-state global traffic correlation, and human error are all explicitly out of scope. If your adversary is on that list, GuardTalk alone is not enough — read the limits before you decide.
Trust and ethos
Payment, source, and credit.
Why Monero?
Because the access path should not undo the privacy the product provides. Monero lets you pay without surrendering a card, a bank trail, or a full identity. We collect the minimum to fulfil an order — at most a shipping destination, handled minimally — and there is no third-party card processor. See Request access and the privacy policy.
Why open source?
So you can check rather than trust. Every protection resolves to a named mechanism and, where it exists, a repository or audit you can read. We hold no keys and ship no backdoor — and the source is how you confirm that, instead of taking our word. Verify it yourself on Verify and Security.
Who do you build on, and credit?
GuardTalkOS is a GrapheneOS-based build (grapheneos.org), and the system routes through the Tor network. GrapheneOS is an independent project; GuardTalk is not affiliated with or endorsed by it. We depend on and credit the privacy commons respectfully, comply with upstream licensing and naming, and never imply their protections are absolute.