Is CalyxOS Dead? What Happened, What It Means, and What to Do

If you’re searching for CalyxOS right now, you’re probably confused. The website is still up. The download pages still exist. But the operating system that hundreds of thousands of people trusted with their digital privacy hasn’t shipped a security update since June 2025.

That’s nine months without a patch. In mobile security terms, that’s not a pause — it’s an emergency.

Here’s the full story of what happened to CalyxOS, whether it’s actually coming back, the real risks you’re running if you’re still using it, and exactly what you should do next.

The August Letter That Changed Everything

On August 1, 2025, the Calyx Institute published an open letter to its community that landed like a bomb in privacy circles.

Two departures were announced simultaneously. Nicholas Merrill — the founder and president of the Calyx Institute, the man who built the organisation from scratch and championed digital privacy for over 25 years — had left to pursue other projects. And Chirayu Desai, the CalyxOS technical lead who had been the driving force behind the project’s actual Android development, had also departed.

For a project that was already lean, losing both the visionary leader and the technical backbone at the same time was devastating.

The remaining team laid out their plan: upgrade the technical infrastructure, stabilise the update release cycle across 25+ supported devices, and completely overhaul their signing and verification processes. They estimated this would take four to six months. During that time, no security updates would be released.

Four days later, on August 5, they posted a follow-up that was even more direct. They recommended that current CalyxOS users uninstall the operating system entirely and return to stock Android or move to another privacy-focused ROM. They published guides for backing up data with SeedVault and restoring devices to factory firmware.

It was an extraordinary moment of honesty. The people behind CalyxOS told their own users to stop using CalyxOS.

Why the Signing Keys Make This Worse Than a Simple Pause

The August announcement also revealed a technical complication that many users initially overlooked but that has enormous practical consequences.

Every Android operating system update is cryptographically signed with private keys that prove the update genuinely comes from the developer. Your phone checks these signatures before installing anything. When key personnel with access to signing keys leave a project, security best practice demands rotating those keys — even if there’s no reason to believe they were compromised.

The CalyxOS team was upfront about this: they would be generating entirely new signing keys using Hardware Security Modules (HSMs).

Here’s the problem: Android’s verified boot system doesn’t allow you to seamlessly switch signing keys through an over-the-air update. When CalyxOS comes back — if it comes back — every single user will need to do a full wipe and reinstall. There is no way around this. Your data, your apps, your configuration — all of it needs to be backed up and rebuilt from scratch.

This means that even in the best-case scenario where CalyxOS returns tomorrow, you can’t just hit “update” and carry on. You’re doing a fresh install regardless.

Where Things Stand in February 2026

So is CalyxOS dead? Not officially. But the word “paused” is doing a lot of heavy lifting.

The remaining team has published several progress updates since August 2025:

November 2025: Shared details about their new HSM-based signing solution built around the YubiHSM 2, using Shamir’s Secret Sharing for key backup.
December 2025: Reported the HSM key provisioning plan was undergoing a final security audit. Confirmed they had successfully booted Android 16 QPR1 on all modern supported devices. Hired a Community Coordinator and posted job openings for a BSP engineer.
January 31, 2026 (FOSDEM): The CalyxOS team gave a technical talk in Brussels about their signing redesign — covering PKCS #11 integration, key wrapping challenges on HSMs with limited storage, and plans to open-source everything.
February 10, 2026: Published a detailed blog post based on that FOSDEM talk.

All of this suggests genuine work is happening. But none of it has produced a usable build. As of late February 2026, CalyxOS has not completed the key ceremony, has not released a single new build, and has not provided a concrete release date. The original “four to six months” estimate from August 2025 has come and gone.

Meanwhile, the last CalyxOS security patch level remains June 1, 2025. That means nine months of Android security patches — covering dozens of known vulnerabilities, including remotely exploitable ones — are missing from every CalyxOS device in the world.

What You’re Actually Risking by Staying on CalyxOS

Let’s be blunt about what running an unpatched mobile OS means in practice.

Every month, Google’s Android Security Bulletin discloses vulnerabilities in the Android framework, the Linux kernel, and vendor-specific components. Many are classified as Critical or High severity. Some allow remote code execution — meaning an attacker can compromise your device without you clicking anything.

Since June 2025, multiple bulletins have been published. The vulnerabilities disclosed in those bulletins are now public knowledge, which means attackers know exactly what to exploit. CalyxOS devices are sitting ducks.

You might think: “I’m careful about what I install and which links I click.” That’s good practice, but it doesn’t protect you against zero-click exploits in the system itself — compromised Wi-Fi networks, malicious Bluetooth data, or even crafted SMS messages that exploit the processing stack. These are exactly the kinds of vulnerabilities that monthly patches fix.

The CalyxOS team was honest about this themselves. In their August 5 update, they wrote: “Without security updates, we can only be honest that this does not guarantee the level of security we strive for, especially when global threats to privacy and human rights are at a critical moment.”

If you’re a journalist, activist, dissident, or anyone with a heightened threat model, running unpatched CalyxOS is genuinely dangerous. But even for everyday users, the risk is real and growing with every passing month.

What CalyxOS Got Right — And Why People Loved It

Before talking about moving on, it’s worth acknowledging what CalyxOS built. This was not a half-baked hobby project. At its peak, CalyxOS was a thoughtfully designed privacy operating system that made real trade-offs in favour of usability.

microG instead of Google Play Services. CalyxOS shipped with microG — an open-source reimplementation of Google’s proprietary Play Services framework. Most apps requiring push notifications, location services, or Google APIs worked out of the box, without giving Google the deep system-level access it normally enjoys. For many users, this was the killer feature.

Datura Firewall. A built-in per-app firewall that gave users granular control over network access. You could block individual apps from using Wi-Fi, mobile data, or VPN connections — all from a simple toggle interface. No root required, no third-party app needed. Elegant and effective.

F-Droid integration. CalyxOS included F-Droid Basic as a privileged app, allowing seamless installs from the F-Droid repository. Combined with Aurora Store for accessing Google Play apps without a Google account, CalyxOS users had access to virtually any Android app through privacy-respecting channels.

SeedVault backup. An open-source backup solution integrated into the OS that encrypts your data and stores it on USB drives, Nextcloud, or other self-hosted storage. In a world where “backup” usually means handing your data to Google or Apple, SeedVault was a breath of fresh air.

Broad device support. While GrapheneOS supports only Pixel phones, CalyxOS ran on Pixels, Fairphones, Motorola devices, and even SHIFTphones. For privacy-conscious users who didn’t want Google hardware, CalyxOS was one of the only credible options. This was especially significant for the Fairphone community, whose hardware choices are driven by sustainability and ethics — not just privacy.

Ease of use. CalyxOS shipped with a guided installer, sane defaults, and an experience that felt close to stock Android. You didn’t need to be technical to use it. This accessibility was core to the project’s mission.

CalyxOS proved that deGoogling didn’t have to mean suffering.

The Bigger Picture: Privacy ROMs Are Dying

CalyxOS isn’t the only casualty. In December 2024, DivestOS — another privacy-focused Android ROM that had been maintained for a decade — announced its permanent shutdown. The sole developer cited lack of funding and the overwhelming burden of keeping pace with Google’s relentless release cadence.

The Mull browser (a privacy-hardened Firefox fork maintained by the same developer) also died, replaced by the community-driven IronFox project.

The pattern is hard to ignore. Maintaining a custom Android ROM is brutally demanding work. Starting with Android 16, Google has stopped publishing Pixel device trees in AOSP, forcing custom ROM developers to reverse-engineer device configurations. Monthly security patches have become harder to identify and integrate. The walls are closing in on the open-source Android ecosystem.

This leaves fewer and fewer options standing:

GrapheneOS remains healthy — active development, rapid security patches, growing user base, non-profit foundation backing
LineageOS continues as a general-purpose custom ROM, though with a different security model and no hardening focus
/e/OS (backed by Murena) offers a deGoogled experience across many devices but doesn’t aim for the same hardened-security profile
iodéOS — a French project based on LineageOS with microG and built-in tracker blocking — has quietly grown as a CalyxOS alternative, particularly for Fairphone users

The era of choosing from a half-dozen credible privacy ROMs is over.

What to Do Now: Your Migration Options

Your path forward depends on what hardware you’re holding.

If You’re on a Pixel: Move to GrapheneOS

This is the clear migration path for the majority of CalyxOS users. GrapheneOS is the most secure phone operating system available on any platform, with security hardening that goes well beyond what CalyxOS ever offered.

But it works differently in important ways, and former CalyxOS users should know what to expect:

Sandboxed Google Play instead of microG. GrapheneOS doesn’t use microG. Instead, it runs the actual Google Play Services inside a strict sandbox with no special privileges — no more access than any random app you install. You control its permissions. The practical result is near-perfect app compatibility: banking apps, streaming services, and other stubborn apps that break on microG tend to work flawlessly. The trade-off is that you’re running real Google code, but it’s sandboxed so aggressively that it can’t see your other apps, access your location without permission, or read your notifications.

Network permission toggle instead of Datura. No standalone firewall app — instead, GrapheneOS adds a network permission toggle directly into Android’s permission system. You revoke network access from any app the same way you’d revoke camera access. It’s technically more robust than a firewall (prevents requests at the OS level rather than intercepting traffic), though it doesn’t offer Datura’s fine-grained Wi-Fi-vs-cellular controls.

User profiles for isolation. GrapheneOS makes heavy use of user profiles — essentially separate phones within one device, each with its own apps, accounts, and encryption keys. Many CalyxOS users who relied on work-profile tools will find this more comprehensive.

No F-Droid by default. The GrapheneOS team has been vocal about F-Droid’s security limitations. You can still install it manually, but the recommended approach is Accrescent or direct APK downloads from developers.

Migration steps:

Back up everything. Use SeedVault to create an encrypted backup to USB. Manually note 2FA tokens, app-specific settings, and anything you’d need to rebuild.
Unlock your bootloader. Enable OEM unlocking in Developer Options. Connect to a computer and run fastboot flashing unlock. This erases your device.
Install GrapheneOS. Use the web installer — it takes about 15 minutes, no command line needed.
Relock your bootloader. The installer prompts you. This restores verified boot with GrapheneOS’s own signing keys — something CalyxOS never offered.
Restore your data and optionally install Sandboxed Google Play from the GrapheneOS app menu.

If You’re on a Fairphone or Other Non-Pixel Device

GrapheneOS only runs on Pixels. If you’re on a Fairphone, Motorola, or SHIFTphone, your options are more limited but still viable.

/e/OS is the most direct alternative. It uses microG (like CalyxOS did), includes Advanced Privacy for system-wide tracker blocking, and has a formal partnership with Fairphone for long-term support. The transition from CalyxOS will feel familiar. Trade-off: /e/OS doesn’t offer the same security hardening, and its update cadence can lag.

iodéOS is worth serious consideration, particularly for Fairphone users. It’s built on LineageOS with pre-installed microG (opt-in during setup) and a system-wide ad/tracker blocker. The Techlore community and Fairphone forums frequently recommend it as the closest spiritual successor to CalyxOS for non-Pixel hardware. It’s snappy, well-maintained, and French-based (GDPR territory).

Stock Android with hardening is a pragmatic fallback. At least you’ll be receiving security patches. Supplement with privacy-focused apps — a DNS-based ad blocker, NetGuard for network control, and privacy-respecting defaults.

Should You Just Buy a Pixel?

If your non-Pixel device is ageing out of support anyway, this is the right moment to consider it. A used Pixel 8a goes for around €350–400, runs GrapheneOS with full verified boot, and gets security patches within hours of Google’s release. The security gap between GrapheneOS on a Pixel and any non-Pixel privacy ROM is substantial.

We get that this is a hard pill for Fairphone users who chose their device for ethical and sustainability reasons. But when it comes to protecting your data, the Pixel + GrapheneOS combination is in a different league. See our guide to encrypted phones for a full hardware comparison.

Should You Wait for CalyxOS to Come Back?

The honest answer: don’t hold your breath.

The CalyxOS team is clearly doing real work. Their HSM signing infrastructure is genuinely impressive. The FOSDEM 2026 talk was technically serious. They’ve booted Android 16 QPR1 on modern Pixels. They’re hiring.

But as of February 2026, seven months past their original timeline, they haven’t completed the key ceremony. They haven’t released a build. They haven’t provided a date. And even when they do release, you’ll need a full wipe and reinstall anyway — which is the same process as switching to a different ROM.

The security cost of waiting is accumulating. Every month on the June 2025 patch level, the gap between your device’s defences and the known attack surface grows wider. Vulnerability brokers and exploitation frameworks incorporate newly disclosed Android bugs within weeks of public disclosure.

Our recommendation: migrate now. If CalyxOS comes back with Android 16, new signing keys, and a reinvigorated team, you can always evaluate switching back. But don’t sit on an unpatched operating system waiting for a timeline that has already slipped twice.

The Legacy That Matters

CalyxOS proved something important: that a privacy-focused phone operating system could be accessible to ordinary people. Not just security researchers and Linux veterans, but journalists, small business owners, activists, and anyone who simply didn’t want to be surveilled.

Its combination of microG, Datura Firewall, SeedVault, and broad device support set a standard for what “privacy-friendly” should look like. Much of that work continues to influence the broader ecosystem. SeedVault is being adopted by other projects. The concept of per-app network control has found its way into GrapheneOS as a built-in permission toggle. The conversations CalyxOS started about usability in privacy software continue to shape how projects think about their users.

Whether CalyxOS returns or not, what it built mattered. And the people who used it — who made the deliberate choice to take control of their phone’s privacy — should feel good about that choice. The project may have stalled, but the instinct that led you to it was right.

Now it’s time to take that instinct and move somewhere safe.