nötkey

Complete walkthrough

Provisioning Guide

← Back to QR code

Nötkey Provisioning Guide

Public page: https://notkey.app/provision

This page contains the QR code required to provision Nötkey as Device Owner during Android setup. Applies to: Guardian, Sentinel, Sentinel Pro (Security Tier 1) Audience: New users setting up Nötkey with Device Owner for the first time Read time: ~15–20 minutes Last updated: 2026-03-03

What this guide covers

This guide walks you through setting up Nötkey's full protection mode from start to finish.

Full protection mode — called Security Tier 1 — requires your phone to be configured with a special Android capability called Device Owner. This setup requires a full factory reset of your phone.

By the end of this guide, you will have:

  • A Public Profile: the environment you present during routine inspections or coercive situations
  • A Private Profile: the isolated environment where you keep sensitive apps and data
  • Both profiles protected by separate PINs
  • Confirmed that switching between them works correctly

This process is irreversible without a second factory reset. Take the time to read and follow each step.

What this setup helps you achieve

When complete, this provisioning setup gives you:

  • A Public Profile that can be configured to appear as a normal, everyday Android phone to anyone who looks at it.
  • A Private Profile that is isolated from the Public Profile — its apps, data, and accounts are not visible from the Public Profile.
  • Stronger enforcement of the separation between these two environments compared to a standard app installation. Device Owner allows Nötkey to apply its security posture more reliably.

This setup is designed to reduce the risk of accidental exposure and to give you a credible environment to present under inspection.

What this does NOT do

This setup does not:

  • Protect data already backed up to cloud services (Google Drive, Samsung Cloud, etc.)
  • Protect you from being legally compelled to provide a password
  • Guarantee that data is unrecoverable by professional forensic tools
  • Protect accounts (email, social media) that exist outside the device
  • Work without a factory reset — there is no shortcut

Before you begin

Time required

Set aside at least 45 to 60 minutes for this process. Do not start if you might be interrupted.

What you will need

  • Your phone (charged to at least 60% or plugged in)
  • A stable Wi-Fi connection
  • A pen and paper, or a secure place to write down PINs
  • Access to your Google account credentials
  • Any two-factor authentication (2FA) recovery codes you depend on

Two-factor authentication apps — such as Google Authenticator or Authy — generate login codes used for securely accessing websites and services. These codes are often stored only on your device. If you lose access to them, you may be locked out of accounts permanently.

What "Device Owner" means for this setup

When Nötkey is set up as Device Owner, Android gives it a management role that allows more reliable enforcement of the separation between your Public Profile and Private Profile. This role can only be granted during the initial setup of a freshly reset phone. It cannot be added to an existing device setup.

Pre-check checklist

Complete every item before you reset your phone. Do not skip any.

Contacts

  • Confirm contacts are synced to your Google account or another service.
  • Open your contacts app and verify the last sync time.

Photos

  • Open your backup service (such as Google Photos) and confirm the last backup completed successfully.
  • Check that backup is set to back up all folders, not just selected ones.

Messages

  • Decide whether you need your SMS message history.
  • If yes, use a third-party SMS backup app before proceeding. Android does not automatically restore SMS history after a factory reset.

Two-factor authentication apps

  • Identify every website or service where you use an authentication app.
  • For each one: either export your codes (if the app supports it), note your backup codes, or confirm you have another recovery method.
  • If you are unsure, do not proceed until this is resolved.

Notes and documents

  • Check your notes app, downloads folder, and any other local storage.
  • Any file stored only on the device will be permanently erased.

Installed apps

  • Your apps will need to be reinstalled after the reset. They will be available from the Play Store again, but any app data not synced to a cloud service will be lost.

PINs and passwords

  • Write down your Google account email address and password.
  • Write down any banking or service recovery codes.
  • Store this information somewhere physically secure, separate from your phone.

Once you have completed this checklist, you are ready to proceed.

Phase 1: Factory reset your phone

A factory reset erases everything on your phone and returns it to a blank state. This is required to set up Device Owner.

The reset is permanent. Once started, it cannot be undone.

Step 1: Open Android Settings

Open the Settings app on your phone.

Step 2: Navigate to reset options

The path varies slightly by phone manufacturer:

  • Google Pixel: Settings → System → Reset options → Erase all data (factory reset)
  • Samsung: Settings → General management → Reset → Factory data reset
  • OnePlus: Settings → System → Reset options → Erase all data
  • Other Android phones: Look for Settings → System → Reset, or search "factory reset" in the settings search bar.

Step 3: Confirm you want to erase

Android will show a summary of what will be erased. Read it carefully. You will typically be asked to:

  • Enter your current screen lock PIN or password to confirm your identity
  • Tap "Erase all data" or "Reset phone" to confirm

Step 4: Wait for the reset to complete

The phone will restart and begin erasing. This takes between 5 and 15 minutes depending on your device. Do not interrupt the process.

When complete, the phone will restart and show the Android initial setup screen.

What this means for you: Your phone is now in a blank state. The next phase is critical — you must set up Nötkey as Device Owner before completing the Android setup process.

Phase 2: Set up Nötkey as Device Owner

This phase happens during Android's initial setup wizard — the screens you see immediately after a factory reset. Device Owner must be granted to Nötkey before the setup wizard finishes.

If you complete the Android setup wizard before setting up Nötkey as Device Owner, you will need to factory reset again.

Step 1: Work through Android's initial screens

When the phone boots to the setup screen, complete the early steps:

  • Choose your language
  • Connect to Wi-Fi
  • Sign in to your Google account (or skip if preferred)

Do not rush through these screens. Read each one carefully.

Step 2: Enter Android's Device Owner provisioning mode

On the Wi-Fi selection screen during initial setup, do not continue forward.

Instead:

  1. Tap the screen repeatedly (typically 6 times) on the blank area of the screen.
  2. Android will display a prompt to scan a QR code for device provisioning.
  3. Select the option to scan a QR code.

This opens Android's managed provisioning mode, which allows Nötkey to be granted Device Owner status.

If this option does not appear, your device manufacturer may use a slightly different gesture. Consult support before proceeding.

Step 3: Scan the Nötkey provisioning QR code

Using another device, open the Nötkey provisioning page at https://notkey.app/provisioning and display the QR code.

Scan the QR code with your phone.

Android will:

  • Download Nötkey
  • Begin provisioning
  • Request confirmation to grant Device Owner permissions

Follow the on-screen instructions carefully.

If you continue through the Android setup wizard without entering provisioning mode, Device Owner cannot be granted. You will need to factory reset and begin again.

Step 4: Grant Device Owner permission

When Nötkey's setup screen appears, you will be asked to confirm that Nötkey can act as the device's administrator.

Read the permission screen carefully. Confirm only when you understand what you are granting. This step is what allows Nötkey to enforce the separation between your profiles.

Step 5: Complete the Android setup wizard

After granting Device Owner, continue through the remaining Android setup steps until the phone reaches the home screen.

You are now in your Public Profile (the default Android environment, also called User 0). Nötkey is active as Device Owner.

What this means for you: Nötkey now has the system-level access needed to maintain the separation between your Public Profile and Private Profile environments. This cannot be undone without another factory reset.

Phase 3: Set up your Public Profile

Your Public Profile is the environment you use daily and the one you would present if asked to show your phone. It should look like a normal, reasonable phone.

Step 1: Open Nötkey

Open the Nötkey app. You should see the Nötkey setup wizard.

Step 2: Create your Public Profile PIN

You will be asked to set a PIN for your Public Profile.

This PIN unlocks your Public Profile. Choose a PIN you can remember under pressure. Write it down immediately and store it somewhere physically secure and separate from your phone.

Warning: If you forget your Public Profile PIN, you will permanently lose access to your Public Profile data. Android provides no account-based recovery for Device Owner PINs.

  • Use 6 or more digits.
  • Do not use obvious sequences (birthdays, repeating numbers).
  • Do not store the PIN on your phone.

Step 3: Set up your Public Profile environment

After your PIN is set, your Public Profile is active. You can now:

  • Install apps that reflect normal daily use (maps, social media, email, news)
  • Add a normal-looking lock screen wallpaper
  • Configure the profile so it would appear unremarkable to an observer

The Public Profile does not need to be elaborate, but it should not be empty. A sparsely configured device may appear unusual.

Take your time with this step. You can continue populating the Public Profile after setup is complete.

Phase 4: Set up your Private Profile

Your Private Profile is the isolated environment where you keep sensitive apps, data, and communications. It is not visible from the Public Profile.

Step 1: Use Nötkey to create the Private Profile

Inside the Nötkey app, select the option to create your Private Profile. Nötkey will create a separate Android user (sometimes called a secondary user or User 10).

The device may briefly reboot or pause during this process. Wait for it to complete.

Step 2: Switch to your Private Profile

Nötkey will guide you through switching to the Private Profile for the first time. After the switch, the phone will lock. Unlock it using the Private Profile PIN prompt.

The first time you switch, the Private Profile is blank. This is expected.

Step 3: Create your Private Profile PIN

You will be prompted to create a PIN for the Private Profile.

This PIN is separate from your Public Profile PIN. Use a different PIN.

Write it down immediately and store it in a physically secure location, separate from both your phone and your Public Profile PIN record.

Warning: If you forget your Private Profile PIN, you will permanently lose access to your Private Profile data. There is no account-based recovery.

Step 4: Set up your Private Profile environment

With your Private Profile active, you can now:

  • Install secure messaging apps
  • Set up accounts you do not want visible in the Public Profile environment
  • Add sensitive documents or photos
  • Configure the profile for your actual work

This step can take multiple sessions. There is no rush.

Step 5: Switch back to your Public Profile

When you are ready, use Nötkey to switch back to your Public Profile. The phone will lock. Unlock it with your Public Profile PIN.

Confirm you are in the Public Profile by checking the Nötkey status screen.

Phase 5: Verify everything works

Before relying on this setup, confirm each of the following.

Verification 1: Confirm Device Owner is active

Open Nötkey and check the status screen. You should see:

  • Device Owner: Enabled
  • Security Tier: 1

You can also verify in Android Settings: navigate to Security (or Passwords & security) and look for Device management” or “Device admin apps (or similar device management section). Nötkey should appear there.

If Device Owner is not shown as enabled, do not rely on this setup. See the troubleshooting section.

Verification 2: Practice switching profiles

Practice switching from Public Profile to Private Profile and back at least twice. Confirm:

  • The switch works in both directions.
  • Each profile requires its PIN.
  • Your content is separate in each profile (Public Profile apps do not appear in Private Profile and vice versa).

Verification 3: Confirm your PINs

Without looking at your written record, attempt to recall both PINs. Then confirm they match your written record.

If you cannot recall either PIN, update your written record immediately.

Verification 4: Confirm no sensitive content is visible in your Public Profile

From the Public Profile, attempt to navigate to any sensitive content you installed in your Private Profile. Confirm it is not visible or accessible from the Public Profile.

Troubleshooting

Problem: Nötkey did not appear during Android setup

Cause: The provisioning step was missed or the timing was incorrect. Fix: If the Android setup wizard has been completed without granting Device Owner to Nötkey, you must perform another factory reset and repeat Phase 2 more carefully. There is no other way to correct this.

Problem: Device Owner shows as not enabled after setup

Fix:

  1. Confirm you are on a Guardian or higher subscription tier.
  2. Restart the phone and check the Nötkey status screen again.
  3. Navigate to Android Settings → Security → Device admin apps and verify Nötkey is listed.
  4. If it is not listed, perform another factory reset.

If the problem persists on the same device, the issue may be an OEM compatibility issue. Some device manufacturers restrict Device Owner functionality. Contact support with your device model and Android version.

Problem: Profile switch does not work

Fix:

  1. Ensure you are in the Public Profile when attempting to switch.
  2. Check your subscription tier in the Nötkey status screen.
  3. Restart the phone and attempt again.
  4. If switching fails repeatedly, contact support.

Problem: I forgot one of my PINs

Situation A — Forgot Public Profile PIN: You cannot access your Public Profile. The phone's standard Android lock screen recovery may allow recovery if you used a Google account during setup. However, this does not recover Device Owner–managed PINs in all configurations. Assume data loss is possible and plan for a factory reset.

Situation B — Forgot Private Profile PIN: You cannot access your Private Profile or its data. There is no recovery mechanism. You must factory reset to regain a usable device. Your Private Profile data is permanently lost.

Situation C — Forgot both PINs: Perform a factory reset. Both profiles and all data are permanently lost.

This is why writing down both PINs and storing them securely is mandatory, not optional.

Problem: OEM-specific issue (Samsung, OnePlus, Xiaomi, etc.)

Some device manufacturers include software that may interfere with Device Owner provisioning. If you encounter errors during the provisioning step specific to your device brand, contact support with your device model. Not all devices are fully supported.

What this setup does not protect against

  • Someone who has physical custody of your unlocked phone and time to examine it
  • Legal orders compelling you to provide your PIN
  • Cloud backups of data you have already synced (those still exist in the cloud)
  • Forensic analysis by a well-resourced actor with direct access to the device hardware
  • Spyware or malware already installed on the device before provisioning
  • Accounts (email, social media) that exist outside this device

Nötkey improves your control over what is visible on your device. It is not a guarantee of privacy in all circumstances.

Next steps

After completing this guide:

  1. Spend time populating both profiles with appropriate content.
  2. Practice the switching process until it is second nature.
  3. Review the in-app documentation for panic features (available on your tier).
  4. Consider the irreversibility of this setup and confirm you have accepted the tradeoffs.

If you need help at any point, use the in-app support option. Include your phone model, Android version, Nötkey version, and a screenshot of the Nötkey status screen when contacting support.