Remote wipe and recovery

SP-REMOTE · SELF-HOSTED

Revoke access before a lost phone becomes an incident.
Then reissue cleanly.

SecurePhone supports peer-authorized wipe requests, administrator actions, server-side credential revocation, subscription lockout, and one-time reactivation. The erase scope stays explicit: Global Chat data on ordinary installs, or a whole-device reset when an enrolled Device Owner path is available.

Peer-authorizedAdministrator actionServer revocation
DEVICE RESPONSE LIVE

Pixel 8 · field-07Last sync 2 minutes ago

AT RISK
Trusted wipe contact

security@chat.examplePeer authorization verified

Authorized
01

Server credentialsAccount + device tokens

Revoked
02

Device commandAvailable erase scope

Queued
03

Replacement activationFresh OMEMO bundle

Ready
Revoke and wipe device
REQUEST PEER / ADMINSCOPE EXPLICIT
01Peer/adminindependent request paths
02Revokecredentials and device tokens first
03Fresh keysnew activation and OMEMO bundle
04Explicitchat-data or whole-device scope
Loss response

Wipe, lock out, and reissue from separate control paths.

A good loss workflow does not depend on a single administrator being online. It distinguishes local erase, whole-device reset, server revocation, and later recovery instead of calling every action ‘wipe.’

01

Designate trusted wipe contacts

Authorize specific SecurePhone identities—such as a spouse, security officer, or duress contact—to request a wipe without entering the administrator portal.

02

Administrator remote wipe

IT can revoke an enrolled user and issue the appropriate erase command from management, with server access severed even while the endpoint is offline.

03

Subscription-tied lockout

When service expires, server-side credentials rotate and the app enters lockout on its next successful sync instead of retaining indefinite access.

04

Reissue after wipe or replacement

Issue a new single-use activation, invalidate the old endpoint, and establish fresh device credentials and an independent OMEMO bundle.

Incident sequence

Cut access, erase what is reachable, preserve recovery context.

The sequence is designed for a device that may be offline, stolen, damaged, or already outside administrator control.

01

Authorize the request

A trusted peer or administrator starts the action through their permitted surface.

02

Revoke server access

Account and device credentials are invalidated so an offline endpoint cannot resume normal service later.

03

Execute the available erase

Ordinary installs clear Global Chat data; properly enrolled Device Owner phones can receive a whole-device reset command.

04

Reissue to a clean endpoint

After identity checks, provision a new one-time activation and restore only the services the replacement device needs.

Scope must be explicit

Remote wipe is not magic when a phone is offline.

Server-side revocation can happen immediately. Local erase still requires the endpoint to receive or execute the command, and whole-device factory reset requires managed Device Owner authority.

See Panic Wipe
01

Offline commands wait

An offline device cannot acknowledge or execute an erase command until it reconnects.

02

Two different erase scopes

Global Chat data wipe and whole-device factory reset are separate actions.

03

Panic Wipe is on-device

The separate emergency control performs an immediate Device Owner reset from the phone itself.

04

Recovery needs a runbook

Apps, policy, eSIM, and identity may need to be provisioned again on the replacement endpoint.

Prepare the runbook

Decide wipe scope before a device disappears.

Define who can trigger an action, what gets revoked, which devices can factory-reset, and how a legitimate user returns afterward.

Configure yours