UltraLocked
Crossing Lines series
Part 7 of 7

Your Complete Border-Crossing Checklist

Everything in the Crossing Lines series, consolidated into a working checklist you can save and reference before every international trip.

9 min read

This is the practical summary of everything covered in the Crossing Lines series. It is formatted to be saved, referenced before travel, and used as a working checklist rather than a document you read once and forget.

A note on threat modeling before you use it: not every item on this list applies to every traveler. A journalist crossing into China for an investigation has a different risk profile than a software engineer flying to London for a conference. The checklist is comprehensive — use the parts that fit your situation, skip the ones that do not, and calibrate based on where you are going, why, and what is on your device.

Two weeks before departure

Understand the legal landscape at your destination. Device search authority varies significantly by country. The U.S. operates under the border search exception with CBP Directive 3340-049B. The UK's Schedule 7 has explicit compulsion authority. Australia's ABF has broad Customs Act powers. China's Xinjiang crossing involves documented surveillance installation on devices. Know which framework applies to where you are going before you leave. (Part 1.)

Decide on your strategy. Choose between the three approaches covered in Part 3: dedicated travel device (highest protection, highest friction), clean phone (strip and restore), or vault-and-cross (protect sensitive content in hardware encryption, cross with the phone intact). The right choice depends on your threat model, your trip length, and your operational needs at the destination.

Conduct a full device audit. For each of the following categories, inventory what is on your phone and decide what needs to happen before you cross (Part 5 has the full guide):

  • Cloud storage apps (Dropbox, Drive, OneDrive): what files are cached locally for offline access?
  • Email: how much is cached locally? Can you reduce the offline cache in your email app's settings?
  • Notes: what sensitive content is in your notes apps? Is it synced to iCloud?
  • Contacts and call logs: are there contacts you would prefer a border agent not see?
  • Photos: is there sensitive content in your camera roll? Are photos synced to iCloud with local copies?
  • Messaging apps: how much conversation history is locally stored?
  • Professional apps: do any work apps have locally cached data that could expose client or source information?
  • Password managers: is your password database locally accessible and what protects it?

Move sensitive content into a hardware-encrypted vault. Any content you will need during the trip but would not want exposed at a border should be in a vault with genuine hardware-backed encryption — not just a password-protected app, but a vault whose encryption keys are anchored in the device's Secure Enclave and cannot be extracted by forensic software. UltraLocked uses this architecture: Secure Enclave-backed keys, no cloud sync, no account, no server.

If traveling to a high-risk destination, configure duress and dead man's switch settings. Set a duress code that opens a convincing decoy state rather than your real vault. The decoy should look used, not empty — an obviously empty vault can raise questions. Configure the dead man's switch with a window appropriate for your trip: if your device is seized and not returned within that window, the vault clears itself. (Part 4.)

Disable biometrics for the crossing. Turn off Face ID and Touch ID before you reach the border. Use your alphanumeric passcode. A passcode creates a legal question about compelled self-incrimination; biometrics are harder to argue are testimonial. CPJ explicitly recommends this step for all journalists crossing U.S. borders.

24–48 hours before crossing

Delete content you have decided not to carry — now, not at the airport. Deleted files may persist as recoverable artifacts, and the window for recovery shrinks with elapsed time and device use. Deleting at the gate gives a forensic tool the best possible chance of recovery. Deleting days in advance reduces that window meaningfully.

Sign out of accounts you do not need at the crossing. This includes cloud storage apps you will not need, messaging platforms not needed during the trip, and any app with sensitive account data. Remember that signing out is often not sufficient — deleting and reinstalling the app clears its local cache more completely.

Reduce your email app's offline cache. Check your email client's settings for offline storage limits. Reduce the cached period to the minimum you need. Do this at least 24 hours before departure so the change takes effect and the local database reflects the reduced cache.

Back up your device to a trusted location. Do a full backup before any preparation changes so you have a clean restore point if something goes wrong. If you are using a travel device, back up the pre-configured state.

Review what accounts are logged in and active on the device. A logged-in account is an access point. Make a conscious decision about each one. The goal is not to log out of everything, but to know exactly what is accessible on the device at the crossing.

At the crossing

Power your phone completely off before you reach the inspection area. Not just lock it — power it off. This puts the device into BFU (Before First Unlock) state, where most encryption keys are unavailable and forensic extraction is significantly more limited than in AFU (After First Unlock) state. Cellebrite's own published materials acknowledge that BFU extraction is limited to primarily system data. This is the single highest-leverage step in the entire process and costs nothing. (Part 2.)

Know what you will do before you are asked. Decide in advance: will you unlock if asked? Under what circumstances? What is your answer if asked to open a specific app? The worst time to make these decisions is when an officer is standing in front of you. Having a prepared answer — even if that answer is "I would like to speak with a supervisor" — is better than improvising.

Know your rights by citizenship status. U.S. citizens cannot be denied entry for refusing to unlock, but can be detained and have devices seized. Lawful permanent residents have protected entry rights but may face additional proceedings in some circumstances. Visa holders and VWP travelers can be denied entry for noncompliance. Know which category you fall into before you get to the checkpoint.

If you unlock, type the passcode yourself. You are not required to hand over your PIN. You are generally being asked to unlock the device — you can type the code yourself and hand over the unlocked phone. This does not change what the officer can access, but it means your passcode is not verbally communicated or observed.

Ask for names, badge numbers, and paperwork. If your device is taken or searched, ask for the officer's name and badge number. Ask for a Form 6051D (the CBP device-search receipt). Write everything down as soon as you are through the checkpoint.

If you have a duress scenario: use your duress code, not your real code. If you are compelled to unlock UltraLocked specifically and your real vault contents must not be exposed, the duress code opens the decoy vault and simultaneously destroys the local key material required to decrypt the real vault. The files are not merely hidden; without that key material, the encrypted contents are intended to be unrecoverable.

On return

Audit the device before you cross back. Everything on the device at the return crossing is what you have used, received, and created during the trip. Do the same review you did before departure: what is in the camera roll, what documents are in cloud sync, what messages are cached. Move anything sensitive into the vault before the return crossing. (Part 6.)

Treat a device that left your sight as potentially handled. If your device was taken from you at any point during the trip — by border agents, by hotel staff, by anyone — treat it as potentially compromised. This does not require assuming the worst, but it means taking the post-seizure steps described in Part 6: change passwords from a separate device, revoke sessions and tokens, review configuration profiles and trusted devices.

Change passwords and revoke sessions if the device was seized. Do this from a separate, trusted device that was not exposed to the same crossing. Start with email, Apple ID or Google account, then work outward through password manager, banking, work SSO, and professional platforms.

File a report if appropriate. If you are a journalist, document the encounter for the U.S. Press Freedom Tracker. If you are a lawyer, document it for potential privilege-protection purposes. If you are affiliated with a university or institution, report to your institution's security or legal team. If you believe the search was without legal basis, EFF recommends contacting the CBP/ICE supervisor listed on Form 6051D or filing with DHS TRIP.

Ongoing

Keep iOS updated before every international trip. Security patches matter. Running an outdated iOS version before travel is avoidable exposure.

Review your vault contents periodically. Files that no longer need to be in the vault should be removed. Files you have added to other apps that should be in the vault should be moved. The vault is only as useful as what is in it.

Stay current on developments in border device search law. The legal landscape is not settled. The circuit split over forensic search standards has not been resolved by the Supreme Court. CBP's policies and technical capabilities continue to evolve. EFF, CPJ, and Access Now publish updated guidance; follow them if this is an ongoing concern.

A note on UltraLocked

This series was written to be useful regardless of what tools you use. The checklist above works with any sufficiently strong vault application, any dedicated travel device, or any combination of the approaches covered.

UltraLocked is the vault we built for exactly this use case. It uses Apple's Secure Enclave-protected keys to anchor its file-encryption architecture — the same dedicated hardware chip that protects Face ID. The design is intended to make vault keys non-exportable to ordinary software and resistant to extraction by forensic tools. There is no cloud sync, no account, no server. Everything stays on your device, protected by silicon. The duress code and dead man's switch features covered in Part 4 are real, implemented features built for exactly the scenarios this series describes.

The 7-day free trial is at ultralocked.com. After that, it is $29.99/month. If you cross borders with sensitive files regularly, it is worth the evaluation.

If it is not the right fit, the rest of this series still is.

This is the final installment of Crossing Lines, a seven-part series on protecting your iPhone at international borders.

Sources for this series include CBP annual statistics and Directives 3340-049A (2018) and 3340-049B (2026); federal court opinions in Alasaad v. Mayorkas, United States v. Cano, United States v. Kolsuz, United States v. Aigbekaen, United States v. Touset, Riley v. California, and United States v. Cotterman; reporting by The Guardian, WIRED, The Washington Post, Motherboard/Vice, and the New York Times; guidance published by the Electronic Frontier Foundation, the Committee to Protect Journalists, Access Now, the ACLU, Princeton University, and the University of California; vendor documentation from Cellebrite, Magnet Forensics, and MSAB; and EPIC reporting on CBP procurement records.