diff --git a/static/install/web.html b/static/install/web.html index b7bd6333..5ec251f8 100644 --- a/static/install/web.html +++ b/static/install/web.html @@ -28,7 +28,7 @@ - +
@@ -80,6 +80,7 @@
  • Booting
  • Disabling OEM unlocking
  • Verifying installation
  • +
  • Replacing GrapheneOS with the stock OS
  • Further information
  • @@ -333,6 +334,23 @@ also consider setting up the optional remote attestation service.

    +
    +

    Replacing GrapheneOS with the stock OS

    + +

    Installation of the stock OS via the stock factory images is the same process + described above. However, before locking, there's an additional step to fully revert + the device to a clean factory state.

    + +

    The GrapheneOS factory images flash a non-stock Android Verified Boot key which + needs to be erased to fully revert back to a stock device state. After flashing the + stock factory images and before locking the bootloader, you should erase the custom + Android Verified Boot key to untrust it:

    + + + +

    +
    +

    Further information

diff --git a/static/js/web-install.js b/static/js/web-install.js
index 9571b49f..9b88502e 100644
--- a/static/js/web-install.js
+++ b/static/js/web-install.js
@@ -207,6 +207,19 @@ async function flashRelease(setProgress) {
 return `Flashed ${latestZip} to device.`;
 }

+async function eraseNonStockKey(setProgress) {
+ await ensureConnected(setProgress);
+
+ setProgress("Erasing key...");
+ try {
+ await device.runCommand("erase:avb_custom_key");
+ } catch (error) {
+ console.log(error);
+ throw error;
+ }
+ return "Key erased.";
+}
+
 async function lockBootloader(setProgress) {
 await ensureConnected(setProgress);

@@ -281,6 +294,7 @@ if ("usb" in navigator) {
 addButtonHook("download-release", downloadRelease);
 addButtonHook("flash-release", flashRelease);
 addButtonHook("lock-bootloader", lockBootloader);
+ addButtonHook("remove-custom-key", eraseNonStockKey);
 } else {
 console.log("WebUSB unavailable");
 }
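Review bot: eraseNonStockKey sends `erase:avb_custom_key` as soon as the device is connected, and nothing in the function records the precondition the install page states (stock factory images already flashed, bootloader not yet locked). Locking afterwards with a non-stock OS still installed would presumably leave the bootloader with no key that verifies it, so I would put the ordering on the function itself: `// Stock-OS revert only: run after flashing the stock factory images and before locking; the installed OS must not rely on the custom AVB key.` The try/catch only logs and rethrows; if the log is kept, `console.error(error);` is the better channel, and whether addButtonHook already surfaces the rejection to the user is not visible in this hunk. The "Key erased." return is reached whenever runCommand does not throw, so it is worth confirming that a FAIL response from the bootloader is raised as an error rather than returned.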