Blog
Writing on security, privacy, and digital continuity.
Deep dives, product updates, and plain-English explanations of how Inktally protects what matters most.
Why your password is the only key — and what that means
Inktally derives your vault key from your password on your device. We never see it. Here is the trade-off that makes that safe instead of scary.
Choosing XChaCha20-Poly1305 over AES-GCM
Nonce-misuse resistance, performance on mobile, and why a 192-bit nonce lets us stop worrying about a whole class of bugs.
Introducing recovery contacts
A safer middle ground between "trust us with a backup key" and "lose your password, lose everything." Here is how it works.
Plausible deniability, explained without the hand-waving
A decoy vault that is cryptographically indistinguishable from your real one — what that actually guarantees, and what it does not.
Why we are based in India and store data across three regions
Jurisdiction matters for a continuity product. Here is how we think about where your encrypted bytes live.
How we hash-chain the audit log
Every action you take is verifiable, client-side, without trusting our servers. A look at the Merkle structure underneath.
Triggers: scheduled, inactivity, and manual release
Three ways to decide when your vault opens — and the cooling-off window that keeps an accident from becoming final.
What a subpoena gets you when the provider is zero-knowledge
Spoiler: opaque blobs. We walk through exactly what Inktally can and cannot hand over, and why.
Get the security writing in your inbox.
No marketing. One email when something worth reading publishes.
No tracking pixels. Unsubscribe any time.