Key takeaways
- Your decoy vault is encrypted under a separate password and is cryptographically identical to the real one
- No metadata, file size, or server record distinguishes the real vault from the decoy
- The guarantee holds only if the decoy contains genuinely plausible content
- Under coercion, you can hand over the decoy password without exposing your real vault
The decoy vault is the most frequently misunderstood feature we build. People hear “plausible deniability” and think it is a privacy gimmick or an edge case for extreme situations. It is neither — it is the answer to a specific, real threat that end-to-end encryption alone does not solve.
The threat this solves
End-to-end encryption protects against a remote, silent attacker: someone who tries to breach our servers, intercept your traffic, or steal your stored data without your knowledge. Against that attacker, strong encryption is sufficient.
But it does not protect against an in-person coercer: a partner who demands to see your phone, a border agent who requires you to unlock an app, an abuser who controls your physical access to devices. Against that threat, having strong encryption but a single password just means the coercer takes the password instead of the data. The vault still opens.
The decoy is for that second category.
How the decoy vault works
Every Inktally account can have two vaults: a real one and a decoy. They share an account (same email, same 2FA) but are otherwise entirely separate. Each vault is encrypted under a key derived from its own password. The real password cannot open the decoy vault and vice versa.
When you give someone your decoy password under coercion, they unlock a real vault — one you've filled with plausible-looking but non-sensitive content. Your real vault is invisible. There is no “decoy mode” indicator, no second app, no visual difference.
The only difference between the real vault and the decoy vault is the password used to open it. On the wire and on the server, they are structurally identical.
What “indistinguishable” actually means
In zero-knowledge mode, Inktally stores two encrypted blobs with independent auth verifiers. When we check your login, we check the verifier for whichever password you provide. We receive no information about which vault is “real” — we only know that the password matched a vault. An attacker who breaches our servers sees two vaults with no way to determine which is which.
The coercer unlocks the decoy and sees documents, recipients, settings. Nothing tells them there is a second vault. Nothing on our servers tells them either.
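The two-vault layout described above (one account, two passwords, one auth verifier per vault, a server that learns only that some vault matched) as an added worked example; this is illustrative code, not Inktally's. It assumes one account-level salt shared by both vaults, scrypt for key derivation, blobs padded to a fixed size so length reveals nothing, and a constructed HMAC keystream standing in for a real AEAD.

```python
from __future__ import annotations
import hashlib, hmac, os, secrets
from dataclasses import dataclass
BLOB_SIZE = 4096  # every vault blob is padded to this length, so size reveals nothing

@dataclass
class VaultRecord:
    verifier_hash: bytes  # hash of the auth verifier; the content key never reaches the server
    blob: bytes           # encrypted and fixed-size; no field marks it as real or decoy

@dataclass
class Account:
    salt: bytes                # one account-level salt shared by both vaults (assumption)
    vaults: list[VaultRecord]  # stored in random order

def derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    km = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # (content key, kept on the device; auth verifier, sent to the server)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for a real AEAD (HMAC-SHA256 counter keystream); illustration only.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest() for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def create_account(real_pw: str, real_content: bytes, decoy_pw: str, decoy_content: bytes) -> Account:
    salt, vaults = os.urandom(16), []
    for pw, content in ((real_pw, real_content), (decoy_pw, decoy_content)):
        assert len(content) + 4 <= BLOB_SIZE, "content exceeds fixed vault size"
        content_key, verifier = derive(pw, salt)
        padded = len(content).to_bytes(4, "big") + content
        padded += os.urandom(BLOB_SIZE - len(padded))  # random padding, so the tail is not telling either
        vaults.append(VaultRecord(hashlib.sha256(verifier).digest(), keystream_xor(content_key, padded)))
    secrets.SystemRandom().shuffle(vaults)  # storage order must not leak which vault was created first
    return Account(salt, vaults)

def server_login(account: Account, verifier: bytes) -> VaultRecord | None:
    # Server side: it learns only that the verifier matched some vault, never which one is real.
    for rec in account.vaults:
        if hmac.compare_digest(hashlib.sha256(verifier).digest(), rec.verifier_hash):
            return rec
    return None

def open_vault(account: Account, password: str) -> bytes | None:
    # Client side: derive both halves locally, log in with the verifier only, decrypt on the device.
    content_key, verifier = derive(password, account.salt)
    rec = server_login(account, verifier)
    if rec is None:
        return None
    padded = keystream_xor(content_key, rec.blob)
    return padded[4:4 + int.from_bytes(padded[:4], "big")]
```

Both records have the same size, shape and field set; the only thing that separates them is which password's verifier matches, and a wrong password matches neither.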
What the decoy does not protect against
The decoy is not a perfect shield. In server-side mode, we can see both vaults — a court order could compel disclosure. In zero-knowledge mode, a very sophisticated attacker with direct file-system access to your device might find evidence of two key-derivation runs, though this is an extremely high-capability threat model. And in some jurisdictions, using a decoy to mislead authorities may carry its own legal risk — we cannot advise on that and you should consult a lawyer before using the feature in a high-stakes context.
Used appropriately, for the in-person coercion case it is designed for, the decoy vault provides strong, practically enforceable plausible deniability.