The decoy vault: plausible deniability under coercion

A second password that opens a believable-but-separate vault. When to use it.

Inktally’s decoy vault is a second password that opens a believable-but-separate vault. The threat it addresses: a situation where you might be physically coerced to unlock your account.

The threat model

Most attacks on a password manager are remote and silent — someone tries to phish your password or breach the database. Inktally is designed for those, but it’s also designed for a different class: the partner who demands to see your phone, the customs agent who insists on a password, the abuser who physically prevents you from refusing.

Against a remote attacker, end-to-end encryption is enough. Against an in-person coercer, you need a way to give them something without giving them everything. That’s the decoy.

How it works

Every account has room for two vaults: a real one and a decoy one. When you set the decoy up, you choose its password and it opens a genuinely separate vault — its contents are encrypted under a key only the decoy password can derive, so your real password can never open them. Both vaults look identical on the wire; the server cannot tell which is which.

Under coercion, you give up the decoy password. The vault opens. It contains whatever you’ve put there: a few plausible-looking documents, an old will, some recovery emails. It looks like the whole picture. The real vault stays invisible.
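The two-vault layout described above can be sketched as follows. This is an added example, not Inktally's code: the slot format (salt, nonce, tag, ciphertext), the 4096-byte padding, the scrypt and AES-256-GCM choices and all function names are assumptions made for illustration. It shows each password deriving a key that opens only its own vault, while the stored slots have the same size and a random order.

```javascript
// Added illustration, not Inktally's code: slot layout, sizes and names are assumptions.
const { scryptSync, randomBytes, randomInt, createCipheriv, createDecipheriv } = require('crypto');

const SLOT_PLAINTEXT = 4096; // every vault is padded to this size (assumed)

// Derive a 256-bit vault key from a password and the slot's own random salt.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32);
}

// Encrypt `contents` into a fixed-size slot: salt | nonce | tag | ciphertext.
function sealSlot(password, contents) {
  const body = Buffer.from(JSON.stringify(contents), 'utf8');
  if (body.length > SLOT_PLAINTEXT - 4) throw new Error('vault too large for slot');
  const padded = Buffer.alloc(SLOT_PLAINTEXT); // zero padding hides the real length
  padded.writeUInt32BE(body.length, 0);
  body.copy(padded, 4);
  const salt = randomBytes(16);
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const ct = Buffer.concat([cipher.update(padded), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]);
}

// Return the slot's contents, or null if this password does not fit this slot.
function openSlot(password, slot) {
  const key = deriveKey(password, slot.subarray(0, 16));
  const d = createDecipheriv('aes-256-gcm', key, slot.subarray(16, 28));
  d.setAuthTag(slot.subarray(28, 44));
  try {
    const padded = Buffer.concat([d.update(slot.subarray(44)), d.final()]);
    return JSON.parse(padded.subarray(4, 4 + padded.readUInt32BE(0)).toString('utf8'));
  } catch {
    return null; // wrong key: the GCM tag check fails
  }
}

// Store both vaults as same-sized slots in random order, so position says nothing.
function createAccount(realPw, realVault, decoyPw, decoyVault) {
  const slots = [sealSlot(realPw, realVault), sealSlot(decoyPw, decoyVault)];
  return randomInt(2) === 0 ? slots : slots.reverse();
}

// Try the password against every slot (same work either way) and return what opened.
function unlock(password, slots) {
  const opened = slots.map((s) => openSlot(password, s));
  return opened.find((v) => v !== null) ?? null;
}
```

In this sketch the storage side only ever holds two opaque, equal-length blobs, and `unlock` is never told which vault the caller expects.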

Setting up the decoy

Go to Settings → Decoy vault → Set up a decoy. You’ll confirm your real password, then choose a second password (different from your real one) that becomes the decoy. The decoy starts empty — you decide what goes in. You can re-key or remove it later from the same place.

Suggestions for filling it convincingly:

  • An older version of your will or instructions.
  • A real-looking recipient (a friend who’s in on the plan).
  • One or two documents that you’d be okay losing if discovered.
  • A note or two with timestamps in the recent past.

The goal is that an attacker who unlocks the decoy thinks they’ve seen everything. An obviously empty decoy looks like a decoy, which defeats the point.

What’s isolated and what isn’t

Documents, notes, recipients, groups, tags, shares, and triggers are all per-vault. A decoy-session user can’t see any of the real vault’s data, and vice versa. Audit logs are also per-vault — opening the decoy doesn’t show real-vault history.

A few things are shared across both vaults at the account level: your email address, your 2FA setup, your recovery contacts, and your notification preferences. These aren’t enough on their own to confirm a real vault exists, but they’re things to know before assuming perfect isolation.

Important caveats

The decoy gives you full deniability only in zero-knowledge mode, where even we cannot tell the two vaults apart. In server-side mode it still works against someone who coerces you at your device — they can’t distinguish the decoy password from the real one — but it does not hold against us or anyone we’re compelled to answer to: in that mode we can see that both vaults exist. We make this very clear at decoy setup.

We also do not give legal advice. In some jurisdictions, using a decoy under coerced inspection may itself be a crime (obstruction, contempt). We can’t tell you whether to use the decoy — we just provide the capability.

Turning the decoy off

Settings → Security → Decoy → Disable. This wipes all decoy contents in one transaction and resets the decoy vault to a deterministic placeholder. After you disable the decoy, both passwords still produce the same wire-level shape (so an observer can’t tell the decoy was disabled), but only the real password unlocks real content.
