Security · 5-min read

Encryption modes: zero-knowledge vs server-side

What the two modes mean for who can read your vault — and which one to pick.

When you sign up for Inktally, you’re asked to choose between two modes: zero-knowledge and server-side. Both keep your data encrypted in our database. They differ in who holds the key.

Zero-knowledge mode (default)

Your password never leaves your device. We store a one-way hash that lets us verify "yes, this password is correct" without ever seeing the password itself. The actual key that decrypts your vault is wrapped (locked) by your password, in your browser. The wrapped key sits on our servers; the unwrap happens locally every time you sign in.

What this buys you: if our database leaked tomorrow, the attacker gets ciphertext. If we’re subpoenaed for your data, we have nothing useful to hand over. Even our own engineers can’t read your vault.

What this costs you: if you forget your password, we cannot reset it. (Recovery via trusted contacts is the way back in — see the recovery guide.) Decoy mode is only available here.

Server-side mode

We hold the encryption key on our servers, protected with a hardware security module. You sign in with email + password, and we decrypt your vault to serve it to you.

What this buys you: a familiar password-reset flow (if you lose your password, we verify your identity through email and let you back in), plus server-side features that need to read your content — today that means full-text search across your notes, with document text and thumbnails to follow.

What this costs you: we can technically read your data. We promise not to and we lock down access internally, but the architecture allows it — and a subpoena or a breach could compel it. A decoy still works against someone who coerces you at your device (they can’t tell the decoy password from the real one), but it does not hide anything from us: in this mode we can see that both vaults exist.

Which one should you pick?

Most people who can manage a password manager should pick zero-knowledge. The data Inktally is for — last-resort instructions, executor notes, sensitive credentials — is exactly the data you don’t want anyone but the intended recipient to see, ever.

Server-side is the right call if you know yourself well enough to know you’ll lose the password, and a recovery-contact flow isn’t practical for you. We won’t judge you for picking it; we just want you to make the choice with eyes open.

Can I switch later?

Yes. Settings → Security → Encryption mode lets you migrate between modes. Moving from server-side to zero-knowledge is a sensible upgrade; moving the other direction weakens decoy protections and we’ll warn you clearly before it happens.