Coercion-Resistant Security: Decoy, Duress, and Destruct
How Vaultr’s decoy, duress, and destruct slots turn “just encrypt it” into real-world, coercion-resistant security.
There’s a famous webcomic in security circles. Two panels. In the first, a nerd imagines an attacker building a billion-dollar cluster to crack his encryption. In the second, the attacker simply picks up a $5 wrench and says: “tell us the password.”
Every encrypted vault on earth has the same flaw. The math is unbreakable. The human holding the key is not. The moment someone can threaten you, your encryption is worth nothing — you’ll hand over the password yourself.
Vaultr was built to answer the question almost no one else asks: what happens when the attacker is standing in front of you?
The problem with “just encrypt it”
Strong encryption assumes the attacker only has your ciphertext. That assumption breaks at a border crossing, in a robbery, during a kidnapping, or any time someone with power over you says “unlock it.”
In those moments you have two bad options: comply and expose everything, or refuse and face the consequences. Coercion resistance is about engineering a third option — comply in a way that gives the attacker something believable while protecting what matters.
Three kinds of slots
Vaultr’s vault supports up to 16 slots per account, and each slot is opened by its own password. Critically, the server always reports a slot’s type as “normal” — it never reveals whether a slot is real, fake, or a trap. That property is what makes the whole system work.
Decoy slots — plausible deniability
A decoy slot unlocks a complete, believable profile: a display name, contacts, a wallet with small but realistic balances, normal-looking settings. None of it is real. When someone forces you to “open your wallet,” you open the decoy. They see a modest, ordinary account and move on. Your real vault never appears, and there’s no indication it exists.
Duress slots — silent distress
A duress slot is the most subtle piece of the system. When unlocked, it returns a perfectly normal success response, fires a silent fire-and-forget alert to your nominated guardians, and produces no banner, no sound, no error — nothing the coercer can detect. To the person holding the wrench, nothing happened except a successful unlock. To your guardians, an alarm just went off.
Destruct slots — the last resort
When a situation is beyond recovery, a destruct slot wipes all normal vault data in a single operation — and still returns a normal success response. The attacker believes they’ve unlocked your vault. They’re looking at nothing.
Why “indistinguishable success” matters
The thread connecting all three is that failure looks exactly like success. A coercer learns nothing from your screen. There’s no error to react to, no “wrong password” to punish, no tell that you triggered something. That’s the difference between a security feature and security theater — and it’s why coercion resistance has to be designed into the data model, not bolted on as a UI toggle.
This is a philosophy, not a checkbox
Most apps treat security as “how hard is the password to guess.” Vaultr treats it as “what can an adversary actually do to you” — including adversaries with physical power. That’s a different question, and it leads to a different product.
Your vault should protect you from the hacker and the coercer.