Duress code / duress password

A duress code (also duress password, panic code) is a pre-arranged signal designed to be revealed under coercion without telling the coercer. Variants include: a wrong password that triggers a wipe instead of unlocking, a phrase that triggers an alarm or a help message to a third party, a different pattern that opens a decoy environment instead of the real one. Used in scenarios where the threat model includes physical compulsion to disclose credentials.

What it means in practice

Duress mechanisms exist on a small number of consumer products. Some MDM-managed phones support a wipe-on-incorrect-passcode policy that can be configured for specific scenarios. VeraCrypt’s hidden-volume feature provides a form of duress: the outer volume password reveals decoy content, the hidden volume password reveals real content, and there is no way to prove the hidden volume exists without the password. Some self-hosted Signal-Briar configurations allow per-conversation duress passwords. The discipline is in the rehearsal: under coercion, the operator needs to type the duress code without showing recognition that they are doing something different. Most duress mechanisms fail not because the technology is wrong but because the operator hesitates and the adversary notices.

Where it shows up

Useful for: high-risk travel through jurisdictions where coercion to unlock devices is realistic and not legally bounded (some authoritarian-state borders, some high-conflict zones), operators with serious physical-threat models (sources who fear detention with the journalist’s contact info on their phone), and (in narrower contexts) executives in kidnap-and-ransom scenarios where pre-planned duress signaling can trigger response. Less useful for: scenarios where the adversary is sophisticated enough to recognize duress patterns (a forensic examiner who knows VeraCrypt looks for hidden-volume signatures regardless of the user claiming it is just an outer volume). Like plausible deniability, the value is calibrated to the actual adversary, not the imagined one.

What you can change today

If your threat model justifies duress mechanisms, set them up in low-stakes time. VeraCrypt for sensitive offline storage: read the documentation on hidden volumes (veracrypt.fr/en/Hidden Volume), build a setup with a realistic outer volume containing plausible-looking decoy data, test the workflow several times before relying on it. For mobile: explore Briar’s duress feature if you use Briar, configure MDM wipe-on-failed-passcode if you have admin control of the device. The discipline more important than the configuration: rehearse the disclosure scenario so the muscle memory is present when the moment comes. The operator who has practiced the duress workflow performs it; the operator who has only configured it freezes.

Related articles