What plausible deniability messaging really means
Someone hands your phone back and says, "open it." Maybe it is a border officer, maybe a jealous partner, maybe a thief who already has your wrist twisted. You are not going to win that standoff by refusing. The password is in your head, and the person across from you knows it.
This is the situation plausible deniability is built for. The idea is easy to say and hard to do well: if you can be made to hand over a key, then the key you hand over should open something you do not mind being seen. The real message stays out of reach, and nothing about what you reveal hints that there is more.
What plausible deniability actually means
Most encryption has one answer. One key, one message, and if you give up the key you give up the message. Plausible deniability breaks that one-to-one link. The same locked thing can open to more than one result depending on which key is used, and an outsider has no way to tell whether what they are looking at is everything or just the part you chose to show them.
Security people have a blunt name for the attack this defends against. They call it rubber-hose cryptanalysis: not breaking the math, just pressuring the person until they open it themselves. No cipher helps you there. The only move left is to control what opening actually reveals.
Where the idea comes from
This is older than smartphones. In 1997 a group that included Julian Assange, Suelette Dreyfus, and Ralf Weinmann released Rubberhose, one of the first tools built so a hard drive could hide the fact that it was hiding anything at all. Later, disk-encryption tools like VeraCrypt brought the same trick to ordinary users with hidden volumes: you fill an outer container with believable but unimportant files, then tuck the real volume into the leftover space, where it looks like random noise. GrapheneOS, the hardened Android build, ships a duress PIN that wipes the phone when you type it. Different mechanisms, one shared goal. Give the person doing the coercing a door that opens, just not the door you care about.
The messaging version shrinks that idea from a whole disk down to a single message. You are not hiding a filesystem. You are handing someone one photo or one code, and making sure that if they force it open, what comes out is dull.
How a decoy key works in GhostCode
In GhostCode this layer is called Failsafe. When you create a message you set your real Key and your real content the usual way. Then you set a second pair: a decoy Key and a harmless message to go with it. Two keys, two outcomes, one ordinary-looking photo or QR code.
If someone makes you open it, you give them the decoy Key. It opens the harmless message the way any valid key opens exactly what it is meant to. There is no error buzz, no second prompt, nothing that suggests a real message is sitting behind the one they just read. You decide ahead of time what the safe version says, so it fits the moment you might need it. A dull receipt. A note about dinner. A link to a recipe.
It works the same whether the carrier is a QR code or a photo. To anyone scanning or glancing, a GhostCode message is just a code or just a picture. The decoy Key is the part that keeps the cover believable even when someone gets you to open it while they watch.
Where it genuinely helps
Decoy keys earn their place in a narrow set of situations, and they are all the same shape: you cannot refuse to unlock, but you can choose what unlocking shows. A device search where saying no is not a real option. A controlling person who goes through your phone. A borrowed or shared device you had to type a key into while someone stood over you. In each of these the threat is not a cryptographer in a lab. It is a person right next to you who expects to be shown something.
If that is your situation, a decoy is one of the few things that actually helps, because it answers the exact problem in front of you. It gives you something true-looking to surrender.
Where it is overkill, and where it stops working
Now the part most write-ups skip. A decoy key is not a magic word, and treating it like one is how people get hurt.
The biggest limit is awareness. Plausible deniability leans on the other person not knowing a second message could exist. The moment they know the tool has a decoy feature, they can just demand the other key, and you are back where you started with less room to deny. That is the standing critique of every deniable system ever built: it protects you well against someone who does not know the trick, and much less against someone who does. Be honest with yourself about which one you are facing before you rely on it.
The rest of the limits are the ordinary ones. If a real message was already open on your screen and someone photographed it, a decoy does nothing, the same way a self-destruct timer cannot reach a screenshot someone already took. And if nobody ever forces you to open anything, you did not need a decoy to begin with. You needed the plain version, where a GhostCode message simply sits in front of people as something hidden in plain sight and never asks to be explained.
So treat a decoy key as exactly what it is. A specific tool for the specific moment when you are made to unlock something. Write the safe version with some care, make it boring enough to end the conversation, and do not let the fact that the feature exists talk you into carrying something you should not be carrying at all. The strongest deniability is still a message that nobody has any reason to go looking for.
Set a message that can open two ways
GhostCode hides your message inside a photo or a QR code, so only the person you choose can read it, and a decoy Key can open a harmless version if you are ever made to unlock it. See how it works.