What is a Decoy PIN, and why do jewellers need one?

Most security software protects against a hacker thousands of kilometres away. The Decoy PIN protects against a problem most jewellers know personally: someone standing across the counter with a reason to want to see the books.

This article explains what a Decoy PIN actually is, how it works under the hood, why it matters for Indian jewellery shops in particular, and where it stops being useful. Read time about 7 minutes.

What is a Decoy PIN?

A Decoy PIN is a second, independent PIN you set up alongside your real PIN. When entered, the app opens a separate vault — a different database file — with whatever you have chosen to put inside it (which can be nothing, or a small set of fake-looking records).

• Real PIN → opens your actual ledger
• Decoy PIN → opens an empty (or pre-seeded with realistic but fake) ledger
• No visual difference between the two modes — same UI, same animations, same colors
• No way to tell from the encrypted database file which PIN is the "real" one

How does a Decoy PIN work technically?

JewelKhata stores two separate encrypted databases on the device: owner_vault.db and decoy_vault.db. Both files look like random bytes from the outside — there is no header, no metadata, no clue which is which. Each PIN goes through PBKDF2 with 100,000 iterations and its own random salt to derive a unique encryption key. The key only opens the database it was derived for.

When you enter a PIN, the app tries the derived key against both database files. If one of them decrypts successfully, that vault opens. Both vaults have the same schema and the same UI bindings — to the rest of the code, they are interchangeable.

Why do jewellers need this?

Jewellery shops carry high-value inventory, substantial cash flows, and detailed customer records — including who pawned what, who owes how much, and how much physical gold is at the shop on any given night. The threat model for that data is wider than most retail businesses.

Scenario 1: Property or inheritance dispute

Family disputes over shop ownership are common, and the shop's ledger becomes evidence. A relative who is not entitled to see your full books may pressure you to unlock the app to "verify" something. A decoy vault gives you a way to comply without revealing anything sensitive.

Scenario 2: Surveillance by a competitor or supplier

A jeweller in a small town may share trips, meals, and phones with people who also work in the gold supply chain. Casual access to your phone — say, when it is left on a table at lunch — should not be a window into your customer list or your gross margins.

Scenario 3: Coerced unlock under duress

The unfortunate but real case of being asked to show records during a robbery or extortion attempt. The decoy vault lets you produce a complete-looking but harmless ledger. Whether you trust this to work in a high-stress moment is a personal call — it works because you have practised it during calm times.

What does a Decoy PIN NOT do?

It is important to be specific about the limits.

• It is not legal protection. If you are subpoenaed and asked to produce records, using the decoy PIN to hide them is a problem you should discuss with a lawyer, not an app developer.
• It is not invisible to a determined forensic examiner with physical possession of your phone for several days. A forensic image will reveal both database files. They will both be encrypted, but their existence is detectable.
• It does not protect your records if you also write the real PIN on a sticky note. The PIN itself is the only key — guard it.
• It will not save you if you accidentally enter the real PIN in front of someone you were trying to hide it from. Practise.

Why do most apps not have this?

Two reasons. First, it requires a particular architecture — two completely separate encrypted databases sharing one app shell — and most billing apps are built cloud-first, which makes this design awkward. Second, "no recovery" is required for it to actually work, and most apps cannot stomach removing password reset.

If an app has a "forgot password" link, the cloud holds the key. If the cloud holds the key, the app can be compelled to give up data. That defeats the entire point of the Decoy PIN. Hence the trade-off JewelKhata makes: no password recovery, ever. We could not build the Decoy PIN any other way.

How do I set up a Decoy PIN in JewelKhata?

During first-time setup, the app asks you to set your real PIN, then offers an optional second PIN for Safe Mode. You can also add or change it later from Settings → Security → Set Decoy PIN. The full step-by-step guide is at /help/set-up-decoy-pin and takes about two minutes.

Bottom line

A Decoy PIN is a tool against informal coercion — not a way to obstruct lawful investigations. It exists because for a jewellery shop owner, the most common privacy threats are not faraway hackers but people physically near the phone. JewelKhata is offline-only by design, which is why the Decoy PIN actually works the way the marketing copy claims. We cannot reset your PIN. There is no master key. That is the whole point.