# SilverDuress

**Status**: v1.1 (planning)

Duress password / panic-wipe / anti-coercion. The "I am being forced to unlock this device" feature.

## What it does

- **Duress password**: an alternate password that, when entered, *appears to unlock normally* but actually triggers a configured action
- **Panic-wipe**: secure erasure of encrypted volumes / keys
- **Decoy unlock**: opens a clean profile / sandbox containing decoy data
- **Silent alert**: optional outbound signal to trusted contact / SilverLABS service that duress was activated

User configures which behaviours apply.

## Per-platform implementation

| Platform | Mechanism | Strength |
|---|---|---|
| **Linux** | PAM module — duress passphrase wipes LUKS keys / drops to decoy profile | Strong |
| **Android (Pixel ROM)** | Inherited from GrapheneOS duress PIN | Strong |
| **Android (other)** | Best-effort: app-level duress action when SilverLABS Stack apps are unlocked with duress credential | Moderate |
| **Windows** | Group Policy + scheduled task triggered by duress credential entry; BitLocker key destruction | Moderate (closed kernel limits us) |
| **macOS** | Configuration profile + login script; FileVault key destruction on duress | Moderate |
| **iOS** | OS-provided erase-after-failed-attempts (Apple primitive); Stack-app-level duress where feasible | Limited (we cannot run code at unlock) |

The per-platform table is shown to users in the SilverDuress setup UI so they understand what's possible on their device.

## Non-goals

- Not a "tracking your stolen phone" feature — different product, different threat model
- Not a "remote wipe" service — that requires constant network and trust in the wipe operator. We may offer it later, but v1.1 is local-only.

## Risks we acknowledge

- A sufficiently sophisticated adversary may forensically recover from a partial wipe — we use cryptographic erasure (destroy the key, not the data) which is robust against this
- A coerced user may be unable to remember to use the duress password — we document this clearly in the setup UI; this is a fundamental limitation, not a SilverMetal-specific one