The deniability infrastructure.

Every secret leaks eventually. We make sure what leaks is the decoy. SDK in four languages, hosted API, verified audit posture. Built for AI agent platforms, custody products, and security teams who plan for the breach instead of pretending it won't happen.

// the problem

Standard encryption only has one answer.

When someone has the bytes (a stolen backup, a seized device, a pwned agent), there's only one plaintext to recover. If they have the right key, it's game over.

deny.sh changes that. The same ciphertext decrypts to different content depending on which key you use. One key gives the real plaintext. Another gives a plausible decoy. No forensic tool can tell which is which because mathematically there's nothing to tell. Both decryptions are valid. The bytes don't betray you.

// how it works

Three steps. One ciphertext. Two truths.

1. Choose two passwords.

Your primary password protects the real content. Your control password creates a control file, a small key that determines what the encrypted file decrypts to. Different control file, different output.

2. Set your decoy.

Write what you want an attacker to see. A low-balance wallet. Old notes. deny.sh computes a second control file that makes the same ciphertext open to the decoy instead. You keep the real control file hidden. The decoy goes somewhere plausible.

3. Both truths coexist.

The encrypted file never changes. If the bytes leak, what an attacker tries first is the decoy control file you placed somewhere plausible. They decrypt, they see your decoy, they walk away. No hidden partition. No metadata. No tell.
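A minimal sketch of the idea in the three steps above, added here as an illustration and not deny.sh's construction or wire format: it assumes a generic XOR composition over an AES-256-CTR keystream keyed by scrypt, with the control file as a full-length random pad rather than something derived from a control password, and all function names are hypothetical. Messages are padded to 64-byte buckets so that a shorter decoy is not itself a tell.

```javascript
// Added illustration only: a generic XOR-composition sketch, not deny.sh's
// construction or wire format. All function and field names are hypothetical.
const nodeCrypto = require("node:crypto");

function xor(a, b) {
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// scrypt stretches the password into an AES-256 key; encrypting zeros in CTR mode yields the keystream.
function keystream(password, salt, iv, n) {
  const key = nodeCrypto.scryptSync(password, salt, 32);
  const c = nodeCrypto.createCipheriv("aes-256-ctr", key, iv);
  return Buffer.concat([c.update(Buffer.alloc(n)), c.final()]);
}

// 4-byte length prefix + message + random padding up to n bytes.
function frame(msg, n) {
  const head = Buffer.alloc(4);
  head.writeUInt32BE(msg.length);
  return Buffer.concat([head, msg, nodeCrypto.randomBytes(n - 4 - msg.length)]);
}

function encrypt(plaintext, password) {
  const salt = nodeCrypto.randomBytes(16), iv = nodeCrypto.randomBytes(16);
  const n = Math.ceil((plaintext.length + 4) / 64) * 64; // pad real content to a 64-byte bucket
  const framed = frame(plaintext, n);
  const control = nodeCrypto.randomBytes(n); // the real control file
  const body = xor(xor(framed, keystream(password, salt, iv, n)), control);
  return { ciphertext: { salt, iv, body }, control };
}

function decrypt({ salt, iv, body }, password, control) {
  if (control.length !== body.length) throw new RangeError("control file length mismatch");
  const framed = xor(xor(body, keystream(password, salt, iv, body.length)), control);
  const len = framed.readUInt32BE(0);
  if (len > framed.length - 4) throw new Error("wrong password or control file");
  return framed.subarray(4, 4 + len);
}

// Solve for the control file that opens the unchanged ciphertext to `decoy`.
function deny({ salt, iv, body }, password, decoy) {
  if (decoy.length + 4 > body.length) throw new RangeError("decoy longer than original");
  const framedDecoy = frame(decoy, body.length);
  return xor(xor(body, keystream(password, salt, iv, body.length)), framedDecoy);
}
```

In this sketch the XOR of the two control files equals the XOR of the two framed plaintexts, so the real control file must never be stored where the decoy one can be found.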

// the realism engine

Decoys you couldn't write yourself.

Every other deniability tool ships fingerprintable static decoys. Ours don't. The realism engine generates shape-correct decoys across 17 credential types on demand, runs every candidate through a deterministic validator (Luhn, mod-97, BIP39 checksum, JWT structural, PEM tag), and returns only what passes. The engine sees the type. It never sees your real secret.

OpenAI key
sk-proj-1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t…
BIP39 phrase
include error famous fantasy parade mountain spatial void stumble loyal shop segment
IBAN
FR47 3915 7204 8629 1048 57
Postgres URI
postgres://admin:x7kQ9mP2rL4vW8nJ@db-prod-01.acme-internal.net:5432/maindb
JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzQ1NiIsImlhdCI6MTcxNTAwMDAwMH0.aB3cD9eF2gH5iJ8kL1mN4oPqRsT…
Credit card
4532 1872 3456 7891

All six examples are real engine output. Validator-gated. Never sees your real secret. Never echoes plaintext. Read the architecture: The decoy realism engine.
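What a deterministic validator gate of this kind can look like, as an added example that is not deny.sh code: it covers four of the checks named above (Luhn, IBAN mod-97, JWT structure, PEM tags) and omits the BIP39 checksum because that needs the 2048-word list. Function names and the type keys are hypothetical.

```javascript
// Added example, not deny.sh code. Function names and type keys are hypothetical.
function luhn(s) {
  const d = s.replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(d)) return false;
  let sum = 0;
  for (let i = 0; i < d.length; i++) {
    let n = Number(d[d.length - 1 - i]);
    if (i % 2 === 1) n = n * 2 > 9 ? n * 2 - 9 : n * 2; // every second digit from the right
    sum += n;
  }
  return sum % 10 === 0;
}

// Check digits only; country-specific IBAN length is a separate check.
function ibanMod97(s) {
  const v = s.replace(/\s/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(v)) return false;
  const digits = (v.slice(4) + v.slice(0, 4)).replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const ch of digits) rem = (rem * 10 + Number(ch)) % 97; // streaming mod, no BigInt
  return rem === 1;
}

// Three base64url segments; header and payload must decode to JSON objects.
function jwtStructural(s) {
  const parts = s.split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) return false;
  try {
    const [h, p] = parts.slice(0, 2).map((x) => JSON.parse(Buffer.from(x, "base64url").toString("utf8")));
    const isObj = (o) => o !== null && typeof o === "object" && !Array.isArray(o);
    return isObj(h) && isObj(p) && typeof h.alg === "string";
  } catch {
    return false;
  }
}

// BEGIN and END labels must match around a base64 body.
function pemTag(s) {
  return /^-----BEGIN ([A-Z0-9 ]+)-----\r?\n[A-Za-z0-9+\/=\r\n]+-----END \1-----$/.test(s.trim());
}

const VALIDATORS = new Map([["card", luhn], ["iban", ibanMod97], ["jwt", jwtStructural], ["pem", pemTag]]);

// Return only the candidates that pass the validator registered for `type`.
function gate(type, candidates) {
  const check = VALIDATORS.get(type);
  if (!check) throw new Error(`no validator for type: ${type}`);
  return candidates.filter((c) => typeof c === "string" && check(c));
}
```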

// the playground

Try it yourself.

Everything runs in your browser. Your keys never leave your machine. The realism engine ships as a static bundle, no server call.

Text, seed phrases, keys, passwords. Max 10MB. Never sent anywhere.

Used to encrypt. You'll need this to decrypt.

Produces the deniable decoy on decrypt.

The ciphertext output from encryption.

Determines which plaintext is revealed. Different control file = different message.

Same ciphertext from step 1.

What an attacker will see. Must be same length or shorter than the original.

Files up to 50MB of any type are processed entirely in your browser.

// what it is

Three pillars. One category.

Deniability isn't a feature. It's a category of infrastructure: a cryptographic primitive, an operational runtime, and a verifiable trust posture. We build all three.

ENCRYPT

The primitive

One ciphertext, two passwords, two truths. SDK in TypeScript, Rust, Go, and Python. Apache 2.0. Free for any use, proprietary or open. The wedge.

OPERATE

The runtime

Hosted API with per-tenant key isolation, 365-day audit log, MCP server, and named SLA. The pillar AI agent platforms and custody products run on. Paid.

VERIFY

The trust posture

Published threat model, formal construction proof, reproducible builds, signed releases, RFC 9116 disclosure pipeline. Independent audit in scoping for Q3 2026. The moat brick competitors can't fake.

// install

Install once. Five surfaces.

One primitive. One wire format. One threat model. Pick the surface that fits the workload.

$ npm install deny-sh
# 8.4KB · zero deps · types included

// who it's for

One primitive. Four audiences.

Same wire format, same threat model, same construction. The surface you reach for depends on who you are.

  1. // 01 · hobbyist

    Protecting your own bytes.

    Your seed phrase. A document. A photo. A backup that might end up on a stolen laptop or a breached cloud drive. Open /encrypt, set a real password and a decoy password, done. Free, browser-based, no account.

  2. // 02 · builder

    Shipping it inside your product.

    Adding deniable storage to something you're building. SDK in TypeScript, Rust, Go, and Python. Apache 2.0, zero copyleft, drop-in. Pick a language, npm install deny-sh (or your equivalent), ship.

  3. // 03 · platform operator

    Running an AI agent platform.

    Serving paying customers who store secrets in agents that get prompt-injected. Per-tenant key isolation, per-tenant audit log, MCP server, named SLA. Agents Infrastructure tier, $999/mo.

  4. // 04 · enterprise

    On the balance sheet.

    Regulated organisation, custody platform, or security product where deniability needs to land in your audit trail. Self-host or private deployment, bring your own KMS, structured audit events for SOC 2 / ISO 27001. From $25K/year.

// how it compares

Every tool below encrypts well. Only one can lie about what's encrypted.

deny.sh VeraCrypt PGP BitLocker
Plausible deniability Partial
Cryptographic deniability
Multiple decoys from one file
AI-generated decoys (shape-correct, validator-gated)
No hidden partition needed
Works on single files Volumes Drives
API / SDK CLI

Hidden volumes are detectable by disk usage analysis. deny.sh has no volumes, no partitions, no structural tell.

// trust

Four trust anchors. All published. All checkable.

AES-256-CTR, scrypt, and XOR composition. Standard primitives, open construction, no magic. A deniability product gets held to a higher bar, so we publish all four layers. Read each one, run the commands, decide for yourself. Independent cryptographic audit is in scoping for Q3 2026; results will be published when complete.

// enterprise

Built for teams that protect data at rest.

Custody platforms, exchanges, and security products. The same primitive that protects an individual key protects an institution's vault.

LICENSING

Apache 2.0 SDK, commercial app layer

Embed the SDK in any product, proprietary or open, with no copyleft surface. Application-layer (vault, dispatcher, dashboard) is dual-licensed AGPL or commercial.

DEPLOYMENT

On-prem or VPC, full audit trail

Run deny.sh inside your own infrastructure. Bring your own KMS. Every encrypt / decrypt / deny call logged with structured audit events for SOC 2 / ISO 27001 evidence.

SLA

Dedicated SLA, named escalation

99.95% uptime SLA, <15-min P1 acknowledgement, named security and engineering escalation paths. UK / EU / US business-hours coverage with on-call escalation. Annual contract, paid quarterly or annually.

// pricing

Simple pricing.

CLI and browser tools are free forever. API tiers for when you need more.

Free: $0, forever
  • 500 API calls/month
  • Full encrypt, decrypt, deny
  • Realism engine: 10 decoys/day
  • Vault storage (5 items)
  • Dead man's switch (1)
  • Community support

Pro: $199/month
  • 100,000 API calls/month
  • Full encrypt, decrypt, deny
  • Realism engine: 1,000 decoys/day
  • Vault storage (1,000 items)
  • Dead man's switch (20)
  • Priority support + SLA

// next

Encrypt your first file.

Browser-based. No account needed. Free to use. If you need API access, SDKs, or MCP integration, get a free API key after.

What leaks is the decoy.