However, how do one access their diary, when you stopped maintaining it? Is this targeted more at the technically inclined, high-profile people who need to keep secrets?
Personally, I believe that for something like a diary/journal, it should be in a format easily readable by most tools (so a Plain-Text or a MarkDown at best), then it is in a container/folder. Now, encrypt that container/folder instead. In the future, when you need to change the tool for Encryption/Decryption, move the container/folder.
I think there are two different concerns mixed together:
1) Can I still read my data in 10 years? That’s mostly about open, well-documented formats + an export path. A journaling app can still be “safe” here if it can export to Markdown/plain-text (or at least JSON) and the on-disk schema is documented.
2) Can I decrypt it in 10 years? That’s about using boring primitives (AES-GCM, Argon2/scrypt/PBKDF2) and keeping the crypto layer simple. If it’s standard crypto, you’re not locked to one vendor the way you might be with a bespoke format.
The “plain files in an encrypted folder” approach (Cryptomator/VeraCrypt) is totally reasonable—and arguably the simplest threat model—but you do give up a lot of what makes a journal app nice (full-text search, tags, structured metadata, conflict handling, etc.). SQLite + client-side encryption is a fine compromise if there’s a solid export and the KDF/password story is strong.
The biggest real risk is still: losing the password. A printable recovery key / key export would help more than switching formats.
armchairhacker 1 days ago [-]
Make the journal app store its data in plain-text Markdown files in an encrypted folder (or ZIP).
If necessary for things like search, add a cache file to the folder.
andai 1 days ago [-]
When I had a Mac I used an encrypted volume in Dropbox. (Not sure if that's a good idea, but I didn't have any issues.)
I used Notational Velocity in those days :) A rare gem of ergonomics.
Later I did the same thing with a VeraCrypt volume.
Now I'm in Obsidian, which has its own encryption (if you trust 'em!), but never quite got the frictionless feeling of NV back.
You could also use plain markdown files, any free Markdown editor/IDE, and git, and sync with a remote Git repo using gcrypt for encryption (git-remote-gcrypt).
It's just a bit of a pain to set up, and also, not mobile-friendly.
holyknight 9 hours ago [-]
yeah, that's the whole point! :D
holyknight 1 days ago [-]
yeah, currently you can export your journal to json or markdown files. So you can walk away at any point.
Vendor lock-in is one of the main things i wanted to avoid. That's why I sticked with boring and standard libraries and encryption as much as possible.
Thanks for the feedback!
ddtaylor 1 days ago [-]
You could store the encrypted contents in an IPFS collection or just use old DHT. Obviously someone else needs to access the content to keep it fresh (even if they don't have the ability to decrypt it), but considering it's markdown you could run an "official" seeder that seeds everything or just have each client run an IPFS node etc.
No more fighting with gifs for README files. Thanks!
holyknight 1 days ago [-]
Thanks! I will check that out
danpalmer 23 hours ago [-]
Some feedback, a screenshot of the main app experience rather than the login screen might help.
guiambros 22 hours ago [-]
You can reload the page. It's an animated gif that shows the full app functionality.
But your feedback is still valid. It's unfortunate that OP used the login screen as the last frame; it'd be better to show the app as the last frame, or just loop the animation.
danpalmer 22 hours ago [-]
Oh yeah, neat. I completely missed that because it was on the last frame and not at all apparent that it had previously animated.
holyknight 14 hours ago [-]
thanks for the feedback, i think i will loop the gif. I was more focused on making it as small as possible to be fast and i forgot about the looping.
g947o 1 days ago [-]
The biggest problem is that this is not available on mobile platforms. Most people do this on their phones, not their laptops.
holyknight 1 days ago [-]
The support for it is planned. It was thought from the beginning with supporting all the major platforms; I just started with the desktop support because there was my best use case. But the support is already planned in the near future. Android will follow shortly, and an iOS version can be done if there is demand for it.
Thanks!
It's a paid app, not open source, but I've been using it for years and it has been working very well for me.
otterpro 1 days ago [-]
I like the idea, as a niche project for users that don't have control over their hardware/OS, or run on USB flash for portability.
Speaking of which, I have notes / journal entries dating back several decades, all in plain text files. I'm worried about these new projects and their longevity and whether it'll be actively supported 30 years from now. For simplicity, I'd use gocryptfs, Veracrypt, or other general file-based encryption which suits your risk tolerance, and use whatever editor (ie Obsidian, vscode, OneNote, etc) I want to use.
holyknight 14 hours ago [-]
Definitely a niche thing. Thanks for the feedback
hodanli 17 hours ago [-]
I'm still using allmyjournals, even though the app, website, and company are all gone.
The real encrypted journal is hidden among several fake ones, so two authentication factors are used: the key and the journal ID.
sanarg 1 days ago [-]
looks sleek, fast, and stays true to the privacy-first roots we all loved. Awesome job modernizing a classic without losing its soul.
khalic 1 days ago [-]
Dann, that’s a fancy README.md , love it
holyknight 1 days ago [-]
thanks!
eviks 19 hours ago [-]
What are the benefits of cramming everything into an app instead of using better editors in an encrypted container?
junipertea 16 hours ago [-]
Honest answer: The pain of setting up an encrypted container. This seems simple, single use and immediately ready to use after downloading.
eviks 15 hours ago [-]
What if the app set up an encrypted container for you in a similar "immediately ready to use after installation" fashion?
spangry 1 days ago [-]
Looks really cool, I like the pretty but minimalist interface. Could I store the SQlite file on, say, google drive so that I could access my journal from different devices while the contents are still kept secure because they’re encrypted?
holyknight 1 days ago [-]
Yes, you can definetely can! Currently you can see the location of the .db file on the preferences while your journal is open.
I will improve the experience for this use case in follow up releases, by for example being able to define a arbitrary path for your db file.
Thanks for the feedback!
Obscurity4340 23 hours ago [-]
Why not simply use your password manager like KeePass to store journal entries and notes?
holyknight 9 hours ago [-]
You certainly can, this is just a different flavor of solving a problem that can be solved in multiple ways.
CafeRacer 1 days ago [-]
I'm using obsidian and cryfs. Nothing has access to those except a few programs. I'm storing notes, files, documents, whatever is important and everything is synced to the cloud.
bayindirh 1 days ago [-]
This is the beauty of it. If it works for you it's great. If this new app works for others, then it's great.
That's a good win-win situation.
As a fellow obsidian user, I wouldn't scoff at a simple app which does one thing well.
holyknight 1 days ago [-]
I also, myself, had a similar setup some time ago; that's super valid.
alabhyajindal 1 days ago [-]
Here's another approach using Rclone and an editor of your choice. Rclone has a built in crypt library that can encrypt your data and store it in a cloud provider. I use it along with Sublime Text to journal, and store my encrypted data on Dropbox.
Thank you for sharing this, this is very interesting problem to tackle.
I find this interesting mostly to understand how you are handling encryption and security. I think this is one approach but others expressed concern over long term viability.
Using Tauri is also very interesting. How did you find using it for this simpler case?
Anyhow, very cool project. Don't aband it :)
october8140 1 days ago [-]
Obsidian.md
holyknight 1 days ago [-]
yes, that's definitely also a valid approach.
goodpoint 1 days ago [-]
You can just encrypt your partition and use a file editor.
holyknight 1 days ago [-]
you can certainly do that, indeed.
drcongo 1 days ago [-]
How are we pronouncing that name?
holyknight 1 days ago [-]
It's based on a latin word so it should be not that far from the english pronunciation. It would be something like MIN-ee Dee-AIR-ee-um
saberience 1 days ago [-]
One major problem, I don't want a journal with unbreakable encryption where I lose all my data if I ever lose the key.
I already pay for a journaling website where I know I can always recover my journals as long as I have access to my Gmail.
So, while I appreciate this security first mindset, for me it actually becomes less interesting. I want my journal to sync to the cloud, I want to be able to unlock it, I don't want to risk losing years of journals if I forget a single key.
duskdozer 1 days ago [-]
>as long as I have access to my Gmail
I think you should be more cautious about relying on the services of a company like Google that can arbitrarily decide to remove your account data or access. Similar, though the person was fortunate enough to regain access: https://hey.paris/posts/appleid/
You can mitigate hardware failure and data loss, especially for a simple key, but you may not be able to prevent Google from deciding your account is gone one day.
holyknight 1 days ago [-]
Thanks for the feedback! That point is super valid; that's why I created it with multiple authentication slots in mind (currently, it supports both password and public key authentication) so you can use multiple simultaneously and do not need to rely on one single point of failure.
For example, if you set up a password and a key, you can use your key, and if it gets lost or compromised, you can still log in with the password, remove the old key, and generate a new one.
You can do the same in reverse: just use the password and keep the key in a safe place (like a password manager or a physical USB), and if you lose your password, you can still get access with the key.
Thanks again!
sneak 1 days ago [-]
key reuse, and probably other issues in a homebrew cryptosystem that wraps AES.
is there a reason we aren’t using high level crypto libraries in 2026?
holyknight 1 days ago [-]
Thanks for the feedback. This is why I built it FOSS.
On key reuse: the master key is intentionally shared across entries (as in Signal, 1Password, etc.), but each encrypt() call generates a fresh 96-bit nonce from the OS CSPRNG, so the (key, nonce) pair is never repeated.
That said, I am not a security expert by any means. If you've spotted something concrete, a specific call site, a protocol flaw, or a library you'd swap in, I'd genuinely love to hear it. Open to PRs or a discussion issue.
Regards
artzev_ 1 days ago [-]
[dead]
1 days ago [-]
cranberryturkey 1 days ago [-]
[flagged]
crossroadsguy 1 days ago [-]
Let alone the cloud, SQLite in iCloud Drive is the reason I am not using Bear notes app. After losing to convoluted file formats a couple of times I do not consider any journal or notes app that doesn’t let me see/edit plain text files on the disk. I will deal with encryption, storage, etc on my own. Those are too personal files to be either locked or go behind any amount of friction. I still have tons of files locked from Dyrii that was abandoned
holyknight 1 days ago [-]
Hey, thanks for the feedback! Yes, currently in the preferences you can see the path of your local SQLite DB file, so you could definitely sync that to the cloud.
I will improve it further in next releases to make it even simpler (for example, by defining a custom path for the store, which cannot be done currently), but it can definitely be done already.
Regarding the key for recovery: you can already do it. Mini-Diarium already supports both password and public key authentication. So you can use the password and generate the .key file and keep it in a secure place as a backup in case you forget your password (or do it in reverse: use the key file and have the password as a backup).
Thanks again!
giahug 1 days ago [-]
for aem
cranberryturkey 1 days ago [-]
[flagged]
isodev 1 days ago [-]
This site is not for bots, go away please.
hackingonempty 1 days ago [-]
> Every entry is encrypted with AES-256-GCM before it touches disk
Until the OS needs more memory and swaps your secrets out.
tptacek 1 days ago [-]
The "before it touches disk" thing in the promo copy is silly, yes, but there's really no sane threat model for this; from every vantage point where this could matter, you already have game-over attacks on the app.
mhluongo 1 days ago [-]
Protected memory can be used to fix that. Working on a related project that I'm planning to share soon.
mystifyingpoi 1 days ago [-]
But so what? Another app can't really read swap file/partition. Unless it runs with elevated privileges like root, in which case the system is compromised anyway.
holyknight 1 days ago [-]
Hey, thanks for the feedback! That's a valid point; currently, my main focus is to secure the store on disk, but this is definitely a point which could be improved later on.
If your machine is fully compromised or actively monitored by a threat actor with physical access, then this tool would not cover you, that's for sure.
If you have any concrete recommendations, I can even give it a try in one of the next releases.
Thanks!
plagiarist 1 days ago [-]
I thought we were all supposed to be encrypting our swap. Or is there something better an app can do about this?
hackingonempty 1 days ago [-]
We're all supposed to be encrypting our storage too but this tool advertises that it encrypts your secrets before they hit the disk.
All of the supported operating systems have memory locking functions that prevent swapping out but they are not used in this tool, AFAIK. Also, they are intended to lock things like secret keys that are small and not displayed to the user in a GUI. You can lock the whole process though but a big web browser process is going to significantly up the amount of unswappable memory. Stuff sent to the windowing system may get swapped out too.
Rendered at 22:39:03 GMT+0000 (Coordinated Universal Time) with Vercel.
However, how do one access their diary, when you stopped maintaining it? Is this targeted more at the technically inclined, high-profile people who need to keep secrets?
Personally, I believe that for something like a diary/journal, it should be in a format easily readable by most tools (so a Plain-Text or a MarkDown at best), then it is in a container/folder. Now, encrypt that container/folder instead. In the future, when you need to change the tool for Encryption/Decryption, move the container/folder.
For instance, tools such as https://cryptomator.org comes to mind.
1) Can I still read my data in 10 years? That’s mostly about open, well-documented formats + an export path. A journaling app can still be “safe” here if it can export to Markdown/plain-text (or at least JSON) and the on-disk schema is documented.
2) Can I decrypt it in 10 years? That’s about using boring primitives (AES-GCM, Argon2/scrypt/PBKDF2) and keeping the crypto layer simple. If it’s standard crypto, you’re not locked to one vendor the way you might be with a bespoke format.
The “plain files in an encrypted folder” approach (Cryptomator/VeraCrypt) is totally reasonable—and arguably the simplest threat model—but you do give up a lot of what makes a journal app nice (full-text search, tags, structured metadata, conflict handling, etc.). SQLite + client-side encryption is a fine compromise if there’s a solid export and the KDF/password story is strong.
The biggest real risk is still: losing the password. A printable recovery key / key export would help more than switching formats.
If necessary for things like search, add a cache file to the folder.
I used Notational Velocity in those days :) A rare gem of ergonomics.
Later I did the same thing with a VeraCrypt volume.
Now I'm in Obsidian, which has its own encryption (if you trust 'em!), but never quite got the frictionless feeling of NV back.
It's just a bit of a pain to set up, and also, not mobile-friendly.
Here's a tip: GitHub now allows you to embed a proper video in your README. (https://stackoverflow.com/questions/4279611/how-to-embed-a-v...). Quality would be much better, and people can navigate back-and-forth in the video.
But your feedback is still valid. It's unfortunate that OP used the login screen as the last frame; it'd be better to show the app as the last frame, or just loop the animation.
It's a paid app, not open source, but I've been using it for years and it has been working very well for me.
Speaking of which, I have notes / journal entries dating back several decades, all in plain text files. I'm worried about these new projects and their longevity and whether it'll be actively supported 30 years from now. For simplicity, I'd use gocryptfs, Veracrypt, or other general file-based encryption which suits your risk tolerance, and use whatever editor (ie Obsidian, vscode, OneNote, etc) I want to use.
I will improve the experience for this use case in follow up releases, by for example being able to define a arbitrary path for your db file.
Thanks for the feedback!
That's a good win-win situation.
As a fellow obsidian user, I wouldn't scoff at a simple app which does one thing well.
More here: https://alabhya.me/rclone
I find this interesting mostly to understand how you are handling encryption and security. I think this is one approach but others expressed concern over long term viability.
Using Tauri is also very interesting. How did you find using it for this simpler case?
Anyhow, very cool project. Don't aband it :)
I already pay for a journaling website where I know I can always recover my journals as long as I have access to my Gmail.
So, while I appreciate this security first mindset, for me it actually becomes less interesting. I want my journal to sync to the cloud, I want to be able to unlock it, I don't want to risk losing years of journals if I forget a single key.
I think you should be more cautious about relying on the services of a company like Google that can arbitrarily decide to remove your account data or access. Similar, though the person was fortunate enough to regain access: https://hey.paris/posts/appleid/
You can mitigate hardware failure and data loss, especially for a simple key, but you may not be able to prevent Google from deciding your account is gone one day.
For example, if you set up a password and a key, you can use your key, and if it gets lost or compromised, you can still log in with the password, remove the old key, and generate a new one.
You can do the same in reverse: just use the password and keep the key in a safe place (like a password manager or a physical USB), and if you lose your password, you can still get access with the key.
Thanks again!
is there a reason we aren’t using high level crypto libraries in 2026?
On the libraries: Mini Diarium actually does use established, widely audited crates rather than rolling its own primitives. See https://github.com/RustCrypto/AEADs for AES-256-GCM, https://github.com/RustCrypto/password-hashes for key derivation, and https://github.com/dalek-cryptography/curve25519-dalek + https://github.com/RustCrypto/KDFs for the key file ECIES scheme. The thin cipher.rs wrapper just handles nonce prepending with no custom crypto primitives.
On key reuse: the master key is intentionally shared across entries (as in Signal, 1Password, etc.), but each encrypt() call generates a fresh 96-bit nonce from the OS CSPRNG, so the (key, nonce) pair is never repeated.
That said, I am not a security expert by any means. If you've spotted something concrete, a specific call site, a protocol flaw, or a library you'd swap in, I'd genuinely love to hear it. Open to PRs or a discussion issue.
Regards
I will improve it further in next releases to make it even simpler (for example, by defining a custom path for the store, which cannot be done currently), but it can definitely be done already.
Regarding the key for recovery: you can already do it. Mini-Diarium already supports both password and public key authentication. So you can use the password and generate the .key file and keep it in a secure place as a backup in case you forget your password (or do it in reverse: use the key file and have the password as a backup).
Thanks again!
Until the OS needs more memory and swaps your secrets out.
If your machine is fully compromised or actively monitored by a threat actor with physical access, then this tool would not cover you, that's for sure.
If you have any concrete recommendations, I can even give it a try in one of the next releases.
Thanks!
All of the supported operating systems have memory locking functions that prevent swapping out but they are not used in this tool, AFAIK. Also, they are intended to lock things like secret keys that are small and not displayed to the user in a GUI. You can lock the whole process though but a big web browser process is going to significantly up the amount of unswappable memory. Stuff sent to the windowing system may get swapped out too.