Here's a tip: GitHub now allows you to embed a proper video in your README. (https://stackoverflow.com/questions/4279611/how-to-embed-a-v...). Quality would be much better, and people can navigate back-and-forth in the video.
Speaking of which, I have notes / journal entries dating back several decades, all in plain text files. I'm worried about these new projects and their longevity and whether it'll be actively supported 30 years from now. For simplicity, I'd use gocryptfs, Veracrypt, or other general file-based encryption which suits your risk tolerance, and use whatever editor (ie Obsidian, vscode, OneNote, etc) I want to use.
It's a paid app, not open source, but I've been using it for years and it has been working very well for me.
I will improve the experience for this use case in follow up releases, by for example being able to define a arbitrary path for your db file.
Thanks for the feedback!
is there a reason we aren’t using high level crypto libraries in 2026?
On the libraries: Mini Diarium actually does use established, widely audited crates rather than rolling its own primitives. See https://github.com/RustCrypto/AEADs for AES-256-GCM, https://github.com/RustCrypto/password-hashes for key derivation, and https://github.com/dalek-cryptography/curve25519-dalek + https://github.com/RustCrypto/KDFs for the key file ECIES scheme. The thin cipher.rs wrapper just handles nonce prepending with no custom crypto primitives.
On key reuse: the master key is intentionally shared across entries (as in Signal, 1Password, etc.), but each encrypt() call generates a fresh 96-bit nonce from the OS CSPRNG, so the (key, nonce) pair is never repeated.
That said, I am not a security expert by any means. If you've spotted something concrete, a specific call site, a protocol flaw, or a library you'd swap in, I'd genuinely love to hear it. Open to PRs or a discussion issue.
Regards
More here: https://alabhya.me/rclone
I find this interesting mostly to understand how you are handling encryption and security. I think this is one approach but others expressed concern over long term viability.
Using Tauri is also very interesting. How did you find using it for this simpler case?
Anyhow, very cool project. Don't aband it :)
I already pay for a journaling website where I know I can always recover my journals as long as I have access to my Gmail.
So, while I appreciate this security first mindset, for me it actually becomes less interesting. I want my journal to sync to the cloud, I want to be able to unlock it, I don't want to risk losing years of journals if I forget a single key.
I think you should be more cautious about relying on the services of a company like Google that can arbitrarily decide to remove your account data or access. Similar, though the person was fortunate enough to regain access: https://hey.paris/posts/appleid/
You can mitigate hardware failure and data loss, especially for a simple key, but you may not be able to prevent Google from deciding your account is gone one day.
For example, if you set up a password and a key, you can use your key, and if it gets lost or compromised, you can still log in with the password, remove the old key, and generate a new one.
You can do the same in reverse: just use the password and keep the key in a safe place (like a password manager or a physical USB), and if you lose your password, you can still get access with the key.
Thanks again!
One thing I'd push back on regarding the "what if you stop maintaining it" concern: SQLite with AES-256-GCM is about as future-proof as you can get. Both are standards with multiple implementations. The real risk isn't the format dying — it's losing the password. A recovery key export (even just a paper backup of the key material) would go a long way.
For the cross-device case, you might also consider something like Syncthing for sync without any cloud intermediary. Keeps the threat model simpler.
I will improve it further in next releases to make it even simpler (for example, by defining a custom path for the store, which cannot be done currently), but it can definitely be done already.
Regarding the key for recovery: you can already do it. Mini-Diarium already supports both password and public key authentication. So you can use the password and generate the .key file and keep it in a secure place as a backup in case you forget your password (or do it in reverse: use the key file and have the password as a backup).
Thanks again!
Until the OS needs more memory and swaps your secrets out.
If your machine is fully compromised or actively monitored by a threat actor with physical access, then this tool would not cover you, that's for sure.
If you have any concrete recommendations, I can even give it a try in one of the next releases.
Thanks!
All of the supported operating systems have memory locking functions that prevent swapping out but they are not used in this tool, AFAIK. Also, they are intended to lock things like secret keys that are small and not displayed to the user in a GUI. You can lock the whole process though but a big web browser process is going to significantly up the amount of unswappable memory. Stuff sent to the windowing system may get swapped out too.
However, how do one access their diary, when you stopped maintaining it? Is this targeted more at the technically inclined, high-profile people who need to keep secrets?
Personally, I believe that for something like a diary/journal, it should be in a format easily readable by most tools (so a Plain-Text or a MarkDown at best), then it is in a container/folder. Now, encrypt that container/folder instead. In the future, when you need to change the tool for Encryption/Decryption, move the container/folder.
For instance, tools such as https://cryptomator.org comes to mind.
1) Can I still read my data in 10 years? That’s mostly about open, well-documented formats + an export path. A journaling app can still be “safe” here if it can export to Markdown/plain-text (or at least JSON) and the on-disk schema is documented.
2) Can I decrypt it in 10 years? That’s about using boring primitives (AES-GCM, Argon2/scrypt/PBKDF2) and keeping the crypto layer simple. If it’s standard crypto, you’re not locked to one vendor the way you might be with a bespoke format.
The “plain files in an encrypted folder” approach (Cryptomator/VeraCrypt) is totally reasonable—and arguably the simplest threat model—but you do give up a lot of what makes a journal app nice (full-text search, tags, structured metadata, conflict handling, etc.). SQLite + client-side encryption is a fine compromise if there’s a solid export and the KDF/password story is strong.
The biggest real risk is still: losing the password. A printable recovery key / key export would help more than switching formats.
If necessary for things like search, add a cache file to the folder.
I used Notational Velocity in those days :) A rare gem of ergonomics.
Later I did the same thing with a VeraCrypt volume.
Now I'm in Obsidian, which has its own encryption (if you trust 'em!), but never quite got the frictionless feeling of NV back.