Show HN: Mini-Diarium - An encrypted, local, cross-platform journaling app

Posted by holyknight 1 day ago

Show HN: Mini-Diarium - An encrypted, local, cross-platform journaling app(github.com)

130 points | 62 commentspage 3

sneak 1 day ago|

key reuse, and probably other issues in a homebrew cryptosystem that wraps AES.

is there a reason we aren’t using high level crypto libraries in 2026?

holyknight 1 day ago|

Thanks for the feedback. This is why I built it FOSS.

On the libraries: Mini Diarium actually does use established, widely audited crates rather than rolling its own primitives. See https://github.com/RustCrypto/AEADs for AES-256-GCM, https://github.com/RustCrypto/password-hashes for key derivation, and https://github.com/dalek-cryptography/curve25519-dalek + https://github.com/RustCrypto/KDFs for the key file ECIES scheme. The thin cipher.rs wrapper just handles nonce prepending with no custom crypto primitives.

On key reuse: the master key is intentionally shared across entries (as in Signal, 1Password, etc.), but each encrypt() call generates a fresh 96-bit nonce from the OS CSPRNG, so the (key, nonce) pair is never repeated.

That said, I am not a security expert by any means. If you've spotted something concrete, a specific call site, a protocol flaw, or a library you'd swap in, I'd genuinely love to hear it. Open to PRs or a discussion issue.

Regards

artzev_ 1 day ago||

[dead]

cranberryturkey 1 day ago||

Nice project. The SQLite-on-cloud-drive approach mentioned in another comment is actually pretty solid — if the encryption is done client-side before the file hits the cloud, it doesn't matter where it's stored. The key thing is making sure the key derivation is robust enough that a compromised cloud account doesn't compromise journal contents.

One thing I'd push back on regarding the "what if you stop maintaining it" concern: SQLite with AES-256-GCM is about as future-proof as you can get. Both are standards with multiple implementations. The real risk isn't the format dying — it's losing the password. A recovery key export (even just a paper backup of the key material) would go a long way.

For the cross-device case, you might also consider something like Syncthing for sync without any cloud intermediary. Keeps the threat model simpler.

crossroadsguy 1 day ago||

Let alone the cloud, SQLite in iCloud Drive is the reason I am not using Bear notes app. After losing to convoluted file formats a couple of times I do not consider any journal or notes app that doesn’t let me see/edit plain text files on the disk. I will deal with encryption, storage, etc on my own. Those are too personal files to be either locked or go behind any amount of friction. I still have tons of files locked from Dyrii that was abandoned

holyknight 1 day ago||

Hey, thanks for the feedback! Yes, currently in the preferences you can see the path of your local SQLite DB file, so you could definitely sync that to the cloud.

I will improve it further in next releases to make it even simpler (for example, by defining a custom path for the store, which cannot be done currently), but it can definitely be done already.

Regarding the key for recovery: you can already do it. Mini-Diarium already supports both password and public key authentication. So you can use the password and generate the .key file and keep it in a secure place as a backup in case you forget your password (or do it in reverse: use the key file and have the password as a backup).

Thanks again!

giahug 1 day ago||

for aem

cranberryturkey 1 day ago||

[flagged]

isodev 1 day ago|

This site is not for bots, go away please.

hackingonempty 1 day ago|

> Every entry is encrypted with AES-256-GCM before it touches disk

Until the OS needs more memory and swaps your secrets out.

tptacek 1 day ago||

The "before it touches disk" thing in the promo copy is silly, yes, but there's really no sane threat model for this; from every vantage point where this could matter, you already have game-over attacks on the app.

mhluongo 1 day ago|||

Protected memory can be used to fix that. Working on a related project that I'm planning to share soon.

mystifyingpoi 1 day ago|||

But so what? Another app can't really read swap file/partition. Unless it runs with elevated privileges like root, in which case the system is compromised anyway.

holyknight 1 day ago|||

Hey, thanks for the feedback! That's a valid point; currently, my main focus is to secure the store on disk, but this is definitely a point which could be improved later on.

If your machine is fully compromised or actively monitored by a threat actor with physical access, then this tool would not cover you, that's for sure.

If you have any concrete recommendations, I can even give it a try in one of the next releases.

Thanks!

plagiarist 1 day ago||

I thought we were all supposed to be encrypting our swap. Or is there something better an app can do about this?

hackingonempty 1 day ago||

We're all supposed to be encrypting our storage too but this tool advertises that it encrypts your secrets before they hit the disk.

All of the supported operating systems have memory locking functions that prevent swapping out but they are not used in this tool, AFAIK. Also, they are intended to lock things like secret keys that are small and not displayed to the user in a GUI. You can lock the whole process though but a big web browser process is going to significantly up the amount of unswappable memory. Stuff sent to the windowing system may get swapped out too.