Mini Diarium blog

Secure Journal App: What Actually Makes One Secure

Plenty of apps call themselves secure. A journal app earns it by encrypting entries on disk, running fully offline, and holding no key it could hand over.

  • secure journal app
  • encrypted journal
  • offline journal
  • private diary app

Short answer: A secure journal app encrypts each entry on disk with a named algorithm, has no recovery backdoor, and keeps a minimal network surface. Mini Diarium encrypts entries with AES-256-GCM before they touch disk, has no HTTP client at all, and is open source under the MIT license for Windows, macOS, and Linux, so its security claims can be verified rather than trusted.

"Secure" is the most overused word in software marketing. Almost every journal app claims it, which makes the word useless on its own. A secure journal app is not one that says the right things on its landing page. It is one whose architecture makes your entries unreadable to anyone but you, and keeps them that way even if the company disappears or the device is lost.

This post breaks "secure" into the specific properties you can check, then explains why the strongest version of a secure journal is a desktop, offline one.

What "secure" should mean for a journal

Three properties do most of the work. Everything else is secondary.

The first is encryption at rest. Entries should be encrypted before they are written to disk, using a named algorithm such as AES-256-GCM. The test is whether the file is readable when copied to another machine. If it is, the app is not secure at the storage layer no matter what the login screen looks like.

The second is no recovery backdoor. If the vendor can reset your password and still show you your entries, then the vendor holds a key to your writing, and so does anyone who can compel or breach the vendor. Real security means the app cannot read your entries either.

The third is a small attack surface. An app that never talks to the network cannot leak your entries over the network. Encrypted journal software that also syncs to a server has more ways to fail than one that stays on your machine. Fewer moving parts is a security property, not just a simplicity one.

Security you can verify versus security you are asked to trust

There is a difference between an app that lets you verify its claims and one that asks you to trust them.

Open source is the clearest form of verification. When the code is public, anyone can confirm that the encryption is implemented correctly and that no entries leave the device. A closed-source app can make identical claims, but you are trusting the publisher rather than checking the implementation. For a tool that holds years of private writing, that difference is worth weighing.

The absence of a network client is verifiable too. An app with no HTTP code cannot send telemetry, cannot sync silently, and cannot change its data-sharing behavior in a future update, because the transport layer does not exist. That is a structural guarantee rather than a policy promise, and structural guarantees do not change when a privacy policy is rewritten.

A secure journal is a desktop-first idea

The most secure journaling setups tend to be desktop ones, and that is not an accident. On a desktop or laptop, the app can store an encrypted database as an ordinary file that you control, back up yourself, and keep entirely offline. There is no requirement for an account, a server, or a sync service. An offline encrypted diary on your own Windows, macOS, or Linux machine is about as small an attack surface as journaling gets.

This is also where the word "offline" does real work. An offline diary for your PC keeps writing available with no network and keeps your entries out of reach of anything that would need the network to touch them. The trade-off is honest: you do not get automatic cross-device sync, and you are responsible for your own backups. For many people who want a secure journal, that trade is the point.

Where Mini Diarium fits

Mini Diarium is a secure journal app for Windows, macOS, and Linux. Each entry is encrypted with AES-256-GCM before it is written to a local SQLite database, so plaintext never touches disk. There is no HTTP client in the binary, which means no cloud, no sync, no telemetry, and no account. The app cannot send your entries anywhere because it has no way to.

It is free and open source under the MIT license, so the encryption and the absence of network code can be checked rather than taken on faith. Unlock works with a password (its key is derived with Argon2id) or a key file that works like an SSH private key. There is no recovery backdoor: Mini Diarium keeps no copy of your key, so losing both the password and the key file means the entries cannot be recovered. That is the cost of security that actually holds.

The main limitation is that Mini Diarium is desktop-only. If you need to write from a phone with cross-device sync, this model does not provide it.

The practical takeaway

If an app calls itself secure, check the three properties: encryption at rest with a named algorithm, no recovery backdoor, and a small or absent network surface. If you can also read the source, better still.

For the underlying idea, read what an encrypted diary actually is. To evaluate specific apps against a full checklist, use how to choose a private journal app. For a side-by-side view of how Mini Diarium compares to Day One, Notion, Obsidian, and Standard Notes on these criteria, see the comparison page.