Mini Diarium

Website: mini-diarium.com

A local-first journal with serious encryption. Free, open source, and never touches the internet.

Mini Diarium keeps your journal private. Every entry is encrypted with AES-256-GCM, the app never connects to the internet, and your data never leaves your machine. Built with Tauri, SolidJS, and Rust.

Background

Mini Diarium is a spiritual successor to Mini Diary by Samuel Meuli. I loved the original tool. It was simple, private, and did exactly what a journal app should do. Unfortunately, it's been unmaintained for years and its dependencies have aged out. I initially thought about forking it and modernizing the stack, but turned out impractical. So I started over from scratch, keeping the same core philosophy (encrypted, local-only, minimal) while rebuilding completely with Tauri 2, SolidJS, and Rust. The result is a lighter, faster app with stronger encryption and a few personal touches.

Philosophy First

Mini Diarium is intentionally opinionated. The philosophy is not a side note, it is the product:

• Small, extensible core: keep core responsibilities tight (encrypt, store, authenticate) and push extras to extension points
• Boring security: use established algorithms and audited libraries, never custom crypto
• Local-only by design: no cloud sync, no telemetry, no analytics, no hidden network behavior
• Easy in, easy out: import from common formats and export in open formats to avoid lock-in
• Focused scope: private journaling over feature sprawl
• Simplicity over cleverness: fewer moving parts, smaller attack surface, easier maintenance

Read the full principles and how these translates to the architecture in PHILOSOPHY.md.

Features

• Key file authentication: unlock your diary with an X25519 private key file instead of (or alongside) your password, like SSH keys for your journal. Register multiple key files; manage all auth methods from Preferences. See Key File Authentication for details.
• AES-256-GCM encryption: all entries are encrypted with a random master key. Each auth method holds its own wrapped copy of that key, so adding or removing a method is O(1), with no re-encryption of your entries.
• Rich text editor
• Calendar navigation
• Import: Mini Diary JSON, Day One JSON/TXT, and jrnl JSON with merge conflict resolution
• Export: JSON and Markdown formats
• Themes
• Automatic backups: backup on unlock with rotation
• Statistics
• Preferences: first day of week, future entries toggle, title visibility, spellcheck, password change, authentication method management
• Cross-platform: Windows, macOS, and Linux
• Zero network access: no telemetry, no analytics, no update checks

Architecture

Unlock Model

Mini Diarium uses a wrapped master key design.

• A random master key encrypts all entries using AES-256-GCM
• Authentication methods wrap the master key
• Unlocking unwraps the master key into memory for the session

Unlock Flow

<picture>


</picture>

Password Unlock

• Argon2 key derivation
• AES-GCM unwrap of master key

Key File Unlock

• X25519 key pair
• ECDH followed by HKDF
• AES-GCM unwrap of master key

The master key is never stored in plaintext.

System Context

Everything runs locally on the user's machine.

<picture>


</picture>

Properties

• The UI communicates with the Rust backend via Tauri invoke()
• The backend reads and writes to local SQLite
• No HTTP clients
• No background sync
• No telemetry

Saving an Entry

When saving an entry:

1. The content is encrypted using the master key.
2. The encrypted content is stored in the entries table.

<picture> </picture>

Layered Architecture

Mini Diarium follows a layered structure.

<picture>


</picture>

Installation

Download the latest release for your platform:

Installation Notes

Windows

On first launch, Windows SmartScreen may show a warning ("Windows protected your PC"). This is expected for unsigned applications. Click "More info" then "Run anyway" to proceed. Mini Diarium is open source and builds are reproducible from source.

macOS

macOS Gatekeeper may block the app on first launch with "damaged and can't be opened". This happens because the app is open-source and not commercially code-signed.

Run this command in Terminal after dragging the app to Applications:

xattr -cr "/Applications/Mini Diarium.app"

Then launch the app normally. This is a one-time step.

Linux

No code signing is required. For security, verify the SHA256 checksum against checksums-linux.txt from the release before installation:

sha256sum Mini-Diarium-*.AppImage
# Compare with checksums-linux.txt

Quick Start

1. Launch Mini Diarium
2. Create a password (this encrypts your diary; there is no recovery if forgotten)
3. Write your first entry. It auto-saves as you type
4. Navigate between days with Ctrl+[ / Ctrl+] or click dates on the calendar
5. Lock your diary when you're done

Key File Authentication

Most journal apps only offer a password. Mini Diarium also lets you unlock with an X25519 private key file, a small .key file that acts like an SSH key for your diary. You can use a key file instead of your password, or register both and use whichever is convenient.

Why use a key file?

How it works

Each auth method stores its own encrypted copy of a random master key that encrypts all diary entries. For key files, this wrapping uses X25519 ECIES:

1. A 256-bit master key is generated once when you create the diary and never changes.
2. You generate an X25519 keypair in Preferences. The app saves the private key to a .key file (64-character hex string) and retains only the public key.
3. The public key is used to wrap the master key: an ephemeral DH key exchange produces a one-time secret, HKDF-SHA256 derives a wrapping key from it, and AES-256-GCM encrypts the master key. The resulting blob is stored in the auth_slots table alongside your password slot.
4. To unlock, Mini Diarium reads the .key file, performs the same ECDH derivation in reverse, and unwraps the master key; your password is never required.

The private key never enters the database. The public key stored in the database cannot unlock the diary. A wrong or tampered key file is rejected by AES-GCM authentication.

Setting up a key file

1. Open Preferences → Authentication Methods
2. Click Generate Key File
3. Save the .key file somewhere only you control, such as a USB drive, a password manager's secure notes, or an encrypted folder
4. Enter your current password to authorize the registration
5. Give the slot a label (e.g. "USB drive" or "laptop")

From that point you can unlock from the login screen by switching to Key File mode and selecting your .key file. To remove a key file, open Preferences → Authentication Methods and delete its slot (the last remaining method is always protected from deletion).

Backup your key file. Like an SSH private key, it cannot be regenerated. If you lose both your password slot and all key files, there is no recovery path.

Keyboard Shortcuts

Statistics, Import, and Export are available via the Diary menu (no default keyboard accelerators).

On macOS, use Cmd instead of Ctrl.

Building from Source

Prerequisites: Rust 1.75+, Bun 1.x, and Tauri v2 system dependencies.

git clone https://github.com/fjrevoredo/mini-diarium.git
cd mini-diarium
bun install
bun run tauri build

Artifacts will be in src-tauri/target/release/bundle/.

Tech Stack

• Tauri 2: desktop app framework (Rust backend, web frontend)
• SolidJS: reactive UI framework
• Rust: backend logic, encryption, database
• x25519-dalek, hkdf, sha2: X25519 ECIES key wrapping for key file authentication
• SQLite: local encrypted database storage
• TipTap: rich text editor
• UnoCSS: utility-first CSS
• Kobalte: accessible UI primitives

Known Issues

• Concurrent access to the journal is not supported

Extending Mini Diarium

You can add local import/export extensions using Rhai scripts in your diary plugins/ folder.
See docs/user-plugins/USER_PLUGIN_GUIDE.md for requirements, best practices, and a complete example plugin.

Contributing

See CONTRIBUTING.md for setup instructions, development workflow, and conventions.
For maintainers adding official plugins, see docs/BUILTIN_PLUGIN_GUIDE.md.

Releasing

For maintainers: See docs/RELEASING.md for step-by-step release instructions.

Security

See SECURITY.md for the security model and how to report vulnerabilities.

Credits

Made with love by Francisco J. Revoredo (with a little help from Claude Code).