Website: mini-diarium.com
A local-only journal with serious encryption. Free, open source, and never touches the internet.
Mini Diarium keeps your journal private. Every entry is encrypted with AES-256-GCM, the app never connects to the internet, and your data never leaves your machine. Built with Tauri, SolidJS, and Rust.
Download the latest release for your platform from GitHub Releases.
For platform package formats and first-run notes, see Installation.
Mini Diarium is a spiritual successor to Mini Diary by Samuel Meuli. I loved the original tool. It was simple, private, and did exactly what a journal app should do. Unfortunately, it's been unmaintained for years and its dependencies have aged out. I initially thought about forking it and modernizing the stack, but turned out impractical. So I started over from scratch, keeping the same core philosophy (encrypted, local-only, focused) while rebuilding completely with Tauri 2, SolidJS, and Rust. The result is a lighter, faster app with stronger encryption and a few personal touches.
Mini Diarium is intentionally opinionated. The philosophy is not a side note, it is the product:
- Small, extensible core: keep core responsibilities tight (encrypt, store, authenticate) and push extras to extension points
- Boring security: use established algorithms and audited libraries, never custom crypto
- Local-only by design: no cloud sync, no telemetry, no analytics, no hidden network behavior
- Easy in, easy out: import from common formats and export in open formats to avoid lock-in
- Focused scope: private journaling over feature sprawl
- Simplicity over cleverness: fewer moving parts, smaller attack surface, easier maintenance
Read the full principles and how these translates to the architecture in PHILOSOPHY.md.
Mini Diarium uses AI tools willingly and without apology, but always as leverage for human engineers, never as a replacement for them. This is NOT a vibe-coded app: every meaningful change still has to pass through deliberate design, careful implementation, proper testing, sound engineering practice, and direct feedback from both developers and users. We do not believe serious software can be reduced to "no-code magic" or delegated to prompts without judgment, especially when privacy, security, and long-term maintainability matter. Good tools should be used; responsibility, authorship, and final judgment remain human.
- Key file authentication: unlock your journal with an X25519 private key file instead of (or alongside) your password, like SSH keys for your journal. Register multiple key files; manage all auth methods from Preferences. See Key File Authentication for details.
- AES-256-GCM encryption: all entries are encrypted with a random master key. Each auth method holds its own wrapped copy of that key, so adding or removing a method is O(1), with no re-encryption of your entries.
- Rich text editor
- Multiple entries per day: keep separate entries for the same date without merging them together
- Calendar navigation
- Import: Mini Diary JSON, Day One JSON/TXT, and jrnl JSON with additive imports that preserve separate same-date entries
- Export: JSON for structural fidelity and Markdown for human-readable best-effort export
- Themes
- Automatic backups: backup on unlock with rotation
- Statistics
- Preferences: first day of week, future entries toggle, title visibility, spellcheck, password change, authentication method management
- Cross-platform: Windows, macOS, and Linux
- Zero network access: no telemetry, no analytics, no update checks
Mini Diarium uses a wrapped master key design.
- A random master key encrypts all entries using AES-256-GCM
- Authentication methods wrap the master key
- Unlocking unwraps the master key into memory for the session
- Argon2 key derivation
- AES-GCM unwrap of master key
- X25519 key pair
- ECDH followed by HKDF
- AES-GCM unwrap of master key
The master key is never stored in plaintext.
Everything runs locally on the user's machine.
- The UI communicates with the Rust backend via Tauri
invoke() - The backend reads and writes to local SQLite
- No HTTP clients
- No background sync
- No telemetry
When saving an entry:
- The content is encrypted using the master key.
- The encrypted content is stored in the
entriestable.
Mini Diarium follows a layered structure.
Download the latest release for your platform from GitHub Releases:
| Platform | Format |
|---|---|
| Windows | .msi or .exe (NSIS installer, no admin required) |
| macOS | .dmg |
| Linux | .AppImage or .deb |
The easiest way to install Mini Diarium on Windows is via WinGet:
winget install mini-diariumTo update an existing installation later:
winget upgrade mini-diariumThe easiest way to install Mini Diarium on macOS is via Homebrew:
brew tap fjrevoredo/mini-diarium
brew install --cask mini-diariumNote: Mini Diarium is not code-signed. On first launch, macOS Gatekeeper may show a "damaged and can't be opened" error. Run the following command in Terminal, then open the app normally:
xattr -cr "/Applications/Mini Diarium.app"
Windows
On first launch, Windows SmartScreen may show a warning ("Windows protected your PC"). This is expected for unsigned applications. Click "More info" then "Run anyway" to proceed. Mini Diarium is open source and builds are reproducible from source.
macOS
macOS Gatekeeper may block the app on first launch with "damaged and can't be opened". This happens because the app is open-source and not commercially code-signed.
Run this command in Terminal after dragging the app to Applications:
xattr -cr "/Applications/Mini Diarium.app"Then launch the app normally. This is a one-time step.
Linux
No code signing is required. For security, verify the SHA256 checksum against checksums-linux.txt from the release before installation:
sha256sum Mini-Diarium-*.AppImage
# Compare with checksums-linux.txt- Launch Mini Diarium
- Create a password (this encrypts your journal; there is no recovery if forgotten)
- Write your first entry. It auto-saves as you type
- Navigate between days with
Ctrl+[/Ctrl+]or click dates on the calendar - Lock your journal when you're done
Most journal apps only offer a password. Mini Diarium also lets you unlock with an X25519 private key file, a small .key file that acts like an SSH key for your journal. You can use a key file instead of your password, or register both and use whichever is convenient.
| Scenario | How a key file helps |
|---|---|
| Physical second factor | Keep the .key file on a USB drive. The journal can only be unlocked when the drive is plugged in, with no app, no phone, and no OTP codes. |
| Password manager integration | Store the .key file as a secure attachment. Unlock without memorizing a passphrase at all. |
| Multiple machines | Register one key file per machine. Revoke access to a single machine by removing that slot without touching your password or re-encrypting any entries. |
| Shared account, separate keys | Register several key files under different labels. Each is independent, and removing one doesn't affect the others. |
Each auth method stores its own encrypted copy of a random master key that encrypts all journal entries. For key files, this wrapping uses X25519 ECIES:
- A 256-bit master key is generated once when you create the journal and never changes.
- You generate an X25519 keypair in Preferences. The app saves the private key to a
.keyfile (64-character hex string) and retains only the public key. - The public key is used to wrap the master key: an ephemeral DH key exchange produces a one-time secret, HKDF-SHA256 derives a wrapping key from it, and AES-256-GCM encrypts the master key. The resulting blob is stored in the
auth_slotstable alongside your password slot. - To unlock, Mini Diarium reads the
.keyfile, performs the same ECDH derivation in reverse, and unwraps the master key; your password is never required.
The private key never enters the database. The public key stored in the database cannot unlock the journal. A wrong or tampered key file is rejected by AES-GCM authentication.
- Open Preferences → Authentication Methods
- Click Generate Key File
- Save the
.keyfile somewhere only you control, such as a USB drive, a password manager's secure notes, or an encrypted folder - Enter your current password to authorize the registration
- Give the slot a label (e.g. "USB drive" or "laptop")
From that point you can unlock from the login screen by switching to Key File mode and selecting your .key file. To remove a key file, open Preferences → Authentication Methods and delete its slot (the last remaining method is always protected from deletion).
Backup your key file. Like an SSH private key, it cannot be regenerated. If you lose both your password slot and all key files, there is no recovery path.
| Action | Shortcut |
|---|---|
| Previous Day | Ctrl+[ |
| Next Day | Ctrl+] |
| Go to Today | Ctrl+T |
| Go to Date | Ctrl+G |
| Previous Month | Ctrl+Shift+[ |
| Next Month | Ctrl+Shift+] |
| Preferences | Ctrl+, |
Statistics, Import, and Export are available via the Journal menu (no default keyboard accelerators).
On macOS, use Cmd instead of Ctrl.
Prerequisites: Rust 1.75+, Bun 1.x, and Tauri v2 system dependencies.
git clone https://github.com/fjrevoredo/mini-diarium.git
cd mini-diarium
bun install
bun run tauri buildArtifacts will be in src-tauri/target/release/bundle/.
- Tauri 2: desktop app framework (Rust backend, web frontend)
- SolidJS: reactive UI framework
- Rust: backend logic, encryption, database
x25519-dalek,hkdf,sha2: X25519 ECIES key wrapping for key file authentication
- SQLite: local encrypted database storage
- TipTap: rich text editor
- UnoCSS: utility-first CSS
- Kobalte: accessible UI primitives
- Concurrent access to the journal is not supported
You can add local import/export extensions using Rhai scripts in your journal's plugins/ folder.
See docs/user-plugins/USER_PLUGIN_GUIDE.md for requirements, best practices, and a complete example plugin.
See CONTRIBUTING.md for setup instructions, development workflow, and conventions. For maintainers adding official plugins, see docs/BUILTIN_PLUGIN_GUIDE.md.
For maintainers: See docs/RELEASING.md for step-by-step release instructions.
See SECURITY.md for the security model and how to report vulnerabilities.
Made with love by Francisco J. Revoredo (with a little help from Claude Code).