Secret Diary

A Secret Diary is a diary whose entries are end-to-end encrypted in your browser before they leave your device. The server stores only ciphertext and has no access to the key — which means neither DearDiary.Net staff, nor anyone who gains access to the server, can ever read your secret entries.

Secret Diary is a Plus membership feature.


Why Secret Diary exists — the honest answer

Most web diary services (including DearDiary.Net for regular private diaries) protect your content from other users, but the service itself can technically read what's stored in the database. That's a reasonable level of trust for most people.

Secret Diary goes a step further: it removes DearDiary.Net from the trust chain entirely. Your passphrase never leaves your device. Your entries are encrypted before being sent to the server. We genuinely cannot read them.

The trade-off is that some server-side features can't work on secret content — search, sharing links, and data export are not available for secret entries. These features require the server to be able to read your content.

Industry-standard encryption — the same approach as password managers

The encryption used by Secret Diary is the same stack trusted by leading password managers like 1Password and Bitwarden:

  • AES-256-GCM encrypts your content — the same standard used to protect classified government data and financial transactions worldwide.
  • PBKDF2 (310,000 iterations) derives your encryption key from your passphrase, making brute-force attacks computationally expensive.
  • AES-256-KW (key wrapping) protects the content key itself, so your passphrase can be changed without re-encrypting all your entries.

Like a password manager, your passphrase is never transmitted — it stays on your device and is used only to unlock the key locally. The server stores only ciphertext it cannot read. The difference is that instead of protecting passwords, it's protecting your diary.

The only caveat is that you need a relatively modern browser (released after 2017) in order to use secret diaries and secret entries.

Even a software bug can't expose your entries

One concern with client-side encryption is: what if there's a bug in the app that accidentally sends plaintext? We've thought about this.

Every time a secret entry or diary cover is saved, the server independently verifies that the content it receives is actually ciphertext — before it touches the database. Our encryption format has a fixed structural signature (a base64-encoded block with a 12-byte IV prefix) that is impossible to confuse with plaintext HTML or JSON, which always contain characters that can't appear in valid ciphertext.

If the server receives anything that doesn't match that signature, it rejects the request and logs a warning — your plaintext never reaches the database, and you see an error rather than a silent data leak. The server does this without needing — or having — your encryption key.

This means the guarantee is layered:

  1. Your key never leaves your browser.
  2. Even if it somehow did, the server rejects unencrypted content at the boundary.
  3. Even a software bug in the client, or a hand-crafted malicious request, cannot cause plaintext to be stored for a secret entry.
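The boundary check described above, as an added example for this guide rather than DearDiary.Net's actual server code. The base64 layout of a 12-byte IV followed by the ciphertext and a 16-byte GCM tag, the function names, and the sample bodies are assumptions; the check's purpose (reject and log anything that is not ciphertext-shaped, with no key involved) comes from the page.

```javascript
// Server-side shape check: a secret entry body must look like base64( IV(12) || ciphertext || tag(16) ).
// The layout is assumed from the page's description; this is not DearDiary.Net's code.
const MIN_BYTES = 12 + 16; // an IV and an authentication tag, present even for an empty entry
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Returns a reason string when the body is rejected, or null when it has the expected shape.
// No key is needed: the check is structural, so it stops a client bug that sends plaintext HTML or
// JSON, but it cannot prove the bytes were encrypted; client-side encryption remains the real guarantee.
function rejectReason(body) {
  if (typeof body !== 'string' || body.length === 0) return 'empty body';
  if (!BASE64.test(body)) return 'not base64'; // '<', '{', '"' and whitespace never occur in base64
  if (Buffer.from(body, 'base64').length < MIN_BYTES) return 'too short for IV and GCM tag';
  return null;
}

// Boundary handler: warn and reject before anything reaches the database.
function saveSecretEntry(body, { log, store }) {
  const reason = rejectReason(body);
  if (reason !== null) {
    log(`WARN secret entry rejected: ${reason}`);
    return { status: 400, error: 'Secret content must arrive encrypted' };
  }
  store(body);
  return { status: 200 };
}

// Constructed sample bodies (not real data): what a buggy client and a correct client would send.
// Constant bytes stand in for real ciphertext in the last sample; only the shape matters to the check.
const SAMPLES = {
  html: '<p>Dear diary, today I...</p>',
  json: '{"text":"Dear diary"}',
  tooShort: Buffer.alloc(27, 1).toString('base64'),              // valid base64, no room for IV + tag
  validShape: Buffer.alloc(12 + 5 + 16, 2).toString('base64'),   // IV, 5 ciphertext bytes, tag
};

// Run every sample through the handler with an in-memory log and store; report what happened.
function runSamples() {
  const log = [], stored = [], results = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    results[name] = saveSecretEntry(body, { log: m => log.push(m), store: b => stored.push(b) }).status;
  }
  return { results, logged: log.length, stored: stored.length };
}
```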

Setting up your Secret Diary

  1. You need a Plus membership and a diary with its privacy set to Secret (this is chosen when you create the diary — see below).
  2. From the system menu, open Account Settings and expand the Secret Diary section.
  3. Click Set Up Secret Diary. You'll be prompted to create a passphrase — this is the key to your encrypted content. Choose something memorable but strong.
  4. You'll then be shown a 12-word recovery phrase. Write this down and store it somewhere safe, away from your device. This is shown once and cannot be recovered. If you forget your passphrase and lose your recovery phrase, your encrypted content is permanently inaccessible.
  5. Once set up, your passphrase applies to all your secret content across all your diaries.

Alternatively, and somewhat easier, just create a new diary and choose Secret as the visibility option. The system will guide you through setting up your secret passphrase.

Creating a Secret Diary

When creating a new diary, choose Secret as the privacy setting. Secret diaries are permanent — you cannot change a secret diary to a different privacy type, nor convert an existing diary to secret. This is intentional: it avoids the complexity of bulk-encrypting or decrypting existing entries.

Individual secret entries can exist inside any type of diary (including public ones). When writing or editing an entry, set the entry's privacy to Secret from the privacy dropdown. Creating your first secret entry will also set up your secret passphrase as above.


Unlocking your diary

Your passphrase is not stored anywhere — it must be entered each time you start a new session.

When you navigate to a secret diary or a secret entry for the first time after logging in, you'll see a prompt to enter your passphrase. Once unlocked:

  • Your entries decrypt and display in the browser.
  • The session key is stored temporarily in your browser's sessionStorage — it's only available in the current tab and is automatically cleared when you close it.
  • A configurable session timeout (set in Account Settings → Secret Diary → Key Timeout) locks the diary automatically after a period of inactivity. The default is 30 minutes.

Locking manually

  • In the My Diaries card on your dashboard, click the small lock icon next to the Active badge to immediately lock the session.
  • Switching to a non-secret diary also locks the secret diary session automatically.
  • Closing the browser tab always clears the session.

What is and isn't encrypted

Content                              Encrypted?
Entry text                           ✅ Yes
Entry title                          ✅ Yes
Diary title                          ✅ Yes
Diary cover page                     ✅ Yes
Entry date                           ❌ No — stored in plaintext
Entry privacy level                  ❌ No
Tracker data (mood, sleep, weight)   ❌ No
Comments                             ❌ No (secret diaries cannot have followers or public comments)

Dates and metadata are not encrypted because they are needed for features like the entry list, calendar, and activity charts.


Limitations

Because the server cannot read secret content, the following features are not available for secret entries:

  • Full-text search — secret entries do not appear in any search results, including your own "My Diaries" search.
  • Sharing links — you cannot create a shareable link for a secret entry.
  • Export — secret diaries cannot be exported. Secret entries inside a non-secret diary are skipped by any export. Decrypted export is planned for a future update.
  • Community feeds — secret entries never appear in any public feed, on-this-day, or community cards.
  • Sidebar entry list — when your secret diary is locked, the sidebar hides the entry list and calendar entirely. Entry dates and counts are considered sensitive and are not shown until you unlock. Once unlocked, the list and calendar appear as normal.

Changing your passphrase

You can change your passphrase at any time from Account Settings → Secret Diary → Change Passphrase. This does not re-encrypt your content — it only re-wraps the content key under your new passphrase. Your entries remain encrypted with the same underlying key.

You'll need to enter your current passphrase (or your recovery phrase) to authorise the change.


Recovery phrase

Your 12-word recovery phrase is generated once when you first set up your Secret Diary. It is an alternative way to unlock your diary if you forget your passphrase.

  • Store it somewhere secure and offline — a physical notebook, a password manager, or encrypted storage. Not on the same device as your diary.
  • If you lose both your passphrase and your recovery phrase, your encrypted content cannot be recovered. DearDiary.Net has no copy of your key.
  • You can generate a new recovery phrase at any time from Account Settings → Secret Diary, but this invalidates the old one.

Session timeout

The session timeout controls how long your secret diary stays unlocked after your last activity. When the timer expires, the key is cleared from your browser and you'll need to re-enter your passphrase.

Set the timeout in Account Settings → Secret Diary → Key Timeout. Options range from 5 minutes to 4 hours. The default is 30 minutes.

The timer resets each time you read or write a secret entry.


Frequently asked questions

Can DearDiary.Net read my secret entries? No. The encryption key is derived from your passphrase, which never leaves your device. The server stores only ciphertext.

What happens if I forget my passphrase? Use your recovery phrase to unlock and then set a new passphrase. If you've also lost your recovery phrase, the content is unrecoverable — by anyone.

Can I have more than one secret diary? Yes. All your secret diaries and secret entries use the same passphrase and content key. There is one key per user, not one per diary.

Does each browser tab need its own unlock? Yes. The session key is stored in sessionStorage, which is per-tab. Each tab you open will need a separate unlock. This is a security feature — it limits the window of exposure if you step away from a tab.

Is the entry date visible? Yes, dates are stored in plaintext. If the fact that you wrote an entry on a particular date is sensitive, be aware of this.

What happens to secret entries if I cancel my Plus membership? Your existing secret entries remain stored (as ciphertext). You can still read them if you unlock with your passphrase. You cannot create new secret entries while on a free account.