Security

🔒 Your diary is protected by military-grade encryption. We take security seriously, and we've built our platform with privacy as the foundation.

End-to-End Encryption

All diary entries are encrypted on your device before being sent to our servers. This means:

  • Your diary content is never transmitted in plaintext
  • We cannot read your diary entries - even if we wanted to
  • Database administrators cannot access your diary content
  • Even in the event of a server breach, your entries remain encrypted and unreadable

Technical Details

  • Encryption Algorithm: AES-GCM (Advanced Encryption Standard - Galois/Counter Mode)
  • Key Size: 256 bits
  • Key Derivation: PBKDF2 (Password-Based Key Derivation Function 2)
  • KDF Iterations: 100,000 (NIST recommended)
  • Hash Algorithm: SHA-256
  • IV Size: 96 bits (12 bytes), randomly generated per entry

How It Works

1. Key Generation

When you create an account, a unique encryption key is derived from your user ID and a randomly generated salt. This salt is stored securely in your browser's localStorage.

2. Writing an Entry

As you write, your content remains in plaintext on your device. When you save:

  1. A random initialization vector (IV) is generated
  2. Your content is encrypted using your unique key and the IV
  3. The encrypted data is converted to base64 format
  4. Only the encrypted data is sent to our servers

3. Reading an Entry

When you view a diary entry:

  1. Encrypted data is fetched from our servers
  2. The IV is extracted from the encrypted data
  3. Your unique key is derived again from your user ID and salt
  4. The content is decrypted on your device
  5. You see your plaintext diary entry
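
The key derivation, save and read steps above, sketched with the Web Crypto API as an added example (not the service's own code). It assumes the user ID is the PBKDF2 password, a 16-byte salt, and a stored blob laid out as IV followed by ciphertext and tag; the user ID and entry text are constructed.

```javascript
// Added example on constructed values; not the service's source code.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

// Derive the AES-256-GCM key with PBKDF2-HMAC-SHA-256, 100,000 iterations.
// Assumption: the user ID is the PBKDF2 "password" and the stored salt is the
// PBKDF2 salt. The user ID is an identifier, so the salt is the only secret input.
async function deriveKey(userId, salt) {
  const base = await wc.subtle.importKey("raw", enc.encode(userId), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

const toB64 = (bytes) => btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(""));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Save path: fresh 96-bit IV per entry, encrypt, then base64(IV || ciphertext || tag).
async function encryptEntry(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext)));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv);
  blob.set(ct, iv.length);
  return toB64(blob);
}

// Read path: split off the IV and decrypt; GCM rejects a modified blob or a wrong key.
async function decryptEntry(key, b64) {
  const blob = fromB64(b64);
  if (blob.length < 12 + 16) throw new Error("blob shorter than IV + GCM tag");
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: blob.subarray(0, 12) }, key, blob.subarray(12));
  return new TextDecoder().decode(pt);
}

// Round trip, a tampered blob, and a key derived from a different salt.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // salt length is an assumption
  const key = await deriveKey("user-1234", salt);      // constructed user ID
  const stored = await encryptEntry(key, "Dear diary, constructed sample entry.");
  const roundTrip = await decryptEntry(key, stored);
  const bad = fromB64(stored);
  bad[bad.length - 1] ^= 0x01;                         // flip one bit in the GCM tag
  const tamperRejected = await decryptEntry(key, toB64(bad)).then(() => false, () => true);
  const otherKey = await deriveKey("user-1234", wc.getRandomValues(new Uint8Array(16)));
  const wrongSaltRejected = await decryptEntry(otherKey, stored).then(() => false, () => true);
  return { roundTrip, tamperRejected, wrongSaltRejected };
}
```

The last check shows why losing the salt makes stored entries unrecoverable: the same user ID with a different salt yields a key that fails authentication.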

What We Can See

Transparency is important to us. Here's exactly what we can and cannot see:

❌ We CANNOT See:

  • ✗ Your diary content
  • ✗ What you write about
  • ✗ Your thoughts and feelings
  • ✗ Any text in your entries

✓ We CAN See:

  • ✓ Your email address
  • ✓ Entry dates (when you wrote)
  • ✓ Word counts
  • ✓ Encrypted (unreadable) content
  • ✓ Login times

Additional Security Measures

🔐 Secure Authentication

We use Supabase Auth, which implements industry-standard authentication protocols:

  • Bcrypt password hashing with salt
  • JWT tokens for session management
  • Email verification
  • Password reset with secure tokens

🌐 HTTPS/TLS Encryption

All communication between your device and our servers is encrypted using TLS 1.3, preventing man-in-the-middle attacks and eavesdropping.

💾 Encrypted Backups

Database backups remain encrypted. Your diary content is never stored in plaintext, even in backups.

🛡️ Protection Against Attacks

Our encryption implementation protects against:

  • Brute Force: 100,000 PBKDF2 iterations make key guessing impractical
  • Rainbow Tables: Unique salts prevent precomputed attacks
  • Replay Attacks: Unique IVs prevent reuse of encrypted data
  • Tampering: AES-GCM provides authenticated encryption

Your Responsibilities

While we provide strong encryption, security is a shared responsibility:

  • Strong Password: Use a unique, complex password for your account
  • Back Up Your Salt: Save your encryption salt in a secure location
  • Secure Device: Keep your device secure with a password/PIN
  • Log Out: Always log out on shared or public computers
  • Browser Security: Keep your browser updated
  • Be Careful: Don't share your account credentials

Limitations and Considerations

It's important to understand the current limitations:

⚠️ Device-Specific Encryption

Encryption keys are stored in your browser's localStorage, making them device-specific. To access your entries on a new device, you'll need to manually transfer your salt.

⚠️ No Password Recovery for Content

If you lose your encryption salt (by clearing browser data), we cannot recover your encrypted diary entries. Always back up your salt!

⚠️ Client-Side Vulnerabilities

While content is encrypted at rest and in transit, it's plaintext while you're writing. Malware or keyloggers on your device could capture content before encryption.

Compliance & Standards

Our security practices align with industry standards:

  • NIST Guidelines: Following NIST recommendations for cryptographic algorithms
  • OWASP: Implementing OWASP security best practices
  • GDPR: Compliant with EU data protection regulations
  • CCPA: Compliant with California privacy laws

Security Audits & Updates

We continuously work to improve our security:

  • Regular security reviews and updates
  • Monitoring for vulnerabilities in dependencies
  • Staying current with cryptographic best practices
  • Responding promptly to security reports

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

📧 Security Email: security@dailydiary.app

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information

We appreciate responsible disclosure and will respond within 48 hours.

Transparency

We believe in transparency about our security practices:

  • Our encryption implementation is open for review
  • We document our security measures publicly
  • We disclose any security incidents as required by law
  • We maintain detailed technical documentation

Want to learn more? Check our Support page or review our source code.