Documentation

Encryption architecture

DeepJournal uses end-to-end encryption (E2EE) to protect your data.

All encryption and decryption happens locally on your device before anything is synced to the server. DeepJournal server never see plaintext data or any keys required to decrypt it.

For maximum security and privacy, DeepJournal encrypts data before synchronization to the server and at rest on the device’s disk.

Encryption algorithms used

  • XChaCha20-Poly1305 (256-bit keys)

    Used for:

    • Encrypting all journal data (entries, states, logs, embeddings, etc.) before syncing to the server.
    • Encrypting the local SQLite database at rest via Sqleet

  • Argon2id

    Used for securely deriving 256-bit encryption keys from the user’s encryption password

Encryption password

DeepJournal uses a separate encryption password that is distinct from account authentication password.

  • The encryption password is required to access the app in order to decrypt journal data.
  • Logging into an account does not grant access to encrypted journal data.

Recovery Phrase

If the encryption password is lost, encrypted data cannot be recovered unless a Recovery Phrase was generated and stored by the user (strongly recommended).

  • The recovery phrase is shown once.
  • It must be stored securely by the user (e.g. password manager).
  • DeepJournal does not store the plaintext recovery phrase.

If both the encryption password and recovery phrase are lost, data recovery is impossible.