A secure, user-authenticated CLI journal application with per-user encryption, session management, and robust data features.
- User Authentication & Management:
  - Register new users: journaler register-user
  - Log in automatically when running any command (prompted if session expired)
  - Change your password: journaler change-password
  - Session persists for a configurable timeout (default 30 minutes)
  - End session instantly: journaler logout
- Per-User Data Encryption:
  - All journal data (entries, tags, etc.) is encrypted with a key derived from your password using Argon2 and AES-256-GCM.
  - Only you can decrypt your data after login.
- Session Management:
  - Persistent session file stored securely in your OS config directory
  - Timeout configurable via --session-timeout or JOURNALER_SESSION_TIMEOUT
  - Session file is deleted on logout or after timeout
- Entry Management:
  - Add: journaler add --content "..." [--tags ...] [--due ...] [--status ...]
  - Update: journaler update --id <ID> [--content ...] [--tags ...] [--remove-tag ...] [--due ...] [--status ...]
  - Delete (moves to recycle bin): journaler delete --id <ID>
  - List: journaler list
  - View: journaler view --id <ID>
  - Search: journaler search --query "..."
  - Export: journaler export --format csv|md|txt [--output <file>]
- Recycle Bin:
  - Deleted entries go to a recycle bin for 30 days
  - Recover: journaler recover --id <ID>
  - Purge expired: journaler purge-recycle-bin
  - List recycle bin: journaler recycle-bin
- Tag Management:
  - Tags are per-user and encrypted
  - Add tags on entry creation/update
  - Remove tags from entries
  - List tags: journaler tags
  - Tag usage counts
- Statistics:
  - journaler list shows:
    - Total entries
    - Average age
    - Average time since last update
    - Number of unique users
    - Entries per user (by username)
    - Entry updates in the last hour, day, week, month
- Legacy Data Cleanup:
  - journaler clean-legacy removes legacy/unowned data
- Help & Guide:
  - journaler --guide or journaler --help for all commands and options
- Password Hashing: Uses Argon2 with salt for secure password storage
- Data Encryption: AES-256-GCM; all journal content, tags, and sensitive user data are encrypted per user
- Session Security: Session file contains only encrypted user credentials and expires automatically
- No Plaintext: Passwords and sensitive data are never stored or transmitted in plaintext
- Rust toolchain (https://rustup.rs)
- SQLite3 (for the underlying database)
git clone https://github.com/balain/journaler.git
cd journaler
cargo build --release

journaler register-user
journaler add --content "My encrypted journal entry" --tags personal,private
journaler update --id 3 --content "Updated text" --tags work --remove-tag oldtag --due "2025-05-01" --status completed
journaler delete --id 3
journaler list
journaler logout
journaler recover --id 3
journaler change-password
journaler clean-legacy
journaler --guide
Journaler supports detailed debugging output for troubleshooting and development.
Add the --debug flag to any command to display internal debug messages:
$ ./journaler --debug list
Set the JOURNALER_DEBUG=1 environment variable when running tests to see debug output from test helpers and setup:
$ JOURNALER_DEBUG=1 cargo test -- --nocapture
Debug output is hidden by default and only shown when the flag or environment variable is set.
- JOURNAL_DB: Set the SQLite DB path (default: journal.db)
- JOURNALER_SESSION_TIMEOUT: Set session timeout in seconds (default: 1800)
For more details, see the built-in guide: journaler --guide
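
The session behaviour listed above (an owner-only session file, a timeout taken from JOURNALER_SESSION_TIMEOUT with an 1800-second default, deletion once the timeout passes) can be implemented with the Rust standard library on Unix. This is an added example, not journaler's own code: the file layout, the function names and the temp-file path are assumptions, and the encrypted credentials are treated as an opaque blob.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::{path::Path, time::{Duration, SystemTime, UNIX_EPOCH}};

const DEFAULT_TIMEOUT_SECS: u64 = 1800; // the README's default: 30 minutes
fn unix_secs(t: SystemTime) -> u64 {
    t.duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

/// Parse a JOURNALER_SESSION_TIMEOUT-style value; missing, invalid or zero input uses the default.
fn timeout_from(raw: Option<&str>) -> Duration {
    let secs = raw.and_then(|s| s.trim().parse::<u64>().ok()).filter(|&s| s > 0);
    Duration::from_secs(secs.unwrap_or(DEFAULT_TIMEOUT_SECS))
}

/// Assumed layout: 8-byte big-endian creation time, then the opaque encrypted blob, mode 0600.
fn write_session(path: &Path, blob: &[u8], now: SystemTime) -> io::Result<()> {
    let _ = fs::remove_file(path); // never reuse a file that may carry looser permissions
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)?;
    f.write_all(&unix_secs(now).to_be_bytes())?;
    f.write_all(blob)
}

/// Returns the blob while the session is valid; deletes the file once expired or malformed.
fn load_session(path: &Path, timeout: Duration, now: SystemTime) -> io::Result<Option<Vec<u8>>> {
    let mut f = match fs::File::open(path) {
        Ok(f) => f,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e),
    };
    let (mut ts, mut blob) = ([0u8; 8], Vec::new());
    if f.read_exact(&mut ts).is_ok() {
        f.read_to_end(&mut blob)?;
        // A creation time in the future (clock rollback, edited file) counts as expired.
        if let Some(age) = unix_secs(now).checked_sub(u64::from_be_bytes(ts)) {
            if age < timeout.as_secs() { return Ok(Some(blob)); }
        }
    }
    fs::remove_file(path)?;
    Ok(None)
}

fn main() {
    let path = std::env::temp_dir().join("journaler-example.session"); // constructed path
    let timeout = timeout_from(std::env::var("JOURNALER_SESSION_TIMEOUT").ok().as_deref());
    write_session(&path, b"constructed-ciphertext", SystemTime::now()).unwrap();
    println!("{:?}", load_session(&path, timeout, SystemTime::now()).unwrap());
    let _ = fs::remove_file(&path); // the logout path: delete the session file
}
```

The creation time here is stored outside the encrypted blob, so in a real design it should be covered by the AES-GCM authentication tag (for example as associated data) to keep an edited timestamp from extending a session.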
This project is licensed under the MIT License.