Innerholm has two encryption layers you can turn on per journal. End-to-end encryption seals a journal's title and content on your device with AES-256-GCM, using a key derived from your passphrase that never reaches the server, with recovery codes for safekeeping. Local Journal Mode goes fully on-device with no account, where the passphrase is never stored and never recoverable. Regular journals are not end-to-end encrypted, but they are encrypted in transit and at rest, and never scanned.

Layer one: end-to-end encryption, "Just for you"

When you want a journal sealed even from Innerholm, you turn on end-to-end encryption for that journal. Its title and content are encrypted on your device with AES-256-GCM, using a key derived from your passphrase with Argon2id. That key never reaches the server, so Innerholm stores only ciphertext for that journal and cannot read it.

The journal still lives in your account and syncs across your devices as ciphertext, so you can sign in elsewhere, enter your passphrase, and keep writing. Recovery codes exist for the day you forget the passphrase, and you keep them somewhere safe when you turn encryption on. Innerholm surfaces all of this quietly, inside the journal, marked "Just for you", rather than as a setting you have to hunt for.

  • Encrypted on your device, before anything is sent: AES-256-GCM, with a key derived from your passphrase using Argon2id.
  • The key never reaches the server: Innerholm stores only ciphertext for that journal, so it cannot read your words.
  • Still yours across devices: The journal syncs as ciphertext; sign in elsewhere and enter your passphrase to read it.
  • Recovery codes for the day you forget: Kept by you when you turn encryption on, so a forgotten passphrase is not the end.

Layer two: Local Journal Mode, fully on your device

Sometimes you want a journal that never touches the network at all. Local Journal Mode is a per-journal option that stays entirely on the device you write it on. It uses WebCrypto AES-GCM with a key derived from your passphrase, and it needs no account: there is nothing to sign in to, and nothing leaves the device.

The trade is sharper here, and Innerholm says so plainly: the passphrase is never stored and never recoverable. If you forget it, the journal is gone. That's the trade. It is the right option when the point is that no one, not even a future you on another device, can ever open the journal without the passphrase in your head.

  • Stays on the device, no account needed: Nothing syncs and nothing is uploaded; the data lives where you wrote it.
  • Encrypted with a passphrase only you hold: WebCrypto AES-GCM with a key derived from your passphrase.
  • No recovery, by design: The passphrase is never stored and never recoverable. Forget it and the journal is gone.
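
The sealing described above, as an added example that is not Innerholm's code: WebCrypto AES-GCM under a passphrase-derived key, where only salt, nonce and ciphertext are kept, so a wrong passphrase fails authentication and nothing else can open the record. The KDF (PBKDF2-SHA-256, because WebCrypto has no built-in Argon2id), the iteration count, the 256-bit key length for the local layer, the record layout and all function names are assumptions; the page does not specify them for Local Journal Mode.

```javascript
// Added example: a passphrase-sealed journal record using WebCrypto AES-GCM.
// Assumptions: PBKDF2-SHA-256 as the KDF, 256-bit key, and this record layout.
const enc = new TextEncoder();
const PBKDF2_ITERATIONS = 600000; // assumed work factor, not taken from the page

async function getCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function deriveKey(c, passphrase, salt) {
  const material = await c.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  // Non-extractable AES key: it can encrypt and decrypt but cannot be exported.
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Seals title and content together. The returned record holds no key and no
// passphrase: only the random salt, the nonce, and the ciphertext with its tag.
async function sealJournal(passphrase, journal) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per save
  const key = await deriveKey(c, passphrase, salt);
  const plaintext = enc.encode(JSON.stringify(journal));
  const sealed = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
  return { v: 1, salt, iv, ciphertext: new Uint8Array(sealed) };
}

// Returns the journal, or null when the passphrase is wrong or the record was
// altered. GCM authentication fails in both cases and there is no fallback.
async function openJournal(passphrase, record) {
  const c = await getCrypto();
  const key = await deriveKey(c, passphrase, record.salt);
  try {
    const plaintext = await c.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return JSON.parse(new TextDecoder().decode(plaintext));
  } catch {
    return null;
  }
}
```
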

And the regular journals, stated plainly

Most journaling does not need either layer above, and Innerholm is honest about what a regular journal is. A regular journal is stored on Innerholm servers so that sync and full-text search work, encrypted in transit and at rest. That means the infrastructure can technically read it, and Innerholm states this plainly rather than hiding behind a slogan.

What balances that trade-off is an explicit commitment about what is never done with your words: no content scanning, no AI training on your entries, no behavioural profiling, and no ads or third-party trackers, just one sign-in cookie. AI features are off by default. A regular journal is private; it is just not sealed from Innerholm unless you turn on end-to-end encryption.

To be precise: regular journals are not end-to-end encrypted. They are encrypted in transit and at rest and never scanned, but the server can read them so that sync and search work. End-to-end encryption and Local Journal Mode are the two ways to take a journal out of the server's reach.

Frequently asked questions

What does it mean that Innerholm is an encrypted journal app?

Innerholm offers two layers you choose per journal. End-to-end encryption seals a journal's title and content on your device with AES-256-GCM, using a passphrase-derived key (Argon2id) that never reaches the server. Local Journal Mode goes fully on-device with WebCrypto AES-GCM and no account. Regular journals are not end-to-end encrypted, but they are encrypted in transit and at rest, with an explicit no-scanning commitment.

Are all Innerholm journals end-to-end encrypted by default?

No, and Innerholm says so plainly. A regular journal is stored on the server so sync and full-text search work, encrypted in transit and at rest, paired with an explicit commitment to no scanning, no AI training, and no profiling. The infrastructure can technically read a regular journal. End-to-end encryption is something you turn on per journal when you want it sealed even from Innerholm.

What happens if I forget the passphrase for an encrypted journal?

For an end-to-end encrypted journal, recovery codes exist for exactly this case, and you keep them safe when you turn encryption on. For a Local Journal Mode journal the trade is sharper: the passphrase is never stored and never recoverable, so if you forget it, the journal is gone. That is the cost of a journal no one but you can ever open.

How is Local Journal Mode different from end-to-end encryption?

An end-to-end encrypted journal still lives in your account and syncs as ciphertext, so you can reach it from another device by signing in and entering your passphrase, with recovery codes as a backstop. A local journal never leaves the device it was written on and needs no account. End-to-end encryption keeps a synced journal private; Local Journal Mode keeps a journal entirely off the network.

Is the encrypted journal free?

Yes. Innerholm is free during early access, with no credit card to start, and the encryption options are not behind a paywall. A paid Innerholm+ tier is planned but not yet priced, and the hardest seasons of life, like grief and sobriety, are kept free on principle.
