this post was submitted on 24 Mar 2026
27 points (90.9% liked)
Selfhosted
60451 readers
1188 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
An airgapped machine is certainly going to be most robust from external attack, but even then you should probably encrypt your files to ensure privacy should you ever discard, or otherwise lose control of, the storage media.
An encrypted partition may be sufficient, but your journal entries will still be "plain text" when it is mounted, and so you will be able to read them without extra effort. If you want to make it so that once an entry is written it is encrypted and can only be read with deliberate effort, you could use GPG encryption.
First generate a key pair with a really strong passphrase, and store it on a USB drive. Then import just the public key onto your journaling machine and store the USB drive somewhere safe. With just the public key on your machine you can encrypt files, but you can't decrypt them. Ideally you'll set up your journalling tool to only write via GPG, but if not, you can just encrypt each entry after you write it.
As to what journalling tool to use, I like VIM, although I know not everyone gets on with it. You can have it start up with a template ready to go, not write temporary files, and save via GPG so the plaintext never hits persistent storage.
Thank you. This is really insightful and something that I think might be a robust solution for me. I’ll research GPG more, I clearly need to.
The fundamental difference between GPG encryption and encrypted partition is that of asymmetric vs. symmetric encryption. Whether you mount encrypted storage or decrypt a file with GPG, there's some "effort" in putting in the passphrase and in both cases the system's keyring is briefly aware of it and the plaintext is saved to memory (volatile, unless you have encrypted swap or other edge cases).
Asymmetric encryption is not normally used for personal stuff but mostly to exchange material with one party holding the private key, and other having access to the public key (which is public). Of course you can act as both parties if you like. If you do, keep in mind:
/dev/shmbefore encryption.Personally I use Joplin. On the clients it's secure because the database is saved on encrypted storage secured by my login phrase. On the server it's secure by Joplin encrypting the files saved to WebDAV storage. Is it 100% safe? Probably not, but probably good enough to stop all but a nation-state level actor.