Change encryption key

  • Hello,

    For security reasons, I would like to be able to change the encryption key of a diary. When the key is compromised, this would be very important and would give a better feeling. For me, with the new web app (congrats on this milestone!), this is more important, as the devices might not be as secure as the iPhone or iPad running DayOne.

    The actual way of creating a new account to change the encryption key is very effortful in my opinion.

    Are there any plans for this?

    Thanks!

    Andreas

  • Hello there,

    Thanks for reaching out to us. Currently, the only way to get a new key would be to create a new account. The steps on how to do that can be seen here.

    I would be happy to submit a feature request to the team for a quicker way to replace the key.

  • I request that feature too! I love Day One and I trust it with my private data. So I was very disturbed to discover that it is not possible to change the encryption key if it has been compromised. That’s a major headache. The current approach of deleting your account and creating a new one is extremely onerous. Presumably it disrupts my subscription too.

    It is crucial for users to be able to change the encryption key at a whim, if they suspect it has been compromised. I implore the Day One developers to take this important security feature seriously.

  • Hi there, @zeronaught! Thank you for your feedback regarding the encryption key options. I’ve added your vote to a feature request for this feature.

  • Thank you @staff-eleanor for adding my vote. However, I see it as a security flaw rather than a mere feature wish. It is a flaw because changing encryption keys should not be so onerous that it discourages users from doing so when their keys have been compromised. The issue was raised nearly two years ago now. So I would like to prod the development team to take it more seriously. Can you please convey my concerns?

    Thank you again for responding. I really do love Day One, which is why I posted in the first place.

  • Hi @zeronaught, your concern is valid, and we agree that this is a feature that needs serious attention. Our team has been looking into implementing a better encryption key generation flow, but we don’t have an ETA at the moment. Since it concerns security, we will take great care to get it right instead of pushing for a fast update.

    Thank you for your patience and understanding.

  • I’m seeking clarification on whether Day One’s encryption approach aligns with zero-knowledge principles, as users cannot independently rotate their encryption keys. In typical zero-knowledge E2EE systems, providers do not have access to encryption keys or plaintext, and users have the option to re-encrypt and re-upload their data if a key is compromised.

    Echoing others in this thread, I’d like the capability to download all my diary entries locally, disable sync, and then re-enable sync to upload everything with a new encryption key—all without deleting my account or interrupting my subscription. I accept responsibility for distributing the new key to other client endpoints via iCloud or manual entry.

    Requiring account deletion for key rotation raises concerns that account credentials may be tied to encryption keys, or that architectural constraints exist that are inconsistent with zero-knowledge models. Could the development team comment on how the current inability to rotate keys fits with modern security standards, and clarify whether key rotation is planned for the near future, especially given this is a longstanding feature request?

    Many thanks!

  • @sbelunek Thank you for bringing this up! We’re currently clarifying this with our development team. As soon as we receive their feedback, we’ll get back to you.

  • @sbelunek Thanks for your patience. Here’s what our development team say.

    Day One is designed with zero-knowledge principles in mind; our servers indeed do not have access to any encryption keys or plaintext. (Except in the case of legacy non-encrypted journals.) Day One is designed such that key rotation is possible, and indeed, the keys for shared journals do automatically get rotated as membership in the journal changes. We just haven’t actually implemented the ability for users to rotate their top-level key.

    The challenges in doing so are not related to the encryption architecture, but more around data loss concerns — downloading all your data and then re-uploading it all introduces opportunities for things to go wrong — what if your device runs out of storage space, or if the network connection goes down, or if the user starts deleting or creating new content mid-process. All of these scenarios (and many others) can lead to users losing their data, which is a terrible outcome for an app focused on preserving your memories, and so they need to be handled carefully. It used to be that moving entries between journals required downloading and re-uploading the content, and even doing that on the level of a handful of entries was a source of frequent data loss due to these kinds of scenarios. (We have since rebuilt the entry move architecture so that it can be done without requiring a full download + re-upload, with much better outcomes.)

    Which is simply to say that all of this requires careful engineering work, and that has to be balanced against the other development priorities of Day One. We can’t make any promises about when this feature request would be prioritized, but we are indeed aware of the request.
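The key hierarchy the reply describes (a rotatable top-level key above per-journal keys) as an added example that is not Day One's own code: entries are sealed under per-journal keys and each journal key is wrapped under the user's master key, so rotating the master key re-wraps a handful of small key blobs and never downloads or re-uploads entry ciphertext, and the swap is all-or-nothing so a failure part-way through cannot leave the store unreadable. The `Vault` class, the function names and the stdlib-only toy cipher are assumptions of this example; whether Day One's stored format permits this is not stated in the thread.

```python
import hashlib
import hmac
import secrets

# Toy encrypt-then-MAC built from the standard library only, so the example runs
# offline; a real client would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _stream(key, nonce, n):
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _stream(_prf(key, b"enc"), nonce, len(ct))))

class Vault:
    """Hypothetical server-side store: it holds only wrapped keys and ciphertext."""
    def __init__(self):
        self.wrapped_keys = {}  # journal_id -> journal key sealed under the master key
        self.entries = {}       # entry_id -> (journal_id, entry sealed under journal key)

def create_journal(vault, master, journal_id):
    vault.wrapped_keys[journal_id] = seal(master, secrets.token_bytes(32))

def add_entry(vault, master, journal_id, entry_id, text):
    journal_key = unseal(master, vault.wrapped_keys[journal_id])
    vault.entries[entry_id] = (journal_id, seal(journal_key, text.encode()))

def read_entry(vault, master, entry_id):
    journal_id, blob = vault.entries[entry_id]
    return unseal(unseal(master, vault.wrapped_keys[journal_id]), blob).decode()

def rotate_master(vault, old_master, new_master):
    """Re-wrap every journal key under the new master key; entry ciphertext is untouched.
    The replacement map is built completely before it is swapped in, so a failure
    part-way through (wrong old key, crash) leaves the vault readable with the old key."""
    rewrapped = {jid: seal(new_master, unseal(old_master, w))
                 for jid, w in vault.wrapped_keys.items()}
    vault.wrapped_keys = rewrapped
    return len(rewrapped)
```

On the shared-journal case the reply mentions, the same pattern applies one level down: a membership change re-wraps that journal's key for the remaining members without rewriting its entries.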
