You unlock your journal
Your account sign-in tells PYD who you are. Your journal password is separate: it unlocks the private journal key in your browser.
Encryption
How PYD keeps journals private.
The key is protected
PYD derives a key from your journal password with PBKDF2 SHA-256 and uses it to unwrap your journal master key. A recovery key can unlock the same master key if you saved it.
Text is encrypted before sync
Journal titles, body text, and tags are encrypted in the browser with AES-GCM before they are written to cloud storage.
The cloud stores locked data
Firestore stores encrypted journal payloads under your sync account. PYD still stores account and subscription data, but not readable journal content.
Your session remembers the key
After you unlock once, PYD Web keeps the unlocked journal key for the current browser session so you do not need to re-enter the password for every journal.
Losing the password matters
Because PYD does not know your journal password, private journal content cannot be recovered without your password or recovery key.