Encrypted Desktop App

Line by Line

A local-first desktop journal where entries seal on submit and stay encrypted until an unlock date passes, backed by an AES-256-GCM SQLite vault whose key is derived from the passphrase and never stored.

C#
.NET 7
Avalonia
Cryptography
SQLite

Employer signal

What This Project Shows

This project shows that I can apply cryptography correctly with standard library primitives and ship the result as a real, downloadable cross-platform desktop app with its own CI/CD pipeline.

Problem

What Needed To Be Solved

Most journaling apps show your words the moment you open them, which invites re-editing and rumination, and many also sync everything to a server. The goal was a tool built around delayed reflection that stays genuinely private: no account, no sync, no server, and no way to immediately reread what you just wrote.

Approach

How I Built The Solution

Each entry is encrypted the instant you press Enter and locked until a configurable unlock date. The vault key is derived fresh from the passphrase on every unlock via PBKDF2 and zeroed from memory on lock, so nothing sensitive is persisted. A deterministic 'sealed preview' scramble shows the shape of locked writing without leaking any content.

Outcome

What It Demonstrates

Line by Line demonstrates end-to-end product ownership: a privacy-focused desktop app with correct authenticated encryption, a responsive native UI under crypto load, and a build-verify-package-distribute pipeline that produces downloadable binaries from a single git tag.

Evidence From Source

Source signal

The vault encrypts a known `LINE_BY_LINE_CHECK_V1` token to verify the passphrase, stores `ciphertext ++ 16-byte tag` per entry with the nonce in a separate column, and calls `Array.Clear` on the key bytes on Ctrl+L, Ctrl+W, `/lock`, and window close.
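The scheme described above, as an added example that is not taken from the project's source: a key derived with PBKDF2, the check token used to test a passphrase, and the `ciphertext ++ 16-byte tag` layout with the nonce held separately. The class and method names, the iteration count, the hash function and the salt size are assumptions; the passphrases are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class VaultSketch   // hypothetical name, not the project's class
{
    const int TagLen = 16, NonceLen = 12;  // tag size from the page; AesGcm accepts only 12-byte nonces
    const int Iterations = 600_000;        // assumed; the page does not state a count
    static readonly byte[] Check = Encoding.UTF8.GetBytes("LINE_BY_LINE_CHECK_V1");

    static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 32);

    // Returns the two values stored per entry: the nonce and ciphertext ++ tag.
    static (byte[] Nonce, byte[] Blob) Seal(byte[] key, byte[] plaintext)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh per entry, never reused under one key
        var ct = new byte[plaintext.Length];
        var tag = new byte[TagLen];
        using var gcm = new AesGcm(key);   // .NET 7 constructor; .NET 8 prefers AesGcm(key, tagSize)
        gcm.Encrypt(nonce, plaintext, ct, tag);
        var blob = new byte[ct.Length + TagLen];
        ct.CopyTo(blob, 0);
        tag.CopyTo(blob, ct.Length);
        return (nonce, blob);
    }

    // Throws CryptographicException if the key is wrong or the stored bytes were altered.
    static byte[] Open(byte[] key, byte[] nonce, byte[] blob)
    {
        if (blob.Length < TagLen) throw new CryptographicException("blob shorter than tag");
        var pt = new byte[blob.Length - TagLen];
        using var gcm = new AesGcm(key);
        gcm.Decrypt(nonce, blob[..^TagLen], blob[^TagLen..], pt);
        return pt;
    }

    // A passphrase is accepted only if its derived key authenticates the check token.
    static bool Verify(byte[] key, (byte[] Nonce, byte[] Blob) check)
    {
        try { return CryptographicOperations.FixedTimeEquals(Open(key, check.Nonce, check.Blob), Check); }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        var salt = RandomNumberGenerator.GetBytes(16);  // stored with the vault; not secret
        byte[] key = DeriveKey("constructed passphrase", salt), wrong = DeriveKey("wrong guess", salt);
        var check = Seal(key, Check);                   // written once when the vault is created
        Console.WriteLine($"wrong: {Verify(wrong, check)}, right: {Verify(key, check)}");
        Array.Clear(key); Array.Clear(wrong);           // zero key bytes on lock, as the page describes
    }
}
```

`Array.Clear` only wipes the managed array it is given; the passphrase `string` and any copies the runtime made are outside its reach.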

Engineering decision

The README honestly notes that unlock timing is app-enforced, not cryptographic — the app prevents casual access, not an adversary with direct DB access and the passphrase. Naming the threat model accurately is part of doing security work credibly.