I built a cryptographic memory layer for humans in Python tags: python, opensource, security, blockchain

DiaryVault — Sat, 07 Feb 2026 22:43:51 +0000

Planes have black boxes. Cars have dash cams. Companies have audit logs.
Humans have... memory. And memory is terrible.
You forget 70% of new information within 24 hours. Meanwhile, AI can now generate fake photos, voices, and text indistinguishable from reality. So I asked myself: what if there was a way to create a tamper-proof, encrypted, verifiable record of your life?
I built it over a weekend and open sourced it. Here's how.
What it does
DiaryVault Memory Layer is a Python SDK that turns any text — journal entries, notes, decisions, thoughts — into cryptographically verified, encrypted, permanent memory records.
You write → SHA-256 hashed → AES-256 encrypted → HMAC signed → optionally anchored on-chain
Five lines to get started:
pythonfrom diaryvault_memory import MemoryVault

vault = MemoryVault(encryption_key="your-secret-key")
memory = vault.create(
content="Today I decided to start a company.",
tags=["career", "milestone"]
)
print(memory.hash) # a7f3b2c1d4e5...
print(memory.verified) # True
That's it. Your memory is now hashed, encrypted, signed, and stored.
The architecture
The system has four layers:

Capture Layer — Gets data in. Manual entries now, AI agents later.
Synthesis Layer — AI enrichment. Summarization, pattern detection, emotional analysis. (Coming in v0.2)
Verification Layer — The cryptographic core. This is where it gets interesting.
Permanence Layer — Where verified hashes get anchored. Local storage, Arweave, Ethereum L2, or IPFS. The crypto decisions I made (and why) This was the part I spent the most time thinking about. Every choice here matters because if the crypto is wrong, the whole project is meaningless. Key derivation: HKDF, not raw SHA-256 My first implementation derived encryption and signing keys by doing SHA-256(master_key + purpose). It worked, but it's not how serious cryptographic systems do it. I switched to HKDF (RFC 5869), which is the industry standard used by TLS 1.3 and the Signal Protocol: pythonfrom cryptography.hazmat.primitives.kdf.hkdf import HKDF from cryptography.hazmat.primitives import hashes

def _derive_key(self, purpose: bytes) -> bytes:
hkdf = HKDF(
algorithm=hashes.SHA256(),
length=32,
salt=None,
info=purpose,
)
return hkdf.derive(self._master_key)
Why does this matter? HKDF properly separates the "extract" and "expand" phases of key derivation, making it resistant to related-key attacks. Raw SHA-256 concatenation can leak information about the master key if an attacker sees multiple derived keys.
Encryption: AES-256-GCM
I chose AES-256-GCM over alternatives like ChaCha20-Poly1305 for one reason: ubiquity. AES-GCM is hardware-accelerated on virtually every modern CPU, it's NIST-approved, and every security auditor on earth knows how to review it.
GCM mode is critical — it provides both confidentiality (nobody can read it) AND authenticity (nobody can tamper with it without detection). A unique 96-bit nonce per encryption prevents pattern analysis:
pythondef encrypt(self, plaintext: str) -> tuple[bytes, bytes]:
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

nonce = os.urandom(12)
aesgcm = AESGCM(self._enc_key)
ciphertext = aesgcm.encrypt(nonce, plaintext.encode("utf-8"), None)
return ciphertext, nonce

Signing: HMAC-SHA256
Every memory hash gets signed with HMAC-SHA256. This proves that the holder of the key created the hash — not just that the hash exists.
Batch verification: Merkle trees
If you have 1,000 memories, you don't want to anchor 1,000 hashes on-chain. Merkle trees let you compute a single root hash that verifies the entire batch:
[Root Hash] ← Anchor this ONE hash
/ \
[Hash AB] [Hash CD]
/ \ / \
[A] [B] [C] [D] ← Individual memories
One hash on-chain. Thousands of memories verified. Cost: one transaction.
Tamper detection in action
This is my favorite part. If someone changes even one character, the verification fails:
pythonmemory = vault.create(content="I said this.")
vault.verify(memory) # True

memory.content = "I NEVER said this."
vault.verify(memory) # False — hash mismatch detected
The SHA-256 hash acts as a fingerprint. Any modification, no matter how small, produces a completely different hash. Combined with the HMAC signature, you get proof of both content and authorship.
The .dvmem open format
I didn't want to lock anyone into a proprietary format. The .dvmem format is a documented JSON structure that any tool can read:
json{
"dvmem_version": "1.0",
"encoding": "utf-8",
"payload": {
"id": "550e8400-...",
"content": "...",
"hash": "a1b2c3d4...",
"encrypted_content": "...",
"signature": "...",
"created_at": "2025-02-07T14:32:01+00:00",
"metadata": {
"tags": ["daily", "career"],
"mood": "optimistic",
"source": "manual"
}
}
}
Export your data anytime. No lock-in. If this project disappears tomorrow, your memories survive.
What I learned shipping my first open source project
A few things surprised me:
The README matters more than the code. I spent as much time on the README as on the SDK itself. If someone can't understand your project in 30 seconds, they leave.
pip install has to work. Sounds obvious, but I almost launched without publishing to PyPI. A developer who can't install your package in 5 seconds will never try it.
CI signals legitimacy. Adding GitHub Actions with a green badge took 10 minutes but immediately made the project look more real.
Start small. The SDK does one thing: hash, encrypt, verify, store. I had grand visions of AI agents, blockchain anchoring, and a mobile SDK. All of that is on the roadmap, but none of it is in v0.1. Ship the core, see if anyone cares, then build what people ask for.
What's next
The roadmap is public, but honestly it depends on what the community wants:

AI capture agents (v0.2)
Arweave and Ethereum L2 anchoring (v0.3)
Photo and voice capture (v0.4)
Dead man's switch for digital legacy (v0.5)
Personal AI training export (v0.6)

Try it
bashpip install diaryvault-memory

GitHub: github.com/DiaryVault/diaryvault-memory-layer
Landing page: memory.diaryvault.com
PyPI: pypi.org/project/diaryvault-memory

MIT licensed. 28 tests passing. No VC. No tokens. Just a thing I think should exist.
Stars and feedback welcome. Especially on the crypto — I'd love eyes from security folks on the implementation.

I'm Stephen — I build AI products including DiaryVault and Crene. This is my first open source project. You can find me on Twitter and GitHub.

DEV Community: DiaryVault

I built a cryptographic memory layer for humans in Python tags: python, opensource, security, blockchain