Hidden in Plain Sight

Adding Secret Posts to the Blog

From now on some of my posts will be encrypted! These "secret posts" give me the opportunity to help manage the privacy of some of my posts. With secret posts, I can not only use this blog as a personal "diary" that gets immortalized on the Internet but also keep track of exactly who gets to see each post, in case I only want certain family or friends to read a post.

Try it for yourself!

If you want to see an example of a secret post and try the workflow for decrypting one, check out my first test secret post. Just follow the instructions on each page to see the original message. The password for that post is password.

How it works

For this version of secret posts, the plaintext is encrypted using the AES symmetric key algorithm with the CBC mode of operation and a 256 bit key size. The encryption key is derived from a password using PBKDF2. At the moment, all of this is done in an OpenSSL command.

Limitations and future improvements

Using an OpenSSL command that has to be run in a terminal isn't really the best experience to have for a web-native blog like this. Using Repl.it as a sort of terminal in the web is a decent solution for this, but ideally a secret post would prompt you for a password and decrypt the ciphertext without your needing to leave the page. That's top of mind when I think of secret posts, but I'm not sure that I feel like putting in the engineering time to do that just yet.

Another marginal improvement is to use the GCM mode of operation instead of CBC, but, again, the development time needed to make such a change functional doesn't meet the security payoff at this point in time, so it'll have to wait.

To wrap up

I think more personal blogs should add secret posts. As a feature, they're not useful at first glance, but you can get really creative with them. Honestly, I expect influencers and creators to use private and "walled garden" style features as a whole much more often to help enrich the experiences that they provide their communities. But, that's a topic for another post. Thanks for your time!