mdenc — Encrypt your Markdown

mdenc │ password: │ scrypt:

── PLAINTEXT ──

▶

── ENCRYPTED ──

what is mdenc? │ │ github │ npm

── HOW IT WORKS ──

Paragraph-granular encryption

mdenc splits Markdown on blank lines and encrypts each paragraph independently with XChaCha20-Poly1305. Change one paragraph and only that chunk's ciphertext changes.

Deterministic ciphertext

Nonces are derived from HMAC-SHA256(key, plaintext), not random. Same password + same text = same output. This makes encrypted files produce clean git diffs.

File format

mdenc:v1 salt_b64=... file_id_b64=... scrypt=N=...,r=...,p=...
hdrauth_b64=<HMAC-SHA256 of header>
<base64 chunk: nonce ‖ ciphertext ‖ tag>
<base64 chunk: nonce ‖ ciphertext ‖ tag>
seal_b64=<HMAC-SHA256 of all lines above>

Git integration

Uses git's native smudge/clean filter. Your working directory stays plaintext; git objects store ciphertext. Diffs show plaintext via textconv.

Color coding

Each color above maps a plaintext paragraph to its encrypted chunk. Edit a paragraph and watch only the matching chunk change.