Secure Clips

What it does

Secure Clips lets you encrypt individual clips so their content is hidden until you explicitly unlock them. Two encryption modes are available:

  • DPAPI (Windows-bound) — The clip is locked using your Windows login. It unlocks automatically when you’re logged in — no password needed. Clips encrypted this way are tied to your machine and Windows account; they cannot be moved to another PC.
  • AES-256 (Portable) — The clip is locked with your vault’s master password. These clips can be backed up and restored on any machine, provided you know the recovery password.

Locked clips show a 🔒 SEC badge in the clips list. Their content is never shown in the preview until unlocked.

How to use it

Locking a clip

  1. Right-click any clip → Lock clip
  2. Choose DPAPI or AES-256
  3. For AES-256: you’ll be prompted to unlock the vault first if it’s not already open
  4. The clip is encrypted and shows the SEC badge

Unlocking a clip

  1. Select the locked clip
  2. The preview shows a lock badge — click the unlock button, or double-click to paste (auto-unlocks for DPAPI)
  3. For AES-256: enter your vault password when prompted
  4. Content is shown temporarily (peek) or permanently unlocked depending on your action

Auto-peek on select (DPAPI only)

When enabled in Settings → Security, selecting a DPAPI-locked clip automatically decrypts and shows its content in the preview — no extra click needed.

Vault lock status

The clips status bar shows a 🔓 or 🔒 vault indicator. Hover to see:

  • DPAPI: “DPAPI session — bound to Windows login”
  • Password session: “Xm Xs remaining” (counts down to TTL)

Click the indicator to go directly to Security Settings.

Configuration

All settings live in Settings → Security → Secure Vault:

Setting Description
Session timeout How long a password-based unlock stays active (5m / 15m / 30m / session)
Auto-peek on select Auto-decrypt DPAPI clips when selected in the list
Recovery password Optional AES-256 backup password for cross-machine restore

Note: Session timeout applies only to password-based unlocks. DPAPI auto-unlock is always session-lifetime — Windows manages the credential.

Backup and restore

Secure clips are fully backed up:

  • Encrypted content is included in the backup file as-is (ciphertext)
  • The vault key configuration is also backed up
  • On restore to the same machine: everything works, DPAPI clips auto-unlock as usual
  • On restore to a different machine: a warning is shown — DPAPI clips cannot be decrypted on another Windows account. AES-256 clips restore fine with the recovery password.

Two dedicated categories appear in the clips tree sidebar:

  • Secure — shows only clips where encryption is active
  • Protected — shows clips excluded from retention cleanup or masked from view

Edge cases & known limits

  • DPAPI clips are permanently unrecoverable if your Windows account is lost or you reinstall without a backup
  • Image clips cannot be encrypted in v1 — only text and rich-text clips
  • Rich-text / HTML formats stored alongside the main clip are not encrypted even if the main clip is — this will be addressed in a future version
  • The overlay does not yet show the SEC badge or decrypt on paste (planned)
  • Search — search works on the visible (unencrypted) clip metadata; locked content is not indexed