Loading...
Loading...
Cliprift is built around a simple principle: your clipboard is yours. This guide explains how encryption works, what data we detect and protect, and how you control what's stored and for how long.
Cliprift offers multiple layers of privacy protection that work together to keep your data safe:
All clipboard data is encrypted in transit with TLS and at rest with AES-256 on our servers. End-to-end encryption is coming soon.
Credit cards, API keys, and secrets are automatically flagged and can auto-expire after a configurable time.
Exclude specific applications from clipboard monitoring entirely. Items from ignored apps never enter your history.
Choose how long items are kept — from 7 days to indefinitely. Sensitive items have their own separate timer.
Encryption is offered during onboarding when you first set up Cliprift. You can also enable it later from Settings. The process takes about 30 seconds.
Choose a passphrase
Pick a passphrase of at least 8 characters. A real-time strength meter guides you — we recommend 12 or more characters with a mix of character types. You'll confirm it in a second field.
Your key is derived locally
Cliprift combines your passphrase with a random salt through 600,000 rounds of PBKDF2-SHA256. This happens entirely on your device. The passphrase is never sent to our servers.
Save your recovery codes
You'll see 10 single-use recovery codes displayed in a grid. Copy them or download the file. These are your backup if you ever forget your passphrase.
Existing items are encrypted
If you already have clipboard items, they're automatically re-encrypted in batches. A progress bar shows the migration status. No data is lost.
One passphrase per session
You enter your passphrase once when you open Cliprift. The encryption key is held in memory for the duration of the session and cleared when you sign out. You won't be prompted again until next time.
What happens under the hood: Every clipboard item is encrypted with AES-256-GCM — the same standard used by banks and governments. Each item gets a unique random initialization vector (IV), so even identical clipboard entries produce completely different encrypted output. A verification hash of your key is stored server-side so other devices can confirm you've entered the correct passphrase.
Recovery codes are your safety net if you forget your passphrase. Each code can restore full access to your encrypted data — but only once. After use, that code is permanently consumed.
During setup, your raw encryption key is wrapped (encrypted) with a key derived from each recovery code. These wrapped copies are stored on the server. When you use a code, the corresponding wrapped key is decrypted locally to restore your encryption key.
Codes are shown once during setup. You can copy all to your clipboard or download them as a text file. Store them in a password manager or print them and keep them somewhere safe.
Lost codes = lost data
If you lose both your passphrase and all recovery codes, your encrypted clipboard items cannot be recovered — by anyone, including Cliprift. This is the trade-off of zero-knowledge encryption: maximum privacy means no backdoors.
Running low on codes?
If you have 2 or fewer recovery codes remaining, Cliprift will prompt you to regenerate a fresh set. You can also regenerate codes at any time from the encryption settings.
Encryption works seamlessly across all your devices. Because the key is derived deterministically from your passphrase and a shared salt, every device that knows your passphrase derives the exact same encryption key. There is no key file to transfer or sync.
Enter your passphrase once per session. The derived key is held in memory and cleared on sign-out. Encryption and decryption happen via the Web Crypto API with no noticeable delay.
After pairing, enter your passphrase to derive the same key. On iOS, the key is stored in the Keychain. On Android, it uses the hardware-backed Keystore. Biometric unlock is available for subsequent sessions.
The server only stores the salt. The salt is a random value generated once per account. It is combined with your passphrase during key derivation but is useless on its own. Even if someone obtained the salt, they would need your passphrase to derive the encryption key.
Cliprift automatically scans clipboard content for sensitive data patterns — credit cards, API keys, social security numbers, and other secrets. This detection runs locally on your device at capture time, before any data leaves your machine.
| Data type | Pattern | Detail |
|---|---|---|
| Credit cards | 4111 1111 1111 1111 | Validated with Luhn algorithm to reduce false positives |
| Social Security Numbers | 123-45-6789 | US SSN format with dashes |
| API keys | sk-proj-..., sk_live_..., AKIA... | OpenAI, Stripe, AWS, GitHub, GitLab, Slack key formats |
| Generic secrets | api_key=abc123..., secret_key=... | Matches api_key, secret_key, access_token, auth_token, private_key followed by 20+ characters |
Flagged items appear in your clipboard history with a sensitive badge. You can configure what happens to them using the auto-expire timer in Settings > Privacy.
Always on
Sensitive data detection cannot be disabled. It runs in both the Rust clipboard watcher and the TypeScript layer as a safety net. This dual detection ensures nothing slips through regardless of how content enters your history.
In Settings > Privacy > Auto-expire sensitive items, you control how long flagged items stay in your history. The default is 1 hour.
5 minutes
Strictest — sensitive items vanish quickly
15 minutes
Short window for pasting
1 hour
Default — balances convenience and privacy
24 hours
Full day before cleanup
Never
Sensitive items kept like normal items
If you use a password manager or other sensitive application, you can tell Cliprift to completely ignore anything copied from that app. Items from ignored applications never enter your clipboard history — they are filtered at the watcher level before any processing.
Open Settings > Privacy > Ignored applications
You'll see a text input and a list of any apps you've already added.
Enter the application name
Type the app name exactly as it appears in your system. On Windows, include the .exe extension (e.g., "1Password.exe"). On macOS, use the app name (e.g., "1Password").
Items are blocked immediately
The change takes effect instantly. Anything you copy from that app will be silently discarded by the clipboard watcher.
Common apps to ignore
Password managers (1Password, Bitwarden, KeePass), banking apps, and any application that handles credentials. App matching is case-insensitive, so "bitwarden" and "Bitwarden" both work.
You have full control over how long clipboard items are stored. Cliprift provides two independent retention timers — one for general history and one for sensitive items — so you can apply stricter policies to sensitive data without affecting the rest.
In Settings > Clipboard > Auto-clear after, choose how long to keep unpinned items.
| Option | Behavior |
|---|---|
| Never(default) | Items kept indefinitely |
| 7 days | Unpinned items removed after 7 days |
| 30 days | Unpinned items removed after 30 days |
| 90 days | Unpinned items removed after 90 days |
Auto-clear runs on app startup (with a short delay), every hour while Cliprift is open, and immediately when you change the retention setting. Sensitive auto-expire follows the same schedule.
Pinned items are never auto-cleared, regardless of their age or sensitivity status. If you need to keep something permanently, pin it and it will survive all retention policies.
You can always delete individual items with the Delete key or trash icon, or use bulk selection to remove multiple items at once. Deleted items are removed from the server immediately.
Deletion is permanent
When items are deleted — whether by auto-clear, auto-expire, or manual deletion — they are removed from both your device and the server. If encryption is enabled, the encrypted blobs are also removed. There is no recycle bin or undo for deleted items.