Your clipboard is a security hole. Here's what to check.
Most clipboard managers store everything you copy — passwords included — in plaintext on disk. A short guide to what to look for, and how end-to-end encryption changes the picture.
By The Clypy team
Here's an uncomfortable fact about most clipboard managers: everything you copy — including passwords, 2FA codes, and API keys — gets written to a database on your disk, in plaintext. If someone has access to your machine, a backup, or the sync server, they can read it.
The convenience is real. So is the exposure. This is a short guide to what to check before you trust a clipboard manager with your day.
What "stored in plaintext" actually means
When you copy a password, a typical clipboard manager appends it to a local history file — often an unencrypted SQLite database. That file is:
You can verify this yourself for any tool you use:
# Find the history database (paths vary by app)
find ~ -name "*.sqlite" -path "*clipboard*" 2>/dev/null
# If you can read secrets out of it in plaintext, so can anything else
sqlite3 <path> "select * from history limit 20;"
If your copied secrets show up there as readable text, that's the problem in one command.
A checklist before you trust one
| Question | Why it matters |
|---|---|
| Is history encrypted at rest? | Stops local disk / backup reads. |
| Is sync end-to-end encrypted? | The server should never see plaintext. |
| Can you exclude apps? | Password managers should never be captured. |
| Do secrets auto-expire? | Limits the window if something leaks. |
If a tool can't answer the first two with "yes," assume everything you've ever copied is readable somewhere.
How end-to-end encryption changes the picture
End-to-end encryption means clips are encrypted on your device before they're stored or synced, and only your devices hold the keys. The server stores ciphertext it can't read. A stolen database — local or cloud — is useless without your keys.
That's the model Clypy uses. On top of it:
The safest clip is the one that was never stored in the clear. Read more about how Clypy handles security.