by josephg 164 days ago
Where are the keys stored? If you encrypt the data but just have the keys in another database table, I don’t really see the point of having it encrypted at all.

I agree with others. I wouldn’t use this unless I trust how you’re handling my data security. All sorts of highly sensitive passwords and security keys hit my clipboard.

Keys are derived server-side using PBKDF2 (master key + user ID). Each user gets a unique key. Keys never leave the server. Details at https://quickclip.space/data-security. Thanks for asking—this is exactly the kind of question that matters for security.
Thanks for writing this up and posting it! So:

- It’s not E2EE. It’s not even client side encrypted.

- You encrypt at rest. But using a key that you control anyway. The master key presumably is never stored in the database, which is a nice touch in case the database gets stolen.

- Images aren’t encrypted at all for some reason. (I think you’d find encrypting images with AES to be pretty fast. If you’re using TLS, the image data is already being encrypted and decrypted over the wire, but too fast for you to notice).

How long is data stored for? Are images ever deleted? Is text?

And are you using TLS? At the protocol level everything is sent in the clear. So your transport security is quite important.

Why are you even encrypting? What's the threat model it's protecting against? Clearly it's not "prevent me from reading your data" since you have access to the keys anyway.
There is only one key, common across all users, stored server-side.
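
The scheme discussed in this thread (per-user keys derived server-side with PBKDF2 from a master key and the user ID, protecting data at rest) can be modelled as below to show who can and cannot read a stolen database. This is an added example, not code from the site or from any commenter; the iteration count, the salt layout, the HMAC-based stand-in cipher (the Python standard library has no AES) and all names and sample data are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed; the thread does not give the real parameters

def derive_user_key(master_key: bytes, user_id: str) -> bytes:
    # Per-user key = PBKDF2(master key, salt = user ID), as the reply describes.
    return hashlib.pbkdf2_hmac("sha256", master_key, user_id.encode(), ITERATIONS)

def _subkeys(key: bytes):
    # Separate encryption and MAC keys from the one derived key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: illustrative stand-in for AES only.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered row
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def readable_rows(db: dict, master_key: bytes) -> dict:
    # Rows a party can decrypt if it holds the database dump plus this master key.
    out = {}
    for user_id, blob in db.items():
        plain = unseal(derive_user_key(master_key, user_id), blob)
        if plain is not None:
            out[user_id] = plain
    return out

# Constructed sample data: the master key is kept outside the database.
MASTER_KEY = os.urandom(32)
DB = {u: seal(derive_user_key(MASTER_KEY, u), p)
      for u, p in {"alice": b"hunter2", "bob": b"ssh-private-key"}.items()}

if __name__ == "__main__":
    print("master-key holder:", readable_rows(DB, MASTER_KEY))
    print("database-only thief:", readable_rows(DB, os.urandom(32)))
```

Whoever holds the master key can re-derive every user's key from the user ID alone, so the per-user keys only help against a database dump taken without the master key.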