Security - Coppy

Security First

Your data stays
on your Mac. Period.

Unlike cloud-based clipboard managers, Coppy stores everything locally using SQLite. Your sensitive data never leaves your device.

AES-256 encryption with your unique password
Zero network requests – works 100% offline
No telemetry, analytics, or tracking
Sandboxed macOS app for extra protection

How We Protect Your Password (Zero Knowledge)

The app does not store your password. Instead, it uses a secure verification method:

When you set a password

→ Generate random "salt" and combine with password to create unique Encryption Key
→ Encrypt a special token (the word "VALID") with this key
→ Save Salt and Encrypted Token, discard password and key

Between launches

→ App sees Salt and Encrypted Token, knows a vault exists
→ Cannot decrypt anything without the key

When you unlock

→ Enter your password
→ Combine with stored Salt to recreate Encryption Key
→ Decrypt the Token to verify password is correct
→ Keep Key in memory only while app is running

Exception (Touch ID)

If you enable Touch ID, we do store the Encryption Key in the macOS Keychain, but it is wrapped in a biometric lock. It can only be retrieved when you successfully authenticate with your fingerprint/FaceID.

Brute-Force Resistance

An attacker with the encrypted device/storage would need ~2²⁸–2³⁰ PBKDF2 operations to brute-force an 8-character complex password (numbers, mixed case, symbols).

That's hundreds of thousands to billions of years on a single high-end GPU in 2025.

Even a weak 6-character password now requires years instead of days or hours.

Encryption Parameters

KDF:

                                    PBKDF2

PRF:

                                    HMAC-SHA256

Iterations:

                                    200,000

Key Length:

                                    256 bits (32 bytes)

Salt:

Random (stored in UserDefaults)

Security Comparison

App / System	PBKDF2 Iterations	Status
Coppy app	200,000	✓ Excellent
1Password (2024–2025)	300,000–650,000	Slightly stronger
Apple Keychain (app pw)	~100,000–400,000	Very similar
Bitwarden (local cache)	200,000 (client-side)	Identical
Old 2015-era apps	20,000–50,000	⚠ Now considered weak

Your data stayson your Mac. Period.