clibo is a single static binary that speaks the same E2EE protocol as the web app. Pipe text or files from any shell into a session; the server never sees plaintext.
curl -sSL https://clipboard.lab.rm-info.fr/install.sh | sh
Detects your platform, drops the binary in /usr/local/bin/clibo. Override the target with CLIBO_BIN=~/.local/bin/clibo to avoid sudo.
irm https://clipboard.lab.rm-info.fr/install.ps1 | iex
Downloads clibo.exe to %LOCALAPPDATA%\Programs\clibo\ and adds it to your user PATH. Open a new terminal afterwards.
Each link redirects to the latest GitHub release for that target.
Commands, configuration and build instructions live in the CLI repository README.
Open the READMEAbout
v2.5.1 · build 19d423c
Ephemeral, end-to-end encrypted clipboard for sharing text and files between machines. Self-hosted, 2-hour sliding TTL, no IP tracking.
Privacy & cookies
End-to-end encryption: your data is encrypted in your browser before it ever leaves the device. The operator stores ciphertext only and cannot read your messages or files. Here is everything else.
clip_token_<id> — An HMAC-signed write token bound to this session ID. Issued by the server after a successful E2EE handshake. Contains no key material — losing it just means re-authenticating. httponly, secure, samesite strict, lifetime tracks the session (max 2h, sliding).clip_lang — Language preference. samesite lax, 1-year lifetime. No sensitive data.Your AES-256 key is derived in the browser via Argon2id from the password you type and the session ID. The raw key is held in sessionStorage for the lifetime of the browser tab — closing the tab clears it. The key is never sent to the server in any form.
Text and files travel as AES-256-GCM ciphertext encrypted in your browser. The server stores opaque blobs and metadata it cannot decrypt. Filenames and thumbnails are also encrypted client-side. In transit: HTTPS only.
No IP address is logged or stored. Anti-abuse uses proof-of-work (your browser computes a small hash puzzle on each new session and each login attempt) plus per-token quotas. The server cannot link two sessions to the same visitor.
With end-to-end encryption, the server cannot reset or recover anything. If you forget the password, the data is gone. Use a real password manager if it matters.
For maximum protection against browser extensions or shared devices, open the session in a private/incognito window. The key in sessionStorage is then scoped to that window only — closing it leaves no local trace. You can also install this site as an app (from the browser's URL bar): the static crypto bundle then runs from your local cache and pins the version you installed.
No tracking, no analytics, no third-party scripts. No content logging. No IP logging. No backup beyond Redis and the ephemeral disk used for in-flight ciphertext. No data sent to any third party. No advertising cookies.
2-hour sliding window after the last write. After that, everything (encrypted content in Redis and on disk) is automatically deleted. You can also wipe immediately via the "Wipe session" button.