
Encryption at rest

How sensitive Overshow data is protected on disk and how key material is tied to your device.

Last updated: 17 May 2026

SQLCipher database encryption

Sensitive Overshow data in the desktop database is encrypted at rest with SQLCipher whole-database encryption. That covers transcripts, OCR text, generated summaries, FTS search tables, embeddings metadata, and other rows inside the local SQLite database file.

The database key is derived from a high-entropy secret stored in the platform keychain, mixed with device and user identifiers through HKDF-SHA256. The SQLite file uses SQLCipher's AES-256-CBC + HMAC-SHA512 format, so stock sqlite3 cannot read it without the key.
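As an added illustration (not Overshow's own code), the sketch below shows one way a keychain secret can be mixed with device and user identifiers through HKDF-SHA256 to produce a 256-bit key in SQLCipher's raw-key form. The context label, the length-prefixed encoding of the identifiers, the empty salt, and all function names are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    # Extract: an absent salt is defined as HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def bind_context(label: bytes, *fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    out = label
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def derive_db_key(keychain_secret: bytes, device_id: str, user_id: str) -> bytes:
    """Derive a 256-bit database key bound to one device and one user."""
    if len(keychain_secret) < 32:
        raise ValueError("keychain secret should be at least 256 bits")
    info = bind_context(b"example-db-key-v1", device_id, user_id)  # assumed label
    return hkdf_sha256(keychain_secret, salt=b"", info=info, length=32)


def sqlcipher_raw_key_pragma(key: bytes) -> str:
    """Format a 32-byte key in SQLCipher's raw-key syntax (no passphrase KDF)."""
    return f"PRAGMA key = \"x'{key.hex()}'\";"


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed stand-in for the keychain item
    key_a = derive_db_key(secret, "DEVICE-A-0001", "user-501")  # constructed ids
    key_b = derive_db_key(secret, "DEVICE-B-0002", "user-501")
    # The key itself is never printed; only the comparison result is shown.
    print("same secret, different device -> same key?", key_a == key_b)
```

Because the identifiers enter through the HKDF `info` input, the same keychain secret yields an unrelated key for a different device or user.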

What is encrypted

Examples stored inside the encrypted database include:

  • OCR text and UI accessibility text
  • Transcripts and related audio-derived text
  • Meeting and daily summaries
  • Question-detection and answer-candidate data held for search and Ask
  • FTS and embedding rows used for local recall

The application process sees plaintext after it opens the database with the key. That is required for local search and summaries to work, but the on-disk database and its WAL/SHM sidecars stay encrypted.

What can still be plaintext

SQLCipher does not encrypt files that you explicitly export. Markdown meeting exports, context exports, diagnostic exports, and markdown mirror files should be treated as sensitive plaintext artefacts once you save or share them. Runtime logs are also plaintext, but are designed not to include captured content.

Durable capture/audio spillover queues sit outside the SQLite database and are protected separately with file-level AEAD encryption. They are transient backpressure files, not the primary datastore.

Where it lives

Your database sits under your macOS user folder (see Data management). Overshow does not sync that database to cloud storage as part of the core product. Backup tools you run yourself may copy encrypted files; that is under your control, not a built-in Overshow sync service.

You are always in control of what Overshow captures. Encryption reduces the impact if storage is copied, but it remains important to pair it with pause, exclusions, and purge when appropriate.

Encryption at rest protects data on disk. It does not replace macOS login security, FileVault, or careful handling of unlocked sessions. Use those layers together for defence in depth.