diff --git a/apps/fluux/src/App.tsx b/apps/fluux/src/App.tsx
index 4fcada4e..f8346938 100644
--- a/apps/fluux/src/App.tsx
+++ b/apps/fluux/src/App.tsx
@@ -10,6 +10,7 @@ import { useToastStore } from './stores/toastStore'
 import { UnlockEncryptionDialog } from './components/UnlockEncryptionDialog'
 import { IdentityChoiceDialog } from './components/IdentityChoiceDialog'
 import { RestorePassphraseDialog } from './components/RestorePassphraseDialog'
+import { useWebUnlockDialogStore } from './stores/webUnlockDialogStore'
 import { detectRenderLoop } from '@/utils/renderLoopDetector'
 import { LoginScreen } from './components/LoginScreen'
 import { ChatLayout } from './components/ChatLayout'
@@ -154,7 +155,9 @@ function App() {
   // Used to distinguish initial page load reconnect from wake-from-sleep reconnect
   const [hasBeenOnline, setHasBeenOnline] = useState(false)
 
-  const [showWebUnlockDialog, setShowWebUnlockDialog] = useState(false)
+  const showWebUnlockDialog = useWebUnlockDialogStore((s) => s.isOpen)
+  const openWebUnlockDialog = useWebUnlockDialogStore((s) => s.openWebUnlockDialog)
+  const closeWebUnlockDialog = useWebUnlockDialogStore((s) => s.closeWebUnlockDialog)
   // Set when auto-init detects a server-side OpenPGP identity for this
   // account but no local key. Forces the user through IdentityChoiceDialog
   // instead of the standard unlock dialog (which would otherwise reach
@@ -226,7 +229,7 @@ function App() {
           }
         }
         if (isKeyLocked()) {
-          setShowWebUnlockDialog(true)
+          openWebUnlockDialog()
         }
       })
     } else if (status !== 'connecting') {
@@ -237,7 +240,7 @@ function App() {
         setIsAutoReconnecting(false)
       }
     }
-  }, [status, client, jid])
+  }, [status, client, jid, openWebUnlockDialog])
 
   // --- Identity-choice handlers (web first-login safety net) ---
   // Each resolves `pendingIdentityChoice` with one explicit recovery
@@ -395,7 +398,7 @@ function App() {
       {showWebUnlockDialog && (
         <UnlockEncryptionDialog
           client={client}
-          onClose={() => setShowWebUnlockDialog(false)}
+          onClose={() => closeWebUnlockDialog()}
         />
       )}
       {pendingIdentityChoice && (
diff --git a/apps/fluux/src/components/BackupPassphraseDialog.tsx b/apps/fluux/src/components/BackupPassphraseDialog.tsx
index 7bb1106a..bbcc41c4 100644
--- a/apps/fluux/src/components/BackupPassphraseDialog.tsx
+++ b/apps/fluux/src/components/BackupPassphraseDialog.tsx
@@ -2,6 +2,7 @@ import { useCallback, useEffect, useMemo, useRef, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { Copy, Check, AlertTriangle, Loader2, RefreshCw } from 'lucide-react'
 import { generateBackupPassphrase, generateBackupCode, USE_V6_KEYS } from '@/e2ee/passphraseGenerator'
+import { SaveToPasswordManagerButton } from './SaveToPasswordManagerButton'
 
 // Draw a fresh passphrase in the user's UI language. 8 words ×
 // 11 bits (BIP-39) = 88 bits, which matches the acceptability gate
@@ -218,6 +219,12 @@ export function BackupPassphraseDialog({
               ? t('settings.encryption.backupCopied')
               : t('settings.encryption.backupCopy')}
           </button>
+          <SaveToPasswordManagerButton
+            id="openpgp-passphrase"
+            name={t('settings.encryption.savePassphraseManagerLabel')}
+            passphrase={passphrase}
+            disabled={isPublishing}
+          />
           <button
             onClick={handleRegenerate}
             disabled={isPublishing || !passphrase}
diff --git a/apps/fluux/src/components/ChatHeader.tsx b/apps/fluux/src/components/ChatHeader.tsx
index 7e0e22d2..aae1b8b8 100644
--- a/apps/fluux/src/components/ChatHeader.tsx
+++ b/apps/fluux/src/components/ChatHeader.tsx
@@ -14,6 +14,7 @@ import { getTranslatedStatusText } from '@/utils/statusText'
 import { Tooltip } from './Tooltip'
 import { ArrowLeft, Clock, Hash, Lock, LockOpen, Loader2, Search, ShieldAlert, ShieldCheck, ShieldOff, ShieldX } from 'lucide-react'
 import type { ConversationEncryptionState } from '@/hooks/useConversationEncryptionState'
+import { useWebUnlockDialogStore } from '@/stores/webUnlockDialogStore'
 
 export interface ChatHeaderProps {
   name: string
@@ -156,6 +157,32 @@ function formatFingerprint(fp: string): string {
   return fp.match(/.{1,4}/g)?.join(' ') ?? fp
 }
 
+function KeyLockedIcon({ fingerprint }: { fingerprint?: string }) {
+  const { t } = useTranslation()
+  const openWebUnlockDialog = useWebUnlockDialogStore((s) => s.openWebUnlockDialog)
+  const btnClass = 'p-1.5 rounded transition-colors'
+  const tooltip = (
+    <div>
+      <div>{t('chat.encryption.keyLockedTooltip')}</div>
+      {fingerprint && (
+        <div className="font-mono text-xs mt-0.5 opacity-75">{formatFingerprint(fingerprint)}</div>
+      )}
+    </div>
+  )
+  return (
+    <Tooltip content={tooltip} position="bottom">
+      <button
+        type="button"
+        onClick={() => openWebUnlockDialog()}
+        className={`${btnClass} text-yellow-500 hover:text-yellow-600 cursor-pointer`}
+        aria-label={t('chat.encryption.keyLocked')}
+      >
+        <Lock className="w-4 h-4" />
+      </button>
+    </Tooltip>
+  )
+}
+
 function EncryptionIcon({
   state,
   peerName,
@@ -212,6 +239,10 @@ function EncryptionIcon({
     )
   }
 
+  if (state.kind === 'keyLocked') {
+    return <KeyLockedIcon fingerprint={state.fingerprint} />
+  }
+
   if (state.kind === 'rejected') {
     return (
       <div ref={containerRef} className="relative">
diff --git a/apps/fluux/src/components/ChatView.tsx b/apps/fluux/src/components/ChatView.tsx
index 7754101f..afd4b81c 100644
--- a/apps/fluux/src/components/ChatView.tsx
+++ b/apps/fluux/src/components/ChatView.tsx
@@ -15,6 +15,7 @@ import { MessageBubble, MessageList as MessageListComponent, shouldShowAvatar, b
 import { FindOnPageBar } from './conversation/FindOnPageBar'
 import { useFindOnPage, type FindOnPageHandle } from '@/hooks/useFindOnPage'
 import { useConversationEncryptionState, type ConversationEncryptionState } from '@/hooks/useConversationEncryptionState'
+import { useWebUnlockDialogStore } from '@/stores/webUnlockDialogStore'
 import { ChristmasAnimation } from './ChristmasAnimation'
 import { ChatHeader } from './ChatHeader'
 import { MessageComposer, type ReplyInfo, type EditInfo, type MessageComposerHandle, type PendingAttachment } from './MessageComposer'
@@ -945,6 +946,7 @@ function MessageInput({
 }) {
   const { t } = useTranslation()
   const { sendMessage, sendChatState, isArchived, unarchiveConversation, setDraft, getDraft, clearDraft, clearFirstNewMessageId } = useChatActive()
+  const openWebUnlockDialog = useWebUnlockDialogStore((s) => s.openWebUnlockDialog)
 
   // Draft persistence - saves on conversation change, restores on load
   const [text, setText] = useConversationDraft({
@@ -983,6 +985,19 @@ function MessageInput({
   }
 
   const handleSend = async (text: string): Promise<boolean> => {
+    // Refuse to send while the local OpenPGP key is locked for an
+    // encrypted conversation. Without the guard, the file upload would
+    // happen plaintext-or-ciphertext-with-no-recipient (depending on
+    // `encryptAttachment` below) and the send would fail at encrypt
+    // time, leaving an orphaned upload on the server. Opening the
+    // unlock dialog routes the user to the passphrase prompt; the
+    // typed text stays in the composer (we return `false` here, which
+    // skips the `setText('')` clear in MessageComposer).
+    if (encryptionState.kind === 'keyLocked') {
+      openWebUnlockDialog()
+      return false
+    }
+
     // Unarchive conversation if archived (user is actively chatting)
     // and switch to Messages view to see it in the main list
     if (type === 'chat' && isArchived(conversationId)) {
diff --git a/apps/fluux/src/components/SaveToPasswordManagerButton.tsx b/apps/fluux/src/components/SaveToPasswordManagerButton.tsx
new file mode 100644
index 00000000..dc4df151
--- /dev/null
+++ b/apps/fluux/src/components/SaveToPasswordManagerButton.tsx
@@ -0,0 +1,81 @@
+import { useCallback, useState } from 'react'
+import { useTranslation } from 'react-i18next'
+import { KeyRound, Check } from 'lucide-react'
+import { saveCredentialToManager } from '@/utils/saveCredentialToManager'
+import { USE_V6_KEYS } from '@/e2ee/passphraseGenerator'
+import { isTauri } from '@/utils/tauri'
+
+interface SaveToPasswordManagerButtonProps {
+  /** Stable credential identifier; matches the dialog's hidden username so save and autofill share an entry. */
+  id: string
+  /** Human-readable label persisted in the PM entry list. Selected in the user's UI language. */
+  name: string
+  /** Passphrase to save. Button is disabled while this is null. */
+  passphrase: string | null
+  /** External disable (e.g. while the dialog is publishing). */
+  disabled?: boolean
+}
+
+/**
+ * Explicit "save to password manager" affordance for Tauri.
+ *
+ * Web is intentionally not handled here — the hidden form inputs +
+ * `autoComplete="new-password"` already drive the browser PM detection on
+ * form submission, so a button would be redundant. In Tauri the embedded
+ * webview doesn't reliably trigger that detection, hence this explicit path.
+ *
+ * Gated on `USE_V6_KEYS`: V4 backup codes don't fit the PM model because
+ * the restore flow uses a formatted input with `autoComplete="off"`, so we
+ * don't offer to save them. Returns null in V4 mode and on the web.
+ */
+export function SaveToPasswordManagerButton({
+  id,
+  name,
+  passphrase,
+  disabled,
+}: SaveToPasswordManagerButtonProps) {
+  const { t } = useTranslation()
+  const [feedback, setFeedback] = useState<'saved' | 'fallback' | null>(null)
+
+  const handleClick = useCallback(async () => {
+    if (!passphrase) return
+    const outcome = await saveCredentialToManager({ id, name, password: passphrase })
+    if (outcome === 'saved') {
+      setFeedback('saved')
+    } else {
+      try {
+        await navigator.clipboard.writeText(passphrase)
+      } catch {
+        // Clipboard may also be unavailable (no user gesture, secure context, etc.);
+        // we still show the fallback hint so the user knows the save didn't go through.
+      }
+      setFeedback('fallback')
+    }
+    setTimeout(() => setFeedback(null), 2000)
+  }, [id, name, passphrase])
+
+  if (!isTauri() || !USE_V6_KEYS) return null
+
+  const isFallback = feedback === 'fallback'
+  const isSaved = feedback === 'saved'
+
+  return (
+    <button
+      type="button"
+      onClick={handleClick}
+      disabled={disabled || !passphrase}
+      className="flex-1 flex items-center justify-center gap-1.5 px-3 py-1.5 text-sm text-fluux-text bg-fluux-hover hover:bg-fluux-active rounded-lg transition-colors disabled:opacity-50"
+    >
+      {isSaved ? (
+        <Check className="w-3.5 h-3.5 text-green-500" />
+      ) : (
+        <KeyRound className="w-3.5 h-3.5" />
+      )}
+      {isSaved
+        ? t('settings.encryption.savePassphraseManagerSaved')
+        : isFallback
+          ? t('settings.encryption.savePassphraseManagerFallback')
+          : t('settings.encryption.savePassphraseManager')}
+    </button>
+  )
+}
diff --git a/apps/fluux/src/components/UnlockEncryptionDialog.tsx b/apps/fluux/src/components/UnlockEncryptionDialog.tsx
index 889010c2..4ceadf99 100644
--- a/apps/fluux/src/components/UnlockEncryptionDialog.tsx
+++ b/apps/fluux/src/components/UnlockEncryptionDialog.tsx
@@ -108,6 +108,11 @@ export function UnlockEncryptionDialog({ client, onClose }: UnlockEncryptionDial
   return (
     <div
       data-modal="true"
+      role="dialog"
+      aria-modal="true"
+      aria-labelledby="unlock-encryption-dialog-title"
+      aria-describedby="unlock-encryption-dialog-body"
+      aria-busy={loading || isWorking || undefined}
       className="fixed inset-0 bg-black/50 flex items-center justify-center z-50"
       onMouseDown={(e) => {
         mouseDownTargetRef.current = e.target
@@ -127,10 +132,10 @@ export function UnlockEncryptionDialog({ client, onClose }: UnlockEncryptionDial
         {/* Hidden username distinguishes this entry from the XMPP login in password managers. */}
         <input type="text" name="username" autoComplete="section-openpgp username" value="openpgp-passphrase" readOnly aria-hidden="true" className="hidden" />
         <div className="px-5 pt-5 pb-3">
-          <h3 className="text-lg font-semibold text-fluux-text mb-1">
+          <h3 id="unlock-encryption-dialog-title" className="text-lg font-semibold text-fluux-text mb-1">
             {loading ? ' ' : title}
           </h3>
-          <p className="text-sm text-fluux-muted">{loading ? ' ' : body}</p>
+          <p id="unlock-encryption-dialog-body" className="text-sm text-fluux-muted">{loading ? ' ' : body}</p>
         </div>
 
         <div className="flex-1 overflow-y-auto min-h-0 px-5">
diff --git a/apps/fluux/src/components/conversation/EncryptedPlaceholder.tsx b/apps/fluux/src/components/conversation/EncryptedPlaceholder.tsx
new file mode 100644
index 00000000..791d46f9
--- /dev/null
+++ b/apps/fluux/src/components/conversation/EncryptedPlaceholder.tsx
@@ -0,0 +1,61 @@
+import { memo } from 'react'
+import { useTranslation } from 'react-i18next'
+import { Lock, LockOpen } from 'lucide-react'
+import { useWebKeyLocked } from '@/hooks/useWebKeyLocked'
+import { useWebUnlockDialogStore } from '@/stores/webUnlockDialogStore'
+
+export interface EncryptedPlaceholderProps {
+  /**
+   * `true` when the failure was almost certainly a wrong-key situation
+   * (we tried to decrypt and the cipher rejected the unlocked private
+   * key). The placeholder still renders, but the click affordance is
+   * dropped — unlocking again won't help.
+   *
+   * Left optional for now; consumers don't yet distinguish.
+   */
+  hardFailure?: boolean
+}
+
+/**
+ * Rendered inside a message bubble when {@link BaseMessage.encryptedPayload}
+ * is set — meaning the SDK received an E2EE-claimed stanza but could not
+ * decrypt it. Two visual states:
+ *
+ * - **Locked** (`useWebKeyLocked()` is true): a click prompts for the
+ *   session passphrase. Once unlocked, the SDK's
+ *   `retryPendingDecrypts()` re-runs and the placeholder is replaced
+ *   by the real body on success.
+ * - **Unlocked**: the cipher rejected the unlocked key (revoked
+ *   identity, wrong recipient, corrupt payload). The placeholder is
+ *   static — clicking again won't help.
+ */
+export const EncryptedPlaceholder = memo(function EncryptedPlaceholder(
+  _props: EncryptedPlaceholderProps,
+) {
+  const { t } = useTranslation()
+  const locked = useWebKeyLocked()
+  const openWebUnlockDialog = useWebUnlockDialogStore((s) => s.openWebUnlockDialog)
+
+  if (locked) {
+    return (
+      <button
+        type="button"
+        onClick={() => openWebUnlockDialog()}
+        className="flex items-center gap-2 text-fluux-muted italic hover:text-fluux-text transition-colors cursor-pointer text-start"
+        aria-label={t('chat.encryption.encryptedClickToUnlock')}
+      >
+        <Lock className="w-3.5 h-3.5 flex-shrink-0 text-yellow-500" aria-hidden="true" />
+        <span className="underline underline-offset-2 decoration-dotted">
+          {t('chat.encryption.encryptedClickToUnlock')}
+        </span>
+      </button>
+    )
+  }
+
+  return (
+    <div className="flex items-center gap-2 text-fluux-muted italic">
+      <LockOpen className="w-3.5 h-3.5 flex-shrink-0" aria-hidden="true" />
+      <span>{t('chat.encryption.encryptedCouldNotDecrypt')}</span>
+    </div>
+  )
+})
diff --git a/apps/fluux/src/components/conversation/MessageBubble.tsx b/apps/fluux/src/components/conversation/MessageBubble.tsx
index 87a48e0d..26a6800b 100644
--- a/apps/fluux/src/components/conversation/MessageBubble.tsx
+++ b/apps/fluux/src/components/conversation/MessageBubble.tsx
@@ -12,6 +12,7 @@ import { Avatar } from '../Avatar'
 import { AvatarLightbox } from '../AvatarLightbox'
 import { MessageToolbar } from './MessageToolbar'
 import { MessageBody } from './MessageBody'
+import { EncryptedPlaceholder } from './EncryptedPlaceholder'
 import { MessageReactions } from './MessageReactions'
 import { scrollToMessage, isActionMessage } from './messageGrouping'
 import { MessageAttachments } from '../MessageAttachments'
@@ -446,25 +447,30 @@ export const MessageBubble = memo(function MessageBubble({
 
         {/* Collapsible wrapper for long messages */}
         <CollapsibleContent messageId={message.id} isSelected={isSelected} isHovered={isHovered}>
-          {/* Message body (SDK already strips OOB URL from body for non-XEP-0428 clients) */}
-          <MessageBody
-            body={message.body}
-            isEdited={message.isEdited}
-            originalBody={message.originalBody}
-            isRetracted={message.isRetracted}
-            isModerated={message.isModerated}
-            moderatedBy={message.moderatedBy}
-            moderationReason={message.moderationReason}
-            noStyling={message.noStyling}
-            senderName={senderName}
-            senderColor={senderColor}
-            mentions={mentions}
-            nickname={nickname}
-            knownNicks={knownNicks}
-            isDarkMode={isDarkMode}
-            highlightTerms={highlightTerms}
-            isCurrentMatch={isCurrentMatch}
-          />
+          {/* Encrypted-payload placeholder takes precedence over body text
+              so the SDK's English fallback string never reaches the UI. */}
+          {message.encryptedPayload ? (
+            <EncryptedPlaceholder />
+          ) : (
+            <MessageBody
+              body={message.body}
+              isEdited={message.isEdited}
+              originalBody={message.originalBody}
+              isRetracted={message.isRetracted}
+              isModerated={message.isModerated}
+              moderatedBy={message.moderatedBy}
+              moderationReason={message.moderationReason}
+              noStyling={message.noStyling}
+              senderName={senderName}
+              senderColor={senderColor}
+              mentions={mentions}
+              nickname={nickname}
+              knownNicks={knownNicks}
+              isDarkMode={isDarkMode}
+              highlightTerms={highlightTerms}
+              isCurrentMatch={isCurrentMatch}
+            />
+          )}
 
           {/* File attachments (image, video, audio, text preview, document card) - hidden for retracted */}
           {!message.isRetracted && <MessageAttachments attachment={message.attachment} onMediaLoad={onMediaLoad} isSelected={isSelected} isHovered={isHovered} />}
diff --git a/apps/fluux/src/components/settings-components/EncryptionSettings.tsx b/apps/fluux/src/components/settings-components/EncryptionSettings.tsx
index 9e3e45fe..49be5eb2 100644
--- a/apps/fluux/src/components/settings-components/EncryptionSettings.tsx
+++ b/apps/fluux/src/components/settings-components/EncryptionSettings.tsx
@@ -12,7 +12,7 @@ import { RestorePassphraseDialog } from '@/components/RestorePassphraseDialog'
 import { ExternalKeyExportDialog } from '@/components/ExternalKeyExportDialog'
 import { IdentityChoiceDialog } from '@/components/IdentityChoiceDialog'
 import { OwnKeyConflictBanner } from '@/components/OwnKeyConflictBanner'
-import { UnlockEncryptionDialog } from '@/components/UnlockEncryptionDialog'
+import { useWebUnlockDialogStore } from '@/stores/webUnlockDialogStore'
 import { KeyPickerDialog } from '@/components/KeyPickerDialog'
 import type { KeyBundle } from '@/e2ee/OpenPGPPluginBase'
 import {
@@ -101,7 +101,7 @@ export function EncryptionSettings() {
   const [showExternalExportDialog, setShowExternalExportDialog] = useState(false)
   const [showImportFileDialog, setShowImportFileDialog] = useState(false)
   const [pendingImportFileArmored, setPendingImportFileArmored] = useState<string | null>(null)
-  const [showUnlockDialog, setShowUnlockDialog] = useState(false)
+  const openWebUnlockDialog = useWebUnlockDialogStore((s) => s.openWebUnlockDialog)
   const [pendingKeyPicker, setPendingKeyPicker] = useState<{
     candidates: KeyBundle[]
     backupMessage: string
@@ -210,7 +210,7 @@ export function EncryptionSettings() {
         // state.
         await registerE2EEPlugins(client)
         if (!bareJid) {
-          if (isKeyLocked()) setShowUnlockDialog(true)
+          if (isKeyLocked()) openWebUnlockDialog()
           return
         }
         const plugin = client.e2ee?.getPlugin('openpgp') as
@@ -232,7 +232,7 @@ export function EncryptionSettings() {
           }
         }
         if (isKeyLocked()) {
-          setShowUnlockDialog(true)
+          openWebUnlockDialog()
         }
         return
       }
@@ -298,7 +298,7 @@ export function EncryptionSettings() {
     } finally {
       setIsToggling(false)
     }
-  }, [openpgpEnabled, online, client, jid, setOpenpgpEnabled, addToast, t])
+  }, [openpgpEnabled, online, client, jid, setOpenpgpEnabled, addToast, t, openWebUnlockDialog])
 
   // --- Identity choice dialog handlers (silent-fork prevention) ---
   // Each handler resolves the `pendingIdentityChoice` state with one of
@@ -798,7 +798,7 @@ export function EncryptionSettings() {
               {t('settings.encryption.lockedBannerBody')}
             </p>
             <button
-              onClick={() => setShowUnlockDialog(true)}
+              onClick={() => openWebUnlockDialog()}
               className="flex-shrink-0 px-3 py-1.5 text-sm text-white bg-fluux-brand hover:opacity-90 rounded-lg transition-colors"
             >
               {t('settings.encryption.unlockAction')}
@@ -1166,13 +1166,6 @@ export function EncryptionSettings() {
         />
       )}
 
-      {showUnlockDialog && (
-        <UnlockEncryptionDialog
-          client={client}
-          onClose={() => setShowUnlockDialog(false)}
-        />
-      )}
-
       {pendingKeyPicker && (
         <KeyPickerDialog
           candidates={pendingKeyPicker.candidates}
diff --git a/apps/fluux/src/e2ee/webPassphraseStore.ts b/apps/fluux/src/e2ee/webPassphraseStore.ts
index 08e67a5d..410c7f9a 100644
--- a/apps/fluux/src/e2ee/webPassphraseStore.ts
+++ b/apps/fluux/src/e2ee/webPassphraseStore.ts
@@ -15,10 +15,16 @@
  */
 
 let sessionPassphrase: string | null = null
+const listeners = new Set<() => void>()
+
+function notify(): void {
+  for (const listener of listeners) listener()
+}
 
 /** Set the session passphrase. Call after the user enters it in the unlock dialog. */
 export function setSessionPassphrase(pp: string): void {
   sessionPassphrase = pp
+  notify()
 }
 
 /** Get the current session passphrase, or `null` if not yet unlocked. */
@@ -29,9 +35,25 @@ export function getSessionPassphrase(): string | null {
 /** Clear the session passphrase (e.g. on logout). */
 export function clearSessionPassphrase(): void {
   sessionPassphrase = null
+  notify()
 }
 
 /** Returns true when the session passphrase has not been set this session. */
 export function isKeyLocked(): boolean {
   return sessionPassphrase === null
 }
+
+/**
+ * Subscribe to lock-state changes. Listener fires whenever the session
+ * passphrase is set or cleared. Returns an unsubscribe function.
+ *
+ * Intended for {@link useSyncExternalStore}-based React hooks: callers
+ * read the current state via {@link isKeyLocked} and rely on this
+ * subscription to trigger re-renders when the state flips.
+ */
+export function subscribeKeyLockState(listener: () => void): () => void {
+  listeners.add(listener)
+  return () => {
+    listeners.delete(listener)
+  }
+}
diff --git a/apps/fluux/src/hooks/useConversationEncryptionState.test.tsx b/apps/fluux/src/hooks/useConversationEncryptionState.test.tsx
index 247c210a..e79bcc56 100644
--- a/apps/fluux/src/hooks/useConversationEncryptionState.test.tsx
+++ b/apps/fluux/src/hooks/useConversationEncryptionState.test.tsx
@@ -21,14 +21,22 @@ vi.mock('@fluux/sdk', async (importOriginal) => {
 vi.mock('@/stores/encryptionSettingsStore', () => ({
   useEncryptionSettingsStore: vi.fn(),
 }))
+// Lock-state hook stays under per-test control. Default to `false`
+// (unlocked) so the bulk of the suite, which tests other transitions,
+// is not affected by the keyLocked promotion path.
+vi.mock('@/hooks/useWebKeyLocked', () => ({
+  useWebKeyLocked: vi.fn(() => false),
+}))
 
 import { useConnection, useXMPPContext } from '@fluux/sdk'
 import { useEncryptionSettingsStore } from '@/stores/encryptionSettingsStore'
+import { useWebKeyLocked } from '@/hooks/useWebKeyLocked'
 
 const mockedUseConnection = useConnection as unknown as ReturnType<typeof vi.fn>
 const mockedUseXMPPContext = useXMPPContext as unknown as ReturnType<typeof vi.fn>
 const mockedUseEncryptionSettingsStore =
   useEncryptionSettingsStore as unknown as ReturnType<typeof vi.fn>
+const mockedUseWebKeyLocked = useWebKeyLocked as unknown as ReturnType<typeof vi.fn>
 
 interface FakePlugin {
   getPeerFingerprint: ReturnType<typeof vi.fn>
@@ -66,6 +74,9 @@ function makePlugin(overrides: Partial<FakePlugin> = {}): FakePlugin {
 describe('useConversationEncryptionState', () => {
   beforeEach(() => {
     vi.clearAllMocks()
+    // Default the lock-state hook to "unlocked" so existing tests aren't
+    // affected by the keyLocked promotion path.
+    mockedUseWebKeyLocked.mockReturnValue(false)
   })
   afterEach(() => {
     vi.restoreAllMocks()
@@ -617,4 +628,51 @@ describe('useConversationEncryptionState', () => {
       })
     })
   })
+
+  describe('web key-locked promotion', () => {
+    it("promotes 'encrypted' to 'keyLocked' when the web private key is locked", () => {
+      mockedUseWebKeyLocked.mockReturnValue(true)
+      const fp = 'LOCKED_FP'
+      wireMocks({
+        plugin: makePlugin({
+          getPeerFingerprint: vi.fn().mockReturnValue(fp),
+        }),
+      })
+      const { result } = renderHook(() =>
+        useConversationEncryptionState('bob@example.com', 'chat'),
+      )
+      expect(result.current).toEqual({ kind: 'keyLocked', fingerprint: fp })
+    })
+
+    it("returns 'encrypted' when the key becomes unlocked", () => {
+      mockedUseWebKeyLocked.mockReturnValue(false)
+      const fp = 'UNLOCKED_FP'
+      wireMocks({
+        plugin: makePlugin({
+          getPeerFingerprint: vi.fn().mockReturnValue(fp),
+        }),
+      })
+      const { result } = renderHook(() =>
+        useConversationEncryptionState('bob@example.com', 'chat'),
+      )
+      expect(result.current).toMatchObject({ kind: 'encrypted', fingerprint: fp })
+    })
+
+    it("does not affect 'unsupported' peers when locked", () => {
+      mockedUseWebKeyLocked.mockReturnValue(true)
+      wireMocks({
+        plugin: makePlugin({
+          probePeer: vi.fn().mockResolvedValue({ supported: false }),
+        }),
+      })
+      const { result } = renderHook(() =>
+        useConversationEncryptionState('bob@example.com', 'chat'),
+      )
+      // Lock state must not bubble up for peers we wouldn't encrypt to
+      // anyway — would be confusing UX.
+      return waitFor(() => {
+        expect(result.current).toEqual({ kind: 'unsupported' })
+      })
+    })
+  })
 })
diff --git a/apps/fluux/src/hooks/useConversationEncryptionState.ts b/apps/fluux/src/hooks/useConversationEncryptionState.ts
index 04814a4a..9cd303f2 100644
--- a/apps/fluux/src/hooks/useConversationEncryptionState.ts
+++ b/apps/fluux/src/hooks/useConversationEncryptionState.ts
@@ -6,6 +6,7 @@ import { useKeyChangeAlertsStore } from '@/stores/keyChangeAlertsStore'
 import { useConversationPlaintextOverrideStore } from '@/stores/conversationPlaintextOverrideStore'
 import { usePinnedPrimaryFingerprintsStore } from '@/stores/pinnedPrimaryFingerprintsStore'
 import { useCertRejectionStore, type CertRejection } from '@/stores/certRejectionStore'
+import { useWebKeyLocked } from './useWebKeyLocked'
 
 /**
  * Per-conversation encryption status surfaced to the composer chip.
@@ -40,6 +41,12 @@ import { useCertRejectionStore, type CertRejection } from '@/stores/certRejectio
  * - `plaintextForced` — user has explicitly disabled encryption for
  *                     this conversation. Messages are sent in plaintext
  *                     even if the peer has a published key.
+ * - `keyLocked`     — peer supports OpenPGP and we would normally encrypt
+ *                     to them, but the local private key is locked (web
+ *                     session passphrase not yet entered). Outbound
+ *                     encryption is blocked until the user unlocks; the
+ *                     chip surfaces the locked state with a click-to-unlock
+ *                     affordance. Tauri builds never reach this state.
  */
 export type ConversationEncryptionState =
   | { kind: 'disabled' }
@@ -64,6 +71,7 @@ export type ConversationEncryptionState =
   | { kind: 'blocked'; pinnedFingerprint: string; advertisedFingerprint: string }
   | { kind: 'unsupported' }
   | { kind: 'rejected'; reasons: CertRejection[] }
+  | { kind: 'keyLocked'; fingerprint?: string }
 
 /**
  * Minimal structural type for the pieces of `SequoiaPgpPlugin` this
@@ -146,6 +154,12 @@ export function useConversationEncryptionState(
     peerJid ? (s.rejectionsByJid[peerJid] ?? null) : null,
   )
 
+  // Reactive web-only flag: true while the OpenPGP private key is locked
+  // (no session passphrase entered yet). Tauri builds always read `false`.
+  // Used to promote the `encrypted` state to `keyLocked` so the chip
+  // surfaces the unlock affordance instead of pretending encryption works.
+  const webKeyLocked = useWebKeyLocked()
+
   // The base state is what the probe / cache produces — kind, peer
   // fingerprint, and so on. Trust is derived below from this plus the
   // verified-store snapshot, so a verify action re-renders without
@@ -264,10 +278,18 @@ export function useConversationEncryptionState(
       return { kind: 'rejected', reasons: certRejections }
     }
     if (base.kind !== 'encrypted') return base
+    // When the peer key is cached and we would normally show `encrypted`,
+    // but the local private key is locked (web only), promote to
+    // `keyLocked` so the chip surfaces a click-to-unlock affordance. We
+    // keep the peer fingerprint around so the tooltip can still display
+    // it — handy for users who want to verify the peer before unlocking.
+    if (webKeyLocked) {
+      return { kind: 'keyLocked', fingerprint: base.fingerprint }
+    }
     return {
       kind: 'encrypted',
       fingerprint: base.fingerprint,
       trust: verifiedFingerprint === base.fingerprint ? 'verified' : 'unverified',
     }
-  }, [base, isForcedPlaintext, verifiedFingerprint, alertCurrentFp, alertPreviousFp, certRejections])
+  }, [base, isForcedPlaintext, verifiedFingerprint, alertCurrentFp, alertPreviousFp, certRejections, webKeyLocked])
 }
diff --git a/apps/fluux/src/hooks/useWebKeyLocked.ts b/apps/fluux/src/hooks/useWebKeyLocked.ts
new file mode 100644
index 00000000..87db4050
--- /dev/null
+++ b/apps/fluux/src/hooks/useWebKeyLocked.ts
@@ -0,0 +1,26 @@
+import { useSyncExternalStore } from 'react'
+import { isKeyLocked, subscribeKeyLockState } from '@/e2ee/webPassphraseStore'
+import { isTauri } from '@/utils/tauri'
+
+/**
+ * Reactive view of the web E2EE session-passphrase lock state.
+ *
+ * Returns `true` while the OpenPGP private key is locked (no session
+ * passphrase set this session) so consumers can surface unlock affordances
+ * (header lock icon, clickable encrypted-message placeholder, etc.).
+ *
+ * Always returns `false` on Tauri: the desktop build uses the
+ * `SequoiaPgpPlugin` which manages key material in the Rust process and
+ * doesn't go through the web passphrase store.
+ */
+export function useWebKeyLocked(): boolean {
+  const locked = useSyncExternalStore(
+    subscribeKeyLockState,
+    isKeyLocked,
+    // SSR fallback: assume locked so we never render an interactive
+    // "unlocked" state during hydration without confirmation.
+    () => true,
+  )
+  if (isTauri()) return false
+  return locked
+}
diff --git a/apps/fluux/src/i18n/locales/ar.json b/apps/fluux/src/i18n/locales/ar.json
index 0ed15b09..8e844aa5 100644
--- a/apps/fluux/src/i18n/locales/ar.json
+++ b/apps/fluux/src/i18n/locales/ar.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "التشفير مقفل",
+            "keyLockedTooltip": "التشفير مقفل — انقر للفتح",
+            "encryptedClickToUnlock": "رسالة مشفرة — انقر للفتح",
+            "encryptedCouldNotDecrypt": "تعذر فك تشفير هذه الرسالة",
             "rejected": "الشهادة مرفوضة",
             "rejectedTooltip": "شهادة OpenPGP الخاصة بالطرف الآخر غير صالحة — انقر للتفاصيل",
             "rejectedTitle": "الشهادة مرفوضة",
@@ -674,6 +678,10 @@
             "backupCopy": "نسخ العبارة السرية",
             "backupCopied": "تم النسخ",
             "backupCopyFailed": "تعذّر النسخ إلى الحافظة",
+            "savePassphraseManager": "حفظ في مدير كلمات المرور",
+            "savePassphraseManagerLabel": "Fluux — عبارة سرية لنسخة OpenPGP الاحتياطية",
+            "savePassphraseManagerSaved": "تم الحفظ",
+            "savePassphraseManagerFallback": "تم نسخ العبارة السرية — الصقها في مدير كلمات المرور",
             "backupRegenerate": "إنشاء عبارة سرية جديدة",
             "backupPublish": "حفظ",
             "backupSuccess": "تم حفظ المفتاح على الخادم",
diff --git a/apps/fluux/src/i18n/locales/be.json b/apps/fluux/src/i18n/locales/be.json
index ef0bdb10..11194a76 100644
--- a/apps/fluux/src/i18n/locales/be.json
+++ b/apps/fluux/src/i18n/locales/be.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Шыфраванне заблакаванае",
+            "keyLockedTooltip": "Шыфраванне заблакаванае — націсніце, каб разблакаваць",
+            "encryptedClickToUnlock": "Зашыфраванае паведамленне — націсніце для разблакоўкі",
+            "encryptedCouldNotDecrypt": "Не атрымалася расшыфраваць гэта паведамленне",
             "rejected": "Сертыфікат адхілены",
             "rejectedTooltip": "Сертыфікат OpenPGP суразмоўцы несапраўдны — націсніце для падрабязнасцей",
             "rejectedTitle": "Сертыфікат адхілены",
@@ -674,6 +678,10 @@
             "backupCopy": "Скапіяваць парольную фразу",
             "backupCopied": "Скапіявана",
             "backupCopyFailed": "Не атрымалася скапіяваць у буфер абмену",
+            "savePassphraseManager": "Захаваць у мэнэджары пароляў",
+            "savePassphraseManagerLabel": "Fluux — парольная фраза рэзервовай копіі OpenPGP",
+            "savePassphraseManagerSaved": "Захавана",
+            "savePassphraseManagerFallback": "Парольная фраза скапіявана — устаўце яе ў мэнэджар пароляў",
             "backupRegenerate": "Стварыць новую парольную фразу",
             "backupPublish": "Захаваць",
             "backupSuccess": "Ключ захаваны на серверы",
diff --git a/apps/fluux/src/i18n/locales/bg.json b/apps/fluux/src/i18n/locales/bg.json
index 40ea0f2b..3b123f13 100644
--- a/apps/fluux/src/i18n/locales/bg.json
+++ b/apps/fluux/src/i18n/locales/bg.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Криптирането е заключено",
+            "keyLockedTooltip": "Криптирането е заключено — щракнете за отключване",
+            "encryptedClickToUnlock": "Шифровано съобщение — щракнете за отключване",
+            "encryptedCouldNotDecrypt": "Това съобщение не можа да бъде дешифрирано",
             "rejected": "Сертификатът е отхвърлен",
             "rejectedTooltip": "OpenPGP сертификатът на отсрещната страна е невалиден — щракнете за подробности",
             "rejectedTitle": "Сертификатът е отхвърлен",
@@ -674,6 +678,10 @@
             "backupCopy": "Копирай паролата",
             "backupCopied": "Копирано",
             "backupCopyFailed": "Копирането в клипборда неуспешно",
+            "savePassphraseManager": "Запази в мениджъра на пароли",
+            "savePassphraseManagerLabel": "Fluux — парола за резервно копие на OpenPGP",
+            "savePassphraseManagerSaved": "Запазено",
+            "savePassphraseManagerFallback": "Паролата е копирана — поставете я в мениджъра на пароли",
             "backupRegenerate": "Генерирай нова парола",
             "backupPublish": "Запази",
             "backupSuccess": "Ключът е запазен на сървъра",
diff --git a/apps/fluux/src/i18n/locales/ca.json b/apps/fluux/src/i18n/locales/ca.json
index e88659a6..88948746 100644
--- a/apps/fluux/src/i18n/locales/ca.json
+++ b/apps/fluux/src/i18n/locales/ca.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Xifratge bloquejat",
+            "keyLockedTooltip": "Xifratge bloquejat — feu clic per desbloquejar",
+            "encryptedClickToUnlock": "Missatge xifrat — feu clic per desbloquejar",
+            "encryptedCouldNotDecrypt": "No s'ha pogut desxifrar aquest missatge",
             "rejected": "Certificat rebutjat",
             "rejectedTooltip": "El certificat OpenPGP del contacte no és vàlid — feu clic per veure'n els detalls",
             "rejectedTitle": "Certificat rebutjat",
@@ -676,6 +680,10 @@
             "backupCopy": "Copia la frase",
             "backupCopied": "Copiada",
             "backupCopyFailed": "No s'ha pogut copiar al porta-retalls",
+            "savePassphraseManager": "Desa al gestor de contrasenyes",
+            "savePassphraseManagerLabel": "Fluux — frase de pas de còpia de seguretat OpenPGP",
+            "savePassphraseManagerSaved": "Desat",
+            "savePassphraseManagerFallback": "Frase de pas copiada — enganxa-la al gestor de contrasenyes",
             "backupRegenerate": "Genera una frase de pas nova",
             "backupPublish": "Desa",
             "backupSuccess": "Clau desada al servidor",
diff --git a/apps/fluux/src/i18n/locales/cs.json b/apps/fluux/src/i18n/locales/cs.json
index 3f0bd588..f4cf0ec8 100644
--- a/apps/fluux/src/i18n/locales/cs.json
+++ b/apps/fluux/src/i18n/locales/cs.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Šifrování uzamčeno",
+            "keyLockedTooltip": "Šifrování uzamčeno — odemkněte kliknutím",
+            "encryptedClickToUnlock": "Šifrovaná zpráva — odemkněte kliknutím",
+            "encryptedCouldNotDecrypt": "Tuto zprávu se nepodařilo dešifrovat",
             "rejected": "Certifikát odmítnut",
             "rejectedTooltip": "OpenPGP certifikát protistrany je neplatný — klikněte pro podrobnosti",
             "rejectedTitle": "Certifikát odmítnut",
@@ -676,6 +680,10 @@
             "backupCopy": "Kopírovat heslo",
             "backupCopied": "Zkopírováno",
             "backupCopyFailed": "Nepodařilo se zkopírovat do schránky",
+            "savePassphraseManager": "Uložit do správce hesel",
+            "savePassphraseManagerLabel": "Fluux — heslo zálohy OpenPGP",
+            "savePassphraseManagerSaved": "Uloženo",
+            "savePassphraseManagerFallback": "Heslo zkopírováno — vložte je do správce hesel",
             "backupRegenerate": "Vygenerovat nové heslo",
             "backupPublish": "Uložit",
             "backupSuccess": "Klíč uložen na server",
diff --git a/apps/fluux/src/i18n/locales/da.json b/apps/fluux/src/i18n/locales/da.json
index 686dc6a8..6d46ebdf 100644
--- a/apps/fluux/src/i18n/locales/da.json
+++ b/apps/fluux/src/i18n/locales/da.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Kryptering låst",
+            "keyLockedTooltip": "Kryptering låst — klik for at låse op",
+            "encryptedClickToUnlock": "Krypteret besked — klik for at låse op",
+            "encryptedCouldNotDecrypt": "Kunne ikke dekryptere denne besked",
             "rejected": "Certifikat afvist",
             "rejectedTooltip": "Modpartens OpenPGP-certifikat er ugyldigt — klik for detaljer",
             "rejectedTitle": "Certifikat afvist",
@@ -674,6 +678,10 @@
             "backupCopy": "Kopier adgangssætning",
             "backupCopied": "Kopieret",
             "backupCopyFailed": "Kunne ikke kopiere til udklipsholder",
+            "savePassphraseManager": "Gem i adgangskodehåndtering",
+            "savePassphraseManagerLabel": "Fluux — adgangssætning til OpenPGP-sikkerhedskopi",
+            "savePassphraseManagerSaved": "Gemt",
+            "savePassphraseManagerFallback": "Adgangssætning kopieret — indsæt den i din adgangskodehåndtering",
             "backupRegenerate": "Generer en ny adgangssætning",
             "backupPublish": "Sikkerhedskopier",
             "backupSuccess": "Nøgle sikkerhedskopieret til server",
diff --git a/apps/fluux/src/i18n/locales/de.json b/apps/fluux/src/i18n/locales/de.json
index 1b4fea1c..9633f2a3 100644
--- a/apps/fluux/src/i18n/locales/de.json
+++ b/apps/fluux/src/i18n/locales/de.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Verschlüsselung gesperrt",
+            "keyLockedTooltip": "Verschlüsselung gesperrt — zum Entsperren klicken",
+            "encryptedClickToUnlock": "Verschlüsselte Nachricht — zum Entsperren klicken",
+            "encryptedCouldNotDecrypt": "Diese Nachricht konnte nicht entschlüsselt werden",
             "rejected": "Zertifikat abgelehnt",
             "rejectedTooltip": "Das OpenPGP-Zertifikat des Gesprächspartners ist ungültig — klicke für Details",
             "rejectedTitle": "Zertifikat abgelehnt",
@@ -676,6 +680,10 @@
             "backupCopy": "Passphrase kopieren",
             "backupCopied": "Kopiert",
             "backupCopyFailed": "In die Zwischenablage konnte nicht kopiert werden",
+            "savePassphraseManager": "Im Passwortmanager speichern",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP-Backup-Passphrase",
+            "savePassphraseManagerSaved": "Gespeichert",
+            "savePassphraseManagerFallback": "Passphrase kopiert — füge sie in deinen Passwortmanager ein",
             "backupRegenerate": "Neue Passphrase generieren",
             "backupPublish": "Sichern",
             "backupSuccess": "Schlüssel auf dem Server gesichert",
diff --git a/apps/fluux/src/i18n/locales/el.json b/apps/fluux/src/i18n/locales/el.json
index 93c3d7e9..ed75e1dd 100644
--- a/apps/fluux/src/i18n/locales/el.json
+++ b/apps/fluux/src/i18n/locales/el.json
@@ -483,6 +483,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Η κρυπτογράφηση είναι κλειδωμένη",
+            "keyLockedTooltip": "Η κρυπτογράφηση είναι κλειδωμένη — κάντε κλικ για ξεκλείδωμα",
+            "encryptedClickToUnlock": "Κρυπτογραφημένο μήνυμα — κάντε κλικ για ξεκλείδωμα",
+            "encryptedCouldNotDecrypt": "Δεν ήταν δυνατή η αποκρυπτογράφηση αυτού του μηνύματος",
             "rejected": "Πιστοποιητικό απορρίφθηκε",
             "rejectedTooltip": "Το πιστοποιητικό OpenPGP του συνομιλητή δεν είναι έγκυρο — κάντε κλικ για λεπτομέρειες",
             "rejectedTitle": "Πιστοποιητικό απορρίφθηκε",
@@ -675,6 +679,10 @@
             "backupCopy": "Αντιγραφή φράσης",
             "backupCopied": "Αντιγράφηκε",
             "backupCopyFailed": "Η αντιγραφή στο πρόχειρο απέτυχε",
+            "savePassphraseManager": "Αποθήκευση στον διαχειριστή κωδικών",
+            "savePassphraseManagerLabel": "Fluux — φράση πρόσβασης αντιγράφου ασφαλείας OpenPGP",
+            "savePassphraseManagerSaved": "Αποθηκεύτηκε",
+            "savePassphraseManagerFallback": "Η φράση αντιγράφηκε — επικολλήστε τη στον διαχειριστή κωδικών",
             "backupRegenerate": "Δημιουργία νέας φράσης",
             "backupPublish": "Αποθήκευση",
             "backupSuccess": "Το κλειδί αποθηκεύτηκε στον διακομιστή",
diff --git a/apps/fluux/src/i18n/locales/en.json b/apps/fluux/src/i18n/locales/en.json
index 1ded99be..e76606d6 100644
--- a/apps/fluux/src/i18n/locales/en.json
+++ b/apps/fluux/src/i18n/locales/en.json
@@ -481,6 +481,10 @@
             "blockedTooltip": "Peer's key has changed — resolve to resume encryption",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Encryption locked",
+            "keyLockedTooltip": "Encryption locked — click to unlock",
+            "encryptedClickToUnlock": "Encrypted message — click to unlock",
+            "encryptedCouldNotDecrypt": "Couldn't decrypt this message",
             "rejected": "Certificate rejected",
             "rejectedTooltip": "Peer's OpenPGP certificate is invalid — click for details",
             "rejectedTitle": "Certificate rejected",
@@ -590,6 +594,10 @@
             "backupCopy": "Copy passphrase",
             "backupCopied": "Copied",
             "backupCopyFailed": "Couldn't copy to clipboard",
+            "savePassphraseManager": "Save to password manager",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP backup passphrase",
+            "savePassphraseManagerSaved": "Saved",
+            "savePassphraseManagerFallback": "Passphrase copied — paste it into your password manager",
             "backupRegenerate": "Generate a new passphrase",
             "backupPublish": "Back up",
             "backupSuccess": "Key backed up to server",
diff --git a/apps/fluux/src/i18n/locales/es.json b/apps/fluux/src/i18n/locales/es.json
index 1f6b79b5..f7375853 100644
--- a/apps/fluux/src/i18n/locales/es.json
+++ b/apps/fluux/src/i18n/locales/es.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Cifrado bloqueado",
+            "keyLockedTooltip": "Cifrado bloqueado — haz clic para desbloquear",
+            "encryptedClickToUnlock": "Mensaje cifrado — haz clic para desbloquear",
+            "encryptedCouldNotDecrypt": "No se pudo descifrar este mensaje",
             "rejected": "Certificado rechazado",
             "rejectedTooltip": "El certificado OpenPGP del contacto no es válido — haz clic para más detalles",
             "rejectedTitle": "Certificado rechazado",
@@ -676,6 +680,10 @@
             "backupCopy": "Copiar la frase",
             "backupCopied": "Copiado",
             "backupCopyFailed": "No se pudo copiar al portapapeles",
+            "savePassphraseManager": "Guardar en el gestor de contraseñas",
+            "savePassphraseManagerLabel": "Fluux — frase de la copia de seguridad de OpenPGP",
+            "savePassphraseManagerSaved": "Guardado",
+            "savePassphraseManagerFallback": "Frase copiada — pégala en tu gestor de contraseñas",
             "backupRegenerate": "Generar una nueva frase",
             "backupPublish": "Guardar",
             "backupSuccess": "Clave guardada en el servidor",
diff --git a/apps/fluux/src/i18n/locales/et.json b/apps/fluux/src/i18n/locales/et.json
index 63b875e3..1c3cfdeb 100644
--- a/apps/fluux/src/i18n/locales/et.json
+++ b/apps/fluux/src/i18n/locales/et.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Krüpteerimine on lukus",
+            "keyLockedTooltip": "Krüpteerimine on lukus — vajuta avamiseks",
+            "encryptedClickToUnlock": "Krüpteeritud sõnum — vajuta avamiseks",
+            "encryptedCouldNotDecrypt": "Selle sõnumi dekrüpteerimine ebaõnnestus",
             "rejected": "Sertifikaat tagasi lükatud",
             "rejectedTooltip": "Vestluspartneri OpenPGP sertifikaat on kehtetu — klõpsa üksikasjade jaoks",
             "rejectedTitle": "Sertifikaat tagasi lükatud",
@@ -676,6 +680,10 @@
             "backupCopy": "Kopeeri paroolifraas",
             "backupCopied": "Kopeeritud",
             "backupCopyFailed": "Lõikepuhvrisse kopeerimine ebaõnnestus",
+            "savePassphraseManager": "Salvesta paroolihaldurisse",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP varundusparoolifraas",
+            "savePassphraseManagerSaved": "Salvestatud",
+            "savePassphraseManagerFallback": "Paroolifraas kopeeritud — kleebi see paroolihaldurisse",
             "backupRegenerate": "Genereeri uus paroolifraas",
             "backupPublish": "Salvesta",
             "backupSuccess": "Võti salvestatud serverisse",
diff --git a/apps/fluux/src/i18n/locales/fi.json b/apps/fluux/src/i18n/locales/fi.json
index aab37153..9bce47e7 100644
--- a/apps/fluux/src/i18n/locales/fi.json
+++ b/apps/fluux/src/i18n/locales/fi.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Salaus lukittu",
+            "keyLockedTooltip": "Salaus lukittu — avaa napsauttamalla",
+            "encryptedClickToUnlock": "Salattu viesti — avaa napsauttamalla",
+            "encryptedCouldNotDecrypt": "Tämän viestin salausta ei voitu purkaa",
             "rejected": "Varmenne hylätty",
             "rejectedTooltip": "Keskustelukumppanin OpenPGP-varmenne on virheellinen — napsauta nähdäksesi lisätietoja",
             "rejectedTitle": "Varmenne hylätty",
@@ -674,6 +678,10 @@
             "backupCopy": "Kopioi tunnuslause",
             "backupCopied": "Kopioitu",
             "backupCopyFailed": "Leikepöydälle kopiointi epäonnistui",
+            "savePassphraseManager": "Tallenna salasanahallintaan",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP-varmuuskopion tunnuslause",
+            "savePassphraseManagerSaved": "Tallennettu",
+            "savePassphraseManagerFallback": "Tunnuslause kopioitu — liitä se salasanahallintaan",
             "backupRegenerate": "Luo uusi tunnuslause",
             "backupPublish": "Varmuuskopioi",
             "backupSuccess": "Avain varmuuskopioitu palvelimelle",
diff --git a/apps/fluux/src/i18n/locales/fr.json b/apps/fluux/src/i18n/locales/fr.json
index ca39cd0c..c7e47286 100644
--- a/apps/fluux/src/i18n/locales/fr.json
+++ b/apps/fluux/src/i18n/locales/fr.json
@@ -482,6 +482,10 @@
             "blockedTooltip": "La clé du correspondant a changé — résolvez pour reprendre le chiffrement",
             "plaintextForced": "Chiffrement désactivé",
             "plaintextForcedTooltip": "Vous avez désactivé le chiffrement pour cette conversation — les messages sont envoyés en clair",
+            "keyLocked": "Chiffrement verrouillé",
+            "keyLockedTooltip": "Chiffrement verrouillé — cliquez pour déverrouiller",
+            "encryptedClickToUnlock": "Message chiffré — cliquez pour déverrouiller",
+            "encryptedCouldNotDecrypt": "Ce message n'a pas pu être déchiffré",
             "rejected": "Certificat rejeté",
             "rejectedTooltip": "Le certificat OpenPGP du correspondant est invalide — cliquez pour plus de détails",
             "rejectedTitle": "Certificat rejeté",
@@ -675,6 +679,10 @@
             "backupCopy": "Copier la phrase",
             "backupCopied": "Copié",
             "backupCopyFailed": "Impossible de copier dans le presse-papiers",
+            "savePassphraseManager": "Enregistrer dans le gestionnaire de mots de passe",
+            "savePassphraseManagerLabel": "Fluux — phrase secrète de sauvegarde OpenPGP",
+            "savePassphraseManagerSaved": "Enregistré",
+            "savePassphraseManagerFallback": "Phrase copiée — collez-la dans votre gestionnaire de mots de passe",
             "backupRegenerate": "Générer une nouvelle phrase",
             "backupPublish": "Sauvegarder",
             "backupSuccess": "Clé sauvegardée sur le serveur",
diff --git a/apps/fluux/src/i18n/locales/ga.json b/apps/fluux/src/i18n/locales/ga.json
index e29e443f..ca448773 100644
--- a/apps/fluux/src/i18n/locales/ga.json
+++ b/apps/fluux/src/i18n/locales/ga.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Tá an criptiú faoi ghlas",
+            "keyLockedTooltip": "Tá an criptiú faoi ghlas — cliceáil chun é a dhíghlasáil",
+            "encryptedClickToUnlock": "Teachtaireacht chriptithe — cliceáil chun é a dhíghlasáil",
+            "encryptedCouldNotDecrypt": "Níorbh fhéidir an teachtaireacht seo a dhíchriptiú",
             "rejected": "Teastas diúltaithe",
             "rejectedTooltip": "Tá teastas OpenPGP an chomhpháirtí neamhbhailí — cliceáil le haghaidh sonraí",
             "rejectedTitle": "Teastas diúltaithe",
@@ -674,6 +678,10 @@
             "backupCopy": "Cóipeáil pasfhrása",
             "backupCopied": "Cóipeáilte",
             "backupCopyFailed": "Níorbh fhéidir cóipeáil chuig gearrthaisce",
+            "savePassphraseManager": "Sábháil chuig bainisteoir pasfhocail",
+            "savePassphraseManagerLabel": "Fluux — pasfhrása cúltaca OpenPGP",
+            "savePassphraseManagerSaved": "Sábháilte",
+            "savePassphraseManagerFallback": "Cóipeáladh an pasfhrása — greamaigh i do bhainisteoir pasfhocail é",
             "backupRegenerate": "Gin pasfhrása nua",
             "backupPublish": "Sábháil",
             "backupSuccess": "Eochair sábháilte chuig freastalaí",
diff --git a/apps/fluux/src/i18n/locales/he.json b/apps/fluux/src/i18n/locales/he.json
index c542cc80..1e34cd56 100644
--- a/apps/fluux/src/i18n/locales/he.json
+++ b/apps/fluux/src/i18n/locales/he.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "ההצפנה נעולה",
+            "keyLockedTooltip": "ההצפנה נעולה — לחץ לפתיחה",
+            "encryptedClickToUnlock": "הודעה מוצפנת — לחץ לפתיחה",
+            "encryptedCouldNotDecrypt": "לא ניתן היה לפענח הודעה זו",
             "rejected": "אישור נדחה",
             "rejectedTooltip": "אישור ה-OpenPGP של הצד השני אינו תקף — לחץ/י לפרטים",
             "rejectedTitle": "אישור נדחה",
@@ -674,6 +678,10 @@
             "backupCopy": "העתק את משפט הסיסמה",
             "backupCopied": "הועתק",
             "backupCopyFailed": "לא ניתן להעתיק ללוח",
+            "savePassphraseManager": "שמירה במנהל הסיסמאות",
+            "savePassphraseManagerLabel": "Fluux — משפט סיסמה לגיבוי OpenPGP",
+            "savePassphraseManagerSaved": "נשמר",
+            "savePassphraseManagerFallback": "משפט הסיסמה הועתק — הדבק אותו במנהל הסיסמאות שלך",
             "backupRegenerate": "צור משפט סיסמה חדש",
             "backupPublish": "שמור",
             "backupSuccess": "המפתח נשמר בשרת",
diff --git a/apps/fluux/src/i18n/locales/hr.json b/apps/fluux/src/i18n/locales/hr.json
index f3a9e20d..9d243ad6 100644
--- a/apps/fluux/src/i18n/locales/hr.json
+++ b/apps/fluux/src/i18n/locales/hr.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Šifriranje zaključano",
+            "keyLockedTooltip": "Šifriranje zaključano — kliknite za otključavanje",
+            "encryptedClickToUnlock": "Šifrirana poruka — kliknite za otključavanje",
+            "encryptedCouldNotDecrypt": "Ovu poruku nije bilo moguće dešifrirati",
             "rejected": "Certifikat odbijen",
             "rejectedTooltip": "OpenPGP certifikat sugovornika nije valjan — kliknite za pojedinosti",
             "rejectedTitle": "Certifikat odbijen",
@@ -674,6 +678,10 @@
             "backupCopy": "Kopiraj lozinku",
             "backupCopied": "Kopirano",
             "backupCopyFailed": "Kopiranje u međuspremnik nije uspjelo",
+            "savePassphraseManager": "Spremi u upravitelj lozinki",
+            "savePassphraseManagerLabel": "Fluux — lozinka sigurnosne kopije OpenPGP",
+            "savePassphraseManagerSaved": "Spremljeno",
+            "savePassphraseManagerFallback": "Lozinka je kopirana — zalijepi je u svoj upravitelj lozinki",
             "backupRegenerate": "Generiraj novu lozinku",
             "backupPublish": "Spremi",
             "backupSuccess": "Ključ spremljen na poslužitelj",
diff --git a/apps/fluux/src/i18n/locales/hu.json b/apps/fluux/src/i18n/locales/hu.json
index 8b3b1248..3b882166 100644
--- a/apps/fluux/src/i18n/locales/hu.json
+++ b/apps/fluux/src/i18n/locales/hu.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Titkosítás zárolva",
+            "keyLockedTooltip": "Titkosítás zárolva — kattintson a feloldáshoz",
+            "encryptedClickToUnlock": "Titkosított üzenet — kattintson a feloldáshoz",
+            "encryptedCouldNotDecrypt": "Ezt az üzenetet nem sikerült visszafejteni",
             "rejected": "Tanúsítvány elutasítva",
             "rejectedTooltip": "A partner OpenPGP tanúsítványa érvénytelen — kattints a részletekért",
             "rejectedTitle": "Tanúsítvány elutasítva",
@@ -674,6 +678,10 @@
             "backupCopy": "Jelmondat másolása",
             "backupCopied": "Másolva",
             "backupCopyFailed": "A vágólapra másolás sikertelen",
+            "savePassphraseManager": "Mentés a jelszókezelőbe",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP biztonsági mentés jelmondat",
+            "savePassphraseManagerSaved": "Elmentve",
+            "savePassphraseManagerFallback": "A jelmondat vágólapra másolva — illeszd be a jelszókezelőbe",
             "backupRegenerate": "Új jelmondat előállítása",
             "backupPublish": "Mentés",
             "backupSuccess": "Kulcs mentve a kiszolgálóra",
diff --git a/apps/fluux/src/i18n/locales/is.json b/apps/fluux/src/i18n/locales/is.json
index 9f1fef9e..10378d8b 100644
--- a/apps/fluux/src/i18n/locales/is.json
+++ b/apps/fluux/src/i18n/locales/is.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Dulkóðun læst",
+            "keyLockedTooltip": "Dulkóðun læst — smelltu til að aflæsa",
+            "encryptedClickToUnlock": "Dulkóðuð skilaboð — smelltu til að aflæsa",
+            "encryptedCouldNotDecrypt": "Tókst ekki að afkóða þessi skilaboð",
             "rejected": "Vottorði hafnað",
             "rejectedTooltip": "OpenPGP-vottorð viðmælanda er ógilt — smelltu fyrir nánari upplýsingar",
             "rejectedTitle": "Vottorði hafnað",
@@ -674,6 +678,10 @@
             "backupCopy": "Afrita aðgangsorð",
             "backupCopied": "Afritað",
             "backupCopyFailed": "Ekki tókst að afrita á klippiborðið",
+            "savePassphraseManager": "Vista í lykilorðastjóra",
+            "savePassphraseManagerLabel": "Fluux — aðgangsorð fyrir OpenPGP-afrit",
+            "savePassphraseManagerSaved": "Vistað",
+            "savePassphraseManagerFallback": "Aðgangsorðið var afritað — límdu það í lykilorðastjórann",
             "backupRegenerate": "Búa til nýtt aðgangsorð",
             "backupPublish": "Afrita",
             "backupSuccess": "Lykill afritaður á þjón",
diff --git a/apps/fluux/src/i18n/locales/it.json b/apps/fluux/src/i18n/locales/it.json
index 2076fc2d..8c6766c6 100644
--- a/apps/fluux/src/i18n/locales/it.json
+++ b/apps/fluux/src/i18n/locales/it.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Cifratura bloccata",
+            "keyLockedTooltip": "Cifratura bloccata — fai clic per sbloccare",
+            "encryptedClickToUnlock": "Messaggio cifrato — fai clic per sbloccare",
+            "encryptedCouldNotDecrypt": "Impossibile decifrare questo messaggio",
             "rejected": "Certificato rifiutato",
             "rejectedTooltip": "Il certificato OpenPGP dell'interlocutore non è valido — clicca per i dettagli",
             "rejectedTitle": "Certificato rifiutato",
@@ -676,6 +680,10 @@
             "backupCopy": "Copia la passphrase",
             "backupCopied": "Copiata",
             "backupCopyFailed": "Impossibile copiare negli appunti",
+            "savePassphraseManager": "Salva nel gestore di password",
+            "savePassphraseManagerLabel": "Fluux — passphrase di backup OpenPGP",
+            "savePassphraseManagerSaved": "Salvato",
+            "savePassphraseManagerFallback": "Passphrase copiata — incollala nel tuo gestore di password",
             "backupRegenerate": "Genera una nuova passphrase",
             "backupPublish": "Salva",
             "backupSuccess": "Chiave salvata sul server",
diff --git a/apps/fluux/src/i18n/locales/lt.json b/apps/fluux/src/i18n/locales/lt.json
index 07397885..c4f925b1 100644
--- a/apps/fluux/src/i18n/locales/lt.json
+++ b/apps/fluux/src/i18n/locales/lt.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Šifravimas užrakintas",
+            "keyLockedTooltip": "Šifravimas užrakintas — spustelėkite, kad atrakintumėte",
+            "encryptedClickToUnlock": "Šifruotas pranešimas — spustelėkite, kad atrakintumėte",
+            "encryptedCouldNotDecrypt": "Nepavyko iššifruoti šio pranešimo",
             "rejected": "Sertifikatas atmestas",
             "rejectedTooltip": "Pašnekovo OpenPGP sertifikatas yra negaliojantis — spustelėkite norėdami sužinoti daugiau",
             "rejectedTitle": "Sertifikatas atmestas",
@@ -674,6 +678,10 @@
             "backupCopy": "Kopijuoti slaptažodinę frazę",
             "backupCopied": "Nukopijuota",
             "backupCopyFailed": "Nepavyko kopijuoti į iškarpinę",
+            "savePassphraseManager": "Įrašyti į slaptažodžių tvarkyklę",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP atsarginės kopijos slaptažodinė frazė",
+            "savePassphraseManagerSaved": "Įrašyta",
+            "savePassphraseManagerFallback": "Slaptažodinė frazė nukopijuota — įklijuokite ją į slaptažodžių tvarkyklę",
             "backupRegenerate": "Generuoti naują slaptažodinę frazę",
             "backupPublish": "Išsaugoti",
             "backupSuccess": "Raktas išsaugotas serveryje",
diff --git a/apps/fluux/src/i18n/locales/lv.json b/apps/fluux/src/i18n/locales/lv.json
index 801ebd38..6251aa8c 100644
--- a/apps/fluux/src/i18n/locales/lv.json
+++ b/apps/fluux/src/i18n/locales/lv.json
@@ -483,6 +483,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Šifrēšana ir bloķēta",
+            "keyLockedTooltip": "Šifrēšana ir bloķēta — noklikšķiniet, lai atbloķētu",
+            "encryptedClickToUnlock": "Šifrēts ziņojums — noklikšķiniet, lai atbloķētu",
+            "encryptedCouldNotDecrypt": "Šo ziņojumu nevarēja atšifrēt",
             "rejected": "Sertifikāts noraidīts",
             "rejectedTooltip": "Sarunu biedra OpenPGP sertifikāts nav derīgs — noklikšķiniet, lai uzzinātu vairāk",
             "rejectedTitle": "Sertifikāts noraidīts",
@@ -675,6 +679,10 @@
             "backupCopy": "Kopēt paroles frāzi",
             "backupCopied": "Nokopēts",
             "backupCopyFailed": "Neizdevās kopēt starpliktuvē",
+            "savePassphraseManager": "Saglabāt paroļu pārvaldniekā",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP dublējuma paroles frāze",
+            "savePassphraseManagerSaved": "Saglabāts",
+            "savePassphraseManagerFallback": "Paroles frāze nokopēta — ielīmējiet to savā paroļu pārvaldniekā",
             "backupRegenerate": "Ģenerēt jaunu paroles frāzi",
             "backupPublish": "Saglabāt",
             "backupSuccess": "Atslēga saglabāta serverī",
diff --git a/apps/fluux/src/i18n/locales/mt.json b/apps/fluux/src/i18n/locales/mt.json
index c6a12c91..11a8fb0d 100644
--- a/apps/fluux/src/i18n/locales/mt.json
+++ b/apps/fluux/src/i18n/locales/mt.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "L-encryption huwa msakkar",
+            "keyLockedTooltip": "L-encryption huwa msakkar — ikklikkja biex tiftaħ",
+            "encryptedClickToUnlock": "Messaġġ kriptat — ikklikkja biex tiftaħ",
+            "encryptedCouldNotDecrypt": "Ma setax jiġi deċifrat dan il-messaġġ",
             "rejected": "Iċ-ċertifikat ġie rrifjutat",
             "rejectedTooltip": "Iċ-ċertifikat OpenPGP tal-persuna l-oħra mhux validu — ikklikkja għad-dettalji",
             "rejectedTitle": "Iċ-ċertifikat ġie rrifjutat",
@@ -676,6 +680,10 @@
             "backupCopy": "Ikkopja l-frażi",
             "backupCopied": "Ikkopjata",
             "backupCopyFailed": "Ma stajtx nikkopja fil-clipboard",
+            "savePassphraseManager": "Ħażen fil-manager tal-passwords",
+            "savePassphraseManagerLabel": "Fluux — frażi tal-backup OpenPGP",
+            "savePassphraseManagerSaved": "Maħżun",
+            "savePassphraseManagerFallback": "Il-frażi ġiet ikkupjata — waħħalha fil-manager tal-passwords tiegħek",
             "backupRegenerate": "Iġġenera frażi ġdida",
             "backupPublish": "Issejvja",
             "backupSuccess": "Iċ-ċavetta ġiet issejvjata fuq is-server",
diff --git a/apps/fluux/src/i18n/locales/nb.json b/apps/fluux/src/i18n/locales/nb.json
index 1d6fe036..a08293d0 100644
--- a/apps/fluux/src/i18n/locales/nb.json
+++ b/apps/fluux/src/i18n/locales/nb.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Kryptering låst",
+            "keyLockedTooltip": "Kryptering låst — klikk for å låse opp",
+            "encryptedClickToUnlock": "Kryptert melding — klikk for å låse opp",
+            "encryptedCouldNotDecrypt": "Kunne ikke dekryptere denne meldingen",
             "rejected": "Sertifikat avvist",
             "rejectedTooltip": "Samtalepartnerens OpenPGP-sertifikat er ugyldig — klikk for detaljer",
             "rejectedTitle": "Sertifikat avvist",
@@ -674,6 +678,10 @@
             "backupCopy": "Kopier passordsetning",
             "backupCopied": "Kopiert",
             "backupCopyFailed": "Kunne ikke kopiere til utklippstavlen",
+            "savePassphraseManager": "Lagre i passordbehandler",
+            "savePassphraseManagerLabel": "Fluux — passordsetning for OpenPGP-sikkerhetskopi",
+            "savePassphraseManagerSaved": "Lagret",
+            "savePassphraseManagerFallback": "Passordsetningen er kopiert — lim den inn i passordbehandleren",
             "backupRegenerate": "Generer en ny passordsetning",
             "backupPublish": "Sikkerhetskopier",
             "backupSuccess": "Nøkkel sikkerhetskopiert til server",
diff --git a/apps/fluux/src/i18n/locales/nl.json b/apps/fluux/src/i18n/locales/nl.json
index 4ecd010a..4e76ccc6 100644
--- a/apps/fluux/src/i18n/locales/nl.json
+++ b/apps/fluux/src/i18n/locales/nl.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Versleuteling vergrendeld",
+            "keyLockedTooltip": "Versleuteling vergrendeld — klik om te ontgrendelen",
+            "encryptedClickToUnlock": "Versleuteld bericht — klik om te ontgrendelen",
+            "encryptedCouldNotDecrypt": "Dit bericht kon niet worden ontsleuteld",
             "rejected": "Certificaat geweigerd",
             "rejectedTooltip": "Het OpenPGP-certificaat van de gesprekspartner is ongeldig — klik voor details",
             "rejectedTitle": "Certificaat geweigerd",
@@ -674,6 +678,10 @@
             "backupCopy": "Wachtwoordzin kopiëren",
             "backupCopied": "Gekopieerd",
             "backupCopyFailed": "Kon niet naar het klembord kopiëren",
+            "savePassphraseManager": "Opslaan in wachtwoordbeheerder",
+            "savePassphraseManagerLabel": "Fluux — wachtwoordzin voor OpenPGP-back-up",
+            "savePassphraseManagerSaved": "Opgeslagen",
+            "savePassphraseManagerFallback": "Wachtwoordzin gekopieerd — plak deze in je wachtwoordbeheerder",
             "backupRegenerate": "Nieuwe wachtwoordzin genereren",
             "backupPublish": "Back-uppen",
             "backupSuccess": "Sleutel naar server geback-upt",
diff --git a/apps/fluux/src/i18n/locales/pl.json b/apps/fluux/src/i18n/locales/pl.json
index 293348ba..56e556bd 100644
--- a/apps/fluux/src/i18n/locales/pl.json
+++ b/apps/fluux/src/i18n/locales/pl.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Szyfrowanie zablokowane",
+            "keyLockedTooltip": "Szyfrowanie zablokowane — kliknij, aby odblokować",
+            "encryptedClickToUnlock": "Wiadomość zaszyfrowana — kliknij, aby odblokować",
+            "encryptedCouldNotDecrypt": "Nie udało się odszyfrować tej wiadomości",
             "rejected": "Certyfikat odrzucony",
             "rejectedTooltip": "Certyfikat OpenPGP rozmówcy jest nieprawidłowy — kliknij, aby uzyskać szczegóły",
             "rejectedTitle": "Certyfikat odrzucony",
@@ -676,6 +680,10 @@
             "backupCopy": "Skopiuj hasło",
             "backupCopied": "Skopiowane",
             "backupCopyFailed": "Nie udało się skopiować do schowka",
+            "savePassphraseManager": "Zapisz w menedżerze haseł",
+            "savePassphraseManagerLabel": "Fluux — hasło kopii zapasowej OpenPGP",
+            "savePassphraseManagerSaved": "Zapisano",
+            "savePassphraseManagerFallback": "Hasło skopiowane — wklej je do menedżera haseł",
             "backupRegenerate": "Wygeneruj nowe hasło",
             "backupPublish": "Zapisz",
             "backupSuccess": "Klucz zapisany na serwerze",
diff --git a/apps/fluux/src/i18n/locales/pt.json b/apps/fluux/src/i18n/locales/pt.json
index cf87a27f..76e8a318 100644
--- a/apps/fluux/src/i18n/locales/pt.json
+++ b/apps/fluux/src/i18n/locales/pt.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Criptografia bloqueada",
+            "keyLockedTooltip": "Criptografia bloqueada — clique para desbloquear",
+            "encryptedClickToUnlock": "Mensagem criptografada — clique para desbloquear",
+            "encryptedCouldNotDecrypt": "Não foi possível descriptografar esta mensagem",
             "rejected": "Certificado rejeitado",
             "rejectedTooltip": "O certificado OpenPGP do interlocutor é inválido — clica para mais detalhes",
             "rejectedTitle": "Certificado rejeitado",
@@ -676,6 +680,10 @@
             "backupCopy": "Copiar a frase-passe",
             "backupCopied": "Copiada",
             "backupCopyFailed": "Não foi possível copiar para a área de transferência",
+            "savePassphraseManager": "Guardar no gestor de palavras-passe",
+            "savePassphraseManagerLabel": "Fluux — frase-passe da cópia OpenPGP",
+            "savePassphraseManagerSaved": "Guardada",
+            "savePassphraseManagerFallback": "Frase-passe copiada — cole-a no seu gestor de palavras-passe",
             "backupRegenerate": "Gerar uma nova frase-passe",
             "backupPublish": "Guardar",
             "backupSuccess": "Chave guardada no servidor",
diff --git a/apps/fluux/src/i18n/locales/ro.json b/apps/fluux/src/i18n/locales/ro.json
index 1005d9aa..2e5e2485 100644
--- a/apps/fluux/src/i18n/locales/ro.json
+++ b/apps/fluux/src/i18n/locales/ro.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Criptare blocată",
+            "keyLockedTooltip": "Criptare blocată — apasă pentru a debloca",
+            "encryptedClickToUnlock": "Mesaj criptat — apasă pentru a debloca",
+            "encryptedCouldNotDecrypt": "Nu s-a putut decripta acest mesaj",
             "rejected": "Certificat respins",
             "rejectedTooltip": "Certificatul OpenPGP al interlocutorului este invalid — apasă pentru detalii",
             "rejectedTitle": "Certificat respins",
@@ -676,6 +680,10 @@
             "backupCopy": "Copiază fraza",
             "backupCopied": "Copiat",
             "backupCopyFailed": "Copierea în clipboard a eșuat",
+            "savePassphraseManager": "Salvează în managerul de parole",
+            "savePassphraseManagerLabel": "Fluux — fraza de backup OpenPGP",
+            "savePassphraseManagerSaved": "Salvat",
+            "savePassphraseManagerFallback": "Fraza a fost copiată — lipește-o în managerul de parole",
             "backupRegenerate": "Generează o frază nouă",
             "backupPublish": "Salvează",
             "backupSuccess": "Cheia salvată pe server",
diff --git a/apps/fluux/src/i18n/locales/ru.json b/apps/fluux/src/i18n/locales/ru.json
index 6f29a1cd..539236a6 100644
--- a/apps/fluux/src/i18n/locales/ru.json
+++ b/apps/fluux/src/i18n/locales/ru.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Шифрование заблокировано",
+            "keyLockedTooltip": "Шифрование заблокировано — нажмите, чтобы разблокировать",
+            "encryptedClickToUnlock": "Зашифрованное сообщение — нажмите, чтобы разблокировать",
+            "encryptedCouldNotDecrypt": "Не удалось расшифровать это сообщение",
             "rejected": "Сертификат отклонён",
             "rejectedTooltip": "Сертификат OpenPGP собеседника недействителен — нажмите для подробностей",
             "rejectedTitle": "Сертификат отклонён",
@@ -674,6 +678,10 @@
             "backupCopy": "Скопировать парольную фразу",
             "backupCopied": "Скопировано",
             "backupCopyFailed": "Не удалось скопировать в буфер обмена",
+            "savePassphraseManager": "Сохранить в менеджере паролей",
+            "savePassphraseManagerLabel": "Fluux — парольная фраза резервной копии OpenPGP",
+            "savePassphraseManagerSaved": "Сохранено",
+            "savePassphraseManagerFallback": "Парольная фраза скопирована — вставьте её в менеджер паролей",
             "backupRegenerate": "Создать новую парольную фразу",
             "backupPublish": "Сохранить",
             "backupSuccess": "Ключ сохранён на сервере",
diff --git a/apps/fluux/src/i18n/locales/sk.json b/apps/fluux/src/i18n/locales/sk.json
index a8d1f590..1157a3d8 100644
--- a/apps/fluux/src/i18n/locales/sk.json
+++ b/apps/fluux/src/i18n/locales/sk.json
@@ -483,6 +483,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Šifrovanie uzamknuté",
+            "keyLockedTooltip": "Šifrovanie uzamknuté — kliknutím odomknite",
+            "encryptedClickToUnlock": "Šifrovaná správa — kliknutím odomknite",
+            "encryptedCouldNotDecrypt": "Túto správu sa nepodarilo dešifrovať",
             "rejected": "Certifikát zamietnutý",
             "rejectedTooltip": "OpenPGP certifikát partnera je neplatný — kliknite pre podrobnosti",
             "rejectedTitle": "Certifikát zamietnutý",
@@ -675,6 +679,10 @@
             "backupCopy": "Kopírovať heslo",
             "backupCopied": "Skopírované",
             "backupCopyFailed": "Nepodarilo sa skopírovať do schránky",
+            "savePassphraseManager": "Uložiť do správcu hesiel",
+            "savePassphraseManagerLabel": "Fluux — heslo zálohy OpenPGP",
+            "savePassphraseManagerSaved": "Uložené",
+            "savePassphraseManagerFallback": "Heslo skopírované — vložte ho do správcu hesiel",
             "backupRegenerate": "Vygenerovať nové heslo",
             "backupPublish": "Uložiť",
             "backupSuccess": "Kľúč uložený na server",
diff --git a/apps/fluux/src/i18n/locales/sl.json b/apps/fluux/src/i18n/locales/sl.json
index a127f799..1d5c8bcd 100644
--- a/apps/fluux/src/i18n/locales/sl.json
+++ b/apps/fluux/src/i18n/locales/sl.json
@@ -484,6 +484,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Šifriranje zaklenjeno",
+            "keyLockedTooltip": "Šifriranje zaklenjeno — kliknite za odklepanje",
+            "encryptedClickToUnlock": "Šifrirano sporočilo — kliknite za odklepanje",
+            "encryptedCouldNotDecrypt": "Tega sporočila ni bilo mogoče dešifrirati",
             "rejected": "Potrdilo zavrnjeno",
             "rejectedTooltip": "Potrdilo OpenPGP sogovornika ni veljavno — kliknite za podrobnosti",
             "rejectedTitle": "Potrdilo zavrnjeno",
@@ -676,6 +680,10 @@
             "backupCopy": "Kopiraj geslo",
             "backupCopied": "Kopirano",
             "backupCopyFailed": "Kopiranje v odložišče ni uspelo",
+            "savePassphraseManager": "Shrani v upravitelj gesel",
+            "savePassphraseManagerLabel": "Fluux — geslo varnostne kopije OpenPGP",
+            "savePassphraseManagerSaved": "Shranjeno",
+            "savePassphraseManagerFallback": "Geslo je kopirano — prilepi ga v svojega upravitelja gesel",
             "backupRegenerate": "Ustvari novo geslo",
             "backupPublish": "Shrani",
             "backupSuccess": "Ključ shranjen na strežnik",
diff --git a/apps/fluux/src/i18n/locales/sv.json b/apps/fluux/src/i18n/locales/sv.json
index 64011dab..1b012707 100644
--- a/apps/fluux/src/i18n/locales/sv.json
+++ b/apps/fluux/src/i18n/locales/sv.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Kryptering låst",
+            "keyLockedTooltip": "Kryptering låst — klicka för att låsa upp",
+            "encryptedClickToUnlock": "Krypterat meddelande — klicka för att låsa upp",
+            "encryptedCouldNotDecrypt": "Kunde inte dekryptera detta meddelande",
             "rejected": "Certifikat avvisat",
             "rejectedTooltip": "Samtalspartnerns OpenPGP-certifikat är ogiltigt — klicka för detaljer",
             "rejectedTitle": "Certifikat avvisat",
@@ -674,6 +678,10 @@
             "backupCopy": "Kopiera lösenfrasen",
             "backupCopied": "Kopierad",
             "backupCopyFailed": "Kunde inte kopiera till urklipp",
+            "savePassphraseManager": "Spara i lösenordshanteraren",
+            "savePassphraseManagerLabel": "Fluux — lösenfras för OpenPGP-säkerhetskopia",
+            "savePassphraseManagerSaved": "Sparat",
+            "savePassphraseManagerFallback": "Lösenfrasen kopierades — klistra in den i lösenordshanteraren",
             "backupRegenerate": "Generera en ny lösenfras",
             "backupPublish": "Säkerhetskopiera",
             "backupSuccess": "Nyckel säkerhetskopierad till server",
diff --git a/apps/fluux/src/i18n/locales/uk.json b/apps/fluux/src/i18n/locales/uk.json
index d1cc8a43..fe1e45c2 100644
--- a/apps/fluux/src/i18n/locales/uk.json
+++ b/apps/fluux/src/i18n/locales/uk.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "Message not sent — the attachment is encrypted but end-to-end encryption is unavailable. Sending would expose the file key.",
             "plaintextForced": "Encryption disabled",
             "plaintextForcedTooltip": "You've disabled encryption for this conversation — messages are sent in plaintext",
+            "keyLocked": "Шифрування заблоковано",
+            "keyLockedTooltip": "Шифрування заблоковано — натисніть для розблокування",
+            "encryptedClickToUnlock": "Зашифроване повідомлення — натисніть для розблокування",
+            "encryptedCouldNotDecrypt": "Не вдалося розшифрувати це повідомлення",
             "rejected": "Сертифікат відхилено",
             "rejectedTooltip": "Сертифікат OpenPGP співрозмовника недійсний — натисніть для подробиць",
             "rejectedTitle": "Сертифікат відхилено",
@@ -674,6 +678,10 @@
             "backupCopy": "Скопіювати парольну фразу",
             "backupCopied": "Скопійовано",
             "backupCopyFailed": "Не вдалося скопіювати в буфер обміну",
+            "savePassphraseManager": "Зберегти в менеджері паролів",
+            "savePassphraseManagerLabel": "Fluux — парольна фраза резервної копії OpenPGP",
+            "savePassphraseManagerSaved": "Збережено",
+            "savePassphraseManagerFallback": "Парольну фразу скопійовано — вставте її в менеджер паролів",
             "backupRegenerate": "Створити нову парольну фразу",
             "backupPublish": "Зберегти",
             "backupSuccess": "Ключ збережено на сервері",
diff --git a/apps/fluux/src/i18n/locales/zh-CN.json b/apps/fluux/src/i18n/locales/zh-CN.json
index e2b2bcda..7b01b08c 100644
--- a/apps/fluux/src/i18n/locales/zh-CN.json
+++ b/apps/fluux/src/i18n/locales/zh-CN.json
@@ -482,6 +482,10 @@
             "attachmentKeyWouldLeak": "消息未发送 — 附件已加密，但端到端加密不可用。发送将暴露文件密钥。",
             "plaintextForced": "加密已禁用",
             "plaintextForcedTooltip": "您已为此对话禁用加密 — 消息将以明文形式发送",
+            "keyLocked": "加密已锁定",
+            "keyLockedTooltip": "加密已锁定 — 点击解锁",
+            "encryptedClickToUnlock": "加密消息 — 点击解锁",
+            "encryptedCouldNotDecrypt": "无法解密此消息",
             "rejected": "证书被拒绝",
             "rejectedTooltip": "对方的 OpenPGP 证书无效 — 点击查看详情",
             "rejectedTitle": "证书被拒绝",
@@ -674,6 +678,10 @@
             "backupCopy": "复制密码短语",
             "backupCopied": "已复制",
             "backupCopyFailed": "无法复制到剪贴板",
+            "savePassphraseManager": "保存到密码管理器",
+            "savePassphraseManagerLabel": "Fluux — OpenPGP 备份密码短语",
+            "savePassphraseManagerSaved": "已保存",
+            "savePassphraseManagerFallback": "密码短语已复制 — 请粘贴到您的密码管理器",
             "backupRegenerate": "生成新的密码短语",
             "backupPublish": "备份",
             "backupSuccess": "密钥已备份到服务器",
diff --git a/apps/fluux/src/stores/webUnlockDialogStore.ts b/apps/fluux/src/stores/webUnlockDialogStore.ts
new file mode 100644
index 00000000..a3bd6014
--- /dev/null
+++ b/apps/fluux/src/stores/webUnlockDialogStore.ts
@@ -0,0 +1,31 @@
+import { create } from 'zustand'
+
+/**
+ * Cross-component control for the {@link UnlockEncryptionDialog} mount.
+ *
+ * The dialog is rendered once at the App root and any component (chat
+ * header lock icon, encrypted-message placeholder, settings page) can
+ * open it by calling `openWebUnlockDialog()`. Keeping the open flag in a
+ * zustand store avoids prop-drilling a setter through the component tree
+ * and prevents duplicate dialog mounts.
+ */
+interface WebUnlockDialogState {
+  isOpen: boolean
+  openWebUnlockDialog: () => void
+  closeWebUnlockDialog: () => void
+}
+
+export const useWebUnlockDialogStore = create<WebUnlockDialogState>((set) => ({
+  isOpen: false,
+  openWebUnlockDialog: () => set({ isOpen: true }),
+  closeWebUnlockDialog: () => set({ isOpen: false }),
+}))
+
+/**
+ * Imperative open — for non-React code paths (e.g. connect-time auto
+ * detection in App.tsx) that need to surface the dialog without going
+ * through a hook.
+ */
+export function openWebUnlockDialog(): void {
+  useWebUnlockDialogStore.getState().openWebUnlockDialog()
+}
diff --git a/apps/fluux/src/utils/saveCredentialToManager.test.ts b/apps/fluux/src/utils/saveCredentialToManager.test.ts
new file mode 100644
index 00000000..11d2e209
--- /dev/null
+++ b/apps/fluux/src/utils/saveCredentialToManager.test.ts
@@ -0,0 +1,136 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { saveCredentialToManager } from './saveCredentialToManager'
+
+interface MutableGlobal {
+  PasswordCredential?: unknown
+}
+
+const mutableGlobal = globalThis as MutableGlobal
+
+describe('saveCredentialToManager', () => {
+  const originalCredentials = navigator.credentials
+  const originalPasswordCredential = mutableGlobal.PasswordCredential
+
+  beforeEach(() => {
+    delete mutableGlobal.PasswordCredential
+    Object.defineProperty(navigator, 'credentials', {
+      value: undefined,
+      configurable: true,
+      writable: true,
+    })
+  })
+
+  afterEach(() => {
+    if (originalPasswordCredential === undefined) {
+      delete mutableGlobal.PasswordCredential
+    } else {
+      mutableGlobal.PasswordCredential = originalPasswordCredential
+    }
+    Object.defineProperty(navigator, 'credentials', {
+      value: originalCredentials,
+      configurable: true,
+      writable: true,
+    })
+  })
+
+  it('returns "unsupported" when PasswordCredential is missing', async () => {
+    Object.defineProperty(navigator, 'credentials', {
+      value: { store: vi.fn() },
+      configurable: true,
+      writable: true,
+    })
+
+    const result = await saveCredentialToManager({
+      id: 'openpgp-passphrase',
+      name: 'Fluux — OpenPGP backup passphrase',
+      password: 'correct horse battery staple',
+    })
+
+    expect(result).toBe('unsupported')
+  })
+
+  it('returns "unsupported" when credentials.store is missing', async () => {
+    mutableGlobal.PasswordCredential = class {
+      constructor(_data: unknown) {}
+    }
+
+    const result = await saveCredentialToManager({
+      id: 'openpgp-passphrase',
+      name: 'Fluux — OpenPGP backup passphrase',
+      password: 'correct horse battery staple',
+    })
+
+    expect(result).toBe('unsupported')
+  })
+
+  it('returns "saved" when credentials.store resolves', async () => {
+    const constructed: Array<{ id: string; password: string; name: string }> = []
+    mutableGlobal.PasswordCredential = class {
+      constructor(data: { id: string; password: string; name: string }) {
+        constructed.push(data)
+      }
+    }
+    const store = vi.fn().mockResolvedValue(undefined)
+    Object.defineProperty(navigator, 'credentials', {
+      value: { store },
+      configurable: true,
+      writable: true,
+    })
+
+    const result = await saveCredentialToManager({
+      id: 'openpgp-passphrase',
+      name: 'Fluux — OpenPGP backup passphrase',
+      password: 'correct horse battery staple',
+    })
+
+    expect(result).toBe('saved')
+    expect(constructed).toEqual([
+      {
+        id: 'openpgp-passphrase',
+        password: 'correct horse battery staple',
+        name: 'Fluux — OpenPGP backup passphrase',
+      },
+    ])
+    expect(store).toHaveBeenCalledTimes(1)
+  })
+
+  it('returns "failed" when credentials.store rejects', async () => {
+    mutableGlobal.PasswordCredential = class {
+      constructor(_data: unknown) {}
+    }
+    Object.defineProperty(navigator, 'credentials', {
+      value: { store: vi.fn().mockRejectedValue(new Error('user dismissed')) },
+      configurable: true,
+      writable: true,
+    })
+
+    const result = await saveCredentialToManager({
+      id: 'openpgp-passphrase',
+      name: 'Fluux — OpenPGP backup passphrase',
+      password: 'correct horse battery staple',
+    })
+
+    expect(result).toBe('failed')
+  })
+
+  it('returns "failed" when the constructor throws', async () => {
+    mutableGlobal.PasswordCredential = class {
+      constructor(_data: unknown) {
+        throw new Error('invalid credential')
+      }
+    }
+    Object.defineProperty(navigator, 'credentials', {
+      value: { store: vi.fn() },
+      configurable: true,
+      writable: true,
+    })
+
+    const result = await saveCredentialToManager({
+      id: 'openpgp-passphrase',
+      name: 'Fluux — OpenPGP backup passphrase',
+      password: 'correct horse battery staple',
+    })
+
+    expect(result).toBe('failed')
+  })
+})
diff --git a/apps/fluux/src/utils/saveCredentialToManager.ts b/apps/fluux/src/utils/saveCredentialToManager.ts
new file mode 100644
index 00000000..4cb8ebdf
--- /dev/null
+++ b/apps/fluux/src/utils/saveCredentialToManager.ts
@@ -0,0 +1,46 @@
+/**
+ * Thin wrapper around the W3C Credential Management API for saving a
+ * password to the user's password manager. Returns a discriminated outcome
+ * so callers can fall back to clipboard + toast when the API is missing or
+ * the user dismisses the native prompt.
+ *
+ * Support matrix:
+ * - Chromium-based (Chrome, Edge, Tauri Windows WebView2): full support
+ * - Safari, Firefox, Tauri macOS WKWebView, Tauri Linux WebKitGTK: 'unsupported'
+ */
+
+export type SaveCredentialOutcome = 'saved' | 'unsupported' | 'failed'
+
+export interface SaveCredentialOptions {
+  /** Stable identifier the PM uses to match save and autofill across sessions. */
+  id: string
+  /** Human-readable name shown in the PM entry list. */
+  name: string
+  /** The secret to store. */
+  password: string
+}
+
+interface PasswordCredentialCtor {
+  new (data: { id: string; password: string; name: string }): Credential
+}
+
+export async function saveCredentialToManager(
+  opts: SaveCredentialOptions
+): Promise<SaveCredentialOutcome> {
+  const Ctor = (globalThis as { PasswordCredential?: PasswordCredentialCtor })
+    .PasswordCredential
+  const store = navigator.credentials?.store?.bind(navigator.credentials)
+  if (!Ctor || !store) return 'unsupported'
+
+  try {
+    const credential = new Ctor({
+      id: opts.id,
+      password: opts.password,
+      name: opts.name,
+    })
+    await store(credential)
+    return 'saved'
+  } catch {
+    return 'failed'
+  }
+}