diff --git a/THREAD_SAFETY.md b/THREAD_SAFETY.md
index d8087cf..3446ac1 100644
--- a/THREAD_SAFETY.md
+++ b/THREAD_SAFETY.md
@@ -23,6 +23,7 @@ Notes:
 * Sodium::Cipher::SecretStream
 * Sodium::Digest::Blake2b
 * Sodium::Kdf
+* Sodium::SecureBuffer
 Notes:
 * Use one instance per thread or wrap in a `Mutex`.
diff --git a/spec/sodium/secure_buffer_spec.cr b/spec/sodium/secure_buffer_spec.cr
index 6544047..a91cd23 100644
--- a/spec/sodium/secure_buffer_spec.cr
+++ b/spec/sodium/secure_buffer_spec.cr
@@ -41,9 +41,10 @@ describe Sodium::SecureBuffer do
 buf.readwrite
 buf2 = buf.dup
- buf2.readonly
+ buf2.@state.should eq Sodium::SecureBuffer::State::Readwrite
 buf[0] = 0_u8
+ buf2[0] = 0_u8
 end
 it "transitions correctly" do
diff --git a/src/sodium/secure_buffer.cr b/src/sodium/secure_buffer.cr
index d4d01ea..89bb996 100644
--- a/src/sodium/secure_buffer.cr
+++ b/src/sodium/secure_buffer.cr
@@ -13,6 +13,7 @@ module Sodium
 end
 enum State
+ Cloning
 Wiped
 Noaccess
 Readonly
@@ -49,11 +50,14 @@ module Sodium
 # For .dup
 def initialize(sbuf : self)
 initialize sbuf.bytesize
+ # Maybe not thread safe
 sbuf.readonly do
 sbuf.to_slice.copy_to self.to_slice
 end
- readonly
+
+ @state = State::Cloning
+ set_state sbuf.@state
 end
 def wipe
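Review bot: The updated `dup` example in spec/sodium/secure_buffer_spec.cr only exercises a source that is in `Readwrite`, so the property that matters for a protected buffer (a copy never ends up with looser protection than its source) is untested for `Readonly` and `Noaccess` sources. Add sibling cases along the lines of `buf.readonly` followed by `buf.dup.@state.should eq Sodium::SecureBuffer::State::Readonly`. It is also worth asserting that the source is back in its original state after the copy, because the constructor switches it to readonly while copying. The opening lines of the example are outside the hunk.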
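Review bot: `Cloning` is inserted as the first member of `State` in src/sodium/secure_buffer.cr with no comment, so it takes the enum's first value and every existing member's numeric value moves up by one. If nothing depends on those values this is harmless, but appending the member after the existing ones avoids the question. Either way it needs a line such as `# Transitional: set only by initialize(sbuf) before set_state applies the source's state`. The rest of the enum is outside the hunk.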
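Review bot: The new comment `# Maybe not thread safe` in `initialize(sbuf : self)` leaves the reader to guess at the hazard. `sbuf.readonly do … end` appears to change the source's protection for the duration of the copy, and `sbuf.@state` is read only after that block, so another thread using `sbuf` in between could find it in an unexpected state or alter the state that is then applied to the copy. Say so directly, e.g. `# Not thread safe: temporarily makes sbuf readonly; callers sharing sbuf must hold a Mutex around dup`. It is also worth confirming what `set_state` does when the source is `Wiped`, which this hunk does not show.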