For Android: download from F-Droid. Note: KeePassXC as an AppImage is a portable version for GNU/Linux; you can learn here how to run it. For Android, there is KeePassDX, a mobile app which is compatible with, but not developed by, KeePassXC.

Get KeePass for all of the devices you want to use

KeePassXC can be downloaded for desktop operating systems, while mobile devices can use interoperable versions of KeePass. Download it for the devices you want to use. Windows, Mac, and Linux users: download KeePassXC here. Android users, consider KeePass2Android. iPhone users, consider Strongbox.

A few months ago I started using KeePass as my main password manager. On my desktop, I use KeePassXC with sync to OneDrive and on my Android phone I use Keepass2Android. Unfortunately, browser auto-fill in Keepass2Android works quite badly in my case, so I want to try some other KeePass clients.

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
Frequently Asked Questions
Questions
General
Security
AppImage and Snap package
Key Files
YubiKey / OnlyKey
Browser integration
SSH Agent
Platform-specific
Development
Answers
General
- Why KeePassXC instead of KeePassX?
- KeePassX is an amazing password manager, but hasn't seen much active development for quite a while. Many good pull requests were never merged and the original project is missing some features which users can expect from a modern password manager. Hence, we decided to fork KeePassX to continue its development and provide you with everything you love about KeePassX plus many new features and bugfixes.
- Why KeePassXC instead of KeePass?
- KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.
KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms, giving you the best-possible platform integration.
- Which password database formats are compatible with KeePassXC?
- KeePassXC currently uses the KeePass 2.x (.kdbx) password database format as its native file format in versions 3.1 and 4. Database files in version 2 can be opened, but will be upgraded to a newer format. KeePass 1.x (.kdb) databases can be imported into a .kdbx file, but this process is one-way.
- Why is there no cloud synchronization feature built into KeePassXC?
- Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
- Does KeePassXC support (KeePass2) plugins?
- No, KeePassXC does not support plugins at the moment. We are thinking about providing some kind of plugin infrastructure or external API in the future, but cannot specify how it will work or when it will be ready.
- How can I add additional word lists to the passphrase generator?
- You can add additional word lists to the passphrase generator by copying the word list file to the share/wordlists folder inside your KeePassXC installation directory and then restarting KeePassXC.
On Linux, the default install location is /usr/share/keepassxc, on macOS it's /Applications/KeePassXC.app/Contents/Resources and on Windows C:\Program Files\KeePassXC (or C:\Program Files (x86)\KeePassXC for 32-bit).
Security
In any case, keep in mind that:
- An audit is not a 100% proof that a software is safe and secure. Some flaws can be overlooked even by the best auditors.
- An audit is valid only for a “snapshot” of the code. If new code is added, new vulnerabilities can be introduced.
-DWITH_XC_NETWORKING=OFF (see Building KeePassXC).
AppImage and Snap package
- How do I execute an AppImage?
- The AppImage is a self-contained executable archive, comparable to an Android APK or macOS DMG. To execute it, simply give the downloaded *.AppImage file execution permissions. After that you can execute it either from the terminal or by double clicking it just like any other program.
- What systems can I use the AppImage or Snap package on?
- The AppImage should run out of the box on almost any moderately modern Linux distribution. The Snap is supported on all systems that have snapd installed. This is primarily Ubuntu, but also Debian, Fedora, OpenSUSE, Arch Linux and many more. For a full list and more information visit snapcraft.io. Note that not all systems that can run Snaps also support confinement via AppArmor.
- How do I use the KeePassXC CLI tool with the AppImage?
- Starting with version 2.2.2, you can run the KeePassXC CLI tool from the AppImage by executing it with the cli argument.
- Why doesn't my theme work?
- Since Snaps and AppImages are self-contained and mostly isolated from your system, they cannot know what theme you are currently running. This is a known issue with both Snaps and AppImages.
- How do I get my YubiKey to work with the Snap?
- Due to a Snap's isolation and security settings, you must manually enable the raw-usb interface in order to use your YubiKey. Issue the following command from a terminal to enable this interface:
- Why can't I see anything outside my home directory?
- Due to Snap's isolation and security settings, you cannot access any files outside your home directory. Furthermore, you cannot access any hidden files within your home directory. The only exception is mounted USB drives, but you must type /media/ into the file open dialog to see them.
If you still cannot access the /media/ directory then you may need to enable this permission in the Ubuntu store. Open the Ubuntu store, choose the KeePassXC app, and click permissions.
Key Files
- What is a key file and how can I get one?
- A key file is a file containing random bytes that can be added to your master key for additional security. Think of it as a really complicated and long password that is read from a file, so you don't have to remember or type it into your master password field. You can basically use any file you want as a key file, but it is of utmost importance that a) the file never changes and b) it actually contains unpredictable data. If the file changes, it is as if you forgot your password and you will lose access to your database. On the other hand, if the data is not random enough, then it's a really bad password. So, for instance, a static and never-changing holiday picture is okay, your personal notes file is not. Generally, we recommend you let KeePassXC generate a dedicated key file for you. Go to Database -> Database Settings -> Security. There you click on Add Key File and then on Generate. Select the location where to save the key file, make sure the path to the new file is inserted into the Key File field, and save your database. Don't forget to keep a backup of the key file in a safe place!
- How secure is a key file and how can I sync it to other devices?
- A key file is only as secure as you keep it. It is basically a password that you've written down. As a general rule, you should never use a key file without an actual password, because it is harder to keep your key file secret than a memorized password that only you know. However, a key file can be very strong additional protection if kept separately from the database file, such as on an external thumb drive. If you sync your database via a cloud provider (Dropbox, Google Drive, Nextcloud, …), you should only sync the KDBX file and distribute the key file to your computers by different means, such as said thumb drive. But whatever you do, keep a backup in a safe location! If you lose your key file, you lose your database. Keep in mind that USB thumb drives are notoriously unreliable, break easily, or get lost. If you can afford it, we recommend you use a hardware token such as a YubiKey or OnlyKey instead of a key file (see next section). Such a key adds an even greater amount of security, but with fewer potential pitfalls.
YubiKey / OnlyKey
- Does KeePassXC support two-factor authentication (2FA) with YubiKeys or OnlyKeys?
- Yes and no. KeePassXC supports YubiKeys for securing a database, but strictly speaking, it's not two-factor authentication. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database. So in a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since the expected response doesn't change every time you try to decrypt your database. It does, however, change every time you save your database.
- How do I configure my YubiKey / OnlyKey for use with KeePassXC?
- To use a YubiKey or OnlyKey for securing your KeePassXC database, you have to configure one of your YubiKey / OnlyKey slots for HMAC-SHA1 Challenge Response mode (see this video for how to do this). Once your YubiKey (or OnlyKey, you got the point…) is set up, open your database in KeePassXC, go to File / Change master key, enable Challenge Response and then save the database.
Important: Always make a copy of the secret that is programmed into your YubiKey while you configure it for HMAC-SHA1 and store it in a secure location. If you lose or brick the key or accidentally reprogram it with a different secret, you will permanently lose access to your database!
- When I use KeeChallenge with KeePass2, it creates an extra file. Why do I have no such file when using KeePassXC?
- Our implementation differs from how KeeChallenge handles YubiKeys. KeeChallenge uses the HMAC secret directly to enhance the database. To make this work, they need to store the secret in a side-car file, encrypted with the response of a challenge-response pair that is calculated ahead of time. In KeePassXC, we do not require any knowledge of the HMAC secret. We use the database's master key as challenge and then use the response to encrypt the database. That way we do not need an extra file and also gain the advantage that the required response changes every time you save the database, which resembles actual two-factor authentication more closely.
- When I secure my database in KeePass2 with a YubiKey, I can't open it in KeePassXC (or vice versa), why?
- Due to the fact that our YubiKey implementation differs from KeeChallenge's, they are inherently incompatible (see question above). If you need compatibility between KeePass2 and KeePassXC, you cannot use YubiKeys at the moment.
- Why only HMAC-SHA1? Why not FIDO-U2F or TOTP?
- Both FIDO-U2F and TOTP require a dynamic component (i.e., a counter or timestamp) for successful authentication. This is perfect for authenticating at an online service, but doesn't work for an offline database which needs to be encrypted with a fixed key. HMAC-SHA1, on the other hand, can be computed ahead of time as it only needs a fixed secret and no dynamic component of any kind.
- But the feature list says KeePassXC supports TOTP. I am confused.
- We do support generation of timed one-time passwords (TOTP), but do not (and cannot) support it for securing your KeePassXC database. KeePassXC allows you to store TOTP secrets for online services inside a database and generates the corresponding timed one-time passwords for you. For TOTP, see also the question KeePassXC allows me to store my TOTP secrets. Doesn't this alleviate any advantage of two-factor authentication?
- What happens if I break my YubiKey? Can I create backup keys?
- You should always make a copy of the HMAC secret that is stored on the YubiKey and keep it in a secure location. This can be an analog paper copy, but since the YubiKey personalization tool allows you to program a custom secret into the key, you may as well program a second key with the same secret.
- Can I register multiple YubiKeys with my KeePassXC database?
- You can only use a single secret for encrypting the database. So you can use multiple YubiKeys, but they all have to be programmed with the same secret (see question above).
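A simplified model of the challenge-response scheme described in the answers above, added here as an illustration and not KeePassXC's own code. The key derivation (plain SHA-256), the fresh random challenge per save, the function names and the secrets are assumptions made for the example; it shows why a second token with the same secret works as a backup and why the expected response is fixed for one saved file but changes on the next save.

```python
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What a slot in HMAC-SHA1 challenge-response mode returns for a challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_key(password: str, response: bytes) -> bytes:
    """Assumed, simplified derivation: SHA-256 over password hash and response.
    A real database would additionally run this through a slow KDF."""
    pw = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw + hashlib.sha256(response).digest()).digest()


def save(password: str, secret: bytes) -> tuple:
    """Saving draws a fresh challenge (assumption), so the expected response changes."""
    header = {"challenge": secrets.token_bytes(32)}  # stored unencrypted in the file
    key = derive_key(password, token_response(secret, header["challenge"]))
    return header, key


def unlock(header: dict, password: str, secret: bytes) -> bytes:
    """Opening replays the stored challenge against whichever token is plugged in."""
    return derive_key(password, token_response(secret, header["challenge"]))


def demo() -> dict:
    primary = bytes.fromhex("00112233445566778899aabbccddeeff01234567")  # constructed
    backup = primary                  # second token programmed with the same secret
    other = secrets.token_bytes(20)   # token reprogrammed with a different secret
    header1, key1 = save("correct horse", primary)
    header2, _ = save("correct horse", primary)
    resp1 = token_response(primary, header1["challenge"])
    return {
        "backup_token_opens": unlock(header1, "correct horse", backup) == key1,
        "reprogrammed_token_opens": unlock(header1, "correct horse", other) == key1,
        # Same file, same challenge: the response never varies, unlike an OTP.
        "response_fixed_for_one_file": resp1 == token_response(backup, header1["challenge"]),
        "response_changes_on_save": resp1 != token_response(primary, header2["challenge"]),
        "password_still_required": unlock(header1, "wrong", primary) != key1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```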
Browser integration
- Showing context menus on password fields (menus.ContextType)
- HTTP Auth support (webRequest.onAuthRequired)
- Use 'Choose custom login fields' for this page from the popup. Username and password fields can be skipped if not needed.
- Now additional fields called String Fields can be chosen. Note that they are numbered sequentially. Dropdown elements can also be chosen. Remember the order in which they are selected.
- After choosing the String Fields, go to your KeePassXC client and create attributes prefixed with 'KPH: ' in the order you chose them above. The attribute values you supply will be filled in that order.
- If you wish, you may add further characters after the 'KPH: ' attribute name to help you remember its purpose. They are ignored by the extension. Only the sequential order of 'KPH: ' attributes matches the fields, not the further characters you can add.
- An example using the page https://meine.deutsche-bank.de/trxm/db/:
  - Choose custom login fields for this page and select Branch, Account and Sub-account as String Fields after selecting or skipping username and password field.
  - Go to your entry, Advanced and add the following attributes (in this order):
    - KPH: Account
    - KPH: Branch
    - KPH: Sub-account
SSH Agent
- How does the SSH Agent work?
- The SSH Agent feature is supported on all target platforms (Linux, macOS and Windows) and it acts as a client for an existing agent. It can automatically add SSH keys from your KeePassXC database to a running SSH agent when unlocked and remove them when locked.
On Linux, most desktops are already running an agent without any set up required.
On Windows, you need to have Pageant running. It is part of the PuTTY suite.
On macOS, ssh-agent is running by default and no further setup is required.
- What SSH key types are supported?
- Most SSHv2 key types are supported (DSA, RSA and Ed25519), including encrypted keys. ECDSA keys are only supported with the new OpenSSH file format. 3DES-encrypted keys are not supported and we highly recommend upgrading them for external storage or storing them decrypted inside the database.
SSHv1 keys are not supported.
PuTTY format key files (.ppk) are not supported. You can use PuTTY Key Generator (puttygen.exe) to convert your keys to OpenSSH format.
RFC4716 format key files are not supported.
- Why are the agent buttons greyed out / why doesn't it work?
- On Linux or macOS, you need to have ssh-agent running and the SSH_AUTH_SOCK environment variable available for KeePassXC at launch. The Arch Linux wiki has a generic guide on how to manually run ssh-agent if it's not already set up. Sometimes other applications like GNOME Keyring or gpg-agent already provide a compatible agent that also works with KeePassXC.
On Windows, Pageant needs to be running, see How does the SSH Agent work?.
- How do I set up a passphrase for encrypted keys?
- The SSH Agent feature uses the entry password field as the decryption key.
- Why does the public key (seem to) have no comment?
- When using normal DSA or RSA keys, the private key file does not contain any embedded text. In that case, the entry username field is used as the public key comment. It is also sent to the agent when adding a key and is visible in the agent when listing keys.
If you are using Ed25519 keys or have converted your old key to the new OpenSSH file format, the comment is embedded in the key file which is then used by KeePassXC. You can use ssh-keygen to modify the comment.
- I'm already using KeeAgent, is KeePassXC compatible with it?
- Yes, mostly. KeeAgent supports more key types and provides a custom agent, but otherwise you can use the same database with KeeAgent and KeePassXC.
- Why is Pageant refusing my keys?
- Pageant does not support confirm-on-use or automatic removal of key after a timeout. There doesn't seem to be any alternative to Pageant for Windows that supports both of them.
- Why is OpenSSH ssh-agent refusing my keys?
- If you are using the confirm-on-use option for your keys, ssh-agent needs to have a 'ssh-askpass' program available.
On Linux it depends on your distribution and desktop environment how to install and configure one as there are several available.
On macOS, you need a third party program like theseal/ssh-askpass.
- I'm getting protocol or connection errors, what's wrong?
- If you are using GNOME Keyring, it is known to be buggy and the SSH Agent implementation fairly incomplete prior to release 3.27.92. You are encouraged to use OpenSSH ssh-agent if you are stuck with an older version.
Known limitations of older versions include no support for Ed25519 keys, no support for confirm-on-use and incorrect implementation of the agent protocol causing protocol errors.
- I'm getting a 'Too many authentication failures' error, what shall I do?
- SSH will try all available identity files in sequence when connecting to a server. If you export many SSH keys at a time, you'll very likely experience a 'Received disconnect from {port}: Too many authentication failures' error. To solve this issue, you'll have to tell SSH which identity file to use. Either use the -i command line option or the IdentityFile directive in your OpenSSH config file (~/.ssh/config) to pass the path to the respective private key file.
If you use the IdentityFile directive, you likely want to use the IdentitiesOnly directive, too. The Arch Linux wiki has a generic guide on how to manage multiple keys.
If you prefer storing your private key inside your database using an attachment, you can still do so. Instead of letting the IdentityFile directive point to a private key file, let it point to your public key file. The SSH Agent will use the provided information to select the correct private key.
Platform-specific
- For Android, we recommend KeePass2Android (it's open-sourced on GitHub)
- And for iOS, we suggest Strongbox (also open-sourced on GitHub)
~/.config/kdeglobals: If you are like us and think this is a stupid feature, please consider voicing your concerns to the KDE guys.
appmenu-qt5.
You have 3 options:
- Remove the appmenu-qt5 package
- Set the environment variable UBUNTU_MENUPROXY='
- Set the environment variable QT_QPA_PLATFORMTHEME='
Development
- Why do I get an error when I try to build from source for this platform?
- Please follow every step from our wiki page.
The number of services offering (or even demanding) two-factor authentication (2FA) is ever-increasing. This has encouraged me to find a more resilient strategy for how I store, manage, and back up my secret keys. My old approach relied solely on using time-based one-time password (TOTP) applications capable of exporting and importing 2FA accounts.
The limitations of this strategy became painfully evident when I wanted to use a TOTP authenticator on my iPad. Unsurprisingly, the TOTP application I was using on Android was not available for iOS, and thus my export and import strategy failed at the very first hurdle.
After exporting 26 2FA accounts in clear-text and painstakingly adding them one-by-one with the TOTP authenticator on the iPad, I concluded that the ability to export and import 2FA accounts wasn’t the be-all and end-all solution I expected it to be.
Why KeePassXC?
Simply put, I want an open-source cross-platform password manager for the desktop, capable of handling TOTP. It will function as my primary backup and safe storage while allowing me to configure additional mobile authenticators on the fly. No more returning to work after hours to pick up the cell phone I left behind with my only authenticator.
Show me the keys
When configuring two-factor authentication for a service, you’ll receive a shared secret key to configure your TOTP authenticator. Granted, this is usually provided in the shape of a QR code that your authenticator scans and subsequently uses to set up the account.
The QR code is just a specially crafted URI containing the secret key, issuer, label, and algorithm. The majority of 2FA capable services nowadays provide you with the secret key during configuration, but in case they don’t, any QR code scanner may be used to retrieve the required information.
Setting up TOTP with KeePassXC
I’ll create a separate KeePassXC database for my 2FA accounts as I don’t want to store them together with the actual account credentials (you could though) for which they provide 2FA. KeePassXC will give me a fallback option when I don’t have access to my mobile authenticator. Additionally, it will come in handy every time I need to install an authenticator for a new device.
Anyhow, the first step is to add a new entry to the database and then right-click it to select TOTP => Set up TOTP. Paste in the secret key you previously extracted and click OK. When you right-click the entry once more and select TOTP, you’ll have a few additional options:
- Copy TOTP: Copy the time-based one-time password for authentication.
- Show TOTP: Show the time-based one-time password for authentication.
- Show TOTP QR Code: Generate a QR code that you can scan and import with your favorite mobile TOTP authenticator. The entry title will be used for the issuer, and if you provided a username it will be used for the label.
- Set up TOTP: Show the secret key used for the account.
The dark side clouds everything
With this configuration, there is no need to rely on any proprietary software or services. I don’t have any interest in cloud synchronization and backup in exchange for vendor lock-in and total lack of privacy.
Free open source authenticators:
- KeePassXC is a cross-platform password manager.
- andOTP is a two-factor authentication App for Android*
- FreeOTP Plus is a two-factor authentication App for Android*
- iOS Authenticator is a two-factor authentication App for iOS.
- Windows Authenticator is a two-factor authentication App for Windows.
*= Get it on F-Droid.