KeePassXC password manager: open-source and free from lock-in

Q: Can I access the same KDBX vault on all platforms?

Yes. The KDBX format is cross-platform, so the same database works on Linux, Windows, macOS, and Android without needing conversion.

Q: How can I strengthen my KeePassXC vault?

Use Argon2id with increased memory and iterations, add an offline key file, and enable auto-lock on inactivity or suspend.

Q: Is cloud sync necessary for KeePassXC?

No. You can keep the database local, sync with Syncthing or Git, or transfer it manually on encrypted media.

Q: Which Android client is best to use?

KeePassDX on F-Droid prioritises privacy; KeePass2Android is dependable on the Play Store. Both open the same KDBX file.

Q: What if I lose my master password?

Without the master password (and key file, if used), recovery is impossible. Keep offline backups of both.

Last Update 29/01/2026

KeePassXC is a local-first, open-source password manager that keeps all your credentials in a single offline KDBX vault under your full control.

Use it as a Linux desktop password manager, then access the same vault on Android with trusted apps like KeePassDX or KeePass2Android.

KeePassXC password manager displaying an encrypted offline KDBX vault with credentials stored locally only — KeePassXC stores passwords in a locally encrypted vault, avoiding cloud dependency or subscription fees.

Contents

Why KeePassXC is still the most secure choice

Security designed for auditing

KeePassXC is entirely open source, allowing you to review the code and avoid any hidden telemetry.

Vaults stored locally first

Your KDBX vault remains offline unless you choose to sync it yourself.

Access across multiple platforms

A single portable KDBX database works on Linux, Windows, macOS, and Android.

Robust cryptography by default, using Argon2id and up-to-date ciphers.
Supports hardware tokens (YubiKey, Nitrokey) for keyfiles or challenge-response authentication.
No subscriptions or paywalls—security without extra charges.

Recommended hardware key for KeePassXC

Security pick

Nitrokey 3A USB security key

A hardware key adds an extra layer of protection for your vault and supports offline workflows.

Shop on Amazon

A single portable vault file for all devices

Your KeePass database consists of a single .kdbx file. You can keep the KDBX vault on an encrypted USB drive, a private Git repository, or your own storage server.

Opening it on another device requires no account—just your master password (and key file, if set up).

Use version-controlled sync tools like Syncthing or Git to prevent conflicts and maintain offline backups. Decryption occurs locally, so your offline password manager never exposes secrets to third parties.

Official apps and reliable partners

Use these supported clients that adhere to the open KeePass standard.

KeePassXC (Windows & Linux) KeePassDX (Android) KeePass2Android (Android)

Platform	Package or source	Notes
Linux	Distribution repositories, Flatpak, AppImage	Prefer distribution packages for updates; Flatpak provides sandboxing.
Windows	Signed installer, portable version	Enable auto-lock on resume and use Windows Hello solely for unlocking convenience.
Android	KeePassDX (F-Droid) or KeePass2Android	Enable clipboard clearing; use biometrics only for local unlocking.
Browsers	KeePassXC-Browser (Firefox/Chromium)	Uses the active desktop client—no cloud bridge needed.

Checklist for securing your vault

Create a strong, unique master password and optionally add an offline key file.
Use Argon2id with high memory (64–128 MB) and iterations to deter brute-force attacks.
Organise entries, add tags, and save TOTP secrets to generate codes offline.
Set automatic lock on inactivity, sleep, or screen lock.
Back up the .kdbx file and key file to an encrypted offsite location.

Suggested workflows

Linux and Windows desktops

Run KeePassXC with browser integration enabled only for trusted profiles.
Use SSH agent forwarding from KeePassXC for Git or server access to avoid saving keys on disk.
Keep infrastructure secrets (API tokens, database logins) in separate entry groups per project.

Android

Install from F-Droid to avoid trackers and ensure reproducible builds.
Store the database in device-encrypted storage; avoid third-party cloud folders.
Allow quick unlock with biometrics only after the master password has been entered once per session.

Sync and backup methods

Select a sync method that keeps your KDBX file under your control:

Syncthing: Peer-to-peer, end-to-end encrypted, ideal for family or team sharing.
Git : Version history with signed commits; avoid public remotes and rotate credentials regularly.
Self-hosted storage: WebDAV or SFTP on your own server, using key-based authentication only.
Offline rotation: Regular copies to an encrypted drive stored offsite to recover from ransomware.

Apps I do not recommend

These services add complexity, restrict key features behind paywalls, or have a history of issues:

LastPass: Multiple breaches and essential features locked behind the Pro tier.
Dashlane: Cloud-only model with limited control over vault storage.
1Password: Closed-source sync backend and subscription-only access.
Bitwarden: Cloud-only plans: convenient but self-hosted or KeePassXC provide better control.

Frequently asked questions

01 Can I access the same KDBX vault on all platforms?

02 How can I strengthen my KeePassXC vault?

03 Is cloud sync necessary for KeePassXC?

04 Which Android client is best to use?

05 What if I lose my master password?

Additional reading and internal resources

Keep enhancing your privacy setup with these guides: