Local-first password security

KeePassXC password manager: private local vault guide

KeePassXC is designed for users seeking password security without uploading their vault to a provider. It stores logins, passkeys, notes, TOTP codes, and SSH secrets in a local KDBX database unlocked only by your master secret.

This guide covers when KeePassXC suits you, safe setup, syncing without losing control, and potential pitfalls with browser integration, mobile apps, backups, and hardware keys.

The concise summary

KeePassXC suits those who want full ownership. It’s not the simplest for families, emergency recovery, or team sharing. A safe setup involves a strong master password, tested backup, auto-lock, careful browser pairing, and an offline recovery note.

Choose KeePassXC if: you want a local KDBX vault and are confident managing backups yourself.
Opt for a cloud manager if: you require simple sharing, web access, emergency recovery, or reduced maintenance.
Do first: create the vault, note the recovery details, test a backup, then import existing passwords.

When KeePassXC is a strong choice

KeePassXC performs best when you take full responsibility for security. There’s no provider account, subscription, server-side vault recovery, or forced cloud sync. This is intentional, but means your backup routine is crucial.

Ownership

Local vault, no account

Your password database is a file you control. KeePassXC requires no provider login, billing account, or hosted synchronisation service.

Transparency

Open-source desktop application

KeePassXC is open source, cross-platform, and compatible with the KDBX format used by other KeePass-style applications.

Daily use

Browser, TOTP, passkeys, SSH

The desktop app supports browser autofill, time-based one-time codes, passkeys via the official extension, and SSH agent workflows.

No lock-in

Compatible with supported clients

A KDBX vault can be accessed using maintained apps like KeePassDX or KeePass2Android on Android devices.

Offline resilience

Operates without internet

You can unlock the database while travelling, during outages, or on restricted networks if you have the file and master secret.

Sensitive workflows

Small provider footprint

No hosted vault service can be subpoenaed, breached, suspended, or altered silently. Your device security is the trust anchor.

KeePassXC vs cloud password managers

Do not select KeePassXC solely for its privacy appeal. Choose it if the trade-offs suit your needs. Cloud managers may be safer for some due to sync, sharing, device loss, and recovery features. KeePassXC excels when local control and a smaller provider footprint are priorities.

Requirement | Better fit | Why
You want maximum local control | KeePassXC | The vault can remain offline, synchronisation is optional, and no provider account is linked to the database.
You frequently share passwords with family | Cloud password manager | Sharing, recovery, invitations, and device onboarding tend to be smoother with Bitwarden, Proton Pass, 1Password, or iCloud Keychain.
You travel with unreliable internet | KeePassXC | The vault opens locally even if your provider, browser sync, or mobile connection is unavailable.
You might forget the master password | Cloud password manager | Some cloud services provide account recovery or emergency access. KeePassXC cannot recover a lost master password.
You manage developer secrets | KeePassXC | SSH agent support, local notes, attachments, custom fields, and offline export control benefit technical workflows.
You want breach alerts and refined autofill | Cloud password manager | Cloud managers often provide built-in breach alerts, smoother mobile autofill, and reduced manual upkeep.

KeePassXC secure setup checklist

The first hour with KeePassXC is crucial. Set sensible defaults before importing passwords, as fixing a messy vault later is harder.

Use a long master password

Choose a memorable passphrase you can enter under pressure. There is no reset option if forgotten.

Keep Argon2id enabled

Use modern KDBX settings with Argon2id. Increase memory and iterations only as much as all devices can unlock comfortably.

Create backups before importing

Retain at least one encrypted offline backup and a separate copy of any key file. Verify the backup can be opened.

Enable auto-lock

Lock the vault when the screen locks, the system sleeps, or KeePassXC is idle. Also clear the clipboard promptly.

Document recovery

Record where the vault, backup, key file, and spare hardware key are stored. Keep this note offline.

Import gradually

After importing from a browser or another password manager, remove duplicates, update weak passwords, and add URLs before activating autofill.
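To see what "modern KDBX settings with Argon2id" means at the file level, here is an added example (not KeePassXC project code) that reads the unencrypted outer header of a KDBX 4 file and reports the key-derivation function and its cost parameters. The header layout and KDF identifiers follow the KDBX 4 format; the sample header, its Argon2id values and the build_header fixture are constructed for this demonstration.

```python
import struct
import uuid
# KDF identifiers defined by the KDBX 4 format (KeePass 2.x / KeePassXC).
KDF_NAMES = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF (legacy)",
             "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
             "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}
SIG = (0x9AA2D903, 0xB54BFB67)   # KDBX file signature (two little-endian uint32 values)

def parse_variant_dict(buf):
    """Decode the VariantDictionary carried in header field 11 (KdfParameters)."""
    pos, out = 2, {}                         # skip the 2-byte dictionary version
    while buf[pos] != 0x00:                  # a 0x00 type byte terminates the dictionary
        vtype, nlen = buf[pos], struct.unpack_from("<i", buf, pos + 1)[0]
        name = buf[pos + 5:pos + 5 + nlen].decode()
        vlen = struct.unpack_from("<i", buf, pos + 5 + nlen)[0]
        raw = bytes(buf[pos + 9 + nlen:pos + 9 + nlen + vlen])
        pos += 9 + nlen + vlen
        # 0x04 = UInt32 ("P", "V"), 0x05 = UInt64 ("M", "I", "R"); others stay bytes ("$UUID", salt "S")
        out[name] = struct.unpack("<I" if vtype == 0x04 else "<Q", raw)[0] if vtype in (0x04, 0x05) else raw
    return out

def kdf_settings(data):
    """Walk the KDBX 4 outer header and return the KDF name with its cost parameters."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != SIG or version >> 16 != 4:
        raise ValueError("not a KDBX 4 file")
    pos = 12
    while True:
        field_id, size = struct.unpack_from("<BI", data, pos)   # KDBX 4: 1-byte id, 4-byte size
        body, pos = data[pos + 5:pos + 5 + size], pos + 5 + size
        if field_id == 0:                    # EndOfHeader reached without KdfParameters
            raise ValueError("header has no KdfParameters field")
        if field_id == 11:
            p = parse_variant_dict(body)
            return {"kdf": KDF_NAMES.get(str(uuid.UUID(bytes=p["$UUID"])), "unknown"),
                    "memory_mib": p.get("M", 0) // 2**20,
                    "iterations": p.get("I", p.get("R", 0)),     # Argon2 "I" or AES-KDF "R"
                    "parallelism": p.get("P", 1)}

def build_header(kdf_uuid, params):
    """Constructed test fixture: a minimal KDBX 4.1 outer header, not a real vault."""
    def entry(vtype, name, raw):
        return bytes([vtype]) + struct.pack("<i", len(name)) + name + struct.pack("<i", len(raw)) + raw
    vd = b"\x00\x01" + entry(0x42, b"$UUID", uuid.UUID(kdf_uuid).bytes)   # dictionary version 0x0100
    for name, (vtype, val) in params.items():
        vd += entry(vtype, name.encode(), struct.pack("<I" if vtype == 0x04 else "<Q", val))
    vd += b"\x00"
    # signature + version, the KdfParameters field, then the EndOfHeader field
    return struct.pack("<III", *SIG, 0x00040001) + bytes([11]) + struct.pack("<I", len(vd)) + vd + bytes([0]) + struct.pack("<I", 4) + b"\r\n\r\n"

SAMPLE = build_header("9e298b19-56db-4773-b23d-fc3ec6f0a1e6",   # constructed demo values, not a recommendation
                      {"M": (0x05, 64 * 2**20), "I": (0x05, 12), "P": (0x04, 2)})
```

On a real vault, kdf_settings(open(path, "rb").read()) confirms whether the file still uses the legacy AES-KDF or has been upgraded to Argon2id, and what memory and iteration cost every device will have to pay at unlock.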

Browser integration, Auto-Type, and passkeys

KeePassXC can autofill browser logins via the official KeePassXC-Browser extension for Firefox and Chromium browsers. Treat it as a bridge to your vault: pair only trusted browsers, remove old pairings, and keep browser profiles separate.

Use browser integration when

  • You use a single trusted daily browser profile and want quick login autofill.
  • You have verified the official KeePassXC-Browser extension is paired with the correct database.
  • You want passkey support and can test account recovery before migrating important logins.
  • You’re prepared to remove old browser pairings when profiles or devices change.

Use Auto-Type or manual copy when

  • You log in using a temporary, anonymous, work, or shared browser profile.
  • The app runs outside the browser, e.g. desktop app, SSH prompt, or admin console.
  • You’re entering a rare, high-value password and want to limit broad browser extension access.
  • The page URL seems unusual; verify the entry before autofilling.

Passkey note: KeePassXC supports storing and using passkeys via the official browser extension, but test recovery before migrating important accounts. Some sites behave differently across browsers and operating systems.

Synchronise and back up without losing control

A KDBX file is encrypted, so placing a copy in a synchronisation folder is not inherently unsafe. The main risks tend to be operational: weak master passwords, database conflicts, absent backups, or storing the key file alongside the vault.

Lowest exposure

Local-only with offline backup

Ideal if you use a single main device and do not require immediate mobile synchronisation.

  • Keep the active database stored on the device.
  • Copy backups to an encrypted USB stick or offline drive.
  • Keep the key file separate from the KDBX file.

Reliable daily synchronisation

Syncthing

Ideal for peer-to-peer sync across your devices without using commercial cloud storage.

  • Sync only the database file, not a folder of exported secrets.
  • Enable file versioning to recover from accidental deletions.
  • Avoid simultaneous vault editing on two devices.

Convenient but cautious

Cloud drive

Suitable for many users provided the master password is strong and backups are kept separate from the cloud account.

  • Avoid storing the key file in the same cloud folder as the vault.
  • Enable multi-factor authentication on the cloud account.
  • Maintain a separate offline copy in case the account is locked or deleted.

Technical workflow

Git

Useful for version history if you understand private remotes and avoid accidentally publishing the vault.

  • Use a private repository and signed commits where feasible.
  • Never commit exported CSV files or temporary plaintext notes to repositories.
  • Change exposed passwords immediately if a remote is compromised.
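One way to enforce the rule above (never commit exported CSV files or temporary plaintext notes, and keep the key file out of the repository) is a Git pre-commit hook. This is an added example, not anything from the KeePassXC project; the file-name patterns, and the assumption that key files end in .key or .keyx, are mine.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse staged files that would leak vault secrets in plaintext."""
import fnmatch
import subprocess
import sys

# Assumed patterns: password-manager CSV/HTML/XML exports, scratch notes, and key files.
BLOCKED = {
    "plaintext export or note": ["*.csv", "*.html", "*.xml", "*.txt"],
    "key file": ["*.key", "*.keyx"],
}
ALLOWED = ["*.kdbx", ".gitignore", ".gitattributes"]   # the encrypted vault itself is fine

def classify(staged_paths):
    """Return {path: reason} for every staged path that must not enter the repository."""
    findings = {}
    for path in staged_paths:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(name, pat) for pat in ALLOWED):
            continue
        for reason, patterns in BLOCKED.items():
            if any(fnmatch.fnmatch(name.lower(), pat) for pat in patterns):
                findings[path] = reason
    return findings

def staged_files():
    """Paths added or modified in the index (only called when run as a hook)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]

if __name__ == "__main__":
    bad = classify(staged_files())
    for path, reason in bad.items():
        print(f"refusing to commit {path}: looks like a {reason}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

Install it as .git/hooks/pre-commit (executable) in the private vault repository; a non-zero exit aborts the commit, so an exported CSV or a misplaced key file never reaches the remote.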

Android and mobile access

KeePassXC is a desktop application. On Android, use a maintained KeePass-compatible client like KeePassDX or KeePass2Android. What matters is the workflow: where the database is stored, how it unlocks, and how quickly the clipboard is cleared.

F-Droid

KeePassDX

A privacy-conscious Android client for KDBX files, ideal if you favour F-Droid and a straightforward local vault workflow.


Google Play

KeePass2Android

A popular Android client with robust cloud file integration, suitable if your synchronisation workflow uses Android document providers.


Desktop

KeePassXC

Use the official desktop app for vault editing, browser integration, passkey workflows, SSH agent setup, and extensive cleanup.


Should you add a hardware security key?

A hardware key is not essential for KeePassXC. It is primarily beneficial for securing accounts linked to your vault, such as email, device synchronisation, cloud storage, and recovery inboxes. Advanced users may consider challenge-response configurations, but must carefully document recovery procedures.


Hardware security key for vault recovery accounts

Use a FIDO2 security key for email and sync accounts protecting your vault. Purchase two if important, register both, and keep the spare separately.


Common mistakes that reduce KeePassXC security

1. No verified backup

You copy the database but never confirm it opens correctly.

Fix: test restoration after each significant setup change.

2. Key file stored alongside the vault

An attacker who obtains the folder gains access to both components.

Fix: keep the key file separate and record its location.

3. Browser extension everywhere

Each browser profile acts as a gateway into the vault.

Fix: pair only with profiles you trust.

4. Weak master password

Local encryption is effective only if brute-force attacks are costly.

Fix: use a lengthy passphrase and up-to-date KDBX settings.

5. Conflicted synchronisation copies

Two devices edit the database at the same time, so one device's changes are lost.

Fix: enable versioning and close the vault before changing devices.

6. No emergency note

Your family or future self cannot locate the vault, backup, or spare key.

Fix: create a simple recovery map without revealing the master password.

Research

Sources checked

This guide uses official KeePassXC documentation, release notes, and browser extension details.

  • KeePassXC official website, keepassxc.org
  • KeePassXC downloads, keepassxc.org
  • KeePassXC getting started guide, keepassxc.org
  • KeePassXC user guide, keepassxc.org
  • KeePassXC 2.7.12 release notes, keepassxc.org
  • KeePassXC source repository, github.com
  • KeePassXC-Browser extension repository, github.com

KeePassXC password manager FAQ

Is KeePassXC more secure than Bitwarden or 1Password?

KeePassXC can be safer for local control as your vault isn’t stored in a provider account by default. It may be less safe if you neglect backups, use a weak master password, or require sharing and recovery features better handled by cloud managers.

Can I save a KeePassXC database in Dropbox, iCloud, Google Drive, or OneDrive?

Yes, if the master password is strong and you maintain independent backups. The KDBX file is encrypted, but avoid storing the key file alongside it and don’t rely solely on the cloud account for backups.

Does KeePassXC support passkeys?

KeePassXC stores and uses passkeys through the official KeePassXC-Browser extension. Test with low-risk accounts first, as passkey recovery varies by site, browser, and device.

What if I lose my master password?

The vault cannot be reset by KeePassXC or support. You must have the master password and any key file or challenge-response device. Maintain an offline recovery plan.

Is there an official KeePassXC app for Android?

No. KeePassXC is a desktop app. On Android, use a compatible KeePass client like KeePassDX or KeePass2Android to open the same KDBX database.

Should I use a key file with KeePassXC?

A key file can be useful, but only if stored separately and backed up securely. Losing the key file may render the vault unrecoverable; if kept next to the database, it offers minimal protection.

Can KeePassXC substitute for a team password manager?

Generally not for non-technical teams. KeePassXC excels at individual control and small, careful workflows, but managed sharing, revocation, auditing, and recovery are simpler with a dedicated team password manager.