KeePassXC Review

KeePassXC is an open-source cross-platform implementation of the excellent KeePass password manager. Crucially, it uses standard KeePass (versions 1 and 2) .kdbx containers and is therefore compatible with all other apps which also use the KeePass standard.

Our score: 4 / 5
Free option: Available
Country: n/a

Pricing

KeePassXC is a community fork of KeePassX, which itself is a cross-platform fork of the original KeePass for Windows. Unlike the original KeePass, which is written in .NET, KeePassXC is written in C++.

All of which is a somewhat long-winded way to say that KeePassXC is an open-source program that is free in every sense of the word.

Features

  • Strong client-side (e2e) encryption
  • Cross-platform support
  • Syncing via cloud services
  • 2FA support
  • Open-source
  • Autotype
  • Browser integration (via plugin)

KeePassXC does not support KeePass plugins, although it does now support KeePass containers that have been encrypted using the Twofish encryption plugin.

There are also no master password and/or keyfile recovery options. So don’t forget or lose them if you ever want to see your passwords again!

Cross-platform support

KeePassXC is available for Windows, macOS, and Linux, with Linux distribution-specific packages for Ubuntu, Debian, Arch, Gentoo, Fedora, CentOS, and openSUSE. Or you can simply compile from source code on any Linux platform.

It is important to note that KeePassXC is fully compatible with other KeePass-based apps which use .kdbx password containers.

This reviewer, for example, uses the original KeePass on his Windows machine, Keepass2Android on his phone and Chromebook, KeePassium on his iPad, and KeePassXC on his macOS and Linux systems. All access the same .kdbx password file, which is stored on Dropbox for syncing passwords across all devices.

It is worth noting that KeePassXC’s initial main advantage over KeePass was its cross-platform support, but this has been undermined somewhat by the fact that KeePass can now be installed on almost all desktop platforms using Mono.

Thanks to being written in C++, however, KeePassXC has a much more native look and feel than KeePass does when running on non-Windows platforms.

Syncing via cloud services

.kdbx files are fully encrypted and self-contained password containers which can be safely stored anywhere - even on insecure cloud platforms such as Dropbox or Google Drive. This allows for easy and secure syncing of passwords across devices, platforms, and even different implementations of KeePass.

In the past, iOS’s many restrictions placed limitations on syncing via third-party cloud platforms. Recent updates to the built-in Files app have improved upon this, allowing iOS apps such as KeePassium to sync .kdbx containers in the usual way.

One thing to bear in mind if you secure your .kdbx files with a keyfile (see below) is that you should never sync this keyfile between devices using an insecure cloud platform, or any other insecure platform such as email.

Ideally, you should only transfer keyfiles physically to trusted devices using USB or similar methods where the keyfile cannot be accessed by any third party. In other words, don’t ever upload it to the internet!

Privacy & security


Jurisdiction

KeePassXC is community-developed open source software, so jurisdiction doesn’t really apply.


Open-source

KeePassXC is entirely open-source. This means anyone can inspect its code to check that no backdoors or major weaknesses exist in it, which is the only meaningful way that software can be trusted.

In 2016, the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA) audited KeePass 1.31, concluding that “the code has a good level from a security point of view, with only a few findings, none of which were critical or high-risk in nature.”

KeePass 1.x differs quite considerably from KeePass 2.x, let alone KeePassXC, but these findings are nevertheless encouraging.


End-to-end encryption

KeePass .kdbx containers are encrypted by KeePassXC on your computer, and can only be decrypted using the correct password (plus keyfile if used).

As already noted, these containers are self-contained and can therefore be stored securely just about anywhere. Even if someone can access the .kdbx files without the correct password (and keyfile if used), they will not be able to access your stored passwords.


Cryptography

.kdbx containers created in KeePassXC are always encrypted using AES-256. We cannot find confirmation, but we assume the same SHA256 hash authentication seen within KeePass is used. Keyfiles are hashed using the Argon2 key derivation function.

Although it can’t create them, KeePassXC can import and use .kdbx files that have been encrypted by other KeePass-compatible apps using the Twofish or ChaCha20 ciphers.
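
As an added example (not code from this review or from the KeePassXC project), the following Python code reads the unencrypted outer header of a .kdbx file and reports which cipher and key derivation function the container declares, so the settings described above can be checked for your own database. The signature bytes, header field ids and algorithm UUIDs are assumptions taken from the publicly documented KDBX format, and the sample header is constructed.

```python
import uuid

# KDBX magic bytes and UUIDs: assumptions from the public format, not from the review.
SIGNATURE = bytes.fromhex("03d9a29a67fb4bb5")
CIPHERS = {"31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256",
           "ad68f29f-576f-4bb9-a36a-d47af965346c": "Twofish",
           "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20"}
KDFS = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
        "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
        "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}

def le(raw):
    return int.from_bytes(raw, "little")

def name(table, raw):  # map a raw 16-byte UUID to an algorithm name
    return table.get(str(uuid.UUID(bytes=raw)), "unknown") if len(raw) == 16 else "unknown"

def kdf_from_variant_dict(blob):  # find "$UUID" in a KDBX 4 KdfParameters dictionary
    pos = 2  # skip the 2-byte dictionary version
    while pos + 9 <= len(blob) and blob[pos] != 0:  # entry type 0 ends the dictionary
        key_end = pos + 5 + le(blob[pos + 1:pos + 5])
        val_end = key_end + 4 + le(blob[key_end:key_end + 4])
        if blob[pos + 5:key_end] == b"$UUID":
            return name(KDFS, blob[key_end + 4:val_end])
        pos = val_end
    return "unknown"

def inspect_kdbx_header(data):
    """Parse only the unencrypted outer header; no password or keyfile is needed."""
    if data[:8] != SIGNATURE:
        raise ValueError("not a KDBX (KeePass 2.x family) container")
    major = le(data[10:12])
    lsize = 4 if major >= 4 else 2  # field length: 4 bytes in KDBX 4, 2 in KDBX 3
    info = {"version": f"{major}.{le(data[8:10])}", "cipher": "unknown",
            "kdf": "unknown" if major >= 4 else "AES-KDF"}
    pos = 12
    while pos + 1 + lsize <= len(data) and data[pos] != 0:  # field id 0 ends the header
        field_id, start = data[pos], pos + 1 + lsize
        pos = start + le(data[pos + 1:start])
        if field_id == 2:     # cipher UUID
            info["cipher"] = name(CIPHERS, data[start:pos])
        elif field_id == 11:  # KDBX 4 KdfParameters
            info["kdf"] = kdf_from_variant_dict(data[start:pos])
    return info

# Constructed sample (not a real database): minimal KDBX 4.0 header, ChaCha20 + Argon2d.
SAMPLE = SIGNATURE + bytes.fromhex(
    "00000400" "02" "10000000" "d6038a2b8b6f4cb5a524339a31dbb59a" "0b" "21000000" "0001"
    "42" "05000000" "2455554944" "10000000" "ef636ddf8c29444b91f7a9a403e30a0c" "00" "00" "00000000")
```

To inspect a real container, pass the file's bytes, for example `inspect_kdbx_header(open(path, "rb").read())`.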


2FA support

As with all versions of KeePass, you can provide additional security for your passwords by creating a keyfile when you create a new .kdbx container.

In addition to a password, this provides two-factor authentication (2FA) which requires a copy of the keyfile to be present on your device before you can open the .kdbx database.

KeePassXC also supports 2FA via YubiKey. This is a feature not natively supported in the original KeePass, although it can be achieved via a plugin. 

Support

The KeePassXC website contains some basic documentation, a general (largely non-technical) FAQ, and a blog. After that, you’re on your own. Fortunately, anyone familiar with how to use KeePass will feel right at home with KeePassXC.

Ease of use

KeePassXC fits in with the host OS aesthetics better than KeePass does on non-Windows machines, but is otherwise very similar in use. In other words, it's a fairly straightforward and easy-to-use password manager.


Creating a new .kdbx database is very easy. Unlike KeePass, KeePassXC databases all use the same settings, so the only decisions you need to make are whether to create a keyfile to use with your database and what password or passphrase to use.


Just make sure not to forget your master password (or lose your keyfile if used), as there are no recovery options available. 

In addition to passwords, you can use the notes field to store any information you want securely. You can choose your own passwords, or let KeePassXC generate secure ones for you. For this, you can specify a range of criteria, which is great for websites that have fiddly password requirements.


We particularly like the Passphrase generator feature, which instead of generating hard-to-remember passwords, generates secure but much easier-to-remember passphrases.


You can attach user-defined attributes to any password entry, plus almost any kind of file. These features make KeePassXC a flexible and powerful manager for all kinds of sensitive data - not just passwords.


Autotype

Another feature of KeePassXC that we really enjoy is Autotype. Select a password entry in KeePassXC and place your mouse cursor in a form field. Hit the Autofill button and KeePassXC will autofill both the username and password fields with impressive accuracy. It will even auto-hit the return button for you, for quicker login.

What is particularly nice about this feature is that it works in just about any browser without the need for a browser plugin.

Browser plugin 

The KeePassXC-Browser web add-on is available for Firefox and Chrome (including Chromium, Opera, and Vivaldi). It requires that the KeePassXC database be opened in order to work (which makes sense from a security perspective), but is easy to set up and intuitive to use.

Sadly, for the past few months (at the time of writing), the KeePassXC-Browser add-on has stopped working on this reviewer’s macOS and Ubuntu systems (in both Firefox and Chrome). 

The issue does not affect all users, but is a known problem. An update is promised which will fix it, although this has taken some time to materialize. 

Fortunately, and despite being officially deprecated by the KeePassXC team, the KeePassHTTP-Connector method of browser integration (described here for KeePass) continues to work fine for KeePassXC.


This situation is less than ideal but provides an acceptable workaround until the KeePassXC-Browser browser add-on is fixed for everyone. When it is, we’ll update this review. 

Final thoughts

We are big fans of KeePass in all its forms and would choose any version of it over commercial alternatives such as LastPass or 1Password. Bitwarden is open-source and does offer strong competition for more casual users, but this reviewer prefers the flexibility and entirely self-contained nature of the KeePass platform.

KeePassXC is not as flexible as KeePass due to its lack of support for KeePass’ wealth of useful plugins. But it looks good on non-Windows platforms, and we love the Autofill and passphrase generator functions. 

It's also interoperable with all other versions of KeePass, so there is no harm mixing and matching versions across platforms while still having full and secure access to your passwords no matter where you store them. 

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

3 Comments

Al Martinsen
on February 24, 2020
Nice reviews. I'm really looking forward to getting back to using KeePass again after having used it many years ago, then switching to 1Password when I moved to Mac, then moving to Bitwarden but not being happy with it (looks and feels very amateurish, slow and not very well integrated, especially in iOS) and now I'm testing Myki but there's something about it that I don't really like and I have a bad feeling about it, I don't know what, but I don't trust them very much. So I'm really considering going back to the only truly long term solution (KeePass) and if the chosen client app stops its development, I can simply switch to a different one but the database is still there without migration (I've learnt the hard way you always lose some field or category during migration and it's quite scary). My problem with KeePass is to choose the right client and the lack of one solution for integrating all my devices: Windows, 2 Macs and one iPhone and the fact that I have to choose a 3rd party sync service. Not because of privacy, but due to added complexity (but I have to say that I've used 1Password through Dropbox for years without a single issue). I'm about to try Strongbox, a client I've found that works for macOS and iOS with a freemium model and I'll see how it goes. Has anybody else the same feeling?
Claus
on December 29, 2019
Thank you for this review. Are you serious that your review was updated last on Jan 1st, 1970? :-)
Douglas Crawford replied to Claus
on January 2, 2020
Hi Claus. Ha ha. Good spot and thanks for letting us know. FWIW, wrote the article in November 2019.