KeePassXC is a community fork of KeePassX, which itself is a cross-platform fork of the original KeePass for Windows. Unlike the original KeePass, which is written in .NET, KeePassXC is written in C++.
All of which is a somewhat long-winded way to say that KeePassXC is an open-source program that is free in every sense of the word.
- Strong client-side (e2e) encryption
- Cross-platform support
- Syncing via cloud services
- 2FA support
- Browser integration (via plugin)
KeePassXC does not support KeePass plugins, although it does now support KeePass containers that have been encrypted using the TwoFish encryption plugin.
There are also no master password and/or keyfile recovery options. So don’t forget or lose them if you ever want to see your passwords again!
KeePassXC is available for Windows, macOS, and Linux, with Linux distribution-specific packages for Ubuntu, Debian, Arch, Gentoo, Fedora, CentOS, and OpenSUSE. Or you can simply compile from source code on any Linux platform.
It is important to note that KeePassXC is fully compatible with other KeePass-based apps which use .kdbx password containers.
This reviewer, for example, uses the original KeePass on his Windows machine, KeePass2 Android on his phone and Chromebook, KeePassium on his iPad, and KeePassXC on his macOS and Linux systems. All access the same .kdbx password file, which is stored on Dropbox for syncing passwords across all devices.
It is worth noting that KeePassXC’s initial main advantage over KeePass was its cross-platform support, but this has been undermined somewhat by the fact that KeePass can now be installed on almost all desktop platforms using Mono.
Thanks to being written in C++, however, KeePassXC has a much more native look and feel than KeePass does when running on non-Windows platforms.
Syncing via cloud services
.kdbx files are fully encrypted, self-contained password containers which can be safely stored anywhere - even on insecure cloud platforms such as Dropbox or Google Drive. This allows for easy and secure syncing of passwords across devices, platforms, and even different implementations of KeePass.
In the past, iOS’s many restrictions placed limitations on syncing via third-party cloud platforms. Recent updates to the built-in Files app have improved upon this, allowing iOS apps such as KeePassium to sync .kdbx containers in the usual way.
One thing to bear in mind if you secure your .kdbx files with a keyfile (see below) is that you should never sync this keyfile between devices using an insecure cloud platform, or any other insecure channel such as email.
Ideally, you should only transfer keyfiles physically to trusted devices using USB or similar methods where the keyfile cannot be accessed by any third party. In other words, don’t ever upload it to the internet!
Privacy & security
KeePassXC is community-developed open source software, so jurisdiction doesn’t really apply.
KeePassXC is entirely open-source. This means anyone can inspect its code to check that no backdoors or major weaknesses exist in it, which is the only meaningful basis on which software can be trusted.
In 2016, the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA) audited KeePass 1.31, concluding that “the code has a good level from a security point of view, with only a few findings, none of which were critical or high-risk in nature.”
KeePass 1.x differs quite considerably from KeePass 2.x, let alone KeePassXC, but these findings are nevertheless encouraging.
KeePass .kdbx containers are encrypted by KeePassXC on your computer, and can only be decrypted using the correct password (plus keyfile if used).
As already noted, these containers are self-contained and can therefore be stored securely just about anywhere. Even if someone can access the .kdbx files without the correct password (and keyfile if used), they will not be able to access your stored passwords.
.kdbx containers created in KeePassXC are always encrypted using AES-256. We cannot find confirmation, but we assume the same SHA256 hash authentication seen within KeePass is used. Keyfiles are hashed using the Argon2 key derivation function.
Although it can’t create them, KeePassXC can import and use .kdbx files that have been encrypted by other KeePass-compatible apps using the TwoFish or Chacha20 ciphers.
As with all versions of KeePass, you can provide additional security for your passwords by creating a keyfile when you create a new .kdbx container.
In addition to a password, this provides two-factor authentication (2FA), which requires a copy of the keyfile to be present on your device before you can open the .kdbx database.
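To make the keyfile-as-second-factor idea concrete (and to show why the keyfile bytes must never change in transit or be shared over an insecure channel), here is an added Python example that is not part of this review or of the KeePassXC code base. It models the composite-key step as an assumption based on the KeePass 2.x scheme: each enabled factor is reduced to 32 bytes (the password via SHA-256; a keyfile used raw if it is exactly 32 bytes, hex-decoded if it is 64 hex characters, otherwise hashed with SHA-256), the pieces are concatenated and hashed once more. XML keyfiles are not handled, and the key-derivation step that follows in a real database (the Argon2 KDF mentioned above) is omitted.

```python
import hashlib
import secrets
from typing import Optional


def keyfile_to_key(keyfile_bytes: bytes) -> bytes:
    """Reduce a keyfile's contents to exactly 32 bytes.

    Assumption, modelled on the KeePass 2.x rules for non-XML keyfiles:
    a 32-byte file is used as-is, a 64-character hex file is decoded,
    and anything else is hashed with SHA-256.
    """
    if len(keyfile_bytes) == 32:
        return keyfile_bytes
    if len(keyfile_bytes) == 64:
        try:
            return bytes.fromhex(keyfile_bytes.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not a hex file: fall through to hashing
    return hashlib.sha256(keyfile_bytes).digest()


def composite_key(password: Optional[str], keyfile_bytes: Optional[bytes]) -> bytes:
    """Combine the enabled factors into a 32-byte composite key.

    Every factor is reduced to 32 bytes, the pieces are concatenated in a
    fixed order (password first, then keyfile) and hashed once more.  A real
    KDBX database then feeds this value through the configured KDF
    (Argon2 in recent formats); that step is deliberately left out here.
    """
    if password is None and keyfile_bytes is None:
        raise ValueError("at least one factor (password or keyfile) is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        parts += keyfile_to_key(keyfile_bytes)
    return hashlib.sha256(parts).digest()


def new_keyfile() -> bytes:
    """Create a fresh random 32-byte keyfile (constructed sample for this demo)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    keyfile = new_keyfile()
    password = "correct horse battery staple"  # constructed sample password

    with_both = composite_key(password, keyfile)
    password_only = composite_key(password, None)
    # Flip a single bit of the keyfile: the derived key is completely different,
    # which is why a keyfile altered or truncated in transit makes the database unopenable.
    corrupted = bytes([keyfile[0] ^ 0x01]) + keyfile[1:]
    with_corrupted = composite_key(password, corrupted)

    print("password only      :", password_only.hex())
    print("password + keyfile :", with_both.hex())
    print("password + 1-bit off keyfile:", with_corrupted.hex())
    print("keys differ:", with_both != password_only and with_both != with_corrupted)
```

Because the keyfile contributes 256 bits that are folded straight into the key, a copy of the database file alone (for example, one exfiltrated from cloud storage) is useless without both the password and the byte-exact keyfile; that is the property the warning above about never uploading the keyfile is protecting.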
KeePassXC also supports 2FA via YubiKey. This is a feature not natively supported in the original KeePass, although it can be achieved via a plugin.
The KeePassXC website contains some basic documentation, a general (largely non-technical) FAQ, and a blog. After that, you’re on your own. Fortunately, anyone familiar with how to use KeePass will feel right at home with KeePassXC.
Ease of use
KeePassXC fits in with the host OS aesthetics better than KeePass does on non-Windows machines, but is otherwise very similar in use. In other words, it's a fairly straightforward and easy-to-use password manager.
Creating a new .kdbx database is very easy. Unlike KeePass, KeePassXC databases all use the same settings, so the only decisions you need to make are whether to create a keyfile to use with your database and what password or passphrase to use.
Just make sure not to forget your master password (or lose your keyfile if used), as there are no recovery options available.
In addition to passwords, you can use the notes field to store any information you want securely. You can choose your own passwords, or let KeePassXC generate secure ones for you. For this, you can specify a range of criteria, which is great for websites that have fiddly password requirements.
We particularly like the Passphrase generator feature, which instead of generating hard-to-remember passwords, generates secure but much easier-to-remember passphrases.
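As an added illustration of the two generator modes described above, the following Python code is not part of the review or of KeePassXC; it is a small generator of the same shape. It draws from the cryptographically secure `secrets` module, lets the caller switch character classes on and off and exclude look-alike characters (the "criteria" mentioned above), builds diceware-style passphrases from a word list, and reports the entropy of each choice so the two modes can be compared. The word list is a constructed 16-word sample; a real generator uses thousands of words, which is where a passphrase's strength comes from.

```python
import math
import secrets
import string
from typing import List

# Constructed sample wordlist (16 entries). Real generators use lists of
# several thousand words; entropy per word is log2(len(wordlist)).
SAMPLE_WORDS: List[str] = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def entropy_bits(choices: int, count: int) -> float:
    """Entropy in bits of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def generate_password(length: int = 20, lower: bool = True, upper: bool = True,
                      digits: bool = True, symbols: bool = True,
                      exclude: str = "", require_each: bool = True,
                      max_attempts: int = 1000) -> str:
    """Random password honouring per-class criteria, similar to a manager's generator.

    `exclude` removes look-alike characters (e.g. "0O1lI") from every class.
    With `require_each`, rejection sampling guarantees at least one character
    from every enabled class; this costs a small amount of entropy, so the
    figure from entropy_bits() is an upper bound in that mode.
    """
    pools = []
    for enabled, chars in ((lower, string.ascii_lowercase), (upper, string.ascii_uppercase),
                           (digits, string.digits), (symbols, string.punctuation)):
        if enabled:
            remaining = "".join(c for c in chars if c not in exclude)
            if remaining:
                pools.append(remaining)
    if not pools:
        raise ValueError("no character classes left to choose from")
    if require_each and length < len(pools):
        raise ValueError("length too short to include every enabled class")
    alphabet = "".join(pools)
    for _ in range(max_attempts):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each or all(any(c in pool for c in pw) for pool in pools):
            return pw
    raise RuntimeError("could not satisfy the criteria; relax them or increase length")


def generate_passphrase(word_count: int = 6, wordlist: List[str] = SAMPLE_WORDS,
                        separator: str = "-") -> str:
    """Diceware-style passphrase: `word_count` uniform picks joined by `separator`."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    pw = generate_password(length=16, exclude="0O1lI")
    print("password  :", pw, f"(~{entropy_bits(len(string.ascii_letters + string.digits + string.punctuation) - 5, 16):.1f} bits)")
    phrase = generate_passphrase(word_count=6)
    print("passphrase:", phrase, f"({entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits with this toy list)")
    # With a 7776-word diceware list, six words give about 77.5 bits:
    print("six words from a 7776-word list:", f"{entropy_bits(7776, 6):.1f} bits")
```

The entropy figures make the trade-off explicit: a six-word passphrase from a 7776-word list is roughly as strong as a 12-character password drawn from all 94 printable ASCII characters (about 78 bits) and is far easier to type and remember, which is the appeal of the passphrase generator noted above.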
You can attach user-defined attributes to any password entry, plus almost any kind of file. These features make KeePassXC a flexible and powerful manager for all kinds of sensitive data - not just passwords.
Another feature of KeePassXC that we really enjoy is Autotype. Select a password entry in KeePassXC and place your mouse cursor in a form field. Hit the Autofill button and KeePassXC will fill in both the username and password fields with impressive accuracy. It will even press Enter for you, for a quicker login.
What is particularly nice about this feature is that it works in just about any browser without the need for a browser plugin.
The KeePassXC-Browser web add-on is available for Firefox and Chrome (including Chromium, Opera, and Vivaldi). It requires that the KeePassXC database be opened in order to work (which makes sense from a security perspective), but is easy to set up and intuitive to use.
Sadly, for the past few months (at the time of writing), the KeePassXC-Browser add-on has stopped working on this reviewer’s macOS and Ubuntu systems (in both Firefox and Chrome).
The issue does not affect all users, but is a known problem. An update is promised which will fix it, although this has taken some time to materialize.
This situation is less than ideal but provides an acceptable workaround until the KeePassXC-Browser browser add-on is fixed for everyone. When it is, we’ll update this review.
We are big fans of KeePass in all its forms and would choose any version of it over commercial alternatives such as LastPass or 1Password. Bitwarden is open-source and does offer strong competition for more casual users, but this reviewer prefers the flexibility and entirely self-contained nature of the KeePass platform.
KeePassXC is not as flexible as KeePass due to its lack of support for KeePass’ wealth of useful plugins. But it looks good on non-Windows platforms, and we love the Autofill and passphrase generator functions.
It's also interoperable with all other versions of KeePass, so there is no harm mixing and matching versions across platforms while still having full and secure access to your passwords no matter where you store them.