KeePassXC
KeePassXC is a free and open-source, cross-platform password manager that securely stores and organizes sensitive information, including passwords, usernames, URLs, attachments, and notes, within an encrypted database file accessible offline without reliance on remote servers.[1][2] Originally developed as a community-driven fork of KeePassX—a prior cross-platform port of the Windows-based KeePass Password Safe—KeePassXC emerged to address stalled development and incorporate unresolved bug fixes, feature requests, and enhancements that had accumulated in KeePassX.[3][2] The project, hosted on GitHub under the GPLv2 or GPLv3 license, emphasizes rigorous code review, testing, and community contributions through pull requests, translations, and bug reporting to maintain high standards of security and usability.[1][2] KeePassX itself ceased active development in 2021, solidifying KeePassXC as the primary maintained evolution of the lineage, with ongoing releases—such as version 2.7.10 in March 2025—introducing improvements like passkey support and importers for other managers.[3][1]
KeePassXC supports Windows, macOS, and Linux platforms, built using the Qt framework for broad compatibility, and offers key features including a customizable password generator, two-factor authentication via TOTP, browser integration for autofill in tools like Chrome and Firefox, and advanced options such as YubiKey hardware support, SSH agent integration, and multiple encryption algorithms like AES, Twofish, and ChaCha20.[2][1] Unlike cloud-based alternatives, it operates entirely locally to prioritize privacy, with no advertisements, subscriptions, or data transmission to third parties, making it a favored choice for users seeking self-hosted security.[1] The software's database format (.kdbx) ensures compatibility with the original KeePass while adding modern enhancements, and its active community fosters regular updates focused on robustness and accessibility.[3][2]
Overview
Description and Purpose
KeePassXC is a free, open-source, cross-platform password manager forked from KeePassX, designed to securely store and manage sensitive information such as usernames, passwords, URLs, notes, and file attachments.[1][3][2] Its core purpose is to enable offline storage of credentials in a single, portable encrypted database file, allowing users to access their data across devices without relying on internet connectivity or remote servers.[4][1] KeePassXC emphasizes user control by keeping all data locally on the user's device or chosen storage location, eliminating subscription fees and reducing vulnerability to server-side data breaches common in cloud-based alternatives.[1][3] As a community-driven project evolving from the original KeePass software, KeePassXC supports modern needs like seamless multi-platform access while maintaining a focus on privacy and security.[3][2]
Platforms and Licensing
KeePassXC offers native applications for Linux, macOS, and Windows, utilizing the Qt framework to deliver a consistent user interface and experience across these desktop operating systems.[1][5] This cross-platform design ensures seamless integration with each platform's native features, such as system trays and keyboard shortcuts, while maintaining high performance without relying on web-based or emulated environments.[3]
The software is released under the GNU General Public License version 2 or later (GPLv2+), a copyleft license that allows users to freely view, modify, distribute, and study the source code.[6][7] This licensing model supports the project's community-driven development, with the source code hosted on GitHub for public inspection and contributions.[2]
KeePassXC does not provide official mobile applications for Android or iOS, but its database format is fully compatible with third-party KeePass-compatible apps, enabling users to access and sync databases on mobile devices via tools like KeePassDX and KeePass2Android for Android, or similar options for iOS.[3]
The GPLv2+ license fosters transparency by permitting independent security audits of the codebase, such as the 2023 application security assessment, and encourages forks and enhancements from the community, exemplified by KeePassXC's own evolution from earlier projects.[5][2]
History
Origins in KeePass and KeePassX
KeePass was originally developed by Dominik Reichl starting in November 2003 as a free, open-source password manager exclusively for Windows, designed to store sensitive data in an encrypted database protected by a master password or key file using the Advanced Encryption Standard (AES) with a 256-bit key.[8]
KeePassX originated as an unofficial community-driven port of KeePass to non-Windows platforms, initially targeting Linux under the name KeePass/L before being renamed KeePassX in March 2006 upon expanding to macOS support, with the project built using the Qt application framework to ensure cross-platform compatibility while replicating the core functionality of KeePass versions 1.x and later adapting to 2.x database formats.[9] Among its key adaptations, KeePassX introduced support for the KDBX database format—KeePass 2.x's standard encrypted file type—in the initial 2.0 alpha release in May 2012, alongside auto-type capabilities for simulating keyboard input on Linux/X11 systems added in the October 2012 alpha 3 update, providing basic cross-platform usability up to the 2.0 alpha series culminating in December 2013.
However, KeePassX's development stagnated after the release of version 2.0 alpha 5 in December 2013, with limited progress until a stable 2.0 release in August 2016; the project officially ceased active development and maintenance on December 9, 2021.[10] This prolonged period of inactivity led to a buildup of unresolved bugs, security concerns, and feature requests, prompting the community to fork the project into KeePassXC in 2016.[3]
Fork and Reboot as KeePassXC
In August 2016, due to the slowing development of KeePassX, a group of developers including Frank Morgner initiated a community fork on GitHub under the "keepassxreboot" organization, aiming to revitalize the project by addressing long-pending issues and expanding its capabilities.[2][11] The primary objectives of this reboot were to merge dozens of stalled pull requests from the original KeePassX codebase, strengthen integration with the Qt framework for better cross-platform performance, and implement contemporary features such as native browser extension support to enhance usability in web environments.[12][3]
In early 2017, the project underwent rebranding to KeePassXC, with the "C" denoting its community-driven focus and commitment to cross-platform compatibility across Windows, macOS, and Linux.[1] The inaugural stable release, version 2.1.0, launched on January 22, 2017, delivering foundational stability, improved error handling, and essential password management tools to early adopters.[13] A pivotal update arrived with version 2.2.0 on June 26, 2017, which added Time-based One-Time Password (TOTP) generation for two-factor authentication support and compatibility with YubiKey hardware tokens, significantly bolstering security options without relying on external services.[14]
From 2016 to 2020, the project advanced through key technical shifts, including a migration to the C++11 standard to modernize the codebase and leverage enhanced language features for efficiency and maintainability.[2] In version 2.3.0, released February 27, 2018, KeePassXC adopted the KDBX 4.0 database format, enabling stronger encryption primitives like Argon2 for master key derivation and improved protection against brute-force attacks.[15] Later, in January 2023, the project underwent its inaugural independent security audit, conducted by consultant Zaur Molotnikov, which reviewed core cryptographic implementations and database handling, identifying no critical vulnerabilities while recommending minor enhancements for robustness.[16][5]
Features
Core Password Management
KeePassXC enables users to create secure databases for storing sensitive information, primarily through a master password or key file for authentication. During database creation, users set a master password, which serves as the primary access mechanism, and optionally add a key file as a secondary factor to enhance security. The software supports key derivation functions to transform the master key into a robust encryption key; for databases in the KDBX 4 format, Argon2 is the recommended option due to its memory-hard design that resists brute-force attacks on specialized hardware, while AES-KDF remains available for compatibility with older KDBX 3.1 files and offers adjustable iterations to balance security and performance.[17][18]
Entries within the database are managed through a hierarchical structure of groups and subgroups, allowing users to organize passwords, usernames, and notes into logical folders with inherited settings from parent groups for efficient categorization. Each entry can include attachments such as files or secure notes stored in encrypted form, which users can preview directly within the application if they are text or images. A comprehensive search function scans across entry fields like titles, usernames, URLs, tags, and notes, supporting wildcards (e.g., * for any characters) and modifiers (e.g., - to exclude terms) to quickly locate specific items without manual browsing.[19][20][21]
The built-in password generator provides tools to create strong, unique passwords with customizable entropy levels, enabling users to specify length via a slider and select character sets including uppercase letters, lowercase letters, digits, and special symbols. Advanced options allow avoidance of ambiguous characters, such as distinguishing between '0' and 'O' or '1' and 'l', to reduce errors during manual entry. This generator integrates directly into entry creation, ensuring high-entropy outputs tailored to user preferences without relying on external tools.[22]
For accessing stored credentials, KeePassXC offers auto-type functionality that simulates keystrokes to fill login forms, using configurable sequences like {USERNAME}{TAB}{PASSWORD}{ENTER} with placeholders for dynamic content and delays for reliable input. Clipboard support allows temporary copying of passwords or other fields, protected by automatic clearing after a configurable timeout to minimize exposure risks. Auto-type sequences can also draw on advanced features, such as TOTP codes, through placeholders.[23][24]
Advanced Security and Integration Tools
KeePassXC provides native support for two-factor authentication through Time-based One-Time Password (TOTP) integration, allowing users to generate and verify 6-digit codes directly within password entries. These codes refresh every 30 seconds based on a shared secret key and the device's synchronized time, enhancing security for services requiring 2FA without relying on external apps.[6] To set up TOTP, users right-click an entry, select the TOTP option, and input the secret key—often obtained via QR code scanning or manual entry—customizing parameters like code length and interval before saving.[6] Generated codes can be viewed in the entry preview, copied for manual use, or automatically inserted via the Auto-Type feature using the {TOTP} placeholder, ensuring seamless verification during login processes.[6]
For hardware-based security, KeePassXC integrates with YubiKey devices using HMAC-SHA1 challenge-response mode to serve as an additional authentication factor for unlocking databases. This requires configuring the YubiKey in KeePassXC settings, where the device responds to a challenge prompt alongside the master password or key file, preventing access without the physical token.[3] Multiple YubiKeys can be registered per database for redundancy, though no backup keys are generated, emphasizing the need for secure storage to avoid lockout.[3] Additionally, since version 2.7.7, KeePassXC supports FIDO2 passkeys stored within entries, enabling passwordless authentication for compatible websites via the browser extension, which leverages WebAuthn standards for secure credential creation and use without exposing the database.[25]
Browser integration is facilitated through official extensions for Google Chrome, Mozilla Firefox, and Microsoft Edge, utilizing native messaging to communicate securely with the KeePassXC desktop application. This setup allows autofill of credentials and TOTP codes on web forms without transmitting the database over the network, maintaining end-to-end encryption and user control.[26] Users connect the extension once via a secure handshake, after which it queries the locked database for matches, prompting for unlock only when needed to retrieve specific entries.[4] The extensions also support passkey operations, prompting the browser's built-in FIDO2 capabilities while referencing stored secrets from KeePassXC entries.[25]
KeePassXC includes SSH agent integration, enabling users to store SSH private keys as attachments in database entries and dynamically add or remove them from the system SSH agent (such as OpenSSH on Linux and macOS, or Pageant on Windows) upon database unlock. This feature requires enabling it in the application's settings and supports automatic key loading for secure remote access without manual passphrase entry each time.[27]
KeePassXC enables database sharing and merging in the native KDBX format (versions 3.1 and 4), allowing users to export entire databases or import them into another instance for synchronization across devices.[3] It supports importing data from other password managers, including 1Password (via .1pux and .opvault formats, added in version 2.7.7), Bitwarden (.json, added in version 2.7.7), and Proton Pass (.json, added in version 2.7.10). For entry-level sharing, individual entries or groups can be exported to XML format via the Database menu, facilitating secure transfer through file sharing methods like email or cloud storage, followed by import into a target database.[28] Merging operations, accessed through Database → Merge From Database, intelligently combine changes from source databases, resolving conflicts based on timestamps and user prompts to preserve history and attachments without data loss.[6] This file-based approach ensures compatibility with other KeePass-compatible tools while avoiding centralized servers.[3]