KeePassXC

A cross-platform, offline password manager with YubiKey, passkey, browser integration, and TOTP — all encrypted locally in the open KDBX format.

27.9Kstars
1.8Kforks
Custom / Unknown
C++

KeePassXC is a modern, community-driven password manager that keeps all your credentials stored in an encrypted KDBX database on your own device — no cloud, no subscription, no third-party servers. It handles usernames, passwords, URLs, file attachments, TOTP codes, and custom fields across Windows, macOS, and Linux, delivering the same feature set on all three platforms.

Built as a C++/Qt fork of the original KeePass, KeePassXC extends the core with native browser integration (Chrome, Firefox, Edge, Brave, Tor Browser), hardware key support via YubiKey and OnlyKey, a full command-line interface, SSH agent integration, and FreeDesktop.org Secret Service compatibility that lets other Linux applications retrieve credentials over D-Bus.

The database format supports both KDBX3 and KDBX4, with a choice of AES-256, Twofish, or ChaCha20 encryption, and AES-KDF or Argon2 key derivation. Composite keys let you combine a master password, a key file, and a hardware challenge-response token for multi-factor database protection.

KeePassXC is licensed under GPL-2/GPL-3, has no paid tiers, and runs entirely offline. Synchronization across devices is left to the user — any file sync service or KeeShare’s encrypted peer-to-peer mechanism works, keeping cloud providers out of the security model entirely.

What You Get

  • KDBX3 and KDBX4 database support - Opens and saves databases in both KDBX3 and KDBX4 formats, with a choice of AES-256, Twofish, or ChaCha20 encryption and AES-KDF or Argon2 key derivation functions, ensuring backward compatibility and modern security simultaneously.
  • Browser auto-fill and passkey support - Integrates with Chrome, Firefox, Edge, Chromium, Vivaldi, Brave, and Tor Browser via dedicated extensions to auto-fill credentials and handle WebAuthn passkey registration and assertion without leaving the browser.
  • YubiKey and OnlyKey challenge-response authentication - Combines a master password with a hardware security key challenge-response to unlock the database, requiring physical presence even if the KDBX file is compromised.
  • Built-in TOTP generator - Stores and generates time-based one-time passwords directly within entries, removing the need for a separate authenticator app while keeping secrets encrypted in the database.
  • Composite multi-factor key system - Combines any mix of master password, key file, and hardware key into a single composite key, giving users control over the exact authentication factors required to open a database.
  • KeeShare encrypted peer-to-peer sync - Shares and synchronizes database groups between devices using signed and encrypted export files, enabling collaborative credential management without a central server.
  • Full command-line interface (keepassxc-cli) - Provides a complete set of commands for reading, writing, searching, and exporting database entries, enabling scripting and headless server automation.
  • FreeDesktop.org Secret Service integration - Acts as a drop-in replacement for GNOME Keyring and other system keychains, allowing any D-Bus-aware application on Linux to securely retrieve stored credentials.
  • SSH Agent integration - Loads private keys from database entries directly into the SSH agent on connect and removes them on database lock, protecting keys at rest while remaining convenient during active sessions.
  • Multi-format import - Imports databases from CSV, 1Password OpVault/1PUX, Bitwarden JSON, Proton Pass, and KeePass1 KDB files, covering the most common migration paths from other password managers.
  • Password health and HIBP breach reports - Scans the database for weak, reused, or expired passwords and checks entries against the Have I Been Pwned offline hash list to identify compromised credentials.
  • File attachments and custom attributes - Attaches encrypted files such as certificates, SSH keys, or PDFs to any entry and adds unlimited custom fields, making the database a secure document and secrets vault.

Common Use Cases

  • Managing credentials across a full-stack development environment - A developer stores database passwords, API keys, SSH passphrases, and TOTP codes in KeePassXC and auto-fills web admin panels via browser integration, with the CLI feeding secrets into deployment scripts.
  • Hardening personal account security with hardware keys - A privacy-conscious user protects their KDBX file with both a master password and a YubiKey challenge-response, so stealing the database file alone is not enough to decrypt it.
  • Running an offline password manager on an air-gapped machine - A security researcher keeps a KeePassXC database on an air-gapped Linux workstation, using KeeShare to transfer encrypted updates via USB without ever touching a network.
  • Replacing a cloud password manager after a data breach scare - A team migrates from Bitwarden or 1Password by importing their existing vaults through the native importers and distributing the KDBX file via a shared network drive or sync tool they control.
  • Storing SSH keys and loading them automatically on login - A sysadmin keeps all infrastructure private keys as encrypted attachments in KeePassXC entries, using the SSH Agent integration to load them on database unlock and clear them when the database locks after inactivity.
  • Providing credential lookup for desktop applications on Linux - A power user configures KeePassXC as the FreeDesktop.org Secret Service provider so that GNOME apps, Git credential helpers, and other D-Bus clients retrieve passwords without a separate keychain daemon.

Under The Hood

Architecture KeePassXC follows a strict layered architecture where the core library — covering database models, cryptographic primitives, format parsers, and key management — carries no GUI dependency and can be exercised entirely through the CLI or tests. The GUI layer consumes the core through Qt signal-slot mechanisms and QSharedPointer ownership, preventing any upward dependency from data logic to presentation. Compile-time feature flags gate optional subsystems such as YubiKey, SSH Agent, FreeDesktop Secret Service, and browser integration, allowing the core binary to remain lean while packaging systems enable each feature independently. The CompositeKey abstraction polymorphically combines password, file, and hardware challenge-response components, with KDF selection entirely decoupled from key composition. File monitoring detects external database modifications at the block level rather than polling the full file, reducing both latency and unnecessary decryption overhead.

Tech Stack KeePassXC is a C++ application built on the Qt framework, using Qt’s GUI, network, and D-Bus modules for native cross-platform desktop integration without Electron or a web renderer. Cryptographic work is handled by the Botan library — providing AES-256, Twofish, ChaCha20, Argon2, and HMAC-SHA256 — while vcpkg in manifest mode pins all third-party library versions at build time, ensuring reproducible cryptographic behavior across platforms. The build system uses CMake with platform-specific configuration for Windows (MSVC/vcpkg), macOS (Homebrew), and Linux/FreeBSD (system packages or vcpkg). Database serialization and deserialization go through a custom KDBX binary format and a layered XML reader, with Argon2 KDF computations offloaded to background threads to keep the UI responsive during unlock. Browser integration uses a native messaging host over stdio, keeping communication entirely local without any network socket.

Code Quality The test suite contains approximately 60 test classes using the QtTest framework, covering core operations including database open/save/merge, all KDBX format versions, TOTP generation, browser protocol, CLI commands, and individual subsystems such as SSH Agent, FdoSecrets, and password health checks. Tests make extensive use of QSignalSpy to validate state transitions and TemporaryFile helpers to isolate file system side effects. Error handling avoids C++ exceptions throughout; failures surface through boolean return values, nullable output parameters, and explicit error strings passed by pointer, making error paths visible without relying on catch blocks. Memory management relies on QSharedPointer throughout core types, with const-correctness applied consistently to prevent accidental mutation. CodeQL static analysis runs in CI and codecov tracks coverage across the develop branch.

What Makes It Unique KeePassXC’s implementation of the FreeDesktop.org Secret Storage specification as a first-class feature — not a plugin — lets it serve as a drop-in system keychain on Linux desktops without running a separate background daemon. Its composite key architecture genuinely separates multi-factor authentication at the cryptographic layer rather than the UI layer, so hardware key challenge-response is integral to the KDF transform rather than bolted on as a UI gate. The KeeShare subsystem implements encrypted, signed group exports for peer-to-peer sharing without requiring a central server or cloud account, a design uncommon in desktop password managers. Supporting bidirectional import and export with 1Password OpVault, Bitwarden JSON, Proton Pass, CSV, and the legacy KeePass1 KDB format in a single application makes KeePassXC a practical migration hub, not just an end-point.

Self-Hosting

KeePassXC is released under the GNU General Public License version 2 or version 3, at the user’s choice. This is a strong copyleft license: you can use KeePassXC commercially, modify it, and redistribute it without paying any license fee, but if you distribute modified versions you must also release the source under the same GPL terms. For self-hosting or internal deployment — meaning you run it on employee machines without distributing it externally — the copyleft clause does not require you to publish any modifications. There is no commercial license, enterprise add-on, or open-core model; every feature in the repository is available to every user under the same terms.

Operationally, KeePassXC is a desktop application, not a server. Each user runs their own instance against a KDBX file they store wherever they choose — a local disk, a network share, or a cloud sync folder. There is no central server to provision, patch, or back up. The operational burden falls on deciding where the KDBX file lives and ensuring it is backed up, since KeePassXC itself provides no backup mechanism. Team deployments typically combine KeePassXC with an existing file sync solution (Nextcloud, a shared network drive, or a version-controlled repository) and distribute a shared KDBX file, or use KeeShare to maintain separately encrypted group exports for different teams.

Because there is no hosted version of KeePassXC, there are no SaaS alternatives to compare against in the traditional sense. Users who move from a managed service like Bitwarden Cloud or 1Password gain full data ownership, portability, and no dependency on a vendor’s uptime, but they give up automatic cross-device sync without additional infrastructure, centralized admin controls, directory integration (SAML/SSO), audit logs, and emergency access workflows. For individuals and small teams comfortable managing a file, those trade-offs are typically acceptable; for larger organizations needing centralized policy enforcement, a self-hosted Bitwarden (Vaultwarden) or Passbolt installation may provide a better fit.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search