A fully offline, open-source password manager that keeps your vault entirely under your control — no cloud, no accounts, no trust in third parties required.
This toolkit is for informational purposes. Security needs vary by situation. No tool guarantees complete privacy or anonymity.
AES-256 and ChaCha20 encryption with Argon2 key derivation; database format is well-documented and independently auditable.
No account creation, no cloud connection, no telemetry — the database file exists only where you put it.
Fully open source under GPLv3; community-maintained fork of KeePassX with active development and public code review.
Community-developed open source project with no corporate entity; no servers, no jurisdiction, no legal attack surface.
KeePass database format has been trusted since 2003; KeePassXC fork maintained since 2016 with consistent security updates.
Desktop-focused with no built-in sync; requires manual file management or third-party sync solutions for multi-device use.
Windows, Mac, and Linux desktop; no official mobile app — relies on compatible apps like KeePassDX (Android) or Strongbox (iOS).
Completely free and open source; no account, no subscription, no payment of any kind required.
KeePassXC is an offline, open-source password manager that stores your credentials in an encrypted database file on your own device — no cloud servers, no accounts, no subscriptions, no company involved. Your vault is a single .kdbx file encrypted with AES-256 or ChaCha20, locked with a master password (and optionally a key file or hardware key). You control where this file lives: on your laptop, on a USB drive, on an encrypted external drive, or synced through any cloud service of your choosing. Nothing leaves your device unless you explicitly copy it somewhere.
For crisis scenarios where you cannot trust any cloud service, KeePassXC is the most secure way to manage passwords. Unlike Bitwarden (which stores your encrypted vault on their servers), KeePassXC keeps everything local. There is no server to be breached, no company to be subpoenaed, no infrastructure to go offline. If the internet goes down, your passwords are still accessible. If Bitwarden's servers are seized, your passwords are still accessible. If you're in a country that blocks access to cloud services, your passwords are still accessible. The trade-off is that you're responsible for syncing and backing up the vault file yourself.
KeePassXC is included by default in Tails OS, making it the natural password manager for users who are already in the Tails ecosystem. It's also the recommended password manager for Qubes OS, where the vault file can be stored in an isolated, network-disconnected qube for maximum security. For users who want the convenience of cloud sync, KeePassXC works perfectly with Syncthing (encrypted P2P file sync) or any cloud storage service — the vault file is encrypted regardless of where it's stored.
KeePassXC supports two encryption algorithms: AES-256-CBC and ChaCha20. Key derivation uses Argon2d or Argon2id (configurable), which are memory-hard functions designed to be resistant to GPU and ASIC-based brute force attacks. Argon2 won the Password Hashing Competition in 2015 and is considered the state of the art for key derivation. The default parameters can be tuned to increase the computational cost of cracking — KeePassXC recommends configuring Argon2 to take at least 1 second to derive the key on your hardware, which makes brute-force attacks against the vault computationally prohibitive.
The vault file format (KDBX 4.0) encrypts each entry individually with the vault's master key. The master key can be composed of up to three factors: a master password (something you know), a key file (something you have), and a hardware security key like a YubiKey (something you possess). Using all three factors provides defense-in-depth — even if your master password is compromised, the attacker also needs physical access to your key file and your hardware key. The KDBX format includes HMAC-SHA256 authentication to detect tampering with the encrypted database.
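The cipher and key-derivation settings described above are stored unencrypted in the vault's outer header, so they can be audited without the master password. The following is an added example, not code from KeePassXC or from this page: it follows the publicly documented KDBX 4 header layout and identifiers, reads a constructed sample header (not a real vault), and checks the unkeyed SHA-256 header hash that precedes the HMAC-SHA256 (the HMAC itself needs the derived key and is not verified here).

```python
import hashlib, struct, uuid

# Identifiers as published for the KDBX 4 format
CHACHA20 = uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes
ARGON2ID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6").bytes
CIPHERS = {uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes: "AES-256",
           CHACHA20: "ChaCha20"}
KDFS = {uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes: "Argon2d",
        ARGON2ID: "Argon2id"}
MAGIC = struct.pack("<II", 0x9AA2D903, 0xB54BFB67)

def parse_variant_dict(buf):
    """Decode the KDF parameter dictionary: (type, key, value) items."""
    out, pos = {}, 2                      # skip 2-byte dictionary version
    while buf[pos] != 0:                  # type 0x00 ends the dictionary
        vtype, klen = struct.unpack_from("<BI", buf, pos)
        key = buf[pos + 5:pos + 5 + klen].decode()
        pos += 5 + klen
        vlen = struct.unpack_from("<I", buf, pos)[0]
        val = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        out[key] = int.from_bytes(val, "little") if vtype in (4, 5) else val
    return out

def inspect_kdbx4(data):
    """Report cipher, KDF settings and header-hash status; needs no key."""
    if data[:8] != MAGIC or struct.unpack_from("<H", data, 10)[0] != 4:
        raise ValueError("not a KDBX 4 file")
    pos, fields = 12, {}
    while 0 not in fields:                # field: 1-byte id, 4-byte length, data
        fid, flen = struct.unpack_from("<BI", data, pos)
        fields[fid] = data[pos + 5:pos + 5 + flen]
        pos += 5 + flen
    kdf = parse_variant_dict(fields[11])
    return {"cipher": CIPHERS.get(fields[2], "other"),
            "kdf": KDFS.get(kdf["$UUID"], "other"),
            "memory_mib": kdf.get("M", 0) // 2**20,
            "iterations": kdf.get("I", 0),
            "header_sha256_ok":
                hashlib.sha256(data[:pos]).digest() == data[pos:pos + 32]}

# Constructed sample header (not a real vault): ChaCha20, Argon2id, 64 MiB, 10 passes
def _tlv(tag, *parts):
    return bytes([tag]) + b"".join(struct.pack("<I", len(p)) + p for p in parts)
_kdf = (b"\x00\x01" + _tlv(0x42, b"$UUID", ARGON2ID)
        + _tlv(5, b"M", (64 * 2**20).to_bytes(8, "little"))
        + _tlv(5, b"I", (10).to_bytes(8, "little")) + b"\x00")
_hdr = (MAGIC + struct.pack("<HH", 0, 4) + _tlv(2, CHACHA20)
        + _tlv(11, _kdf) + _tlv(0, b"\r\n\r\n"))
SAMPLE = _hdr + hashlib.sha256(_hdr).digest()
```

To audit a real vault, pass `open(path, "rb").read()` to `inspect_kdbx4`; a result of `"other"` means the file uses a cipher or KDF outside the ones this page names.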
KeePassXC requires no account, no registration, no email, no phone number, and no internet connection. You download the application, create a database file, set a master password, and you're done. There is no telemetry, no analytics, no update checks (unless you enable them), and no network connections of any kind during normal operation. KeePassXC is the most anonymous password manager possible because it has zero relationship with any server or service.
Your vault file is just a file on your filesystem. It can be stored on an encrypted USB drive, carried in your pocket, and used on any computer with KeePassXC installed. There is no account to lock, no service to terminate, and no company that knows you're a user. The only way anyone can know you use KeePassXC is if they find the application on your device or the vault file in your storage — and the vault file can be named anything and stored anywhere, making it easy to conceal.
KeePassXC is fully open source under the GPLv2 and GPLv3 licenses, available on GitHub. It's a community fork of KeePassX, which was itself a cross-platform port of the original KeePass (a Windows-only application). The entire codebase — including the encryption implementation, the KDBX file format parser, the auto-type system, and the browser integration — is available for inspection. KeePassXC is written in C++ using the Qt framework, and the codebase is actively maintained by a team of volunteer developers.
The KDBX file format is well-documented and has been implemented by multiple independent projects (KeePass, KeePassXC, KeePassDX, Strongbox, KeeWeb), which means the format has been reviewed and validated by numerous independent development teams. Independent security audits of KeePassXC have been conducted, and the project participates in the EU's Free and Open Source Software Auditing program (EU-FOSSA). The cryptographic libraries used (libsodium, libgcrypt) are themselves widely audited and trusted.
KeePassXC is a community-driven open-source project with no legal entity, no incorporation, and no geographic base. Contributors are distributed globally. There is no company to subpoena, no server to seize, and no organization that holds any user data. The project exists as code on GitHub and as compiled applications distributed through package managers and the official website.
Because KeePassXC is entirely offline, jurisdiction is irrelevant for the software itself. The only jurisdictional consideration is the physical location of your vault file — if it's on a device that's seized by law enforcement, the file's protection depends entirely on the strength of your master password and key derivation parameters. With a strong passphrase and properly configured Argon2, the vault is computationally infeasible to crack. If the vault file is also protected by a key file stored on a separate device (like a YubiKey), seizure of the computer alone is insufficient.
The KeePass ecosystem (KeePass, KeePassX, KeePassXC) has been in continuous use since 2003 — over two decades of real-world deployment. KeePassXC specifically has been active since 2016 as a cross-platform community fork that modernized the codebase and added features like browser integration, YubiKey support, and TOTP. No security breach has ever been attributed to a flaw in the KDBX format or KeePassXC's encryption implementation.
In 2023, a vulnerability in the original KeePass (not KeePassXC) allowed extraction of the master password from process memory. KeePassXC was not affected because it uses a different codebase with different memory management. The incident highlighted the value of the KDBX ecosystem's diversity — multiple independent implementations mean a vulnerability in one does not affect the others. KeePassXC is recommended by Privacy Guides, the German Federal Office for Information Security (BSI), and is included in Tails OS, one of the most security-conscious operating systems available.
KeePassXC's interface is functional and organized, though less polished than commercial password managers like 1Password or Bitwarden. The main window displays your vault's folder structure with entries listed in a table. Creating entries, generating passwords, organizing folders, and searching are all straightforward. The password generator is powerful, offering random passwords, passphrases (diceware-style), and configurable character sets.
Browser integration is available through the KeePassXC-Browser extension for Firefox, Chrome, Brave, Edge, and Vivaldi. Once configured, the extension detects login forms and auto-fills credentials from your KeePassXC vault — the experience is comparable to Bitwarden's browser extension. The initial setup (connecting the browser extension to the desktop application) requires a few configuration steps, but the documentation walks through the process clearly. For non-technical users, KeePassXC has a moderate learning curve — it's less plug-and-play than Bitwarden but more accessible than command-line tools.
KeePassXC runs on Windows, macOS, and Linux. It is the default password manager in Tails OS and is available in most Linux distribution package managers. The KDBX file format is supported by companion apps on mobile: KeePassDX (Android, open source, available on F-Droid and Google Play) and Strongbox or KeePassium (iOS). These mobile apps open the same vault file, so you can share a single encrypted database across all your devices.
Sync between devices is manual or handled through a file sync service of your choice. Common approaches include Syncthing (encrypted peer-to-peer sync with no cloud server), Proton Drive, or any cloud storage service (the vault file is encrypted regardless of the transport). There is no built-in cloud sync — this is by design. The benefit is zero dependency on any cloud infrastructure; the cost is that you manage sync yourself. For crisis use, keeping the vault on a USB drive that you carry with you is the simplest and most reliable approach.
KeePassXC is completely free. It is open-source software developed by volunteers and funded by community donations. There is no paid tier, no premium features, no subscription, and no financial relationship of any kind. You download the application from keepassxc.org, and you have access to every feature. The companion mobile apps (KeePassDX, Strongbox, KeePassium) are also free for their core features, with some offering optional paid upgrades for convenience features like iCloud sync.
There is no payment involved at any point in using KeePassXC. No account, no email, no registration. You download an application and create a local file. This makes KeePassXC maximally accessible and completely untraceable from a financial perspective.
Download KeePassXC from keepassxc.org for your platform. On Linux, you can also install it from your distribution's package manager or as an AppImage. Verify the download using the GPG signature provided on the download page. On Tails OS, KeePassXC is pre-installed — no download needed.
Open KeePassXC and create a new database (Database > New Database). Choose a name and save location for your vault file. For crisis preparation, save it to an encrypted USB drive rather than your computer's hard drive — this way, you can carry your passwords with you. On the encryption settings screen, select Argon2id for key derivation and increase the memory and iteration parameters until the "Benchmark" button shows the derivation takes at least 1 second. Set your master password — use a passphrase of at least 5-6 random words that you can memorize. For additional security, add a key file (Database > Database Settings > Security > Add Key File) stored on a separate USB drive or on a YubiKey.
Your vault is now ready. Create your first entries: add your ProtonMail credentials, your Mullvad account number, your Signal PIN, and any other critical information. Use the built-in password generator (the dice icon in the entry editor) for all passwords — generate at least 20-character random passwords for online accounts and memorable passphrases for accounts where you might need to type the password manually. Install the KeePassXC-Browser extension in Brave or Firefox and connect it to your KeePassXC application (Tools > Settings > Browser Integration > Enable browser integration, then click "Connect" in the browser extension). Back up your vault file by copying the .kdbx file to a second USB drive or secure location. If you use a key file, back that up separately — you need both the vault file and the key file (plus your master password) to access your passwords.