KeePassium is an offline app. It will never ask for your server credentials. Instead, it integrates with the iOS Files app, and delegates all the networking to the cloud provider apps.
KeePass for iOS, by Maple Labs (free). Developer's description: Password Keeper app that protects your password and personal information. KeePass offers unlimited password storage for.
Bitwarden is the easiest and safest way to store your logins and passwords across all of.
'KeePass' is the password manager developed by Dominik Reichl. Any software by other developers that is using the name 'KeePass' in the software's name without any direct non-numeric/non-special prefix/suffix is abusing the name 'KeePass' and we do not recommend such software. For example, 'KeePassDroid' is ok, but 'KeePass Droid' is not.
Frequently Asked Questions
Questions
General
Security
AppImage and Snap package
Key Files
YubiKey / OnlyKey
Browser integration
SSH Agent
Platform-specific
Answers
General
- Why KeePassXC instead of KeePassX?
- KeePassX is an amazing password manager, but hasn't seen much active development for quite a while. Many good pull requests were never merged and the original project is missing some features which users can expect from a modern password manager. Hence, we decided to fork KeePassX to continue its development and provide you with everything you love about KeePassX plus many new features and bugfixes.
- Why KeePassXC instead of KeePass?
- KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.
KeePassXC, on the other hand, is developed in C++ and runs natively on all platforms giving you the best-possible platform integration.
- Which password database formats are compatible with KeePassXC?
- KeePassXC currently uses the KeePass 2.x (.kdbx) password database format as its native file format in versions 3.1 and 4. Database files in version 2 can be opened, but will be upgraded to a newer format. KeePass 1.x (.kdb) databases can be imported into a .kdbx file, but this process is one-way.
- Why is there no cloud synchronization feature built into KeePassXC?
- Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
- Does KeePassXC support (KeePass2) plugins?
- No, KeePassXC does not support plugins at the moment. We are thinking about providing some kind of plugin infrastructure or external API in the future, but cannot specify how it will work or when it will be ready.
- How can I add additional word lists to the passphrase generator?
- You can add additional word lists to the passphrase generator by copying the word list file to the share/wordlists folder inside your KeePassXC installation directory and then restarting KeePassXC.
On Linux, the default install location is /usr/share/keepassxc, on macOS it's /Applications/KeePassXC.app/Contents/Resources and on Windows C:\Program Files\KeePassXC (or C:\Program Files (x86)\KeePassXC for 32-bit).
Security
In any case, keep in mind that:
- An audit is not 100% proof that software is safe and secure. Some flaws can be overlooked even by the best auditors.
- An audit is valid only for a “snapshot” of the code. If new code is added, new vulnerabilities can be introduced.
-DWITH_XC_NETWORKING=OFF (see Building KeePassXC).
AppImage and Snap package
- How do I execute an AppImage?
- The AppImage is a self-contained executable archive, comparable to an Android APK or macOS DMG. To execute it, simply give the downloaded *.AppImage file execution permissions: After that you can execute it either from the terminal or by double clicking it just like any other program.
- What systems can I use the AppImage or Snap package on?
- The AppImage should run out of the box on almost any moderately modern Linux distribution. The Snap is supported on all systems that have snapd installed. This is primarily Ubuntu, but also Debian, Fedora, OpenSUSE, Arch Linux and many more. For a full list and more information visit snapcraft.io. Note that not all systems that can run Snaps also support confinement via AppArmor.
- How do I use the KeePassXC CLI tool with the AppImage?
- Starting with version 2.2.2, you can run the KeePassXC CLI tool from the AppImage by executing it with the cli argument:
- Why doesn't my theme work?
- Since Snaps and AppImages are self-contained and mostly isolated from your system, they cannot know what theme you are currently running. This is a known issue with both Snaps and AppImages.
- How do I get my YubiKey to work with the Snap?
- Due to a Snap's isolation and security settings, you must manually enable the raw-usb interface in order to use your YubiKey. Issue the following command from a terminal to enable this interface:
- Why can't I see anything outside my home directory?
- Due to Snap's isolation and security settings, you cannot access any files outside your home directory. Furthermore, you cannot access any hidden files within your home directory. The only exception is mounted USB drives, but you must type in /media/ into the file open dialog to see them.
If you still cannot access the /media/ directory then you may need to enable this permission in the Ubuntu store. Open the Ubuntu store, choose the KeePassXC app, and click permissions.
Key Files
- What is a key file and how can I get one?
- A key file is a file containing random bytes that can be added to your master key for additional security. Think of it as a really complicated and long password that is read from a file, so you don't have to remember or type it into your master password field. You can basically use any file you want as a key file, but it is of utmost importance that a) the file never changes and b) it actually contains unpredictable data. If the file changes, it is as if you forgot your password and you will lose access to your database. On the other hand, if the data is not random enough, then it's a really bad password. So, for instance, a static and never-changing holiday picture is okay, your personal notes file is not. Generally, we recommend you let KeePassXC generate a dedicated key file for you. Go to Database -> Database Settings -> Security. There you click on Add Key File and then on Generate. Select the location where to save the key file, make sure the path to the new file is inserted into the Key File field, and save your database. Don't forget to keep a backup of the key file in a safe place!
- How secure is a key file and how can I sync it to other devices?
- A key file is only as secure as you keep it. It is basically a password that you've written down. As a general rule, you should never use a key file without an actual password, because it is harder to keep your key file secret than a memorized password that only you know. However, a key file can be very strong additional protection if kept separately from the database file, such as on an external thumb drive. If you sync your database via a cloud provider (Dropbox, Google Drive, Nextcloud, …), you should only sync the KDBX file and distribute the key file to your computers by different means, such as said thumb drive. But whatever you do, keep a backup in a safe location! If you lose your key file, you lose your database. Keep in mind that USB thumb drives are notoriously unreliable, break easily, or get lost. If you can afford it, we recommend you use a hardware token such as a YubiKey or OnlyKey instead of a key file (see next section). Such a key adds an even greater amount of security, but with fewer potential pitfalls.
YubiKey / OnlyKey
- Does KeePassXC support two-factor authentication (2FA) with YubiKeys or OnlyKeys?
- Yes and no. KeePassXC supports YubiKeys for securing a database, but strictly speaking, it's not two-factor authentication. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database. So in a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since the expected response doesn't change every time you try to decrypt your database. It does, however, change every time you save your database.
- How do I configure my YubiKey / OnlyKey for use with KeePassXC?
- To use a YubiKey or OnlyKey for securing your KeePassXC database, you have to configure one of your YubiKey / OnlyKey slots for HMAC-SHA1 Challenge Response mode (see this video for how to do this). Once your YubiKey (or OnlyKey, you got the point…) is set up, open your database in KeePassXC, go to File / Change master key, enable Challenge Response and then save the database.
Important: Always make a copy of the secret that is programmed into your YubiKey while you configure it for HMAC-SHA1 and store it in a secure location. If you lose or brick the key or accidentally reprogram it with a different secret, you will permanently lose access to your database!
- When I use KeeChallenge with KeePass2, it creates an extra file. Why do I have no such file when using KeePassXC?
- Our implementation differs from how KeeChallenge handles YubiKeys. KeeChallenge uses the HMAC secret directly to enhance the database. To make this work, they need to store the secret in a side-car file, encrypted with the response of a challenge-response pair that is calculated ahead of time. In KeePassXC, we do not require any knowledge of the HMAC secret. We use the database's master seed (a random byte string that is part of your database) as challenge and then use the response to encrypt the database. That way we do not need an extra file and also gain the advantage that the required response changes every time you save the database, which resembles actual two-factor authentication more closely.
- When I secure my database in KeePass2 with a YubiKey, I can't open it in KeePassXC (or vice versa), why?
- Due to the fact that our YubiKey implementation differs from KeeChallenge's, they are inherently incompatible (see question above). If you need compatibility between KeePass2 and KeePassXC, you cannot use YubiKeys at the moment.
- Why only HMAC-SHA1? Why not FIDO-U2F or TOTP?
- Both FIDO-U2F and TOTP require a dynamic component (i.e., a counter or timestamp) for successful authentication. This is perfect for authenticating at an online service, but doesn't work for an offline database which needs to be encrypted with a fixed key. HMAC-SHA1, on the other hand, can be computed ahead of time as it only needs a fixed secret and no dynamic component of any kind.
- But the feature list says KeePassXC supports TOTP. I am confused.
- We do support generation of timed one-time passwords (TOTP), but do not (and cannot) support it for securing your KeePassXC database. KeePassXC allows you to store TOTP secrets for online services inside a database and generates the corresponding timed one-time passwords for you. For TOTP, see also the question KeePassXC allows me to store my TOTP secrets. Doesn't this alleviate any advantage of two-factor authentication?
- What happens if I break my YubiKey? Can I create backup keys?
- You should always make a copy of the HMAC secret that is stored on the YubiKey and keep it in a secure location. This can be an analog paper copy, but since the YubiKey personalization tool allows you to program a custom secret into the key, you may as well program a second key with the same secret.
- Can I register multiple YubiKeys with my KeePassXC database?
- You can only use a single secret for encrypting the database. So you can use multiple YubiKeys, but they all have to be programmed with the same secret (see question above).
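An added sketch (not KeePassXC code) of the scheme the answers in this section describe: the master seed is the challenge, the token returns HMAC-SHA1 over it, and every save draws a new seed. The `ToyDatabase` class, the 32-byte seed length, the sample secrets and the SHA-256 key mixing are assumptions made for illustration and are not KeePassXC's actual key derivation.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 32  # assumed seed length for this sketch


def token_response(hmac_secret: bytes, challenge: bytes) -> bytes:
    """What a slot in HMAC-SHA1 challenge-response mode returns."""
    return hmac.new(hmac_secret, challenge, hashlib.sha1).digest()


def toy_key(password: str, response: bytes) -> bytes:
    """Illustrative mixing only; NOT KeePassXC's real key derivation."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw_hash + response).digest()


class ToyDatabase:
    """Hypothetical stand-in for a database file: seed plus a key check value."""

    def __init__(self, password: str, hmac_secret: bytes):
        self.save(password, hmac_secret)

    def save(self, password: str, hmac_secret: bytes) -> None:
        # Each save draws a fresh seed, so the required response changes.
        self.master_seed = secrets.token_bytes(SEED_LEN)
        key = toy_key(password, token_response(hmac_secret, self.master_seed))
        self.key_check = hashlib.sha256(key).digest()

    def unlock(self, password: str, response: bytes) -> bool:
        candidate = hashlib.sha256(toy_key(password, response)).digest()
        return hmac.compare_digest(candidate, self.key_check)


def demo() -> dict:
    password = "correct horse battery staple"   # constructed sample password
    primary = bytes(range(20))                  # constructed 20-byte secret
    backup = bytes(range(20))                   # backup token, same secret
    stranger = bytes(20)                        # token with a different secret

    db = ToyDatabase(password, primary)
    recorded = token_response(primary, db.master_seed)
    out = {
        # No counter or timestamp: the same response works until the next save.
        "same_response_until_save": db.unlock(password, recorded),
        "backup_token_works": db.unlock(
            password, token_response(backup, db.master_seed)),
        "other_secret_works": db.unlock(
            password, token_response(stranger, db.master_seed)),
    }
    db.save(password, primary)
    out["old_response_after_save"] = db.unlock(password, recorded)
    out["new_response_after_save"] = db.unlock(
        password, token_response(primary, db.master_seed))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sketch never stores the HMAC secret, which is why no side-car file is needed and why losing every token programmed with that secret locks the database for good.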
Browser integration
- Showing context menus on password fields (menus.ContextType)
- HTTP Auth support (webRequest.onAuthRequired)
- From the extension popup menu, click 'Choose custom login fields'. You can skip the Username, Password, and TOTP fields if not needed.
- On Step 4 (Confirm Selection), choose the additional string fields you need to fill. Note that they are numbered sequentially.
- After choosing the String Fields, go to your KeePassXC client and create advanced attributes with a prefix of 'KPH: ' in the order you chose them above. NOTE: The space after the colon is required.
- If you wish, you may add a short name after the prefix to help you remember its purpose.
- An example using the page https://meine.deutsche-bank.de/trxm/db/init.do
- Choose custom login fields for this page and select Branch, Account and Sub-account as String Fields when you reach step 4.
- Go to your entry and add the following advanced attributes (the order is critical):
- KPH: Branch
- KPH: Account
- KPH: Sub-account
SSH Agent
- How does the SSH Agent work?
- The SSH Agent feature is supported on all target platforms (Linux, macOS and Windows) and it acts as a client for an existing agent. It can automatically add SSH keys from your KeePassXC database to a running SSH agent when unlocked and remove them when locked.
On Linux, most desktops are already running an agent without any set up required.
On Windows, you need to have Pageant running. It is part of the PuTTY suite.
On macOS, ssh-agent is running by default and no further setup is required.
- What SSH key types are supported?
- Most SSHv2 key types are supported (DSA, RSA and Ed25519), including encrypted keys. ECDSA keys are only supported with the new OpenSSH file format. 3DES-encrypted keys are not supported and we highly recommend upgrading them for external storage or storing them decrypted inside the database.
SSHv1 keys are not supported.
PuTTY format key files (.ppk) are not supported. You can use PuTTY Key Generator (puttygen.exe) to convert your keys to OpenSSH format.
RFC4716 format key files are not supported.
- Why are the agent buttons greyed out / why doesn't it work?
- On Linux or macOS, you need to have ssh-agent running and the SSH_AUTH_SOCK environment variable available for KeePassXC at launch. The Arch Linux wiki has a generic guide on how to manually run ssh-agent if it's not already set up. Sometimes other applications like GNOME Keyring or gpg-agent already provide a compatible agent that also works with KeePassXC.
On Windows, Pageant needs to be running, see How does the SSH Agent work?.
- How do I set up a passphrase for encrypted keys?
- The SSH Agent feature uses the entry password field as the decryption key.
- Why does the public key (seem to) have no comment?
- When using normal DSA or RSA keys, the private key file does not contain any embedded text. In that case, the entry username field is used as the public key comment. It is also sent to the agent when adding a key and is visible in the agent when listing keys.
If you are using Ed25519 keys or have converted your old key to the new OpenSSH file format, the comment is embedded in the key file which is then used by KeePassXC. You can use ssh-keygen to modify the comment.
- I'm already using KeeAgent, is KeePassXC compatible with it?
- Yes, mostly. KeeAgent supports more key types and provides a custom agent, but otherwise you can use the same database with KeeAgent and KeePassXC.
- Why is Pageant refusing my keys?
- Pageant does not support confirm-on-use or automatic removal of key after a timeout. There doesn't seem to be any alternative to Pageant for Windows that supports both of them.
- Why is OpenSSH ssh-agent refusing my keys?
- If you are using the confirm-on-use option for your keys, ssh-agent needs to have a 'ssh-askpass' program available.
On Linux it depends on your distribution and desktop environment how to install and configure one as there are several available.
On macOS, you need a third party program like theseal/ssh-askpass.
- I'm getting protocol or connection errors, what's wrong?
- If you are using GNOME Keyring, it is known to be buggy and the SSH Agent implementation fairly incomplete prior to release 3.27.92. You are encouraged to use OpenSSH ssh-agent if you are stuck with an older version.
Known limitations of older versions include no support for Ed25519 keys, no support for confirm-on-use and incorrect implementation of the agent protocol causing protocol errors.
- I'm getting a 'Too many authentication failures' error, what shall I do?
- SSH will try all available identity files in sequence when connecting to a server. If you export many SSH keys at a time, you'll very likely experience a 'Received disconnect from {port}: Too many authentication failures' error. To solve this issue, you'll have to tell SSH which identity file to use. Either use the -i command line option or the IdentityFile directive in your OpenSSH config file (~/.ssh/config) to pass the path to the respective private key file.
If you use the IdentityFile directive, you likely want to use the IdentitiesOnly directive, too. The Arch Linux wiki has a generic guide on how to manage multiple keys.
If you prefer storing your private key inside your database using an attachment, you can still do so. Instead of letting the IdentityFile directive point to a private key file, let it point to your public key file. The SSH Agent will use the provided information to select the correct private key.
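An added example (not from the KeePassXC project) that checks an OpenSSH client config for the situation described above: Host blocks that set IdentityFile without an effective IdentitiesOnly yes, so the client still offers every key the agent holds. The sample config, host names and file paths are constructed, and the check is simplified: only the section before the first Host line and a literal `Host *` block are treated as defaults, other patterns are not evaluated.

```python
import re

# Constructed sample ~/.ssh/config; IdentityFile points at public key files
# because the private keys live in the database and are served by the agent.
SAMPLE_CONFIG = """\
# constructed sample
Host git.example.org
    User git
    IdentityFile ~/.ssh/git_example.pub

Host bastion.example.org
    IdentityFile=~/.ssh/bastion.pub
    IdentitiesOnly yes

Host *
    ServerAliveInterval 30
"""


def parse_blocks(text):
    """Split an ssh_config text into blocks of lower-cased keyword -> values."""
    current = {"pattern": "(global)", "options": {}}
    blocks = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            current = {"pattern": value, "options": {}}
            blocks.append(current)
        else:
            current["options"].setdefault(keyword, []).append(value)
    return blocks


def first_value(block, keyword):
    """First value wins in ssh_config; return it lower-cased, or None."""
    values = block["options"].get(keyword)
    return values[0].lower() if values else None


def blocks_missing_identities_only(text):
    """Patterns of blocks that pin an IdentityFile but still offer all keys."""
    blocks = parse_blocks(text)
    default_yes = any(
        b["pattern"] in ("(global)", "*")
        and first_value(b, "identitiesonly") == "yes"
        for b in blocks
    )
    flagged = []
    for block in blocks:
        if "identityfile" not in block["options"]:
            continue
        own = first_value(block, "identitiesonly")
        effective = own if own is not None else ("yes" if default_yes else "no")
        if effective != "yes":
            flagged.append(block["pattern"])
    return flagged


if __name__ == "__main__":
    print(blocks_missing_identities_only(SAMPLE_CONFIG))
```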
Platform-specific
- For Android, we recommend KeePassDX and KeePass2Android.
- And for iOS, we suggest Strongbox and KeePassium.
appmenu-qt5
You have 3 options:
- Remove the appmenu-qt5 package
- Set the environment variable UBUNTU_MENUPROXY='
- Set the environment variable QT_QPA_PLATFORMTHEME='
LastPass got hacked a few times in the past and I was having second thoughts about moving to another service. After all, it’s the master key to my entire digital life that they own. Still, I stayed with them, hoping they will fix these issues and make things more secure. However, the latest news about the tie-up with LogMeIn dealt a final blow and shattered my domino of trust and I started looking for alternatives the next second.
Khamosh made things a bit easier by coming up with the top 3 alternatives to LastPass, and with KeePass being the only free one among them, I chose it over the others. My dad says a penny saved is a penny earned, and I always look out for any possible way to save mine.
However, the free price tag means that there's no solid support and there are no official tools for browsers and smartphones, which are really essential for any password manager. Luckily, it's open source and therefore a couple of tools, plugins and apps are available to bridge the gap. We have already written about how you can integrate KeePass with your browser. Today, as promised, I will be talking about some nice apps for Android and iOS.
Move the Vault to the Cloud
For the trick to work, your password vault must be stored in the cloud, and as KeePass doesn't have a server of its own, you will have to take help from Dropbox. Install the app on your computer and either move the existing database file to the cloud, or create a new one if you are just starting with KeePass.
Note: Android users can choose to host the KeePass database file on Google Drive, OneDrive or even a personal SFTP network. iPhone users don't have a choice though.
Keepass2Android on Android
There are a lot of third party apps available for KeePass on Android. But the reason I chose Keepass2Android over others is its ability to work with database files hosted on the cloud. When you install and open the app, it will ask you to either create a new database file or open one from local drive or a variety of cloud services.
After the file is read, it will ask you to enter the master password to decrypt the file and load all the entries in the exact same category as your computer.
To use the app, you need to search for the website you are visiting and open the link. You will get buttons to copy the username and the password in the notification drawer, and they will reflect the last website you searched for in the app. So once you are on the webpage, or the app where you need to enter the credentials, copy and paste the respective fields from the notification drawer.
One of the interesting features the app offers is the ability to work with any Android browser. Open the share option on browser and select Keepass2Android. If not already unlocked, you will be asked for the password. Here you can search the database. You can also choose the KeePass keyboard from the notification drawer and enter the username and password.
KeePass Touch for iOS
Due to so many restrictions imposed by iOS, KeePass Touch is not as feature rich as Keepass2Android. You can sync files from Dropbox and local FTP. There's no option for OneDrive or Google Drive. Once you select the file, you will be asked to unlock it using the master password.
There's no way you can directly import the username and password while you are browsing on Safari. But the app has a built-in browser which can easily log you in to websites. If you really want to use Safari, or you need to enter your credentials on an app, you can copy the username and password from the clipboard.
For security, you can put a PIN lock and you also get touch ID recognition making it easier to unlock the database. The file updates on Dropbox are automatically updated. Apart from that, there are settings like visible password and clipboard memory you can configure.
Conclusion
So that’s all. We have already seen how to transfer all the data from LastPass to KeePass and how to use it on Chrome and Firefox. Now we know how to use it on our smartphones. If you have any request on KeePass usage, please get in touch with us on our forum and I will definitely look into it.
The above article may contain affiliate links which help support Guiding Tech. However, it does not affect our editorial integrity. The content remains unbiased and authentic.