The biggest objection to KeePassXC is sync. Cloud password managers sync automatically. You add a password on your laptop and it appears on your phone. KeePassXC is an offline tool. Your database is a local file. How do you get it everywhere?

The answer is Nextcloud. Your KeePassXC database syncs through your own server to every device you own. Desktop, phone, tablet. All platforms. All open source. This article walks through the entire setup.

What You Need

  • KeePassXC on your desktop (macOS, Linux, or Windows)
  • Nextcloud running on a home server or VPS
  • Nextcloud desktop client syncing a folder on your computer
  • KeePassDX on Android or KeePassium on iOS
  • Nextcloud mobile app on your phone

If you do not have Nextcloud set up yet, read the Nextcloud article first. If you need remote access to your home server, read the WireGuard article.

Step 1: Create Your Database in KeePassXC

If you do not have a KeePassXC database yet, create one. Open KeePassXC and click Create New Database. Choose a strong master password. This is the one password you need to remember. Everything else lives inside the database.

Save the database file (.kdbx) inside your Nextcloud sync folder. That is the key step. The file needs to be in a directory that the Nextcloud desktop client syncs to your server.

# Example path on macOS
~/Nextcloud/Passwords/passwords.kdbx

# Example path on Linux
~/Nextcloud/Passwords/passwords.kdbx

If you already have a KeePassXC database, move it into your Nextcloud sync folder. Then open it from the new location in KeePassXC.

Step 2: Install the Nextcloud Desktop Client

The Nextcloud desktop client syncs files between your computer and your Nextcloud server. Install it if you have not already.

macOS

brew install --cask nextcloud

Linux

# Ubuntu / Debian
sudo apt install nextcloud-desktop

# Fedora
sudo dnf install nextcloud-client

Windows

winget install Nextcloud.NextcloudDesktop

Sign into your Nextcloud server and sync the folder containing your .kdbx file. Once the sync completes, your password database is on your server.

Step 3: Set Up Your Android Phone

Install the Nextcloud Android app

Install Nextcloud from F-Droid or Google Play. Open source, GPL-2.0 licensed. Sign into your Nextcloud server. The app gives your phone access to all files on your server.

Install KeePassDX

Install KeePassDX from F-Droid or Google Play. Open source, GPL-3.0 licensed. Free. No ads. No premium tier.

Connect KeePassDX to your database

  1. Open KeePassDX
  2. Tap Open existing database
  3. Browse to your Nextcloud folder and select the .kdbx file
  4. Enter your master password

KeePassDX can read the file directly from the Nextcloud-synced location. When the database changes on your server, the Nextcloud app syncs the updated file and KeePassDX reads the new version.

Enable autofill

Go to Android Settings > Passwords & accounts > Autofill service and select KeePassDX. Now when you tap a login field in any app or browser, KeePassDX offers to fill your credentials from your encrypted database.

Enable biometric unlock

In KeePassDX settings, enable fingerprint or face unlock. You enter your master password once. After that, your fingerprint opens the database. Same convenience as any cloud password manager.

Step 4: Set Up Your iPhone

Install the Nextcloud iOS app

Install Nextcloud from the App Store. Open source, GPL-3.0 licensed. Sign into your Nextcloud server.

Install KeePassium

Install KeePassium from the App Store. Open source, GPL-3.0 licensed. The core app is free and fully functional. There is a premium tier for convenience features like multiple databases and longer auto-lock timeouts.

Connect KeePassium to your database

  1. Open KeePassium
  2. Tap the + button to add a database
  3. Select Open existing file
  4. Navigate to the Nextcloud folder in the iOS Files app and select your .kdbx file
  5. Enter your master password

The Nextcloud iOS app integrates with the iOS Files app. Your Nextcloud server appears as a storage location alongside iCloud Drive and local files. KeePassium can open the database directly from there.

Enable AutoFill

Go to iOS Settings > Passwords > Password Options > AutoFill Passwords and enable KeePassium. When you tap a login field in Safari or any app, iOS offers to fill from your KeePassXC database.

Enable biometric unlock

In KeePassium settings, enable Face ID or Touch ID. Same as Android. Enter the master password once, then use biometrics to open the database.

Step 5: Additional Desktops

If you use multiple computers, install the Nextcloud desktop client and KeePassXC on each one. Point the Nextcloud client at the same sync folder. Open the .kdbx file from the synced location. Every computer sees the same database, synced through your server.

How Sync Works

When you add or change a password in KeePassXC on any device, the .kdbx file is modified. The Nextcloud client detects the change and uploads the new version to your server. Other devices running the Nextcloud client download the updated file. The next time you open the database on another device, it has the latest passwords.

The database is AES-256 encrypted at all times. It is encrypted on your desktop. It is encrypted in transit to your server. It is encrypted on your server. It is encrypted on your phone. At no point does the plaintext content of your passwords exist anywhere except in memory on the device where you unlocked the database.

Conflict Handling

If you edit the database on two devices at the same time before either one syncs, Nextcloud creates a conflict file. You will see a file like passwords (conflicted copy).kdbx in your sync folder. This is rare in practice. Password databases are small files that sync in seconds. But if it happens, open both files in KeePassXC on your desktop and merge the entries manually. Then delete the conflict copy.

To avoid conflicts, let each device sync after making changes before editing on another device. KeePassXC and KeePassDX both save and close quickly. The window for conflicts is small.

The Full Stack

Here is what you end up with:

  • KeePassXC on your desktop: create and manage passwords
  • Nextcloud on your server: sync the encrypted database file
  • WireGuard on your server: secure remote access when you are away from home
  • KeePassDX on Android: read and autofill passwords from the synced database
  • KeePassium on iOS: read and autofill passwords from the synced database
  • Nextcloud mobile app: keeps the database file synced to your phone

Every component is open source. Every component is free. Your passwords are encrypted on every device and in transit. The only server involved is yours. No cloud password service has your credentials. No company can be breached to expose them. No subscription can be cancelled to lock you out.

The Principle

Cloud password managers solve the sync problem by putting a company in the middle. You trust them with every credential you own. That is a single point of failure for your entire digital life.

This setup solves the sync problem without the middleman. Your passwords sync across every device you own through infrastructure you control. Same convenience. Same autofill. Same biometric unlock. No trust required.

Your passwords. Your server. Every device. No one else involved.