Every cloud-based password manager works the same way. You hand all your credentials to a company. They store them on their servers. They promise encryption. They promise they cannot see your data. Then one day you read that their servers were breached and encrypted vaults were exfiltrated. Now your passwords are sitting on an attacker’s hard drive, and the only thing between them and every account you own is the strength of your master password.
That is not a hypothetical. That is recent history.
KeePassXC does not work that way. Your passwords never leave your machine.
What KeePassXC Is
KeePassXC is a free, open source, offline password manager. It stores your credentials in an encrypted database file on your own device. AES-256 or ChaCha20 encryption. Argon2 key derivation. The database is a single file with a .kdbx extension. You control where that file lives. Your hard drive. Your USB stick. Your own server. Nowhere else unless you put it there.
There is no account to create. No server to connect to. No company to trust. No subscription. No cloud sync service that can be subpoenaed, breached, or shut down. Just a file that only you can open.
The official KeePassXC website is keepassxc.org. That is the only official source for downloads, documentation, and release information.
Warning: Trojanized KeePass installers are an active threat
There is a documented, ongoing campaign where attackers build trojanized KeePass installers and distribute them through fake lookalike domains. The malware functions exactly like the real application. It looks right. It works right. But in the background it silently exports your entire password database to an unencrypted file and installs a Cobalt Strike beacon on your system, giving attackers remote access to your machine.
This is not theoretical. In early 2025, WithSecure investigated a ransomware attack where the initial infection vector was a trojanized KeePass installer downloaded from a lookalike domain. The attackers used it to gain access, move laterally, and ultimately encrypt the victim's VMware ESXi servers. Kaspersky has also documented this attack pattern in detail.
We are flagging keepass-xc.com specifically. That domain is not affiliated with the KeePassXC project. It has no identifiable team, contains scraped content, and features a mystery submission form. We do not know who operates it. That is the exact profile of the domains used in these attacks.
The official KeePassXC domain is keepassxc.org. Not a .com. Not a hyphenated variation. If you are downloading a password manager and the domain does not match exactly, close the tab. Go to keepassxc.org directly. Type it yourself. Your entire credential vault depends on downloading the real software from the real source.
Why Offline Matters
Cloud password managers ask you to trust that the company storing your credentials will never be compromised. That they will never be compelled by a court to hand over your vault. That their employees will never make a mistake. That their infrastructure will never have a vulnerability. That their encryption implementation is flawless and will remain flawless forever.
That is a lot of trust for a single point of failure.
KeePassXC eliminates the entire attack surface. There is no server to breach because there is no server. There is no company to subpoena because your database is not on anyone else’s hardware. There is no employee who can make a mistake with your data because no employee has access to your data. The threat model collapses to one thing: someone getting physical access to your encrypted database file and your master password. That is a problem you can manage yourself.
What It Does
KeePassXC is not a stripped-down tool that trades features for privacy. It is a full password manager.
- Password generation. Configurable length, character sets, passphrases. Generate passwords that are actually random, not variations of the same pattern you always use.
- Auto-type. KeePassXC can type your credentials into any application. Not just browsers. Any window. Any login form. Any application on your machine. It matches the window title to the entry in your database and types the username and password for you.
- Browser integration. A browser extension connects KeePassXC to Firefox, Chrome, Chromium, Brave, Edge, and Vivaldi. It fills login forms the same way cloud managers do. The difference is the passwords come from a local file, not a remote server.
- TOTP. KeePassXC stores time-based one-time passwords. Your two-factor authentication codes live in the same encrypted database as your passwords. No separate authenticator app needed.
- SSH agent integration. Store SSH keys in your KeePassXC database. When the database is unlocked, the keys are available to your SSH agent. Lock the database and the keys are gone. No unencrypted private keys sitting in ~/.ssh.
- Passkeys and hardware keys. KeePassXC supports FIDO2 passkeys and can be unlocked with YubiKey or OnlyKey hardware security keys as an additional factor.
- Attachments. Store files inside your encrypted database. Certificates, recovery codes, license keys, secure notes. Anything you need to keep encrypted alongside your passwords.
Where It Runs
KeePassXC runs on macOS, Linux, and Windows. Native applications. Not Electron. Not a web app wrapped in a browser. A compiled C++ application that runs efficiently and does not need a runtime environment.
macOS
brew install --cask keepassxc
Linux
# Fedora / RHEL
sudo dnf install keepassxc
# Ubuntu / Debian
sudo apt install keepassxc
Also available as a Flatpak, Snap, and AppImage.
Windows
winget install KeePassXCTeam.KeePassXC
Mobile
KeePassXC does not have its own mobile app. That is worth saying directly. The project is desktop-only. There is no official KeePassXC app for iOS or Android. If that bothers you, it should. A password manager you cannot access from your phone is incomplete.
The reason it works anyway is that KeePassXC uses an open database format. The .kdbx file is a documented standard. Any application that implements the format can read your database. You are not locked into one vendor’s app. Your data is portable by design.
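Because the .kdbx format is documented, the plaintext outer header, which records the cipher and key derivation function mentioned under "What KeePassXC Is", can be read without the master password. The following is an added example, not code from the KeePassXC project: a minimal Python parser for a KDBX 4 outer header, run here against a constructed header, that lets you confirm a synced or imported database really uses ChaCha20 or AES-256 with Argon2 and sane parameters. The UUIDs and field IDs are those of the KeePass 2.x format; the sample header values are constructed.

```python
import struct

KDBX_SIG = (0x9AA2D903, 0xB54BFB67)                      # KDBX file signature words
CIPHERS = {"31c1f2e6bf714350be5805216afc5aff": "AES-256",   # cipher UUIDs from the KeePass 2.x format
           "d6038a2b8b6f4cb5a524339a31dbb59a": "ChaCha20"}
KDFS = {"ef636ddf8c29444b91f7a9a403e30a0c": "Argon2d", "9e298b1956db4773b23dfc3ec6f0a1e6": "Argon2id",
        "c9d9f39a628a4460bf740d08c18a4fea": "AES-KDF"}
VD_SCALAR = {0x04: "<I", 0x05: "<Q", 0x08: "<?", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary scalar tags

def parse_variant_dict(buf):
    """Decode a KDBX 4 VariantDictionary (the KDF parameters field) into a dict."""
    out, pos = {}, 2                             # skip the 2-byte dictionary version (0x0100)
    while buf[pos] != 0x00:                      # a 0x00 tag terminates the dictionary
        tag, nlen = struct.unpack_from("<Bi", buf, pos)
        name = buf[pos + 5:pos + 5 + nlen].decode()
        vlen = struct.unpack_from("<i", buf, pos + 5 + nlen)[0]
        val = buf[pos + 9 + nlen:pos + 9 + nlen + vlen]
        pos += 9 + nlen + vlen
        out[name] = struct.unpack(VD_SCALAR[tag], val)[0] if tag in VD_SCALAR else val
    return out

def parse_kdbx_header(data):
    """Return version, cipher, KDF and KDF parameters from a .kdbx 4 outer header."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data)
    if (sig1, sig2) != KDBX_SIG or major != 4:   # KDBX 3 uses a different (16-bit size) layout
        raise ValueError("not a KDBX 4 file")
    info, pos = {"version": f"{major}.{minor}"}, 12
    while True:                                  # outer header fields: type(1) size(4) data
        ftype, size = struct.unpack_from("<BI", data, pos)
        val, pos = data[pos + 5:pos + 5 + size], pos + 5 + size
        if ftype == 0:                           # EndOfHeader
            return info
        if ftype == 2:                           # CipherID
            info["cipher"] = CIPHERS.get(val.hex(), "unknown")
        elif ftype == 11:                        # KdfParameters
            kdf = parse_variant_dict(val)
            info["kdf"] = KDFS.get(kdf.pop("$UUID").hex(), "unknown")
            info["kdf_params"] = kdf

def _vd(tag, name, payload):                     # encode one VariantDictionary entry (sample only)
    return struct.pack("<Bi", tag, len(name)) + name.encode() + struct.pack("<i", len(payload)) + payload

def sample_header():
    """Constructed KDBX 4.1 outer header (no body): ChaCha20, Argon2id, 64 MiB, 2 passes."""
    kdf = struct.pack("<H", 0x0100) + _vd(0x42, "$UUID", bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"))
    kdf += _vd(0x42, "S", b"\x11" * 32) + _vd(0x04, "P", struct.pack("<I", 2))
    kdf += _vd(0x05, "M", struct.pack("<Q", 64 << 20)) + _vd(0x05, "I", struct.pack("<Q", 2)) + b"\x00"
    fields = [(2, bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a")), (3, struct.pack("<I", 1)),
              (4, b"\x22" * 32), (7, b"\x33" * 12), (11, kdf), (0, b"\r\n\r\n")]
    return struct.pack("<IIHH", *KDBX_SIG, 1, 4) + b"".join(struct.pack("<BI", t, len(v)) + v for t, v in fields)
```

On a real database, parse_kdbx_header(open(path, "rb").read()) works the same way, since parsing stops at the EndOfHeader field and never needs the encrypted body.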
There are two open source mobile apps worth using. Both are free. Both are GPL licensed. Both are actively maintained.
Android: KeePassDX
KeePassDX is open source under the GPL-3.0 license. Source code on GitHub. Available on F-Droid and Google Play. Full support for .kdbx 4 databases including TOTP, attachments, biometric unlock, and Android autofill. It is the best open source KeePass app on Android and it is completely free. No premium tier. No paid unlock. No ads.
iOS: KeePassium
KeePassium is open source under the GPL-3.0 license. Source code on GitHub. Available on the App Store. Full .kdbx support, iOS autofill integration, biometric unlock, and Face ID. There is a premium tier for convenience features like multiple databases and longer auto-lock timeouts, but the core app is free and fully functional. The source code is public and auditable.
There are closed-source KeePass-compatible apps on both platforms. I am not recommending them. The entire point of using KeePassXC is to keep your credentials out of proprietary systems. Using a closed-source app to read an open database defeats the purpose. If you cannot read the source code, you do not know what the app is doing with your passwords.
Syncing to mobile
Since your database is a single file, syncing it to your phone is as simple as syncing any file. Put the .kdbx file in a folder that syncs to your phone and the mobile app reads it directly.
- Syncthing: peer-to-peer file sync. No cloud. Your devices talk directly to each other over your local network or encrypted connections. The database never touches a third-party server.
- Nextcloud: self-hosted cloud. If you run your own Nextcloud instance, the database syncs through your own server. Same result as a cloud password manager without handing your vault to someone else.
- Any cloud drive: if you use iCloud, Google Drive, or Dropbox, you can put the .kdbx file there. The file is AES-256 encrypted. Even if the cloud provider is compromised, the attacker gets an encrypted blob they cannot open without your master password. It is not as clean as self-hosted sync, but the database encryption means the file is safe at rest regardless of where it sits.
Importing From Other Managers
KeePassXC imports directly from most password managers. If you are coming from a cloud-based service, export your vault as CSV and import it into KeePassXC. It supports imports from 1Password, Bitwarden, LastPass, Chrome, Firefox, and generic CSV files.
# From the KeePassXC menu:
# Database > Import > CSV File
# or
# Database > Import > 1Password Export
After importing, delete the unencrypted export file. Securely. That CSV contains every password you own in plaintext.
Backups
Because your database is a single file, backing it up is trivial. Copy it anywhere. An external drive. A USB stick in a safe. A second machine. An encrypted archive. You are not dependent on a company’s backup infrastructure. You are not hoping their disaster recovery plan works. Your backups are your responsibility and your guarantee.
KeePassXC can be configured to save backup copies automatically every time the database is saved. One setting. Automatic versioned backups to a directory you choose.
The Principle
Your passwords are the keys to your entire digital life. Your email. Your bank. Your servers. Your business accounts. Every service you use. Every system you manage. Whoever holds your passwords holds everything.
Cloud password managers put a company between you and those keys. That company becomes a target. A single breach exposes every user. A single court order can compel access. A single business decision, an acquisition, a shutdown, a pricing change, can hold your credentials hostage.
KeePassXC puts you in control. Your passwords live on your device, encrypted by keys only you hold. No company in the middle. No server to breach. No subscription to cancel. No trust required.
Your passwords belong to you. Keep them that way.