Offline, file-based password vault. No cloud, no account.
Best evidence tier. Signup tested end-to-end by xmr.club curator — deposit + withdrawal + edge cases. No-KYC posture verified at retail volume. Last_verified within 12 months.
Full rubric + 7-step verification walkthrough at /methodology.
KeePassXC is the canonical local-first password manager — a desktop application that stores your passwords in a single encrypted `.kdbx` database file under your control, with no servers, no accounts, no cloud sync, and no telemetry. Listed at Grade A · editor's pick because it occupies the lowest-trust-surface point in the password manager space: there is nothing to leak when there is no operator infrastructure, no SaaS company, and no third-party storage. The default pick for users who treat password storage as an infrastructure problem rather than a hosted service.
Background. KeePassXC is a community-maintained cross-platform fork of the original KeePassX (which was itself a Qt-based fork of the Windows-only KeePass). Active development by a distributed contributor team since 2016, released under the GPLv3 license. Cross-platform desktop (macOS, Windows, Linux) with full feature parity across platforms; mobile platforms have separate but compatible apps (KeePassDX on Android, Strongbox or KeePassium on iOS — all read/write the same `.kdbx` format). The `.kdbx` file format is an open specification with established cryptographic primitives (AES-256, ChaCha20, Argon2 for key derivation); the same file works across KeePassXC, KeePass, KeePassDX, Strongbox, KeePassium, and many other clients. Funded entirely by donations + occasional sponsorships; no commercial entity behind the project.
What you trust. Local file storage — your `.kdbx` database is just a file on your disk; you control where it lives (local drive, USB stick, your own Nextcloud, your own Syncthing setup, etc.). Open-source codebase + reproducible builds — the source is auditable; signed releases are reproducible from source. Strong cryptography — AES-256 or ChaCha20 encryption, Argon2 key derivation function (resistant to GPU/ASIC attacks), HMAC-SHA256 integrity check. No operator — there is no KeePassXC company that could be subpoenaed, no SaaS backend, no service to compromise. YubiKey + hardware-token support — second-factor unlock via hardware tokens for users who want defence-in-depth. Audited — the codebase has received independent security audits; full audit reports are linked from keepassxc.org. PGP support — for users who use PGP keys, KeePassXC integrates with system PGP for additional encryption workflows.
Operational specs. Platforms: desktop apps for macOS / Windows / Linux (Qt-based, native to each platform). Database format: `.kdbx` (KeePass database format) — the same format is readable by KeePass-family clients on mobile and desktop. Encryption: AES-256 or ChaCha20 symmetric encryption; Argon2 key derivation (configurable iterations + memory cost). Unlock methods: master passphrase, key file, YubiKey/hardware token, or a combination. Auto-type: configurable per entry; types username + Tab + password + Enter into the focused window. Browser integration: official browser extensions (KeePassXC-Browser) for Firefox / Chromium derivatives — opt-in, communicates over local IPC, no network involvement. TOTP support: built-in TOTP (RFC 6238) generation; the database stores the TOTP secret alongside the password. Sharing: read-only or read-write groups can be shared across multiple users via shared `.kdbx` files (each user has their own master passphrase). Database conversion: imports from LastPass / 1Password / Bitwarden / Chrome / Firefox / etc. for migration. Mobile complement: KeePassDX (Android), Strongbox / KeePassium (iOS) — all open-source, all read/write the same `.kdbx` format.
Philosophy. KeePassXC's editorial differentiator is the local-first, server-less posture. SaaS password managers (Bitwarden, 1Password, Dashlane) offer convenience — cross-device sync without the user thinking about it, web-based recovery, account-based access. The trade-off: a hosted operator becomes a trust surface. Self-hosted Bitwarden (or Vaultwarden) closes some of that gap by letting you operate the server, but introduces self-hosting operational complexity. KeePassXC sidesteps the whole hosted-vs-self-hosted question: the database is a file, the application is local, and sync is whatever you already use for files (Nextcloud, Syncthing, USB drive, encrypted backup service). The trade-off: cross-device sync is on you — KeePassXC has no "log in on a new phone" path; you have to get the `.kdbx` file onto the new device by your preferred file-sync mechanism.
Grade rationale. Grade A and editor's pick reflect: open-source GPLv3 codebase; cross-platform desktop (macOS, Windows, Linux) with feature parity; compatible mobile clients (KeePassDX, Strongbox, KeePassium); no operator infrastructure, no SaaS backend, no telemetry; strong cryptography (AES-256/ChaCha20 + Argon2 KDF); YubiKey + hardware-token second-factor support; independent security audits with public reports; built-in TOTP support; browser extension with local IPC (no network); reproducible builds + signed releases; entirely donation-funded (no commercial-pressure conflicts); cross-listed in Privacy Guides peer directory. Over 8 years of operational continuity (since 2016 fork). Last verified 2026-05-13.
Useful when. You want the most conservative password manager posture — no operator, no SaaS, no third-party storage. You're a Privacy Guides-tier user comfortable managing your own file backups. You want cross-platform desktop (macOS/Windows/Linux) without compromising on the local-first principle. You use a YubiKey or other hardware token as your second factor (KeePassXC's hardware-token integration is mature). You want a mobile-compatible vault — KeePassXC desktop pairs cleanly with KeePassDX (Android) or Strongbox / KeePassium (iOS) via shared `.kdbx` files. You're an organisation or family that wants shared password vaults with per-user master passphrases. You're migrating off a SaaS password manager and want a local-first destination.
Caveats. Cross-device sync is your responsibility — KeePassXC has no built-in sync; you use Nextcloud, Syncthing, Resilio, a USB drive, or whatever file-sync mechanism you trust. This is a feature (no operator), but it adds friction. No web-based access — there's no "log in from a friend's computer" path; if you don't have your `.kdbx` file with you, you don't have your passwords. Mobile parity depends on which mobile client you choose — official KeePassXC is desktop-only; the recommended mobile clients (KeePassDX on Android, Strongbox / KeePassium on iOS) are separately maintained and have their own UX. Auto-type quirks — auto-type relies on simulated keyboard input, which can be finicky with specific applications; the browser-extension integration is more reliable than auto-type for web logins. Browser extension is opt-in — if you want password autofill, install KeePassXC-Browser; if you prefer manual copy-paste, the extension is unnecessary. No emergency recovery — if you forget your master passphrase and don't have a backup of your key file, the database is unrecoverable; this is the price of a zero-trust local-first design. Plan accordingly: keep a paper backup of the key file, use a hardware token, or share a sealed master-passphrase envelope with a trusted party. Database corruption is recoverable but not automatic — KeePassXC writes atomically, but if your file-sync mechanism creates conflicts (two devices writing simultaneously) you may end up with a conflict copy; resolve conflicts by opening both copies and merging manually. TOTP convenience trade-off — storing TOTP secrets in your password database is convenient, but it means a single compromise of the database exposes both factors; some users prefer a separate authenticator (Aegis on Android, Ente Auth cross-platform) for higher-stakes accounts.
Free · GPLv3
.onion mirror listed 2026-05-13 (<90d).