ScriptsApr 13, 2026·3 min read

KeePassXC — Cross-Platform Offline Password Manager

KeePassXC is a free, open-source, cross-platform password manager that keeps your passwords in an encrypted local database. No cloud sync, no subscription, no telemetry — just a secure, audited vault protected by a master password and optional key file.

SC
Script Depot · Community
Quick Use

Use it first, then decide how deep to go

This block should tell both the user and the agent what to copy, install, and apply first.

# Install KeePassXC
# macOS
brew install --cask keepassxc

# Linux
sudo apt install keepassxc
# Or Flatpak: flatpak install flathub org.keepassxc.KeePassXC

# Windows: download from keepassxc.org

# CLI usage
keepassxc-cli open ~/passwords.kdbx
keepassxc-cli show ~/passwords.kdbx "Email/Gmail"
keepassxc-cli generate -L 24 -slUn

Introduction

KeePassXC is a community-driven fork of KeePassX that stores all your passwords in a single, encrypted database file (.kdbx). Unlike cloud-based password managers (1Password, LastPass, Bitwarden), KeePassXC keeps everything local — your passwords never leave your machine unless you choose to sync the file yourself.

With over 27,000 GitHub stars, KeePassXC is the most popular desktop-first, offline password manager. It appeals to privacy-conscious users, security professionals, and organizations that require local-only credential storage for compliance.

What KeePassXC Does

KeePassXC stores credentials in an AES-256 or ChaCha20 encrypted database file. You unlock it with a master password, optional key file, or hardware key (YubiKey). The application provides auto-type (fills credentials into any application), browser integration, TOTP support, SSH agent integration, and a powerful password generator.

Architecture Overview

[KeePassXC Application]
C++ / Qt (native performance)
        |
   [Encrypted Database (.kdbx)]
   AES-256 or ChaCha20
   Argon2 key derivation
   Single file, portable
        |
+-------+-------+-------+
|       |       |       |
[Auto-Type] [Browser   [SSH Agent]
Fills into  Extension] Serve SSH
any app     Chrome,    keys from
via keyboard Firefox    the database
        |
   [Optional Sync]
   Syncthing, Dropbox,
   Google Drive, NAS
   (you control it)

Self-Hosting & Configuration

# CLI operations

# Create a new database
keepassxc-cli db-create ~/passwords.kdbx

# Add an entry
keepassxc-cli add ~/passwords.kdbx "Email/Gmail" \
  -u "user@gmail.com" --url "https://mail.google.com"

# Generate a strong password
keepassxc-cli generate -L 32 -slUn
# Output: xK9#mP2$vR7@nL4&bQ8*cT5!wF3^hJ6

# Search entries
keepassxc-cli locate ~/passwords.kdbx "gmail"

# Export to CSV (for migration)
keepassxc-cli export ~/passwords.kdbx --format csv > export.csv

# Merge databases
keepassxc-cli merge ~/passwords.kdbx ~/backup.kdbx

# Sync strategy: use Syncthing for encrypted .kdbx sync
# across devices — KeePassXC handles merge conflicts

Key Features

  • Offline First — all data stored locally in an encrypted file
  • Strong Encryption — AES-256 / ChaCha20 with Argon2 key derivation
  • Auto-Type — fills credentials into any application via keyboard simulation
  • Browser Integration — Chrome and Firefox extensions for web auto-fill
  • TOTP — built-in authenticator (2FA) code generation
  • SSH Agent — serve SSH keys directly from the password database
  • YubiKey — hardware key as additional authentication factor
  • Password Generator — customizable strong password generation

Comparison with Similar Tools

Feature KeePassXC Bitwarden 1Password LastPass
Storage Local file Cloud Cloud Cloud
Open Source Yes Yes (clients) No No
Cost Free Free + paid Paid Free + paid
Offline Access Full (default) Cached Cached Cached
Browser Extension Yes Yes Yes Yes
Mobile App KeePassDX/Strongbox Yes Yes Yes
TOTP Yes Yes (paid) Yes Yes
SSH Agent Yes No Yes No
Sync Manual (your choice) Cloud built-in Cloud built-in Cloud built-in

FAQ

Q: How do I sync KeePassXC across devices? A: Sync the .kdbx file using Syncthing (peer-to-peer), cloud storage (Dropbox, Google Drive), or a NAS. On mobile, use KeePassDX (Android) or Strongbox (iOS) to open the same file.

Q: Is local storage less secure than cloud? A: Local storage eliminates cloud breach risk but requires you to manage backups. The .kdbx file is strongly encrypted — even if someone gets the file, they cannot read it without your master password.

Q: Can I migrate from Bitwarden/1Password/LastPass? A: Yes. Export from your current manager as CSV, then import into KeePassXC via Database > Import. KeePassXC supports multiple import formats.

Q: What if I forget my master password? A: There is no recovery mechanism. If you forget the master password and do not have a key file backup, your data is permanently lost. This is by design for maximum security.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

GoReleaser — Release Engineering for Go Projects

GoReleaser automates the entire Go release process: cross-compilation for all platforms, Docker image building, Homebrew formula generation, changelog creation, and publishing to GitHub/GitLab releases — all from a single YAML config.

Script Depot

VHS — Record Terminal Sessions as GIFs and Videos

VHS by Charmbracelet lets you write terminal recordings as code. Define commands in a .tape file, and VHS generates beautiful GIFs, MP4s, or WebMs — perfect for documentation, README demos, and project showcases.

Script Depot

Air — Live Reload for Go Applications

Air provides live reload for Go development. It watches your source files, automatically rebuilds on changes, and restarts the binary — giving you a hot-reload experience similar to nodemon for Node.js or Flask debug mode for Python.

Script Depot
Home🔍Search👤Me