Consider using KeePassXC

Last modified:

Why KeePass?

The KeePassXC logo.


KeePass is an offline password database. It generates passwords for you. You only have to remember one password, if you use KeePass. It is very convenient.

Some versions can manage SSH keys for you. Forget all your old passwords. You only have to create and remember one strong master password. Browser and mobile plugins for this database exist.


KeePass generates strong passwords for you. Passwords can't get cracked online, since the password manager is offline. Online password managers do have this problem.

Most (if not all) KeePass programs are free software and licensed under the GPL. Keep in mind that a GPL license doesn't mean that a program is trustable.


I recommend KeePassXC. It is a community fork of KeePassX. Here is a list with features which KeePassXC offers.

  • Updates regularly
  • Works on Linux, Windows and macOS without modifications
  • Can import passwords from other password databases
  • TOTP generation (including Steam Guard)
  • SSH Agent integration
  • Browser integration
  • Has key file and YubiKey support
  • Has Secret Service integration
  • ...

I would recommend KeePass2 if KeePassXC isn't available for you. KeePassXC should work cross-platform. It should work on almost every system.

Use on computer

  1. Install KeePass
  2. Open KeePass
  3. Create a new database and give it a master key (+ optional additional protection such as a key file and YubiKey).
  4. Create some entries - enter the username, password, URL (of login page), and optionally notes about the entry.
  5. Save

Extra options for KeePassXC are discussed after the use in browser section.

Use on mobile

I recommend transferring your database file to your phone if you want to use it on your phone. You can automatically sync the file through a cloud like Dropbox or Nextcloud, if you don't want to transfer it manually every time.


KeePassDX is available on F-Droid and the Google Play Store. It is compatible with all KeePass versions (KeePass, KeePassX, KeePassXC...).

F-Droid   Play Store


KeePassium is available on F-Droid and the Apple App Store. It is compatible with all KeePass versions (KeePass, KeePassX, KeePassXC...).

App Store

Use in Browser

KeePassXC has a browser plugin. You should enable browser integration if you want to use this. You can find links to the KeePassXC-Browser add-on here.

Firefox   Chrome   Safari

There are other add-ons for other KeePass versions such as the KeePassHttp-Connector add-on.

Use for SSH keys management

This can work on other versions of KeePass, but this guide focuses on KeePassXC.

Create a new key in KeePassXC

Create a new entry in your KeePassXC database and generate a password for it. Save this entry.

New key in KeePassXC.

Generate a key pair

You can generate a pair of keys with the ssh-keygen command if you don't own some yet. Use the generated password as password.

ssh-keygen -b 4096

ssh-keygen command output.

Enable SSH Agent

  1. Go to "Tools -> Settings".
  2. You can find SSH Agent in the left column.
  3. Click on it to enable it.
  4. Restart KeePassXC

KeePassXC Application Settings.

Implement SSH Agent

SSH Agent configuration in KeePassXC.

  1. Edit the key which you just made in KeePassXC. (Right click -> Edit entry or Ctrl+E)
  2. Click on SSH Agent
  3. Check the checkboxes which you want to have enabled.
    • The first two checkboxes are for basic functionality;
    • The third checkbox provides a dialog window when the key is used. An askpass program is required for this option. I recommend not checking this box.
  4. Add The key by selecting it as external file.
  5. Save the database.

You should have working SSH keys now.

Possible problem on GNU or Linux systems

Other SSH managers like the GNOME Keyring could cause problems. Only one SSH Agent should be running.

I recommend ssh-agent. It is installed on most systems. You can add the following code to "~/.bashrc" if you use bash. It will start up the SSH Agent if it isn't started yet.

# Run SSH agent
if ! pgrep -u "$USER" ssh-agent > /dev/null; then
    ssh-agent > "$XDG_RUNTIME_DIR/ssh-agent.env"
if [[ ! "$SSH_AUTH_SOCK" ]]; then
    eval "$(<"$XDG_RUNTIME_DIR/ssh-agent.env")"

Use Secret Service integration

This option is meant for GNU/Linux systems. It can replace applications like kwallet and gnome-keyring.

Secret Service saves your application profiles. It remembers authentication for desktop applications like nextcloud. You won't have to relogin every time you start applications.

I recommend toggling this option on if you use GNU/Linux. Disable kwallet and gnome-keyring. Use KeePassXC instead which focuses more on security than KDE or GNOME.

  1. Go to “Tools -> Settings”.
  2. You can find Secret Service integration in the left column.
  3. Enable it.
  4. Restart KeePassXC


Diaspora X Facebook LinkedIn