You should use KeePass — Robin Wils's website

Last modified: Tue, Aug 16, 2022

Why KeePass?

The KeePassXC logo.

Figure 1: KeePassXC - CC0 licensed.

Convenience

KeePass is an offline password database. It generates passwords for you, so you only have to remember one password. It is very convenient.

Some versions can manage SSH keys for you. Forget all your old passwords. You only have to create and remember one strong master password. Browser and mobile plugins for this database exist.

Security

KeePass generates strong passwords for you. Because the password manager is offline, your passwords can’t be cracked online. Online password managers do have this problem.

Most (if not all) KeePass programs are free software and licensed under the GPL. Keep in mind that a GPL license doesn’t mean that a program is trustworthy.

KeePassXC

I recommend KeePassXC. It is a community fork of KeePassX. Here is a list with features which KeePassXC offers.

I would recommend KeePass2 if KeePassXC isn’t available for you. KeePassXC should work cross-platform. It should work on almost every system.

Use on computer

  1. Install KeePass
  2. Open KeePass
  3. Create a new database and give it a master key (plus optional additional protection such as a key file and YubiKey).
  4. Create some entries: enter the username, password, URL (of the login page), and optionally notes about the entry.
  5. Save

Extra options for KeePassXC are discussed after the “Use in Browser” section.

Use on mobile

I recommend transferring your database file to your phone if you want to use it there. You can automatically sync the file through a cloud service like Dropbox or Nextcloud if you don’t want to transfer it manually every time.

Android

KeePassDX is available on F-Droid and the Google Play Store. It is compatible with all KeePass versions (KeePass, KeePassX, KeePassXC…).

iOS

KeePassium is available on F-Droid and the Apple App Store. It is compatible with all KeePass versions (KeePass, KeePassX, KeePassXC…).

Use in Browser

KeePassXC has a browser plugin. You should enable browser integration if you want to use this. You can find links to the KeePassXC-Browser add-on here.

There are other add-ons for other KeePass versions such as the KeePassHttp-Connector add-on.

Use for SSH key management

This can work on other versions of KeePass, but this guide focuses on KeePassXC.

Create a new key in KeePassXC

Create a new entry in your KeePassXC database and generate a password for it. Save this entry.

New key in KeePassXC.

Figure 2: Screenshot taken by Robin Wils - CC0 licensed.

Generate a key pair

You can generate a key pair with the ssh-keygen command if you don’t have one yet. Use the password generated in the KeePassXC entry as the passphrase for the key.

ssh-keygen -b 4096

ssh-keygen command output.

Figure 3: Screenshot taken by Robin Wils - CC0 licensed.

Enable SSH Agent

  1. Go to “Tools –> Settings”.
  2. You can find SSH Agent in the left column.
  3. Click on it to enable it.
  4. Restart KeePassXC

KeePassXC Application Settings.

Figure 4: Screenshot taken by Robin Wils - CC0 licensed.

Implement SSH Agent

SSH Agent configuration in KeePassXC.

Figure 5: Screenshot taken by Robin Wils - CC0 licensed.

  1. Edit the key which you just made in KeePassXC. (Right click –> Edit entry or Ctrl+E)
  2. Click on SSH Agent
  3. Check the checkboxes which you want to have enabled.
    • The first two checkboxes are for basic functionality.
    • The third checkbox provides a dialog window when the key is used. An askpass program is required for this option. I recommend not checking this box.
  4. Add the key by selecting it as an external file.
  5. Save the database.

You should have working SSH keys now.

Possible problem on GNU or Linux systems

Other SSH managers like the GNOME Keyring could cause problems. Only one SSH Agent should be running.

I recommend ssh-agent. It is installed on most systems. You can add the following code to “~/.bashrc” if you use bash. It will start up the SSH Agent if it isn’t started yet.

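# Start ssh-agent only if this user has none running, and save its
# environment settings (socket path and PID) to a per-user runtime file.
if ! pgrep -u "$USER" ssh-agent > /dev/null; then
    ssh-agent > "$XDG_RUNTIME_DIR/ssh-agent.env"
fi
# Load those settings into shells that don't know the agent socket yet.
# The file check avoids an error when the agent was started another way.
if [[ -z "$SSH_AUTH_SOCK" && -f "$XDG_RUNTIME_DIR/ssh-agent.env" ]]; then
    eval "$(<"$XDG_RUNTIME_DIR/ssh-agent.env")" > /dev/null
fi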
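
To check which agent a session is actually using, the sketch below classifies the socket in SSH_AUTH_SOCK and counts running ssh-agent processes. It is an added example, not part of the original post; the function names are hypothetical and the socket path patterns are common defaults assumed here, which may differ on your distribution.

```shell
#!/bin/sh
# Added example, not from the original post. The socket path patterns are
# common defaults (assumptions); your distribution may use other paths.

# Print the likely owner of an agent socket path.
classify_agent_sock() {
    case "$1" in
        "")                       echo none ;;
        */keyring/ssh)            echo gnome-keyring ;;
        */gnupg/S.gpg-agent.ssh)  echo gpg-agent ;;
        */ssh-*/agent.*)          echo ssh-agent ;;
        *)                        echo unknown ;;
    esac
}

# Count ssh-agent processes in a newline-separated list of command names.
# grep -c exits non-zero on zero matches, so "|| true" keeps the status clean.
count_ssh_agents() {
    printf '%s\n' "$1" | grep -c -x 'ssh-agent' || true
}

# Combine both checks into one verdict.
# $1 = socket path, $2 = newline-separated process names
agent_verdict() {
    owner=$(classify_agent_sock "$1")
    n=$(count_ssh_agents "$2")
    case "$owner" in
        none)    echo "no-agent" ;;
        unknown) echo "unknown" ;;
        ssh-agent)
            if [ "$n" -gt 1 ]; then
                echo "duplicate-ssh-agent"
            else
                echo "ok"
            fi ;;
        *)       echo "foreign-agent:$owner" ;;
    esac
}

# Real use: inspect the current login session. If ps is unavailable the
# process list is empty and only the socket path is judged.
procs=$(ps -u "$(id -u)" -o comm= 2>/dev/null || true)
echo "SSH agent check: $(agent_verdict "${SSH_AUTH_SOCK:-}" "$procs")"
```

A result of foreign-agent:gnome-keyring means the session points at the GNOME Keyring socket rather than ssh-agent; duplicate-ssh-agent means more than one ssh-agent is running for your user.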

Use Secret Service integration

This option is meant for GNU/Linux systems. It can replace applications like kwallet and gnome-keyring.

Secret Service saves your application profiles. It remembers authentication for desktop applications like Nextcloud. You won’t have to log in again every time you start applications.

I recommend toggling this option on if you use GNU/Linux. Disable kwallet and gnome-keyring. Use KeePassXC instead, which focuses more on security than KDE or GNOME.

  1. Go to “Tools –> Settings”.
  2. You can find Secret Service integration in the left column.
  3. Enable it.
  4. Restart KeePassXC