<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>Documentation and FAQ – KeePassXC</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="KeePassXC Password Manager"> <meta name="author" content="KeePassXC Team"> <meta name="theme-color" content="#417e29"> <link rel="canonical" href="https://keepassxc.org/docs/"> <link rel="shortcut icon" href="https://keepassxc.org/favicon.ico" type="image/x-icon"> <link rel="icon" href="https://keepassxc.org/favicon.ico" type="image/x-icon"> <link rel="apple-touch-icon-precomposed" href="https://keepassxc.org/assets/img/apple-touch-icon-precomposed.png" sizes="192x192"> <link rel="mask-icon" href="https://keepassxc.org/assets/img/safari-pinned-tab.svg" color="#45862b"> <link href="/assets/css/style.a2dfaa5616bce804b4268ea053d57baf0c3a9684f5b709106fa25adc2d434bfa.css" rel="stylesheet"> <script type="module" src="/js/copyable.83c432a23b82d5d93dc59798ba0030e3dbfa6c06c009059a50b54d9b75c65898.js"></script> <noscript> <link href="/assets/css/noscript.19d79cc98ae89212683f33b29f9bc0bd9cf83c84d92ff8e6fe16266e9456fb77.css" rel="stylesheet"> </noscript> <script src="/assets/js/uikit.min.de3778071c0013fd2b19c23a67f04013eb6425bf52f937c8e0ec9e95897762fa.js"></script> <script type="module" src="/assets/js/jquery.min.a0fe8723dcf55da64d06b25446d0a8513e52527c45afcb37073465f9c6f352af.js"></script> </head> <body> <div id="offcanvas-navigation" uk-offcanvas="flip: true; mode: reveal"> <nav class="uk-offcanvas-bar uk-padding-large" aria-label="Main"> <button class="uk-offcanvas-close" type="button" uk-close></button> <ul class="uk-nav uk-nav-primary uk-margin-large-top"> <li><a href="/download/">Download</a></li> <li><a href="/blog/">Blog</a></li> <li><a href="/screenshots/">Screenshots</a></li> <li class="uk-active"><a href="/docs/">Docs / FAQ</a></li> <li><a href="/team/">The Team</a></li> </ul> </nav> </div> <div 
uk-sticky="start: 10; animation: uk-animation-fade; sel-target: .uk-navbar-container; cls-active: uk-navbar-sticky uk-light; cls-inactive: uk-navbar-transparent"> <nav class="uk-navbar uk-navbar-container" uk-navbar aria-label="Main"> <div class="uk-navbar-left"> <a class="uk-navbar-item uk-logo" href="https://keepassxc.org/"> <img src="https://keepassxc.org/assets/img/keepassxc.svg" alt=""> <span>KeePassXC</span> </a> </div> <div class="uk-navbar-right"> <ul class="uk-navbar-nav uk-visible@l"> <li><a href="/download/">Download</a></li> <li><a href="/blog/">Blog</a></li> <li><a href="/screenshots/">Screenshots</a></li> <li class="uk-active"><a href="/docs/">Docs / FAQ</a></li> <li><a href="/team/">The Team</a></li> </ul> <button class="uk-navbar-toggle uk-hidden@l" uk-navbar-toggle-icon uk-toggle="target: #offcanvas-navigation" type="button"></button> </div> <a aria-label="View on Github" class="github-corner uk-visible@l uk-position-absolute uk-position-top-right" href="https://github.com/keepassxreboot/keepassxc"> <svg aria-hidden="true" height="50" viewbox="0 0 250 250" width="50"> <path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path> <path class="octo-arm" d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;"></path> <path class="octo-body" d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 
141.8,141.8 Z" fill="currentColor"></path> </svg> </a> </nav> </div> <main uk-height-viewport="expand: true"> <div class="uk-section"> <div class="uk-container uk-margin-medium"> <h1>Documentation and FAQ</h1> <hr class="uk-margin-medium-bottom"> <section class="uk-card uk-card-default"> <div class="uk-card-body"> <h2 class="uk-margin-top-large uk-card-title">New to KeePassXC?</h2> <ul class="uk-list uk-list-bullet uk-list-primary"> <li>Our <strong><a href="KeePassXC_GettingStarted.html" target="_blank"><i class="fa-solid fa-rocket"></i> Getting Started Guide</a></strong> will get you up and running quickly.</li> <li>Looking for more comprehensive documentation? Our <strong><a href="KeePassXC_UserGuide.html" target="_blank"><i class="fa-solid fa-book"></i> User Guide</a></strong> is there to help.</li> <li>Need help troubleshooting the browser integration? Check the <strong><a href="KeePassXC_GettingStarted.html#_setup_browser_integration" target="_blank"><i class="fa-solid fa-globe"></i> Setup Browser Integration</a></strong> section.</li> <li><strong><a href="https://github.com/keepassxreboot/keepassxc/wiki" target="_blank"><i class="fa-solid fa-gears"></i> Build instructions</a></strong> and other technical guides can be found in the GitHub Wiki.</li> <li>Looking for an audit of KeePassXC? 
Read the <a href="#faq-audit">FAQ entry</a> or <strong><a href="/assets/pdf/KeePassXC-Review-V1-Molotnikov.pdf" target="_blank"><i class="fa-solid fa-book"></i>Download the Audit Report</a></strong>.</li> </ul> <h2 id="contribute" class="uk-card-title">Looking for ways to contribute?</h2> You can contribute to the project by <a href="https://github.com/keepassxreboot/keepassxc/blob/develop/.github/CONTRIBUTING.md#bug-reports">reporting bugs</a>, <a href="https://github.com/keepassxreboot/keepassxc/blob/develop/.github/CONTRIBUTING.md#feature-requests">proposing new features</a>, <a href="https://github.com/keepassxreboot/keepassxc/blob/develop/.github/CONTRIBUTING.md#your-first-code-contribution">writing code</a>, <a href="https://github.com/keepassxreboot/keepassxc/blob/develop/.github/CONTRIBUTING.md#translations">translating</a>, and / or <a href="https://keepassxc.org/donate/">donating</a>. </div> </section> <section id="faq"> <h2 class="uk-margin-large-top">Frequently Asked Questions</h2> <h3>General</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-keepassx" href="#faq-keepassx" class="uk-accordion-title">Why KeePassXC instead of KeePassX?</a> <div class="uk-accordion-content"> <p>KeePassX is no longer developed - as announced on the KeePassX website on 2021-12-09. Our decision to fork KeePassX was made some years prior, due to a sharp decline in code frequency at the time, combined with our wish to provide you with everything you love about KeePassX plus many new <a href="/#project">features and bugfixes</a>.</p> </div> </li> <li> <a id="faq-keepass" href="#faq-keepass" class="uk-accordion-title">Why KeePassXC instead of KeePass?</a> <div class="uk-accordion-content"> <p>KeePass is a very proven and feature-rich password manager and there is nothing fundamentally wrong with it. However, it is written in C# and therefore requires Microsoft's .NET platform. 
On systems other than Windows, you can run KeePass using the Mono runtime libraries, but you won't get the native look and feel which you are used to.</p> <p>KeePassXC, on the other hand, is developed in C++ and runs natively on Linux, macOS and Windows giving you the best-possible platform integration.</p> </div> </li> <li> <a id="faq-format" class="uk-accordion-title" href="#faq-format">Which password database formats are compatible with KeePassXC?</a> <div class="uk-accordion-content"> <p>KeePassXC currently uses the KeePass 2.x (.kdbx) password database formats KDBX 3.1 and KDBX 4 as its native file formats. KDBX 2 files can be opened, but will be upgraded to a newer format. KeePass 1.x (.kdb) databases can be imported into a .kdbx file, but saving a .kdbx file as .kdb would be lossy, and saving to .kdb is not supported by KeePassXC.</p> </div> </li> <li> <a id="faq-cloudsync" class="uk-accordion-title" href="#faq-cloudsync">Why is there no cloud synchronization feature built into KeePassXC?</a> <div class="uk-accordion-content"> <p>Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your synchronization service of choice do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.</p> </div> </li> <li> <a id="faq-general-plugins" class="uk-accordion-title" href="#faq-general-plugins">Does KeePassXC support (KeePass2) plugins?</a> <div class="uk-accordion-content"> <p>No, KeePassXC does not support plugins at the moment and probably never will. KeePassXC already provides many of the features that need third-party plugins in KeePass2, so for most things you don't even need plugins, nor should you ever want them. Plugins are inherently dangerous. 
Many KeePass2 plugins are barely maintained (if at all), some have known vulnerabilities that have never been (and probably never will be) fixed, and none of them are as thoroughly tested and reviewed as we test and review code that goes into our main application. We find that encouraging users to install untested (and often quickly-abandoned) third-party plugins is inherently incompatible with the security demands of a password manager.</p> <p>If you really need external functionality not available in KeePassXC, you can look for "plugins" that use the KeePassXC-Browser API, which is a much more secure way of sharing passwords with third-party applications than loading those applications as plugins directly into KeePassXC.</p> </div> </li> <li> <a id="faq-general-wordlist" class="uk-accordion-title" href="#faq-general-wordlist">How can I add additional word lists to the passphrase generator?</a> <div class="uk-accordion-content"> <p>You can add additional word lists to the passphrase generator by copying the word list file to the <code>share/wordlists</code> folder inside your KeePassXC installation directory and then restarting KeePassXC.</p> <p>On Linux, the default install location is <code>/usr/share/keepassxc</code>, on macOS it is <code>/Applications/KeePassXC.app/Contents/Resources</code> and on Windows <code>C:\Program Files\KeePassXC</code> (or <code>C:\Program Files (x86)\KeePassXC</code> for 32-bit).</p> </div> </li> </ul> <h3>Security</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-security-kdbx4" class="uk-accordion-title" href="#faq-security-kdbx4">How can I migrate my database to KDBX 4?</a> <div class="uk-accordion-content"> <p>In the <em>Database</em> application menu, select <em>Database security...</em>. Select the <em>Encryption Settings</em> tab and choose <em>KDBX 4.0 (recommended)</em>. 
Press OK and save the database.</p> </div> </li> <li> <a id="faq-security-totp" class="uk-accordion-title" href="#faq-security-totp">KeePassXC allows me to store my TOTP secrets. Doesn't this undermine any advantage of two-factor authentication?</a> <div class="uk-accordion-content"> <p>Yes. But only if you store them in the same database as your password. We believe that storing both together can still be more secure than not using 2FA at all, but to maximize the security gain from using 2FA, you should always store TOTP secrets in a separate database, secured with a different password, possibly even on a different computer.</p> </div> </li> <li> <a id="faq-security-why-pm" class="uk-accordion-title" href="#faq-security-why-pm">Why would I use a password manager? Isn't it totally insecure to use one password for everything?</a> <div class="uk-accordion-content"> <p>Password reuse and simple, easy-to-guess passwords are the biggest problems when using online services. If one service gets compromised (either by guessing your password or by exploiting a security vulnerability in the service's infrastructure), an attacker may gain access to all of your other accounts.</p> <p>But using different passwords for all websites is difficult without a way of storing them somewhere safe. Especially with arbitrary password rules for various services, it becomes increasingly hard to use both strong and diverse passwords. KeePassXC stores your passwords for you in an encrypted database file, so you only need to remember one master password. Of course, the security of all your services depends on the strength of your master password now, but with a sufficiently strong password, the password database should be infeasible to crack.</p> <p>The database is encrypted with either the industry-standard AES256 or the Twofish block cipher and the master password is strengthened by a configurable number of key transformations to harden it against brute force attacks. 
Additionally, you can use a key file filled with an arbitrary number of random bytes or a YubiKey to further enhance your master key.</p> </div> </li> <li> <a id="faq-audit" class="uk-accordion-title" href="#faq-audit">Has KeePassXC ever had an external security audit?</a> <div class="uk-accordion-content"> <p>Yes, an audit was conducted by Zaur Molotnikov, an independent security consultant, and completed on January 19, 2023. This audit was conducted free of charge to the KeePassXC Team and the findings and writeup were reviewed for correctness. <strong><a href="/assets/pdf/KeePassXC-Review-V1-Molotnikov.pdf" target="_blank"><i class="fa-solid fa-book"></i>Download the Audit Report</a></strong>. </p> <p>Keep in mind that:</p> <ul> <li>An audit is not 100% proof that software is safe and secure. Some flaws can be overlooked even by the best auditors.</li> <li>An audit is valid only for a “snapshot” of the code. If new code is added, new vulnerabilities can be introduced.</li> <li>Audits are expensive and time consuming, you can consult with <a href="https://ostif.org/" target="_blank">OSTIF</a> or <a href="https://www.opentech.fund/" target="_blank">OTF</a> for funding additional KeePassXC audits.</li> </ul> </div> </li> <li> <a id="faq-security-network" class="uk-accordion-title" href="#faq-security-network">I see that KeePassXC requires network access. What for?</a> <div class="uk-accordion-content"> <p>KeePassXC needs network access for downloading website icons (favicons) for password entries. This feature is optional and opt-in. KeePassXC will never access any network resource without your explicit prior consent. 
If you don't use this feature, you may also compile KeePassXC without any networking code (see next question).</p> </div> </li> <li> <a id="faq-security-no-network" class="uk-accordion-title" href="#faq-security-no-network">Can I get a KeePassXC version without any networking code?</a> <div class="uk-accordion-content"> <p>Yes, you can compile KeePassXC without any networking code. Simply configure CMake with <code>-DWITH_XC_NETWORKING=OFF</code> (see <a href="https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC">Building KeePassXC</a>).</p> </div> </li> </ul> <h3>AppImage and Snap package</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-appsnap-run-appimage" class="uk-accordion-title" href="#faq-appsnap-run-appimage">How do I execute an AppImage?</a> <div class="uk-accordion-content"> <p>The AppImage is a self-contained executable archive, comparable to an Android APK or macOS DMG. To execute it, simply give the downloaded <code>*.AppImage</code> file execution permissions:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#6c6f74">1</span><span>chmod +x ./KeePassXC-*.AppImage</span></span></code></pre></div> <p>After that you can execute it either from the terminal or by double clicking it just like any other program.</p> </div> </li> <li> <a id="faq-appsnap-support" class="uk-accordion-title" href="#faq-appsnap-support">What systems can I use the AppImage or Snap package on?</a> <div class="uk-accordion-content"> <p>The AppImage should run out of the box on almost any moderately modern Linux distribution. The Snap is supported on all systems, which have <code>snapd</code> installed. This is primarily Ubuntu, but also Debian, Fedora, OpenSUSE, Arch Linux and many more. 
For a full list and more information visit <a href="https://snapcraft.io/">snapcraft.io</a>. Note that not all systems that can run Snaps also support confinement via AppArmor.</p> </div> </li> <li> <a id="faq-appsnap-appimage-cli" class="uk-accordion-title" href="#faq-appsnap-appimage-cli">How do I use the KeePassXC CLI tool with the AppImage?</a> <div class="uk-accordion-content"> <p>Starting with version 2.2.2, you can run the KeePassXC CLI tool from the AppImage by executing it with the <code>cli</code> argument:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#6c6f74">1</span><span>./KeePassXC-*.AppImage cli</span></span></code></pre></div> </div> </li> <li> <a id="faq-appsnap-theme" class="uk-accordion-title" href="#faq-appsnap-theme">Why doesn't my theme work?</a> <div class="uk-accordion-content"> <p>Since Snaps and AppImages are self-contained and mostly isolated from your system, they cannot know what theme you are currently running. This is a known issue with both Snaps and AppImages.</p> </div> </li> <li> <a id="faq-appsnap-yubikey" class="uk-accordion-title" href="#faq-appsnap-yubikey">How do I get my YubiKey to work with the Snap?</a> <div class="uk-accordion-content"> <p>Due to a Snap's isolation and security settings, you must manually enable the <code>raw-usb</code> interface in order to use your YubiKey. 
Issue the following command from a terminal to enable this interface:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#6c6f74">1</span><span>sudo snap connect <span style="color:#a3be8c">"keepassxc:raw-usb"</span> <span style="color:#a3be8c">"core:raw-usb"</span></span></span></code></pre></div> </div> </li> <li> <a id="faq-appsnap-homedir" class="uk-accordion-title" href="#faq-appsnap-homedir">Why can't I see anything outside my home directory?</a> <div class="uk-accordion-content"> <p>Due to Snap's isolation and security settings, you cannot access any files outside your home directory. Furthermore, you cannot access any hidden files within your home directory. The only exception is mounted USB drives, but you must type in <code>/media/</code> into the file open dialog to see them.</p> <p>If you still cannot access the <code>/media/</code> directory then you may need to enable this permission in the Ubuntu store. Open the Ubuntu store, choose the KeePassXC app, and click permissions.</p> <figure uk-lightbox> <a href="https://keepassxc.org/assets/img/docs/snap_permissions.png"><img src="https://keepassxc.org/assets/img/docs/snap_permissions.png" style="height: 360px"></a> <figcaption>Snap Permission Settings</figcaption> </figure> </div> </li> </ul> <h3>Key Files</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-keyfile-howto" class="uk-accordion-title" href="#faq-keyfile-howto">What is a key file and how can I get one?</a> <div class="uk-accordion-content"> <p>A key file is a file containing random bytes that can be added to your master key for additional security. 
Think of it as a really complicated and long password that is read from a file, so you don't have to remember or type it into your master password field. You can basically use any file you want as a key file, but <strong>it is of <em>utmost</em> importance that a) the file never changes and b) it actually contains unpredictable data.</strong> If the file changes, it is as if you forgot your password and you will lose access to your database.</p> <p>On the other hand, if the data is not random enough, then it's a really bad password. So, for instance, a static and never-changing holiday picture is okay, your personal notes file is not. Generally, we recommend you let KeePassXC generate a dedicated key file for you. Go to <em>Database -> Database Settings -> Security</em>. There you click on <em>Add Key File</em> and then on <em>Generate</em>. Select the location where to save the key file, make sure the path to the new file is inserted into the Key File field, and save your database. Don't forget to keep a backup of the key file in a safe place!</p> </div> </li> <li> <a id="faq-keyfile-security" class="uk-accordion-title" href="#faq-keyfile-security">How secure is a key file and how can I sync it to other devices?</a> <div class="uk-accordion-content"> <p>A key file is only as secure as you keep it. It is basically a password that you've written down. As a general rule, you should never use a key file without an actual password, because it is harder to keep your key file secret than a memorized password that only you know. However, a key file can be very strong additional protection if kept separately from the database file, such as on an external thumb drive. 
If you sync your database via a cloud provider (Dropbox, Google Drive, Nextcloud, …), you should only sync the KDBX file and distribute the key file to your computers by different means, such as said thumb drive.</p> <p>But whatever you do, <strong>keep a backup in a safe location!</strong> If you lose your key file, you lose your database. Keep in mind that USB thumb drives are notoriously unreliable, break easily, or get lost. If you can afford it, we recommend you use a hardware token such as a YubiKey or OnlyKey instead of a key file (see next section). Such a key adds an even greater amount of security, but with fewer potential pitfalls.</p> </div> </li> </ul> <h3>YubiKey / OnlyKey</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-yubikey-2fa" class="uk-accordion-title" href="#faq-yubikey-2fa">Does KeePassXC support two-factor authentication (2FA) with YubiKeys or OnlyKeys?</a> <div class="uk-accordion-content"> <p>Yes and no. No, because technically speaking, KeePassXC is not a service and therefore does not use "authentication". Instead, you are "decrypting" your database, which is different from "authentication". Nonetheless, you can improve the security of your database by use of a YubiKey in a slightly different way. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database.</p> <p>So in a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since this is not an authentication scheme and also because the expected response doesn't change every time you try to decrypt your database. It does, however, change every time you save your database. 
Be aware, however, that the previous version of your database can still be decrypted with the old challenge/response (but no other version prior to that and no future version either).</p> </div> </li> <li> <a id="faq-yubikey-howto" class="uk-accordion-title" href="#faq-yubikey-howto">How do I configure my YubiKey / OnlyKey for use with KeePassXC?</a> <div class="uk-accordion-content"> <p>To use a YubiKey for securing your KeePassXC database, you have to configure one of your slots for HMAC-SHA1 Challenge-Response mode <strong>(see <a href="https://www.youtube.com/watch?v=vYUVzWDgmVc" target="_blank">this video</a>)</strong>. Instructions on how to use your OnlyKey are found <a href="https://docs.onlykey.io/usersguide.html#using-onlykey-with-a-software-password-manager" target="_blank">here</a>. Once your hardware key is set up, open your database in KeePassXC, go to <em>Database -> Database Security</em>, click on <em>Add additional protection</em>, then <em>Add Challenge Response</em>. Once your key/slot is recognized, press OK and then save your database. <br/><br/> <strong>Important:</strong> Always make a copy of the secret that is programmed into your hardware key while you configure it and store it in a secure physical location. If you lose or brick the key, you will permanently lose access to your database! <br/><br/> For more information on Challenge Response, please see <a href="https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html" target="_blank">Yubico's website</a>. </p> </div> </li> <li> <a id="faq-yubikey-no-extra-file" class="uk-accordion-title" href="#faq-yubikey-no-extra-file">When I use KeeChallenge with KeePass2, it creates an extra file. Why do I have no such file when using KeePassXC?</a> <div class="uk-accordion-content"> <p>Our implementation differs from how KeeChallenge handles YubiKeys. KeeChallenge uses the HMAC secret directly to enhance the database. 
To make this work, they need to store the secret in a side-car file, encrypted with the response of a challenge-response pair that is calculated ahead of time. In KeePassXC, we do not require any knowledge of the HMAC secret. We use the database's master seed (a random byte string that is part of your database) as challenge and then use the response to encrypt the database. That way we do not need an extra file and also gain the advantage that the required response changes every time you save the database, which resembles actual two-factor authentication more closely.</p> </div> </li> <li> <a id="faq-yubikey-incompatible" class="uk-accordion-title" href="#faq-yubikey-incompatible">When I secure my database in KeePass2 with a YubiKey, I can't open it in KeePassXC (or vice versa), why?</a> <div class="uk-accordion-content"> <p>Due to the fact that our YubiKey implementation differs from KeeChallenge's, they are inherently incompatible (see question above). If you need compatibility between KeePass2 and KeePassXC, you cannot use YubiKeys at the moment.</p> </div> </li> <li> <a id="faq-yubikey-why-hmac-sha1" class="uk-accordion-title" href="#faq-yubikey-why-hmac-sha1">Why only HMAC-SHA1? Why not FIDO-U2F or TOTP?</a> <div class="uk-accordion-content"> <p>Both FIDO-U2F and TOTP require a dynamic component (i.e., a counter or timestamp) for successful authentication. This is perfect for authenticating at an online service, but doesn't work for an offline database which needs to be encrypted with a fixed key. HMAC-SHA1, on the other hand, can be computed ahead of time as it only needs a fixed secret and no dynamic component of any kind.</p> </div> </li> <li> <a id="faq-yubikey-otp" class="uk-accordion-title" href="#faq-yubikey-otp">But the feature list says KeePassXC supports TOTP. I am confused.</a> <div class="uk-accordion-content"> <p>We do support generation of timed one-time passwords (TOTP), but do not (and cannot) support it for securing your KeePassXC database. 
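</p> <p>The answers above describe using the database's master seed as an HMAC-SHA1 challenge and explain why TOTP cannot play that role. The Python sketch below is an added example, not KeePassXC's own code, that models both and shows that a recorded response only fits the database version whose seed produced it. <code>SimulatedToken</code>, <code>derive_key</code>, <code>key_check</code> and the dict-based database header are assumptions made for illustration; the real KDBX key derivation is more involved.</p>

```python
import hashlib
import hmac
import os

RFC_TEST_SECRET = b"12345678901234567890"  # published RFC 4226/6238 test secret


class SimulatedToken:
    """Stand-in for a hardware key slot in HMAC-SHA1 challenge-response mode.

    Hypothetical helper: the secret stays inside this object, just as it
    stays inside the real token.
    """

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_key(password: str, response: bytes) -> bytes:
    # Simplified composite key (assumption): the real derivation also runs
    # the configured key transformations over the password.
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw_hash + response).digest()


def key_check(key: bytes) -> bytes:
    # Stands in for "the ciphertext decrypts correctly" in this toy model.
    return hmac.new(key, b"demo-database-body", hashlib.sha256).digest()


def save_database(password: str, token: SimulatedToken) -> dict:
    # Every save draws a fresh master seed. It is stored in the clear and
    # sent to the token as the challenge, so no HMAC secret is needed here.
    master_seed = os.urandom(32)
    key = derive_key(password, token.respond(master_seed))
    return {"master_seed": master_seed, "key_check": key_check(key)}


def open_with_response(db: dict, password: str, response: bytes) -> bool:
    return hmac.compare_digest(db["key_check"], key_check(derive_key(password, response)))


def open_database(db: dict, password: str, token: SimulatedToken) -> bool:
    return open_with_response(db, password, token.respond(db["master_seed"]))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 with HMAC-SHA1: the moving factor is the current time step,
    # so the output cannot serve as a fixed decryption key.
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] % 16
    code = int.from_bytes(mac[offset:offset + 4], "big") % 2**31
    return str(code % 10**digits).zfill(digits)


def demo() -> dict:
    password = "correct horse"           # constructed sample password
    secret = os.urandom(20)              # constructed sample HMAC secret
    token = SimulatedToken(secret)
    backup = SimulatedToken(secret)      # second key programmed with the same secret
    stranger = SimulatedToken(os.urandom(20))

    first = save_database(password, token)
    second = save_database(password, token)
    captured = token.respond(first["master_seed"])  # response recorded for version 1

    return {
        "response_changes_on_save": captured != token.respond(second["master_seed"]),
        "captured_response_opens_first": open_with_response(first, password, captured),
        "captured_response_opens_second": open_with_response(second, password, captured),
        "backup_token_opens": open_database(second, password, backup),
        "wrong_token_opens": open_database(second, password, stranger),
        "totp_differs_30s_later": totp(RFC_TEST_SECRET, 59) != totp(RFC_TEST_SECRET, 89),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

<p>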
KeePassXC allows you to store TOTP secrets for online services inside a database and generates the corresponding timed one-time passwords for you. For TOTP, see also the question <a href="#faq-security-totp">KeePassXC allows me to store my TOTP secrets. Doesn't this undermine any advantage of two-factor authentication?</a></p> </div> </li> <li> <a id="faq-yubikey-broken-yubikey" class="uk-accordion-title" href="#faq-yubikey-broken-yubikey">What happens if I break my YubiKey? Can I create backup keys?</a> <div class="uk-accordion-content"> <p>You should always make a copy of the HMAC secret that is stored on the YubiKey and keep it in a secure location. This can be an analog paper copy, but since the YubiKey personalization tool allows you to program a custom secret into the key, you may as well program a second key with the same secret.</p> </div> </li> <li> <a id="faq-yubikey-multiple-yubikeys" class="uk-accordion-title" href="#faq-yubikey-multiple-yubikeys">Can I register multiple YubiKeys with my KeePassXC database?</a> <div class="uk-accordion-content"> <p>You can only use a single secret for encrypting the database. So you can use multiple YubiKeys, but they all have to be programmed with the same secret (see question above).</p> </div> </li> </ul> <h3>Browser integration</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-browser" class="uk-accordion-title" href="#faq-browser">Does KeePassXC support browser extensions?</a> <div class="uk-accordion-content"> <p>Yes. KeePassXC supports the extension KeePassXC-Browser. You can download it for <a href="https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/">Mozilla Firefox</a> and <a href="https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk">Google Chrome / Chromium / Vivaldi</a>. 
Firefox ESR (52.x) is supported, but the following features are disabled because of WebExtension API limitations:</p> <ul> <li>Showing context menus on password fields (<code>menus.ContextType</code>)</li> <li>HTTP Auth support (<code>webRequest.onAuthRequired</code>)</li> </ul> </div> </li> <li> <a id="faq-browser-howto" class="uk-accordion-title" href="#faq-browser-howto">How do I connect browser extensions with KeePassXC?</a> <div class="uk-accordion-content"> <p>You can enable Browser Integration (KeePassXC-Browser) from the application settings. See the page <a href="https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_configure_keepassxc_browser">How to connect KeePassXC-Browser with KeePassXC</a> for more detailed information on the new Browser Integration. For troubleshooting, see the following <a href="https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide">wiki page</a>.</p> </div> </li> <li> <a id="faq-browser-string-fields" class="uk-accordion-title" href="#faq-browser-string-fields">How do I fill in additional values on a webpage?</a> <div class="uk-accordion-content"> <p>It is possible to fill additional information beyond username, password, and TOTP by defining String Fields on a page.</p> <ol class="uk-list uk-list-decimal"> <li>From the extension popup menu, click "Choose custom login fields". You can skip the Username, Password, and TOTP fields if not needed.</li> <li>On Step 4 (Confirm Selection), choose the additional string fields you need to fill. Note that they are numbered sequentially.</li> <li>After choosing the String Fields, go to your KeePassXC client and create advanced attributes with a prefix of 'KPH: ' in the order you chose them above. 
NOTE: The space after the colon is required.</li> <li>If you wish, you may add a short name after the prefix to help you remember its purpose.</li> </ol> <p>An example using the page <code>https://meine.deutsche-bank.de/trxm/db/init.do</code>:</p> <ol class="uk-list uk-list-decimal"> <li>Choose custom login fields for this page and select Branch, Account and Sub-account as String Fields when you reach step 4.</li> <li> Go to your entry and add the following advanced attributes (the order is critical): <ol class="uk-list uk-list-decimal uk-margin-small-top"> <li>KPH: Branch</li> <li>KPH: Account</li> <li>KPH: Sub-account</li> </ol> </li> <li>Test the filling of the string fields by refreshing the page and using the extension.</li> </ol> </div> </li> </ul> <h3>SSH Agent integration</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-ssh-agent-how" class="uk-accordion-title" href="#faq-ssh-agent-how">How does the SSH Agent integration work?</a> <div class="uk-accordion-content"> <p>The SSH Agent integration is supported on all target platforms (Linux, macOS and Windows) and it acts as a client for an existing agent. It can automatically add SSH keys from your KeePassXC database to a running SSH agent when unlocked and remove them when locked.</p> <ul class="uk-list uk-list-bullet"> <li>On Linux, most desktops are already running an agent without any set up required.</li> <li>On macOS, <code>ssh-agent</code> is running by default and no further setup is required.</li> <li>On Windows, you have multiple options: <ul class="uk-list uk-list-circle"> <li>One is to have <i>Pageant</i> running. It is part of the <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html">PuTTY suite</a>.</li> <li>An alternative is to use e.g. 
<a href="https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse">Win32 OpenSSH</a>, which may come preinstalled with your Windows 10 version.</li> <li>The MSYS2 ssh-agent socket offered by Git for Windows's bundled OpenSSH is <a href="https://github.com/keepassxreboot/keepassxc/issues/4681" target="_blank"><strong>not supported</strong></a>.</li> </ul> </li> </ul> </div> </li> <li> <a id="faq-ssh-agent-keys" class="uk-accordion-title" href="#faq-ssh-agent-keys">What SSH key types are supported?</a> <div class="uk-accordion-content"> <p>Most SSHv2 key types are supported (DSA, RSA and Ed25519), including encrypted keys. ECDSA keys are only supported with the new OpenSSH file format. 3DES-encrypted keys are not supported, and we highly recommend upgrading them for external storage or storing them decrypted inside the database.</p> <ul class="uk-list uk-list-bullet"> <li>SSHv1 keys are <strong>not</strong> supported.</li> <li>PuTTY format key files (.ppk) are <strong>not</strong> supported. You can use <em>PuTTY Key Generator (puttygen.exe)</em> to convert your keys to OpenSSH format.</li> <li>RFC4716 format key files are <strong>not</strong> supported.</li> </ul> </div> </li> <li> <a id="faq-ssh-agent-not-working" class="uk-accordion-title" href="#faq-ssh-agent-not-working">Why are the agent buttons greyed out / why doesn't it work?</a> <div class="uk-accordion-content"> <p>On Linux or macOS, you need to have <code>ssh-agent</code> running and the <code>SSH_AUTH_SOCK</code> environment variable available for KeePassXC at launch.</p> <p>The <a href="https://wiki.archlinux.org/index.php/SSH_keys#SSH_agents">Arch Linux wiki</a> has a generic guide on how to manually run <code>ssh-agent</code> if it's not already set up. 
Sometimes other applications like <em>GNOME Keyring</em> or <code>gpg-agent</code> already provide a compatible agent that also works with KeePassXC.</p> <p>On Windows, either Pageant needs to be running, see <a href="#faq-ssh-agent-how">How does the SSH Agent integration work?</a> or, alternatively, you need to enable and start the Windows <code>OpenSSH Authentication Agent</code> (commonly referred to as <code>ssh-agent</code>). This process is documented in <a href="https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#user-key-generation">Microsoft's documentation for user keys</a>.</p> <p>The MSYS2 ssh-agent socket offered by Git for Windows's bundled OpenSSH is <a href="https://github.com/keepassxreboot/keepassxc/issues/4681" target="_blank">not supported</a>.</p> </div> </li> <li> <a id="faq-ssh-agent-passphrase" class="uk-accordion-title" href="#faq-ssh-agent-passphrase">How do I set up a passphrase for encrypted keys?</a> <div class="uk-accordion-content"> <p>The SSH Agent integration uses the entry password field as the decryption key.</p> </div> </li> <li> <a id="faq-ssh-agent-comment" class="uk-accordion-title" href="#faq-ssh-agent-comment">Why does the public key (seem to) have no comment?</a> <div class="uk-accordion-content"> <p>When using normal DSA or RSA keys, the private key file does not contain any embedded text. In that case, the entry username field is used as the public key comment. It is also sent to the agent when adding a key and is visible in the agent when listing keys.</p> <p>If you are using Ed25519 keys or have converted your old key to the new OpenSSH file format, the comment is embedded in the key file which is then used by KeePassXC. 
You can use <code>ssh-keygen</code> to modify the comment.</p> </div> </li> <li> <a id="faq-ssh-agent-keeagent" class="uk-accordion-title" href="#faq-ssh-agent-keeagent">I'm already using KeeAgent, is KeePassXC compatible with it?</a> <div class="uk-accordion-content"> <p>Yes, mostly. KeeAgent supports more key types and provides a custom agent, but otherwise you can use the same database with KeeAgent and KeePassXC.</p> </div> </li> <li> <a id="faq-ssh-agent-pageant" class="uk-accordion-title" href="#faq-ssh-agent-pageant">Why is Pageant refusing my keys?</a> <div class="uk-accordion-content"> <p>Pageant does not support confirm-on-use or automatic removal of keys after a timeout. There doesn't seem to be any alternative to Pageant for Windows that supports both of them.</p> </div> </li> <li> <a id="faq-ssh-agent-openssh" class="uk-accordion-title" href="#faq-ssh-agent-openssh">Why is OpenSSH ssh-agent refusing my keys?</a> <div class="uk-accordion-content"> <p>You may experience an <q>Agent protocol error</q> if you are using the confirm-on-use option for your keys (e.g. set via the environment variable <code>SSH_ASKPASS_REQUIRE</code>). 
In that case <code>ssh-agent</code> needs to have a <code>ssh-askpass</code> program available.</p> <ul class="uk-list uk-list-bullet"> <li>On Linux, how to install and configure one depends on your distribution and desktop environment, as there are several available.</li> <li>On macOS, you need a third party program like <a href="https://github.com/theseal/ssh-askpass">theseal/ssh-askpass</a>.</li> <li>On Windows, the default Windows OpenSSH installation does not support confirm-on-use or automatic removal of keys after a timeout.</li> </ul> </div> </li> <li> <a id="faq-ssh-agent-errors" class="uk-accordion-title" href="#faq-ssh-agent-errors">I'm getting protocol or connection errors, what's wrong?</a> <div class="uk-accordion-content"> <p>If you are using <em>GNOME Keyring</em>, it is known to be buggy, and its SSH Agent implementation is fairly incomplete, prior to release <strong>3.27.92</strong>. You are encouraged to use OpenSSH <code>ssh-agent</code> if you are stuck with an older version.</p> <p>Known limitations of older versions include no support for Ed25519 keys, no support for confirm-on-use and incorrect implementation of the agent protocol causing protocol errors.</p> </div> </li> <li> <a id="faq-ssh-agent-auth-errors" class="uk-accordion-title" href="#faq-ssh-agent-auth-errors">I'm getting a "Too many authentication failures" error, what shall I do?</a> <div class="uk-accordion-content"> <p>SSH will try all available identity files in sequence when connecting to a server. If you export many SSH keys at a time, you'll very likely experience a <em>"Received disconnect from {port}: Too many authentication failures"</em> error. To solve this issue, you'll have to tell SSH which identity file to use. 
Either use the <code>-i</code> command line option or the <code>IdentityFile</code> directive in your OpenSSH config file (<code>~/.ssh/config</code>) to pass the path to the respective private key file.</p> <p>If you use the <code>IdentityFile</code> directive, you likely want to use the <code>IdentitiesOnly</code> directive, too. The <a href="https://wiki.archlinux.org/index.php/SSH_keys#Managing_multiple_keys"> Arch Linux wiki</a> has a generic guide on how to manage multiple keys.</p> <p>If you prefer storing your private key inside your database using an attachment, you can still do so. Instead of letting the <code>IdentityFile</code> directive point to a private key file, let it point to your public key file. The SSH Agent will use the provided information to select the correct private key.</p> </div> </li> <li> <a id="faq-ssh-agent-git-bash" class="uk-accordion-title" href="#faq-ssh-agent-git-bash">How do I use KeePassXC SSH Agent integration with Git (Bash) on Windows?</a> <div class="uk-accordion-content"> <p>KeePassXC on Windows can be used with <a href="KeePassXC_UserGuide.html#_openssh_agent_and_pageant_on_windows" target="_blank">Pageant</a> or with Windows OpenSSH.<br> Git for Windows supports both options since version <a href="https://github.com/git-for-windows/git/releases/tag/v2.33.0.windows.1" target="_blank">2.33.0</a>.</p> <p>You will be prompted during installation of Git for Windows to pick the option you prefer – depending on your Windows version and whether PuTTY is installed.</p> <p>The MSYS2 ssh-agent socket offered by Git for Windows's bundled OpenSSH is <a href="https://github.com/keepassxreboot/keepassxc/issues/4681" target="_blank"><strong>not supported</strong></a>.</p> <p>If you did not choose Windows OpenSSH during Git installation you can still do the following to make Git (Bash) use Windows OpenSSH: Prepend the path to Windows OpenSSH to the <code>PATH</code> variable inside the Git Bash, e.g. 
<code>export PATH="/c/Windows/System32/OpenSSH:$HOME/bin:$PATH"</code> or use the <code>GIT_SSH_COMMAND</code> environment variable (<code>core.sshCommand</code> in the Git configuration file) to override the path to the SSH binary specifically for Git.</p> </div> </li> </ul> <h3>Platform-specific</h3> <ul uk-accordion="multiple: true"> <li> <a id="faq-autotype" class="uk-accordion-title" href="#faq-autotype">Is Auto-Type supported on macOS, Windows and Linux?</a> <div class="uk-accordion-content"> <p>Yes, Auto-Type works on all three supported platforms, although on Linux it only works in an X11 session, not Wayland.</p> </div> </li> <li> <a id="faq-platform-mobile" class="uk-accordion-title" href="#faq-platform-mobile">Does KeePassXC work on mobile phones? If not, which app would you recommend?</a> <div class="uk-accordion-content"> <p>We don't have our own mobile app, but you can have the same functionality on both Android and iOS!</p> <ul class="uk-list uk-list-bullet"> <li> For Android, we recommend <a href="https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free">KeePassDX</a> and <a href="https://play.google.com/store/apps/details?id=keepass2android.keepass2android">KeePass2Android</a>. </li> <li> And for iOS, we suggest <a href="https://itunes.apple.com/us/app/strongbox-password-safe/id897283731">Strongbox</a> and <a href="https://apps.apple.com/us/app/keepassium-keepass-passwords/id1435127111">KeePassium</a>. </li> </ul> <p>For KeePassXC, porting it properly to mobile platforms would require a full rewrite. You may be able to compile KeePassXC for the mobile OS of your choice, but it isn't at all optimized for mobile screen sizes and form factors, let alone multi-touch input. 
We also don't see any advantage in providing a mobile version of KeePassXC when there are already excellent options.</p> </div> </li> <li> <a id="faq-ubuntushortcuts" class="uk-accordion-title" href="#faq-ubuntushortcuts">Why do the tray menu and in-app shortcuts not work on Ubuntu/Unity?</a> <div class="uk-accordion-content"> <p>This is a bug caused by <code>appmenu-qt5</code>. You have 3 options:</p> <ul class="uk-list uk-list-bullet"> <li>Remove the <code>appmenu-qt5</code> package <li>Set the environment variable <code>UBUNTU_MENUPROXY=''</code> <li>Set the environment variable <code>QT_QPA_PLATFORMTHEME=''</code> </ul> <p><strong>Note:</strong> When you choose the first or third option, KeePassXC will lose the Unity look and feel.</p> </div> </li> <li> <a id="faq-ubuntushortcuts" class="uk-accordion-title" href="#faq-msvc-runtime-missing">I am getting "System Error: VCRUNTIME140_1.dll was not found" when starting KeePassXC. Why?</a> <div class="uk-accordion-content"> <p>This error indicates that you are missing the MSVC runtime library (Microsoft Visual C++ Redistributable). You can <a href="https://aka.ms/vs/17/release/vc_redist.x64.exe">download the latest version from Microsoft</a>. A download link can also be found on our <a href="https://keepassxc.org/download/#windows">downloads page</a>. 
 </div> </li> </ul> </section> <script type="module"> $(() => { if (location.hash) { $(':target').each((i, e) => { if (e.id === location.hash.substring(1)) { UIkit.accordion(e.parentNode.parentNode).toggle(e.parentNode, true); } }); } }); </script> </div> </div> </main> <footer class="uk-section uk-light global-footer uk-text-small" role="contentinfo"> <div class="uk-container"> <div class="uk-grid" uk-grid> <div class="uk-width-expand"> <div class="uk-margin-large-bottom"> <img src="https://keepassxc.org/assets/img/keepassxc.svg" class="footer-logo uk-text-middle" alt=""> <strong><a href="https://keepassxc.org/">KeePassXC</a> Password Manager</strong> </div> <div class="copyright uk-margin-small-bottom"> <div class="uk-margin-small-bottom uk-text-muted">KeePassXC is released under the GPLv3.</div> <div class="uk-text-muted">© 2016 – 2024 KeePassXC Team</div> </div> </div> </div> </div> </footer> </body> </html>
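Added example for the "Too many authentication failures" answer above (not part of the KeePassXC documentation): a POSIX shell script that reads `ssh-add -L` output, saves the public key with a given comment to a `.pub` file, and prints an OpenSSH config stanza that points `IdentityFile` at that file and sets `IdentitiesOnly`, as that answer describes. The function names, host name, file names and key lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not KeePassXC code. Function names, host and key lines are
# constructed; the base64 blobs are placeholders, not usable keys.

# Constructed sample of `ssh-add -L` output: "<type> <blob> <comment>".
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERpersonal personal@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERwork deploy key (work)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERlegacy legacy@oldbox'

# Print the first key line on stdin whose comment equals $1. The comment is
# everything after the blob, so comments containing spaces match exactly.
select_pubkey() {
    WANT="$1" awk '{
        comment = $0
        sub(/^[^ ]+ +[^ ]+ */, "", comment)
        if (comment == ENVIRON["WANT"]) { print; found = 1; exit }
    } END { exit !found }'
}

# Read an agent key list on stdin, save the key with comment $2 as
# $3/$4.pub, and print a config stanza pinning host $1 to that one key.
pin_agent_key() {
    host=$1 comment=$2 dir=$3 name=$4
    line=$(select_pubkey "$comment") || {
        echo "no agent key with comment '$comment'" >&2
        return 1
    }
    pubfile="$dir/$name.pub"
    printf '%s\n' "$line" > "$pubfile"
    # IdentityFile names the public key; the agent holds the private half.
    # IdentitiesOnly stops ssh from offering every other key in the agent.
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$host" "$pubfile"
}

# Demo on the constructed sample. With a running agent, use instead:
#   ssh-add -L | pin_agent_key git.example.com 'deploy key (work)' ~/.ssh work
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEYS" |
    pin_agent_key git.example.com 'deploy key (work)' "$demo_dir" work
rm -rf "$demo_dir"
```

Matching on the comment works with KeePassXC because, as the FAQ notes, the comment is either embedded in the key file or taken from the entry's username field and sent to the agent.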