Password Manager Lab
Home Posts Topics
Matcher Tools Glossary Resources About
Defensive / Tools network
AnonGuide Privacy Ranker Secure Mail Guide
Isometric KeePassXC vault file on desktop with local storage sync and hardware key connection
reviews

KeePassXC review 2026: the best local-only password manager

KeePassXC reviewed: fully local KDBX vault, cross-platform desktop app, browser integration, no cloud, and where it struggles compared to cloud managers.

By PML Editorial · · 8 min read

KeePassXC is the right answer for a specific user: someone who wants a password manager with zero cloud dependency, fully auditable open-source code, and no subscription. It’s not the right answer for someone who wants a seamless cross-device experience.

What KeePassXC is

KeePassXC is a community-maintained rewrite of KeePass (original Windows app) in C++ using Qt, supporting Windows, macOS, and Linux. It reads and writes the KDBX 4.0 format, an open vault format.

Your vault is a local file. KeePassXC never connects to the internet (by choice — it has no network functionality at all). Sync across devices, if you want it, is your responsibility: Syncthing, rsync, a cloud drive.

Encryption

KDBX 4.0 uses:

  • ChaCha20 or AES-256 for vault encryption
  • Argon2d for key derivation (configurable iterations, memory, threads)
  • Key file as an optional second factor (a file you must have to open the vault)

The Argon2d parameters are user-configurable. Default settings are strong; power users can raise memory usage for additional offline brute-force resistance.

The format specification is public. Multiple independent applications read KDBX files. You are not locked into KeePassXC.

Browser integration

KeePassXC provides browser extensions for Chrome, Firefox, and Edge via the KeePassXC-Browser extension. The extension communicates with the KeePassXC desktop app over a local socket — no network connection, no server intermediary.

Auto-fill works well on standard forms. It’s less reliable than 1Password on complex pages, roughly similar to Bitwarden.

Caveat: the browser integration requires the KeePassXC app to be running and unlocked. If you close or lock the app, the browser extension stops working. This is a workflow difference from cloud managers where the extension can fetch credentials independently.

Mobile

KeePassXC does not have an official mobile app. Recommended third-party options:

  • Strongbox (iOS) — excellent KeePass/KDBX reader, paid with free tier
  • KeePassium (iOS) — also good, slightly different UI
  • KeePassDX (Android) — widely used, free, open source
  • AuthPass (cross-platform) — Flutter-based, works on Android/iOS/Desktop

For mobile sync: point your mobile app at the same vault file stored in iCloud Drive, Google Drive, or Syncthing. It works, but it requires setup.

Strengths

  • Zero cloud — your vault is on your hardware. No company can lose it, have it breached, or go out of business taking it with them.
  • Open source (GPL) — fully auditable. The code has been reviewed externally.
  • No subscription — free forever.
  • Key file 2FA — require a key file plus the master password to open the vault.
  • KDBX is a standard — multiple apps read it. You’re never locked into KeePassXC.
  • SSH agent integration — KeePassXC can serve as an SSH agent, unlocking SSH keys when you unlock the vault.
  • TOTP storage — store your TOTP secrets alongside your passwords in the same vault.

Weaknesses

  • No native mobile app — requires a third-party app and a sync strategy
  • Sync is your problem — cloud managers handle device sync automatically. You manage it.
  • Desktop app must be open for browser integration — different workflow than cloud managers
  • Less polished UI — functional, not modern
  • No emergency access / family recovery — if you die or lose your vault, there’s no recovery mechanism built in

Who KeePassXC is for

  • Self-hosters and privacy maximalists who won’t store credentials in any third-party system
  • Security professionals who need offline credential management
  • Linux users who want the best-supported cross-platform manager on their OS
  • Users with SSH workflows who want vault + SSH agent integration

Who should use something else

If you want sync that just works across phone and desktop with no setup: use Bitwarden or 1Password.

If you want local-first with cloud fallback: Bitwarden has a self-hostable server option (Vaultwarden) that you fully control.

Bottom line

KeePassXC is excellent at what it does. It’s the gold standard for local-only vault management. Its limitations are structural, not implementation bugs — the “offline by design” choice is the reason for the sync and mobile friction. Know that going in and it’s a great tool.

See also

#review #keepassxc #local #open-source

Related

Isometric Dashlane vault with dark web monitoring alerts and bundled VPN interface
reviews

Dashlane Review 2026: Polished, Paid-Only, No More Free Tier

A full Dashlane review for 2026: the discontinued free plan, Premium and Friends & Family pricing, dark web monitoring, VPN, passkeys, and who it's
Isometric NordPass vault with xChaCha20 encryption badge and email masking feature
reviews

NordPass Review 2026: xChaCha20 Encryption, Cheap Premium, One-Device Free Tier

A full NordPass review for 2026: xChaCha20 encryption, the Cure53 audit, the single-device free plan, Premium and Family pricing, passkeys, Data Breach
Isometric 1Password vault interface with Secret Key certificate and polished auto-fill menu
reviews

1Password Review 2026: Best-in-Class Auto-Fill, Subscription Cost

A full 1Password review: Secret Key architecture, Watchtower, Travel Mode, family and team plans, and why it has no free tier.

Comments