KeePassXC review 2026: the best local-only password manager
KeePassXC reviewed: fully local KDBX vault, cross-platform desktop app, browser integration, no cloud, and where it struggles compared to cloud managers.
KeePassXC is the right answer for a specific user: someone who wants a password manager with zero cloud dependency, fully auditable open-source code, and no subscription. It’s not the right answer for someone who wants a seamless cross-device experience.
What KeePassXC is
KeePassXC is a community-maintained rewrite of KeePass (original Windows app) in C++ using Qt, supporting Windows, macOS, and Linux. It reads and writes the KDBX 4.0 format, an open vault format.
Your vault is a local file. KeePassXC never connects to the internet (by choice — it has no network functionality at all). Sync across devices, if you want it, is your responsibility: Syncthing, rsync, a cloud drive.
Encryption
KDBX 4.0 uses:
- ChaCha20 or AES-256 for vault encryption
- Argon2d for key derivation (configurable iterations, memory, threads)
- Key file as an optional second factor (a file you must have to open the vault)
The Argon2d parameters are user-configurable. Default settings are strong; power users can raise memory usage for additional offline brute-force resistance.
The format specification is public. Multiple independent applications read KDBX files. You are not locked into KeePassXC.
Browser integration
KeePassXC provides browser extensions for Chrome, Firefox, and Edge via the KeePassXC-Browser extension. The extension communicates with the KeePassXC desktop app over a local socket — no network connection, no server intermediary.
Auto-fill works well on standard forms. It’s less reliable than 1Password on complex pages, roughly similar to Bitwarden.
Caveat: the browser integration requires the KeePassXC app to be running and unlocked. If you close or lock the app, the browser extension stops working. This is a workflow difference from cloud managers where the extension can fetch credentials independently.
Mobile
KeePassXC does not have an official mobile app. Recommended third-party options:
- Strongbox (iOS) — excellent KeePass/KDBX reader, paid with free tier
- KeePassium (iOS) — also good, slightly different UI
- KeePassDX (Android) — widely used, free, open source
- AuthPass (cross-platform) — Flutter-based, works on Android/iOS/Desktop
For mobile sync: point your mobile app at the same vault file stored in iCloud Drive, Google Drive, or Syncthing. It works, but it requires setup.
Strengths
- Zero cloud — your vault is on your hardware. No company can lose it, have it breached, or go out of business taking it with them.
- Open source (GPL) — fully auditable. The code has been reviewed externally.
- No subscription — free forever.
- Key file 2FA — require a key file plus the master password to open the vault.
- KDBX is a standard — multiple apps read it. You’re never locked into KeePassXC.
- SSH agent integration — KeePassXC can serve as an SSH agent, unlocking SSH keys when you unlock the vault.
- TOTP storage — store your TOTP secrets alongside your passwords in the same vault.
Weaknesses
- No native mobile app — requires a third-party app and a sync strategy
- Sync is your problem — cloud managers handle device sync automatically. You manage it.
- Desktop app must be open for browser integration — different workflow than cloud managers
- Less polished UI — functional, not modern
- No emergency access / family recovery — if you die or lose your vault, there’s no recovery mechanism built in
Who KeePassXC is for
- Self-hosters and privacy maximalists who won’t store credentials in any third-party system
- Security professionals who need offline credential management
- Linux users who want the best-supported cross-platform manager on their OS
- Users with SSH workflows who want vault + SSH agent integration
Who should use something else
If you want sync that just works across phone and desktop with no setup: use Bitwarden or 1Password.
If you want local-first with cloud fallback: Bitwarden has a self-hostable server option (Vaultwarden) that you fully control.
Bottom line
KeePassXC is excellent at what it does. It’s the gold standard for local-only vault management. Its limitations are structural, not implementation bugs — the “offline by design” choice is the reason for the sync and mobile friction. Know that going in and it’s a great tool.
Related
1Password review 2026: best-in-class auto-fill, subscription-only pricing
A full 1Password review: Secret Key architecture, Watchtower, Travel Mode, family and team plans, and why it has no free tier.
Bitwarden review 2026: the best free password manager, with caveats
A full Bitwarden review covering its zero-knowledge encryption, open-source codebase, free vs. premium tiers, and where it falls short.
Bitwarden setup guide: from zero to secure vault in 30 minutes
A complete Bitwarden setup walkthrough for new users: account creation, browser extension, mobile app, master password, and importing existing passwords.