
KeePassXC

Local-only password manager. No cloud, no server, no account required.

Strong
https://keepassxc.org
Reviewed 2026-04-02. Editorial assessment by Mike Schneider — based on public security research and audits.

What should journalists know about KeePassXC?

KeePassXC fills the gap 1Password doesn't — a password manager with zero cloud dependency. Your database is a single file you control completely. For journalists whose threat model includes compromised cloud services or government compulsion of cloud providers, KeePassXC is the right choice. The French national cybersecurity agency (ANSSI) awarded it a CSPN security visa in November 2025, and an independent audit in 2023 found no major problems in its cryptographic implementation. The KDBX4 format's Argon2id key derivation is memory-hard, which makes GPU-based brute-force attacks orders of magnitude more expensive. YubiKey challenge-response adds hardware-backed authentication without any network call. Passkey/WebAuthn support landed in 2.7.7 and is improving. It is less convenient than 1Password for cross-device sync, but the attack surface is fundamentally smaller — there is no server to breach.

Best for

Journalists who cannot use cloud-hosted password managers due to threat model or policy. Storing credentials that must never touch a server. Air-gapped environments. High-risk reporting where hardware key authentication is required.

Not for

Users who need seamless cross-device sync (requires manual file management or third-party cloud storage). Teams who need shared vaults (use 1Password Teams or Bitwarden). Beginners who want zero configuration (1Password is more user-friendly).

Security & Privacy

Encryption in transit Yes

There are no servers to send data to. The only data KeePassXC transmits is to its browser extension, over encrypted native messaging on the local machine.

Encryption at rest Yes

The database file is encrypted on disk (KDBX4 with AES-256 or ChaCha20).

Data jurisdiction Local only. Your password database is a file on your device. No servers, no jurisdictional risk. You decide where the file lives — local disk, USB drive, air-gapped machine.

Where servers are located affects which governments can request your data; KeePassXC has none.

Security rating Strong

Privacy policy summary

No network connectivity by default. No telemetry, no accounts, no servers. The application is entirely local. Update checks can be disabled. There is nothing to subpoena because there is no service provider.

How to protect yourself

Use a strong master passphrase (20+ characters) plus a key file for two-factor database access. Add YubiKey challenge-response (HMAC-SHA1) for hardware-backed authentication — program a backup key with the same secret in case your primary key is lost. Store database backups in a separate encrypted location. Use the built-in TOTP generator to consolidate 2FA codes, keeping in mind that the TOTP seeds then live in the same file as the passwords, so the database itself becomes the single point of protection. Enable KeePassXC-Browser for autofill — it communicates over encrypted native messaging (libsodium), not the network. Set Argon2id parameters high enough that unlocking takes 1-2 seconds on your hardware.

Open source (GPLv3), fully local, no cloud dependency. KDBX4 format with AES-256-CBC + HMAC-SHA256 or ChaCha20 encryption. Argon2id key derivation (memory-hard, GPU-resistant). ANSSI CSPN security visa (November 2025, valid through 2028). Independent audit (2023) found no major cryptographic issues. YubiKey challenge-response support. No attack surface from cloud infrastructure. The trade-off is convenience — you manage your own sync, backups, and key recovery.
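The cipher and KDF settings described above are stored unencrypted in the KDBX4 outer header, so a database's Argon2id cost (memory, iterations, parallelism) can be audited without unlocking it. The following is an added example, not KeePassXC code, written from the public KDBX4 layout (header fields as 1-byte id plus 32-bit length TLVs; KDF parameters as a VariantDictionary) and the KeePass UUID constants for ciphers and KDFs; the header it parses is constructed inline rather than read from a real vault.

```python
"""Inspect a KDBX4 outer header: cipher, KDF and Argon2 cost (added example, not KeePassXC code)."""
import struct, uuid

SIG = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5"  # KDBX signature bytes 1 and 2
ARGON2ID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6")
KDFS = {ARGON2ID: "Argon2id", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
        uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF"}
AES256 = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
CIPHERS = {AES256: "AES-256-CBC", uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20"}
VD_FMT = {0x04: "<I", 0x05: "<Q", 0x08: "<?", 0x0C: "<i", 0x0D: "<q"}  # VariantDictionary scalar types

def parse_variant_dict(buf):
    """KDBX4 VariantDictionary: u16 version, then (type, i32 len, name, i32 len, value)*, 0x00."""
    if struct.unpack_from("<H", buf)[0] >> 8 != 0x01:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype, nlen = buf[pos], struct.unpack_from("<i", buf, pos + 1)[0]
        name, pos = buf[pos + 5:pos + 5 + nlen].decode(), pos + 5 + nlen
        vlen = struct.unpack_from("<i", buf, pos)[0]
        raw, pos = buf[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        out[name] = (struct.unpack(VD_FMT[vtype], raw)[0] if vtype in VD_FMT
                     else raw.decode() if vtype == 0x18 else bytes(raw))  # 0x18 string, 0x42 byte array
    return out

def inspect_kdbx4_header(data):
    """Walk the outer header TLVs (1-byte id, u32 length) and summarise cipher and KDF."""
    if data[:8] != SIG or struct.unpack_from("<H", data, 10)[0] != 4:
        raise ValueError("not a KDBX4 file")
    pos, fields = 12, {}
    while True:
        fid, flen = struct.unpack_from("<BI", data, pos)
        fields[fid], pos = data[pos + 5:pos + 5 + flen], pos + 5 + flen
        if fid == 0:  # EndOfHeader
            break
    kdf = parse_variant_dict(fields[11])  # field 11 = KdfParameters
    info = {"cipher": CIPHERS.get(uuid.UUID(bytes=fields[2]), "unknown"),
            "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")}
    if info["kdf"].startswith("Argon2"):  # M is in bytes, I is iterations, P is lanes
        info.update(memory_mib=kdf["M"] >> 20, iterations=kdf["I"], parallelism=kdf["P"])
    return info

def build_sample_header(memory_mib, iterations, parallelism):
    """Constructed KDBX4 header (AES-256 + Argon2id) for the demonstration; not a real vault."""
    ent = lambda t, n, v: bytes([t]) + struct.pack("<i", len(n)) + n.encode() + struct.pack("<i", len(v)) + v
    kdf = (struct.pack("<H", 0x0100) + ent(0x42, "$UUID", ARGON2ID.bytes) + ent(0x42, "S", b"\x11" * 32)
           + ent(0x04, "P", struct.pack("<I", parallelism)) + ent(0x05, "M", struct.pack("<Q", memory_mib << 20))
           + ent(0x05, "I", struct.pack("<Q", iterations)) + ent(0x04, "V", struct.pack("<I", 0x13)) + b"\x00")
    tlv = lambda fid, v: struct.pack("<BI", fid, len(v)) + v
    return (SIG + struct.pack("<HH", 0, 4) + tlv(2, AES256.bytes) + tlv(3, struct.pack("<I", 1))
            + tlv(4, b"\x22" * 32) + tlv(7, b"\x33" * 16) + tlv(11, kdf) + tlv(0, b"\r\n\r\n"))
```

To check a real database, pass the leading bytes of the .kdbx file to inspect_kdbx4_header; the outer header is unencrypted and ends at the EndOfHeader field.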

Who Owns This

Owner KeePassXC Team (open-source community project, fork of KeePassX, which forked from KeePass)
Funding Donations (Open Collective, GitHub Sponsors). ANSSI certification was government-sponsored.
Business model None. Community open-source project with no commercial entity behind it.

Known issues

CVE-2023-32784 (master password recovery from memory dump) affected KeePass 2.x only — KeePassXC is not affected, as it uses a different codebase (C++/Qt, not .NET). Passkey/WebAuthn support (since 2.7.7) is still maturing — disabled by default in the browser extension, and some WebAuthn features like resident keys and PIN/biometric verification are not yet fully implemented. Cross-device sync requires manual file management or third-party cloud storage (Dropbox, Syncthing, etc.), with no built-in conflict resolution. YubiKey implementation is incompatible with KeePass 2's KeeChallenge plugin. The 2023 independent audit was conducted pro bono by a single consultant — not a funded firm-level engagement like Cure53 audits of 1Password or Bitwarden.

Pricing

Free. Open source (GPLv3).

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
