# KeePassXC

> Local-only password manager. No cloud, no server, no account required.

**Source:** https://fieldwork.news/tools/keepassxc
**Official site:** https://keepassxc.org
**Category:** security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** Open source (GPLv3), fully local, no cloud dependency. KDBX4 format with AES-256-CBC + HMAC-SHA256 or ChaCha20 encryption. Argon2id key derivation (memory-hard, GPU-resistant). ANSSI CSPN security visa (November 2025, valid through 2028). Independent audit (2023) found no major cryptographic issues. YubiKey challenge-response support. No attack surface from cloud infrastructure. The trade-off is convenience — you manage your own sync, backups, and key recovery.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Threat level:** sensitive-reporting

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists who cannot use cloud-hosted password managers due to their threat model or organizational policy. Reporters in environments where cloud providers can be compelled to hand over data.

## Editorial take

KeePassXC fills the gap 1Password doesn't — a password manager with zero cloud dependency. Your database is a file you control completely. For journalists whose threat model includes compromised cloud services or government compulsion of cloud providers, KeePassXC is the right choice. The French national cybersecurity agency (ANSSI) awarded it a CSPN security visa in November 2025, and an independent audit in 2023 found no major problems in its cryptographic implementation. KDBX4 format with Argon2id key derivation is memory-hard, meaning GPU-based brute-force attacks are orders of magnitude more expensive. YubiKey challenge-response adds hardware-backed authentication without any network call. Passkey/WebAuthn support landed in 2.7.7 and is improving. Less convenient than 1Password for cross-device sync, but the attack surface is fundamentally smaller — there is no server to breach.

## Best for / not for

**Best for:** Journalists who cannot use cloud-hosted password managers due to threat model or policy. Storing credentials that must never touch a server. Air-gapped environments. High-risk reporting where hardware key authentication is required.

**Not for:** Users who need seamless cross-device sync (requires manual file management or third-party cloud storage). Teams who need shared vaults (use 1Password Teams or Bitwarden). Beginners who want zero configuration (1Password is more user-friendly).

## Pricing

- **Pricing:** Free. Open source (GPLv3).
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Local only. Your password database is a file on your device. No servers, no jurisdictional risk. You decide where the file lives — local disk, USB drive, air-gapped machine.

**Privacy policy TL;DR:** No network connectivity by default. No telemetry, no accounts, no servers. The application is entirely local. Update checks can be disabled. There is nothing to subpoena because there is no service provider.

**Practical mitigations (operational guidance, not optional):**

- Use a strong master passphrase (20+ characters) plus a key file, so that opening the database requires two factors.
- Add YubiKey challenge-response (HMAC-SHA1) for hardware-backed authentication, and program a backup key with the same secret in case your primary key is lost.
- Store database backups in a separate encrypted location.
- Use the built-in TOTP generator to consolidate 2FA codes.
- Enable KeePassXC-Browser for autofill; it communicates with the extension over encrypted native messaging (libsodium), not over the network.
- Set Argon2id parameters high enough that unlocking takes 1-2 seconds on your hardware.
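The two pieces of guidance above that are easiest to get wrong in practice are combining the passphrase with a key file (so both factors feed the key) and tuning the key-derivation cost to a target unlock time. The script below is an added illustration written for this page; it is not KeePassXC's code and does not reproduce the real KDBX4 key schedule. It models the composite-key idea (each factor hashed separately, then the concatenation hashed again) and a calibration loop that doubles the KDF cost until derivation takes at least the target time. Because the Python standard library has no Argon2, the loop uses PBKDF2-HMAC-SHA256 as a stand-in purely to show the calibration pattern; the same loop applies to Argon2id's iteration and memory parameters. All names, the sample passphrase and the generated key-file bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# --- Two-factor database key: passphrase + key file ---------------------------
# Simplified model of the KDBX composite-key idea: each unlock factor is hashed
# on its own, then the concatenation is hashed again. Teaching model only,
# not KeePassXC's implementation.

def make_key_file() -> bytes:
    """Return 32 random bytes to stand in for a key file (constructed here)."""
    return secrets.token_bytes(32)

def composite_key(passphrase: str, key_file: Optional[bytes] = None) -> bytes:
    """Combine the passphrase and, if present, the key file into one key."""
    parts = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()

# --- Calibrating key-derivation cost to a target unlock time -------------------
# Stand-in KDF: PBKDF2-HMAC-SHA256 (stdlib). With argon2-cffi installed you
# would replace derive() with an Argon2id call and tune time/memory cost instead.

def derive(composite: bytes, salt: bytes, cost: int) -> bytes:
    """Stretch the composite key with `cost` iterations (stand-in for Argon2id)."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, cost, dklen=32)

def calibrate(composite: bytes, salt: bytes, target_seconds: float,
              start_cost: int = 1000) -> Tuple[int, float]:
    """Double the KDF cost until one derivation takes at least target_seconds.

    Returns (cost, measured_seconds). Run this on the slowest machine that
    must open the database, since the cost is fixed at database-creation time.
    """
    cost = start_cost
    while True:
        t0 = time.perf_counter()
        derive(composite, salt, cost)
        elapsed = time.perf_counter() - t0
        if elapsed >= target_seconds:
            return cost, elapsed
        cost *= 2

def unlock(passphrase: str, key_file: Optional[bytes], salt: bytes,
           cost: int, expected_key: bytes) -> bool:
    """Re-derive the key from the supplied factors and compare in constant time."""
    candidate = derive(composite_key(passphrase, key_file), salt, cost)
    return hmac.compare_digest(candidate, expected_key)

if __name__ == "__main__":
    # Constructed sample: a passphrase plus a freshly generated key file.
    passphrase = "correct horse battery staple extended"  # constructed example
    key_file = make_key_file()
    salt = secrets.token_bytes(16)

    # Tune cost so that a single derivation takes roughly 1 second here.
    cost, measured = calibrate(composite_key(passphrase, key_file), salt, 1.0)
    print(f"calibrated cost={cost} ({measured:.2f}s per unlock)")

    stored = derive(composite_key(passphrase, key_file), salt, cost)
    print("passphrase + key file:", unlock(passphrase, key_file, salt, cost, stored))
    print("passphrase only:      ", unlock(passphrase, None, salt, cost, stored))
```

The "passphrase only" check returns False: without the key file the composite key is different, which is the property that makes the key file a genuine second factor rather than a convenience. Keep the key file off the same disk as the database backup, otherwise a single copied directory yields both factors.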

## Ownership & business

- **Owner:** KeePassXC Team (open-source community project, fork of KeePassX, which forked from KeePass)
- **Funding model:** Donations (Open Collective, GitHub Sponsors). ANSSI certification was government-sponsored.
- **Business model:** None. Community open-source project with no commercial entity behind it.
- **Open source:** yes

**Known issues:**

- CVE-2023-32784 (master password recovery from a memory dump) affected KeePass 2.x only. KeePassXC is not affected, as it uses a different codebase (C++/Qt, not .NET).
- Passkey/WebAuthn support (since 2.7.7) is still maturing: it is disabled by default in the browser extension, and some WebAuthn features such as resident keys and PIN/biometric verification are not yet fully implemented.
- Cross-device sync requires manual file management or third-party cloud storage (Dropbox, Syncthing, etc.), with no built-in conflict resolution.
- The YubiKey implementation is incompatible with KeePass 2's KeeChallenge plugin.
- The 2023 independent audit was conducted pro bono by a single consultant, not a funded firm-level engagement like the Cure53 audits of 1Password or Bitwarden.

---
Canonical HTML: https://fieldwork.news/tools/keepassxc
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology