KeePassXC review — offline password manager without cloud
Who is this for? Anyone who wants no cloud-based password manager and prefers to handle synchronisation themselves. For most users, [Bitwarden](/en/reviews/bitwarden-review/) is the simpler choice.
KeePassXC review
Who is this for? Anyone who wants no cloud-based password manager and prefers to handle synchronisation themselves. For most users, Bitwarden is the simpler choice.
KeePassXC is an open-source password manager that stores an encrypted database file locally. No cloud, no account, no synchronisation service. You manage everything — and that is exactly why part of the privacy community prefers this over Bitwarden.
How KeePassXC differs from Bitwarden
Bitwarden synchronises your vault to the Bitwarden cloud (or your own server). KeePassXC doesn’t. The database file (.kdbx) sits on your device. You decide where it lives, how it’s synchronised and who has access to it.
Advantage: No dependency on an external service. Even if KeePassXC stops existing tomorrow, your database still works — any compatible KeePass programme can open the file.
Disadvantage: Synchronisation across multiple devices must be arranged yourself — via Syncthing, an encrypted cloud folder, or a USB drive.
Specifications
| Property | Value |
|---|---|
| Platform | Windows, macOS, Linux |
| Database format | KDBX 3.1 / 4 (.kdbx) |
| Encryption | AES-256, ChaCha20 or Twofish |
| Open-source | Yes (GPL-3.0) |
| Cloud sync | No — local file |
| Browser extension | Yes (KeePassXC-Browser for Firefox, Chrome, Edge, Brave, Chromium, Vivaldi and Tor Browser) |
| YubiKey / hardware key | Yes — challenge-response with YubiKey or OnlyKey |
| Biometric | Yes on Windows and macOS (Windows Hello, Touch ID, Apple Watch Quick Unlock) |
| Mobile | No official app — use KeePassDX or KeePass2Android (Android), Strongbox or KeePassium (iOS) |
| Price | Free |
Database security
KeePassXC encrypts the database with AES-256 or ChaCha20. Access requires a combination of:
- Master password — required
- Key file — optional extra file stored separately (on USB drive)
- Hardware key (YubiKey/OnlyKey) — optional, as extra challenge-response protection
The combination of master password, key file and optional challenge-response through a hardware key makes offline attacks much harder. Important detail: this is not classic online 2FA, but additional protection for the database key itself.
Synchronisation across devices
KeePassXC doesn’t synchronise automatically. Options for using the database across multiple devices:
Syncthing: Peer-to-peer synchronisation without cloud. The database is synchronised encrypted between your devices. Most privacy-friendly option.
Encrypted cloud folder (Proton Drive, Cryptomator + Dropbox): Store the .kdbx in an encrypted cloud folder. KeePassXC opens it locally — the cloud only sees an encrypted file.
USB drive: Copy the database manually. Simple, no automation, suitable for minimal use.
Browser extension
KeePassXC-Browser connects the extension to the desktop app via a local socket. The extension recognises login fields and fills in automatically — comparable to Bitwarden’s extension. Works on Firefox, Chrome, Edge, Brave, Chromium, Vivaldi and Tor Browser.
Requirement: KeePassXC desktop must be running for the extension to work. No browser-only use like Bitwarden.
Mobile use
KeePassXC itself has no mobile app. The official FAQ points to these compatible alternatives:
- Android: KeePassDX or KeePass2Android — both open
.kdbxfiles and work well with local storage or your own sync setup - iOS: Strongbox or KeePassium — both support KeePass databases; Strongbox has a free base version with paid Pro features. If you want a first-party mobile app without extra setup, consider Bitwarden.
KeePassXC vs Bitwarden
| KeePassXC | Bitwarden | |
|---|---|---|
| Cloud dependency | No | Optional (cloud or self-hosted) |
| Automatic sync | No — arrange yourself | Yes |
| Open-source | Fully | Fully |
| Mobile app | Via third parties | Own app |
| Hardware key | Yes (YubiKey/OnlyKey challenge-response) | Yes (hardware keys for account protection, premium) |
| Difficulty | Higher | Lower |
| Price | Free | Free + premium subscription available |
Choose KeePassXC if:
- You don’t want data in a cloud, even encrypted
- You want complete control over the database file
- You already have a synchronisation solution (Syncthing, NAS)
- You want to use a YubiKey as a database key
Choose Bitwarden if:
- You want easy synchronisation across multiple devices
- You want a mobile app without extra configuration
- You prioritise ease of use
Caveats
Control comes with operational burden: KeePassXC is excellent when you actually want to own the file, the sync method, and the backup process. If you do not want to think about those things, the same control becomes friction rather than an advantage.
Mobile is still an ecosystem workaround: The database format is portable, but the experience is not as unified as with Bitwarden. That matters if you expect a seamless first-party app stack across laptop and phone.
A bad DIY sync setup can be worse than a good hosted service: KeePassXC is not automatically safer just because it is local-first. If you handle backups or synchronisation badly, you can end up with more failure modes and less reliability than a well-run cloud option.
Pros and cons
Pros
- No cloud dependency — the .kdbx file lives entirely on your device and works even if KeePassXC stops existing
- Supports master password + key file + optional hardware-key challenge-response, which makes offline attacks much harder
- Fully open-source (GPL-3.0) and free
- Browser extension works with Firefox, Chrome, Brave, and Edge via local socket
- KeePassXC format is an open standard — any compatible KeePass programme can open the file
Cons
- No official mobile app — requires a separate KeePass app such as KeePassDX, KeePass2Android, Strongbox or KeePassium
- Synchronisation across devices must be arranged manually via Syncthing, encrypted cloud, or USB
- Desktop app must be running for the browser extension to work — no browser-only access
- Higher learning curve than Bitwarden for new users
Conclusion
KeePassXC is the most privacy-friendly password manager for users willing to manage a bit more themselves. No cloud, fully open-source, excellent hardware key integration. The price for that control is that you need to arrange synchronisation and mobile access yourself.
Beginners choose Bitwarden. Advanced users who prefer control over convenience choose KeePassXC.
See also:
- Bitwarden review — the cloud-based open-source choice
- YubiKey vs Nitrokey review — hardware keys as second factor for KeePassXC
- Two-factor authentication guide — 2FA alongside your password manager