From ArchWiki
Jump to navigation Jump to search

KeePass is an encrypted password database format. It is an alternative to online password managers and is supported on all major platforms.

There are two versions of the format: KeePass 1.x (Classic) and KeePass 2.x


There are three major implementations of KeePass, which are all available in the official repositories:

  • KeePass — A cross-platform password manager that has autotype and clipboard support when respectively xdotool and xsel are installed. It lets you import many formats and has many plugins. || keepass
  • KeePassX — Started as a Linux port of KeePass. keepassx2 uses the KeePass 2.x format, but can import 1.x databases. It also lets you import PwManager and KWallet XML databases. It does not support plugins. [1]. || keepassx keepassx2
  • KeePassXC — Fork of KeePassX that aims to incorporate stalled pull requests, that are not being incorporated into KeePassX. || keepassxc

Other lesser-known alternatives can be found in the AUR:

  • keepassc — A curses-based password manager compatible to KeePass v.1.x and KeePassX. It uses xsel for clipboard functions. || keepasscAUR
  • kpcli — A command line interface for KeePass database files *.kdb or *.kdbx. || kpcliAUR
  • keepmenu — Dmenu/Rofi frontend for Keepass database files. || python-keepmenu-gitAUR
  • keeweb — A web app (online / Electron) compatible with KeePass 2.x. KeeWeb is the only version with default Sync support for major cloud services, Gdrive, Onedrive, Dropbox etc... || keeweb-desktopAUR nextcloud-app-keewebAUR


Many plugins and extensions are available for integrating KeePass to other software.

Plugin Installation

Tip: Starting from KeePassXC version 2.3, an official plugin is available that supports Chrome, Chromium, Firefox and Vivaldi - which replaces KeePassHTTP.
Note: KeePassX does not support plugins on its master branch. An alternative is to use global autotype feature.

KeePass is by default, installed at /usr/share/keepass/. Copy plugin.plgx to a plugins sub-directory under the KeePass installation directory as demonstrated below:

# mkdir /usr/share/keepass/plugins
# cp plugin.plgx /usr/share/keepass/plugins
Warning: Upstream strongly advises to disable KeePassHTTP because of security issues. For more information see, pfn/keepasshttp/issues and keepassxreboot/keepassxc/issues. To mitigate the impact of the KeePassHTTP flaw, KeePassXC has issued a hotfix as of version 2.1.1. Some users consider the improvement good enough (1, 2) for practical purposes, as long as the system is not compromised. However, as there is still some risk involved, KeePassHTTP support is no longer enabled by default in KeePassXC.


Firefox extension that links the browser to existing or new KeePass database. KeeFox needs to be setup before it is fully functional.
Extension allowing Firefox to form-fill passwords stored in KeePass.
Modifies window title to assist autotype feature.
Official browser plugin for the KeePassXC password manager (Firefox version).


Extension allowing Google Chrome and Chromium to form-fill passwords stored in KeePass.
Modifies window title to assist autotype feature. Similar to KeePass Helper for Firefox in function.
Official browser plugin for the KeePassXC password manager (Chrome/Chromium version).


Open Keepass stores inside Nextcloud


YubiKey can be integrated with KeePass thanks to contributors of KeePass plugins.

  1. StaticPassword
    Configure one of Yubikey slots to store static password. You can make the password as strong as 65 characters (64 characters with leading `!`). This password can then be used as master password for your KeePass database.
  2. one-time passwords (OATH-HOTP)
    1. Download plugin from KeePass website:
    2. Use yubikey-personalization-gui-gitAUR to setup OATH-HOTP
    3. In advanced mode untick `OATH Token Identifier`
    4. In KeePass additional option will show up under `Key file / provider` called `One-Time Passwords (OATH HOTP)
    5. Copy secret, key length (6 or 8), and counter (in Yubikey personalization GUI this parameter is called `Moving Factor Seed`)
    6. You may need to setup `Look-ahead count` option to something greater than 0, please see thread for more information
    7. See video for more help
  3. Challenge-Response (HMAC-SHA1)
    1. Get the plugin from AUR: keepass-plugin-keechallengeAUR
    2. In KeePass additional option will show up under `Key file / provider` called `Yubikey challenge-response`
    3. Plugin assumes slot 2 is used

KeepassXC provides built-in support for Yubikey Challenge-Response without plugins.

Tips and tricks

Disable your clipboard manager

If you are an avid user of clipboard managers, you can may need to disable your clipboard manager before you launch keepass and then re-start your clipboard manager afterward.

See Also