🩺 Vitals
- 🟢 Last active: 2026-07-11
- 📦 Latest release: 2.7.12 (2026-03-10)
- 🐞 Open issues: 893
- 🌟 Stars: 28k
What do these metrics mean?
- Last active: when code was last pushed, as of our last check. The dot is green when that was recent, grey otherwise. A long gap can mean a tool is finished and stable, not only unmaintained.
- Latest release: the most recent tagged, packaged version the maintainers published. Not every healthy project tags releases.
- Open issues: unresolved reports and requests. A high number is normal for a popular project and is not a warning on its own.
- Stars: how many people bookmarked the project on its forge. A rough popularity signal, not a measure of quality.
🏗️ Profile
- Official: keepassxc.org
- Source: github.com/keepassxreboot/keepassxc
- License: GPL-2.0 or GPL-3.0
- Deployment: Desktop | Extension
- Data Model: Local encrypted file (KDBX 4 / AES-256 or ChaCha20 / Argon2)
- Jurisdiction: Global Community 🌐 (No Legal Entity)
- Compliance (SaaS): N/A (No Vendor Cloud)
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: Low (1/5) - Desktop Install
- Maintenance: Low (2/5) - Package Manager Updates
- Enterprise Ready: Low (1/5) - No Central Admin, SSO or Audit Log
1. The Executive Summary
What is it? KeePassXC is a desktop password vault that stores credentials in a single encrypted file on disk. There is no server component, no vendor account, and no synchronisation service. It is the maintained reboot of the abandoned KeePassX, itself a port of the Windows application KeePass, and it is the reference implementation of the KDBX format on Linux and macOS. It ships importers for Bitwarden, 1Password, Proton Pass, KeePass 1.x and CSV, which makes it the standard landing zone when an organisation exits a commercial vault.
The Strategic Verdict:
- 🔴 For Team Credential Management: Caution. There is no central administration, no directory sync, and no audit log. When someone leaves, you cannot revoke their access; you can only rotate every secret they saw. Use Bitwarden for the shared org vault.
- 🟢 For Break-Glass and Air-Gapped Secrets: Strong Buy. Root accounts, domain admin, certificate authority keys and HSM PINs are precisely the credentials that should never reach a sync service. A file that never touches a network cannot be exfiltrated from a vendor's cloud.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | 1Password (SaaS) | KeePassXC (Desktop) |
|---|---|---|
| License Fee | ~$8/user/mo | $0 (no paid tier exists) |
| Infrastructure | $0 (vendor cloud) | $0 (existing endpoints) |
| Offboarding | Automated central revoke | Manual rotation of every shared secret |
The third row is the one that matters. KeePassXC has no license cost and no hosting cost, and it loses the comparison anyway the moment more than one person shares a vault. Price the rotation labour before you price the subscription.
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: Native packages for Windows, macOS and Linux. No server to stand up. Browser integration runs over native messaging to the local process rather than through a cloud relay.
- Scalability: It does not scale as a team system, by design. Sharing a vault means putting the KDBX file on storage you already run, and that storage becomes your availability and backup problem. Database merge reconciles conflict copies by entry UUID and timestamp, which handles cloud-sync collisions but is not a substitute for real multi-user state.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & The Absent Entity: There is no company, no foundation, and no vendor cloud behind KeePassXC. Jurisdictional data access risk is structurally eliminated because there is no third party holding your vault and nothing to serve a warrant on. The same fact cuts the other way in procurement: there is no counterparty to sign a DPA, no support SLA to buy, and no entity obliged to notify you of a breach. Vendor risk is not reduced here, it is transferred to you.
- The Compliance Shift: The absence of an audit log is not a missing feature, it is a control you must build elsewhere. KeePassXC produces no evidence that an auditor can read: no access review artefacts for SOC 2, no records supporting ISO 27001 access control, no proof of timely offboarding. Scope it to a small custodian group where a manual, documented rotation procedure is credible. Deploy it fleet-wide and you have created an inventory of corporate secrets that you cannot enumerate, revoke, or attest to.
- License & The Mobile Client Trap: The GPL-2 or GPL-3 disjunction is a non-issue for internal use; copyleft only bites on redistribution of modified binaries, which no ordinary deployment does. The real trap is platform coverage. KeePassXC is desktop only, and the project ships no mobile app. Users who want their vault on a phone will reach for a third-party KDBX client that the KeePassXC team does not audit, control, or vouch for. Your credentials end up inside software that never appeared in your procurement review.
4. Market Landscape
🏢 Proprietary Incumbents
- 1Password: Mandatory vendor cloud. Convenience and central administration in exchange for your vault living on infrastructure you do not run.
🤝 Open Source Ecosystem
- Bitwarden: The counterpart, not the competitor. Bitwarden runs the shared organisational vault with the central administration KeePassXC deliberately lacks; KeePassXC holds the credentials that should never sync anywhere.