DEV Community

Cover image for The best password manager on Linux?
Rob OLeary
Rob OLeary

Posted on • Edited on • Originally published at roboleary.net

The best password manager on Linux?

KeePass was my first choice password manager, but as time went by, I noticed that it has some persistent issues. Its time to look for a replacement!

Issues with KeePass

Firstly, it is worth mentioning that KeePass does a lot of things well. It is free and open-source. You can store all your passwords in a secure database, which is locked with a master key. So, you only have to remember the master key to unlock the database. It has integrations with browsers, and a decent feature set. However, it has some issues that set me off on a path to explore alternatives.

KeePass is written in C# (.NET framework). It officially supports macOS and Linux operating systems through the use of Mono, which is an open source implementation of Microsoft's .NET Framework. Therefore, it has the native look-and-feel of a Windows program. This can be a bit weird on Linux and MacOS, but not that big deal!

You can install KeePass on Ubuntu using the keepass2 package. And this works, but maybe not as you may expect.

A plugin is required for communicating with the browser extensions to perform functions such as autofilling fields. You have to download the plugin yourself and drop it into a particular folder wherever you installed it to. Then, you need to install the accompanying browser extension for them to interact in kind of a client-server way.

The plugin I used was not maintained by the core project. It was recommended (as much as I can remember) to use the KeePassHttp-Connector for Firefox at the time, which was developed independently by Andy Brandt (kudos to him). This project has now been archived and is no longer maintained.

It is a concern to have this functionality outside of the remit of the core project. Relying on plugins for browser integration in this manner is not a good setup in my opinion.

I had issues keeping the plugin up-to-date with the accompanying extension. Occasionally, it would just stop working if the extension required a particular version of the plugin. Then, I would need to update the plugin myself,ensuring that they are compatible.

A personal peev was not being able to use common keyboard shortcuts such as Ctrl + C to copy text of the fields from the app. When this plugin-extension version issue occured, I had to: open KeePass, track down the entry, and copy the password field manually. Having to select the text with the mouse and then right-click to copy the text via a context menu was an extra nuisance.

What are the alternatives?

There are some projects that are forks of KeePass, namely KeePassX and KeePassXC.

KeePassX has discontinued development. I would skip it.

KeePassXC is actively developed and looks promising. Let's look into it further, for sure!

If a KeePass relative is not quite your speed, you can consider Spectre. It takes a drastically different approach to KeePass, it is a "password app that contains no passwords"! Whaat?

Spectre uses a password cipher algorithm to hash and store your credentials for websites as a single value, if I am understanding it correctly. I don't fully get how it works end-to-end. It does not appear to have an import feature if you have an existing database/dataset of passwords, which is a deal-breaker for me.

If you want something simple that follows the Unix philosophy. You can try pass. Your passwords live inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

One downside to this approach is that you have to backup the password files and the gpg key (could be done by using paperkey).

There are some compatible clients that you can use with pass. It appears that a plugin is required for browser integration, and that chrome and firefox are the supported browsers.

For example, to get set-up for Firefox, you must install:

zx2c4 pass repository
This extension requires zx2c4 pass to be installed and set up with a password repository. Make sure you can execute pass show some-password-name in a terminal before continuing.

Host application
For the extension to communicate with your system's pass script, you need to install what's called the host application from the official GitHub repository. The host application allows the extension to communicate with pass on your system.

PassFF extension
Install the current release of PassFF for your browser:

Firefox

This looks like the plugin-extension combination, which I am trying to get away from!

If you prefer to use an online service, you can try LastPass (Freemium proprietary), 1Password (Paid proprietary), or Bitwarden (Freemium open source). I don't want someone to host my passwords, however airtight everything is. No deal for me.

If you want to run your own secure password server, you can do this with Bitwarden, or vaultwarden (an unofficial Bitwarden compatible server written in Rust). You could run one of this on raspberry pi and use it in your home network, and expose it externally if you wish. This is a bit too heavy-duty for my needs.

Fast forwarding, I tried and liked KeePassXC. So, I did not dig deeper. Read on if you want to find out more about KeePassXC.

If you want to explore more alternatives, look through this list on AlternativeTo.net.

Tell me more about KeePassXC

KeePassXC is an open source project written in C++. It is compiled to platform-specific exectuables, so it has the native look-and-feel of the OS it is running on.

KeePassXC uses the KeePass 2.x (.kdbx) password database format as the native format. So, you should be able to switch to it from KeePass without any issue.

KeePassXC has a similar feature set to KeePass. The important one for me is that browser integration is a core feature.

The core features are:

  • Create, open, and save databases in the KDBX format (KeePass compatible to KDBX4 and KDBX3)
  • Store sensitive information in entries that are organized by groups
  • Search for entries
  • Password generator
  • Auto-Type passwords into applications
  • Browser integration with Google Chrome, Mozilla Firefox, Microsoft Edge, Chromium, Vivaldi, Brave, and Tor-Browser
  • Entry icon download
  • Import databases from CSV, 1Password, and KeePass1 formats

There are more advanced features too that you can review.

The tech collective PrivacyTools has included KeePassXC in their list of recommended password manager software because of its active development.

It ticks all of the boxes for me.

Let's get it set up and see how it goes!

Installing and configuring KeePassXC on Ubuntu

KeePassXC is available as a package in many Linux package managers.

I will install it for Ubuntu using the official PPA:



sudo add-apt-repository ppa:phoerious/keepassxc
sudo apt update
sudo apt install keepassxc


Enter fullscreen mode Exit fullscreen mode

The latest version at the moment is 2.7.1. You can keepassxc --version to check the version installed.

And indeed, this has installed the latest version! Yay!

Now, open the application and this is what you see.

default view of KeePassXC

Now, you can open an existing database. This worked as expected for me. Or you can create a new database.

To configure it with your browser of choice, go the main menu and choose Tools, then choose Settings from the dropdown. Then, go to the Browser Integrations tab, as below.

browser integration tab in settings

Now, you can select the browsers you want to use. There are links to download the KeePassXC-Browser extension for all of the major browsers. Very handy!

I opened the "Google Chrome / Chromium / Vivaldi / Brave" link in Brave. It opens the page for the KeePassXC-Browser in the chrome web store. There is a blue "Add to Brave" button. I clicked it to install the extension.

chromestore keepassxc-browser extension in brave

Once you install an extension, you may be prompted to pin it to the menu bar for quick access. In this case, it does not happen, and it is convenient to have available so that you to see if you are connected to your database.

We can pin the extension to the menu bar ourselves by clicking the extensions settings button (a jigsaw piece) and click the pin next to the extension name, as per screenshot below.

pin icon to menu-bar

Now, click on the pinned KeePassXC icon to reveal the connection status. If your database is open, you will see a "Connect" button, as below.

keepassxc-extension settings dialog showing connection status

Click this and you will prompted to enter a key association for the browser. Enter one (I entered "brave") and click the "Save" button. You should now be connected, as below.

keepassxc extension settings dialog connected message

Now, when you open a website that has an entry in your database, it should give you options to fill the credentials in for you.

For example, I have the following entry for GitHub. You can use "https://github.com" for the URL field, no need to give the URL for the actual signin page, KeePassXC will recognize the login page when you open it for websites.

github entry in my database

Now, when you go to the "Sign in" page on GitHub, you will see the KeePassXC icon in the Username or email address text field.

github signin with keepassxc icon in user field

Click on this icon and it will fill in your username and password!

It also offers to fill the fields as a quick suggestion when the Username or email address field gets focus and you press the down key.

There are further options that be accessed in a context menu when you right-click inside one of the fields, as below.

keepassxc-extension context-menu offered by right-clicking inside the field

Want to know more?

Dive into the Getting Started Guide.

Syncing across devices

If you want to sync the database file across devices, you can use any syncing method you like. You can use a service like DropBox if you wish. Or instead you can use ssh in KeePassXC, so you can securely access your database file remotely!

If you do choose to sync the file, look into the File Management settings to ensure there is no conflict with your sync process. It is probably a good idea to disable the settings "Automatically save after every change". There is an option to specifically address this issue called "Use alternative saving method (may solve problems with Dropbox, Google Drive, GVFS, etc.)"

file management settings

You can turn on periodic backups too, with the "Backup database file before saving" option. Better safe than sorry, right?

Wrapping up

It is quite quick to get set-up with KeePassXC. I found it easier to use than KeePass, albeit I have experience with KeePass. Importantly, it resolves the issue I had with browser integration., and there is no friction with switching from KeePass. I can recommend using it.

Is it the best password manager?

It is always good to extend the idea of "best" to "best for your needs". For the features I use, it does everything I need admirably. I didn't feel the need to try out the competitors. I will leave that up to you. Lazy, I know! ๐Ÿฆฅ๐Ÿ˜€

I hope this has shone some light on how to manage your own passwords securely!

What is your favourite password manager?

Top comments (19)

Collapse
 
moopet profile image
Ben Sinclair

I've been happily using Bitwarden for this for a few years now. It has a decent comman-line client and is also free software, but it uses cloud sync rather than the DIY approach Keepass likes. But they're both good :)

Collapse
 
robole profile image
Rob OLeary • Edited

Thanks for sharing Ben. When do you find yourself using the CLI client?

I was aware of BitWarden from years ago and it sounds solid now. When I browsed their website recently, I doubted it was the same thing! The first impression is that it is a business cloud product. The fact that it is something you can use locally and is free for personal use gets lost.

Collapse
 
moopet profile image
Ben Sinclair

I pretty much don't use the CLI client, I'm just aware that it works because I've used it a couple of times. On a desktop I always have a browser open to copy something from and on a mobile device I don't have a CLI anyway.

Usually I'm a big fan of using the command line over GUIs, but with password management... I don't, for some reason!

Thread Thread
 
robole profile image
Rob OLeary • Edited

I guess since typically a browser is a desktop app, using a browser extension is more practical. It can be handy to have the CLI occasionally too.

You could use a CLI web browser along with a CLI password manager. I don't know if itd be practical, but Im sure there is someone out there doing it!

Collapse
 
codewithcaen profile image
CodeWithCaen

I love Bitwarden! You can self host it too

Collapse
 
neorejalist profile image
Jeroen

Checkout vaultwarden, a bitwarden remake in rust. Run it on an rpi and only sync passwords locally, or open a port to the berry. I have it running in docker behind a ssl-proxy.

Collapse
 
robole profile image
Rob OLeary • Edited

Sounds interesting! There are so many cool private infrastructure projects you can do with a raspberry pi. I would fear that I would turn my bedroom into a micro-server farm as these can be fun projects!

Collapse
 
pontusk profile image
Pontus Karlsson • Edited

I moved away from KeePassXD to Pass, the standard Unix password store. Downside is the setup is more complex and I couldn't get it to work on Windows. Upside is passwords are stored in plain text files encrypted with standard gpg and synced with git so its maximally portable and future proof. It's more hackable (in the sense that you can easily extend functionality, like using fzf to enhance search, not that it's easier to break). It's on the command line. I really like not having to keep a separate app open since I mostly work in a terminal window. It has a lot of ui programs as well including phone apps and browser extensions.

Collapse
 
alexwinder profile image
Alex Winder

I'm a big fan of Keepass and have been using it for the last 10 years. I move around my environment as well between Windows and Linux and the switching between Keepass and KeepassXC is seamless - I actually prefer KeepassXC though as it is generally much more user friendly.

Collapse
 
tiguchi profile image
Thomas Werner

KeepassXC also has been my password manager of choice for the past few years. I store my wallet on a network attached storage device and I can easily share the same passwords between all my computers without a problem (Linux, Mac OS and Windows). My most favorite feature is OTP. Super convenient to use. Just copy & paste the code from KeepassXC. No fumbling around with a mobile phone app.

My only issue is with the browser extensions. It's been a bit of a hit and miss for me over the years. Sometimes it works great, but most of the time it doesn't, so I intuitively resort to just opening the main app, search the record there and copy and paste ๐Ÿคทโ€โ™‚๏ธ

Collapse
 
robole profile image
Rob OLeary • Edited

The browser extensions for password managers seem to be tricky to get right. I am set-up on Brave and Firefox with KeePassXC now, and so far, so good. Hopefully, it will continue on this way.

Collapse
 
amir2mi profile image
Amir M. Mohamadi

Firefox itself has a great password manager that will be synced with your Firefox account and I'm using it all these years.

Collapse
 
goodevilgenius profile image
Dan Jones

To go along with KeePassXC, KeePassDX on Android works really well.

Collapse
 
robole profile image
Rob OLeary

man struggling to think of password, removes brain and shakes on table, and all passwords drop out, and he passes them into the computr

Collapse
 
haydenmcp profile image
Hayden McParlane

Is there some way to secure password manager communication with plugins? The idea of sending passwords from plugin to plugin seems a bit freaky to me but I'm probably just ignorant of the solutions used.

Collapse
 
robole profile image
Rob OLeary • Edited

In the case of KeepassXC, you do not need plugins. All of the functionality is contained in the core application.

If you want to use a browser extension to autofill fields in the browser, these are made by the core team also. So they should be trustworthy and secure. In any case nothing is sent over a network. The transfer of a password from the database to the browser is done on your local machine.

If you have doubts, then you can skip using the extensions. You can research it further and inspect the code if you want to have confidence using it.

Collapse
 
haydenmcp profile image
Hayden McParlane

Thanks for the great info. I'd be more worried about using multiple third-party sources for plugins. The more you rely on different people the more likely you are to introduce malicious actors. It sounds like KeepassXC would be worth looking into.

Collapse
 
webbureaucrat profile image
webbureaucrat

Bitwarden is not proprietary. It uses GPL. Please revise.

Collapse
 
robole profile image
Rob OLeary

Sure. Done! ๐Ÿ™‚