KeePassXC for beginners – setup and basic usage

Weak passwords, reused passwords, or passwords based on “magic formulas” weaken your online security significantly. We suggest password management software to generate strong passwords, store passwords securely, and keep track of passwords.

In this tutorial for beginners, we set up and show a typical use case of KeePassXC, an open-source password manager.

Requirements

The following steps are required before creating your first database:

  1. Download KeePassXC and install it on your operating system. For this tutorial, we use KeePassXC 2.6.0. If you install another version of KeePassXC, the setup and usage might differ.
  2. Start KeePassXC.
  3. If your operating system manages the KeePassXC package, select “No” when asked, “Would you like KeePassXC to check for updates on startup?” If you update it manually, or you are unsure, select “Yes.”

Create your first database

After starting KeePassXC, click “Create new database.” Set the database name and a description, as shown in the picture below. Click “Continue.”

An image showing the 'general database information' dialogue in KeePassXC.
Set a database name and a description.

Keep or change the encryption settings

After setting a name and description, you can change the encryption settings. We recommend staying with the defaults if there are no particular reasons to change them.

  • You can set the “Decryption Time” to up to 5 seconds. This value slows down the decryption of your locked database to make brute-force attacks time-consuming.
  • We recommend using “KDBX 4.0” (default) as the database format.

If you want to change the encryption algorithm, key derivation function, or other advanced settings, click “Advanced Settings,” as shown in the picture below:

An image showing the 'encryption settings' dialogue in KeePassXC.
You can either keep the default encryption settings or click 'Advanced Settings.'

The “Advanced Settings” allow you to choose:

  • Encryption Algorithm: AES 256-bit (default), Twofish 256-bit, ChaCha20 256-bit.
  • Key Derivation Function: Argon2 (KDBX 4 – recommended; default), AES-KDF (KDBX 4), AES-KDF (KDBX 3.1).
  • Transformation rounds: 10 (default).
  • Memory Usage: 64 MiB (default).
  • Parallelism: 2 threads (default).

We recommend AES-256 and Argon2. The remaining parameters (transformation rounds, memory usage, parallelism) can be increased to slow down your database’s decryption time.

The defaults are shown in the image below:

An image showing the advanced 'encryption settings' dialogue in KeePassXC.
We recommend AES-256 and Argon2. You can increase the number of transformation rounds to slow down brute-force attacks.

After setting the “Encryption settings,” click “Continue.”

Set a password or passphrase

Finally, you have to set a password or passphrase that is used to protect all database entries. We recommend that you click the small dice icon (🎲) in the password field to generate a random passphrase.

Clicking the dice icon opens the “Generate Password” window, as shown in the picture below:

An image showing the 'generate password' dialogue in KeePassXC.
You can generate a random password to protect your database.

Alternatively, you can select “Passphrase.” We recommend setting a 9-word passphrase since it is easier to avoid spelling mistakes when unlocking your database. You can write down the passphrase and store it offline.

The following screenshot shows the default setting (7-word passphrase):

An image showing the 'generate passphrase' dialogue in KeePassXC.
Alternatively, you can generate a random passphrase.

After setting your password or passphrase, click “Done.” If you want to add a key file or YubiKey, see Next steps.

Check the settings

You created your first database. Now, we recommend checking the default settings of KeePassXC. Go to “Tools” → “Settings.”

We recommend selecting “Backup database file before saving,” as shown in the next picture. Enable or disable the remaining settings as required.

An image showing the 'basic settings' dialogue in KeePassXC.
In the application settings, we recommend enabling 'Backup database file before saving'.

The security settings allow you to customize timeouts and lock events:

An image showing the 'security settings' dialogue in KeePassXC.
In the application settings, you can set timeouts and events that automatically lock your database.

Create your first entry

After creating the database itself, you can add your first entry. You should see an empty “Root” folder, as shown below:

An image showing the unlocked database in KeePassXC.
After opening your new database, you should see a 'Root' folder.

Click “Entries” → “New Entry.” Alternatively, press CTRL + N, or click the “plus” icon.

Enter the title of the account, your username for the account, your password, and the URL. If you didn’t set a password for the account before, click the “dice” icon to generate a random password or passphrase again.

Moreover, you can set a date when your password expires. There are some presets for the expiration (click “Presets”).

If you click the “download” icon (to the right of the URL field), KeePassXC downloads the favicon of the URL. The favicon is then shown in front of the password entry in your database, which makes it easier to spot the account you are looking for.

An example entry is shown below:

An image showing the 'add entry' dialogue in KeePassXC.
For each entry, we recommend setting a title, username, password, and URL.

Additionally, you can set attributes or add attachments. These features can be helpful in some use cases:

An image showing the 'additional attributes' dialogue in KeePassXC.
You can add additional attributes to each entry.

Instead of downloading the favicon, you can select default icons or manually add icons, as shown below:

An image showing the 'select icon' dialogue in KeePassXC.
You can set predefined or custom icons per entry.

Done. You created your first database and your first entry. Now, you can add more entries, migrate to strong passwords, and fully discover all settings of KeePassXC.

Tip: Use the “Auto-Type” feature that automatically types your username and password into a form. On Linux, select the form, switch to KeePassXC, select the correct entry and press SHIFT + CTRL + V.

An image showing the unlocked database in KeePassXC with a single entry.
After creating your first entry, you should see it and its details.

Next steps

Customize KeePassXC for your use cases. You can read our article “Modern credential management” for advanced credential management.

Besides, you can add a key file or YubiKey for additional protection. Finally, have a look at the statistics, as explained below:

Add a key file or YubiKey/OnlyKey

KeePassXC supports adding a key file or a YubiKey for additional protection. Understand the pros and cons of both options.

Warning
KeePassXC and KeePass 2 implement the support for key files and YubiKey differently. The differing implementation means that you can't open a kdbx file created with KeePassXC in KeePass 2, and vice versa (assuming that you added a key file or YubiKey).

Key file

A key file can be any file. However, you should use a file that contains random bytes. For instance, on some Linux systems, you can enter the following command to create a key file containing about 10MB of random bytes:

    dd if=/dev/urandom of=keyfile bs=1M count=10

  • Some benefits: It is free (no cost). You can easily back up your key file. It is beginner-friendly.
  • Some drawbacks: Malware or an attacker can easily copy your key file. You can accidentally modify or remove the key file.
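
The key-file handling described above, as an added example that is not part of the original tutorial: it creates the key file with owner-only permissions, records a checksum so accidental modification is noticed, and verifies a backup copy. It assumes Linux with dd, sha512sum and cp; the function names and the paths passed to them are hypothetical.

```sh
#!/bin/sh
# Added example (not from the tutorial). Assumes Linux with dd, sha512sum, cp.
# Function names and the paths passed to them are hypothetical.

# create_keyfile PATH [SIZE_MIB]: random key file, owner-only, plus checksum.
create_keyfile() {
    keyfile=$1
    size_mib=${2:-10}            # the tutorial's command writes 10 blocks of 1M
    # Never overwrite: replacing a key file a database already uses locks you out.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    # SHA-512 is used for the checksum, not SHA-256: KeePass-style key files of
    # arbitrary content are reduced to their SHA-256 hash, so a stored SHA-256
    # value would be as sensitive as the key file itself.
    (
        umask 077                # key file and checksum readable by owner only
        dd if=/dev/urandom of="$keyfile" bs=1M count="$size_mib" 2>/dev/null &&
        cd "$(dirname "$keyfile")" &&
        sha512sum "$(basename "$keyfile")" > "$(basename "$keyfile").sha512"
    ) || return 1
    chmod 400 "$keyfile"         # read-only guards against accidental edits
}

# verify_keyfile PATH: succeeds only if the file exists and matches its checksum.
verify_keyfile() {
    (
        cd "$(dirname "$1")" &&
        sha512sum -c "$(basename "$1").sha512"
    ) >/dev/null 2>&1
}

# backup_keyfile SRC DEST_DIR: copy key file and checksum, then verify the copy.
backup_keyfile() {
    cp -p "$1" "$1.sha512" "$2"/ || return 1
    verify_keyfile "$2/$(basename "$1")"
}
```

Run `verify_keyfile` against the backup copy from time to time; a failure means the copy was modified or is missing and should be replaced from a good copy.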

YubiKey or OnlyKey

A YubiKey is a physical security token (see our YubiKey articles). We recommend setting up two YubiKeys (primary + backup).

  • Some benefits: It drastically improves the encryption key. It can’t be accidentally modified.
  • Some drawbacks: It isn’t free. You need a backup in case you lose your YubiKey. Setting it up may be hard for beginners.

In the following, you see the settings “Database Credentials” where you can add a key file or a YubiKey:

An image showing the 'database credentials' dialogue in KeePassXC.
Besides the password, you can add a key file or YubiKey to protect your database further.

Statistics

KeePassXC gives an insight into your passwords, as shown in the picture below. Check these statistics regularly to improve the strength of your passwords:

An image showing the 'statistics' dialogue in KeePassXC.
KeePassXC gives an insight into your passwords.

Summary

Is KeePassXC the perfect and most secure password manager? No, it isn’t. For instance, attackers can steal your passwords by installing malware on your system, even if you set a 50-digit password and use a YubiKey. Furthermore, other password managers are more appropriate for specific use cases.

Our message is: Use a password manager of your choice. KeePassXC and KeePass 2 generate strong passwords for you and store them securely. Moreover, they help you to use your passwords every day.
