Using the KeePassXC password manager you can:

  • Store many passwords in an encrypted database which is protected by a single passphrase of your choice.

  • Always use different and stronger passwords, since you only have to remember a single passphrase to unlock the entire database.

  • Generate very strong random passwords.

  • Generate one-time verification codes for two-factor authentication.

For more detailed instructions on how to use KeePassXC, refer to the official KeePassXC User Guide.

Creating and saving a password database

Follow these steps to create a new password database and save it in the Persistent Storage for use in future working sessions.

To learn how to create a Persistent Storage, read our documentation on the Persistent Storage.

  1. When starting Tails, unlock the Persistent Storage.

  2. In Tails, choose Applications ▸ Persistent Storage.

  3. Verify that the Persistent Folder feature is turned on.

  4. To start KeePassXC, choose Applications ▸ Accessories ▸ KeePassXC.

  5. To create a new database, click Create new database.

  6. Continue with the defaults settings in the configuration screens General Database Information and Encryption Settings.

  7. The database is encrypted and protected by a passphrase. In the configuration screen Database Credentials:

    • Specify a passphrase of your choice in the Enter password text box.
    • Type the same passphrase again in the Confirm password text box.
    • Click Done.
  8. Save the database as Passwords.kdbx in the /home/amnesia/Persistent folder.

Restoring and unlocking the password database

Follow these steps to unlock the password database saved in the Persistent Storage from a previous working session.

  1. When starting Tails, unlock the Persistent Storage.

  2. In Tails, choose Applications ▸ Accessories ▸ KeePassXC.

  3. If you have a database named Passwords.kdbx in your Persistent folder, KeePassXC automatically displays a dialog to unlock that database.

    Enter the passphrase for this database and click Unlock.

  4. If you enter a wrong passphrase the following error message appears:

    Error while reading the database: Invalid credentials were provided, please try again.

Storing your KeePassXC settings in the Persistent Storage

To store your KeePassXC settings in the Persistent Storage, in addition to the password database:

  1. Turn on the Dotfiles feature of the Persistent Storage.

  2. In the Welcome Screen, unlock the Persistent Storage.

  3. In Tails, choose Places ▸ Dotfiles.

  4. Create the folder /live/persistence/TailsData_unlocked/dotfiles/.config/keepassxc/.

  5. Copy the file /home/amnesia/.config/keepassxc/keepassxc.ini to /live/persistence/TailsData_unlocked/dotfiles/.config/keepassxc/keepassxc.ini.

  6. Restart Tails before changing more settings.

Using KeePassXC as an authenticator app for two-factor authentication

Many websites offer two-factor authentication as a safer method than using just a password. For example, you can configure an authentication app, like Google Authenticator, to generate a one-time code of 6 digits when signing in to a website.

You can use KeePassXC to generate such one-time codes in Tails. The technology used to generate these codes is called time-based one-time password (TOTP).

To configure two-factor authentication for an entry in your KeePassXC database:

  1. Click on the entry of your database for which you want to configure two-factor authentication.

  2. Choose Entries ▸ TOTP ▸ Set up TOTP….

For more detailed instructions, see Adding TOTP to an Entry in the official KeePassXC User Guide.

After two-factor authentication is configured for an entry, choose Entries ▸ TOTP ▸ Show TOTP to generate a one-time code for this entry.