Using the KeePassXC password manager you can:

  • Store many passwords in an encrypted database which is protected by a single passphrase of your choice.
  • Always use different and stronger passwords, since you only have to remember a single passphrase to unlock the entire database.
  • Generate very strong random passwords.

Create and save a password database

Follow these steps to create a new password database and save it in the Persistent Storage for use in future working sessions.

To learn how to create and configure the Persistent Storage, read the documentation on the Persistent Storage.

  1. When starting Tails, unlock the Persistent Storage.

  2. In the Persistent Storage settings, verify that the Personal Data feature is turned on.

    Otherwise, turn it on, restart Tails, and unlock the Persistent Storage.

  3. To start KeePassXC, choose Applications ▸ Accessories ▸ KeePassXC.

  4. To create a new database, click Create new database.

  5. Save the database as Passwords.kdbx in the Persistent folder.

  6. The database is encrypted and protected by a passphrase.

    • Specify a passphrase of your choice in the Enter password text box.
    • Type the same passphrase again in the Repeat password text box.
    • Click OK.

Restore and unlock the password database

Follow these steps to unlock the password database saved in the Persistent Storage from a previous working session.

  1. When starting Tails, unlock the Persistent Storage.

  2. To start KeePassXC, choose Applications ▸ Accessories ▸ KeePassXC.

  3. If you have a database named Passwords.kdbx in your Persistent folder, KeePassXC automatically displays a dialog to unlock that database.

    Enter the passphrase for this database and click OK.

  4. If you enter an invalid passphrase the following error message appears:

    Unable to open the database.
    Wrong key or database file is corrupt.

To store your KeePassX settings in the Persistent Storage, in addition to the password database:

  1. Turn on the Dotfiles feature of the Persistent Storage.
  2. Restart Tails.
  3. Unlock the Persistent Storage in the Welcome Screen.
  4. Choose Places ▸ Dotfiles.
  5. Create the folder /live/persistence/TailsData_unlocked/dotfiles/.config/keepassxc/.
  6. Copy the file ~/.config/keepassxc/keepassxc.ini to

Update the cryptographic parameters of your password database

KeePassXC, included in Tails 4.0 and later, supports the KBDX 4 file format. The KBDX 4 file format uses stronger cryptographic parameters than previous file formats. The parameters of previous file formats are still secure.

To update your database to the latest cryptographic parameters:

  1. Choose Database ▸ Database settings.

  2. In the Encryption tab, change the following parameters:

    • Set Encryption Algorithm to ChaCha20.
    • Set Key Derivation Function to Argon2.
  3. Click OK.

Migrating a password database from Tails 2.12 and earlier

The database format of KeePass 1 (Tails 2.12 and earlier) is incompatible with the database format of KeePassXC (Tails 4.0 and later).

To migrate your database to the new format:

  1. Start KeePassXC.

  2. Choose Database ▸ Import ▸ Import KeePass 1 database.

  3. Select your database, for example keepassx.kdb.

  4. After your database is open, save it to the new format:

    • Choose Database ▸ Save database.
    • Save the database as Passwords.kdbx in the Persistent folder.

    Note that only the file extension is different:

    • kdb for the old format.
    • kdbx for the new format.
  5. This operation does not delete your old database from your Persistent folder.

    You can now delete your old database or keep it as a backup.

Additional documentation

For more detailed instructions on how to use KeePassXC, refer to the KeePassXC guide of the Electronic Frontier Foundation.