Using the KeePassXC password manager you can:

  • Store many passwords in an encrypted database which is protected by a single passphrase of your choice.
  • Always use different and stronger passwords, since you only have to remember a single passphrase to unlock the entire database.
  • Generate very strong random passwords.

Create and save a password database

Follow these steps to create a new password database and save it in the persistent volume for use in future working sessions.

To learn how to create and configure the persistent volume, read the documentation on persistence.

  1. When starting Tails, enable the persistent volume.

  2. In the Persistent Volume Assistant, verify that the Personal Data persistence feature is activated. If it is deactivated, activate it, restart Tails, and enable the persistent volume.

  3. To start KeePassXC, choose Applications ▸ Accessories ▸ KeePassXC.

  4. To create a new database, click Create new database.

  5. Save the database as keepassx.kdbx in the Persistent folder.

  6. The database is encrypted and protected by a passphrase.

    • Specify a passphrase of your choice in the Enter password text box.
    • Type the same passphrase again in the Repeat password text box.
    • Click OK.

Restore and unlock the password database

Follow these steps to unlock the password database saved in the persistent volume from a previous working session.

  1. When starting Tails, enable the persistent volume.

  2. To start KeePassXC, choose Applications ▸ Accessories ▸ KeePassXC.

  3. If you have a database named keepassx.kdbx in your Persistent folder, KeePassXC automatically displays a dialog to unlock that database.

    Inserite la frase d'accesso per questo database e cliccate OK.

  4. If you enter an invalid passphrase the following error message appears:

    Unable to open the database.
    Wrong key or database file is corrupt.

In addition to the password database, you can store your KeePassXC settings using the Dotfiles persistence feature. To do so, create the folder /live/persistence/TailsData_unlocked/dotfiles/.config/keepassxc/ and copy the file ~/.config/keepassxc/keepassxc.ini to it.

Update the cryptographic parameters of your password database

KeePassXC, included in Tails 4.0 and later, supports the KBDX 4 file format. The KBDX 4 file format uses stronger cryptographic parameters than previous file formats. The parameters of previous file formats are still secure.

To update your database to the latest cryptographic parameters:

  1. Choose Database ▸ Database settings.

  2. In the Encryption tab, change the following parameters:

    • Set Encryption Algorithm to ChaCha20.
    • Set Key Derivation Function to Argon2.
  3. Click OK.

Migrating a password database from Tails 2.12 and earlier

The database format of KeePass 1 (Tails 2.12 and earlier) is incompatible with the database format of KeePassXC (Tails 4.0 and later).

To migrate your database to the new format:

  1. Start KeePassXC.

  2. Choose Database ▸ Import ▸ Import KeePass 1 database.

  3. Select your database, for example keepassx.kdb.

  4. After your database is open, save it to the new format:

    • Choose Database ▸ Save database.
    • Save the database as keepassx.kdbx in the Persistent folder.

    Note that only the file extension is different:

    • kdb for the old format.
    • kdbx for the new format.
  5. This operation does not delete your old database from your Persistent folder.

    You can now delete your old database or keep it as a backup.

Additional documentation

For more detailed instructions on how to use KeePassXC, refer to the KeePassXC guide of the Electronic Frontier Foundation.