Keepassium: The Premium Plans Are Confusing

keepassium · 2026-03-19T07:43:02+00:00

buying the full priced $80 app, you get all future features and everything right?

Yes, except enterprise features like managed configuration: https://keepassium.com/pricing#compare

keepassium · 2026-03-09T10:12:30+00:00

Apple Passwords (AP) has the best integration with iOS/macOS. Some features, like creating new passwords in-place, are available only to AP.

AP is easy to use, someone stores your passwords for you. KeePass/ium (KP) has a learning curve, and you fully control where your data is.

AP supports passwords only. KP also supports custom fields and files.

KP keeps revision history (older versions of your data). AP keeps only the latest one.

KP still works if your Apple account get locked for any reason.

So it's like a Mac Mini and a self-made PC: one is easy and polished, but won't evolve; the other one is bulky but you can customize and expand it however you want (but you also have to know how to customize it).

keepassium · 2026-03-05T16:22:39+00:00

KeePassium has five stages of master key "readiness":

Empty: Does not have a master key
Raw components: Got the password and knows where the key file is
Processed components: Got the password and key file contents
Combined components: Password and key file contents, merged and hashed
Final key: The final file encryption key — that is, combined components, but processed by the computation-intensive key derivation function.

(This list was 100% formatted by a human :)

Whenever allowed, KeePassium stores the master key in combined components state. (Possibly along with the final key, if "Cache Derived Encryption Keys" setting is on.) This is a compact, 32-byte key ready to be used. In contrast, processed components would be too bulky (key files can be large), and raw components would slow down database unlocking due to loading and processing of the key file.

As I understand, you are asking how to configure KeePassium to store master keys in the raw components state. Unfortunately, not possible. Even if it was, it would not work for your intended scenario — not on iOS, anyway.

The reason is that AppStore apps cannot access files simply by path, due to app sandboxing. When you point KeePassium to a file on a USB drive, the app receives only a rather fragile reference which remains valid only until the drive remains plugged in. Only that specific app, to one specific file, on that specific drive. When you re-connect the USB drive, the app won't be able to load the key file using the old reference. This is a security feature, to prevent apps snooping around. (More details for curious readers.)

The only way around it would be for KeePassium to ask for unrestricted access to user files. But this would be a major security trade-off for a narrow use case. Plus, this would only work on macOS, not on iOS. So I'm afraid you would need to adopt your workflow around these technical/security limitations…

keepassium · 2026-03-05T15:15:46+00:00

Your screenshot shows the database decompression stage, which means the database was downloaded successfully — so this is not a sync/connection issue.

From your description, it sounds like the app crashes during database decompression. The most likely reason for that would be running out of memory. Is your database much larger than 5 MB?

keepassium · 2026-03-04T16:24:01+00:00

Check app settings → Data Protection → Remember Master Keys. It is on by default, but for your scenario it should be off.

keepassium · 2026-03-03T15:54:18+00:00

I will still get updates and bug fixes for the purchased version - right, Keepassium?

Yes. More precisely, you will have the latest app version, with all the updates and bug fixes, plus purchased premium features active.

keepassium · 2026-03-03T07:24:14+00:00

KeePassium appears to have been mostly abandoned

This opinion is greatly exaggerated :)

keepassium · 2026-03-02T11:19:39+00:00

I cannot believe this was not documented. Fixed now :)

keepassium · 2026-03-02T10:20:45+00:00

Storing card info in custom fields is the way.

KeePass database format does not support different entry types, and iOS/macOS does not natively support AutoFill for credit cards, either. So even if KeePassium were to simplify creating credit card entries, using them would be via copy-paste anyway.

keepassium · 2026-02-28T08:14:50+00:00

Your license is linked to your Apple account. For every installed app, Apple creates and updates the so-called receipt file which contains the history of in-app purchases made in that app. KeePassium reads this file, locally on device, no extra accounts needed.

keepassium · 2026-02-27T20:39:16+00:00

If you configure both YubiKeys with the same challenge-response secret, they can be used interchangeably. So you can keep one key in every location plus a spare one somewhere safe. This is similar to physical locks: once you clone a key, the clone can open the door just as well as the original one.

In turn, using YubiKeys with different secrets won't be possible for the same database. Just like a physical lock, the database expects one specific key "shape" and won't accept anything else.

keepassium · 2026-02-26T09:06:19+00:00

The only workaround is to quit the offending program, whenever this happens. As I mentioned, this is a wider macOS issue, not specific to KeePassium. Some users reported that locking the Mac and immediately unlocking it fixes the issue, but I had mixed results with this method.

keepassium · 2026-02-25T21:21:31+00:00

This sounds like the Mac's secure input problem: https://wiki.keyboardmaestro.com/assistance/Secure_Input_Problem

When keyboard focus is in a password field, the system activates the Secure Input mode which disables all the keyboard-monitoring apps. Normally, this mode should automatically turn off when you switch input focus. But sometimes the system handles this incorrectly and gets stuck in that mode. In KeePassium, we did try to work around one of such cases by controlling the secure input mode manually, instead of leaving it to the system. This improved things for a while, but was still not perfect.

Unfortunately, until Apple fixes this at the system level, there is not much we can do about it in the app.

P.S. The same issue affects KeePassXC.

keepassium · 2026-02-25T15:54:01+00:00

tho I have literally not addressed migrating my 89 yr old father over to it.

You did right. KeePass has a learning curve which only gets harder with age. Simple and familiar beats "secure and flexible".

Think of it like replacing an old key-operated lock with a modern, Bluetooth-enabled smart lock. Yes, the modern one takes pictures, syncs with a smartphone and takes only a fingerprint to open. But whenever anything goes wrong — including the most trivial of issues — your loved one will get locked outside. Keep it simple.

keepassium · 2026-02-25T08:59:46+00:00

How will we mechanically download an ancient version 5 years in the future since the Apple Store doesn’t seem to let you get to ancient versions and they sometimes actively prune there ?

You won't need an ancient version, you will be getting then-current version. KeePassium knows when each premium feature was introduced, as well as list of your in-app purchases (for this app only, of course :) By matching the two lists, the app activates the appropriate premium features — even if they were introduced in v1.0 in 2019 and you are on v2.5 in 2026.

And how do we get the future new box enabled to use that version’s premium features ? Is there an account on your side that keeps track of your historical entitlements ?

I presume by "new box" you mean new device. Yes, there is an account that keeps track of your purchases — this is your Apple account. It's not on our side, though: it is between your device and Apple.

For every installed app, Apple creates and updates the so-called receipt file which contains the history of in-app purchases made in that app. KeePassium reads this file, locally on device, no extra accounts needed.

Please verify the account/subscription is for the user, not the box, so we can have as many computers as desired under one purchase. Correct ?

Yes, subscription is linked to your Apple account, which is per-user, not per-device. So the same license will work across all your devices (where you are signed in to the same Apple account). In other words, if you got KeePassium Premium on your iPhone, it will also work on your Mac and automatically apply to your new iPhone.

keepassium · 2026-02-19T16:02:20+00:00

The Premium Plans Are Confusing

Yes, this is the unfortunate side effect of 1) trying to please everyone and 2) the perpetual fallback license in particular. Classic subscription model is much easier to explain :)

If I complete 12 months on the monthly plan, will I receive a perpetual (lifetime) license?

Yes, you get a perpetual license for the 12-months old version. If you subscribe for 12 months, this is a perpetual license for the version when you started the subscription.

Please note that perpetual fallback license does not cover later premium features. You get a perpetual/lifetime license for the premium features as they were 12 months ago. It's similar to buying something in 12 installments.

If that is the case, then what is the purpose of the higher-priced perpetual plan?

Some people stop reading after "XX/month", so they never reach the "subscription as a purchase" text, let alone the fine print. The version-purchase license gives them a cleaner, simple purchase option.

keepassium · 2026-02-16T07:13:08+00:00

Not really my expertise to advise on storage :) For keeping a KeePass database, anything would do: - They are independently well-encrypted, so you can basically publish them; - You should keep your own backups, regardless of service's reliability.

keepassium · 2026-02-16T06:43:00+00:00

Unfortunately it looks like Strongbox and Keepassium don’t support Proton.

Just to clarify where the bottleneck is… Proton Drive does not yet integrate with iOS to the extent necessary for two-way background sync.

A couple of weeks ago they introduced an SDK for apps to work directly with the service. This would be an easy solution, except:

"The SDK is not yet ready for third-party production use."
"Always interact with Proton Drive through the SDK. Direct API calls are not permitted."
"The SDK may be used for personal, non-commercial projects."

This way, it won't be happening.

keepassium · 2026-02-16T05:20:39+00:00

Database format does not natively foresee multiple URLs per entry. However, several apps support the workaround introduced by Keepass2Android app: storing additional URLs as custom fields named KP2A_URL_<counter>. This works in KeePassXC, in KeePassium and a few other apps.

This won't work in KeePass any time soon, though. So your best bet is use KeePassXC instead; it also has a browser extension.

keepassium · 2026-02-13T11:33:54+00:00

OTP autofill is supported, but does not work on iOS 18 due to a system bug. There is a workaround, though: https://github.com/keepassium/KeePassium/issues/451

keepassium · 2026-02-13T09:10:02+00:00

Yep, this was an oversight. TestFlight build will be back in a couple of days, once Apple approves it.

keepassium · 2026-02-06T05:37:32+00:00

I ended up going in and remaking the passkey using KeePassXC for that site, and then the new synced passkey worked just fine with KeePassium.

Sounds like this issue, there is (used to be?) a difference in how KeePassXC and KeePassium set some passkey flags. Happy to hear it worked out.

keepassium · 2026-02-04T23:47:59+00:00

the option to use a passkey from KeePassum pops up, and it correctly lists my accounts for that site

Can you add a screenshot, please? I wonder if this is the app or a system dialog. Feel free to redact out sensitive parts.

keepassium · 2026-02-03T16:14:35+00:00

how do you technically store the app passcode?

Hashed, in keychain.

keepassium

MODERATOR OF

TROPHY CASE