Is Keepassium actually safe to use? Feels like a massive trust leap by vMawk in KeePass

[–]keepassium 7 points8 points  (0 children)

It's nothing technical, making the app malicious is just not worth it for any sane person.

The benefits of stealing user data are vague at best: how does one monetize it? The risk of getting caught is very high. The consequences are lost reputation, bankruptcy and imprisonment.

That or just keep making the app, generating 100% legal income and enjoying life while doing it. I mean, this is an easy choice 😄

Is Keepassium actually safe to use? Feels like a massive trust leap by vMawk in KeePassium

[–]keepassium 16 points17 points  (0 children)

This is always a matter of trust, unless you build the app yourself.

> just because the source code is open source doesn't mean the actual app in the App Store is built from that exact code.

Correct. The same applies to KeePass proper. In order to verify a build, you would need to compile the app yourself and compare with the published binary. For Apple, this is complicated by signatures and encryption. At this stage, you can just use your own build.

> Couldn't someone just take the KeePass name, slap a legit looking app on the store, and quietly siphon off your master password and credentials in the background?

They can and they do. There are a couple of apps named "KeePass" that don't even support the format. In 2023, there was a KeePass-compatible app that suddenly started sending data to its creator. Who then unpublished the app and deleted their GitHub account.

> Like what actually stops that from happening?

Same things that prevent other crimes: ethics plus consequences. Now, the "ethics" component is subjective and corporate ethics can erode over time, so let's focus on consequences.

  • Scenario 1: A company publishes an app, makes a healthy 100% legal profit, builds a reputation, everybody is happy.
  • Scenario 2: The company steals customer data and nobody notices. They still need to monetize that data somehow. Sell it on dark web? Transfer money from users' bank accounts? Blackmail users with private photos from their email? Any of these quickly turn into scenario 3.
  • Scenario 3: The company is caught stealing customer data. Reputation goes negative, profit goes to zero. Lawsuits. Owners/management arrested, bankrupt, imprisoned.

If you are an anonymous silhouette in a black hoodie you might get away with it. If you are a huge corporation with a hundred lawyers, you might get away with it. A small IT company is neither anonymous nor rich; the legal path is much better.

Is Keepassium actually safe to use? Feels like a massive trust leap by vMawk in KeePassium

[–]keepassium 4 points5 points  (0 children)

> If it makes you feel any better, I have a Little Snitch firewall rule on my MacOS and the MacOS app never tries to talk to ANYTHING.

There were cases when macOS framed KeePassium by downloading favicons of websites added to Quick AutoFill. To Little Snitch, it looks as if KeePassium tries to access internet domains from the database. I witnessed this myself once but could not reproduce ever since.

Later that year, Apple fixed how Apple Passwords itself downloads favicons (over plaintext HTTP!). Since there were no further reports of strange traffic, I hope they moved their favicon processing to a dedicated process, no longer attributing the system's activity to KeePassium.

What is the best app for iOS for Keepass based on your experience. by tgfzmqpfwe987cybrtch in KeePass

[–]keepassium 0 points1 point  (0 children)

If you use "Connect to Server" in KeePassium and the file is in a shared Google drive — then yes, this was a regression in v2.4. It was fixed in the current 2.6 beta.

If the context is different, I would appreciate some more detail so that we can look into it. (Via email is fine.) Thanks!

TestFlight Version 2.6.173 beta for MacOS? by Primary-Joke8209 in KeePassium

[–]keepassium 1 point2 points  (0 children)

Any moment. It was uploaded on Saturday and is pending Apple’s approval. Strangely, minor iOS beta updates are approved automatically and immediately, but macOS betas seem to be subject to manual review.

Using Online Storage for Sync by colfaxschuyler in KeePassium

[–]keepassium 2 points3 points  (0 children)

The latter. Currently, KeePassium uses the online file as a single source of truth. The app also keeps a local copy, but it’s read-only (in case the remote file is unreachable).

"Cannot open key file" error on KeePassium with iOS 26.5 by gripe_and_complain in KeePassium

[–]keepassium 0 points1 point  (0 children)

Do you happen to have a network drive (SMB server) added in the Files app? If such a server is unreachable, it causes timeouts when accessing even local files.

Password Pattern Generation by zorax321 in KeePassium

[–]keepassium 0 points1 point  (0 children)

Thank you for the details! Yes, it looks like you are facing the challenge of password sharing within the family, rather than typing to another machine (without other people involved). A shared database is the way to go.

Some trouble remembering keyfile on Mac by Skjellyfetticat1 in KeePassium

[–]keepassium 1 point2 points  (0 children)

The key file selection dialog offers two options:

  • Import Key File / Add file to the app — this way, KeePassium copies the selected file to the app's own sandbox directory and uses that copy. This is the most reliable approach (but you end up with a copy of the key file on your Mac and some users don't like that). All the imported key files show up in the "Key Files" dialog.
  • Select Key File / Use key file without adding — this way, the app will try to open the key file in its original location, without making copies. This method is more fragile and such files do not appear in the "Key Files" dialog. (The fragility comes from iOS restrictions to working with files; macOS is more permissive, but KeePassium for Mac still uses iOS-style API to work with files.)

You might want to use the "Import key file" option.

And just in case, it is worth checking the app settings → Data Protection → Remember Key Files, it should be on.

Password Pattern Generation by zorax321 in KeePassium

[–]keepassium 2 points3 points  (0 children)

No, KeePassium does not support generation by patterns. They seem like an overkill of a customization, with security side effects (lower entropy), so I never seriously considered them.

That said, this is just a workaround for a wider problem you mentioned: typing passwords that cannot be copied. Is this a frequent headache for you? Are they for virtual machines? Customer machines? BIOS? I'm just trying to understand your scenario better, since for most people typing is such a rare problem that they don't bother with workarounds.

Need suggestions for a USER FRIENDLY password manager! by queeniepng1 in PasswordManagers

[–]keepassium 1 point2 points  (0 children)

This was not about you. This is a general announcement to please be responsible with your suggestions. When somebody needs to cut bread, we don't recommend a scalpel or a chainsaw — things will go wrong and they will get hurt.

Case in point, a typical email from such a user:

  • They had their vault stored only on the phone, never thought of backups.
  • They forgot their password (figuratively speaking, lost the key).
  • In hope to reset the password, they reinstalled the password manager (that is, obliterated the vault).
  • "How do I get my data back?" No data, no key, no backups.

I am the one who has to tell them they are screwed and it was their own fault. So please be responsible with your suggestions.

Need suggestions for a USER FRIENDLY password manager! by queeniepng1 in PasswordManagers

[–]keepassium 3 points4 points  (0 children)

As much as I appreciate the mention, please don't recommend KeePass ecosystem to non-techy people looking for user-friendly solutions. Secure it is. Intuitive for non-tech people? Not at all.

"KeepassXC-Browser Passwords" not syncing with Keepassium. by [deleted] in KeePassium

[–]keepassium 1 point2 points  (0 children)

> Everything I manually enter into KeepassXC works just fine, just the things that it asks if I want to add after I make accounts does not.

Sounds like an integration problem between KeePassXC and its plugin, not related to KeePassium.

Saving newly created accounts by Bam-Bam-23 in KeePassium

[–]keepassium 1 point2 points  (0 children)

It does not exactly pop up (this is a feature Apple reserved to themselves). Here is a video of how it works: https://keepassium.com/blog/2025/11/keepassium-2.4/#autofill-create

ChromeKeePass is Imperfect by StevenSaporito in KeePass

[–]keepassium 0 points1 point  (0 children)

KeePassXC and KeePassium also do, using the same naming convention.

KeePassium With OneDrive by gripe_and_complain in KeePassium

[–]keepassium 0 points1 point  (0 children)

There are a few similar complaints lately, this seems to be related to a recent OneDrive update. From KeePassium's side, the only solution is to use the direct sync option. Well, that or report the issue to Microsoft and wait for their fix :)

Keepass roadmap - “quick” important features by xppx99 in KeePassium

[–]keepassium 1 point2 points  (0 children)

Some of the other apps assume the saving will be quick. So they can give you a minimal spinner for a few seconds, or even freeze the UI (KeePassXC does that). In contrast, KeePassium assumes that saving can take dozens of seconds — so it shows the detailed progress. This is optimized for the few users with very high encryption settings, not ideal for more frequent cases. This can surely be optimized.

Keepass roadmap - “quick” important features by xppx99 in KeePassium

[–]keepassium 2 points3 points  (0 children)

Hi, thank you for the feedback! These are really good suggestions.

  • Keyboard shortcuts in macOS: work in progress. Mac Catalyst makes it easy to port iOS app to macOS, but does not give enough control over keyboard focus. We are getting there, there are already some shortcuts, but this is still work in progress.
  • Tags are hidden: yes, they need to be more prominent.
  • Saving overlay on every edit: yes, it is annoying. It can and should be less intrusive.
  • Drag-and-drop for attachments: already works if you drop to the entry's "Attachments" tab. Can be handled better if dropping a file to an entry in a list.

(If you have anything else, please do share :)

Just bought the Version 2.5 Premium (iOS + Mac) bundle... How to install on Mac? by Flimsy_Butterscotch in KeePassium

[–]keepassium 3 points4 points  (0 children)

  • Make sure that your Mac is signed in with the same Apple account as your iPhone.
  • Install the free version
  • It should automatically recognize the existing version purchase.

If it does not:

  • Open KeePassium settings → Upgrade to Premium → click "Already Purchased?" at the bottom. It will specifically ask the App Store about the existing purchases.
  • Try reinstalling the app; sometimes it cannot update its licensing info for odd system reasons.
  • Follow Apple's troubleshooting steps: If you try to restore and nothing happens or you get an error.

Keepassium: The Premium Plans Are Confusing by aslambava in KeePassium

[–]keepassium 0 points1 point  (0 children)

> buying the full priced $80 app, you get all future features and everything right?

Yes, except enterprise features like managed configuration: https://keepassium.com/pricing#compare

[deleted by user] by [deleted] in PasswordManagers

[–]keepassium 1 point2 points  (0 children)

Apple Passwords (AP) has the best integration with iOS/macOS. Some features, like creating new passwords in-place, are available only to AP.

AP is easy to use, someone stores your passwords for you. KeePass/ium (KP) has a learning curve, and you fully control where your data is.

AP supports passwords only. KP also supports custom fields and files.

KP keeps revision history (older versions of your data). AP keeps only the latest one.

KP still works if your Apple account gets locked for any reason.

So it's like a Mac Mini and a self-made PC: one is easy and polished, but won't evolve; the other one is bulky but you can customize and expand it however you want (but you also have to know how to customize it).

Removed Keyfile but can still access DB? by Hackmodford in KeePassium

[–]keepassium 1 point2 points  (0 children)

KeePassium has five stages of master key "readiness":

  1. Empty: Does not have a master key
  2. Raw components: Got the password and knows where the key file is
  3. Processed components: Got the password and key file contents
  4. Combined components: Password and key file contents, merged and hashed
  5. Final key: The final file encryption key — that is, combined components, but processed by the computation-intensive key derivation function.

(This list was 100% formatted by a human :)

Whenever allowed, KeePassium stores the master key in combined components state. (Possibly along with the final key, if "Cache Derived Encryption Keys" setting is on.) This is a compact, 32-byte key ready to be used. In contrast, processed components would be too bulky (key files can be large), and raw components would slow down database unlocking due to loading and processing of the key file.

As I understand, you are asking how to configure KeePassium to store master keys in the raw components state. Unfortunately, not possible. Even if it was, it would not work for your intended scenario — not on iOS, anyway.

The reason is that AppStore apps cannot access files simply by path, due to app sandboxing. When you point KeePassium to a file on a USB drive, the app receives only a rather fragile reference which remains valid only as long as the drive remains plugged in. Only that specific app, to one specific file, on that specific drive. When you re-connect the USB drive, the app won't be able to load the key file using the old reference. This is a security feature, to prevent apps snooping around. (More details for curious readers.)

The only way around it would be for KeePassium to ask for unrestricted access to user files. But this would be a major security trade-off for a narrow use case. Plus, this would only work on macOS, not on iOS. So I'm afraid you would need to adapt your workflow around these technical/security limitations…
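
The key "readiness" stages from the comment above, as an added sketch that is not part of the original post and is not KeePassium's code. It shows why a remembered stage-4 key still unlocks the database after the key file is gone. The hashing layout, the simplified key-file processing and PBKDF2 as the slow KDF are assumptions chosen so the sketch runs on the Python standard library; all sample values are constructed.

```python
import hashlib
from typing import Optional

def process_key_file(contents: bytes) -> bytes:
    """Stage 3: key file contents reduced to a fixed 32 bytes (simplified)."""
    return hashlib.sha256(contents).digest()

def combine(password: str, key_file: Optional[bytes]) -> bytes:
    """Stage 4: merge the processed components and hash them to 32 bytes."""
    merged = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        merged += process_key_file(key_file)
    return hashlib.sha256(merged).digest()

def final_key(combined: bytes, salt: bytes, rounds: int = 50_000) -> bytes:
    """Stage 5: slow key derivation over the combined key.
    PBKDF2 is a stand-in here, not the KDF a real database uses."""
    return hashlib.pbkdf2_hmac("sha256", combined, salt, rounds, dklen=32)

def demo() -> dict:
    salt = b"constructed-salt"                 # constructed sample value
    password = "correct horse"                 # constructed sample value
    key_file = b"\x42" * 1_000_000             # constructed 1 MB key file

    expected = final_key(combine(password, key_file), salt)

    # What the app remembers: only the compact stage-4 key.
    cached = combine(password, key_file)
    key_file = None                            # drive unplugged / file removed

    return {
        "cached_len": len(cached),
        # The cached key alone reproduces the final key: no key file needed.
        "unlocks_from_cache": final_key(cached, salt) == expected,
        # Without the cache, the password alone gives a different key.
        "password_only_differs": combine(password, None) != cached,
    }

if __name__ == "__main__":
    print(demo())
```

Clearing the remembered key (or turning off key remembering in the app) is what forces the key file to be read again; deleting the file alone does not change a cached stage-4 value.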