KeePassXC
KeePassXC is a password manager, but describing it that way undersells it. It is an encrypted personal database for anything that needs to stay private. Passwords, yes, but also SSH key passphrases, PIN codes, software licence keys, bank account details, API tokens, security questions, anything that would cause a problem if someone else had access to it.
The underlying format is KDBX, an open standard that has been around long enough to have client applications on every platform worth naming. Your database is a single encrypted file. It can be backed up, synced, or handed to a trusted person for safekeeping, and none of that creates a security risk because the file is useless without the passphrase that unlocks it. That is also why the passphrase itself has to be strong: anyone holding a copy of the file can try guesses against it offline, at leisure, with no lockout to slow them down.
Why KeePassXC specifically
There are several KeePass-compatible applications. KeePassXC is the right choice for a Kubuntu desktop for a few reasons. It is actively maintained, cross-platform, open source, and does not require any account, subscription, or internet connection to function. It integrates with browsers via an extension. It supports YubiKey as a second factor. And it handles the SSH agent integration that matters for this setup.
It is also the application that the rest of this series assumes you are using.
Installation
The version of KeePassXC in the standard Ubuntu repositories tends to lag behind the current release. The PPA maintained by the KeePassXC team gives you the latest version:
sudo add-apt-repository ppa:phoerious/keepassxc
sudo apt update
sudo apt install keepassxc
Verify the installation:
keepassxc --version
Creating your database
On first launch, KeePassXC will offer to create a new database or open an existing one. Choose to create a new database.
Step 1: Name your database. Give it a name and optionally a description. These are stored unencrypted in the file header, so keep the name generic rather than identifying.
Step 2: Set the encryption settings. The defaults are fine for most setups. AES-256 with a high number of transform rounds provides strong protection. If you are going to sync the database to slower devices, very high round counts can make unlock noticeably slow, but on a desktop the defaults are not going to cause issues.
Step 3: Set your database passphrase. This is the one passphrase that must live in your head. Use a seven-word Diceware passphrase as covered in the passphrases section. Do not use the same passphrase you use for anything else.
Step 4: Consider a key file. KeePassXC supports an additional key file alongside the passphrase, so that both are required to unlock the database. This is a meaningful additional layer of security: even if someone gets your passphrase, they also need the key file. Store the key file somewhere separate from the database, such as on a USB drive you keep physically secure.
Configuring the password generator
Before adding any entries, configure the password generator to produce credentials that are actually strong. Open Settings, go to Password Generator, and set the following:
- Length: 32 characters minimum
- Include uppercase, lowercase, numbers, and special characters
- Exclude ambiguous characters (the 0, O, l, 1 problem) if you ever need to read passwords aloud or type them manually
For credentials that will only ever be pasted or auto-typed, ambiguous character exclusion is not necessary. For anything you might ever need to type manually, it is worth enabling.
Save a custom profile for each use case. KeePassXC remembers generator profiles, so you can have one for standard web credentials, one for passphrases, and one for anything with specific character restrictions.
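As an added illustration, not code from KeePassXC or from the original page, here is a Python equivalent of the generator settings above: the same four character classes, the 0/O/l/1 exclusion, a policy check you can run against any password however it was produced, and a rough entropy figure that shows what 32 characters actually buys. The SPECIAL set is an assumption; KeePassXC's own list of symbols differs slightly.

```python
import math
import secrets
import string

# Character classes matching the generator settings recommended above.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"  # assumed set, not KeePassXC's exact list
# The characters that are easy to confuse when a password is read aloud or typed by hand.
AMBIGUOUS = set("0Ol1")


def character_classes(exclude_ambiguous=False):
    """The four classes, optionally with the ambiguous characters removed from each."""
    classes = [UPPER, LOWER, DIGITS, SPECIAL]
    if exclude_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes


def generate_password(length=32, exclude_ambiguous=False):
    """Draw a password from the OS CSPRNG, guaranteeing one character from every class."""
    classes = character_classes(exclude_ambiguous)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def meets_policy(password, min_length=32, exclude_ambiguous=False):
    """Check a password (however it was produced) against the same settings."""
    classes = character_classes(exclude_ambiguous)
    if len(password) < min_length:
        return False
    if exclude_ambiguous and AMBIGUOUS & set(password):
        return False
    return all(any(c in cls for c in password) for cls in classes)


def entropy_bits(length=32, exclude_ambiguous=False):
    """Approximate entropy: log2 of the alphabet size, times the length."""
    alphabet_size = sum(len(cls) for cls in character_classes(exclude_ambiguous))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(exclude_ambiguous=True)
    print(pw, meets_policy(pw, exclude_ambiguous=True), round(entropy_bits(exclude_ambiguous=True), 1))
```

Dropping the four ambiguous characters costs about two bits over 32 characters, which is why the page treats the exclusion as a readability choice rather than a security trade-off.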
Organising your database
A flat list of entries gets unwieldy quickly. Set up a group structure before you start adding entries rather than after. A workable starting structure:
Root
├── Email
├── Finance
├── Infrastructure
│ ├── SSH Keys
│ ├── Server Credentials
│ └── Certificates
├── Social
├── Software & Services
└── Recovery Codes
The Infrastructure group is particularly important for this setup. Every server credential, every SSH key passphrase, every service account belongs here, organised consistently so you can find things quickly under pressure.
Browser integration
KeePassXC includes a browser extension called KeePassXC-Browser, available for Firefox and Chromium-based browsers. It communicates with the desktop application directly rather than going through any external service, which is exactly the right approach.
Install the extension for your browser, then in KeePassXC go to Settings, Browser Integration, and enable it. The first time the extension connects, KeePassXC will ask you to name the connection and confirm access.
Once connected, KeePassXC will offer to fill credentials on sites it recognises, and offer to save new credentials when you log in somewhere new. The URL matching is configurable per entry, which matters for things like self-hosted services running on non-standard ports.
SSH agent integration
KeePassXC can act as an SSH agent, storing your SSH key passphrases and providing them to the SSH client automatically. This is one of the more useful features for this setup given the number of servers you will eventually be connecting to.
Enable it in Settings under SSH Agent. KeePassXC needs to know about your SSH keys: add a new entry for each key, attach the private key file, and KeePassXC will add it to the SSH agent when the database is unlocked.
To use KeePassXC as your SSH agent rather than the system agent, set the environment variable in your shell configuration:
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/keeagent.sock"
This tells SSH to look for the agent socket provided by KeePassXC rather than the default system socket.
Backing up your database
The database is a single file. Back it up the same way you back up everything else important, which is covered in the backup section of this series. At minimum, it should exist in at least two physically separate locations at all times.
One practical approach: keep the primary database on your desktop, sync it to your Nextcloud instance once that is running, and keep an additional copy on a USB drive stored somewhere sensible. The database is already encrypted, so the backup medium itself does not need to be, although an encrypted drive does no harm.
The database passphrase and the database file should never be stored in the same place. If both are on the same device and that device is stolen, the encryption is meaningless. The same applies to the key file from step 4: keep it apart from every copy of the database, including the backups.
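An added example, not part of the original page or of KeePassXC itself: a small Python routine that copies the .kdbx file to each backup location, verifies every copy by SHA-256 before trusting it, keeps only the newest few copies per location, and refuses a destination that also holds the key file. File names, destinations and the retention count are assumptions.

```python
import hashlib
import shutil
from datetime import datetime, timezone
from pathlib import Path

KEEP = 5  # assumed retention: timestamped copies to keep per destination


def sha256_of(path):
    """Hex digest of a file, used to prove a copy is byte-identical to the source."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def backup_database(db_path, destinations, key_file=None, keep=KEEP, now=None):
    """Copy the database to every destination, verify each copy, prune old copies.

    Returns the list of verified copies. Raises RuntimeError if a destination
    lies under the key file's directory or if a copy does not verify."""
    db_path = Path(db_path)
    key_dir = Path(key_file).resolve().parent if key_file is not None else None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    source_hash = sha256_of(db_path)
    copies = []
    for dest in map(Path, destinations):
        # The key file must never sit beside the database it unlocks.
        if key_dir is not None and dest.resolve().is_relative_to(key_dir):
            raise RuntimeError(f"{dest} is beside the key file; refusing to copy there")
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / f"{db_path.stem}-{stamp}{db_path.suffix}"
        shutil.copy2(db_path, target)
        if sha256_of(target) != source_hash:
            target.unlink()  # never keep a copy that cannot be trusted
            raise RuntimeError(f"copy to {target} did not verify")
        copies.append(target)
        # Names sort by timestamp, so the oldest copies come first.
        existing = sorted(dest.glob(f"{db_path.stem}-*{db_path.suffix}"))
        for stale in existing[:max(0, len(existing) - keep)]:
            stale.unlink()
    return copies


if __name__ == "__main__":
    # Assumed paths for a desktop, a Nextcloud sync folder and a USB drive.
    home = Path.home()
    done = backup_database(home / "Passwords" / "vault.kdbx",
                           [home / "Nextcloud" / "Backups", Path("/media/usb/backups")],
                           key_file=home / ".config" / "vault.keyx")
    print("\n".join(str(c) for c in done))
```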