Add Password manager by default

I have always frowned upon using some specific software (especially GUI software) for managing passwords, what exactly is escaping me? I always used a plain text file to store passwords, which I encrypt using gpg. I have seen pass mentioned a few times in the news (and in this thread), but there’s one feature of it that totally put me off and killed my desire to consider it. AFAIK pass advertises to store per-site passwords in GPG encrypted files, but names those files with site names. To me this is a giant flaw since it leaks the names of the sites one has accounts for.

KeePassXC has a plethora of features that make it much more useful than a text file.

In a kdbx database, I can store the password to my bitcoin wallet. I can store the seed. I can store the master public key, I can store the master private keys. (extended too). I can store a CVS file of all public keys for all addresses. Also a CVS file of payment addresses.

I can store URLs (encrypted), notes, and all kinds of other things. It has a password generator for secure random passwords.

It has YubiKey support. And KeyFile support.

I could not live without KeePassXC.

The only thing that I don’t like is that every time you save a new password, or change the database in any way, the entire database needs to be re-uploaded to the cloud.

So if I have a database that has a lot of large files attached, every time I edit anything in the database, the whole 400mb database has to be re-uploaded to my cloud storage provider. But this is a minor gripe.

1 Like

wait what? my preciousss passwords never leave storage media I own

1 Like

I’m sorry that you feel you need to limit your mobility in this way.

Cryptomator + Nextcloud is your friend.

(Although Cryptomator not really necessary since kdbx is already encrypted with AES)

How does pass leak site names? In Qube-Whonix an AppVM which has networking disabled can be used for a password vault. Regardless if Qubes is used or not. I don’t see how site names in cleartext matters. If an adversary can see those files he/she likely has access to your system. All that they would have to do is wait until you entered your vault password and log the password.

That is were they should stay. Security and Anonymity should be your number 1 priority when selecting a password manager. Features that could possibly degrade security and anonymity should not be used.

@LakeMonster May I ask you what Cryptomator version do you use ? Do you connect to a cloud using Whonix or another system ?

LessPass is an interesting password manager because it deterministically generates the same password for the same logins no matter what device you use it from without needing to sync the databases. This is possible because it generates these passphrases based on site, login and a master password.

Not packaged yet for Debian because it has non-packaged dependency:

1 Like

Let’s add https://packages.debian.org/buster/keepassxc in Whonix 15?



Any opinion?

1 Like

Good find! Arcieri knows his stuff and it’s good to see a knowledgeable analysis about this family of pw managers. According to this new info we should actively discourage stateless managers on the wiki, citing the main argument headings. These ar core design flaws and can’t really be fixed.

1 Like

Yes it’s the only m well known major option

1 Like

YES! At last this five year old thread can find some closure. :grin:


Ive been using pass-qubes with SecBrowser.


It is possible to use the same vault for multiple AppVMs. I have that configured now for my SecBrowser. For example, i can add just my email password to my Thunderbird (only) AppVM. Then set environment QUBES_GPG_DOMAIN=my-vault.

Next I could add my whonix forum password in separate AppVM with environment QUBES_GPG_DOMAIN=my-vault set in that as well.

Also possible to add the password-store to an dvm template (AppVM with pref template_for_dispvms=true).

1 Like

Having tried keepassxc (the current default in Whonix 15) I consider to avoid it and use keepassx instead.

Main reason is I dislike the AutoType feature that can’t really be fully disabled as far as I’ve seen. I prefer not to have an app (especially one that is used so frequently) that sends data (and in this case, very sensitive data) to other applications in this way. Too easy for mistakes to be made.

1 Like

/cc @Patrick I’ll change it if you don’t have a strong argument against keepassx?

Github are being assholes and me to verify my account, but they never send the verification email, so my account is dead/locked until further notice.

supports yubikey.

Not sure we should change packages as quickly due to a single user mention. Because then the next user comes and asks why that was.

What was the reason to go with keepassxc in first place?


Also we get really disorganized by discussing this in a totally different forum thread.

Upstream discussion / upstream bug report?

Has this been discussed anywhere else before?

development of keepassx was basically ended. i don’t know if that has changed.

1 Like

Comparing the two further, I found that KeePassX also has an AutoType feature, it’s just doesn’t appear as a toolbar icon but rather as a menu item under “Entries”.

Then, disabling of AutoType is possible (in both managers) by:

  • Right click on the root group
  • Choose “Edit Group”
  • Choose “Disable” at the Auto-type menu

as long as the child folders keep the default setting of “Inherit from parent group” Autotype is disabled there too.

I’m still more comfortable using KeePassX but the end of maintenance as pointed out by @tempest may be a stronger argument as far as Whonix userbase is concerned.


keepassxc --config

allows launch with a custom config file.

I didn’t find a dot file or directory under the home dir though.


A post was split to a new topic: Install keepassxc by default in Kicksecure?

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]