Managing passwords using KeePassXC
Using the KeePassXC password manager you can:
- Store many passwords in an encrypted database which is protected by a single passphrase of your choice.
- Always use different and stronger passwords, since you only have to remember a single passphrase to unlock the entire database.
- Generate very strong random passwords.
- Generate one-time verification codes for two-factor authentication.
For more detailed instructions on how to use KeePassXC, refer to the official KeePassXC User Guide.
Creating and saving a password database
Follow these steps to create a new password database and save it in the Persistent Storage for use in future working sessions.
To learn how to create a Persistent Storage, read our documentation on the Persistent Storage.
When starting Tails, unlock the Persistent Storage.
In Tails, choose Applications ▸ Persistent Storage.
Verify that the Persistent Folder feature is turned on.
To start KeePassXC, choose Applications ▸ Accessories ▸ KeePassXC.
To create a new database, click Create new database.
Continue with the default settings in the configuration screens General Database Information and Encryption Settings.
The database is encrypted and protected by a passphrase. In the configuration screen Database Credentials:
- Specify a passphrase of your choice in the Enter password text box.
- Type the same passphrase again in the Confirm password text box.
- Click Done.
Save the database as Passwords.kdbx in the /home/amnesia/Persistent folder.
Restoring and unlocking the password database
Follow these steps to unlock the password database saved in the Persistent Storage from a previous working session.
When starting Tails, unlock the Persistent Storage.
In Tails, choose Applications ▸ Accessories ▸ KeePassXC.
If you have a database named Passwords.kdbx in your Persistent folder, KeePassXC automatically displays a dialog to unlock that database.
Enter the passphrase for this database and click Unlock.
If you enter a wrong passphrase, the following error message appears:
Error while reading the database: Invalid credentials were provided, please try again.
Storing your KeePassXC settings in the Persistent Storage
To store your KeePassXC settings in the Persistent Storage, in addition to the password database:
Turn on the Dotfiles feature of the Persistent Storage.
In the Welcome Screen, unlock the Persistent Storage.
In Tails, choose Places ▸ Dotfiles.
Create the folder /live/persistence/TailsData_unlocked/dotfiles/.config/keepassxc/.
Copy the file /home/amnesia/.config/keepassxc/keepassxc.ini to /live/persistence/TailsData_unlocked/dotfiles/.config/keepassxc/keepassxc.ini.
Restart Tails before changing more settings.
Using KeePassXC as an authenticator app for two-factor authentication
Many websites offer two-factor authentication as a safer method than using just a password. For example, you can configure an authentication app, like Google Authenticator, to generate a one-time code of 6 digits when signing in to a website.
You can use KeePassXC to generate such one-time codes in Tails. The technology used to generate these codes is called time-based one-time password (TOTP).
To configure two-factor authentication for an entry in your KeePassXC database:
Click on the entry of your database for which you want to configure two-factor authentication.
Choose Entries ▸ TOTP ▸ Set up TOTP….
For more detailed instructions, see Adding TOTP to an Entry in the official KeePassXC User Guide.
After two-factor authentication is configured for an entry, choose Entries ▸ TOTP ▸ Show TOTP to generate a one-time code for this entry.
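How a one-time code is derived from the secret stored in the entry, as an added example that is not code from Tails or KeePassXC: it implements the standard TOTP algorithm (RFC 6238) with the common parameters of HMAC-SHA1, a 30-second step and 6 digits. The function names `totp` and `verify` are hypothetical, and the secret is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# the form in which websites usually display a TOTP secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, now=None, step=30, digits=6):
    """Return the TOTP code for the given base32 secret and Unix time."""
    # Secrets are often shown in groups with spaces and in lowercase.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)

    # The moving factor is the number of time steps since the Unix epoch.
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()

    # Dynamic truncation (RFC 4226): the low 4 bits of the last byte pick
    # a 4-byte window; the top bit is masked off.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, now=None, window=1, step=30):
    """Server-side check: accept codes from `window` steps before or after."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(totp(secret_b32, now + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(totp(RFC_SECRET, now=59))  # RFC 6238 test time
    print(totp(RFC_SECRET))          # code for the current clock
```

The code depends only on the stored secret and the current time, so the computer's clock has to be close to the website's; `window` models the one-step tolerance that servers commonly allow.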