How to backup your password vault with KeePassXC

06 June 2025
security,
passwords

Using a password vault is one of the best things you can do for your digital security. There are many companies out there that will provide a password vault service (and also many reviews^[1] to rank them). This guide will focus on how to backup your passwords using an offline vault called KeePassXC, an open source program that can help both secure the backup, and keep things ready to go if you need to quickly access your passwords after the main service goes down.

Why is keeping an offline backup important?

If you go with a reputable cloud password vault, such as Bitwarden, Proton Pass, or 1Password both security and access should be top notch (99.99% uptime, if not more). However, there is one main risk that needs to be mitigated. If the company should decide to block access to your account for any reason, you will not be able to access your passwords^[2]. While you may think “I’m a good user, they would never have any reason to block access”, it only matters if they think you’re being a bad user, and it may not really be you on the other end. Perhaps someone pulls some shenanigans repeatedly trying to login with your email so they restrict or rate limit the account. Or, someone convinces a company support representative to delete the account, pretending to be you. However unlikely, part of good digital security is to have a good backup plan. Losing access to your accounts is a risk, just as unauthorized access is a risk. Both need to be mitigated as much as possible.

What is KeyPassXC?

KeyPassXC is an offline password manager. It works in a similar way to the cloud password managers, but doesn’t sync to anything by default, and doesn’t require an account. Rather, it stores passwords in a simple database file.

Installing KeyPassXC

KeyPassXC is available on macOS, Windows, and Linux. For Linux, it can either be downloaded as an AppImage, or you could build it from source. Downloads are available from the downloads page. Once downloaded, it will be the same as installing any other application.

Creating a database and backing up your passwords

Export from the cloud vault

The first step will be to export your passwords from the cloud service so that they are available for import. The instructions on how to do this will be specific to each provider, but I’ve included the big ones below for convenience:

Bitwarden: Export Vault Data
Proton Pass: How to export from Proton Pass
1Password: How to export your data from the 1Password desktop app

Throughout the process, you may see warnings that the data that you are exporting will be unencrypted. While this may sound scary, just treat it for what it is—your export file will be readable by anyone or any program, which is necessary for another program to import it. Make sure to delete it (including from the trash) after the import and you will be fine. If your threat model is beyond this (if you are a spy or journalist), you likely already know the further steps you should take.

Import into KeyPassXC

Open KeyPassXC and select “Import file”. In the import dialog, select the import file type that matches the export file, and then “New Database”. Giving your new database a descriptive name, such as “2025-06-04-pass-backup” is a good idea, and will help you know when you last did a backup at a glance.

From here, the setup is straightforward. Set a password for the vault (you can use the same password as the one for your main password vault, they protect the same thing and you will never enter this database password online). If you have a Yubikey, you can optionally use that with challenge-response as well.

Map the values in your import file to the appropriate values in KeyPassXC, save the database, and you are all done. Test that you can view records within KeypassXC before closing the program. You can move the database file between machines or USB sticks to store it wherever you like, knowing that in case of emergency, you are all squared away.

Wired: https://www.wired.com/story/best-password-managers/, NYT Wirecutter: https://www.nytimes.com/wirecutter/reviews/best-password-managers/ ↩︎
There may be some intricacies here, such as offline access settings, however I wouldn’t rely on it. ↩︎

← Previous
Email from the terminal with aerc
Next →
Copilot has entered the workplace. What's changed?