How KeePassium stays offline and works with online storage

Every iOS app lives in its own system-enforced sandbox and cannot simply access files inside other apps.

Some older KeePass apps used to work with cloud storage directly. That is, you had to provide your FTP/Dropbox/OneDrive credentials, and the app would make a direct network connection to the respective server. As a side effect, the app also received complete access to all the user files, with all the associated risks.

KeePassium, in contrast, defaults to a better method: it integrates with cloud providers indirectly, via the system. The system stands between the app and cloud storage, so they cannot and don’t need to know about each other.

How KeePassium works with storage providers

Here’s what happens when you add an existing database to KeePassium:

  1. KeePassium asks the system to show a standard file picker dialog (UIDocumentPickerViewController).
  2. The system takes control, pauses KeePassium and shows the file selection screen.
  3. The system interacts with storage provider apps to show your cloud-based folders and files. KeePassium remains paused by the system and cannot look at your files even if it wanted.
  4. Once you select a database, the system returns control to KeePassium and gives the app a special reference to the selected file. The reference is not a file path or URL; it is a numeric identifier with some auxiliary data.

As a result, KeePassium:

  • Can access the file you selected — and only that file;
  • Does not know about your other files;
  • Does not know your cloud/server credentials.
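
The four steps above, written against the public UIKit API as an added example (not KeePassium's own code). The class name `DatabasePicker` and the `UserDefaults` key are hypothetical; the persisted reference is opaque bookmark data, and iOS 14 or later is assumed.

```swift
import UIKit
import UniformTypeIdentifiers

// Hypothetical example class; names and storage key are assumptions.
final class DatabasePicker: NSObject, UIDocumentPickerDelegate {
    private let bookmarkKey = "exampleDatabaseBookmark" // assumed key

    // Steps 1-3: the system shows its own picker; the app never lists provider folders.
    func present(from host: UIViewController) {
        let picker = UIDocumentPickerViewController(forOpeningContentTypes: [.item], asCopy: false)
        picker.allowsMultipleSelection = false
        picker.delegate = self
        host.present(picker, animated: true)
    }

    // Step 4: the system hands back a reference to the one item the user selected.
    func documentPicker(_ controller: UIDocumentPickerViewController,
                        didPickDocumentsAt urls: [URL]) {
        guard let picked = urls.first,
              picked.startAccessingSecurityScopedResource() else { return }
        defer { picked.stopAccessingSecurityScopedResource() }
        // Persist an opaque bookmark so the same file can be reopened later.
        if let bookmark = try? picked.bookmarkData(options: .minimalBookmark) {
            UserDefaults.standard.set(bookmark, forKey: bookmarkKey)
        }
    }

    // Later launches: resolve the bookmark and read only that file.
    func loadDatabase() throws -> Data? {
        guard let bookmark = UserDefaults.standard.data(forKey: bookmarkKey) else { return nil }
        var isStale = false
        let url = try URL(resolvingBookmarkData: bookmark, bookmarkDataIsStale: &isStale)
        // Access is granted per item and must be balanced with a stop call.
        guard url.startAccessingSecurityScopedResource() else { return nil }
        defer { url.stopAccessingSecurityScopedResource() }
        if isStale, let fresh = try? url.bookmarkData(options: .minimalBookmark) {
            UserDefaults.standard.set(fresh, forKey: bookmarkKey) // refresh a stale bookmark
        }
        var result: Data?
        var coordinationError: NSError?
        var readError: Error?
        // File coordination lets the storage provider fetch or sync the file before the read.
        NSFileCoordinator(filePresenter: nil).coordinate(
            readingItemAt: url, options: [], error: &coordinationError) { readURL in
            do { result = try Data(contentsOf: readURL) } catch { readError = error }
        }
        if let error = coordinationError { throw error }
        if let error = readError { throw error }
        return result
    }
}
```

Nothing in this flow handles provider credentials or enumerates provider folders; the app's reach is limited to the item returned in step 4.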

In case of trouble…

Our support requests show that some storage providers don’t integrate with the system too well. As a workaround, in September 2022 KeePassium started to add direct connections to certain storage providers. However, this is intended only as a second-choice alternative; the integration method remains the default and recommended one.
