KeePassium 1.28 released

KeePassium 1.28 introduces Quick AutoFill, improved security and read-only databases.

Quick AutoFill

With Quick AutoFill, you can enter passwords with a single tap. When you are in a login form, KeePassium will show relevant entries directly above the keyboard:

Quick AutoFill in action

Tap the username, look at Face ID prompt — and the form is filled out.

Behind the scenes, KeePassium receives the page URL and username, loads your database, finds the relevant entry, and returns the password. This responsiveness requires KeePassium to share (in advance) some sensitive data with the system. That’s why Quick AutoFill is an opt-in feature, turned off by default. For more details, please check how to use Quick AutoFill.

Quick AutoFill saves you the time and distraction, so you can stay focused on your work. As a convenience feature, it is available in the premium version of KeePassium.

Improved security

Process memory protection

KeePassium now uses Secure Enclave hardware to encrypt the most sensitive data in process memory. In particular, this applies to database encryption keys. This way, even an advanced attacker with access to device memory won’t be able to extract the database keys.

(It is important to mention, however, that some data cannot be protected. In particular, any text you see on the screen or enter manually. System libraries can keep temporary plain-text copies of these data, and there is no way to securely erase them all.)

File-level protection

All the app files now use the highest protection level available in iOS. Databases, key files and backup copies are now additionally encrypted in flash memory, with the encryption key stored in the Secure Enclave. This ensures that the files cannot be accessed while the device is locked.

The default file protection level is defined at the installation time, so you will need to reinstall KeePassium to activate file protection.

Device-bound keychain

All the data KeePassium stores in the system keychain are now explicitly restricted to the current device only, only while it is unlocked. This ensures that no sensitive data will ever touch iCloud, regardless of device settings. If you transfer KeePassium to a new device, you would also have to manually unlock your database first.

Biometric data changes

Starting from this version, KeePassium will allow biometric unlock if the original biometric data is intact. For example, if somebody registers a new fingerprint in device settings, KeePassium will ignore Touch ID sensor altogether. Once you unlock the app with your passcode, KeePassium will turn on the biometric sensor again.

Read-only databases

Now you can protect your database from accidental modification and mark it as read-only. This will disable all the interface elements that can potentially alter the database.

Marking a database as read-only in KeePassium

iOS 14 or newer

Starting from this update, KeePassium requires at least iOS 14. It has been around for more than a year and works on any device capable of running iOS 13. This way, KeePassium can focus on delivering the best possible user experience with new UI controls. This also saves a lot of time on finding workarounds for old iOS bugs that have been fixed years ago.

There is still about 1% of iOS 12 users who cannot upgrade to a newer iOS version. If you already have KeePassium installed, it will keep working as usual. You can also reinstall the app, if necessary — this would get you KeePassium 1.27, the latest version compatible with iOS 12.