KeePassium 1.36 released

KeePassium 1.36 adds in-app WebDAV sync, YubiKey support on macOS (beta builds) and prepares headroom for future improvements.

Network access setting

From its conception in 2018, KeePassium was designed as an offline app. This was critically important for transparency. The only way to check the app does not “call home” was to check the data consumption stats in device settings. To make this possible, all the “networked” features were mercilessly rejected. KeePassium had to stay offline.

Since then, a few things have changed:

  • We have received many requests for password-management features that rely on an external service (such as HIBP). By rejecting these features, KeePassium would fall below industry standards.
  • Cloud sync via Files integration proved to have issues. When a cloud provider’s bug breaks your synchronization, there is nothing we can do about it on KeePassium’s side. All we could do was observe and document known issues in a dozen third-party apps.
  • Most importantly, iOS 15 introduced App Privacy Reports, which show detailed network activity of every app. Now you can see exactly which services every app has contacted, when and how often. So it is possible to add some networking features and remain transparent.
    Network connections of KeePassium vs another app. KeePassium only requested its in-app purchases from Apple. The other app sent logs and usage analytics to Google.
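
As an added example (not KeePassium's code), the same comparison can be scripted against an App Privacy Report exported from the device: the script totals network hits per app and domain, then lists the domains that fall outside an expected set. The field names (`type`, `bundleID`, `domain`, `hits`) are assumed to follow the export's NDJSON layout; the bundle IDs, domains and sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed NDJSON layout of an exported App Privacy
# Report (one JSON object per line). Bundle IDs and domains are placeholders;
# the fourth line is deliberately truncated to show damaged input being skipped.
SAMPLE_EXPORT = """\
{"type":"networkActivity","bundleID":"com.example.vault","domain":"purchases.example-store.test","hits":3,"timeStamp":"2023-02-03T18:30:00Z"}
{"type":"networkActivity","bundleID":"com.example.otherapp","domain":"analytics.example-ads.test","hits":41,"timeStamp":"2023-02-03T19:00:00Z"}
{"type":"access","category":"camera","accessor":{"identifier":"com.example.vault","identifierType":"bundleID"},"timeStamp":"2023-02-02T12:00:00Z"}
{"type":"networkActivity","bundleID":"com.example.vault","domain":"trunc
{"type":"networkActivity","bundleID":"com.example.vault","domain":"Purchases.Example-Store.test.","hits":2,"timeStamp":"2023-02-04T08:00:00Z"}
"""

def domains_by_app(ndjson_text):
    """Return {bundle_id: {domain: total_hits}} from networkActivity records."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or damaged lines instead of aborting
        if not isinstance(rec, dict) or rec.get("type") != "networkActivity":
            continue  # sensor/data access records are not network traffic
        bundle, domain = rec.get("bundleID"), rec.get("domain")
        if bundle and domain:
            # Normalise case and a trailing dot so one host is counted once.
            totals[bundle][domain.lower().rstrip(".")] += int(rec.get("hits", 1))
    return {b: dict(d) for b, d in totals.items()}

def unexpected_domains(activity, bundle_id, allowed_suffixes):
    """Domains the app contacted that match none of the allowed suffixes."""
    def allowed(domain):
        # Match on label boundaries so "xexample.test" does not pass for "example.test".
        return any(domain == s or domain.endswith("." + s) for s in allowed_suffixes)
    return sorted(d for d in activity.get(bundle_id, {}) if not allowed(d))

if __name__ == "__main__":
    activity = domains_by_app(SAMPLE_EXPORT)
    for bundle in sorted(activity):
        print(bundle, activity[bundle], unexpected_domains(activity, bundle, ["example-store.test"]))
```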

So the project was at a crossroads:

  1. Keep staying strictly offline, no matter what. Hardcore privacy fans would respect that. However, the majority of users would grow tired of Files sync issues and the lack of industry-standard features — and would eventually migrate somewhere else. The project would slowly decay.
  2. Forget about offline and go wild with networking features. This would mean breaking a promise and offending the most loyal KeePassium users.
  3. Split the project into “offline” and “online” apps. This would cater both to offline purists and those who want online functionality. However, premium users would have trouble transitioning between the apps. Plus, another app edition would add a significant development and maintenance overhead.

After a long and rather painful consideration, we have settled on a hybrid solution: network access permission.

Network access permission in KeePassium settings

Starting from this update, KeePassium has a network access permission in the app settings. This way, you can decide for yourself whether to keep the app offline (the default setting) or enable network-dependent features. And the first of these features is…

In-app WebDAV support

WebDAV is a well-established protocol for remote file storage. It is particularly important for people who self-host their files — be it on a home NAS or a private Nextcloud instance. Unfortunately, the original iOS apps of these services leave a lot to be desired regarding their integration with the Files app. That is, self-hosting users — KeePassium’s core audience! — were the ones most affected by sync issues caused by third-party apps.

In this update, KeePassium introduces the long-awaited solution: in-app WebDAV support. If you ever struggled with Nextcloud or Synology Drive, now you have an alternative:

  • Open KeePassium settings and activate network features
  • Go to the list of databases, tap Plus button → Connect to Server
  • Link KeePassium to your database. (For self-signed HTTPS certificates, turn on the “Allow untrusted certificate” option.)
    WebDAV connection setup

This new feature enables seamless sync with a long list of WebDAV-compatible services, such as:

  • Nextcloud
  • Synology NAS
  • Seafile Pro
  • ownCloud
  • QNAP NAS
  • pCloud
  • NutStore
  • HiDrive
  • Surfdrive
  • Yandex.Disk
  • Fritz!Box NAS
  • WD My Cloud NAS
  • myCloud by Swisscom
  • MagentaCloud by Deutsche Telekom
  • …and many others

So far, we have tested KeePassium with Nextcloud and Synology NAS. Should you notice any issues with WebDAV sync, please let us know.

YubiKey support on macOS (beta builds only)

KeePassium for macOS also made a big step towards the release. The native Mac version now supports YubiKey hardware keys with a USB interface.

YubiKey support on macOS

While the iOS app uses Yubico’s convenient library to communicate with the key over NFC or Lightning port, the code for macOS had to be written from scratch. It works via the USB HID (human interface device) report protocol, similar to how the system works with keyboards and other input devices.

The first time you use the YubiKey, the system will prompt you to grant KeePassium the “Input Monitoring” permission, the same as for YubiKey configuration apps. Without this permission, the app won’t be able to receive responses from the YubiKey.

Input Monitoring permission required for USB YubiKeys on macOS.
⚠︎ Native macOS builds only

YubiKey support won’t yet work if KeePassium is installed from the App Store. While Apple Silicon based Macs can pretend to be an iPad and run iOS apps from the App Store, these mobile apps don’t have access to USB ports.

Only the native “KeePassium for macOS” build can use the required USB capabilities. You can install macOS beta builds from GitHub or via TestFlight. Once the Mac app is officially released, the App Store version will also gain YubiKey support.

The above does not apply to iPad Pro users: unfortunately, iPadOS still does not support USB YubiKeys…