Home

What do you use for syncing your password manager between your Android phone and your PC? Apparently Nextcloud doesn’t support two-way syncing on Android for some reason, and Syncthing-Fork is still untrustworthy since the disastrous handover. The AI generated profile picture of researchxxl doesn’t exactly inspire confidence either, neither does his GitHub bio:

Hi! My name is Jonas and I like to use my coding skills from games and modding to continue work on the Syncthing for Android wrapper.

Everything about this person screams vibe coder.

Bitwarden is an alternative, but I don’t like how non-standard it is. It’s cumbersome to manage and backup, meanwhile the KeePass format is just a file that I can backup wherever and however I want and there are many frontends to choose from.

Have you solved this?

I use proton and it seems to work just fine for me

I use passwordstore.org which is basically a bash script that wraps GPG; but there is an Android client as well.

Everything is stored in encrypted files tracked by git. Files are synchronized by git/SSH to a server I run.

I don’t update my db often enough to need syncing. Maybe every other week or so I just pull the latest backup from my desktop from backblaze b2 to my phone, or if I change something on the phone, I send a copy to myself using signal “note to self.” Then I manually merge the databases.

Pretty low-tech.

Keepass for Android, my database is stored on OneDrive. Easy access on my win pc and android (KPA has built in sync for many cloud storage providers)

I migrated out of keypass and into vaultwarden, not looked back since.

Vaultwarden handles the syncing for me.

However I do export backups on both my phone and laptop just in case.

Yeah, I have a tendency to modify my database quite often. I often make new accounts, add attachments, modify passphrases on older accounts, etc. I modify it several times a week. I might be an outlier, and in that case I understand why people don’t consider this to be a huge problem haha.

What’s the problem with Nextcloud? I use KeepassDX (on android, KeepassXC on desktop) with the database on Nextcloud and don’t have any problem syncing.

I use KeepassDX syncing via Nextcloud, works flawlessly. I also used to use Keepass2Android, also works very well.

Can you elaborate on the “nextcloud doesn’t support 2-way syncing on android” statement? I can sync my Keepass database back and forth without issues.

I actually used pass many years ago and I quite enjoyed it, except for the fact that the entry names are presented in clear text. You’d also have to manage your GPG secret which I’m not a fan of (in fact, my password manager is how I usually manage GPG and SSH keys in the first place). On the other hand, I guess you should keep a key file on each device on top of a passphrase even if you use a KeePass database, so I guess that point is moot. There are also no good way to include attachments. At that point Vaultwarden feels more convenient, but the more I’m thinking about it, the more I’m warming up to the idea. We’ll see, maybe I’ll give it a shot again.

Thanks for sharing your thoughts!

I just switched back to vaultwarden. My vaultwarden data is backed up as part of my nightly backups. Desktop and android use bitwarden clients. Otherwise you could see how seafile might work for you to sync your keepass db. If you are on android with termux you can run syncthing in termux which also works and avoids the issue with the syncthing fork

Do you do it manually into e.g. protected json, or to a normal zip (the former doesn’t support attachments as far as I know)? Or have you found a way to do it automatically? One con that I’ve read about this is that backups from one version is not guaranteed to work on another version. Thanks.

I’m looking for a selfhosted alternative, I’m not really to keen to place all of my password eggs into one company basket so to speak. But yes, other than that, Proton is a good choice (but I’d probably go with Bitwarden personally). Thank you.

Understandable why you would want to selfhost. I also use proton and for me it is something that I would rather pay for so I don’t have to administer it. I also hope they’ll keep improving the auto-fill experience.

I am also using KeepassDX and Nextcloud. I’ve had this setup for years and never had an issue with syncing.

This issue: https://github.com/nextcloud/android/issues/19

I’m talking about this issue: https://github.com/nextcloud/android/issues/19

On Android I use KeePassDx Syncthing-Fork. The handover was rough but the maintainer of the Play version joined researchxxl’s team. Many on the Syncthing forum seem to have accepted research which is good enough for me. Also, KeePass’s database in encrypted so no danger there.

I ain’t reading all that… All I can say is, sync (both ways) with Keepass & Nextcloud on Android works just fine for me.

I see where you’re coming from. I also really wanted that in my early days of android and nextcloud. Turns out, nowadays you don’t really need that for most use cases, and definitely not for KeePass syncing. Nextcloud app for android exposes all the files via content framework and KeePassDX can sync two ways via that. Other apps like Keepass2Android even have direct nextcloud support via WebDAV, though these days I prefer KeePassDX a little bit more for unrelated reasons.

I recommend you try either KeePassDX or Keepass2Android and see for yourself.

Also, most file managers support CF and will show you your nextcloud files as if they were real files on the device, even without “real” two way sync, and most other apps will be able to save & open files directly from nextcloud.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

[Thread #167 for this comm, first seen 15th Mar 2026, 17:10] [FAQ] [Full list] [Contact] [Source code]

i self host, and back up, vaultwarden, and use bitwarden in browser and android.

smbsync2

I’m currently using KeePassDX and I’ve set up the Nextcloud server and downloaded the Android app. I’ll give it another shot. Can you explain more how you’ve set this up for yourself? What does CF mean, and what file manager do you recommend?

Thanks!

KeePass2Android:

1000068180:https://feddit.org/pictrs/image/8f3846a6-1563-4c06-9a52-ee1a06ef8624.jpeg

I use keepass2android and “sync” via its native WebDAV support with my nextcloud instance as the source. Been working great forever.

CF = content framework, android somehow decided that users shall not see and interact with “real” files and instead, have apps like nextcloud actnlike content providers and expose a file-like API …whatever, it is what it is, but in the end it works.

I’m currently using Material Files, but even android’s default file manager, bundled with the OS, shows Nextcloud in the left sidebar (your mileage may vary on this one, as each phone vendor tens to customize it a bit).

As for my setup, there’s really not much to it: I selfhost nextcloud, have KeePassDX and the Nextcloud app, and when you setup KeePassDX, select “Open existing vault” and in the sidebar you should be able to select Nextcloud and pick files from there.

Note: For Material files, and most file managers really, nextcloud might not show up by default (“security” or something), but you can “add external storage” and give it permissions.

I managed to get it up and running now, thank you! It wasn’t intuitive at all, compared to using nextcloud-client on the desktop. I’ll try this for a while and see if it works for me.

Glad to help!

Yeah, self-hosting often means trading more control for less convenience, some times more than others. Either way, I hope this setup works for you!

Are there mechanisms for fully automatic synchronization on every file change and every initialization in the Android and console apps for password-store out of the box these days? Using Syncthing with password-store at the moment to get a user experience as close to that as possible. Had to switch from the Android app to Termux and the CLI because the app no longer supports usage with Syncthing.

I still think a syncthing client of some form is ideal. As someone else mentioned there is the option of using the Syncthing Tray devs experimental android build. To avoid issues with sync-conflicts / maintain high-availability access to the most recent file, I sync the databse to a raspberry pi with the encryption option selected (not that the pi is untrusted per se, but it is a device that doesn’t need access to the file, it just serves the most recent changes to other devices since often my laptop / phone / desktop are not all on at the same time).

Passwords Nextcloud app

Selfhost Vaultwarden. Browsers Bittwarden extensions and Android with Keyguard app.

I share your sentiment about Syncthing-Fork and the botched handoff to researchxxl. I have yet to implement the Termux-based workaround that allows me to use Syncthing from the browser without the Android app / wrapper.

For say a keypass db you don’t need even that, Just sshd gets you rsync on your computer with cron or systemd timer / service… Personally I just use an old version of Syncthing-Fork though, security implications for local network are minimal.

bitwarden

seems odd you say how cumbersome it is to manage and backup (not an issue I’ve faced though) and yet you are using some cumbersome alternative ?

Do you store TOTP in a seperate KeePass?

For me swappog between two Keepass DBs is annoying. I can’t find anything that will sync my 2FAs.

Well with Vaultwarden any synced device is a complete backup. So you don’t need to worry about version issues.

I use Vaultwarden. Each synced device is a backup, so there’s no real need to keep anything further than that, but I do keep one backup of the server files anyway.

Yeah, that’s a good point. There are still a few cons though:

1. If the server goes down (or your internet connection goes down), you can’t add entries to your database. Local changes aren’t allowed.
2. Bitwarden doesn’t support supplementing your passphrase with a key file.
3. The Bitwarden clients aren’t enitrely FOSS as far as I understand, the SDK used has a non-free license.

There are pros and cons in both alternatives, and there is unfortunately not a perfect solution. I like the idea and philosophy behind the KeePass format, so the increase in syncing complexity is worth it (for now at least).

Tbh, I’ve never bothered figuring out how SSHing into an Android device works.

You’re right about the security of older versions of Synching-Fork if you remember to configure it to only do syncs locally (it’s not configured like that by default).

I use Nextcloud + KeepassDX on android and KeepassXC on PC. Have never had an issue. Changes on desktop/phone are propagated virtually immediately across devices.

I’ve run into this issue with obsidian, but for whatever reason I haven’t had any issues with keepassdx.

When opening an existing keepass vault, on the left there’s an “Open From” pullout menu. You should be able to select your nextcloud from there. Then find your keepass file and it’ll just work.

I don’t know why, but obsidian doesn’t have the same file picker. There’s no “open from” menu. So you just have to drill into the filesystem, find the folder nextcloud is using, and choose your notes vault you’ve sync’ed in there. And for whatever reason, that seems to be the method that breaks Two-Way Sync.

Same here. There was a window of a couple of months when some NC background process wasn’t running reliably in Android, but that got fixed (a year ago?) and it’s been rock solid before and since.

I don’t. Kinda seems silly to me.

To access a keepass file you already need 2 factors: the master password and access to the file.

Syncthing-Fork is still untrustworthy since the disastrous handover

Maybe I’m OOTL on this?

I thought everyone concluded that it was poorly communicated but ultimately no indication of any foul play.

I’m running the standard version of syncthing through termux at the moment. It lacks some of the power management options, but otherwise I’ve experienced no issues.

Correct.

That conversation has finished, the dust has settled and syncthing-fork is fine.

Vaultwarden with the Bitwarden Android app and browser extension for my desktop. I already have a solid system for backing up the important data for all my docker containers. As soon as I added it, it was automatically added to that process.

My spouse has an account so if I side she can gain access to my passwords with a simple request. That’s function is important to me.

If you’re using a keepass database, Keepass2Android can natively sync with many cloud options including self hosted and generic ones, even without specific “companion” apps. That’s what I use. In my case, it’s backed by my NextCloud, but it used to be Google drive before.

Just also sync the file on your PC, merging changes from different clients is part of the keepass database format and “just works”.

Also VaultWarden works great if your can self host it, but I prefer keepass for a variety of features and integrations.

Nextcloud and favorite the file. It’s worked reliably forms for years.

Its not really 2 factors if it’s stored in the same DB though.

I came from Bitwarden where the community recommendation was to not store passwords and 2FA together in the cloud. If a beach orccurs and you lose both then there wasn’t a point in having the 2FA.

Less of a risk with a local solution but still not sure.

Keypass with the vault loaded onto a free OneDrive account.

Just back it up occasionally.

Personally, I use Keepass with syncthing and it works fine enough. If you don’t really trust the new person behind Syncthing-Fork, you could always install the older version before the handover (I think before v3.4?). If you really don’t trust syncthing at all, you could just manually back it up. New passwords aren’t made every day, so you could just copy the passwords database over between your devices whenever there’s a change. That’s what I did before I heard about syncthing, and is what I do with my music still, since I don’t regularly update what music I listen to.

In the event of a server fail, can you export from any device?

If u have 2fa in the same database u can login on devices you don’t trust. E.g. a coworkers computer/public computer in library.

Yeah. So that seems to remove the 2 from 2FA…

Yes, it is two factor, it’s just that there is no additional factors required to get the TOTP.

If you don’t use a password manager then you just remember your passwords. In this case the second factor is having access to a device that has your TOTP generator.

If you use keepass then you remember the password for your password db, and to access your passwords or TOTP you need access to a device with your keepass db.

Well yes, but no. If you only operate your password store on devices you trust, then even typing in your password on a device with a keylogger active, won’t compromise your account since you have the 2nd factor (e.g. the TOTPs)

Vaultwarden is FOSS (GPL).

It’s true re adding passwords while the server is offline, but my server runs 24x7 and it’s never down for more than a few minutes. If it goes down, I fix it. I also backup the encrypted DB regularly to cloud, so there is little risk of data loss. I am a very satisfied Vaultwarden user. Especially because it allows password sharing with my family. Everyone has an account.

Yes, but do not log out. If you do, you can’t log back in, and you can’t export. I’m paranoid so I still back up my encrypted db to cloud on a schedule.

Paid bitwarden.

I use Bitwarden too. I now use the paid version (which is incredibly cheap) but I was able to sync between Android and PC without the paid for version iirc

Keepass + syncthing = win

The only (known to me) perk of the paid version is the encrypted storage (and probably the org feature).

So yeah. I see it more of a donation/appreciation than a service fee.
But the recent peice increase stung a bit.

OpenCloud seems promising. It’s a fork of ownCloud from former developers of ownCloud, lighter weight than NextCloud, it uses flat files to store data rather than a DB, and it has an Android client on F-Droid (and Google Play).

My exact answer as well. Saved me some typing - thanks :)

Paid also helps if you share passwords with multiple people.

Bitwarden.

Paid. Not because I need the added paid features, but because I value it and want to show my appreciation for the developers.

Vaultwarden, no question. When I used KeePass, I had Synology Drive which worked well to sync.

KeePass and Syncthing. Nearly flawless - I sync the database across 6 devices, so there is the occasional conflict, but I think that’s more user error than anything. It’s fairly easy to resolve since Syncthing clearly labels the affected file.

I’m hesitant about OpenCloud. Their parent company is Heinlein Group, and I know nothing about them or their reputation. Their website uses a lot of marketing fluff, which puts me off already.

KeepassXC and Nextcloud. Been working fine for years.

If you’re curious, their GitHib issues and website have a bit more about them: https://github.com/opencloud-eu/opencloud/issues/231

The Heinlein Group, to which OpenCloud belongs, is probably best known as the operator of the email provider mailbox.org, but also develops OpenTalk, an open source video conferencing solution. from heise.de.

Being the owner of mailbox.org doesn’t mean anything to me, but it’s context. And there’s more info in that GitHub issue’s links.

My impression is that they know what they’re doing when it comes to production ready software–I share the OPs concerns about the syncthing-fork maintainer–and they have the funding and acumen to stay in business, meaning their software will be maintained.

@clifmo @versionc not on android but vaultwarden syncs across basically everything. Mac, Linux, Windows, ios, and should hit the bitwarden app and extensions on android too. my only extras catch is I put it behind my tailnet. so I have to have the device on it to see it. Though if you are trying to stay away from bitwarden/vaultwarden I'm not sure.

This bit from the heise.de article stood out:

Kiteworks, on the other hand, is less than enthusiastic about – a closed group of developers who are now using the same code in their own company that they already developed under Kiteworks or ownCloud? For Kiteworks, this smells like poaching, so the company is going on the offensive: in an interview with heise online, Kiteworks CEO Jonathan Yaron stated that he intends to sue Peer Heinlein under German and US law: “We love open source, but we won’t let anyone steal from us”.

facepalm

KeePass2Android is a fantastic project. I’ve been using it for 10+ years on my Android devices. Every once in a while I’ll try a different variant, like KeePassDX, but I always return to the spartan look of KP2A. It “just works”, with no extra fluff.

Works perfectly on android. Push notifications, sync, passkeys, everything

Same setup here. Worked for years and I’ve no plans to switch. As long as Nextcloud is up, bidirectional editing is simple. Trouble comes when one of the clients edited the KeePass file and can’t sync.

I’ve had that happen though rarely. In those cases it’s been easy to manually merge the one or two entries if necessary.

I’m a vaultwarden user, who likes the idea of both the bitwarden and the keepass way. Just to consider new possibilities, isnt it possible to put the keepass db in a private git (selfhosted forgejo or gitea). And sync the repo with an app like puppygit which syncs automatically everytime I open or close keepass. Is this a safe walkthrough?

I like the idea of using git, and there are people using it with their KeePass database (here’s an example), but I don’t think it’s optimal. If you want to use git, pass is probably the better option, but that brings in a whole lot of other problems.

I’ve started using Nextcloud to sync my database and it’s worked out fine so far. Though it would be nice to use something like git that I use all the time regardless, right now the whole bloated Nextcloud stack I have hosted only syncs my small password database haha.

Android Password Store!

Its a port of linux passwith git built in.

You backup your passwords in a private repo and sync back and forth. It’s great if you already use pass

Yeah, it seems like ownCloud isn’t happy about some of their developers forking the code and starting a new company.

For me, that doesn’t really affect my opinion of OpenCloud for my personal use, though.

Yeah, pass has been discussed a bit in the thread already, but there are a few security issues that keep me from using it. Speaking of security, I had no idea the Android app was archived in 2024. That’s quite a long time without updates. Are you using a fork?

Thank you for sharing your workflow wither way! Using a git based solution would be amazing.

I ended up going with KeePassXC on desktop + KeePassDX on Android, synced via Syncthing. Here is what made it work reliably:

• Set Syncthing to sync only the .kdbx file (not the whole vault directory)
• Enable “ignore permissions” on the Android side
• Use Syncthing’s file versioning (simple, keep 5 versions) as a safety net against corruption
• On Android, KeePassDX can directly open from the Syncthing folder — no extra steps

The Syncthing-Fork situation is concerning, but the original Syncthing Android app still works. You can grab it from F-Droid or GitHub releases directly.

Alternatively, if you already run any kind of server (even a small VPS), Vaultwarden is genuinely fantastic. It is a lightweight Rust implementation of the Bitwarden API — runs in a single Docker container using maybe 20MB RAM. The official Bitwarden apps on every platform just connect to your self-hosted instance. Setup takes about 10 minutes with Docker Compose + Caddy reverse proxy.

I have been running Vaultwarden for about a year and it has been completely bulletproof for syncing across 4 devices.

Vaultwarden

well, now i need to move from owncloud to owncloud

That entry names are stored in plain text doesn’t bother me; if somebody has broken into my system so well that they’ve copied my password store then the last of my concerns will be if they can easily find out if I have a password stored for example.org or example.net. At that point it doesn’t matter if they can tell that I have a Jellyfin password stored, because that service is running on my server with clients installed on my phone & tablet.

And I handle key storage with a pair of Yubikeys which hold a copy of my private key. It can’t be extracted (only overwritten). There is a physical copy kept on offline, disconnected storage, which could be an attack vector – but if we’re at the point of somebody breaking into my house to target my password management then all bets are off: you don’t need to break my kneecaps with a hammer for me to tell you everything, I prefer to keep my knees undamaged.

For attachments I just add another entry; /services/example.org-otherThing - there’s nothing stopping you from encrypting binary data like an image.

And when it comes to convenience: I have a set of bash scripts that use Wofi to popup a list of options and automatically fill in data. Open example.org click the login field, hit meta-l, type example.org, hit enter and wait a moment: it’ll copy and paste the username, hit tab for me, then copy/paste the password, then copy a bunch of random data into the clipboard buffer like 10 times before copying an empty string another hundred times to flush said buffer. meta-f for username only, meta-g for password only; it’s honestly way more convenient for me than the 1Password setup I use at work.

I understand the point the video is making, but I think it’s irrelevant if you keep the private key on something like a Yubikey.

There has to be, the PasswordStore app for Android can keep the GPG files in a storage location where other apps can read & write them. All you need is something to handle the synchronization.

I’m a control freak and prefer to do things like that manually, so I just use the built-in git & SSH based method it provides.

I remember the shared storage location functionality in the Password Store app but I no longer see it in any versions released since last year. That’s why I had to switch to Termux. Also a control freak, just a different kind 😅

I keep everything in the KeePass DB. I wouldn’t do this with a password manager that stores info in the cloud.