Passwordstore was my password manager for a long time. I thought it was a very good idea to use software (git and gpg) that is necessary on my desktop anyway. That's good for simplicity, attack surface, yadda yadda.
However, times changed. I switched my distribution from Arch Linux to Alpine Linux. Alpine does not use gnupg; it relies on X.509 certificates (backed by OpenSSL) to sign and verify packages. That makes GnuPG third-party software, and I was not happy with it:
- gpg uses an overly complex key format. Moreover, there's no easy way to extract the raw key material, for example to convert it to an ssh key.
- gpg doesn't play well with modern supervisors. There's no proper way (because of some tech debt, AFAIK) to launch it under systemd, openrc, s6 or whatever and get its sockets. GnuPG devs say "just use some gpg command, and it'll launch the daemon by itself". Great, so how do I properly save its logs, in a unified way? Moreover, that doesn't work with ssh emulation anyway: to get your gpg keys into ssh, the only way is to run `gpg-connect-agent /bye` or something beforehand.
- gpg doesn't integrate with an already existing ssh agent. It completely replaces it, which is very inconvenient on macOS, because macOS runs its own ssh agent and there's no proper way to override its `$SSH_AUTH_SOCK` system-wide.
- no Android support. There's that project, OpenKeychain, but… "This software is no longer actively developed. We will still apply security fixes where reported, and do basic maintenance work, but no new features or will be worked on", and this software is by no means "complete".
Moreover, I wasn't happy with the passwordstore ecosystem itself. Not only is OpenKeychain buggy and abandoned, but the only pass-compatible software on Android, android-password-store (which uses OpenKeychain), is also buggy and abandoned. For example, it doesn't work with ed25519 ssh keys for synchronizing your password database with a git repository, and there's no biometric unlock. I had to enter my password all the time.
So after considering all of the above, I decided to take a look at KeepassXC once again.
- it stores passwords in one database file. Good for synchronization.
- it adds its ssh keys to already existing ssh agent. Works great with macOS.
- it has an actively maintained Android application (I use KeepassDX).
- it supports passkeys
The showstopper for me back then was that there was no way to get passwords out of kpxc from the CLI. However, I learned that this isn't exactly true on Linux. KPXC can act as an XDG Secret Service provider, so you can use libsecret to query it:
$ secret-tool lookup Path /openrouter.ai
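A small wrapper around the `secret-tool lookup` call above, as an added example that is not part of the original post or of KeePassXC itself. It assumes KeePassXC is running with its Secret Service integration enabled and that the entry is exposed with an attribute named `Path` (the attribute name and the `/openrouter.ai` value follow the post). The helper names `kpxc_lookup` and `kpxc_require` are my own; they distinguish "no Secret Service / no such entry" from a real secret so that a script never silently continues with an empty password.

```shell
#!/bin/sh
# Added example, not code from the original post or from KeePassXC.
# Fetches a secret from KeePassXC through the XDG Secret Service API using
# secret-tool (the libsecret CLI). Assumes KeePassXC is running with Secret
# Service integration enabled and the entry carries a "Path" attribute.

# kpxc_lookup NAME VALUE [NAME VALUE ...]
# Prints the secret of the entry whose attributes match all NAME/VALUE pairs.
# Returns non-zero (and prints nothing) when secret-tool is missing, when the
# arguments are malformed, or when no entry matches / no service is running.
kpxc_lookup() {
    [ "$#" -ge 2 ] && [ $(( $# % 2 )) -eq 0 ] || {
        echo "usage: kpxc_lookup NAME VALUE [NAME VALUE ...]" >&2
        return 2
    }
    command -v secret-tool >/dev/null 2>&1 || {
        echo "secret-tool (libsecret) is not installed" >&2
        return 3
    }
    # secret-tool exits non-zero and prints nothing when there is no match.
    secret-tool lookup "$@"
}

# kpxc_require NAME VALUE [NAME VALUE ...]
# Same as kpxc_lookup, but an empty result is treated as an error too, so a
# calling script fails loudly instead of exporting an empty credential.
kpxc_require() {
    secret=$(kpxc_lookup "$@") || return $?
    [ -n "$secret" ] || {
        echo "no Secret Service entry with attributes: $*" >&2
        return 1
    }
    printf '%s\n' "$secret"
}

# Usage (hypothetical tool name): pass the key to the child process through
# its environment only, not on the command line where `ps` would show it.
#   OPENROUTER_API_KEY="$(kpxc_require Path /openrouter.ai)" some-tool
```

Two things worth keeping in mind when scripting this: the Secret Service D-Bus API itself has no per-client access control, so any process in your session that can reach the bus can issue the same lookup, and KeePassXC's integration can be configured to ask for confirmation on each retrieval, which is the setting you want on a shared or less trusted desktop; and a lookup that silently returns nothing (database locked, service not running) must be treated as a failure, which is what `kpxc_require` does.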
Side note: I tried those LLM agents (as is evident from the path openrouter.ai); however, spending money on that while coding my pet projects makes me nervous, and I can always use the LLM chat interface anyway. As for work projects, we determined that self-hosting something like DeepSeek makes sense only for big teams, like 50+ people. That is not the case for us, so we're not using it.
So, all in all, I finally decided to switch from passwordstore to KeepassXC, and I'm happy with that.