Be wary of file sync conflicts with KeePass apps on Android

KeePass is a tried and tested open-source encrypted password manager available for Windows. You can also use one of the many forks for Android, iOS, Linux, MacOS, and other operating systems. KeePass has created the de facto standard for encrypted password vault/database files (.kdbx). Syncing the vault files between your computers and Android can cause problems with some KeePass apps, however.

KeePass (and its many forks) stores your passwords encrypted in a secure vault/database file. Unlike other password managers like LastPass and Bitwarden, you’re solely responsible for storing and backing up your password vault. You can transfer the vault file between computers with Syncthing, Resilio, Dropbox, OneDrive, Google Drive, a floppy diskette, or however you prefer moving your files around. Multi-computer set-ups with file synchronization introduce the risk of file synchronization delays and conflicts.

For example, say you have KeePass open on your laptop and your desktop computer simultaneously. KeePass will detect changes to the database file and reload it automatically. It also reads the file anew before saving any changes, to be doubly sure it doesn’t overwrite any remote changes. This pull-before-push file handling pattern helps prevent file synchronization conflicts and data loss in everyday use.

The password database can still get out of sync, e.g. due to a temporary loss of networking, and this will still cause conflicts. Ideally, you should choose a file synchronization program or cloud storage solution with file version history. In case of a sync conflict or overwritten changes, you can restore old versions of the password database from the file version history.

You can find several KeePass-compatible password managers for Android in the Google Play Store. Some have millions of active installations, so these apps are quite popular. Unfortunately, many of these apps don’t handle remote changes to the KeePass vault file as well as their computer app brethren.

To compound the problem, cloud storage and file synchronization are often delayed on mobile apps due to stricter background power- and data-saving policies. A file synchronization app might not run until you unlock your device and have already opened your preferred KeePass app. After you’ve opened your KeePass app and unlocked your vault, a new version of your vault might be downloaded in the background. That’s a potential data loss disaster waiting to happen.

I’ve tested how the five most popular KeePass-compatible apps for Android handle a simple database conflict. The test was quite simple: I opened the database on my Android phone and my computer simultaneously. I added a new entry to the database on my computer and waited until the updated database file had synced to my phone. I then added a new entry on my phone, and inspected how the app handled the conflict.

Just to get the bad apps out of the way first: the following list of apps failed my tests completely and just overwrote my remote changes, no questions asked.

You should avoid using any of the above apps if you use KeePass on more than one device. Luckily, there are two more KeePass-compatible Android apps, and these two do a better, if not perfect, job at avoiding sync conflicts.

The KeePassDX app automatically detects that the database file has changed and tells you about it. It tells you to reload the database file, but it leaves it up to the user to cancel what they’re doing (discarding any unsaved changes in the process), go to the main app view, open the hamburger menu, and tap to reload the database. If you ignore the message, the app will overwrite any remote changes if you save any changes.

KeePass2Android automatically detects changes to the database file and prompts you to merge or overwrite it. Merging does a pull-before-push write, whereas an overwrite discards the remote changes. Worryingly, the merge option often causes the app to crash, but I haven’t actually lost any changes made in the app or remotely. The app doesn’t have a setting to remember your preferred conflict resolution method.

The merge and overwrite buttons in KeePass2Android are very close together and not visually differentiated. You can easily tap the wrong button if you aren’t super careful. This UI issue is partly the fault of Android’s material design language. It doesn’t differentiate between regular buttons and destructive buttons, e.g. buttons that cause irreversible data loss.

Neither of these Android apps does a superb job, but either one should help you avoid accidentally overwriting recent changes in your password vault. KeePass2Android does a better job at this one task, but KeePassDX will help you get set up and going faster. Both apps come with a built-in password-entry keyboard and support for auto-filling passwords (in supported browsers and apps). Note that neither app reloads the database file if you use its quick-unlock feature!
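To make the three behaviours concrete, here is an added simulation (not code from any of the apps or from the KeePass project) of the conflict test described above. The vault is modelled as a JSON file standing in for the encrypted .kdbx, and a `mode` parameter selects between the silent overwrite of the failing apps, the KeePassDX-style "reload first" refusal, and the KeePass2Android-style pull-before-push merge; all names are hypothetical.

```python
import hashlib
import json
import os
import tempfile

# The vault is modelled as a JSON dict {entry_title: password} standing in for
# the encrypted .kdbx file; only the sync/conflict handling is demonstrated.

def read_vault(path):
    with open(path, "rb") as f:
        data = f.read()
    return json.loads(data), hashlib.sha256(data).hexdigest()

def write_vault(path, entries):
    with open(path, "wb") as f:
        f.write(json.dumps(entries, sort_keys=True).encode())

class VaultClient:
    """One open KeePass-style app holding an in-memory copy of the vault."""
    def __init__(self, path, mode):
        self.path, self.mode = path, mode      # mode: overwrite | refuse | merge
        self.entries, self.loaded_hash = read_vault(path)

    def add_entry(self, title, secret):
        self.entries[title] = secret

    def save(self):
        """Return 'saved', 'conflict' or 'merged'."""
        on_disk, current_hash = read_vault(self.path)   # pull before push
        if current_hash == self.loaded_hash or self.mode == "overwrite":
            write_vault(self.path, self.entries)  # overwrite mode loses remote edits
            self.loaded_hash = read_vault(self.path)[1]
            return "saved"
        if self.mode == "refuse":
            return "conflict"                   # user must reload before saving
        merged = {**on_disk, **self.entries}    # union of remote and local entries
        write_vault(self.path, merged)
        self.entries, self.loaded_hash = merged, read_vault(self.path)[1]
        return "merged"

def run_conflict_test(mode):
    """Desktop and phone open the same synced file; phone saves with a stale copy."""
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    write_vault(path, {"email": "old-secret"})          # constructed sample vault
    desktop, phone = VaultClient(path, "merge"), VaultClient(path, mode)
    desktop.add_entry("bank", "desktop-secret")
    desktop.save()                                       # synced to the phone
    phone.add_entry("shop", "phone-secret")
    result, final = phone.save(), None
    final = sorted(read_vault(path)[0])
    os.remove(path)
    return result, final
```

Only the merge mode ends with all three entries on disk; the overwrite mode silently drops the desktop's "bank" entry, which is exactly the data loss the failing apps produced.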

I’m getting a little off-track with app reviews here toward the end, but I’ll finish off with one last recommendation. KeePass for Windows is starting to show its age. For Linux, MacOS, and Windows, I recommend you try KeePassXC instead. I believe you’re more likely to have a good experience with it than the vintage KeePass version. Both can handle external changes to the password vault file without problems.

The original KeePass project has a database synchronization feature it uses to resolve conflicts. The feature lets you sync database changes between a local database copy and a golden copy residing on a remote server. It can even help resolve conflicting changes, although that usually isn’t a big problem unless you try to make multiple changes to the same database entry. This feature is quite complex and rarely supported in any of the forked projects. However, you’re more likely to run into a simpler file sync issue like the example discussed in this article.

KeePass can be a good option for your password management needs. The big caveat is, as already mentioned, that you must take responsibility for backing it up and versioning it. It involves a little more management work, but you stay more in control. In everyday use, you’ll find it no different than using LastPass, Bitwarden, 1Password, or one of the many commercial hosted password managers.

All the apps were reviewed on Android 11 using the latest app version available in the Google Play Store at the time of publication.