storage-p
Library

storage-p vs KeePassXC: zero-knowledge & self-hosted

Both storage-p and KeePassXC keep secrets safe, but they take different routes. storage-p is a self-hosted, zero-knowledge vault you operate yourself; KeePassXC is a local, device-based app. Here is a factual side-by-side.

At a glance

  1. Hosting: storage-p runs self-hosted on your own server; KeePassXC is a local, device-based app.
  2. Encryption: storage-p is zero-knowledge — your key is derived in the browser with Argon2id and the server only ever stores XChaCha20-Poly1305 ciphertext.
  3. Beyond passwords: storage-p also stores SSH/TLS keys, API keys and TOTP, and generates Ed25519 SSH keys and self-signed certificates client-side.
  4. Integrations: storage-p issues scoped API tokens whose every read can require your in-app or Telegram confirmation.
  5. Both KeePassXC and storage-p can be self-hosted; storage-p keeps the database encrypted at rest with SQLCipher on top of client-side encryption.

Where storage-p stands out

The server never sees your master password or plaintext — encryption, decryption, key generation and the security audit all run on your device. You can store and generate SSH/TLS material, share via burn-after-read links or end-to-end sealed-box, and grant integrations narrow, auditable access instead of all-or-nothing exports.

When KeePassXC may fit better

KeePassXC is a mature, established option with its own ecosystem and community. If you rely on its specific apps or integrations, it may fit your workflow better.

Switching from KeePassXC

Moving is straightforward: KeePassXC can export a CSV, which storage-p reads as a KeePass import. See the step-by-step migration guide linked below.

How to migrate from KeePassXC to storage-p →How to move from storage-p to KeePassXC →