How do I use TOTP or Two Factor Codes?
You can setup a TOTP or Two Factor code from the Edit Record screen. There is a TOTP/2FA button. This will give you a choice to scan a QR code with the camera (iOS Only), or enter the secret or OTPAuth URL manually. Once the secret/otpauth URL has been scanned then Strongbox will display the code.
Strongbox uses KeePass custom fields (compatible with KeepassXC (“TOTP Seed” and “TOTP Settings” or the KeeOTP (“otp”) plugin). If you already have these configured, Strongbox should just work.
If you enter an OTPAuth URL as the Password field, or anywhere in the Notes field (handy for Password Safe users) then Strongbox will automatically pick this up and display the TOTP code.
How do I change my Master Password?
For the iOS app, Open your Safe, and then find the little ‘Gear’ icon in the bottom right corner. Tap that, and you select ‘Change Master Password’.
For the Mac application. Go to the ‘Safe’ menu item, and select ‘Change Master Credentials’.
Nextcloud WebDAV URL when Installed as a Snap
Some users have had issues determining their WebDAV url when they install Nextcloud as a Snap, on services like DigitalOcean.
The correct URL format looks something like so, where “mark” is your username/home:
The following GitHub issue goes into much more detail:
Are there any Browser plugins for Strongbox
Not particularly for Strongbox, but if you use a KeePass format database you can use the excellent Tusk for both Firefox and Chrome:
If I buy the Pro version will it work on my other devices
If you purchase the Pro upgrade it is linked to your iTunes Apple account. This means it will work where ever you use that account. Note however, that the Mac and iPhone/iPad applications are separate products and require separate upgrades.
If you upgrade on one iOS device, say your iPhone, then you can unlock pro on your other iOS devices (e.g. iPad) by tapping ‘Restore Previous Purchase’ in the Upgrade screen.
Strongbox disappears/dies sometimes when using AutoFill
This is related to Apple’s App Extension Resource Budget policies. Apple allows App Extensions (which is what the Strongbox AutoFill component is) only a very small portion of system resources, and terminates the process very quickly and without warning if it exceeds certain CPU/Memory usage limitations.
If you are seeing this, it is likely because your database size is too large or your cryptography settings are too high to be used in the Auto Fill context. The exact limit will vary depending on what device you are using also.
If you are using Argon2, it is likely caused by your Memory setting being too high. You could try to reduce this and see if that helps.
Unfortunately there isn’t much I can do about this, Apple’s limitations are somewhat arbitrary and not open to appeal. This is a difficult situation for a Password Manager to be in, because CPU/Memory is a large part of opening an encrypted database.
How do I use iOS AutoFill
If you are using iOS12 or later, you can use the Strongbox Auto Fill Credential Provider. This means when you are asked to enter a password or username, you will be presented with a button that allows you to open Strongbox and find your password from within whatever app you are using, be it Safari or another app.This is the easiest and most streamlined way to use Strongbox on your iOS device.
To make sure AutoFill works check the following:
1) On your iOS Device, go to Settings > Passwords & Accounts > AutoFill Passwords
2) Make sure AutoFill passwords is turned on
3) Make sure that under “Allow Filling From” section, Strongbox is ticked.
Now when you go to login in Safari and other applications and tap on a username or password entry field you will be presented with a ‘Passwords’ option on the keyboard. Tapping this you will be able to select ‘Strongbox’ from and from there open your database.
How do I use a Username/Password or Private Key for iOS SFTP
Strongbox supports both Username and Password and Private Key authentication for your SFTP server.
Username/Password is very straightforward, simply enter them in the fields provided.
For a private key based authentication, you will need to point Strongbox at your key by locating it via the Files app when asked.
Some people like to copy the key directly into Strongbox documents folder instead of accessing it via the Files app. To copy the key file locally to Strongbox documents you have two main options:
1) You can use iTunes File Sharing to copy the key from your laptop to the Strongbox documents folder
2) You can use the iOS Files app and navigate your other apps/providers/drives, then select “Copy To” or “Open With” Strongbox
From here you can locate your key in Strongbox documents when asked or as mentioned above you can browse all your iOS documents if it is stored elsewhere.
I cannot see a safe I added to iCloud, where is it?
It is not possible to directly add an iCloud safe by dropping it into your iCloud drive. Unless of course you drop it in the correct folder. iCloud safes will automatically appear in the iOS app once they are located in the correct Strongbox folder on iCloud. This folder has the Strongbox icon, though it is possible it has not been created yet.
So if you already have a safe on your iCloud drive, it needs to be in the specific Strongbox folder before it will appear in the app. This is because Strongbox is only allowed to look in this folder and not at the rest of your iCloud drive.
The Strongbox folder should be in the root of your iCloud drive. If you do not see it there it is possible it has not yet been created. If you create a new iCloud safe from the iOS app, it will create the folder and place the new safe in there. You can create a new safe by tapping the ‘+’ icon in the top right corner and selecting ‘New Safe’.
Once the folder is created you can move any existing safe you might have into that folder and it should appear (with maybe a little delay) in the app automatically.
I have lost or forgotten my master password, is there any way to access my safe
I’m afraid there is absolutely no way to get into your safe without the master password.
Unless Biometric ID (Touch ID or Face ID) is still working to open your safe. Even in this case, you should always know your master password in case of biometric failure. If you are using biometric id to open your safe and you do not know the master password, it is critical that you at once change the master password to something you will not forget.
There is absolutely no email (“I forgot my password”) reset. This is by design. The security of the your safe is paramount, and the only way it can be opened is with your master password.
If you have forgotten your password, I’m afraid there is nothing Strongbox support can do for you. Our only recommendation is to try to remember it. We wish you luck, and hope you understand the security design decision made here.
How do I access my cloud safes?
It depends on your cloud provider.
If you are using iCloud, then you will be able to save or open your safes from the Strongbox iCloud folder in the usual fashion. You should click File > Open or File > Save as appropriate and select the location as usual from the dialog.
For other providers you should use their specific Drive synchronisation software. Google Drive uses ‘Backup and Sync’, Dropbox and OneDrive have their own Mac syncing application. You will find these applications on their respective websites.
Once you have installed that synchronisation software, you will find the Dropbox, OneDrive or Google Drive folder in Finder, where you can load or save your safes.
What kind of cryptography does Strongbox use?
Strongbox implements many cryptography algorithms.
For Password Safe based files use TwoFish in CBC Mode, SHA256 and RFC2104 HMAC. This is all put together following the Password Safe design which you can learn more about here: https://en.wikipedia.org/wiki/Password_Safe
How secure is Touch ID or Face ID?
While Touch/Face ID is very convenient, it is not a perfect system for protecting your passwords. It is provided for convenience only. It is within the realm of possibilities that someone with access to your device and your fingerprint or photo, can produce a good enough fake to fool Apple’s system. Therefore you should be aware that a strong passphrase held only in your mind provides the most secure experience with Strongbox.
How do I select a good master password?
A vital and important question. There are varying opinions on this, but one of the best guides around can be found here:
The weak link in the security chain with Strongbox is always going to be the master password. It can be difficult to come up with one, but it’s always better to use a multiple word phrase instead of a single word and to thrown in some numbers too. The above guide should help.
Always, always, ALWAYS remember your master password, there is no getting into your safe without this. No one can.
Can I store images, videos or other files with Strongbox?
This depends on the underlying file format you choose to use. You can choose to use KeePass or Password Safe formats.
For the KeePass format, yes, you can add any attachment(s) you like to each entry in the safe. It is recommended that you keep the file size small in general, particularly if you are using a cloud based safe, as synchronizing a large file may take a while.
For Password Safe formats, the answer is No, unfortunately not, since this is not supported currently by the Password Safe file format, these items are not supported, though there are plans to add this capability.
Is Strongbox Compatible with other Password Safe Clients?
Yes, Strongbox is compatible with any application that supports version 3 of the Password Safe file format. You can find a list of clients for various platforms at the official Password Safe site here:
What version of Password Safe does Strongbox support?
Strongbox supports version 3 of the Password Safe format. In particular it implements version 3.31, though not all features maybe supported or exposed in the UI. In particular Linked entries, Credit Card fields and other less used features are not supported, though Strongbox will respect that data and not edit or change it. So your data is always safe, it’s just that Strongbox does not display it in the interface.
Where can I find the source code for Strongbox?
Online at Github here: https://github.com/mmcguill/StrongBox
Has Strongbox been audited for security?
Short answer: No.
Longer Answer: The database formats supported by Strongbox have been audited, and the source code for Strongbox is available freely online.
An audit on Strongbox source code has never been done, though it would be great to have that done, Strongbox is an independently developed and supported app, and the resources are currently not available to have this done. If you know of anyone qualified to do this, who would like to contribute, then please get in touch, it would be great to have this done.
Password Safe Format Audit
A full security audit of the Password Safe design can be found here:
Strongbox is a client built for the Password Safe file format, and is compatible with any other password safe applications. This format was designed by renowned security expert Bruce Schneier. A more general answer to the question can be found here:
You can also find all the code for Strongbox online at:
Is Strongbox Free?
Strongbox operates on the Freemium model. That means there is a Pro version of Strongbox and a Free version of Strongbox, and you are encouraged to upgrade to the Pro version by paying a small fee. This helps me to keep developing the app, adding new features, fixing bugs, providing support and other nice things. The source code is available for free under the AGPL licence and is kept on Github
Why, every now and then, do I get asked to login to Google Drive, Dropbox or OneDrive?
If you are storing your safe on one of the cloud providers like Google Drive, Dropbox, or OneDrive, then Strongbox needs to maintain a session with that provider to access your safe. After a while Strongbox’s session will expire and the cloud provider will want you to sign in again to allow Strongbox to access the safe file. This is typically every few weeks to every couple of months depending on the provider. This is entirely driven by the Cloud Provider.
What information is shared with Cloud Providers (e.g. Google Drive) by Strongbox?
This is up to the cloud provider and how they define the interaction of third party apps with their storage API. In brief this is likely to include your email address or account username, the name of the third party app (in this case Strongbox) and probably data like the current date/time and IP address.
To be very clear, Strongbox will never send any confidential information or your passwords to a cloud provider.
I paid for the Mac app upgrade but I cannot restore the upgrade on my iOS device (or vice versa)
The Mac app and the iOS app are separate products and require separate upgrade purchases. I hope you will like the applications enough that this is something you will be happy to pay for.
Can I open my safes on my Android, PC, other device? Is there a Strongbox for those Platforms?
Yes, you can open your password safes on many different platforms. Depending on whether your safe is in Password Safe or KeePass format, you can find a client that is compatible.
For the Password Safe format, here is a link to a short list of compatible clients, you can probably find many more with a search for ‘Password Safe client for [insert platform here]’.
For safes in one of the KeePass formats you can find many clients here:
Strongbox is only available for iOS and Mac at the moment but there are many clients for many other platforms available as you can see from the above.
Is this system compatible with MacOS/MacBook?
Yes, you can find the Mac version in the App Store, linked from the homepage here.
Can my safes be set to sync between Mac and iOS (my iPad, iPhone etc)?
Yes, probably the easiest way to do this is to use an iCloud based safe. You can create a new iCloud safe in both the Mac and iOS versions of the app and it will automatically appear in your other devices in Strongbox. Your safe(s) will then be automatically be synchronised and updated automatically across all of your devices.
Otherwise you can use one of the other cloud providers, like Google Drive, Dropbox, or OneDrive. This is relatively straightforward.
You could even store your files locally on each device and manually manage updates and synchronisation via iTunes, File Sharing, Email or URL Import, though this might be a little inconvenient.
Can I use my own passwords or do I have to use passwords generated within the app?
Yes, you can use whatever you like as your passwords. Strongbox will helpfully generate and suggest good passwords (which can also be configured) but you are free to ignore these suggestions.
What version of KeePass does Strongbox support?
Strongbox supports versions 1 and 2 of the KeePass format. Strongbox supports both the KDB and KDBX formats. It also supports both versions of the KeePass 2 (KDBX) formats. These are often referred to as KDBX file versions 3.1 and 4. Because KeePass uses a pluggable architecture some KeePass files using special plugins may not be supported by Strongbox. If you use any algorithms outside of the standard range of AES, Salsa20, Argon2D, and ChaCha20 you may find Strongbox is not able to open the file.
NB: Not all features of KeePass are supported or exposed in the UI. In particular expiry, OTP, custom fields and other less used features are not currently supported, though Strongbox will respect that data and not edit or change it. So your data is always safe, it’s just that Strongbox does not display it in the interface.
How do I use a Key File with my KeePass database on an iOS Device?
To use a key file on your device, the best method is to copy the key file into Strongbox using iTunes File Sharing or the iOS Files app. If it is named correctly (see below), Strongbox will auto detect it when you open your database.
iOS Auto Key File Detection
If the key file is named “<database-name>.key”, where database name is the filename of your kdbx file, and is in the Strongbox documents directory, Strongbox will detect it and use it automatically to open the corresponding database.
This will also be clearly indicated on the Unlock dialog before you type in your password, so you will know Strongbox has detected it.
So, for example, if you’ve got a database file named my-database.kdbx then you would name your key file my-database.key, and drop it in Strongbox documents.
- Once you’ve dropped it in Strongbox Documents (using iTunes File Sharing, or the Files app, or other method), you can/should remove the key file from iCloud or whatever other cloud storage you might have used.
- It is not a requirement that the key file have any specific extension or be any specific form/type of file.
- Auto Detection is not required, you can access your key from anywhere within the iOS Files app, that will also work, auto detection is purely for convenience.