Is it possible to get Auto-Type working with local password managers in Bazzite?
As best I can tell, Bazzite with KDE Plasma is now strictly Wayland. When I tried to get a local password manager (KeepassXC) working, I found that Auto-Type did not work (it wasn’t even an option in the settings). I found references to a browser plugin to let KeepassXC do something similar to Auto-type in the browser, but since I also need passwords in local files and applications, that didn’t help. I also found references to setting an environment variable (QT_QPA_PLATFORM=xcb) in .bashrc. I thought that got things working, but after a reboot, the desktop was, essentially, gone: no taskbar, no system tray, no start button (sorry for the Windows-centric terminology). Removing that line from .bashrc fixed things. Since I think that line is supposed to set up an X11 server, I assume the Desktop going Tango Uniform with it means X11 just won’t run on Bazzite.
Is there, in fact, any way to actually get Auto-type working in Bazzite so a local password manager can work properly? Maybe I’m “holding it wrong” by trying to get Auto-type to work. Maybe there’s a better, more linux-centric or Wayland-centric way to do that. But, I couldn’t find it. I’d seen some references that someday, someone might come up with an API to allow password managers to securely communicate with browsers and other applications. But, even if that was in the works, it would be years before anything came of it. I’m not going to store my passwords (or some other equivalent) out in the cloud. I’m not going to store them in the various browsers I use. I need them for local files and applications as well as in browsers. Is there some solution I’m missing?
Well, it looks like I’ll be staying trapped on Windows for a while longer. I HAVE to have a password manager that works with multiple browsers, local applications and local files. I can’t understand why there isn’t more noise about this. Surely Bazzite users use password managers. And, surely, some of them have to be using local (i.e., non-cloud-based) password managers.
Maybe I’m wrong about getting KeepassXC set up. But, here’s a 7 year old, unsolved issue on their github page about it:
I think if you go to flatseal, search for keepassxc and scroll down to environment and there type in QT_QPA_PLATFORM=xcb you will get keepassxc running through xwayland (i think you can also just toggle off wayland and toggle on x11 in the same settings) . I think if you apply the same to your browser (via flatseal turn on x11 and turn off wayland) then you should be good to go. note that x11 is less “secure”, but it should work. I will qualify I haven’t tested it as I setup browser integration another way Installing 1Password in Bluefin, a better way? - #26 by jpl .
Sorry for the delay in getting back. I’d already uninstalled Bazzite and had to re-install it to test this. Adding QT_QPA_PLATFORM=xcb to the KeepassXC Environment Variable area in Flatseal got things (mostly) working. It looks like window titles/names aren’t getting communicated to KeepassXC, so auto-type isn’t really “auto.” I have to filter the auto-type popup window to narrow down the selection. But, once I do that, I can at least use the password manager. Not the best of all worlds, but usable. Adding the environment variable and the X11 fallback options to the Brave entry didn’t help.
Also unfortunately, it looks like Browser Integration doesn’t work with the flatpak versions of KeepassXC and browsers. I assume that’s because of the sandboxes.
Hopefully, the KDE Plasma people can get this Wayland-level inter-app communication working in the near future (from what I can find, it looks like the Wayland people don’t want to do it).
Thanks for the reply. I can at least continue working with Bazzite and see if it’ll work for me.
not sure how adventurous you are, but I think people have gotten flatpak keepassxc → flatpak browser working. It does escape the flatpak sandbox a little bit, but I use something similar for Bitwarden and for me having a working password manager > technically escaping the flatpak sandbox.
I was doing ok with the QT_QPA_PLATFORM=xcb “fix” to get Autotype semi-working in KeePassXC until the Bazzite upgrade from F43.20260217 to F43.2026030. Unfortunately, something in the latest Bazzite release (and it looks like it started up at the Fedora level and trickled down) rendered Autotype almost completely useless (it now randomly lower-cases some upper-case symbols). I took a look at the link @gghardwareissues posted and am completely lost. I’m going to have to research that quite a bit in the hope I can understand it at some point and get it working for my Flatpak Brave browser and my flatpak KeePassXC password manager.
And, in case anyone’s interested, here are the various bugs I filed about this (all closed: KeePassXC doesn’t care about “only broken on one distro” (i.e., Fedora and all its offspring), Bazzite (rightfully) points upstream to Fedora, and Fedora says they’re not messing with Autotype things until KeePassXC supports Qt 6 (I think that’s what they mean – they pointed to a KeePassXC WIP issue))
Been thinking about your situation…as I lurked your thread
Here is my take. Opinion, of course.
Wayland is not X11, and X11 is not Wayland.
As far as KeePassXC goes, it is up to the developers to make their software work within the design and limitations of the Wayland stack. If Wayland’s security model does not allow something like traditional X11-style Auto Type, then KeePassXC may simply not be able to offer that feature under Wayland. KeePassXC itself states that Auto Type on Linux works only in an X11 session, not Wayland.
That may suck for the KeePassXC developers and for users because it can mean losing a feature that previously worked under X11. But if the platform does not provide a supported way to implement it, then it simply is not going to happen.
A somewhat similar example is 1Password (which I use). If you install 1Password as a Flatpak, communication between the browser extension and the desktop app can break. That is due to Flatpak’s sandboxing limits. It may very well be that AgileBits cannot support that feature when 1Password is installed as a Flatpak. I’ve just made the decision to use the Flatpak and accept that browser plugin to app communication is broken. The only solution is running Firefox and 1Password out of Distrobox or building my own custom image. For my desktop, I’ve chosen to stay on the mainline Aurora image rather than do my own custom (which I do for other stuff) because I value the integration testing the Universal Blue team does, and once I build my own image, now I have to take on some of that responsibility.
Tradeoffs. Some things are simply not solvable in the same way they worked before. If a feature you rely on is critical, you have to decide what you value more: the platform, the application, or the specific feature. You may need to switch to another password manager or use a system that still supports X11.
From what I’ve been able to find, it looks like Autotype can’t work properly for any password manager. Wayland just doesn’t support the inter-app communication needed (and, apparently, won’t ever support it because of their security model). Everyone seems to be waiting for someone else (like KDE, I guess) to come up with a mechanism that will allow the needed inter-app communication in such a way that will work with Wayland (and possibly between flatpak sandboxes). I was mostly ok with that. But then this random lower-case thing happened.
I’ve been looking for other local, non-cloud password managers to try. But, really, the goto for Linux seems to be KeePassXC. I really don’t want to try a cloud-based password manager, but I’m starting to consider it. Of course, as you say, the inter-app communication problem exists there.
If I were to try a cloud-based password manager, I’m not sure which I’d try. The one I keep seeing recommended is Bitwarden. But, I’m wondering about Proton Pass since I already have access to it via my existing email subscription through them.
I’ve been using Proton Pass from almost right when they launched it. It has worked fine but I mostly just use it with my browser and with their extension.
There is a unofficial flatpak for the desktop app but it won’t really provide anything extra.
Maybe I need to get a bit more serious about changing my password manager from KeePassXC. The following regards Secure Blue instead of Universal Blue, but still…:
“On a related note: KeePassXC failed to upgrade to Qt 6 in 6 years: keepassxreboot/keepassxc#7774. Maybe makes sense to remove it from curated Bazaar apps with GNOME Secrets taking its place? It’s not as feature-rich as KeePassXC, but at least it doesn’t depend on an outdated framework.”
In case anyone’s looking for a script to set up the integration between KeePassXC (flatpak) and Brave (flatpak) on Bazzite (actually Kinoite – but since that’s also an atomic offshoot of Fedora, I figured it would work for Bazzite), I found this:
I did my best to look it over and compare it to other sources of manually configuring this and it seems good. It does seem to work.
Along with Auto-Type still having random characters in userids/passwords randomly shifted to uppercase/lowercase, Browser Integration with Brave (as noted above) has stopped working for me with the new Bazzite version 44.20260429 (“Key exchange was not successful”). EDIT: if I revert back to Bazzite version 43.20260420, everything works correctly again.
I realize the intersection of Bazzite users, KeePassXC users and Brave users is probably pretty small, but Is anyone else seeing this problem with the new Bazzite version?
EDIT: For some reason, I had to give the full path to the keepassxc-proxy ( /var/lib/flatpak/app/org.keepassxc.KeePassXC/current/active/files/bin/) in my keepassxc-proxy-wrapper.sh file to get browser integration working again. Thanks to YaLTeR (two above my post) in:
OP: I tried Bazzite v 44.20260501.1 and confirmed it doesn’t work there either. I’m going to dump everything I can think of here in case anyone can come up with something to fix this. My apologies for the length.
START OF INFODUMP:
Starting with Bazzite version 44 (and up to the current v 44.20260501.1), browser integration between the flatpak version of KeePassXC (v 2.7.12) and the flatpak version of the Brave browser (v 1.89.145) ceased working. It worked with Bazzite version 43 prior to upgrading and it works again if I revert back to the last Bazzite 43 version (v 43.20260420).
The following is the terminal output from re-running the setup-brave-keepassxc.sh script I used that sets up browser integration between the flatpak KeePassXC app and the flatpak Brave browser app on my system:
~/Documents/setup-brave-keepassxc.sh [INFO] Starting Brave Browser and KeePassXC integration setup… [INFO] Granting filesystem permissions to Brave Browser… [INFO] Filesystem permissions granted successfully. [INFO] Creating target directories… [INFO] Creating keepassxc-proxy-wrapper.sh… [INFO] Making keepassxc-proxy-wrapper.sh executable… [INFO] Wrapper script created and made executable successfully. [INFO] Wrapper script real path: /var/home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/keepassxc-proxy-wrapper.sh [INFO] Copying native messaging host configuration… [INFO] Native messaging host configuration copied successfully. [INFO] Updating path in native messaging host configuration… [INFO] Native messaging host configuration updated successfully. [INFO] Backup saved as: /home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json.backup [INFO] Verifying setup… [INFO] ✓ Wrapper script exists and is executable [INFO] ✓ Native messaging host configuration exists [INFO] ✓ Native messaging host path is correctly configured [INFO] Setup completed successfully! [INFO] [INFO] Next steps: [INFO] 1. Enable Browser integration in KeePassXC settings [INFO] 2. Install the KeePassXC Browser extension [WARN] 3. RESTART Brave Browser [INFO] 4. Configure the extension to connect to KeePassXC [INFO] [INFO] Files created/modified: [INFO] - /home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/keepassxc-proxy-wrapper.sh [INFO] - /home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json [INFO] [INFO] If you encounter any issues, check the backup file: /home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json.backup
Even after rebooting, browsing integration no longer works. The KeePassSC-Browser icon at the top-right of my Brave now has a red flag on it with a white “x”. Opening it says:
“KeePassXC-Browser has encountered an error:
Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings.”
Clicking on the Reload button gives:
“Key exchange was not successful.”
Looking at KeePassXC settings, Browser Integration is enabled, Brave is the browser checked and the top two radio buttons are selected (“Request to unlock the database if it is locked” and “Match URL scheme”)
In Brave, looking at the Extensions settings, selecting Developer Mode and clicking on the Service Worker link at:
“KeePassXC-Browser 1.10.1 KeePassXC integration for modern web browsers ID: oboonakemofpalcgghocfoadofidjkkk Inspect views service worker”
Brings up the following:
client.js:383 KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser global.js:194 [Error client.js:403] KeePassXC-Browser - Failed to connect: Native host has exited. global.js:194 [Error keepass.js:998] KeePassXC-Browser - No content script available for this tab. global.js:194 [Error keepass.js:322] KeePassXC-Browser - 5: Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings. 2global.js:194 [Error keepass.js:998] KeePassXC-Browser - No content script available for this tab. 3global.js:194 [Error page.js:179] KeePassXC-Browser - Cannot send activated_tab message: Could not establish connection. Receiving end does not exist.
The json file (org.keepassxc.keepassxc_browser.json) at /home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/ is:
And /var/home/dave/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/keepassxc-proxy-wrapper.sh exists and contains:
#!/bin/bash
APP_REF=“org.keepassxc.KeePassXC/x86_64/stable”
for inst in “$HOME/.local/share/flatpak” “/var/lib/flatpak”; do
if [ -d “$inst/app/$APP_REF” ]; then
FLATPAK_INST=“$inst”
break
fi
done
[ -z “$FLATPAK_INST” ] && exit 1
APP_PATH=“$FLATPAK_INST/app/$APP_REF/active”
RUNTIME_REF=$(awk -F’=’ ‘$1==“runtime” { print $2 }’ < “$APP_PATH/metadata”)
RUNTIME_PATH=“$FLATPAK_INST/runtime/$RUNTIME_REF/active”
exec flatpak-spawn
–env=LD_LIBRARY_PATH=/app/lib
–app-path=“$APP_PATH/files”
–usr-path=“$RUNTIME_PATH/files”
– keepassxc-proxy “$@”
I’m well beyond my abilities here. I’m just a guy who wants to enter passwords into a browser. As far as I can see, everything looks like it should. But, for some reason, it doesn’t work in Bazzite 44, but does in Bazzite 43.
And, for grins, the script I used to set up browser integration is:
#!/bin/bash
Copyright (C) 2025 Jim Chen, licensed under GPL-3.0-or-later
This script is rewritten from the solutions provided in the following comments, credited to Sergei von Alis(gasinvein) and Zihad(tazihad):
-
-
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see https://www.gnu.org/licenses/.
==================================================================
Setup Brave Browser (Flatpak) integration with KeePassXC (Flatpak)
Designed to work with Brave Browser (Flatpak) + KeePassXC (Flatpak) on Fedora Kinoite.
This script automates the process of configuring Brave Browser to work with KeePassXC.
IMPORTANT: Execute this script as a regular user (non-root). Do NOT use sudo.
Usage: ./setup-brave-keepassxc.sh
set -e # Exit on any error
Colors for output
RED=‘\033[0;31m’
GREEN=‘\033[0;32m’
YELLOW=‘\033[1;33m’
NC=‘\033[0m’ # No Color
Function to print colored output
print_info() {
echo -e “${GREEN}[INFO]${NC} $1”
}
print_warning() {
echo -e “${YELLOW}[WARN]${NC} $1”
}
print_error() {
echo -e “${RED}[ERROR]${NC} $1”
}
Function to check if command exists
command_exists() {
command -v “$1” >/dev/null 2>&1
}
Check if flatpak is installed
if ! command_exists flatpak; then
print_error “Flatpak is not installed. Please install flatpak first.”
exit 1
fi
Check if Brave Browser flatpak is installed
if ! flatpak list | grep -q “com.brave.Browser”; then
print_error “Brave Browser (Flatpak) is not installed. Please install it first:”
print_error “flatpak install flathub com.brave.Browser”
exit 1
fi
Check if KeePassXC flatpak is installed
if ! flatpak list | grep -q “org.keepassxc.KeePassXC”; then
print_error “KeePassXC (Flatpak) is not installed. Please install it first:”
print_error “flatpak install flathub org.keepassxc.KeePassXC”
exit 1
fi
print_info “Starting Brave Browser and KeePassXC integration setup…”
Step 1: Grant filesystem permissions to Brave Browser
print_info “Granting filesystem permissions to Brave Browser…”
flatpak override --user --filesystem={/var/lib,xdg-data}/flatpak/{app/org.keepassxc.KeePassXC,runtime/org.kde.Platform}:ro --filesystem=xdg-run/app/org.keepassxc.KeePassXC:create com.brave.Browser
if [ $? -eq 0 ]; then
print_info “Filesystem permissions granted successfully.”
else
print_error “Failed to grant filesystem permissions.”
exit 1
fi
Step 2: Create the target directory if it doesn’t exist
TARGET_DIR=“$HOME/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser”
NATIVE_MESSAGING_DIR=“$TARGET_DIR/NativeMessagingHosts”
print_info “Creating target directories…”
mkdir -p “$TARGET_DIR”
mkdir -p “$NATIVE_MESSAGING_DIR”
Step 3: Create keepassxc-proxy-wrapper.sh
WRAPPER_SCRIPT=“$TARGET_DIR/keepassxc-proxy-wrapper.sh”
print_info “Creating keepassxc-proxy-wrapper.sh…”
Check if the wrapper script file is locked by another process
if [ -f “$WRAPPER_SCRIPT” ]; then
# Try to check if file is locked by attempting to open it for writing
if ! touch “$WRAPPER_SCRIPT” 2>/dev/null; then
print_error “The wrapper script file appears to be locked by another process.”
print_error “This usually happens when Brave Browser is running.”
print_error “Please close Brave Browser completely and try again.”
print_error “File: $WRAPPER_SCRIPT”
exit 1
fi
# Additional check: try to write to the file to ensure it's not locked
if ! echo "" > "$WRAPPER_SCRIPT" 2>/dev/null; then
print_error "Cannot write to the wrapper script file. It may be locked by another process."
print_error "Please close Brave Browser completely and try again."
print_error "File: $WRAPPER_SCRIPT"
exit 1
fi
fi
cat > “$WRAPPER_SCRIPT” << ‘EOF’
#!/bin/bash
APP_REF=“org.keepassxc.KeePassXC/x86_64/stable”
for inst in “$HOME/.local/share/flatpak” “/var/lib/flatpak”; do
if [ -d “$inst/app/$APP_REF” ]; then
FLATPAK_INST=“$inst”
break
fi
done
[ -z “$FLATPAK_INST” ] && exit 1
APP_PATH=“$FLATPAK_INST/app/$APP_REF/active”
RUNTIME_REF=$(awk -F’=’ ‘$1==“runtime” { print $2 }’ < “$APP_PATH/metadata”)
RUNTIME_PATH=“$FLATPAK_INST/runtime/$RUNTIME_REF/active”
exec flatpak-spawn
–env=LD_LIBRARY_PATH=/app/lib
–app-path=“$APP_PATH/files”
–usr-path=“$RUNTIME_PATH/files”
– keepassxc-proxy “$@”
EOF
Step 4: Make the wrapper script executable
print_info “Making keepassxc-proxy-wrapper.sh executable…”
chmod +x “$WRAPPER_SCRIPT”
if [ -f “$WRAPPER_SCRIPT” ] && [ -x “$WRAPPER_SCRIPT” ]; then
print_info “Wrapper script created and made executable successfully.”
else
print_error “Failed to create or make wrapper script executable.”
exit 1
fi
Resolve the real path for the wrapper script (following symlinks) after creation
Needed for Silverblue systems.
REAL_WRAPPER_SCRIPT=$(realpath “$WRAPPER_SCRIPT”)
print_info “Wrapper script real path: $REAL_WRAPPER_SCRIPT”
Step 5: Copy native messaging host configuration
SOURCE_NATIVE_MESSAGING=“$HOME/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts”
print_info “Copying native messaging host configuration…”
if [ -d “$SOURCE_NATIVE_MESSAGING” ] && [ -f “$SOURCE_NATIVE_MESSAGING/org.keepassxc.keepassxc_browser.json” ]; then
cp “$SOURCE_NATIVE_MESSAGING”/* “$NATIVE_MESSAGING_DIR/”
print_info “Native messaging host configuration copied successfully.”
else
print_warning “Source native messaging host configuration not found at $SOURCE_NATIVE_MESSAGING”
print_warning “Creating a default configuration…”
# Create default configuration
cat > "$NATIVE_MESSAGING_DIR/org.keepassxc.keepassxc_browser.json" << EOF
{
“allowed_origins”: [
“chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/”,
“chrome-extension://oboonakemofpalcgghocfoadofidjkkk/”
],
“description”: “KeePassXC integration with native messaging support”,
“name”: “org.keepassxc.keepassxc_browser”,
“path”: “$REAL_WRAPPER_SCRIPT”,
“type”: “stdio”
}
EOF
fi
Step 6: Update the path in the native messaging host configuration
JSON_FILE=“$NATIVE_MESSAGING_DIR/org.keepassxc.keepassxc_browser.json”
print_info “Updating path in native messaging host configuration…”
Use sed to replace the path with the correct wrapper script path
This handles both the case where the file was copied and where it was created new
if [ -f “$JSON_FILE” ]; then
# Create a backup
cp “$JSON_FILE” “$JSON_FILE.backup”
# Replace the path field with the correct wrapper script path
sed -i "s|\"path\": \".*\"|\"path\": \"$REAL_WRAPPER_SCRIPT\"|g" "$JSON_FILE"
print_info "Native messaging host configuration updated successfully."
print_info "Backup saved as: $JSON_FILE.backup"
else
print_error “Failed to find or create native messaging host configuration file.”
exit 1
fi
Step 7: Verify the setup
print_info “Verifying setup…”
Check if all files exist and have correct permissions
if [ -f “$WRAPPER_SCRIPT” ] && [ -x “$WRAPPER_SCRIPT” ]; then
print_info “✓ Wrapper script exists and is executable”
else
print_error “✗ Wrapper script missing or not executable”
fi
if [ -f “$JSON_FILE” ]; then
print_info “✓ Native messaging host configuration exists”
# Verify the path in JSON is correct
if grep -q “$REAL_WRAPPER_SCRIPT” “$JSON_FILE”; then
print_info “✓ Native messaging host path is correctly configured”
else
print_warning “⚠ Native messaging host path might not be correctly configured”
fi
else
print_error “✗ Native messaging host configuration missing”
fi
print_info “Setup completed successfully!”
print_info “”
print_info “Next steps:”
print_info “1. Enable Browser integration in KeePassXC settings”
print_info “2. Install the KeePassXC Browser extension”
print_warning “3. RESTART Brave Browser”
print_info “4. Configure the extension to connect to KeePassXC”
print_info “”
print_info “Files created/modified:”
print_info “- $WRAPPER_SCRIPT”
print_info “- $JSON_FILE”
print_info “”
if [ -f “$JSON_FILE.backup” ]; then
print_info “If you encounter any issues, check the backup file: $JSON_FILE.backup”
fi