How to Remove KeePass2 Password Manager Completely

KeePass2 is a security risk and needs to be removed with all its installed root certificates. This guide shows how to remove it completely

KeePass seems to be recommended in some places. Here it is not so. Still, you may find that you need to handle KeePass files. And when you have done so, you may want to get rid of KeePass entirely.

Note: If you do not require this specific password manager (eg because you have already used it before or/and hence have files in this format) do not use it. If you do not need to recover keys from a KP file you should use another PW manager.

Why delete KeePass?

There are two flavours of KeePass: KeePass2 and KeePassXC:

Upon install, KeePass2 will co-install a lot of new root certificates without even asking first! The amount of certificates is large and the effort required to investigate them is prohibitive. This is not only a privacy concern, it is a clear security risk.

Technically these are installed by "libmono-system" which is a library used by KeePass. This fact does not change the effect and neither does it remedy the situation.
See Remove KeePass below

This does not seem to happen with KeePassXC. So, if you absolutely need some flavour of "KeePass" for something that just can not be done with another password manager, choose "XC". Then, delete it.

Please install only password managers that does not make your computer trust things that you don't even know if you want to trust or not. Of course that goes for any other type of software too.

Remove KeePass and unwanted certificates:

Note: This guide will remove either of KeePass2 or KeePassXC. If you have both installed both will be removed permanently!

First, simulate
# sudo aptitude -s purge keepass*

Then, if everything seems in order:

# sudo apt purge keepass*

Then, make sure the unwanted certificates are removed too. The package "ca-certificates-mono" is the one that installs the certificates in the first place, due to "libmono-system4.0-cil", so remove these as well

Of course, you should examine dependencies for your own system first:

# aptitude why ca-certificates-mono
- then
# aptitude why libmono-system4.0-cil

# sudo apt purge ca-certificates-mono libmono-system4.0-cil

Finish off with
# sudo apt autoremove

A shortcut to purge mono and KeePass

First, try running this simulation:

# sudo aptitude -s purge *mono*

- if this does not seem to remove anything apart from the mono framework and keepass, it may be safe running it without the "-s".

You may get warnings like these:

dpkg: warning: while removing libmono-security4.0-cil, directory '/etc/mono/certstore' not empty so not removed
dpkg: warning: while removing mono-runtime-common, directory '/etc/mono' not empty so not removed

... examine these directories
# ls -la /etc/mono/certstore*
# ls -la /etc/mono*

... and remove if appropriate (likely so)
# sudo rm -r /etc/mono

Finish off with
# sudo apt autoremove

Last, update system certificates
# sudo update-ca-certificates