Regarding Decryption Time there isn't any significant noticeable difference between the max settings and the default, so I decided to leave it at the max settings since it claims to offer better protection. Not sure if this is an indication of my master password length or the number of actual passwords the database is protecting.
For the Database Format I keep this on the default 4 since I need some interoperability with my synced database and my phone.
About the Key Derivation and Transform Rounds, I leave it at what is recommended. I think it likely pertains to how the password itself is encrypted within the database file. An expert on cryptology would probably give you a better answer. It's up to you what kind of encryption tech you want on your DB.
As with the Security File and Yubikey option: These things are for when you require a file or, in the case of Yubikey, an extra piece of hardware for you to open a database with in addition to your password. In the scenario that your database gets stolen and the attacker knows your master password, opening the DB will fail without the security file. Having a file is more convenient and portable, in cases where you can't use a hardware token like the Yubikey. Having a file is significantly easier to steal and useful in devices with a locked port (or a theoretical portless, wifi/LTE only device). Yubikey on the other hand is useful against physically distant attackers (like foreign APTs for instance) who are very much unlikely to steal your stuff, especially in these pandemic times.
Transform rounds, memory usage and Parallelism: Click on the 1s delay button.
Security Key File: Primarily use a security token (e.g., YubiKey) if possible. You can set a key file, however, there are several risks here (e.g., accidentally modifying or deleting the file).
The decryption time option is for artificially slowing down decryption. High values like 2 or 3 seconds render brute-force attacks on your database inefficient. The main goal is to slow down guessing-based attacks. Low values like less than 1 second help attackers, so keep it as high as possible.
Use kdbx 4. kdb and kdbx 3.1 are legacy formats of KeePass. There is no reason to use them when you create a fresh password database. For the complete changelog, see KDBX 4.
A KDF derives a cryptographic key from a secret, e.g., a password (user input → KDF → cryptographic secret). For example, your WiFi likely uses WPA2-PSK for security. In this scenario, you enter a pre-shared key in the form of a password. However, WPA2 applies the key derivation function PBKDF2 to derive cryptographic keys from your password that are actually used afterward. Some key derivation functions also apply key stretching. Key stretching is used to make brute-force attacks more difficult by increasing the time it takes to test each possible key. The overall goal of a KDF is to improve the cryptographic strength of the secret supplied by users.
These are more possibilities for artificially slowing down decryption. You can click on the 1s delay button to force a 1s delay customized to your hardware. Paranoid users can set longer delays, of course.
YubiKey Challenge-Response: Using this feature, KeePassXC and the YubiKey share a secret. When you decrypt your database, KeePassXC sends a challenge to the YK. The YK calculates its response based on the shared secret and the challenge, and sends the response to KeePassXC. KeePassXC conducts the same operations, compares the response, and unlocks the database. A benefit is that the secret is securely stored in your YubiKey, so an attacker can hardly retrieve it from there. On the other hand, you can lose your security token, so you might have to buy and configure a second one as a backup.
Key file: A key file is similar to your password. You can just create a file on your system and provide it as a password. In this case, the security is similar to storing a password in cleartext on your system. When you accidentally modify or delete the key file, you lose this “password.” Furthermore, it is easier to copy a file from your system than retrieving a secret from a YubiKey.
In summary, use a YubiKey (or similar security tokens) if possible, and set a strong master password.
KeePassX: It was originally a Linux port of KeePass. However, there has been no development for more than 3 years. So don’t use it.
KeePassXC: It started as a fork of KeePassX. So KeePassXC is a fork of a Linux port of KeePass. It is also open-source software, and it comes with cross-platform support and similar security features. While KeePassXC and KeePass use the same file format .kdbx, there are some incompatible features like the support for security tokens (challenge-response).
“What should I use?”: I used KeePass for many years, but recently migrated to KeePassXC. Both projects are solid password managers that offer modern cryptography and are in development. On the other hand, KeeWeb can be interesting for people who want to access their password database on multiple devices.
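To make the pieces discussed in this thread concrete (composite key from password, key file and challenge-response; key stretching; the "1s delay" calibration; the WPA2-PSK PBKDF2 example), here is an added Python model that is not code from KeePassXC or from any poster. The token secret, key file contents and the flat SHA-256 composite-key layout are constructed simplifications, not the real KDBX4 format.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample values (not from the thread): a 20-byte HMAC-SHA1 slot secret
# standing in for the YubiKey's programmed secret, and a toy key file.
YK_SECRET = bytes.fromhex("00" * 19 + "2a")
KEY_FILE = b"constructed key file contents\n"


def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """Model of the HMAC-SHA1 challenge-response slot: only the response leaves the token."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, key_file: Optional[bytes], challenge: bytes,
                  token_secret: Optional[bytes]) -> bytes:
    """Fold every factor the user supplies into one secret (simplified, not the KDBX layout).

    Missing any factor (wrong password, no key file, no token) yields a different key,
    which is why a stolen database plus a known master password is still not enough.
    """
    parts = [hashlib.sha256(password.encode()).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if token_secret is not None:
        parts.append(yubikey_response(token_secret, challenge))
    return hashlib.sha256(b"".join(parts)).digest()


def stretch(secret: bytes, salt: bytes, rounds: int) -> bytes:
    """Key stretching with PBKDF2-HMAC-SHA256: attacker cost per guess grows with rounds."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds, dklen=32)


def calibrate_rounds(target_seconds: float, probe_rounds: int = 20_000) -> int:
    """What the '1s delay' button does: time a probe on this hardware and scale rounds.

    Never returns fewer than probe_rounds, so a fast target cannot weaken the setting.
    """
    start = time.perf_counter()
    stretch(b"probe", os.urandom(32), probe_rounds)
    elapsed = time.perf_counter() - start
    return max(probe_rounds, int(probe_rounds * target_seconds / elapsed))


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """The WPA2-PSK derivation mentioned above: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)
```

Call `calibrate_rounds(1.0)` to see the round count your own machine needs for a one-second delay, then `stretch(composite_key(...), salt, rounds)` to obtain the final key.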