Full disclosure: this is more opinion than fact (I used KeePass/XC for a few years, but switched to a different service due to sync difficulty).
Your risk tolerance is really based on your own comfort level and personal threat level. If you are a high-value target, this conversation would be different.
In general, having 2 or more backups is good, BUT all in the same space is bad. Off-site backups are important, but then you need to trust the off-site location. Second is the need to sync: a backup database that is out of date is not too helpful. So syncing will be an issue, and difficult if the off-site copy is in a bank vault, for example.
Assuming a Windows PC and a not-high-value target with modest risk.
I would recommend:
- Store one of the vaults in a trusted cloud storage service (one you are comfortable with); this solves the off-site need.
- Keep the master password and key file (if applicable) out of the cloud storage. (The cloud storage provider cannot decrypt the database if the key file isn't accessible to it.) Alternatively, there is a phone app option.
- Keep another DB/key file on a USB stick (the master password stays separate).
- This allows you to have the passwords on the go (if stolen/lost, they still need the master password). If really paranoid, you can get a PIN-protected USB, but that's more to remember.
- You may not want to store the TOTP data with the KeePassXC database. Save it in a phone app like Authy?
- Building off another question: increasing the iterations and using a strong master password will make brute force harder, though it will slow down the app.
- As for the sync issue, I did it manually. There is a feature called KeeShare that offers sync options; however, I could only find docs on the beta page, so its functionality/stability may be limited.
- Finally, there is no perfect security; it's all about trade-offs and risks.
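The layout this answer recommends (several copies, one off-site, key file kept apart from the cloud copy, copies kept in sync) can be audited mechanically. The script below is an added example, not code from the original post and not part of KeePassXC or KeeShare: it builds a constructed vault layout in a temporary directory (the `.kdbx` and `.keyx` contents are placeholder bytes, and the `local`/`cloud`/`usb` labels are hypothetical), then reports copies that are out of sync and stale, a missing off-site copy, and a key file that has ended up in a cloud-synced folder.

```python
"""Backup-hygiene audit for a KeePassXC-style vault layout (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class VaultCopy:
    location: str       # hypothetical label, e.g. "local", "cloud", "usb"
    path: Path          # where this copy of the .kdbx lives
    offsite: bool       # counts as an off-site backup
    cloud_synced: bool  # the containing folder is mirrored to a cloud provider


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large databases are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(copies: list[VaultCopy], key_file: Path | None, max_stale_seconds: int) -> list[str]:
    """Return a list of findings; an empty list means the layout passes every check."""
    findings: list[str] = []
    if len(copies) < 2:
        findings.append("fewer than two copies of the database")
    elif len({c.location for c in copies}) < 2:
        findings.append("all copies are in the same location")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if copies:
        # The newest copy is the reference; any copy whose content differs
        # and whose mtime lags by more than the threshold is reported as stale.
        newest = max(copies, key=lambda c: c.path.stat().st_mtime)
        ref_hash = sha256_of(newest.path)
        ref_mtime = newest.path.stat().st_mtime
        for c in copies:
            lag = ref_mtime - c.path.stat().st_mtime
            if sha256_of(c.path) != ref_hash and lag > max_stale_seconds:
                findings.append(f"copy '{c.location}' is out of sync and {lag / 86400:.1f} days stale")
    if key_file is not None:
        # The key file must never sit inside a folder that is mirrored to the cloud.
        key = key_file.resolve()
        for c in copies:
            if c.cloud_synced and key.is_relative_to(c.path.resolve().parent):
                findings.append(f"key file is stored in the cloud-synced location '{c.location}'")
    return findings


def build_demo_layout(root: Path) -> tuple[list[VaultCopy], Path]:
    """Constructed layout: local and cloud copies in sync, a week-old USB copy,
    and a key file mistakenly dropped into the cloud folder."""
    current = b"constructed KDBX bytes, current revision"
    old = b"constructed KDBX bytes, older revision"
    local, cloud, usb = root / "local", root / "cloud", root / "usb"
    for d in (local, cloud, usb):
        d.mkdir()
    (local / "vault.kdbx").write_bytes(current)
    (cloud / "vault.kdbx").write_bytes(current)
    (usb / "vault.kdbx").write_bytes(old)
    week_ago = time.time() - 7 * 86400
    os.utime(usb / "vault.kdbx", (week_ago, week_ago))
    key_file = cloud / "vault.keyx"          # wrong place on purpose
    key_file.write_bytes(b"constructed key file bytes")
    copies = [
        VaultCopy("local", local / "vault.kdbx", offsite=False, cloud_synced=False),
        VaultCopy("cloud", cloud / "vault.kdbx", offsite=True, cloud_synced=True),
        VaultCopy("usb", usb / "vault.kdbx", offsite=False, cloud_synced=False),
    ]
    return copies, key_file


def run_demo() -> list[str]:
    """Audit the constructed layout with a two-day staleness threshold."""
    with tempfile.TemporaryDirectory() as tmp:
        copies, key_file = build_demo_layout(Path(tmp))
        return audit(copies, key_file, max_stale_seconds=2 * 86400)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Run it and it prints two findings for the constructed layout: the USB copy is out of sync and about seven days stale, and the key file is inside the cloud-synced folder. Pointing `VaultCopy` entries at real paths turns it into a quick pre-sync check; the content hash is what detects drift, so a copy that merely has an old timestamp but identical bytes is not reported.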