[aborsy]

KeepassXC is a thick client password manager. Password store might be even more secure.

If you want “seamless sync of your secrets” by a trusted 3rd party with an online vault, well, then, Bitwarden or 1Password. But the architecture is roughly the same as that of lastpass (though they also encrypt URLs, and might have better KDF, and operational security).

In particular, you should assume that 3-letter agencies snapshot data in cloud placed at their feet, have your vault, and may attempt to crack it should that be needed.

[auxym]

I use Keepass(XC) across all my devices, windows, Linux and android.

I sync the DB with Nextcloud and encrypt with a combination of password and keyfile. The keyfile is a few KB of /dev/random and I only transfer it "offline" between devices (mostly over USB to/from my phone).

[aborsy]

I could suggest a small improvement: a diceware password instead of directly taking the output of /dev/urandom. That would allow you to easily and securely exchange the symmetric key by typing it.

Also, /dev/urandom instead of /dev/random (as seed to diceware).

[acidburnNSA]

Oooh smart. Yeah moving my keyfile when I get a new phone or device every few years via a USB cable hasn't been much of a hassle, but your plan is even better.