LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Forcefield
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Overview
  • Platforms That Support Offline Access
  • Work Offline With an SSO Enabled Account
  • Offline Setup
  • Enable Offline Access
  • Web Vault & Desktop App
  • Android
  • 2FA and Offline Mode
  • Re-authentication for Offline Access Changes
  • Work Offline
  • Biometric Login
  • Resuming Online Session
  • Offline Features
  • Administrative Guide
  • Admin Console Interface for Offline Mode
  • Offline SSO and Master Password
  • Considerations for Offline Access

Was this helpful?

Export as PDF

Vault Offline Access

Offline access is a common use case for organizations who require vault access in poor network conditions or when SSO is unavailable.

PreviousCompliance ReportsNextSecrets Manager

Last updated 1 month ago

Was this helpful?

Overview

Offline Mode allows users access to their vaults from any device when they are not able to connect online to Keeper or to their SSO Identity Provider. Offline access is available for Keeper Web, Desktop, iOS and Android Mobile Apps.

This capability works by making a copy of your encrypted vault to your local device. The vault ciphertext is stored in an encrypted format which is only accessible if the user provides their Master Password or biometric authentication. Offline access also works with multiple accounts on the same device.

Offline Authentication Methods

  • Master Password

  • Biometrics

Platforms That Support Offline Access

Platform
Version

Desktop

Keeper Desktop App (Mac, Windows, Linux)

Web Browser

Mobile (Conditional Access on iOS)

iOS | Android

Mobile - Conditional Offline Access:

Offline mode is available as long as there are no enforcements or specific 2FA settings that directly prevent it. See for scenarios that affect offline access via your mobile device.

Work Offline With an SSO Enabled Account

If your organization's SSO is not available (e.g. is offline), click Work Offline in the lower right corner of your screen then click the Enterprise SSO Login dropdown and select Master Password to gain access to your vault offline.

From the login screen, enter your Master Password as usual to login offline.

For users who normally login with SSO and do not also have a master password setup, you must first configure one in order to login to Keeper when offline. Simply visit your vault Settings Menu and clicking Setup next to "Master Password".

Offline Setup

To access Offline Mode, your device will need to be “primed” with a local copy of your vault by logging in with an online connection at least once. Moving forward, you will have access to all of the records in your vault and you can create new records and edit existing records, all without requiring a network connection.

Users can confirm their Keeper Vault is available offline via a lightning bolt icon or "Available Offline" text which indicates your vault data has been loaded onto that device. If the availability indicator is not present, you will need to login to your vault at least once while online.

Enable Offline Access

Web Vault & Desktop App

By default, Offline Access will be turned off. To allow Offline Access, click on your email address in the upper-right corner of your vault home screen and select Settings > Security. Next click the dropdown menu next to "Allow Offline Access". You will then be asked to re-authenticate to Keeper in order to proceed.

Once you've entered your master password, you can choose for how long you would like Offline Access to be available (Always, 30 days, 14 days, 7 days or 1 day).

Android

To allow Offline Access on your Android device, navigate to Keeper's Settings menu (Settings are located under your Avatar in the upper right corner of the app).

Next, tap Allow Offline Access and choose your preferred offline duration (Always, 30 Days, 14 Days, 7 Days, or 1 Day). Lastly re-authenticate to Keeper when prompted.

2FA and Offline Mode

If 2FA is enabled on your account, a warning will appear informing you that 2FA will be bypassed when accessing your vault in Offline Mode. This ensures that users are aware of the potential reduction in security when accessing the vault offline.

Re-authentication for Offline Access Changes

You will be required to re-authenticate whenever you toggle the offline access on, including selecting a specific offline duration (e.g., Always Allowed or 30 Days). No re-authentication is needed when changing between the available "on" options (e.g., from 30 days to 14 days).

Work Offline

To activate Offline Mode from the vault login screen or from within your vault on Keeper Web or Desktop, click on the Work Offline button in the lower right corner of your screen. On iOS and Android, Offline Mode will automatically be initiated when logging in if you aren't connected to the internet.

The "Offline Mode" indicator will appear at that top of your vault window.

You can resume a session online at anytime (provided you have a stable network connection) by clicking Go Online in the upper right corner of your vault window.

Biometric Login

When biometrics (Touch ID, Windows Hello) have been activated on an account from the Keeper Desktop application, you can use this to authenticate offline instead of a Master Password.

To log in offline with biometrics, first enable it from your account dropdown menu, Settings > Security.

Resuming Online Session

You can resume a session online at anytime (provided you have a stable network connection) by clicking Go Online in the upper right corner of your vault window.

Offline Features

Keeper's offline capabilities are central to a user's ability to retrieve important data even in the poorest of network conditions. Key vault features that are available offline include:

  • Creating new records

  • Editing records

  • Moving records and shortcut creation (Mobile App)

  • Viewing your Security Audit score

  • Viewing Deleted Items (Web and Desktop)

A notice will appear if you attempt to perform an action that is not available while offline.

If a device is being used temporarily (e.g. a borrowed PC), then the stored offline vault can be deleted from that device.

From the vault login screen, click the dropdown icon in the email address field, then click the "X" to the right of your email address to delete all offline data associated with that vault from the device. This action can be similarly performed on all Keeper platforms.

Administrative Guide

Admin Console Interface for Offline Mode

Offline access for users can be enabled or disabled via the Admin Console's Enforcement Policies menu with a simple toggle, by default Offline Access is enabled.

Offline SSO and Master Password

To provide users who normally login with SSO the ability to access their vault in offline mode, the Keeper Administrator can enable the use of a Master Password as a role-based enforcement, this feature is disabled by default.

To enable SSO users the ability to set a Master Password for offline access, turn "on" the Allow users who login with SSO to create a Master Password toggle in the Login Settings section of Enforcement Policies menu.

Considerations for Offline Access

  • In order have a local repository to access offline the vault needs to have been authenticate and synchronized online first at least once.

  • Ensure that the Remember Email checkbox is selected at the login screen of the Web Vault.

  • The data in the vault will be as current as the last data push.

  • Master Password or Biometrics support offline access.

  • By definition, Two-Factor Authentication protects cloud-based APIs and online authentication. When users authenticate to their vault, they authenticate both locally and on the server. During offline mode, the user is authenticating locally and decrypting their vault. Therefore, during offline mode, users are not prompted for Two-Factor Authentication.

  • If 2FA is enforced for every login from role policies or user selection, offline mode will not function on that particular device.

(Chrome, Safari, Firefox, Edge)

This feature can be activated by the Keeper Administrator from the Keeper Admin Console. The role enforcement policies are .

Deleting Offline Data

When logging in offline on a Web Browser (Chrome, Firefox, Safari, Edge), the user must navigate to the exact URL: US Data Center: US Public Sector / GovCloud: EU Data Center: AU Data Center: CA Data Center: JP Data Center:

Troubleshooting
documented here
https://keepersecurity.com/vault
https://govcloud.keepersecurity.us/vault
https://keepersecurity.eu/vault
https://keepersecurity.com.au/vault
https://keepersecurity.ca/vault
https://keepersecurity.jp/vault
Web Vault
Work Offline
SSO Master Password for Offline Login
Account Dropdown > Settings > Setup
Offline Availability on Web and Desktop
Settings > Security > Allow Offline Access
Set Offline Access Duration
Enable Offline Access
Select Offline Access Duration
Re-authenticate to Keeper
Activate Offline Mode from the Vault Login Screen
Enable Touch ID on Keeper Desktop App
Restrict Offline Access Enforcement
SSO Master Password Enforcement (Disabled by Default)