# Advanced
## Config Parameter Protection The Keeper Vault can be utilized to protect and store configuration secrets that would normally be hard-coded into the `guacamole.properties` or Docker Compose file. ### **Auto Docker Install Method** If you installed Keeper Connection Manager using the Auto Docker Install method, configuration secrets are protected in the auto-generated Docker Compose file. As root, edit the `/etc/kcm-setup/docker-compose.yml` file. For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record. **BEFORE:** ``` MYSQL_HOSTNAME: "db" MYSQL_DATABASE: "guacamole_db" MYSQL_USERNAME: "guacamole_user" MYSQL_PASSWORD: "your_mysql_database_password" ``` **AFTER:** ``` MYSQL_HOSTNAME: "db" MYSQL_DATABASE: "guacamole_db" MYSQL_USERNAME: "guacamole_user" MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password ``` The token syntax is using [Keeper Notation](https://docs.keeper.io/keeperpam/secrets-manager/about/keeper-notation). The name of the parameter must follow the format of `*_KSM_SECRET`. In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder. ![Configuration Storage in the Keeper Vault](https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FER25scu5J6DgPGkCBMvf%2FScreen%20Shot%202022-04-26%20at%207.01.40%20AM.png?alt=media\&token=88012600-fdf5-4a28-803f-3757a10473a6) The value of each `*_KSM_SECRET` variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if `SOME_VARIABLE_KSM_SECRET` were set to valid Keeper notation, then the value of the Guacamole property normally associated with `SOME_VARIABLE` will be pulled from that secret in KSM. Once the file changes have been saved, update the containers: ``` $ sudo ./kcm-setup.run upgrade ``` ### **Docker Compose Install Method** Edit your `docker-compose.yml` file. For each configuration secret that you want to protect, you can replace the entry with a direct lookup in the Keeper vault. A good example of this is replacing the hard-coded MySQL database password with a vault record: ``` MYSQL_HOSTNAME: "db" MYSQL_DATABASE: "guacamole_db" MYSQL_USERNAME: "guacamole_user" MYSQL_PASSWORD_KSM_SECRET: keeper://2ZlOFQAYi4DubJWBtSbRxw/field/password ``` The token syntax is using [Keeper Notation](https://docs.keeper.io/keeperpam/secrets-manager/about/keeper-notation). In this example, the MySQL database password is pulled directly from a Keeper record in the Shared Folder as seen below: ![Configuration Storage in the Keeper Vault](https://3357255970-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fb7weUpu7VBcMnESSH8vG%2Fuploads%2FER25scu5J6DgPGkCBMvf%2FScreen%20Shot%202022-04-26%20at%207.01.40%20AM.png?alt=media\&token=88012600-fdf5-4a28-803f-3757a10473a6) The value of each `*_KSM_SECRET` variable should be the Keeper notation of the secret that should be used to pull the necessary configuration value. For example, if `SOME_VARIABLE_KSM_SECRET` were set to valid Keeper notation, then the value of the Guacamole property normally associated with `SOME_VARIABLE` will be pulled from that secret in KSM. Once the file changes have been saved, update the containers: ``` sudo su docker-compose up -d ``` ### Other configuration options In docker installations, the parameter `ADDITIONAL_GUACAMOLE_PROPERTIES_KSM` can be used to move parameters from the guacamole.properties file into guacamole.properties.ksm.