Keeper Connection Manager installation instructions in the cloud or on-prem environments.
Keeper Connection Manager is installed as a gateway in your cloud, virtual or on-prem environment. There are several methods of deployment, and installation only takes a few minutes.
For the Auto Docker Install method, we support any version of Linux.
For the Docker Compose Install method, Keeper Connection Manager will run on any platform that supports Docker or Docker Desktop, including all versions of Windows and Linux.
Customers who directly installed via Linux RPMs can refer to our advanced Linux install docs.
The container running Keeper Connection Manager needs network access to the target desktops/systems that will be managed.
In a production deployment, select a domain name to access the endpoint, e.g. kcm.company.com and create a new DNS record to map it to your server's public IP. You will be prompted to enter the domain name during the installation.
Ensure that the DNS record maps to your server's public IP address, or an IP that is internally available to your end-users over HTTPS port 443.
Keeper Connection Manager requires an SSL certificate for installation. Decide before starting installation if you want to use Let's Encrypt, or if you have your own certificate file and private key.
Let's Encrypt is a certificate authority that is free, automated, open, and is also the world's largest CA. During installation using the Auto Docker Install method, Keeper Connection Manager will provide an option to utilize Let's Encrypt (option 1), which will generate a 3-month trusted certificate for your domain.
If you plan to use Let's Encrypt as your CA, you should open ports 80 and 443. Let's Encrypt uses port 80 to perform automated SSL certificate generation.
However, if you would like to use your own certificate obtained by a different CA, you can do so by choosing (option 2) during the installation prompt.
If you would like to use your own certificate, Keeper Connection Manager installation will prompt you to enter the full path and file name first for your .crt file, and next for your .pem file. Make sure to transfer these files to your server before beginning installation.
Keeper Connection Manager can be installed using one of the following methods.
An automated installer script is available for Linux which performs several of the Docker setup steps, such as generating a Docker Compose file, setting up SSL certificates and other options.
Go to: Installation Instructions for Auto Docker Install
This method is recommended for users who are new to Docker and prefer Linux.
This advanced and customized Docker install for Keeper Connection Manager provides the Docker Compose file to deploy in any Docker environment with support for additional packages such as SSO, LDAP, TOTP and more.
Go to: Installation Instructions for Docker Compose Install
This method is required for Windows and recommended for users who are familiar with Docker.
Activating your Keeper Connection Manager license key
Starting with Keeper Connection Manager version 2.19, customers are required to obtain a license key from Keeper in order to continue the use of the application.
Before installing KCM 2.19 or later versions, please ensure you have a valid license key. Without a valid license key, users and administrators will be unable to use KCM after the update is applied.
To obtain a license key, please contact Keeper Support directly at:
Upon request, Keeper staff will generate and send a copy of your license key.
To install your license key, follow the steps below:
During the installation process, you will be prompted to input the license key.
If using the or Install method, simply update the keeper/guacamole container definition with the license as the value of the KCM_LICENSE environment variable.
Example:
(Optional) If the license will be present within a file in your container, you may alternatively use the KCM_LICENSE_FILE environment variable to point to that file.
(Optional) If using the RPM packages, you must provide the license as the sole contents of /etc/guacamole/kcm.license, which must be readable by the guacamole group.
After adding the license key, restarting the container is necessary. If using the Auto Docker Install method, simply run:
Get your environment, network, and system ready and prepared.
Keeper Connection Manager will serve as your secure "jumpbox" and you'll use your web browser to access it. First, choose a URL that you'd like to use for accessing KCM.
You'll need the following:
1. A designated machine (usually a Linux VM) with a static IP address
2. Choose a fully-qualified domain name (FQDN)
3. Your DNS record set to point your FQDN to the IP of your designated machine
4. An SSL certificate
No cert? Don't worry, you can:
Start by choosing "use a self-signed certificate" (for testing)
Choose "Let's Encrypt" to generate a 90 day auto-renewing cert (requires 80 and 443 open)
Bring your own cert during setup or add it in later using the reconfigure command
To prepare for installation:
Create/Identify and establish root access to the server that will run the Keeper Connection Manager gateway
Decide if you want your KCM gateway to be public-facing (assign public IP), or internal-only (assign private IP)
Add internal/external DNS A Record (or AAAA record) to point your domain to your KCM server's IP address
Make sure that ports 80 and 443 are open to the public if you plan to use Let's Encrypt.
Check your firewall to make sure that traffic can flow between your server and Docker. Some domains that it will need to reach include docker.com, docker.io and others.
To check that your Linux system's entropy level is at least 1000, use the command:
To increase the speed of entropy generation, you can install the haveged service to ensure that the environment can efficiently create secure random numbers.
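A pre-install check for the entropy threshold above and for the RPM license file requirement described earlier, as an added example that is not Keeper's installer code. The function names are hypothetical; it assumes a Linux host with GNU stat, and the check against access by other users is an added hardening step beyond what the page requires.

```shell
#!/bin/sh
# Pre-install checks for a KCM host. Added example: the function names are
# hypothetical and are not part of Keeper's installer.

# entropy_ok [MIN] [AVAIL_FILE] [POOLSIZE_FILE]
# Succeeds when available entropy is at least MIN (the page's threshold: 1000).
# Assumption: when the kernel's pool is smaller than MIN, a full pool passes,
# because entropy_avail can never exceed poolsize on such a kernel.
entropy_ok() {
    min=${1:-1000}
    avail_file=${2:-/proc/sys/kernel/random/entropy_avail}
    pool_file=${3:-/proc/sys/kernel/random/poolsize}
    avail=$(cat "$avail_file" 2>/dev/null) || avail=''
    pool=$(cat "$pool_file" 2>/dev/null) || pool=''
    case $avail in
        ''|*[!0-9]*) echo "entropy: cannot read $avail_file" >&2; return 2 ;;
    esac
    if [ "$avail" -ge "$min" ]; then return 0; fi
    case $pool in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$pool" -lt "$min" ] && [ "$avail" -ge "$pool" ]; then return 0; fi
    return 1
}

# license_file_ok [FILE] [GROUP]
# RPM installs: the license file must be readable by the guacamole group.
# Added hardening (not a page requirement): reject any access for "other".
license_file_ok() {
    file=${1:-/etc/guacamole/kcm.license}
    want_group=${2:-guacamole}
    if [ ! -s "$file" ]; then
        echo "license: $file is missing or empty" >&2; return 1
    fi
    # GNU stat: %G is the owning group name, %a the octal mode (e.g. 640).
    file_group=$(stat -c '%G' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2
    other=${mode#"${mode%?}"}   # last digit: permissions for "other"
    rest=${mode%?}
    grp=${rest#"${rest%?}"}     # second-to-last digit: group permissions
    if [ "$file_group" != "$want_group" ]; then
        echo "license: group is $file_group, expected $want_group" >&2; return 1
    fi
    case $grp in
        4|5|6|7) ;;
        *) echo "license: mode $mode is not group-readable" >&2; return 1 ;;
    esac
    if [ "$other" != 0 ]; then
        echo "license: mode $mode is accessible to other users" >&2; return 1
    fi
    return 0
}

# preflight: run the checks that apply to this host and summarize.
preflight() {
    rc=0
    if entropy_ok 1000; then echo "entropy: ok"
    else echo "entropy: below 1000 (consider haveged)"; rc=1; fi
    # The license file check applies to RPM installs only.
    if [ -d /etc/guacamole ]; then
        if license_file_ok; then echo "license: ok"; else rc=1; fi
    fi
    return $rc
}

# Run all checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```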
If Podman is installed, you must run the following two commands before installation:
Detailed list of system and operating system requirements for Keeper Connection Manager
The recommended method to install Keeper Connection Manager is via the. This removes any operating system, system pre-requisites and other requirements. If the underlying system supports a current version of Docker, the container is fully supported.
Glyptodon 1.x - Full support for 2 years after any major release
Glyptodon 2.x - Full support for 2 years after any major release
Keeper Connection Manager 2.x - Full support for 2 years after any major release
The generalized formula for sizing Keeper Connection Manager is 1 CPU core and 2 GB of memory for every 25 concurrent users anticipated. We recommend a minimum of 8GB RAM and 2 cores for any small deployment.
For anything over 200 concurrent sessions, we have several options, and it may be best to talk through this with our sales engineering team to find the right solution based on your needs and connection types.
A single session recording can vary based on the content being shown. This is affected by the type of connection. GUIs typically have higher recording sizes versus CLI connections like SSH, which can be quite small.
There are far too many variables in play to accurately predict disk space needs for recordings. The best practices are to monitor the recordings folder and offload them to another location as needed.
Network throughput also varies based on activity, type of session and connection settings. From actual examples, we've found that for a system running about 100 concurrent sessions, network traffic varies between 9Mbit/s and 15Mbit/s for all 100 connections. Each connection would be on average 1/100th of the 15Mbit value.
In the same above scenario with 100 connections, we would expect about 15gb total traffic per hour on the network adaptor. Comparing inbound and outbound traffic, just over 90% of the traffic is outbound from the server to the clients.
Instantly access your infrastructure with zero-trust security.
Keeper Connection Manager (KCM) On-Prem is an agentless remote desktop gateway that provides instant and secure access to desktops, servers, databases and web applications from a web browser.
Benefits of the KCM On-Prem platform:
Self-hosted
Agentless
Lightning Fast and Responsive
Simple Access Controls
Customizable
Features include:
Support for RDP, SSH, VNC, K8s remote access protocols
Support for MySQL, PostgreSQL, SQL Server database protocols
Support for web application protection through Remote Browser Isolation technology
Session Recording and playback
Privileged Session Management
Multi-User Session Sharing
Role-Based Access Controls
MFA Options: TOTP, Duo
PIV/CAC smart card authentication
SSO, OpenID Connect, Active Directory, LDAP Integration
Custom Branding
Keeper is typically deployed as a Docker container. The system architecture diagram is below.
Keeper Connection Manager is the commercially-supported solution produced by the original creators of Apache Guacamole, the open source platform used by millions of people for accessing remote desktops. Keeper Connection Manager is built on top of the Guacamole gateway, with expanded capabilities, advanced integrations and ongoing feature development. Glyptodon was acquired by Keeper Security in December 2021.
Keeper Connection Manager security and encryption model
Keeper utilizes best-in-class security with a zero-trust framework and zero-knowledge security architecture to safeguard your infrastructure and mitigate the risk of a data breach.
Keeper Security, Inc. (KSI) is passionate about protecting its customers' information and infrastructure with Keeper desktop and mobile security software. Millions of consumers and businesses trust Keeper to secure and access remote systems, passwords and private information. Keeper's software is constantly improved and updated to provide our customers with the latest in technology and protection. This page provides an overview of Keeper's security architecture and encryption methodologies.
The Docker container is made up of several core components including:
Apache Guacamole web application software
Apache Guacamole "guacd" protocol service
NGINX for SSL termination and reverse proxy
Apache Tomcat services
MySQL, PostgreSQL or other supported databases
Additional packages that support Enterprise capabilities such as SAML 2.0 / SSO, OpenID Connect, TOTP, Vault Integration and components are provided as part of the package installers or as separate add-on components.
Once ready to deploy Keeper Connection Manager to production, it is critically important that customers configure SSL encryption. You will need to obtain an SSL certificate for your server such that all Keeper Connection Manager traffic is encrypted.
Customer vault records are protected using stringent and tightly monitored internal control practices. Keeper is certified as SOC 2 Type 2 compliant in accordance with the AICPA Service Organization Control framework. SOC 2 certification helps ensure that your vault is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.
Keeper Security is ISO 27001 certified, covering the Keeper Security Information Management System which supports the Keeper Enterprise Platform. Keeper's ISO 27001 certification is scoped to include the management and operation of the digital vault and cloud services, software and application development, and protection of digital assets for the digital vault and cloud services.
Keeper software is compliant with global, medical data protection standards covering, without limitation, HIPAA (Health Insurance Portability and Accountability Act) and DPA (Data Protection Act).
Keeper is a SOC2-certified and ISO 27001-certified zero-knowledge security platform that is HIPAA compliant. Strict adherence and controls covering privacy, confidentiality, integrity and availability are maintained. With this security architecture, Keeper cannot decrypt, view or access any information, including ePHI, stored in a user’s Keeper Vault. For the foregoing reasons, Keeper is not a Business Associate as defined in the Health Insurance Portability and Accountability Act (HIPAA), and therefore, is not subject to a Business Associate Agreement.
Keeper Security environments are tested daily by TrustedSite to ensure that the Keeper web application and KSI's Cloud Security Vault are secure from known remote exploits, vulnerabilities and denial-of-service attacks. A comprehensive external security scan is conducted monthly on the Keeper websites, Keeper web application, and Keeper Cloud Security Vault by TrustedSite. Keeper staff periodically initiate on-demand external scans.
Keeper Security uses PayPal and Stripe for securely processing credit and debit card payments through the KSI payment website. PayPal and Stripe are PCI-DSS compliant transaction processing solutions. Keeper Security is certified PCI-DSS compliant.
Improved FIPS compliance support for SSH and RDP connections
Better log messaging when a compliant connection cannot be made
Keeper Connection Manager is hosted by the customer. The Keeper website and cloud storage runs on secure Amazon Web Services (AWS) cloud computing infrastructure. The AWS cloud infrastructure which hosts Keeper's system architecture has been certified to meet the following third-party attestations, reports and certifications:
SOC 1 / SSAE 16 / ISAE 3402 (SAS70)
SOC 2
SOC 3
PCI DSS Level 1
ISO 27001, 27017 and 27018
FedRamp
DIACAP
FISMA
ITAC
FIPS 140-2
CSA
MPAA
Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues. We take your security and privacy seriously, and we are committed to protecting our customers’ privacy and personal data. KSI’s mission is to build the world’s most secure and innovative security apps, and we believe that bug reports from the worldwide community of security researchers are a valuable component to ensuring the security of KSI’s products and services.
Keeping our users secure is core to our values as an organization. We value the input of good-faith researchers and believe that an ongoing relationship with the cybersecurity community helps us ensure their security and privacy, and makes the Internet a more secure place. This includes encouraging responsible security testing and disclosure of security vulnerabilities.
The Keeper Connection Manager team actively monitors the upstream Apache Guacamole project for newly-disclosed security vulnerabilities, and has procedures in place for releasing security updates outside the normal release cycle. Should a vulnerability be found in Guacamole, the patch for that vulnerability will be made immediately available through the Keeper Connection Manager repository, and can be applied automatically using the upgrade process based on your installation method.
Keeper's Vulnerability Disclosure Policy sets out expectations when working with good-faith researchers, as well as what you can expect from us.
If security testing and reporting is done within the guidelines of this policy, we:
Consider it to be authorized in accordance with the Computer Fraud and Abuse Act,
Consider it exempt from DMCA, and will not bring a claim against you for bypassing any security or technology controls,
Consider it legal, and will not pursue or support any legal action related to this program against you,
Will work with you to understand and resolve the issue quickly, and
Will recognize your contributions publicly if you are the first to report the issue and we make a code or configuration change based on the issue.
To encourage good-faith security testing and disclosure of discovered vulnerabilities, we ask that you:
Avoid violating privacy, harming user experience, disrupting production or corporate systems, and/or destroying data,
Perform research only within the scope set out by the Bugcrowd vulnerability disclosure program linked below, and respect systems and activities which are out-of-scope,
Give us reasonable time to analyze, confirm and resolve the reported issue before publicly disclosing any vulnerability finding.
Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program.
Keeper Security utilizes best-in-class security with a Zero-Knowledge security architecture and Zero-Trust framework. Additional technical documentation about Keeper's Zero-Knowledge encryption model can be found at the links below:
Keeper is SOC 2 Type 2, ISO27001 certified, FedRAMP Authorized. Customers may request access to our certification reports, 3rd party penetration reports and technical architecture documentation with a signed mutual NDA.
You can either bring your own SSL certificate, or you can generate one during the installation by choosing the option for . If planning to use Let's Encrypt, make sure that ports 80 and 443 are open to the internet during the installation.
On RHEL, the haveged package is not available from the Red Hat repositories and must instead be installed from the EPEL repository. EPEL provides instructions for configuring their repository here: . After EPEL is installed, run the following commands:
Ready to get started with Keeper Connection Manager? Proceed to the .
The Keeper Connection Manager Gateway is a platform that is fully hosted by the customer in any cloud, on-prem or virtual environment. Keeper provides customers with the and method of installation.
The engineering team at Keeper Security that built Keeper Connection Manager (formerly Glyptodon) are the inventors and primary maintainers of the open source project. Keeper Security is proud to support the open source community and millions of users who use the Apache Guacamole remote desktop software.
The packages provided by Keeper Connection Manager have been designed to follow best practices with respect to security, particularly with respect to the . This is accomplished through careful delegation of rights through users and groups which are automatically created by the Keeper Connection Manager packages, and through strict file permissions.
If you have deployed Keeper Connection Manager using the or method, you may have already configured SSL.
Customers who deploy the Auto Docker Install version can use the .
Customers who deploy the Docker Compose Install version can use the .
Keeper is GDPR compliant and we are committed to ensuring our business processes and products continue to maintain compliance for our customers in the European Union. to learn more about Keeper's GDPR compliance and download data processing agreements.
To learn more about the additional benefits for healthcare providers and health insurance companies, please read our and visit our .
Keeper performs quarterly pen testing with 3rd party experts including and . In addition, Keeper works with independent security researchers who test against all of our products and systems through our .
The Keeper web client, Android App, Windows Phone App, iPhone/iPad App and browser extensions have been certified Privacy Shield compliant with the U.S. Department of Commerce's EU-U.S. Privacy Shield program, meeting the European Commission's Directive on Data Protection. For more information about the U.S. Department of Commerce U.S. Privacy Shield program, see
Keeper utilizes FIPS 140-2 validated encryption modules to address rigorous government and public sector security requirements. Keeper’s encryption has been certified by the NIST CMVP and validated to the FIPS 140 standard by accredited third party laboratories. Keeper has been issued under the NIST CMVP. For the best FIPS experience use KCM version 2.9.6+ for improvements including:
Keeper is certified by the U.S. Department of Commerce Bureau of Industry and Security under Export Commodity Classification Control Number 5D992, in compliance with Export Administration Regulations (EAR). For more information about EAR:
Keeper is monitored 24x7x365 by a global third-party monitoring network to ensure that our website and Cloud Security Vault are available worldwide. If you have any questions regarding this security disclosure, please .
If you receive an email purporting to be sent from KSI and you are unsure if it is legitimate, it may be a “phishing email” where the sender's email address is forged or “spoofed”. In that case, an email may contain links to a website that looks like KeeperSecurity.com but is not our site. The website may ask you for your Keeper Security master password or try to install unwanted software on your computer in an attempt to steal your personal information or access your computer. Other emails contain links that may redirect you to other potentially dangerous web sites. The message may also include attachments, which typically contain unwanted software called "malware." If you are unsure about an email received in your inbox, you should delete it without clicking any links or opening any attachments. If you wish to report an email purporting to be from KSI that you believe is a forgery or you have other security concerns involving other matters with KSI, please .
If at any time you are concerned or uncertain about testing in a way that is consistent with the Guidelines and Scope of this policy, please contact us at before proceeding.
Contact us immediately at if you encounter any user data during testing, and
Please submit reports through .