LogoLogo
KeeperPAM and Secrets Manager
KeeperPAM and Secrets Manager
  • KeeperPAM
  • Privileged Access Manager
    • Setup Steps
    • Quick Start: Sandbox
    • Getting Started
      • Architecture
        • Architecture Diagram
        • Vault Security
        • Router Security
        • Gateway Security
        • Connection and Tunnel Security
      • KeeperPAM Licensing
      • Enforcement Policies
      • Vault Structure
      • Record Linking
      • Applications
      • Devices
      • Gateways
        • Creating a Gateway
        • Docker Installation
        • Linux Installation
        • Windows Installation
        • Auto Updater
        • Sharing Gateways
        • Alerts and SIEM Integration
        • Advanced Configuration
          • Gateway Configuration with AWS KMS
          • Gateway Configuration with Custom Fields
      • PAM Configuration
        • AWS Environment Setup
        • Azure Environment Setup
        • Local Environment Setup
      • PAM Resources
        • PAM Machine
          • Example: Linux Machine
          • Example: Azure Windows VM
        • PAM Database
          • Example: MySQL Database
          • Example: PostgreSQL Database
          • Example: Microsoft SQL Server Database
        • PAM Directory
        • PAM Remote Browser
        • PAM User
      • Access Controls
      • Just-In-Time Access (JIT)
    • Password Rotation
      • Rotation Overview
      • Rotation Use Cases
        • Local Network
          • Active Directory or OpenLDAP User
          • Windows User
          • Linux User
          • macOS User
          • Database
            • Native MySQL
            • Native MariaDB
            • Native PostgreSQL
            • Native MongoDB
            • Native MS SQL Server
            • Native Oracle
        • Azure
          • Azure AD Users
          • Azure VM User Accounts
          • Azure Managed Database
            • Azure SQL
            • Azure MySQL - Single or Flexible Database
            • Azure MariaDB Database
            • Azure PostgreSQL - Single or Flexible Database
          • Azure App Secret Rotation
        • AWS
          • IAM User Password
          • Managed Microsoft AD User
          • EC2 Virtual Machine User
          • IAM User Access Key
          • Managed Database
            • AWS RDS for MySQL
            • AWS RDS for SQL Server
            • AWS RDS for PostgreSQL
            • AWS RDS for MariaDB
            • AWS RDS for Oracle
        • SaaS Rotation Plugins
        • Custom Scripts
          • Okta User
          • Snowflake User
          • Rotate Credential via REST API
          • Cisco IOS XE
          • Cisco Meraki
      • Service Management
      • Post-Rotation Scripts
        • Inputs and Outputs
        • Attaching Scripts
        • Code Examples
    • Connections
      • Getting Started
      • Session Protocols
        • SSH Connections
        • RDP Connections
        • MySQL Connections
        • SQL Server Connections
        • PostgreSQL Connections
        • VNC Connections
        • Telnet Connections
        • Kubernetes
        • RBI Connections
      • Examples
        • SSH Protocol - Linux Machine
        • RDP Protocol - Azure Virtual Machine
        • MySQL Protocol - MySQL Database
        • PostgreSQL Protocol - PostgreSQL Database
    • Tunnels
      • Setting up Tunnels
    • Remote Browser Isolation
      • Setting up RBI
        • URL Patterns & Resource URL Patterns
        • Browser Autofill
    • Session Recording & Playback
    • SSH Agent
      • Integration with Git
    • Discovery
      • Discovery Basics
      • Discovery using Commander
      • Discovery using the Vault
    • KeeperAI
    • On-Prem Connection Manager
    • References
      • Port Mapping
      • Setting up SSH
      • Setting up WinRM
      • Gateway Network Configuration
      • Setting up SQL Server
      • Database Import and Export
      • Installing sqlcmd on Linux
      • Installing Docker on Linux
      • Creating KSM App for Rotation
      • Active Directory Least Privilege
      • Event Reporting
      • Importing PAM Resources
      • Managing Rotation via CLI
      • ITSM Integration
      • Vendor Privileged Access Management
      • Commander SDK
      • Cron Spec
      • Preview Access
  • Endpoint Privilege Manager
    • Overview
    • Setup
    • Deployment
    • Collections
    • Policies
      • Example Policies
    • Managing Requests
  • Best Practices
  • FAQs
  • Secrets Manager
    • Secrets Manager Overview
    • Quick Start Guide
    • About KSM
      • Architecture
      • Terminology
      • Security & Encryption Model
      • One Time Access Token
      • Secrets Manager Configuration
      • Sharing Secrets Manager Applications
      • Keeper Notation
      • Event Reporting
      • Field/Record Types
    • Secrets Manager CLI
      • Profile Command
      • Init Command
      • Secret Command
      • Folder Command
      • Sync Command
      • Exec Command
      • Config Command
      • Version Command
      • Misc Commands
      • Docker Container
      • Custom Record Types
    • Password Rotation
    • Developer SDKs
      • Python SDK
      • Java/Kotlin SDK
        • Record Field Classes
      • JavaScript SDK
      • .NET SDK
      • Go SDK
        • Record Field Classes
      • PowerShell
      • Vault SDKs
    • Integrations
      • Ansible
        • Ansible Plugin
        • Ansible Tower
      • AWS CLI Credential Process
      • AWS Secrets Manager Sync
      • AWS KMS Encryption
      • Azure DevOps Extension
      • Azure Key Vault Sync
      • Azure Key Vault Encryption
      • Bitbucket Plugin
      • Docker Image
      • Docker Runtime
      • Docker Writer Image
      • Entrust HSM Encryption
      • Git - Sign Commits with SSH
      • GitHub Actions
      • GitLab
      • Google Cloud Secret Manager Sync
      • Google Cloud Key Management Encryption
      • Hashicorp Vault
      • Heroku
      • Jenkins Plugin
      • Keeper Connection Manager
      • Kubernetes External Secrets Operator
      • Kubernetes (alternative)
      • Linux Keyring
      • Model Context Protocol (MCP) for AI Agents (Docker)
      • Model Context Protocol (MCP) for AI Agents (Node)
      • Octopus Deploy
      • Oracle Key Vault Encryption
      • PowerShell Plugin
      • ServiceNow
      • TeamCity
      • Teller
      • Terraform Plugin
        • Terraform Registry
      • Windows Credential Manager
      • XSOAR
    • Troubleshooting
  • Commander CLI
    • Commander Overview
    • Installation and Setup
      • CLI Installation on Windows
      • CLI Installation on macOS
      • CLI Installation on Linux
      • Python Developer Setup
      • .NET Developer Setup
      • PowerShell Module
      • Logging in
      • Configuration and Usage
        • AWS Secrets Manager
        • AWS Key Management Service
      • Automating with Windows Task
      • Automating with AWS Lambda
      • Uninstallation
    • Command Reference
      • Import and Export Data
        • Import/Export Commands
        • CyberArk Import
        • LastPass Data Import
        • Delinea / Thycotic Secret Server Import
        • Keepass Import
        • ManageEngine Import
        • Myki Import
        • Proton Pass Import
        • CSV Import
        • JSON Import
      • Reporting Commands
        • Report Types
      • Enterprise Management Commands
        • Creating and Inviting Users
        • Compliance Commands
        • Breachwatch Commands
        • SCIM Push Configuration
      • Record Commands
        • Record Type Commands
        • Creating Record Types
      • Sharing Commands
      • KeeperPAM Commands
      • Connection Commands
        • SSH
        • SSH Agent
        • RDP
        • Connect Command
        • SFTP Sync
      • Secrets Manager Commands
      • MSP Management Commands
      • Miscellaneous Commands
      • Password Rotation
        • Password Rotation Commands
        • AWS Plugin
        • Azure Plugin
        • Microsoft SQL Server Plugin
        • MySQL Plugin
        • Oracle Plugin
        • PostgreSQL Plugin
        • PSPasswd Plugin
        • SSH Plugin
        • Unix Passwd Plugin
        • Windows Plugin
        • Active Directory Plugin
        • Automatic Execution
    • Service Mode REST API
    • Troubleshooting
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Commands
  • import command
  • export command
  • download-membership command
  • apply-membership command
  • download-record-types command
  • load_record_types command
  • Detailed Import Instructions
  • Exporting Records from Keeper

Was this helpful?

Export as PDF
  1. Commander CLI
  2. Command Reference

Import and Export Data

Commands for importing and exporting vault records, folders and teams permissions.

Commands

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.

To get help on a particular command, run:

help <command>

Import and Export Commands

Command

Explanation

Import data from a local file or other password managers

Export vault records

Download shared folder memberships

Apply shared folder membership changes

Download custom record types

Load custom record type into Keeper

import command

Command: import

Detail: Import data to Keeper from a local file or other password managers.

Parameters:

Path of file to import from.

*note: in file paths, backslash "\" needs to be escaped by using two in a row "\\"

Switches:

--format <{json, csv, keepass, lastpass, myki, manageengine, 1password, bitwarden, thycotic, proton}> file format (required)

--folder <FOLDER PATH OR UID> import into a specified folder

--filter-folder <FOLDER NAME> only import the specific folder from the source vault

-s, --shared import folders from file as shared folders

-p, --permissions <PERMISSIONS> default shared folder permissions if importing folders as shared

folders

  • U - manage users permission granted

  • R - manage records permission granted

  • E - edit records permission granted

  • S - share permission granted

  • A - all permissions granted

  • N - no permissions granted

-dc, --display-csv show instructions for importing using the CSV format

-dj, --display-json show instruction for importing using JSON format

--record-type <RECORD TYPE NAME> import all records as the specified type

--dry-run display records to be imported without importing them

--show-skipped display skipped records

--update update records with common login, url or title

Examples:

import C:\\records.csv --format csv
import C:\\records.csv --format csv --folder social
import C:\\shared-records.json --format json -s -p A
import C:\\lastpass\\passwords.csv --format lastpass
import --display-csv
import C:\\records.csv --format csv --record-type login
import --format=thycotic https://hostname/SecretServer
import --format=thycotic username@hostname --update --dry-run
  1. Import records from a "records" CSV file into the vault

  2. Import records from a "records" CSV file into the "social" folder

  3. Import records from a "shared-records" json file, importing and folders as shared folders with all permissions granted

  4. Import passwords from a Lastpass export file

  5. Show instructions and example for importing using CSV

  6. Import records from a "records" CSV file as login type records

  7. Import records from Thycotic/Delinea Secret Server using full URL

  8. Import records from Thycotic/Delinea Secret Server using username/hostname syntax

Additional import instructions are documented below.

Ensure that you upgrade to the latest version of Commander to support all import methods.

export command

Command: export

Detail: Export vault data to a file or the console

Parameters:

File name to export to, or nothing to export to console stdout

Switches:

--format <{json, csv, keepass}> file format

The keepass format is encrypted and can not be exported to the CLI. Keepass exports must be output to file.

--max-size <SIZE> maximum size of file attachment to export

  • format: number followed by "K","M","G" (Kilobyte, Megabyte, Gigabyte respectively)

  • e.g. "100k" , "10M" , "2G"

-kp, --keepass-file-password <PASSWORD> if exporting in keepass format, set the file's password

--zip Create ZIP archive for file attachments. JSON only

--folder <FOLDER NAME OR UID> select a folder as the export source

--store-in-vault Stores exports file as a record attachment. Keepass only

Examples:

export my-vault.csv --format csv
export --format json --max-size 10K
export keeper.kdbx --format keepass -kp 9EqfhCqbym-w
export socials.csv --format csv --folder "Socials"
  1. Export the vault in CSV format to a file named "my-vault"

  2. Export the vault in JSON format to the console, ignoring any file attachments over 10 KB

  3. Export the vault in keepass format to a file named "keeper" and set the file's password

  4. Export the records in the "Socials" folder

download-membership command

Command: download-membership

Detail: Download shared folder membership to a local JSON file.

Switches:

--source <{keeper, lastpass, thycotic}> (required)

--folders-only Unload shared folder membership only. Skip team membership.

--sub-folder <{ignore, flatten}> (optional, default ignore) Thycotic/Delinea Secret Server allows shared folder permission to be overwritten by the subfolders. This option controls how these folders are imported.

  • ignore Subfolder permissions are ignored. Folder structure is preserved.

  • flatten Such subfolders are moved to the root of the vault. Folder permissions are preserved.

This command will reach out to the source password vault (either the current Keeper vault, remote LastPass vault or remote Thycotic/Delinea Secret Server), retrieve Team and Shared Folder file structure, and then create a local JSON file containing this structure. The filename generated locally will be called shared_folder_membership.json.

This file can then be used for subsequently sharing folders with Keeper users and teams. The sharing operation is performed by executing the apply-membership command.

Examples:

download-membership --source=lastpass
apply-membership

or

download-membership --source=thycotic
apply-membership

or

download-membership --source=keeper
apply-membership

Sample Permission File

After executing download-membership, the resulting JSON file contains information about the teams, user-team assignments and shared folder permissions. An example file is below. This example file contains 3 teams, and 3 shared folders. The 3rd shared folder exists within a regular folder.

{
  "teams": [
    {
      "name": "AWS Team",
      "uid": "A-XXiApbEBMeqMbfcHMbyQ",
      "members": [
        "user1@company.com",
        "user2@company.com",
        "user3@company.com",
        "user4@company.com",
        "user5@company.com"
      ]
    },
    {
      "name": "Secrets Managers",
      "uid": "EqLqF_D7qO6zOs_9OxfWiw",
      "members": [
        "user5@acme-demo.com",
        "user6@acme-demo.com",
        "user7@acme-demo.com"
      ]
    },
    {
      "name": "Social Media",
      "uid": "yIKS09TaqxESMwRym4aMkQ",
      "members": [
        "craig@acme-demo.com",
        "jack@acme-demo.com",
        "randy@acme-demo.com",
        "shiela@acme-demo.com"
      ]
    }
  ],
  "shared_folders": [
    {
      "path": "Amazon AWS",
      "uid": "aWaqKbSTaLTmpKlVeusrow",
      "manage_users": true,
      "manage_records": true,
      "can_edit": true,
      "can_share": true,
      "permissions": [
        {
          "name": "AWS Team",
          "manage_users": true,
          "manage_records": true,
          "uid": "A-XXiApbEBMeqMbfcHMbyQ"
        },
        {
          "name": "Secrets Managers",
          "manage_users": true,
          "manage_records": true,
          "uid": "EqLqF_D7qO6zOs_9OxfWiw"
        },
        {
          "name": "craig@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "jack@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "PR Social ",
      "uid": "d4iVESSPVvuXBJtlkDzWzg",
      "manage_users": false,
      "manage_records": false,
      "can_edit": false,
      "can_share": false,
      "permissions": [
        {
          "name": "Social Media",
          "manage_users": false,
          "manage_records": false,
          "uid": "yIKS09TaqxESMwRym4aMkQ"
        },
        {
          "name": "craig@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "shiela@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "Outer Regular Folder\\Inner Shared Folder",
      "uid": "0VBh9NNDm4eyhHqnXI0OeA",
      "manage_users": false,
      "manage_records": false,
      "can_edit": false,
      "can_share": false,
      "permissions": [
        {
          "name": "user1@company.com",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "user2@company.com",
          "manage_users": true,
          "manage_records": true
        }
      ]
    }
  ]
}

apply-membership command

Command: apply-membership

Detail: Apply shared folder membership changes from a local JSON file. This command is used alongside the download-membership command.

Switches:

--full-sync force full sync of shared folder permissions. Permissions are only added by default

The apply-membership command will look for a JSON file (defaults to shared_folder_membership.json) that contains sharing permissions.

The reason for separating the downloading and applying of membership, is so that you can apply the membership changes as new Keeper users or teams are onboarded. The apply-membership command can be run over and over, or whenever a new Keeper user account or team is created. Shared folder membership will be applied to any new corresponding user accounts and teams.

Folders can only be shared to users and teams that exist (because the public key must be used to encrypt the folder keys).

Examples:

apply-membership --full-sync

or

apply-membership my_permission_file.json

download-record-types command

Command: download-record-types

Detail: Download custom record types to a JSON file.

Switches:

--source <{keeper, thycotic}> (required)

This command will reach out to the source password vault (either Keeper or Thycotic/Delinea Secret Server), retrieve custom record types (Secret Server calls it secret templates), and then create a local JSON file containing this information. The filename generated locally will be called record_types.json.

This file can then be used for subsequently loading custom record types to Keeper. The record types loading operation is performed by executing the load-record-types command.

--ssh-key-as-file

Thycotic/Delinea Secret Server stores SSH keys as file attachments. Keeper stores SSH keys on a record. If you would like to preserve Thycotic/Delinea Secret Server behavior (imported SSH keys from Secret Server will be stores as file attachments) use this option.

Examples:

download-record-types --ssh-key-as-file 

or

download-record-types my_record_types_file.json

load_record_types command

Command: load-record-types

Detail: Load custom record types from a JSON file into Keeper.

Detail: Load custom record types from a local JSON file. This command is used alongside the download-record-types command.

The load_record_types command will look for a JSON file (defaults to record_types.json) that contains custom record types and loads missing record types into Keeper.

Examples:

load-record-types

or

load-record-types my_record_types_file.json

Detailed Import Instructions

Step by step instructions are documented for migrating data and importing into Keeper from the following sources:

  • Cyberark

  • LastPass

  • Thycotic/Delinea Secret Server

  • Keepass

  • ManageEngine

  • Myki

  • Proton Pass

  • CSV

  • JSON

Exporting Records from Keeper

To export records from your vault, use the export command. Supported export formats:

  • JSON

  • CSV

  • Keepass (see additional install instructions)

JSON export files contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions. CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions. Keepass files contain records, file attachments, folders and subfolders.

Keepass Export

$ keeper export --format=keepass test.kdbx

You can optionally provide the keepass encrypted file password through command line option --keepass-file-password

This flag will only apply when --format=keepass is set. The Master Password is required for Keepass export - if none provided you will be asked during export, and your input will be masked.

$ keeper export --format=keepass --keepass-file-password=file_password_here test.kdbx
PreviousCommand ReferenceNextImport/Export Commands

Last updated 6 months ago

Was this helpful?

import
export
download-membership
apply-membership
download-record-types
load-record-types