Miscellaneous Commands

Helpful commands for miscellaneous functionality.

Commands

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.

To get help on a particular command, run:

help <command>

this-device

Configure device logout and persistent login preferences (stay logged in).

login

login to Keeper

biometric

set up biometric login with passkeys

whoami

information on logged in user

logout

logout from Keeper

help

documentation on a given Commander command

debug

display debug logs of commands in console

sync-down or d

download, sync, and decrypt vault

version or v

display Commander version and path information

clear or c

clear the screen

run-batch or run

Execute commands sequentially from the provided file.

generate

Generate a secure password

verify-records

Verify the integrity of imported records

verify-shared-folders

Verify the integrity of records in shared folders

reset-password

Reset the master password

security-audit-sync

Calculate and update security data for all user-owned password records (enterprise only)

sleep

Add delay (in seconds) between batch commands

keeper-fill

Display or manage KeeperFill settings

keep-alive

Send a signal to prevent session timeout

2fa

2FA settings management

login-status

Check the current login status of the user outside of the Keeper shell.

this-device command

Command: this-device

Detail: Set device logout and persistent login preferences

Parameters:

None

Switches:

rename <Name of Device>: Change the name of the device

register: Encrypts the user's data key with the device public key in order to utilize persistent login sessions

persistent-login <ON|OFF>: Turn on or off the "Stay Logged In" setting for your account

ip-auto-approve <ON|OFF>: Control the IP Address device auto-approval security setting for your account

no-yubikey-pin <ON|OFF>: Turn on or off the PIN usage on Security Key (Webauthn) devices.

timeout: Set inactivity duration before automatic logout. Default unit is minutes (can be set to hours or days by appending "h" or "d", respectively).

Examples:

  1. Display the available options

  2. Rename the device that shows up in access logs

  3. Enable "Stay Logged In" on the account

  4. Register the user's "encrypted data key" with the server, for use in persistent login sessions

  5. Enables IP Address auto-approval (applies to master password logins only)

  6. Set the inactivity timeout to 10 minutes

  7. Set the inactivity timeout to 24 hours

login command

Command: login

Detail: Login to Keeper

Parameters:

Email address of account to login to

Switches:

-p, --password password of Keeper account

You will be prompted to enter the password if it is not provided with the switch

Examples:

  1. Login to John Doe's Keeper account. Will be prompted for password

  2. Login to Jane Doe's Keeper account with the given password

biometric command

Command: biometric

Detail: Manage biometric login with FIDO2 Passkeys on the local device.

When passkey authentication is activated, it replaces the need for a master password, SSO, and MFA by serving as both the first and second factor of authentication.

Sub-commands

Command
Description

biometric register

Activate and register biometric authentication with FIDO2 passkey

biometric list

List all registered passkeys on your account

biometric update-name

Update the friendly name of a passkey credential

biometric unregister

Remove the passkey from the Commander CLI on the local device

biometric verify

Test biometric authentication without logging in. Vault login and vault re-auth test methods available.

Switches:

--name Friendly name for the biometric method (used with register command)

--confirm Skip confirmation prompt (used with unregister command)

--purpose Quick verification of auth and re-auth challenges (used with verify command)

Examples:

whoami command

Command: whoami

Detail: Display information about the currently logged in user

Switches:

-v, --verbose include current datacenter and Commander environment

--json display the result in JSON format

Examples:

  1. See detailed user information

  2. See detailed user information with the current datacenter and environment in JSON format

Example Output:

logout command

Command: logout

Detail: Logout of Keeper

Examples:

  1. Logout of Keeper

help command

Command: help

Detail: Display information about a given Commander command or a list of all available commands.

Parameters:

A Commander command to see information for. To see a list of all available commands, leave unspecified.

Examples:

  1. See detailed information on add command

  2. See detailed information on sync-down command

  3. See list of all available commands

debug command

Command: debug

Detail: Display debug logs of the commands.

Parameters:

  • --file <file_path> - Optional. Specify a file path to save debug logs to a file instead of displaying them in the console.

Examples:

  1. Toggles debug logging on/off in the console. When enabled, detailed debug logs will be displayed for all subsequent commands.

  2. Enables debug logging to a specified file. All debug information will be written to the file instead of the console.

create-account command

Command: create-account

Details: Create a Keeper Account. You will be prompted to enter a password for the account, and then a verification email code.

Parameters:

Email address to use for the account.

Examples:

sync-down command

Command: sync-down or d

Detail: Download, sync, and decrypt vault

Examples:

  1. Sync vault

  2. Sync vault

version command

Command: version or v

Detail: Display Commander version and path information

Switches:

-v display information about the underlying SDK, OS, working directory, and configuration file

Examples:

  1. Show current Commander version

  2. Show current Commander version, as well as the SDK version, OS, working directory, and configuration file

clear command

Command: clear or c

Detail: Clear all lines from the screen

Examples:

  1. clear all lines from the screen

run-batch command

Command: run-batch or run

Detail: Execute commands sequentially from the provided file.

Switches:

-d [seconds] Specify a delay of this number of seconds in between commands. This will help in preventing throttling on the backend.

-q Quiet mode

-n or --dry-run Preview the commands that will be run without execution.

Examples:

generate command

Requires Commander v16.5.10+

Command: generate

Detail: Generate a secure password

Switches:

-cc or --clipboard-copy copy the created password to the clipboard

-nb or --no-breachwatch skip Breachwatch check

-f <{table, json}> or --format <{table, json}> select an output method for the generated password

  • requires Commander v16.5.11+

-i <NUMBER> or --json-indent <NUMBER> with json format:

  • 0 for plain json output

  • a number greater than 0 to select the indentation for easy to read output

  • requires Commander v16.5.11+

-n [NUMBER] or --number [NUMBER] create the given number of passwords

-c [LENGTH] or --count [LENGTH] length of the password

-s [SYMBOLS] or --symbols [SYMBOLS] minimum number of special symbols to include in the password

-d [DIGITS] or --digits [DIGITS] minimum number of digits to include in the password

-u [UPPERCASE] or --uppercase [UPPSERCASE] minimum number of uppercase letters to include in the password

-l [LOWERCASE] or --lowercase [LOWERCASE] minimum number of lowercase letters to include in the password

-dr [DICE_ROLLS] or --dice-rolls [DICE_ROLLS] number of dice rolls

Examples:

  1. Generate a secure password

  2. Generate a secure password that is 12 characters longs with at least 2 uppercase letters and 2 symbols and copy the password to the system clipboard

  3. Generate a password and show password strength, and Breachwatch result in plain json format

  4. Generate 10 diceware passwords of 6 words

generate dice-roll passwords

Requires Commander v16.7.6+

Command: generate --dice-rolls

Detail: Generate a dice roll secure password consisting of random words

Switches:

-dr or --dice-rolls <NUMBER OF WORDS TO GENERATE> generate a dice roll password, and identify how many words to generate

--word-list <WORD LIST FILENAME>optionally use a file of words to use as a wordlist

Examples:

  1. generate a password of 6 random words

  2. generate a password of 5 random words from the given file of words

verify-records command

Command: verify-records

Detail: Check for record format integrity and perform necessary repairs to record structure. Edge cases are added to this command when issues in the field are reported to Keeper support.

Examples:

verify-shared-folders command

Command: verify-shared-folders

Parameters

Name or UID of shared folder to check. Leave blank to check all

Detail: Check for records in shared folders that do not have the correct shared data key, then add the correct key where needed

Examples:

reset-password command

Command: reset-password

Detail: reset the account's master password

Switches:

--delete-sso deletes SSO master password

--current the current master password

--new the new password to set as master password

Examples:

Hint: you can use the generate command to generate a secure password within Commander

security-audit-sync command

Command: security-audit-sync or sas

This command is available only to enterprise administrators

Detail: Sync security audit data for enterprise vault(s). Used to correct mis-matching summary security audit scores as seen by the user (in their vault) and by an enterprise administrator (either in the admin console app or via a call to security-audit-report in Commander)

Parameters:

Username(s) of vault(s) whose security data are to be synced. Multiple values allowed. Specify@all to perform sync for all enterprise vaults.

Switches:

--soft Do a "soft" sync of security data. Does not require corresponding vault login. This is the default sync-type.

--medium Do a "medium" sync of security data. Can sync some data without the corresponding vault login.

--hard Do a "hard" sync of security data. No data are synced until the corresponding vault login occurs.

-f or --force Perform sync without being prompted for confirmation (non-interactive mode)

-v or --verbose Output a Security Audit report after performing sync

Examples:

  1. Perform a "soft" sync of security data for vault owned by [email protected]

  2. Initiate a "hard" security-data sync for the vaults belonging to [email protected] and [email protected]

  3. Initiate a "hard" security-data sync for all vaults in the enterprise

  4. Perform a "hard" sync of security-audit data for [email protected] and run a Security Audit report immediately after. Note that, in this scenario, you should expect the resulting report to show all 0s in the affected vault's summary scores (to be updated eventually once the affected owner logs in to their vault).

Hint: If the total password record count shown in a user's vault (in "Security Audit" view) differs from the corresponding value shown in the admin console (also in "Security Audit" view) or the output of Commander's security-audit-report --show-updated command, use the --hard flag to force a summary security audit score reset/re-calculation to re-align those values.

For more on the use of this command to correct mis-aligned security scores, please refer to the "Security Audit Report Score Re-alignment Process" section of our Troubleshooting page.

sleep command

This command is deprecated. If your goal is to add delay between commands, please refer to the run-batch command.

Command: sleep

Detail: Add delay (in seconds) between batch commands

Switches:

The number of seconds, the delay, to be added between batch commands

Example:

  1. Sleep for 5 seconds

keeper-fill command

Command: keeper-fill

Detail: Display or manage KeeperFill settings. For example, this allows you to view/change the "Autofill" and "Auto Submit" preferences on a specific Keeper record.

To get help on the command run:

Possible values for "set" command: none, off, on.

If set to "none", the behavior of the browser extension is to follow the user preference (in the browser extension general Settings screen). If the value is set to "on" or "off", the browser extension will follow the setting for the record.

Example commands:

keep-alive command

Command: keep-alive

Detail: Send a signal to the Keeper server to prevent session timeout during long-running operations or interactive sessions.

Example:

  1. Prevent session timeout while performing long operations or during periods of inactivity

2fa command

Command: 2fa

Detail: Display, add, or delete manage 2FA settings.

To get help on the command run:

Example commands:

login-status command

Command: login-status

Detail: Displays the current login session status of the user based on Persistent Login. It can be executed outside of the shell, allowing interactive use directly from the system terminal.

Example commands: When Persistent Login is Disabled

When Persistent Login is Enabled

PreviousDomain Reservation CommandsNextPassword Rotation

Last updated

Was this helpful?