Docker Installation
Instructions for installing Keeper Gateway on Docker
Last updated
Was this helpful?
KeeperPAM and Secrets Manager
Instructions for installing Keeper Gateway on Docker
Last updated
Was this helpful?
This document contains information on how to install, configure, and update your Keeper Gateway on Docker. The Docker container is built upon the base image of Rocky Linux 8 and it is hosted in DockerHub.
For full PAM capabilities, use a Linux host with a x86 AMD processor.
A Linux host with a x86 AMD processor
docker and docker-compose installed (see Docker Install for help)
Note: The syntax is docker-compose for servers, but on a local Docker Desktop it might be docker compose (with no space).
A new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App (version 17.1 or newer required).
You can also create a Gateway and configuration file from the Commander CLI:
The Application names and UIDs can be found with secrets-manager app list
A Docker Compose file is provided through the Vault UI. Typically this file would be saved in your local environment as docker-compose.yml in your preferred folder. An example is below:
The only required environment variable setting is GATEWAY_CONFIG which is the resulting base64-encoded configuration provided when creating a Gateway device.
When running the latest version of the Keeper Gateway, you'll see the output in the logs like below:
On the Vault UI in the Secrets Manager > Applications > Gateways screen, the Gateway will show Online.
If you need to enable verbose debug logs on the Gateway, enable debug logging by adding the below environment section variables to your Docker Compose file:
After debug is enabled, restart the service with docker compose restart
Executing the following command will update the Keeper Gateway container to the latest version and restart the service:
Adding the "restart" parameter in the docker-compose.yml file will assign a restart policy to the environment:
If you would like to force the host operating system to automatically start the Keeper Gateway on a Docker installation, follow these steps (Linux host).
First, create a .service file in /etc/systemd/system/keeper-gateway.service
NOTE:
Replace /home/ec2-user with the path to your docker-compose.yml
Replace ec2-user user with your user running Docker
Replace docker group with your defined group
Then enable the service:
DockerHub listing: https://hub.docker.com/r/keeper/gateway
Quick reference for Installing Docker and Docker Compose on Linux
The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:
Keeper Cloud (keepersecurity.[com|eu|com.au|jp|ca|us])
TLS Port 443
Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)
Keeper KRelay Server (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])
TCP and UDP opened on Port 3478 Outbound access to TCP and UDP ports 49152 through 65535
Facilitates secure and encrypted relay connections between end-user's vault and target systems via the Gateway
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.
A very useful capability of the Keeper Gateway is being able to open connections and tunnels to the host machine. By adding the extra_hosts section to your docker compose file with a value of host.docker.internal:host-gateway, you can open sessions directly to the host.
Example docker compose with the Gateway container:
Enabling this option allows you to establish a Connection to the host. For example, to open an SSH connection:
If you use KeeperPAM to SSH over to the host service, you can upgrade the container by running the container update of the gateway in the background:
Create a record with the SSH private key
Create a record with the hostname to host.docker.internal and port 22
Activate the in PAM settings referencing the PAM User