Linux Installation
Instructions for installing Keeper Gateway on Linux
Overview
This document contains information on how to install, configure, and update your Keeper Gateway on Linux.
Prerequisites
Prior to proceeding with this document, make sure you created a Gateway device.
For full capabilities, use Rocky Linux 8, RHEL 8 or Alma Linux 8.
If you cannot use one of these Linux flavors, please install using the Docker method
Installation
Install Command
Executing the following command will install the Keeper Gateway, and run it as a service:
Replace XXXXX with the One-Time Access Token provided from creating the Keeper Gateway
Installation Location
The gateway will be installed in the following location:
An alias gateway is also created in the same directory
Gateway Service Management
For managing the Keeper Gateway as a service, the following are created during the Gateway installation:
A
keeper-gatewayfolderA
keeper-gwuser
keeper-gateway folder
The keeper-gateway folder contains the gateway configuration file and is created in the following location:
keeper-gw user
During the gateway installation, a new user, keeper-gw, is created and added to the sudoers list in /etc/sudoers.d/.
The keeper-gw user is the owner of the keeper-gateway folder and runs the gateway service. This is required when performing rotations on the gateway service and performing post-execution scripts.
Managing the Gateway Service
The following commands can be executed to start, restart, or stop the Keeper Gateway as a service:
Keeper Gateway Configuration File
The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and tenant server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the One-Time Access Token generated when you created the Gateway.
If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location:
If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:
Keeper Gateway Log files
Logs that contain helpful debugging information are automatically created and stored on the local machine.
If the Gateway is running as a service, the log files are stored in the following location:
If the Gateway is not running as a service, the log files are stored in the following location:
Verbose Logging
To add verbose debug logging, modify this file:
and add the -d flag to the "gateway start" command, e.g:
Apply changes to the service:
Tailing the Logs
Upgrading
Executing the following command will upgrade the Keeper Gateway to the latest version:
Auto Update
Configure your Keeper Gateway installation to automatically check for updates, ensuring it stays up-to-date with the latest version.
Uninstalling
Executing the following command will uninstall the Keeper Gateway:
Network Configuration
The Gateway establishes outbound-only connections to the following:
Keeper Cloud (keepersecurity.[com|eu|com.au|ca|us|jp)
TLS Port 443
Outbound access for Vault login and Keeper Secrets Manager APIs.
Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])
TCP and UDP port 3478
Needed to establish secure & encrypted connections between the user's vault and the Gateway service.
Keeper Relay (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])
Outbound access to TCP and UDP ports 49152 through 65535
Needed to establish outbound access over the designated port ranges
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.
Checksum Verification
Keeper Gateway SHA256 hashes for the latest version are published at the below location:
https://keepersecurity.com/pam/latest.txt
Calculating and verifying the checksum:
Linux
PowerShell
Last updated
Was this helpful?