KeeperDB
Passwordless zero-trust database access, monitoring, and AI-assisted administration with KeeperDB
Overview
KeeperDB is a secure, multi-protocol database management tool built on the Keeper zero-knowledge platform. It ships in two forms — an embedded session launched automatically from KeeperPAM records, and a standalone desktop application for macOS, Windows, and Linux.
Privileged database access has historically been the weakest link in an enterprise security posture. Database credentials sprawl across laptops on plaintext files, keychains, sticky notes, and shared password vaults that nobody rotates. Connections go over unmonitored TCP. Actions inside the session are invisible to the security team. KeeperDB closes every one of those gaps while still feeling like the database client a DBA wants to use.
At a glance
Supported protocols — PostgreSQL, MySQL / MariaDB, SQL Server, Oracle, Amazon Redshift, SQLite
Zero credentials on the client — passwords delivered encrypted from the Keeper Vault through the Gateway; never typed, never stored locally
Embedded KeeperAI — conversational DBA co-pilot that runs read-only queries autonomously, writes DML/DDL only with explicit consent, and is scope-guarded against off-topic code generation
Built-in real-time monitor — process list, blocking chains, lock analysis, and one-click session termination across all supported engines
Runs anywhere — native desktop application and fully embedded inside KeeperPAM-launched RBI sessions
What Is KeeperDB?
KeeperDB is a full-featured database client and operational monitoring tool built into the Keeper platform.
Zero-knowledge integration with the Keeper Vault
Sessions can be launched directly from the Keeper Vault for passwordless access. Credentials for a database record are decrypted inside the customer's Gateway and delivered to KeeperDB over an encrypted channel. Connections can be configured for session recording and KeeperAI session analysis.
When a user launches a PAM Database connection, the Keeper Gateway spawns KeeperDB as a sidecar process, streams it into the user's browser through Keeper's Remote Browser Isolation (RBI) layer, and records the entire session alongside every other privileged action.
Multi-protocol from a single UI
The same query editor, data grid, ER diagram, scratchpad notebook, and performance monitor work across PostgreSQL, MySQL, SQL Server, Oracle, Redshift, and SQLite — so a DBA managing a heterogeneous fleet doesn't have to context-switch between different applications.
KeeperAI as a built-in DBA co-pilot
An embedded assistant with full schema context answers natural-language questions, writes and runs queries on the user's behalf, generates charts from result sets, and is constrained by server-side guardrails that forbid off-topic code generation and destructive actions without explicit approval.
Two Deployment Modes, One Experience
KeeperDB is delivered two ways: Embedded in the Keeper Vault and Standalone Desktop App. Both forms share an identical interface, feature set, and security model.
Visual themes provide a custom experience based on user preference.
Embedded in KeeperPAM (Privileged Sessions)
This is the deployment method for regulated, zero-trust environments. A user browses the Keeper Vault, finds a record (e.g. "Production Postgres"), and clicks Launch KeeperDB.
The user never handles the credential. Not on the wire, not in memory, not in a config file. The credential's lifetime is: Vault (encrypted) → Gateway (decrypted briefly in-memory) → KeeperDB (in-memory, zeroized on disconnect) → never written to disk on the client, ever.
Standalone Desktop App (Mac / Windows / Linux)
The standalone app is a cross-platform native desktop application. This application targets the following use cases:
Keeper customers who don't yet have KeeperPAM but want a modern, secure database client that integrates with the Vault for credential retrieval.
DBAs, data engineers, and developers who need a day-to-day client that isn't "janky shareware that stores my password in plaintext."
Consultants and contractors who connect to many customer databases and want per-customer credential isolation without cross-contamination.
Send all KeeperDB feature requests to: [email protected]
Download Links
The desktop app can connect to a database three ways:
Direct connection with credentials the user enters once and stores in an OS-native secure store — the simplest workflow, familiar to anyone who has used DBeaver, but with secure storage of credentials.
Keeper Vault integration — the app authenticates with a user's Keeper account, enumerates their PAM database records, and launches a session using ephemeral or static credentials fetched at click-time (never cached).
KeeperDB Proxy on a PAM record — described in its own section below.
Use Case: KeeperDB Tunnels
For customers who already use Keeper Tunnels to expose internal databases through the Gateway, KeeperDB is the natural front end. A tunneled database looks local to the user's machine — it's reachable at 127.0.0.1:<port> — but every byte flows through Keeper's zero-trust and zero-knowledge encryption, with no inbound firewall rules and no VPN.
The desktop KeeperDB app can connect to a tunneled endpoint the same way it connects to any direct-connect database. Combined with the Keeper Vault integration, the workflow becomes:
User clicks Start Tunnel on a PAM Database record in the Vault.
The Keeper Gateway establishes a zero-trust tunnel and returns the local port to the Vault.
User enters the localhost and local port into the KeeperDB app.
All traffic between the user's laptop and the target database is authenticated, end-to-end encrypted, and recorded as a Keeper privileged session.
Why Tunnels + KeeperDB beats a jump host. No bastion server to maintain, no SSH key distribution. The tunnel is authenticated per user, the database session is recorded, and when the engagement ends you just revoke the Vault share.
Use Case: KeeperDB Proxy on a PAM Record
Some customers want the best of both worlds — the tactile responsiveness of a desktop app, plus the zero-credential and recorded-session guarantees of KeeperPAM. That combination is enabled by enabling the KeeperDB Proxy option on a PAM Database record.
When KeeperDB Proxy is active on a record:
The Gateway stands up a KeeperDB Proxy listener for that record's protocol (MySQL / PostgreSQL / MSSQL wire protocol).
Connection traffic from the user's desktop KeeperDB app is routed to the proxy, which authenticates with Keeper, fetches the credentials Gateway-side, injects them into the protocol handshake, and then forwards traffic to the target database.
The user's desktop KeeperDB app is pointed at the proxy endpoint — it never sees the real credentials, and the user never types them — but they still get native desktop-app performance, native OS-level keyboard shortcuts, unmetered bandwidth, and the ability to run long exports without RBI overhead.
This is the recommended configuration for internal DBAs and SREs who work with the same set of production databases every day:
No password in their keychain.
No password on their terminal history.
Full session recording for compliance.
Desktop performance (huge ER diagrams, long-running exports, multi-gigabyte result grids, offline notebook work on the local file system).
Learn more about KeeperDB Proxy
Supported Databases
KeeperDB supports six protocols out of the box, each with a native driver — no ODBC, no JDBC bridge, no driver-install step on the user's machine.
PostgreSQL
TLS, SCRAM-SHA-256, all modern auth modes
MySQL / MariaDB
Text protocol for DDL compatibility, binary protocol for data
SQL Server
Azure SQL, AWS RDS, on-prem; Windows and SQL Server authentication
Oracle
Including Autonomous DB and Exadata Cloud
Amazon Redshift
Redshift-specific quirks handled
SQLite
File-based or in-memory; ideal for local scratch work
The User Experience
Regardless of how the session was launched, the user lands in the same interface. A sidebar lists schemas and tables. A top tab bar switches between Query, Data, Notebook, Monitor, and Graph. A gear icon opens Settings. A chat bubble opens KeeperAI.
Query Editor
The Query tab is the SQL workspace. Provides syntax highlighting, autocomplete, multi-statement execution, and a toggle between tabular and record views.
Multi-statement execution — paste a migration script, hit Run, get per-statement status.
Destructive-query confirmation — any non-SELECT syntax triggers a modal listing exactly what's about to be executed before it runs.
Per-session query history — scoped to the current user's session; user-based or resource-based session persistence is available based on the PAM Settings of the database record.
Data Grid
Click any table in the sidebar and the Data tab opens the full paginated table browser.
Pagination — 50 rows per page default, configurable up to several thousand.
In-place cell editing — double-click a cell, edit the value, and KeeperDB generates a previewed
UPDATEstatement you confirm before it executes.Export to CSV, JSON, or SQL INSERT — straight from the current filter / page state.
Schema Explorer & ER Diagram
The sidebar is a searchable, sortable tree of schemas and tables. Click a schema to see its tables, hover a table to see its row count and size, click overflow [...] to view the table schema and CREATE syntax.
Notebook (Scratchpad)
Not every database task is a single query. The Notebook is a persistent, per-user scratchpad with SQL cells and Markdown cells, auto-saved every 2 seconds.
Build up a set of reusable queries for an investigation.
Document findings in-line in Markdown alongside the SQL that produced them.
Re-run any cell individually without losing the others' state.
Per-user or per-record session persistence based on the PAM Database configuration.
Performance Monitor
The Monitor tab is a real-time operational dashboard — the moment your database is on fire, this is the view you want open.
"The site is slow, what's happening?" The Monitor tab answers this in under five seconds: who's connected, what they're running, what's blocking what, and which long-running query to kill.
The Top Queries section reviews the query time and latency of slow running queries.
Monitor support varies slightly by database:
Active process list
✅
✅
✅
✅
✅
—
Blocking chains
✅
✅
✅
✅
✅
—
Lock analysis
✅
✅
✅
✅
✅
—
Kill session
✅
✅
✅
✅
✅
—
Server parameters inspector
✅
✅
✅
✅
✅
—
AI-assisted triage
✅
✅
✅
✅
✅
—
Every live process shows its connection ID, user, database, the exact SQL it is currently executing, and elapsed time. Click a blocker in the blocking chain to see its full context. Click Kill to terminate a session (confirmation required).
KeeperAI — Your Embedded DBA Co-Pilot
KeeperAI is KeeperDB's integrated AI assistant. It opens as a chat panel on the right side of the UI, has full knowledge of the schema you're connected to, and can operate in three modes:
Chat mode — you ask a question in natural language, it answers in prose and (if appropriate) SQL.
Autonomous mode — you ask for an outcome, not a query. KeeperAI writes SQL, runs it against the database, reads the results, iterates if needed, and reports back. Read-only statements run without prompting; write statements surface the same destructive-query confirmation modal as a human-authored statement.
Explain mode — paste a SQL query and ask for an explanation. Useful for code review of a teammate's migration or for onboarding a new engineer into a legacy schema.
Supported AI Providers
KeeperAI is provider-pluggable. Administrators choose the model vendor that fits their data-governance posture:
OpenAI
OpenAI-compatible endpoints (self-hosted, etc)
Anthropic
Google Gemini
Microsoft Azure OpenAI
AWS Bedrock (Claude, Llama, Titan, etc.)
Google Vertex AI
Learn More on activation of KeeperAI on the Keeper Gateway
Your data stays in your walled garden. Enterprise customers can wire KeeperAI to their own Azure OpenAI or AWS Bedrock endpoint so prompts and schema never leave their network perimeter.
KeeperAI Chart Generation
Ask "show me revenue by product category for the last 30 days" in autonomous mode and KeeperAI will:
Query the schema to find the relevant tables.
Write and execute the aggregation SQL.
Emit a
chartJSON spec describing the result as a bar chart.Render the chart inline in the chat panel.
Supported chart types: bar, line, pie, area, scatter. The underlying data comes directly from the live query — no hallucinated numbers.
KeeperAI in the Performance Monitor
From the Monitor tab, a Triage with KeeperAI action packages the current process list, blocking chains, and server parameters into a prompt and asks the AI to summarize "what's wrong and what should I do next." The AI suggests which queries to kill, which indexes are missing, and which parameters are misconfigured.
KeeperAI Scope Guardrails
KeeperAI is strictly scoped to database work. It will answer questions about SQL, schema design, indexing, query optimization, performance tuning, troubleshooting, and database theory.
Defense in depth. KeeperAI's guardrail is two layers deep: a hoisted, imperative refusal clause at the top of the system prompt, plus a post-response validator that replaces any blocked response with a canned "I'm a database assistant…" refusal. Even when a user crafts a prompt injection, the AI cannot be used to generate arbitrary code inside a KeeperPAM session.
KeeperAI and Session Recording / Monitoring
KeeperPAM already records every keystroke and visual interaction of a privileged session through session recording & playback features. With KeeperDB, now all database interactions can be recorded and monitored - including the AI agent interaction within the KeeperDB user session.
Every AI-executed SQL statement is logged the same way a human-typed statement
Every AI-initiated destructive statement surfaces through the same confirmation modal a human must click — the user remains the explicit authorizer of any write.
Every chart, explanation, and autonomous iteration is attributed to the session recording, so a compliance reviewer can reconstruct the activity that took place.
A session summary is generated along with a detailed session log of every action
Learn more about session recording and KeeperAI for privileged sessions.
Security Benefits
Credentials Never Live on the Endpoint
Stolen laptop, forensic disk image
No credentials on disk. zeroize-on-drop for in-memory password material.
Shell history or config-file leakage
No local credentials stored on disk
Git-committed connection strings
There is no connection string to commit.
Shared-password sprawl
Every launch pulls the current password from the Vault. Rotate once — everyone gets the new value.
Contractor offboarding
Revoke the Vault share. Done. No need to rotate the database password.
Zero-Knowledge and Per-User Isolation
KeeperDB inherits Keeper's zero-knowledge architecture: secrets are only ever decrypted on a user's device or inside the customer's Gateway, never on Keeper's servers. When a Gateway is shared across multiple users, each user's scratchpad, settings, and schema cache are isolated.
Audit Everywhere
Privileged session recording (via KeeperPAM) captures every rendered frame.
Structured audit log (in-memory ring buffer, per-session) captures every query action.
KeeperAI scope log captures every guardrail decision.
KSM access log (via Keeper's normal KSM audit trail) captures every credential fetch from the Vault.
Collectively, these answer the regulated-industry question "who ran what, against which database, when, and who approved any change?" without a forensic investigation.
Why Not Just Use DBeaver / DataGrip / TablePlus?
General-purpose database clients are great for a developer on their laptop connecting to their own sandbox. They fall apart at enterprise scale:
Credential storage
Local keychain / JSON workspace file
Never stored on the client
Credential rotation
Every user re-enters manually
One Vault change, everyone's current
Contractor offboarding
Rotate database password
Revoke Vault share
Session recording
No
Yes, via KeeperPAM
DBA assistant AI
Paid add-on, sends schema to vendor cloud
Included, can pin to customer's own AI provider
Multi-database coverage
Varies; often fragmented plugin ecosystem
Multiple protocols, one UI
Performance monitor
Separate tool or missing
Built in
Zero-trust network posture
Requires VPN / bastion
Works with Keeper Tunnels
Install-on-endpoint burden
Drivers, JDBC jars, ODBC bridges
Zero local drivers — all bundled
Compliance audit
Client-side logs, if any
Centralized, server-enforced, tamper-evident
Audit gaps create compliance risk. If an auditor asks for every query run against a production database over the last 90 days, most database clients cannot provide a complete answer. KeeperDB can return that activity from a centralized audit trail.
Getting Started
From a KeeperPAM pamDatabase record
pamDatabase recordIn the Keeper Vault, navigate to the PAM Database record.
Click Launch KeeperDB.
An RBI tab opens with KeeperDB already connected.
No setup on the user side. Administrators configure the record once (host, port, protocol, credentials, JIT, Workflow, KeeperAI) and Gateway-side policy controls who can launch it.
Frequently Asked Questions
Does KeeperDB require a Keeper Enterprise subscription?
The embedded KeeperPAM experience requires KeeperPAM. The standalone desktop app works for any Keeper account tier that supports Secrets Manager record retrieval and can also be used in a purely local mode without any Keeper account at all.
Where is data stored?
Row data is never persisted by KeeperDB — it is streamed from the database to the UI and held in memory only while the session is active. User-specific artifacts (notebook cells, UI preferences) are stored either in the Keeper Secrets Manager vault (default for enterprise deployments), in the user's local file system (desktop app), or in memory (ephemeral mode).
Can we point KeeperAI at our own Azure OpenAI endpoint?
Yes. KeeperAI supports Azure OpenAI, AWS Bedrock, Vertex AI, and any OpenAI-compatible self-hosted endpoint as first-class providers. Configuration is per-deployment; no traffic is routed to a Keeper-hosted AI service.
What happens if the AI provider is unavailable?
KeeperDB continues to work normally. The AI chat panel surfaces an "unavailable" state, but every other feature — query editor, data grid, monitor, ER diagram, scratchpad, import/export — continues to operate.
Can the standalone desktop app connect to databases that aren't in Keeper?
Yes. The desktop app supports direct connections with user-entered credentials (stored in the OS secure store with zeroize-on-drop discipline), connections through Keeper Tunnels, and connections to PAM-record-proxied databases. A single installation can use all three simultaneously.
How does the destructive-query confirmation work with KeeperAI autonomous mode?
Identically to a human-typed statement. KeeperAI can freely run read-only queries (SELECT, SHOW, EXPLAIN, DESCRIBE) without prompting. Any write statement — INSERT, UPDATE, DELETE, DROP, CREATE, ALTER, TRUNCATE, and dialect-specific variants like BULK INSERT / COPY … FROM / LOAD DATA — triggers a modal that shows the exact SQL before it executes. The user is always the approver.
What's the difference between KeeperDB Tunnels and KeeperDB Proxy?
A Tunnel exposes the database's native wire protocol at a local port on the user's machine. The user's desktop app talks to 127.0.0.1 as if the database were local, and the credentials come from the user (either entered, or pulled from the Vault at the app layer).
A KeeperDB Proxy adds credential injection at the Gateway. The user's desktop app connects to the proxy, the proxy authenticates against Keeper and fetches the credentials server-side, and the database handshake is completed without the user's machine ever touching the password. KeeperDB Proxy is the stricter, more zero-trust configuration.
Last updated
Was this helpful?