# .NET SDK

## Download and Installation ### Prerequisites > `dotnet add package Keeper.SecretsManager` For more information, see ### Source Code Find the .Net source code in the [GitHub repository](https://github.com/Keeper-Security/secrets-manager/tree/master/sdk/dotNet) ## Using the SDK ### Initialize Storage {% hint style="info" %} Using token only to generate a new config (for later usage) requires at least one read operation to bind the token and fully populate `config.json` {% endhint %} In order to retrieve secrets, you must first initialize the local storage on your machine. ```csharp SecretsManagerClient.InitializeStorage(storage: IKeyValueStorage, oneTimeToken: string, hostName: string = null) ```

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`storage`	`IKeyValueStorage`	Yes		Storage implementation for persisting config
`oneTimeToken`	`string`	Yes		One Time Access Token used to initialize the config
`hostName`	`string`	Optional	null	Keeper server hostname (auto-detected from token if omitted)

#### **Example Usage** ```csharp var storage = new LocalConfigStorage("ksm-config.json"); SecretsManagerClient.InitializeStorage(storage, "[One Time Access Token]"); // Using token only to generate a config (for later usage) // requires at least one access operation to bind the token var options = new SecretsManagerOptions(storage); await SecretsManagerClient.GetSecrets(options); ``` {% hint style="success" %} **Automatic File Security** (v17.1.0+) The .NET SDK automatically secures configuration and cache files: * **Unix/macOS**: Sets `chmod 600` (owner read/write only) * **Windows**: Restricts ACLs to current user only Files protected: * `ksm-config.json` (or your custom config file name) * `cache.dat` (if using caching) No additional configuration needed - the SDK handles this automatically. {% endhint %} #### Secrets Manager Options ```csharp SecretsManagerOptions( IKeyValueStorage storage, QueryFunction queryFunction = null, bool allowUnverifiedCertificate = false, string proxyUrl = null ) ```

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`storage`	`IKeyValueStorage`	Yes
`queryFunction`	`QueryFunction`	Optional	null
`allowUnverifiedCertificate`	`bool`	Optional	false
`proxyUrl`	`string`	Optional	null

### Retrieve Secrets ```csharp GetSecrets(options: SecretsManagerOptions, recordsFilter: string[] = null): Task ``` | Parameter | Type | Required | Default | Description | | --------------- | ----------------------- | -------- | ------- | ------------------------------- | | `options` | `SecretsManagerOptions` | Yes | | Storage and query configuration | | `recordsFilter` | `string[]` | Optional | `null` | Record search filters | **Response** Type: `KeeperSecrets` Object containing all Keeper records, or records that match the given filter criteria **Example Usage** Retrieve all Secrets ```csharp var options = new SecretsManagerOptions(storage, testPostFunction); var secrets = await SecretsManagerClient.GetSecrets(options); ``` ### Retrieve Secrets by Title ```csharp // get all matching records async Task> GetSecretsByTitle(SecretsManagerOptions options, string recordTitle) // get only the first matching record async Task GetSecretByTitle(SecretsManagerOptions options, string recordTitle) ```

Parameter	Type	Required	Description
`options`	SecretsManagerOptions	Yes	Preconfigured options
`recordTitle`	string	Yes	Record title to search for

**Example Usage** ```csharp using System; using System.Threading.Tasks; using SecretsManager; private static async Task getOneIndividualSecret() { var storage = new LocalConfigStorage("ksm-config.json"); var options = new SecretsManagerOptions(storage); var records = await SecretsManagerClient.GetSecretsByTitle( options, "My Credentials"); foreach (var record in records) { Console.WriteLine(record.RecordUid + " - " + record.Data.title); foreach (var field in record.Data.fields) { Console.WriteLine("\t" + field.label + " (" + field.type + "): [" + String.Join(", ", field.value) + "]"); } } } ``` ### Retrieve Values from a Secret **Retrieve a Password** {% tabs %} {% tab title="Get Password" %} ```csharp secret.FieldValue("password") ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets= (await SecretsManagerClient.GetSecrets(options)).Records; // get the password from the first secret var firstSecret= secrets[0]; var password = firstSecret.FieldValue("password").ToString(); ``` {% endtab %} {% endtabs %} Field types are based on the Keeper [Record Type](https://docs.keeper.io/enterprise-guide/record-types). For a detailed list of available fields based on the Keeper Record Type, see the [record-type-info](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/record-commands/record-type-commands#record-type-info-command) command in Keeper Commander. **Retrieve Other Fields Using Keeper Notation** {% tabs %} {% tab title="Get Value" %} ```csharp GetValue(KeeperSecrets secrets, string notation) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets = (await SecretsManagerClient.GetSecrets(options)).Records; // get login field value using dot notation var password = Notation.GetValue(secrets, "BediNKCMG21ztm5xGYgNww/field/login"); ``` {% endtab %} {% endtabs %} {% hint style="info" %} See [Keeper Notation documentation](https://docs.keeper.io/en/keeperpam/secrets-manager/about/keeper-notation) to learn about Keeper Notation format and capabilities {% endhint %}

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`secrets`	`KeeperSecrets`	Yes		Secrets to query
`notation`	`string`	Yes		Field query in dot notation format

**Retrieve TOTP Code** {% tabs %} {% tab title="Get TOTP Code" %} ```csharp CryptoUtils.GetTotpCode(string url) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets = (await SecretsManagerClient.GetSecrets(options)).Records; // get TOTP url from a record var url = Notation.GetValue(secrets, "BediNKCMG21ztm5xGYgNww/field/OneTimeCode"); // get TOTP code var totp = CryptoUtils.GetTotpCode(url); Console.WriteLine(totp.Code); ``` {% endtab %} {% endtabs %}

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`url`	`string`	Yes		TOTP Url

### Update Values in a Secret {% hint style="warning" %} Record update commands don't update local record data on success *(esp. updated record revision)* so any consecutive updates to an already updated record will fail due to **revision** mismatch. Make sure to reload all updated records after each update batch. {% endhint %} #### Save Changes to a Secret {% tabs %} {% tab title="Update Secret" %} ```csharp UpdateSecret(options: SecretsManagerOptions, record: KeeperRecord, transactionType: UpdateTransactionType? = null); ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var options = new SecretsManagerOptions(storage, testPostFunction); await SecretsManagerClient.UpdateSecret(options, secret); ``` {% endtab %} {% tab title="Transactional updates" %} ```csharp var storage = new LocalConfigStorage(configName); var options = new SecretsManagerOptions(storage); //get secrets var secrets = (await SecretsManagerClient.GetSecrets(options)).Records; // get the first secret var secret = secrets[0]; // rotate password on the record secret.UpdateFieldValue("password", "MyNewPassword"); //start a transaction await SecretsManagerClient.UpdateSecret(options, secret, UpdateTransactionType.Rotation); // rotate password on remote host success = rotateRemoteSshPassword("MyNewPassword"); // complete the transaction - commit or rollback await SecretsManagerClient.CompleteTransaction(options, secret.RecordUid, rollback: !success); ``` {% endtab %} {% endtabs %}

Parameter	Type	Required	Default	Description
Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Storage and query configuration
`record`	`KeeperRecord`	Yes		The record with updated field values
`transactionType`	`UpdateTransactionType?`	Optional	null	Set to `Rotation` for transactional (two-phase) updates

Use UpdateSecret to save changes made to a secret record. Changes will not be reflected in the Keeper Vault until UpdateSecret is performed. **Update a Field Value** {% tabs %} {% tab title="Update Field Value" %} ```csharp UpdateFieldValue(string fieldType, object value) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp var storage = new LocalConfigStorage(configName); Console.WriteLine($"Local Config Storage opened from the file {configName}"); if (clientKey != null) SecretsManagerClient.InitializeStorage(storage, ""); var options = new SecretsManagerOptions(storage); //get secrets var secrets= (await SecretsManagerClient.GetSecrets(options)).Records; // get the password from the first secret var firstSecret= secrets[0]; // update the login field firstSecret.UpdateFieldValue("login", "My New Login"); // update title and notes firstSecret.Data.title = "New Title"; firstSecret.Data.notes = "New Notes"; // save changes await SecretsManagerClient.UpdateSecret(options, firstSecret); ``` {% endtab %} {% endtabs %} | Parameter | Type | Required | Default | Description | | ----------- | -------- | -------- | ------- | ------------------------- | | `fieldType` | `string` | Yes | | The field to update | | `value` | `object` | Yes | | Value to set the field to | #### Generate a Random Password {% tabs %} {% tab title="Generate Password" %} ```csharp CryptoUtils.GeneratePassword( int minLength = 32, int? lowercase = null, int? uppercase = null, int? digits = null, int? specialCharacters = null, string specialCharacterSet = AsciiSpecialCharacters ) ``` {% endtab %} {% tab title="Example Usage" %} ```csharp // generate a 32-character password with balanced character distribution var password = CryptoUtils.GeneratePassword(); // generate a 64-character password with at least 10 digits and 5 special characters var strongPassword = CryptoUtils.GeneratePassword(minLength: 64, digits: 10, specialCharacters: 5); // generate a 16-character password using only alphanumeric characters (no special chars) var alphanumeric = CryptoUtils.GeneratePassword(minLength: 16, specialCharacters: 0); // update a record with the new password firstRecord.UpdateFieldValue("password", password); await SecretsManagerClient.UpdateSecret(options, firstRecord); ``` {% endtab %} {% endtabs %}

Parameter	Type	Required	Default
minLength	`int`	Optional	32
lowercase	`int?`	Optional	null
uppercase	`int?`	Optional	null
digits	`int?`	Optional	null
specialCharacters	`int?`	Optional	null
specialCharacterSet	`string`	Optional	`"!@#$%()+;<>=?[]{}^.,`

Each parameter indicates the minimum number of that character type to include. When `null`, the generator uses a balanced distribution across all character categories. The `specialCharacterSet` parameter controls which special characters are eligible for inclusion. ### Download a File ```csharp DownloadFile(file: KeeperFile): ByteArray ``` | Parameter | Type | Required | Default | Description | | --------- | ------------ | -------- | ------- | ---------------- | | `file` | `KeeperFile` | Yes | | File to download | **Response** Type: `ByteArray` ByteArray of file for download ### Download a **Thumbnail** ```csharp DownloadThumbnail(file: KeeperFile): ByteArray ``` | Parameter | Type | Required | Default | Description | | --------- | ------------ | -------- | ------- | ------------------------------- | | `file` | `KeeperFile` | Yes | | File with thumbnail to download | **Response** Type: `ByteArray` ByteArray of thumbnail for download ### Upload a File Upload File: ```csharp UploadFile(SecretsManagerOptions options, KeeperRecord ownerRecord, KeeperFileUpload file) ```

Parameter	Type	Required	Description
`options`	SecretsManagerOptions	Yes	Storage and query configuration
`ownerRecord`	KeeperRecord	Yes	The record to attach the uploaded file to
`file`	KeeperFileUpload	Yes	The File to upload

Creating the Keeper File Upload Object: ```csharp KeeperFileUpload(string name, string title, string type, byte[] data) ```

Parameter	Type	Required	Description
`name`	string	Yes	What the name of the file will be in Keeper once uploaded
`title`	string	Yes	What the title of the file will be in Keeper once uploaded
`type`	string	Yes	The mime type of data in the file. 'application/octet-stream' for example
`data`	byte[]	Yes	File data as bytes

**Example Usage** ```csharp using System; using System.Threading.Tasks; using SecretsManager; private static async Task uploadFile() { // initalize storage and options var storage = new LocalConfigStorage("ksm-config.json"); var options = new SecretsManagerOptions(storage); // get a record to attach the file to var records = (await SecretsManagerClient.GetSecrets( options, new[] { "XXX" }) ).Records; var ownerRecord = records[0]; // get file data to upload var bytes = await File.ReadAllBytesAsync("my-file.json"); var myFile = new KeeperFileUpload( "my-file1.json", "My File", null, bytes ); // upload file to selected record await SecretsManagerClient.UploadFile(options, ownerRecord, myFile); } ``` ### Create a Secret #### Prerequisites: * Shared folder UID * Shared folder must be accessible by the Secrets Manager Application * You and the Secrets Manager application must have edit permission * There must be at least one record in the shared folder * Created records and record fields must be formatted correctly * See the [documentation](https://docs.keeper.io/enterprise-guide/record-types) for expected field formats for each record type * TOTP fields accept only URL generated outside of the KSM SDK * After record creation, you can upload file attachments using [UploadFile](#upload-a-file) {% tabs %} {% tab title="Create a Record" %} ```csharp SecretsManagerClient.CreateSecret(options, folderUid, record) ```

Parameter	Type	Required
`options`	`SecretsManagerOptions`	Yes
`folderUid`	`string`	Yes
`record`	`KeeperRecordData`	Yes

{% endtab %} {% tab title="Create Record in Sub-folder" %} ```csharp SecretsManagerClient.CreateSecret2(options, createOptions, record, folders) ```

Parameter	Type	Required
`options`	`SecretsManagerOptions`	Yes
`createOptions`	`CreateOptions`	Yes
`record`	`KeeperRecordData`	Yes
`folders`	`KeeperFolder[]`	No

{% endtab %} {% tab title="Login Record Example" %} This example creates a login type record with a login value and a generated password. {% hint style="info" %} Replace '`[FOLDER UID]`' in the example with the UID of a shared folder that your Secrets Manager has access to. {% endhint %} ```csharp var newRecord = new KeeperRecordData{type = "login", title = "Sample KSM Record: C#"}; newRecord.fields = new[] { new KeeperRecordField { type = "login", value = new[] { "My Username" } }, new KeeperRecordField { type = "password", value = new[] { CryptoUtils.GeneratePassword() } }, }; newRecord.notes = "This is a C# record creation example"; var recordUid = await SecretsManagerClient.CreateSecret(options, folderUid, newRecord); ``` {% endtab %} {% tab title="Custom Type Example" %} This example creates a record with a custom record type. {% hint style="info" %} Replace '`[FOLDER UID]`' in the example with the UID of a shared folder that your Secrets Manager has access to. {% endhint %} ```csharp var newRecord = new KeeperRecordData(); newRecord.type = "Custom Login"; newRecord.title = "Sample Custom Type KSM Record: C#"; newRecord.fields = new[] { new KeeperRecordField { type = "host", value = new[] { new Dictionary { { "hostName", "127.0.0.1"}, { "port", "8080"} } }, label = "My Custom Host lbl", required = true }, new KeeperRecordField { type = "login", value = new[] { "login@email.com" }, required = true, label = "My Custom Login lbl" }, new KeeperRecordField { type = "password", value = new[] { CryptoUtils.GeneratePassword() }, required = true, label = "My Custom Password lbl" }, new KeeperRecordField { type = "url", value = new[] { "http://localhost:8080/login" }, label = "My Login Page", required = true }, new KeeperRecordField { type = "securityQuestion", value = new[] { new Dictionary { {"question", "What is one plus one (write just a number)"}, { "answer", "2" } } }, label = "My Question 1", required = true }, new KeeperRecordField { type = "phone", value = new[] { new Dictionary { { "region", "US" }, { "number", "510-444-3333" }, { "ext", "2345" }, { "type", "Mobile" } } }, label = "My Private Phone", privacyScreen = true }, new KeeperRecordField { type = "date", value = new[] {(object) 1641934793000 }, label = "My Date Lbl" }, new KeeperRecordField { type = "name", value = new[] { new Dictionary { {"first", "John"}, {"middle", "Patrick"}, {"last", "Smith"} } }, required = true }, new KeeperRecordField { type = "oneTimeCode", value = new[] { "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example" }, label = "My TOTP", required = true } }; newRecord.notes = "\tThis custom type record was created\n\tvia .NET SDK copied from https://docs.keeper.io/secrets-manager/secrets-manager/developer-sdk-library/.net-sdk"; var recordUid = await SecretsManagerClient.CreateSecret(options, "[FOLDER_UID]", newRecord); ``` {% endtab %} {% endtabs %} ### Delete a Secret The .Net KSM SDK can delete records in the Keeper Vault. {% tabs %} {% tab title="Delete Secret" %} ```csharp DeleteSecret(smOptions, recordsUids); ```

Parameter	Type	Required
`smOptions`	`SecretsManagerOptions`	Yes
`recordsUids`	`string[]`	Yes

{% endtab %} {% tab title="Example" %}

using SecretsManager;

// setup secrets manager
var storage = new LocalConfigStorage("ksm-config.json");
//SecretsManagerClient.InitializeStorage(storage, "<One Time Access Token>");
var smOptions = new SecretsManagerOptions(storage);

// delete a specific secret by record UID
await SecretsManagerClient.DeleteSecret(smOptions, new string[] {"EG6KdJaaLG7esRZbMnfbFA"});

{% endtab %} {% endtabs %} ### Caching To protect against losing access to your secrets when network access is lost, the .Net SDK allows caching of secrets to the local machine in an encrypted file. **Setup and Configure Cache** In order to setup caching in the .Net SDK, include a caching post function as the second argument when instantiating a`SecretsManagerOptions` object. The .Net SDK includes a default caching function `cachingPostFunction` which stores cached queries to a file. ```csharp var options = new SecretsManagerOptions(storage, SecretsManagerClient.CachingPostFunction); var secrets = await SecretsManagerClient.GetSecrets(options); ``` ### Folders Folders have full CRUD support - create, read, update and delete operations. ### Read Folders Downloads full folder hierarchy. ```csharp Task GetFolders(SecretsManagerOptions options) ``` **Response** Type: `KeeperFolder[]` **Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); var folders = await SecretsManagerClient.GetFolders(options); ``` ### Create a Folder Requires `CreateOptions` and folder name to be provided. The folder UID parameter in `CreateOptions` is required - UID of a shared folder, while sub-folder UID is optional and if missing, a new regular folder is created directly under the parent (shared folder). There's no requirement for the sub-folder to be a direct descendant of the parent shared folder - it could be many levels deep. ```csharp Task CreateFolder(SecretsManagerOptions options, CreateOptions createOptions, string folderName, KeeperFolder[] folders = null) ```

Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Preconfigured options
`createOptions`	`CreateOptions`	Yes		The parent and sub-folder UIDs
`folderName`	`string`	Yes		The Folder name
`folders`	`KeeperFolder[]`	No	`null`	List of folders to use in the search for parent and sub-folder from CreateOptions

```csharp public class CreateOptions { public string FolderUid { get; } public string SubFolderUid { get; } } ``` ```csharp public class KeeperFolder { public byte[] FolderKey { get; } public string FolderUid { get; } public string ParentUid { get; } public string Name { get; } } ``` **Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); var co = new CreateOptions("[PARENT_SHARED_FOLDER_UID]"); var folderUid = await SecretsManagerClient.CreateFolder(options, co, "new_folder"); ``` ### Update a Folder Updates the folder metadata - currently folder name only. ```csharp Task UpdateFolder(SecretsManagerOptions options, string folderUid, string folderName, KeeperFolder[] folders = null) ```

Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Preconfigured options
`folderUid`	`string`	Yes		The folder UID
`folderName`	`string`	Yes		The new folder name
`folders`	`KeeperFolder[]`	No	`null`	List of folders to use in the search for parent folder

**Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); await SecretsManagerClient.UpdateFolder(options, "[FOLDER_UID]", "new_folder_name"); ``` ### Delete Folders Removes a list of folders. Use `forceDeletion` flag to remove non-empty folders. {% hint style="info" %} When using forceDeletion avoid sending parent with its children folder UIDs. Depending on the delete order you may get an error - *ex.* if parent force-deleted child first. There's no guarantee that list will always be processed in FIFO order. {% endhint %} {% hint style="info" %} Any folders UIDs missing from the vault or not shared to the KSM Application will not result in error. {% endhint %} ```csharp Task DeleteFolder(SecretsManagerOptions options, string[] folderUids, bool forceDeletion = false) ```

Parameter	Type	Required	Default	Description
`options`	`SecretsManagerOptions`	Yes		Preconfigured options
`folderUids`	`string[]`	Yes		The folder UID list
`forceDeletion`	`bool`	No	`false`	Force deletion of non-empty folders

**Example Usage** ```csharp using SecretsManager; var options = new SecretsManagerOptions(new LocalConfigStorage("ksm-config.json")); await SecretsManagerClient.DeleteFolder(options, new string[]{"[FOLDER_UID1]", "[FOLDER_UID2]"}, true); ``` ### Proxy support .NET SDK supports setting proxy through environment variables and passing proxy url to `SecretsManagerOptions` directly {% hint style="info" %} Keeper recommends using **environment variables** for proxy settings. This approach keeps configuration details out of code, ensures consistency across tools and environments, and simplifies deployment and maintenance {% endhint %} **Example usage through environment variables** ``` HTTPS_PROXY=http://user:password@127.0.0.1:3128 dotnet run ``` Example usage passing url to `SecretsManagerOptions` ```csharp var options = new SecretsManagerOptions(storage, null, false, "http://user:password@127.0.0.1:3128"); ```