The Keeper Secrets Manager SDK expects the developer to use their required cryptographic provider. As documented above, Keeper will use the default cryptographic module of the Java runtime unless a specific provider is added. In the examples here in this documentation, we are using the BouncyCastle FIPS provider.
In the source code, ensure that the provider is loaded in the security context:
fun main() {
Security.addProvider(BouncyCastleFipsProvider())
...
See the file CryptoUtilsTest.kt as shown in this on how to use a custom security provider.
Source Code
Initialize Storage
Using token only to generate a new config (for later usage) requires at least one read operation to bind the token and fully populate config.json
In order to retrieve secrets, you must first initialize the local storage on your machine.
import static com.keepersecurity.secretsManager.core.SecretsManager.initializeStorage;
import com.keepersecurity.secretsManager.core.LocalConfigStorage;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
// oneTimeToken is used only once to initialize the storage
// after the first run, subsequent calls will use "ksm-config.txt" file
String oneTimeToken = "[One Time Access Token]";
LocalConfigStorage storage = new LocalConfigStorage("ksm-config.txt");
Security.addProvider(new BouncyCastleFipsProvider());
try {
initializeStorage(storage, oneTimeToken);
SecretsManagerOptions options = new SecretsManagerOptions(storage);
// Using token only to generate a config (for later usage)
// requires at least one access operation to bind the token
//getSecrets(options)
} catch (Exception e) {
System.out.println(e.getMessage());
}
Object containing all Keeper records, or records that match the given filter criteria
Example Usage
Retrieve all Secrets
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperSecrets;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
//get secrets
SecretsManagerOptions options = new SecretsManagerOptions(storage);
KeeperSecrets secrets = SecretsManager.getSecrets(options);
//get records from secrets
List<KeeperRecord> records = secrets.getRecords();
Retrieve one secret by UID
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperSecrets;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
//get secrets
SecretsManagerOptions options = new SecretsManagerOptions(storage);
KeeperSecrets secrets = SecretsManager.getSecrets(options);
// identify one or more record UID to fetch secrets by
List<String> uidFilter = List.of("[XXX]");
// fetch secrets with the filter
KeeperSecrets secrets = SecretsManager.getSecrets(options, uidFilter);
//get records from secrets
List<KeeperRecord> records = secrets.getRecords();
Retrieve Secrets by Title
// get all matching records
getSecretsByTitle(recordTitle: String): List<KeeperRecord>
// get only the first matching record
getSecretByTitle(recordTitle: String): KeeperRecord
Parameter
Type
Required
Description
recordTitle
String
Yes
Record title to search for
Example Usage
import com.keepersecurity.secretsManager.core.*;
import java.util.List;
public class KSMSample {
public static void main(String[] args){
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
// get pre-initialized storage
KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
try {
SecretsManagerOptions options = new SecretsManagerOptions(storage);
// title of the record to fetch
String recordTitle = "My Credentials";
// search for record by title
KeeperRecord myCredentials = secrets.getRecords().getSecretByTitle(recordTitle);
// print out record details
System.out.println("Record UID: " + myCredentials.getRecordUid());
System.out.println("Title: " + myCredentials.getData().getTitle());
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}
Retrieve Values From a Secret
Retrieve a Password
This shortcut gets the password of a secret once that secret has been retrieved from Keeper Secrets Manager.
secret.getPassword()
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperSecrets;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
//get secrets
SecretsManagerOptions options = new SecretsManagerOptions(storage);
KeeperSecrets secrets = SecretsManager.getSecrets(options);
//get the first record
List<KeeperRecord> records = secrets.getRecords().get(0);
//get the password from the first record
firstRecord.getPassword()
Retrieve Fields
secret.getData().getField(<FIELD_TYPE>)
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperSecrets;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
//get secrets
SecretsManagerOptions options = new SecretsManagerOptions(storage);
KeeperSecrets secrets = SecretsManager.getSecrets(options);
//get the first record
List<KeeperRecord> records = secrets.getRecords();
KeeperRecord firstRecord = secrets.getRecords().get(0);
//get the password from the first record
KeeperRecordField pwd = firstRecord.getData().getField(Password.class)
Keeper Notation
Notation.getValue(secret, "<query>");
// Query example "<RECORD UID>/field/login"
import static com.keepersecurity.secretsManager.core.SecretsManager.*
import static com.keepersecurity.secretsManager.core.Notation.*;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
// get secrets
KeeperSecrets secrets = getSecrets(options);
// get login with dot notation
String login = getValue(secrets, "BediNKCMG21ztm5xGYgNww/field/login");
Parameter
Type
Required
Default
Description
secret
KeeperRecord
Yes
Record to get field value from
query
String
Yes
Dot notation query of desired field
Get TOTP Code
TotpCode.uriToTotpCode(url)
import static com.keepersecurity.secretsManager.core.Notation.*;
import static com.keepersecurity.secretsManager.core.TotpCode.*;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
...
// get secrets
KeeperSecrets secrets = getSecrets(options);
// get TOTP url from record
String url= getValue(secrets, "BediNKCMG21ztm5xGYgNww/field/oneTimeCode");
// get TOTP code
TotpCode totp = uriToTotpCode(url);
Parameter
Type
Required
Default
Description
url
String
Yes
TOTP Url
Update Values in a Secret
Record update commands don't update local record data on success (esp. updated record revision) so any consecutive updates to an already updated record will fail due to revision mismatch. Make sure to reload all updated records after each update batch.
import static com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperSecrets;
// get secrets
SecretsManagerOptions options = SecretsManagerOptions(storage);
KeeperSecrets secrets = getSecrets(options);
// we'll update the first record
KeeperRecord recordToUpdate = secrets.getRecords().get(0);
// update password
recordToUpdate.updatePassword("aP1$t367QOCvL$eM$bG#");
// save changes
SecretsManager.updateSecret(options, recordToUpdate);
Parameter
Type
Required
Default
Description
password
String
Yes
New password to set
Update other fields
//format
RecordField.getValue().set(index, value)
//example - Login field
recordLogin.getValue().set(0, "New Login");
// get field to edit
Login recordLogin = (Login) recordToUpdate.getData().getField(Login.class);
// update field value
recordLogin.getValue().set(0, "New Login");
// save changes
SecretsManager.updateSecret(options, recordToUpdate);
Fields can have multiple values, which is accessed in a List. In this example we are updating the login field, which only accepts one value, so we update the one value in the values list.
import com.keepersecurity.secretsManager.core.CryptoUtils;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
// get field to edit
Password recordPassword = (Password) recordToUpdate.getData().getField(Password.class);
// generate a random password
String password = CryptoUtils.generatePassword();
// update field value
recordPassword.getValue().set(0, password);
// save changes
SecretsManager.updateSecret(options, recordToUpdate);
Parameter
Type
Required
Default
length
int
Optional
64
lowercase
int
Optional
0
uppercase
int
Optional
0
digits
int
Optional
0
specialCharacters
int
Optional
0
Each parameter indicates the min number of a type of character to include. For example, 'uppercase' indicates the minimum number of uppercase letters to include.
Download a File
SecretsManager.downloadFile(file): ByteArray
import static com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperFile;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
// download the first file from the first record
KeeperRecord firstRecord = secrets.getRecords().get(0);
KeeperFile file = firstRecord.getFileByName("acme.cer");
byte[] fileBytes = SecretsManager.downloadFile(file);
// write file to a disk
try (FileOutputStream fos = new FileOutputStream(file.getData().getName())) {
fos.write(fileBytes);
} catch (IOException ioException){
ioException.printStackTrace();
}
Parameter
Type
Required
Default
Description
file
KeeperFile
Yes
File to download
Response
Type:ByteArray
ByteArray of file for download
Download a Thumbnail
SecretsManager.downloadThumbnail(file): ByteArray
import static com.keepersecurity.secretsManager.core.SecretsManager;
import com.keepersecurity.secretsManager.core.KeeperRecord;
import com.keepersecurity.secretsManager.core.KeeperFile;
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
// download the first file from the first record
KeeperRecord firstRecord = secrets.getRecords().get(0);
KeeperFile file = firstRecord.getFileByName("acme.cer");
byte[] fileBytes = SecretsManager.downloadThumbnail(file);
// write file to a disk
try (FileOutputStream fos = new FileOutputStream(file.getData().getName())) {
fos.write(fileBytes);
} catch (IOException ioException){
ioException.printStackTrace();
}
KeeperFileUpload(
val name: String,
val title: String,
val type: String?,
val data: ByteArray
)
Parameter
Type
Required
Description
name
string
Yes
What the name of the file will be in Keeper once uploaded
title
string
Yes
What the title of the file will be in Keeper once uploaded
type
string
Optional
The mime type of data in the file. 'application/octet-stream' will be used if nothing is given
data
ByteArray
Yes
File data as bytes
Example Usage
import com.keepersecurity.secretsManager.core.*;
import java.io.File;
import java.io.FileInputStream;
import java.util.Arrays;
public class KSMSample {
public static void main(String[] args){
// Ensure security provider is loaded
Security.addProvider(new BouncyCastleFipsProvider());
// get pre-initialized storage
KeyValueStorage storage = new LocalConfigStorage("ksm-config.json");
try {
SecretsManagerOptions options = new SecretsManagerOptions(storage);
// create a filter with the UID of the record we want
List<String> uidFilter = List.of("XXX");
// fetch secrets with the filter
KeeperSecrets secrets = SecretsManager.getSecrets(options, uidFilter);
// get the desired secret to upload a file to
KeeperRecord ownerRecord = secrets.getRecords().get(0);
// get bytes from file to upload
File file = new File("./myFile.json");
FileInputStream fl = new FileInputStream(file);
byte[] fileBytes = new byte[(int)file.length()];
fl.read(fileBytes);
fl.close();
// create a Keeper File to upload
KeeperFileUpload myFile = new KeeperFileUpload(
"myFile.json",
"My File",
"application/json",
fileBytes
)
// upload the file to the selected record
SecretsManager.uploadFile(options, ownerRecord, myFile);
} catch (Exception e) {
System.out.println("KSM ran into an problem: " + e.getMessage());
}
}
}
Create a Secret
Prerequisites:
Shared folder UID
Shared folder must be accessible by the Secrets Manager Application
You and the Secrets Manager application must have edit permission
There must be at least one record in the shared folder
Created records and record fields must be formatted correctly
TOTP fields accept only URL generated outside of the KSM SDK
Freshly fetched list of all folders from the Keeper servers
This example creates a login type record with a login value and a generated password.
Replace '[FOLDER UID]' in the example with the UID of a shared folder that your Secrets Manager Application has access to.
import com.keepersecurity.secretsManager.core.*;
KeeperRecordData newRecordData = new KeeperRecordData(
"Sample KSM Record: Java",
"login",
Arrays.asList(
new Login("My Username"),
new Password(CryptoUtils.generatePassword())
),
null,
"This is a \nmultiline\n\n\tnote"
);
String recordUid = SecretsManager.createSecret(options, folderUid, newRecordData);
This example creates a record with a custom record type.
Replace '[FOLDER UID]' in the example with the UID of a shared folder that your Secrets Manager Application has access to.
import com.keepersecurity.secretsManager.core.*;
KeeperRecordData newRecordData = new KeeperRecordData(
"Sample Custom Type KSM Record: Java",
"Custom Login", // Record Type Name
Arrays.asList(
new Hosts(
"My Custom Host lbl", // label
true, // required
false, // private screen
List.of(new Host("127.0.0.1", "8000"))),
// OR new Hosts(new Host("127.0.0.1", "8000"))
new Login("My Custom Login lbl",
true,
false,
List.of("login@email.com")),
// OR new Login("username@email.com")
new Password( "My Custom Password lbl",
true,
false,
List.of(CryptoUtils.generatePassword())),
// OR new Password(CryptoUtils.generatePassword())
new Url("My Login Page",
true,
false,
List.of("http://localhost:8080/login")),
// OR new Url("http://localhost:8080/login")
new SecurityQuestions(
"My Question 1",
true,
false,
List.of(new SecurityQuestion("What is one plus one (write just a number)", "2"))),
// OR new SecurityQuestions(new SecurityQuestion("What is one plus one (write just a number)", "2"))
new Phones("My Phone Number",
true,
false,
List.of(new Phone("US", "510-444-3333", "2345", "Mobile"))),
// OR new Phones(new Phone("US", "510-444-3333", "2345", "Mobile"))
new Date("My Date Lbl",
true,
false,
List.of(1641934793000L)
),
// OR new Date(1641934793000L),
new Names("My Custom Name lbl",
true,
false,
List.of(new Name("John", "Patrick", "Smith"))),
// OR new Names(new Name("John", "Patrick", "Smith"))
new OneTimeCode("My TOTP",
true,
false,
List.of("otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"))
// OR new OneTimeCode("otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example")
),
Arrays.asList(
new Phones(new Phone("US", "(510) 123-3456")),
new Phones(new Phone("US", "510-111-3333", "45674", "Mobile"))
),
"\tThis custom type record was created\n\tvia KSM Java Document Example"
);
String recordUid = SecretsManager.createSecret(options, "[FOLDER UID]", newRecordData);
Delete a Secret
The Java/Kotlin KSM SDK can delete records in the Keeper Vault.
deleteSecret(smOptions, recordUids);
Parameter
Type
Required
smOptions
SecretsManagerOptions
Yes
recordUids
List<Sting>
Yes
// setup secrets manager
val storage = LocalConfigStorage("ksm-config.json")
//initializeStorage(storage, "<One Time Access Token>")
val smOptions = SecretsManagerOptions(storage)
// delete a specific secret by record UID
deleteSecret(smOptions, List.of("EG6KdJaaLG7esRZbMnfbFA"));
Caching
To protect against losing access to your secrets when network access is lost, the Java SDK allows caching of secrets to the local machine in an encrypted file.
Setup and Configure Cache
In order to setup caching in the Java SDK, include a caching post function as the second argument when instantiating aSecretsManagerOptions object.
The Java SDK includes a default caching function cachingPostFunction which stores cached queries to a file.
//create options with caching
SecretsManagerOptions options = new SecretsManagerOptions(storage, SecretsManager::cachingPostFunction);
//example get all secrets
SecretsManager.getSecrets(options)
Folders
Folders have full CRUD support - create, read, update and delete operations.
Requires CreateOptions and folder name to be provided. The folder UID parameter in CreateOptions is required - UID of a shared folder, while sub-folder UID is optional and if missing new regular folder is created directly under the parent (shared folder). There's no requirement for the sub-folder to be a direct descendant of the parent shared folder - it could be many levels deep.
Removes a list of folders. Use forceDeletion flag to remove non-empty folders.
When using forceDeletion avoid sending parent with its children folder UIDs. Depending on the delete order you may get an error - ex. if parent force-deleted child first. There's no guarantee that list will always be processed in FIFO order.
Any folders UIDs missing from the vault or not shared to the KSM Application will not result in error.
To get a field value, you will need to cast the return to the of the corresponding field type. For a list of field types see the page.
See to learn about Keeper Notation format and capabilities
Each record field type is represented by a class. Cast the field to the corresponding class in order to correctly access the field's value. Check the documentation for a list of field types.
See the for expected field formats for each record type
After record creation, you can upload file attachments using
