Hashicorp Vault

Use Keeper Secrets Manager with HashiCorp Vault as a Data Source

Last updated 9 months ago

About

The Keeper Secrets Manager HashiCorp Vault integration is a HashiCorp Vault secrets-engine plugin that exposes records from the Keeper Vault at a mount path (ksm/ in the examples below), so the Keeper Vault acts as the data store behind that mount. For a complete list of Keeper Secrets Manager features see the Secrets Manager Overview.

Features

  • Use secrets from the Keeper Vault in HashiCorp Vault scripts and commands

  • Read secret information (including TOTP codes) using HashiCorp Vault

  • Create, update and delete secret information from HashiCorp Vault

Prerequisites

This page documents the Secrets Manager HashiCorp Vault integration. In order to utilize this integration, you will need:

  • Keeper Secrets Manager access (see the Secrets Manager Overview for more details)

    • Secrets Manager add-on enabled for your Keeper subscription

    • Membership in a Role with the Secrets Manager enforcement policy enabled

  • A Keeper Secrets Manager Application with secrets shared to it

    • See the Quick Start Guide for instructions on creating an Application

  • An initialized Keeper Secrets Manager Configuration

    • The HashiCorp Vault integration accepts our Base64 format configurations

    • See the Configuration Documentation for how to create one

  • HashiCorp Vault command line, and a Vault server running

    • See the HashiCorp Vault documentation for how to install

Installation

1. Download the Secrets Manager Plugin

Download the latest integration release from the KSM GitHub releases page (Releases · Keeper-Security/secrets-manager).

Look for a vault-plugin release in the list of releases that matches your platform.

Unzip the plugin and place it in your HashiCorp Vault plugins directory. In this example the folder is located at C:\vault\plugins (Windows) or /etc/vault/vault_plugins (macOS/Linux). On macOS/Linux make sure the binary is executable (chmod +x). For a production server the directory must be the one set as plugin_directory in the Vault server configuration, and it should be writable only by the account that runs Vault: anything that can write to that directory can replace the plugin.

2. Register the Plugin with HashiCorp Vault

Development Mode

For testing the plugin or to allow quick development, development mode can be used to quickly get the HashiCorp Vault CLI up and running. Run the server in one terminal and the commands that follow in another, after exporting the VAULT_ADDR value the server prints (dev mode listens on 127.0.0.1:8200 by default). Dev mode starts unsealed and prints a root token to the terminal, so it is for local testing only.

Windows

Start the HashiCorp Vault in dev mode

vault server -dev -dev-plugin-dir=C:\vault\plugins

Enable the Secrets Manager Plugin

vault secrets enable -path=ksm vault-plugin-secrets-ksm.exe

macOS / Linux

Start the HashiCorp Vault in dev mode

vault server -dev -dev-plugin-dir=/etc/vault/vault_plugins

Enable the Secrets Manager Plugin

vault secrets enable -path=ksm vault-plugin-secrets-ksm

HashiCorp Vault development mode uses volatile in-memory storage. Actions taken on secrets through the plugin are applied to the Keeper Vault immediately, but the mount itself is lost whenever the dev server stops, so the plugin will need to be re-enabled each time HashiCorp Vault is started in dev mode.

Production Mode

When ready to move to production, the plugin will need to be registered in the Vault plugin catalog using the SHA256 hash of the plugin binary. Vault stores that hash and refuses to run a binary that no longer matches it, so compute the hash on the file you actually placed in plugin_directory and, if the release publishes a checksum, compare against it before registering. Registering requires a token that is allowed to write to the plugin catalog, and the binary must already be present in the server's plugin_directory.

Windows

Generating SHA256 Hash

You will need a hash of the plugin file to register it with a production HashiCorp Vault server. Windows 7 and later ships with a built-in tool called CertUtil that can generate the SHA256 hash (PowerShell's Get-FileHash -Algorithm SHA256 works as well); any tool that produces a SHA256 file hash will do.

CertUtil -hashfile C:\vault\plugins\vault-plugin-secrets-ksm.exe SHA256

Register and Enable the Secrets Manager Plugin

Because the Windows binary carries the .exe suffix, pass the file name with -command and register the plugin under its bare name:

vault plugin register -command=vault-plugin-secrets-ksm.exe -sha256=<SHA256> secret vault-plugin-secrets-ksm
vault secrets enable -path=ksm vault-plugin-secrets-ksm

macOS / Linux

Generating SHA256 Hash

Using the built-in shasum command the hash can be generated like this:

shasum -a 256 /etc/vault/vault_plugins/vault-plugin-secrets-ksm

Depending on your OS, you may use the sha256sum command instead:

sha256sum /etc/vault/vault_plugins/vault-plugin-secrets-ksm

Register and Enable the Secrets Manager Plugin

vault plugin register -sha256=<SHA256> secret vault-plugin-secrets-ksm
vault secrets enable -path=ksm vault-plugin-secrets-ksm

You can confirm the catalog entry with vault plugin list secret and the mount with vault secrets list.
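The production steps above are a hash-then-register sequence, and the value of the hash is that a binary which does not match is never registered. The following script is an added example, not code from Keeper or HashiCorp: it computes the plugin's SHA256 exactly as the shasum/CertUtil commands do, refuses to continue on a mismatch, and renders the register and enable commands (running them only when dry_run is False). The vault CLI on PATH with VAULT_ADDR/VAULT_TOKEN set, the plugin_directory layout, and the source of expected_sha256 (a published checksum or a hash you took of the download) are assumptions; demo() works on a constructed stand-in file so it runs offline.

```python
"""Added example (not Keeper's or HashiCorp's code): pin the KSM plugin binary by
SHA256 before registering it with a production HashiCorp Vault server.

Assumptions: the `vault` CLI is on PATH with VAULT_ADDR/VAULT_TOKEN set when
dry_run=False, the binary is in the directory configured as the server's
plugin_directory, and expected_sha256 comes from the release's checksum or from a
hash you computed on the downloaded archive before copying it into place.
"""
import hashlib
import shlex
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Hex SHA256 of a file, streamed so a large binary is not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def register_commands(plugin_dir: Path, expected_sha256: str,
                      name: str = "vault-plugin-secrets-ksm",
                      binary_name: Optional[str] = None,
                      mount: str = "ksm") -> List[List[str]]:
    """argv lists for `vault plugin register` and `vault secrets enable`.

    binary_name is for Windows, where the file is name.exe but the catalog entry
    is the bare name (the file name goes in -command=). Raises ValueError when the
    on-disk binary does not match expected_sha256, so a swapped or truncated
    download is never registered; Vault itself refuses to run the binary if it
    changes after registration.
    """
    binary = plugin_dir / (binary_name or name)
    actual = sha256_file(binary)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"{binary}: SHA256 {actual} != expected {expected_sha256}")
    register = ["vault", "plugin", "register"]
    if binary_name and binary_name != name:
        register.append(f"-command={binary_name}")
    register += [f"-sha256={actual}", "secret", name]
    return [register, ["vault", "secrets", "enable", f"-path={mount}", name]]


def register_plugin(plugin_dir: Path, expected_sha256: str, dry_run: bool = True,
                    **kw) -> List[str]:
    """Render the commands and run them unless dry_run; returns the rendered lines."""
    lines = []
    for argv in register_commands(plugin_dir, expected_sha256, **kw):
        line = shlex.join(argv)
        lines.append(line)
        if dry_run:
            print(line)
        else:
            subprocess.run(argv, check=True)
    return lines


def demo() -> Dict[str, object]:
    """Offline walk-through on a constructed stand-in for the plugin binary."""
    d = Path(tempfile.mkdtemp(prefix="ksm-plugin-"))
    payload = b"constructed stand-in, not the real plugin"  # constructed sample bytes
    (d / "vault-plugin-secrets-ksm").write_bytes(payload)
    expected = hashlib.sha256(payload).hexdigest()
    return {"dir": d, "sha256": expected,
            "lines": register_plugin(d, expected.upper(), dry_run=True)}


if __name__ == "__main__":
    demo()
```

Run it with dry_run=False only on the Vault host, with a token scoped to the plugin catalog and the target mount; the digest comparison is case-insensitive because CertUtil and shasum print it in different cases.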

3. Configure a Secrets Manager Connection

Now that the HashiCorp Vault plugin is installed, a secure connection to the Keeper Vault needs to be established so that secret credentials can be accessed. To create this connection, a Secrets Manager configuration needs to be created and written to the plugin's config path.

Create a Secrets Manager Configuration

A Secrets Manager configuration can be created using Keeper Commander or the Secrets Manager CLI. See the Secrets Manager Configuration documentation for more information on creating a configuration.

Once a configuration has been generated, write it to the plugin's ksm/config path:

vault write ksm/config ksm_config=<BASE64_CONFIG...>

The Base64 configuration contains the application's private key and is a secret in its own right. Prefer passing it from a file (ksm_config=@config.b64) or from stdin (ksm_config=-) rather than typing it on the command line, where it ends up in shell history, and restrict read and write access to ksm/config in your Vault policies.

Using the Plugin

List Secrets

vault list ksm/records

The records will be shown in the following format:

Keys
----
UID RECORDTYPE: RECORDTITLE

Example:

C:\Vault> vault list ksm/records
Keys
----
Hf6of4uo_2aD7IMjn4VPuA  login:  My Record
Lv3B9ObAjxdpdBl0IJ3oow  folder: 4 record(s)
Oq3fFu14hZY00d7sp3EYNA  MyCustomType:  My New Record (Custom record type)
YDx58Q94dE1k9B367ZVz1w  databaseCredentials:    MySQL Credentials
qe3EWYn840uR0bOMyZ2b0Q  login:  Dropbox Login

Get a Single Secret

vault read ksm/record uid=<UID>

Example:

C:\Vault> vault read ksm/record uid=Hf6r5Zuo_2aD7IMjn4VPuA
Key       Value
---       -----
fields    [map[type:login value:[username@email.com]] map[type:password value:[Pd08fi@1]]]
notes     Example Login Record
title     Sample KSM Record
type      login

Read TOTP Code

vault read ksm/record/totp uid=<UID>

Example:

C:\Vault> vault read ksm/record/totp uid=32t82-oRu-79yplIAZ6jmA 
Key    Value
---    ---
TOTP   [map[token:392528 ttl:22 url:otpauth://totp/Generator:?secret=JBSWY3DPEZAK3PXP&issuer=Generator&algorithm=SHA1&digits=6&period=30]] 
UID    32t82-oRu-79yplIAZ6jmA

Update a Secret

To update an existing secret, use the following command, passing in JSON data that represents the updated secret's information. The corresponding record in the Keeper Vault will be updated to match the JSON data passed, so start from the record's current JSON (see the tip below) and change only the values you intend to, rather than writing a partial document.

vault write -format=json ksm/record uid=<UID> data=@update.json

In this example the updated data is passed in from a file, which is recommended for cleaner and simpler CLI commands. The JSON data can be passed in on the command line, but quotes will need to be escaped. Since the file holds the new password, create it with restrictive permissions and remove it once the write succeeds.

Example data file:

update.json
{
  "fields": [
    {
      "type": "login",
      "value": [
        "username@email.com"
      ]
    },
    {
      "type": "password",
      "value": [
        "kjh4j3245DCD!d"
      ]
    }
  ],
  "notes": "\tThis record was updated with the Vault KSM plugin",
  "title": "Sample Updated Record",
  "type": "login"
}

Tip: you can see the current values of a secret in JSON format with this command:

vault read -field=data -format=json ksm/record uid=<UID>

Create a Secret

Similar to updating a secret, create a new secret by passing JSON data to the following command. folder_uid is the UID of the shared folder in which the record is created; folder UIDs appear alongside record UIDs in the vault list ksm/records output, and the folder must be shared to the Secrets Manager application.

vault write -format=json ksm/record/create folder_uid=<UID> data=@data.json

In this example the new record's data is passed in from a file, which is recommended for cleaner and simpler CLI commands. The JSON data can be passed in on the command line, but quotes will need to be escaped.

Example data file (the \u0026 sequences are JSON escapes for &, so the oneTimeCode value is an ordinary otpauth:// URL; the secret must be base32, i.e. A-Z and 2-7 only):

data.json
{
  "fields": [
    {
      "type": "login",
      "value": [
        "username@email.com"
      ]
    },
    {
      "type": "oneTimeCode",
      "value": [
        "otpauth://totp/Generator:?secret=JBSWY3DPEZAK3PXP\u0026issuer=Generator\u0026algorithm=SHA1\u0026digits=6\u0026period=30"
      ]
    }
  ],
  "notes": "\tExample Record with TOTP",
  "title": "Sample TOTP SECRET",
  "type": "login"
}

Delete a Secret

vault delete ksm/record uid=Oq3fFu14hZY00d7sp3EYNA
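The update and create sections above share two practical points: an update rewrites the Keeper record to match the whole JSON document, so the safe pattern is read, modify one field, write back; and a oneTimeCode field is only useful if its otpauth:// URL is well formed, which the plugin's TOTP endpoint will otherwise fail to render. The script below is an added example, not the plugin's or Keeper's code. get_field and with_field work on the record shape shown under Get a Single Secret (SAMPLE_RECORD is a constructed copy of that output); the hypothetical read_record and write_record helpers shell out to the vault read -field=data and vault write data=@file commands documented on this page, writing the JSON through a 0600 temporary file that is deleted afterwards; parse_otpauth and totp validate the URL and compute the code the way vault read ksm/record/totp reports it. The vault CLI on PATH with VAULT_ADDR/VAULT_TOKEN set and a mount at ksm/ are assumptions.

```python
"""Added example (not Keeper's or HashiCorp's code): read-modify-write a record via
the ksm/ mount and validate an otpauth:// URL before creating a TOTP record.

Assumptions: `vault` on PATH with VAULT_ADDR/VAULT_TOKEN set, plugin mounted at ksm/.
"""
import base64
import copy
import hashlib
import hmac
import json
import os
import re
import struct
import subprocess
import tempfile
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample in the shape of `vault read -field=data -format=json ksm/record`.
SAMPLE_RECORD = {
    "fields": [
        {"type": "login", "value": ["username@email.com"]},
        {"type": "password", "value": ["Pd08fi@1"]},
    ],
    "notes": "Example Login Record",
    "title": "Sample KSM Record",
    "type": "login",
}


def get_field(record: dict, field_type: str) -> List[str]:
    """Values of the first field of the given type, or [] if the record has none."""
    for f in record.get("fields", []):
        if f.get("type") == field_type:
            return list(f.get("value", []))
    return []


def with_field(record: dict, field_type: str, values: List[str]) -> dict:
    """Copy of record with one field replaced (or appended). Every other field, the
    title and the notes are carried through because the plugin rewrites the Keeper
    record to match the whole JSON document it is given."""
    new = copy.deepcopy(record)
    for f in new.setdefault("fields", []):
        if f.get("type") == field_type:
            f["value"] = list(values)
            return new
    new["fields"].append({"type": field_type, "value": list(values)})
    return new


def read_record(uid: str) -> dict:
    """Hypothetical wrapper around the page's read command (needs a live Vault)."""
    out = subprocess.run(["vault", "read", "-field=data", "-format=json", "ksm/record",
                          f"uid={uid}"], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def write_record(uid: str, record: dict) -> None:
    """Hypothetical wrapper around the page's write command: the JSON goes through a
    0600 temp file (data=@file) that is removed afterwards, so the password is neither
    on the command line nor left on disk."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
        os.chmod(path, 0o600)
        subprocess.run(["vault", "write", "-format=json", "ksm/record", f"uid={uid}",
                        f"data=@{path}"], check=True)
    finally:
        os.unlink(path)


def rotate_password(uid: str, new_password: str) -> None:
    """Read-modify-write: only the password field changes."""
    write_record(uid, with_field(read_record(uid), "password", [new_password]))


_B32 = re.compile(r"^[A-Z2-7]+=*$")


def parse_otpauth(url: str) -> Dict[str, object]:
    """Validate an otpauth://totp/ URL for a oneTimeCode field and return its
    parameters; raises ValueError on anything a TOTP generator would reject,
    notably a secret that is not base32."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URLs are supported")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q.get("secret", "").upper()
    if not secret or not _B32.match(secret):
        raise ValueError("secret must be base32 (A-Z, 2-7)")
    algo = q.get("algorithm", "SHA1").upper()
    if algo not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algo}")
    digits, period = int(q.get("digits", "6")), int(q.get("period", "30"))
    if digits not in (6, 7, 8) or period <= 0:
        raise ValueError("digits must be 6-8 and period positive")
    return {"secret": secret, "algorithm": algo, "digits": digits, "period": period}


def totp(params: Dict[str, object], at: Optional[int] = None) -> Tuple[str, int]:
    """RFC 6238 code plus remaining seconds, as `vault read ksm/record/totp` reports."""
    now = int(time.time()) if at is None else at
    secret = str(params["secret"])
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = now // int(params["period"])
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, str(params["algorithm"]).lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    digits = int(params["digits"])
    return str(code % 10 ** digits).zfill(digits), int(params["period"]) - now % int(params["period"])
```

Call parse_otpauth on the URL before it goes into data.json; a secret such as the one with a 9 in it fails validation here rather than at the first vault read ksm/record/totp.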
