Secrets Manager CLI

The Secrets Manager CLI provides shell access to vault secrets

Overview

The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.

Core Features

  • Get Secrets from the Keeper Vault

  • Update Secrets from the Keeper Vault

  • Integrate with 3rd party CI/CD and other dev tools

  • Sync secrets between Keeper and external secrets providers

  • Replace environment variables with Keeper secrets in scripts and containers


Keeper provides 2 different CLI tools. The Secrets Manager CLI is targeted to machine-based secrets management. The Commander CLI is more focused on administrative capabilities.

Secure Configuration Storage

The KSM CLI stores configuration securely in your operating system's native secure storage manager by default. This provides enhanced security compared to storing credentials in configuration files.

How It Works

| Operating System | Secure Storage Backend |
| --- | --- |
| macOS | Keychain |
| Windows | Windows Credential Manager |
| Linux | Secret Service (GNOME Keyring, KWallet) |

When you initialize a profile, your credentials are automatically stored in the OS-native secure storage. No keeper.ini file is created unless you explicitly request file-based storage.

Benefits of OS-Native Storage

  • Enhanced Security: Credentials are encrypted using OS-level encryption

  • No Plain-text Files: Eliminates the risk of accidentally exposing credential files

  • Automatic Protection: Leverages existing OS security features (biometrics, system passwords)

  • Multi-profile Support: Easily manage multiple KSM profiles securely

Note: OS-native secure storage requires the optional keyring extra: pip3 install keeper-secrets-manager-cli[keyring]. Without it, profiles fall back to keeper.ini file-based storage.


Application and Client Device Setup

In order to use the Secrets Manager CLI, or environment variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. Check out the Quick Start Guide to set this up.

Secrets Manager CLI Installation

The KSM CLI is available as a binary application for Windows/Mac/Linux or a pip3 install for any Python environment.

Binary Install Method

The latest binary release can be found on the GitHub repository. Download the installer based on your operating system.

⬇️ Download the Secrets Manager CLI Binary

When launching the CLI in Windows or macOS, the CLI will run in a shell mode. The ksm command is still available via the command line.

The Linux binary is just an executable and should be moved to a directory in the PATH.

Docker Install Method

See the Docker Container page for installation and setup from Keeper's Docker image.

Pip3 and Python3 Install Method

Please ensure that Python 3.10 or higher is installed. If not, use your OS-specific package manager to install it.

Make sure your pip3 is up to date:

Now you can install the Secrets Manager CLI:

To upgrade to the latest version:

This method will install the CLI into the system Python. If you do not have root or admin permissions, you can install the CLI by setting up a virtualenv. If you do not use virtualenv, the module and binary will be installed into your $HOME/.local directory on Linux or macOS. You may need to add the bin directory to your PATH.

For more information, see https://pypi.org/project/keeper-secrets-manager-cli/

Installing KSM using virtualenv

For developers, using virtualenv is a clean way to install KSM in an isolated environment.

Then, install ksm to the virtual environment

Installing optional extras

The KSM CLI supports optional extras for additional functionality:

OS-native secure storage (recommended):

pip3 install keeper-secrets-manager-cli[keyring]

Note: The keyring extra enables storing profiles in macOS Keychain, Windows Credential Manager, or Linux Secret Service. Without it, profiles fall back to file-based storage with 0600 permissions.

AWS Secrets Manager sync support:

pip3 install keeper-secrets-manager-cli[aws]

Note: The aws extra (boto3) is required for the ksm sync command when syncing to AWS Secrets Manager. It is not installed by default.

Install all extras:

pip3 install keeper-secrets-manager-cli[keyring,aws]

Source Code

Find the Keeper Secrets Manager CLI source code in the GitHub repository.

Usage

The ksm CLI tool can be used for the following purposes:

  • Initialize a configuration file for use in integrations such as GitHub Actions ("init")

  • Create a local profile to execute commands as a client device ("profile")

  • Query the Keeper vault and retrieve secrets ("secret")

  • Wrap command-line applications for environmental variable substitution ("exec")

Create a local Client Device

The CLI is initialized as a client device by passing in the One Time Access Token in the ksm profile init command. After initialization, the CLI can be used to obtain secrets. In the example below, replace "XX:XXXX" with the One Time Access Token for your Client Device.

Default Behavior: For OS-Native Secure Storage

By default, configuration is stored in your operating system’s native secure storage when the KSM CLI is installed with keyring support (pip3 install keeper-secrets-manager-cli[keyring]):

Example output (macOS):

Example output (Windows):

Example output (Linux):

After initialization, you can immediately use the CLI:

Alternative: File-Based Storage

If you prefer to store configuration in a configuration file, use the --ini-file option:

This creates a keeper.ini file with restricted permissions (0600 - owner-only access).

For Containerized / Serverless Environments

For containerized, serverless, or headless environments (such as Docker, Kubernetes, CI/CD pipelines, or cloud functions), install the KSM CLI without keyring support:

Initialize the profile using the token:

This will create a keeper.ini configuration file, which is suitable for environments where OS-native secure storage is not available.


If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN is set.

Example:

Environment variables can be set to reduce the command line flags.

| Environment Variable | Description |
| --- | --- |
| KSM_CONFIG | Base64-encoded KSM configuration. If set, the CLI loads config from this variable — no profile init required. |
| KSM_TOKEN | One-time access token. If set and no INI config is found, a default profile is auto-created (for container use). |
| KSM_CLI_TOKEN | One-time access token for ksm profile init. Avoids exposing the token on the command line. |
| KSM_INI_FILE | Override the default INI filename (keeper.ini). |
| KSM_INI_DIR | Override the directory where keeper.ini is searched for and created. |
| KSM_CLI_PROFILE | Set the active profile name (default: _default). |
| KSM_HOSTNAME | Server region for profile initialization (default: US). Set before running ksm profile init. |
| KSM_CONFIG_KEYRING_UTILITY_PATH | Path to an alternative keyring utility (e.g., lkru) for Linux headless environments. |


Execution of Commands

Keeper Secrets Manager commands are run using the ksm program from the command line.

ksm <command> <sub-command> <options>

To get help on a particular command, run:

ksm <command> --help

To get help on a sub-command, run:

ksm <command> <sub-command> --help

| Command | Description |
| --- | --- |
| profile | Manage local client device profiles |
| secret | Manage secrets (list, get, update, delete, etc.) |
| folder | Manage folders |
| exec | Wrap an application and inject secrets as environment variables |
| interpolate | Replace KSM notation placeholders in text files |
| sync | Sync secrets to AWS, Azure, GCP, or JSON |
| config | Configure the CLI tool settings |
| init | Initialize a configuration file for integrations (k8s, etc.) |
| version | Show version information |
| shell | Run in interactive shell mode |

Options

--ini-file </path/to/keeper.ini>

Sets the path to the keeper.ini configuration file. If not set, the CLI checks the following directories for the keeper.ini file:

  • The path defined by the environmental variable KSM_INI_DIR

  • The current directory

  • The user's home directory

    • ${HOME}

    • ${HOME}/.config/ksm

    • $env:USERPROFILE

  • Various system directories

    • /etc

    • /etc/ksm

    • /etc/keeper

    • $env:APPDATA/Keeper

    • $env:ProgramData/Keeper

    • $env:ProgramFiles/Keeper

-p, --profile-name <name> use specified configuration profile

-o, --output <{stdout, stderr, filename}> Sets the output destination

  • stdout - Print to stdout (default)

  • stderr - Print to stderr

  • <filename> - Send output to a specified text file

--color/--no-color, -c/-nc Enable or disable color in the output instance.

--cache/--no-cache Enable or disable using the record cache for this command instance.
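The check below is an added example, not part of Keeper's documentation or the KSM CLI. It walks the POSIX search locations listed under --ini-file and reports any keeper.ini whose mode is more open than the owner-only 0600 described above. The function names ksm_ini_audit and file_mode are hypothetical; it assumes KSM_INI_FILE holds a bare filename, treats any group/other permission bit as too open, and skips the Windows locations.

```shell
#!/bin/sh
# Added example: audit keeper.ini files in the documented search locations.
# Assumption: any group/other permission bit (mode & 077) counts as too open,
# based on the 0600 owner-only mode the page describes.

# Print the octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ksm_ini_audit [dir ...]
# With no arguments, checks KSM_INI_DIR, the current directory, the home
# directories and the /etc locations listed under --ini-file.
# Prints "OK <mode> <path>" or "OPEN <mode> <path>" per file found.
# Returns 0 when no file is too open, 1 otherwise.
ksm_ini_audit() {
    # Assumption: KSM_INI_FILE is a bare filename, not a full path.
    ini_name="${KSM_INI_FILE:-keeper.ini}"
    if [ "$#" -eq 0 ]; then
        set -- "${KSM_INI_DIR:-}" "$PWD" "$HOME" "$HOME/.config/ksm" \
               /etc /etc/ksm /etc/keeper
    fi
    rc=0
    for dir in "$@"; do
        [ -n "$dir" ] || continue            # KSM_INI_DIR may be unset
        f="$dir/$ini_name"
        [ -f "$f" ] || continue              # nothing to check here
        mode=$(file_mode "$f") || continue   # unreadable metadata: skip
        # A leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "OPEN $mode $f"
            rc=1
        else
            echo "OK $mode $f"
        fi
    done
    return "$rc"
}
```

Run ksm_ini_audit with no arguments to check the default locations, or pass specific directories such as a container build context before the image is published.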

Deleting Keyring Configuration

To completely remove KSM configuration from your system's secure storage, follow the instructions for your operating system.

macOS (Keychain)

Using Keychain Access app:

  1. Open Keychain Access (Applications → Utilities → Keychain Access)

  2. In the search box, type KSM-cli

  3. Select all matching entries

  4. Right-click and choose Delete

Using command line:

Windows (Credential Manager)

Using Credential Manager UI:

  1. Open Control Panel → User Accounts → Credential Manager

  2. Click on Windows Credentials

  3. Look for entries starting with KSM-cli

  4. Click on each entry and select Remove

Using command line (PowerShell):

Using command line (CMD):

Linux (Secret Service / GNOME Keyring)

Using Seahorse (GNOME Keyring GUI):

  1. Open Passwords and Keys (Seahorse)

  2. Look under Login keyring

  3. Search for entries containing KSM-cli

  4. Right-click and delete each entry

Using secret-tool (command line):
