Secrets Manager CLI

The Secrets Manager CLI provides shell access to vault secrets

Last updated 7 months ago

Overview

The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.

Core Features

  • Get Secrets from the Keeper Vault

  • Update Secrets from the Keeper Vault

  • Integrate with 3rd party CI/CD and other dev tools

  • Sync secrets between Keeper and external secrets providers

  • Replace environment variables with Keeper secrets in scripts and containers

Application and Client Device Setup

Secrets Manager CLI Installation

The KSM CLI is available as a binary application for Windows/Mac/Linux or a pip3 install for any Python environment.

Binary Install Method

When launching the CLI in Windows or macOS, the CLI will run in a shell mode. The ksm command is still available via the command line.

The Linux binary is just an executable and should be moved to a directory in the PATH.

Docker Install Method

Pip3 and Python3 Install Method

Please ensure that Python 3.x is installed. If not, use your OS-specific package manager to install it.

sudo yum install python3

Make sure your pip3 is up to date:

sudo pip3 install --upgrade pip

Now you can install the Secrets Manager CLI:

sudo pip3 install keeper-secrets-manager-cli

To upgrade to the latest version:

sudo pip3 install -U keeper-secrets-manager-cli keeper-secrets-manager-core

This method will install the CLI into the system Python. If you do not have root or admin permissions, you can install the CLI by setting up a virtualenv. If you do not use virtualenv, the module and binary will be installed into your $HOME/.local directory on Linux or macOS. You may need to add the bin directory to your PATH.

Installing KSM using virtualenv

For developers, using virtualenv is a clean way to install KSM in an isolated environment.

sudo pip3 install virtualenv
virtualenv -p python3 my_env
source my_env/bin/activate

Then, install ksm into the virtual environment:

pip3 install keeper-secrets-manager-cli

Source Code

Usage

The ksm CLI tool can be used for the following purposes:

  • Initialize a configuration file for use in integrations such as GitHub Actions ("init")

  • Create a local profile to execute commands as a client device ("profile")

  • Query the Keeper vault and retrieve secrets ("secret")

  • Wrap command-line applications for environmental variable substitution ("exec")

ksm
Usage: ksm [OPTIONS] COMMAND [ARGS]...

  Keeper Secrets Manager CLI  Version: X.X.X

Options:
  --ini-file TEXT                INI config file.
  -p, --profile-name TEXT        Config profile
  -o, --output TEXT              Output [stdout|stderr|filename]
  -c, --color / -nc, --no-color  Use color in table views, where applicable.
  --cache / --no-cache           Enable/disable record caching.
  --help                         Show this message and exit.

Commands:
  config   Configure the command line tool
  exec     Wrap an application and replace env variables
  init     Initialize a configuration file for integrations
  profile  Manage local client device profiles
  quit     Quit shell mode
  secret   Query the Keeper vault and retrieve secrets
  folder   Manage folders
  shell    Run KSM in a shell
  version  Get module versions and information.

Create a local Client Device

The CLI is initialized as a client device by passing in the One Time Access Token in the ksm profile init command. After initialization, the CLI can be used to obtain secrets. In the example below, replace "XX:XXXX" with the One Time Access Token for your Client Device.

ksm profile init XX:XXXX
ksm secret list

If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN environment variable is set.

Example:

KSM_TOKEN="XX:XXXX" ksm secret list

Environment variables can be set to reduce the command line flags.

| Environment Variable Name | Description |
| --- | --- |
| KSM_TOKEN | The one time access token used to initialize the client device |
| KSM_HOSTNAME | The host of your Keeper environment. Either US, EU, AU, JP, CA, US_GOV or a full URL. The token will contain the hostname, so this variable is not used in most cases. |
| KSM_INI_DIR | The directory where the INI config file is stored for the CLI. |
| KSM_INI_FILE | The name of the INI config file for the CLI. |
| KSM_CLI_PROFILE | The active profile in the CLI. |
| KSM_CONFIG | A Base64 config string. The CLI will use this for the default profile. |

Execution of Commands

Keeper Secrets Manager commands are run using the ksm program from the command line.

ksm <command> <sub-command> <options>

To get help on a particular command, run:

ksm <command> --help

To get help on a sub-command, run:

ksm <command> <sub-command> --help

| Command | Explanation |
| --- | --- |
| secret | Retrieve secrets from the vault |
| folder | Manage folders |
| profile | Manage local configuration profiles |
| init | Initialize one time access token |
| exec | Execute scripts with environmental variable substitution |
| config | Manage CLI configuration |
| version | Display the CLI version information |
| shell | Start the CLI in an interactive shell mode |
| quit | Quit the shell mode |

Options

--ini-file </path/to/keeper.ini>

Sets the keeper.ini configuration file. If not set, the CLI will check the following directories for the keeper.ini file:

  • The path defined by the environmental variable KSM_INI_DIR

  • The current directory

  • The user's home directory

    • ${HOME}

    • ${HOME}/.config/ksm

    • $env:USERPROFILE

  • Various system directories

    • /etc

    • /etc/ksm

    • /etc/keeper

    • $env:APPDATA/Keeper

    • $env:ProgramData/Keeper

    • $env:ProgramFiles/Keeper
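
Because keeper.ini holds the profile's client device configuration and can be picked up from several places, it helps to know which copy is found first and who can read it. The script below is an added example, not part of Keeper's documentation or code: it walks the Unix-like locations listed above, marks the first keeper.ini that exists, and flags any copy with group or other permission bits set. It assumes the listed order is the lookup order and that KSM_INI_FILE replaces the default file name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Keeper code). Assumption: the directory order documented
# above is the lookup order. Only the Unix-like locations are covered.

# Print candidate config paths, one per line, in the documented order.
ksm_ini_candidates() {
    name="${KSM_INI_FILE:-keeper.ini}"   # KSM_INI_FILE: name of the INI file
    if [ -n "${KSM_INI_DIR:-}" ]; then printf '%s\n' "$KSM_INI_DIR/$name"; fi
    printf '%s\n' "$PWD/$name" "$HOME/$name" "$HOME/.config/ksm/$name"
    printf '%s\n' "/etc/$name" "/etc/ksm/$name" "/etc/keeper/$name"
}

# Print the first candidate that exists; return non-zero if none does.
ksm_ini_first() {
    first=$(ksm_ini_candidates | while IFS= read -r f; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; break; fi
    done)
    [ -n "$first" ] && printf '%s\n' "$first"
}

# Succeed only if group and others have no permission bits (for example 0600).
ksm_ini_is_private() {
    perms=$(ls -ldL -- "$1" | cut -c5-10)   # group+other part of "-rw-------"
    [ "$perms" = "------" ]
}

# List every existing candidate, mark the one found first, flag loose modes.
# Returns 0 if all copies are private, 1 if any is not, 2 if none exists.
ksm_ini_audit() {
    winner=$(ksm_ini_first) || { echo "no keeper.ini found" >&2; return 2; }
    ksm_ini_candidates | (
        rc=0
        while IFS= read -r f; do
            [ -f "$f" ] || continue
            role=shadowed
            if [ "$f" = "$winner" ]; then role=selected; fi
            if ksm_ini_is_private "$f"; then perm=private
            else perm=group/other-accessible; rc=1; fi
            printf '%-9s %-23s %s\n' "$role" "$perm" "$f"
        done
        exit "$rc"
    )
}

# Run the audit when invoked as: sh ksm_ini_audit.sh audit
if [ "${1:-}" = "audit" ]; then ksm_ini_audit; fi
```

A copy marked shadowed exists further down the order than the selected file; passing --ini-file names the file explicitly instead of relying on the search.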

-p, --profile-name <name> Use the specified configuration profile

-o, --output <{stdout, stderr, filename}> Sets the output destination

  • stdout - Print to stdout (default)

  • stderr - Print to stderr

  • <filename> - Send output to a specified text file

--color/--no-color, -c/-nc Enable or disable color in the output instance.

--cache/--no-cache Enable or disable using the record cache for this command instance.

Keeper provides 2 different CLI tools. The Secrets Manager CLI is targeted to machine-based secrets management. The Commander CLI is more focused on administrative capabilities.

In order to use the Secrets Manager CLI, or environment variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. Check out the Quick Start Guide to set this up.

The latest binary release can be found on the GitHub repository. Download the installer based on your operating system.

See the Docker Container page for installation and setup from Keeper's Docker image.

Find the Keeper Secrets Manager CLI source code in the GitHub repository.