Commands for creating and managing Record Types and Custom Templates
A Keeper Record Type is a structured template that can contain any type of information such as logins, payment cards, SSH keys, servers, etc. The commands associated with Record Types are listed below.
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Command: record-type-info or rti
Detail: List available record types or display the field-level details of a specific record type
Switches:
-lr, --list-record <RECORD TYPE OR ID (optional)>
If record type name or ID is not given, lists all record type names and IDs
if a record type name or ID is given, displays the record type's details and fields
-lf, --list-field <FIELD NAME> show information about a specified field type. Can use "*" to show all fields.
-e, --example generate example json for a record type or field. *Must use with -lr or -lf
--syntax-help display extended help on record type parameters
--format <{csv, json, table}> choose the format to output in
--output <OUTPUT FILE> output results to a given file *ignored if table format is used
Get syntax help
Show a list of record types:
Show the fields and JSON structure of the "login" record type:
Display a list of all field types:
Get the field details of the "host" field type:
Show an example full JSON record of a "passport" type:
Write the record type information as a CSV to a file:
Command: record-type or rt
Detail: Add, modify, or delete custom record types
Parameters:
Record type ID (if updating or deleting)
Switches:
-a, --action <{add, update, remove}> action to perform
add - create a new custom record type
update - modify an existing custom record type
remove - delete an existing custom record type
--data <DATA> JSON formatted definition of the record type
Record types utilize the following formatting:
Example:
Use the following command to see a list of available field types: rti -lf *
Examples:
Add a new record type named "My Record Type"
Update the "My Record Type" record type (which has an ID of 102 in this example). Here, the 'Address' field was removed
Remove the record type with ID 102
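A malformed definition is easier to catch before it reaches `rt --action add --data`. The following is an added example, not Keeper's own code: it checks a definition against the `$id` / `fields` / `$ref` / `label` / `required` format this page documents and against the field type IDs from the page's `rti -lf *` listing, then builds the quoted command line. The function names and the constructed `BROKEN` input are assumptions made for the illustration.

```python
import json
import shlex

# Field type IDs as they appear in the `rti -lf *` listing on this page.
FIELD_TYPES = {
    "text", "secret", "title", "login", "password", "name", "company",
    "phone", "email", "address", "addressRef", "date", "expirationDate",
    "birthDate", "paymentCard", "accountNumber", "groupNumber", "bankAccount",
    "cardRef", "note", "url", "fileRef", "host", "securityQuestion", "pinCode",
    "oneTimeCode", "keyPair", "licenseNumber", "multiline", "passkey",
}
# Keys the page documents for each entry in "fields".
FIELD_KEYS = {"$ref", "label", "required"}


def validate_record_type(definition):
    """Return a list of problems in a record type definition (empty list = OK)."""
    if not isinstance(definition, dict):
        return ["definition must be a JSON object"]
    problems = []
    type_name = definition.get("$id")
    if not isinstance(type_name, str) or not type_name.strip():
        problems.append('"$id" must be a non-empty string')
    fields = definition.get("fields")
    if not isinstance(fields, list):
        return problems + ['"fields" must be a list']
    for index, field in enumerate(fields):
        where = f"fields[{index}]"
        if not isinstance(field, dict):
            problems.append(f"{where}: must be an object")
            continue
        ref = field.get("$ref")
        if not isinstance(ref, str) or ref not in FIELD_TYPES:
            problems.append(f"{where}: unknown field type {ref!r}")
        extra = sorted(set(field) - FIELD_KEYS)
        if extra:
            problems.append(f"{where}: keys not in the documented format: {extra}")
        if "label" in field and not isinstance(field["label"], str):
            problems.append(f'{where}: "label" must be a string')
        if "required" in field and not isinstance(field["required"], bool):
            problems.append(f'{where}: "required" must be true or false')
    return problems


def build_rt_command(definition, action="add", record_type_id=None):
    """Return a quoted `rt` command line; refuse definitions that fail validation."""
    if action not in ("add", "update"):
        raise ValueError("this helper only builds add and update commands")
    if (action == "update") != (record_type_id is not None):
        raise ValueError("a record type ID is needed for update, and only for update")
    problems = validate_record_type(definition)
    if problems:
        raise ValueError("; ".join(problems))
    # Compact JSON, then POSIX-style quoting so "$id" and embedded quotes
    # survive as one argument, as in the page's single-quoted examples.
    data = json.dumps(definition, separators=(",", ":"))
    parts = ["rt"]
    if record_type_id is not None:
        parts.append(str(int(record_type_id)))
    parts += ["--action", action, "--data", data]
    return " ".join(shlex.quote(part) for part in parts)


# The page's own "My Record Type" definition.
MY_RECORD_TYPE = {
    "$id": "My Record Type",
    "fields": [
        {"$ref": "login", "label": "AppLogin", "required": True},
        {"$ref": "name", "label": "Your name"},
        {"$ref": "address", "required": True},
    ],
}

# Constructed bad input: empty name, a field type that is not in the
# listing, and "required" given as a string instead of a boolean.
BROKEN = {"$id": "", "fields": [{"$ref": "hostname", "required": "yes"}]}

if __name__ == "__main__":
    print(build_rt_command(MY_RECORD_TYPE))
    for problem in validate_record_type(BROKEN):
        print("rejected:", problem)
```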
Required Version: v16.5.9+
Command: convert
Detail: Convert legacy (General typed or untyped) records to typed records.
Parameters:
Pattern to match records in the current folder. Matches against UIDs and titles. Can use "?" to match any single character and "*" to match any number of characters
Switches:
-t, --record-type <RECORD TYPE OR ID > The type to convert records to
-q, --quiet Do not show info about matched and converted records
-u, --url <URL Pattern> Only converts records with URLs that match the given pattern. Can use "?" to match any single character and "*" to match any number of characters
-n, --dry-run Display the outcome of the conversion without converting any records
-r, --recursive apply conversion to all matching records in the current and child folders
--ignore-ownership convert records even if they are not owned by the current account
Examples:
Convert the untyped record with the given UID to a login type record
Perform a dry-run of conversion of all records in the vault and display what records would be converted. (will match all records if performed at the root directory)
Convert all untyped records in the vault to login type (if performed at the root directory)
Convert any untyped record that contains 'sql' in its name to a database credential
Convert any record that ends in ssh-<anything> to a sshKey type record
e.g., this converts a record titled "Github ssh-1" and a record titled "Github ssh-2"
record-type-info or rti
List record types or see information about a specific record type
record-type or rt
Add, edit, or delete custom record types
convert
Convert legacy records to record-typed records
My Vault> rti --syntax-help
Get Record Types Command Syntax Description:
Column Name Description
recordTypeId Record Type Id
content Record type description in JSON format
--format:
csv CSV format
json JSON format
table Table format (default)
--example|-e: Print example JSON for the field or record type
--list-record|-lr: List specific record type - search by name or ID
--list-field|-lf: List specific field type - search by name
My Vault> rti
Record Type ID Record Type Name
---------------- ------------------------------
1 address
2 bankAccount
3 bankCard
4 birthCertificate
5 contact
6 databaseCredentials
7 driverLicense
8 encryptedNotes
9 file
10 general
11 healthInsurance
12 login
13 membership
14 passport
15 photo
16 serverCredentials
17 softwareLicense
18 sshKeys
19 ssnCard
96 wifiCredentials
3000082 pamDatabase
3000083 pamDirectory
3000084 pamMachine
3000085 pamUser
3000093 pamRemoteBrowser
4000086 pamAwsConfiguration
4000087 pamAzureConfiguration
4000088 pamLocalConfiguration
4000089 pamNetworkConfiguration
4000094 pamDomainConfiguration
My Vault> rti -lr login
Record Type ID Content
---------------- ----------------------------------
12 {
"$id": "login",
"categories": [
"login"
],
"description": "Login template",
"fields": [
{
"$ref": "passkey"
},
{
"$ref": "login"
},
{
"$ref": "password"
},
{
"$ref": "url"
},
{
"$ref": "fileRef"
},
{
"$ref": "oneTimeCode"
}
]
}
My Vault> rti -lf *
Field Type ID     Type              Lookup         Multiple    Description
----------------  ----------------  -------------  ----------  ------------------------------------------------------------------------------
text              text                                         plain text
secret            text                                         plain text
title             text                                         plain text
login             login             login                      Login field, detected as the website login for browser extension or KFFA.
password          password                                     Field value is masked and allows for generation. Also complexity enforcements.
name              name              name                       multiple fields to capture name
company           text              company                    plain text
phone             phone             phone          optional    numbers and symbols only plus tag
email             email             email          optional    valid email address plus tag
address           address                                      multiple fields to capture address
addressRef        addressRef        addressRef                 reference to the address field on another record
date              date                                         calendar date with validation, stored as unix milliseconds
expirationDate    date                                         calendar date with validation, stored as unix milliseconds
birthDate         date                                         calendar date with validation, stored as unix milliseconds
paymentCard       paymentCard                                  Field consisting of validated card number, expiration date and security code.
accountNumber     text              accountNumber              plain text
groupNumber       text                                         plain text
bankAccount       bankAccount       accountNumber              bank account information
cardRef           cardRef           bankCard       default     reference to the bankCard field on another record
note              multiline                                    multiline text
url               url                              optional    url string, can be clicked
fileRef           fileRef                          default     reference to the file field on another record
host              host              host           optional    multiple fields to capture host information
securityQuestion  securityQuestion                 default     Security Question and Answer
pinCode           secret                                       the field value is masked
oneTimeCode       otp                                          captures the seed, displays QR code
keyPair           privateKey                                   private key in ASN.1 format
licenseNumber     multiline                                    multiline text
multiline         multiline                                    multiline text
passkey           passkey                                      Password-less login
My Vault> rti -lf host
Field Type ID    Type    Value Type    Value Format
---------------  ------  ------------  ----------------------------
host             host    object        {'hostName': '', 'port': ''}
My Vault> rti -lr passport -e
{
"type": "passport",
"title": "text",
"notes": "text",
"fields": [
{
"type": "accountNumber",
"value": [
"text"
],
"label": "passportNumber"
},
{
"type": "name",
"value": [
{
"first": "text",
"middle": "text",
"last": "text"
}
]
},
{
"type": "birthDate",
"value": [
0
]
},
{
"type": "addressRef",
"value": []
},
{
"type": "expirationDate",
"value": [
0
]
},
{
"type": "date",
"value": [
0
],
"label": "dateIssued"
},
{
"type": "password",
"value": [
"text"
]
},
{
"type": "fileRef",
"value": []
}
],
"custom": []
}
rti --output logs/record-types.csv --format csv
{
"$id": <record type name>,
"fields": [
{ "$ref": <field type>},
{ "$ref": <field type>, "label": <field label (optional)>, "required": <true/false> }
]
}
{
"$id":"My Record Type",
"fields": [
{
"$ref":"login",
"label":"AppLogin",
"required":true
},
{
"$ref":"name",
"label":"Your name"
},
{
"$ref":"address",
"required":true
}
]
}
rt --action add --data '{"$id":"My Record Type", "fields": [{"$ref":"login","label":"AppLogin","required":true},{"$ref":"name","label":"Your name"},{"$ref":"address","required":true}]}'
rt 102 -a update --data '{"$id":"My Record Type", "fields": [{"$ref":"login","label":"AppLogin","required":true},{"$ref":"name","label":"Your name"}]}'
rt 102 -a remove
convert Dtvb84zwkBmZgxrUByUfpg --record-type login
convert * --record-type login --recursive --dry-run
convert * -t login -r
convert *sql* -t databaseCredentials
convert *ssh-? -t sshKeys --recursive
All the commands related to manipulating records
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following record commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Command: list or l
Detail: List all records or search via a regular expression
Switches:
-v, --verbose verbose output (if record names are too long for the column)
Examples:
List all records
List all records with the string twitter
List all 'Azure' records that do not contain the string 'FTP' (using regex)
Command: search or s
Detail: Search the vault using a regular expression
Parameters:
Regular expression to use with search
Switches:
-v, --verbose verbose output
--format <{table, json}> choose the format of the output
table - Show the result in table format (default)
json - Show the result in JSON format
Examples:
Search for records containing "dropbox"
Search for records with a string of numbers and letters only ending in ".org"
Search for records that include the term "dropbox" and return the results in JSON format.
Command: ls
Detail: List folder contents
Switches:
-l, --list show detailed list
-f, --folders display folders
-r, --records display records
-v, --verbose verbose output
-R, --recursive show subfolder contents
--format format of output {table, csv, json, pdf}
--output path to resulting output file (ignored for "table" format)
Examples:
Detailed list of folder contents
List of only records in a folder (No sub folders)
Detailed list of records, and show long titles even if they skew the table
Show detailed list of all records and folders found in "Folder1" and its subfolders
Command: tree
Detail: Display the entire folder structure as a tree, using specified folder or the current location (if no folder specified) as the root
Parameters:
Full path, UID, or name (if current location is parent folder) of folder to use as tree root (optional)
Switches:
-r, --records display records in each folder in tree (shown in slightly dimmer text)
-s, --shares display shared-folder share permissions (symbols denoting permission-types shown in legend/key by default)
-hk, --hide-shares-key hide permissions legend (valid only when --shares flag is specified)
-t, --title <TITLE> show optional title for the folder-structure display
-v, --verbose verbose output (display record/folder UID in addition to name)
Examples:
Display entire folder structure as a tree, using the current location as the root
Display entire folder structure starting at sub directory "Office Codes" folder as the root
Display folder structure titled "My Folder Structure w/ Records (UIDs shown)" showing records in each folder (w/ corresponding UID for each folder/record), using current location as root
Command: cd
Detail: Change current directory
Parameters:
Location to move to.
Quotation marks can be used to move to folders with spaces or slashes in their name.
backslash (\) can be used to escape quotation marks in a folder's name
Examples:
Move to a folder named "social" in the current directory
Move to a folder named 'banks' inside a folder named 'financial'
Move to the vault root
Move to a folder named "folder/with/slashes"
Command: find-password
Detail: Display a specified Keeper record's password to the system output, given that record's UID or path
Parameters:
Path or UID of a record
Switches:
--username <USERNAME> match the login name using regex (optional). The given title or UID must also match to find the record
--output <{clipboard, stdout}> choose the destination of the output
stdout - display password to system output (default)
clipboard - copy password to clipboard
-l, --login output login name instead of password
Examples:
Show the password of a specific record with the given UID
Show the password of a record with the title "Zoom" in the "office" folder
Copy the password of a specific record to the clipboard
Show the login of a record with the title "Twitter" in the "social" folder
Command: clipboard-copy
Detail: Copy a specified Keeper record's password to the clipboard, or send the password to stdout, given that record's UID or path.
Parameters:
Path or UID of record
Switches:
--username <USERNAME> match the login name using regex (optional). The given title or UID must also match to find the record
--output <{clipboard, stdout, stdouthidden, variable}> choose the destination of the output
clipboard - copy output value to clipboard (default)
stdout - display output value to system output
stdouthidden - display output value to system output but hidden
-l, --login output login name instead of password
--field <FIELD NAME> output custom field
--name Keeper variable name
-r, --revision record revision
-t or --totp output TOTP code
Examples:
Copy the password of a specific record with the given UID to the clipboard
Copy the password of a record with the title "Zoom" in the "office" folder to the clipboard
Show the password of a specific record with the given UID
Copy the login of a record with the title "Twitter" in the "social" folder to the clipboard
Command: get or g
Detail: Retrieve and display a Keeper Record/Folder/Team in printable or JSON format, given a corresponding UID.
Parameters:
UID of a record, folder, or team
Switches:
--unmask display hidden field content as plaintext
--format <{detail, json, password}> choose the format of the output
detail - a detailed view of the Record/Folder/Team (default)
json - JSON-formatted structure
password - only the password
--include-dag includes additional PAM record data when JSON format is specified, such as the associated administrative credential UID and launch credential UID.
--legacy JSON output only. Display typed records in legacy json format
Examples:
Show the details of a specific record
Show the details of a specific record in JSON format
Provides JSON output with KeeperPAM info (launch credential, admin credential, etc)
Command: record-history or rh
Detail: Show the history of a record's modifications, given that record's UID
Parameters:
UID of record
Switches:
-a, --action <{list, diff, show, restore}> perform an action on the record
list - show revisions
diff - show changes made at each revision
show - show details about the current revision
restore - restore back to a previous revision (requires -r)
-r, --revision <REVISION NUMBER> only show details for a specific revision
Examples:
List of specific record's modification history
List of the changes made in each version of the specific record
Details of the 4th revision of the specific record (V.4)
Revert the specified record to its 2nd version
Command: totp
Detail: Display the Two Factor code for a record, given its path or UID. Show a list of records with Two Factor codes if no path or UID is given
Parameters:
Path or UID of record (optional)
Switches:
--details display 2FA details
--range <RANGE> display last and next [x] codes
--format <{table, json}> choose the format of the output
table - Show the result in table format (default)
json - Show the result in JSON format
Examples:
List of records with TOTP Two Factor codes
Show a Two Factor code with timer for the "Dropbox" record
Show a Two Factor code with timer for the record with the given UID
Display the last, current, and next Two Factor codes for the "Dropbox" record
Command: download-attachment
Detail: Download all files attached to the specified record(s), given that record's path or UID
Parameters:
Path or UID of record or folder
-r or --recursive Download recursively through subfolders
--out-dir <LOCAL DIRECTORY> Local folder for downloaded files
--preserve-dir Preserve vault folder structure
--record-title Append record names to title of downloaded attachments
Naming Convention for downloaded attachments:
Examples:
Download all attachments of the record titled "Financial Records" in the "documents" folder
Download all attachments of the record with the given UID
Download all attachments in the vault recursively to the specified output location: "C:\Attachments"
Append the record name "Financial Records" to the name of all downloadable attachments for the record titled "Financial Records" in the "documents" folder
Command: upload-attachment
Detail: Upload a file and attach it to a specific record, given that record's path or UID
Parameters:
Path or UID of record
Switches:
--file <FILENAME> file name to upload (required)
Examples:
Attach a pdf file to the "Financial Records" record in the "documents" folder
Attach an image to the record with the given UID
Command: delete-attachment
Detail: Delete a file attached to a specified record, given that record's path or UID
Parameters:
Path or UID of record
Switches:
--name <FILE> name or ID of the file to delete (required)
Examples:
Delete a pdf file named "June_2021.pdf" from the "Financial Records" record in the "documents" folder
Delete an image named "5_15_21.jpg" from the record with the given UID
Delete all orphaned file attachments in the vault
Command: file-report
Detail: Show a report of details of all files that you can access in the vault. Report consists of: Title, Record UID, and File ID
Switches:
-d, --try-download attempt to download all the attachments in the vault
Examples:
Show a report of all the files attached to records in the vault
Attempt to download all the files attached to records in the vault
Command: list-sf or lsf
Detail: Display the UID, Name, Default Permissions, Record Permissions, User Permissions, and Team Permissions for all shared folders in the vault
Examples:
Show details for all shared folders in the vault
Command: list-team or lt
Detail: Display the UID and Name for each Team that you have access to
Switches:
-v, --verbose List users within each team
-a, --all Show all teams in your contacts list, including those outside your primary organization (e.g., teams in companies managed by an MSP admin)
Examples:
Show details for all teams you have access to within your organization
List the team members belonging to each team
List all teams you have access to, including those belonging to other organizations (e.g., teams in companies you might manage as a MSP admin)
Command: record-add or record-update
Detail: Adds a record to the vault or update an existing record. This is the recommended command for adding and updating records. This supports all record types, custom types, standard fields and custom fields. See --syntax-help for detailed examples.
Parameters:
A space separated list of field values. A field has the following syntax:
<FIELD_NAME>=<FIELD_VALUE> see ...
Switches:
-t, --title Record title
-n, --notes Record notes
-rt, --record-type Record type. See the list of standard record types.
-f, --folder <FOLDER PATH or UID> Folder for the record. Applies to record-add only.
--self-destruct <NUMBER>[(mi)nutes|(h)ours|(d)ays|(mo)nths|(y)ears] Time period record share URL is valid. The record will be deleted from your vault 5 minutes after opening. Applies to record-add only.
-r, --record <RECORD PATH or UID> Path or UID of the record to edit. Applies to record-update only.
-f, --force Ignore warnings.
--syntax-help Displays detailed information on usage for these commands.
--email-config <NAME> Email configuration to use for sending (required with --send-email)
--send-email <EMAIL> Send one-time share link via email
--email-message <MESSAGE> Custom email message body (optional)
Examples:
Detailed examples of using record-add to create records is available .
For email delivery of the one-time share, you need to .
Command: rm
Detail: Remove record(s) with given path(s) or UID(s)
Parameters:
Path or UID of record(s)
Switches:
-f, --force do not prompt
Examples:
Remove the "Twitter" record in the "social" folder. You will be prompted to enter "y" to approve.
Remove the record with the given UID and don't prompt to approve.
Remove the "Bank" record and purge it from the trash (record will not be recoverable)
Remove records "rec1" and "rec2"
Command: delete-all
Detail: Delete all records and folders from the user vault
-f, --force - Force deletion without confirmation prompt
This command automatically skips shared folders and their records
Only processes user folders and records
Records are deleted in batches of 999 items per API call
Folders are deleted in batches of 500 items per API call
For shared folders, use the recommended workflow:
Run transform-folder <shared_folder_uid> to convert shared folder to user folder
Then run delete-all to clean remaining user vault content
The command will alert you about any skipped shared folder content.
Delete all records and folders from your vault. Will prompt for confirmation with a warning message.
or
Delete all records and folders from your vault without prompting for confirmation.
This command deletes ALL records and folders
Always ensure you have backups before using this command
Shared folders and their records are automatically skipped for safety
Command: append-notes or an
Detail: Append to the notes of a record with a given path or UID
Parameters:
Path or UID of record
Switches:
--notes <NOTES> notes to append
Examples:
Append to the notes of the "Twitter" record in the "social" folder. Will be prompted to enter notes to add
Append to the notes of the record with the given UID with the message "Outdated as of June 2021"
Command: mkdir
Detail: Create a folder or shared folder at the given path
Parameters:
Path/name of new folder
Switches:
-sf, --shared-folder create a shared folder
-uf, --user-folder create a user folder (not shared)
-a, --all set default folder permissions to allow any user to manage users, manage records, share records, and edit records
-u, --manage-users set default folder permissions to allow all users to manage user access
-r, --manage-records set default folder permissions to allow all users to manage records
-s, --can-share set default folder permissions to allow all users to share records
-e, --can-edit set default folder permissions to allow all users to edit records
--color <{none, red, green, blue, orange, yellow, gray}> sets folder color
Examples:
Create a folder named "personal" in the existing "finance" folder. Will be prompted to create a shared folder or user folder
Create a user folder named "social"
Create a shared folder named "office-codes" with the default permissions set to allow all users to share the records in the folder
Command: rmdir
Detail: Delete a folder or shared folder given the folder's path or UID
Parameters:
Path of folder
Accepts patterns, which will remove all matching folders.
* matches everything
? matches any single character
[seq] matches any character in seq
Accepts multiple parameters separated by a space
Switches:
-f, --force Delete folder without prompting
-q, --quiet returns no output when used in conjunction with -f
Examples:
Delete the folder named "temporary" in the "social" folder. Will be prompted to confirm
Delete the folder with the given UID and don't prompt to confirm
Delete all folders with only letters in the name, ending in '2'
Delete the folder 'secrets' in the 'DevOps' folder, and the 'MyFolder' folder
Command: rndir
Detail: Rename a folder or shared folder given the folder's path or UID
Parameters:
Path of folder
Switches:
-n, --name <NEW FOLDER NAME> New folder name
--color {none,red,green,blue,orange,yellow,gray} set/change folder color
-q, --quiet returns no output
Examples:
Command: mv
Detail: Move a record or folder to another folder, given the record or folder's path or UID and the path or UID of the destination folder
Parameters:
Path or UID of record followed by path or UID of destination folder
mv SRC DST
SRC: the source path to folder or record. Accepts title paths, search patterns, and UIDs
DST: the destination folder name or UID to move to
Switches:
-f, --force move record or folder without prompting
-s, --can-reshare anyone can reshare records
-e, --can-edit anyone can edit records
Examples:
Move the "Twitter" record into the "social" folder
Move the record with the given UID to the root folder
Command: ln
Detail: Link a record or folder to another folder, given the record or folder's path or UID and the path or UID of the destination folder
Parameters:
Path or UID of record followed by path or UID of destination folder
ln SRC DST
SRC: the source path to folder or record. Accepts title paths, search patterns, and UIDs
DST: the destination folder name or UID to link to
Switches:
-f, --force move record or folder without prompting
-s, --can-reshare anyone can re-share records
-e, --can-edit anyone can edit records
Examples:
Link the "Twitter" record with the "social" folder
Link the record with the given UID to the root folder
Command: find-duplicate
Detail: Useful tool to help locate duplicate records in the vault based on one or more record fields.
Parameters:
Provide a list of fields to use for comparison.
Switches:
--title Match the title field to locate a duplicate
--login Match the login field to locate a duplicate
--password Match the password field to locate a duplicate
--url Match the URL field to locate a duplicate
--shares Match on share-permissions
--full Match all fields to locate a duplicate
--merge, -m Consolidate duplicate records (Note: when this flag is included, duplicate records are automatically matched on all fields, including shares)
--ignore-shares-on-merge Ignore share-permissions when matching duplicate records for merging
--force, -f Delete duplicates w/o being prompted for confirmation (valid only w/ --merge option)
--quiet, -q Suppress screen output (valid only w/ --force/--merge options)
--dry-run, -n Simulate removing duplicates (no records are ever removed or modified). Valid only w/ --merge flag
--scope, -s <enterprise, vault> Define the scope of the search (default is vault). Enterprise scope available only to enterprise account administrators with compliance data-access privileges.
--refresh-data, -r Populate local cache with latest audit data. Valid only when used with the --scope=enterprise option.
--format <{csv, json, table}> Choose the format of the output
--output <FILENAME> Export search results to a file
Examples:
Find duplicate records based on matching titles
Find duplicate records based on matching logins and passwords
Find duplicate records based on matching logins, passwords, and website addresses
Find duplicate records by matching on all relevant fields (including custom fields and share-permissions that apply for each record)
Command: shortcut
Detail: List or manage record shortcuts. Shortcuts are links to records in a folder other than the folder that record belongs to.
Parameters:
Command:
list <RECORD UID, FOLDER UID, PATH (optional)>: Show a list of all shortcuts. Filtered to record or folder if given
keep <RECORD OR FILE PATH> : Remove all but one shortcut
Switches:
list switches:
--format <{csv, json, table}> choose the format of the output
--output <FILENAME> file to write output results to
Examples:
Display a list of record shortcuts
Output a list of record shortcuts to a file
Output a list of record shortcuts that exist in the folder with the given UID
Remove all record shortcuts other than record at the given location
Use Case: Deleting all but one shortcut with command keep
Suppose there are multiple shortcuts for the following record, and you only want to keep the record
To keep this record only in the "key-folder2" and remove all other shortcuts, you can execute the following command:
To verify that the additional shortcuts have been deleted, you can do one of the following:
Access your web vault and observe that the shortcuts have been deleted.
Example:
In the above scenario & example, I will find only one instance of the record ksm-key1 in key-folder2
Running the shortcut list <Record UID> command will output that the record has no shortcuts
In the above scenario & example, after deleting the unwanted shortcuts, running the list command will give me the following:
Command: transform-folder
Detail: Transform a folder from a shared folder to a personal folder and vice versa
Parameters:
Folder UID or path/name (accepts multiple values)
-l, --link Do not delete the source folder(s). Creates record links instead of moving records.
-n, --dry-run Preview the folder transformation without updating
-f, --force Skip confirmation prompt and minimize output
-t, --target=TARGET Target Folder UID or path/name (root folder if omitted)
--folder-type {personal,shared} if --target is omitted specify the new folder type
Examples:
1. Transform a user folder into a shared-folder
Executing the following command (from within the vault's root folder)
If "My Folder (Misc.)" is a user folder, it will be transformed into a shared folder. When no parameters are specified, the transform-folder command changes a folder from user to shared and vice versa.
2. Transform a shared-folder into a user folder
Executing the following command (from within the vault's root folder)
For security reasons and because of current limitations on the type of folders that any given shared-folder can contain, not every folder in a given vault is necessarily eligible for transformation using the command described above. Consequently, there are certain types of folders for which this command will fail to execute. These include
user folders that contain -- either in the folder itself, or in any of its subfolders, or in any of its subfolders' subfolders, etc. -- any 1 of the following items:
Command: trash <sub command>
Detail: List or manage deleted records in the trash. Deleted records remain in the trash until purged.
Parameters:
Sub-command:
list <SEARCH PATTERN> : Show a list of all deleted records in the trash can. Filtered to record or folder if given
get <RECORD UID> : show information about deleted record with the given UID
restore <RECORD UID(S)> : restore a previously deleted record or records. Can be given several UIDs separated by a space
Switches:
list switches:
--format <{csv, json, table}> choose the format of the output
--output <FILENAME> file to write output results to
--reload refresh the list of deleted records
list examples:
Display a list of deleted records
Output a list of deleted records to a file named 'deleted.csv'
Display a list of deleted records that have a title starting with "Twitter"
get examples:
Display details of deleted record with the given UID
restore switches:
--force don't prompt when restoring
restore examples:
Restore the deleted record with the given UID
Restore the deleted records with all the given UIDs
Restore the deleted records with all the given UIDs and don't prompt
unshare example:
purge examples:
Purge all deleted records from the trash
Command: password-report
Detail: Display password report
Switches:
--policy <comma separated integers> Password complexity policy. Length,Lower,Upper,Digits,Special. Example: 12,2,2,2,0
--length <Number> Minimum password length
--lower <Number> Minimum lowercase characters
--upper <Number> Minimum uppercase characters
--digits <Number> Minimum digits
--special <Number> Minimum special characters
Parameters:
folder Optional. Scan for weak passwords in a folder
Examples:
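How a `--policy` string such as the page's `12,2,2,2,0` maps onto per-password minimums, as an added Python illustration that is not Keeper's implementation. The function names and sample records are constructed, and the character classes (ASCII letters and digits, everything else counted as special) are an assumption; the findings deliberately carry record titles and failed rules only, never the password itself.

```python
import string

# Order of the numbers in --policy as documented: Length,Lower,Upper,Digits,Special.
POLICY_KEYS = ("length", "lower", "upper", "digits", "special")


def parse_policy(text):
    """Turn 'Length,Lower,Upper,Digits,Special' into a dict of minimum counts."""
    parts = [part.strip() for part in text.split(",")]
    if len(parts) != len(POLICY_KEYS):
        raise ValueError(
            f"expected {len(POLICY_KEYS)} comma separated integers, got {len(parts)}"
        )
    if not all(part.isascii() and part.isdigit() for part in parts):
        raise ValueError("every policy value must be a non-negative integer")
    return dict(zip(POLICY_KEYS, map(int, parts)))


def count_classes(password):
    """Count length and character classes (class boundaries are an assumption)."""
    counts = dict.fromkeys(POLICY_KEYS, 0)
    counts["length"] = len(password)
    for char in password:
        if char in string.ascii_lowercase:
            counts["lower"] += 1
        elif char in string.ascii_uppercase:
            counts["upper"] += 1
        elif char in string.digits:
            counts["digits"] += 1
        else:
            counts["special"] += 1
    return counts


def failed_rules(password, policy):
    """Return the policy keys whose minimum the password does not reach."""
    counts = count_classes(password)
    return [key for key in POLICY_KEYS if counts[key] < policy[key]]


def weak_records(records, policy_text):
    """Return (title, failed rules) for each record that misses the policy."""
    policy = parse_policy(policy_text)
    findings = []
    for title, password in records:
        failed = failed_rules(password, policy)
        if failed:
            findings.append((title, failed))
    return findings


# Constructed sample records (title, password); not taken from any vault.
SAMPLE_RECORDS = [
    ("Constructed: wiki", "Summer2024"),
    ("Constructed: vpn", "CorrectHorse42Battery"),
    ("Constructed: db", "aaaaaaaaaaaaaaaa"),
]

if __name__ == "__main__":
    for title, failed in weak_records(SAMPLE_RECORDS, "12,2,2,2,0"):
        print(f"{title}: below minimum for {', '.join(failed)}")
```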
Command: find-ownerless
Detail: List (and, optionally, claim) records in the user's vault that currently do not have an owner
Switches:
--format <{csv, json, table}> choose the format of the output
--output <FILENAME> file to write output results to (ignored for table format)
--claim claim records found
-v, --verbose output details for each record found
Parameters:
folder path or UID of folder to search (optional, with multiple values allowed)
Examples:
Find all the records that do not have an owner and print additional details for each record found
Claim all found records without an owner
Copy the specified Keeper Record password field to the clipboard or send to stdout
or rh
Show the history of a record's modifications
Display the Two Factor code for a given record, or show a list of records with Two Factor codes if no record is specified
Download all attachments of a specified record
Upload and attach a file to a given record
Delete an attachment from a given record
Show a report of all the file attachments that you have access to in the vault
or lsf
Show details about all shared folders in the vault
or lt
List all teams that you have access to
add or a
Deprecated: use
or ra
Add a record
edit
Deprecated: use
or ru
Edit an existing record
Remove a record
or an
Append notes to a record
Create a folder or shared folder
Remove a folder or shared folder and its contents
Rename a folder
Move a record or folder
Create a link between records or folders
Locate duplicate records in the vault (or several) based on specified attributes and fields.
List or manage record shortcuts
Transform a folder from a shared folder to a personal folder and vice versa
List and manage deleted records in the trash
Display password report
List (and, optionally, claim) records in the vault that currently do not have an owner
or rti
Display information about record types (templates) and fields.
or rt
Add, edit, or delete custom record types
Convert legacy records to record-typed records
Detailed list of folder contents in JSON format
Move to a folder named 'folder"with"quotes'
Show the password for a record with a title that starts with "reddit", and "second" as part of the username
variable - store output value to Keeper variable
Copy the password for a record with a title that starts with "reddit", and "second" as part of the username to the clipboard
--revision
Display the TOTP token details for the record with the given UID
Display the TOTP token details for the record with the given UID in JSON format
This action cannot be undone
[!seq] matches any character not in seq
Delete the folder with the given UID and don't show any output
Remove all folders from the Keeper Vault
Find duplicate records -- matching on all relevant fields (and shares) -- and consolidate them into one (i.e., delete all but one record for each set of records deemed to be duplicates of each other) per set of duplicates without prompting for confirmation prior to record deletion
Find duplicate records (matching on all fields) and simulate consolidating the results
Find duplicate records across vaults within the entire enterprise and export the search results to a CSV-formatted file named enterprise_duplicates.csv
a shared-folder for which the user does not have either of the following:
share-admin privileges
full share permissions ("Can Manage Users", "Can Manage Records")
a direct-share record for which the user does not have either of the following:
share-admin privileges
re-share permissions ("Can Share")
user folders contained within a shared-folder (i.e., any user folder whose parent folder, or parent folder's parent folder, etc., is a shared-folder)
unshare <RECORD UID(S)>: remove shares from deleted records
purge : permanently delete all records in the trash
list or l
List all records or search via a regular expression.
search or s
Search all records via a regular expression.
List folder contents
Display entire folder structure as a tree
Change current folder
get or g
Retrieve and display a Keeper Record/Folder/Team in printable or JSON format.
$AttachmentFileName
By default, all downloaded attachments will retain their original name.
If a record contains the attachment "file.txt", the name of the downloaded attachment will be: file.txt
$AttachmentFileName($RecordUUID).$AttachmentFileNameExtension
This is the naming convention for duplicates.
If a record contains two attachments with the same name (i.e "file.txt") or the output directory already contains a file with the same name, the naming convention of the downloaded attachments will be:
file.txt and file(Lw7K5ah3LjP5uVkhkrSzrw).txt
$AttachmentFileName($AttachmentUUID).$AttachmentFileNameExtension
For duplicates, if the naming convention in the above row is used, then the AttachmentUUID will be used instead of RecordUUID.
In the given examples for the row above, downloading file.txt will use the attachmentUUID instead of the recordUUID:
file(Bu2WLg-7eqWPhO-NW18lgw).txt
$RecordName-$AttachmentFileName
If the switch --record-title is passed, the record name will be appended to downloaded attachment file. This also applies to duplicates.
For a record named "Record1" with the attachment "file.txt", the naming convention will be:
Record1-file.txt
Display the specified Keeper Record password field to the system output
l
l twitter
l ^(?!.*FTP).*Azure.*$
s dropbox
s [0-z]*\.org
search dropbox --format json
ls -l
ls -r
ls -l -r -v
ls -R -l "Folder1"
ls -l --format json
tree
tree "Office Codes/"
tree --verbose --records --title="My Folder Structure w/ Records (UIDs shown)"
tree --shares --hide-shares-key "/Work Folders/Team1"
cd social/
cd financial/banks/
cd /
cd "folder/with/slashes"
cd folder\"with\"quotes
find-password rvwIBG_ban2VTH64OsnzLn
find-password office/Zoom
find-password rvwIBG_ban2VTH64OsnzLn --output clipboard
find-password social/Twitter -l
find-password reddit --username .*second.*
clipboard-copy rvwIBG_ban2VTH64OsnzLn
clipboard-copy office/Zoom
clipboard-copy rvwIBG_ban2VTH64OsnzLn --output stdout
clipboard-copy social/Twitter -l
clipboard-copy reddit --username .*second.*
get rvwIBG_ban2VTH64OsnzLn
g rvwIBG_ban2VTH64OsnzLn --format json --legacy
get E8pikwH-yUAfTQJZ2bezbQ --include-dag --format=json
record-history rvwIBG_ban2VTH64OsnzLn
record-history rvwIBG_ban2VTH64OsnzLn -a diff
record-history rvwIBG_ban2VTH64OsnzLn -r 4
record-history rvwIBG_ban2VTH64OsnzLn -a restore -r 2
totp
totp Dropbox
totp U-QSpjIL9e9_huXrbTwz4Q
totp Dropbox --range 1
totp U-QSpjIL9e9_huXrbTwz4Q --details
totp U-QSpjIL9e9_huXrbTwz4Q --format json
download-attachment "documents/Financial Records"
download-attachment _j0SPqnUeUCZN5UoEfD6cg
download-attachment / --recursive --preserve-dir --out-dir=C:\\Attachments
download-attachment "documents/Financial Records" --record-title
upload-attachment "documents/Financial Records" --file C:/June_2021.pdf
upload-attachment _j0SPqnUeUCZN5UoEfD6cg --file C:/Users/pictures/5_15_21.jpeg
delete-attachment "documents/Financial Records" --name June_2021.pdf
delete-attachment _j0SPqnUeUCZN5UoEfD6cg --name 5_15_21.jpeg
delete-attachment -o
file-report
file-report -d
lsf
list-team
list-team -v
list-team -a
record-add --title="Sample Login" --record-type=login --folder="Personal Folder" login=username password=$GEN url=https://www.google.com "License ID"="9ACB123" url.AlternateURL=https://amazon.com
record-add --title="Empty Legacy Record" --record-type=legacy
record-add --syntax-help
record-update --syntax-help
record-add -t "Temporary Shared Login (1 hr)" -rt login --self-destruct 1h
record-add --record-type login --title 'Demo User - Gmail' [email protected] password=$GEN --self-destruct 1h --email-config 'Demo-Gmail' --send-email '[email protected]'
rm social/Twitter
rm -wAZ13kI8d326j1HEUTqmQ -f
rm rec1 rec2
delete-all
delete-all -f
delete-all --force
append-notes social/Twitter
an KEdxyHgtCOv3hBdjz_aJEw --notes "Outdated as of June 2021"
mkdir finance/personal
mkdir social -uf
mkdir office-codes -sf -s
rmdir social/temporary
rmdir zXuYXRYWgsie5TBPzQACLw -f
rmdir [A-Z]*2
rmdir DevOps/secrets MyFolder
rmdir t5uYXRYWgsie5TBPzQACLw -f -q
rmdir *
rndir --name="Dev Ops/secrets" --color=red zXuYXRYWgsie5TBPzQACLw
mv Twitter social
mv zXuYXRYWgsie5TBPzQACLw /
ln Twitter social
ln zXuYXRYWgsie5TBPzQACLw /
find-duplicate --title
find-duplicate --login --password
find-duplicate --login --password --url
find-duplicate --full
find-duplicate --merge --force
find-duplicate --merge -n
find-duplicate -s enterprise --format csv --output enterprise_duplicates.csv
shortcut list
shortcut list --format csv --output "shortcuts.csv"
shortcut list 461XtX26R1SggIyQDf4HZg
shortcut keep "memberships/My Membership"
My Vault> shortcut list 461XtX26R1SggIyQDf4HZg
Record UID              Record Title    Folder
----------------------  --------------  ----------------------
461XtX26R1SggIyQDf4HZg  ksm-key1        [ User ] /key-folder1/
                                        [ User ] /key-folder2/
                                        [ User ] /key-folder3/
My Vault> shortcut keep 461XtX26R1SggIyQDf4HZg key-folder2
My Vault> shortcut list 461XtX26R1SggIyQDf4HZg
shortcut-get: Record UID 461XtX26R1SggIyQDf4HZg does not have shortcuts
My Vault> transform-folder --link SharedFolder1/FolderToTransform
The following folder(s) will be copied to "My Vault"
Source Folder            Folder Count    Record Count
-----------------------  --------------  --------------
SharedFolder1/Database/  123             1234
Are you sure you want to proceed with this action? [y/n]: y
Executing transformation(s)...
My Vault> transform-folder "My Folder (Misc.)"
My Vault> transform-folder "Shared Folder (Team3, Admin)"
trash list
trash list --format csv --output "deleted.csv"
trash list Twitter*
trash get Do5[...]mJw
trash restore DoO[...]Gw
trash restore DoO[...]Gw Gng[...]1-g
trash restore --force DoO[...]Gw Gng[...]1-g
// removes shares from all deleted records
trash unshare *
// removes share from a single record
trash unshare <RECORD UID>
trash purge
My Vault> password-report --policy=12,2,2,2,0
My Vault> password-report --length=10 --digits=2
My Vault> find-ownerless -v
My Vault> find-ownerless --claim
Detailed documentation for record-add and record-update commands
This document provides comprehensive examples for creating records using the record-add command in Keeper Commander. The command supports dot notation for field specification and $JSON: syntax for complex field types.
Note: Keeper Commander supports line continuation using a backslash (\) at the end of a line, allowing you to split long commands across multiple lines for better readability.
Important: Do not put spaces after the backslash (\) character. The line should end immediately with \ with no trailing spaces; otherwise empty arguments will be created and cause parsing errors.
--title / -t: Record title (required)
--record-type / -rt: Record type (required)
--notes / -n
Dot Notation Format:
Components:
FIELD_SET: Optional. f (fields) or c (custom)
FIELD_TYPE: Field type (e.g., login, password, url, etc.)
FIELD_LABEL: Optional field label
Special Value Syntax:
$JSON:{"key": "value"} - For complex object fields
$GEN - Generate passwords, TOTP codes, or key pairs
file=@filename - File attachments
Keeper Commander supports two types of records:
Typed Records - Structured records with predefined schemas (login, bankAccount, contact, etc.)
Legacy Records - General records (use -rt legacy or -rt general)
login - Username/login field
password - Password field (masked)
url - Website URL
phone - Phone number with region/type
name - Person's name (first, middle, last)
address - Physical address
Single-line version (safest for copy-paste):
Multi-line version (type manually, don't copy-paste):
Keeper Commander allows scripting through run-batch or run. The easiest way to get the record JSON template is to create one record in the web vault and then run get UID --format=json in Keeper Commander; the output gives the exact format to use for complex object fields in the form $JSON:{"key": "value"}. You can then generate the batch script and run it.
PAM records require additional commands to set them up for rotation, connections, tunneling, etc. See the example below this section.
PAM Configuration types are created using command.
Each PAM Record belongs to a PAM Configuration which references a Keeper Gateway usually installed in your local network or in a place that provides access to the PAM resources. The following is a good starting point for configuring a new PAM Environment.
The --self-destruct option creates temporary records that automatically delete themselves after being accessed. This is perfect for sharing sensitive information that should only be viewed once.
Creates a temporary shareable URL that expires after your specified time
Record stays in your vault until someone opens the share URL
Auto-deletes from your vault 5 minutes after the URL is first accessed
Maximum duration is 6 months
Time Units:
m or minutes - Minutes (default if no unit specified)
h or hours - Hours
d or days
Share temporary password (expires in 1 hour):
One-time WiFi credentials (expires in 30 minutes):
Temporary file share (expires in 24 hours):
Emergency contact info (expires in 2 hours):
When using --self-destruct, the command returns a shareable URL instead of a record UID:
⚠️ Security Considerations:
URL is the key - Anyone with the URL can access the record
No authentication required - Share URLs bypass login requirements
One-time access - Record deletes 5 minutes after first view
Cannot be recovered - Once deleted, the record is gone forever
⚠️ Limitations:
Maximum 6 months expiration time
Cannot update self-destructing records
No preview - You can't see the record again after creation
Immediate sharing - URL is active immediately upon creation
Copy the URL immediately - You won't be able to retrieve it later
Use short expiration times for maximum security (minutes/hours vs days)
Include context in notes about why the record was created
Share URL through secure channels (encrypted messaging, in person)
Emergency access credentials for system administrators
Temporary passwords for contractors or consultants
One-time document sharing for sensitive files
Guest network credentials for visitors
Use single-line commands for copy-paste to avoid trailing space issues
Quote JSON values to prevent shell interpretation
Use $GEN for passwords instead of hardcoding them
Test with simple records first before creating complex ones
"Expected: =, got: ; Missing ="
Remove trailing spaces after backslashes in multi-line commands
Use single-line format for copy-paste
"Field type not supported"
Check available field types with record-add --syntax-help
Use custom fields with c. prefix for non-standard fields
JSON parsing errors
Ensure JSON is properly quoted
Escape single quotes in JSON: '\''
Use double quotes inside JSON objects
File attachment errors
Use @ prefix: file=@/path/to/file.txt
Ensure file path is accessible
Use absolute paths to avoid confusion
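An added example (not Keeper's own code): a pre-flight linter for a run-batch script that applies the dot-notation format, the best-practice and troubleshooting checks listed above, and the --self-destruct duration syntax. The function names, tokenizing with Python's shlex, and the 24-hour max_share limit are assumptions; the sample script is constructed.

```python
import json
import re
import shlex
from datetime import timedelta

# Options of record-add / record-update that take a value (all appear on this page).
VALUE_OPTS = {"--title", "-t", "--record-type", "-rt", "--notes", "-n", "--folder",
              "--record", "-r", "--self-destruct", "--email-config", "--send-email"}
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}


def parse_self_destruct(text):
    """Parse <NUMBER>[(m)inutes|(h)ours|(d)ays]; minutes is the default unit."""
    match = re.fullmatch(r"(\d+)(m|minutes|h|hours|d|days)?", text)
    if not match:
        raise ValueError(f"bad --self-destruct value {text!r}")
    return timedelta(seconds=int(match.group(1)) * UNIT_SECONDS[(match.group(2) or "m")[0]])


def parse_field(token):
    """Split [FIELD_SET.][FIELD_TYPE][.FIELD_LABEL]=FIELD_VALUE into a 4-tuple."""
    if "=" not in token:
        raise ValueError(f"missing '=' in field {token!r}")
    name, value = token.split("=", 1)
    parts = name.split(".")
    field_set = parts.pop(0) if len(parts) > 1 and parts[0] in ("f", "c") else None
    return field_set, parts[0], ".".join(parts[1:]) or None, value


def lint_command(line_no, text, max_share):
    """Check one logical command; returns [(line_no, message)]."""
    try:
        tokens = shlex.split(text)  # assumption: approximates Commander's tokenizer
    except ValueError as exc:  # e.g. an unbalanced quote
        return [(line_no, f"cannot tokenize: {exc}")]
    if not tokens or tokens[0] not in ("record-add", "record-update"):
        return []
    issues, rest = [], iter(tokens[1:])
    for tok in rest:
        if tok.startswith("-"):
            opt, sep, val = tok.partition("=")  # also accepts --title=x and -rt=x
            if not sep and opt in VALUE_OPTS:
                val = next(rest, "")
            if opt == "--self-destruct":
                try:
                    if parse_self_destruct(val) > max_share:
                        issues.append((line_no, f"--self-destruct {val} exceeds policy"))
                except ValueError as exc:
                    issues.append((line_no, str(exc)))
            continue
        try:
            _, ftype, _, value = parse_field(tok)
        except ValueError as exc:
            issues.append((line_no, str(exc)))
            continue
        if value.startswith("$JSON:"):
            try:
                json.loads(value[len("$JSON:"):])
            except json.JSONDecodeError as exc:
                issues.append((line_no, f"{ftype}: invalid $JSON ({exc.msg})"))
        elif ftype == "password" and value and not value.startswith("$GEN"):
            issues.append((line_no, "literal password; use $GEN"))
        elif ftype == "file" and not value.startswith("@"):
            issues.append((line_no, "file value needs the @ prefix"))
    return issues


def lint_batch(script, max_share=timedelta(hours=24)):
    """Lint a run-batch script; max_share is an assumed local policy limit."""
    issues, buf, start = [], [], 0
    for no, raw in enumerate(script.splitlines() + [""], 1):  # "" flushes an open command
        if re.search(r"\\[ \t]+$", raw):
            issues.append((no, "whitespace after trailing backslash"))
        line = raw.rstrip()
        if not buf:
            if not line or line.lstrip().startswith("#"):
                continue  # blank line or full-line comment
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])  # continuation: keep collecting
            continue
        buf.append(line)
        issues += lint_command(start, " ".join(buf), max_share)
        buf = []
    return issues


# Constructed sample script (not from the Keeper documentation).
SAMPLE = "\n".join([
    'record-add -t "Work Account" -rt login \\',
    "  login=john.doe password='$GEN:rand,16' url=https://company.com",
    'record-add -t "Temp Password" -rt login login=user password=pass123 --self-destruct 3d',
    'record-add -t "John Smith" -rt contact \\ ',
    "  name='$JSON:{\"first\": \"John\", last: \"Smith\"}'",
    'record-add -t "Doc" -rt file file=/path/to/document.pdf c.text.Project_Name',
])

if __name__ == "__main__":
    print("\n".join(f"line {n}: {msg}" for n, msg in lint_batch(SAMPLE)))
```

Issues are reported against the line where the command starts, so a bad field on a continuation line points back to its record-add line.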
While record-add creates new records, record-update modifies existing records. Here's how they compare:
Key Arguments:
--record / -r: Record title or UID (required)
--title / -t: Update record title
--record-type / -rt
Update password and URL:
Add a phone number to existing contact:
Append to notes (notice the + prefix):
Update title and add custom field:
Change record type (converts structure):
Use record-add when:
Creating a completely new record
You want to specify all fields from scratch
Setting up initial record structure
Use record-update when:
Modifying existing records
Adding new fields to existing records
Updating passwords or other credentials
Appending information to notes
Important Notes:
record-update only changes the fields you specify
Existing fields not mentioned remain unchanged
Use field= (empty value) to clear a field
Notes with +
--folder: Folder path or UID to store the record (optional)
--force / -f: Ignore warnings (optional)
--syntax-help: Display field syntax help
FIELD_VALUE: The field value
email - Email address
text - Plain text
multiline - Multi-line text
secret - Masked text field
note - Masked multiline text
oneTimeCode - TOTP/2FA codes
date - Unix epoch time or date strings
paymentCard - Credit card details
bankAccount - Bank account details
securityQuestion - Security Q&A pairs
host - Hostname/port combinations
keyPair - SSH key pairs
Generate strong passwords using $GEN for temporary access
Verify recipient received URL before the expiration time
Secure information handoffs between team members
Time-sensitive shared secrets for automated systems
Use custom fields (c.) for non-standard data
Organize records in folders using the --folder parameter
Add meaningful notes with --notes for context
--notes / -n: Update notes (+text appends, text overwrites)
--force / -f: Ignore warnings
Feature            record-add           record-update
-----------------  -------------------  -----------------------------------------
Purpose            Creates new records  Modifies existing records
Record identifier  Not required         Required (-r or --record)
Record type        Required (-rt)       Optional (can change type)
Field behavior     Sets all fields      Updates only specified fields
Notes behavior     Sets notes           Appends with + prefix, overwrites without
record-add --title "Record Title" --record-type "RECORD_TYPE" [OPTIONS] [FIELDS...]
[FIELD_SET.][FIELD_TYPE][.FIELD_LABEL]=FIELD_VALUE
record-add -t "Gmail Account" -rt login [email protected] password=SecurePass123 url=https://accounts.google.com
record-add -t "Gmail Account" -rt login \
[email protected] \
password=SecurePass123 \
url=https://accounts.google.com
record-add -t "John Smith" -rt contact \
name='$JSON:{"first": "John", "middle": "Michael", "last": "Smith"}' \
[email protected] \
phone.Mobile='$JSON:{"number": "(555) 555-1234", "type": "Mobile"}'
# my_script.txt
record-add -t "Gmail Account" -rt login [email protected]
record-add -t "Yahoo Account" -rt login [email protected]
# run batch
keeper shell run-batch my_script.txt
# Basic login
record-add -t "Gmail Account" -rt login \
[email protected] \
password=SecurePass123 \
url=https://accounts.google.com
# Login with generated password
record-add -t "Work Account" -rt login \
login=john.doe \
password='$GEN:rand,16' \
url=https://company.com
# Login with TOTP
record-add -t "Banking Login" -rt login \
login=john.doe \
password=MySecurePassword \
url=https://mybank.com \
oneTimeCode='$GEN'
# Login with security questions
record-add -t "Investment Account" -rt login \
login=john.doe \
password=InvestPass123 \
url=https://investment.com \
securityQuestion.Mother='$JSON:[{"question": "What is your mother'\''s maiden name?", "answer": "Smith"}]'
# Login with custom fields
record-add -t "Work VPN" -rt login \
login=john.doe \
password=VpnPass123 \
url=https://vpn.company.com \
c.text.Department="IT Security" \
c.text.Employee_ID="EMP001"
# Basic bank account
record-add -t "Chase Checking" -rt bankAccount \
bankAccount='$JSON:{"accountType": "Checking", "routingNumber": "021000021", "accountNumber": "123456789"}' \
name='$JSON:{"first": "John", "last": "Doe"}' \
login=john.doe \
password=BankPass123
# Bank account with online banking
record-add -t "Wells Fargo Savings" -rt bankAccount \
bankAccount='$JSON:{"accountType": "Savings", "routingNumber": "121042882", "accountNumber": "987654321"}' \
name='$JSON:{"first": "Jane", "last": "Smith"}' \
login=jane.smith \
password=SavePass456 \
url=https://wellsfargo.com \
--notes "High yield savings account"
# Credit card
record-add -t "Chase Sapphire Preferred" -rt bankCard \
paymentCard='$JSON:{"cardNumber": "4111111111111111", "cardExpirationDate": "12/2025", "cardSecurityCode": "123"}' \
text.cardholderName="John Doe" \
pinCode=1234 \
login=john.doe \
password=CardPass123
# Debit card
record-add -t "Bank of America Debit" -rt bankCard \
paymentCard='$JSON:{"cardNumber": "5555555555554444", "cardExpirationDate": "08/2026", "cardSecurityCode": "456"}' \
text.cardholderName="Jane Smith" \
pinCode=5678
# Personal contact
record-add -t "John Smith" -rt contact \
name='$JSON:{"first": "John", "middle": "Michael", "last": "Smith"}' \
[email protected] \
phone.Mobile='$JSON:{"number": "(555) 555-1234", "type": "Mobile"}' \
text.company="ABC Corporation"
# Business contact with multiple phone numbers
record-add -t "Dr. Sarah Johnson" -rt contact \
name='$JSON:{"first": "Sarah", "last": "Johnson"}' \
[email protected] \
phone.Work='$JSON:{"number": "(555) 987-6543", "type": "Work"}' \
phone.Mobile='$JSON:{"number": "(555) 123-4567", "type": "Mobile"}' \
text.company="Medical Associates" \
c.text.Title="Chief Medical Officer"
# Home address
record-add -t "Home Address" -rt address \
address='$JSON:{"street1": "123 Main St", "street2": "Apt 4B", "city": "New York", "state": "NY", "zip": "10001", "country": "US"}'
# Work address
record-add -t "Office Address" -rt address \
address='$JSON:{"street1": "456 Business Ave", "city": "San Francisco", "state": "CA", "zip": "94105", "country": "US"}' \
--notes "Main office location"
# Web server
record-add -t "Production Web Server" -rt serverCredentials \
host='$JSON:{"hostName": "web.company.com", "port": "22"}' \
login=admin \
password='$GEN:rand,20' \
c.text.Environment="Production" \
c.text.Purpose="Web Server"
# Database server
record-add -t "MySQL Database" -rt databaseCredentials \
host='$JSON:{"hostName": "db.company.com", "port": "3306"}' \
login=dbadmin \
password=DbSecure123 \
text.database="production_db"
# SSH key pair
record-add -t "Production SSH Key" -rt sshKeys \
keyPair='$GEN:ed25519,enc' \
host='$JSON:{"hostName": "prod.company.com", "port": "22"}' \
login=deploy \
c.text.Purpose="Production deployment"
# Existing SSH key
record-add -t "GitHub SSH Key" -rt sshKeys \
keyPair='$JSON:{"privateKey": "-----BEGIN OPENSSH PRIVATE KEY-----\n...", "publicKey": "ssh-ed25519 AAAAC3..."}' \
host='$JSON:{"hostName": "github.com", "port": "22"}' \
login=git
# Software license
record-add -t "Microsoft Office" -rt softwareLicense \
licenseNumber="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" \
c.text.Product_Version="Office 365" \
c.text.Licensed_To="John Doe" \
c.date.Purchase_Date="2023-01-15" \
c.date.Expiration_Date="2024-01-15"
# WiFi network
record-add -t "Home WiFi" -rt wifiCredentials \
text.ssid="MyHomeNetwork" \
password=WiFiPassword123 \
c.text.Security_Type="WPA2" \
c.text.Frequency="5GHz"
# Basic secure note
record-add -t "Important Information" -rt encryptedNotes \
note="This is confidential information that needs to be encrypted." \
date="2024-01-15"
# Secure note with custom fields
record-add -t "Recovery Codes" -rt encryptedNotes \
note="Backup codes for two-factor authentication" \
c.text.Service="Google Authenticator" \
c.multiline.Codes="123456\n789012\n345678"
# PostgreSQL database
record-add -t "Production PostgreSQL" -rt databaseCredentials \
host='$JSON:{"hostName": "db.company.com", "port": "5432"}' \
login=postgres \
password='$GEN:rand,24' \
text.database="production_db" \
c.text.Environment="Production" \
c.text.SSL_Mode="require"
# MongoDB database
record-add -t "Analytics MongoDB" -rt databaseCredentials \
host='$JSON:{"hostName": "mongo.company.com", "port": "27017"}' \
login=admin \
password=MongoPass456 \
text.database="analytics" \
c.text.Replica_Set="rs0"
# Driver's license
record-add -t "Driver's License" -rt driverLicense \
accountNumber=DL123456789 \
name='$JSON:{"first": "John", "last": "Doe"}' \
birthDate="1990-01-15" \
expirationDate="2025-01-15" \
address='$JSON:{"street1": "123 Main St", "city": "New York", "state": "NY", "zip": "10001", "country": "US"}' \
c.text.License_Class="Class C"
# Commercial driver's license
record-add -t "CDL License" -rt driverLicense \
accountNumber=CDL987654321 \
name='$JSON:{"first": "Jane", "last": "Smith"}' \
birthDate="1985-05-20" \
expirationDate="2024-05-20" \
c.text.License_Class="Class A" \
c.text.Endorsements="Hazmat, Passenger"
# US Passport
record-add -t "US Passport" -rt passport \
accountNumber=123456789 \
name='$JSON:{"first": "John", "last": "Doe"}' \
birthDate="1990-01-15" \
expirationDate="2030-01-15" \
date="2020-01-15" \
address='$JSON:{"street1": "123 Main St", "city": "New York", "state": "NY", "zip": "10001", "country": "US"}' \
c.text.Place_of_Birth="New York, NY" \
c.text.Nationality="US"
# Health insurance
record-add -t "Blue Cross Blue Shield" -rt healthInsurance \
accountNumber=12345678901 \
name='$JSON:{"first": "John", "last": "Doe"}' \
login=john.doe \
password=HealthPass123 \
url=https://bcbs.com \
c.text.Plan_Type="PPO" \
c.text.Group_Number="12345" \
c.text.Deductible="$2000"
# Gym membership
record-add -t "Gold's Gym" -rt membership \
accountNumber=GYM123456 \
name='$JSON:{"first": "John", "last": "Doe"}' \
password=GymPass123 \
c.text.Membership_Type="Premium" \
c.date.Expiration_Date="2024-12-31"
# Professional membership
record-add -t "IEEE Membership" -rt membership \
accountNumber=IEEE987654 \
name='$JSON:{"first": "Jane", "last": "Smith"}' \
password=IEEEPass456 \
c.text.Membership_Grade="Senior Member" \
c.text.Specialization="Computer Science"
# Birth certificate
record-add -t "Birth Certificate" -rt birthCertificate \
name='$JSON:{"first": "John", "middle": "Michael", "last": "Doe"}' \
birthDate="1990-01-15" \
address='$JSON:{"street1": "Hospital Address", "city": "New York", "state": "NY", "country": "US"}' \
c.text.Certificate_Number="BC123456789" \
c.text.Place_of_Birth="New York General Hospital" \
c.text.Parents_Names="Jane Doe, Robert Doe"
# SSN card
record-add -t "Social Security Card" -rt ssnCard \
accountNumber=123-45-6789 \
name='$JSON:{"first": "John", "middle": "Michael", "last": "Doe"}' \
c.text.Issue_Date="2008-01-15" \
c.text.Issue_State="New York"
# Photo record
record-add -t "Profile Photo" -rt photo \
file='@/path/to/profile.jpg' \
c.text.Description="Professional headshot" \
c.date.Date_Taken="2024-01-15"
# Record with file attachment
record-add -t "Important Document" -rt file \
file='@/path/to/document.pdf' \
--notes "Legal documents"
# Multiple file attachments
record-add -t "Project Files" -rt file \
file='@/path/to/project.zip' \
file='@/path/to/readme.txt' \
c.text.Project_Name="Alpha Release"
# PAM Database configuration
record-add -t "Production Oracle DB" -rt pamDatabase \
pamHostname='$JSON:{"hostName": "oracle.company.com", "port": "1521"}' \
login=system \
password='$GEN:rand,20' \
text.database="PROD" \
c.text.Instance_Name="ORCL" \
c.text.Service_Name="prod.company.com"
# Active Directory PAM
record-add -t "Corporate Active Directory" -rt pamDirectory \
pamHostname='$JSON:{"hostName": "dc.company.com", "port": "389"}' \
login=administrator \
password='$GEN:rand,24' \
c.text.Domain="company.com" \
c.text.Base_DN="dc=company,dc=com" \
c.text.Security_Protocol="LDAPS"
# Production server PAM
record-add -t "Production Web Server" -rt pamMachine \
pamHostname='$JSON:{"hostName": "web01.company.com", "port": "22"}' \
login=root \
password='$GEN:rand,20' \
c.text.OS="Ubuntu 20.04" \
c.text.Environment="Production" \
c.text.Purpose="Web Application Server"
# Privileged user account
record-add -t "Database Admin User" -rt pamUser \
login=dbadmin \
password='$GEN:rand,24' \
name='$JSON:{"first": "Database", "last": "Administrator"}' \
c.text.Department="IT Operations" \
c.text.Access_Level="Full Database Admin" \
c.date.Account_Expiry="2024-12-31"
# Remote browser session
record-add -t "Salesforce Admin Session" -rt pamRemoteBrowser \
url=https://company.salesforce.com \
[email protected] \
password='$GEN:rand,16' \
c.text.Session_Type="Administrative" \
c.text.Browser_Profile="Chrome Enterprise"
# Create shared folder
mkdir gwapp -sf -a
# Create Secrets Manager Application
secrets-manager app create gwapp1
# Add newly created shared folder to the new App
secrets-manager share add --app=gwapp1 --secret=SHARED_FOLDER_UID --editable
# Create new PAM Gateway - output: base64 config for docker
pam gateway new --name=gateway1 --application=gwapp1 --config-init=b64 --return_value
# Create new PAM Configuration using the new Gateway
pam config new --environment=local \
--title=config1 \
--gateway=gateway1 \
-sf=SHARED_FOLDER_UID \
--connections=on --tunneling=on --rotation=on --remote-browser-isolation=on
# Create PAM resource records and users: 1 machine with admin and rotation user(s)
record-add --folder=SHARED_FOLDER_UID --title=admin1 -rt=pamUser \
login=admin1 password="$GEN:rand,16"
record-add --folder=SHARED_FOLDER_UID --title=user1 -rt=pamUser \
login=user1 password="$GEN:rand,16"
record-add --folder=SHARED_FOLDER_UID --title=machine1 -rt=pamMachine \
pamHostname="$JSON:{\"hostName\": \"127.0.0.1\", \"port\": \"22\"}"
# Setup PAM Machine for connections and tunnelling
pam tunnel edit PAM_MACHINE_UID --configuration=PAM_CONFIG_UID --enable-tunneling
pam connection edit PAM_MACHINE_UID --configuration=PAM_CONFIG_UID \
--connections=on \
--protocol=ssh \
--admin-user=ADMIN_USER_UID
# Setup PAM User for rotation on the machine (resource)
# --force switches to non-interactive mode
pam rotation edit --config=PAM_CONFIG_UID \
--record=PAM_USER_UID \
--resource=PAM_MACHINE_UID \
--admin-user=ADMIN_USER_UID \
--on-demand --enable --force
# After installing the Gateway you can test the setup
pam tunnel start PAM_MACHINE_UID
# pam tunnel stop ENDPOINT_UID
pam action rotate --record-uid=PAM_USER_UID
# Random password (default)
password='$GEN'
password='$GEN:rand,16' # 16 characters
# Diceware password
password='$GEN:dice,5' # 5 words
# Crypto password
password='$GEN:crypto'
# Generate TOTP secret
oneTimeCode='$GEN'
# Existing TOTP URL
oneTimeCode='otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example'
# Generate RSA key pair
keyPair='$GEN:rsa'
# Generate EC key pair
keyPair='$GEN:ec'
# Generate Ed25519 key pair (recommended)
keyPair='$GEN:ed25519'
# Generate encrypted key pair
keyPair='$GEN:ed25519,enc'
# Custom text field
c.text.Department="Engineering"
# Custom multiline field
c.multiline.Notes="Line 1\nLine 2\nLine 3"
# Custom secret field (masked)
c.secret.API_Key="secret-api-key-here"
# Custom date field
c.date.Expiration="2024-12-31"
# Unix timestamp
date=1668639533
# ISO format
date="2022-11-16T10:58:53Z"
# Simple date
date="2022-11-16"
phone.Work='$JSON:{"region": "US", "number": "(555) 555-1234", "ext": "123", "type": "Work"}'
phone.Mobile='$JSON:{"number": "(555) 555-1234", "type": "Mobile"}'
name='$JSON:{"first": "John", "middle": "Michael", "last": "Doe"}'
name='$JSON:{"first": "Jane", "last": "Smith"}'
address='$JSON:{"street1": "123 Main St", "street2": "Apt 4B", "city": "New York", "state": "NY", "zip": "10001", "country": "US"}'
securityQuestion.Mother='$JSON:[{"question": "What is your mother'\''s maiden name?", "answer": "Smith"}]'
securityQuestion.Pet='$JSON:[{"question": "What was your first pet'\''s name?", "answer": "Fluffy"}]'
--self-destruct <NUMBER>[(m)inutes|(h)ours|(d)ays]
record-add -t "Temporary Server Access" -rt login \
login=admin \
password='$GEN:rand,16' \
url=https://server.company.com \
--self-destruct 1h \
--notes "Emergency access for John Doe"
record-add -t "Guest WiFi Access" -rt wifiCredentials \
text.ssid="Company-Guest" \
password=TempPass123 \
--self-destruct 30m \
--notes "Visitor access for meeting"
record-add -t "Confidential Document" -rt file \
file='@/path/to/sensitive-doc.pdf' \
--self-destruct 1d \
--notes "Contract for review - auto-deletes after viewing"
record-add -t "Emergency Contact" -rt contact \
name='$JSON:{"first": "Emergency", "last": "Contact"}' \
phone.Mobile='$JSON:{"number": "(555) 911-0000", "type": "Emergency"}' \
--self-destruct 2h
$ record-add -t "Temp Password" -rt login login=user password=pass123 --self-destruct 1h
https://keepersecurity.com/vault/share/AbCdEf123456...
record-update --record "RECORD_TITLE_OR_UID" [OPTIONS] [FIELDS...]
record-update -r "Gmail Account" \
password='$GEN:rand,20' \
url=https://accounts.google.com/new-login
record-update -r "John Smith" \
phone.Work='$JSON:{"number": "(555) 987-6543", "type": "Work"}'
record-update -r "Server Credentials" \
--notes "+Updated password on 2024-01-15"
record-update -r "Old Server Name" \
--title "Production Web Server" \
c.text.Environment="Production" \
c.text.Last_Updated="2024-01-15"
record-update -r "Simple Login" \
--record-type contact \
name='$JSON:{"first": "John", "last": "Doe"}' \
[email protected]
# View all available record types
record-type-info
# View fields for a specific record type
record-type-info --list-record login
# View field information
record-type-info --list-field phone
# View field syntax help
record-add --syntax-help
# View record-update syntax help
record-update --help