Instructions for installing Keeper Gateway on Windows
This document contains information on how to install, configure, and update the Keeper Gateway on Windows.
Prior to proceeding with this document, make sure you .
The latest Keeper Gateway for Windows is downloaded from here:
You can run the service under system privilege or use a service account.
Upon installation of the service, select "Enter a Keeper One-Time Access Token" and supply the token provided by when you on the Vault. After installation, the service will automatically start up and register with the Keeper cloud.
If you are upgrading an existing Gateway, un-check the "Enter a Keeper One-Time Access Token" so that the existing configuration is maintained.
The default installation location is the following:
Install Windows service - Installs the gateway as a Windows service.
Use service account - Use the , otherwise the account installing the gateway will be used.
Start Windows service - Start the Keeper Gateway service immediately after installation
If "Use service account" is specified you will be prompted to enter the valid credentials of the desired service account:
The final step prior to successfully installing the Keeper Gateway as service is to enter the Token provided from the Keeper Vault.
After clicking "Next", click "Install" in the next screen to install the Keeper Gateway.
After installing and running the Keeper Gateway as a service, this service can be accessed and easily managed within the Windows Services Manager as "Keeper Gateway Service".
The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and tenant server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the One-Time Access Token generated when you .
If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location:
If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:
Logs that contain helpful debugging information are automatically created and stored on the local machine.
If the gateway is running as a service, the gateway log files are stored in the following location:
If the gateway is not running as a service, the gateway log files are stored in the following location:
To activate verbose logging:
Go to Windows Services > Keeper Gateway > Properties
Stop the service
Set the "Start parameters" to: --debug or -d
To update the Keeper Gateway, stop the service, install the latest version and then start the service.
Run the latest Keeper Gateway installer
During installation DO NOT select "Enter a Keeper One-Time Access Token".
Select "Enable automatic updates" during the installer process to ensure that your Keeper Gateway is automatically updated when there are new versions available.
To monitor the Gateway service, you can configure health checks that expose its operational status. These checks are useful for Docker orchestration, load balancing, and automated monitoring. See the for full setup details and examples.
This section provides instructions for performing a silent installation of the Keeper Gateway on Windows systems. Silent installation allows the setup process to run in the background without displaying any user interface or messages.
To install the Keeper Gateway silently, use the following command in your command prompt or script:
Replace <TOKEN> with the token provided in the Keeper Vault when creating the Keeper Gateway.
If you have previously installed Keeper Gateway and wish to use the existing configuration, you can bypass the token entry by using:
To generate a log file during the installation process, use the following option and specify the desired log file path:
If you prefer to run the Keeper Gateway under a specific Windows service account, use the following options to specify the account details:
Replace <ACCOUNT USERNAME> and <ACCOUNT PASSWORD> with the credentials of the service account you intend to use.
To enable the Auto Updater feature, allowing Keeper Gateway to automatically check for and apply updates, use the following option:
To uninstall the service:
Uninstall Keeper Gateway from "Add and remove programs"
If desired, delete the private configuration .json file
Turn on debug logging - Enable verbose logging on the gateway log files. NOT recommended for production environments. Only use this when debugging with Keeper support.
Remove Keeper Gateway configuration and logs from previous installations
C:\ProgramFiles (x86)\Keeper Gateway\<version>C:\ProgramData\KeeperGateway\config\gateway-config.jsonC:\Users\<User>\.keeper\gateway-config.jsonC:\ProgramData\KeeperGateway\logs\C:\Users\<User>\.keeper\logs\keeper-gateway_windows_x86_64.exe /verysilent /suppressmsgboxes /norestart /token=<TOKEN>/existingconfig=1/log=<Optional log file>/mergetasks="service/account" /serviceuser=<ACCOUNT USERNAME> /servicepass=<ACCOUNT PASSWORD>/autoupdate=1The Keeper Gateway establishes outbound-only connections and does not require any inbound firewall rules. The following outbound connections must be allowed:
Keeper Cloud (keepersecurity.[com|eu|com.au|jp|ca|us])
TLS Port 443
Communicates with Keeper Cloud to access target infrastructure via native protocols (e.g., SSH, RDP)
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.
Keeper Router (connect.keepersecurity.[com|eu|com.au|jp|ca|us])
TLS Port 443
Communicates with Keeper Router to establish secure, real-time WebSocket connections
Keeper KRelay Server (krelay.keepersecurity.[com|eu|com.au|jp|ca|us])
TCP and UDP opened on Port 3478 Outbound access to TCP and UDP ports 49152 through 65535
Facilitates secure and encrypted relay connections between end-user's vault and target systems via the Gateway
Keeper Gateway SHA256 hashes for the latest version are published at the below location:
https://keepersecurity.com/pam/latest.txt
Calculating and verifying the checksum:
sha256sum keeper-gateway_linux_x86_64
cat keeper-gateway_X.X.X_SHA256SUMS | grep keeper-gateway_linux_x86_64Get-FileHash -Algorithm SHA256 keeper-gateway_windows_x86_64.exe | Format-List
Get-Content keeper-gateway_X.X.X_SHA256SUMS | Select-String keeper-gateway_windows_x86_64.exe