Keeper Secrets Manager Devices with KeeperPAM
A Device can be any machine, application or endpoint that has the ability to communicate with the Keeper platform, authenticate and decrypt data that has been provisioned.
Applications have any number of devices associated. Each device has a unique identifier so that it can be tightly controlled and managed. Devices authenticate and decrypt data using a API and encryption model as defined in the Keeper Secrets Manager Security & Encryption model page.
See the Security & Encryption Model of a Device
A device can be created through the Applications section of the vault user interface or through the Keeper Commander CLI.
From the Vault user interface, go to Secrets Manager and select the Application. Then select the Devices tab and click "Add Device".
A Keeper device can be initialized through either a One-Time Access Token or a pre-built configuration file in either base64 or JSON format.
The One-Time Access Token is an encryption key used by a device for only one authentication to the cloud. After that, a local configuration is created with all of the necessary keys for subsequent authentications and decryption of the resulting vault ciphertext. The Keeper Secrets Manager SDKs and many out of the box integrations utilize this method.
One additional feature of this method is that you can optionally lock down API requests to a specific IP address. The IP address allowed to transact is based on the IP as seen by Keeper's cloud infrastructure.
The Configuration file method of creating a device is useful for tools and integrations where all of the secrets need to be provided at runtime. Most of the CI/CD integration methods use this pre-built configuration file.
For more information about the contents of a Keeper Secrets Manager configuration:
The Keeper Commander CLI can create devices with some additional capabilities that are not available in the UI. For example, the CLI can create any number of devices in bulk, or set an expiration on the validity of the device.
Additional features of the Commander CLI device initialization method:
Control over the device name
Access expiration when the device can be initialized
Access expiration of the device
Allow all IPs or restrict to the first requested IP
Generate a number of device tokens or configurations in bulk
Option to initialize with a on-time access token or configuration file
secrets-manager client add --app [APP NAME OR UID] --unlock-ip
Options:
--name [CLIENT NAME] : Name of the client (Default: Random 10 characters string)
--first-access-expires-in-min [MIN] : First time access expiration (Default 60, Max 1440)
--access-expire-in-min [MIN] : Client access expiration (Default: no expiration)
--unlock-ip : Does not lock IP address to first requesting device
--count [NUM] : Number of tokens to generate (Default: 1)
--config-init [json, b64 or k8s] : Initialize configuration string from a one-time token
Example:
See more details on the secrets-manager Commander CLI command