Import/Export Commands

Import and Export commands

See: Import and Export Data

CyberArk Import

Migrating CyberArk Accounts to Keeper

Keeper Commander will log on to the CyberArk Privilege Cloud Web Portal or the self-hosted Password Vault Web Access (PVWA), retrieve accounts and their passwords, and automatically create corresponding Server records in Keeper.

keeper import --format=cyberark server.domain

If the server is a CyberArk Privilege Cloud Web Portal, i.e., its hostname ends in ".cyberark.cloud", it will prompt for the CyberArk Identity Tenant ID and CyberArk Service User credentials:

CyberArk Identity Tenant ID: abc12345
CyberArk service user name: myserviceuser
Cyberark service user password:

ℹ️ The Identity Tenant ID is the first part of the login URL, e.g., https://abc12345.id.cyberark.cloud/...

If the server is any other hostname or IP address, it will prompt for the authentication method, username, and password for PVWA:

CyberArk logon type (Cyberark, LDAP, RADIUS or Windows): LDAP
CyberArk username: myusername
CyberArk password:

ℹ️ Use LDAP (not Windows) to log in with an Active Directory account

CyberArk Accounts based on Platforms in the Windows and *NIX groups will be imported as Server records. Accounts based on the Business Website platform, i.e., CyberArk Workforce Password Management Accounts, will import as Login records.

Importing Accounts

The process will list the Accounts to be imported, including the ID, Name, and Safe. It will also show a progress meter with a timer and ETA. If password retrieval fails for an Account, a Retry, Skip, or Skip All dialog is presented. The process can retry the request, skip the Account, or skip all Accounts that trigger the same HTTP status.

A dialog resulting from a 400 (Bad Request) HTTP response from the password API endpoint.

Skipped Accounts

The skipped Accounts will be listed after processing is complete. The list includes the ID, Name, Safe, and the Error code and message.

Using a search string to limit the imported Accounts

The process will import all Accounts by default; however, appending a question mark (?) followed by the search string will limit processing to Accounts that match the search.

keeper import --format=cyberark 10.11.12.13?WinDomain

Using a custom query string

Alternatively, if the search string contains '=', the process will pass it to the CyberArk Get Accounts endpoint as a query string. E.g.,

keeper import --format=cyberark example.cyberark.cloud?limit=10&offset=20

passes the limit and offset parameters to the Accounts endpoint, causing it to page the accounts 10 at a time, starting at the 20th account.

PowerShell Method

The end-user guide includes a process to import data into Keeper from CyberArk using a PowerShell script. Note, however, that it accesses the Vault server directly, so it only works on self-hosted servers.

Keepass Import

Automatic migration of your Keepass vault

Keepass Import

Keeper Commander supports importing the record and folder structure directly from an encrypted Keepass file. File attachments are also supported. Make sure to first follow these instructions to install the necessary keepass modules.

$ keeper import --format=keepass test.kdbx

You can optionally make all top-level folders shared folder objects with default permissions.

$ keeper import --format=keepass --shared --permissions=URES test.kdbx

For more options, see the help screen:

$ keeper help import

ManageEngine Import

Automatic migration of your ManageEngine vault

ManageEngine Import

Keeper supports importing the resources and connected accounts directly from a ManageEngine Password Manager Pro server. Importing file attachments from a File Store resource is also supported. You will need a ManageEngine user with API access and a generated token to use this import functionality.

$ keeper import --format=manageengine https://localhost:7272

Substitute https://localhost:7272 with your server URL and port. You will then need to enter your ManageEngine API token.

Import and Export Data

Commands for importing and exporting vault records, folders and teams permissions.

Commands

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.

To get help on a particular command, run:

help <command>

Import and Export Commands

Command                  Explanation
import                   Import data from a local file or other password managers
export                   Export vault records
download-membership      Download shared folder memberships
apply-membership         Apply shared folder membership changes
download-record-types    Download custom record types

import command

Command: import

Detail: Import data to Keeper from a local file or other password managers.

Parameters:

Path of file to import from.

*note: in file paths, backslash "\" needs to be escaped by using two in a row "\\"

Switches:

--format <FORMAT> file format (required)

FORMAT options:

--folder <FOLDER PATH OR UID> import into a specified folder

--filter-folder <FOLDER NAME> only import the specific folder from the source vault

-s, --shared import folders from file as shared folders

-p, --permissions <PERMISSIONS> default shared folder permissions if importing as shared folders

  • U - manage users permission granted

  • R - manage records permission granted

  • E - edit records permission granted

  • S - share permission granted

  • A - all permissions granted

  • N - no permissions granted

-dc, --display-csv show instructions for importing using the CSV format

-dj, --display-json show instructions for importing using JSON format

--record-type <RECORD TYPE NAME> import all records as the specified type

--dry-run display records to be imported without importing them

--show-skipped display skipped records

--update update records with common login, url or title

--users apply shared folder permissions for users and teams (similar to apply-membership)

-l, --login-type import records as login type

-od, --old-domain OLD_DOMAIN old domain for swapping the user emails in permissions

-nd, --new-domain NEW_DOMAIN new domain for swapping the user emails in permissions

--file-cache TMPDIR temp directory used to cache the encrypted attachments

Examples:

  1. Import records from a "records" CSV file into the vault

  2. Import records from a "records" CSV file into the "social" folder

  3. Import records from a "shared-records" JSON file, importing folders as shared folders with all permissions granted

  4. Import passwords from a Lastpass export file

  5. Show instructions and example for importing using CSV

  6. Import records from a "records" CSV file as login type records

  7. Import records from Thycotic/Delinea Secret Server using full URL

  8. Import records from Thycotic/Delinea Secret Server using username/hostname syntax

  9. Import JSON folders and records (no permissions)

  10. Apply permissions from the JSON import file only - no importing of records or folders

Detailed Import Instructions

Additional instructions are documented for migrating data and importing into Keeper from the following sources:

  • Cyberark

  • Cyberark User Portal

  • LastPass

  • Thycotic/Delinea Secret Server

Ensure that you upgrade to the latest version of Commander to support all import methods.

export command

Command: export

Detail: Export vault data to a file or the console

Parameters:

File name to export to, or nothing to export to console stdout

Switches:

--format <{json, csv, keepass}> file format

The keepass format is encrypted and cannot be exported to the CLI. Keepass exports must be output to a file.

--max-size <SIZE> maximum size of file attachment to export

  • format: number followed by "K","M","G" (Kilobyte, Megabyte, Gigabyte respectively)

  • e.g. "100k" , "10M" , "2G"

-kp, --keepass-file-password <PASSWORD> if exporting in keepass format, set the file's password

--zip Create ZIP archive for file attachments. JSON only

--folder <FOLDER NAME OR UID> select a folder as the export source

--store-in-vault Store the export file as a record attachment. Keepass only

Examples:

  1. Export the vault in CSV format to a file named "my-vault"

  2. Export the vault in JSON format to the console, ignoring any file attachments over 10 KB

  3. Export the vault in keepass format to a file named "keeper" and set the file's password

  4. Export the records in the "Socials" folder

download-membership command

Command: download-membership

Detail: Download shared folder membership to a local JSON file.

Switches:

--source <{keeper, lastpass, thycotic}> (required)

--folders-only Unload shared folder membership only. Skip team membership.

--sub-folder <{ignore, flatten}> (optional, default ignore) Thycotic/Delinea Secret Server allows shared folder permission to be overwritten by the subfolders. This option controls how these folders are imported.

  • ignore Subfolder permissions are ignored. Folder structure is preserved.

  • flatten Such subfolders are moved to the root of the vault. Folder permissions are preserved.

This command will reach out to the source password vault (either the current Keeper vault, remote LastPass vault or remote Thycotic/Delinea Secret Server), retrieve Team and Shared Folder file structure, and then create a local JSON file containing this structure. The filename generated locally will be called shared_folder_membership.json.

This file can then be used for subsequently sharing folders with Keeper users and teams. The sharing operation is performed by executing the apply-membership command.

Examples:

or

or

Sample Permission File

After executing download-membership, the resulting JSON file contains information about the teams, user-team assignments and shared folder permissions. An example file is below. This example file contains 3 teams, and 3 shared folders. The 3rd shared folder exists within a regular folder.
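Because apply-membership grants whatever the file lists, a review pass over shared_folder_membership.json is worth running first. The following is an added example, not part of Keeper Commander: it assumes the field names of the sample file described here, treats permission entries carrying a "uid" as teams and entries with only a "name" as users, and runs on a constructed sample.

```python
import json

# Constructed sample in the shared_folder_membership.json layout described on
# this page. Names, UIDs and addresses are made up for the example.
SAMPLE = """
{
  "teams": [
    {"name": "AWS Team", "uid": "TEAM-UID-1",
     "members": ["alice@example.com", "bob@example.com"]}
  ],
  "shared_folders": [
    {"path": "Amazon AWS", "uid": "FOLDER-UID-1",
     "manage_users": true, "manage_records": true,
     "can_edit": true, "can_share": true,
     "permissions": [
       {"name": "AWS Team", "uid": "TEAM-UID-1",
        "manage_users": true, "manage_records": true}
     ]},
    {"path": "PR Social ", "uid": "FOLDER-UID-2",
     "manage_users": false, "manage_records": false,
     "can_edit": false, "can_share": false,
     "permissions": [
       {"name": "Old Team", "uid": "TEAM-UID-9",
        "manage_users": false, "manage_records": false},
       {"name": "carol@example.com",
        "manage_users": true, "manage_records": true}
     ]}
  ]
}
"""

RIGHTS = ("manage_users", "manage_records")


def audit_membership(doc):
    """Return (grants, findings) for a parsed membership document.

    grants   -- one (folder path, kind, principal, rights) row per permission entry
    findings -- strings describing entries worth a second look before applying
    Assumption: an entry with a "uid" is a team, an entry with only a "name"
    is a user, as in the sample file.
    """
    team_uids = {t.get("uid") for t in doc.get("teams", [])}
    grants, findings = [], []
    for folder in doc.get("shared_folders", []):
        path = folder.get("path", "")
        if path != path.strip():
            findings.append(f"{path!r}: path has leading or trailing whitespace")
        for perm in folder.get("permissions", []):
            uid = perm.get("uid")
            kind = "team" if uid else "user"
            principal = perm.get("name") or uid or "<unnamed>"
            held = tuple(r for r in RIGHTS if perm.get(r) is True)
            grants.append((path, kind, principal, held))
            # A team entry that the "teams" section does not define.
            if uid and uid not in team_uids:
                findings.append(
                    f"{path!r}: team {principal!r} is not defined under 'teams'")
            # An entry that holds a right the folder-level default leaves off.
            above_default = [r for r in held if folder.get(r) is not True]
            if above_default:
                findings.append(
                    f"{path!r}: {kind} {principal!r} is granted "
                    f"{', '.join(above_default)} while the folder default is off")
    return grants, findings


def effective_holders(doc, right="manage_users"):
    """Expand team entries to members: {folder path: sorted users holding `right`}."""
    members = {t.get("uid"): t.get("members", []) for t in doc.get("teams", [])}
    result = {}
    for folder in doc.get("shared_folders", []):
        users = set()
        for perm in folder.get("permissions", []):
            if perm.get(right) is not True:
                continue
            if perm.get("uid"):
                users.update(members.get(perm["uid"], []))
            elif perm.get("name"):
                users.add(perm["name"])
        result[folder.get("path", "")] = sorted(users)
    return result


if __name__ == "__main__":
    doc = json.loads(SAMPLE)
    grants, findings = audit_membership(doc)
    for path, kind, principal, held in grants:
        print(f"{path!r:16} {kind:5} {principal:22} {', '.join(held) or '-'}")
    for line in findings:
        print("REVIEW:", line)
    print(effective_holders(doc))
```

To review a real file, load it with json.load() and pass the result to the same two functions.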

apply-membership command

Command: apply-membership

Detail: Apply shared folder membership changes from a local JSON file. This command is used alongside the download-membership command.

Switches:

--full-sync force full sync of shared folder permissions. Permissions are only added by default

The apply-membership command will look for a JSON file (defaults to shared_folder_membership.json) that contains sharing permissions.

Downloading and applying membership are separate steps so that you can apply the membership changes as new Keeper users or teams are onboarded. The apply-membership command can be run over and over, or whenever a new Keeper user account or team is created. Shared folder membership will be applied to any new corresponding user accounts and teams.

Folders can only be shared to users and teams that exist (because the public key must be used to encrypt the folder keys).

Examples:

or

download-record-types command

Command: download-record-types

Detail: Download custom record types to a JSON file.

Switches:

--source <{keeper, thycotic}> (required)

This command will reach out to the source password vault (either Keeper or Thycotic/Delinea Secret Server), retrieve custom record types (Secret Server calls them secret templates), and then create a local JSON file containing this information. The filename generated locally will be called record_types.json.

This file can then be used for subsequently loading custom record types to Keeper. The record types loading operation is performed by executing the load-record-types command.

--ssh-key-as-file

Thycotic/Delinea Secret Server stores SSH keys as file attachments. Keeper stores SSH keys on a record. If you would like to preserve the Thycotic/Delinea Secret Server behavior (SSH keys imported from Secret Server will be stored as file attachments), use this option.

Examples:

or

load-record-types command

Command: load-record-types

Detail: Load custom record types from a local JSON file into Keeper. This command is used alongside the download-record-types command.

The load-record-types command will look for a JSON file (defaults to record_types.json) that contains custom record types and loads missing record types into Keeper.

Examples:

or

Exporting Records from Keeper

To export records from your vault, use the export command. Supported export formats:

  • JSON

  • CSV

  • Keepass (see additional install instructions)

JSON export files contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions. CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions. Keepass files contain records, file attachments, folders and subfolders.

Keepass Export

You can optionally provide the password for the encrypted Keepass file with the command-line option --keepass-file-password.

This flag only applies when --format=keepass is set. The Master Password is required for Keepass export; if none is provided, you will be asked during export, and your input will be masked.

CyberArk User Portal Import

Migrating CyberArk User Portal Applications and Secured items to Keeper

Keeper Commander will log on to the CyberArk User Portal, retrieve Applications and Secured items, including Password items, and automatically create corresponding login records in Keeper.

Authentication

The import process will prompt for a username, which will be used to start the authentication process with the CyberArk Identity API. If the user is associated with another tenant, it will abort with the correct tenant in the output:

Using the correct tenant name will allow authentication to proceed.

Myki Import

Myki Import

Keeper supports importing the records from a Myki CSV file.

FORMAT options for the import command's --format switch:

json,csv,cyberark,cyberark_portal,keepass,lastpass,myki,nordpass,manageengine,1password,bitwarden,thycotic,proton,dashlane

import command examples 1-10, in the order listed above:

import C:\\records.csv --format csv
import C:\\records.csv --format csv --folder social
import C:\\shared-records.json --format json -s -p A
import C:\\lastpass\\passwords.csv --format lastpass
import --display-csv
import C:\\records.csv --format csv --record-type login
import --format=thycotic https://hostname/SecretServer
import --format=thycotic username@hostname --update --dry-run
import --format=json /path/to/import.json
import --format=json --users /path/to/import.json

export command examples 1-4, in the order listed above:

export my-vault.csv --format csv
export --format json --max-size 10K
export keeper.kdbx --format keepass -kp 9EqfhCqbym-w
export socials.csv --format csv --folder "Socials"

download-membership examples:

download-membership --source=lastpass
apply-membership

download-membership --source=thycotic
apply-membership

download-membership --source=keeper
apply-membership

Sample permission file:

{
  "teams": [
    {
      "name": "AWS Team",
      "uid": "A-XXiApbEBMeqMbfcHMbyQ",
      "members": [
        "[email protected]",
        "[email protected]",
        "[email protected]",
        "[email protected]",
        "[email protected]"
      ]
    },
    {
      "name": "Secrets Managers",
      "uid": "EqLqF_D7qO6zOs_9OxfWiw",
      "members": [
        "[email protected]",
        "[email protected]",
        "[email protected]"
      ]
    },
    {
      "name": "Social Media",
      "uid": "yIKS09TaqxESMwRym4aMkQ",
      "members": [
        "[email protected]",
        "[email protected]",
        "[email protected]",
        "[email protected]"
      ]
    }
  ],
  "shared_folders": [
    {
      "path": "Amazon AWS",
      "uid": "aWaqKbSTaLTmpKlVeusrow",
      "manage_users": true,
      "manage_records": true,
      "can_edit": true,
      "can_share": true,
      "permissions": [
        {
          "name": "AWS Team",
          "manage_users": true,
          "manage_records": true,
          "uid": "A-XXiApbEBMeqMbfcHMbyQ"
        },
        {
          "name": "Secrets Managers",
          "manage_users": true,
          "manage_records": true,
          "uid": "EqLqF_D7qO6zOs_9OxfWiw"
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "PR Social ",
      "uid": "d4iVESSPVvuXBJtlkDzWzg",
      "manage_users": false,
      "manage_records": false,
      "can_edit": false,
      "can_share": false,
      "permissions": [
        {
          "name": "Social Media",
          "manage_users": false,
          "manage_records": false,
          "uid": "yIKS09TaqxESMwRym4aMkQ"
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "Outer Regular Folder\\Inner Shared Folder",
      "uid": "0VBh9NNDm4eyhHqnXI0OeA",
      "manage_users": false,
      "manage_records": false,
      "can_edit": false,
      "can_share": false,
      "permissions": [
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        }
      ]
    }
  ]
}

apply-membership examples:

apply-membership --full-sync
apply-membership my_permission_file.json

download-record-types examples:

download-record-types --ssh-key-as-file
download-record-types my_record_types_file.json

load-record-types examples:

load-record-types
load-record-types my_record_types_file.json

Keepass export examples:

$ keeper export --format=keepass test.kdbx
$ keeper export --format=keepass --keepass-file-password=file_password_here test.kdbx

load-record-types

Load custom record type into Keeper

Myki import command:

$ keeper import --format=myki myki.csv

CyberArk Identity Users

If the user is a CyberArk user, then it will prompt for a password:

The authentication process after that is dynamic, and in most cases will require additional factors or challenges, e.g., an OATH OTP Client code:

The import process will start once all the challenges have been completed successfully.

Federated login (SSO)

If the user is federated, i.e., login uses an identity provider integrated with CyberArk using SAML or OpenID Connect (OIDC), then a CyberArk user with administrative privileges will need to create an OAuth2 Client Application for Keeper Commander in the Identity Administration portal for the import process to work.

Create the CyberArk OAuth2 Client Application

  1. Log in to the CyberArk Identity Administration portal

  2. Click Web Apps under Apps & Widgets on the left menu

  3. Click the Add Web Apps button in the top-right

  4. Click the Add button next to OAuth2 Client, then click the Yes button to confirm

  5. Close the Add Web Apps dialog

  6. Under Application ID, enter KeeperCommander

  7. Under Description>Name, enter Keeper Commander OAuth2 Client

  8. Click General Usage on the left and select Anything under Client ID Type

  9. Click the Add button under Allowed Redirects and add http://localhost:38389

  10. Click Tokens on the left, then uncheck Implicit

  11. Click Scopes on the left, then click the Add button under Authorized Scopes

  12. Enter the name UPData, then click the Add button under Allowed REST APIs

  13. Enter the REST Regex UPRest/Get.*

  14. Click the Save button on the Authorized Scopes dialog

  15. Click Permissions

  16. Click the Add button and use the User, Group, or Role selection dialog to permit the appropriate user(s) access to the application by adding them with the (default) Run and Automatically Deploy permissions

  17. Click the Save button

The Status of the Keeper Commander Application should now show as "Deployed" in green.

If it is not deployed correctly, users will receive an error response after successfully authenticating via the browser, and the import process will be aborted.

Logging in via the browser

The CyberArk Identity API will send a "redirect" when the import process starts authentication with a federated user. This redirect will be followed in the user's local browser to authenticate the user and authorize the OAuth2 Client Application.

After the user authenticates successfully, the import process will use the OAuth2 authorization code that the CyberArk Identity API sends back to request an "access token," at which point the authentication (and authorization) process is complete.

If the user is not permitted to use the Keeper Commander OAuth2 Client application (per step 16 above), they will get an access_denied error response, and the process will be aborted.

Importing Items

The import process will list the Applications and iterate through them to create Keeper login records for each one. It will then do the same with Secured items, which include Passwords. Passwords will import as login records, and secured items will become Secure Notes.

Delinea / Thycotic Secret Server Import

Automatic migration of your Delinea (Thycotic) Secret Server vault

Secret Server Import

This document outlines the process for automatically and seamlessly migrating Secret Server (Delinea/Thycotic) data into Keeper, including private folders, shared folders, permissions, file attachments and TOTP codes. The migration uses the Secret Server API.

Note: A basic import capability is available on the Keeper Web Vault and Desktop App which supports Thycotic XML format. Visit the vault Settings > Import > Thycotic screen. The XML format does not include attachments or permissions. Therefore, we recommend using the automated method as described in this document.

CyberArk User Portal import, tenant correction for a user associated with another tenant:

keeper import --format=cyberark_portal abc1234
CyberArk User Portal username: myusername
Use mytenantname instead of abc1234 for user myusername.

Password prompt for a CyberArk Identity user:

keeper import --format=cyberark_portal mytenantname
CyberArk User Portal username: myusername
CyberArk Identity Portal password: *************

Additional challenge (OATH OTP Client code):

keeper import --format=cyberark_portal mytenantname
CyberArk User Portal username: myusername
CyberArk Identity Portal password: *************
Authentication code from OATH OTP Client: 123456
Authentication successful

Import output for Applications and Secured items:

Importing 2 Applications:
 Application                              Username
---------------------------------------  ----------
My Network Provider | My Account         12345
NotAmazon.com • Login - myusername       myusername

Importing 2 Secured Items:
 Name
---------------
Sample password
Sample note

Import complete

Pre-requisites

In Secret Server admin settings, ensure Webservices are enabled

Settings -> Configuration -> Edit -> Enable Webservices

Adjust Session Timeout

In Secret Server admin settings, ensure that "Session Timeout for Webservices" is set to a high enough value.

Large vaults will take time to process - consider approximately 30 minutes per 1,000 secrets.

Settings -> Application -> Session Timeout for Webservices

Session Timeout

Step 1. Download Team and Shared Folder Structure

Prior to running the above code snippet, make sure to:

  • Verify the base Thycotic URL in your browser

  • The Username is in the correct format:

    • If it's an AD user, the format is DOMAIN\username; otherwise, username

In Keeper Commander, the Keeper/Thycotic Administrator will run the following:

You will then be prompted with the following:

Executing the above code snippet will perform the following 3 functions:

  • Download all Shared Folder information

  • Download Team Membership

  • Download Shared Folder permissions

This step downloads a file locally called "shared_folder_membership.json" which contains the team and shared folder structure. The file location should be under your user folder.

Keeper does not yet support folders within shared folders that have different permissions than the parent.

The download-membership command provides the --sub-folder option to control how these folders are imported.

--sub-folder=ignore preserves folder structure. Folder permissions are ignored.

--sub-folder=flatten folder will be moved to the root folder of the Keeper vault as its own shared folder.

Step 2. Import Shared Folders

Before importing records, we will first create the shared folder structure on the Keeper side. Run the below command:

Step 3. Export TOTP Codes

The TOTP codes stored in Thycotic/Delinea Secret Server can only be retrieved by manually downloading a CSV file. The admin of Secret Server needs to go to Secret Server > Export Secrets and select the following options:

  • Export Type: Export All

  • Export Folder Path: Checked

  • Export TOTP Settings: Checked

  • Export Format: CSV

Export the file and save it to your home folder or the folder where Keeper Commander is running. By default, the file will be called "secrets-export.csv."

Step 4. Import the Secret Server Vault

In Keeper Commander, the Keeper/Thycotic Administrator will run the following command to perform the import of data using the Secret Server API:

This command will take several minutes (or more) to complete, depending on the number of vault records and users. A large Secret Server instance could take 20 minutes or more.

Commander will attempt to build the same folder structure as Secret Server in the admin's Keeper vault.

Commander will also look for the file "secrets-export.csv" in the user's home folder or current Commander folder to import TOTP codes.

Note 1: This command will import and populate regular folders, shared folders and records within the folders. This will NOT import the private folders of other users within Secret Server. This step will only import the information available to the admin.

Note 2: If a Shared Folder is found within another shared folder with different permissions, the shared folder will be moved to the root folder (since Keeper does not support subfolder permissions).

Note 3: Commander may not be able to import secrets with certain security policies applied. For instance, if a secret has the require comment security policy applied (directly or by inheritance), Commander will not be able to import it.

Step 5. Applying Memberships

Note: All Thycotic teams must exist in Keeper with exact matching names before execution. This way, existing users will be applied to the corresponding teams. You can create missing teams through:

  • Keeper Admin Console (Teams > Create New Team)

  • Commander's create-team command

In Keeper Commander, the Keeper/Thycotic Administrator will run the following:

This will read the file called "shared_folder_membership.json" from Step 1 and apply the shared folder permissions for any users and teams in the Keeper enterprise environment. This command is safe to run repeatedly and will not generate duplicates.

Explanation: When users are invited/created through SSO or your invitation process, their public keys are created. Therefore, Keeper cannot apply membership until the users exist.

For this reason, the Keeper Admin must run the "apply-membership" command daily, hourly, or on demand when users are created in Keeper.

Step 6. End-Users are invited to Keeper

The Keeper Admin will invite users through one of the following methods:

  • Just-in-time provisioning through SSO login

  • Invite through the Admin Console

  • SCIM

When the user registers to create their vault, they will generate a public/private key pair. At this point, they will be able to receive shared folders, as outlined in the next step.

Receiving Shared Folders

The next time that the Admin runs the apply-membership command, any new Keeper users will receive access to their Shared Folders.

Due to the number of steps, we recommend performing a pilot test with a few users before rolling out to the entire organization.

If you have any questions, please email [email protected].

Proton Pass Import

Automatic Migration of your Proton Pass Vault

Overview

This document outlines the steps required to seamlessly migrate your Proton Pass Vault data into Keeper.

Export your Proton Pass Data as a JSON File

By default, Proton Pass exports your data as a JSON File. Exporting on Proton Pass is only supported on the Proton Pass Browser Extension.

To export on Proton Pass:

  1. Navigate to settings on your Proton Pass Browser Extension

  2. Click on the Export tab and select Export.

This will export a zip file that contains the JSON file. Keeper Commander gives you the option of providing either the zip file or the JSON file as input.

Import your Proton Pass Data into Keeper

On Keeper Commander and with the exported zip file, executing the following command will import your Proton Pass Data:

Secret Server Step 1 command and prompts:

download-membership --source=thycotic
...     Thycotic Host or URL: https://xyz.acme.com/secretserver
...     Thycotic Username: acme.com\user

Secret Server Step 2 command:

import --format=json shared_folder_membership.json

Secret Server Step 4 command:

import --format=thycotic https://your-secret-server-hostname
or
import --format=thycotic username@your-secret-server-hostname

Secret Server Step 5 command:

apply-membership

Proton Pass import command:

import --format=proton ProtonPass.zip

JSON Import

Automatic migration of passwords and PAM Resources from a JSON file

JSON Record Import

JSON import files can contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions. JSON can also be used to structure KeeperPAM resources.

Below is a JSON import file with 2 records. The first record is added to a folder called "My Websites\\Online". The second record is added to "Social Media" and also added to a shared folder called "Shared Social".

The import file example below is an array of record objects which can import into private folders and shared folders. Note in the example that the Facebook record contains a TOTP seed which will render on the Vault user interface and Commander CLI.

Another example below first creates shared folders that are shared to users and teams, then imports records into the shared folders. The format of the file is slightly different and allows you to separate the creation of shared folder objects and records:

The format must be strict JSON or it will fail parsing. To import this file:

To apply the suggested user and team permissions, run the command a second time using the --users flag:

The --users flag applies permissions similar to the apply-membership command. You can execute the command with the --users flag repeatedly.
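The strict-JSON requirement interacts with the backslash folder separator: a single backslash either breaks parsing (\O is not a valid escape) or parses silently into a control character (\t, \n). The pre-import check below is an added example, not Keeper Commander's own code; it assumes the "records", "folders" and "$oneTimeCode" field names from the examples described here, runs on a constructed file, and is stricter than Python's default parser in that it also rejects duplicate keys and NaN/Infinity.

```python
import base64
import binascii
import json
from urllib.parse import urlparse, parse_qs

# Constructed import file (raw string, so backslashes reach the JSON parser
# exactly as typed). Record 2's folder path has a single backslash before "t".
SAMPLE = r"""
{
  "records": [
    {"title": "Google",
     "folders": [{"folder": "My Websites\\Online"}],
     "login": "testing", "password": "constructed-value"},
    {"title": "Build host",
     "folders": [{"folder": "Team\tools"}],
     "login": "ci", "password": "constructed-value",
     "custom_fields": {
       "$oneTimeCode": "otpauth://totp/Example:ci?secret=NOT*BASE32&digits=6&period=30"}}
  ]
}
"""


def _strict_object(pairs):
    """object_pairs_hook that rejects duplicate keys instead of keeping the last."""
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate key(s) {dupes}")
    return dict(pairs)


def _reject_constant(name):
    """parse_constant hook: NaN and Infinity are not part of strict JSON."""
    raise ValueError(f"{name} is not valid JSON")


def check_totp_uri(uri):
    """Return a problem string for a malformed otpauth URI, or None if it looks sane."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        return "is not an otpauth://totp/ URI"
    query = parse_qs(parts.query)
    secret = query.get("secret", [""])[0]
    if not secret:
        return "has no secret"
    try:
        # TOTP secrets are base32, usually written without '=' padding.
        base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    except (binascii.Error, ValueError):
        return "secret is not base32"
    for key in ("digits", "period"):
        if key in query and not query[key][0].isdigit():
            return f"{key} is not a number"
    return None


def lint_import(text):
    """Return a list of problems found in a JSON import file (empty list = clean)."""
    try:
        doc = json.loads(text, object_pairs_hook=_strict_object,
                         parse_constant=_reject_constant)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return [f"not strict JSON: {exc}"]
    if not isinstance(doc, dict):
        return ['top level must be an object with a "records" array']
    problems = []
    for idx, rec in enumerate(doc.get("records", []), start=1):
        label = f"record {idx} ({rec.get('title', '<no title>')})"
        for entry in rec.get("folders", []):
            path = entry.get("folder") or entry.get("shared_folder") or ""
            if any(ord(ch) < 0x20 for ch in path):
                problems.append(
                    f"{label}: folder path {path!r} contains a control character; "
                    "a backslash separator was probably not doubled")
        otp = (rec.get("custom_fields") or {}).get("$oneTimeCode")
        if otp:
            issue = check_totp_uri(otp)
            if issue:
                problems.append(f"{label}: $oneTimeCode {issue}")
    return problems


if __name__ == "__main__":
    for problem in lint_import(SAMPLE):
        print(problem)
```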

There are more complex import file examples that support shared folders, folder permissions, user permissions and team permissions located in the sample_data/ folder. To import the sample JSON file into your vault, type this command:

  • Example 1: import.json.txt

  • Example 2: import_records_existing_folders.json.txt

  • Example 3: import_records_into_folders.json.txt

  • Example 4: import_shared_folders.json.txt

  • Example 5: import_shared_folders_and_records.json.txt

The sample file contains "permissions" objects that contain email addresses or team names. If the email or team name exists in your Keeper enterprise account, it will be added to the shared folder; otherwise the information is ignored.

JSON PAM Resource Import

Keeper Commander's pam project import feature helps customers automate the creation of PAM resources: folders, gateways, machines, users, connections, tunnels and (optionally) rotations.

See: pam project import command.

Import JSON Documentation

  • A step-by-step guide to importing Windows Servers as PAM Resources from a basic list of server hostnames can be found at this page: Importing PAM Resources

  • A more detailed specification for "pam project import" templates can be found at this GitHub README Page

  • If you require assistance, contact the Commander team ([email protected]).

JSON import file with 2 records (first example under JSON Record Import):

{
  "records": [{
    "title":"Google",
    "folders": [
      {
        "folder": "My Websites\\Online"
      }
    ],
    "login": "testing",
    "password": "lk4j139sk4j",
    "login_url": "https://google.com",
    "notes": "These are some notes.",
    "custom_fields": {"Favorite Food":"Cheetos"}
  },
  {
    "title":"Facebook",
    "folders": [
      {
        "folder": "Social Media"
      },
      {
        "shared_folder": "Shared Social",
        "can_edit": false,
        "can_share": false
      }
    ],
    "login": "[email protected]",
    "password": "123123123123",
    "login_url": "https://facebook.com",
    "notes": "This is our corporate shared record.",
    "custom_fields": {
      "Facebook Application ID":"ABC12345",
      "$oneTimeCode": "otpauth://totp/Amazon:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Amazon&algorithm=SHA1&digits=6&period=30"}
  }]
}

Example import file that creates shared folders first, then imports records into them:
{
  "shared_folders": [
    {
      "path": "My Customer 1",
      "manage_users": true,
      "manage_records": true,
      "can_edit": true,
      "can_share": true,
      "permissions": [
        {
          "uid": "kVM96KGEoGxhskZoSTd_jw",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "Testing\\My Customer 2",
      "manage_users": true,
      "manage_records": true,
      "can_edit": true,
      "can_share": true,
      "permissions": [
        {
          "uid": "ih1CggiQ-3ENXcn4G0sl-g",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "[email protected]",
          "manage_users": true,
          "manage_records": true
        }
      ]
    }
  ],
  "records": [
    {
      "title": "Bank Account 1",
      "login": "customer1234",
      "password": "4813fJDHF4239fdk",
      "login_url": "https://chase.com",
      "notes": "These are some notes.",
      "custom_fields": {
        "Account Number": "123-456-789"
      },
      "folders": [
        {
          "folder": "Optional Private Folder 1"
        }
      ]
    },
    {
      "title": "Bank Account 2",
      "login": "mybankusername",
      "password": "w4k4k193f$^&@#*%2",
      "login_url": "https://amex.com",
      "notes": "Some great information here.",
      "custom_fields": {
        "Security Group": "Public",
        "IP Address": "12.45.67.8"
      },
      "folders": [
        {
          "folder": "Optional Private Folder 1"
        },
        {
          "shared_folder": "My Customer 1",
          "can_edit": true,
          "can_share": true
        }
      ]
    }
  ]
}
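
To import this file:
import --format=json import.json

To apply the suggested user and team permissions (second run):
import --format=json --users import.json

To import the sample JSON file from the sample_data/ folder:
import --format=json sample_data/import.json.txt
import --format=json --users sample_data/import.json.txt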
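
A JSON import file carries plaintext passwords, TOTP seeds and sharing grants, so it is worth reviewing before running import, and again before --users. The following is an added example, not Keeper's code: it parses the file as strict JSON (also rejecting duplicate keys and NaN/Infinity, which Python's json module accepts by default) and lists the grants and seeds the file would introduce. SAMPLE, load_strict and review are hypothetical names, and flagging a record whose shared_folder matches no "path" defined in the same file is this example's own assumption about what deserves a second look.

```python
import json

# Constructed sample in the page's "shared_folders" + "records" layout (values made up).
SAMPLE = r'''{
  "shared_folders": [
    {"path": "Testing\\My Customer 2", "manage_users": true, "manage_records": true,
     "permissions": [
       {"name": "alice@example.com", "manage_users": true, "manage_records": false},
       {"name": "Helpdesk Team", "manage_users": false, "manage_records": false}]}],
  "records": [
    {"title": "Bank Account 2", "login": "user", "password": "constructed-value",
     "custom_fields": {"$oneTimeCode": "otpauth://totp/?secret=JBSWY3DPEHPK3PXP"},
     "folders": [
       {"folder": "Optional Private Folder 1"},
       {"shared_folder": "My Customer 2", "can_edit": true, "can_share": false}]}]
}'''

def _reject_duplicates(pairs):
    """object_pairs_hook: plain json.loads silently keeps the last duplicate key."""
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate keys: {dupes}")
    return dict(pairs)

def _reject_constant(name):
    raise ValueError(f"non-standard JSON constant: {name}")

def load_strict(text):
    """Parse the import file, refusing input that strict JSON does not allow."""
    return json.loads(text, object_pairs_hook=_reject_duplicates,
                      parse_constant=_reject_constant)

def review(doc):
    """Return (kind, subject, detail) tuples to read before importing."""
    findings = []
    defined = {sf["path"] for sf in doc.get("shared_folders", [])}
    for sf in doc.get("shared_folders", []):
        for perm in sf.get("permissions", []):
            who = perm.get("name") or perm.get("uid")
            granted = [k for k in ("manage_users", "manage_records") if perm.get(k)]
            if granted:
                findings.append(("folder-grant", sf["path"], (who, granted)))
    for rec in doc.get("records", []):
        if "$oneTimeCode" in rec.get("custom_fields", {}):
            findings.append(("totp-seed", rec["title"], None))
        for ref in rec.get("folders", []):
            name = ref.get("shared_folder")
            if name and defined and name not in defined:
                findings.append(("undefined-shared-folder", rec["title"], name))
            flags = [k for k in ("can_edit", "can_share") if name and ref.get(k)]
            if flags:
                findings.append(("record-grant", rec["title"], (name, flags)))
    return findings

if __name__ == "__main__":
    for finding in review(load_strict(SAMPLE)):
        print(finding)
```

In the constructed sample the record points at "My Customer 2" while the folder is defined as "Testing\My Customer 2", which is the kind of path mismatch the review surfaces.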

CSV Import

Automatic migration of passwords from a CSV file

Commander CSV Record Import

Keeper Commander supports .csv text file import using comma separated values. CSV import files can contain data for certain fields, folders, subfolders, shared folders and default shared folder permissions.

Use the order of fields shown below, with commas separating each value (and no spaces around the commas). Not all fields are required; some can be left blank.

Position | Column | Value | Description / Format
--- | --- | --- | ---
1 | A | Folder | FolderName\Subfolder (optional)
2 | B | Title | Name of the record (required)
3 | C | Login (Username) | sampleuser
4 | D | Password | samplepassword
5 | E | Website Address (URL) | domain.com/login
6 | F | Notes | notes about this account (optional)
7 | G | Shared Folder Name | SharedFolderName (optional)
8 | H | Custom Field 1 Name | $oneTimeCode
9 | I | Custom Field 1 Value | otpauth://totp/?secret=ABC123ABC123ABC123ABC123ABC123
10 | J | Custom Field 2 Name | $type
11 | K | Custom Field 2 Value | login

Custom fields begin with the name in the 8th field (column H). The custom field value goes in the next field (column I).

  • To specify subfolders, use backslash "\" between folder names

  • To set shared folder permission on the record, use the #edit or #reshare tags as seen below

  • Enclose fields in quotes for multi-line or special characters

  • Ensure files are UTF-8 encoded for support of international or double-byte characters

Below is an example CSV file that showcases several import features including personal folders, shared folders, subfolders, special characters and multi-line fields.

myimport.csv
Folder,Title,Login,Password,Website Address,Notes,Shared Folder,Custom Field1 Name,Custom Field1 Value,Custom Field2 Name,Custom Field2 Value
Business,Twitter,[email protected],password,https://twitter.com,Some interesting notes!,,API Key,"131939-AAAEKJLE-491231$##%!",Date Created,2018-04-02
Subfolder1,Twitter,[email protected],xwVnk0hfJmd2M$2l4shGF#p,https://twitter.com,,Social Media\Customer1#edit#reshare
Subfolder2,Facebook,[email protected],TycWyxodkQw4IrX9VFxj8F8,https://facebook.com,,Social Media\Customer2#edit#reshare
,Google Dev Account,[email protected],"8123,9fKJRefa$!@#4912fkk!--3",https://accounts.google.com,"Google Cloud ID 448812771239122
Account Number 449128
This is multi-line",Shared Accounts#edit#reshare,2FA Phone Number,+19165551212

To import this file as "login" records:

keeper import --format=csv --login-type test.csv

The resulting vault will look like this:

CSV Import Sample

Here is a list of some record types (you may have more if you have custom record types, or less if you are restricting some record types):

Record types can be listed as a custom field value when the custom field name is $type

Below is a list of all possible field types (including custom fields). You can use these as custom field names such as $oneTimeCode as shown below.

Column | Sample value
--- | ---
Folder | Folder1\subfolder
Title | My Login Account
Login | [email protected]
Password | liu.W241Q<q$RGl9r;N1
Website Address | www.google.com
Notes | main google account
Shared Folder | TeamFolder
Custom Field1 Name | $oneTimeCode
Custom Field1 Value | otpauth://totp/?secret=ABC123ABC123ABC123ABC123ABC123
Custom Field2 Name | $type
Custom Field2 Value | login
Custom Field3 Name | $host
Custom Field3 Value | 10.0.0.1
Custom Field4 Name | $url
Custom Field4 Value | www.example.com

All Field Types that can be used as Custom Field Name $oneTimeCode

More advanced import options are available using the JSON Import format described in the next section.
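
The column layout and the #edit / #reshare tags described above can be checked before import. The following is an added example, not part of Keeper Commander: it reads a CSV in the page's column order, separates the share tags from the shared folder name, pairs up custom fields from column H onward, and reports rows that would grant edit or reshare rights or that carry a malformed $oneTimeCode. SAMPLE, parse_rows and share_grants are hypothetical names; skipping a header line and requiring a base32 secret in the otpauth URI are this example's own checks.

```python
import csv
import io
import re
from urllib.parse import urlsplit, parse_qs

# Constructed rows in the page's column order (A-G fixed, custom pairs from H).
SAMPLE = '''Folder,Title,Login,Password,Website Address,Notes,Shared Folder
Business,Twitter,user1,constructed-pw,https://twitter.com,"line one
line two",Social Media\\Customer1#edit#reshare,$type,login
,Bank,user2,"pw,with,commas",https://example.com,,Finance#edit,$oneTimeCode,otpauth://totp/?secret=NOT*BASE32
,,user3,pw3,,,,API Key
'''

FIXED = ("folder", "title", "login", "password", "url", "notes", "shared_folder")
BASE32 = re.compile(r"^[A-Z2-7]+=*$")

def parse_rows(text):
    """Yield one dict per record: fixed fields, share flags, custom fields, issues."""
    for row in csv.reader(io.StringIO(text, newline="")):
        if not row or row[:2] == ["Folder", "Title"]:   # blank line or header line
            continue
        rec = dict(zip(FIXED, row + [""] * len(FIXED)))
        shared, *tags = rec["shared_folder"].split("#")
        rec.update(shared_folder=shared, can_edit="edit" in tags,
                   can_share="reshare" in tags, issues=[])
        extra = row[len(FIXED):]                        # name, value, name, value, ...
        rec["custom"] = dict(zip(extra[0::2], extra[1::2]))
        if len(extra) % 2:
            rec["issues"].append("custom field name without a value")
        if not rec["title"]:
            rec["issues"].append("missing title")
        otp = rec["custom"].get("$oneTimeCode")
        if otp is not None:
            parts = urlsplit(otp)
            secret = parse_qs(parts.query).get("secret", [""])[0]
            if parts.scheme != "otpauth" or not BASE32.match(secret.upper()):
                rec["issues"].append("$oneTimeCode is not an otpauth URI with a base32 secret")
        yield rec

def share_grants(text):
    """Rows that place a record in a shared folder with edit or reshare rights."""
    return [(r["title"], r["shared_folder"], r["can_edit"], r["can_share"])
            for r in parse_rows(text)
            if r["shared_folder"] and (r["can_edit"] or r["can_share"])]

if __name__ == "__main__":
    for rec in parse_rows(SAMPLE):
        print(rec["title"] or "<no title>", rec["issues"])
    print(share_grants(SAMPLE))
```

The page's placeholder seed (ABC123...) is flagged by this check as well, because the digit 1 is outside the base32 alphabet.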

LastPass Data Import

Automatic migration of your LastPass vault and shared folders

Overview

This document outlines the process for automatically and seamlessly migrating LastPass data into Keeper. Keeper supports automatic import of your LastPass vault with Master Password and MFA. Keeper also supports federated logins to LastPass from Okta/Azure/Google, and this is explained in detail below.

LastPass > Keeper Transfer Supported Data:

  • Transfer of Passwords

  • Transfer of Folders

  • Transfer of Shared Folders

  • Transfer of Shared Folder permissions (users and teams)

  • Transfer of custom fields, TOTP seeds

  • Transfer of File Attachments

    Summary of Steps

    The steps we recommend for importing an entire organization from LastPass to Keeper are the following:

    1. Admin downloads the membership of the Shared Folders data to a JSON file

    2. Admin imports their shared folders and non-shared passwords

    3. Admin applies shared folder membership (includes permissions) for users who already exist in Keeper

    4. End-users migrate their vaults over using the Keeper Desktop application.

    5. Admins continue to periodically apply membership as more users join Keeper

    Note: Federated logins with SSO from Okta/Azure/Google are supported from the Keeper Desktop Application for the end-users to transfer their vaults. Keeper Commander CLI is used by the administrator and does not support federated login. Please use a LastPass admin account with a Master Password login for performing steps 1-3.

    Step 1. Download Team and Shared Folder Membership

    In Keeper Commander, the Keeper/LastPass Administrator will run the following:

    This will perform the following 3 functions:

    • Download all Shared Folder information

    • Download Shared Folder permissions

    This step downloads a file locally called "shared_folder_membership.json" which contains the shared folder structure. The location of this file on Windows is typically C:\Users\username\shared_folder_membership.json. On Linux/Mac, it will be in the location where you run Commander.

    The download-membership command basically produces a local file containing the share relationships. You can simply edit this file in a text editor and make any permission changes needed before proceeding to the next step.

    Step 2. Import Shared Folders

    In Keeper Commander, the Admin will run the following command to perform the import of shared folders and data.

    The first time the import command is run, you may get the following notice that LastPass wants to verify the device from which you are connecting.

    Check the email address associated with your LastPass account and click "verify" to allow Keeper to access the records in your LastPass account.

    The import command will migrate and populate regular folders, shared folders and records within the folders. This will NOT import the private folders of other users within LastPass. This step will only import the information available to the admin.

    End-users will migrate their private LastPass data by using the Keeper Desktop automated import method. See this page for the end-user documentation.

    Record Type Mapping

    Typed LastPass items are automatically imported as Keeper records with corresponding record types if your Enterprise environment has Record Types activated.

    See the LastPass Item Type and corresponding Keeper Record Type in the table below.

    LastPass Item Type | Keeper Record Type
    --- | ---
    Bank Account | Bank Account
    Credit Card | Bank Card
    Address | Address
    Driver's License | Driver's License
    Passport | Passport

    See Record Types for more information about Keeper Record Types

    Share Permissions

    If a folder is shared with another user or team in LastPass, the import will apply the same sharing permissions to Keeper teams with the same name, and Keeper users with the same email address.

    Shared folder permissions can be re-applied and applied if a new Keeper user or team is added after the initial import.

    Step 3. Apply Shared Folder and Team Memberships

    To assign Share Permissions to your imported passwords from LastPass, use the apply-membership command:

    This will read the file called "shared_folder_membership.json" from Step 1 and apply the shared folder permissions for any users and teams that exist in the Keeper enterprise environment. This command is safe to run over and over again, and it will not generate duplicates.

    Explanation: When users are invited/created through SSO or your invitation process, their public keys are created. Therefore, Keeper cannot apply membership until the users exist.

    For this reason, the Keeper Admin needs to run the "apply-membership" command on a daily basis, hourly, or on demand, when users are created in Keeper.

    If you would like to be notified as soon as users migrate to Keeper, use the Advanced Reporting & Alerts module in the Keeper Admin Console to set up an Alert when a user has been created.

    Step 4. End-Users migrate with Keeper Desktop

    The Keeper Admin will invite users through one of the following methods:

    • Just-in-time provisioning through SSO login

    • Invite through the Admin Console

    • SCIM

    When the user registers to create their vault, they will generate a public/private key pair. At this point, they will be able to receive shared folders, as outlined in the next step.

    For transferring the user's LastPass private folders and records, we recommend directing the user to install the Keeper Desktop application.

    Here's the link to the public / latest version:

    To automatically deploy Keeper Desktop to your users through group policy, see:

    Receiving Shared Folders

    Once users create their Keeper vaults, they can then be added to a team and/or a folder. The next time that the Admin runs the apply-membership command, any new Keeper users will receive access to their Shared Folders.

    You can run apply-membership repeatedly as more users are onboarded to Keeper. It will apply the memberships to users that exist in Keeper.

    Due to the number of steps, we recommend performing a pilot test with a few users before rolling out to the entire organization.

    If you have any questions please contact your Keeper sales engineer or email [email protected].

    Advanced Features

    Transforming Email Domains for Sharing

    If your LastPass email domain has changed and you would like to transition to a new email domain when transferring share permissions, you can use the --old-domain and --new-domain optional parameters. Example below:

    Override Imported Shared Folder Permissions

    The LastPass download-membership applies the shared folder permissions from LastPass users to your Keeper shared folders, but the permission settings can be overridden during membership download.

    To override the "manage records" and "manage users" permissions for all users on all imported shared folders, use the --permissions or --restrictions options.

    --permissions allows the permission(s) for all users on all imported shared folders.

    --restrictions denies the permission(s) for all users on all imported shared folders.

    To set "manage records" pass r, for "manage users" pass u, and for both use ru.

    Import Top Level Folders as Shared Folders

    You can optionally make all top level folders shared folders with specified permissions by passing the --shared and --permissions=<PERMISSIONS> flags.

    The available permissions options are:

    • U - manage users permission granted

    • R - manage records permission granted

    • E - edit records permission granted

    • S - share permission granted

    • A - all permissions granted

    • N - no permissions granted

    Use the letters corresponding to the permissions you want to grant with no spaces or characters in between.

    Attachment Files Cache

    Attachment files can be cached during import so that they do not have to be redownloaded if another import is performed.

    To run the import with a file cache, add the --file-cache <DIR> flag. Specify a directory to use as the cache.

    To use the cache on a subsequent import, apply the --file-cache flag with the same directory.

    Cached attachment files are encrypted

    Record Size Limit

    Keeper records have a size limit of 5MB (excluding attachments). If a record from LastPass is larger than this limit, fields will be converted to a text file, starting with the largest field, until the record is smaller than the limit.

    Created attachments are named in the following format:

    <title of field>_<type of field>_field.txt

    For example a "notes" field titled "Instructions" would be converted to an attachment titled:

    Instructions_notes_field.txt

    Import to a Specified Folder

    The contents of your LastPass vault can be imported into a specified folder in your Keeper vault. To do this, use the --folder option.

    Import from a Specified LastPass Folder

    You can limit the import of your LastPass vault to a specific folder in LastPass by using the --filter-folder option. This filters the data from LastPass to ONLY the specific folder on the LastPass side.

    Locating Duplicates

    If you believe there may be duplicate records in your vault after import, you can use the find-duplicate feature in Commander to locate them.

    For example, to locate duplicates based on title, login and password:

    From the output of this report, you can gather a list of record UIDs to delete with the "rm" command.

    Changing Record Permissions

    By default, records are imported into Shared Folders with "Can View" permission. This means that the record is only editable by the owner of the record, and any share admins that have been added to the folder.

    To change the permissions of records inside a shared folder (after the import is complete), you can use the record-permission command. For example:

    Step 1 (download team and shared folder membership):
    download-membership --source=lastpass

    Step 2 (import shared folders):
    import --format=lastpass [email protected]

    Device verification notice shown the first time the import command is run:
    Try again OR look for an email from LastPass to verify it's you.

    Step 3 (apply shared folder and team memberships):
    apply-membership

    Transforming email domains for sharing (example):
    download-membership --source=lastpass --old-domain=acme-old.com --new-domain=acme-demo.com [email protected]

    Override imported shared folder permissions:
    // override enable manage records permission
    download-membership --source=lastpass --permissions=r

    // override disable manage users permission
    download-membership --source=lastpass --restrictions=u

    // override enable manage records and manage users permissions
    download-membership --source=lastpass --permissions=ru

    Import top level folders as shared folders (example):
    import --format=lastpass --shared --permissions=URES [email protected]

    Attachment files cache (example):
    import --format=lastpass --file-cache tmpDir

    Import to a specified folder (example):
    import --format lastpass --folder="A Keeper Folder" [email protected]

    Import from a specified LastPass folder (example):
    import --format lastpass --filter-folder="Some Folder In LastPass" [email protected]

    Locating duplicates:
    find-duplicate --title --login --password

    Changing record permissions:
    record-permission -a grant --can-edit --recursive <folder name or UID>

    Record Type Mapping (continued)

    LastPass Item Type | Keeper Record Type
    --- | ---
    Social Security | SSN Card
    Health Insurance | Health Insurance
    Insurance | Health Insurance
    Membership | Membership
    Email Account | Login
    Instant Messenger | Login
    Database | Database Credentials
    Server | Server Credentials
    SSH Key | SSH Keys
    Software License | Software License

    Desktop Applications | Enterprise Guide | Keeper Documentation (docs.keeper.io)
    Download Keeper Password Manager for iOS, Android, Mac, PC and more (Keeper® Password Manager & Digital Vault)