Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Technical details on the KeeperPAM platform architecture
KeeperPAM is a Zero-Knowledge platform, ensuring that encryption and decryption of secrets, connections, and tunnels occur locally on the end user's device through the Keeper Vault application. Access to resources in the vault is restricted to users with explicitly assigned permissions, enabling them to establish sessions or tunnels securely.
Keeper's zero-trust connection technology further enhances security by providing restricted and monitored access to target systems without direct connectivity, while never exposing underlying credentials or secrets.
This security content will cover the key areas of KeeperPAM:
Installation and setup of the Keeper Gateway
The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute rotation, discovery, connection and tunneling. A single Gateway can be used to communicate with any target infrastructure, both on-prem and cloud. Typically, customers deploy a Keeper Gateway in each environment that is being managed.
The Keeper Gateway offers different feature capabilities based on the underlying operating system and hardware. We recommend using Docker on a Linux or Windows host with x86 CPUs for full feature support and ease of management.
Note: EL9 which includes Rocky Linux 9 and RHEL 9 support is coming soon.
For optimal performance, we recommend a minimum of 2 CPUs, 2GB of RAM, and 500MB of disk space for any Keeper Gateway device. However, actual system requirements vary based on the number of simultaneous user sessions and the types of connections being established. As the volume of simultaneous connections grows, scaling CPU and memory resources becomes essential. In particular, remote browser isolation (RBI) launches a headless Chromium instance for each session. If you anticipate a high number of RBI sessions, ensure the system is scaled to meet these demands.
The Gateway only establishes outbound-only connections to the Keeper cloud over TLS port 443, and communicates to target infrastructure through native protocols (SSH, RDP, etc).
The Gateway preserves zero knowledge by performing all encryption and decryption of data locally. Keeper Secrets Manager APIs are used to communicate with the Keeper cloud.
The Keeper Gateway generates encryption keys and a local Secrets Manager configuration that is used to authenticate with the Keeper cloud. The location depends on the context in which the Gateway is being run. It can be installed to the local user or installed as a service.
Click on Secrets Manager on the left side
Create a new Secrets Manager Application or select existing application
Click on the "Gateways" tab and click "Provision Gateway"
Select Docker, Linux or Windows install method
Install the Keeper Gateway using the provided method
During the creating of a Keeper Gateway using a one-time token method for Linux and Windows, you have the choice to select "Lock external WAN IP Address of device for initial request". This will additionally IP lock the Gateway in addition to the authentication and encryption built into the service.
Based on your Operating System, refer to the corresponding guide on installing the Keeper Gateway:
Setting up a basic Remote Browser Isolation record for protecting web-based applications
KeeperPAM remote browser records ensure safe access to internal and cloud apps via a protected browser inside the vault. This browser is shown from the Keeper Gateway to the Keeper Vault, isolating the session for zero-trust access.
This quick guide extends the sandbox that you created in the Quick Start Wizard to add a remote browser isolation resource in the vault.
Below are screenshots of the Remote Browser Isolation setup from start to finish.