Quickly and easily get started with a pre-configured PAM setup in your vault
To learn some KeeperPAM basics, we have created a wizard that is integrated into the Vault Preview. If you select the Docker install method, this wizard will create all the necessary vault records, configurations and a customized Docker Compose file for quickly standing up a sandbox environment in less than 3 minutes.
Log in to the Keeper Vault Preview version. If the policies are active, you'll see a Secrets Manager tab on the left side.
Click on Create New > Gateway
Enter a name for the project, such as "My Infrastructure Demo"
Select Docker for the gateway
Select "Create with example records"
Click Next
After the wizard is finished, immediately download the provided docker-compose.yml and docker-seccomp.json files.
Set up a VM which supports Docker. It can be a Linux instance or Windows running Docker Desktop. The instance can exist anywhere, even on your local computer.
If necessary, install Docker per the Docker installation instructions.
Transfer the Docker Compose and Seccomp files from Step 2 to the VM.
Run docker compose up -d from the folder where the files are saved. You may need to use a dash, e.g. docker-compose up -d, depending on the VM.
You can now instantly connect to any of the resources by clicking "Launch" from the record detail view.
The MySQL account, SSH password and SSH key can be rotated by clicking "Rotate" from the record detail within the Users folder.
Note: Remote Browser Isolation won't work on some ARM processors
The wizard will create the following in your vault:
A folder containing Resources and Users in separate shared folders
A MySQL database
A Linux machine with VNC connection to the desktop UI
A Linux machine with SSH connection using an SSH Key
A Linux machine with SSH connection using a password
A Linux machine with RDP connection to the desktop UI
A Remote Browser Isolation session to bing.com
A Secrets Manager Application and PAM Configuration with all PAM features enabled
A Keeper Gateway ready to initialize
We've created a helpful Keeper 101 video to set up your sandbox environment:
Below are screenshots of the Quick Start Wizard from start to finish.
Technical details on the KeeperPAM platform architecture
KeeperPAM is a Zero-Knowledge platform, ensuring that encryption and decryption of secrets, connections, and tunnels occur locally on the end user's device through the Keeper Vault application. Access to resources in the vault is restricted to users with explicitly assigned permissions, enabling them to establish sessions or tunnels securely.
Keeper's zero-trust connection technology further enhances security by providing restricted and monitored access to target systems without direct connectivity, while never exposing underlying credentials or secrets.
This security content will cover the key areas of KeeperPAM:
Getting Started with KeeperPAM fundamentals
KeeperPAM is a modern, cloud-based Privileged Access Manager
KeeperPAM is a next-gen privileged access management solution that secures and manages access to critical resources, including servers, web apps, databases and workloads.
KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and a cloud-based access control plane in one unified product.
To learn more about KeeperPAM or sign up for a trial:
This documentation is broken out into 3 sections:
Additional documentation on the Keeper platform can be found here:
KeeperPAM is a cloud-native privileged access solution that requires only a lightweight gateway installation, while Keeper Connection Manager (KCM) is a fully self-hosted solution.
KeeperPAM works through outbound-only connections with zero-knowledge encryption, eliminating the need for inbound firewall rules or direct line-of-sight to resources. In contrast, KCM is fully hosted by the customer with control over the authentication, database, web server, reverse proxy and session recordings.
In summary, KeeperPAM is designed for organizations embracing cloud transformation and zero-trust security, while KCM serves specialized use cases requiring full infrastructure control, such as classified environments or those with specific compliance requirements like PIV/CAC authentication.
Several new and exciting capabilities of KeeperPAM are now available in Preview:
Zero-trust connections launched from the Vault
Tunnels established from the Desktop App for ZTNA
Sharing connections without exposing credentials
Sharing tunnels on a time-limited basis
Built-in SSH Agent for use with and without tunneling
Launching remote browser isolation sessions
Session recording and playback
File transfer with drag-and-drop
Splitting credentials between PAM Resources and PAM Users
Discovery of resources
All new Keeper Gateway setup wizard
Docker-based deployment of the Keeper Gateway
Role-based enforcement policies covering PAM use cases
Event reporting of all PAM activity with SIEM integration
Unified with the Keeper Vault: KeeperPAM features integrate directly with the Keeper Vault, offering a centralized, secure platform for managing credentials, connections, and privileged access.
Zero-Knowledge Security: Built on a zero-knowledge architecture, KeeperPAM ensures that only the end user can access their data, with no visibility or access for Keeper itself.
Agentless Deployment: With a simplified setup process, KeeperPAM requires only the deployment of a single gateway in each target environment, using agentless protocols to manage infrastructure.
Credential-less Sharing: Users can securely share access to connections without exposing passwords, enhancing both security and usability.
Before jumping into the KeeperPAM advanced capabilities, we require that you first set up your Keeper Enterprise or Keeper MSP license and set up your basic environment.
Deploy the Keeper Vault to your employees
If you are an existing customer, your customer success team can activate KeeperPAM in your account.
For technical questions during the Preview period, you can also email pam@keepersecurity.com which routes to our engineers.
Security and encryption model of Connections and Tunnels
KeeperPAM provides the capability to establish cloud and on-prem privileged sessions, create tunnels, establish direct infrastructure access and secure remote database access.
A Connection is a visual remote session using the web browser. Interaction between the user and the target device is with a web browser window or within the Keeper Desktop application.
A Tunnel is a TCP/IP connection that is established between the local vault client through the Keeper Gateway to the target endpoint. The user can utilize any native application for communicating with the target endpoint, such as the command-line terminal, GUI application or database management application.
When the user establishes a connection or tunnel:
The Vault Client application communicates with the Keeper Router infrastructure to initiate a WebRTC connection that is protected by an ECDH symmetric key stored inside the relevant Keeper record.
The Keeper Gateway communicates with the Keeper Router through outbound-only WebSockets. This is described in detail in the section.
The Keeper Gateway utilizes Keeper Secrets Manager APIs to retrieve the necessary secrets from the vault, including the ECDH symmetric key.
For Connections, the Vault Client (using the Apache Guacamole protocol) passes data through the WebRTC connection to the Keeper Gateway that then uses Guacd to connect to the destination found in the Keeper record.
For Tunneling features (port forwarding), a local port is opened up on the local device running Keeper Desktop software. Data sent to the local port is transmitted through the WebRTC connection to the Keeper Gateway and subsequently forwarded to the target endpoint defined in the Keeper record.
Session recordings of connections are protected by an AES-256 encryption key ("recording key") which is generated on the Keeper Gateway for every session. The recording key is additionally wrapped by an HKDF-derived AES-256 resource key.
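The two-layer scheme described above (a random AES-256 recording key per session, wrapped under an AES-256 resource key that is derived with HKDF) is shown below as an added Go example. This is illustrative code written for this page, not Keeper's implementation. It assumes HKDF-SHA256, uses AES-256-GCM as the wrapping mode (the page only says "wrapped"), and feeds a constructed resource secret and an arbitrary info label into HKDF; the page does not state what KeeperPAM actually uses as HKDF input. The useful property to observe is that a recording blob can only be unwrapped with the resource key it was wrapped under: a wrong key fails authentication instead of yielding a garbage key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256 key size in bytes

// hkdfSHA256 implements HKDF (RFC 5869) with SHA-256 using only the standard
// library: extract a pseudorandom key from ikm and salt, then expand it to outLen bytes.
func hkdfSHA256(ikm, salt, info []byte, outLen int) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869: default salt is HashLen zero bytes
	}
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)

	var okm, t []byte
	for counter := byte(1); len(okm) < outLen; counter++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{counter})
		t = exp.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:outLen]
}

// deriveResourceKey derives the per-resource AES-256 wrapping key.
// ASSUMPTION: the input keying material and the info label are illustrative;
// the page does not say what KeeperPAM feeds into its HKDF.
func deriveResourceKey(resourceSecret []byte) []byte {
	return hkdfSHA256(resourceSecret, nil, []byte("pam-resource-key"), keyLen)
}

// newRecordingKey returns a fresh random AES-256 key; one is made per session.
func newRecordingKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// wrapKey encrypts a recording key under the resource key with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func wrapKey(resourceKey, recordingKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(resourceKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, recordingKey, nil), nil
}

// unwrapKey reverses wrapKey. A wrong resource key or a tampered blob fails
// GCM authentication and returns an error rather than a garbage key.
func unwrapKey(resourceKey, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(resourceKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample secret; not a real Keeper value.
	resourceKey := deriveResourceKey([]byte("constructed-resource-secret"))
	recKey, err := newRecordingKey()
	if err != nil {
		panic(err)
	}
	blob, err := wrapKey(resourceKey, recKey)
	if err != nil {
		panic(err)
	}
	got, err := unwrapKey(resourceKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", hex.EncodeToString(got) == hex.EncodeToString(recKey))
	_, err = unwrapKey(deriveResourceKey([]byte("some-other-resource")), blob)
	fmt.Println("wrong resource key rejected:", err != nil)
}
```

Because the recording key is random per session and only ever stored wrapped, possession of one recording's blob gives nothing without the resource key, and rotating or revoking a resource key invalidates every blob wrapped under it without touching the recordings themselves. Using an authenticated mode for the wrap is what turns a wrong key or a modified blob into a hard failure instead of silent corruption.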