Overview

Rotation relies on the port field in resource records to determine its connection method.

For example, in a PAM Machine record, port 22 tells the gateway to use SSH, port 5985 for WinRM (http) and port 5986 for WinRM (https).

The expected standard ports are listed in the following table.

Rotation Standard Ports

Using Port Mappings

To use a non-standard port, specify the alternative port in two places:

• In the PAM Configuration port mapping field, enter {port}={connection}, for example, 32636=ldaps.

• For {connection}: refer to the labels under Standard Port in the standard ports table.

• In the PAM Machine/Directory/Database record, enter the chosen port in the port field

For example, to connect to a MySQL database using port 3307, your PAM Configuration should have 3307=mysql under port mapping, and your PAM Database record should reference port 3307.

Multiple port mappings are newline-separated in the PAM Configuration.

Overview

Customers are responsible for the configuration of their servers and environments.

Secure Shell (SSH) allows confidential and authenticated remote access to a computer. SSH traffic is fully encrypted and, by default, runs on port 22. For reference and testing, see below for instructions and guidance on enabling SSH for your target operating system.

Linux

Linux requires the SSH daemon to be running in order to accept SSH connections. Most Linux distributions will have the OpenSSH server installed, but may not have the service enabled. The service needs to be enabled, started, and added to the list of services to be started upon reboot.

To verify that ssh is running on your Linux system, invoke the following command:

ps aux | grep sshd

If ssh is not running, you may need to install OpenSSH or/and enable ssh. The following commands demonstrate this in Ubuntu:

apt-get install openssh-server
systemctl enable ssh
systemctl start ssh

Note:

• you may need sudo permissions to install and enable ssh

• The installation command may be different based on your linux distribution

Windows

SSH is normally not installed on Windows. However, SSH can easily be installed via Windows capability packages which are maintained by Microsoft.

The following PowerShell script will:

• Install SSH

• Start the SSH service and makes sure it starts with each reboot

• Ensure the firewall allows SSH connections

# Install OpenSSH
Add-WindowsCapability -Online -Name OpenSSH.Server

# Start service and make sure it automatically starts after reboot.
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

# Make sure the the firewall will allow SSH connections
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

To connect through SSH, simply create a new PAM Machine record and set the connection protocol to SSH.

Once connected, PowerShell Commands can be executed by typing powershell.exe:

domain\admin@MACHINE C:\Users\Administrator\Desktop>powershell.exe

Windows\system32\conhost.exe - powershell.exeWindows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Desktop> 

Windows Shell

Windows SSH can either default to PowerShell or CMD. Keeper Rotation uses PowerShell commands. If the default shell is CMD, Keeper Rotation will invoke rotation commands via PowerShell Invoke-Command -ScriptBlock { COMMANDS }. To change the default shell to PowerShell, invoke the following PowerShell command:

# Enable PowerShell in SSH
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell `
  -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -PropertyType String -Force

MacOS

SSH is installed on macOS and usually not turned on for the user.

To enable it via the UI, enable Remote Login on the General->Sharing panel.

To enable it via the command line, invoke the following command:

$ sudo systemsetup -setremotelogin on

Note:

• you will require Full Disk Access privileges for this command line method.

Overview

Customers are responsible for the configuration of their servers and environments. For reference and testing, the below PowerShell script can be run on a target machine to enable WinRM with a self-signed certificate. We recommend creating a certificate with a public CA in your production environment.

# Enable WinRM
Set-NetConnectionProfile -NetworkCategory Private
winrm quickconfig -force
Enable-PSRemoting -force

# Allow non-SSL traffic (port 5985)
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

# Create a cert for SSL (port 5986)
$Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
$Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
$A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A

# Firewall Rules
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5985" -Profile Public
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Domain,Private
New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
  -Protocol TCP -LocalPort "5986" -Profile Public

Below is a breakdown of what this script performs to configure WinRM on a Windows machine:

1. Set the network connection profile to Private:

   Copy

   Set-NetConnectionProfile -NetworkCategory Private

2. Configure and enable WinRM:

   Copy

   winrm quickconfig -force
   Enable-PSRemoting -force

3. Allow non-SSL (unencrypted) traffic on port 5985:

   Copy

   winrm set winrm/config/service '@{AllowUnencrypted="true"}'
   winrm set winrm/config/service/auth '@{Basic="true"}'
   winrm set winrm/config/client/auth '@{Basic="true"}'

4. Create a self-signed SSL certificate for encrypted traffic on port 5986:

   Copy

   $Hostname = [System.Net.Dns]::GetHostByName($env:computerName).HostName
   $Thumbprint = (New-SelfSignedCertificate -Subject "CN=$Hostname" -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1').Thumbprint
   $A = '@{Hostname="'+$Hostname+'"; CertificateThumbprint="'+$Thumbprint+'"}'
   winrm create winrm/config/Listener?Address=*+Transport=HTTPS $A

5. Create Windows Firewall rules to allow inbound traffic on ports 5985 (non-SSL) and 5986 (SSL):

   Copy

   New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5985" -Profile Domain,Private
   New-NetFirewallRule -DisplayName "WinRM" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5985" -Profile Public
   New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5986" -Profile Domain,Private
   New-NetFirewallRule -DisplayName "WinRM Secure" -Group "Windows Remote Management" -Program "System" `
     -Protocol TCP -LocalPort "5986" -Profile Public

After running this script, WinRM will be configured to allow both unencrypted (port 5985) and encrypted (port 5986) remote connections. Additionally, Windows Firewall rules will be created to allow inbound traffic on these ports.

From a Windows server, you can test the connectivity to the target machine through PowerShell:

Test-NetConnection -ComputerName <host> -Port <port>

Below is the PowerShell commands to open up port 1433 on the SQL Server instance.

# Define the SQL Server port (default is 1433 for TCP)
$SQLPort = 1433

# Create a firewall rule for inbound SQL Server traffic (TCP)
New-NetFirewallRule -DisplayName "Allow SQL Server TCP" `
    -Direction Inbound -Protocol TCP -LocalPort $SQLPort `
    -Action Allow

# Allow SQL Server traffic on UDP port 1434 for SQL Browser service (optional)
New-NetFirewallRule -DisplayName "Allow SQL Server UDP" `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -Action Allow

# Verify the rules were created
Get-NetFirewallRule -DisplayName "Allow SQL Server*"

Overview

In this guide, you will learn how to import and export a file for the following supported Database protocols:

• MySQL

• SQL Server

• PostgreSQL

SQL Import and Export

SQL Import

Import data from a file on your machine into the MySQL connection.

To import data from a csv file, is the LOAD DATA MySQL command:

Copy

LOAD DATA LOCAL INFILE "input.csv" INTO TABLE <table> FIELDS
  TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\r\n'

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query

SQL Export

Data from the connected MySQL database can be exported to a file on your machine. To do this, use the following query:

Copy

 SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

SQL Server Import and Export

SQL Server Import

Import data from a file on your machine into the SQL Server connection.

To import data from a csv file, is the COPY command:

Copy

BULK INSERT <table> FROM LOCAL FILE

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query

SQL Server Export

Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:

Copy

 SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

PostgreSQL Import and Export

PostgreSQL Import

Import data from a file on your machine into the PostgreSQL connection.

To import data from a csv file, is the COPY command:

Copy

 \COPY <table> FROM "input.csv" With CSV

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, simply drag and drop it from your machine onto the browser window.

The file uploaded does not have to have the same name given in the query

PostgreSQL Export

Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:

Copy

 \COPY (<query>) TO "<name>.csv" With CSV HEADER

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Amazon Linux

Import the Microsoft GPG keys

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

Add the Microsoft SQL Server Tools repository

sudo curl -o /etc/yum.repos.d/mssql-tools.repo https://packages.microsoft.com/config/rhel/7/prod.repo

Install Command

sudo yum update -y

sudo ACCEPT_EULA=Y yum install -y mssql-tools unixODBC-devel

echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bash_profile
source ~/.bash_profile

This page provides quick install instructions for setting up Docker on different flavors of Linux.

• Amazon Linux

• Ubuntu

Amazon Linux

Ensure all packages up to date

sudo yum update -y

Install Docker

sudo yum install -y docker

Start the service

sudo service docker start

Add the ec2-user to the docker group so that you can run Docker commands without using sudo.

sudo usermod -a -G docker ec2-user
newgrp docker

Start automatically at boot

sudo chkconfig docker on

Install Docker Compose

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version

Ubuntu

Update the instance

apt update -y
apt upgrade -y

Install Docker

sudo apt install docker.io

Install Docker Compose

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Ensure docker-compose is executable

sudo chmod +x /usr/local/bin/docker-compose

Activate Docker

sudo systemctl enable docker
sudo systemctl start docker

Add the current user to the docker group so that you can run Docker commands without using sudo.

sudo usermod -aG docker $USER
newgrp docker

Overview

Prior to working with Rotation, you need to create a KSM application. For more information on KSM, visit:

Setup KSM

1. In the Keeper Web Vault or Desktop App user interface, create a shared folder. This shared folder will contain the PAM records you will create as you are working through the use-case guides.

2. Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application

3. In the prompted window:

   • Enter the name of your KSM application

   • Choose the shared folder you have created in Step 1

   • Set the Record Permissions for Application to "Can Edit"

4. Click on "Generate Access Token" and then click on "OK"

Overview

When creating a PAM Directory Resource, it is recommended that you use a service account with the least required privileges to perform rotation.

The following steps show you how to enable a service account to rotate credentials using Active Directory's Delegation of Control feature.

Procedure

1. Launch Active Directory Users and Computers

2. In the directory tree, select a node for which password rotation should be allowed.

3. Right-click on the node, then click Delegate Control.

4. In the Delegation of Control Wizard, click 'Add'.

5. Locate your chosen service account, then click 'OK'.

1. Click 'Next' to advance to permission selection.

2. In 'Delegate the following common tasks', check the option for 'Reset user passwords and force password change at next logon', then click 'Next'.

1. Add the service account's login and password to the Resource Record for the AD instance.

Overview

Events related to Secrets Management and Privileged Access Management are included in the Advanced Reporting & Alerts module within the Keeper Admin Console.

SIEM Events

Secrets Manager Events

Keeper Connection Manager (KCM) Cloud Events

Alerts

To receive immediate feedback on any rotation related events, Keeper's "Alerts" capability can push these events to email, SMS, webhooks, Slack, Teams, etc.

To learn more about the Keeper Advanced Reporting & Alerts module at this link.

Reporting, Alerts & SIEMEnterprise Guide

Keeper supports importing of PAM records through the Keeper Commander CLI.

Record Types Supported:

• pamDatabase

• pamDirectory

• pamMachine

• pamUser

Below is an example template in JSON format which imports 2 PAM Machine records, 2 PAM User records and adds then to a shared folder called "My Shared Folder".

{
  "shared_folders": [],
  "records": [
  {
      "title": "Test Machine 1",
      "$type": "pamMachine",
        "custom_fields": {
        "$pamHostname": {
          "hostName": "207.148.1.154",
          "port": "22"
        },
        "$checkbox:sslVerification": true
      },
      "login": "some-username",
      "password": "some-password",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
  },
  {
      "title": "Test Machine 2",
      "$type": "pamMachine",
        "custom_fields": {
        "$pamHostname": {
          "hostName": "207.148.1.155",
          "port": "22"
        },
        "$checkbox:sslVerification": true
      },
      "login": "some-username",
      "password": "some-password",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    },
    {
      "title": "Test User 1",
      "login": "some-user",
      "password": "some-password",
      "$type": "pamUser",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    },
    {
      "title": "Test User 2",
      "login": "some-other-user",
      "password": "some-other-password",
      "$type": "pamUser",
      "folders": [
        {
          "shared_folder": "My Shared Folder",
          "can_edit": true,
          "can_share": true
        }
      ]
    }
  ]
}

To import this file, run the command:

import "c:\path\to\myfile.json" --format json

To see all import options:

 import -h

See the Keeper Commander options for additional PAM automation capabilities.

Keeper Commander can perform individual or bulk updates on PAM resource records, such as adding rotation to a whole set of records in a folder.

Prerequisites:

• All of your rotation records are imported to the appropriate folders

• You have at least one Keeper Gateway installed and running

• You have at least one active PAM Configuration

Example 1: Adding PAM Resources to a PAM Configuration

To attach a PAM Machine resource record to an existing PAM Configuration, and to assign a default rotation schedule, use the sample Commander CLI commands below:

sync-down
pam config edit -c "<PAM_Config_UID>" --resource-record "<Machine1_UID>" --schedule Daily
pam config edit -c "<PAM_Config_UID>" --resource-record "<Machine2_UID>" --schedule Daily

Note 1: The PAM Configuration UID can be found by typing: pam config list

Note 2: Machine UIDs can be found by navigating to the folder and using ls -l

My Vault> cd "My Folder"
My Vault> ls -l

Example 2: Assign Rotation Settings to PAM Machine records

The commands below will assign a scheduled rotation to the specific PAM Machine records, and it also sets the resource record to

sync-down
pam rotation set --record="<Machine1_UID>" --config="<PAM_Config_UID>" --resource="<Machine1_UID>" --schedulecron "0 3 * * 2" --enable --force
pam rotation set --record="<Machine2_UID>" --config="<PAM_Config_UID>" --resource="<Machine2_UID>" --schedulecron "0 3 * * 2" --enable --force

Example 3: Assign Rotation Settings in JSON Notation

The below command will assign a resource and set up a rotation schedule using JSON notation:

pam rotation set --record="<Machine1_UID>" --config="<PAM_Config_UID>" --resource="<Machine1_UID>" -sj '{"type":"DAILY","tz":"Etc/UTC","time":"03:00:00","intervalCount":60}' --enable --force

Example 4: Assign Rotation Settings for All Records

The below command will assign rotation capabilities in bulk for all records within a specific folder. In this case the folder is a sub-folder beneath a Shared Folder.

pam rotation set --folder="/ShareFolder1/PrivateFolder2" --config="<PAM_CONFIG_UID>" --resource="<PAM_Machine_UID>" --schedulecron "0 3 * * 2" --enable --force

Batch Mode

To run a large number of commands in a batch mode, see Keeper's Batch Mode command.

Keeper Commander commands have been created to automate and manage the Keeper PAM capabilities including:

• Managing Gateways

• Managing PAM Configurations

• Managing Password Rotation and Discovery

• Managing jobs

For more information see the KeeperPAM "pam" command documentation.

In the Keeper Vault, users can configure rotation using a standardized UNIX Cron specification.

The Keeper backend scheduler uses the open source Quartz Job Scheduler for executing rotations. The content below is based on the Quartz public documentation.

In the example below, the Cron Spec is set to 0 28 17 ? * * which means every day at 5:28PM PST.

Format

A cron expression is a string comprised of 6 or 7 fields separated by white space. Fields can contain any of the allowed values, along with various combinations of the allowed special characters for that field. The fields are as follows:

Cron expressions can be as simple as this: * * * * ? *

or more complex, like this:

0/5 14,18,3-39,52 * ? JAN,MAR,SEP MON-FRI 2002-2010

Special characters

• * (“all values”) - used to select all values within a field. For example, “*” in the minute field means “every minute”.

• ? (“no specific value”) - useful when you need to specify something in one of the two fields in which the character is allowed, but not the other. For example, if I want my trigger to fire on a particular day of the month (say, the 10th), but don’t care what day of the week that happens to be, I would put “10” in the day-of-month field, and “?” in the day-of-week field. See the examples below for clarification.

• - - used to specify ranges. For example, “10-12” in the hour field means “the hours 10, 11 and 12”.

• , - used to specify additional values. For example, “MON,WED,FRI” in the day-of-week field means “the days Monday, Wednesday, and Friday”.

• / - used to specify increments. For example, “0/15” in the seconds field means “the seconds 0, 15, 30, and 45”. And “5/15” in the seconds field means “the seconds 5, 20, 35, and 50”. You can also specify ‘/’ after the ‘’ character - in this case ‘’ is equivalent to having ‘0’ before the ‘/’. ‘1/3’ in the day-of-month field means “fire every 3 days starting on the first day of the month”.

• L (“last”) - has different meaning in each of the two fields in which it is allowed. For example, the value “L” in the day-of-month field means “the last day of the month” - day 31 for January, day 28 for February on non-leap years. If used in the day-of-week field by itself, it simply means “7” or “SAT”. But if used in the day-of-week field after another value, it means “the last xxx day of the month” - for example “6L” means “the last friday of the month”. You can also specify an offset from the last day of the month, such as “L-3” which would mean the third-to-last day of the calendar month. When using the ‘L’ option, it is important not to specify lists, or ranges of values, as you’ll get confusing/unexpected results.

• W (“weekday”) - used to specify the weekday (Monday-Friday) nearest the given day. As an example, if you were to specify “15W” as the value for the day-of-month field, the meaning is: “the nearest weekday to the 15th of the month”. So if the 15th is a Saturday, the trigger will fire on Friday the 14th. If the 15th is a Sunday, the trigger will fire on Monday the 16th. If the 15th is a Tuesday, then it will fire on Tuesday the 15th. However if you specify “1W” as the value for day-of-month, and the 1st is a Saturday, the trigger will fire on Monday the 3rd, as it will not ‘jump’ over the boundary of a month’s days. The ‘W’ character can only be specified when the day-of-month is a single day, not a range or list of days.

The 'L' and 'W' characters can also be combined in the day-of-month field to yield 'LW', which translates to *"last weekday of the month"*.

• # - used to specify “the nth” XXX day of the month. For example, the value of “6#3” in the day-of-week field means “the third Friday of the month” (day 6 = Friday and “#3” = the 3rd one in the month). Other examples: “2#1” = the first Monday of the month and “4#5” = the fifth Wednesday of the month. Note that if you specify “#5” and there is not 5 of the given day-of-week in the month, then no firing will occur that month.

The legal characters and the names of months and days of the week are not case sensitive. MON is the same as mon.

Examples

Here are some full examples:

Pay attention to the effects of '?' and '*' in the day-of-week and day-of-month fields!

Preview Updates

The KeeperPAM Preview offers customers early access to test and prepare for upcoming changes.

Accessing the Preview Environment

Preview features are accessed using the links below.

Web Vault Preview

• US: https://keepersecurity.com/vault/preview

• EU: https://keepersecurity.eu/vault/preview

• AU: https://keepersecurity.com.au/vault/preview

• CA: https://keepersecurity.ca/vault/preview

• JP: https://keepersecurity.jp/vault/preview

Desktop Vault Preview

• Mac (.dmg) - Download

• Mac (.pkg) - Download

• Windows (.appx) - Download

• Windows (.msix) - Download

• Windows (.msi) - Download

• Linux (.rpm) - Download

• Linux (.deb) - Download

Note: the Desktop App preview does not auto-update. On Windows computers, a new version of the preview version requires a full uninstall and re-install of Keeper. This does not affect stored data.

Admin Console Preview

• US: https://keepersecurity.com/console/preview

• EU: https://keepersecurity.eu/console/preview

• AU: https://keepersecurity.com.au/console/preview

• CA: https://keepersecurity.ca/console/preview

• JP: https://keepersecurity.jp/console/preview

• GOV: Not available for preview, use commercial environment

Gateway Preview

Docker Installation

For Docker environments, you can reference the tag keeper/gateway:preview to get the preview version.

services:
      keeper-gateway:
        platform: linux/amd64
        image: keeper/gateway:preview

Linux Preview

To update an existing Gateway on Linux:

curl -fsSL https://keepersecurity.com/pam/beta/install | \
  sudo bash -s -- --preview

Executing the following command will uninstall the Keeper Gateway Preview:

curl -fsSL https://keepersecurity.com/pam/beta/uninstall | sudo bash -s -- --preview

Windows Preview Installers

Download the latest installer: 64-bit Installer (preferred) or 32-bit Installer