Vault Release 17.3

Released on July 24, 2025

New PAM Features & Improvements

Summary

Keeper version 17.3 brings several powerful PAM enhancements that empower DevOps, IT Security, and development teams with enhanced visibility, control, and collaboration across IT environments.

  • Updates to Keeper Discovery introduce the Domain Controller configuration for Active Directory environments.

  • Connection updates include Launch Credentials, Personal Credentials, and Ephemeral Accounts within Keeper Connections, offering flexible, secure access options that eliminate standing privilege and enable Just-in-Time, session-based authentication.

  • Secrets Manager now allows sharing of applications and Gateways with other Keeper users, enabling secure and collaborative management of secrets across your organization.

  • The One-Time Share (OTS) feature now enables secure, temporary, bidirectional content exchange with non-Keeper users—no account required—ensuring secure collaboration without sacrificing control or compliance.


Discovery

Keeper Discovery provides DevOps, IT Security, and development teams with centralized visibility into privileged accounts and IT assets across local, AWS, and Azure environments. Integrated through the Keeper Gateway, it helps organizations identify unmanaged accounts, misconfigurations, and security risks. By automating asset discovery and delivering actionable insights, Keeper Discovery strengthens security, streamlines operations, and supports compliance across complex infrastructure setups. Version 17.3 brings additional features to the discovery process for customers.

Details

To create a Discovery Job, navigate to the Discovery tab and click Create Discovery Job. Then, select an active Keeper Gateway to perform the scan. The Gateway is linked to a PAM Configuration, which defines the environment type being scanned.

If the PAM Configuration is missing required details, such as CIDR ranges or cloud credentials, you’ll be prompted to provide that information before the job can proceed.

Once a Discovery Job reaches the Completed state, clicking on the job allows you to review and process the findings interactively. You can select multiple items or go through them individually, adding findings to a queue before finalizing the results.

While reviewing discovery results, you can choose the Vault location where each resource will be stored and assign the appropriate Admin Credentials. These credentials serve several key functions:

  • User Account Discovery: Used in future discovery jobs to remotely access the resource and identify local user accounts.

  • Password Rotation: Enables on-demand and scheduled password rotations for discovered accounts.

Additionally, PAM Users identified during discovery can be configured for automatic password rotation.

In the Discovery Job panel, you can view all previously run jobs along with their status, such as Completed, Running, or Failed.


New Ways to Connect with Keeper Connections

Keeper Connections offer multiple authentication methods to securely access target systems:

  • Launch Credentials: Use credentials configured directly on the PAM Machine, Database, or Directory record. Users can initiate sessions without needing direct access to the credentials themselves.

  • Personal/Private Credentials: Users can authenticate using their own credentials stored securely in their Keeper Vault, providing flexibility and personal control.

  • Ephemeral Accounts: When enabled, a temporary, system-generated privileged account is created specifically for the session. This account is automatically removed after the session ends, supporting Just-in-Time access with zero standing privilege.

Connection Templates

PAM Machine, PAM Database, and PAM Directory record types can now be set up as Connection Templates, allowing users to launch sessions to target systems without needing a predefined hostname or credential.

Each template requires configuration of the Keeper Gateway and the relevant connection protocol settings. Once created, templates can be shared with other users. When launching a session from a template, users are prompted to:

  • Enter the target hostname

  • Select a credential from their own Keeper Vault for authentication

The Keeper Connections tab enables users to instantly and securely access infrastructure assets, such as servers, databases, web apps, and workloads, directly from the Keeper Vault, without exposing credentials. This ensures a zero-trust, zero-knowledge security model.

Connections are configured on PAM Machine, PAM Database, PAM Directory, and PAM Remote Browser record types, and can be launched directly from these records.

Under the Connection tab, you can enable users to select credentials from their own vault and optionally configure the launch credentials to rotate automatically upon session termination.

Within the PAM settings, we've added a new Rotation tab and a JIT Settings tab for each resource.

Just-in-Time Access with Ephemeral Accounts and Role Elevation enables secure, one-click privileged sessions to infrastructure assets directly from the Keeper Web Vault. With Just-in-Time (JIT) access, users are granted elevated privileges only for the duration of a session, significantly reducing the risk of standing privileged accounts. Once the session ends, all elevated access is automatically revoked.

Ephemeral Account Creation

The Keeper Gateway can automatically create temporary privileged accounts on the target system at the start of a session and delete them at the end. This ensures no persistent accounts exist to be compromised.

Role and Group Elevation

Instead of creating temporary accounts, KeeperPAM also supports role or group-based elevation, temporarily assigning elevated privileges (e.g., Windows “Administrators” or AWS IAM roles) to the session user. Elevation is revoked automatically when the session ends.

This flexible approach to JIT access, via ephemeral accounts or role elevation, supports a zero-trust security model while simplifying privileged access management across your infrastructure.


Sharing Secrets Manager Applications and Gateways

Keeper Secrets Manager (KSM) offers DevOps, IT Security, and development teams a fully cloud-based, Zero-Knowledge platform to securely manage infrastructure secrets, such as API keys, database passwords, access tokens, certificates, and other sensitive data.

Once a KSM Application is created, it can be securely shared with other users in your organization. Shared users gain access to application features, including viewing secrets, managing devices and gateways, and configuring PAM record types via the associated Keeper Gateway.

This sharing capability enables secure team collaboration while preserving strict access controls through Keeper’s Zero-Knowledge security model.

Domain Controller Configuration

KeeperPAM now supports Domain Controller configurations, enabling seamless discovery and management of domain-joined resources. When combined with Keeper Discovery, organizations can automatically identify domain-connected assets across their environment and securely manage access through shared KSM Applications, PAM record types, and the Keeper Gateway, all within Keeper’s Zero-Knowledge architecture.


One-Time Share (OTS) Bidirectional Update

Keeper One-Time Share (OTS) enables secure, time-limited sharing of records with anyone, no Keeper account required. Ideal for sharing sensitive information with friends, family, or colleagues, OTS eliminates the risks of sending data via email, text, or messaging apps.

Introducing Keeper's Bidirectional One-Time Share

Each share link:

  • Expires automatically at a time you choose

  • Can only be accessed on a single device (device-locked for added security)

  • Prevents unauthorized access, even if the link is intercepted or your email is compromised

  • Supports bidirectional communication, allowing both parties to securely view, edit, or upload content during the session, while maintaining full control and temporary access

When the recipient opens the share link, the record will launch in their web browser and become bound to that specific device. Access will automatically expire after the designated time, at which point the link becomes invalid and the record can no longer be viewed, even on the originally authorized device.

The new bidirectional capabilities of Keeper’s One-Time Share (OTS) feature enable true two-way collaboration between Keeper users and non-Keeper recipients, all within a secure, time-limited session. Once the recipient opens the shared record in their browser, they can not only view the information but also:

  • Edit existing fields within the record (e.g., notes, credentials, custom fields)

  • Upload and attach files, such as documents, images, or certificates

All changes are made within the same secure, device-bound session. Once the recipient clicks Save, the updates are reflected in the sender’s vault in real time.

This allows for secure, efficient collaboration, such as collecting sensitive onboarding details, exchanging credentials, or updating records, without requiring the recipient to create a Keeper account or leave the zero-knowledge environment. Once the session expires, all access is revoked, ensuring the shared information remains tightly controlled.

To learn more about Keeper's One-Time Share feature, click here.

Activating Editable One-Time Sharing

By default, this permission is disabled for Enterprise environments. To activate the feature, visit the Admin Console > Roles > Enforcement Policies > Creating and Sharing and check the box next to "Can create links with editable fields and file upload capabilities".


Discover all the PAM features, or visit the Keeper PAM website to start your free trial or request a personalized demo.

Enhancements

  • VAUL-7283: Admins can now create flexible resource records with separate admin and launch credentials, user-supplied credentials, or templates that support custom host and credential entry.

  • VAUL-7285: Admins can now enable JIT ephemeral access, allowing temporary admin privileges, automatic account cleanup, and post-session credential rotation—all securely managed in PAM settings.

  • VAUL-5995, VAUL-7333, VAUL-7235: KSM applications can now be shared with users, with role-based permissions and enhanced management of folders, devices, gateways, and activity logs for better collaboration and security.

  • DR-646: Keeper Discovery enhancements to the vault UI provide teams with complete visibility into privileged accounts and IT assets across different environments, helping to eliminate misconfigurations and security gaps.

  • VAUL-6904, VAUL-6167, VAUL-7499: This update enables bidirectional sharing of files, notes, and record content, with full editing capabilities, for seamless collaboration.

Other Updates

  • VAUL-7488: We improved the import of Dashlane .dash files into Keeper.

  • VAUL-7138: We added the UID from reporting & alerts to the deleted items.

  • VAUL-7370: Fixed a bug that prevented session recording playback from scaling properly.

  • VAUL-7432: Now, users can rotate credentials on PAM user records as long as they have the "Can Rotate" policy and the KSM application has edit permissions.

  • VAUL-7480: Updated expired account popups to use the latest UI design.

  • VAUL-7195: Keeper Discovery now supports asset discovery with the Domain Controller configuration in Active Directory environments.

  • VAUL-7217: We implemented new router APIs for the DAG.

  • VAUL-6363: Added a warning pill and banner for users in preview mode to highlight the limitations of using beta features and encourage informed testing.

  • VAUL-6055: Updated role enforcement for password length requirements.

Bug Fixes

  • VAUL-6440: Fixed an issue where 2FA duration settings were not honored for users with SMS-based 2FA, causing repeated prompts on each login.

  • VAUL-7325: Fixed an issue where non-owners could manually enter passwords in the Privacy Screen.

  • VAUL-6069, VAUL-6070: Fixed alignment issues in the advanced search results dropdown.

  • VAUL-5979: Updated the login flow so that selecting ‘Master Password’ from the SSO dropdown now defaults the cursor to the email field.

  • VAUL-6123: Fixed an issue so that when you click on a record in the search results, it takes you to the correct record.

  • VAUL-7075: Fixed an issue in PAM where the record rotation setting wasn’t being properly checked when updating the resource configuration.

  • VAUL-7172: Updated the PAM script documentation.

  • VAUL-7121: Fixed an issue in the Create New PAM Record modal where tab focusing removed the visual outline around the selected record type.

  • VAUL-6141: Fixed an issue in BreachWatch where a weak password did not correctly update BreachWatch after a record restore.

  • VAUL-7427: Fixed style bugs on the new Security Audit page.

  • VAUL-7215: Fixed an issue where consumers with expired accounts were logged into an unintended limbo state.

  • VAUL-7462: Fixed an issue where importing a Keeper JSON file displayed an error and failed to import folder permissions correctly.

  • VAUL-7472: Fixed an issue where the ARAM event “Created Re-used Password” (reused_password) was not triggering in specific scenarios from the web vault.

  • VAUL-7244: Fixed an issue where SCIM-provisioned, Automator-approved Teams were not appearing in the Vault as expected.

  • VAUL-7490: Fixed a bug so that the credentials record icon is gray when not selected.

  • VAUL-7491: Updated the PAM user record settings to rename one of the duplicate “Rotation” fields to “Rotation Profile” for clarity.
