# March 2026 ## Keeper Secrets Manager CLI 1.3.0 This update introduces enhanced security features that use native secure profile storage to safeguard Keeper device identity information. This security measure is enabled by default on all compatible Windows, macOS, and Linux devices. > **Breaking Change** Minimum supported Python version is now **3.10** (previously 3.7). Python 3.7-3.9 users should stay on `v1.2.0` > **Breaking Change** `boto3` is no longer installed by default. AWS sync users must install the `[aws]` extra: `pip install keeper-secrets-manager-cli[aws]` * **KSM-800:** Added OS-native keyring storage for CLI configuration * New profiles store configuration in the OS keyring by default (macOS Keychain, Windows Credential Manager, Linux Secret Service) * Existing `keeper.ini` profiles continue to work without migration * Added `--ini-file` flag to opt into explicit file-based storage * Install keyring support: `pip install keeper-secrets-manager-cli[keyring]` * Additional fixes: * Profile name validated against `[a-zA-Z0-9_-]{1,64}` before redeeming one-time token * SHA-256 integrity check on every keyring load with clear error and recovery hint * Warning on stderr when keyring is empty and a `keeper.ini` exists * Graceful fallback to `keeper.ini` on Linux when Secret Service is unavailable * `--ini-file` flag respected by all `profile` and `config` subcommands and no longer requires `boto3` for non-AWS profiles * **KSM-810**: added `ksm profile delete ` command * **KSM-820:** `ksm secret get --json` now outputs custom fields under `"custom"` key (was `"custom_fields"`), matching the canonical V3 record format * **KSM-818:** `ksm shell` no longer crashes when `click>=8.2` is installed * **KSM-702:** Record create payload now always includes `custom: []`; previously omitted when no custom fields were set * **KSM-691:** `keeper.ini` is now written with owner-only permissions (0600) * **Dependency Update:** Updated `keeper-secrets-manager-core` to `>=17.2.0` and `keeper-secrets-manager-helper` to `>=1.1.0` **Security updates** * **KSM-761:** Fixed CVE-2026-23949 (jaraco.context path traversal vulnerability) **Links:** * [KSM CLI Docs](https://app.gitbook.com/s/-MJXOXEifAmpyvNVL1to/secrets-manager/secrets-manager-command-line-interface) * [PyPI Package](https://pypi.org/project/keeper-secrets-manager-cli/) * [Docker Hub](https://hub.docker.com/r/keeper/keeper-secrets-manager-cli/tags?name=1.3.0) * [Docker Hub (Alpine)](https://hub.docker.com/r/keeper/keeper-secrets-manager-cli-alpine/tags?name=1.3.0) * [GitHub Release](https://github.com/Keeper-Security/secrets-manager/releases/tag/ksm-cli-v1.3.0) *** ## Ansible Integration 1.4.0 > **Breaking Change** Minimum supported Python version is now **3.9** (previously 3.7). Python 3.7-3.8 users should stay on `v1.3.0` * **KSM-811:** Raised minimum Python version from 3.7 to 3.9 * Updated `keeper-secrets-manager-core` dependency to `>=17.2.0` * Updated `keeper-secrets-manager-helper` dependency to `>=1.1.0` * Replaced `importlib_metadata` backport with stdlib `importlib.metadata` * **KSM-816:** Fixed `keeper_create` failing when the target shared folder contains no records * **KSM-827:** Fixed Tower Execution Environment Docker image missing system packages required by Ansible Automation Platform * Added `openssh-clients`, `sshpass`, `rsync`, and `git` to the EE image * Resolves `[dumb-init] ssh agent: No such file or directory` startup error **Links:** * [Ansible Integration Docs](https://app.gitbook.com/s/-MJXOXEifAmpyvNVL1to/secrets-manager/integrations/ansible) * [PyPI Package](https://pypi.org/project/keeper-secrets-manager-ansible/1.4.0/) * [Ansible Galaxy](https://galaxy.ansible.com/ui/repo/published/keepersecurity/keeper_secrets_manager/?version=1.4.0) * [Docker Hub](https://hub.docker.com/r/keeper/keeper-secrets-manager-tower-ee/tags)