Released on September 22, 2025
We are currently investigating an issue where the Keeper Gateway is unable to automatically re-establish a cloud connection after the backend Keeper Router cloud service is updated. If your Gateway no longer responds to requests, please restart the service.
We will be releasing Keeper Gateway 1.7.1 within a couple of days.
Performance improvements on Windows and Linux deployments
Incorporated the latest changes
DR-924: Added support for the latest KeeperAI Service analysis.
DR-1102: Added AI-related fields to connection_close event in the Gateway.
DR-1110: Resolved issue where ephemeral domain accounts were not always deleted after the session terminated.
DR-872: Resolved issue where MySQL password rotation was failing in older SQL versions.
PG-37: Resolved issue where Connections won't work without an Admin port specified.
PG-43: Resolved issue where Unicode characters within web page titles immediately broke RBI.
Please visit the Keeper Gateway documentation for your specific platform.
DR-1107: Ensured sessions terminate fully when exception rules are triggered.
DR-1019: For general rotations of user account passwords, the current password is checked prior to rotating. If current password is incorrect and the user performing the rotation does not have access to the PAM resource (or PAM Configuration), the password rotation will return an error.
PG-46: Added support to create AD domain user ephemeral accounts on PAM Machine connections when JIT is enabled.
PG-67: Expanded Username support when using WinRM:
User Principal Name (UPN) format: [email protected]
Domain NetBIOS format: FINANCECORP\admin
Shortened UPN format (no TLD): admin@financecorpglobal
Domain FQDN with backslash format: financecorpglobal.com\admin
DR-1108: Improved Directory users search limit with Keeper Discovery.
DR-1111: We now ignore any entries without a name (CN) when getting the LDAP schema.
DR-1113: Support for "passwordless sudo" when performing administrative operations such as creating an ephemeral account.
DR-1100: Resolved KeeperAI issue where a stale buffer caused false session termination triggers.
PG-54: Resolved error where Keeper Gateway Windows Installer failed on Elevation of Privileges.
PG-70: Resolved issue where "postgresql" library was not installed, which broke PostgreSQL connections and rotations.
PG-73: Resolved issue where Pyguacd.exe continues to run after new installation of Windows PAM Gateway
PG-78: Resolved issue where Installation command in QA is pulling the production Docker image instead of the QA image
Other minor improvements and bug fixes
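The four WinRM username formats listed under PG-67 differ only in their separator and in whether the domain part contains a dot, which matters when account names from different sources must be normalised before they are compared in logs or access reviews. The following is an added example, not Keeper Gateway code; the function name, the style labels, the `bare` fallback and the validation rules are assumptions of this example, and `admin@example.com` is a constructed UPN.

```python
import re
from typing import NamedTuple, Optional


class WinRMUser(NamedTuple):
    style: str             # "upn", "short_upn", "netbios", "fqdn_backslash" or "bare"
    user: str
    domain: Optional[str]  # None for a bare account name


# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_dns_name(value: str) -> bool:
    """True for a dotted name made of at least two valid DNS labels."""
    labels = value.split(".")
    return (len(value) <= 253 and len(labels) >= 2
            and all(_DNS_LABEL.match(label) for label in labels))


def parse_winrm_username(raw: str) -> WinRMUser:
    """Classify a username into one of the PG-67 formats (example policy)."""
    name = raw.strip()
    if not name or any(ord(ch) < 32 for ch in name):
        raise ValueError("empty username or control characters")
    # Assumption of this example: more than one separator is rejected as
    # ambiguous instead of guessing which part is the domain.
    if name.count("\\") + name.count("@") > 1:
        raise ValueError(f"ambiguous separators in {raw!r}")

    if "\\" in name:
        domain, user = name.split("\\")
        if not domain or not user:
            raise ValueError(f"missing domain or user in {raw!r}")
        if "." in domain:
            if not _is_dns_name(domain):
                raise ValueError(f"invalid domain FQDN in {raw!r}")
            return WinRMUser("fqdn_backslash", user, domain.lower())
        if len(domain) > 15:  # NetBIOS names are limited to 15 characters
            raise ValueError(f"NetBIOS domain too long in {raw!r}")
        return WinRMUser("netbios", user, domain.upper())

    if "@" in name:
        user, domain = name.split("@")
        if not user or not domain:
            raise ValueError(f"missing user or domain in {raw!r}")
        if "." in domain:
            if not _is_dns_name(domain):
                raise ValueError(f"invalid UPN suffix in {raw!r}")
            return WinRMUser("upn", user, domain.lower())
        if not _DNS_LABEL.match(domain):
            raise ValueError(f"invalid shortened UPN suffix in {raw!r}")
        return WinRMUser("short_upn", user, domain.lower())

    return WinRMUser("bare", name, None)


if __name__ == "__main__":
    # Three samples come from the release note; the UPN is constructed.
    for sample in ("admin@example.com", "FINANCECORP\\admin",
                   "admin@financecorpglobal", "financecorpglobal.com\\admin"):
        print(f"{sample!r:35} -> {parse_winrm_username(sample)}")
```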
Released on October 3, 2025
If you’re experiencing connection or stability issues, update to for improved reliability and performance
Keeper Gateway 1.7.1 introduces key enhancements to Keeper Connections, delivering greater compatibility, improved network flexibility, and overall performance gains. This release also resolves an issue where the Gateway was unable to automatically reestablish a cloud connection after a backend Keeper Router Cloud service update.
Released on April 2, 2025
PG-90: Resolved an issue where termination of a single active connection could cause all other open connections to close unexpectedly.
PG-92, PG-94: Resolved an issue where the gateway was unable to automatically reestablish connectivity after a backend Keeper Router Cloud service update.
Other minor improvements and stability fixes
Released on Nov 13, 2025
Keeper Gateway 1.7.4 delivers major improvements in stability and performance for Keeper Connections and Discovery, along with additional feature enhancements and bug fixes.
Major performance and stability improvements with Keeper Connections and Discovery
PG-60: Added a Linux folder build specification to support gateway deployments in locked-down environments without /tmp access
DR-949: Added password propagation to IIS Application Pool log-on credentials. Detection of the log-on credentials is automatically picked up and managed by or through Keeper Commander's command.
PG-77: Added support for SSH keys requiring passphrases. To connect to a resource using a PAM User record that holds the SSH private key, create a new hidden field called "Private Key Passphrase". The name of this field must match exactly.
PG-88: Improved docker installer command
DR-1127 & DR-1122: Optimized discovery graph checking when adding resources and users
PG-81: Added support for RHEL 9 Gateway docker image
PG-132: Gateway now refuses connection if Gateway is overloaded
DR-1128: Improved date parsing in LDAP user search
PG-133: Improved CPU performance on Windows Gateway
PG-40: Fixed issue where a Router restart caused the Windows Gateway service to stop
DR-1115: Fixed issue where Rotation fails for Windows local for non admin records
PG-89: Fixed issue with Docker permissions when installing the gateway with the docker installer command
PG-91: Fixed issue where installing hangs on Ubuntu Kerberos installation
The Keeper Gateway is a service that is installed on any Docker, Linux or Windows machine in order to execute rotation, discovery, connection and tunneling
Released on February 2, 2024
DR-537 IAM Rotation in GovCloud: Fixed an issue where IAM client rotation in GovCloud required specifying a region to switch endpoints, differing from commercial AWS behavior.
DR-541 WinRM Executable Fix: Addressed a problem in the 'make executable' code for WinRM by correcting the regular expression match group, preventing 'no such group' exceptions.
DR-539 Improved Sudoer Error Message: Enhanced the error message for users not in the sudoers file, making it more descriptive and actionable.
PG-118: Fixed issue where Linux Gateway goes offline after repeated interactions
PG-125: Fixed Session Recording delays on Windows Gateway
PG-131: Fixed delays in connection closures
Released on February 13, 2025
Get started by setting up your KeeperPAM sandbox! Visit to begin.
KeeperPAM is now available for all customers.
For more information on KeeperPAM, visit the following:
- manage all rotations directly from the Vault UI
- instantly and securely access assets within their target infrastructure
- use native apps for establishing remote access
- protect web-based apps
Improved Windows Gateway installer user experience
Resolved issue where the Windows Gateway doesn't start due to a service account login issue
Released on July 10, 2023
Local Connections Settings are now cached
Better management of connection details (shell path, shell type, sudo password requirements, etc.) to better associate PAM records with their gateways
Optimization & necessary refactoring of code to reduce API calls
General Improvements
Escaped the '{' character for macOS 'su' expect script due to it being a special character in expect.
Added 'echo' before getting the user list in macOS to avoid output pre-pending issues.
Fixed finding Linux shell if the SHELL environment variable is not set.
Released on October 9, 2025
Keeper Gateway 1.7.2 improves gateway stability and configuration reliability by fixing reconnection issues after network disruptions and adding validation for the KEEPER_GATEWAY_AI_BASE_URL setting.
PG-115: Resolved an issue where the gateway goes offline and fails to reconnect upon network disruptions
Other minor improvements and stability fixes
PG-112: Added validation to ensure a protocol is included in the KEEPER_GATEWAY_AI_BASE_URL configuration.
Released on June 16, 2025
Note: Version 1.5.4 was immediately updated to 1.5.5 on June 19 after resolving a critical bug. Please ensure you are running v1.5.5.
Added support for IPv6 connection targets
Added health checks for service monitoring
Added support for copying files over WinRM using chunked transfers
Improved startup performance of Windows gateways
Improved consistency of Windows gateway auto-updates
Reduced log file verbosity
Fixed issue with v1.5.4 where the service stops after 5 minutes on Windows
Resolved issue where users received a “The service did not start due to a logon failure” error during Gateway installation, even when the provided service password was correct
Resolved issue where managed service accounts on Windows gateway did not start the gateway service due to logon failures
Resolved issue where rotations were not honoring custom symbols configured in password complexity
For instructions on installing or updating your Keeper Gateway, visit this page:
Released on November 18, 2023
GovCloud Compatibility: This version of the Keeper Gateway ensures full compatibility with GovCloud customers requiring EC encryption.
Custom Fields for advanced Gateway Configurations: shell, Private Key Rotate
Expanded Private Key Beyond RSA Format
Additional Key Support: Besides the previously supported RSA private keys, added support for ed25519, ecdsa, and dss private keys, aligning with algorithms backed by ssh-keygen.
Key Rotation: Private key rotation now uses the algorithm and bit size of the current key for generating a new one. A custom text field "Private Key Type" is introduced to specify a desired algorithm.
Added Virtual Resource for the
There is an issue where, if the admin credential is not set and the NOOP flag is set to TRUE, the resource UID is set to None/blank, breaking the resource hierarchy and potentially leading to provider misidentifications. To resolve this issue, a virtual resource will be generated instead.
Minor bug fixes and improvements
Released on July 24, 2025
Keeper Gateway v1.0.0 is the first official release of the Keeper Gateway.
The Keeper Gateway is a lightweight service that is installed on any Windows, Linux or macOS machine in order to execute rotation, discovery and connection tasks.
For installation steps and more information on the Keeper Gateway, visit:
How to install the Preview version of the Keeper Gateway
Keeper maintains a "Preview" channel release of the Keeper Gateway. Customers are welcome to install the Preview version which is published a few days ahead of full public release.
Changed Azure integration tests to provision Python in the Azure Instance Extension.
Addressed issues in Azure tests related to creating AD users via the provisioning script. AD Admin doesn't have privileges on the local machine to change local user passwords.
Resolved a problem where the Linux subprocess didn't like the 'type' command, now attempts 'which' first and then 'type'.
Improved efficiency by shifting the IP address collection process from the gateway to the connection as part of the existing setup
Implemented lazy loading of the gateway record which requires the IP addresses. If the connection settings are not cached, a local connection will be established and the connection setting cache will be filled.
Overrode the password property to allow for lazy loading if the password has not been loaded yet. If a connection requests the gateway password and the gateway record has not been loaded, it will load it and then return the password from the record.
Local connections will now check if the gateway has cached connection settings. If it does, it will set those values in the connection. If not, the connection will proceed with the standard setup, copying the connection settings into the gateway upon completion.
If the local connection's password is blank, the connection will retrieve the password from the gateway.
Implemented queues and loggers for the CLI thread to streamline operations.
Added an optional output to queue for the CLI thread, increasing flexibility.
Made modifications to stop messages and prompt command updates.
Introduced the CLI thread runner for better management of operations.
Enabled the Windows service to use the CLI thread runner, providing better integration and functionality.
Adjusted the system to use the Windows service thread for PyInstaller, enhancing compatibility.
Integrated the use of a process pool executor for gateway actions to improve performance and responsiveness.
Enabled Keeper Gateway command line and service to use a single binary, simplifying the system and reducing potential issues
Improved Error Messages
Prevented display of raw exception messages by creating a global method to handle exceptions for AWS & Azure
For databases, a global exception handler was created and refined to handle different database engines
Updated the "retype" prompts to be less specific to account for differences based on Linux OS versions or the service the password is being changed within
Exception messages for Linux/macOS password interaction were modified.
PG-7: Resolved an issue where some connections were failing to launch in Japan (JP), Canada (CA), and Australia (AU) regions
Other minor improvements and bug fixes
DR-953: Updated to Python 3.12
DR-915: Add additional command-line tools in the production Docker image
paramiko from ==3.0.0 to >=3.4.0
oracledb from ==1.2.2 to >=1.4.0
Minor bug fixes and improvements
Private Key Rotation Control: Added a custom field "Private Key Rotate" that lets users control if the private key should be rotated.
- monitor usage for all privileged sessions
- discover and onboard resources and accounts into Keeper
- controlling privilege across your fleet of devices
- PAM enforcement policies to enable and configure PAM feature permissions
Resolved issue where RBI sessions were failing to start even when RBI was allowed on PAM config
Resolved issue where upon installing a new gateway, one-time access token is still prompted even with previous gateway configurations
Resolved an issue where gateway dependent processes did not terminate properly when the Keeper Gateway was shut down
Other minor improvements and bug fixes
PG-124: Ephemeral JIT users were not cleaned up properly when a session was closed abnormally
PG-113: Long RBI sessions (over 24 hours) caused the gateway to stop responding to new requests
PG-126: Gateway logs were getting too large when debug mode was enabled
Released on June 28, 2023
Scripts Field Feature - New Feature
Introduced support for the scripts field.
MariaDB Connector C Build Improvements
macOS: Utilized Homebrew for installation of mariadb-connector-c.
Linux: Required the Python module cmake for cloning and building the mariadb-connector-c repo, specifically version 3.3.
Released on September 1, 2023
Gateway Configuration with an AWS EC2 Instance
An IAM Role Policy can be created and assigned to an EC2 Instance in order to provide the Keeper Gateway service with the required permissions to retrieve the necessary configuration from the AWS Key Management Service (KMS). This method eliminates the need for storing a configuration file on the disk, and instead, stores the configuration file in your AWS KMS.
Updates to handle Non-UTF8 Encoding
Added functionality to ignore bad characters during decoding, addressing potential encoding mismatches, especially with Windows.
Removed the AD Organizational Unit (OU) Check
Released on July 7th, 2025
Keeper Gateway 1.6.0 provides significant performance improvements in connections and sessions in Docker installations.
Changes are required to use Keeper Gateway 1.6 as documented below. There are a few known issues with version 1.6 that are outlined in the section. For any connectivity issues in Japan (JP), Canada (CA), and Australia (AU) regions, upgrade your gateway to
requests to >=2.28.2 due to a conflict with keeper-secrets-manager-core.
Updated the version of msal in the DR-Controller.
Additional Unix Shell Support
Expanded shell support to include BASH, ZSH, ASH, Dash, CSH, and TCSH.
Implemented command history prevention for these shells. If the system's shell is not supported, it will still function, but the command history will not be prevented.
Added feature to handle repeated new/re-enter password prompts for password changes, particularly for Linux boxes joined to OpenLDAP servers and using Linux PAM.
PowerShell Management
Fixed an issue where a PowerShell instance remained open after password rotation on a local machine.
Made local Windows connection less CPU intensive by reducing constant output polling and improving prompt detection.
Fixed issue with Microsoft's Azure extension requiring a reboot due to a .NET update in Chocolatey, which was breaking Windows instance provisioning.
Reconnection Management
Limited reconnection attempts to approximately 6 hours for other connection failures.
Sudo Prompt Fix
Included Linux sudo prompt in the list of allowed responses to prevent sudo failures in Linux when a password is required.
Fixed issue where the sudo prompt in STDERR was causing false-positive error detection.
macOS Command Hang
Fixed command freezing issue in the gateway due to the use of ZSH for the local connection on macOS. Switched the shell back to BASH to resolve the issue.
Process Pool for Actions
Made software compatible with new async-repl.
Replaced thread pool with process pool for actions.
Clean Password Constraints
Identified and addressed an issue where a password, specifically for PostgreSQL, would not have illegal characters removed. This occurred when rotating a user, as the object would be a PAM User record which has no constraints for password.
Removed the OU check feature as it was not performing as expected.
Handle Nologin User Shell
Implemented measures to detect and handle instances with a /sbin/nologin shell or false, searching for a supported shell instead.
Enforced the overriding of the SHELL variable in the spawned shell to prevent inconsistencies.
Clean Up Rotation Action Processes, Use Environment Variable Options
Moved log configuration to process initializer for better control.
Excluded process information in job debug messages temporarily.
Added the ability to obtain command-line parameters from environment variables, providing more flexible configuration options.
Created constants to guide the retrieval of parameters from environment variables.
Prioritized command-line parameters over environment variables to ensure consistency in configurations.
Add MAC_CONFIG_PATH Variable and Permissions Settings
Introduced a MAC_CONFIG_PATH variable pointing to the configuration file for enhanced readability.
Added explicit permission settings for directories and configuration files to bolster security.
Improved Reconnection Strategy
Modified the system to continue reconnection attempts if the WebSocket response code is 500 or greater. Reused reconnection code for HTTP status codes less than 500.
Websocket Client Updates
Modified the 'create_dispatcher' method to choose the correct dispatcher based on SSL configuration, addressing issues when connecting to routers without SSL.
Logging Improvements
Improve Error Messages
Continued refinement of error messages to enhance the user experience and enable more effective troubleshooting.
Logging Configuration: Restricted the allowance of multiple configurations for logging to prevent conflicts and potential errors.
Custom Field for better record management in post-rotation: Records Control
Added command length verification
Command Length Limitation: Added checks to ensure that commands in post-rotation do not exceed the byte limit specific to the shell (e.g., 8192 bytes for Windows CMD).
Fixed issue where the user parameter was not being set in the Base64 encoded JSON object for Post Rotation Scripts
Eliminated the redundant user parameter from _generate_params function, as it's already available in the object.
Fixed Illegal Characters for Oracle
Added @ to the list of illegal characters to meet Oracle's input requirements. Other characters such as single quotes were also added for SQL safety.
Fixed Gateway Permission Settings for Non-English Windows
Modified permission settings logic to work correctly on Windows systems using languages other than English.
Fixed Windows Shell Detection
Delayed setting the command prompt until after the shell type is definitively determined, therefore resulting in fixing issues when the shell is not PowerShell.
Improved handling of Shell Responses
Stream Handling: Improved the response stream handling for slow systems on Linux and macOS by waiting for a known prompt.
Character Stream Cleanup: Added several clean-up steps to the character stream to remove extraneous characters and control codes.
Updated Gateway Logs to include Post Rotation Script Output when Debug flag is set
Debug Block: A new debug block that logs details of the script, its success status, and STDOUT/STDERR.
Secret Redaction: Ensured that secret or sensitive information is redacted from the logs.
Resolved issue where LDAP connections through tunnels terminate abruptly when SSL port (636) is used
Resolved issue where configured password complexity rules are being ignored
Resolved issue where OS field was not Case-Sensitive
Resolved issue where incorrect CPU architecture was being used during Windows installation
Resolved issues with Session recordings on the Windows Gateway
Localization improvements
Improved Error Handling
Other minor improvements and bug fixes
Executing the following command will update the Keeper Gateway container to the latest version and restart the service:
Executing the following command will upgrade the Keeper Gateway to the latest version:
To upgrade, stop the service, install the latest version and then start the service.
Back up your gateway-config.json configuration file
Run the latest Keeper Gateway installer
During installation DO NOT select "Enter a Keeper One-Time Access Token".
docker compose pull
docker compose down
docker compose up -d
curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s --
Performance Enhancements: Major performance improvements for session handling, delivering a smoother, faster experience across RDP, SSH, and Remote Browser Isolation protocols.
After upgrading to Keeper Gateway 1.6.0 and deploying via Docker, you must update your docker-compose.yaml and docker-seccomp.json files:
The following needs to be added to the security_opt section of docker-compose.yaml:
The keeper-gateway service section in your docker-compose.yaml now looks like the following:
The docker-seccomp.json file needs to be replaced. Please use the below file:
Alternatively, you can use the following curl command:
We are aware of certain environments causing connection errors in the CA/JP/AU regions. We have identified the issue and we will be publishing an update with version 1.6.1. If you are experiencing an issue, revert to the gateway 1.5.6 image.
When upgrading Windows servers, if you receive any errors during install, please perform a reboot prior to installing the new version. This ensures that all running processes are stopped.
Docker running on Ubuntu Linux has a known issue with RBI. We are planning a 1.6.1 release to address this. A temporary fix is running the below command on the Ubuntu host in addition to the above Docker changes
Only the Docker version of the Keeper Gateway 1.6 contains major speed improvements. The Windows gateway and Linux binary version will be updated in the next release.
If you need to revert your Keeper Gateway version, update your docker-compose.yml file to use the keeper/gateway:1.5.6 image instead of keeper/gateway:latest.
The web vault and desktop app provide the previous docker-seccomp.json and docker-compose.yml files when creating a new gateway. We are pushing a new vault version 17.3 which provides the updated versions. In the meantime, please follow the on installing the Docker version.
Released on June 6th, 2023
Updated the Windows installer to incorporate service account support and introduced new options to reset permissions and assign user access IDs.
Enhanced file and config permissions handling: included checks for additional users, verification of added permissions, and automated corrections for mismatching identities.
Improved command-line functionality: added the "create-config-dir" command, adjusted 'fix-config' and log permissions based on users without access.
Improved codebase: refactored the permissions setting code, moved Windows utility functions and constants to 'utils.windows', and created 'utils.posix' for managing posix permissions.
Installer enhancements: included 'waituntilterminated' option for inno-setup commands, added a prompt for service uninstall before new installation on Windows, and handled older Python compatibility by removing type from dataclass.
Debugging and logging: provided a way to show subprocess command and output, improved subprocess command logging, and ensured logging includes any file permission checks.
Account handling: validated service account and created 'service-account.txt' for storing service account details.
Enhanced MariaDB Connector C build process across macOS, Linux, and Windows.
macOS: Utilized Homebrew for installation of mariadb-connector-c.
Linux: Required the Python module cmake for cloning and building the mariadb-connector-c repo, specifically version 3.3.
Windows: No changes required, the existing setup works smoothly.
Implemented Kerberos and NTLM support to Windows Remote Management (WinRM), with automatic usage of Kerberos if user format meets certain conditions. Also included a custom field to override automatic usage based on issues.
Included libkrb5-dev and libmariadb-dev as dependencies for Kerberos and MariaDB modules respectively.
Introduced host mapping for providers, enabling the use of aliases for hostnames or IPs, particularly useful for Kerberos in Discovery.
Expanded shell support to include BASH, ZSH, ASH, Dash, CSH, KSH, TCSH, and Fish, improving compatibility across different systems and preventing command history logging.
Implemented a feature that handles password changes requiring repeated new/re-enter password prompts, particularly useful for Linux boxes joined to OpenLDAP servers and using Linux PAM.
Replaced hardcoded text values in the code with Enum constants, improving code readability and maintenance.
Fixed an issue where a PowerShell instance remained open after a local machine password rotation was completed. Adjustments have been made to ensure that connections close appropriately once done.
Enhanced the logging feature by including the Process ID (PID) of each spawned PowerShell. This allows for easier debugging, making it possible to match any lingering PowerShell instances to the PIDs in the log.
Updated the testing suite to include the PID in local connection responses, further improving traceability and troubleshooting capabilities.
Refactored the handling of AWS region names and Azure resource groups, ensuring consistent behavior and improved reliability.
Now, if the region name (or resource groups) is in an unknown state or not of the expected string or list type, it is set to an empty array.
Additionally, unit tests were added to validate these conditions, and existing unit tests were reorganized for better readability.
apparmor=unconfined
keeper-gateway:
  platform: linux/amd64
  image: keeper/gateway:latest
  shm_size: 2g
  security_opt:
    - seccomp:./docker-seccomp.json
    - apparmor=unconfined
curl -O https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/gateway/docker-seccomp.json
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
Improved the unit test suite for Kerberos authentication, including the creation of a WinRM instance that joins a domain.
Modified the logging mechanism to include Process ID (PID) in log messages for better process-message association.
Added MariaDB in requirements.txt to resolve utf-8 encoding issue in Windows.
PG-161: Fixed an issue where the Windows Gateway uses too many file handles
PG-160: Fixed a file descriptor leak from failed WebRTC session initialization
DR-1136: Back tick symbol is added to the list of illegal passwords for rotations
DR-1137: Password rotations fail immediately during initialization when Windows Performance Counters are corrupted or unavailable
Released on February 6, 2024
DR-542 PowerShell Command Scope Limitation: Limited PowerShell command to local admin groups by default to improve startup reliability.
DR-545 Sensitive Data Logging Removal: Removed logging of sensitive information (username, password, one-time token) during Windows installation, enhancing security.
DR-546 Pin MSGraph to 0.2.2: Fixed issues caused by MSGraph 1.0.0 release by pinning to version 0.2.2.