Import and Export Data

Commands for importing and exporting vault records, folders and teams permissions.

Commands

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.

To get help on a particular command, run:

help <command>

Import and Export Commands

import command

Command: import

Detail: Import data to Keeper from a local file or other password managers.

Parameters:

Path of file to import from.

*note: in file paths, backslash "\" needs to be escaped by using two in a row "\\"

Switches:

--format <{json, csv, keepass, lastpass, myki, manageengine, 1password, bitwarden, thycotic, proton}> file format (required)

--folder <FOLDER PATH OR UID> import into a specified folder

--filter-folder <FOLDER NAME> only import the specific folder from the source vault

-s, --shared import folders from file as shared folders

-p, --permissions <PERMISSIONS> default shared folder permissions if importing folders as shared

folders

  • U - manage users permission granted

  • R - manage records permission granted

  • E - edit records permission granted

  • S - share permission granted

  • A - all permissions granted

  • N - no permissions granted

-dc, --display-csv show instructions for importing using the CSV format

-dj, --display-json show instruction for importing using JSON format

--record-type <RECORD TYPE NAME> import all records as the specified type

--dry-run display records to be imported without importing them

--show-skipped display skipped records

--update update records with common login, url or title

Examples:

import C:\\records.csv --format csv
import C:\\records.csv --format csv --folder social
import C:\\shared-records.json --format json -s -p A
import C:\\lastpass\\passwords.csv --format lastpass
import --display-csv
import C:\\records.csv --format csv --record-type login
import --format=thycotic https://hostname/SecretServer
import --format=thycotic username@hostname --update --dry-run
  1. Import records from a "records" CSV file into the vault

  2. Import records from a "records" CSV file into the "social" folder

  3. Import records from a "shared-records" json file, importing and folders as shared folders with all permissions granted

  4. Import passwords from a Lastpass export file

  5. Show instructions and example for importing using CSV

  6. Import records from a "records" CSV file as login type records

  7. Import records from Thycotic/Delinea Secret Server using full URL

  8. Import records from Thycotic/Delinea Secret Server using username/hostname syntax

Additional import instructions are documented below.

Ensure that you upgrade to the latest version of Commander to support all import methods.

export command

Command: export

Detail: Export vault data to a file or the console

Parameters:

File name to export to, or nothing to export to console stdout

Switches:

--format <{json, csv, keepass}> file format

The keepass format is encrypted and can not be exported to the CLI. Keepass exports must be output to file.

--max-size <SIZE> maximum size of file attachment to export

  • format: number followed by "K","M","G" (Kilobyte, Megabyte, Gigabyte respectively)

  • e.g. "100k" , "10M" , "2G"

-kp, --keepass-file-password <PASSWORD> if exporting in keepass format, set the file's password

--zip Create ZIP archive for file attachments. JSON only

--folder <FOLDER NAME OR UID> select a folder as the export source

--store-in-vault Stores exports file as a record attachment. Keepass only

Examples:

export my-vault.csv --format csv
export --format json --max-size 10K
export keeper.kdbx --format keepass -kp 9EqfhCqbym-w
export socials.csv --format csv --folder "Socials"
  1. Export the vault in CSV format to a file named "my-vault"

  2. Export the vault in JSON format to the console, ignoring any file attachments over 10 KB

  3. Export the vault in keepass format to a file named "keeper" and set the file's password

  4. Export the records in the "Socials" folder

download-membership command

Command: download-membership

Detail: Download shared folder membership to a local JSON file.

Switches:

--source <{keeper, lastpass, thycotic}> (required)

--folders-only Unload shared folder membership only. Skip team membership.

--sub-folder <{ignore, flatten}> (optional, default ignore) Thycotic/Delinea Secret Server allows shared folder permission to be overwritten by the subfolders. This option controls how these folders are imported.

  • ignore Subfolder permissions are ignored. Folder structure is preserved.

  • flatten Such subfolders are moved to the root of the vault. Folder permissions are preserved.

This command will reach out to the source password vault (either the current Keeper vault, remote LastPass vault or remote Thycotic/Delinea Secret Server), retrieve Team and Shared Folder file structure, and then create a local JSON file containing this structure. The filename generated locally will be called shared_folder_membership.json.

This file can then be used for subsequently sharing folders with Keeper users and teams. The sharing operation is performed by executing the apply-membership command.

Examples:

download-membership --source=lastpass
apply-membership

or

download-membership --source=thycotic
apply-membership

or

download-membership --source=keeper
apply-membership

Sample Permission File

After executing download-membership, the resulting JSON file contains information about the teams, user-team assignments and shared folder permissions. An example file is below. This example file contains 3 teams, and 3 shared folders. The 3rd shared folder exists within a regular folder.

{
  "teams": [
    {
      "name": "AWS Team",
      "uid": "A-XXiApbEBMeqMbfcHMbyQ",
      "members": [
        "user1@company.com",
        "user2@company.com",
        "user3@company.com",
        "user4@company.com",
        "user5@company.com"
      ]
    },
    {
      "name": "Secrets Managers",
      "uid": "EqLqF_D7qO6zOs_9OxfWiw",
      "members": [
        "user5@acme-demo.com",
        "user6@acme-demo.com",
        "user7@acme-demo.com"
      ]
    },
    {
      "name": "Social Media",
      "uid": "yIKS09TaqxESMwRym4aMkQ",
      "members": [
        "craig@acme-demo.com",
        "jack@acme-demo.com",
        "randy@acme-demo.com",
        "shiela@acme-demo.com"
      ]
    }
  ],
  "shared_folders": [
    {
      "path": "Amazon AWS",
      "uid": "aWaqKbSTaLTmpKlVeusrow",
      "manage_users": true,
      "manage_records": true,
      "can_edit": true,
      "can_share": true,
      "permissions": [
        {
          "name": "AWS Team",
          "manage_users": true,
          "manage_records": true,
          "uid": "A-XXiApbEBMeqMbfcHMbyQ"
        },
        {
          "name": "Secrets Managers",
          "manage_users": true,
          "manage_records": true,
          "uid": "EqLqF_D7qO6zOs_9OxfWiw"
        },
        {
          "name": "craig@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "jack@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "PR Social ",
      "uid": "d4iVESSPVvuXBJtlkDzWzg",
      "manage_users": false,
      "manage_records": false,
      "can_edit": false,
      "can_share": false,
      "permissions": [
        {
          "name": "Social Media",
          "manage_users": false,
          "manage_records": false,
          "uid": "yIKS09TaqxESMwRym4aMkQ"
        },
        {
          "name": "craig@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "shiela@acme-demo.com",
          "manage_users": true,
          "manage_records": true
        }
      ]
    },
    {
      "path": "Outer Regular Folder\\Inner Shared Folder",
      "uid": "0VBh9NNDm4eyhHqnXI0OeA",
      "manage_users": false,
      "manage_records": false,
      "can_edit": false,
      "can_share": false,
      "permissions": [
        {
          "name": "user1@company.com",
          "manage_users": true,
          "manage_records": true
        },
        {
          "name": "user2@company.com",
          "manage_users": true,
          "manage_records": true
        }
      ]
    }
  ]
}

apply-membership command

Command: apply-membership

Detail: Apply shared folder membership changes from a local JSON file. This command is used alongside the download-membership command.

Switches:

--full-sync force full sync of shared folder permissions. Permissions are only added by default

The apply-membership command will look for a JSON file (defaults to shared_folder_membership.json) that contains sharing permissions.

The reason for separating the downloading and applying of membership, is so that you can apply the membership changes as new Keeper users or teams are onboarded. The apply-membership command can be run over and over, or whenever a new Keeper user account or team is created. Shared folder membership will be applied to any new corresponding user accounts and teams.

Folders can only be shared to users and teams that exist (because the public key must be used to encrypt the folder keys).

Examples:

apply-membership --full-sync

or

apply-membership my_permission_file.json

download-record-types command

Command: download-record-types

Detail: Download custom record types to a JSON file.

Switches:

--source <{keeper, thycotic}> (required)

This command will reach out to the source password vault (either Keeper or Thycotic/Delinea Secret Server), retrieve custom record types (Secret Server calls it secret templates), and then create a local JSON file containing this information. The filename generated locally will be called record_types.json.

This file can then be used for subsequently loading custom record types to Keeper. The record types loading operation is performed by executing the load-record-types command.

--ssh-key-as-file

Thycotic/Delinea Secret Server stores SSH keys as file attachments. Keeper stores SSH keys on a record. If you would like to preserve Thycotic/Delinea Secret Server behavior (imported SSH keys from Secret Server will be stores as file attachments) use this option.

Examples:

download-record-types --ssh-key-as-file 

or

download-record-types my_record_types_file.json

load_record_types command

Command: load-record-types

Detail: Load custom record types from a JSON file into Keeper.

Detail: Load custom record types from a local JSON file. This command is used alongside the download-record-types command.

The load_record_types command will look for a JSON file (defaults to record_types.json) that contains custom record types and loads missing record types into Keeper.

Examples:

load-record-types

or

load-record-types my_record_types_file.json

Detailed Import Instructions

Step by step instructions are documented for migrating data and importing into Keeper from the following sources:

Exporting Records from Keeper

To export records from your vault, use the export command. Supported export formats:

JSON export files contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions. CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions. Keepass files contain records, file attachments, folders and subfolders.

Keepass Export

$ keeper export --format=keepass test.kdbx

You can optionally provide the keepass encrypted file password through command line option --keepass-file-password

This flag will only apply when --format=keepass is set. The Master Password is required for Keepass export - if none provided you will be asked during export, and your input will be masked.

$ keeper export --format=keepass --keepass-file-password=file_password_here test.kdbx

Last updated