Import and Export Data
Commands for importing and exporting vault records, folders and teams permissions.
Commands
Keeper Command Reference
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Import and Export Commands
import command
Command: import
Detail: Import data to Keeper from a local file or other password managers.
Parameters:
Path of file to import from.
*note: in file paths, backslash "\" needs to be escaped by using two in a row "\\"
Switches:
--format <{json, csv, keepass, lastpass, myki, manageengine, 1password, bitwarden, thycotic, proton}> file format (required)
--folder <FOLDER PATH OR UID> import into a specified folder
--filter-folder <FOLDER NAME> only import the specific folder from the source vault
-s, --shared import folders from file as shared folders
-p, --permissions <PERMISSIONS> default shared folder permissions if importing folders as shared
folders
U - manage users permission granted
R - manage records permission granted
E - edit records permission granted
S - share permission granted
A - all permissions granted
N - no permissions granted
-dc
, --display-csv
show instructions for importing using the CSV format
-dj
, --display-json
show instruction for importing using JSON format
--record-type
<RECORD TYPE NAME> import all records as the specified type
--dry-run
display records to be imported without importing them
--show-skipped
display skipped records
--update
update records with common login, url or title
Examples:
Import records from a "records" CSV file into the vault
Import records from a "records" CSV file into the "social" folder
Import records from a "shared-records" json file, importing and folders as shared folders with all permissions granted
Import passwords from a Lastpass export file
Show instructions and example for importing using CSV
Import records from a "records" CSV file as login type records
Import records from Thycotic/Delinea Secret Server using full URL
Import records from Thycotic/Delinea Secret Server using username/hostname syntax
Additional import instructions are documented below.
Ensure that you upgrade to the latest version of Commander to support all import methods.
export command
Command: export
Detail: Export vault data to a file or the console
Parameters:
File name to export to, or nothing to export to console stdout
Switches:
--format
<{json, csv, keepass}> file format
The keepass
format is encrypted and can not be exported to the CLI. Keepass exports must be output to file.
--max-size
<SIZE> maximum size of file attachment to export
format: number followed by "K","M","G" (Kilobyte, Megabyte, Gigabyte respectively)
e.g. "100k" , "10M" , "2G"
-kp
, --keepass-file-password
<PASSWORD> if exporting in keepass format, set the file's password
--zip
Create ZIP archive for file attachments. JSON only
--folder
<FOLDER NAME OR UID> select a folder as the export source
--store-in-vault
Stores exports file as a record attachment. Keepass only
Examples:
Export the vault in CSV format to a file named "my-vault"
Export the vault in JSON format to the console, ignoring any file attachments over 10 KB
Export the vault in keepass format to a file named "keeper" and set the file's password
Export the records in the "Socials" folder
download-membership command
Command: download-membership
Detail: Download shared folder membership to a local JSON file.
Switches:
--source <{keeper, lastpass, thycotic}> (required)
--folders-only Unload shared folder membership only. Skip team membership.
--sub-folder <{ignore, flatten}> (optional, default ignore) Thycotic/Delinea Secret Server allows shared folder permission to be overwritten by the subfolders. This option controls how these folders are imported.
ignore Subfolder permissions are ignored. Folder structure is preserved.
flatten Such subfolders are moved to the root of the vault. Folder permissions are preserved.
This command will reach out to the source password vault (either the current Keeper vault, remote LastPass vault or remote Thycotic/Delinea Secret Server), retrieve Team and Shared Folder file structure, and then create a local JSON file containing this structure. The filename generated locally will be called shared_folder_membership.json
.
This file can then be used for subsequently sharing folders with Keeper users and teams. The sharing operation is performed by executing the apply-membership
command.
Examples:
or
or
Sample Permission File
After executing download-membership, the resulting JSON file contains information about the teams, user-team assignments and shared folder permissions. An example file is below. This example file contains 3 teams, and 3 shared folders. The 3rd shared folder exists within a regular folder.
apply-membership command
Command: apply-membership
Detail: Apply shared folder membership changes from a local JSON file. This command is used alongside the download-membership command.
Switches:
--full-sync force full sync of shared folder permissions. Permissions are only added by default
The apply-membership
command will look for a JSON file (defaults to shared_folder_membership.json) that contains sharing permissions.
The reason for separating the downloading and applying of membership, is so that you can apply the membership changes as new Keeper users or teams are onboarded. The apply-membership command can be run over and over, or whenever a new Keeper user account or team is created. Shared folder membership will be applied to any new corresponding user accounts and teams.
Folders can only be shared to users and teams that exist (because the public key must be used to encrypt the folder keys).
Examples:
or
download-record-types command
Command: download-record-types
Detail: Download custom record types to a JSON file.
Switches:
--source <{keeper, thycotic}> (required)
This command will reach out to the source password vault (either Keeper or Thycotic/Delinea Secret Server), retrieve custom record types (Secret Server calls it secret templates), and then create a local JSON file containing this information. The filename generated locally will be called record_types.json.
This file can then be used for subsequently loading custom record types to Keeper. The record types loading operation is performed by executing the load-record-types
command.
--ssh-key-as-file
Thycotic/Delinea Secret Server stores SSH keys as file attachments. Keeper stores SSH keys on a record. If you would like to preserve Thycotic/Delinea Secret Server behavior (imported SSH keys from Secret Server will be stores as file attachments) use this option.
Examples:
or
load_record_types command
Command: load-record-types
Detail: Load custom record types from a JSON file into Keeper.
Detail: Load custom record types from a local JSON file. This command is used alongside the download-record-types command.
The load_record_types
command will look for a JSON file (defaults to record_types.json) that contains custom record types and loads missing record types into Keeper.
Examples:
or
Detailed Import Instructions
Step by step instructions are documented for migrating data and importing into Keeper from the following sources:
Exporting Records from Keeper
To export records from your vault, use the export
command. Supported export formats:
JSON
CSV
Keepass (see additional install instructions)
JSON export files contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions. CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions. Keepass files contain records, file attachments, folders and subfolders.
Keepass Export
You can optionally provide the keepass encrypted file password through command line option --keepass-file-password
This flag will only apply when --format=keepass
is set. The Master Password is required for Keepass export - if none provided you will be asked during export, and your input will be masked.
Last updated