PowerShell Module

Installing the Keeper Commander PowerShell Module

Overview

A version of Keeper Commander is developed in .Net with a PowerShell module. This is published to the PowerShell Gallery as the PowerCommander module. This document provides instructions for installing and using this PowerShell Module.

PowerShell CLI

Keeper's PowerShell command-line tool (PowerCommander) provides basic vault access and administrative functions.

PowerShell module for Keeper Commander is available on the PowerShell Gallery:

LogoPowerCommander 1.0.7nuget

PowerShell Gallery Install

To install PowerCommander from PowerShell Gallery:

Install-Module -Name PowerCommander

GitHub Repository

To run the PowerCommander module from the source, refer to the following GitHub Link:

https://github.com/Keeper-Security/keeper-sdk-dotnet/tree/master/PowerCommander

Installation Troubleshooting

Set Execution Policy Permissions

If you are unable to run PowerCommander commands, you may need to set the Execution Policy. To check this, run the following command:

PS> Get-ExecutionPolicy -List

Your output would be similar to this:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine       Undefined

If the Scope for your installation is Undefined or Restricted, set it to Unrestricted with the following command:

PS> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Note: The above command sets the CurrentUser scope

Logging in with Biometric Authentication

If biometric authentication is configured on your device, you can use Windows Hello to log in to Keeper Commander. This allows you to bypass both the Master Password and two-factor authentication (2FA) for a faster, secure login experience.

For Windows users, ensure Windows Hello is configured:

  • Navigate to Settings > Accounts > Sign-in options > Windows Hello

  • Set up Face recognition, Fingerprint, or PIN

Register Biometric Authentication

First, login to Keeper Commander with your Master Password (or SSO), then register biometric authentication:

PS>Register-KeeperBiometricCredential -PassThru
Biometric Credential Creation for Keeper
Please complete Windows Hello verification to create the credential...
Credential ID stored for user: <user>
Credential created successfully
Success! Biometric authentication "<user>" has been registered.
Please register your device using the "Set-KeeperDeviceSettings -Register" command to set biometric authentication as your default login method.

Name                           Value
----                           -----
Username                       <user>
Timestamp                      26-09-2025 08:01:08
DisplayName                    <user>
CredentialId                   ...W25xo-z_9QyWdti5CsQ
Success                        True

Biometric authentication prompt (fingerprint or Face ID) will be displayed.

Register by authenticating with your fingerprint or faceID when prompted by the system.

With successful fingerprint or faceID authentication the registration will be completed:

Attempting keeper biometric authentication...
Verification completed successfully!

Device Registration

To use biometric authentication as your default login method, you must register your device

PS > Set-KeeperDeviceSettings -Register

PowerCommander Commands

Login Commands

Cmdlet name
Alias
Description

Connect-Keeper

kc

Login to Keeper

Disconnect-Keeper

kq

Logout and clear the data

Biometric Login Commands

Cmdlet name
Alias
Description

Register-KeeperBiometricCredential

Registers a new biometric credential (Windows Hello/WebAuthn)

Assert-KeeperBiometricCredential

Checks if a biometric credential exists for the current user

Show-KeeperBiometricCredentials

Lists all biometric credentials registered for the current user

Unregister-KeeperBiometricCredential

Removes the biometric credential from the current user

Record Commands

Cmdlet name
Alias
Description

Connect-Keeper

kc

Login to Keeper server

Sync-Keeper

ks

Sync with Keeper server

Disconnect-Keeper

Logout and clear the data

Get-KeeperLocation

kpwd

Print current Keeper folder

Set-KeeperLocation

kcd

Change Keeper folder

Get-KeeperChildItem

kdir

Display subfolder and record names in the current Keeper folder

Get-KeeperObject

ko

Get Keeper object by UID

Get-KeeperRecord

kr

Enumerate all records

Add-KeeperRecord

kadd

Add/Modify Keeper record

Remove-KeeperRecord

kdel

Delete Keeper record

Get-KeeperSharedFolder

ksf

Enumerate all shared folders

Move-RecordToFolder

kmv

Move records to Keeper folder

Add-KeeperFolder

kmkdir

Create Keeper folder

Edit-KeeperFolder

Remove-KeeperFolder

krmdir

Remove Keeper folder

Get-KeeperRecordType

krti

Get Record Type Information

Copy-KeeperToClipboard

kcc

Copy record password to clipboard

Show-TwoFactorCode

2fa

Display Two Factor Code

Copy-KeeperFileAttachment

kda

Download file attachments

Copy-KeeperFileAttachmentToStream

Download file attachement to stream

Copy-FileToKeeperRecord

Upload file attachment to a record

Get-KeeperInformation

kwhoami

Print account license information

Get-KeeperDeviceSettings

Print the current device settings

Set-KeeperDeviceSettings

this-device

Modifies the current device settings

Get-KeeperPasswordVisible

Show/hide secret fields setting

Set-KeeperPasswordVisible

Sets whether password fields should be visible or not

New-KeeperRecordType

Add a new custom Keeper Record Type.

Edit-KeeperRecordType

Update an existing custom Keeper Record Type.

Remove-KeeperRecordType

Delete a custom Keeper Record Type by its ID.

Import-KeeperRecordTypes

Imports custom record types into Keeper from a JSON file.

Export-KeeperRecordTypes

Downloads custom record types from Keeper Vault to a JSON file.

Get-KeeperRecordPassword

Gets the password from a Keeper record by name, title, UID, or record object.

Get-KeeperPasswordReport

Generate comprehensive password security report for Keeper records.

Sharing Cmdlets

Cmdlet name
Alias
Description

Show-KeeperRecordShare

kshrsh

Show a record sharing information

Grant-KeeperRecordAccess

kshr

Share a record with user

Revoke-KeeperRecordAccess

kushr

Remove record share from user

Move-KeeperRecordOwnership

ktr

Transfer record ownership to user

Grant-KeeperSharedFolderAccess

kshf

Add a user or team to a shared folder

Revoke-KeeperSharedFolderAccess

kushf

Remove a user or team from a shared folder

Get-KeeperAvailableTeam

kat

Get available teams

Get-KeeperOneTimeShare

kotsg

Get One-Time Shares for a record

New-KeeperOneTimeShare

kotsn

Create One-Time Share

Remove-KeeperOneTimeShare

kotsr

Remove One-Time Share

Enterprise Cmdlets

Cmdlet name
Alias
Description

Sync-KeeperEnterprise

ked

Sync Keeper enterprise information

Get-KeeperEnterpriseNode

ken

Enumerate all enterprise nodes

Get-KeeperEnterpriseUser

keu

Enumerate all enterprise users

Get-KeeperEnterpriseTeam

ket

Enumerate all enterprise teams

Get-KeeperEnterpriseTeamUser

ketu

Get a list of enterprise users for team

New-KeeperEnterpriseNode

kena

Create Node (new)

Add-KeeperEnterpriseUser

invite-user

Invite User to Enterprise (new)

Lock-KeeperEnterpriseUser

lock-user

Lock Enterprise User

Unlock-KeeperEnterpriseUser

unlock-user

Unlock Enterprise User

Move-KeeperEnterpriseUser

transfer-user

Transfer user account to another user

Remove-KeeperEnterpriseUser

delete-user

Delete Enterprise User

Get-KeeperEnterpriseRole

ker

Enumerate all enterprise roles (new)

Get-KeeperMspLicenses

msp-license

Return MSP licenses

Switch-KeeperMC

switch-to-mc

Switch to Managed Company (new)

Switch-KeeperMSP

switch-to-msp

Switch back to MSP (new)

Get-KeeperManagedCompany

kmc

Enumerate all enterprise managed companies

New-KeeperManagedCompany

kamc

Create Managed Company

Remove-KeeperManagedCompany

krmc

Remove Managed Company

Edit-KeeperManagedCompany

kemc

Edit Managed Company

Get-MspBillingReport

Run MSP Billing Report

Get-KeeperNodeName

Return Name of current Enterprise Node

Get-KeeperRoleName

Get Display Name of Enterprise Role

New-KeeperEnterpriseTeam

Create an enterprise team

Get-KeeperEnterpriseRoleUsers

Get a list of enterprise users for a role

Get-KeeperEnterpriseRoleTeams

Get a list of enterprise teams for a role

Get-KeeperEnterpriseAdminRole

Get a list of Administrator Permissions

Remove-KeeperEnterpriseTeamMember

Removes existing enterprise users from a Keeper team.

Add-KeeperEnterpriseTeamMember

Adds existing enterprise users to a Keeper team.

Secret Manager Cmdlets

Cmdlet name
Alias
Description

Get-KeeperSecretManagerApp

ksm

Enumerate all Keeper Secret Manager Applications

Add-KeeperSecretManagerApp

ksm-create

Add a Keeper Secret Manager Application

Remove-KeeperSecretManagerApp

Delete a Keeper Secret Manager Application

Grant-KeeperSecretManagerFolderAccess

ksm-share

Add a shared folder to KSM Application

Revoke-KeeperSecretManagerFolderAccess

ksm-unshare

Remove a Shared Folder from KSM Application

Add-KeeperSecretManagerClient

ksm-addclient

Add a client/device to KSM Application

Remove-KeeperSecretManagerClient

ksm-rmclient

Remove a client/device from KSM Application

Grant-KeeperAppAccess

Grant Keeper Secret Manager Application Access to a user

Revoke-KeeperAppAccess

Revoke Keeper Secret Manager Application Access from a user

BreachWatch Commands

Cmdlet name
Alias
Description

Get-KeeperBreachWatchList

List passwords which are breached based on breachwatch

Test-PasswordAgainstBreachWatch

check a given password against breachwatch passwords

Set-KeeperBreachWatchRecordIgnore

Ignore a given record from breachwatch alerts

Get-KeeperIgnoredBreachWatchRecords

list ignored breachwatch records

Biometric Login Support Commands

Cmdlet name
Alias
Description

Register-KeeperBiometricCredential

Registers a new biometric credential (Windows Hello/WebAuthn)

Assert-KeeperBiometricCredential

Checks if a biometric credential exists for the current user

Show-KeeperBiometricCredentials

Lists all biometric credentials registered for the current user

Unregister-KeeperBiometricCredential

Removes the biometric credential from the current user

Additional Commands

Not all capabilities of Keeper Commander (Python) have been added to the PowerShell module. We add them on request by customers. If you have requests for our engineering team, please email [email protected].

Examples

Connect To Keeper Account

PS > Connect-Keeper
     Keeper Username: [email protected]
        ... Password:

List the content of Keeper folder

PS > kdir

    Vault Folder: \


Mode    UID                      Name
----    ---                      ----
f-----  b3TMAYfOWJqNxeLjlA6v_g   dasdasd
f----S  BvHeHGkdRJfhGaRcI-J5Ww   shared
-r-AO-  5qx_urh2EsrL0wBdi34nFw   Web
-r---S  ktY3jEBqwFDi9UYZSxmIpw   Control

  • f - folder

  • r - record

  • S - shared

  • A - file attachments

  • O - owner

Show Two Factor Code for all records in the current Keeper folder

PS > kdir -ObjectType Record | Show-TwoFactorCode

Show Two Factor Code for all records in the Vault.

PS > kr|2fa

where

  • kr is alias for Get-KeeperRecord

  • 2fa is alias for Show-TwoFactorCode

Copy record password to clipboard

PS > 'contro' | kcc

where

  • contro is a substring of the record title. See last entry of kdir output in example #2

  • kcc is alias for Copy-KeeperToClipboard

or

PS > 'ktY3jEBqwFDi9UYZSxmIpw' | kcc

'ktY3jEBqwFDi9UYZSxmIpw' is the Record UID of the same record

Add/Modify Keeper record

PS > kadd -Title 'Record for John Doe' -GeneratePassword [email protected] url=https://company.com 'User Name=John Doe'

creates a legacy record in Keeper

PS > kadd -RecordType login -Title 'Record for John Doe' -GeneratePassword [email protected] url=https://company.com 'User Name=John Doe'

creates a record of login type in Keeper

PS > $address = @{"street1" = "123 Main St."; "city" = "Neitherville"; "state" = "CA"; "zip" = "12345"}
PS > kadd -RecordType address -Title 'Home Address' -address $address phone.Home='(555)123-4567' name="Doe, John"
PS > kadd -Uid <RECORD UID> -GeneratePassword

generates a new password for existing record

Pre-defined fields supported by both legacy and typed records

  • login Login

  • password Password

  • url Website Address

Copy owned record to folder

PS > Get-KeeperChildItem -ObjectType Record | Move-RecordToFolder 'Shared Folder'

copies all records in the current Keeper folder to the folder with name 'Shared Folder'

List all enterprise users

PS > Get-KeeperEnterpriseUser

Create a new Managed Company

PS> New-KeeperManagedCompany -Name "Company Name" -PlanId enterprisePlus -Allocated 5

Switch to a new Managed Company

PS> switch-to-mc "Company Name"

Previous.Net Commander CLINextBiometric Login

Last updated

Was this helpful?