Overview of Keeper Secrets Manager (KSM) for IT Admins, DevOps & Developers
Keeper Secrets Manager (KSM) provides your DevOps, IT Security and software development teams with a fully cloud-based, Zero-Knowledge platform for managing all of your infrastructure secrets, such as API keys, database passwords, access keys, certificates and any other type of confidential data.
Common use cases for Secrets Manager include:
Removing hard-coded credentials from source code
Replacing configuration file secrets
Pulling secrets into CI/CD systems like Jenkins, GitHub Actions and more
Protecting access to privileged passwords, API keys and other managed secrets
Providing vault access to machines and applications
Automatically rotating passwords, service account credentials and cloud identities
No hosted software or VMs to configure and manage (100% Cloud-based)
Secure and user-friendly Web Vault and Browser Extensions for secrets management
Automated password rotation across any target user or machine
Powerful native Mobile and Desktop Applications for every device type and OS
Admin Console for managing enforcement policies, users, teams and provisioning
SAML 2.0 and Master Password user login methods
Shared passwords and secrets among Teams and individual users
Simple and fast deployment methods
Developer-friendly SDKs for the most popular programming languages and environments
Built for all users - not just DevOps!
Advanced Reporting & Alerts for audit and compliance
Integration with Slack and Microsoft Teams
Dedicated 24/7 support
SOC2, ISO27001 certified
FIPS 140-2 validated
FedRAMP Authorized and StateRAMP Authorized
This quick start guide will get you set up with Keeper Secrets Manager.
The basic steps of setting up Secrets Manager are shown in the video below.
pip version 21+ (included with Python)
First, we need to follow a few steps to enable Secrets Manager for your Keeper account.
To activate your trial of Keeper Secrets Manager, login to the Admin Console and click on "Secrets Manager".
Create a Keeper account role that will be used by Secrets Manager users. Keeper account roles can be created in the Admin Console.
Click "Add Role" to create a new role, give it a name like "Secrets Managers".
Enable Application Access for roles in the Keeper Secrets Manager enforcement policies.
Select the Role
Open Enforcement Policies
Choose Keeper Secrets Manager tab
Enable Keeper Secrets Manager policy
In this exercise you will set up Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.
Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
In the Keeper Web Vault or Desktop App user interface, create a Shared Folder and then add Secrets to the folder.
Create a shared folder
Click "Create New" and choose "Shared Folder"
Enter a name and click "Create" to create a new shared folder.
With the new shared folder selected, click the "Create New" button and select "Record" to create a new record inside the shared folder.
In the Keeper Vault, navigate to the Secrets Manager tab to see a list of Secrets Manager applications. Then click "Create Application".
Enter a name for the new Secrets Manager Application
Next choose the shared folder(s) to share with the new Application. The Application will only have access to the records in the selected folder(s).
You can choose to give the Application Read Only or Write access to the Vault records, and choose if the first Secrets Manager Client Device should be locked to the first IP address that accesses Secrets Manager. (More on Client Devices below)
Click "Generate Access Token" to create the Application and automatically create the first Secrets Manager Client Device.
When a Secrets Manager Application is created in the Keeper Vault, a Secrets Manager Client Device is also created.
When a Client Device is created, a One-Time Access Token is generated and displayed. You will need this One-Time Access Token later in the guide. Copy or download the token to use later.
The One-Time Access Token will not be shown again once the dialog is closed. New Client Devices can be created to generate more tokens.
Once the Secrets Manager Application is created, more Client Devices can be created for the Application.
Secrets Manager is now set up and ready to use!
Next we'll view the secrets from the Keeper Vault shared with Secrets Manager using the Secrets Manager CLI.
When launching the CLI in Windows or macOS via the UI, the CLI runs in a shell mode. The ksm command is still available from the command line.
The Linux binary is a plain executable and should be moved to a directory in the PATH.
If you prefer to install using pip3 and Python3, use the commands below:
If pip3 is not installed on your system, make sure to install Python3. For example, using yum:
Initialize the CLI using the One-Time Access Token obtained above.
To retrieve a list of all secrets, use the ksm secret list command:
The CLI should show a list of secrets shared with the Secrets Manager Application.
Schedule time with the Secrets Manager team to discuss your use case
If preferred, Secrets Manager can be set up using Keeper's command line tool Commander instead of the Keeper Vault. Follow these steps to set up Secrets Manager using Keeper Commander.
In some cases, Commander is needed to enable Secrets Manager for a Keeper role. To do this, use the following command:
Replace "Keeper Admin" with the name of any role you would like to enable Secrets Manager for.
Run Keeper Commander by typing keeper shell, then log in with your Keeper email:
After logging in:
Create a Secret
Create a Shared Folder
Move the secret into the Shared Folder.
Example commands are shown below:
Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history.
In the example below, replace XXX with the Shared Folder UID or Record UID from your vault.
A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.
Create a client device to generate a One Time Access Token, which is used to initialize a device.
Secrets Manager is now set up and ready to use!
Select a section to learn more about Keeper Secrets Manager
Keeper Secrets Manager Security and Encryption Model
Keeper Secrets Manager is a Zero-Knowledge platform. Encryption and decryption of secrets takes place locally on the Client Device running the ksm application, the CI/CD plugins or the developer SDK.
The local configuration file (e.g. keeper.ini) for the ksm application has the following format:
This file should be protected on your local filesystem. It contains keys that can authenticate with the Keeper API and decrypt the secrets that have been explicitly associated with the Application and Client Device.
The Client Device only authenticates with the hashed One Time Access Token one time. The client signs the payload and registers a Client Device Public Key with the server on the first authentication. After the first authentication, subsequent requests are signed with the Client Device Private Key.
API requests to the Keeper Cloud are sent with a Client Device Identifier and a request body that is signed with the Client Device Private Key. The server checks the ECDSA signature of the request for the given Client Device Identifier using the Client Public Key of the device.
The Client Device decrypts the ciphertext response from the server with the Application Private Key, which decrypts the Record Keys and Shared Folder Keys. The Shared Folder Keys decrypt the Record Keys, and the Record Keys decrypt the individual Record secrets.
By default, when creating a Client Device profile, IP lockdown is enabled.
For example:
The client that initializes using this token will be locked to its IP address. To disable IP lockdown, an additional parameter must be specified, for example:
It is recommended to keep IP lockdown enabled unless you are deploying to an environment with a dynamic WAN IP.
Keeper utilizes best-in-class security with a Zero-Knowledge security architecture and Zero-Trust framework. Technical documentation about Keeper's Zero-Knowledge encryption model can be found at the links below:
Keeper is SOC 2 Type 2, ISO27001 certified. Customers may request access to our certification reports and technical architecture documentation under mutual NDA.
Keeper Secrets Manager is part of the . With millions of users worldwide, Keeper Password Manager + Keeper Secrets Manager provides numerous benefits over using Hashicorp Vault, Delinea, Cyberark and other "legacy" Secrets Management products:
Superior Zero-Knowledge encryption model ()
Ready to get started with Keeper Secrets Manager? .
Secrets Manager is available for Business accounts. If you are not a Keeper customer yet, you can from our website.
You'll need the ability to install (3.6+)
(Make sure you can )
Follow the links below to access the Keeper Admin Console: US: EU: AU: CA: JP: US_GOV:
(Or open > Login > Admin Console)
From here, Secrets Manager can be set up using the Keeper Vault or Keeper Commander. The following instructions show the steps for using the Keeper Vault. For Commander CLI steps, see .
See the to create additional Client Devices and One-Time Access Tokens.
Secrets Manager has and many which can be used to access secrets.
For this example we will use the tool (ksm) to fetch and view secrets from the Keeper Vault.
The latest binary release can be found on the . Download the installer based on your operating system and click to install, or unarchive, to use.
If the KSM profile is not initialized successfully, the One Time Access Token may have expired. Try to generate a new One-Time Access Token.
For more detailed usage information about the Secrets Manager CLI, see the page.
Congratulations! You have completed the basic setup.
Learn about integrating Keeper Secrets Manager with your software using the
Learn more about the
Learn about accessing secrets from CI/CD systems with
Have questions? Contact
See the for installation instructions.
Keeper Commander can be used to perform many Secrets Manager actions. For more detailed usage information about the Secrets Manager commands see the
From this point forward, follow the to access Secrets using Secrets Manager and complete this guide.
Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program. Please submit reports through or send an email to security@keepersecurity.com.