Commands for importing and exporting vault records, folders and team permissions.
Whether you use the interactive shell, the CLI or a JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Import and Export Commands
Command | Explanation |
---|---|
import | Import data from a local file or other password managers |
export | Export vault records |
download-membership | Download shared folder memberships |
apply-membership | Apply shared folder membership changes |
download-record-types | Download custom record types |
load-record-types | Load custom record type into Keeper |
Command: import
Detail: Import data to Keeper from a local file or other password managers.
Parameters:
Path of file to import from.
*note: in file paths, backslash "\" needs to be escaped by using two in a row "\\"
Switches:
--format <{json, csv, keepass, lastpass, myki, manageengine, 1password, bitwarden, thycotic, proton}> file format (required)
--folder <FOLDER PATH OR UID> import into a specified folder
--filter-folder <FOLDER NAME> only import the specific folder from the source vault
-s, --shared import folders from file as shared folders
-p, --permissions <PERMISSIONS> default shared folder permissions if importing folders as shared folders
U - manage users permission granted
R - manage records permission granted
E - edit records permission granted
S - share permission granted
A - all permissions granted
N - no permissions granted
-dc, --display-csv show instructions for importing using the CSV format
-dj, --display-json show instructions for importing using the JSON format
--record-type <RECORD TYPE NAME> import all records as the specified type
--dry-run display records to be imported without importing them
--show-skipped display skipped records
--update update records with common login, url or title
Examples:
Import records from a "records" CSV file into the vault
Import records from a "records" CSV file into the "social" folder
Import records from a "shared-records" JSON file, importing folders as shared folders with all permissions granted
Import passwords from a LastPass export file
Show instructions and example for importing using CSV
Import records from a "records" CSV file as login type records
Import records from Thycotic/Delinea Secret Server using full URL
Import records from Thycotic/Delinea Secret Server using username/hostname syntax
Additional import instructions are documented below.
Ensure that you upgrade to the latest version of Commander to support all import methods.
Command: export
Detail: Export vault data to a file or the console
Parameters:
File name to export to, or nothing to export to console stdout
Switches:
--format <{json, csv, keepass}> file format
The keepass format is encrypted and cannot be exported to the CLI. Keepass exports must be output to a file.
--max-size <SIZE> maximum size of file attachment to export
format: number followed by "K","M","G" (Kilobyte, Megabyte, Gigabyte respectively)
e.g. "100k" , "10M" , "2G"
-kp, --keepass-file-password <PASSWORD> if exporting in keepass format, set the file's password
--zip Create ZIP archive for file attachments. JSON only
--folder <FOLDER NAME OR UID> select a folder as the export source
--store-in-vault Stores the export file as a record attachment. Keepass only
Examples:
Export the vault in CSV format to a file named "my-vault"
Export the vault in JSON format to the console, ignoring any file attachments over 10 KB
Export the vault in keepass format to a file named "keeper" and set the file's password
Export the records in the "Socials" folder
Command: download-membership
Detail: Download shared folder membership to a local JSON file.
Switches:
--source <{keeper, lastpass, thycotic}> (required)
--folders-only Unload shared folder membership only. Skip team membership.
--sub-folder <{ignore, flatten}> (optional, default ignore) Thycotic/Delinea Secret Server allows shared folder permission to be overwritten by the subfolders. This option controls how these folders are imported.
ignore Subfolder permissions are ignored. Folder structure is preserved.
flatten Such subfolders are moved to the root of the vault. Folder permissions are preserved.
This command will reach out to the source password vault (either the current Keeper vault, remote LastPass vault or remote Thycotic/Delinea Secret Server), retrieve Team and Shared Folder file structure, and then create a local JSON file containing this structure. The filename generated locally will be called shared_folder_membership.json.
This file can then be used for subsequently sharing folders with Keeper users and teams. The sharing operation is performed by executing the apply-membership command.
Examples:
or
or
After executing download-membership, the resulting JSON file contains information about the teams, user-team assignments and shared folder permissions. An example file is below. This example file contains 3 teams, and 3 shared folders. The 3rd shared folder exists within a regular folder.
Command: apply-membership
Detail: Apply shared folder membership changes from a local JSON file. This command is used alongside the download-membership command.
Switches:
--full-sync force full sync of shared folder permissions. Permissions are only added by default
The apply-membership command will look for a JSON file (defaults to shared_folder_membership.json) that contains sharing permissions.
Downloading and applying membership are separate steps so that you can apply the membership changes as new Keeper users or teams are onboarded. The apply-membership command can be run over and over, or whenever a new Keeper user account or team is created. Shared folder membership will be applied to any new corresponding user accounts and teams.
Folders can only be shared to users and teams that exist (because the public key must be used to encrypt the folder keys).
Examples:
or
Command: download-record-types
Detail: Download custom record types to a JSON file.
Switches:
--source <{keeper, thycotic}> (required)
This command will reach out to the source password vault (either Keeper or Thycotic/Delinea Secret Server), retrieve custom record types (Secret Server calls it secret templates), and then create a local JSON file containing this information. The filename generated locally will be called record_types.json.
This file can then be used for subsequently loading custom record types to Keeper. The record types loading operation is performed by executing the load-record-types command.
--ssh-key-as-file
Thycotic/Delinea Secret Server stores SSH keys as file attachments. Keeper stores SSH keys on a record. If you would like to preserve Thycotic/Delinea Secret Server behavior (imported SSH keys from Secret Server will be stored as file attachments), use this option.
Examples:
or
Command: load-record-types
Detail: Load custom record types from a local JSON file into Keeper. This command is used alongside the download-record-types command.
The load-record-types command will look for a JSON file (defaults to record_types.json) that contains custom record types and loads missing record types into Keeper.
Examples:
or
Step by step instructions are documented for migrating data and importing into Keeper from the following sources:
To export records from your vault, use the export command. Supported export formats:
JSON
CSV
Keepass (see additional install instructions)
JSON export files contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions. CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions. Keepass files contain records, file attachments, folders and subfolders.
You can optionally provide the keepass encrypted file password through the command line option --keepass-file-password. This flag will only apply when --format=keepass is set. The Master Password is required for Keepass export. If none is provided, you will be asked during export, and your input will be masked.
Migration of CyberArk secrets to Keeper
Please see the documentation posted at the link below:
Automatic migration of your LastPass vault and shared folders
This document outlines the process for automatically and seamlessly migrating LastPass data into Keeper. Keeper supports automatic import of your LastPass vault with Master Password and MFA. Keeper also supports federated logins to LastPass from Okta/Azure/Google, and this is explained in detail below.
LastPass > Keeper Transfer Supported Data:
Transfer of Passwords
Transfer of Folders
Transfer of Shared Folders
Transfer of Shared Folder permissions (users and teams)
Transfer of custom fields, TOTP seeds
Transfer of File Attachments
The steps we recommend for importing an entire organization from LastPass to Keeper are the following:
1. Admin downloads the membership of the Shared Folders data to a JSON file
2. Admin imports their shared folders and non-shared passwords
3. Admin applies shared folder membership (includes permissions) for users who already exist in Keeper
4. End-users migrate their vaults over using the Keeper Desktop application.
5. Admins continue to periodically apply membership as more users join Keeper
Note: Federated logins with SSO from Okta/Azure/Google are supported from the Keeper Desktop Application for the end-users to transfer their vaults. Keeper Commander CLI is used by the administrator and does not support federated login. Please use a LastPass admin account with a Master Password login for performing steps 1-3.
In Keeper Commander, the Keeper/LastPass Administrator will run the following:
This will perform the following 3 functions:
Download all Shared Folder information
Download Shared Folder permissions
This step downloads a file locally called "shared_folder_membership.json" which contains the shared folder structure. The location of this file on Windows is typically C:\Users\username\shared_folder_membership.json. On Linux/Mac, it will be in the location where you run Commander.
The download-membership command basically produces a local file containing the share relationships. You can simply edit this file in a text editor and make any permission changes needed before proceeding to the next step.
In Keeper Commander, the Admin will run the following command to perform the import of shared folders and data.
The first time the import command is run, you may get the following notice that LastPass wants to verify the device from which you are connecting.
Check the email address associated with your LastPass account and click "verify" to allow Keeper to access the records in your LastPass account.
The import command will migrate and populate regular folders, shared folders and records within the folders. This will NOT import the private folders of other users within LastPass. This step will only import the information available to the admin.
End-users will migrate their private LastPass data by using the Keeper Desktop automated import method. See this page for the end-user documentation.
Typed LastPass items are automatically imported as Keeper records with corresponding record types if your Enterprise environment has Record Types activated.
See the LastPass Item Type and corresponding Keeper Record Type in the table below.
LastPass Item Type | Keeper Record Type |
---|---|
Bank Account | Bank Account |
Credit Card | Bank Card |
Address | Address |
Driver's License | Driver's License |
Passport | Passport |
Social Security | SSN Card |
Health Insurance | Health Insurance |
Insurance | Health Insurance |
Membership | Membership |
Email Account | Login |
Instant Messenger | Login |
Database | Database Credentials |
Server | Server Credentials |
SSH Key | SSH Keys |
Software License | Software License |
See Record Types for more information about Keeper Record Types
If a folder is shared with another user or team in LastPass, the import will apply the same sharing permissions to Keeper teams with the same name, and Keeper users with the same email address.
Shared folder permissions can be applied again if a new Keeper user or team is added after the initial import.
To assign Share Permissions to your imported passwords from LastPass, use the apply-membership command:
This will read the file called "shared_folder_membership.json" from Step 1 and apply the shared folder permissions for any users and teams which exist in the Keeper enterprise environment. This command is safe to run over and over again, and it will not generate duplicates.
Explanation: When users are invited/created through SSO or your invitation process, their public keys are created. Therefore, Keeper cannot apply membership until the users exist.
For this reason, the Keeper Admin needs to run the "apply-membership" command on a daily basis, hourly, or on demand, when users are created in Keeper.
If you would like to be notified as soon as users migrate to Keeper, use the Advanced Reporting & Alerts module in the Keeper Admin Console to set up an Alert when a user has been created.
The Keeper Admin will invite users through one of the following methods:
Just-in-time provisioning through SSO login
Invite through the Admin Console
SCIM
When the user registers to create their vault, they will generate a public/private key pair. At this point, they will be able to receive shared folders, as outlined in the next step.
For transferring the user's LastPass private folders and records, we recommend directing the user to install the Keeper Desktop application.
Here's the link to the public / latest version:
To automatically deploy Keeper Desktop to your users through group policy, see:
Once users create their Keeper vaults, they can then be added to a team and/or a folder. The next time that the Admin runs the apply-membership command, any new Keeper users will receive access to their Shared Folders.
You can run apply-membership repeatedly as more users are onboarded to Keeper. It will apply the memberships to users that exist in Keeper.
Due to the number of steps, we recommend performing a pilot test with a few users before rolling out to the entire organization.
If you have any questions please contact your Keeper sales engineer or email commander@keepersecurity.com.
If your LastPass email domain has changed and you would like to transition to a new email domain when transferring share permissions, you can use the --old-domain and --new-domain optional parameters. Example below:
The LastPass download-membership command applies the shared folder permissions from LastPass users to your Keeper shared folders, but the permission settings can be overridden during membership download.
To override the "manage records" and "manage users" permissions for all users on all imported shared folders, use the --permissions or --restrictions options.
--permissions allows the permission(s) for all users on all imported shared folders.
--restrictions denies the permission(s) for all users on all imported shared folders.
To set "manage records" pass r, for "manage users" pass u, and for both pass ru.
You can optionally make all top level folders shared folders with specified permissions by passing the --shared and --permissions=<PERMISSIONS> flags.
The available permissions options are:
U - manage users permission granted
R - manage records permission granted
E - edit records permission granted
S - share permission granted
A - all permissions granted
N - no permissions granted
Use the letters corresponding to the permissions you want to grant with no spaces or characters in between.
Attachment files can be cached during import so that they do not have to be redownloaded if another import is performed.
To run the import with a file cache, add the --file-cache <DIR> flag. Specify a directory to use as the cache.
To use the cache on a subsequent import, apply the --file-cache flag with the same directory.
Cached attachment files are encrypted.
Keeper records have a size limit of 5MB (excluding attachments). If a record from LastPass is larger than this limit, fields will be converted to a text file, starting with the largest field, until the record is smaller than the limit.
Created attachments are named in the following format:
<title of field>_<type of field>_field.txt
For example a "notes" field titled "Instructions" would be converted to an attachment titled:
Instructions_notes_field.txt
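To predict which fields of an oversized LastPass record will end up as attachments, the rule above can be modelled as follows. This is an added example, not Commander's own code; it assumes record size is the sum of the UTF-8 lengths of the field values and that "5MB" means 5 MiB, and the function name and sample fields are hypothetical.

```python
# Assumption: the documented 5MB limit is read as 5 MiB and applied to the
# summed UTF-8 size of the field values. Commander may measure differently.
LIMIT_BYTES = 5 * 1024 * 1024


def field_size(field):
    """Size in bytes of one (title, type, value) field."""
    return len(field[2].encode("utf-8"))


def plan_field_attachments(fields, limit=LIMIT_BYTES):
    """Model of the documented rule for oversized LastPass records.

    fields is a list of (title, type, value) tuples. Fields are moved to
    attachments, largest first, until the record is smaller than the limit.
    Returns (fields kept on the record, attachment file names).
    """
    total = sum(field_size(f) for f in fields)
    kept = list(fields)
    attachments = []
    for field in sorted(fields, key=field_size, reverse=True):
        if total < limit:
            break
        kept.remove(field)
        total -= field_size(field)
        # Documented name format: <title of field>_<type of field>_field.txt
        attachments.append(f"{field[0]}_{field[1]}_field.txt")
    return kept, attachments


# Constructed sample record, scaled down so it runs with a 500-byte limit.
SAMPLE_FIELDS = [
    ("Instructions", "notes", "x" * 700),
    ("Login", "text", "y" * 50),
    ("Config", "notes", "z" * 400),
]

if __name__ == "__main__":
    kept, names = plan_field_attachments(SAMPLE_FIELDS, limit=500)
    print("attachments:", names)
    print("kept on record:", [title for title, _, _ in kept])
```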
The contents of your LastPass vault can be imported into a specified folder in your Keeper vault. To do this, use the --folder option.
You can limit the import of your LastPass vault to a specific folder in LastPass by using the --filter-folder option. This filters the data from LastPass to ONLY the specific folder on the LastPass side.
If you believe there may be duplicate records in your vault after import, you can use the find-duplicate feature in Commander to locate them.
If you wanted to locate duplicates based on title, login, password for example:
From the output of this report, you can gather a list of record UIDs to delete with the "rm" command.
By default, records are imported into Shared Folders with "Can View" permission. This means that the record is only editable by the owner of the record, and any share admins that have been added to the folder.
To change the permissions of records inside a shared folder (after the import is complete), you can use the record-permission command. For example:
Automatic migration of your Delinea (Thycotic) Secret Server vault
This document outlines the process for automatically and seamlessly migrating Secret Server (Delinea/Thycotic) data into Keeper, including private folders, shared folders, permissions, file attachments and TOTP codes. The migration uses the Secret Server API to automate the process.
Note: A basic import capability is available on the Keeper Web Vault and Desktop App which supports Thycotic XML format. Visit the vault Settings > Import > Thycotic screen. The XML format does not include attachments or permissions. Therefore, we recommend using the automated method as described in this document.
In Secret Server admin settings, ensure Webservices are enabled
Admin -> Configuration -> Edit -> Enable Webservices
In Secret Server admin settings, ensure that "Session Timeout for Webservices" is set to a high enough value, since large vaults will take time to process. For example, 59 minutes.
In Keeper Commander, the Keeper/Thycotic Administrator will run the following:
Prior to running the above code snippet, make sure to:
Verify the base Thycotic URL in your browser
The Username is in the correct format:
If it's an AD user, the format is DOMAIN\username
otherwise username
Executing the above code snippet will perform the following 3 functions:
Download all Shared Folder information
Download Team Membership
Download Shared Folder permissions
This step downloads a file locally called "shared_folder_membership.json" which contains the team and shared folder structure.
Keeper does not yet support folders within shared folders that have different permissions than the parent. The download-membership command provides an option, --sub-folder, to control how these folders are imported.
--sub-folder=ignore preserves folder structure. Folder permissions are ignored.
--sub-folder=flatten moves the folder to the root folder of the Keeper vault as its own shared folder.
Before importing records, we will first create the shared folder structure on the Keeper side. Run the below command:
The TOTP codes stored in Thycotic/Delinea Secret Server can only be retrieved by manually downloading a CSV file. The admin of Secret Server needs to go to Secret Server > Export Secrets and select the following options:
Export Type: Export All
Export Folder Path: Checked
Export TOTP Settings: Checked
Export Format: CSV
Export the file and save it to your home folder, or the folder where Keeper Commander is running. The file will be called "secrets-export.csv" by default.
In Keeper Commander, the Keeper/Thycotic Administrator will run the following command to perform the import of data using the Secret Server API:
This command will take several minutes (or more) to complete, depending on the number of vault records and users. A large Secret Server instance could take 20 minutes or more.
Commander will attempt to build the same folder structure as Secret Server in the admin's Keeper vault.
Commander will also look for the file "secrets-export.csv" in the user's home folder or current Commander folder, for the purpose of importing TOTP codes.
Note 1: This command will import and populate regular folders, shared folders and records within the folders. This will NOT import the private folders of other users within Secret Server. This step will only import the information available to the admin.
Note 2: If a Shared Folder is found within another shared folder with different permission, the shared folder will be moved to the root folder (since Keeper does not support subfolder permissions).
In Keeper Commander, the Keeper/Thycotic Administrator will run the following:
This will read the file called "shared_folder_membership.json" from Step 1 and apply the shared folder permissions for any users and team which exist in the Keeper enterprise environment. This command is safe to run over and over again, and it will not generate duplicates.
Explanation: When users are invited/created through SSO or your invitation process, their public keys are created. Therefore, Keeper cannot apply membership until the users exist.
For this reason, the Keeper Admin needs to run the "apply-membership" command on a daily basis, hourly, or on demand, when users are created in Keeper.
The Keeper Admin will invite users through one of the following methods:
Just-in-time provisioning through SSO login
Invite through the Admin Console
SCIM
When the user registers to create their vault, they will generate a public/private key pair. At this point, they will be able to receive shared folders, as outlined in the next step.
The next time that the Admin runs the apply-membership
command, any new Keeper users will receive access to their Shared Folders.
Due to the number of steps, we recommend performing a pilot test with a few users before rolling out to the entire organization.
If you have any questions please email commander@keepersecurity.com.
Automatic migration of your Keepass vault
Keeper Commander supports importing the record and folder structure directly from an encrypted Keepass file. File attachments are also supported. Make sure to first follow these instructions to install the necessary keepass modules.
You can optionally make all top level folders shared folder objects with default permissions.
For more options, see the help screen:
Automatic migration of your ManageEngine vault
Keeper supports importing the resources and connected accounts directly from a ManageEngine Password Manager Pro server. Importing file attachments from a File Store resource is also supported. You will need a ManageEngine user with API access and a generated token to use this import functionality.
Substitute https://localhost:7272 with your server URL and port. You will then need to enter your ManageEngine API token.
Automatic Migration of your Proton Pass Vault
This document outlines the steps required to seamlessly migrate your Proton Pass Vault data into Keeper.
By default, Proton Pass exports your data as a JSON File. Exporting on Proton Pass is only supported on the Proton Pass Browser Extension.
To export on Proton Pass:
Navigate to settings on your Proton Pass Browser Extension
Click on the Export tab and select Export.
This will export a zip file that contains the JSON file. Keeper Commander gives you the option of providing either the zip file or the JSON file as input.
On Keeper Commander and with the exported zip file, executing the following command will import your Proton Pass Data:
Automatic migration of passwords from a CSV file
Keeper Commander supports .csv text file import using comma separated values. CSV import files can contain data for certain fields, folders, subfolders, shared folders and default shared folder permissions.
Use this order of fields shown below with commas separating each value (and no spaces around the commas). Not all fields are required; some can be left blank.
Position | Column | Value | Description / Format |
---|---|---|---|
1 | A | Folder | FolderName\Subfolder (optional) |
2 | B | Title | Name of the record (required) |
3 | C | Login (Username) | sampleuser |
4 | D | Password | samplepassword |
5 | E | Website Address (URL) | domain.com/login |
6 | F | Notes | notes about this account (optional) |
7 | G | Shared Folder Name | SharedFolderName (optional) |
8 | H | Custom Field 1 Name | |
9 | I | Custom Field 1 Value | otpauth://totp/?secret=ABC123ABC123ABC123ABC123ABC123 |
10 | J | Custom Field 2 Name | |
11 | K | Custom Field 2 Value | login |
Custom fields begin with the name in the 8th field, (column H). The custom field value goes in the next field (column I).
To specify subfolders, use backslash "\" between folder names
To set shared folder permission on the record, use the #edit or #reshare tags as seen below
Enclose fields in quotes for multi-line or special characters
Ensure files are UTF-8 encoded for support of international or double-byte characters
Below is an example csv file that showcases several import features including personal folders, shared folders, subfolders, special characters and multi-line fields.
To import this file as "login" records:
The resulting vault will look like this:
Here is a list of some record types (you may have more if you have custom record types, or less if you are restricting some record types):
Below is a list of all possible field types (including custom fields). You can use these as custom field names, such as $oneTimeCode, as shown below.
Folder | Title | Login | Password | Website Address | Notes | Shared Folder | Custom Field1 Name | Custom Field1 Value | Custom Field2 Name | Custom Field2 Value | Custom Field3 Name | Custom Field3 Value | Custom Field4 Name | Custom Field4 Value |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Folder1\subfolder | My Login Account | user@example.com | liu.W241Q<q$RGl9r;N1 | | main google account | TeamFolder | $oneTimeCode | otpauth://totp/?secret=ABC123ABC123ABC123ABC123ABC123 | $type | login | $host | 10.0.0.1 | $url | |
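The column order and quoting rules above can be applied and checked with a short script before running the import. This is an added example, not part of Commander; the function names and sample records are hypothetical, and it assumes the file carries no header row.

```python
import csv
import io

# Documented order for positions 1-7 (columns A-G); custom field
# name/value pairs start at position 8 (column H).
FIXED = ["folder", "title", "login", "password", "url", "notes", "shared_folder"]


def build_row(record):
    """Turn one record dict into a row in the documented column order."""
    if not (record.get("title") or "").strip():
        raise ValueError("Title (column B) is required")
    row = [record.get(key) or "" for key in FIXED]
    # Subfolders are written as Folder\Subfolder; accept a list of names too.
    if isinstance(record.get("folder"), (list, tuple)):
        row[0] = "\\".join(record["folder"])
    for name, value in record.get("custom", []):
        if not name:
            raise ValueError("custom field name must not be empty")
        row += [name, value]
    return row


def build_import_csv(records):
    """Return UTF-8 bytes; csv quotes multi-line and special-character fields."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    for record in records:
        writer.writerow(build_row(record))
    return buf.getvalue().encode("utf-8")


def check_import_csv(data):
    """Return a list of problems found in an existing CSV import file."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"file is not UTF-8 (byte offset {exc.start})"]
    problems = []
    for n, row in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        if not any(row):
            continue  # blank line
        row = row + [""] * (len(FIXED) - len(row))
        if not row[1].strip():
            problems.append(f"record {n}: Title (column B) is required")
        custom = row[len(FIXED):]
        while custom and custom[-1] == "":
            custom.pop()  # ignore trailing empty cells
        if len(custom) % 2:
            problems.append(f"record {n}: custom field name without a value")
        if any(name == "" for name in custom[0::2]):
            problems.append(f"record {n}: custom field value without a name")
    return problems


# Constructed sample records; values come from the tables above or are made up.
SAMPLE = [
    {
        "folder": ["Folder1", "subfolder"],
        "title": "My Login Account",
        "login": "user@example.com",
        "password": "samplepassword",
        "url": "domain.com/login",
        "notes": "line one\nline two, with a comma",
        "custom": [("$oneTimeCode",
                    "otpauth://totp/?secret=ABC123ABC123ABC123ABC123ABC123")],
    },
    {"title": "Café Wi-Fi", "password": "samplepassword",
     "shared_folder": "SharedFolderName"},
]

if __name__ == "__main__":
    data = build_import_csv(SAMPLE)
    print(data.decode("utf-8"), end="")
    print(check_import_csv(data) or "no problems found")
```

A file that passes these checks can then be run through the import command with --dry-run to display the records without importing them.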
More advanced import options are available using the JSON Import format described in the next section.
Automatic migration of passwords from a JSON file
JSON import files can contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions.
Below is a JSON import file with 2 records. The first record is added to a folder called "My Websites\\Online". The second record is added to "Social Media" and also added to a shared folder called "Shared Social".
The import file example below is an array of record objects which can import into private folders and shared folders. Note in the example that the Facebook record contains a TOTP seed which will render on the Vault user interface and Commander CLI.
Another example below first creates shared folders that are shared to users and teams, then imports records into the shared folders. The format of the file is slightly different and allows you to separate the creation of shared folder objects and records:
The format must be strict JSON or it will fail parsing. To import this file:
There are more complex import file examples that support shared folders, folder permissions, user permissions and team permissions located in the sample_data/ folder. To import the sample JSON file into your vault, type this command:
Example 1: import.json.txt
Example 2: import_records_existing_folders.json.txt
Example 3: import_records_into_folders.json.txt
Example 4: import_shared_folders.json.txt
Example 5: import_shared_folders_and_records.json.txt
The sample file contains "permissions" objects that contain email address or team names. If the email or team name exists in your Keeper enterprise account, they will be added to the shared folder, otherwise the information is ignored.