1 of 100

KeeperPAM and Secrets Manager

Overview

KeeperPAM is a modern, cloud-based Privileged Access Manager

Overview

KeeperPAM is a next-gen privileged access management solution that secures and manages access to critical resources, including servers, web apps, databases and workloads.

KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and a cloud-based access control plane in one unified product.

To learn more about KeeperPAM or sign up for a trial:

About this Documentation

This documentation is broken out into the following sections:

Additional documentation on the Keeper platform can be found here:

KeeperPAM vs. Keeper Connection Manager

KeeperPAM is a cloud-native privileged access solution that requires only a lightweight gateway installation, while Keeper Connection Manager (KCM) is a fully self-hosted solution.

KeeperPAM works through outbound-only connections with zero-knowledge encryption, eliminating the need for inbound firewall rules or direct line-of-sight to resources. In contrast, KCM is fully hosted by the customer with control over the authentication, database, web server, reverse proxy and session recordings.

Customers who purchase KeeperPAM may use either the cloud version (described in this documentation) or the self-hosted connection manager as part of the license.

Features

KeeperPAM provides the following capabilities:

Zero-trust connections launched from the Vault
Tunnels established from the Desktop App for ZTNA
Sharing connections without exposing credentials
Sharing tunnels on a time-limited basis
Built-in SSH Agent for use with and without tunneling
Launching remote browser isolation sessions
Session recording and playback
File transfer with drag-and-drop
Splitting credentials between PAM Resources and PAM Users
Discovery of resources
All new Keeper Gateway setup wizard
Docker-based deployment of the Keeper Gateway
Role-based enforcement policies covering PAM use cases
Event reporting of all PAM activity with SIEM integration

Contact the Keeper Team

If you are an existing customer, your customer success team can activate KeeperPAM in your account.

For technical questions, you can also email pam@keepersecurity.com.

Next Steps

Privileged Access Manager

Setup Steps

Accessing the KeeperPAM platform

Setup Steps

Follow the below steps to start using KeeperPAM.

Keeper Enterprise license

Activate Privileged Access Manager

From the Keeper Admin Console, ensure that your Privileged Access Manager subscription is active. Go to the Admin Console > Subscriptions and activate the trial or contact your Keeper customer success manager.

Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

Login to the Admin Console for your region.
Under Admin > Roles, create a new role for PAM or modify an existing role
Go to Enforcement Policies and open the "Privileged Access Manager" section.
Assign yourself or your test user account to this role.

Existing Customers: Updating your Gateway

This assumes you are an existing customer with Keeper Secrets Manager and you have a Gateway already deployed. Using the latest Keeper Gateway is required to support the new features. Depending on the operating system, features available will differ.

Docker

Use the basic docker-compose.yml file as shown below:

Download the file called docker-seccomp.json and place it in the same folder as your Docker Compose file.

Windows

You'll be asked to confirm uninstalling the previous Gateway, this is OK
Ensure the "Enter one-time access token" selection is NOT selected

Linux

To update an existing Gateway on Linux:

Retrieving the Configuration

If you are replacing an existing Gateway, get the old base64 configuration string from: /etc/keeper-gateway/gateway-config.json on Linux or C:\ProgramData\KeeperGateway\config\gateway-config.json on Windows.

New Customers: Create a new Gateway and Sandbox

Explore new features

Notes

PAM Features differ between Linux, Docker and Windows versions of the Keeper Gateway.
For a full range of features, use the Docker installation method, or Linux installation method on Rocky Linux or RHEL8.

Feedback

Please email us at pam@keepersecurity.com with your feedback and we'll quickly assist you with any questions.

Quick Start: Sandbox

Quickly and easily get started with a pre-configured PAM setup in your vault

Quick Start Wizard

To learn some KeeperPAM basics, we have created a wizard that is integrated into the Vault. If you select the Docker install method, this wizard will create all the necessary vault records, configurations and a customized Docker Compose file for quickly standing up a sandbox environment in less than 3 minutes.

Activate KeeperPAM

Under Admin > Roles, create a new role for PAM or modify an existing role
Go to Enforcement Policies and open the "Privilege Access Manager" section.
Enable all the PAM enforcement policies
Ensure you are assigned to this role

Run the New Gateway Wizard

Click on Create New > Gateway
Enter a name for the project, such as "My Infrastructure Demo"
Select Docker for the gateway
Select "Create with example records"
Click Next
After the wizard is finished, immediately download the provided docker-compose.yml and docker-seccomp.json files.

Run the Docker Environment

Set up a VM which supports Docker. It can be a Linux instance or Windows running Docker Desktop. The instance can exist anywhere, even on your local computer.
Transfer the Docker Compose and Seccomp files from Step 2 to the VM.
Run docker compose up -d from the folder where the files are saved.
- You may need to use a dash, e.g. docker-compose up -d depending on the VM

Test some PAM features

You can now instantly connect to any of the resources by clicking "Launch" from the record detail view.
The MySQL account, SSH password and SSH key can be rotated by clicking "Rotate" from the record detail within the Users folder.
Note: Remote Browser Isolation won't work on some ARM processors

Records Created

The wizard will create the following in your vault:

A folder containing Resources and Users in separate shared folders
A MySQL database
A Linux machine with VNC connection to the desktop UI
A Linux machine with SSH connection using an SSH Key
A Linux machine with SSH connection using a password
A Linux machine with RDP connection to the desktop UI
A Remote Browser Isolation session to bing.com
A Secrets Manager Application and PAM Configuration with all PAM features enabled
A Keeper Gateway ready to initialize

Quick Start Video

We've created a helpful Keeper 101 video to set up your sandbox environment:

Screenshots

Below are screenshots of the Quick Start Wizard from start to finish.

Getting Started

Getting Started with KeeperPAM fundamentals

The Basics

KeeperPAM Features

Secrets Manager Features

Commander CLI Features

Enterprise Password Manager

Architecture

Technical details on the KeeperPAM platform architecture

Overview

KeeperPAM is a Zero-Knowledge platform, ensuring that encryption and decryption of secrets, connections, and tunnels occur locally on the end user's device through the Keeper Vault application. Access to resources in the vault is restricted to users with explicitly assigned permissions, enabling them to establish sessions or tunnels securely.

Keeper's zero-trust connection technology further enhances security by providing restricted and monitored access to target systems without direct connectivity, while never exposing underlying credentials or secrets.

This security content will cover the key areas of KeeperPAM:

Router Security

Security and encryption model of the Keeper Router

Overview

Keeper Router ("Router") is a cloud service hosted in Keeper's cloud environment which facilitates communications between the Keeper backend API, end-user applications (Web Vault, Desktop App, etc.), and Keeper Gateways installed in the user’s environment. The Router is responsible for communications that perform resource discovery, password rotation, timed access and privileged connection management.

How does Keeper Router work?

In traditional or legacy privileged access products, the customer is responsible for installing on-prem software which is difficult to manage and configure in a cloud environment. In Keeper's model, a hosted service (called a Gateway) is installed into the customer's environment which establishes an outbound secure connection to the Keeper Router, enabling bi-directional communication to the Keeper cloud without any network configuration. Keeper Router makes cloud access to on-prem infrastructure easy and secure by utilizing WebSockets for the inbound requests.

With Keeper, WebSockets are established between the end-user device (e.g. Web Vault) and the Keeper Router using the user's current session token. The session token is verified by the Keeper Router to authenticate the session. All encrypted payloads sent to the Keeper Router are wrapped by a 256-bit AES transmission key in addition to TLS, to protect against MITM attacks. The transmission key is generated on the end-user device and transferred to the server using ECIES encryption via the Router's public EC key.

When a user on their Web Vault or Desktop App triggers a password rotation, discovery job or remote connection, the message flow is the following:

Upon installation of the Gateway, it authenticates with the Keeper Cloud using a hashed One Time Access Token one time. The client signs the payload and registers a Client Device Public Key with the server on the first authentication. After the first authentication, subsequent requests are sent to the Keeper Router and signed with the Client Device Private Key.
The Gateway establishes an authenticated WebSocket connection using the Client Device Private Key and ECDSA signature.
The Vault sends a message to the Keeper Router with a command to execute (rotation, tunnel, discovery, connection) and authenticates the command using the user's active session token.
The Vault only transmits command and control messages, for example: Rotate UID XXX. No secret information is communicated between Vault and Router. The Router authenticates the command using the session token of the record's rotation configuration to validate the user's request.
The Router relays the command to the destination gateway through the existing WebSocket connection.
The Gateway uses Keeper Secrets Manager "update" commands to update the user's vault with any password or discovery job updates.

The Keeper Router architecture is Zero Knowledge, and Keeper's infrastructure never has the ability to access or decrypt any of the customer's stored vault data.

Keeper Router Architecture

The Router consists of two logical deployments that work together - the Head and the Workers.

The Router is hosted in Keeper’s AWS cloud environment, isolated to each of the global regions (US, EU, CA, AUS, JP, and US Gov).

The Head is not exposed to the internet, and performs the following functions:

Synchronization of global state between Workers
Inter-worker communication
Scheduling of events (e.g. rotation, discovery and connection requests)

The Workers connect to the Head via WebSocket and also use REST API calls to retrieve information. The Workers perform the following functions:

Communication with Gateways
Communication with Keeper end-user applications
Communication with Keeper backend API
Communication with Head

Workers are scaled and load balanced in each Keeper environment. Access to the Keeper Router is established through a common URL pattern in each region:

US: https://connect.keepersecurity.com

EU: https://connect.keepersecurity.eu

AU: https://connect.keepersecurity.com.au

CA: https://connect.keepersecurity.ca

JP: https://connect.keepersecurity.jp

US GOV: https://connect.keepersecurity.us

The end-user device will always communicate through the same Router instance. When the end-user vault connects to the Router system, a communication exchange is performed to ensure that the vault is communicating to the desired gateway. Once the Gateway communication is established, a Cookie is stored locally on the user's browser which expires automatically in 7 days. This Cookie is only used to establish a sticky session with the target Router instance, and does not contain any secret information.

Each Gateway device is associated with a unique UID. The Gateway UID is stored within an encrypted “PAM Configuration” record in the administrator's vault. This way, the Keeper vault record knows which Gateway must be used to perform the requested rotation, discovery or connection features.