Quick start guide to Keeper Password Rotation
Rotation is a feature of Keeper Secrets Manager ("KSM"). Once you have activated Keeper Secrets Manager on your account, you can enable the Rotation feature for specific roles.
Log in to the Keeper Admin Console for your tenant.
Go to Admin > select a Role (or create new Role) > Enforcement Policies > Secrets Manager
Enable both policies:
Enable Keeper Secrets Manager: This activates the Secrets Manager functionality in the Vault, which is needed for rotation.
Manage Keeper Rotation: This allows users to deploy gateway and configure rotation for privileged access records in their vaults.
Rotation can also be enabled on the Keeper Commander CLI using the enterprise-role command. The enterprise-role command allows you to manage enforcement policies.
Prior to enabling rotation, you need to enable the KSM feature for a role:
After enabling KSM, you can enable the Rotation feature for the same role with:
After enabling Keeper Rotation on a role, 4 new record types become available in your vault. Users in that role will be able to create the following new record types:
PAM User: Contains a login / password, a private key, or both.
PAM Directory: Information about your on-prem or cloud-based directory.
PAM Database: Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.
PAM Machine: Windows, Linux and macOS machines, on-prem or in the cloud.
All 4 record types can be added in the Vault, placed in folders, and shared like any other Keeper records. These records can be shared with non-privileged Keeper users, but they cannot be rotated unless the user has the "Manage Keeper Rotation" role enforcement policy enabled.
For more information on these record types and the role they play in rotation, visit: Record Type Details
When rotation is activated, within the Secrets Manager screen of the vault you'll see a section called PAM Configurations. A PAM Configuration is an object which contains the following:
Environment: Local Network, AWS or Azure.
Keeper Gateway: Service which you install into your on-prem or cloud infrastructure.
Application Folder: Shared Folder which contains the Secrets Manager application and associated records.
Administrative Credentials: Keeper record which contains the privileged credentials used for performing rotation and discovery.
Customers may have any number of PAM Configurations, Applications and Gateways.
The basic steps to rotation of passwords in any target environment are:
Create a Shared Folder in the vault
Add PAM Directory, PAM Database or PAM Machine records to the Shared Folder
Add PAM User records to the Shared Folder
Create a Secrets Manager application
Assign the Secrets Manager application to the Shared Folder
Set the shared folder permissions from Read Only to Can Edit
Add a Keeper Gateway to the Secrets Manager application
Create a PAM Configuration which ties everything together
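As an added illustration of the steps above (this is not Keeper's code or API; the class names, field names and sample values are assumptions made for this example), the following Python pre-flight check models the prerequisites this guide lists, including the two role enforcement policies from the first section and the rule that a shared PAM record cannot be rotated without the "Manage Keeper Rotation" policy, and reports which step is still missing. It shows a folder left at Read Only with no gateway beside the same folder after the remaining steps are completed.

```python
"""Pre-flight check for a Keeper rotation setup (added example, not Keeper's own code).

The data model below is an assumption made for illustration: it represents the
prerequisites from the quick start guide as plain Python objects so that a
proposed setup can be checked before rotation is attempted.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Record types that become available once "Manage Keeper Rotation" is enabled.
TARGET_TYPES = {"PAM Directory", "PAM Database", "PAM Machine"}
USER_TYPE = "PAM User"
PAM_TYPES = TARGET_TYPES | {USER_TYPE}

# Role enforcement policies named in the guide.
POLICY_KSM = "Enable Keeper Secrets Manager"
POLICY_ROTATION = "Manage Keeper Rotation"


@dataclass
class SharedFolder:
    name: str
    records: List[Tuple[str, str]]        # (record title, record type)
    permission: str = "Read Only"         # folder permission granted to the application
    application: Optional[str] = None     # Secrets Manager application assigned to the folder


@dataclass
class PamSetup:
    role_policies: Set[str]                       # enforcement policies on the operator's role
    folder: SharedFolder
    gateway_application: Optional[str] = None     # application the Keeper Gateway was added to
    pam_configuration: bool = False               # has the PAM Configuration been created?


def preflight(setup: PamSetup) -> List[str]:
    """Return the prerequisites from the guide that are still unmet (empty list = ready)."""
    problems: List[str] = []

    # Role: both policies must be on; sharing a record alone does not grant rotation.
    for policy in (POLICY_KSM, POLICY_ROTATION):
        if policy not in setup.role_policies:
            problems.append(f"role policy '{policy}' is not enabled")

    types = {rtype for _, rtype in setup.folder.records}
    for title, rtype in setup.folder.records:
        if rtype not in PAM_TYPES:
            problems.append(f"record '{title}' has non-PAM type '{rtype}'")
    # Steps 2-3: at least one rotation target and at least one PAM User in the folder.
    if not types & TARGET_TYPES:
        problems.append("folder has no PAM Directory, PAM Database or PAM Machine record")
    if USER_TYPE not in types:
        problems.append("folder has no PAM User record")
    # Steps 4-5: the application exists and is assigned to the folder.
    if setup.folder.application is None:
        problems.append("no Secrets Manager application is assigned to the folder")
    # Step 6: the application needs Can Edit so rotated passwords can be written back.
    if setup.folder.permission != "Can Edit":
        problems.append(f"folder permission is '{setup.folder.permission}', must be 'Can Edit'")
    # Step 7: a gateway is attached to that same application.
    if setup.gateway_application is None:
        problems.append("no Keeper Gateway has been added to the application")
    elif setup.folder.application is not None and setup.gateway_application != setup.folder.application:
        problems.append("gateway is attached to a different application than the folder")
    # Step 8: the PAM Configuration ties everything together.
    if not setup.pam_configuration:
        problems.append("no PAM Configuration ties environment, gateway, application and credentials together")
    return problems


def weak_setup() -> PamSetup:
    """Constructed sample: folder still Read Only, gateway and PAM Configuration not yet done."""
    folder = SharedFolder(
        name="Rotation - Prod DB",
        records=[("prod-mysql", "PAM Database"), ("svc_app_db", "PAM User")],
        permission="Read Only",
        application="rotation-app",
    )
    return PamSetup(role_policies={POLICY_KSM, POLICY_ROTATION}, folder=folder)


def ready_setup() -> PamSetup:
    """The same constructed sample after steps 6-8 have been completed."""
    setup = weak_setup()
    setup.folder.permission = "Can Edit"
    setup.gateway_application = "rotation-app"
    setup.pam_configuration = True
    return setup


if __name__ == "__main__":
    for label, s in (("weak", weak_setup()), ("ready", ready_setup())):
        issues = preflight(s)
        print(label + ":", "OK" if not issues else "\n  - " + "\n  - ".join(issues))
```

Running the block prints three unmet prerequisites for the Read Only setup (folder permission, missing gateway, missing PAM Configuration) and "OK" for the corrected one. The role-policy check sits first deliberately: a user who can see a shared PAM record but lacks "Manage Keeper Rotation" cannot rotate it regardless of how the folder is configured.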
Keeper supports importing in bulk from JSON format. See the Importing PAM Records section for more details.