Creating Vault Records

How to create, manage, import and export data in your Keeper vault

What's a Keeper Record?

A Keeper record can be any password, file or secret information that is stored in your encrypted vault. When a new user signs up for Keeper, they are walked through a step-by-step guide to import existing passwords from their web browser, other password manager or file upload. They will also be walked through the process of creating records manually through their desktop computer.

Users can create new vault records many different ways including:

  • Manual creation on the Desktop App, Web Vault, Browser Extensions or Mobile App

  • Import from another password manager like Chrome, iCloud Keychain, Keepass, LastPass, Dashlane, 1Password and many more.

  • Import from a .CSV or .JSON text file

  • Automated LastPass transfer Vault-to-Vault

  • Command-line and automated SDK

Records created in any platform will instantly sync to the user's other devices. Records that are shared among users will receive updates in real time.

Import from Web Browsers

Keeper's Import Tool will seamlessly import passwords that are stored in Chrome, Firefox, Safari, iCloud, Edge and Internet Explorer web browsers on your computer.

From the Web Vault or Desktop App, click your account email address > Settings > Import. On the Web Vault, you will be then prompted to download Keeper's Import Tool. On the Desktop App, the import will start immediately.

More information about the Keeper Import tool can be found at the User Guide below:

Import from Password Managers

Keeper support drag-and-drop import of files from other password managers or text files. From the Web Vault or Keeper Desktop app, select Settings > Import and then select the password manager you'd like to import your passwords from. Click View Import Instructions for step-by-step instructions to generate the proper file format from the original password manager. Once the file has been created, drag-and-drop it into the "Drop a File Here" field.

Automated Import from LastPass

Keeper's Desktop Application supports an automated transfer of vault records from LastPass to Keeper. To perform an import, follow these steps:

  1. Download the Keeper Desktop App from:

  2. Login to Keeper Desktop using your Master Password.

  3. Click on your account email address in the upper right-hand corner.

  4. Click Settings > Import.

  5. Choose LastPass.

  6. Input your LastPass Email and Password and click Next.

Bulk Import from .CSV File

Keeper's CSV import method also supports advanced structure including Folders, Subfolders and Shared Folders.

File Format

Folder,Title,Login,Password,Website Address,Notes,Shared Folder,Custom Fields

• To specify subfolders, use backslash "\" between folder names • To make a Shared Folder specify the name or path to it in the 7th field

Example 1: Create a regular folder at the root level with 2 custom fields

My Business Stuff,Twitter,,123456,,These are some notes,,API Key,5555,Date Created,2018-04-02

Example 2: Create a shared subfolder with edit and re-share permission, inside a regular folder

Personal,Twitter,,123456,,,Social Media#edit#reshare

Example 3: Create a shared folder with edit and re-share permission on the outside and a nested folder tree underneath.

Personal\Financial\Home,Chase,,123456,,,Family Records#edit#reshare

In this 3rd example, the outer shared folder is called "Family Records" and underneath is a folder tree. The record is added to the nested folder 3 levels down.

To visually see how the import will look, drag and drop the file into the Import screen and click Next. You'll see a preview of the structure:

More detailed and advanced CSV import instructions can be found here:

Import from Commander SDK

The Keeper Commander SDK provides command-line or scripted capabilities to import records and folders into your Keeper Vault. Supported import formats are JSON, CSV, LastPass and Keepass.

  • JSON import files can contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions.

  • CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions.

  • Keepass files will transfer records, file attachments, folders and subfolders.

  • LastPass import will transfer records, file attachments, shared folders and permissions.

Most features available in the Keeper Admin Console are available through Commander's interactive shell and SDK interface. Learn more about Keeper Commander at

Keeper provides many ways of importing structured data. See the Importing Data page for additional details.

Manual Record Creation

From any Keeper Vault application, select Create New > Record to add a record. When creating a record, you may select the Dice icon to generate a strong, unique password. Once you have entered the details of your records, click Save to finish.

Keeper's password generator "Dice" button will auto-generate a strong and complex password. The user can customize the length and complexity level. Admin policies can also enforce the password complexity strength on a global or per-domain basis via Role policies.

Using the password generator feature will not automatically change the website's existing login password. You still must visit the corresponding website's "Change Password" form to update the old password to match the new, stronger password.

KeeperFill Browser Extension

The Keeper Browser Extension for Chrome, Firefox, Safari, Edge, Opera and Internet Explorer browsers can be used to dynamically add records to your vault and Autofill passwords.

To download KeeperFill for your browser, visit:

Create New records From any website login screen, select Create New and then fill in the appropriate fields. Select the check mark to save the record and autofill the login and password.

Prompt to Login & Fill When visiting a website login screen, Keeper will ask you to automatically login with your saved password.

Prompt to Change Password KeeperFill makes it easy to change your passwords. When a user visits a site's "Change Password" form, you will receive a prompt from Keeper asking if you would like help changing your password. By clicking Yes Keeper will run a wizard that walks you through a few quick steps to change your password and simultaneously update the record in your vault. These steps will include a series of prompts detailing the following actions:

  • Autofill your old/current password

  • Automatically generate and autofill a new secure password

  • Confirm the changes and save them to your vault

Keeper Record Fields

A Keeper Login record is made up of the following fields:

  • Title

  • Login (Email or Username)

  • Password

  • Website Address - This field is required to Autofill forms on websites. For security reasons, the website address (e.g. must match the website that you are visiting.

  • Custom Fields - Creating Custom Fields takes away the pain of having to manually copy and paste your information into websites. For example, if you have a website like this one from the USAA Bank, it requires a PIN field, in addition to Password. Corresponding the website field title and the Custom Field Name will allow Keeper to auto-fill these fields with their values. Custom Fields may also allow the user to use the same record for multiple websites. For example, if a user has the same login and password for and, the user may add the website address in the Custom Field Value and that single record will now recognize two different website logins. This allows the user to not have to create a record for each website where that username and password are used.

  • File Attachments - File attachments can be any type of file, photo, video or other document. An unlimited number of files can be attached to any Keeper vault record. File storage is an add-on subscription. If file storage is disabled, please contact your Keeper administrator or email

  • Two-Factor Codes - Keeper can protect and generate 2FA codes for any website or service that supports the use of TOTP (Time-Based One-Time-Passwords).

  • Notes - Any free-form notes can be protected in this field such as access instructions or confidential documentation.

Individual Record Sharing

Keeper records can be shared on an individual basis to other Keeper users. Keeper sharing technology uses secure RSA encryption to exchange the individual record keys. Therefore, in order to share or transfer a record to another user, the recipient must first have a Keeper account. Attempting to share to a user without a Keeper account will invite them to the platform. For more detailed information, visit Keeper's Security Architecture. To share a Keeper record with another user, while viewing the record, select Options > Share and then enter the email address of the recipient (or select from previously shared users). Edit and re-share permission can be applied to any shared records. Role enforcement policies can be applied from the Keeper Admin Console to control the ability for records to be shared. Only the owner of a record is able to delete a record. A non-owner may see a Delete button but this will only remove the record from the non-owner's vault. When the owner of a record deletes it from their vault, it will delete it from everyone's vault.

Shared Folders

Shared folders can also be created which contain records, teams, users and permissions. You can create Shared Folders from the Web Vault, Commander CLI, import files or Desktop/Mobile Apps.

For more information on Shared Folders see page: Folders and Shared Folders

Transfer Ownership

Record ownership can be transferred to another Keeper user. To perform a transfer, while viewing a record, select Options > Share and enter the email address of the recipient (or select from previously shared users). Select Transfer Ownership from the sharing permission dropdown menu. Note that after transferring record ownership, the record will no longer be accessible from your vault.

Bulk Record Push from Admin

Through the use of Keeper Commander, records can be pushed to users in bulk.

Example usage of the "enterprise-push" command:

enterprise-push --team "Engineering Admins" push.json
enterprise-push --email push.json

The "push.json" file is structured an an array of password object, for example:

        "title": "Google",
        "login": "${user_email}",
        "password": "${generate_password}",
        "login_url": "",
        "notes": "",
        "custom_fields": {
            "Name 1": "Value 1",
            "Name 2": "Value 2"
        "title": "Admin Tool",
        "login": "${user_email}",
        "password": "",
        "login_url": "",
        "notes": "",
        "custom_fields": {

Supported template parameters:

${user_email}          User email address
${generate_password}   Generate random password
${user_name}           User full name

For more information about Keeper Commander please see our Github Page.

Version History

Every record created by a user is automatically backed-up through the Keeper Cloud Security Vault architecture. Every record change is also backed-up and a record version is created upon each change event. Each record is identified by a record UID and each record can have an unlimited number of version identifiers. Version History is a critical capability to ensure that a password or record change is never lost by accident. Version History also ensures that a deleted record can be recovered. When a record is deleted by the record owner, the record is moved into the Deleted Records trash bin. Records will remain in this location until the record owner explicitly empties the trash bin. Users can view the Version History of any Keeper record through Keeper Web Vault or Keeper Desktop App. To view a record's history, select a record, then select Options > Record History.

Each record version is tagged with a version number and modification date. Click on the record to display the old version. Then click on "Restore" to revert back to the old version. Restoring the version will also generate a new revision.

Data Export

The Keeper Web Vault and Keeper Desktop App include an Export capability which can be enabled by the Keeper Administrator. Exporting records from your vault can serve as a backup mechanism, however this does not retain any information about sharing relationships, folder structure or file attachments. If Export is allowed by the Keeper Administrator, we recommend that the customer stores the exported files in a secure location on an encrypted file system. The security and encryption model of Keeper purposely does not permit a Keeper Administrator to export user vaults. A user must be authorized on a Keeper record via the Team or User sharing capability in order to access and export vault information.

Keeper Commander has the additional capability of exporting data to an encrypted Keepass file which retains file attachments.

Offline Mode

Offline Mode allows users to have access to their vault from a web browser when they are not able to connect online to Keeper or to their SSO (if they have one). Note that “thick clients” such as desktop and mobile phones already have this capability, but it has been extended to users operating from web browsers.

Offline Mode is made possible by making a copy of your online vault to your local device. A user's vault data is stored in an encrypted format which is only accessible by providing their Master Password. Note, multiple users can share a single device (e.g. a laptop PC) and all users are able have their vault stored safely on that PC when offline.

User Device Setup

A user’s devices (e.g. laptops that might not have offline access) will need to be “primed” with a cache of their vault by logging in with an online connection at least once. A mirror copy of their vault will be replicated to that device once completed.

User Login & Vault status

User’s will know if their vault is available when offline via a lightning bolt icon indicating it has been loaded on that device when they attempt to access their vault offline. If the icon is not present, then that device will need to be setup using the steps described above. The X next to the user's email address allows a user to delete the local copy of their vault from the device.

Click on "Work Offline" to use Keeper in offline mode. Offline mode must be explicitly approved by the Keeper Administrator in the Role enforcement settings.

Once logged in, a user will know if they are offline by an Offline Mode text indicator at the top of their vault screen.

Not all vault features are available online and records will be "read only". For instance users can't create any new vault content such as record or folders when offline. When such a limitation occurs then a notice will be displayed.

SSO Account

If your organization's SSO is not available (e.g. is offline), then click on Work Offline to gain access to your vault offline using a Master Password.

Note: A user's Master Password has to be setup by the user via the Settings menu for this offline access to be available.

See the Role, RBAC and Permissions, Account Settings page for instructions on how to restrict Offline Access.

Last updated