Password Rotation

Automatically rotate secrets in the cloud and on-prem

Activation of Password Rotation requires a Keeper Secrets Manager license. This capability can be activated at the role level from the Admin Console under Role > Enforcement Policies > Secrets Manager. If you have questions, please email

What is Keeper Password Rotation?

Keeper Password Rotation allows Keeper customers to securely rotate credentials in any cloud-based or on-prem environment. Automatically rotate Active Directory accounts, Windows or Linux users, database passwords, Azure IAM accounts, AWS accounts, SSH keys and many more. All components of rotation adhere to Keeper's Zero Trust and Zero Knowledge security model.

Why use Keeper Password Rotation?

For many organizations, periodic rotation of credentials is mandated by the company or compliance policy. Automating this with Keeper removes the trouble associated with ad-hoc or manual password rotation. Keeper's encryption model preserves the principle of Zero-Knowledge, ensuring that data is encrypted and decrypted locally in the customer's environment.

Keeper Password Rotation has been engineered in the cloud to provide the strongest security possible, while making deployment simple in any environment. Least privilege is enforced throughout the lifecycle and operations of the platform. Orchestration of password rotation is managed through the use of encrypted vault records.

Managing both secrets and their settings as encrypted records provides several benefits:

  • Secure sharing of records and configuration between IT users

  • Redundancy and data integrity

  • Audit logging and change history for rotation actions

All of this is built into an easy-to-manage enterprise password management platform, bridging the gap between the security challenges faced by IT and the needs of the workforce.


  • Automatically rotate credentials for machines, service accounts, and user accounts across your infrastructure and multi-cloud environments

  • Schedule rotations to occur at any time or on demand

  • Perform post-rotation actions such as restarting services or running other applications as needed

  • Securely store all credentials in the Keeper vault

  • Control and audit access to credentials through secure sharing and compliance reporting

  • Log all actions to Keeper’s Advanced Reporting and Alerts Module (ARAM)

  • Automate everything with Commander or using the Vault and Admin Console UI
