Getting Started

Quick start guide to Keeper Password Rotation

Enable Rotation

Rotation is a feature of Keeper Secrets Manager ("KSM"). Once you have activated Keeper Secrets Manager on your account, you can enable the Rotation feature for specific roles.

Enabling Rotation on the Admin Console

  1. Log in to the Keeper Admin Console for your tenant.

  2. Go to Admin > select a Role (or create new Role) > Enforcement Policies > Secrets Manager

  3. Enable both policies:

    • Enable Keeper Secrets Manager: This activates the Secrets Manager functionality in the Vault, which is needed for rotation.

    • Manage Keeper Rotation: This allows users to deploy gateway and configure rotation for privileged access records in their vaults.

Enabling Rotation using Commander

Rotation can also be enabled from the Keeper Commander CLI with the enterprise-role command, which manages a role's enforcement policies.

Rotation is a feature of KSM, so before enabling rotation you must enable the KSM policy for the role:

enterprise-role "Keeper Administrator" --enforcement "ALLOW_SECRETS_MANAGER":true

After enabling KSM, you can enable the Rotation feature for the same role with:

enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_ROTATION":true

Record Types for Rotation

After enabling Keeper Rotation on a role, 4 new record types become available in the vault. Users assigned to that role will be able to create the following record types:

  • PAM User: Contains a login / password, a private key, or both.

  • PAM Directory: Information about your on-prem or cloud-based directory.

  • PAM Database: Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.

  • PAM Machine: Windows, Linux or macOS machines, on-prem or in the cloud.

All 4 record types can be added in the Vault, placed in folders, and shared like any other Keeper records. These records can be shared with non-privileged Keeper users, but they cannot be rotated unless the user has the "Manage Keeper Rotation" role enforcement policy enabled.

For more information on these record types and the role they play in rotation, see:

Record Type Details

PAM Configurations

When rotation is activated, the Secrets Manager screen of the vault shows a section called PAM Configurations. A PAM Configuration is an object that ties together the following:

  • Environment: Local Network, AWS or Azure.

  • Keeper Gateway: Service which you install into your on-prem or cloud infrastructure.

  • Application Folder: Shared Folder which contains the Secrets Manager application and associated records.

  • Administrative Credentials: Keeper record which contains the privileged credentials used for rotation and discovery.

Customers may have any number of PAM Configurations, Applications and Gateways.

How to Rotate a Password

The basic steps to rotate passwords in any target environment are:

  • Create a Shared Folder in the vault

  • Add PAM Directory, PAM Database or PAM Machine records to the Shared Folder

  • Add PAM User records to the Shared Folder

  • Create a Secrets Manager application

  • Assign the Secrets Manager application to the Shared Folder

  • Change the application's permission on the Shared Folder from Read Only to Can Edit (rotation writes the new password back to the record, so read-only access is not enough)

  • Add a Keeper Gateway to the Secrets Manager application

  • Create a PAM Configuration which ties everything together
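The procedure above, and the earlier note that a shared PAM record cannot be rotated unless the user's role carries the "Manage Keeper Rotation" (ALLOW_PAM_ROTATION) policy, describe a chain of prerequisites that is easy to get partly wrong. The following is an added example that models those prerequisites as a readiness check; it is not Keeper's own code, and the class names, the `rotation_blockers` function and the constructed roles, folder, application and configuration are assumptions made for illustration. Only the two enforcement keys and the record type names come from the page.

```python
"""Readiness check for Keeper password rotation prerequisites.

Constructed model of the setup steps on this page (not Keeper's own logic):
role enforcement policies -> shared folder with PAM records -> Secrets Manager
application with Can Edit access -> Keeper Gateway -> PAM Configuration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Record types that appear in the vault once ALLOW_PAM_ROTATION is set on a role.
PAM_RECORD_TYPES = {"pamUser", "pamDirectory", "pamDatabase", "pamMachine"}
PAM_TARGET_TYPES = PAM_RECORD_TYPES - {"pamUser"}


@dataclass
class Role:
    name: str
    enforcements: dict  # enforcement key -> bool, as set with `enterprise-role --enforcement`

    def ksm_enabled(self) -> bool:
        return bool(self.enforcements.get("ALLOW_SECRETS_MANAGER"))

    def rotation_enabled(self) -> bool:
        # Rotation is a KSM feature: ALLOW_PAM_ROTATION means nothing without ALLOW_SECRETS_MANAGER.
        return self.ksm_enabled() and bool(self.enforcements.get("ALLOW_PAM_ROTATION"))


def available_record_types(role: Role) -> set:
    """PAM record types a member of this role can create in the vault."""
    return set(PAM_RECORD_TYPES) if role.rotation_enabled() else set()


@dataclass
class SharedFolder:
    uid: str
    permission: str                         # the application's access: "read_only" or "can_edit"
    application_uid: Optional[str] = None   # set by "assign the application to the Shared Folder"
    record_types: set = field(default_factory=set)  # types of the records placed in the folder


@dataclass
class Application:
    uid: str
    gateway_uid: Optional[str] = None       # set by "add a Keeper Gateway to the application"


@dataclass
class PamConfiguration:
    environment: str                        # "Local Network", "AWS" or "Azure"
    gateway_uid: str
    application_uid: str
    admin_record_uid: str                   # record holding the administrative credentials


def rotation_blockers(role: Role, folder: SharedFolder, apps: dict, configs: list) -> list:
    """Reasons a PAM User record in `folder` cannot be rotated by a member of `role`.

    An empty list means every prerequisite on the page is satisfied. Hypothetical
    check: the order and wording mirror the setup steps, not Keeper's internals.
    """
    problems = []
    if not role.ksm_enabled():
        problems.append("role lacks ALLOW_SECRETS_MANAGER")
    elif not role.rotation_enabled():
        # Sharing the record is allowed; rotating it is not.
        problems.append("role lacks ALLOW_PAM_ROTATION (record can be viewed but not rotated)")
    if not folder.record_types & PAM_TARGET_TYPES:
        problems.append("folder has no PAM Directory, PAM Database or PAM Machine record")
    if "pamUser" not in folder.record_types:
        problems.append("folder has no PAM User record")
    app = apps.get(folder.application_uid) if folder.application_uid else None
    if app is None:
        problems.append("no Secrets Manager application is assigned to the folder")
        return problems  # the remaining checks hang off the application
    if folder.permission != "can_edit":
        problems.append("application has Read Only access; rotation must write the new password back")
    if app.gateway_uid is None:
        problems.append("no Keeper Gateway is attached to the application")
    elif not any(c.application_uid == app.uid and c.gateway_uid == app.gateway_uid for c in configs):
        problems.append("no PAM Configuration ties the application and gateway together")
    return problems


# Constructed sample data (hypothetical UIDs and names).
ADMIN_ROLE = Role("Keeper Administrator", {"ALLOW_SECRETS_MANAGER": True, "ALLOW_PAM_ROTATION": True})
EMPLOYEE_ROLE = Role("Employee", {"ALLOW_SECRETS_MANAGER": True})
APPS = {"app-1": Application("app-1", gateway_uid="gw-1")}
CONFIGS = [PamConfiguration("Local Network", "gw-1", "app-1", "rec-admin")]
READY_FOLDER = SharedFolder("sf-1", "can_edit", "app-1", {"pamMachine", "pamUser"})
READ_ONLY_FOLDER = SharedFolder("sf-2", "read_only", "app-1", {"pamMachine", "pamUser"})

if __name__ == "__main__":
    for role, folder in [(ADMIN_ROLE, READY_FOLDER), (ADMIN_ROLE, READ_ONLY_FOLDER), (EMPLOYEE_ROLE, READY_FOLDER)]:
        print(role.name, folder.uid, rotation_blockers(role, folder, APPS, CONFIGS) or "ready")
```

Running the block prints one line per combination: the administrator with the fully configured folder is ready, the same administrator against the Read Only folder is blocked at the permission step, and the employee whose role has KSM but not rotation can hold the shared records yet cannot rotate them.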
