Linux Installation

Overview

This document contains information on how to install, configure, and update your Keeper Gateway on Linux.

Prerequisite

Prior to proceeding with this document, make sure you generated a Keeper Gateway One-Time Access Token in your Vault. For more information, visit the following page:

Installation

Install Command

Executing the following command will install the Keeper Gateway:

curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s

Executing the following command will install, initialize the Keeper Gateway, and run it as a service:

curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s -- --token XXXXX

Note: Replace XXXXX with the One-Time Access Token supplied by the Vault screen, more information here

Installation Location

The gateway will be installed in the following location:

/usr/local/bin/keeper-gateway

An alias gateway is also created in the same directory

gateway -> /usr/local/bin/keeper-gateway

Gateway Service Management

For managing the Keeper Gateway as a service, the following are created during the Gateway installation:

• A keeper-gateway folder

• A keeper-gw user

keeper-gateway folder

The keeper-gateway folder contains the gateway configuration file and is created in the following location:

/etc/keeper-gateway

keeper-gw user

During the gateway installation, a new user, keeper-gw, is created and added to the sudoers list in /etc/sudoers.d/.

The keeper-gw user is the owner of the keeper-gateway folder and runs the gateway service. This is required when performing rotations on the gateway service and performing post-execution scripts.

Managing the Gateway Service

The following commands can be executed to start, restart, or stop the Keeper Gateway as a service:

sudo systemctl start keeper-gateway
sudo systemctl restart keeper-gateway
sudo systemctl stop keeper-gateway

Keeper Gateway Configuration File

The Keeper Gateway configuration file contains a set of tokens that includes encryption keys, client identifiers, and destination server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs. This configuration file is created from the Gateway One Time Access Tokens and have a one to one relationship with client devices.

If the Keeper Gateway is installed and running as a service, the gateway configuration file is stored in the following location:

/etc/keeper-gateway/gateway-config.json

If the Keeper Gateway is installed locally and not running as a service, the gateway configuration file is stored in the following location:

<User>/.keeper/gateway-config.json

Keeper Gateway Log files

Logs that contain helpful debugging information are automatically created and stored on the local machine.

If the gateway is running as a service, the gateway log files are stored in the following location:

/var/log/keeper-gateway/

If the gateway is not running as a service, the gateway log files are stored in the following location:

<User>/.keeper/logs/

Verbose Logging

To add verbose debug logging, modify this file:

/etc/systemd/system/keeper-gateway.service

and add the -d flag to the "gateway start" command, e.g:

ExecStart=/bin/bash -c "/usr/local/bin/gateway start --service -d --config-file /etc/keeper-gateway/gateway-config.json"

Apply changes to the service:

sudo systemctl daemon-reload
sudo systemctl restart keeper-gateway

Upgrading

Executing the following command will upgrade the Keeper Gateway:

curl -fsSL https://keepersecurity.com/pam/install | sudo bash -s

Auto Update

Configure your Keeper Gateway installation to automatically check for updates, ensuring it stays up-to-date with the latest version. For more information, refer to the following:

Uninstalling

Executing the following command will uninstall the Keeper Gateway:

curl -fsSL https://keepersecurity.com/pam/uninstall | sudo bash -s