Use Cases

This document covers the most common use cases for the Keeper Enterprise product.

End-User Vault

Upon deployment of the Keeper Enterprise product, each user is provided a secure, private Keeper Vault. Keeper works on all device types, platforms and operating systems to enable users to:

  • Create and manage strong passwords across all device types

  • Securely store files and other private information

  • Autofill passwords across web browsers, apps and mobile devices

  • Share confidential information between users and teams

Deploy a Zero-Knowledge Vault to Employees

Keeper zero-knowledge, secure vault is protected with multiple layers of encryption. Each user’s vault is protected by a Master Password which is used to encrypt and decrypt data on the local device. Additionally, Two-Factor Authentication protects cloud access. Below are some of the key vault security features:

  • A user's Master Password is used to derive an encryption key using PBKDF2, which will encrypt and decrypt their vault.

  • Each password and file stored in the vault are protected with a separate, strong 256-bit AES key.

  • Users who login with Keeper SSO Connect integration don’t require a master password, since the encryption keys are managed by the Enterprise. For convenience, Admins can permit Biometric Login to the vault (Face ID/Touch ID, Windows Hello, etc.).

Generate Strong Passwords

Creating strong, randomly generated login passwords for each website is critical in protecting against data breaches, password stuffing and password spraying attacks. Keeper’s password generator and auditing capabilities ensure password compliance company-wide.

Protect All Platforms and Devices

Keeper protects passwords and private information on all devices and operating systems. Deployment options are available through the Keeper Security website and every major app store. SCCM deployments and virtual environments (e.g. Citrix) are fully supported.

Keeper® Desktop App

Keeper's fully-featured desktop application for fast and secure access to your Keeper vault.


The KeeperFill browser extension quickly autofills your login credentials into your favorite websites.

Keeper® Mobile App

Keeper's fully-featured mobile application for fast and secure access to your Keeper Vault.

Autofill Website Passwords with KeeperFill®

KeeperFill for web browsers provides a powerful and easy-to-use autofill feature. Various paths and scenarios are covered by the browser extensions, including the following:

  • Filling a login and password

  • Selecting from multiple passwords on the same website

  • Autofilling a login, password and two-factor code

  • Prompting to fill or manual click to fill

  • Saving new passwords to the vault as you type

The ability to customize the behavior of the browser extension can be configured from the extension's Settings Menu.

Change Passwords and Monitor Security with KeeperFill

KeeperFill makes it easy to change your passwords. When visiting a site's "Change Password" form, you will receive a prompt from Keeper asking if you would like help changing your password. By agreeing, Keeper will walk you through a few quick steps to change your password and simultaneously update the record in your vault. Additionally, using Keeper’s Security Audit feature within the vault, users can identity which accounts contain weak passwords and take the necessary steps to change them.

Autofill Native Desktop Applications with KeeperFill for Apps

KeeperFill for Apps is a convenient tool used to further enhance your experience with the fully-featured Keeper Desktop App. Used in conjunction with your desktop applications, KeeperFill for Apps provides a simple login solution and quick access to your vault records.

Additionally, KeeperFill for Apps provides a unique and powerful native app form fill capability using simple hotkey commands. IT admins who are accessing remote services can make use of this capability without having to resort to “copy” and “paste”. By storing all of your passwords in the vault and using KeeperFill for Apps, you can rest assured that even your application passwords aren't left vulnerable in plain text.

KeeperFill for Apps works across Mac and PC platforms with popular native applications such as:

  • Skype, Slack, Evernote and other productivity apps

  • Custom and/or proprietary applications

  • Remote Desktop, VNC, Terminal and other command-line utilities

KeeperFill for Apps can be configured via Settings > KeeperFill within the Keeper Desktop App. Once opened, it can be accessed through your computer's menu bar (MacOS) or system tray (Windows) via the familiar Keeper icon.

Stay Organized and Efficient with Keeper’s Advanced User Interface Features

Folders & Subfolders

Folders and Subfolders (or folders within folders) provide greater control and organization over your private Keeper records and files. Subfolders also increase organization across teams and accounts types.

Grid View Layout

Grid view allows you to view your records in a graphical, tile format which displays beautiful, curated logos for popular websites. To enter Grid view, simply click on the grid icon in your vault.

Record History

Every change made to a record creates a backup version that can be viewed and restored at any time. Similarly, deleted records can be recovered and there is no limit to the number of record versions that can be stored.


A record can exist outside of a folder, inside a folder or inside a shared folder. A record can also be linked to multiple folders or shared folders and is referred to as a “shortcut”. Shortcuts like alias files, can exist in two or more places and when edited, change together.

Protect Confidential Files, Photos and Videos

Keeper offers Secure File Storage to protect your confidential files, photos, and videos. Keeper protects these files with 256-bit AES encryption using record-level keys, just like our password encryption technology. Users can easily drag-and-drop files directly into their vault and take pictures & videos directly from their mobile devices. These files can be easily and securely shared with other Keeper users, from vault-to-vault.

Examples of files that might be stored in the vault include:

  • Customer Information

  • Financial and Banking Documents

  • Tax Returns

  • Medical Photos and Videos

Protect Secure Certificates and SSH Keys

The growing threat of trust-based attacks is opening security risks for IT organizations who rely heavily on access to critical systems via digital certificates and keys. Keeper protects certificates and keys with 256-bit AES zero-knowledge encryption. Examples of the types of certificates that can be stored include:

  • SSL Certificates

  • SSH Keys

  • RSA Key Pairs

  • Code Signing Certificates

  • API Keys

Certificates and SSH keys can be stored in any Keeper vault record as either a custom field, note, or file attachment.

In addition to storing SSH keys, they can be used to securely establish connections.

Keeper Commander, a command-line SDK and toolkit for DevOps users allows you to connect to remote systems using stored credentials or SSH keys.

For more information on establishing connections using Keeper Commander, click here.

Share a Password with a Colleague or Team

Keeper uses RSA encryption to share passwords and files. You can share passwords or files directly with another Keeper user or with a team. Behind the scenes, information is encrypted with the recipient’s public key and decrypted with their private key. Permissions (can edit, can share, can edit & share, and read only) can be assigned to individual users or to teams of users.

View, edit and share permission sets can be applied to individual users. Shared folder permissions can provide control over the management of the folder, users and records.

Teams are created and managed in the Keeper Admin Console. Teams can also be provisioned automatically using our Active Directory Bridge software, SCIM protocols or the Keeper Commander SDK.

Separate Business and Personal Information

Since Keeper Enterprise provides a mechanism for administrators to suspend and transfer end-user vaults, Keeper recommends that end-users keep business and personal vaults separate. This easily be achieved by using Keeper’s Account Switching features. Every platform supports the ability to easily switch between business and personal vaults.

Log in with Existing Identity Providers

Through the use of Keeper SSO Connect technology, end-users can seamlessly log in to their Keeper Vault with any existing SAML 2.0 compatible identity provider such as Okta, Centrify, Microsoft AD FS / Azure, G-Suite, JumpCloud and F5 BIG-IP APN.

Once this capability is activated by the Keeper Administrator, logging in is seamless across all device types and platforms. Alternatively, users can first log in to their identity the provider and then launch their Keeper Vault.

Administration and Deployment

Keeper Enterprise provides a web-based Admin Console application. The Admin Console allows administrators to:

  • Onboard and offboard users

  • Apply role-based enforcement policies

  • Manage two-factor authentication

  • Monitor the security score of the organization

  • Customize the end-user experience

Manage and Onboard Users

The Keeper Admin Console provides several solutions to deploy Keeper to users based on the size of the organization. Users can be provisioned through one of the following methods:

  • Active Directory or LDAP sync via AD Bridge

  • Single Sign-ON (SAML 2.0)

  • SCIM and Azure AD

  • Email Auto-Provisioning

  • CSV File Upload

  • Manual entry via the web interface

  • Command Line Provisioning via Keeper Commander SDK

Different organization units (nodes) can be provisioned in different ways. For example, end-users within one organizational unit can onboard via Active Directory and another group of users can be provisioned with an identity platform like Microsoft Azure or Okta.

Enforce Role-based Permissions

Keeper’s role-based enforcement policies provide organizations with the most flexibility to customize their solution to meet the needs of internal controls, this includes:

  • Master password complexity rules

  • Two-Factor Authentication channels

  • Physical location, IP addresses and device platforms

  • Sharing and data export rules

  • Device biometrics

Administrative permissions are also applied at the role level. Any role with administrative permission can log in to the Keeper Admin Console and perform specific job functions.

Transfer an Employee's Vault When They Leave the Organization

Retaining critical and confidential data is important when employees leave the organization, especially users that are in some administrative or management capacity.

Through the use of Keeper’s secure “Account Transfer” feature, a user’s vault can be locked and then transferred to another user within the organization. The process of account transfer remains fully zero-knowledge, and the responsibility of performing the account transfers can be limited based on roles within the organization. For example, only the Engineering Manager can transfer the vault of an Engineer or the Marketing Manager can only transfer the vault of a Marketing Coordinator.

Keeper’s security model is based on the least-privileged access, meaning, Keeper implements least-privileged policies, so when a user is a member of multiple roles, their net policy is most restrictive. Administration of groups can be delegated and restricted based on job function or any other criteria.

Account Transfers are a one-directional action. Upon account transfer, the source account is deleted and the vault records are transferred to another user account.

Monitor the Security Score of the Company

The overall security score of the organization can be monitored by delegated Keeper administrators to ensure compliance with password policies. Detailed reports identify users who need to take corrective action. Record password strengths, master password strengths and two-factor authentication usage can all be monitored in the Security Audit tab and are what make up an organization's security score.

Audit Event Logs and Perform Forensic Analysis

Advanced Reporting & Alerts Module

Keeper’s Advanced Reporting & Alerts Module (ARA Module) provides event logging and log event tracking for over 75 event types, the ability to send event based alerts and the capability to log events to an external system.

Admins can create customized reports by specifying what criteria to filter and present in each column. Reports can now be filtered and saved based on Event Types (Policy Changes, Sharing, Logins, etc), Users, and Attributes (Nodes, Devices, Location, etc).

Alerts can be triggered based upon any event criteria, such as role policy changes, privileged password access or other security events. Alerts can be sent via SMS or email and can also be viewed within the Admin Console interface.

The ARA Module integrates with 3rd party Security Information and Event Management (SIEM) tools for external logging. Integrations include the following:

  • Splunk

  • Sumo Logic

  • Amazon S3

  • IBM QRadar

The ARA Module supports over 75 event types (e.g. Expired Master Password, Changed Master Password, Shared Record, Disabled Two-Factor Authentication etc. ) that can be automatically pushed to popular SIEM products such as Splunk, Sumo and QRadar.

Recent Activity

Keeper’s “Recent Activity” report provides event logging and forensic analysis capabilities to comply with corporate governance and audit requirements. Events are tracked throughout the system while maintaining zero-knowledge. Only privileged users with sharing or ownership rights to decrypt individual vault records are capable of viewing the stored vault information.

Last updated