> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/privileged-access-manager/keeperdb/integration-with-secrets-manager.md). # Integration with Secrets Manager

## Overview KeeperDB Desktop integrates with Keeper Secrets Manager (KSM) to retrieve database targets and credentials directly from the Keeper Vault. This workflow fits standalone database access from your workstation or through an existing VPN or ZTNA solution. ### Key capabilities * Eliminates locally stored secrets. This reduces exposure to malware and endpoint theft. * Supports automated secret rotation. Users always connect with the latest credentials when rotation is enabled. * Simplifies collaboration. Share users to database resources in the vault without manually distributing connection details. ## Prerequisites An active Keeper Secrets Manager or KeeperPAM license is required. * [Keeper Secrets Manager Homepage](https://www.keepersecurity.com/secrets-manager.html) * [KeeperPAM Homepage](https://www.keepersecurity.com/privileged-access-management/) * [Request a Demo](https://www.keepersecurity.com/contact.html?t=b\&r=sales) * [Contact Support](https://www.keepersecurity.com/support.html) This integration is simple. No Keeper Gateway is required. ### Vault as a Connection Source When a user attaches their Keeper Vault to KeeperDB Desktop, KeeperDB reads **PAM Database** and **Database** records directly from the vault and surfaces them as ready-to-connect entries. These entries show a green **Vault** badge in the connection list so users can distinguish them from locally saved connections.

KeeperDB Connection Picker with Local and Vault Targets

### Setup Steps #### 1. Create a shared folder In the Keeper Vault, create a shared folder for the database resources. In this example, the folder is shared with other team members and the Engineering team. {% hint style="info" %} KeeperDB supports both new-style folders and the classic shared-folder permissions model. {% endhint %}

Optionally share folder to other team members

#### 2. Add database records In the shared folder, create **Database** records or **PAM Database** records, depending on your license, for each target database resource.

This example uses several **Database** records. In addition to the standard fields, each record includes a custom field named `Database`. This tells KeeperDB which default database to open. In this example, KeeperDB opens the `Chinook` schema. {% hint style="info" %} We recommend specifying a `Database` custom field to select the default schema. {% endhint %}

#### 3. Create a Secrets Manager application In **Secrets Manager**, create a new application or select an existing one. Make sure the shared folder is selected. If you plan to use Keeper Secrets Manager as a storage backend, set the permission to **Can Edit**. Then click **Generate Access Token**. Optionally, select **Lock external... for initial request**. This restricts Keeper cloud access to your external WAN IP during the initial request.

Copy the token for the next step.

#### 4. Connect KeeperDB to your vault From the KeeperDB login screen, or from **Settings** → **Connections** → **External Vaults**, click **Connect to your Keeper Vault**.

Give the remote vault connection a name and paste the token.

#### 5. Launch vault-backed connections After the vault is connected, the login screen and connection switcher automatically retrieve the database targets and associated credentials.

#### Using KeeperDB with PAM Database Records KeeperDB also supports **PAM Database** records. Unlike standard **Database** records, **PAM Database** records support PAM features such as rotation, connections, tunnels, JIT access, workflow, and KeeperAI. They also separate the database resource from the linked credential.

### Vault as Storage Sync KeeperDB can also use the vault as a storage backend. In **Settings**, the **Storage** feature syncs locally saved connections back to the user's Keeper Vault in a dedicated folder named **KeeperDB Storage**.

What syncs to the vault: * Each saved connection becomes a **Database** or **PAM Database** record in the vault folder. * App preferences, such as theme, page size, and editor settings, are stored as a single preferences record. * Each record includes a `keeperdb_local_id` custom field. KeeperDB uses it to match vault records back to local ones and to prevent storage records from reappearing as vault-source connections. Sync behavior: * New connections are pushed as new records. * Edited connections are deleted and recreated. The record UID changes, but the local ID stays the same in the custom field. * The Settings UI shows live progress, such as `Configuring... 4 of 245`, while records are written to Keeper. * This feature is available only in standalone desktop mode. In PAM or Gateway mode, it is hidden because the Gateway is the only credential authority. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/privileged-access-manager/keeperdb/integration-with-secrets-manager.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.