
Integration with Secrets Manager

Step-by-step instructions for integrating KeeperDB with Keeper Secrets Manager

Overview

KeeperDB Desktop integrates with Keeper Secrets Manager (KSM) to retrieve database targets and credentials directly from the Keeper Vault. This workflow fits standalone database access from your workstation or through an existing VPN or ZTNA solution.

Key capabilities

  • Eliminates locally stored secrets. This reduces exposure to malware and endpoint theft.

  • Supports automated secret rotation. Users always connect with the latest credentials when rotation is enabled.

  • Simplifies collaboration. Share database resources with users in the vault without manually distributing connection details.

Prerequisites

An active Keeper Secrets Manager or KeeperPAM license is required.

This integration is simple. No Keeper Gateway is required.

Vault as a Connection Source

When a user attaches their Keeper Vault to KeeperDB Desktop, KeeperDB reads PAM Database and Database records directly from the vault and surfaces them as ready-to-connect entries. These entries show a green Vault badge in the connection list so users can distinguish them from locally saved connections.

KeeperDB Connection Picker with Local and Vault Targets

Setup Steps

1. Create a shared folder

In the Keeper Vault, create a shared folder for the database resources. In this example, the folder is shared with other team members and the Engineering team.

KeeperDB supports both new-style folders and the classic shared-folder permissions model.

Create a Shared Folder
Optionally share the folder with other team members

2. Add database records

In the shared folder, create Database records or PAM Database records, depending on your license, for each target database resource.

This example uses several Database records. In addition to the standard fields, each record includes a custom field named Database. This tells KeeperDB which default database to open. In this example, KeeperDB opens the Chinook schema.

We recommend specifying a Database custom field to select the default schema.

3. Create a Secrets Manager application

In Secrets Manager, create a new application or select an existing one. Make sure the shared folder is selected. If you plan to use Keeper Secrets Manager as a storage backend, set the permission to Can Edit. Then click Generate Access Token.

Optionally, select Lock external... for initial request. This restricts Keeper cloud access to your external WAN IP during the initial request.

Copy the token for the next step.

4. Connect KeeperDB to your vault

From the KeeperDB login screen, or from Settings > Connections > External Vaults, click Connect to your Keeper Vault.

Give the remote vault connection a name and paste the token.

5. Launch vault-backed connections

After the vault is connected, the login screen and connection switcher automatically retrieve the database targets and associated credentials.

Using KeeperDB with PAM Database Records

KeeperDB also supports PAM Database records. Unlike standard Database records, PAM Database records support PAM features such as rotation, connections, tunnels, JIT access, workflow, and KeeperAI. They also separate the database resource from the linked credential.

Vault as Storage Sync

KeeperDB can also use the vault as a storage backend. In Settings, the Storage feature syncs locally saved connections back to the user's Keeper Vault in a dedicated folder named KeeperDB Storage.

Vault as a Storage Sync

What syncs to the vault:

  • Each saved connection becomes a Database or PAM Database record in the vault folder.

  • App preferences, such as theme, page size, and editor settings, are stored as a single preferences record.

  • Each record includes a keeperdb_local_id custom field. KeeperDB uses it to match vault records back to local ones and to prevent storage records from reappearing as vault-source connections.

Sync behavior:

  • New connections are pushed as new records.

  • Edited connections are deleted and recreated. The record UID changes, but the local ID stays the same in the custom field.

  • The Settings UI shows live progress, such as Configuring... 4 of 245, while records are written to Keeper.

  • This feature is available only in standalone desktop mode. In PAM or Gateway mode, it is hidden because the Gateway is the only credential authority.
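
The matching rule described above (records are tied to local connections by keeperdb_local_id, not by record UID) can be modeled for an audit of the storage folder. The following Python example is added here and is not KeeperDB's own code; the record layout (a uid plus a custom dict) and all sample data are constructed assumptions, and only the keeperdb_local_id and Database field names come from this page.

```python
LOCAL_ID_FIELD = "keeperdb_local_id"  # custom field name given on this page

def split_records(vault_records):
    """Separate vault-source records from storage-sync records.

    A record carrying keeperdb_local_id is a storage copy and must not be
    listed again as a vault-source connection.
    """
    sources, storage = [], {}
    for rec in vault_records:
        local_id = rec.get("custom", {}).get(LOCAL_ID_FIELD)
        if local_id is None:
            sources.append(rec["uid"])
        else:
            storage.setdefault(local_id, []).append(rec["uid"])
    return sources, storage

def reconcile(local_ids, storage):
    """Match local connections to storage records by local ID, never by UID."""
    return {
        # exactly one vault record per local ID: a clean match
        "matched": {i: storage[i][0] for i in local_ids
                    if len(storage.get(i, [])) == 1},
        # local connection with no vault record yet
        "to_push": sorted(i for i in local_ids if i not in storage),
        # more than one vault record claims the same local ID: review these
        "duplicates": {i: u for i, u in storage.items() if len(u) > 1},
        # vault record whose local ID is unknown on this workstation
        "orphans": sorted(i for i in storage if i not in local_ids),
    }

# Constructed sample data; the dict layout is a simplified assumption.
VAULT = [
    {"uid": "uidA", "custom": {"Database": "Chinook"}},         # vault-source record
    {"uid": "uidB2", "custom": {LOCAL_ID_FIELD: "conn-1"}},     # new UID after an edit
    {"uid": "uidC", "custom": {LOCAL_ID_FIELD: "conn-2"}},
    {"uid": "uidC-dup", "custom": {LOCAL_ID_FIELD: "conn-2"}},  # constructed duplicate
    {"uid": "uidD", "custom": {LOCAL_ID_FIELD: "conn-9"}},      # no local counterpart
]
LOCAL = {"conn-1", "conn-2", "conn-3"}

if __name__ == "__main__":
    sources, storage = split_records(VAULT)
    print("vault-source:", sources)
    print(reconcile(LOCAL, storage))
```

Because an edit replaces the record UID, any inventory or alerting keyed on UID loses track of the record; keying on the local ID, as here, survives the delete-and-recreate cycle.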
