# Session Recording & Playback
## What are Session Recordings? **Keeper Session Recordings** capture and store activity from sessions launched through [**Keeper Connections**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections) or [**Remote Browser Isolation (RBI)**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/remote-browser-isolation). These recordings can be **graphical**, **text-based**, or both, depending on the session configuration. * **Graphical Session Recordings**: Captures a visual playback of user activity during the session, including screen interactions. * **Text-Based Session Recordings (Typescript)**: Logs the text input and output within the session for a streamlined, searchable record. The full, raw text content of terminal sessions, including timing information of user activity during the session * **Zero-Knowledge Encryption:** Sessions are encrypted by the customer's Keeper Gateway using keys only available to designated privileged users, ensuring that zero knowledge is preserved. There is no limit to the number of recordings or session length. ### **Supported Connection Protocols** The following table shows the available session recordings available for each connection protocol: | Connection Protocol | Available Session Recordings | | ------------------------ | ------------------------------------------- | | SSH | Graphical and Text-Based Session Recordings | | RDP | Graphical Session Recordings only | | MySQL | Graphical and Text-Based Session Recordings | | PostgreSQL | Graphical and Text-Based Session Recordings | | SQL Server | Graphical and Text-Based Session Recordings | | Telnet | Graphical and Text-Based Session Recordings | | VNC | Graphical Session Recordings only | | Remote Browser Isolation | Graphical Session Recordings only | ### Remote Browser Isolation (RBI) For RBI connections, Graphical Session Recordings are available. ## Enforcement Policies Allowing users to view session recordings is managed through [PAM Enforcement Policies](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies). The following enforcement policies need to be turned on: #### **For Connections:** | Policy | Definition | | --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | | Can configure connection settings | Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types | | Can view session recordings | Allow users to view Session Recordings | #### **For Remote Browser Isolation** | Policy | Definition | | ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | | Can configure remote browsing | Allow users to configure Remote Browser and Session Recordings settings on PAM Remote Browsing and Configuration Record Types | | Can view RBI session recordings | Allow users to view RBI Session Recordings | For more information on PAM enforcement policies, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies). ## Activating Session Recording {% stepper %} {% step %} **Enforcement Policies** From the Admin Console > Roles > Enforcement Policies > Privileged Access Manager tab, ensure that policies to configure settings is enabled at minimum.

Enforcement Policies to configure session recording

{% endstep %} {% step %} **PAM Configuration** To enable session recordings, the [PAM Configuration](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration) needs to permit graphical and text session recording. Go to Secrets Manager > PAM Configurations and edit the configuration associated with your resources.

Allow Session Recording from PAM Configuration

{% endstep %} {% step %} **Record PAM Settings** From the KeeperPAM resource records in the vault, edit the record and then edit PAM Settings. Enable the Graphical and Text Session recording feature as required.

Edit PAM Settings

Edit Session Recording Features

{% endstep %} {% endstepper %} ## Connections - Session Playback To view session recording history and watch a recording from a Connection: * The user must also have the appropriate "view recording" policy enabled for their role. * The user must have at least view-only access to the record, from a Shared Folder or direct share. To view the recordings: * Click on the record overflow menu > Session Activity

View Session Activity

The **Session Activity** screen will display a list of all recorded sessions. Each session includes: * **User** who initiated the session * **Timestamp** of the session * **Play Button** for graphical recordings * **Duration** of the recording * For sessions that support text-based recordings (Typescripts), users can **download a zip folder** of the session recording.

Session Recording History

View Session Recording

### AI Session Activity When [KeeperAI](https://docs.keeper.io/en/keeperpam/privileged-access-manager/keeperai) is activated on a resource, Keeper provides additional searching and analysis of the session activity.
KeeperAI summaries
### Playback Graphical Session Recordings To playback Graphical Session recordings, click the **Play** icon next to the session. ### Playback Text Session Recordings (Typescript) For sessions that support text session recordings, download the associated **zip file** from the list of recordings. The zip file will contain: * A `.tys` file: Contains the raw text data. * A `.tm` file: Contains the timing information. ext session recordings can only be played back on **macOS** and **Linux** systems: #### **macOS** Recordings can be replayed using **script**. For example, to replay a typescript called “`NAME`”, you can run: ``` script -p NAME ``` #### **Linux** Typescript recordings can be replayed using **scriptreplay**: ``` scriptreplay timing.tm typescript.tys ``` ### Encryption of Session Recordings KeeperPAM is a zero-knowledge platform where all sessions are end-to-end encrypted between the user's vault and the destination resource. Session recordings are encrypted and managed by the Keeper Gateway, which is installed and operated by the customer. Keeper has no access to or ability to decrypt these recordings. Only users with the necessary privileges and access to the corresponding Keeper record can view session recordings. When a recording is accessed, the encrypted data is downloaded from the Keeper Cloud and decrypted locally in the user's vault for playback. Each session is encrypted with a unique record key, ensuring least privilege access.