Ctrlk
HomepageSystem Status
For the complete documentation index, see llms.txt. This page is also available as Markdown.

KeeperDB 2.0.2

Released on May 15, 2026

Overview

KeeperDB is a fast, secure, cross-platform database management tool. Use it inside KeeperPAM connections or as a standalone desktop app on Windows, macOS, and Linux.

Query, explore, and operate PostgreSQL, MySQL, SQLite, Microsoft SQL Server, Oracle, and Amazon Redshift from one interface.

KeeperDB is built for engineers and data scientists. It replaces legacy tools like DBeaver, MySQL Workbench, and pgAdmin. In KeeperPAM, it brings core database workflows into a fully managed passwordless experience.

Quick Links: Product Documentation | Download Now

KeeperPAM Connection

KeeperPAM database connection resources work with the latest Keeper Vault and Keeper Gateway. This adds session management, just-in-time workflows, and KeeperAI threat detection. The screen recording below shows a live demo.

KeeperPAM interaction

Keeper Vault and KeeperDB automatically match your local system's light or dark mode setting.

Keeper Vault and KeeperDB in light and dark mode

Standalone Desktop App

The KeeperDB desktop app is a modern replacement for legacy tools like DBeaver, MySQL Workbench, pgAdmin, DataGrip, Beekeeper, and HeidiSQL.

Download: https://www.keepersecurity.com/download.html?t=db

What's New in 2.0.2

Since 1.8.3, we've added multi-host clusters, the Top Queries screen, desktop polish, a searchable connection picker, ER graph tooling, and security hardening.

Multi-host cluster connections

Connect to highly-available PostgreSQL clusters by listing multiple hosts in one connection. KeeperDB now mirrors libpq / Connector/J failover semantics natively in the desktop UI — no more falling back to CSV-in-host strings.

  • PostgreSQL — multi-host with target_session_attrs (any / read-write / read-only / primary / standby / prefer-standby) and load_balance_hosts (disable / random)

  • Per-driver advanced options — the Advanced... modal under Host+Port is gated on driver

Top Queries (historical query analysis)

A new Top Queries tab inside Monitor surfaces the heaviest historical SQL across each supported engine — total time, mean time, call count, rows, and percent of total — sorted server-side for performance.

  • PostgreSQLpg_stat_statements (cross-version, surfaces an "extension missing" hint when not installed)

  • MySQL / MariaDB / Auroraperformance_schema digest analysis, with Aurora-aware consumer diagnostics ("performance_schema is enabled but no digest data — likely consumers are off")

  • OracleV$SQLSTATS (Enterprise / Standard editions)

  • Click any row to open the full normalized SQL, jump to EXPLAIN (Postgres/MySQL), or send the statement to KeeperAI for analysis

ER diagram tooling

The schema graph is now usable on real production schemas (hundreds of tables, deep FK chains):

  • ↻ Reset Layout — re-runs dagre auto-layout if positions have drifted

  • ⊞ Snap-to-grid — toggle, persisted per-user; 20px grid for clean alignment

  • ⇩ Export PNG — high-DPI export scoped to the viewport (no toolbar artifacts)

  • Hover-highlight — hovering a table fades non-connected tables to 25% so you can trace foreign-key paths at a glance

  • Bulk schema fetch — columns and foreign keys load via a single batched query per schema (was N+1 per table); large graphs build dramatically faster

  • Configurable table cap — Settings → Editor → Graph View now exposes "Max tables in graph" (default 200, up to 1000)

  • Viewport sanity-check — if a saved viewport would leave zero nodes on screen, falls back to fitView automatically

Sidebar table expansion

Click the disclosure triangle (▸/▾) next to any table to expand its columns inline without leaving the current view. This matches the pattern in DBeaver, DataGrip, and TablePlus. PK and FK badges (text labels, not emoji) appear next to columns. FK rows show the → target.column reference inline. Right and Left arrow keys also expand and collapse rows. Columns load lazily on first expand and reuse the schema-index cache.

Searchable connection picker

Built for desktop users with hundreds of saved connections. It replaces native <select> dropdowns on the login screen, sidebar, and Settings with a fast, keyboard-driven modal:

  • Auto-focused multi-keyword search input (whitespace-separated AND-match across name, host, database, type — order-independent)

  • ↑/↓ to navigate, ↵ to pick, Esc to close

  • Active connection pinned to top

  • Same component drives the sidebar mini-switcher, the login-screen "Saved Connections" entry, and Settings → Connections

Desktop quality-of-life

  • In-app update notifier — login screen polls a hardened CDN endpoint and surfaces "New version X.Y.Z available — download now" with a download link.

  • Desktop zoomCmd/Ctrl + / Cmd/Ctrl - zoom the UI (browser keeps native zoom).

  • Themes - Graphite / Blue / Emerald / Violet / Rose / Amber and of course Terminal

KeeperDB Themes (showing Terminal theme)

Editor and grid polish

  • Tab key in the Query editor and Notebook SQL cells inserts 4 spaces; Shift-Tab dedents; multi-line selections indent all selected lines

  • Tab key in Notebook Markdown cells inserts 4 spaces too; selections indent/dedent line-by-line

  • Cmd/Ctrl+C now copies cells in Raw (no escaping) format by default — JSON cells stay as {"k":"v"} instead of being CSV-wrapped. The COPY AS menu adds "Raw" at the top alongside CSV / TSV / JSON

  • CodeMirror drawSelection — text-selection backgrounds now respect the editor theme (legible on dark backgrounds)

  • Row-detail drawer on Query results — same chip + drawer experience as the Data tab; long type labels no longer overflow; each field has a Copy button with feedback

  • Inline edits that end at the original value skip the API round-trip (no-op)

  • Type-aware filter values — the Data tab's Filter Rows now generates dialect-correct literals for binary (0xDEADBEEF / X'…' / HEXTORAW(…)), numeric (unquoted), and boolean (TRUE/FALSE or 1/0) columns instead of always wrapping in quotes

  • Foreign key referential actionsON DELETE / ON UPDATE (NO ACTION / RESTRICT / CASCADE / SET NULL / SET DEFAULT) now display in the Table Info modal across every driver

Driver improvements

  • Oracle — TCPS encryption by default with plain-TCP fallback for SslMode::Prefer (works through keeperdb-proxy without an Oracle Wallet); Easy Connect Plus support; raw TNS connection_string_override for RAC SCAN / EZConnect+ enterprise configurations; every identifier routed through SQL-92 doubling helper

  • MSSQLencryption required and certificate validation enabled by default; Failover Partner support; MultiSubnetFailover stub; GO batch separator handled client-side

  • PostgreSQL — multi-host cluster support; SERIAL/BIGSERIAL/SMALLSERIAL detection in get_table_ddl so emitted DDL round-trips cleanly

  • MySQL — multi-host cluster support

  • Error sanitization — sqlx Protocol error suffixes (e.g. ... (sqlx::error::ProtocolError)) are now stripped before reaching the client

Security and hardening

KeeperDB 2.0.x ships the results of an exhaustive security review:

  • MSSQL TLS hardened by defaultencrypt=true and certificate validation required out of the box; users can opt out per-connection from the Advanced options

  • WebSocket Origin validation on every upgrade

  • AI provider base_url allowlist — restricted to vendor hosts (OpenAI, Anthropic, Bedrock, Vertex, Azure).

  • Vertex AI location validated to prevent hostname injection

  • SQLite path sandbox — defends against filesystem-probe attacks, Windows drive-relative paths (C:Windows\...), and Windows lookalike directories

  • Metadata-endpoint denylist with canonical host comparison (closes IMDS SSRF)

  • CSV / Excel export hardening — formula-prefix neutralization (=, +, -, @), \r injection closed, Content-Disposition filename sanitized

  • Saved-connection chokepoint in the SDK now redacts Oracle connection_string_override (which can carry inline credentials) defense-in-depth; never persisted to disk

  • Session bearer redacted in audit debug logs; prior session disconnected on every cookie/token-minting handler (only after the new connect succeeds, so a failed connect can't strand existing tabs)

  • Atomic handoff redemption closes a TOCTOU race in session token exchange

  • Saved connections gated on standalone mode — PAM/Gateway sidecars cannot list or connect to local saved profiles

  • Per-user keychain scoping for saved connections on desktop

CVE sweep (closes 4 of 6 Dependabot alerts):

  • openssl 0.10.79 — HIGH undefined-behavior in X509Ref::ocsp_responders + MEDIUM heap buffer overflow in AES key-wrap-with-padding

  • tauri 2.11.1 — MEDIUM Origin Confusion (remote pages invoking local IPC commands)

  • postcss 8.5.14 — MEDIUM XSS via unescaped </style> in CSS stringify output

Features

  • Cross-platform native app for Windows, macOS and Linux

  • PostgreSQL, MySQL, SQLite, Microsoft SQL Server, Oracle, and Amazon Redshift — all from one tool, with consistent UI and behavior across protocols

  • Multi-host cluster connections for PostgreSQL and MySQL with read/write target selection and load-balancing modes

  • Query editor with SQL autocomplete (Ctrl+Space), multi-statement execution, drawSelection theming, 4-space Tab indent, and a record view toggle

  • Data browser with paginated grids, type-aware filtering (binary/numeric/boolean literals), inline editing, row-detail drawer, and CSV/JSON export

  • Notebook for combining SQL and Markdown cells into reusable analyses and runbooks

  • ER diagram with hover-highlight, dagre auto-layout, snap-to-grid, PNG export, configurable table cap, and "Ask KeeperAI" per table

  • Monitor for real-time process activity, blocking chains, locks, server parameters, and one-click process termination — protocol-aware for PostgreSQL, MySQL, MSSQL, and Oracle

  • Top Queries historical query analysis tab for PostgreSQL, MySQL, MSSQL, and Oracle

  • Searchable saved-connection picker across login, sidebar, and Settings

  • In-app update notifier on the desktop login screen

KeeperAI built in

  • A context-aware AI assistant that sees your structure and live performance data

  • Bring your own AI provider: OpenAI, Anthropic, Google Gemini, AWS Bedrock (commercial + GovCloud), Google Vertex, Azure OpenAI, or any OpenAI-compatible endpoint

  • Autonomous agent loop for multi-step tasks like query optimization, error triage, and performance investigation

  • "Ask KeeperAI" available directly from the ER diagram and Top Queries panel

  • Provider base_url allowlist enforced at save time and at request time

Security and enterprise readiness by default

  • Zero-knowledge: session credentials live only in process memory; saved-connection passwords live in the OS-native secret store, never written to disk in plaintext

  • MSSQL encryption required by default with certificate validation

  • Mandatory confirmation flow for destructive queries (DROP, DELETE without WHERE, etc.) — canonical SQL-safety classifier in the SDK, not duplicated in the frontend

  • Backend limit enforcement and pagination on every query — built for enterprise-scale schemas without runaway result sets

Architecture

Built for performance and security. KeeperDB is built as a single self-contained Rust binary — no Java runtime, no Electron, no separate components to install or update. The result is a fraction of the memory footprint of JVM-based tools like DBeaver, near-instant startup, a much smaller security attack surface, and a signed installer that ships as one compact native app instead of a multi-hundred-megabyte distribution.

Credential Storage

KeeperDB Desktop stores credentials in the OS-native secret store on every platform. All entries are stored under the service identifier com.keepersecurity.keeperdb and scoped per-user.

Operating System
Storage Backend

macOS

Keychain Services (login keychain). Visible in Keychain Access.app.

Windows

Windows Credential Manager (Generic Credentials). Visible under Control Panel → Credential Manager → Windows Credentials, or via cmdkey /list.

Linux

freedesktop Secret Service over D-Bus. Backed by GNOME Keyring, KDE KWallet, or KeePassXC, depending on which is running in your desktop session.

What is stored

  • Saved connection passwords — only when you explicitly choose to save a connection in the UI

  • AI provider API keys — OpenAI, Anthropic, AWS Bedrock, Google Vertex, Azure OpenAI, etc.

What is not stored on disk

  • Live session credentials for the current database connection live only in memory and are never written to disk. If you restart KeeperDB, you must reconnect.

  • Oracle connection_string_override (TNS / EZConnect+) is never persisted — TNS descriptors can carry inline credentials. You re-enter the override on each reconnect.

  • The next update to Keeper Forcefield will also protect application memory on Windows devices against local malware. It is scheduled for later in May 2026.

Get KeeperDB

The standalone KeeperDB Desktop App is available from our download page:

https://www.keepersecurity.com/download.html?t=db

Desktop installers: macOS DMG (Apple Silicon, signed + notarized), Windows MSI (x64, EV signed), Linux AppImage (any distro). Server packages also available: musl static tarball (Alpine / containers), glibc tarball, RPM (RHEL / Rocky / Amazon Linux), DEB (Debian / Ubuntu).

JSON file containing the latest binaries and sha256 hashes:

https://keepersecurity.com/pam/keeperdb/versions.json

Roadmap

We publish bi-weekly updates based on customer feedback. Send feature requests and bug reports to pam@keepersecurity.com, or post on our Reddit community page.

Resources

PreviousKeeperDB 2.1.0NextKeeperDB 1.8.3

Last updated