# KeeperDB 2.0.2

## Overview

**KeeperDB** is a fast, secure, cross-platform database management tool. Use it inside KeeperPAM connections or as a standalone desktop app on Windows, macOS, and Linux.

Query, explore, and operate PostgreSQL, MySQL, SQLite, Microsoft SQL Server, Oracle, and Amazon Redshift from one interface.

KeeperDB is built for engineers and data scientists. It replaces legacy tools like DBeaver, MySQL Workbench, and pgAdmin. In KeeperPAM, it brings core database workflows into a fully managed passwordless experience.

Quick Links: [Product Documentation](/keeperpam/privileged-access-manager/keeperdb.md) | [Download Now](https://www.keepersecurity.com/download.html?t=db)

#### KeeperPAM Connection

KeeperPAM database connection resources work with the latest Keeper Vault and Keeper Gateway. This adds session management, just-in-time workflows, and KeeperAI threat detection. The screen recording below shows a live demo.

<figure><img src="/files/8hnkr3P6ZpjRodLzgxUj" alt=""><figcaption><p>KeeperPAM interaction</p></figcaption></figure>

Keeper Vault and KeeperDB automatically match your local system's light or dark mode setting.

<figure><img src="/files/KwPontqKA2dJ0uyZUoYP" alt=""><figcaption><p>Keeper Vault and KeeperDB in light and dark mode</p></figcaption></figure>

#### Standalone Desktop App

The KeeperDB desktop app is a modern replacement for legacy tools like DBeaver, MySQL Workbench, pgAdmin, DataGrip, Beekeeper, and HeidiSQL.

**Download:** <https://www.keepersecurity.com/download.html?t=db>

<figure><img src="/files/9hapYjJAI8xiMDu1r1ih" alt=""><figcaption></figcaption></figure>

#### What's New in 2.0.2

Since 1.8.3, we've added multi-host clusters, the Top Queries screen, desktop polish, a searchable connection picker, ER graph tooling, and security hardening.

**Multi-host cluster connections**

Connect to highly-available PostgreSQL clusters by listing multiple hosts in one connection. KeeperDB now mirrors `libpq` / Connector/J failover semantics natively in the desktop UI — no more falling back to CSV-in-host strings.

* **PostgreSQL** — multi-host with `target_session_attrs` (any / read-write / read-only / primary / standby / prefer-standby) and `load_balance_hosts` (disable / random)
* **Per-driver advanced options** — the Advanced... modal under Host+Port is gated on driver

<figure><img src="/files/SKJjzO7RFyOhW9noOxfS" alt=""><figcaption></figcaption></figure>

#### **Top Queries (historical query analysis)**

A new **Top Queries** tab inside Monitor surfaces the heaviest historical SQL across each supported engine — total time, mean time, call count, rows, and percent of total — sorted server-side for performance.

* **PostgreSQL** — `pg_stat_statements` (cross-version, surfaces an "extension missing" hint when not installed)
* **MySQL / MariaDB / Aurora** — `performance_schema` digest analysis, with Aurora-aware consumer diagnostics ("performance\_schema is enabled but no digest data — likely consumers are off")
* **Oracle** — `V$SQLSTATS` (Enterprise / Standard editions)
* Click any row to open the full normalized SQL, jump to **EXPLAIN** (Postgres/MySQL), or send the statement to KeeperAI for analysis

<figure><img src="/files/skcOHbmt70rFw3h8BnU7" alt=""><figcaption></figcaption></figure>

#### **ER diagram tooling**

The schema graph is now usable on real production schemas (hundreds of tables, deep FK chains):

* **↻ Reset Layout** — re-runs dagre auto-layout if positions have drifted
* **⊞ Snap-to-grid** — toggle, persisted per-user; 20px grid for clean alignment
* **⇩ Export PNG** — high-DPI export scoped to the viewport (no toolbar artifacts)
* **Hover-highlight** — hovering a table fades non-connected tables to 25% so you can trace foreign-key paths at a glance
* **Bulk schema fetch** — columns and foreign keys load via a single batched query per schema (was N+1 per table); large graphs build dramatically faster
* **Configurable table cap** — Settings → Editor → Graph View now exposes "Max tables in graph" (default 200, up to 1000)
* **Viewport sanity-check** — if a saved viewport would leave zero nodes on screen, falls back to `fitView` automatically

<figure><img src="/files/26ke0WQzcqfnbCv7aXdq" alt=""><figcaption></figcaption></figure>

#### **Sidebar table expansion**

Click the disclosure triangle (▸/▾) next to any table to expand its columns inline without leaving the current view. This matches the pattern in DBeaver, DataGrip, and TablePlus. **PK** and **FK** badges (text labels, not emoji) appear next to columns. FK rows show the `→ target.column` reference inline. Right and Left arrow keys also expand and collapse rows. Columns load lazily on first expand and reuse the schema-index cache.

<figure><img src="/files/5tmCEzf0kWspWo4k6rxE" alt=""><figcaption></figcaption></figure>

#### **Searchable connection picker**

Built for desktop users with hundreds of saved connections. It replaces native `<select>` dropdowns on the login screen, sidebar, and **Settings** with a fast, keyboard-driven modal:

* Auto-focused multi-keyword search input (whitespace-separated AND-match across name, host, database, type — order-independent)
* ↑/↓ to navigate, ↵ to pick, **Esc** to close
* Active connection pinned to top
* Same component drives the sidebar mini-switcher, the login-screen "Saved Connections" entry, and Settings → Connections

<figure><img src="/files/FWC8YLjntIX8Qs3rgno7" alt=""><figcaption></figcaption></figure>

#### **Desktop quality-of-life**

* **In-app update notifier** — login screen polls a hardened CDN endpoint and surfaces "New version X.Y.Z available — download now" with a download link.
* **Desktop zoom** — `Cmd/Ctrl +` / `Cmd/Ctrl -` zoom the UI (browser keeps native zoom).
* **Themes** - Graphite / Blue / Emerald / Violet / Rose / Amber and of course **Terminal**

<figure><img src="/files/L09sKsMgd2L25QVGvAr5" alt=""><figcaption><p>KeeperDB Themes (showing Terminal theme)</p></figcaption></figure>

#### **Editor and grid polish**

* **Tab key** in the Query editor and Notebook SQL cells inserts 4 spaces; Shift-Tab dedents; multi-line selections indent all selected lines
* **Tab key** in Notebook Markdown cells inserts 4 spaces too; selections indent/dedent line-by-line
* **Cmd/Ctrl+C** now copies cells in **Raw (no escaping)** format by default — JSON cells stay as `{"k":"v"}` instead of being CSV-wrapped. The COPY AS menu adds "Raw" at the top alongside CSV / TSV / JSON
* **CodeMirror drawSelection** — text-selection backgrounds now respect the editor theme (legible on dark backgrounds)
* **Row-detail drawer** on Query results — same chip + drawer experience as the Data tab; long type labels no longer overflow; each field has a Copy button with feedback
* **Inline edits** that end at the original value skip the API round-trip (no-op)
* **Type-aware filter values** — the Data tab's Filter Rows now generates dialect-correct literals for binary (`0xDEADBEEF` / `X'…'` / `HEXTORAW(…)`), numeric (unquoted), and boolean (`TRUE`/`FALSE` or `1`/`0`) columns instead of always wrapping in quotes
* **Foreign key referential actions** — `ON DELETE` / `ON UPDATE` (NO ACTION / RESTRICT / CASCADE / SET NULL / SET DEFAULT) now display in the Table Info modal across every driver
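
The type-aware filter literals above, together with quote-doubling for identifiers, as an added Rust example that is not KeeperDB's code; it shows that a value emitted without quotes must pass strict validation first. The `Dialect` and `ColKind` types, the function names, and the mapping of dialect to literal form are assumptions.

```rust
// Added example: Dialect, ColKind and the dialect-to-literal mapping are assumptions.
#[derive(Clone, Copy)]
pub enum Dialect { MySql, Mssql, Sqlite, Oracle }
pub enum ColKind { Binary, Numeric, Boolean }

/// Quote an identifier by doubling the dialect's quote character inside it.
pub fn quote_ident(d: Dialect, name: &str) -> String {
    let q = if matches!(d, Dialect::MySql) { '`' } else { '"' };
    format!("{}{}{}", q, name.replace(q, &format!("{}{}", q, q)), q)
}

fn all_digits(s: &str) -> bool { !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit()) }

/// Render a filter value as a literal for the column type, or reject it.
pub fn literal(d: Dialect, kind: ColKind, input: &str) -> Result<String, String> {
    let v = input.trim();
    let bad = |what: &str| Err(format!("{:?} is not {}", v, what));
    match kind {
        ColKind::Binary => {
            let hex = v.strip_prefix("0x").or_else(|| v.strip_prefix("0X")).unwrap_or(v);
            if hex.is_empty() || hex.len() % 2 != 0 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
                return bad("an even-length hex string");
            }
            let hex = hex.to_ascii_uppercase();
            Ok(match d {
                Dialect::Mssql => format!("0x{}", hex),
                Dialect::MySql | Dialect::Sqlite => format!("X'{}'", hex),
                Dialect::Oracle => format!("HEXTORAW('{}')", hex),
            })
        }
        // Emitted without quotes, so accept only [-]digits[.digits] and nothing else.
        ColKind::Numeric => {
            let body = v.strip_prefix('-').unwrap_or(v);
            let (int, frac) = body.split_once('.').map_or((body, None), |(i, f)| (i, Some(f)));
            if all_digits(int) && frac.map_or(true, all_digits) { Ok(v.to_string()) }
            else { bad("a plain decimal number") }
        }
        ColKind::Boolean => {
            let (t, f) = if matches!(d, Dialect::MySql) { ("TRUE", "FALSE") } else { ("1", "0") };
            match v.to_ascii_lowercase().as_str() {
                "true" | "1" => Ok(t.to_string()),
                "false" | "0" => Ok(f.to_string()),
                _ => bad("a boolean"),
            }
        }
    }
}

fn main() {
    println!("{} = {:?}", quote_ident(Dialect::Oracle, "payload"), literal(Dialect::Oracle, ColKind::Binary, "0xdeadbeef"));
}
```

Text columns are left out on purpose: string values belong in bound parameters, since quote doubling alone is not safe under MySQL's default backslash escaping.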

<figure><img src="/files/iiOcGvZEnk8eHF4ADJd3" alt=""><figcaption></figcaption></figure>

#### **Driver improvements**

* **Oracle** — TCPS encryption by default with plain-TCP fallback for `SslMode::Prefer` (works through `keeperdb-proxy` without an Oracle Wallet); Easy Connect Plus support; raw TNS `connection_string_override` for RAC SCAN / EZConnect+ enterprise configurations; every identifier is routed through a SQL-92 quote-doubling helper
* **MSSQL** — **encryption required and certificate validation enabled by default**; Failover Partner support; `MultiSubnetFailover` stub; `GO` batch separator handled client-side
* **PostgreSQL** — multi-host cluster support; SERIAL/BIGSERIAL/SMALLSERIAL detection in `get_table_ddl` so emitted DDL round-trips cleanly
* **MySQL** — multi-host cluster support
* **Error sanitization** — sqlx Protocol error suffixes (e.g. `... (sqlx::error::ProtocolError)`) are now stripped before reaching the client

#### Security and hardening

KeeperDB 2.0.x ships the results of an exhaustive security review:

* **MSSQL TLS hardened by default** — `encrypt=true` and certificate validation required out of the box; users can opt out per-connection from the Advanced options
* **WebSocket Origin validation** on every upgrade
* **AI provider base\_url allowlist** — restricted to vendor hosts (OpenAI, Anthropic, Bedrock, Vertex, Azure).
* **Vertex AI location** validated to prevent hostname injection
* **SQLite path sandbox** — defends against filesystem-probe attacks, Windows drive-relative paths (`C:Windows\...`), and Windows lookalike directories
* **Metadata-endpoint denylist** with canonical host comparison (closes IMDS SSRF)
* **CSV / Excel export hardening** — formula-prefix neutralization (`=`, `+`, `-`, `@`), `\r` injection closed, `Content-Disposition` filename sanitized
* **Saved-connection chokepoint** in the SDK now redacts Oracle `connection_string_override` (which can carry inline credentials) as defense-in-depth; the override is never persisted to disk
* **Session bearer redacted** in audit debug logs; **prior session disconnected** on every cookie/token-minting handler (only after the new connect succeeds, so a failed connect can't strand existing tabs)
* **Atomic handoff redemption** closes a TOCTOU race in session token exchange
* **Saved connections gated on standalone mode** — PAM/Gateway sidecars cannot list or connect to local saved profiles
* **Per-user keychain scoping** for saved connections on desktop
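
The export hardening listed above, as an added Rust example that is not KeeperDB's code: cells that start with a formula prefix are neutralized, fields are quoted so an embedded `\r` cannot start a new row, and the download filename is reduced to a safe character set. The function names, the leading-apostrophe strategy and the filename character set are assumptions.

```rust
// Added example: names and the exact neutralization strategy are assumptions.

/// Neutralize a cell that a spreadsheet would otherwise evaluate as a formula.
pub fn neutralize_cell(value: &str) -> String {
    // Prefixes named in the release note, plus tab and CR, which OWASP also lists.
    const TRIGGERS: [char; 6] = ['=', '+', '-', '@', '\t', '\r'];
    match value.chars().next() {
        // A leading apostrophe makes the spreadsheet treat the cell as text.
        Some(c) if TRIGGERS.contains(&c) => format!("'{}", value),
        _ => value.to_string(),
    }
}

/// Encode one CSV field: neutralize first, then apply RFC 4180 quoting.
pub fn csv_field(value: &str) -> String {
    let v = neutralize_cell(value);
    if v.contains(|c: char| matches!(c, ',' | '"' | '\r' | '\n')) {
        format!("\"{}\"", v.replace('"', "\"\""))
    } else {
        v
    }
}

/// Join fields into one CRLF-terminated record.
pub fn csv_row(cells: &[&str]) -> String {
    cells.iter().map(|c| csv_field(c)).collect::<Vec<_>>().join(",") + "\r\n"
}

/// Build a Content-Disposition value from an untrusted name such as a table name.
pub fn content_disposition(name: &str) -> String {
    // Anything outside [A-Za-z0-9._-] becomes '_', which removes CR/LF, quotes,
    // path separators and header delimiters in one pass.
    let safe: String = name.chars()
        .map(|c| if c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_') { c } else { '_' })
        .collect();
    let safe = safe.trim_start_matches('.');
    let safe = if safe.is_empty() { "export" } else { safe };
    format!("attachment; filename=\"{}.csv\"", safe)
}

fn main() {
    // Constructed sample row.
    print!("{}", csv_row(&["id", "=SUM(A1:A9)", "say \"hi\""]));
    println!("{}", content_disposition("q3 \"sales\"\r\n"));
}
```

Signed numbers such as `-5` also receive the apostrophe here, so consumers that re-import the file need to strip it.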

#### CVE sweep (closes 4 of 6 Dependabot alerts)

* `openssl` 0.10.79 — HIGH undefined-behavior in `X509Ref::ocsp_responders` + MEDIUM heap buffer overflow in AES key-wrap-with-padding
* `tauri` 2.11.1 — MEDIUM Origin Confusion (remote pages invoking local IPC commands)
* `postcss` 8.5.14 — MEDIUM XSS via unescaped `</style>` in CSS stringify output

***

### Features

* **Cross-platform native app** for Windows, macOS and Linux
* **PostgreSQL**, **MySQL**, **SQLite**, **Microsoft SQL Server**, **Oracle**, and **Amazon Redshift** — all from one tool, with consistent UI and behavior across protocols
* **Multi-host cluster connections** for PostgreSQL and MySQL with read/write target selection and load-balancing modes
* **Query editor** with SQL autocomplete (Ctrl+Space), multi-statement execution, drawSelection theming, 4-space Tab indent, and a record view toggle
* **Data browser** with paginated grids, type-aware filtering (binary/numeric/boolean literals), inline editing, row-detail drawer, and CSV/JSON export
* **Notebook** for combining SQL and Markdown cells into reusable analyses and runbooks
* **ER diagram** with hover-highlight, dagre auto-layout, snap-to-grid, PNG export, configurable table cap, and "Ask KeeperAI" per table
* **Monitor** for real-time process activity, blocking chains, locks, server parameters, and one-click process termination — protocol-aware for PostgreSQL, MySQL, MSSQL, and Oracle
* **Top Queries** historical query analysis tab for PostgreSQL, MySQL, MSSQL, and Oracle
* **Searchable saved-connection picker** across login, sidebar, and Settings
* **In-app update notifier** on the desktop login screen

### **KeeperAI built in**

* A **context-aware AI assistant** that sees your structure and live performance data
* Bring your own AI provider: **OpenAI**, **Anthropic**, **Google Gemini**, **AWS Bedrock** (commercial + GovCloud), **Google Vertex**, **Azure OpenAI**, or any OpenAI-compatible endpoint
* **Autonomous agent loop** for multi-step tasks like query optimization, error triage, and performance investigation
* "**Ask KeeperAI**" available directly from the ER diagram and Top Queries panel
* Provider `base_url` allowlist enforced at save time and at request time

### **Security and enterprise readiness by default**

* **Zero-knowledge:** session credentials live only in process memory; saved-connection passwords live in the OS-native secret store, never written to disk in plaintext
* **MSSQL encryption required by default** with certificate validation
* **Mandatory confirmation flow** for destructive queries (DROP, DELETE without WHERE, etc.) — canonical SQL-safety classifier in the SDK, not duplicated in the frontend
* **Backend limit enforcement** and pagination on every query — built for enterprise-scale schemas without runaway result sets

## Architecture

Built for performance and security. KeeperDB is built as a single self-contained Rust binary — no Java runtime, no Electron, no separate components to install or update. The result is a fraction of the memory footprint of JVM-based tools like DBeaver, near-instant startup, a much smaller security attack surface, and a signed installer that ships as one compact native app instead of a multi-hundred-megabyte distribution.

### Credential Storage

KeeperDB Desktop stores credentials in the **OS-native secret store** on every platform. All entries are stored under the service identifier `com.keepersecurity.keeperdb` and scoped per-user.

| Operating System | Storage Backend                                                                                                                                               |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **macOS**        | Keychain Services (login keychain). Visible in `Keychain Access.app`.                                                                                         |
| **Windows**      | Windows Credential Manager (Generic Credentials). Visible under **Control Panel → Credential Manager → Windows Credentials**, or via `cmdkey /list`.          |
| **Linux**        | freedesktop Secret Service over D-Bus. Backed by **GNOME Keyring**, **KDE KWallet**, or **KeePassXC**, depending on which is running in your desktop session. |

#### What is stored

* **Saved connection passwords** — only when you explicitly choose to save a connection in the UI
* **AI provider API keys** — OpenAI, Anthropic, AWS Bedrock, Google Vertex, Azure OpenAI, etc.

#### What is *not* stored on disk

* **Live session credentials** for the current database connection live **only in memory** and are never written to disk. If you restart KeeperDB, you must reconnect.
* **Oracle `connection_string_override`** (TNS / EZConnect+) is never persisted — TNS descriptors can carry inline credentials. You re-enter the override on each reconnect.
* The next update to [Keeper Forcefield](https://www.keepersecurity.com/forcefield-endpoint-protection/) will also protect application memory on Windows devices against local malware. It is scheduled for later in May 2026.

### Get KeeperDB

The standalone KeeperDB Desktop App is available from our download page:

<https://www.keepersecurity.com/download.html?t=db>

Desktop installers: **macOS DMG** (Apple Silicon, signed + notarized), **Windows MSI** (x64, EV signed), **Linux AppImage** (any distro). Server packages are also available: **musl** static tarball (Alpine / containers), **glibc** tarball, **RPM** (RHEL / Rocky / Amazon Linux), **DEB** (Debian / Ubuntu).

JSON file containing the latest binaries and sha256 hashes:

<https://keepersecurity.com/pam/keeperdb/versions.json>

### Roadmap

We publish bi-weekly updates based on customer feedback. Send feature requests and bug reports to <pam@keepersecurity.com>, or post on our [Reddit community page](https://www.reddit.com/r/KeeperSecurity/).

#### Resources

* [KeeperDB Documentation](/keeperpam/privileged-access-manager/keeperdb.md)
* [KeeperDB Proxy Documentation](/keeperpam/privileged-access-manager/keeperdb-proxy.md)
* [KeeperDB Feature Page](https://www.keepersecurity.com/features/keeper-db/)
* [KeeperAI Documentation](/keeperpam/privileged-access-manager/keeperai.md)
* [KeeperPAM](https://www.keepersecurity.com/privileged-access-management/)


