# April 2026

## Go SDK 1.7.0

> **Breaking changes**
>
> **Go 1.16 required:** Minimum Go version raised to 1.16 (was 1.14); update your `go.mod` and CI/CD images accordingly.
>
> **Decryption Failures:** `NewRecordFromJson`, `NewFolderFromJson`, `NewKeeperFolder`, and `NewKeeperFileFromJson` now return `nil` on decryption failure instead of empty stubs; nil-check before dereferencing.
>
> **HTTP Error Format:** `GetSecrets`/`PostQuery` errors on the JSON path now include `HTTPStatus=N`; switch from `err.Error()` substring checks to `errors.As(err, &khe)`. (KSM-919)

**New Features**

* **KSM-532:** HTTP proxy support added via `ClientOptions.ProxyUrl`; `HTTPS_PROXY` and `HTTP_PROXY` environment variables are now honored when `ProxyUrl` is not set
* **KSM-565:** KSM tokens with a region prefix (`US:`, `EU:`, `AU:`, `GOV:`, `JP:`, `CA:`) now set the server hostname automatically
* **KSM-583:** `SetNotes` now upserts. It creates the notes field if it does not exist instead of silently doing nothing
* **KSM-616:** Removed deprecated `ioutil` dependency; minimum Go version raised to 1.16 (was 1.14)
* **KSM-626:** GraphSync link sharing support added
* **KSM-632:** File attachment links can now be removed from records via `SaveWithOptions` with `UpdateOptions.LinksToRemove`
* **KSM-745:** Transmission public key #18 added for Gov Cloud Dev environment support

**Bug Fixes**

* **KSM-663:** Malformed vault data (broken records, files, or folders) no longer crashes the SDK; valid data is returned when some entries cannot be decrypted
* **KSM-665:** HTTP errors from `GetSecrets`/`PostQuery` are now returned as `*core.KeeperHTTPError` with `StatusCode`, `ResultCode`, and `Message` fields accessible via `errors.As`; the error string on the JSON-error path now includes `HTTPStatus=N` (matching the non-JSON path)
* **KSM-701:** Config files are now created with `0600` permissions, preventing other local users from reading KSM credentials
* **KSM-736:** Notation lookup no longer fails with a duplicate UID error when a KSM app has access to both a record and a shortcut to the same record
* **KSM-756:** Records in shared folders were decrypted with the app key instead of the folder key, producing empty field values; now uses the correct folder key
* **KSM-826:** `RecordCreate` now always emits `"custom": []` when no custom fields are set, fixing record creation failures on some server configurations
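
The migration described in the breaking-change note and in KSM-665, as an added example that is not code from the SDK. `KeeperHTTPError` below is a local stand-in for `*core.KeeperHTTPError`: its field names come from this page, while the field types, the `Error()` text, the sample result code and the retry policy are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// KeeperHTTPError is a local stand-in for the SDK's *core.KeeperHTTPError.
// Field names are from the release note; the field types and the Error()
// text are assumptions made for this example.
type KeeperHTTPError struct {
	StatusCode int
	ResultCode string
	Message    string
}

func (e *KeeperHTTPError) Error() string {
	return fmt.Sprintf("HTTPStatus=%d, result_code=%s: %s", e.StatusCode, e.ResultCode, e.Message)
}

// classify decides how a caller should react to an error from a secrets
// fetch. It inspects the typed error, so it keeps working when the error is
// wrapped and when the error string changes format between SDK versions.
func classify(err error) string {
	var khe *KeeperHTTPError
	if !errors.As(err, &khe) {
		return "non-http" // network failure, bad config, etc.
	}
	switch {
	case khe.StatusCode == 401 || khe.StatusCode == 403:
		return "auth" // do not retry; credentials or app access need attention
	case khe.StatusCode == 429 || khe.StatusCode >= 500:
		return "retry" // transient; back off and try again
	default:
		return "fail"
	}
}

func main() {
	// Constructed sample error, wrapped the way calling code often does.
	inner := &KeeperHTTPError{StatusCode: 403, ResultCode: "sample_code", Message: "constructed sample"}
	err := fmt.Errorf("fetching secrets: %w", inner)
	fmt.Println(classify(err)) // the wrapper does not hide the typed error
}
```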

**Security updates**

* **KSM-701:** Config files now created with `0600` permissions — prevents credential exposure to other local users on the same machine

**Links:**

* [pkg.go.dev](https://pkg.go.dev/github.com/keeper-security/secrets-manager-go/core@v1.7.0)
* [GitHub Release](https://github.com/Keeper-Security/secrets-manager-go/releases/tag/v1.7.0)

## Terraform Provider for Keeper Secrets Manager 1.3.0

* **KSM-871:** Add ephemeral resources for all 25 record types (requires Terraform 1.10+)
  * Use `ephemeral "secretsmanager_<type>"` blocks instead of `data` sources to keep secrets out of state
  * Available for all record types: login, address, file, bank accounts, SSH keys, PAM resources, and more
  * All existing resources and data sources remain fully backward compatible
* **KSM-388:** Support user-defined `custom` fields on 22 compatible resources
* **KSM-871:** Add `secretsmanager_pam_remote_browser` resource, data source, and ephemeral resource with full CRUD lifecycle and import support
* **KSM-885:** Document Alpine Linux and musl-based container compatibility. All binaries are statically compiled with no C library dependencies
* Mark `credential` provider attribute as sensitive; add nil-check guards in ephemeral resources; surface warnings for unreachable field references

**Note:** Ephemeral resources require Terraform >= 1.10. All existing resources and data sources remain fully compatible with all supported Terraform versions.

**Links:**

* [Terraform Registry](https://registry.terraform.io/providers/Keeper-Security/secretsmanager/latest)
* [GitHub Repository](https://github.com/Keeper-Security/terraform-provider-secretsmanager/releases/tag/v1.3.0)

## Python SDK 17.2.1

* **KSM-900:** Added IL5 region support

**Helper Package:**

* **1.1.1:** Bumped to require `keeper-secrets-manager-core>=17.2.1`

**Links:**

* [PyPI Core Package](https://pypi.org/project/keeper-secrets-manager-core/)
* [PyPI Helper Package](https://pypi.org/project/keeper-secrets-manager-helper/)

## .NET SDK 17.1.2

* **KSM-843:** Fixed `ObjectDisposedException` in `LocalConfigStorage.SaveToFile()` which prevented config writes from completing
* **KSM-822:** Record create payload now always includes `custom: []`, fixing creation failures on some server configurations
* **KSM-864:** `GetSecrets` no longer silently drops records when `required`, `privacyScreen`, or `enforceGeneration` fields contain integer values
* **KSM-865:** `DownloadThumbnail` now correctly fetches the thumbnail instead of the full file
* **KSM-873:** `Get-SecretInfo` now returns names that resolve correctly with `Get-Secret`. The list-then-fetch workflow documented at docs.keeper.io/powershell now works as expected
* **KSM-863:** Fixed PowerShell module failing to import due to a bundled system DLL conflict
* **KSM-874:** Removed `Set-KeeperVault` from the PowerShell module manifest; the function was never implemented and caused a hard error on call
* **KSM-875:** Fixed `FieldValue<T>()` throwing errors on records with empty or missing field values

**Links:**

* [NuGet Package](https://www.nuget.org/packages/Keeper.SecretsManager/17.1.2)
* [PowerShell Gallery](https://www.powershellgallery.com/packages/SecretManagement.Keeper/17.1.2)

## KSM GitHub Action v1.3.0

* **KSM-641:** Added `<` operator to store values back to Keeper Vault
  * Pipelines can now generate and persist credentials, not just consume them
* **KSM-872:** Structured field values (SSH keys, host entries, phone numbers, etc.) now retrieve correctly
  * Previously these fields returned garbled or unusable output

**Security updates**

* Stored values masked in GitHub Actions logs via `setSecret()`
* File write paths validated within `GITHUB_WORKSPACE` boundary (path traversal prevention)
* Sensitive field types (fileRef, passkey, recordRef) protected from direct modification

**Links:**

* [GitHub Marketplace](https://github.com/marketplace/actions/keeper-secrets-manager-github-action)
* [Release v1.3.0](https://github.com/Keeper-Security/ksm-action/releases/tag/v1.3.0)

## JavaScript GCP KMS Storage 1.0.0

* **KSM-704:** You can now encrypt and decrypt KSM configuration files with GCP Cloud Key Management; supports symmetric and asymmetric keys, service account credentials or application default authentication, key rotation, and config export.

**Security updates**

* Upgraded `@google-cloud/kms` to 5.2.1 — resolves CVE-2025-65945
* Upgraded `pino` to v10 — resolves CVE-2025-57319

**Links:**

* [JavaScript SDK for Keeper Secrets Manager](/keeperpam/secrets-manager/developer-sdk-library/javascript-sdk.md)
* [Google Cloud Key Encryption Documentation](/keeperpam/secrets-manager/integrations/google-cloud-key-management-encryption.md)
* [NPM Package](https://www.npmjs.com/package/@keeper-security/secrets-manager-gcp)

## JavaScript Oracle KMS Storage 1.0.0

* **KSM-705:** You can now encrypt and decrypt KSM configuration files with Oracle Cloud Infrastructure (OCI) Vault; supports AES symmetric and RSA asymmetric keys, OCI config file authentication, key rotation, and config export.

**Security updates**

* Upgraded `oci-common` and `oci-keymanagement` to 2.127.0 — resolves CVE-2026-4800 and CVE-2026-2950
* Upgraded `pino` to v10 — resolves CVE-2025-57319

**Links:**

* [JavaScript SDK for Keeper Secrets Manager](/keeperpam/secrets-manager/developer-sdk-library/javascript-sdk.md)
* [OCI Vault Encryption Documentation](/keeperpam/secrets-manager/integrations/oracle-key-vault.md)
* [NPM Package](https://www.npmjs.com/package/@keeper-security/secrets-manager-oracle-kv)

## JavaScript AWS KMS Storage 1.0.0

* **KSM-703:** You can now encrypt and decrypt KSM configuration files with AWS KMS; supports symmetric and RSA asymmetric keys, explicit credentials or environment-based AWS authentication, key rotation, and config export.

**Security updates**

* Upgraded `pino` to v10 — resolves CVE-2025-57319 (fast-redact, HIGH)

**Links:**

* [JavaScript SDK for Keeper Secrets Manager](/keeperpam/secrets-manager/developer-sdk-library/javascript-sdk.md)
* [AWS KMS Encryption Documentation](/keeperpam/secrets-manager/integrations/aws-kms.md)
* [NPM Package](https://www.npmjs.com/package/@keeper-security/secrets-manager-aws)

***

## JavaScript Azure Key Vault Storage 1.0.0

* **KSM-706:** You can now encrypt and decrypt KSM configuration files with Azure Key Vault; supports RSA keys, explicit credentials or environment-based DefaultAzureCredential, key rotation, and config export

**Security updates**

* Upgraded `pino` to v10 — resolves CVE-2025-57319 (fast-redact, HIGH)
* Upgraded `jws` to v3.2.3 — resolves CVE-2025-65945 (HIGH)

**Links:**

* [JavaScript SDK for Keeper Secrets Manager](/keeperpam/secrets-manager/developer-sdk-library/javascript-sdk.md)
* [Azure Key Vault Encryption Documentation](/keeperpam/secrets-manager/integrations/azure-key-vault-ksm.md)
* [NPM Package](https://www.npmjs.com/package/@keeper-security/secrets-manager-azure)

