April 2026

Go SDK 1.7.0

Breaking changes

Go 1.16 required: Minimum Go version raised to 1.16 (was 1.14); update your go.mod and CI/CD images accordingly.

Decryption Failures: NewRecordFromJson, NewFolderFromJson, NewKeeperFolder, and NewKeeperFileFromJson now return nil on decryption failure instead of empty stubs; nil-check before dereferencing.

HTTP Error Format: GetSecrets/PostQuery errors on the JSON path now include HTTPStatus=N; switch from err.Error() substring checks to errors.As(err, &khe). (KSM-919)

New Features

• KSM-532: HTTP proxy support added via ClientOptions.ProxyUrl; HTTPS_PROXY and HTTP_PROXY environment variables are now honored when ProxyUrl is not set

• KSM-565: KSM tokens with a region prefix (US:, EU:, AU:, GOV:, JP:, CA:) now set the server hostname automatically

• KSM-583: SetNotes now upserts. It creates the notes field if it does not exist instead of silently doing nothing

• KSM-616: Removed deprecated ioutil dependency; minimum Go version raised to 1.16 (was 1.14)

• KSM-626: GraphSync link sharing support added

• KSM-632: File attachment links can now be removed from records via SaveWithOptions with UpdateOptions.LinksToRemove

• KSM-745: Transmission public key #18 added for Gov Cloud Dev environment support

Bug Fixes

• KSM-663: Malformed vault data (broken records, files, or folders) no longer crashes the SDK; valid data is returned when some entries cannot be decrypted

• KSM-665: HTTP errors from GetSecrets/PostQuery are now returned as *core.KeeperHTTPError with StatusCode, ResultCode, and Message fields accessible via errors.As; the error string on the JSON-error path now includes HTTPStatus=N (matching the non-JSON path)

• KSM-701: Config files are now created with 0600 permissions, preventing other local users from reading KSM credentials

• KSM-736: Notation lookup no longer fails with a duplicate UID error when a KSM app has access to both a record and a shortcut to the same record

• KSM-756: Records in shared folders were decrypted with the app key instead of the folder key, producing empty field values; now uses the correct folder key

• KSM-826: RecordCreate now always emits "custom": [] when no custom fields are set, fixing record creation failures on some server configurations

Security updates

• KSM-701: Config files now created with 0600 permissions — prevents credential exposure to other local users on the same machine

Links:

• pkg.go.dev

• GitHub Release

Terraform Provider for Keeper Secrets Manager 1.3.0

• KSM-871: Add ephemeral resources for all 25 record types (requires Terraform 1.10+)

  • Use ephemeral "secretsmanager_<type>" blocks instead of data sources to keep secrets out of state

  • Available for all record types: login, address, file, bank accounts, SSH keys, PAM resources, and more

  • All existing resources and data sources remain fully backward compatible

• KSM-388: Support user-defined custom fields on 22 compatible resources

• KSM-871: Add secretsmanager_pam_remote_browser resource, data source, and ephemeral resource with full CRUD lifecycle and import support

• KSM-885: Document Alpine Linux and musl-based container compatibility. All binaries are statically compiled with no C library dependencies

• Mark credential provider attribute as sensitive; add nil-check guards in ephemeral resources; surface warnings for unreachable field references

Note: Ephemeral resources require Terraform >= 1.10. All existing resources and data sources remain fully compatible with all supported Terraform versions.

Links:

• Terraform Registry

• GitHub Repository

Python SDK 17.2.1

• KSM-900: Added IL5 region support

Helper Package:

• 1.1.1: Bumped to require keeper-secrets-manager-core>=17.2.1

Links:

• PyPI Core Package

• PyPI Helper Package

.NET SDK 17.1.2

• KSM-843: Fixed ObjectDisposedException in LocalConfigStorage.SaveToFile() which prevented config writes from completing

• KSM-822: Record create payload now always includes custom: [], fixing creation failures on some server configurations

• KSM-864: GetSecrets no longer silently drops records when required, privacyScreen, or enforceGeneration fields contain integer values

• KSM-865: DownloadThumbnail now correctly fetches the thumbnail instead of the full file

• KSM-873: Get-SecretInfo now returns names that resolve correctly with Get-Secret. The list-then-fetch workflow documented at docs.keeper.io/powershell now works as expected

• KSM-863: Fixed PowerShell module failing to import due to a bundled system DLL conflict

• KSM-874: Removed Set-KeeperVault from the PowerShell module manifest, the function was never implemented and caused a hard error on call

• KSM-875: Fixed FieldValue<T>() throwing errors on records with empty or missing field values

Links:

• NuGet Package

• PowerShell Gallery

KSM GitHub Action v1.3.0

• KSM-641: Added < operator to store values back to Keeper Vault

  • pipelines can now generate and persist credentials, not just consume them

• KSM-872: Structured field values (SSH keys, host entries, phone numbers, etc.) now retrieve correctly

  • previously these fields returned garbled or unusable output

Security updates

• Stored values masked in GitHub Actions logs via setSecret()

• File write paths validated within GITHUB_WORKSPACE boundary (path traversal prevention)

• Sensitive field types (fileRef, passkey, recordRef) protected from direct modification

Links:

• GitHub Marketplace

• Release v1.3.0

JavaScript GCP KMS Storage 1.0.0

• KSM-704: You can now encrypt and decrypt KSM configuration files with GCP Cloud Key Management; supports symmetric and asymmetric keys, service account credentials or application default authentication, key rotation, and config export.

Security updates

• Upgraded @google-cloud/kms to 5.2.1 — resolves CVE-2025-65945

• Upgraded pino to v10 — resolves CVE-2025-57319

Links:

• Javascript SDK for Keeper Secrets Manager

• Google Cloud Key Encryption Documentation

• NPM Package

JavaScript Oracle KMS Storage 1.0.0

• KSM-705: You can now encrypt and decrypt KSM configuration files with Oracle Cloud Infrastructure (OCI) Vault; supports AES symmetric and RSA asymmetric keys, OCI config file authentication, key rotation, and config export.

Security updates

• Upgraded oci-common and oci-keymanagement to 2.127.0 — resolves CVE-2026-4800 and CVE-2026-2950

• Upgraded pino to v10 — resolves CVE-2025-57319

Links:

• Javascript SDK for Keeper Secrets Manager

• OCI Vault Encryption Documentation

• NPM Package

JavaScript AWS KMS Storage 1.0.0

• KSM-703: You can now encrypt and decrypt KSM configuration files with AWS KMS; supports symmetric and RSA asymmetric keys, explicit credentials or environment-based AWS authentication, key rotation, and config export.

Security updates

• Upgraded pino to v10 — resolves CVE-2025-57319 (fast-redact, HIGH)

Links:

• Javascript SDK for Keeper Secrets Manager

• AWS KMS Encryption Documentation

• NPM Package

JavaScript Azure Key Vault Storage 1.0.0

• KSM-706: You can now encrypt and decrypt KSM configuration files with Azure Key Vault; supports RSA keys, explicit credentials or environment-based DefaultAzureCredential, key rotation, and config export

Security updates

• Upgraded pino to v10 — resolves CVE-2025-57319 (fast-redact, HIGH)

• Upgraded jws to v3.2.3 — resolves CVE-2025-65945 (HIGH)

Links:

• Javascript SDK for Keeper Secrets Manager

• Azure Key Vault Encryption Documentation

• NPM Package