March 2026

Keeper Secrets Manager CLI 1.3.0

This update introduces enhanced security features that use native secure profile storage to safeguard Keeper device identity information. This security measure is enabled by default on all compatible Windows, macOS, and Linux devices.

Breaking Change Minimum supported Python version is now 3.10 (previously 3.7). Python 3.7-3.9 users should stay on v1.2.0

Breaking Change boto3 is no longer installed by default. AWS sync users must install the [aws] extra: pip install keeper-secrets-manager-cli[aws]

• KSM-800: Added OS-native keyring storage for CLI configuration

  • New profiles store configuration in the OS keyring by default (macOS Keychain, Windows Credential Manager, Linux Secret Service)

  • Existing keeper.ini profiles continue to work without migration

  • Added --ini-file flag to opt into explicit file-based storage

  • Install keyring support: pip install keeper-secrets-manager-cli[keyring]

  • Additional fixes:

    • Profile name validated against [a-zA-Z0-9_-]{1,64} before redeeming one-time token

    • SHA-256 integrity check on every keyring load with clear error and recovery hint

    • Warning on stderr when keyring is empty and a keeper.ini exists

    • Graceful fallback to keeper.ini on Linux when Secret Service is unavailable

    • --ini-file flag respected by all profile and config subcommands and no longer requires boto3 for non-AWS profiles

• KSM-810: added ksm profile delete <name> command

• KSM-820: ksm secret get --json now outputs custom fields under "custom" key (was "custom_fields"), matching the canonical V3 record format

• KSM-818: ksm shell no longer crashes when click>=8.2 is installed

• KSM-702: Record create payload now always includes custom: []; previously omitted when no custom fields were set

• KSM-691: keeper.ini is now written with owner-only permissions (0600)

• Dependency Update: Updated keeper-secrets-manager-core to >=17.2.0 and keeper-secrets-manager-helper to >=1.1.0

Security updates

• KSM-761: Fixed CVE-2026-23949 (jaraco.context path traversal vulnerability)

Links:

• KSM CLI Docs

• PyPI Package

• Docker Hub

• Docker Hub (Alpine)

• GitHub Release

Ansible Integration 1.4.0

Breaking Change Minimum supported Python version is now 3.9 (previously 3.7). Python 3.7-3.8 users should stay on v1.3.0

• KSM-811: Raised minimum Python version from 3.7 to 3.9

  • Updated keeper-secrets-manager-core dependency to >=17.2.0

  • Updated keeper-secrets-manager-helper dependency to >=1.1.0

  • Replaced importlib_metadata backport with stdlib importlib.metadata

• KSM-816: Fixed keeper_create failing when the target shared folder contains no records

• KSM-827: Fixed Tower Execution Environment Docker image missing system packages required by Ansible Automation Platform

  • Added openssh-clients, sshpass, rsync, and git to the EE image

  • Resolves [dumb-init] ssh agent: No such file or directory startup error

Links:

• Ansible Integration Docs

• PyPI Package

• Ansible Galaxy

• Docker Hub