# LastPass Data Import

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FisBbJe3YNOoyNvSgF0XD%2FImport-Keeper-LastPass.jpg?alt=media&#x26;token=bf14ebf6-7463-4582-a1d7-a811f98d2e39" alt=""><figcaption></figcaption></figure>

## Overview

This document outlines the process for automatically and seamlessly migrating LastPass data into Keeper. Keeper supports automatic import of your LastPass vault with Master Password and MFA. Keeper also supports federated logins to LastPass from Okta/Azure/Google, and this is explained in detail below.

LastPass > Keeper Transfer Supported Data:

* Transfer of Passwords
* Transfer of Folders
* Transfer of Shared Folders
* Transfer of Shared Folder permissions (users and teams)
* Transfer of custom fields, TOTP seeds
* Transfer of File Attachments

{% embed url="<https://vimeo.com/813686261>" %}

## Summary of Steps

The steps we recommend for importing an entire organization from LastPass to Keeper are the following:

1. Admin **downloads the membership** of the Shared Folders data to a JSON file
2. Admin **imports** their shared folders and non-shared passwords
3. Admin **applies** shared folder membership (includes permissions) for users who already exist in Keeper
4. End-users migrate their vaults over using the Keeper Desktop application.
5. Admins continue to periodically **apply membership** as more users join Keeper

{% hint style="info" %}
Note: Federated logins with SSO from Okta/Azure/Google are supported from the Keeper Desktop Application for the end-users to transfer their vaults. Keeper Commander CLI is used by the administrator and does not support federated login. Please use a LastPass admin account with a Master Password login for performing steps 1-3.
{% endhint %}

## Step 1. Download Team and Shared Folder Membership

In Keeper Commander, the Keeper/LastPass Administrator will run the following:

```
download-membership --source=lastpass
```

This will perform the following 3 functions:

* Download all Shared Folder information
* Download Shared Folder permissions

This step downloads a file locally called "`shared_folder_membership.json`" which contains the shared folder structure. The location of this file on Windows is typically `C:\Users\username\shared_folder_membership.json`. On Linux/Mac, it will be in the location where you run Commander.

The `download-membership` command produces a local file containing the share relationships. You can edit this file in a text editor and make any permission changes needed before proceeding to the next step.
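A review pass over the membership file before Step 3, as an added example (not Keeper's code): it lists every grant of "manage users" or "manage records" to a user or team that is not on an approved list. The JSON field names (`shared_folders`, `path`, `permissions`, `name`, `manage_users`, `manage_records`) are assumptions about the file layout and the sample data is constructed; adjust them to match your own file.

```python
import json

# Constructed sample. The field names are an assumed layout, not taken from the page.
SAMPLE = """
{
  "shared_folders": [
    {"path": "Finance",
     "permissions": [
       {"name": "alice@example.com", "manage_users": true, "manage_records": true},
       {"name": "bob@example.com", "manage_users": false, "manage_records": true}
     ]},
    {"path": "IT/Servers",
     "permissions": [
       {"name": "Contractors", "manage_users": true, "manage_records": false}
     ]}
  ]
}
"""

RIGHTS = ("manage_users", "manage_records")


def elevated_grants(membership, approved_managers):
    """Return (folder path, grantee, rights) for each elevated grant
    held by a user or team that is not in approved_managers."""
    approved = {name.lower() for name in approved_managers}
    findings = []
    for folder in membership.get("shared_folders", []):
        for perm in folder.get("permissions", []):
            name = perm.get("name", "")
            rights = [r for r in RIGHTS if perm.get(r) is True]
            if rights and name.lower() not in approved:
                findings.append((folder.get("path", "?"), name, rights))
    return findings


def load_membership(path="shared_folder_membership.json"):
    """Load the file written by download-membership in Step 1."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for folder, name, rights in elevated_grants(json.loads(SAMPLE), ["alice@example.com"]):
        print(f"{folder}: {name} -> {', '.join(rights)}")
```
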

## Step 2. Import Shared Folders

In Keeper Commander, the Admin will run the following command to perform the import of shared folders and data.

```
import --format=lastpass lastpass@example.com
```

The first time the import command is run, you may get the following notice that LastPass wants to verify the device from which you are connecting.

```
Try again OR look for an email from LastPass to verify it's you.
```

Check the email address associated with your LastPass account and click "verify" to allow Keeper to access the records in your LastPass account.

{% hint style="info" %}
The `import` command will migrate and populate regular folders, shared folders and records within the folders. This will NOT import the private folders of *other* users within LastPass. This step will only import the information available to the admin.

End-users will migrate their private LastPass data by using the Keeper Desktop automated import method. See [this page](https://docs.keeper.io/user-guides/import-records-1/import-from-lastpass) for the end-user documentation.
{% endhint %}

### Record Type Mapping

Typed LastPass items are automatically imported as Keeper records with corresponding record types if your Enterprise environment has Record Types activated.

See the LastPass Item Type and corresponding Keeper Record Type in the table below.

| LastPass Item Type | Keeper Record Type   |
| ------------------ | -------------------- |
| Bank Account       | Bank Account         |
| Credit Card        | Bank Card            |
| Address            | Address              |
| Driver's License   | Driver's License     |
| Passport           | Passport             |
| Social Security    | SSN Card             |
| Health Insurance   | Health Insurance     |
| Insurance          | Health Insurance     |
| Membership         | Membership           |
| Email Account      | Login                |
| Instant Messenger  | Login                |
| Database           | Database Credentials |
| Server             | Server Credentials   |
| SSH Key            | SSH Keys             |
| Software License   | Software License     |

{% hint style="info" %}
See [Record Types](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/record-types) for more information about Keeper Record Types.
{% endhint %}

### Share Permissions

If a folder is shared with another user or team in LastPass, the import will apply the same sharing permissions to Keeper teams with the same name, and Keeper users with the same email address.

Shared folder permissions can be applied or re-applied if a new Keeper user or team is added after the initial import.

## Step 3. Apply Shared Folder and Team Memberships

To assign Share Permissions to your imported passwords from LastPass, use the `apply-membership` command:

```
apply-membership
```

This will read the file called "`shared_folder_membership.json`" from Step 1 and apply the shared folder permissions for any users and teams that exist in the Keeper enterprise environment. This command is safe to run over and over again, and it will not generate duplicates.

**Explanation:** A user's public key is created when the user is invited/created through SSO or your invitation process. Keeper needs that public key to share a folder with the user, so it cannot apply membership until the user exists.

For this reason, the Keeper Admin needs to run the "apply-membership" command on a daily basis, hourly, or on demand, when users are created in Keeper.

{% hint style="info" %}
If you would like to be notified as soon as users migrate to Keeper, use the Advanced Reporting & Alerts module in the Keeper Admin Console to set up an Alert when a user has been created.
{% endhint %}

## Step 4. End-Users migrate with Keeper Desktop

The Keeper Admin will invite users through one of the following methods:

* Just-in-time provisioning through SSO login
* Invite through the Admin Console
* SCIM

When the user registers to create their vault, they will generate a public/private key pair. At this point, they will be able to receive shared folders, as outlined in the next step.

For transferring the user's LastPass private folders and records, we recommend directing the user to install the Keeper Desktop application.

Here's the link to the public / latest version:

{% embed url="<https://keepersecurity.com/download>" %}

To automatically deploy Keeper Desktop to your users through group policy, see:

{% embed url="<https://docs.keeper.io/enterprise-guide/deploying-keeper-to-end-users/desktop-application>" %}

## Receiving Shared Folders

Once users create their Keeper vaults, they can then be added to a team and/or a folder. The next time that the Admin runs the `apply-membership` command, any new Keeper users will receive access to their Shared Folders.

{% hint style="info" %}
You can run `apply-membership` repeatedly as more users are onboarded to Keeper. It will apply the memberships to users that exist in Keeper.
{% endhint %}

Due to the number of steps, we recommend performing a pilot test with a few users before rolling out to the entire organization.

If you have any questions, please contact your Keeper sales engineer or email <commander@keepersecurity.com>.

## Advanced Features

### Transforming Email Domains for Sharing

If your LastPass email domain has changed and you would like to transition to a new email domain when transferring share permissions, you can use the `--old-domain` and `--new-domain` optional parameters. Example below:

{% code title="Example" overflow="wrap" %}

```bash
download-membership --source=lastpass --old-domain=acme-old.com --new-domain=acme-demo.com lastpass@example.com
```

{% endcode %}

### Override Imported Shared Folder Permissions

The LastPass `download-membership` applies the shared folder permissions from LastPass users to your Keeper shared folders, but the permission settings can be overridden during membership download.

To override the "manage records" and "manage users" permissions for all users on all imported shared folders, use the `--permissions` or `--restrictions` options.

`--permissions` allows the permission(s) for all users on all imported shared folders.

`--restrictions` denies the permission(s) for all users on all imported shared folders.

To set "manage records", pass `r`; for "manage users", pass `u`; for both, use `ru`.

```
// override enable manage records permission
download-membership --source=lastpass --permissions=r

// override disable manage users permission
download-membership --source=lastpass --restrictions=u

// override enable manage records and manage users permissions
download-membership --source=lastpass --permissions=ru
```

### Import Top Level Folders as Shared Folders

You can optionally make all top level folders shared folders with specified permissions by passing the `--shared` and `--permissions=<PERMISSIONS>` flags.

The available permissions options are:

* U - manage users permission granted
* R - manage records permission granted
* E - edit records permission granted
* S - share permission granted
* A - all permissions granted
* N - no permissions granted

Use the letters corresponding to the permissions you want to grant with no spaces or characters in between.

{% code title="Example" %}

```bash
import --format=lastpass --shared --permissions=URES lastpass@example.com 
```

{% endcode %}

### Attachment Files Cache

Attachment files can be cached during import so that they do not have to be redownloaded if another import is performed.

To run the import with a file cache, add the `--file-cache <DIR>` flag. Specify a directory to use as the cache.

To use the cache on a subsequent import, apply the `--file-cache` flag with the same directory.

{% code title="Example" %}

```
import --format=lastpass --file-cache tmpDir
```

{% endcode %}

{% hint style="info" %}
Cached attachment files are encrypted.
{% endhint %}

### Record Size Limit

Keeper records have a size limit of 5MB (excluding attachments). If a record from LastPass is larger than this limit, fields will be converted to a text file, starting with the largest field, until the record is smaller than the limit.

Created attachments are named in the following format:

`<title of field>_<type of field>_field.txt`

For example, a "notes" field titled "Instructions" would be converted to an attachment titled:

`Instructions_notes_field.txt`
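The rule above as a short sketch, added here as an illustration and not taken from Keeper's importer: fields are moved to text attachments, largest first, until the record is under the limit. It assumes record size is the sum of the UTF-8 lengths of the field values and that 5MB means 5 × 1024 × 1024 bytes; the field dictionaries and function names are hypothetical.

```python
LIMIT_BYTES = 5 * 1024 * 1024  # 5MB record limit from the page (binary MB is an assumption)


def field_size(field):
    """Size of one field, assumed here to be the UTF-8 length of its value."""
    return len(field["value"].encode("utf-8"))


def offload_large_fields(fields, limit=LIMIT_BYTES):
    """Move fields to text attachments, largest first, until the record
    is smaller than the limit.

    fields: list of dicts with 'title', 'type' and 'value' (hypothetical shape).
    Returns (kept_fields, attachments); attachments is a list of
    (file_name, text) pairs, so two fields that produce the same name are both kept.
    """
    kept = list(fields)
    attachments = []
    while kept and sum(field_size(f) for f in kept) >= limit:
        largest = max(kept, key=field_size)
        kept.remove(largest)
        # Naming format from the page: <title of field>_<type of field>_field.txt
        name = f"{largest['title']}_{largest['type']}_field.txt"
        attachments.append((name, largest["value"]))
    return kept, attachments


if __name__ == "__main__":
    # Constructed record, checked against a small limit so the demo stays readable.
    record = [
        {"title": "Instructions", "type": "notes", "value": "a" * 4000},
        {"title": "Password", "type": "password", "value": "b" * 20},
        {"title": "Runbook", "type": "text", "value": "c" * 3000},
    ]
    kept, files = offload_large_fields(record, limit=5000)
    print([f["title"] for f in kept], [name for name, _ in files])
```
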

### Import to a Specified Folder

The contents of your LastPass vault can be imported into a specified folder in your Keeper vault. To do this, use the `--folder` option.

{% code title="Example" %}

```
import --format lastpass --folder="A Keeper Folder" lastpass@example.com
```

{% endcode %}

### Import from a Specified LastPass Folder

You can limit the import of your LastPass vault to a specific folder in LastPass by using the `--filter-folder` option. This filters the data from LastPass to ONLY the specific folder on the LastPass side.

{% code title="Example" overflow="wrap" %}

```
import --format lastpass --filter-folder="Some Folder In LastPass" lastpass@example.com
```

{% endcode %}

### Locating Duplicates

If you believe there may be duplicate records in your vault after import, you can use the `find-duplicate` feature in Commander to locate them.

For example, to locate duplicates based on title, login, and password:

```
find-duplicate --title --login --password
```

From the output of this report, you can gather a list of record UIDs to delete with the "`rm`" command.

### Changing Record Permissions

By default, records are imported into Shared Folders with "Can View" permission. This means that the record is only editable by the owner of the record, and any [share admins](https://docs.keeper.io/enterprise-guide/sharing/share-admin) that have been added to the folder.

To change the permissions of records inside a shared folder (after the import is complete), you can use the [record-permission](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/sharing/record-and-file-sharing#user-permissions) command. For example:

```
record-permission -a grant --can-edit --recursive <folder name or UID>
```
