Password Rotation Plugins
Rotate passwords on any remote system using Keeper Commander plugins

Password Rotation

Keeper Commander can communicate to internal and external systems for the purpose of rotating a password and synchronizing the change to your Keeper Vault. We accomplish this by associating a Keeper record with a physical system through the use of custom fields. For example, you might want to rotate your MySQL password, Active Directory password and local Administrator password automatically.

Typed Records

Typed records add simplcity to Commander rotation. Commander can scan fields and make intelligent decisions about the rotation type, and connection details. Record types such as the standard "SSH Key" or "Server" types make it easy to create records that are ready for rotation.
Each rotation plugin has slightly different requirements, select from the list of plugins on the left nested under this page to learn more.
Commander will identify the type of rotation to use automatically based on the values supplied to the record. For example a record with a PORT value of 22 will use the SSH rotation plugin by default. The rotation plugin can also be specified during rotation or with a custom record field.
Optionally, any records can use custom fields as configuration for rotation. See table below for an example of custom fields.
Not sure the difference between typed and untyped records? See the Troubleshooting section

Untyped Records

Older, non-typed records require some additional setup in order to support Commander rotation.
To support a rotation plugin, simply add a set of custom field values to the Keeper record. The custom field values tell Commander which plugin to use, and what system to communicate with when rotating the password. To modify your Keeper record to include custom fields, login to Keeper on the Web Vault or Keeper Desktop app.
Example custom fields for MySQL password rotation:
Custom Field Name
Custom Field Value
cmdr:plugin
mysql
cmdr:host
192.168.1.55
cmdr:db
testing
Typed records also support custom record fields. If an older record is converted to be typed (and the fields are unchanged) it will work with Commander rotation.
When a plugin is specified in a record, Commander will search in the plugins/ folder to load the module based on the name provided (e.g. mysql.py) then it will use the values of the Keeper record to connect, rotate the password and save the resulting data.
Check out the plugins folder for all of the available plugins. Keeper's team adds new plugins on an ongoing basis. If you need a particular plugin created, send us an email to [email protected].

Supported Plugins

Plugin
Active Directory
Amazon AWS Key
Amazon AWS Password
Azure AD Password
MS SQL
MySQL
Oracle
PostgreSQL
PsPasswd
SSH Passphrase
SSH Key
Unix Password
Windows Password

Github Location

Activating a Plugin

To activate a plugin for a particular Keeper record, you first need to update the custom fields for that record with special keywords that are used by Commander. See the specific plugin for the custom field requirements.
To perform a rotation use the rotate command.
Keeper's team is expanding the number of plugins on an ongoing basis. If you need a particular plugin created or modified, email us at [email protected].
Export as PDF
Copy link
On this page
Password Rotation
Typed Records
Untyped Records
Supported Plugins
Github Location