Setup Instructions

Quick start guide for setting up and using Keeper Secrets Manager

Keeper Secrets Manager is currently in beta. Please contact your Keeper account manager or join the Slack channel to join the beta.

1. Join the Keeper Slack Channel

If you use Slack, click here to join the Keeper Beta Slack channel. There is a #secrets-manager channel for discussing this platform. Please note that the Keeper team will need to activate Secrets Manager and Record Types on your Keeper Enterprise account.

2. Create a Keeper Enterprise Trial

If you are not yet a Keeper Enterprise or Keeper MSP customer, you can start a free trial from our website.

Start your Keeper Trial

3. Install the Keeper Commander CLI

Install the Keeper Commander CLI binary from the GitHub repo: https://github.com/Keeper-Security/Commander/releases

Or, click here for instructions on installing Commander in developer mode.

4. Request Early Access

Please contact the Keeper Team on Slack or email to activate Secrets Manager. The rest of the instructions will not work until you contact the Keeper team and we activate these feature flags on your account.

5. Create Test Folder and Secret

Run the Commander CLI by either running the installed binary version or typing keeper shell from the terminal or command prompt.

From the Commander CLI, create a secret, create a Shared Folder, then move the secret into the Shared Folder. Example commands are below:

$ keeper shell
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
v4.85 |_|
password manager & digital vault
My Vault> add --login admin --pass "46$$62512%Rd1" --url "192.168.1.1" -t "My Test Secret"
My Vault> mkdir -sf -a "DevOps Secrets"
My Vault> mv "My Test Secret" "DevOps Secrets"

Alternatively, you can use the Keeper Vault user interface to create the Shared Folder and Secret.

Create a Shared Folder and Secrets

If you are using the Keeper Vault user interface, copy the Shared Folder UID as seen in the screenshot below.

Copy the Shared Folder UID

6. Create a Secrets Manager Application and Client Device

To connect a device to the Secrets Manager, an Application and Client Device are required. In the Secrets Manager architecture, an Application can be linked to any number of Shared Folders or Secrets. A Client Device represents an endpoint that will be requesting access to the vault. An Application is made up of one or more Client Devices.

The Keeper Commander CLI can be used to create an Application and Client Devices. Soon, this will also be possible within the Vault user interface.

In the example below, replace gWHvvWy5J0WluIFJzj42NQ with the Shared Folder UID or Record UID from your vault.

My Vault> ksm-app-create MyApplication
My Vault> ksm-app-share --app MyApplication --secret gWHvvWy5J0WluIFJzj42NQ
My Vault> ksm-app-add-client --lock-ip true MyApplication
---------------------------------------------------------------------------
One Time Access Token: e8YUc8-qKs2QxH8LdUT_h22T9VAxZNXcdnp-SLvs0EZ
---------------------------------------------------------------------------

The ksm-app-add-client command will generate a Client Device and return a One Time Access Token when executed. Every time you execute ksm-app-add-client it will generate another token for a client. We recommend that each endpoint that connects to the vault uses a different token, so that it is tracked as a unique Client Device.

This token is used when the client device or SDK authenticates to the Keeper Vault for the first time. This one-time token is not used in subsequent authentications.

For more detailed usage information about the Secrets Manager commands, click here.

7. Pull Secrets with the Secrets Manager CLI ("ksm")

Now that we have a One Time Access Token, the Secrets Manager CLI ("ksm") can be used on the target machine to pull secrets from the vault. Secrets Manager CLI has several features including:

  • Getting records from the Keeper Vault

  • Updating records in the Keeper Vault

  • Substituting environment variables with Keeper secrets in scripts and containers

To install the Keeper Secrets Manager CLI, use "pip install".

$ pip3 install keeper_sm_cli

We need to initialize the device using the One Time Access Token from Step 6:

$ ksm profile init --token=e8YUc8-qKs2QxH8LdUT_h22T9VAxZNXcdnp-SLvs0EZ

To display the secrets, use the command below:

$ ksm secret list

For more detailed usage information about the Secrets Manager CLI, follow the instructions in the Secrets Manager CLI page.
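The enrollment in step 7 can be scripted so that the One Time Access Token is read from a protected file and removed once it has been used. The script below is an added example, not part of Keeper's documentation or tooling; it uses only the `ksm profile init --token=` and `ksm secret list` commands shown above, and the function name `enroll_client`, the token file and its permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Keeper's code): enroll this machine as one Client Device.
# Assumes `ksm` from step 7 is on PATH. The token file, its permission check and
# the name enroll_client are conventions of this example, not ksm features.

# enroll_client TOKEN_FILE
# Returns 0 on success, 2 for an unusable token file, 3 if init fails,
# 4 if the follow-up listing fails.
enroll_client() {
    token_file=$1

    # The file must exist and be non-empty.
    [ -s "$token_file" ] || { echo "token file missing or empty" >&2; return 2; }

    # Characters 5-10 of the mode string are the group/other bits; all must be off.
    perms=$(ls -ld -- "$token_file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "token file is group/world accessible" >&2; return 2; }

    # Take the first line only and strip stray whitespace or CR characters.
    token=$(head -n 1 < "$token_file" | tr -d '[:space:]')
    [ -n "$token" ] || { echo "token file has no token on line 1" >&2; return 2; }

    # Step 7: initialize this device using the One Time Access Token.
    if ! ksm profile init --token="$token"; then
        unset token
        # The file is kept on failure so the operator can retry or inspect it.
        echo "init failed; retry, or issue a new token with ksm-app-add-client" >&2
        return 3
    fi
    unset token

    # The token is not used for later authentications, so do not keep a copy.
    rm -f -- "$token_file"

    # Confirm the device can read what was shared with the Application in step 6.
    ksm secret list || { echo "enrolled, but listing secrets failed" >&2; return 4; }
}

# Usage: sh enroll.sh /path/to/token-file
if [ "$#" -eq 1 ]; then
    enroll_client "$1"
fi
```

Generate a separate token with ksm-app-add-client for each machine the script runs on, so that each one is tracked as its own Client Device.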

🎉 Congratulations! You have completed the basic setup

Next steps:

Have questions? Contact [email protected] or use the Slack Channel.