Secrets Manager

Quick Start Guide

This quick start guide will get you set up with Keeper Secrets Manager

Video Overview

The basic steps of setting up Secrets Manager is in the video below.

Prerequisites

Keeper Business License

Secrets Manager is available for Business accounts. If you are not a Keeper customer yet, you can start a free trial from our website.

On your workstation:

Getting Started

First, we need to follow a few steps to enable Secrets Manager for your Keeper account.

Enable Secrets Manager

To activate your trial of Keeper Secrets Manager, login to the Admin Console and click on "Secrets Manager".

Follow the links below to access the Keeper Admin Console: US: https://keepersecurity.com/console EU: https://keepersecurity.eu/console AU: https://keepersecurity.com.au/console CA: https://keepersecurity.ca/console JP: https://keepersecurity.jp/console US_GOV: https://govcloud.keepersecurity.us/console

(Or open KeeperSecurity.com > Login > Admin Console)

Create a Role

Create a Keeper account role that will be used by Secrets Manager users. Keeper account roles can be created in the Admin Console.

Click "Add Role" to create a new role, give it a name like "Secrets Managers".

Enable Secrets Manager for the Role

Enable Application Access for roles in the Keeper Secrets Manager enforcement policies.

  1. Select the Role

  2. Open Enforcement Policies

  3. Choose Keeper Secrets Manager tab

  4. Enable Keeper Secrets Manager policy

Setup Secrets Manager

In this exercise you will setup Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.

From here, Secrets Manager can be setup using the Keeper Vault, or Keeper Commander. The following instructions show the steps for using the Keeper Vault. For Commander CLI steps, see the instructions at the bottom of this page.

Create a Secret

Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.

Learn more about Secrets Manager Secrets

In the Keeper Web Vault or Desktop App user interface, create a Shared Folder and then add Secrets to the folder.

Create a shared folder

Click "Create New" and choose "Shared Folder"

Enter a name and click "Create" to create a new shared folder.

With the new shared folder selected, click the "Create New" button and select "Record" to create a new record inside the shared folder

Create a Secrets Manager Application

Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history. Learn more about Secrets Manager Applications

In the Keeper Vault, navigate to the Secrets Manager tab to see a list of Secrets Manager applications. Then click "Create Application"

Enter a name for the new Secrets Manager Application

Next choose the shared folder(s) to share with the new Application. The Application will only have access to the records in the selected folder(s).

You can choose to give the Application Read Only or Write access to the Vault records, and choose if the first Secrets Manager Client Device should be locked to the first IP address that accesses Secrets Manager. (More on Client Devices below)

Click "Generate Access Token" to create the Application and automatically create the first Secrets Manager Client Device.

Create a Secrets Manager Client Device

A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device. Learn more about Secrets Manager Client Devices

When a Secrets Manager Application is created in the Keeper Vault, a Secrets Manager Client Device is also created.

When a Client Device is created, a One-Time Access Token is generated and displayed. You will need this One-Time Access Token later in the guide. Copy or download the token to use later.

The One-Time Access Token will not be shown again once the dialog is closed. New Client Devices can be created to generate more tokens.

Create Additional Client Devices (optional)

Once the Secrets Manager Application is created, more Client Devices can be created for the Application.

See the documented instructions to create additional Client Devices and One-Time Access Token

Secrets Manager is now setup and ready to use!

View Secrets

Next we'll view the secrets from the Keeper Vault shared with Secrets Manager using the Secrets Manager CLI.

Secrets Manager has SDKs in various languages and many pre-built integrations which can be used to access secrets.

For this example we will use the Secrets Manager CLI tool (ksm) to fetch and view secrets from the Keeper Vault.

Install the Secrets Manager CLI

Installing using binary release

The latest binary release can be found on the GitHub repository. Download the installer based on your operating system and click to install, or unarchive, to use.

When launching the CLI in Windows or macOS, via the UI, the CLI will run in a shell mode. The ksm command is still available via the command line.

The Linux binary is just an executable and should be moved to a directory in the PATH.

Installing KSM using pip3 and Python3

If you prefer to install using pip3 and Python3, use the commands below:

sudo pip3 install --upgrade pip
sudo pip3 install keeper-secrets-manager-cli

If pip3 is not installed on your system, make sure to install Python3. For example, using yum:

sudo yum install python3

Connect Keeper Secrets Manager CLI to the Secrets Manager Application

Initialize the CLI using the One-Time Access Token obtained above.

$ ksm profile init --token PASTE_TOKEN_HERE

If the KSM profile is not initialized successfully, the One Time Access Token may have expired. Try creating a new Client Device to generate a new One-Time Access Token.

Access Your Secrets

To retrieve a list of all secrets, use the ksm secret list command:

$ ksm secret list

The CLI should show a list of secrets shared with the Secrets Manager Application.

Example output
 UID                     Record Type          Title
 ----------------------- -------------------- ---------------
 bf3dg-99-JuhoaeswgtFxg  login                My Secret
 3FXqmP5nFKwju0H8pl0DmQ  databaseCredentials  MySQL Credentials

For more detailed usage information about the Secrets Manager CLI, see the Secrets Manager CLI page.

Finishing Up

🎉 Congratulations! You have completed the basic setup

Next steps:

  • Schedule time with the Secrets Manager team to discuss your use case

  • Learn about integrating Keeper Secrets Manager with your software using the SDKs

  • Learn more about the Secrets Manager CLI

  • Learn about accessing secrets from CI/CD systems with Integrations

Have questions? Contact sm@keepersecurity.com

Setup Using Keeper Commander CLI

If preferred, Secrets Manager can be setup using Keeper's command line tool Commander instead of the Keeper Vault. Follow these steps to setup Secrets Manager using Keeper Commander.

See the Commander Documentation for installation instructions.

Enable Secrets Manager for a Role

In some cases, Commander is needed to enable Secrets Manager for a Keeper role. To do this, use the following command:

enterprise-role "Keeper Admin" --enforcement "ALLOW_SECRETS_MANAGER:True"

Replace "Keeper Admin" with the name of any role you would like to enable secrets manager for.

Create a Secret

Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.

Learn more about Secrets Manager Secrets

Run Keeper Commander by typing keeper shell then login with your Keeper email:

$ keeper shell
  _  __  
 | |/ /___ ___ _ __  ___ _ _ 
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
 vXX.X.X      |_|

 password manager & digital vault

Not logged in> login me@company.com

After logging in:

  • Create a Secret

  • Create a Shared Folder

  • Move the secret into the Shared Folder.

Example commands are shown below:

My Vault> add --login admin --pass "46$$62512%Rd1" --url "192.168.1.1" -t "My Secret"
My Vault> mkdir -sf -a "DevOps Secrets"
My Vault> mv "My Secret" "DevOps Secrets"

Create a Secrets Manager Application

Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history.

Learn more about Secrets Manager Applications

In the example below, replace XXX with the Shared Folder UID or Record UID from your vault.

My Vault> secrets-manager app create MyApplication
My Vault> secrets-manager share add --app MyApplication --secret XXX

Keeper Commander can be used to perform many Secrets Manager actions. For more detailed usage information about the Secrets Manager commands see the Commands documentation

Create a Secrets Manager Client Device

A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.

Learn more about Secrets Manager Client Devices

Create a client device to generate a One Time Access Token, which is used to initialize a device.

My Vault> secrets-manager client add --app MyApplication

Successfully generated Client Device
====================================

One-Time Access Token: US:4d8THSdmLZOeqZubMNqKWKcrgh7SyQiAQ9afVI0IL0I
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never

Continue Quick Start Guide

Secrets Manager is now setup and ready to use!

From this point forward, follow the instructions above to access Secrets using Secrets Manager and complete this guide.

PreviousOverviewNextAbout KSM

Last updated