Quick Start Guide
This quick start guide will get you set up with Keeper Secrets Manager.

Video Overview

The basic steps of setting up Secrets Manager are shown in the video below.

Prerequisites

Keeper Business License

Secrets Manager is available for Business accounts. If you are not a Keeper customer yet, you can start a free trial from our website.

On your workstation:

Getting Started

First, we need to follow a few steps to enable Secrets Manager for your Keeper account.

Enable Secrets Manager

To activate your trial of Keeper Secrets Manager, log in to the Admin Console and click on "Secrets Manager".
(Or open KeeperSecurity.com > Login > Admin Console)
Start Free Trial

Create a Role

Create a Keeper account role that will be used by Secrets Manager users. Keeper account roles can be created in the Admin Console.
Click "Add Role" to create a new role and give it a name like "Secrets Managers".
Add a Keeper role

Enable Secrets Manager for the Role

Enable Application Access for roles in the Keeper Secrets Manager enforcement policies.
  1. Select role
  2. Open Enforcement Policies
  3. Choose Keeper Secrets Manager tab
  4. Enable Keeper Secrets Manager policy
Enable Secrets Manager on Role Policy
If you do not see "Keeper Secrets Manager" as an enforcement policy option, use the Commander method described below to enable Secrets Manager for a role.

Setup Secrets Manager

In this exercise you will set up Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.
From here, Secrets Manager can be set up using the Keeper Vault or Keeper Commander. The following instructions show the steps for using the Keeper Vault. For Commander CLI steps, see the instructions at the bottom of this page.

Create a Secret

Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
In the Keeper Web Vault or Desktop App user interface, create a Shared Folder and then add Secrets to the folder.
Create a shared folder
Click "Create New" and choose "Shared Folder"
Create New button in the Keeper vault
Create New Shared Folder that will contain secrets
Enter a name and click "Create" to create a new shared folder.
Name and create a new Shared Folder
With the new shared folder selected, click the "Create New" button and select "Record" to create a new record inside the shared folder.
Select "Record" from the create new list

Create a Secrets Manager Application

Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history. Learn more about Secrets Manager Applications
In the Keeper Vault, navigate to the Secrets Manager tab to see a list of Secrets Manager applications. Then click "Create Application"
The Secrets Manager Tab
Create new Secrets Manager Application
Enter a name for the new Secrets Manager Application
Enter a name for the Secrets Manager Application
Next choose the shared folder(s) to share with the new Application. The Application will only have access to the records in the selected folder(s).
Select the Share Folder(s) to give the Application access to
You can choose to give the Application Read Only or Write access to the Vault records, and choose if the first Secrets Manager Client Device should be locked to the first IP address that accesses Secrets Manager. (More on Client Devices below)
A completed "Add Application" form
Click "Generate Access Token" to create the Application and automatically create the first Secrets Manager Client Device.

Create a Secrets Manager Client Device

A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device. Learn more about Secrets Manager Client Devices
When a Secrets Manager Application is created in the Keeper Vault, a Secrets Manager Client Device is also created.
When a Client Device is created, a One-Time Access Token is generated and displayed. You will need this One-Time Access Token later in the guide. Copy or download the token to use later.
A One-Time Access Token is generated when a Client Device is created
The One-Time Access Token will not be shown again once the dialog is closed. New Client Devices can be created to generate more tokens.

Create Additional Client Devices (optional)

Once the Secrets Manager Application is created, more Client Devices can be created for the Application.
See the documented instructions to create additional Client Devices and One-Time Access Tokens.
Secrets Manager is now set up and ready to use!

View Secrets

Next we'll view the secrets from the Keeper Vault shared with Secrets Manager using the Secrets Manager CLI.
Secrets Manager has SDKs in various languages and many pre-built integrations which can be used to access secrets.
For this example we will use the Secrets Manager CLI tool (ksm) to fetch and view secrets from the Keeper Vault.

Install the Secrets Manager CLI

Installing using binary release

The latest binary release can be found on the GitHub repository. Download the installer based on your operating system and click to install, or unarchive, to use.
When launching the CLI in Windows or macOS, via the UI, the CLI will run in a shell mode. The ksm command is still available via the command line.
The Linux binary is just an executable and should be moved to a directory in the PATH.

Installing KSM using pip3 and Python3

If you prefer to install using pip3 and Python3, use the commands below:
sudo pip3 install --upgrade pip
sudo pip3 install keeper-secrets-manager-cli
If pip3 is not installed on your system, make sure to install Python3. For example, using yum:
sudo yum install python3

Connect Keeper Secrets Manager CLI to the Secrets Manager Application

Initialize the CLI using the One-Time Access Token obtained above.
$ ksm profile init --token PASTE_TOKEN_HERE
If the KSM profile is not initialized successfully, the One-Time Access Token may have expired. Try creating a new Client Device to generate a new One-Time Access Token.

Access Your Secrets

To retrieve a list of all secrets, use the ksm secret list command:
$ ksm secret list
The CLI should show a list of secrets shared with the Secrets Manager Application.
Example output
UID                     Record Type          Title
----------------------- -------------------- ---------------
bf3dg-99-JuhoaeswgtFxg  login                My Secret
3FXqmP5nFKwju0H8pl0DmQ  databaseCredentials  MySQL Credentials
For more detailed usage information about the Secrets Manager CLI, see the Secrets Manager CLI page.

Finishing Up

🎉
Congratulations! You have completed the basic setup

Next steps:

  • Schedule time with the Secrets Manager team to discuss your use case
  • Learn about integrating Keeper Secrets Manager with your software using the SDKs
  • Learn more about the Secrets Manager CLI
  • Learn about accessing secrets from CI/CD systems with Integrations
Have questions? Contact [email protected]

Setup Using Keeper Commander CLI

If preferred, Secrets Manager can be set up using Keeper's command line tool, Commander, instead of the Keeper Vault. Follow these steps to set up Secrets Manager using Keeper Commander.
See the Commander Documentation for installation instructions.

Enable Secrets Manager for a Role

In some cases, Commander is needed to enable Secrets Manager for a Keeper role. To do this, use the following command:
enterprise-role "Keeper Admin" --enforcement "ALLOW_SECRETS_MANAGER:True"
Replace "Keeper Admin" with the name of any role you would like to enable Secrets Manager for.

Create a Secret

Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
Run Keeper Commander by typing keeper shell, then log in with your Keeper email:
$ keeper shell
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
 vXX.X.X      |_|
 password manager & digital vault
Not logged in> login [email protected]
After logging in:
  • Create a Secret
  • Create a Shared Folder
  • Move the secret into the Shared Folder.
Example commands are shown below:
My Vault> add --login admin --pass "46$62512%Rd1" --url "192.168.1.1" -t "My Secret"
My Vault> mkdir -sf -a "DevOps Secrets"
My Vault> mv "My Secret" "DevOps Secrets"

Create a Secrets Manager Application

Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history.
In the example below, replace XXX with the Shared Folder UID or Record UID from your vault.
My Vault> secrets-manager app create MyApplication
My Vault> secrets-manager share add --app MyApplication --secret XXX
Keeper Commander can be used to perform many Secrets Manager actions. For more detailed usage information about the Secrets Manager commands see the Commands documentation

Create a Secrets Manager Client Device

A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.
Create a Client Device to generate a One-Time Access Token, which is used to initialize a device.
My Vault> secrets-manager client add --app MyApplication
Successfully generated Client Device
====================================
One-Time Access Token: US:4d8THSdmLZOeqZubMNqKWKcrgh7SyQiAQ9afVI0IL0I
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never
Do not lose this One-Time Access Token; you'll need it later!
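A pre-flight check on the "secrets-manager client add" output before the token is passed to ksm profile init, covering the expired-token failure mentioned earlier in this guide. This is an added example, not Keeper's code: it assumes the output layout shown above and a timestamp in the same time zone as the caller's clock, and the helper names parse_client_device, redact and preflight are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout shown above; the token is a placeholder.
SAMPLE_OUTPUT = """\
Successfully generated Client Device
====================================
One-Time Access Token: US:PLACEHOLDER_TOKEN_VALUE_NOT_REAL
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never
"""


def parse_client_device(output):
    """Collect the 'Label: value' lines into a dict keyed by lower-cased label."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            fields[label.strip().lower()] = value.strip()
    return fields


def redact(token):
    """Keep the prefix before the colon plus 4 characters, for logs and tickets."""
    prefix, sep, secret = token.partition(":")
    return f"{prefix}{sep}{secret[:4]}..." if sep else f"{token[:4]}..."


def preflight(output, now, min_remaining=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the token is worth trying."""
    fields = parse_client_device(output)
    findings = []
    if "one-time access token" not in fields:
        findings.append("no One-Time Access Token in output")
    try:
        # Assumption: the timestamp is in the same time zone as `now`.
        expires = datetime.strptime(fields.get("token expires on", ""), "%Y-%m-%d %H:%M:%S")
        if expires - now < min_remaining:
            findings.append(f"token expired or expires too soon ({expires})")
    except ValueError:
        findings.append("missing or unparseable 'Token Expires On'")
    if fields.get("ip lock", "").lower() != "enabled":
        findings.append("IP Lock is not enabled")
    return findings


if __name__ == "__main__":
    info = parse_client_device(SAMPLE_OUTPUT)
    print(redact(info["one-time access token"]))
    print(preflight(SAMPLE_OUTPUT, now=datetime(2021, 8, 26, 11, 30, 0)))
```

If the check reports an expired token, create a new Client Device to generate a fresh One-Time Access Token, as described above.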

Continue Quick Start Guide

Secrets Manager is now set up and ready to use!
From this point forward, follow the instructions above to access Secrets using Secrets Manager and complete this guide.