Comment on page
Quick Start Guide
This quick start guide will get you set up with Keeper Secrets Manager
The basic steps of setting up Secrets Manager is in the video below.
Secrets Manager is available for Business accounts. If you are not a Keeper customer yet, you can start a free trial from our website.
- PIP version 21+ (Included in Python)
First, we need to follow a few steps to enable Secrets Manager for your Keeper account.
To activate your trial of Keeper Secrets Manager, login to the Admin Console and click on "Secrets Manager".
Follow the links below to access the Keeper Admin Console:
US: https://keepersecurity.com/console
EU: https://keepersecurity.eu/console
AU: https://keepersecurity.com.au/console
CA: https://keepersecurity.ca/console
JP: https://keepersecurity.jp/console
US_GOV: https://govcloud.keepersecurity.us/console
Start Free Trial
Create a Keeper account role that will be used by Secrets Manager users. Keeper account roles can be created in the Admin Console.
Click "Add Role" to create a new role, give it a name like "Secrets Managers".
Add a Keeper role
Enable Application Access for roles in the Keeper Secrets Manager enforcement policies.
- 1.Select the Role
- 2.Open Enforcement Policies
- 3.Choose Keeper Secrets Manager tab
- 4.Enable Keeper Secrets Manager policy
Enable Secrets Manager on Role Policy
In this exercise you will setup Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.
From here, Secrets Manager can be setup using the Keeper Vault, or Keeper Commander. The following instructions show the steps for using the Keeper Vault. For Commander CLI steps, see the instructions at the bottom of this page.
Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
In the Keeper Web Vault or Desktop App user interface, create a Shared Folder and then add Secrets to the folder.
Create a shared folder
Click "Create New" and choose "Shared Folder"
Create New button in the Keeper vault
Create New Shared Folder that will contain secrets
Enter a name and click "Create" to create a new shared folder.
Name and create a new Shared Folder
With the new shared folder selected, click the "Create New" button and select "Record" to create a new record inside the shared folder
Select "Record" from the create new list
Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history. Learn more about Secrets Manager Applications
In the Keeper Vault, navigate to the Secrets Manager tab to see a list of Secrets Manager applications. Then click "Create Application"
The Secrets Manager Tab
Create new Secrets Manager Application
Enter a name for the new Secrets Manager Application
Enter a name for the Secrets Manager Application
Next choose the shared folder(s) to share with the new Application. The Application will only have access to the records in the selected folder(s).
Select the Share Folder(s) to give the Application access to
You can choose to give the Application Read Only or Write access to the Vault records, and choose if the first Secrets Manager Client Device should be locked to the first IP address that accesses Secrets Manager. (More on Client Devices below)
A completed "Add Application" form
Click "Generate Access Token" to create the Application and automatically create the first Secrets Manager Client Device.
A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device. Learn more about Secrets Manager Client Devices
When a Secrets Manager Application is created in the Keeper Vault, a Secrets Manager Client Device is also created.
When a Client Device is created, a One-Time Access Token is generated and displayed. You will need this One-Time Access Token later in the guide. Copy or download the token to use later.
A One-Time Access Token is generated when a Client Device is created
The One-Time Access Token will not be shown again once the dialog is closed. New Client Devices can be created to generate more tokens.
Once the Secrets Manager Application is created, more Client Devices can be created for the Application.
Secrets Manager is now setup and ready to use!
Next we'll view the secrets from the Keeper Vault shared with Secrets Manager using the Secrets Manager CLI.
Secrets Manager has SDKs in various languages and many pre-built integrations which can be used to access secrets.
For this example we will use the Secrets Manager CLI tool (
ksm) to fetch and view secrets from the Keeper Vault.The latest binary release can be found on the GitHub repository. Download the installer based on your operating system and click to install, or unarchive, to use.
When launching the CLI in Windows or macOS, via the UI, the CLI will run in a shell mode. The
ksm command is still available via the command line.The Linux binary is just an executable and should be moved to a directory in the PATH.
If you prefer to install using pip3 and Python3, use the commands below:
sudo pip3 install --upgrade pip
sudo pip3 install keeper-secrets-manager-cli
If pip3 is not installed on your system, make sure to install Python3. For example, using yum:
sudo yum install python3
Initialize the CLI using the One-Time Access Token obtained above.
$ ksm profile init --token PASTE_TOKEN_HERE
If the KSM profile is not initialized successfully, the One Time Access Token may have expired. Try creating a new Client Device to generate a new One-Time Access Token.
To retrieve a list of all secrets, use the
ksm secret list command:$ ksm secret list
The CLI should show a list of secrets shared with the Secrets Manager Application.
Example output
UID Record Type Title
----------------------- -------------------- ---------------
bf3dg-99-JuhoaeswgtFxg login My Secret
3FXqmP5nFKwju0H8pl0DmQ databaseCredentials MySQL Credentials
For more detailed usage information about the Secrets Manager CLI, see the Secrets Manager CLI page.
Congratulations! You have completed the basic setup
🎉
- Schedule time with the Secrets Manager team to discuss your use case
If preferred, Secrets Manager can be setup using Keeper's command line tool Commander instead of the Keeper Vault. Follow these steps to setup Secrets Manager using Keeper Commander.
In some cases, Commander is needed to enable Secrets Manager for a Keeper role. To do this, use the following command:
enterprise-role "Keeper Admin" --enforcement "ALLOW_SECRETS_MANAGER:True"
Replace "Keeper Admin" with the name of any role you would like to enable secrets manager for.
Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
Run Keeper Commander by typing
keeper shell then login with your Keeper email:$ keeper shell
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
vXX.X.X |_|
password manager & digital vault
Not logged in> login [email protected]
After logging in:
- Create a Secret
- Create a Shared Folder
- Move the secret into the Shared Folder.
Example commands are shown below:
My Vault> add --login admin --pass "46$$62512%Rd1" --url "192.168.1.1" -t "My Secret"
My Vault> mkdir -sf -a "DevOps Secrets"
My Vault> mv "My Secret" "DevOps Secrets"
Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history.
In the example below, replace
XXX with the Shared Folder UID or Record UID from your vault.My Vault> secrets-manager app create MyApplication
My Vault> secrets-manager share add --app MyApplication --secret XXX
Keeper Commander can be used to perform many Secrets Manager actions. For more detailed usage information about the Secrets Manager commands see the Commands documentation
A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.
Create a client device to generate a One Time Access Token, which is used to initialize a device.
My Vault> secrets-manager client add --app MyApplication
Successfully generated Client Device
====================================
One-Time Access Token: US:4d8THSdmLZOeqZubMNqKWKcrgh7SyQiAQ9afVI0IL0I
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never
Secrets Manager is now setup and ready to use!
From this point forward, follow the instructions above to access Secrets using Secrets Manager and complete this guide.
Last modified 4mo ago