Quick Start Guide

This quick start guide will get you set up with Keeper Secrets Manager


Your Keeper Enterprise Account

  • A test Keeper Vault account. You can start a free trial from our website.

  • Secrets Manager and Record Types enabled on your account. Contact your Keeper account manager or email [email protected] to request access.

  • If you use Slack, Click Here to join the Keeper community beta Slack channel and join the #secrets-manager channel.

  • Once Secrets Manager is enabled on your account, it needs to be enabled for your role. This can be done via the commander CLI, as noted below.

On your workstation:

Getting Started

In this exercise you will setup Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.

Ensure your account and role have Secrets Manager enabled. To enable SM on the default admin role run the following command in Commander:

My Vault> er --enforcement="allow_secrets_manager:true" "Keeper Administrator"

1. Setup Secrets

With Vault UI
With Commander CLI
With Vault UI

In the Keeper Vault user interface, create a Shared Folder and Secrets.

Create a Shared Folder and Secrets

Copy the Shared Folder UID as seen in the screenshot below.

Copy the Shared Folder UID
With Commander CLI

Run Keeper Commander by typing keeper shell then login with your Keeper email:

$ keeper shell
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
vXX.X.X |_|
password manager & digital vault
Not logged in> login [email protected]

After logging in:

  • Create a Secret

  • Create a Shared Folder

  • Move the secret into the Shared Folder.

Example commands are shown below:

My Vault> add --login admin --pass "46$$62512%Rd1" --url "" -t "My Test Secret"
My Vault> mkdir -sf -a "DevOps Secrets"
My Vault> mv "My Test Secret" "DevOps Secrets"

2. Create an Application

The Commander CLI can be used to create an Application. In the example below, replace XXX with the Shared Folder UID or Record UID from your vault.

My Vault> secrets-manager app create MyApplication
My Vault> secrets-manager share add --app MyApplication --secret XXX

For more detailed usage information about the Secrets Manager commands Click Here.

3. Configure a Client Device

A Client Device can be a project, application, CI/CD pipeline or any other endpoint that is granted access to the Keeper secrets. Create a client device to generate a One Time Access Token, which is used to initialize a device.

My Vault> secrets-manager client add --app MyApplication
Successfully generated Client Device
One-Time Access Token: 4d8THSdmLZOeqZubMNqKWKcrgh7SyQiAQ9afVI0IL0I
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never

Do not lose this one time token, you'll need it later!

What Have we Done so Far?

Everything needed for a client to successfully connect has been completed. 🎉

Next we'll access your secrets using the Secrets Manager CLI. Typically this is done on another device using a SDK or plugin, but for this example we will use the CLI.

4. Access Secrets via the Client

Now that we have a One Time Access Token, the Secrets Manager CLI ksm can be used on the target machine to retrieve secrets from the Vault.

Install the Secrets Manager CLI

$ pip3 install keeper-secrets-manager-cli

You can verify that your pip version is up to date by running python -m pip3 install --upgrade pip

Initialize the CLI using your one time token

$ ksm profile init --token=PASTE_TOKEN_HERE

To retrieve a list of all secrets, use the ksm secret list command:

$ ksm secret list

Fore more detailed usage information about the Secrets Manager CLI, follow the instructions in the Secrets Manager CLI page.

🎉 Congratulations! You have completed the basic setup

Next steps:

Have questions? Contact [email protected] or use the Slack Channel.