Secrets Manager CLI

The Secrets Manager CLI provides shell access to vault secrets


The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.

Core Features:

  • Get Secrets from the Keeper Vault

  • Update Secrets from the Keeper Vault

  • Replace environmental variables with Keeper secrets in scripts and containers

The KSM CLI is different than the Commander CLI. The KSM CLI is specifically for secrets management and the Commander CLI is for general vault and administrative features.

Application and Client Device Setup

In order to use the Secrets Manager CLI, or environmental variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. This configuration can be performed in the Keeper Commander CLI.

If you haven't done this yet, please install Commander and check out the Secrets Manager commands:

Commander Installation and Setup

Secrets Manager Commands

Secrets Manager CLI Installation

To install the Keeper Secrets Manager CLI please use "pip install'. Note that Python 3 is required.

$ pip3 install keeper_sm_cli

Initialize the Client Device

The CLI is initialized by passing in the One Time Access Token when the Client Device was created. After initialization, the CLI can used to obtain secrets. In the example below, replace "XXXX" with the One Time Access Token for your Client Device.

$ ksm profile init --token=XXXX
$ ksm secret list

If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN is set.


$ KSM_TOKEN="XXXX" ksm secret list

Other environmental variables can also be set. For example, KSM_SERVER must be configured to point to the destination region if your Keeper Enterprise tenant is hosted outside of the US.

Environmental Variable Name



The one time access token used to initialize the client device


The endpoint domain, defaults to US. Either US, EU, AU, US_GOV or a full URL.


The directory where the INI config file is stored for the CLI.


The name of the INI config file for the CLI.


The active profile in the CLI.

Execution of Commands

Keeper Secrets Manager commands are run using the ksm program from the command line.

$ ksm <command> <sub-command> <options>

To get help on a particular command, run:

ksm <command> --help




Retrieve secrets from the vault


Manage local configuration profiles


Execute scripts with environmental variable substitution


Manager CLI configuration


Display the CLI version information


--ini-file </path/to/keeper.ini>

Sets the keeper.ini configuration file. If not set the CLI will check the following directories for the keeper.ini file.

  • The path defined by the environmental variable KSM_INI_DIR

  • The current directory

  • The user's home directory

    • ${HOME}

    • $env:USERPROFILE

  • Various system directories

    • /etc

    • /etc/keeper

    • $env:APPDATA/Keeper

    • $env:ProgamData/Keeper

    • $env:ProgramFiles/Keeper

-p, --profile-name <name> use specified configuration profile

-o, --output <{stdout, stderr, filename}> Sets the output destination

  • stdout - Print to standard out, the default

  • stderr - Print to standard error

  • <filename> - If neither stdout or stderr are used, the CLI will assume the value is a file name and will write all output to that file. It will create the file and overwrite it, if it exists.