Quick Start Guide
This quick start guide will get you set up with Keeper Secrets Manager
Last updated
Was this helpful?
KeeperPAM and Secrets Manager
This quick start guide will get you set up with Keeper Secrets Manager
Last updated
Was this helpful?
The basic steps of setting up Secrets Manager is in the video below.
PIP version 21+ (Included in Python)
First, we need to follow a few steps to enable Secrets Manager for your Keeper account.
To activate your trial of Keeper Secrets Manager, login to the Admin Console and click on "Secrets Manager".
Create a Keeper account role that will be used by Secrets Manager users. Keeper account roles can be created in the Admin Console.
Click "Add Role" to create a new role, give it a name like "Secrets Managers".
Enable Application Access for roles in the Keeper Secrets Manager enforcement policies.
Select the Role
Open Enforcement Policies
Choose the Privileged Access Manager tab
Enable Keeper Secrets Manager policies as required
In this exercise you will setup Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.
Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
In the Keeper Web Vault or Desktop App user interface, create a Shared Folder and then add Secrets to the folder.
Create a shared folder
Click "Create New" and choose "Shared Folder"
Enter a name and click "Create" to create a new shared folder.
With the new shared folder selected, click the "Create New" button and select "Record" to create a new record inside the shared folder
In the Keeper Vault, navigate to the Secrets Manager tab to see a list of Secrets Manager applications. Then click "Create Application"
Enter a name for the new Secrets Manager Application
Next choose the shared folder(s) to share with the new Application. The Application will only have access to the records in the selected folder(s).
You can choose to give the Application Read Only or Write access to the Vault records, and choose if the first Secrets Manager Client Device should be locked to the first IP address that accesses Secrets Manager. (More on Client Devices below)
Click "Generate Access Token" to create the Application and automatically create the first Secrets Manager Client Device.
When a Secrets Manager Application is created in the Keeper Vault, a Secrets Manager Client Device is also created.
When a Client Device is created, a One-Time Access Token is generated and displayed. You will need this One-Time Access Token later in the guide. Copy or download the token to use later.
Once the Secrets Manager Application is created, more Client Devices can be created for the Application.
Secrets Manager is now setup and ready to use!
Next we'll view the secrets from the Keeper Vault shared with Secrets Manager using the Secrets Manager CLI.
When launching the CLI in Windows or macOS, via the UI, the CLI will run in a shell mode. The ksm command is still available via the command line.
The Linux binary is just an executable and should be moved to a directory in the PATH.
If you prefer to install using pip3 and Python3, use the commands below:
If pip3 is not installed on your system, make sure to install Python3. For example, using yum:
Initialize the CLI using the One-Time Access Token obtained above.
To retrieve a list of all secrets, use the ksm secret list command:
The CLI should show a list of secrets shared with the Secrets Manager Application.
Schedule time with the Secrets Manager team to discuss your use case
If preferred, Secrets Manager can be setup using Keeper's command line tool Commander instead of the Keeper Vault. Follow these steps to setup Secrets Manager using Keeper Commander.
In some cases, Commander is needed to enable Secrets Manager for a Keeper role. To do this, use the following command:
Secrets are stored as records in the Keeper Vault and are typically stored as attachments or fields in these records.
Run Keeper Commander by typing keeper shell then login with your Keeper email:
After logging in:
Create a Secret
Create a Shared Folder
Move the secret into the Shared Folder.
Example commands are shown below:
Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history.
In the example below, replace XXX with the Shared Folder UID or Record UID from your vault.
A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.
Create a client device to generate a One Time Access Token, which is used to initialize a device.
Secrets Manager is now setup and ready to use!
Secrets Manager is available for Business accounts. If you are not a Keeper customer yet, you can from our website.
You'll need the ability to install (3.6+)
(Make sure you can )
Follow the links below to access the Keeper Admin Console: US: EU: AU: CA: JP: US_GOV:
(Or open > Login > Admin Console)
Note: This screenshot is based on the new .
From here, Secrets Manager can be setup using the Keeper Vault, or Keeper Commander. The following instructions show the steps for using the Keeper Vault. For Commander CLI steps, see .
Secrets are shared to Applications as records or shared folders. Applications maintain client devices, permissions, audit trail, and history.
A Client Device is any endpoint that needs to access secrets associated with an Application. This can be a physical, virtual, or cloud-based device.
See the to create additional Client Devices and One-Time Access Token
Secrets Manager has and many which can be used to access secrets.
For this example we will use the tool (ksm) to fetch and view secrets from the Keeper Vault.
The latest binary release can be found on the . Download the installer based on your operating system and click to install, or unarchive, to use.
If the KSM profile is not initialized successfully, the One Time Access Token may have expired. Try to generate a new One-Time Access Token.
For more detailed usage information about the Secrets Manager CLI, see the page.
Congratulations! You have completed the basic setup
Learn about integrating Keeper Secrets Manager with your software using the
Learn more about the
Learn about accessing secrets from CI/CD systems with
Have questions? Contact
See the for installation instructions.
Keeper Commander can be used to perform many Secrets Manager actions. For more detailed usage information about the Secrets Manager commands see the
From this point forward, follow the to access Secrets using Secrets Manager and complete this guide.
