User Guide

Overview

We're excited you have chosen Keeper to protect your business. This guide will provide valuable information on how to quickly onboard your employees and use the powerful features of the Keeper Enterprise platform.


Resources

To help the decision making process in adopting Keeper Enterprise, several resources are provided for your executive and IT management team.


Why Choose Keeper Enterprise?

Keeper Enterprise provides the highest levels of security while at the same time providing a simple user experience - with over 14 million users worldwide, Keeper is the proven industry leader.

Passwords are the single greatest cause of a data breach. 81% of data breaches are due to weak or stolen passwords. Password management solutions provide an affordable and simple way for companies to solve the root cause of most data breaches. By helping businesses to generate strong passwords, manage them and securely share them among teams, they reduce the risk of data breach significantly.

Zero-Knowledge Security Architecture

Keeper's architecture is the most secure in the industry. Built from the ground up with record-level encryption and client-side key generation, the foundation of Keeper Enterprise is built upon a model that provides least privileged access. This foundation is what gives Keeper the ability to apply the most granular level of protection to user data and enables the core features and capabilities of the product. Users, Roles, Teams, Records and Shared Folders are all protected and managed through the use of client-side generated keys.

To learn more about Keeper's security architecture, visit this page.

Fills Critical Gaps in Single Sign-On

SSO and SAML simplify login to many cloud applications; however, they have their limitations. Keeper (with Keeper SSO Connect) fills the two major gaps in your SSO deployment:

  • Offering privileged access to applications that don’t support SAML protocols.
  • Enabling non-password use cases, such as management and sharing of digital certificates, SSH keys, API keys, secret notes, lists, files and more.

With Keeper SSO Connect, you can easily add Keeper to the apps that your IdP services. Whether you use AWS, Okta, Centrify, Ping, Jumpcloud or any other SAML 2.0 Identity Provider, Keeper will easily integrate. Keeper SSO Connect logs the user directly into their encrypted vault while maintaining true zero knowledge.

Keeper SSO Connect is essentially an on-prem hosted high availability solution that the customer hosts and manages. This architecture preserves zero knowledge and allows the end-user to authenticate directly into their vault.

Role-Based Access Controls

The ability to provide "least privilege access" to an employee is critical in the deployment of an Enterprise Password Manager. Keeper gives fine-grained control over what users are capable of accessing and managing within the platform through the use of customizable role policies. By providing a flexible role policy engine, you can lock down restrictions and access based on the risk profile of the employee. For example, you may want your IT Admins to be restricted from accessing their vault outside of the office network. Or you may want to give administrative assistants the ability to onboard new users, manage teams and run reports. The entire process is fully customizable through a user friendly interface.

Role Enforcements Include:

  • Password Complexity Rules and Biometrics
  • Multi-Factor Authentication, Token Expiration and Device Restriction
  • IP Whitelisting, Sharing and Data Export Restrictions
  • Account Transfers (Employee offboarding and break-glass scenarios)
  • Administrative Permissions

Delegated Administration

Keeper Administrators can create organizational units (called "Nodes"). A role can be given Administrative permissions over the node (or sub-nodes) in which that role exists. This delegated administration allows different people in the organization to have management control over their own subset of users, teams, roles and shared folders.

Eliminate the Risk of Critical Data Loss

Keeper's Zero Knowledge "Account Transfer" capabilities provide Enterprise customers with the peace of mind that an employee will never walk away with critical data when they leave the organization.

Access from Any Platform or Device

Keeper is a cross-platform solution that provides full capabilities from every major platform and device including iOS, Android, Windows, Mac and Linux. Browser plugins are compatible with Chrome, Firefox, Edge, Safari and Internet Explorer.

Increase Productivity Gains

There's a significant productivity gain by rolling out a password manager since 50% of help desk calls are estimated to be password related. When employees don't need to worry about remembering passwords, the cost savings are massive.

Meet Compliance Needs

Compliance is becoming even more complex with requirements mandating internal control policies and standards. An enterprise password management product solves many of the pain points in enforcing complex passwords and safeguarding of data that is protected by these passwords.

Keeper is SOC 2 Compliant, GDPR Compliant, GSA Certified, SAM Certified and TRUSTe Certified.


Implementation Overview

For the most successful rollout of Keeper Enterprise, we recommend following the below steps:

  1. Inform your POC users, stakeholders, DevOps and IT Admin teams that you'll be adopting Keeper as your password management solution. Let users know that Keeper is secure, easy to use and will help everyone in the long run by protecting, generating and storing strong passwords and confidential information in their vault.
  2. Create a Keeper Enterprise Trial from our website or by contacting the sales team. Be sure to allocate the total number of users you expect to onboard.
  3. Create your Keeper Admin account and log in to the Keeper Admin Console by following the instructions sent via email from the trial registration form.
  4. Schedule a demo/training session with our Business Support team by contacting your sales representative or emailing business.support@keepersecurity.com.
  5. Onboard your users using one of the methods described in the "User Provisioning & Onboarding" section below.

This Keeper Enterprise manual is a high level overview of our technology and implementation steps. A detailed and technical step-by-step setup guide for Keeper administrators can be found in our Keeper Admin Guide. End-user documentation is available in our Keeper Enterprise End-User Guide.


User Provisioning & Onboarding

User provisioning is simple and easy with Keeper Enterprise. There are several methods to choose from based on your needs, the location of your user directory and the complexity of your organization's structure.

Customized Email Invitations

Before you invite users to your Keeper account, you may want to customize the vault logo and email invitation message that they receive.

  • To customize the email language, subject and logo, click on "Advanced Configuration" then "Edit" under "Email Invitations".
  • You can also customize the logo which appears on the upper left corner of the screen when users are logged into their vault. Click on "Advanced Configuration" then "Edit" under "Add Company Logo".

Manual User Creation

For organizations who do not require any advanced directory integration or SSO, manual user creation can be performed at any time from within the Keeper Admin Console.

  1. Log in to the Admin Console
  2. Click on (+) Add User
  3. Type in the Name and Email of the user

Bulk User Import

You can optionally import all of your user accounts via a flat file (.csv).

  1. Log in to the Admin Console
  2. Click on (+) Add User
  3. Drag and drop a CSV file with 3 columns: Name, Email and Role.

Syncing Active Directory or LDAP

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an Active Directory or LDAP service. To activate and install the Keeper Bridge, follow the below steps:

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration
  2. Create a Node to sync with your Active Directory
  3. Visit the "Bridge/SSO" or "Provisioning" tab to download the Bridge and proceed with setup.

For detailed installation instructions see the Keeper Bridge section of the Admin Console user guide. Keeper Bridge supports single and multi-domain, multiple forest domains and other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment.

Note 1: The Keeper Bridge does not authenticate users into their vault with their Active Directory password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section.

Note 2: Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user.

Note 3: Once the Active Directory Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through Active Directory. Role enforcement policy changes should still be made on the Admin Console.

Single Sign-On (SAML 2.0) Authentication

Keeper can dynamically (Just-in-time) provision and authenticate users through any SAML 2.0 compatible identity provider through the use of our proprietary Keeper SSO Connect component.

Keeper SSO Connect is a SAML 2.0 application which leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision users to the platform. Keeper SSO Connect works with popular SSO IdP platforms such as G Suite, Microsoft AD FS / Azure, AWS, F5 BIG-IP APM, Okta, Centrify, OneLogin, Ping Identity and CAS.

Keeper SSO Connect is installed on the customer's on-prem or cloud infrastructure in order to preserve Keeper's Zero-Knowledge architecture. Your SSO Identity Provider will communicate and authenticate users by communicating directly with the Keeper SSO Connect instances that you operate in a high availability configuration.

To set up Keeper SSO Connect:

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration.
  2. Create a Node to configure for your SSO provider beneath the root node.
  3. Visit the "Bridge/SSO" or "Provisioning" tab to download the Bridge and proceed with setup.

The Keeper SSO Connect service application can be installed on a private on-premise or cloud-based server. Windows, Mac OS and Linux operating systems are fully supported. On Microsoft Windows environments, the Keeper SSO Connect application runs as a standard Windows service. This ensures the service won't exit when anyone logs off the PC and will automatically start up upon reboot. It can also be configured for High Availability (HA). In order to ensure the service is always active, Keeper SSO Connect can be installed on multiple servers that sit behind a load balancer.

When installing and configuring SSO on a node within your Keeper account, you will be asked to select an "Enterprise Domain". This is a unique string that will be typed in by your end-users to login to Keeper when accessing their account on a device. We recommend informing your users of the Enterprise Domain name so that they are able to access their Keeper vault on any device and platform. The Enterprise Domain is not needed when logging in to Keeper directly from the Identity Provider portal.

For detailed setup instructions, FAQs and workflow questions please see the Keeper SSO Connect setup guide. Our implementation engineers are also available by emailing business.support@keepersecurity.com. Most implementation issues can be addressed quickly via a screen sharing session or email.

Combining AD and SSO Authentication

Enterprise customers may want the benefit of automated provisioning and deprovisioning of users, roles, and teams through Active Directory integration while also leveraging the ability for their users to Single Sign-On (SSO) to their vaults through authentication to an Identity Provider (IdP) like Active Directory Federated Services (AD FS), Okta, G Suite, Azure, etc.

While the specific instructions on installation and configuration can be found in the Admin Guide for the Keeper AD Bridge and in the Keeper SSO Connect Setup Guides for specific identity providers, the below high level instructions will provide some best practices to leverage both integrations simultaneously.

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration.
  2. Create a Node to configure for your Bridge and SSO provider beneath the root node. Both Bridge and SSO will be activated in this node via the "Bridge/SSO" or "Provisioning" tab.
  3. Create a new Role for the node created in step 2. This will become the default role that all auto-provisioned users will receive.
  4. Set the role enforcement policies:
    • Set the desired enforcement settings, such as 2FA, Sharing, etc.
    • Optional but recommended: Set up Account Transfer for break glass vault access.
    • Optional: Enable the “Don’t Send Email Invitations” enforcement if dynamic provisioning will be configured for SSO or if users will be notified of their vault access at a later time.
    • After the Role enforcement settings are configured, check “Add role to new users created in the Node and Sub nodes”.
  5. Install and set up Keeper SSO Connect. Following our Keeper SSO Connect Setup Guide, configure your identity provider with Keeper to automatically authenticate users into their vault. Users will be provisioned into the default role for the node as set up in step 4.
  6. Install the Keeper AD Bridge. Following the instructions in the Admin Guide, install and configure the Keeper AD Bridge. When the bridge is deployed, the users, roles, and teams that match your LDAP query will be added/invited to your Keeper subscription.
    • If you opt to enforce the “Don’t Send Email Invitations” role enforcement setting, users will not receive a notification upon their first Keeper vault access.
    • We recommend sending a separate email to your end-users to communicate the onboarding process. The email should guide users to either log in directly to their IdP and click on the Keeper icon, or to sign in directly to Keeper using the "Enterprise Domain" that was configured in your Keeper SSO Connect installation. You may also provide your end-users with a full user guide found here.
    • We recommend testing with a small user subset to validate configuration and workflow before rolling out to a larger group of users.
    • Install and configure SSO Connect before the AD Bridge. Choosing to implement SSO at a later time will cause more user friction by requiring existing users to change their login method from "master password" to SSO-based authentication. We recommend having SSO set up at the initial onboarding.
    • After successful testing, onboard the remaining users and send users instructions to create their accounts.
    • Users in an SSO-enabled node will not be able to change their master password. This enforcement is by design to ensure users who authenticated via SSO do not have the ability to bypass IdP authentication for access to their vault.

Email Auto-Provisioning

To facilitate the rapid onboarding of Keeper at an organization with a large number of end-users, such as a university, Keeper supports email auto-provisioning. For example, anyone with an email address in the domain "acme.com" can be automatically provisioned to a particular node and role within the "Acme Corp" Keeper Enterprise account upon creating their vault.

  1. Create a role within the Keeper Admin Console and click the checkbox "Add role to new users created in this Node..." to set it as the default role.
  2. Manually add a single user on the admin console in the node and role.
  3. Contact business.support@keepersecurity.com and request email auto-provisioning for your domain(s) e.g. "mycompany.com". Also, provide us with the email address used in step 2. The support team will validate your domain ownership and provision the system.
  4. After confirmation from the Keeper business support team that your domain has been provisioned, you can begin inviting your users. You can send users a link to signup that is either pre-populated with their email address, or just a generic link to the site. For example:

https://keepersecurity.com/vault/#new/email/xxxxx@mycompany.com (Replace xxxxx with the email address)

OR

https://keepersecurity.com/vault/#new/

Alternatively users can simply go to our app store or download page: https://keepersecurity.com/download

Azure AD Sync (SCIM)

Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams for receiving Shared Folders.

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration
  2. Create a Node to configure specifically for Azure AD deployment under the root node.
  3. Visit the "Provisioning" tab and follow the Azure AD instructions.

The SCIM protocol is used for provisioning of users and teams, not for authentication. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Setup Guide.

Provisioning API / SDK

Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Keeper Commander SDK is open source Python code that is available for download from Keeper's Github Repository. The Commander SDK can assist in the following use cases:

  • Command line access to your Keeper vault
  • Importing passwords, folders and shared folders
  • Provisioning users and teams
  • Sharing records and folders with users and teams
  • Performing targeted password rotation

Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.


Deploying Keeper to End-Users

Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari, Firefox, Edge and IE. Native app installation is available from the Keeper website and every public-facing app store (iTunes, Google Play, Microsoft Store, etc).

Keeper Web Vault

Many enterprise customers utilize the Keeper Web Vault, which is a fully featured web-based application. To access the Keeper Web Vault login, visit https://keepersecurity.com/vault.

During the first time setup, users are directed to install the Keeper Browser Extension for the platform of their choice. Platform-specific installation notes are below:

Google Chrome
Google now requires that all browser extensions be installed from the Chrome store.

Firefox
Mozilla requires that all browser extensions are installed directly from their store.

Safari
The Safari extension can be installed from the Safari store. Or, it can be side-loaded directly by loading the extension file here.

Internet Explorer
The IE extension is available as an .exe or .msi installer from the Keeper website or the links below:

https://keepersecurity.com/ie_extension/SetupKeeperIE.exe
or
https://keepersecurity.com/ie_extension/SetupKeeperIE.msi

Note: the .exe file will auto-update. The MSI installer can be deployed and will not auto-update for users.

Microsoft Edge
The Edge extension must be installed from the Microsoft store.

Desktop App Deployment

The Desktop App has a few more capabilities than the Keeper Web Vault such as:

  • Ability to Autofill native apps using KeeperFill for Apps functionality
  • Ability to automatically import existing passwords without additional component installation
  • Offline access
  • Increased performance

Microsoft Windows
The Keeper desktop application can be deployed to users via .exe or .msi file. The .msi file will not auto-update. We offer a 32-bit and 64-bit version linked below:

32-bit EXE | 64-bit EXE | 32-bit MSI

Mac OS
Keeper for Mac can be installed through the link here.

Linux
Keeper for Linux can be installed here.

Note: Keeper supports Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint.

Mobile App Deployment

Keeper for mobile and tablet devices can be deployed through the public-facing app stores. MDM solutions can also push these applications to end-user devices without any special requirements. When the users register or sign into an account, Enterprise enforcement policies are automatically applied.


Folders

Personal Folder

A personal folder is only visible by the user who created the folder. A personal folder can be made up of subfolders and records. A personal folder can also contain other shared folders and shared records.

Shared Folder

A shared folder can be shared to an individual Keeper user or to a Keeper Team. Shared Folder permissions can be applied to Users, Teams and Records.

When a user is provisioned to a Team through any of the previously described onboarding methods (Active Directory Bridge, SSO, Azure AD, SCIM, API, etc.) the user will instantly receive the shared folders for that team, and the records associated with those shared folders. When the user is removed from a team, their access to any shared folders is revoked and those folders are immediately removed from their vault.

Any user within the Keeper Vault can create a personal folder or shared folder (unless restricted by the Keeper Administrator).

Subfolders

Both personal folders and shared folders can be nested, and each subfolder retains the same permission structure as the parent shared folder. A folder can contain an unlimited number of records or subfolders.

User and Team Permissions

You can assign "Can Manage Users" and "Can Manage Records" to a user or team in a Shared Folder. "Can Manage Users" allows the user or team to control who has the ability to add and delete user permissions. "Can Manage Records" allows the user or team to add and remove records within the shared folder.

Record Permissions

Permissions on records within the Shared Folder can be individually controlled with "Can Edit" and "Can Share" permission. Records with "Can Edit" permission are editable by anyone in the shared folder. Records with "Can Share" permission are re-shareable by anyone in the shared folder.

Default Folder Settings

When creating a Shared Folder, we recommend setting the Default Folder Settings to ensure that records added to the folder by team members retain a desired set of permissions. By default, the permissions are least privileged access. Click on the "Default Folder Settings" and configure the 4 options:

  • Can Manage Users
  • Can Manage Records
  • Can Edit Record
  • Can Share Record

Changing the default folder settings applies to only new users and records added moving forward. Therefore we recommend always setting default folder permissions when creating a new shared folder.

Managing Folders and Subfolders

A Folder and a Shared Folder are objects that are created independently of records. Keeper's implementation of Subfolders (Nested Folders) is powerful and flexible, providing Enterprise customers with the most secure encryption model while providing ease-of-use functionality like Drag & Drop.

  • A Folder can be made up of personal records, shared records or other subfolders.
  • Subfolders can be either shared or personal.
  • You can create an unlimited number of folders and shared folders.
  • A Shared Folder can be made up of an unlimited number of subfolders; each subfolder beneath a shared folder retains the permissions of the parent.
  • There is no limit to the folder tree depth.
  • A folder is a container of records and record references (shortcuts).
  • A Shared Folder is a container of records, with flexible user and team sharing capability.

Creating a Folder

To create a new Folder or Subfolder, click on "Create New" then "Folder" or "Shared Folder". You can select the parent folder or select "My Vault" to add the folder at the root level.

To provision a Shared Folder to a Team, click on the folder from the vault then click "Edit". From the "Users" screen select the Team and then assign the team level permissions.

To provision a Shared Folder to an individual user, click on the folder from the vault then click "Edit". From the "Users" screen type in the user's email address or select from the drop-down of previously shared users then assign the user permissions.

Moving Records

A record can exist outside of a folder, inside a folder or inside a Shared Folder. A record can also be linked into multiple folders or Shared Folders. A linked record is also referred to as a "Shortcut" or a "reference". In either case, modifying a linked record will change it everywhere that it is referenced.

There are two ways to Move a record into a shared folder:

  • Drag & Drop the record from the left pane and select "Move" when prompted
  • Right-click a record from the left pane and select "Move to..."

Creating Record Shortcuts

To add a record to multiple folders (e.g. create a Shortcut), follow one of these methods:

  • Click on the Folder and then click "Edit". In the "Add Records" search box, search for the records to add and click "Add". This method will always add a Shortcut (reference) to the folder.
  • Drag & Drop the record from the left pane and select "Create Shortcut" when prompted
  • Right-click a record from the left pane and select "Create Shortcut..."

Teams in Shared Folders

Teams are created by the Keeper Administrator, or any user who has been provided administrative permissions to the Keeper Admin Console for a specific node or organizational unit. There is no limit to the number of teams that can be created.

A team is made up of users within a node or sub-node. Teams can be provisioned in any of the below methods:

  • Manual creation in the Keeper Admin Console
  • Automatically provisioned through the Active Directory / LDAP Bridge software
  • Automatically provisioned through SCIM
  • Automatically provisioned through the Keeper Commander SDK

At the encryption layer, teams have a public and private key pair. In order to add a user to a team, you must first be a member of the team because you need to encrypt the Team Key with the recipient's public key. When the recipient logs into their vault, the Team Key is retrieved by decrypting it with the user's private key. This encryption process is automatically handled by the above provisioning methods.

Inside the Admin Console there are several team security options:

  • Individual users within the team can optionally hide shared folders from their own vault. This may be useful for Administrators who want to manage their teams but not see any of the shared folders in their own vault. To disable viewing shared folders, click "hide shared folders" in the team edit screen (hovering over the user name).

Team-Level Restrictions

Teams can be configured with several restrictions that will override any folder-level permission settings.

1. Disable viewing passwords
With this restriction in place, passwords are usable for logging in from the browser extension but are "masked" visually on the user interface. Note that password masking is visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection.

2. Disable record re-shares
With this restriction in place, passwords shared to this team cannot be re-shared by team members. Shared Folder permissions take precedence.

3. Disable record edits
With this restriction in place, passwords are usable and viewable but cannot be edited. Shared Folder permissions take precedence.


Roles

Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the "Keeper Administrator" role underneath the "Root Node". Other users can be assigned this role as well.

Users can be provisioned into Roles in several ways:

  • Manual mapping in the Keeper Admin Console via user interface
  • Manual mapping in the Keeper Admin Console via CSV file upload
  • Automatically provisioned through the Active Directory / LDAP Bridge software
  • Automatically provisioned through SCIM
  • Automatically provisioned through the Keeper Commander SDK

Role Enforcement Policies

Keeper role enforcements can be customized for each role. New role enforcement policies are being added on a continuous basis. If you have specific requirements for new role enforcement policies, please contact business.support@keepersecurity.com.

  • Master Password Complexity
  • Biometric Usage
  • Two-Factor Authentication
  • Two-Factor Authentication Channel
  • Two-Factor Authentication Token Expiration
  • Platform Restrictions
  • Record Sharing Restrictions
  • Exporting Records
  • Uploading Files
  • Offline Access
  • Changing Email
  • IP Address Whitelisting
  • Logout Timer Settings
  • Account Transfer Settings
  • Email Invitations
  • KeeperChat® Settings
  • Browser Extension Autofill Settings
  • Browser Extension Blacklisted Sites
  • Record Creation Outside of Shared Folders
  • Creating Folders

Account Transfer

If an employee leaves the organization or is unable to access their vault, the Keeper Administrator (or delegated authority) can transfer the user's vault to another employee account. Account Transfer must be configured at the beginning of the Keeper Enterprise rollout, and due to the security model it is not retroactive.

The Account Transfer function was developed to give businesses the ability to recover passwords and files that are stored in a user's vault that otherwise would be abandoned if that user was unable or unwilling to access their vault.

Account Transfer is a secure encryption process which is pre-configured by the Keeper Administrator based on the role and administrative permissions of users.

  • A role can be given the authority to perform an account transfer of another role (for example, the Engineering Manager can be permitted to transfer the vault of an Engineer).
  • The enforcement key is encrypted with the public key of each admin who is allowed to perform the transfer.
  • The user's data key (for users in a role to which the enforcement is applied) is encrypted with the role enforcement's public key.
  • Vault transfers are zero-knowledge, one-time and destructive. This process ensures that even Keeper Administrators cannot casually browse or access a user's vault. The process is as follows:

    1. The source account must be locked on the Admin Console
    2. Admin initiates the "Transfer" on the Admin Console which decrypts the source vault
    3. The records are re-encrypted with the recipient's data key
    4. The source account is deleted

For detailed step-by-step setup instructions for Account Transfer, please see the Keeper Admin Guide.


Creating Vault Records

A Keeper record can be any password, file or secret information that is stored in your encrypted vault. When a new user is onboarded to the Keeper platform, they are walked through a step-by-step guide to import existing passwords from their web browser, other password manager or file upload. The user is also walked through the process of creating records manually on their desktop computer.

Automatic Browser Import

Keeper's Import Tool will seamlessly import passwords that are stored in Chrome, Firefox, Edge and IE web browsers on your computer. From the Web Vault or Desktop App, click on "More" -> "Import" then click "Start Import".

Import from Password Managers

Keeper supports drag-and-drop import of files from other password managers or text files. From the Web Vault or Keeper Desktop app, click on "More" -> "Import" and then select the file format. Click on the "?" next to "Import Instructions" for a step-by-step guide to generating the proper file from the original password manager.

Bulk Import from .CSV File

File Format
Folder,Title,Login,Password,Website Address,Notes,Shared Folder,Custom Fields

  • To specify subfolders, use a backslash "\" between folder names
  • To make a shared folder, specify the name or path to it in the 7th field

Example 1: Create a regular folder at the root level with 2 custom fields
My Business Stuff,Twitter,marketing@company.com,123456,https://twitter.com,These are some notes,,API Key,5555,Date Created, 2018-04-02

Example 2: Create a shared subfolder inside another folder with edit and re-share permission
Personal,Twitter,craig@gmail.com,123456,https://twitter.com,,Social Media#edit#reshare

In the preview screen, click on the column header above each line to map the columns to the Keeper field.
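The column layout above (seven fixed columns, backslash-separated folder paths, "#edit#reshare" tags on the shared-folder field, trailing name/value custom-field pairs) can be checked before anything is imported. The parser below is an added example, not Keeper's own import code: the ImportRecord structure is this example's representation, and the sample rows are the guide's two examples plus a third, constructed row that exercises the subfolder syntax. It rejects rows with no Title, unknown permission tags, and an unpaired trailing custom-field name, which are the mistakes the preview screen is there to catch.

```python
"""Parse rows laid out in the Keeper bulk-import CSV format described above.

Added example, not Keeper's own code. ImportRecord is this example's own
representation; the third sample row is constructed.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The seven fixed columns; anything after them is name,value custom-field pairs.
FIXED_COLUMNS = ("Folder", "Title", "Login", "Password",
                 "Website Address", "Notes", "Shared Folder")

# Constructed sample: the guide's two examples plus one row using "\" subfolders.
SAMPLE_CSV = """\
My Business Stuff,Twitter,marketing@company.com,123456,https://twitter.com,These are some notes,,API Key,5555,Date Created, 2018-04-02
Personal,Twitter,craig@gmail.com,123456,https://twitter.com,,Social Media#edit#reshare
Finance\\Banking,Payroll Portal,payroll@company.com,s3cret,https://bank.example,,Finance\\Shared Banking#edit
"""


@dataclass
class ImportRecord:
    folder_path: List[str]               # folder names from the root, split on "\"
    title: str
    login: str
    password: str
    url: str
    notes: str
    shared_folder: Optional[List[str]]   # name or path of the shared folder, if any
    shared_permissions: Set[str] = field(default_factory=set)   # e.g. {"edit", "reshare"}
    custom_fields: Dict[str, str] = field(default_factory=dict)  # pairs from column 8 on


def split_path(value: str) -> List[str]:
    """'Folder\\Subfolder' -> ['Folder', 'Subfolder']; an empty string -> []."""
    return [part.strip() for part in value.split("\\") if part.strip()]


def parse_row(row: List[str]) -> ImportRecord:
    # Pad short rows so every fixed column exists, then split off the custom-field pairs.
    row = list(row) + [""] * (len(FIXED_COLUMNS) - len(row))
    fixed, extra = row[:len(FIXED_COLUMNS)], row[len(FIXED_COLUMNS):]
    folder, title, login, password, url, notes, shared = (v.strip() for v in fixed)
    if not title:
        raise ValueError("Title is the only required field and it is empty")

    # "Social Media#edit#reshare": the name/path comes first, "#"-separated permissions follow.
    shared_name, *perm_tags = shared.split("#")
    permissions = {tag.strip().lower() for tag in perm_tags if tag.strip()}
    unknown = permissions - {"edit", "reshare"}
    if unknown:
        raise ValueError(f"unknown shared-folder permission(s): {sorted(unknown)}")

    # Custom fields arrive as name,value,name,value...; an unpaired trailing name is
    # surfaced as an error rather than silently dropped.
    if len(extra) % 2:
        raise ValueError(f"custom fields must be name,value pairs; got {len(extra)} values")
    custom = {extra[i].strip(): extra[i + 1].strip() for i in range(0, len(extra), 2)}

    return ImportRecord(
        folder_path=split_path(folder),
        title=title, login=login, password=password, url=url, notes=notes,
        shared_folder=split_path(shared_name) if shared_name.strip() else None,
        shared_permissions=permissions,
        custom_fields=custom,
    )


def parse_csv(text: str) -> List[ImportRecord]:
    # csv.reader honours quoting, so a quoted Notes field may itself contain commas.
    rows = csv.reader(io.StringIO(text))
    return [parse_row(row) for row in rows if any(cell.strip() for cell in row)]
```

Running parse_csv(SAMPLE_CSV) yields three records: the first with two custom fields and no shared folder, the second in a shared folder named "Social Media" with edit and re-share permission, and the third placed in Finance\Banking with its shared folder path split into its two components.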

Manual Record Creation

From any Keeper vault application, click on "Create New" -> "Record" to add a record. Click on the "Dice" icon to generate a strong password. Title is the only required field.

Import from Commander SDK

The Keeper Commander SDK provides command-line or scripted capabilities to import records and folders into your Keeper Vault through either CSV or JSON-formatted files. For more information, click the link here.

Browser Extension

The Keeper Browser extension for Chrome, Firefox, Safari, Edge and IE browsers can be used to dynamically add records to your vault and Autofill passwords. Install the Keeper Browser Extension from our download page. From any website login screen, click on "Create New Record" and then fill in the appropriate fields. Click the check mark to save the record and autofill the login and password. If you manually type in a login and password to a website, Keeper will also prompt you to save the password to your vault.

Keeper Record Fields

A Keeper record is made up of the following fields:

  • Title
  • Login / Username
  • Password
  • Login URL
  • Custom Fields
  • File attachments
  • Notes

Special considerations:

  • The Login URL is required to Autofill forms in websites. For security reasons, the Login URL domain (e.g. google.com) must match the website that you are visiting.
  • Custom Fields are name/value pairs. An unlimited number of custom fields can be added to a record.
  • File attachments can be any type of file, photo, video or other documents. An unlimited number of files can be attached to any Keeper vault record.
  • File storage is an add-on subscription. If file storage is disabled, please contact your Keeper administrator or email sales@keepersecurity.com.
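The Login URL rule above is what stops a stored password from being filled into a lookalike site. The check below is an added example, not Keeper's implementation: it approximates the rule by allowing autofill only when the visited host equals the stored Login URL's host or is a subdomain of it, compared on label boundaries, and the URL pairs it is exercised with are constructed. The scheme fallback for a Login URL saved without "https://" is this example's assumption.

```python
"""Autofill domain check modelled on the rule "the Login URL domain must match the site
you are visiting". Added example, not Keeper's code; sample URLs are constructed."""
from typing import Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Lower-cased hostname without port or trailing dot; None if the URL has no host."""
    url = url.strip()
    if "://" not in url:
        # Assumption of this example: a Login URL saved as "twitter.com" means https://twitter.com
        url = "https://" + url
    host = urlsplit(url).hostname   # .hostname lower-cases and drops any port
    return host.rstrip(".") if host else None


def autofill_allowed(record_login_url: str, visited_url: str) -> bool:
    record_host, page_host = host_of(record_login_url), host_of(visited_url)
    if not record_host or not page_host:
        return False   # unparsable or hostless URLs never autofill
    # Exact match, or the page is a subdomain of the stored domain
    # (accounts.google.com for a record stored as google.com). Matching on a
    # leading "." keeps google.com.evil.example and evilgoogle.com out.
    return page_host == record_host or page_host.endswith("." + record_host)
```

Two caveats a practitioner would add: the suffix rule treats the stored host as the unit of trust, so a Login URL that is itself a shared hosting suffix would match every site under it (production implementations consult a public suffix list), and internationalised hostnames should be compared in their normalised punycode form, which urlsplit does not do for you.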

Individual Record Sharing

Keeper records can be shared individually with other Keeper users. Keeper sharing technology uses secure RSA encryption to exchange the individual record keys. Therefore, in order to share or transfer a record to another user, the recipient must first have a Keeper account. Attempting to share to a user without a Keeper account will invite them to the platform. For more detailed information about Keeper's security architecture, click here.

To share a Keeper record with another user, click on "Options" -> "Share" and then type in the email address of the recipient (or select from previously shared users). Edit and re-share permission can be applied to any shared records.

Role enforcement policies can be applied from the Keeper Admin Console to control the ability for records to be shared.

Transfer Ownership

Record ownership can be transferred to another Keeper user. To perform a transfer, click on "Options" -> "Share" and then type in or select the email address of the recipient. Click on the "Make Owner" checkbox and click "Send". Note that after transferring record ownership, the record will no longer be accessible from your vault.

Version History

Every record created by a user is automatically backed up through the Keeper Cloud Security Vault architecture. Every record change is also backed up and a record version is created upon each change event. Each record is identified by a record UID and each record can have an unlimited number of version identifiers.

Version History is a critical capability that ensures a password or record change is never lost by accident. Version history also ensures that a deleted record can be recovered.

When a record is deleted by the record owner, the record is moved to the "Deleted Records" trash bin. Records will remain in this location until the record owner explicitly empties the trash bin.

Users can view the Version History of any Keeper record by accessing the Keeper Web Vault or Keeper Desktop. Click on the record, then click "Options" and "Record History".

Data Export

Keeper Web Vault and Keeper Desktop applications also include an "Export" capability which can be enabled by the Keeper Administrator. Exporting records from your vault can serve as a backup mechanism; however, the export does not retain any information about sharing relationships, folder structure or file attachments. If Export is allowed by the Keeper Administrator, we recommend storing the exported files in a secure location on an encrypted file system. The security and encryption model of Keeper purposely does not permit a Keeper Administrator to export user vaults. A user must be authorized on a Keeper record via the Team or User sharing capability in order to access and export vault information.


Two-Factor Authentication

Keeper supports popular methods of 2FA including Text Message, TOTP applications such as Google and Microsoft Authenticator, Duo Security, RSA SecurID and Keeper DNA (using Apple Watch and Android Wear devices).

Each user is able to individually configure their Two-Factor Authentication settings from their vault "Settings" screen. Certain 2FA methods such as Duo Security and RSA SecurID require the Keeper administrator to log in to the Admin Console and perform up-front configuration.

To access the Two-Factor Authentication configuration, visit the "2FA" tab of the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.

Available 2FA Methods

Text Message
Keeper supports Text Message (SMS) delivery of two-factor authentication codes. To select the Text Message method, visit the "Settings" or "DNA" screens within the Web App or Mobile App.

Google Authenticator (TOTP)
Download the Google Authenticator or any TOTP-compatible application on your mobile device and add a new entry by scanning the barcode Keeper provides.
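The barcode scanned in the step above is an otpauth:// URI carrying a shared secret, and the six-digit codes the app then shows are RFC 6238 TOTP values derived from that secret and the current time. The code below is an added example, not Keeper's implementation or the authenticator app's: it parses a constructed URI whose secret is the RFC 6238 reference key, derives codes, and shows the verification side with the usual one-step tolerance for clock skew.

```python
"""RFC 6238 TOTP as used by Google Authenticator and compatible apps.

Added example, not Keeper's code. The otpauth URI is constructed; its secret is the
RFC 6238 reference key "12345678901234567890" in Base32, so the RFC's published
test vectors apply.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed URI of the kind the enrollment barcode encodes.
SAMPLE_URI = ("otpauth://totp/Keeper:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Keeper&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Extract label, raw secret bytes, digit count and time step from an otpauth://totp URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)   # restore Base32 padding if the issuer omitted it
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, period: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Accept the current step and its +/- skew_steps neighbours, comparing in constant time."""
    current = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, current + d, digits), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )
```

The verifier's window means a code stays valid for up to three time steps; a server that uses this tolerance should also refuse to accept the same step twice for a user, so an observed code cannot be replayed within the window.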

Smart Watch
Keeper DNA uses the connected devices you own to create your unique profile, which serves as a second factor to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable the Keeper DNA 2FA method, visit the "DNA" screen on your iPhone or Android app.

RSA SecurID
To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper account manager to initiate this integration at business.support@keepersecurity.com.

Duo Security
To activate Duo Security, follow the below steps:

1. Create an account and log in at Duo.com. Select "Applications" in the left side menu.

2. Click "Protect An Application" to bring up a list of applications. Then select "Keeper Security" from the list.

3. Copy the provided credentials from Duo's website (including the Secret Key, which must be clicked on to view).

4. Return to Keeper's Admin Console and click on the 2FA tab. Click on the gear icon under Duo and paste in the information copied from Duo's site. Slide the switch to enable and click Save.

Once activated, each individual user can enroll in Duo by logging into their Keeper app, going to the "Settings" or "DNA" screen, selecting "One-Time Passcodes" (or Two-Factor Authentication) and then selecting Duo Security. The user is walked through a process to activate their device.

Security Keys (FIDO U2F)

Users can protect their Keeper vault with FIDO Universal 2nd Factor (U2F) compatible hardware security keys, including YubiKey, which provide secure and easy two-factor authentication (2FA). Security Keys are configured on the Keeper Web Vault or Keeper Desktop App.

To activate 2FA using Security keys, follow the steps below:

1. Click on "More" -> "Settings" and then the "Security" tab.

2. Set up and activate a standard 2FA method. This will be used as a backup method when your Security Key is not supported or not available.

3. Click on "Setup" under the "Security Keys" section.

4. Follow the on-screen prompts and give your Security Key a name and click on "Register".

5. If your Security Key has a button or gold disc (e.g. Yubico), press the button to register.


Training and Support

Keeper Security provides our Enterprise customers with training, onboarding and individual end-user support through email, phone and live chat. We utilize web video tools for training and personalized support. To contact your business support team, please email business.support@keepersecurity.com.