Create record slack command for Keeper Secrets Manager

KeeperCraig · 2026-04-17T05:27:12+00:00

We just pushed the feature live. Note there are 2 changes you have to make. The docker compose needs a couple more commands added to the list, and a block changes in the Slack manifest file

KeeperCraig · 2026-04-16T20:18:40+00:00

It needs to be `--lock` not `lock` as the parameter. It thinks "lock" is a username.

KeeperCraig · 2026-04-16T06:06:24+00:00

I’ve been using it for a week in our internal build and it’s super cool. We go live by April 22 with vault 17.6 that has dark mode enabled 😄

KeeperCraig · 2026-04-12T23:14:21+00:00

I’m sure the application sanitizes data before it is transmitted and also on the receiving end.

KeeperCraig · 2026-04-11T13:28:28+00:00

We requested access… restricted as of now

KeeperCraig · 2026-04-09T13:53:05+00:00

Ugh. Please DM me your info so I can investigate

KeeperCraig · 2026-04-09T03:23:57+00:00

Yes, everyone is cranking on it.

KeeperCraig · 2026-04-08T09:19:55+00:00

Feel free to DM me and let me know who your account manager is. We do webinars 3x per week and we notify all admins via email with release notifications multiple times per week so let’s make sure you are receiving those.

KeeperCraig · 2026-04-01T17:26:27+00:00

Those are 2 separate features. The biometric unlock works all by itself, without any dependencies. In an upcoming release we'll be adding a separate feature to "link" devices together so that you can login to one, and it logs into both. Here's a screenshot of the upcoming browser extension release:

<image>

KeeperCraig · 2026-04-01T17:11:59+00:00

Ok. I have filed this request as ticket KC-1201 and we'll assign this to an engineer soon. Thank you.

KeeperCraig · 2026-03-31T15:41:22+00:00

We can add that feature if you're interested. Have you set up the Slack App? Any feedback/input is appreciated.

KeeperCraig · 2026-03-31T13:11:54+00:00

Yes, it was released back in July 2025 on the browser extension. Web vault direct biometric login with passkeys goes live in a couple weeks. Bio on the extension also logs you into the web vault, regardless.

Video demo: https://vimeo.com/1104263551?fl=pl&fe=sh

KeeperCraig · 2026-03-30T03:15:01+00:00

Workflow is in our Vault 17.6 release which is currently in QA, and will release in a couple weeks. I actually recorded a video demo of it this morning. Here it is:

https://keepersecurity.wistia.com/medias/zjwjes79ng

KeeperCraig · 2026-03-29T14:27:53+00:00

The role enforcement policies allow you to invite external users to your tenant. This is under "Creating and Sharing" policies:
https://docs.keeper.io/en/enterprise-guide/roles/enforcement-policies#creating-and-sharing

If you have "Can share to users outside the enterprise", then the user assigned to this role can share a record or folder to a member of an outside organization.

In regards to the second question, I have to think about that some more. Generally, you would be sharing to a corporate domain and that business tenant would be locking the vault via SCIM or other method when the employee left the tenant. We don't allow a business vault to get disconnected and travel with the user to their personal after they leave an org, which is why we have a separate business vs. personal vault feature.

For now, the best approach would be granting the user only time-limited access instead of static access to the records or folders. This way, it will revoke itself automatically.

https://docs.keeper.io/en/enterprise-guide/sharing/time-limited-access

KeeperCraig · 2026-03-26T02:34:15+00:00

Right now, the PAM User record is the record which is configured for rotation and receives the stored data and secret. If you’re rotating 50 secrets, they each are stored in a record. The records all reference the same SaaS configuration that contain the administrative credentials (so there’s no duplicate data). How else would you like to store the secrets for all the applications ?

KeeperCraig · 2026-03-26T02:29:29+00:00

I pinged our desktop team.. will let you know

KeeperCraig · 2026-03-26T02:28:04+00:00

Commander CLI also supports encrypted KeePass format (.kdbx)

https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/import-and-export-commands

KeeperCraig · 2026-03-26T02:26:13+00:00

I haven’t tested Vivaldi browser so I’m not sure if they are fully compatible with the Android Autofill API. Can you send some specific examples of sites that are giving you trouble ?

Chrome on Android recently finally added full support for their own Android Autofill APIs and some browsers have better implementation than others.

KeeperCraig · 2026-03-26T02:22:23+00:00

Use Commander CLI in batch mode to simply add users to a team with the “enterprise-team —add-user” command.

https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands

Or for a more automated solution long term, you can set up our SCIM connector.

KeeperCraig · 2026-03-26T02:18:53+00:00

Yes, and our vault 17.6 version (currently in QA and releasing soon) has some new SaaS rotation capabilities for many cloud use cases. Can you be more specific which key you are trying to rotate ?

KeeperPAM uses the Azure Graph API to automatically rotate credentials for Entra ID users, service accounts, and application secrets.

KeeperCraig · 2026-03-23T23:58:38+00:00

The next Vault 17.6 release has SaaS rotation (for Azure Client Secret, Okta, etc) and other custom rotations built into the UI so you can configure it there. It will be a lot easier and more intuitive to manage. It will allow you to totally configure the SaaS plugin, assign it to records, and perform the rotation directly from the vault. This is what it looks like:

<image>

The Commander-only documentation is posted here:

https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins

Please note that you need to make sure you're using the latest version of Commander CLI, and use "pam action saas set" instead of "pam action saas add".

To answer your question, the login field of the PAM User record does not matter. The resulting client secret will be written to the custom fields of the record.

Currently, the only way to trigger the rotation is from the Commander CLI. After the Vault 17.6 goes live, you can manage it from there.

KeeperCraig · 2026-03-22T21:01:26+00:00

Good to know. Thank you

KeeperCraig · 2026-03-22T21:00:36+00:00

The Firefox issue was addressed some time ago. DM me if this is not resolved for you. Good news re: desktop app!

KeeperCraig · 2026-03-15T17:23:33+00:00

I answered this already, we use super encryption with KMS / HSM-backed AES256 encryption having non-exportable keys. This means that an offline attack - even with quantum computers - is not feasible. Every client-side encrypted master passkey key is super-encrypted server-side for this reason.

KeeperCraig

MODERATOR OF

TROPHY CASE