Last year, the company I work for signed up for Keeper Enterprise. A good password manager was something I’d been vouching for at work for a while, for a few reasons:
- Security policies often dictate practices that simply aren't feasible to follow.
- Even though sharing passwords is discouraged, sometimes it just can't be helped. There are all kinds of services that give you only one account, and unless you are going to be heavily dependent upon individual people in the team, you need a way to share them.
- There are also other kinds of secrets – pass phrases, security keys, and all sorts of things that should be stored in a safe way. Keeper can also store files, so e.g. SSH keys and TLS keys/certificates are certainly possible to store. Now, storing TLS keys outside the system they are used on is not best practice, but if you still need to, then Keeper is one of the better options.
In a large organization, distributed over several locations, you need a secure way to do all of these things. Which is where tools like Keeper enter the field.
With Keeper, you can create teams – so that you can give a team access to a set of secrets. You can also set up rules for sharing, e.g. that you can't share outside your organisation or team.
The secrets can be organised in folders, which is something I recommend. If you want to share a folder, you'll have to create a shareable folder at creation time, and there are few downsides to creating shareable folders – since you still decide who to share it with.
Keeper Enterprise also comes with a great perk: A complimentary Keeper Family subscription to all Keeper Enterprise users!
In my organization, we have opted not to allow sharing outside the organization – and keep in mind that your Keeper Family accounts are outside the organization. Thus, for things that are on the borderline between work and private – such as the online newspaper subscriptions we have at work – I store them in my Keeper Personal account. I can still share the other way, from my Keeper Personal to my Keeper Enterprise identity, so this gives me access to the secrets from both identities.
In my Keeper Personal account, I organize all the secrets in shareable folders by topic, such as Banking/Finance, Newspapers, Social Media etc. I share the folders I'm likely to need at work with my Keeper Enterprise identity. That way, as long as I am thorough about the sorting, I'm rarely unable to access a password I need.
I almost never create non-shareable folders, and in my honest opinion, I'm not sure I see the reason behind having non-shareable folders at all.
Keeper comes with browser plugins for the standard browsers: Microsoft Edge, Firefox, Chrome and Safari are the ones I have used. The user experience is about the same across all of them. There is of course also an Android and an iOS app, making it possible to share passwords between your desktop and your mobile.
Some other hints:
- One other feature I have come to like is the support for two-factor codes, Google Authenticator style. Keeper will happily fill in the code in addition to the username and password. Keep in mind that this of course makes it even more important to secure the access to Keeper itself. Make sure you turn on two-factor authentication, and if you are ever using shared computers, make sure you don't store the two-factor login when using those computers. There is a bit of a chicken and egg here: you of course need a separate device to keep this two-factor login on 🙂
- When storing a password automatically, it'll often store the whole URL – including the path. Some websites even tend to do login on a different host, e.g. login.site.name. If you ever get into trouble having your browser recognize/match those logins, changing this to a more general URL helps. For example, if Keeper stored https://signup.site.name/register.php, you might opt to change it to https://site.name/ – those are usually easily matched.
- The mobile apps aren't always able to find the Keeper entries automatically. You can usually search for and find the correct entry during the login process, and then you are given the option to link the entry to the app where you need to use the password. This has worked well for me so far, and makes sure that next time you open the app, Keeper will find the correct entry for you.
- You also shouldn't limit your view of Keeper to a simple password manager. If you, for example, have a login at an online shop, you can store receipts in that entry itself – and perhaps some notes about product IDs etc. if those are hard to remember and you need them regularly.
- Get rid of the notion that you should remember passwords. With Keeper, you don't have to, so do let Keeper generate the passwords – and the longer and more complex, the better!
For the more technically inclined of us – and if you like command lines – there's Keeper Commander, a command-line application to manage your Keeper repo. It comes with some nice features like for example starting SSH from within Keeper Commander, using an SSH key stored in Keeper. It can also help you with tasks like rotating passwords, although I haven't yet tested that feature of Keeper Commander.
Keeper Enterprise accounts also come with additional features – like Secrets Manager. This is how you'd allow software and systems access to your secrets. I was able to test this feature together with my backup system, Borg Backup, that I have written about in an earlier post.
I started off with hardcoding the pass phrase for the backup keys in the configuration files for Borg. Hardcoding passwords is never best practice, but when setting up automated systems, you have to make some compromises here. However, Secrets Manager allows systems to fetch secrets from Keeper. Now, of course, you *still* need to give these systems a way to access Keeper – so if you do go this route, make sure you give systems access to only the secrets they actually need.
I opted for storing the secrets that systems need in shareable folders, with only the entries that each client system/software package needs. While experimenting, and since I run my backup jobs as root (because they need access to all files), I just shared the pass phrases with the root user.
Follow the quick start guide to get up to speed with setting up your account and client software installation.
The process is roughly:
Create an application – this is a logical set of secrets that you can share out to client systems. Keep this small, and make sure each system only gets access to the secrets it needs.
My Vault> secrets-manager app create serverbackup
My Vault> secrets-manager share add --app serverbackup --secret <uid>
My Vault> secrets-manager client add --app serverbackup
The last command gives you a token. You need to log on from the client system with this token:
$ ksm profile init --token <token>
You're now all set to interact with Keeper from the command line and any scripts, running as the user you ran this command as.
- ksm secret list – to list all entries you have access to
- ksm secret get -t <Entry-title> – to list out an entry
- ksm secret get -t <Entry-title> --field <field> – to get the contents of a specific field. This is what you'd typically need to use in your automation scripts.
For my backup needs, borgmatic has a configuration file entry, encryption_passcommand, that I can use instead of encryption_passphrase:
encryption_passcommand: ksm secret get -t Borg --field password
Here, the record with name Borg exists within the folder I shared with secrets-manager share --add --application serverbackup --secret <uid>, where uid is the uid of the folder I shared. You can find the uid within your Keeper vault, if you press the icon with an i in a circle, or from Keeper Commander when you list an entry/folder.
And that’s about it! Now, borgmatic will fetch the passphrase from Keeper each time the backup job runs!
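One thing the bare `ksm secret get` passcommand does not do is fail closed: if the ksm profile on the client is broken or the record's password field is blank, borg can end up being handed an empty passphrase. The wrapper below is an added example (not code from the original post or from Keeper); it fetches the field through ksm and refuses to return an empty value. KSM_BIN is an assumed override hook used only so the script can be exercised with a stub; the record title Borg and field name password are the ones from the post.

```shell
#!/bin/sh
# keeper-pass.sh: fail-closed wrapper for borgmatic's encryption_passcommand.
# Fetches one field of a Keeper record through ksm and refuses to hand back
# an empty value, so a broken ksm profile aborts the backup instead of
# letting borg run with a missing passphrase. KSM_BIN is an assumed override
# hook (not a Keeper option); it defaults to the real ksm binary.
set -u

KSM_BIN="${KSM_BIN:-ksm}"

# fetch_passphrase TITLE [FIELD]: prints the field value (default: password)
# without a trailing newline; returns 1 if ksm fails, 2 if the value is empty.
fetch_passphrase() {
    title="$1"
    field="${2:-password}"
    # Only stdout is captured; ksm's own diagnostics still go to stderr,
    # where borgmatic's log can see them while the secret never appears.
    value="$("$KSM_BIN" secret get -t "$title" --field "$field")" || {
        echo "keeper-pass: ksm lookup for record '$title' failed" >&2
        return 1
    }
    # Drop trailing whitespace; an empty or whitespace-only value is an error.
    value="$(printf '%s' "$value" | sed -e 's/[[:space:]]*$//')"
    if [ -z "$value" ]; then
        echo "keeper-pass: record '$title' has an empty '$field' field" >&2
        return 2
    fi
    printf '%s' "$value"
}

# Usage: keeper-pass.sh <record-title> [field]. With no arguments nothing
# runs, so the file can also be sourced for its function.
if [ $# -gt 0 ]; then
    fetch_passphrase "$@"
fi
```

With the script installed as /usr/local/bin/keeper-pass.sh, the borgmatic line becomes `encryption_passcommand: /usr/local/bin/keeper-pass.sh Borg`, and a failed lookup now stops the backup job with a clear message instead of proceeding.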
Keeper is a password/secret manager that caters to both simple and advanced needs. Many people will not go beyond the vault in the browser and the mobile applications, to automate logins to their personal sites. It works well for this use case, but it also gives you more options, if you are technically inclined like me, or if your needs grow.
If there is one thing I would wish, it would be that some of the enterprise functions, such as Secrets Manager, were also available under a personal account – but I do realize I'm more nerdy than most people, so there may not be many people besides me who see this need.
All in all, I’m pretty happy with Keeper Password Manager. I have used other password managers before, and while they are also good, I have found more of the features I need with Keeper.