### Queue Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Example configuration parameters for the request queue system. Adjust these values based on your needs.

```yaml
queue_max_size: 100 # Maximum queued requests
request_timeout: 300 # Request timeout (5 minutes)
result_retention: 3600 # Result retention (1 hour)
```

--------------------------------

### Slack App Integration Setup

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Automates the setup for integrating Commander Service Mode with Slack. This includes running the Docker setup and configuring Slack App integration by collecting tokens and updating the docker-compose.yml.

```bash
My Vault> slack-app-setup
```

--------------------------------

### Install lxml from Wheel File

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/importer/keepass/README.md

Install the lxml package using a pre-compiled wheel file. This is a workaround for potential installation issues with pip.

```bash
pip3 install lxml-4.2.3-cp36-cp36m-win32.whl
```

--------------------------------

### Domain PAM Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Example of a domain-based PAM configuration. Includes domain ID, hostname, port, SSL usage, network CIDR, and administrative credentials.
```json
{
  "pam_configuration": {
    "environment": "domain",
    "title": "Project1 Domain PAM Configuration",
    "dom_domain_id": "my-domain_id",
    "dom_hostname": "my-hostname",
    "dom_port": "my-port",
    "dom_use_ssl": true,
    "dom_scan_dc_cidr": true,
    "dom_network_cidr": "192.168.1.0/28",
    "dom_administrative_credential": "admin1"
  }
}
```

--------------------------------

### Install Dependencies and Compile Proto Files

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/keeper_dag/proto/README.md

Installs the necessary Python packages and then compiles the router_abbr.proto file using protoc to generate Python and mypy output files. Ensure the protoc binary is in your PATH or provide the full path.

```shell
pip install protobuf mypy-protobuf
cd keeper-dag/proto
/path/to/protoc/bin/protoc --python_out=. --mypy_out=. router_abbr.proto
```

--------------------------------

### OCI PAM Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Example of an OCI PAM configuration. Requires OCI ID, admin ID, public key, private key, tenancy, and region for integration.

```json
{
  "pam_configuration": {
    "environment": "oci",
    "title": "Project1 OCI PAM Configuration",
    "oci_id": "my-oci_id",
    "oci_admin_id": "my-oci_admin_id",
    "oci_admin_public_key": "my-oci_admin_public_key",
    "oci_admin_private_key": "my-oci_admin_private_key",
    "oci_tenancy": "my-oci_tenancy",
    "oci_region": "my-oci_region"
  }
}
```

--------------------------------

### Run Keeper Commander from Source

Source: https://github.com/keeper-security/commander/blob/master/README.md

Clones the Keeper Commander repository, sets up a virtual environment, and installs the package locally. Includes installation of email-related dependencies.
```bash
git clone https://github.com/Keeper-Security/Commander
cd Commander
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
pip install -e .
pip install -e '.[email]'
```

--------------------------------

### Install FIDO2 Libraries for Windows

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/biometric/README.md

Install the necessary FIDO2 libraries on Windows if you encounter 'No biometric hardware detected' errors and suspect missing FIDO2 support.

```bash
pip install fido2
```

--------------------------------

### Local PAM Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Example of a local PAM configuration, including network settings and script attachments. Specific parameters like network_id and network_cidr are unique to local environments.

```json
{
  "pam_configuration": {
    "environment": "local",
    "title": "Project1 Local PAM Configuration",
    "gateway_name": "Project1 Gateway",
    "connections": "on",
    "rotation": "on",
    "tunneling": "on",
    "ai_threat_detection": "off",
    "ai_terminate_session_on_detection": "off",
    "remote_browser_isolation": "on",
    "graphical_session_recording": "off",
    "text_session_recording": "off",
    "port_mapping": ["2222=ssh", "33306=mysql"],
    "default_rotation_schedule": { "type": "CRON", "cron": "30 18 * * *" },
    "scripts": [
      { "file": "/path/to/script1.ps1", "script_command": "pwsh", "additional_credentials": ["user2"] },
      { "file": "/path/to/script2.ps1", "script_command": "pwsh" },
      { "file": "/path/to/script2.sh" }
    ],
    "attachments": ["/path/to/file1.txt", "/path/to/file2.bin"],
    "network_id": "project1-net",
    "network_cidr": "192.168.1.0/28"
  }
}
```

--------------------------------

### GCP PAM Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Example of a GCP PAM configuration.
Requires GCP ID, service account key, Google admin email, and region names for integration.

```json
{
  "pam_configuration": {
    "environment": "gcp",
    "title": "Project1 GCP PAM Configuration",
    "gcp_id": "my-gcp_id",
    "gcp_service_account_key": "my-gcp_service_account_key",
    "gcp_google_admin_email": "my-gcp_google_admin_email",
    "gcp_region_names": ["us-east1", "us-central1"]
  }
}
```

--------------------------------

### AWS PAM Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Example of an AWS PAM configuration. Requires AWS credentials and region names for integration with AWS services.

```json
{
  "pam_configuration": {
    "environment": "aws",
    "title": "Project1 AWS PAM Configuration",
    "aws_id": "my-aws_id",
    "aws_access_key_id": "my-aws_access_key_id",
    "aws_secret_access_key": "my-aws_secret_access_key",
    "aws_region_names": ["us-east-1", "us-west-2"]
  }
}
```

--------------------------------

### Get Field Type Information in JSON or Example

Source: https://github.com/keeper-security/commander/blob/master/record_types.md

Retrieve field type definitions in JSON format or request an example using the `--format=json` or `--example` options with `record-type-info --list-field`.

```bash
rti -lf name --format=json
```

```bash
rti -lf phone --example
```

--------------------------------

### Install Biometric Dependencies

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/biometric/README.md

Install the necessary Python packages for biometric authentication support. Ensure you have Python and pip installed.

```bash
pip install cbor2 pyobjc-framework-LocalAuthentication fido2
```

--------------------------------

### Azure PAM Configuration Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Example of an Azure PAM configuration.
Requires Azure Entra ID, client ID, client secret, subscription ID, tenant ID, and resource groups for integration.

```json
{
  "pam_configuration": {
    "environment": "azure",
    "title": "Project1 Azure PAM Configuration",
    "az_entra_id": "my-az_entra_id",
    "az_client_id": "my-az_client_id",
    "az_client_secret": "my-az_client_secret",
    "az_subscription_id": "my-az_subscription_id",
    "az_tenant_id": "my-az_tenant_id",
    "az_resource_groups": ["rg-WebApp1-Dev", "rg-WebApp1-Prod"]
  }
}
```

--------------------------------

### Run Automated Docker Setup

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Executes the automated Docker deployment setup for Keeper Secrets Manager. This command registers the device, creates necessary resources like shared folders and config records, and generates a KSM client device with a base64 config.

```bash
My Vault> service-docker-setup
```

--------------------------------

### PAM Directory Resource Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Defines a PAM directory resource with connection details, SSL usage, and specific PAM settings for Active Directory.
```json
{
  "pam_data": {
    "resources": [
      {
        "type": "pamDirectory",
        "title": "PAM Directory Machine",
        "notes": "Directory Machine1",
        "host": "127.0.0.1",
        "port": "3389",
        "use_ssl": true,
        "domain_name": "MyDomain",
        "alternative_ips": ["127.0.0.1", "127.0.0.2"],
        "directory_id": "DirectoryId",
        "directory_type": "active_directory",
        "user_match": "UserMatch1",
        "provider_group": "ProviderGroup",
        "provider_region": "us-east1",
        "otp": "otpauth://totp/Example:alice3@example.com?secret=JBSWY3DPEHPK3PXP&issuer=ExampleApp3",
        "attachments": [],
        "scripts": [],
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "remote_browser_isolation": "on",
            "graphical_session_recording": "on",
            "text_session_recording": "on"
          },
          "allow_supply_host": false,
          "port_forward": { "port": "2222", "reuse_port": true },
          "connection": {
            "_comment": "Connections settings per protocol - RDP",
            "protocol": "ssh",
            "port": "2222",
            "allow_supply_user": true,
            "administrative_credentials": "admin1",
            "launch_credentials": "user1",
            "recording_include_keys": true,
            "disable_copy": true,
            "disable_paste": true,
            "color_scheme": "gray-black",
            "font_size": "18",
            "scrollback": 5000,
            "public_host_key": "",
            "command": "/bin/bash",
            "sftp": { "enable_sftp": true, "sftp_root_directory": "/tmp" }
          }
        },
        "users": []
      },
      {
        "type": "pamDirectory",
        "directory_type": "openldap",
        "host": "127.0.0.8",
        "port": "636",
        "use_ssl": true,
        "users": [{ "type": "pamUser", "login": "pamuser2", "password": "p4mus3r2!" }]
      }
    ]
  }
}
```

--------------------------------

### PAM Database Resource Example

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Defines a PAM database resource with connection details, SSL usage, and PAM settings for rotation, connections, and tunneling.
```json
{
  "pam_data": {
    "resources": [
      {
        "type": "pamDatabase",
        "title": "PAM MySQL Machine",
        "notes": "DB Machine1",
        "host": "127.0.0.1",
        "port": "13306",
        "use_ssl": true,
        "database_id": "DatabaseId",
        "database_type": "mysql",
        "_comment": "database types: ",
        "provider_group": "ProviderGroup",
        "provider_region": "us-east1",
        "otp": "otpauth://totp/Example:alice3@example.com?secret=JBSWY3DPEHPK3PXP&issuer=ExampleApp3",
        "attachments": [],
        "scripts": [],
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "remote_browser_isolation": "on",
            "graphical_session_recording": "on",
            "text_session_recording": "on",
            "ai_threat_detection": "off",
            "ai_terminate_session_on_detection": "off"
          },
          "allow_supply_host": false,
          "port_forward": { "port": "2222", "reuse_port": true },
          "connection": {
            "protocol": "mysql",
            "_comment": "DB protocol types: ",
            "port": "2222",
            "allow_supply_user": true,
            "administrative_credentials": "admin1",
            "launch_credentials": "user1",
            "recording_include_keys": true,
            "disable_copy": true,
            "disable_paste": true,
            "color_scheme": "gray-black",
            "font_size": "18",
            "scrollback": 5000,
            "disable_csv_import": true,
            "disable_csv_export": true,
            "default_database": "db1"
          }
        },
        "users": []
      },
      {
        "type": "pamDatabase",
        "title": "PAM MongoDB Machine",
        "database_type": "mongodb",
        "host": "127.0.0.8",
        "port": "27017",
        "use_ssl": true,
        "users": [{ "type": "pamUser", "login": "pamuser2", "password": "p4mus3r2!" }]
      }
    ]
  }
}
```

--------------------------------

### Install fido2 Python Module

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/yubikey/README.md

Install the necessary Python module to enable FIDO U2F Security Key support with Keeper Commander. This is a prerequisite for using security keys.
```bash
pip3 install fido2
```

--------------------------------

### Get Syntax Help for record-add

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Access syntax help for the `record-add` command to understand its options and field formats. This is useful for ensuring correct command construction.

```bash
record-add --syntax-help
```

--------------------------------

### Install pykeepass Module

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/importer/keepass/README.md

Install the pykeepass module using pip. This is required for Keepass import/export functionality.

```bash
pip3 install pykeepass
```

--------------------------------

### Install Keeper Commander with PIP

Source: https://github.com/keeper-security/commander/blob/master/README.md

Installs Keeper Commander and its dependencies into a Python virtual environment.

```bash
python3 -m venv keeper-env
source keeper-env/bin/activate
pip install keepercommander
```

--------------------------------

### Get Help for record-update

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

View the help documentation for the `record-update` command to understand its arguments and usage. This is essential for performing record modifications.

```bash
record-update --help
```

--------------------------------

### Basic Login Record - Single Line

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

A simple example of adding a login record with title, type, login, password, and URL. This single-line version is safe for copy-pasting.
```bash
record-add -t "Gmail Account" -rt login login=john.doe@gmail.com password=SecurePass123 url=https://accounts.google.com
```

--------------------------------

### Create One-Time WiFi Credentials

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Example of creating a self-destructing WiFi credentials record that expires in 30 minutes. Ideal for temporary visitor access.

```bash
record-add -t "Guest WiFi Access" -rt wifiCredentials \
  text.ssid="Company-Guest" \
  password=TempPass123 \
  --self-destruct 30m \
  --notes "Visitor access for meeting"
```

--------------------------------

### Comprehensive License Consumption Analysis

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/LICENSE_CONSUMPTION_REPORT.md

Provides examples of comprehensive license consumption analysis, combining various flags for detailed reporting and export.

```bash
# All features with detailed breakdown
keeper license-consumption-report --feature all --details --include-teams

# PAM users with details, including teams, export to CSV
keeper license-consumption-report --feature pam --details --include-teams --format csv --output pam_detailed.csv

# Quick overview of all license consumption
keeper license-consumption-report --feature all
```

--------------------------------

### Common Field Formats in Commander

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Examples of how to format common data fields like dates, phone numbers, names, addresses, and security questions for use with Commander.
```bash
# Unix timestamp
date=1668639533
# ISO format
date="2022-11-16T10:58:53Z"
# Simple date
date="2022-11-16"
```

```bash
phone.Work='$JSON:{"region": "US", "number": "(555) 555-1234", "ext": "123", "type": "Work"}'
phone.Mobile='$JSON:{"number": "(555) 555-1234", "type": "Mobile"}'
```

```bash
name='$JSON:{"first": "John", "middle": "Michael", "last": "Doe"}'
name='$JSON:{"first": "Jane", "last": "Smith"}'
```

```bash
address='$JSON:{"street1": "123 Main St", "street2": "Apt 4B", "city": "New York", "state": "NY", "zip": "10001", "country": "USA"}'
```

```bash
# A literal apostrophe inside a single-quoted value is written as '\''
securityQuestion.Mother='$JSON:[{"question": "What is your mother'\''s maiden name?", "answer": "Smith"}]'
securityQuestion.Pet='$JSON:[{"question": "What was your first pet'\''s name?", "answer": "Fluffy"}]'
```

--------------------------------

### Create Temporary Password Record

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Example of creating a self-destructing login record that expires in 1 hour. This is useful for temporary access credentials.

```bash
record-add -t "Temporary Server Access" -rt login \
  login=admin \
  password='$GEN:rand,16' \
  url=https://server.company.com \
  --self-destruct 1h \
  --notes "Emergency access for John Doe"
```

--------------------------------

### Example Workflow for Self-Destructing Records

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

A complete workflow demonstrating the creation of a self-destructing record and secure sharing of its URL. This illustrates the end-to-end process for sensitive data handoffs.

```bash
# 1. Create self-destructing record
URL=$(record-add -t "Emergency DB Access" -rt databaseCredentials \
  host='$JSON:{"hostName": "db.company.com", "port": "5432"}' \
  login=emergency_user \
  password='$GEN:rand,20' \
  text.database="production" \
  --self-destruct 4h \
  --notes "Emergency access for incident response - $(date)")

# 2. Share URL securely (example with secure messaging)
echo "Emergency database access: $URL" | secure-send user@company.com

# 3. Record will auto-delete 5 minutes after first access
```

--------------------------------

### Login to Keeper

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Initiates a Keeper shell session and logs in a user. Ensure you have KSM enabled for automated setup.

```bash
keeper shell
My Vault> login user@example.com
```

--------------------------------

### Start Keeper Commander

Source: https://github.com/keeper-security/commander/blob/master/README.md

Provides commands to launch the Keeper Commander application in different modes: general help, interactive shell, or a full terminal UI.

```bash
keeper help
```

```bash
keeper shell
```

```bash
keeper supershell
```

--------------------------------

### Initialize and Configure Service (Interactive)

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Use this command to interactively set up the service with customizable settings, including port, tunneling, security, and command access.

```bash
My Vault> service-create
```

--------------------------------

### Create Temporary File Share Record

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Example of creating a self-destructing file record that expires in 24 hours. Suitable for sharing sensitive documents that should auto-delete after viewing.

```bash
record-add -t "Confidential Document" -rt file \
  file='@/path/to/sensitive-doc.pdf' \
  --self-destruct 1d \
  --notes "Contract for review - auto-deletes after viewing"
```

--------------------------------

### Set up a shared project folder

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Commands to create a new folder, add a record to it, share the folder with a colleague, and verify the folder listing.
```bash
# 1. Create folder
nsf-mkdir "Client Projects" --color blue

# 2. Add a record
nsf-record-add -t "Client Portal" -rt login --folder "Client Projects" \
  login=admin@client.com password=Secret123 url=https://portal.client.com

# 3. Share the folder with a colleague
nsf-share-folder "Client Projects" -e colleague@company.com -r content-manager

# 4. Verify the listing
nsf-list --folders
```

--------------------------------

### Install Dependencies for macOS

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/biometric/README.md

Install required Python dependencies for biometric authentication on macOS, specifically `cbor2` and `pyobjc-framework-LocalAuthentication`, to resolve hardware detection issues.

```bash
pip install cbor2 pyobjc-framework-LocalAuthentication
```

--------------------------------

### Initial PAM Project Import

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Use this command to create a new PAM project from a JSON file. The `--dry-run` option allows testing the import without modifying the vault.

```bash
pam project import --name=project1 --filename=/path/to/import.json [--dry-run]
```

--------------------------------

### Create New PAM Configuration with Parameters

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam/README.md

Use this command to create a new PAM configuration. Specify the group, configuration name, type, and relevant record UIDs and types.

```shell
pam config new -g TCDth67bSkqp0Gu-6WlqYQ -cn "Prod AWS Rotation Creds" -ct "aws" -cp v165TFXM2WpNj5lwNn1SEg -cr B2VHZ16mGDWhNpqAPxChhA -cr UIs2POKxWX81PjtbZQ1mOg
```

--------------------------------

### KCM Import Max Instances Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Sets the gateway pool size. A value of 0 skips gateway creation.
```bash
--max-instances N → Set gateway pool size _(0 = skip, requires new gateway)_
```

--------------------------------

### Get Queue Status

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Retrieve the current status and statistics of the request queue.

````APIDOC
## GET /api/v2/queue/status

### Description
Provides information about the current state of the request queue, including size and active requests.

### Method
GET

### Endpoint
`/api/v2/queue/status`

### Response
#### Success Response
- **success** (boolean) - Indicates if the queue status retrieval was successful.
- **queue_size** (integer) - The number of requests currently waiting in the queue.
- **active_requests** (integer) - The number of requests currently being processed.
- **completed_requests** (integer) - The total number of requests that have been completed.
- **currently_processing** (string) - The request ID currently being processed.
- **worker_running** (boolean) - Indicates if the worker process is running.

#### Response Example
```json
{
  "success": true,
  "queue_size": 3,
  "active_requests": 5,
  "completed_requests": 12,
  "currently_processing": "550e8400-e29b-41d4-a716-446655440000",
  "worker_running": true
}
```
````

--------------------------------

### Get Request Result

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Retrieve the results of a completed asynchronous request using its request ID.

````APIDOC
## GET /api/v2/result/{request_id}

### Description
Retrieves the results of a completed asynchronous request.

### Method
GET

### Endpoint
`/api/v2/result/{request_id}`

### Parameters
#### Path Parameters
- **request_id** (string) - Required - The ID of the request whose results are to be retrieved.

### Response
#### Success Response
- **result** (string) - The output of the executed command.
- **status** (string) - The final status of the request (e.g., "success").

#### Response Example
```json
{
  "result": "...",
  "status": "success"
}
```
````

--------------------------------

### Get Queue Status

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Retrieve the current status of the request queue, including size and active requests.

```bash
# <port> and <api-key> are placeholders for your service port and API key
curl 'http://localhost:<port>/api/v2/queue/status' \
  --header 'api-key: <api-key>'
```

```json
{
  "success": true,
  "queue_size": 3,
  "active_requests": 5,
  "completed_requests": 12,
  "currently_processing": "550e8400-e29b-41d4-a716-446655440000",
  "worker_running": true
}
```

--------------------------------

### Import production secrets owned by the payments team

Source: https://github.com/keeper-security/commander/blob/master/docs/azure-secrets-import.md

Imports secrets that start with 'prod-' and have the tag 'Team=payments'.

```bash
azsi my-vault xAbCdEfGhIjK --name-starts-with prod- --tags Team=payments
```

--------------------------------

### Authenticate with a service account key file

Source: https://github.com/keeper-security/commander/blob/master/docs/gcp-secrets-import.md

Imports secrets by authenticating with a specific service account key file. Ensure the file path is correct.

```bash
gcsi xAbCdEfGhIjK \
  --project-id my-gcp-project \
  --service-account-file /path/to/service-account-key.json
```

--------------------------------

### Get Nested Share Record Details

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Show full details for a Nested Share Record or folder by UID or title. Use `--unmask` to reveal masked fields like passwords or secrets. Use `--verbose` to show the full per-permission flag breakdown for each accessor. Use `--format json` to get output in JSON format.
```bash
nsf-get rec123abc
```

```bash
nsf-get "Gmail Account" --unmask
```

```bash
nsf-get abc123folder --verbose
```

```bash
nsf-get rec123abc --format json
```

```bash
nsf-get rec123abc --format json --verbose
```

--------------------------------

### KCM Import Yes Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Skips the confirmation prompt before importing.

```bash
--yes, -y → Skip confirmation prompt.
```

--------------------------------

### List Shortcuts in JSON Format

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Lists shortcut information for records within a specific folder and formats the output as JSON.

```bash
nsf-shortcut list "Projects" --format json
```

--------------------------------

### Check Python Platform

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/importer/keepass/README.md

Identify the platform of your Python installation. This is crucial for selecting the appropriate lxml binary package.

```python
import distutils.util; print(distutils.util.get_platform())
```

--------------------------------

### All Features Overview Report

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/LICENSE_CONSUMPTION_REPORT.md

Generates a comprehensive overview of all features license consumption. This command provides a summary of license usage across all available features.

```bash
# All features overview
lcr --feature all
```

--------------------------------

### Get Asynchronous Command Result

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Fetch the result of a completed asynchronous command request using its request ID.
```bash
# <port>, <request_id> and <api-key> are placeholders for your own values
curl 'http://localhost:<port>/api/v2/result/<request_id>' \
  --header 'api-key: <api-key>'
```

```json
{
  "result": "...",
  "status": "success"
}
```

--------------------------------

### Import Secrets by Name Prefix

Source: https://github.com/keeper-security/commander/blob/master/docs/azure-secrets-import.md

Use the --name-starts-with flag to import all secrets whose names begin with a specified prefix.

```bash
# All secrets whose name starts with "prod-"
azsi my-vault xAbCdEfGhIjK --name-starts-with prod-
```

--------------------------------

### KCM Import List Groups Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Lists available KCM connection groups with resource and user counts, then exits.

```bash
--list-groups → List available KCM connection groups with resource/user counts, then exit.
```

--------------------------------

### Get Metadata for Multiple Records

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Retrieves metadata for multiple records simultaneously. Provide all record UIDs or titles as parameters.

```bash
nsf-record-details rec123abc rec456def rec789ghi
```

--------------------------------

### QRC Implementation Structure

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/qrc/README.md

Outlines the directory structure and external dependencies for the QRC implementation within Keeper Commander.

```text
qrc/
├── qrc_crypto.py    # Hybrid encryption: ECDH + ML-KEM + HKDF
└── README.md        # This file

External dependency:
└── keeper-mlkem     # ML-KEM-1024 implementation (PyPI package)
```

--------------------------------

### KCM Import Config Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Specifies an existing PAM configuration to extend, skipping project creation.

```bash
--config, -c → Existing PAM config UID or name to extend (skip project creation).
```

--------------------------------

### Create Temporary Contact Record

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Example of creating a self-destructing contact record that expires in 2 hours. Useful for time-sensitive contact information.

```bash
record-add -t "Emergency Contact" -rt contact \
  name='$JSON:{"first": "Emergency", "last": "Contact"}' \
  phone.Mobile='$JSON:{"number": "(555) 911-0000", "type": "Emergency"}' \
  --self-destruct 2h
```

--------------------------------

### Individual Feature Type Reports

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/LICENSE_CONSUMPTION_REPORT.md

Examples of generating reports for individual feature types like Secrets Manager, Connection Manager, and BreachWatch.

```bash
keeper license-consumption-report --feature secrets-manager
keeper license-consumption-report --feature connection-manager
keeper license-consumption-report --feature breachwatch
```

--------------------------------

### General Import JSON Format

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Shows the global JSON structure for PAM import. The command-line option --name overrides the 'project' key. Sub-sections are explained separately.

```json
{
  "project": "Project1",
  "shared_folder_users": {},
  "shared_folder_resources": {},
  "pam_configuration": {},
  "pam_data": {
    "resources": [
      {"type": "pamDatabase"},
      {"type": "pamDirectory"},
      {"type": "pamMachine"},
      {"type": "pamRemoteBrowser"}
    ],
    "users": [
      {"type": "pamUser"},
      {"type": "login"}
    ]
  }
}
```

--------------------------------

### Import Secrets by Name Prefix

Source: https://github.com/keeper-security/commander/blob/master/docs/azure-secrets-import.md

Use the `--name-starts-with` flag to import secrets whose names begin with a specified prefix.
```bash
--name-starts-with PREFIX
```

--------------------------------

### Get Metadata for a Single Record

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Retrieves metadata (title, type, version, revision) for a single record. Specify the record UID as a parameter.

```bash
nsf-record-details rec123abc
```

--------------------------------

### Update Password and URL

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Example of updating a record's password using a generated random string and its URL. Ensure the record identifier is correct.

```bash
record-update -r "Gmail Account" \
  password='$GEN:rand,20' \
  url=https://accounts.google.com/new-login
```

--------------------------------

### Dry-run complex filter before committing

Source: https://github.com/keeper-security/commander/blob/master/docs/azure-secrets-import.md

Performs a dry run with multiple filters: secrets starting with 'prod-', ending with '-creds', and tagged with 'Env=prod,Owner=platform'.

```bash
azsi my-vault xAbCdEfGhIjK \
  --name-starts-with prod- \
  --name-ends-with -creds \
  --tags Env=prod,Owner=platform \
  --dry-run
```

--------------------------------

### Preview and Execute KCM Cleanup

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/KCM_IMPORT.md

Use these commands to preview or perform a cleanup of resources created by a KCM import. The `--dry-run` flag shows what would be deleted without making changes, while `--yes` executes the deletion. You can reference the import by name or by its PAM config UID.
```bash
# Preview what would be deleted
My Vault> pam project kcm-cleanup --name "KCM Migration" --dry-run
```

```bash
# Delete everything from the import
My Vault> pam project kcm-cleanup --name "KCM Migration" --yes
```

```bash
# Or reference by PAM config UID
My Vault> pam project kcm-cleanup --config VxANFEPLi8E9gdtlDmfBvw --yes
```

--------------------------------

### Get Record Metadata in JSON Format

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Retrieves metadata for a record and formats the output as JSON. Use the --format json switch for machine-readable output.

```bash
nsf-record-details rec123abc --format json
```

--------------------------------

### Add Additional Service Configuration

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Execute this command to add new API configurations and command access settings to the running service.

```bash
My Vault> service-config-add
```

--------------------------------

### Preview KCM Import with Docker Auto-Detect

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/KCM_IMPORT.md

Use `--docker-detect` and `--dry-run` to preview the import process without making any changes to your vault. This is useful for understanding what data will be migrated.

```bash
My Vault> pam project kcm-import --docker-detect --dry-run
```

--------------------------------

### Verify Biometric Authentication

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/biometric/README.md

Test your registered biometric authentication method without actually logging into Keeper Commander. This is useful for confirming that the biometric setup is working correctly.

```bash
biometric verify
```

--------------------------------

### KCM Import SSL Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Enforces SSL/TLS for the database connection.

```bash
--db-ssl
```

--------------------------------

### Full Auto-Detect from Docker

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Automatically detects container, database type, IP, and credentials from a Docker environment. Use --dry-run to preview without making changes.

```bash
# Full auto-detect from Docker (discovers container, db type, IP, credentials)
pam project kcm-import --docker-detect --dry-run
```

--------------------------------

### Dry Run KCM Import with Credentials Included in JSON

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/KCM_IMPORT.md

Preview the KCM import and include credentials in the JSON output using `--include-credentials`. Credentials are redacted by default in the output.

```bash
# Include credentials in the JSON (redacted by default)
My Vault> pam project kcm-import --docker-detect \
  --output ~/kcm-full.json \
  --include-credentials
```

--------------------------------

### List Available Connection Groups

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Lists all available connection groups within the Docker environment before performing an import. This helps in planning which groups to include or exclude.

```bash
# List available connection groups before importing
pam project kcm-import --docker-detect --list-groups
```

--------------------------------

### List All Shortcut Records

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Lists all records that are linked to more than one folder. By default, output is in table format.

```bash
nsf-shortcut list
```

--------------------------------

### Get Record Type Information

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Use `record-type-info` to view available record types or fields for a specific type. This helps in understanding the structure and available fields for your records.

```bash
record-type-info
```

```bash
record-type-info --list-record login
```

```bash
record-type-info --list-field phone
```

--------------------------------

### Configure Service Streamlined with Ngrok

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Streamline service configuration with Ngrok for public URL access, specifying port, file format, allowed commands, Ngrok token, custom domain, run mode, request queue, and IP access lists.

```bash
My Vault> service-create -p -f -c 'tree,record-add,audit-report' -ng -cd -rm -q -aip -dip
```

--------------------------------

### Import Production Secrets Owned by Payments Team

Source: https://github.com/keeper-security/commander/blob/master/docs/aws-secrets-import.md

Imports secrets that start with 'prod/' and are tagged with 'Team=payments'. This allows for targeted imports based on naming conventions and ownership.

```bash
amsi xAbCdEfGhIjK --name-starts-with prod/ --tags Team=payments
```

--------------------------------

### Configure Service Streamlined with TLS

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Streamline service configuration with TLS enabled, specifying port, file format, allowed commands, run mode, request queue, certificate paths, and IP access lists.

```bash
My Vault> service-create -p -f -c 'tree,ls,search,record-add,mkdir' -rm -q -crtf -crtp -aip -dip
```

--------------------------------

### Import production secrets owned by the payments team

Source: https://github.com/keeper-security/commander/blob/master/docs/gcp-secrets-import.md

Imports secrets that start with 'prod-' and have the tag 'team=payments'. This allows for targeted imports based on naming conventions and team ownership.

```bash
gcsi xAbCdEfGhIjK --project-id my-gcp-project \
  --name-starts-with prod- --tags team=payments
```

--------------------------------

### Basic Login Record - Multi Line

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Adds a login record using multiple lines for readability. Ensure no spaces follow the backslash continuation character.

```bash
record-add -t "Gmail Account" -rt login \
  login=john.doe@gmail.com \
  password=SecurePass123 \
  url=https://accounts.google.com
```

--------------------------------

### KEY=VALUE Lines Secret String

Source: https://github.com/keeper-security/commander/blob/master/docs/aws-secrets-import.md

If the secret string is not JSON, it's parsed as newline-separated KEY=VALUE pairs, similar to .env files. Lines starting with '#' and blank lines are ignored.

```shell
# Database credentials
username=admin
password=s3cur3P@ss!
host=db.internal.example.com
```

--------------------------------

### Extend Existing PAM Configuration

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Add new PAM resources and users to an existing configuration using a JSON import file. It validates existing items and creates only new ones. Use `--dry-run` for preview.

```bash
pam project extend --config= --filename=/path/to/import.json [--dry-run]
```

--------------------------------

### Update Title and Add Custom Fields

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Example of updating a record's title and adding custom text fields for environment and last updated information. Custom fields are prefixed with `c.`.

```bash
record-update -r "Old Server Name" \
  --title "Production Web Server" \
  c.text.Environment="Production" \
  c.text.Last_Updated="2024-01-15"
```

--------------------------------

### KCM Import Project Name Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Sets the name for the imported PAM project.

```bash
--name, -n → Project name _(default: KCM-Import-TIMESTAMP)_
```

--------------------------------

### Estimate KCM Import Size

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/KCM_IMPORT.md

Get an estimate of the number of records that would be created during a KCM import without connecting to the Keeper vault. Use `--estimate` for a quick size check.

```bash
My Vault> pam project kcm-import --docker-detect --estimate
```

--------------------------------

### KCM Import Dry Run Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Previews the import without modifying the vault. Credentials will be redacted.

```bash
--dry-run, -d → Preview without vault changes (credentials redacted).
```

--------------------------------

### Dry-run complex filter before committing

Source: https://github.com/keeper-security/commander/blob/master/docs/gcp-secrets-import.md

Performs a dry run with multiple filters: secrets starting with 'prod-', ending with '-creds', and tagged with 'env=prod,owner=platform'. This helps validate complex import criteria.

```bash
gcsi xAbCdEfGhIjK --project-id my-gcp-project \
  --name-starts-with prod- \
  --name-ends-with -creds \
  --tags env=prod,owner=platform \
  --dry-run
```

--------------------------------

### Execute Command Asynchronously via API

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/service/README.md

Send a command to the Keeper Commander service for asynchronous execution using the executecommand-async API endpoint. Includes examples for a standard command and a command with dry-run validation.

```bash
curl -X POST 'http://localhost:/api/v2/executecommand-async' \
  --header 'Content-Type: application/json' \
  --header 'api-key: ' \
  --data '{
    "command": "credential-provision --config-base64 dXNlcjoKICBmaXJzdF9uYW1lOiAiSm9obiIK..."
  }'
```

```bash
curl -X POST 'http://localhost:/api/v2/executecommand-async' \
  --header 'Content-Type: application/json' \
  --header 'api-key: ' \
  --data '{
    "command": "credential-provision --config-base64 dXNlcjoKICBmaXJzdF9uYW1lOiAiSm9obiIK... --dry-run --output json"
  }'
```

--------------------------------

### PAM License Consumption Report - Detailed

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/LICENSE_CONSUMPTION_REPORT.md

Displays detailed PAM license consumption per user, including roles and features. Use the --details flag to omit redundant count columns.

```text
PAM License Consumption Report - 15 Users Found
Username Display Name Node Status Direct Roles Team Roles PAM Features
john.doe@company.com John Doe Engineering Active PAM Admin IT Team -> PAM User PAM Gateway, Configure RBI
jane.smith@company.com Jane Smith IT Active DevOps -> PAM Role Launch PAM Tunnels
```

--------------------------------

### Dry-run Complex Filter for Production Secrets

Source: https://github.com/keeper-security/commander/blob/master/docs/aws-secrets-import.md

Performs a dry run with multiple filters: secrets starting with 'prod/', ending with '/creds', and tagged with 'Env=prod' and 'Owner=platform'. This helps validate complex import criteria before execution.

```bash
amsi xAbCdEfGhIjK \
  --name-starts-with prod/ \
  --name-ends-with /creds \
  --tags Env=prod,Owner=platform \
  --dry-run
```

--------------------------------

### Create a Nested Share Folder

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Use `nsf-mkdir` to create a new folder. You can specify a color and control permission inheritance. Folder names can include escaped slashes using `//`.

```bash
nsf-mkdir "My Projects"
```

```bash
nsf-mkdir "Sensitive" --color red --no-inherit
```

```bash
nsf-mkdir "Reports//2026"
```

--------------------------------

### KCM Import Database Name Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Sets the name of the KCM database.

```bash
--db-name NAME
```

--------------------------------

### Extend Existing PAM Configuration

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Extends an existing PAM configuration by importing data from a specified database host and type. Requires the database host and type to be provided.

```bash
# Extend existing PAM config from PostgreSQL
pam project kcm-import --db-host pg.example.com --db-type postgresql --config "Existing Config"
```

--------------------------------

### Login Record with Custom Fields

Source: https://github.com/keeper-security/commander/blob/master/RECORD_ADD_DOCUMENTATION.md

Demonstrates adding custom text fields to a login record using the 'c.' prefix for custom fields.

```bash
record-add -t "Work VPN" -rt login \
  login=john.doe \
  password=VpnPass123 \
  url=https://vpn.company.com \
  c.text.Department="IT Security" \
  c.text.Employee_ID="EMP001"
```

--------------------------------

### KCM Import Database Host Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Specifies the hostname for connecting to the KCM database.

```bash
--db-host HOST
```

--------------------------------

### Add a Record from a File

Source: https://github.com/keeper-security/commander/blob/master/record_types.md

Create a new record by specifying a JSON file containing the record's data using the `--from-file` option with the `add` command.

```bash
add --from-file MyLogin.json
```

--------------------------------

### Import Secrets by Name Prefix

Source: https://github.com/keeper-security/commander/blob/master/docs/gcp-secrets-import.md

Use the `--name-starts-with` flag to import all secrets whose names begin with a specified prefix. This is helpful for batch importing secrets related to a specific application or environment.

```bash
gcsi xAbCdEfGhIjK --project-id my-project --name-starts-with prod-
```

--------------------------------

### JSON Rendering with Syntax Highlighting

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/supershell/README.md

Shows how to use the JsonRenderer for syntax highlighting JSON data, with options for password masking.

```python
# JSON rendering with syntax highlighting
renderer = JsonRenderer(theme_colors, unmask_secrets=False)
renderer.render_lines(json_obj, on_line_callback)

# Field formatting helpers
format_password_line("Password", "******", theme_colors)
format_totp_display("123456", 25, theme_colors)
```

--------------------------------

### All Features License Consumption Report - Detailed

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/LICENSE_CONSUMPTION_REPORT.md

Displays a detailed breakdown of all features license consumption, including specific feature names. Use the --details flag to omit redundant count columns.

```text
All Features License Consumption Report - 15 Users Found
Username Display Name Node Status Direct Roles Pam Features Secrets Manager Features Total Features
john.doe@company.com John Doe Engineering Active PAM Admin PAM Gateway, Configure RBI, ... Secrets Manager 12
jane.smith@company.com Jane Smith IT Active DevOps Secrets Manager 2
```

--------------------------------

### KCM Import Allow Cleartext Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Allows an unencrypted connection to a remote database. Use with caution.

```bash
--allow-cleartext
```

--------------------------------

### Generate Python File with Protoc

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/proto/README.md

Use the protoc command to generate Python protobuf files. Ensure you are in the directory containing the .proto files, as they may include other .proto files. The output file will be created in the specified directory.

```shell
/path/to/protoc-3.19.4-osx-x86_64/bin/protoc --python_out=.. FOO.proto
```

--------------------------------

### KCM Import Output Option

Source: https://github.com/keeper-security/commander/blob/master/keepercommander/commands/pam_import/README.md

Saves the import JSON to a file for review before importing.

```bash
--output, -o → Save JSON to file for review before importing.
```

--------------------------------

### Preview Permission Changes

Source: https://github.com/keeper-security/commander/blob/master/NESTED_SHARE_FOLDER_COMMANDS.md

Simulates permission changes for a record without applying them. Use --dry-run to review the intended modifications before execution.

```bash
nsf-share-record rec123abc -e user@example.com -r full-manager --dry-run
```
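
The JSON-or-KEY=VALUE rule from the "KEY=VALUE Lines Secret String" entry above, as an added example that is not Commander's own parser. The names `parse_secret_string` and `redact` are hypothetical, and splitting on the first `=`, trimming whitespace around each line, and reporting lines that have no `=` are assumptions the page does not state.

```python
import json

# Constructed sample input, modelled on the KEY=VALUE snippet on this page.
SAMPLE_ENV = """\
# Database credentials
username=admin

password=s3cur3P@ss!
token=YWJjZA==
this line has no separator
"""


def parse_secret_string(secret):
    """Return (fields, unparsed_line_numbers) for a secret string.

    A top-level JSON object supplies the fields directly; anything else is
    read as newline-separated KEY=VALUE pairs, skipping blank lines and
    lines that start with '#'.
    """
    try:
        doc = json.loads(secret)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        # Assumption: non-string JSON values are kept as their JSON text.
        return {str(k): v if isinstance(v, str) else json.dumps(v)
                for k, v in doc.items()}, []

    fields, unparsed = {}, []
    for number, raw in enumerate(secret.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: split on the first '=' only, so values that contain
        # '=' (base64 padding, connection strings) survive intact.
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            # Report the line number instead of dropping content silently.
            unparsed.append(number)
            continue
        fields[key] = value
    return fields, unparsed


def redact(fields):
    """Mask every value for preview output, keeping only the field names."""
    return {key: "********" for key in fields}
```

A non-empty second return value means part of the secret did not fit either format, which is worth checking in a dry run before the import is committed.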