Identity-based attacks that rely on stolen and weak credentials remain the leading cause of data breaches. Organizations face a dual challenge: empowering employees to manage passwords securely while giving IT and security teams the visibility and control they need to enforce policy and respond to threats. Keeper Security addresses both challenges with a unified, zero-trust platform that scales from individual users to the most complex enterprise environments.

This article provides an overview of Keeper's core capabilities, from everyday password management to privileged access and quantum-resistant encryption, to help you understand what Keeper is, how it works, and why it matters.

The Keeper Vault

At the heart of the Keeper platform is the Keeper Vault, an encrypted, cloud-based repository where users store passwords, files, sensitive records, and more. The vault is accessible from virtually anywhere with no compromises on security.

Users can access the vault through two primary interfaces:

  • Desktop App: The desktop application is the primary interface for day-to-day vault management. Users can organize credentials into folders and subfolders, create and edit records, manage sharing permissions, configure security settings, and access the full suite of Keeper features. It runs natively on Windows, macOS, and Linux, providing fast, offline-capable access without relying on a browser.
  • Web Vault: The web vault delivers the same full-featured experience through any modern browser with no installation required. It is particularly useful for accessing credentials from a managed corporate workstation, a shared device, or any environment where installing software is not practical. Administrators also use the web vault as the primary interface for managing users, enforcing role-based access policies, and reviewing audit logs across the organization.

The vault goes far beyond simple password storage. Record types give organizations the flexibility to store structured data for virtually any use case, including:

  • Login credentials and passwords
  • Payment cards and financial information
  • SSH keys and database credentials
  • API tokens and secrets
  • Identity documents and medical records
  • Custom record types defined by the organization

A built-in Password Generator helps users create strong, unique passwords on demand, with configurable rules for length, complexity, and character sets. This eliminates the temptation to reuse or simplify credentials.

 

Diagram showing six types of data secured in the Keeper Vault: Login Credentials, Payment Information (credit card numbers and financial details), SSH Keys, API Tokens, and Custom Records.

Zero Knowledge Architecture and Quantum-Resistant Encryption

Keeper's security is built on two foundational principles: Zero Knowledge Architecture and a layered cryptographic model using industry-proven standards.

Zero Knowledge means that Keeper as a company never has access to a customer's vault data. All encryption and decryption happens locally on the user's device. The cryptographic stack includes:

  • AES-256: Encrypts vault records at rest. AES-256 is one of the strongest symmetric encryption standards available and is the same algorithm used by governments and financial institutions worldwide.
  • PBKDF2: Password-Based Key Derivation Function 2 derives the encryption key from the user's master password. PBKDF2 applies a high iteration count and a unique per-user salt, making the key derivation process intentionally slow and computationally expensive. This makes brute-force and dictionary attacks against a stolen key infeasible at any practical scale.
  • Elliptic Curve Cryptography (ECC): Used for key exchange and secure sharing operations, such as sharing records between users or provisioning access to new vault members. ECC provides strong asymmetric encryption with significantly smaller key sizes compared to RSA, making it both highly secure and efficient for real-time, multi-party key operations.
  • Quantum-Resistant Encryption: Post-quantum cryptographic algorithms aligned with NIST's post-quantum standardization process. This protects against future quantum computing threats that could break current asymmetric cryptography. Data encrypted today remains secure against tomorrow's quantum-based attacks.

What is stored in Keeper's cloud is ciphertext, encrypted data that is mathematically meaningless without the user's master key. That key never leaves the user's control. Even in the event of a breach of Keeper's infrastructure, customer vault data remains protected.

Comparison table of four encryption standards: AES-256, PBKDF2, ECC, and Quantum-Resistant Encryption.

KeeperFill and Password Sharing

Security tools only work if people actually use them. Keeper is built with adoption in mind, providing tools that make secure behavior the path of least resistance.

  • KeeperFill: KeeperFill automatically detects login forms in the browser and fills credentials. It works across all major browsers and supports web apps, internal portals, and consumer sites alike. KeeperFill also prompts users to save new credentials as they create accounts, keeping the vault current without requiring manual effort.
  • Password Share: Password Share allows users to securely share individual records or entire folders with colleagues, with granular permission controls that specify whether recipients can view, edit, or re-share the credential. Sharing is encrypted end-to-end so credentials are never transmitted in plaintext. Time-limited sharing and one-time sharing options give teams flexibility without sacrificing control.
  • File Storage: Encrypted file and document storage enables users to attach sensitive files such as contracts, certificates, and security keys directly to records. All stored files benefit from the same zero-knowledge encryption as every other item in the vault.

KeeperPAM

For organizations managing servers, databases, cloud infrastructure, and other high-value assets, KeeperPAM extends the Keeper platform into full-featured Privileged Access Management (PAM) territory.

Key capabilities include:

  • Privileged session management records and monitors access to privileged systems such as servers, databases, cloud-based applications, and more. Each recording is secured in the vault and encrypted.
  • Remote browser isolation (RBI) allows users to access highly sensitive web-based applications through an isolated environment.
  • Point-to-point tunneling enables secure, encrypted connections directly between a user and a target system without exposing that system to the broader network, keeping lateral movement risk low even in complex environments.
  • Just-in-time access to privileged systems with session recording, connection brokering, and credential rotation.
  • Password rotation automatically cycles credentials on a defined schedule or after each use, ensuring that privileged passwords are never static and reducing the window of exposure if a credential is ever compromised.
  • Granular access policies and least-privilege enforcement with a complete audit trail of every privileged session.
  • Integration with existing IT workflows and ITSM platforms for access requests, approvals, and provisioning.
  • No agent or client required on target systems. KeeperPAM uses an agentless architecture to broker connections, dramatically reducing deployment complexity and lowering overhead on managed endpoints.

Table of eight Privileged Access Management features: Privileged Session Management, Remote Browser Isolation (RBI), Point-to-Point Tunneling, Just-in-Time Access, Password Rotation, Granular Access Policies, Integration with IT Workflows, and Agentless Architecture.

Keeper Gateway

A key component of the KeeperPAM architecture is the Keeper Gateway, a lightweight service deployed within the customer's environment that acts as the secure bridge between internal systems and the Keeper cloud. The Gateway communicates with the Keeper Router, a cloud-side relay service that facilitates encrypted communication between the Keeper backend API and end-user applications. This router-based model means that neither the Gateway nor any target system needs to expose inbound ports or firewall rules to the internet. All traffic is initiated outbound from the customer environment, dramatically reducing the network attack surface.

The combination of the Gateway, Router, and agentless design gives security teams centralized control without the operational burden of deploying and maintaining endpoint software across every managed resource.

IdP Integration

Keeper integrates natively with leading Identity Providers (IdPs), allowing users to authenticate with the same corporate credentials they use across the rest of the business. Supported providers include:

  • Microsoft Entra ID (Azure AD)
  • Okta
  • Google Workspace
  • Ping Identity
  • Other SAML 2.0-compatible identity providers

These integrations also support automated user provisioning and deprovisioning via SCIM (System for Cross-domain Identity Management). When an employee joins or leaves the organization, their Keeper access is automatically aligned with HR and directory data. This reduces the risk of orphaned accounts and helps organizations maintain least-privilege access at scale.

Table showing Keeper Security's integration with five identity providers: Microsoft Entra ID (Azure AD), Okta, Google Workspace, and Ping Identity — all with Native integration; and Other SAML 2.0-compatible providers via SAML 2.0 integration.

BreachWatch: Proactive Credential Monitoring

BreachWatch continuously monitors passwords stored in the vault against databases of compromised credentials from known breaches, without ever exposing the actual passwords to Keeper or third-party services.

Key capabilities include:

  • Privacy-preserving protocol ensures actual credential values are never transmitted during scanning
  • Alerts users when their credentials appear in dark web data dumps or breach databases, prompting immediate remediation
  • Organization-wide dashboard for security teams to identify users with compromised credentials and prioritize remediation at scale

Reporting, Alerts, and Compliance

Keeper's reporting and alerting capabilities give security and compliance teams the visibility they need. Detailed event logs capture every vault action and provide a comprehensive audit trail.

Logged events include:

  • Logins and failed authentication attempts
  • Record access and modification
  • Sharing events and permission changes
  • Policy changes and administrative actions

Customizable alerts notify administrators of suspicious activity in real time, including repeated failed logins, access from unusual locations, and changes to privileged credentials.

Pre-built and customizable compliance reports map vault activity to common regulatory frameworks, including:

  • SOC 2
  • HIPAA
  • PCI-DSS

These reports streamline audit preparation and help organizations demonstrate due diligence to regulators and auditors.

Summary of Capabilities

Keeper Security is a zero-knowledge, cloud-based security platform designed to protect credentials, passkeys, secrets, files, privileged accounts, and remote access workflows. At its core, Keeper uses client-side encryption so vault data is encrypted and decrypted locally on the user's device before it is stored or synchronized through Keeper's cloud services. This architecture helps ensure that sensitive vault contents remain unreadable to Keeper, cloud administrators, and unauthorized third parties.

The platform supports enterprise password management through encrypted vaults, structured record types, password generation, secure record and folder sharing, encrypted file storage, and much more. These capabilities help standardize how users manage sensitive information while reducing common risks such as password reuse and weak credentials. From a technical perspective, Keeper is beneficial because it centralizes credential and access management while preserving separation between encrypted customer data and cloud infrastructure.

Diagram of six Keeper Security features: Vault Security, Identity Provider Integration, Risk Monitoring, Credential Management, Privileged Access Management, and Administrative Visibility.
