Keeper Enterprise Features
In this article
- Keeper Enterprise: Features, Architecture, and How It All Fits Together
- The Foundation: Zero-Trust and Zero-Knowledge
- Role-Based Access Control and Administrative Policy
- Identity Provider Integration and User Provisioning
- KeeperPAM: Privileged Access Management
- Secrets Management
- Security Audit, Compliance Reporting, and BreachWatch
- Putting It Together
Keeper Enterprise: Features, Architecture, and How It All Fits Together
Most security breaches don't start with some sophisticated, movie-style hack. They start with a stolen password or an overprivileged account that nobody got around to reviewing. As organizations grow, adding employees and systems, their risk surface grows with them.
Enterprise security teams are managing all of that across hybrid environments, where critical infrastructure might live in the cloud, on-premises, or both. The easy part is locking things down, but the challenge is doing it in a way that's actually usable, auditable, and scalable.
That's the problem Keeper is designed to address. This article walks through how Keeper approaches enterprise security, the architectural decisions behind it, the core features it provides, and how it integrates with the broader security ecosystem.
The Foundation: Zero-Trust and Zero-Knowledge
Before getting into specific features, it's worth understanding the two architectural principles that shape how Keeper works.
Zero-trust is a security model built on the idea that no user, device, or system should be inherently trusted, even if they're inside the corporate network. Access is granted based on verified identity, the principle of least privilege, and continuous policy enforcement. In practice, this means every access request is evaluated against a defined set of rules, and permissions are scoped as narrowly as possible, so users have access only to the minimum functions needed to do their job.
Zero-knowledge takes a different angle. It refers to how Keeper handles data encryption. All encryption and decryption happens on the user's device, using keys derived from the user's master password. Keeper's servers store only encrypted ciphertext. That means even Keeper, as a company, cannot read or access a customer's vault data. If there were ever a breach of Keeper's infrastructure, the encrypted data would be useless without the keys that only the end user holds.
Encryption
The encryption architecture behind this is layered by design. Each vault record is encrypted with its own unique 256-bit AES key in Galois/Counter (GCM) mode, generated client-side. If a record lives inside a shared folder, that record key is wrapped by a 256-bit AES shared folder key. From there, the keys are protected differently depending on how the user authenticates.
For users logging in with a Master Password, the keys used to encrypt and decrypt data are derived directly from that password. For users authenticating through SSO or passwordless technology, Elliptic Curve cryptography handles encryption and decryption at the device level. Vault users have their Record and Folder keys encrypted with an AES-256 Data Key, while Secrets Manager users use a 256-bit AES Application Key instead. The result is that the appropriate cryptographic layer is applied based on how each user or system accesses Keeper.
Sharing between users is handled using Elliptic Curve cryptography for secure key distribution, meaning the underlying keys are exchanged safely without ever being exposed in transit. All encrypted payloads sent to Keeper's servers are also wrapped by an additional 256-bit AES transmission key on top of TLS, providing protection against man-in-the-middle attacks. That transmission key is generated on the client and transferred to the server using ECIES encryption via the server's public EC key.
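The record-key, shared-folder-key and Data Key layering described above, as an added example in Go that is not Keeper's own code: a 32-byte dataKey stands for the AES-256 Data Key however the client obtained it (Master Password derivation or the EC path for SSO users), the folder and record keys are generated client-side, and only ciphertext is handed back for storage. The 12-byte nonce prefix, the AES-GCM wrapping of keys and the chain ordering are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// gcm builds AES-256-GCM; every key in this file is 32 bytes, so failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
// seal prepends a fresh 12-byte nonce; open rejects truncated or tampered input
// and any key that belongs to a different layer.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// Wrap runs entirely client-side and returns what the server would store, outermost
// first: folder key wrapped by the Data Key, record key wrapped by the folder key,
// then the record sealed under its own key. No key ever leaves the device in clear.
func Wrap(dataKey, record []byte) [][]byte {
	folderKey, recordKey := randBytes(32), randBytes(32)
	return [][]byte{seal(dataKey, folderKey), seal(folderKey, recordKey), seal(recordKey, record)}
}

// Unwrap peels the chain with the Data Key; a wrong key fails at the first layer.
func Unwrap(dataKey []byte, chain [][]byte) ([]byte, error) {
	cur, err := dataKey, error(nil)
	for _, layer := range chain {
		if cur, err = open(cur, layer); err != nil {
			return nil, err
		}
	}
	return cur, nil
}
```

Note that a server holding the chain can tamper with or drop layers but cannot read any of them, which is the zero-knowledge property the section describes.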
Quantum-Resistant Cryptography (QRC)
Looking ahead, Keeper began rolling out Quantum-Resistant Cryptography (QRC) as an additional encryption wrapper on the transmission key. This positions Keeper ahead of the curve as quantum computing continues to mature and the threat landscape around classical encryption evolves.
Role-Based Access Control and Administrative Policy
Understanding what data is encrypted is one thing. Understanding who can access what, and under what conditions, is another. Keeper's role-based access control (RBAC) system is where those decisions get made.
Nodes
Administrators configure roles and enforce policies at an organizational level. Keeper structures organizations using Nodes, which function like organizational units. A Node can represent a department, a geographic location, a business unit, or any other logical grouping that makes sense for the organization. Each Node can have its own policies, administrators, and user memberships, which means access rules can be tailored to different parts of the organization without forcing a single global policy onto everyone.
Enforcement Policy
Within those roles, administrators have granular control over a wide range of behaviors. Password complexity requirements can be enforced so that any credential stored in Keeper meets a defined standard. Multi-factor authentication can be required for vault access. Offline access can be permitted or restricted depending on the sensitivity of what a given role can see. IP allowlisting gives administrators the ability to restrict vault access to known network ranges, and sharing and data export restrictions can be applied to prevent sensitive records from leaving the organization's control.
Vault Transfer
One area that often gets overlooked until it becomes urgent is employee offboarding. Keeper includes a Vault Transfer feature that allows administrators to securely transfer vault contents when an employee leaves, or in break-glass scenarios where access to a critical account is needed and the original owner is unavailable. This is the kind of capability that doesn't get used every day, but when it's needed, it needs to work reliably.
Identity Provider Integration and User Provisioning
Most enterprise organizations already have an identity provider managing their user directory and authentication. Keeper is designed to connect with that existing infrastructure rather than replace it.
Keeper supports Single Sign-On (SSO) integration through standard protocols, allowing users to authenticate to their vault using the same corporate credentials they use for everything else. This reduces friction for end users, which has a real productivity benefit. Users can also reset their own passwords, which can relieve the IT team of password-reset tickets.
On the provisioning side, Keeper supports SCIM for automated user lifecycle management. When a new employee is created in an identity provider like Okta or Azure AD, they can be automatically provisioned in Keeper and placed into the appropriate Node and role. When they leave, that access is revoked automatically.
KeeperPAM: Privileged Access Management
Privileged access management addresses the accounts and credentials that carry the most risk. This includes administrator accounts, service accounts, root access to servers, and database credentials. These are the accounts where a compromise can escalate quickly, and they therefore require an extra layer of protection. KeeperPAM consolidates several capabilities that traditionally required separate tools.
- Connection management gives authorized users brokered access to remote systems such as servers and databases, without ever exposing the underlying credential to the user.
- Privileged session management records and monitors those sessions, capturing every action for security review and compliance purposes.
- Remote browser isolation (RBI) lets users interact with sensitive web-based applications through an isolated environment, limiting the risk of common web-based attacks.
- End-to-end encrypted tunnels to target environments eliminate the need for a virtual private network (VPN).
- Multi-protocol support covers SSH, RDP, VNC, HTTPS and more.
- Just-In-Time (JIT) access provides ephemeral account provisioning or temporary elevated account access.
- Credential rotation, scheduled or triggered on demand, prevents passwords from becoming stale.
- Zero-trust network access enforces which systems a user can reach at all, based on identity and policy rather than network location.
The value of consolidating these capabilities into one platform is significant from an administrative standpoint. Managing separate tools for each of these functions means separate policies, separate audit logs, and separate integrations. KeeperPAM brings that into a single pane of glass.
Secrets Management
In DevOps and modern IT operations, secrets are a persistent problem. API keys, database connection strings, certificates, and service account credentials have a way of ending up hardcoded in configuration files or committed to source repositories, often by accident. Once a secret is in a code repository, it can be difficult to fully remediate.
Keeper Secrets Manager provides a programmatic way to store and retrieve those secrets without hardcoding them anywhere. Development teams and automated pipelines pull secrets at runtime from the Keeper vault, using SDKs built for common platforms and CI/CD environments. The secrets remain encrypted in the zero-knowledge vault, and access is controlled through the same role and policy framework used across the rest of the platform.
For organizations running containerized workloads, Keeper supports secrets injection for Docker environments as well, making adoption practical without requiring a significant rearchitecture of existing pipelines.
Security Audit, Compliance Reporting, and BreachWatch
Keeper provides several tools aimed at giving administrators ongoing visibility into the security posture of their organization, not just at the point of deployment.
The Security Audit feature scores vault health across the organization, surfacing weak passwords, reused credentials, and records that haven't been updated in a long time. For administrators who want to improve security hygiene across a large user base, this gives them a starting point and a way to track progress over time.
Compliance Reports provide a structured view of who has access to what within the organization. This is particularly useful in regulated environments where demonstrating access control to an auditor is part of the compliance process. Rather than trying to manually reconstruct access history, Compliance Reports make that information readily available in a format that's useful for both internal reviews and external audits.
BreachWatch monitors the dark web for credentials that match what's stored in a user's vault. When a credential appears in a known data breach, BreachWatch surfaces that to the user and administrator so the password can be rotated before it's exploited. This kind of proactive monitoring is increasingly important given how frequently credentials from third-party breaches end up being used in credential stuffing attacks.
How Does It Work?
BreachWatch scans millions of websites and dark web marketplaces where stolen information is often shared. It collects and analyzes the data from those sites, looking for keywords and patterns related to the user's information, such as the username and password. It compares only a portion of the password hash, so no sensitive information is ever exposed. If a match is found, the user is immediately alerted.
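The partial-hash comparison described above, as an added illustration in Go of the general technique (not BreachWatch's actual protocol): the client hashes the password, sends only a short hex prefix of the hash, and compares the returned suffixes locally, so the service never receives the full hash or the password. SHA-256, the 5-character prefix and the BreachIndex map are constructed assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// PrefixLen is how many hex characters of the password hash leave the device:
// 5 hex digits (20 bits) identify a bucket of hashes, not a password.
const PrefixLen = 5

// HashHex returns the lowercase hex SHA-256 of a password (constructed choice;
// the hash the real service uses is not specified on the page).
func HashHex(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// BreachIndex is a constructed stand-in for a breach corpus, keyed by full hash.
type BreachIndex map[string]struct{}

// NewBreachIndex builds the server-side index from leaked plaintexts.
func NewBreachIndex(leaked ...string) BreachIndex {
	idx := BreachIndex{}
	for _, pw := range leaked {
		idx[HashHex(pw)] = struct{}{}
	}
	return idx
}

// Range answers a prefix query with the suffix of every hash in that bucket.
// The server never learns which suffix, if any, the caller actually holds.
func (b BreachIndex) Range(prefix string) []string {
	var out []string
	for h := range b {
		if strings.HasPrefix(h, prefix) {
			out = append(out, h[len(prefix):])
		}
	}
	return out
}

// IsBreached is the client side: send only the prefix, compare suffixes locally.
// query stands for the network call to the breach service.
func IsBreached(password string, query func(prefix string) []string) bool {
	h := HashHex(password)
	prefix, suffix := h[:PrefixLen], h[PrefixLen:]
	for _, s := range query(prefix) {
		if s == suffix {
			return true
		}
	}
	return false
}
```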
Compliance Certifications
For organizations in regulated industries or government environments, the compliance posture of a security platform is often as important as the features themselves. Keeper holds a comprehensive set of certifications and compliance designations:
- SOC 2 Certified
- ISO 27001 and ISO 27017 Certified
- FIPS 140-3 Validated
- FedRAMP Authorized
- StateRAMP Authorized
- GSA and SAM Certified
- GDPR Compliant
- ITAR Compliant
- Compliant with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework
For government and defense-adjacent organizations, Keeper offers a dedicated GovCloud environment hosted on AWS GovCloud, with a sequestered Customer Success team comprising U.S. persons specifically trained to handle ITAR-governed and export-controlled data.
Putting It Together
Keeper's enterprise platform is built around a consistent set of principles: encrypt everything at the client, trust nothing by default, and give administrators the visibility and control they need to manage access at scale.
What makes the platform cohesive is that the same zero-knowledge architecture and role-based policy engine underlies all of it. From the employee vault to privileged session management to secrets in a CI/CD pipeline, they're expressions of the same underlying approach applied to different parts of an organization's security posture.
Understanding that architecture makes it significantly easier to deploy Keeper effectively, evaluate where it fits in an existing environment, and make the case for why it matters to the people responsible for the decision.