Managed privileged access: implementing a KeeperPAM POC

tl;dr

Having just completed a proof-of-concept implementation of KeeperPAM, I’m impressed by it and I think it has great potential. The integration between the Keeper Vault (the password manager), the Secrets Manager (a powerful API for interacting programmatically with Vault items) and an agentless architecture makes for a system that is very easy to set up and manage. And if you are already familiar with Keeper Enterprise Password Management, the learning curve is very smooth.

Architecture Overview

KeeperPAM is Keeper Security’s privileged access management (PAM) solution designed around a zero-trust, agentless, and outbound-only connection model. Its main strength is the tight integration with the Keeper Vault, the enterprise password manager, which securely stores both credentials and connection configurations side by side.

KeeperPAM Workflow diagram

KeeperPAM consists of four key components:

  • Keeper Vault – Securely stores credentials, connection details, and rotation policies.
  • Keeper Cloud – Acts as a secure relay between users and Gateways, brokering WebRTC sessions without requiring inbound access.
  • Keeper Secrets Manager – API layer for programmatic access and automated credential rotation.
  • Keeper PAM Gateway – The only component deployed in your environment. It connects outbound over port 443 to Keeper Cloud, decrypts credentials locally, and proxies privileged sessions (SSH, RDP, database, etc.).

This design eliminates the need for inbound firewall rules or agents on target systems. Each Gateway serves as a secure bridge to the systems in its local network segment, enabling easy management across on-premises, cloud, or hybrid environments.

The Gateway can also perform session recording, credential rotation, and resource discovery, giving security and infrastructure teams full visibility without increasing attack surface.

Deployment

Deploying KeeperPAM is straightforward. The entire deployment can be completed in just a few minutes once you have set up a machine in your network that will take the Gateway role. For automating the VM creation process, see my automation guide in my OpsCafe notebook.

Step 1: Configuring User Groups and Assigning Licenses

The first thing we need to do is assign a license to the Keeper users who need access to this functionality. For this we set up two new roles; let’s call them KeeperPAM Admins and KeeperPAM Users.

Through the Admin Console you can define different user roles. Open the Admin Console and create the two roles named above by going to Admin > Roles and clicking the Add Role button.

Each role has attached policies which enable specific features for the users in that role. Select the KeeperPAM Admins role and click the Enforcement Policies button.

In the pop-up, go to the Privileged Access Manager section and, for KeeperPAM Admins, select all options. Now repeat the step for the KeeperPAM Users role, but select only the checkboxes that permit the user to start sessions.

Note that you can go more granular and create additional roles, depending on the size of the organization and the teams managing these rights. For this POC these two roles were enough.

Now all that is left is to add the users to their respective new roles.

Step 2: Deploy the Keeper Gateway

The recommended deployment method is Docker, because it is fast and easier to manage during updates.

  1. From the Keeper Vault, click Create New > Gateway. This will open the Gateway Wizard, which will automatically create all necessary Vault “components”.
  2. Select “Docker” as your deployment method. Alternatively, you can choose Windows or Linux, but keep in mind that there are some functionality differences which, at the time of writing, are highlighted here: KeeperPAM features list
  3. When the wizard finishes the Vault configuration it will provide you with an installation command. Use the copy button to make sure you copy the entire command, which contains a large base64-encoded string holding the configuration needed for the initial setup.
  4. On the Gateway host, execute the installation command.
  5. The installer generates two files: docker-compose.yml and docker-seccomp.json. The second file, docker-seccomp.json, is a seccomp security profile which Docker applies to the Gateway containers to restrict the system calls they may make.
  6. Run docker compose up -d to start the Gateway containers.

The Gateway will establish an outbound WebSocket connection to the Keeper Cloud and authenticate using a one-time access token. After the initial authentication, subsequent connections use a Client Device Identifier (an HMAC_SHA512 hash of the token) for added security.

The Gateway can also be deployed using container orchestration platforms like Kubernetes, Docker Swarm, or Amazon ECS for scalability and redundancy.

Best Practice Tip: Deploy one Gateway per environment or network segment you’re managing. For example, you might have separate Gateways for your AWS environment, Azure environment, and on-premises datacenter.

Step 3: Add Resources

Now you can start adding the systems and resources you want to manage:

  • Create PAM records for machines (SSH, RDP connections)
  • Add database connections (MySQL, PostgreSQL, SQL Server, Oracle)
  • Configure web application access
  • Set up service accounts and API credentials

Each resource is stored as another encrypted record in the vault. You can organize resources into shared folders and apply time-based access permissions or approval workflows.

Establishing the First Connection

With the Gateway deployed, let’s establish the first connection to a Linux server via SSH.

In the Keeper Vault you will find a new folder with the name you provided when you registered the Gateway. Opening it, you will find two shared folders, one ending in Resources and one ending in Users.

Creating the access user

  1. In the Keeper Vault, select the folder ending with Users and add a new Rotation entry.
  2. In the pop-up make sure you have selected Rotation and User, then enter a title.
  3. Fill in the record details.

This is the administrative user that KeeperPAM uses to connect to the target and perform tasks such as key/password rotation and ephemeral user creation, so it needs privileged rights on that system.

Creating an SSH Resource

  1. In the Keeper Vault, select the folder ending with Resources and add a new Connection Record entry.
  2. In the pop-up make sure you have selected Connection for Type and Machine for the Target, then enter a descriptive name (e.g., “Production Web Server 01”).
  3. Next, fill in the connection details:
     • Host: the server’s IP address or hostname
     • Port: the SSH port (typically 22)
     • Administrative Credentials: click the button to open a pop-up for attaching the credentials created earlier. Here select the PAM Configuration, the Administrative Credential (the user record created earlier) and the Protocol (SSH). Choosing the protocol reveals additional options such as session recording. Then, in the same dialog, select the JIT tab to configure an ephemeral user (in this POC the ephemeral user was also added to the docker group).

Establishing the Connection

  1. Open the new record in your Keeper Vault.
  2. Click Launch; the vault will establish a secure WebRTC connection to your Gateway through the Keeper Cloud.
  3. The Gateway retrieves the encrypted credentials using Keeper Secrets Manager, decrypts them locally on the Gateway machine, and initiates the SSH session.
  4. In your Keeper Vault app window a terminal will pop up with an active SSH connection to the target system.

Throughout this process the actual password or SSH key is never disclosed. The connection record can be safely shared with other people, either as a temporary share or a permanent one. The person you shared the record with will not be able to see the actual credential values, but will still be able to use the credentials to connect to the target system. The credentials are injected automatically by KeeperPAM through its components, and if session recording is enabled, all activity is logged for audit and debugging purposes.

Using Native Tools with Tunnels

KeeperPAM also supports using your preferred native tools (PuTTY, MySQL Workbench, SQL Server Management Studio, etc.) through secure tunnels. Configuring a tunnel is as easy as:

  1. From the resource record, click the edit icon.
  2. Click the Administrative Credentials button to open the connection configuration.
  3. Click the Tunnel tab and check the Enable tunnel checkbox. You only need to change the connection port if the target uses a port different from your other SSH connections.
  4. Clicking the Start Tunnel button instructs KeeperPAM to forward a local port to the remote machine through an SSH tunnel.
  5. The tunnel is encrypted from your workstation through the Gateway to the target system, and you can now configure your native tool to connect to localhost on the specified port. For this example you run ssh -p 54434 kpam_user@localhost, where 54434 is the randomly chosen local port.

This approach gives you the flexibility of using familiar tools while maintaining zero-trust security. The tunnels can be started with a single click and remain encrypted throughout the session.

Security good practices

Enable MFA

Configure and enforce multi-factor authentication (MFA). KeeperPAM supports various MFA methods including FIDO2 hardware keys, TOTP authenticators, and biometric login with passkeys. If you’re using SSO integration, ensure MFA is configured at your identity provider level at minimum.

Gateway Considerations

The Gateway configuration file contains secrets that allow access to your Keeper Vault. On Linux and Windows installations this file is protected by filesystem permissions and should only be accessible to the installing user and administrative accounts. For Docker deployments, protect the GATEWAY_CONFIG environment variable in your docker-compose.yml file by using Docker secrets, or restrict access to the file using file permissions.

Monitor Gateway logs regularly through the Admin Console. Keeper provides Syslog formatted logs which can be integrated with your SIEM platform for centralized monitoring.
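As an added example (not part of the original post or of Keeper’s own tooling), the following Python audit flags the two weaknesses described above: a GATEWAY_CONFIG value pasted directly into docker-compose.yml, and a compose file readable by group or other. The image name, file contents and the env_file layout of the hardened variant are constructed for illustration.

```python
import os
import re
import stat

# Constructed weak pattern: the base64 gateway configuration pasted straight into
# docker-compose.yml as an environment value (image name is a placeholder).
WEAK_COMPOSE = """\
services:
  gateway:
    image: example/gateway-image-placeholder
    environment:
      - GATEWAY_CONFIG=eyJ...constructed-placeholder-base64...
"""

# Constructed hardened variant: the value lives in gateway.env, which must itself be
# mode 0600 and owned by the installing user; the compose file no longer carries it.
HARDENED_COMPOSE = """\
services:
  gateway:
    image: example/gateway-image-placeholder
    env_file:
      - gateway.env
"""

# Matches an environment entry that carries a literal value for GATEWAY_CONFIG
# in either list ("- KEY=value") or mapping ("KEY: value") syntax.
INLINE_SECRET = re.compile(r"^\s*-?\s*GATEWAY_CONFIG\s*[=:]\s*(\S+)", re.M)

def audit_compose(compose_text: str, mode: int) -> list:
    """Return findings for a compose file body and its permission bits."""
    findings = []
    m = INLINE_SECRET.search(compose_text)
    # A "${GATEWAY_CONFIG}" reference is passed through from the shell, not inlined.
    if m and not m.group(1).startswith("$"):
        findings.append("GATEWAY_CONFIG value is inlined in docker-compose.yml")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %s is readable by group/other; use 0600" % oct(mode))
    return findings

def audit_compose_path(path: str) -> list:
    """Audit a compose file on disk using its real content and mode."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_compose(text, stat.S_IMODE(os.stat(path).st_mode))
```

Run audit_compose_path("docker-compose.yml") on the Gateway host after installation; an empty list means neither weakness was found.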

Session Recording and Compliance

Enable session recording for privileged access to maintain compliance with regulations like HIPAA, PCI-DSS, and SOX. KeeperPAM can record screen activity, keyboard input, and command logs across all connection protocols. These recordings are stored automatically by KeeperPAM and can be accessed from the resource’s Vault record.

You can also download the recordings and store them based on your retention policies and compliance requirements.

Credential Rotation

Implement automated credential rotation to minimize the impact of potential credential compromise. KeeperPAM can rotate credentials on-demand or on customized schedules. After a privileged session ends, credentials can be automatically rotated to prevent future unauthorized access.

For service accounts and machine credentials, leverage Keeper Secrets Manager to automate rotation across on-premises and cloud environments without manual intervention.

What’s next?

Once your KeeperPAM deployment is operational, there are several capabilities you can explore to enhance your privileged access security:

Rotation and Secrets Management

Expand your credential rotation coverage beyond basic passwords. Configure rotation for:

  • SSH keys across your infrastructure
  • Database service account passwords
  • Cloud platform credentials

Additionally, you can use the Keeper Commander CLI to automate rotation tasks or integrate with CI/CD pipelines.

SIEM Integration

Configure event logging to push all KeeperPAM events to your Security Information and Event Management (SIEM) platform. KeeperPAM supports integration with major SIEM tools, allowing you to correlate privileged access events with other security telemetry. Set up alerts for suspicious patterns like:

  • After-hours access attempts
  • Failed authentication attempts
  • Access from unusual geographic locations
  • Rapid successive connections to multiple systems
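As an added example, not from the original post or from Keeper, here is detection logic for three of the patterns listed above (after-hours sessions, failed-authentication bursts, and rapid connections to several distinct systems) run over constructed events. The page does not give the Keeper syslog field names, so the JSON keys, the business-hours window and the thresholds are assumptions to adapt to your own SIEM.

```python
import json
from collections import defaultdict
from datetime import datetime
# Constructed JSON-per-line events; the real Keeper syslog field names are not
# given on the page, so "ts", "user", "event" and "target" are assumptions.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-06T02:14:00Z","user":"alice","event":"pam_session_start","target":"db-01"}',
    '{"ts":"2024-05-06T02:14:20Z","user":"alice","event":"pam_session_start","target":"web-01"}',
    '{"ts":"2024-05-06T02:14:40Z","user":"alice","event":"pam_session_start","target":"web-02"}',
    '{"ts":"2024-05-06T10:00:00Z","user":"bob","event":"login_failed","target":null}',
    '{"ts":"2024-05-06T10:00:05Z","user":"bob","event":"login_failed","target":null}',
    '{"ts":"2024-05-06T10:00:09Z","user":"bob","event":"login_failed","target":null}',
    '{"ts":"2024-05-06T11:30:00Z","user":"carol","event":"pam_session_start","target":"web-01"}',
]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC; an assumed policy window

def parse(lines):
    """Decode events and sort them by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(lines, window_s=60, fail_threshold=3, spread_threshold=3):
    """Return sorted (rule, user) alerts for after-hours sessions, failed-auth
    bursts and rapid connections to several distinct systems."""
    alerts = set()
    sessions = defaultdict(list)  # user -> [(ts, target)]
    failures = defaultdict(list)  # user -> [ts]
    for e in parse(lines):
        if e["event"] == "pam_session_start":
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.add(("after_hours_access", e["user"]))
            sessions[e["user"]].append((e["ts"], e["target"]))
        elif e["event"] == "login_failed":
            failures[e["user"]].append(e["ts"])
    for user, stamps in failures.items():  # N failures inside one window
        for i in range(len(stamps) - fail_threshold + 1):
            if (stamps[i + fail_threshold - 1] - stamps[i]).total_seconds() <= window_s:
                alerts.add(("failed_auth_burst", user))
                break
    for user, items in sessions.items():  # distinct targets inside one window
        for i, (start, _) in enumerate(items):
            targets = {t for ts, t in items[i:] if (ts - start).total_seconds() <= window_s}
            if len(targets) >= spread_threshold:
                alerts.add(("rapid_multi_system_access", user))
                break
    return sorted(alerts)
```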

In a future note I will share how to integrate event logs with Wazuh SIEM.

Zero Standing Privilege

Instead of having administrators with permanent elevated rights, implement a model where:

  • Normal user accounts have no elevated privileges
  • Privileged access is requested and approved when needed
  • All privileged actions are recorded and auditable

Final thoughts

The KeeperPAM proof of concept validated that deploying a secure, zero-trust PAM platform doesn’t need to be complex or invasive. The Gateway deployment and setup completed in under 30 minutes and required no inbound firewall rules — a significant simplification compared to older generation PAM solutions that depend on VPNs, jump servers, or installed agents.

Operational performance was equally strong: SSH and RDP tunnel latency was negligible, and credential synchronization between the Vault and Gateway worked flawlessly. Session recording and ephemeral account provisioning were straightforward to configure and did not require any additional components to be installed on the target machines.

These results confirm that KeeperPAM’s agentless architecture is practical for real environments and can scale easily. By eliminating standing privileges and implementing just-in-time access, it enables a realistic zero-trust model where access credentials are created, used, and retired dynamically.

From a deployment and security operations standpoint, KeeperPAM delivers three key advantages:

  • minimal infrastructure footprint - only an outbound gateway, no agents or inbound ports.
  • fast time to value - initial setup to first connection can be done in minutes.
  • consistent user experience - access via web vault or native tunnels with unified auditing.

With these characteristics, KeeperPAM shows strong potential as a lightweight yet enterprise-grade PAM option. Future testing will focus on integration with SIEM platforms like Wazuh and automated credential rotation.