keeper-setup

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Keeper CLI Setup & Configuration

Keeper CLI安装与配置

Official documentation

官方文档

Secrets Manager (KSM) - concepts, KSM CLI install, and app/device setup
Commander CLI - concepts, install, and interactive shell
Keeper notation -
```
keeper://
```
URIs used by
```
ksm exec
```
and
```
ksm interpolate
```
(see keeper-secrets skill for usage)

Keeper provides two CLI tools. Install what you need:

Tool	Package	Purpose
KSM CLI ( `ksm` )	`keeper-secrets-manager-cli`	Machine secrets retrieval & injection
Commander ( `keeper` )	`keepercommander`	Admin, vault management, PAM, sessions

Secrets Manager (KSM) - 概念、KSM CLI安装以及应用/设备设置
Commander CLI - 概念、安装以及交互式Shell
Keeper notation -
```
ksm exec
```
和
```
ksm interpolate
```
使用的
```
keeper://
```
URI（使用方法请查看keeper-secrets技能）

Keeper提供两款CLI工具，你可以按需安装：

工具	安装包	用途
KSM CLI ( `ksm` )	`keeper-secrets-manager-cli`	机器机密获取与注入
Commander ( `keeper` )	`keepercommander`	管理员操作、保险箱管理、PAM、会话管理

Installation security

安装安全注意事项

Prefer PyPI (
```
pip install …
```
) so you consume the published packages with version pins in your own dependency files. That is the default path for these tools.
Official sources only: release binaries and source live under the Keeper-Security organization on GitHub. Before running any installer or
```
pip install
```
from a clone, confirm the remote URL and publisher match Keeper’s official documentation; use release tags or checksums published on the release page when you need extra assurance.
Agents must not fabricate or echo one-time tokens, master passwords, or vault field values in chat or generated scripts. Direct the user to paste or inject secrets only in their own secure terminal or secret store.

优先使用PyPI（
```
pip install …
```
），这样你可以在自己的依赖文件中固定已发布包的版本，这是这些工具的默认安装路径。
仅使用官方来源：发布的二进制文件和源码都存放在GitHub上的Keeper-Security组织下。从克隆仓库运行任何安装程序或执行
```
pip install
```
前，请确认远程地址和发布方与Keeper官方文档一致；如果需要更高安全性，请使用发布页上公开的版本标签或校验和。
Agent绝对不能在聊天内容或生成的脚本中编造或回显一次性令牌、主密码或保险箱字段值。引导用户仅在自己的安全终端或密钥存储中粘贴或注入机密信息。

Quick Install

快速安装

KSM CLI

bash

undefined

bash

undefined

With OS-native keyring (recommended for workstations)

带系统原生密钥环（工作站推荐）

pip install keeper-secrets-manager-cli[keyring]

Without keyring (for containers, CI/CD, headless)

不带密钥环（适用于容器、CI/CD、无UI环境）

pip install keeper-secrets-manager-cli

Verify

验证安装

ksm version


**Binary installers** (no Python required) are published for Windows, macOS, and Linux on the official **Keeper-Security/secrets-manager** GitHub Releases page linked from [Secrets Manager CLI](https://docs.keeper.io/en/keeperpam/secrets-manager/overview) documentation. Download only from that release page; verify checksums or signatures when the release provides them.

ksm version


**二进制安装包**（无需Python环境）已在官方文档[Secrets Manager CLI](https://docs.keeper.io/en/keeperpam/secrets-manager/overview)关联的**Keeper-Security/secrets-manager** GitHub Releases页发布，支持Windows、macOS和Linux系统。请仅从该发布页下载；如果版本提供了校验和或签名，请进行验证。

Commander

bash

pip install keepercommander

bash

pip install keepercommander

Optional: install from a local clone of the official repository (verify remote and use a tagged release)

可选：从官方仓库本地克隆安装（请确认远程地址并使用标签版本）

git clone https://github.com/Keeper-Security/Commander.git cd Commander git checkout <release-tag> python -m venv venv && source venv/bin/activate pip install -r requirements.txt && pip install -e .

Verify

验证安装

keeper version

undefined

keeper version

undefined

First-Time Setup

首次设置

KSM CLI Setup

KSM CLI设置

You need a One-Time Access Token from a KSM Application. If you don't have one, your Keeper admin can create it via the Vault UI or Commander (see keeper-admin skill).

Provide the token via environment variable so it is not passed as a

--token

argument (which can show up in shell history and process listings). Official docs: Profile command / init.

bash

undefined

你需要从KSM应用获取一次性访问令牌。如果你没有该令牌，你的Keeper管理员可以通过保险箱UI或Commander生成（请查看keeper-admin技能）。

请通过环境变量提供令牌，不要将其作为

--token

参数传递（该参数会出现在Shell历史和进程列表中）。官方文档：配置文件命令 / 初始化。

bash

undefined

Prerequisite: export KSM_CLI_TOKEN in this shell from Vault or Commander output (see Keeper profile docs). Never paste token values into chat or committed files.

前置条件：在当前Shell中从保险箱或Commander输出导出KSM_CLI_TOKEN（请查看Keeper配置文档）。绝对不要将令牌值粘贴到聊天内容或提交的文件中。

ksm profile init

Optional: unset KSM_CLI_TOKEN when finished in this shell.

可选：当前Shell操作完成后取消设置KSM_CLI_TOKEN

ksm secret list # Verify access


In CI or secret managers, inject the same variable without placing the value on the command line. For containers, see also `KSM_TOKEN` / `KSM_INI_DIR` behavior in the Keeper Secrets Manager CLI documentation.

ksm secret list # 验证访问权限


在CI或密钥管理器中，直接注入对应变量即可，不要将值放在命令行中。对于容器场景，请查看Keeper Secrets Manager CLI文档中`KSM_TOKEN` / `KSM_INI_DIR`的相关行为说明。

Commander Setup

Commander设置

bash

keeper shell

bash

keeper shell

Enter your email, master password, and 2FA code

输入你的邮箱、主密码和2FA验证码

Then enable persistent login:

然后开启持久登录：

My Vault> this-device register My Vault> this-device persistent-login ON

undefined

My Vault> this-device register My Vault> this-device persistent-login ON

undefined

Keeper Regions

Keeper区域

Region	Host	Token Prefix
US	keepersecurity.com	US:
EU	keepersecurity.eu	EU:
AU	keepersecurity.com.au	AU:
JP	keepersecurity.jp	JP:
CA	keepersecurity.ca	CA:
US Gov	govcloud.keepersecurity.us	GOV:

区域	Host	令牌前缀
美国	keepersecurity.com	US:
欧盟	keepersecurity.eu	EU:
澳大利亚	keepersecurity.com.au	AU:
日本	keepersecurity.jp	JP:
加拿大	keepersecurity.ca	CA:
美国政府	govcloud.keepersecurity.us	GOV:

Troubleshooting

问题排查

Issue	Fix
"Not authenticated"	Re-run `ksm profile init` after setting `KSM_CLI_TOKEN` from a new Client Device token
"Token expired"	Generate a new Client Device in Commander or Vault UI
IP lock errors	Use `--unlock-ip` when creating the client, or init from the locked IP
Keyring not available	Install with `[keyring]` extra or use `--ini-file` flag
Python version error	KSM CLI requires Python 3.10+, Commander requires 3.10+
Permission denied on keeper.ini	File should be 0600; check with `ls -la keeper.ini`

问题	解决方案
"未通过身份验证"	用新的客户端设备令牌设置 `KSM_CLI_TOKEN` 后重新运行 `ksm profile init`
"令牌已过期"	在Commander或保险箱UI中生成新的客户端设备令牌
IP锁定错误	创建客户端时使用 `--unlock-ip` 参数，或从被锁定的IP执行初始化
密钥环不可用	安装带 `[keyring]` 扩展的版本，或使用 `--ini-file` 参数
Python版本错误	KSM CLI要求Python 3.10+，Commander要求Python 3.10+
keeper.ini权限被拒绝	文件权限应为0600；可执行 `ls -la keeper.ini` 检查

What's Next

后续步骤

To retrieve and inject secrets (including Keeper notation): see the keeper-secrets skill
To manage enterprise, users, PAM: see the keeper-admin skill

要获取并注入机密（包括Keeper notation）：请查看keeper-secrets技能
要管理企业、用户、PAM：请查看keeper-admin技能