Everything stored in your Keeper vault is known as a record. There are several different record types, including logins, credit cards, identities, secure notes, and software licenses, but you can also create a general record with any fields you want, as well as add custom fields and attach files to other record types. Rather than tags or categories, Keeper lets you make folders, and you can nest folders within each other.
You can share at a record or folder level. Record sharing speaks for itself, but folder sharing is interesting. Rather than sharing a full vault, as you have to do with a service like Proton Pass, you can create a shared folder with a permission structure similar to Google Drive. You can set your records to view only, give shared users editing access, and even allow users to add and manage other users.
These sharing settings aren’t strictly global. You can set up a view-only shared folder, but give some users the ability to manage users and/or records, and you can change the permissions on individual records within that folder. Some records can be view-only, while others can be unlocked for editing.
You can share individual records in a few ways. You can share them in perpetuity, but you can also create one-time share links for non-Keeper users. Access is limited to one device through that link. If you need something even more temporary, you can create a self-destruct record, which will be shared and then deleted shortly after the record is opened.
Keeper’s Security
Keeper uses a zero-knowledge, zero-trust security architecture. Each record you store in Keeper is encrypted individually with its own AES-256 key. Those keys are then wrapped in another AES-256 key, which is derived from your master password. Even if someone were to break your AES-256 key (not likely), that wouldn’t unlock your individual records.
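The two-layer key scheme described above, sketched in Node.js as an added example (this is not Keeper's code and not part of the original review). The PBKDF2-SHA256 derivation, the GCM mode, the iteration count, and every function name here are assumptions chosen for illustration.

```javascript
// Added illustration of per-record keys wrapped by a password-derived key.
// Assumptions (not from Keeper): PBKDF2-SHA256, AES-256-GCM, 100000 iterations.
const crypto = require('crypto');

// AES-256-GCM encrypt; returns the IV, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt; throws if the key is wrong or the data was modified.
function unseal(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Derive the 256-bit wrapping key from the master password on the client.
function deriveWrappingKey(masterPassword, salt, iterations = 100000) {
  return crypto.pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
}

// Encrypt a record under its own random key, then wrap that key.
function storeRecord(wrappingKey, recordText) {
  const recordKey = crypto.randomBytes(32);
  return {
    data: seal(recordKey, Buffer.from(recordText, 'utf8')),
    wrappedKey: seal(wrappingKey, recordKey),
  };
}

// Unwrap the record key, then decrypt the record with it.
function readRecord(wrappingKey, stored) {
  const recordKey = unseal(wrappingKey, stored.wrappedKey);
  return unseal(recordKey, stored.data).toString('utf8');
}

// A master password change re-wraps the record key; record data is untouched.
function rewrap(oldKey, newKey, stored) {
  const recordKey = unseal(oldKey, stored.wrappedKey);
  return { data: stored.data, wrappedKey: seal(newKey, recordKey) };
}
```

Because each record has its own random key, the key for one record cannot decrypt another, and only the wrapped keys need re-encrypting when the master password changes.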
All encryption happens locally, so Keeper never sees your vault data, and it doesn’t have the keys to decrypt it (read our passkey explainer for more on public-key encryption and how zero-knowledge models work). That gives you full end-to-end encryption, and to make extra sure nothing can happen in transit, Keeper generates an additional AES-256 transmission key to protect the data from man-in-the-middle attacks.
A zero-knowledge security architecture and several layers of encryption are expected from a password manager, but what stands out about Keeper is how transparent it is about its security architecture. Likely due to its enterprise focus, Keeper maintains extensive documentation about how it works and the protections in place.
Keeper has a lot of tools for operational security. In the browser extension, for example, there’s a clipboard expiration setting that defaults to 30 seconds. Anything you copy will be automatically cleared. There’s also a warning that will automatically display if you attempt to autofill on an HTTP address, blocking your credentials from traveling over an unsecured network.
Keeper’s enterprise focus surprisingly works well for personal use. The security architecture is top-notch, the apps come packed with features, and the sharing capabilities are second to none. Where Keeper loses out is pricing. Although its pricing is in line with the rest of the market for a single user, it’s a bit high for a family plan. And features that come standard with other password managers, such as dark web monitoring, are paid add-ons.