Keeper Secrets Manager - MCP (Model Context Protocol) server implementation
Configuration
{
  "mcpServers": {
    "keeper-security-keeper-mcp-golang-docker": {
      "command": "/path/to/ksm-mcp",
      "args": [
        "serve",
        "--profile",
        "default"
      ],
      "env": {
        "KSM_MCP_PROFILE": "default",
        "KSM_CONFIG_BASE64": "YOUR_BASE64_CONFIG_STRING",
        "KSM_MCP_CONFIG_DIR": "~/.keeper/ksm-mcp"
      }
    }
  }
}

You run a secure MCP server that sits between AI language models and Keeper Secrets Manager, enabling automated secret management while protecting your credentials. It handles listing, creating, retrieving, and deleting secrets and folders, with strong prompts for sensitive actions to keep you in control.
You interact with the KSM MCP server through an MCP client. The server exposes tools to manage secrets, folders, and file attachments, while enforcing user confirmations for sensitive operations. Use an MCP client to request actions such as listing secrets, creating a secret in a specific folder, uploading a file to a secret, or generating a secure password. Your AI agent can chain these actions to automate workflows, but you retain final decision power for any destructive operation.
Prerequisites: you need a modern operating system with Docker or a pre-compiled binary for your platform. You also need a base64-encoded KSM configuration string that represents your Keeper Secrets Manager application credentials.
Option 1: Install with Docker (recommended) — start the MCP server using Docker and supply your KSM configuration via an environment variable.
1) Prepare your base64 configuration string from Keeper Secrets Manager.
2) Create or update your Claude Desktop MCP configuration to include the KSM server entry. You will reference your base64 configuration in the KSM_CONFIG_BASE64 environment variable.
3) Restart Claude Desktop to connect to the KSM MCP server for the first time.
4) Use the following configuration snippet to define the MCP server connection for KSM in your client.
{
  "mcpServers": {
    "ksm": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "KSM_CONFIG_BASE64=YOUR_BASE64_CONFIG_STRING_HERE",
        "keepersecurityinc/ksm-mcp-poc:latest"
      ]
    }
  }
}

If you prefer to run a native binary, download the appropriate binary for your system and initialize a local profile with your base64 configuration.
1) Download the binary for your platform and make it executable.
2) Initialize a local MCP profile with your base64 config and a profile name.
3) Configure Claude Desktop to use the binary and the chosen profile.
4) Start Claude Desktop to connect to the KSM MCP server.
5) Use the following configuration snippet to point Claude Desktop at the KSM MCP server using your profile.
{
  "mcpServers": {
    "ksm": {
      "command": "/path/to/ksm-mcp",
      "args": ["serve", "--profile", "default"]
    }
  }
}

If you prefer automated, non-interactive usage, you can run in batch mode or silent mode, and you can set environment variables to supply your configuration. See the available command line flags and environment variables below for more details.
Configuration priority determines how the MCP server reads its credentials and profile information. You can supply the base64 configuration directly as a CLI flag, via an environment variable, or through a local profile. This gives you flexibility for development, CI/CD, or production deployments.
Security considerations include protecting your base64 KSM configuration, using profiles with password protection, and enabling batch mode for automated environments. The server supports a silent mode that disables local audit logs for compliant or ephemeral deployments.
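Two of the configuration snippets on this page place the base64 KSM configuration directly in the MCP client's JSON file, where it sits in plaintext. The following is an added example, not part of the KSM MCP project: a small audit that flags server entries embedding a real KSM_CONFIG_BASE64 value in "env" or in Docker "-e" arguments and checks whether the file is readable by other users. The function names and the sample value are assumptions made for illustration.

```python
import json
import os
import stat

KEY = "KSM_CONFIG_BASE64"
PLACEHOLDER_PREFIX = "YOUR_"  # the page's sample values, e.g. YOUR_BASE64_CONFIG_STRING

def inline_ksm_configs(config):
    """List MCP server entries that embed a real KSM config string."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        # Binary-style entry: value stored in the "env" map.
        value = server.get("env", {}).get(KEY, "")
        if value and not value.startswith(PLACEHOLDER_PREFIX):
            findings.append(f"{name}: {KEY} stored in env")
        # Docker-style entry: "-e", "KSM_CONFIG_BASE64=<value>" in args.
        # A bare "KSM_CONFIG_BASE64" (docker pass-through) holds no value.
        for arg in server.get("args", []):
            if isinstance(arg, str) and arg.startswith(KEY + "="):
                val = arg[len(KEY) + 1:]
                if val and not val.startswith(PLACEHOLDER_PREFIX):
                    findings.append(f"{name}: {KEY} stored in args")
    return findings

def readable_by_others(path):
    """True if group or other users can read the file (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_file(path):
    """Audit one client config file; add a finding if it is also over-readable."""
    with open(path, encoding="utf-8") as fh:
        findings = inline_ksm_configs(json.load(fh))
    if findings and readable_by_others(path):
        findings.append(f"{path}: contains KSM config and is group/other readable")
    return findings

# Constructed sample mirroring the three entry shapes shown on this page.
SAMPLE = {"mcpServers": {
    "docker-inline": {"command": "docker", "args": [
        "run", "-i", "--rm", "-e", KEY + "=c2FtcGxl",
        "keepersecurityinc/ksm-mcp-poc:latest"]},
    "binary-env": {"command": "/path/to/ksm-mcp",
                   "args": ["serve", "--profile", "default"],
                   "env": {KEY: "c2FtcGxl"}},
    "binary-profile": {"command": "/path/to/ksm-mcp",
                       "args": ["serve", "--profile", "default"]},
}}

if __name__ == "__main__":
    for finding in inline_ksm_configs(SAMPLE):
        print(finding)
```

The profile-based entry produces no finding because the client file then carries only a profile name, not the credential itself.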
If you encounter issues, verify that you provided a valid profile or base64 config, check that the server command and arguments are correctly specified, and ensure the executables have proper permissions. For debugging, you can enable verbose logging to help identify startup or connection problems.
Ask your AI agent to create a new secret inside a folder, list secrets in a folder, or upload a configuration file to a secret. You can also generate secure passwords or fetch current TOTP codes for secrets configured with TOTP.
The KSM MCP server can be run in different modes and supports multiple configuration methods. Choose the method that best fits your deployment environment, whether you want full local control with a binary or a containerized setup with Docker.
List all accessible secrets (metadata only).
Retrieve a specific secret (sensitive fields masked by default; unmasking requires confirmation).
Search secrets by title, notes, or other field content.
Create a new secret (requires confirmation).
Update an existing secret (requires confirmation).
Delete a secret (requires confirmation).
List all accessible folders.
Create a new folder (requires confirmation; must specify a parent shared folder).
Delete a folder (requires confirmation; option to force delete non-empty folders).
Upload a file attachment to a secret (requires confirmation).
Download a file attachment from a secret.
Generate a secure password. Can optionally save directly to a new secret without exposing it to the AI.
Get the current TOTP code for a secret that has TOTP configured.
Get the current version of the KSM MCP server.
Check the operational status of the MCP server and its connection to KSM.