
Keeper Security Launches Universal Secrets Sync to Eliminate Credential Drift Across Multi-Cloud Environments

Terry KS 16 hours ago
Keeper Security has introduced Universal Secrets Sync within its KeeperPAM platform, automatically distributing updated credentials to AWS, Azure, and Google Cloud the moment they rotate. The new capability addresses a critical enterprise security gap where stale credentials in production environments create hidden risks that security teams cannot govern or revoke.

SINGAPORE, 24 JUNE 2026 – Keeper Security, a leading provider of zero-trust and zero-knowledge identity security and Privileged Access Management solutions, has announced the general availability of Keeper Universal Secrets Sync, which officially launched on June 4th. The new capability within its KeeperPAM platform automatically distributes credentials and secrets to external secrets managers and cloud platforms the instant they rotate, effectively closing the dangerous gap between stored secrets and what is actually running in live production environments.

For organizations operating across multi-cloud infrastructure, the challenge goes beyond simple exposure. The deeper risk is drift, a condition where credentials stored in a PAM platform fall progressively out of sync with what is actively running in production pipelines. The consequences span access failures, delayed incident response, and the emergence of shadow secrets that carry active privileges no security team can monitor, govern, or revoke. According to global research cited by the company, 86 percent of IT and security leaders acknowledge their organization would benefit from a PAM solution, yet even among those with PAM already in place, 46 percent still struggle to manage privileged access consistently across cloud and hybrid environments.

Universal Secrets Sync is designed to close that gap entirely. The feature monitors one or more Keeper Secrets Manager shared folders and automatically distributes their contents to configured cloud targets, including AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

When a secret rotates within KeeperPAM, every connected cloud environment receives the updated credential automatically, without manual exports, custom integration scripts, or reconfiguration. Among its core capabilities, the feature includes automatic sync that pushes updates to all connected cloud targets the moment a change occurs, with the Gateway processing and distributing updates silently in the background. A Dry Run mode allows security teams to preview precisely what will change before any secret is distributed, making the feature compatible with change control requirements and environments demanding additional oversight. Multi-folder sync enables secrets from several Keeper shared folders to be synchronized within a single configuration, while a dedicated Sync Identity function allows administrators to assign a least-privilege IAM role, managed identity, or service account for the Keeper Gateway to use during sync operations. The system also features automatic error recovery, surfacing missing secrets and permission errors before sync failures go undetected.

Craig Lurey, CTO and Co-founder of Keeper Security, described secrets drift as one of the most underappreciated risks in enterprise security today. He noted that organizations routinely leave stale credentials active in downstream cloud environments when distribution depends on manual processes, and that Universal Secrets Sync makes distribution both automatic and fully auditable, with every rotation updating all connected targets simultaneously.

Beyond automated distribution, Universal Secrets Sync also delivers flexible retrieval options tailored to different workloads. Cloud-native applications requiring high throughput and low latency can continue reading directly from AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager using native SDKs and IAM controls, a suitable path for services handling millions of retrievals daily. For CI/CD pipelines, internal scripts, and services running outside cloud environments, developers can retrieve secrets directly from Keeper Secrets Manager via the KSM SDK or CLI, maintaining full zero-knowledge protection end-to-end. The result is a single source of truth supported by two complementary access patterns.

Keeper Universal Secrets Sync is available now as part of KeeperPAM and is included in all existing KeeperPAM licenses.
