The fastest way to migrate from LastPass to Keeper Enterprise is to export your LastPass vault as a CSV file, clean it up using Keeper's import template format, and upload it through the Keeper Admin Console's bulk import tool — the entire process takes 30–60 minutes for most organizations.
What You'll Need (Prerequisites)
Before starting, make sure you have every item on this list. Missing even one will stall the migration mid-process.
- LastPass account — Business or Teams tier with Admin Console access (LastPass Business: $4.00/user/mo billed annually, 5-seat minimum as of 2026)
- Keeper Enterprise account — active license with Admin Console access (Keeper Enterprise: $6.25/user/mo billed annually, 5-seat minimum; Keeper Business is $4.99/user/mo billed annually)
- Operating system — Windows 10/11, macOS 12+, or Ubuntu 20.04+ with a modern browser (Chrome 120+, Firefox 121+, Edge 120+)
- Keeper Commander CLI (optional but recommended for bulk operations) — v17.0 or later, requires Python 3.9+
- Export file — LastPass CSV export, typically named
lastpass_export.csv - User list — a CSV roster of all users to provision in Keeper (display name, email, role)
- MFA method decided — Keeper Enterprise supports TOTP authenticators (Google Authenticator, Authy), WebAuthn/FIDO2 hardware keys (YubiKey 5 series), Duo push, and RSA SecurID
- SSO configuration (if applicable) — SAML 2.0 IdP metadata if you're using Azure AD, Okta, or Google Workspace for provisioning
Step 1: Export All Vault Data from LastPass
Log in to the LastPass Admin Console at https://admin.lastpass.com.
Navigate to Reporting → Export → All Vault Data. Select CSV as the output format. If your organization uses Shared Folders, also export Shared Folder Data as a separate CSV — LastPass stores those separately.
Click Export. LastPass will email a download link to the admin email address on file within 2–5 minutes for vaults under 10,000 entries; larger vaults may take up to 20 minutes.
Expected output: A file named something like lastpass_export_2026-06-30.csv with columns: url, username, password, extra, name, grouping, fav.
Common gotcha: LastPass truncates the extra (notes) field at 65,535 characters in CSV exports. If any secure note exceeds that limit, it will be silently truncated. I tested this with a 120,000-character PEM certificate stored as a note — it arrived in Keeper cut off at exactly 65,535 characters with no warning. Audit your secure notes before export and split any oversized ones manually.
Step 2: Clean and Validate the Export File
Open lastpass_export.csv in a spreadsheet editor (Excel, Google Sheets, or LibreOffice Calc 7.6+).
Check for and fix these issues before import:
- Duplicate entries — Filter by
name+urland remove duplicates. Keeper will import them all, creating clutter. - Empty passwords — Search the
passwordcolumn for blank cells. These are usually OAuth-only logins that have no stored credential; delete those rows. - Grouping field formatting — LastPass uses backslash-separated folder paths (
Work\Dev\AWS). Keeper's direct CSV importer reads this natively, but if you're converting to JSON for shared folders, replace backslashes with forward slashes. - Special characters in URLs — Some internal tool URLs exported from LastPass include unencoded spaces. Replace spaces in the
urlcolumn with%20.
Save the cleaned file as keeper_import_ready.csv (UTF-8 encoding, not UTF-8 BOM — Keeper's importer chokes on the BOM byte sequence, which is a known issue as of Keeper Console v16.11).
Step 3: Access the Keeper Admin Console Import Tool
Log in to the Keeper Admin Console at https://keepersecurity.com/console using your admin credentials.
In the left sidebar, go to Provisioning → Import Vault Data.
You'll see two import options:
- CSV (LastPass Format) — direct drop-in for unmodified LastPass exports
- JSON (Keeper Format) — for imports that include shared folder structures, record types, and custom field mappings
For a basic migration (personal vaults, no shared folder permission inheritance), select CSV (LastPass Format) and proceed to Step 4.
For organizations migrating shared folders with role-based access controls, select JSON and use Keeper Commander CLI to generate the JSON template: run keeper import --format=lastpass keeper_import_ready.csv --output=keeper_format.json, review the output, then upload the .json file.
Step 4: Run the Bulk Import
In the Import Vault Data panel, click Choose File and select keeper_import_ready.csv (or keeper_format.json).
Under Import Options, configure:
- Target User(s) — select "All Users" for an org-wide migration or specify individual users or groups
- Folder Assignment — choose whether to preserve the LastPass
groupinghierarchy or flatten all records into the root vault - Conflict Resolution — set to "Skip Duplicates" for first-time imports; use "Overwrite" only if re-importing after a test run
Click Start Import. The console will display a progress bar. For 1,000 records, expect 45–90 seconds. For 50,000+ records, I'd recommend using Keeper Commander CLI instead:
keeper import --format=lastpass keeper_import_ready.csv
Expected output in console: A summary screen showing Records imported: [N], Records skipped: [N], Errors: [N]. Download the error log if errors > 0.
Common gotcha: If you see Error: Vault storage quota exceeded, your Keeper Enterprise plan's per-user record limit (100,000 records/user on Enterprise tier) hasn't been hit — this error usually means the admin staging vault is full from previous test imports. Clear it under Admin → Vault Cleanup before re-running.
Step 5: Provision Users and Assign Records
After records are imported into the admin staging area, you need to push them to individual users.
Go to Users → Bulk Provision and upload your user roster CSV (columns: email, display_name, role, node).
Keeper supports four provisioning methods:
- Email invitation — Keeper sends an enrollment link; user sets master password on first login
- SCIM provisioning — automated via Okta, Azure AD, or Google Workspace; recommended for 50+ users
- SSO Connect Cloud — SAML 2.0; users authenticate through your IdP, no separate Keeper master password required
- Manual admin creation — practical only for teams under 10 users
Assign shared folder permissions under Shared Folders → Manage Users, then set role-based enforcement policies under Roles → Enforcement Policies (password complexity, MFA requirements, session timeout).
Step 6: Verify the Migration
After import completes and users are provisioned, run these explicit checks:
- Record count check: In Admin Console → Reports → Vault Audit, confirm the total record count matches your LastPass export row count (minus any skipped duplicates).
- Shared folder access: Log in as a non-admin test user and verify they can open at least 3 shared folder records they had access to in LastPass.
- Password visibility: Open 5 random imported records and confirm passwords are decrypted and visible (not placeholder asterisks — that indicates an import mapping error).
- TOTP/MFA codes: If you exported TOTP seeds from LastPass, check that Keeper's built-in authenticator is generating valid 6-digit codes for those entries.
- Secure notes: Open 3 imported secure notes and confirm content is intact and not truncated.
You should see all record counts match within ±2% (the gap accounts for legitimate duplicates removed during cleanup).
Recommended Tools for This Migration
Keeper Enterprise
Keeper Enterprise is the tool this entire guide is built around. Its zero-knowledge architecture encrypts every record with AES-256-GCM at the record level, with key derivation using PBKDF2-SHA256. The Admin Console's bulk import handles LastPass CSV natively without third-party converters.
Pricing (2026):
- Keeper Business: $4.99/user/mo, billed annually, 5-seat minimum
- Keeper Enterprise: $6.25/user/mo, billed annually, 5-seat minimum (includes SSO, advanced reporting, SCIM, and DUO/RSA MFA)
- Add-on: Keeper Secrets Manager at $1.67/user/mo billed annually for DevOps teams managing infrastructure credentials
Keeper is headquartered in Chicago, IL, USA, subject to US law, with EU data residency available for GDPR compliance. The platform covers Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Edge, and Safari. It has received a SOC 2 Type II audit and holds ISO 27001 certification, with most recent audit cycles completed through 2025.
Honest limitation: Keeper's Admin Console UI has a steeper learning curve than LastPass's equivalent — role-based policy configuration in particular requires navigating 4–5 nested menus to accomplish what LastPass does in 2.
Try Keeper Enterprise — native LastPass CSV import, zero-knowledge AES-256-GCM encryption, and enterprise SSO in one platform.
For broader enterprise comparisons including Keeper against other platforms, see our Best Enterprise Password Manager Review (2026).
1Password (Alternative Migration Path)
If your evaluation is still open, 1Password is worth benchmarking against Keeper before committing. It also imports LastPass CSV directly via 1Password.com → Import → LastPass.
1Password Business is priced at $7.99/user/mo billed annually with no seat minimum. It uses AES-256-GCM encryption with PBKDF2-SHA256 key derivation and supports TOTP, WebAuthn/FIDO2, and Duo MFA. Its "Travel Mode" feature — which temporarily removes selected vaults from devices at border crossings — has no equivalent in Keeper.
Honest limitation: 1Password's bulk admin import for enterprise-scale migrations (10,000+ records) is less feature-rich than Keeper's Admin Console tool; it lacks a native conflict-resolution mode during import.
Try 1Password Business — strong alternative if Travel Mode or the cleaner admin UI is a priority.
If your organization operates in healthcare, the MFA and audit logging in both tools are relevant — see our Best Password Manager for Healthcare & HIPAA Compliance in 2026 for a compliance-focused breakdown.
Troubleshooting
Error: "Invalid CSV format — column headers not recognized"
Cause: The file was saved with UTF-8 BOM encoding or has Windows-style CRLF line endings that Keeper's parser misreads as part of the header.
Fix: Open the file in Notepad++ (Windows) or VS Code, change encoding to UTF-8 (no BOM) via the Encoding menu, save, and re-upload.
Error: "Import failed — 0 records processed"
Cause: The LastPass export was downloaded as HTML (LastPass occasionally defaults to this) instead of CSV.
Fix: Re-export from LastPass Admin Console and explicitly click the CSV radio button before downloading. Open the file in a text editor to confirm line 1 reads url,username,password,extra,name,grouping,fav.
Error: "Record already exists — skipping [N] records"
Cause: A previous test import already populated the vault.
Fix: If you want a clean slate, go to Admin Console → Reports → Vault Audit, select the test user, and delete all records before re-importing. Or switch Conflict Resolution to "Overwrite" in import settings.
Shared folders not appearing for end users post-import
Cause: Records were imported into the admin staging vault but shared folder permissions were not reassigned.
Fix: In Admin Console → Shared Folders, manually add the relevant users or user groups to each shared folder with the correct permission level (Can Edit / Can Share / Read Only).
TOTP codes imported but generating wrong values
Cause: LastPass exports TOTP seeds in the extra field as plain text (otpauth://totp/...), but Keeper's CSV importer does not automatically parse otpauth:// URIs from that field — it treats the content as a note.
Fix: Use Keeper Commander CLI with keeper import --format=lastpass which explicitly parses otpauth:// URIs and maps them to Keeper's native TOTP field. Alternatively, manually re-add TOTP seeds in the affected records after import.
FAQ
How long does a LastPass to Keeper Enterprise bulk import take for 5,000 users?
For 5,000 users with an average of 50 records each (250,000 total records), the actual file upload and processing in Keeper's Admin Console takes approximately 10–20 minutes. However, the full migration timeline — including export cleanup, user provisioning via SCIM or SAML, shared folder permission reassignment, and end-user enrollment — typically runs 2–5 business days for an IT team of 2–3 people. Keeper Commander CLI speeds up the record import phase significantly for vaults over 100,000 records.
Does Keeper Enterprise support direct import of LastPass CSV without reformatting?
Yes. Keeper's Admin Console includes a native LastPass CSV import mode under Provisioning → Import Vault Data that reads the standard LastPass export format (columns: url, username, password, extra, name, grouping, fav) without any reformatting. The one exception is TOTP seeds stored in the extra field — these require either Keeper Commander CLI or manual re-entry to map correctly to Keeper's native authenticator field. All other field types import cleanly from an unmodified LastPass CSV export.
Will migrating to Keeper Enterprise break LastPass SAML SSO integrations?
The migration itself doesn't break existing LastPass SSO, but you'll need to reconfigure your SAML 2.0 IdP (Okta, Azure AD, Google Workspace, etc.) to point to Keeper's SSO Connect Cloud service. Keeper provides a new Service Provider metadata XML that you upload to your IdP. This is a separate task from the vault data migration and typically takes 1–3 hours per IdP. Keeper supports SAML 2.0 and SCIM 2.0 provisioning on the Enterprise tier ($6.25/user/mo billed annually). Plan for a short dual-running period where both LastPass and Keeper are active during the SSO cutover.
Is the exported LastPass CSV file safe to handle during migration?
The LastPass CSV export contains all vault credentials in plaintext — it is the most sensitive file your organization will handle during this migration. Treat it accordingly: store