Architecture Diagram
Keeper Password Rotation architecture diagram and data flow
The KeeperPAM infrastructure and security model ensures zero-knowledge encryption between the end-user's device and the target infrastructure. Keeper's servers have no ability to decrypt or intercept the underlying sessions.

Components
Keeper Gateway
The Keeper Gateway is a service which is installed into the customer's environment and communicates outbound to Keeper services. The Gateway performs the rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses Keeper Secrets Manager APIs to authenticate, communicate and decrypt data from the Keeper cloud.
Keeper Router
The Keeper Router is infrastructure in Keeper's cloud that manages connections between Keeper and Rotation Gateways. The Cloud Router provides real-time messaging and communication between the Keeper Vault, customer gateway and Keeper backend services.
Keeper Relay
The Keeper Relay is infrastructure in Keeper's cloud that is responsible for establishing encrypted WebRTC connections between the end-user vault interface and the customer-hosted Keeper Gateway service.
Keeper Backend API
Keeper's Backend API is the endpoint which all Keeper client applications communicate with. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a Protocol Buffer format.
Scheduler
Keeper-hosted infrastructure that manages the timing and logistics of scheduled credential rotation across the target infrastructure.
Admin Console and Control Plane
The management console used to set and enforce policies across all Keeper components.
Client Applications
The end-user interface for managing the vault, rotating passwords, running discovery jobs, creating connections and managing tunnels.
Data Flow
1. A Keeper user performs an action (rotation, connection, tunneling, discovery) from the Vault interface, Admin Console, Commander CLI or another endpoint application.
2. The Keeper Gateway establishes an outbound WebSocket connection to the Keeper Router and receives the request to perform the action.
3. The Vault client application establishes a WebRTC connection to the customer-hosted Keeper Gateway.
4. The Keeper Gateway pulls the necessary secrets from the vault using Keeper Secrets Manager APIs.
5. The Keeper Gateway performs the action on the target infrastructure (such as rotating a credential) and updates the relevant Keeper vault records.
6. The Keeper Gateway runs any required privilege automation scripts on the Gateway or target machines using native protocols and APIs.
7. Client devices securely retrieve the updated record using Keeper Secrets Manager APIs.
8. Vault end-users receive push notifications indicating that new data is available for syncing.
9. The vault performs encrypted syncing with the Keeper cloud to retrieve the latest record content.
10. Keeper's Advanced Reporting & Alerts module logs all events and triggers alerts.
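The zero-knowledge property behind the gateway part of this flow (pull the secret, perform the rotation, write the record back), as an added Go model that is not Keeper's code: the backend only ever stores ciphertext, and only a party holding the record key can read or rotate it. The per-record AES-256-GCM key, the nonce-prefixed blob layout and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm builds an AES-256-GCM AEAD from a 32-byte record key. In the flow above
// only the vault client and the gateway (via Keeper Secrets Manager) hold it.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one record field; the random 12-byte nonce is prefixed, so
// the backend stores a single opaque blob and never sees plaintext.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or a modified blob fails authentication.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// GatewayRotate models the gateway's work: decrypt the stored record, use the
// old secret to rotate the account on the target (elided here), and return
// fresh ciphertext for the backend, which never sees either plaintext.
func GatewayRotate(recordKey, stored []byte, newPassword string) ([]byte, error) {
	if _, err := Open(recordKey, stored); err != nil {
		return nil, fmt.Errorf("gateway cannot decrypt record: %w", err)
	}
	return Seal(recordKey, []byte(newPassword))
}
```

A component that holds only the blob (the role the backend, router and relay play here) can neither read the old password nor forge a rotated one, which is the check worth running against any "zero-knowledge" claim.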