# Architecture

## System Architecture

In Keeper's model, all your servers, CI/CD pipelines, developer environments and source code pull secrets from a secure API endpoint.

The client device retrieves **encrypted ciphertext** from the Keeper cloud and the secrets are decrypted locally on the device (not on the server). Each secret is encrypted with a 256-bit AES key, and then encrypted again by another AES-256 Application Key.

On top of Zero-Knowledge encryption, every request to the server is also encrypted with an AES-256 Transmission Key in addition to TLS, to prevent MITM or replay attacks. This multi-layered cryptography is handled transparently by our client-side SDKs, which are easy to integrate into any environment.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FMsOUZw5soC8Xyi4dSPuT%2Fsecrets-manager-diagram.png?alt=media&#x26;token=b58ec693-cbe8-4fb9-b08a-2b87d8b9cc14" alt=""><figcaption></figcaption></figure>

## High Availability and Local Cache

Keeper's infrastructure serves requests for millions of users and tens of thousands of Enterprise customers every day.

Keeper Secrets Manager benefits from the existing Keeper platform architecture and also offers an optional offline caching mechanism in all Secrets Manager SDK endpoints.

Each client device platform provides an optional local caching component. If the Keeper endpoint is unavailable, the client device will pull the last requested secrets from a local encrypted cache.
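The two encryption layers and the cache fallback described above, sketched as an added Node.js example (this is not Keeper's SDK code or wire format). AES-256-GCM, the blob layout, the synchronous `fetchStored` callback and the `protect`, `reveal` and `getSecret` names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM is an assumption of this sketch; the page states only "AES-256".
// seal() returns nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// open() throws if the key is wrong or any byte of the blob was modified.
function open(key, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// What the server side stores for one secret: two ciphertexts, no usable key.
function protect(appKey, secret) {
  const recordKey = crypto.randomBytes(32); // per-secret 256-bit key
  const data = seal(recordKey, Buffer.from(secret));
  return { wrappedKey: seal(appKey, recordKey), data };
}

// Runs on the client device: unwrap the record key, then decrypt the secret.
function reveal(appKey, stored) {
  return open(open(appKey, stored.wrappedKey), stored.data).toString('utf8');
}

// Fetch with fallback: the cache keeps the last ciphertext, never plaintext.
function getSecret(appKey, fetchStored, cache) {
  let stored;
  try {
    stored = fetchStored(); // hypothetical call to the endpoint
    cache.last = stored;
  } catch (e) {
    if (!cache.last) throw e; // nothing cached yet: surface the outage
    stored = cache.last;
  }
  return reveal(appKey, stored);
}

// Demo with a constructed key and secret.
const demoKey = crypto.randomBytes(32);
console.log(getSecret(demoKey, () => protect(demoKey, 's3cr3t'), {}));
```

Because the cache holds the same ciphertext the endpoint returned, a stolen cache file is only useful to someone who also holds the Application Key.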

## Encryption Model

More details about the security and encryption model are [available here](/en/keeperpam/secrets-manager/about/security-encryption-model.md).


