System Architecture

Keeper Password Rotation architecture diagram and data flow

System Architecture Diagram

The Keeper Rotation Module infrastructure diagram is below.

Data Flow

  1. Keeper Admin schedules rotation or clicks ‘Rotate Now’ from the Vault interface

  2. Keeper backend schedules the rotation using the Record UID

  3. Keeper Gateway establishes an outbound WebSocket connection, receives the request to rotate, and pulls the needed records using Keeper Secrets Manager APIs

  4. The Keeper Gateway generates new credentials and updates both Keeper and the target resource

  5. The Gateway runs custom post-execution scripts on the Gateway or target machines

  6. Client devices securely retrieve the updated record using Keeper Secrets Manager

  7. Vault end-users receive the latest rotated information on the Keeper Vault user interface

  8. Keeper's Advanced Reporting & Alerts module logs all events and triggers alerts


Keeper Gateway

The Keeper Gateway is a lightweight service that is installed in the customer's environment and communicates outbound to Keeper services. The Gateway performs rotation, discovery and connections to assets on the network. The Gateway receives commands from the Keeper Router, then uses Keeper Secrets Manager APIs to authenticate, communicate with and decrypt data from the Keeper cloud.

Keeper Router

The Keeper Router is Keeper-hosted infrastructure that manages connections between Keeper and Rotation Gateways. The Cloud Router provides real-time messaging and communication between the Keeper Vault, the customer Gateway and Keeper backend services.

Keeper Backend API

Keeper's Backend API is the endpoint which all Keeper client applications communicate with. Client applications encrypt data locally and transmit encrypted ciphertext to the API in a Protocol Buffer format.


Keeper-hosted infrastructure that manages timing and logistics around scheduled rotation of credentials across the target infrastructure.

Admin Console

The management console used to set and enforce policies across all Keeper components.

Client Applications

The end-user interface for managing the vault and rotating passwords.
