The Challenge
What Keeper Was Facing
Keeper provides secrets management for engineering teams — API keys, database credentials, TLS certificates — and the security bar for such a platform is exceptionally high. Every architectural decision had to assume breach: secrets had to be encrypted with keys the platform operator could not access, every read and write had to be immutably logged, and access had to be revocable instantly. Performance could not be sacrificed for security.
The Solution
What We Built
We built the encryption layer on AWS KMS with envelope encryption — each secret encrypted with a data key, the data key encrypted with a KMS CMK, and the CMK never leaving the HSM. The platform used a CQRS pattern: writes appended to an immutable event store (the audit log), with a projection worker maintaining the current state of each secret for fast reads. Access policies were evaluated by a dedicated authorization service using OPA (Open Policy Agent). All access flowed through an mTLS-authenticated API gateway with no public ingress.
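The envelope-encryption chain described above, as an added Go example that is not the platform's own code: a fresh data key per secret, the secret sealed under it with AES-GCM, and the data key wrapped by KMS so only the wrapped form is persisted. The KMS calls are replaced here by hypothetical `kmsWrap`/`kmsUnwrap` stand-ins over an in-memory key-encryption key (`kek`) so the block runs offline; in production those two calls are the HSM boundary.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is what gets persisted per secret; the plaintext data key is never stored.
type Envelope struct{ WrappedKey, Ciphertext []byte } // Ciphertext is nonce||AES-GCM output
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal returns nonce||ciphertext under AES-GCM with a fresh random 96-bit nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; any change to nonce or ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(sealed) >= n { return aead.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, errors.New("sealed data too short")
}
// kmsWrap/kmsUnwrap are hypothetical stand-ins for KMS GenerateDataKey/Decrypt, which run
// inside KMS under a CMK that never leaves the HSM; here an in-memory kek plays that role.
func kmsWrap(kek, dataKey []byte) ([]byte, error)   { return seal(kek, dataKey) }
func kmsUnwrap(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped) }
// EncryptSecret: fresh 256-bit data key per secret, secret sealed under it, data key
// wrapped by KMS. Only the envelope leaves this function; the data key is discarded.
func EncryptSecret(kek, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil { return Envelope{}, err }
	wrapped, err := kmsWrap(kek, dataKey)
	if err != nil { return Envelope{}, err }
	ct, err := seal(dataKey, plaintext)
	if err != nil { return Envelope{}, err }
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}
// DecryptSecret unwraps the data key via KMS (where access is enforced and revoked), then opens locally.
func DecryptSecret(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := kmsUnwrap(kek, env.WrappedKey)
	if err != nil { return nil, err }
	return open(dataKey, env.Ciphertext)
}
```

Revoking a principal's KMS access makes `kmsUnwrap` fail for every envelope at once, which is what makes revocation instant without re-encrypting stored secrets.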

Results
