The Challenge
What Keeper Was Facing
Keeper provides secrets management for engineering teams — API keys, database credentials, TLS certificates — and the security bar for such a platform is exceptionally high. Every architectural decision had to assume breach: secrets had to be encrypted with keys the platform operator could not access, every read and write had to be immutably logged, and access had to be revocable instantly. Performance could not be sacrificed for security.
The Solution
What We Built
We built the encryption layer on AWS KMS with envelope encryption — each secret was encrypted with a per-secret data key, the data key was encrypted with a KMS CMK, and the CMK never left the HSM. The platform was designed around a CQRS pattern: writes went to an append-only event store (the audit log), and a projection worker maintained the current state of each secret for fast reads. Access policies were evaluated by a dedicated authorization service using OPA (Open Policy Agent) — fully programmable and independently testable. The entire deployment ran in a hardened VPC with no public ingress; all access was via an mTLS-authenticated API gateway.

Results
