
CyberArk Conjur

Role-based secrets management for modern cloud infrastructure

Conjur secures secrets and manages machine identities across cloud toolchains using policy-driven access control, REST APIs, and industry-standard cryptography.


Overview

Secure Secrets for Cloud-Native Infrastructure

Conjur is a secrets management platform designed for DevOps teams and security engineers managing modern cloud environments. It provides centralized control over secrets, credentials, and machine identities across IaaS, CI/CD pipelines, container orchestration, and configuration management tools.

Policy-Driven Access Control

At its core, Conjur uses Machine Authorization Markup Language (MAML), a role-based policy language written in YAML. Policy statements declare roles (users, groups, hosts, layers), resources (variables, webservices), grants that place one role inside another, and permits that give a role privileges such as read, execute or update on a resource. Because policies are plain text files, teams can version-control them alongside infrastructure code and review changes like any other commit. The platform manages identity lifecycles for both humans and machines, issues short-lived signed authentication tokens, and enforces these permission models through a REST API.
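As an added example (not code from the Conjur project), the following Ruby script parses a small constructed policy in this YAML format and evaluates the access question it encodes: can a given host fetch a given variable? It keeps the YAML tags that a plain YAML.load would drop, namespaces ids under their enclosing policy, and follows grants transitively, which is how a host placed in a layer ends up with the layer's privileges. The policy id, host names, variable and the account-less "kind:id" shape are assumptions for illustration; a real Conjur server additionally requires every referenced record to be declared and prefixes ids with the account name.

```ruby
require 'yaml'

# Constructed sample policy in Conjur's YAML policy format. The policy id,
# host names and variable are illustrative, not taken from the Conjur docs.
POLICY = <<~YAML
  - !policy
    id: myapp
    body:
      # A bare tag takes the enclosing policy's id, so this is layer "myapp"
      - !layer
      - !host app-01
      - !host batch-01
      - !variable db/password
      # Membership: app-01 inherits whatever the layer is permitted to do
      - !grant
        role: !layer
        member: !host app-01
      # Privileges are granted to the layer, never to individual hosts
      - !permit
        role: !layer
        privileges: [read, execute]
        resource: !variable db/password
YAML

Tagged = Struct.new(:tag, :value)

# Convert the Psych AST to plain Ruby data while keeping the local tags
# (!host, !grant, ...) that YAML.load would silently discard.
def to_tree(node)
  return to_tree(node.root) if node.is_a?(Psych::Nodes::Document)
  value = case node
          when Psych::Nodes::Sequence then node.children.map { |c| to_tree(c) }
          when Psych::Nodes::Mapping  then node.children.each_slice(2).to_h { |k, v| [to_tree(k), to_tree(v)] }
          when Psych::Nodes::Scalar   then node.value
          end
  node.tag ? Tagged.new(node.tag.delete_prefix('!'), value) : value
end

# Minimal model of Conjur's role graph: which roles are members of which,
# and which roles hold which privilege on which resource. Ids use the
# Conjur "kind:id" shape with the account prefix omitted (assumption).
class PolicyModel
  def initialize
    @members = Hash.new { |h, k| h[k] = [] } # role => roles directly granted into it
    @permits = Hash.new { |h, k| h[k] = [] } # [privilege, resource] => permitted roles
  end

  def load(statements, ns = '')
    statements.each do |stmt|
      next unless stmt.is_a?(Tagged)
      attrs = stmt.value.is_a?(Hash) ? stmt.value : { 'id' => stmt.value }
      case stmt.tag
      when 'policy' # everything in the body is namespaced under the policy id
        load(attrs['body'] || [], qualify(attrs['id'], ns))
      when 'grant'
        each_of(attrs['member']) { |m| @members[ref(attrs['role'], ns)] << ref(m, ns) }
      when 'permit'
        res = ref(attrs['resource'], ns)
        each_of(attrs['privileges']) { |priv| @permits[[priv, res]] << ref(attrs['role'], ns) }
      end
      # Plain declarations (!host, !variable, ...) need no bookkeeping for this check
    end
  end

  def allowed?(role, privilege, resource)
    roles_held_by(role).any? { |r| @permits[[privilege, resource]].include?(r) }
  end

  # A role holds itself plus every role it is transitively a member of
  def roles_held_by(role, seen = [])
    return seen if seen.include?(role)
    seen << role
    @members.each { |parent, kids| roles_held_by(parent, seen) if kids.include?(role) }
    seen
  end

  private

  def each_of(x, &blk)
    (x.is_a?(Array) ? x : [x]).each(&blk)
  end

  def qualify(id, ns)
    return ns if id.to_s.empty?             # bare tag: the policy's own id
    return id[1..] if id.start_with?('/')   # leading slash: absolute id
    ns.empty? ? id : "#{ns}/#{id}"
  end

  def ref(t, ns)
    id = t.value.is_a?(Hash) ? t.value['id'] : t.value
    "#{t.tag}:#{qualify(id, ns)}"
  end
end

def build_model(policy_yaml = POLICY)
  model = PolicyModel.new
  model.load(to_tree(YAML.parse(policy_yaml)))
  model
end

if __FILE__ == $PROGRAM_NAME
  m = build_model
  p m.allowed?('host:myapp/app-01', 'execute', 'variable:myapp/db/password')   # true, via the layer
  p m.allowed?('host:myapp/batch-01', 'execute', 'variable:myapp/db/password') # false, not in the layer
  p m.allowed?('host:myapp/app-01', 'update', 'variable:myapp/db/password')    # false, permit lacks update
end
```

The point to notice is that nothing in the policy permits app-01 directly: its access comes entirely from layer membership, so removing the grant (or moving the host to another layer) revokes it without touching any permit. That is the pattern that keeps a policy reviewable as the number of hosts grows.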

Enterprise-Grade Security

Conjur encrypts secrets at rest with AES-256-GCM and signs access tokens with 2048-bit RSA keys through the Slosilo cryptography library, which has undergone a professional security audit. The stored secrets and the signing keys are themselves encrypted under a master data key that is supplied to the service at startup and is not stored in the database. The service runs in Docker containers with PostgreSQL as its data store, supports multiple isolated accounts in one deployment, and integrates across the cloud toolchain. Organizations can enable the built-in authenticators and rotators or write custom extensions for specific workflows.

Highlights

Machine Authorization Markup Language (MAML) for declarative, role-based access policies
REST API for identity lifecycle management, secret storage, and authorization
AES-256-GCM encryption with audited Slosilo cryptography library
Native integrations across IaaS, CI/CD, container orchestration, and configuration management

Pros

  • Policy-as-code approach enables version control and GitOps workflows
  • Multi-tenant architecture supports isolated accounts within single deployment
  • Extensible authenticator and rotator framework for custom integrations
  • Professional cryptographic audit of the Slosilo library provides security assurance

Considerations

  • Requires PostgreSQL database management and backup strategy
  • Master data key loss results in unrecoverable encrypted data
  • Docker-centric deployment may require adaptation for non-containerized environments
  • Ruby-based codebase may limit contributor pool compared to Go or Python projects

Managed products teams compare with

When teams consider CyberArk Conjur, these hosted platforms usually appear on the same shortlist.


Akeyless

Cloud-native SaaS platform for unified secrets management and machine identity security


AWS Secrets Manager

Managed service for securely storing, retrieving, and rotating application secrets (credentials, API keys, etc.)


Azure Key Vault

Cloud service for secure storage and management of cryptographic keys, secrets, and certificates

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • DevOps teams managing secrets across multi-cloud and hybrid infrastructure
  • Organizations requiring policy-driven access control with audit trails
  • Teams seeking container-native secrets management with Kubernetes integration
  • Enterprises needing multi-tenant secret isolation within shared infrastructure

Not ideal when

  • Teams without container orchestration or Docker expertise
  • Projects requiring secrets management without external database dependencies
  • Organizations unable to implement robust master key backup procedures
  • Small teams seeking turnkey SaaS solutions without self-hosting requirements

How teams use it

CI/CD Pipeline Secret Injection

Securely deliver database credentials and API keys to build agents without hardcoding secrets in repositories or environment variables
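An added example, not code from the Conjur project or its client libraries, of the two REST calls a build agent makes to pick up a secret: authenticate as a host with its API key, then present the returned access token in the Authorization header when reading the variable. The base URL, account, host login and variable id are assumptions; the sample token is constructed for the offline helpers and carries a placeholder signature.

```ruby
require 'base64'
require 'erb'
require 'json'
require 'net/http'

# Assumptions (constructed for this example): account "myorg", a host whose
# login is "host/myapp/app-01", and the variable id "myapp/db/password".
ACCOUNT = 'myorg'

# Record ids travel in the URL path, so the "/" inside a login or variable
# id must be %2F-encoded; ERB::Util.url_encode does that.
def authenticate_path(account, login)
  "/authn/#{account}/#{ERB::Util.url_encode(login)}/authenticate"
end

def variable_path(account, variable_id)
  "/secrets/#{account}/variable/#{ERB::Util.url_encode(variable_id)}"
end

# The access token returned by /authenticate is a JSON document; requests
# carry it base64-encoded in a "Token token=..." Authorization header.
def auth_header(token_json)
  %(Token token="#{Base64.strict_encode64(token_json)}")
end

# Read the subject and expiry out of a token without verifying it: the server
# checks the signature, the client only needs to know when to re-authenticate
# (tokens are valid for 8 minutes from their iat claim).
def token_claims(token_json)
  payload = JSON.parse(Base64.decode64(JSON.parse(token_json)['payload']))
  { subject: payload['sub'], expires_at: Time.at(payload['iat'] + 8 * 60) }
end

# A constructed token in the Slosilo JSON shape; the signature is a placeholder.
SAMPLE_TOKEN = JSON.generate(
  'protected' => Base64.strict_encode64('{"alg":"conjur.org/slosilo/v2","kid":"example-key-id"}'),
  'payload'   => Base64.strict_encode64('{"sub":"host/myapp/app-01","iat":1700000000}'),
  'signature' => Base64.strict_encode64("\x00" * 8)
)

# The flow a build agent runs at job start. The API key is the long-lived
# credential: keep it in the CI system's own secret store, never in the repo.
def fetch_secret(base_url, login, api_key, variable_id)
  uri = URI(base_url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    res = http.post(authenticate_path(ACCOUNT, login), api_key)
    raise "authentication failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res = http.get(variable_path(ACCOUNT, variable_id), 'Authorization' => auth_header(res.body))
    raise "fetch failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end
end

if __FILE__ == $PROGRAM_NAME
  puts token_claims(SAMPLE_TOKEN)[:subject] # host/myapp/app-01
  # fetch_secret('https://conjur.example.internal', 'host/myapp/app-01',
  #              ENV.fetch('CONJUR_API_KEY'), 'myapp/db/password')
end
```

Because the token expires after 8 minutes, an agent should authenticate per job rather than cache the token across runs, and a failed fetch is worth surfacing loudly: a 403 here usually means the host is missing from the layer the policy permits, not that the secret is absent.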

Kubernetes Workload Authentication

Authenticate pods and containers using machine identities, then retrieve secrets based on role-based policies tied to service accounts

Multi-Environment Access Control

Define separate policies for dev, staging, and production environments while maintaining centralized secret storage and rotation

Automated Credential Rotation

Schedule regular rotation of database passwords and API tokens using built-in rotators, reducing exposure window for compromised credentials

Tech snapshot

Ruby 78%
Gherkin 18%
Shell 4%
Python 1%
HTML 1%
CSS 1%

Tags

machine-identity, conjbot-notify, secret-distribution, secret-management, secrets, dap, conjur, core, conjur-cloud

Frequently asked questions

What happens if I lose the CONJUR_DATA_KEY?

All encrypted data becomes permanently unrecoverable. The master data key encrypts every secret, API key and token-signing key in the database, so it must be backed up securely, separately from the database backups, before the server holds anything of value.

Can Conjur run without Docker containers?

Conjur is designed for Docker-based deployment with PostgreSQL. While technically possible to run outside containers, the architecture and documentation assume containerized environments.

How does multi-tenancy work in Conjur?

Conjur supports multiple isolated accounts within a single database. Each account has its own token-signing key and policy namespace, managed through the /accounts service with policy-controlled access.

What is MAML and why use it?

Machine Authorization Markup Language is Conjur's declarative, YAML-based policy language for defining roles, resources, and permissions. It brings infrastructure-as-code practices to security policy: policies live in version control and go through peer review before they are loaded.

How do I migrate from Conjur Open Source to Enterprise Edition?

CyberArk provides a migration guide in the repository (design/MIGRATION.md) that documents the data migration process from the open-source version to Conjur Enterprise Edition.

Project at a glance

Status: Active
Stars: 906
Watchers: 906
Forks: 141
Repo age: 9 years old
Last commit: 2 months ago
Primary language: Ruby

Last synced 3 hours ago