Conjur provides secrets management and application identity for modern infrastructure:
Note: our badges and social media buttons never track you.
Table of contents generated with markdown-toc
Please refer to our Quick Start Guide for detailed information on using Conjur Open Source for the first time, or, refer to the Conjur docs for specific guides relating to setup, integrations, administration, and more.
We strongly recommend choosing the version of this project to use from the latest Conjur Open_Source suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version.
When upgrading your Conjur server running in a Docker Compose environment to the latest suite release version, please review the upgrade instructions. For any questions, please contact us on Discourse.
Our primary channel for support is through our CyberArk Commons community here
Migrating data from Conjur Open Source to Conjur EE is simple using our migration guide
Conjur is designed to run in a Docker container(s), using Postgresql as the
backing data store. It's easy to run both Conjur and Postgresql in Docker; see
the demo
directory for an example.
Conjur uses the DATABASE_URL
environment variable to connect to the database.
Typical options for this URL are:
pg
containerConjur creates and/or updates the database schema automatically when it starts
up. Migration scripts are located in the db/migrate
directory.
Conjur makes it easy to:
Detailed authenticator design documentation
Conjur makes it easy to:
Detailed rotator design documenation
Main article: Conjur Cryptography
Conjur uses industry-standard cryptography to protect your data.
Some operations require storage and management of encrypted data. For example:
authenticate
function issues a signed JSON token; the signing key is a
2048 bit RSA key which is stored encrypted in the databaseData is encrypted in and out of the database using Slosilo, a library which provides:
Slosilo has been verified by a professional cryptographic audit. Ask in our CyberArk Commons community for more details. (You can join here.)
When you start Conjur, you must provide a Base64-encoded master data key in the
environment variable CONJUR_DATA_KEY
. You can generate a data key using the
following command:
$ docker run --rm conjur data-key generate
Do NOT lose the data key, or all the encrypted data will be unrecoverable.
Conjur supports the simultaneous operation of multiple separate accounts within the same database. In other words, it's multi-tenant.
Each account (also called "organization account") has its own token-signing private key. When a role is authenticated, the HMAC of the access token is computed using the signing key of the role's account.
Accounts can be listed, created, and deleted via the /accounts
service.
Permission to use this service is controlled by the built-in resource
!:webservice:accounts
. Note that !
is itself an organization account, and
therefore privileges on the !:webservice:accounts
can be managed
via Conjur policies.
Starting from version 0.1.0, this project follows Semantic Versioning.
If you’re interested in running Conjur locally and learning about how it works, please see our Contributing Guide. It includes helpful instructions for Conjur development and debugging, including:
If you have any questions, please open an issue or ask us on Discourse.
The Conjur server (as in, the code within this repository) is licensed under the Free Software Foundation's GNU LGPL v3.0. This license was chosen to ensure that all contributions to the Conjur server are made available to the community. Commercial licenses are also available from CyberArk.
The Conjur API clients and other extensions are licensed under the Apache Software License v2.0.
Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.