conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities

Conjur provides secrets management and application identity for modern infrastructure:

  • Machine Authorization Markup Language ("MAML"), a role-based
    access policy language to define system components & their roles,
    privileges and metadata
  • A REST web service to:
    • manage identity life cycles for humans and machines
    • organize and search roles and data in your secrets infrastructure
    • authorize access to resources using a sophisticated permission model
    • store secrets and make them available securely
  • Integrations throughout the cloud toolchain:
    • infrastructure as a service (IaaS)
    • configuration management
    • continuous integration and deployment (CI/CD)
    • container management and cloud orchestration

Note: our badges and social media buttons never track you.

Getting Started

Please refer to our Quick Start Guide for detailed information on using Conjur OSS for the first time, or, refer to the
Conjur docs for specific guides relating to setup, integrations, administration, and more.

Compatibility

We strongly recommend choosing the version of this project to use from the latest Conjur OSS
suite release. Conjur maintainers perform additional testing on the suite release versions to
ensure compatibility. When possible, upgrade your Conjur version to match the latest suite
release; when using integrations, choose the latest suite release that matches your Conjur version.

When upgrading your Conjur server running in a Docker Compose environment to the
latest suite release version, please review the
upgrade instructions. For any questions, please contact us on Discourse.

Community Support

Our primary channel for support is through our CyberArk Commons community.

Migrating to Conjur EE

Migrating data from Conjur Open Source to Conjur EE is simple using our migration guide.

Architecture

Conjur is designed to run in a Docker container(s), using Postgresql as the
backing data store. It's easy to run both Conjur and Postgresql in Docker; see
the demo directory for an example.

Database

DATABASE_URL environment variable

Conjur uses the DATABASE_URL environment variable to connect to the database.
Typical options for this URL are:

  • Local linked pg container
  • External managed database such as AWS RDS.

Database initialization

Conjur creates and/or updates the database schema automatically when it starts
up. Migration scripts are located in the db/migrate directory.

Authenticators

Conjur makes it easy to:

  • Enable and disable built-in authenticators
  • Secure access to authenticators using policy files
  • Create custom authenticators

Detailed authenticator design documentation

Rotators

Conjur makes it easy to:

  • Rotate variables regularly using built-in rotators
  • Create custom rotators

Detailed rotator design documentation

Secrets and keys

Main article: Conjur Cryptography

Conjur uses industry-standard cryptography to protect your data.

Some operations require storage and management of encrypted data. For example:

  • Roles can have associated API keys, which are stored encrypted in
    the database
  • the authenticate function issues a signed JSON token; the signing key is a
    2048 bit RSA key which is stored encrypted in the database

Data is encrypted in and out of the database
using Slosilo, a library which provides:

  • symmetric encryption using AES-256-GCM
  • a Ruby class mixin for easy encryption of object attributes into the database
  • asymmetric encryption and signing
  • a keystore in a Postgresql database for easy storage and retrieval of keys

Slosilo has been verified by a professional cryptographic audit. Ask in our
CyberArk Commons community for more details. (You can join here.)

Important: avoid data loss

When you start Conjur, you must provide a Base64-encoded master data key in the
environment variable CONJUR_DATA_KEY. You can generate a data key using the
following command:

$ docker run --rm conjur data-key generate

Do NOT lose the data key, or all the encrypted data will be unrecoverable.
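As an added illustration, not Slosilo's code and not Conjur's actual storage format, the following Ruby shows what AES-256-GCM encryption of a stored attribute under a Base64-encoded master data key looks like, and why a lost, wrong or swapped CONJUR_DATA_KEY leaves the stored values unrecoverable. The attribute id used as associated data and the iv || tag || ciphertext layout are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

IV_LEN  = 12 # GCM nonce length in bytes
TAG_LEN = 16 # GCM authentication tag length in bytes

# Produce a Base64-encoded 256-bit key, the shape CONJUR_DATA_KEY expects.
def generate_data_key
  Base64.strict_encode64(SecureRandom.random_bytes(32))
end

# Encrypt one attribute value under the data key with AES-256-GCM.
# The attribute id is bound in as associated data (an assumption of this
# example), so a ciphertext cannot be silently moved to another record.
# Output layout (also assumed): iv || tag || ciphertext.
def encrypt_attribute(data_key_b64, plaintext, attribute_id)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = Base64.strict_decode64(data_key_b64)
  iv = cipher.random_iv                 # fresh 12-byte nonce per record
  cipher.auth_data = attribute_id
  ciphertext = plaintext.empty? ? ''.b : cipher.update(plaintext) # update("") raises
  ciphertext << cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Reverse of encrypt_attribute. Raises OpenSSL::Cipher::CipherError when the
# key is wrong, the associated data differs, or the blob was modified.
def decrypt_attribute(data_key_b64, blob, attribute_id)
  raise ArgumentError, 'blob too short' if blob.bytesize < IV_LEN + TAG_LEN
  iv  = blob.byteslice(0, IV_LEN)
  tag = blob.byteslice(IV_LEN, TAG_LEN)
  ciphertext = blob.byteslice(IV_LEN + TAG_LEN, blob.bytesize)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = Base64.strict_decode64(data_key_b64)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = attribute_id
  plaintext = ciphertext.empty? ? ''.b : cipher.update(ciphertext)
  plaintext << cipher.final             # tag check happens here
end

# True only when the blob authenticates and decrypts under this key and id;
# a different data key (the "lost key" case) yields false, never plaintext.
def decryptable_with?(data_key_b64, blob, attribute_id)
  decrypt_attribute(data_key_b64, blob, attribute_id)
  true
rescue OpenSSL::Cipher::CipherError
  false
end
```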

Account management

Conjur supports the simultaneous operation of multiple separate accounts within
the same database. In other words, it's multi-tenant.

Each account (also called "organization account") has its own token-signing
private key. When a role is authenticated, the HMAC of the access token is
computed using the signing key of the role's account.

Accounts can be listed, created, and deleted via the /accounts service.
Permission to use this service is controlled by the built-in resource
!:webservice:accounts. Note that ! is itself an organization account, and
therefore privileges on the !:webservice:accounts can be managed
via Conjur policies.

Versioning

Starting from version 0.1.0, this project follows
Semantic Versioning.

Contributing

If you’re interested in running Conjur locally and learning about how it works,
please see our Contributing Guide. It includes helpful
instructions for Conjur development and debugging, including:

If you have any questions, please open an issue
or ask us on Discourse.

License

The Conjur server (as in, the code within this repository) is licensed under the
Free Software Foundation's GNU LGPL v3.0. This license was chosen to
ensure that all contributions to the Conjur server are made available to the
community. Commercial licenses are also available
from CyberArk.

The Conjur API clients and other extensions are licensed under
the Apache Software License v2.0.

Key metrics

Overview
Name and owner: cyberark/conjur
Primary programming language: Ruby
Programming languages: Ruby (number of languages: 9)
Platform:
License: Other
Owner activity
Created: 2016-06-28 21:18:07
Pushed: 2025-06-06 15:31:04
Last commit: 2025-04-03 13:13:03
Releases: 342
Latest release name: v1.22.0 (released on )
First release name: v0.1.0 (released on )
User engagement
Stars: 829
Watchers: 46
Forks: 127
Commits: 3.9k
Issues enabled?
Issues: 1109
Open issues: 138
Pull requests: 1497
Open pull requests: 31
Closed pull requests: 378
Project settings
Wiki enabled?
Archived?
Is a fork?
Locked?
Is a mirror?
Is private?