 – Complete Architecture, Deployment, HA, DR & Best Practices Guide 2026.png)
CyberArk Secrets Manager Self-Hosted (previously known as Conjur Enterprise) is CyberArk's enterprise-grade secrets management platform designed for DevOps, Cloud, Kubernetes, CI/CD pipelines, applications, containers, and Infrastructure-as-Code (IaC) environments.
Modern applications require access to thousands of secrets such as:
▢ Database passwords
▢ API keys
▢ SSH keys
▢ Cloud credentials
▢ Service account passwords
▢ Certificates
▢ Encryption keys
Managing these secrets manually creates significant security risks. CyberArk Secrets Manager Self-Hosted provides a centralized platform to securely store, manage, rotate, audit, and distribute secrets across hybrid and multi-cloud environments.
Organizations can accelerate DevOps adoption while maintaining compliance, security, and complete visibility into secret usage.
In traditional environments, credentials are often stored in:
▢ Application configuration files
▢ Source code repositories
▢ Shell scripts
▢ CI/CD pipelines
▢ Environment variables
▢ Shared documents
This creates major attack surfaces for cybercriminals.
CyberArk Secrets Manager eliminates these risks by:
▢ Centralizing secret storage
▢ Enforcing least privilege access
▢ Providing detailed auditing
▢ Supporting automated secret retrieval
▢ Integrating with Kubernetes and DevOps tools
▢ Supporting cloud-native applications
Many CyberArk professionals confuse Secrets Manager with the traditional CyberArk Digital Vault.
The traditional Vault primarily secures privileged accounts for human users and administrators.
Secrets Manager focuses on securing machine identities and application secrets.
For a deeper understanding of the Vault architecture, read:
🔗 CyberArk Vault Deep Dive Architecture
▢ Leader-Standby-Follower architecture
▢ Automatic failover support
▢ Manual failover support
▢ PostgreSQL streaming replication
▢ Synchronous replication
▢ Asynchronous replication
▢ Multi-data center deployment
▢ Disaster Recovery support
▢ Mutual TLS Authentication
▢ Server key encryption
▢ HSM Integration
▢ AWS KMS Integration
▢ Fine-grained access control
▢ Policy-based authorization
▢ Complete audit trail
▢ Active Directory Integration
▢ LDAP Integration
▢ SIEM Integration
▢ Kubernetes Integration
▢ Jenkins Integration
▢ GitLab Integration
▢ Azure DevOps Integration
▢ CyberArk PAS Integration
▢ Horizontal scaling using Followers
▢ Multiple regional deployments
▢ Auto-scaling support
▢ Low-latency secret retrieval
CyberArk Secrets Manager follows a highly available Leader-Standby-Follower architecture.
+----------------+
| Load Balancer |
+--------+-------+
|
+------------+------------+
| |
+-------+-------+ +-------+-------+
| Leader | | Standby |
+---------------+ +---------------+
|
|
+-------+-------+
| Standby |
+---------------+
|
Followers Cluster
|
+---------+----------+
| |
+-----------+ +-----------+
| Follower1 | | Follower2 |
+-----------+ +-----------+
The Leader is the central node of the Secrets Manager environment.
Responsibilities:
▢ Policy updates
▢ Secret creation
▢ Secret modifications
▢ User management
▢ Audit processing
▢ Write operations
There can only be one active Leader at any given time.
A Standby is an exact replica of the Leader.
Functions:
▢ Receives database replication
▢ Maintains synchronization
▢ Ready to become Leader
▢ Supports HA deployments
If the Leader fails, a Standby can be promoted automatically or manually.
Followers provide read-only access to applications.
Responsibilities:
▢ Authentication
▢ Authorization
▢ Secret retrieval
▢ Read scaling
Followers cannot perform write operations.
Attempting to write through a Follower results in an error.
Replication is one of the most important concepts in Secrets Manager.
In synchronous replication:
▢ Leader writes data
▢ Standby receives data immediately
▢ Transaction completes only after both nodes update
Benefits:
▢ Zero data loss
▢ Consistent database state
▢ Immediate failover readiness
CyberArk recommends having one synchronous Standby.
In asynchronous replication:
▢ Leader commits transaction first
▢ Replication occurs later
▢ Small delays may occur
Benefits:
▢ Better performance
▢ Geographic distribution
▢ Reduced latency
Followers receive data asynchronously.
Characteristics:
▢ Read-only nodes
▢ Horizontally scalable
▢ Application-facing
▢ Low latency
▢ Global deployment support
Secrets Manager supports automatic failover using:
▢ etcd
▢ Raft Consensus Algorithm
When Leader becomes unavailable:
▢ Cluster health is evaluated
▢ Standbys communicate via etcd
▢ Most up-to-date Standby is selected
▢ New Leader is promoted automatically
This minimizes downtime and maintains business continuity.
Organizations can also choose manual failover.
Advantages:
▢ Greater administrative control
▢ Suitable for regulated environments
▢ Simpler architecture
Disadvantages:
▢ Requires human intervention
▢ Longer recovery time
CyberArk recommends deploying DR Standbys in separate regions.
Example:
▢ Leader
▢ Sync Standby
▢ Async Standby
▢ DR Standby
Benefits:
▢ Regional disaster protection
▢ Business continuity
▢ Data recovery capability
If an entire region fails, DR Standby can be manually promoted.
For additional HA and DR concepts, read:
🔗 CyberArk Primary DR Vault Environment
🔗 CyberArk Distributed Vault Environment
🔗 Learn about CyberArk Digital Vault Cluster Environment
CyberArk recommends:
▢ 1 Leader
▢ 2 Standbys
▢ Minimum 2 Followers per Data Center
▢ Cluster Load Balancer
▢ Follower Load Balancer
This architecture provides:
▢ High Availability
▢ Scalability
▢ Disaster Recovery
▢ Fault Tolerance
Minimum recommended deployment:
▢ 1 Leader
▢ 1 Standby
▢ 1 Follower
▢ 2 Load Balancers
This setup closely resembles production environments and supports testing activities.
By default:
▢ All secrets replicate to every Follower
Organizations can improve security by using replication sets.
Example:
▢ India-related secrets only
▢ Europe-related secrets only
▢ US-related secrets only
Benefits:
▢ Reduced risk
▢ Better compliance
▢ Regional data isolation
▢ Lower attack surface
CyberArk strongly recommends Layer-4 Load Balancers.
Supported Examples:
▢ F5
▢ AWS ELB
▢ HAProxy
▢ NGINX TCP Load Balancing
Requirements:
▢ Preserve source IP
▢ Health check support
▢ TLS pass-through
▢ Route traffic only to active Leader
▢ 443 – UI/API Access
▢ 444 – Health Check
▢ 5432 – PostgreSQL Replication
▢ 1999 – Audit Stream
▢ 22 – Administrative Access
▢ 443 – UI/API
▢ 444 – Health Check
▢ 22 – Administrative Access
By default, server keys reside on local nodes.
CyberArk recommends protecting them using:
▢ Centralized key management
▢ Automated decryption
▢ Cloud-native protection
▢ Hardware-based protection
▢ Strong cryptographic security
▢ Compliance support
Secrets Manager records all activities.
Audit locations:
▢ audit.json
▢ audit.log
▢ Audit Database
Audited activities include:
▢ Secret retrieval
▢ Policy changes
▢ Authentication requests
▢ Authorization requests
▢ Administrative actions
CyberArk recommends forwarding audits to enterprise SIEM platforms.
Supported integrations include:
▢ Splunk
▢ QRadar
▢ ArcSight
▢ Sentinel
▢ 4 CPU Cores
▢ 16 GB RAM
▢ 50 GB Storage
▢ SSD for Auto-Failover
▢ 4 CPU Cores
▢ 16 GB RAM
▢ 50 GB Storage
▢ 2 CPU Cores
▢ 4 GB RAM
▢ 20 GB Storage
▢ 2 CPU Cores
▢ 4 GB RAM
▢ 20 GB Storage
CyberArk Secrets Manager supports:
▢ Docker
▢ Podman
▢ Kubernetes (Followers only)
▢ OpenShift (Followers only)
Important:
Leader and Standby nodes cannot run on Kubernetes.
Only Followers are supported on Kubernetes/OpenShift platforms.
CyberArk strongly recommends third-party certificates in production.
Required certificate attributes:
▢ Common Name (CN)
▢ Subject Alternative Names (SAN)
▢ Client Authentication
▢ Server Authentication
▢ Digital Signature
▢ Key Encipherment
Self-signed certificates should only be used for:
▢ Development
▢ Testing
▢ Proof-of-Concept environments
The Evoke utility is the primary administration tool.
Functions include:
▢ Configure Leader
▢ Configure Standby
▢ Configure Follower
▢ Generate Seed Files
▢ Backup Secrets Manager
▢ Restore Secrets Manager
▢ Configure Auto-Failover
▢ Manage Replication Sets
▢ Encrypt Server Keys
▢ Decrypt Server Keys
The Evoke utility is installed on every Secrets Manager node.
One of the most powerful capabilities is integration with CyberArk Privileged Access Manager.
Benefits:
▢ Automatic secret synchronization
▢ Vault-to-Conjur replication
▢ Unified secret governance
▢ Reduced operational effort
This allows organizations to leverage existing privileged credentials already managed inside CyberArk.
If you are new to CyberArk, start with:
🔗 CyberArk Tutorial for Beginners
▢ Deploy minimum 1 Leader and 2 Standbys
▢ Configure one synchronous Standby
▢ Deploy Followers near applications
▢ Use Layer-4 load balancers
▢ Enable audit forwarding to SIEM
▢ Use HSM or AWS KMS
▢ Use third-party certificates
▢ Implement disaster recovery Standbys
▢ Regularly perform evoke backups
▢ Test failover procedures periodically
CyberArk Secrets Manager Self-Hosted is one of the most powerful enterprise secrets management solutions available today. Its Leader-Standby-Follower architecture provides exceptional scalability, security, and resilience for modern DevOps and cloud-native environments.
With features such as auto-failover, disaster recovery, replication sets, HSM/KMS integration, Kubernetes support, and CyberArk PAS integration, organizations can securely manage machine identities and secrets at enterprise scale.
For professionals looking to master CyberArk Conjur and Secrets Manager technologies, practical hands-on training is essential.
🎓 CyberArk Conjur Self Paced Training
🎓 CyberArk Full Training – SecApps Learning
Mastering Secrets Manager today will prepare you for the growing demand for DevSecOps, cloud security, Zero Trust, and machine identity management roles in 2026 and beyond.
Your email address will not be published. Required fields are marked*
June 06 2026
 Certification Guide 2026 by SL.png)
June 04 2026
 Complete Guide 2026 – Identity Protection, Identity Threat Detection, AI-Powered Security Monitoring, Response Playbooks, and ISI Migration.png)
June 02 2026
May 30 2026
 Complete Guide – Architecture, Security, User Provisioning & Identity Governance.png)
May 29 2026
 Complete Guide – IdentityIQ, Identity Security Cloud (ISC), Certification, Architecture & Career Roadmap.png)
May 27 2026
 Complete Getting Started Guide – Architecture, Configuration & Real-World Implementation.png)
May 26 2026
 – Complete Comparison 2026.png)
May 24 2026
May 22 2026
May 21 2026
 vs Privileged Session Manager (PSM) Complete 2026 Guide.png)
May 20 2026
May 19 2026
.png)
May 18 2026
.png)
May 17 2026
 The Complete Beginner to Advanced Guide to Ethical Hacking.png)
May 15 2026
May 15 2026
May 14 2026
 by SecApps Learning.png)
May 14 2026
May 13 2026
 (1).png)
May 12 2026
.png)
May 11 2026
May 10 2026
May 10 2026
May 08 2026
.png)
May 07 2026
.png)
May 06 2026
.png)
May 06 2026
 Complete Guide (2026).png)
May 05 2026
.png)
May 05 2026
 (1).png)
May 04 2026
.png)
May 03 2026
.png)
May 01 2026
.png)
May 01 2026
.png)
April 30 2026
.png)
April 29 2026
.png)
April 28 2026
.png)
April 27 2026
 System Health, Safe Management, Platform & Master Policy Explained.png)
April 26 2026
April 20 2026
.png)
April 19 2026
.png)
April 17 2026
.png)
April 16 2026
.png)
April 15 2026
April 14 2026
April 10 2026
April 09 2026
April 08 2026
April 07 2026
July 31 2025
May 01 2026
December 26 2024
December 15 2024
.jpeg)
December 08 2024
May 01 2026
October 29 2024
October 19 2024
October 15 2024
October 07 2024
September 30 2024
September 23 2024
September 16 2024
May 04 2026
August 27 2024
August 27 2024
August 21 2024
August 19 2024
May 01 2026
May 10 2024
May 08 2024
May 01 2026
April 30 2024
.jpg)
April 29 2024
April 25 2024
April 22 2024
April 12 2024
April 05 2024
March 30 2024
May 01 2026
March 27 2024
March 27 2024
March 11 2024
March 07 2024
February 29 2024
.jpg)
May 01 2026
January 24 2024
January 20 2024
January 20 2024
January 20 2024
January 20 2024
January 03 2024
January 03 2024
January 03 2024
January 03 2024
Copyright 2022 SecApps Learning. All Right Reserved
Comments ()