External Storage Device

You can store PSM video and text recordings outside of the vault, in an external storage device.

How it works

You can configure a PSM to store recording files either in the Vault or in an external storage device. Recordings from multiple PSM servers can share the same external storage.

When configured to work with external storage, the PSM uploads the video recording file and the text recording file to the external storage device when a session ends. The session file, which holds the metadata for the session recording, is still saved in the Vault, specifically in the recording safe configured for the account's platform. The StorageLocation File Category in the session file records where on the external storage the recording files are kept.

To upload a recording file, the PSM connects to the storage device and authenticates with the credentials of the internal upload user, which are stored in the Vault. The recording files are uploaded over the SMB protocol.

When an Auditor reviews a session recording in the PVWA, the PVWA authenticates to the storage device with the credentials of the internal download user and streams or downloads the files over the SMB protocol.

Auditors access session recordings from the PVWA with the same permissions as in previous versions. Although the video recording file and the text recording file are stored in the external storage, the session file is stored in the recording safe in the Vault, so an Auditor still requires authorization for the recording safe in which the session file is stored.

For permission details, see Permissions.

Set up an external storage device

Device requirements

You can use any storage device that complies with the following secured storage requirements:

Secure Communication And Authentication

The storage must support the SMB 3.0 protocol.

It is recommended to apply the following requirements to benefit from SMB mutual authentication support (Kerberos Protocol):

Storage-level Tampering Protection

Allow only authorized users, such as CyberArk systems and maintenance users, to access the storage.

It is recommended to protect the storage maintenance users' credentials in the Vault. Where possible, ensure that all access to the storage is performed through the PSM, using a built-in connection component or a custom Universal Connector connection component.

It is recommended to protect the storage with disk encryption or file system encryption (such as BitLocker) to provide protection at rest.

File Sharing Support

The storage device should provide data access to a group of hosts and support multiple simultaneous read and write operations, for example a file server or network-attached storage (NAS).
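The following is an added example for checking the Secure Communication And Authentication requirement on a Windows file server; it is not part of this page or of CyberArk's own procedure. It assumes Windows Server 2012 R2 or later with the SmbShare module, that the share is named PSMRecordings (an assumption), and that the PSM and PVWA hosts address the file server by its FQDN rather than by IP address, which is what allows Kerberos to be negotiated. Note that Kerberos applies only to domain accounts: a local account on the storage device always authenticates with NTLM, so the Kerberos recommendation and the CPM requirement for local users cannot both be met by the same upload or download user.

```powershell
# Added example (not CyberArk's own configuration). Run elevated on the
# Windows file server that hosts the recordings share.

# 1. Disable SMB1 and require signing and encryption at the server level, so
#    that a client that cannot negotiate SMB 3.x with encryption is rejected.
Set-SmbServerConfiguration -EnableSMB1Protocol $false `
                           -RequireSecuritySignature $true `
                           -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -Force

# 2. Confirm the settings took effect.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol,
                  RequireSecuritySignature, EncryptData, RejectUnencryptedAccess

# 3. Run this part on a PSM or PVWA host while it has the share open (for
#    example right after a recording was uploaded or played back). A Dialect
#    below 3.0, or Signed/Encrypted = False, means the requirement is not met.
Get-SmbConnection |
    Where-Object ShareName -eq 'PSMRecordings' |      # share name is an assumption
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted

# 4. Back on the file server, list network logons from the last hour that did
#    NOT use Kerberos. In event 4624, property 8 is the logon type (3 = network),
#    property 5 the account name, property 10 the authentication package and
#    property 18 the client IP address. Audit Logon events must be enabled.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.Properties[5].Value
            Package = $_.Properties[10].Value   # expect 'Kerberos', not 'NTLM'
            Client  = $_.Properties[18].Value
        }
    } |
    Where-Object { $_.Package -ne 'Kerberos' } |
    Format-Table -AutoSize
```

If step 4 shows the upload or download user authenticating with NTLM, either the account is local (see the note above), the client connected by IP address, or the server's cifs/ service principal name is missing from its domain computer account.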

Create designated users on the storage device to upload and download files

The PSM and the PVWA each require a designated user on the storage device for uploading and downloading recording files. Configure one user on the storage device to upload files and a second user to download files, each with only the permissions it needs. These users can be either local or domain users.

If these users are managed by the CPM, they must be local users.

Define a shared location

Define a shared storage location on the storage device where the recording files will be stored, and make sure that both the upload user and the download user have access to this share.
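The two steps above (designated users, then the share) can be carried out on a Windows file server with the following added example. It is not CyberArk's own procedure; the user names psm_upload and pvwa_download, the folder D:\PSMRecordings and the share name PSMRecordings are all assumptions. It creates local users (the form the CPM can manage), grants the upload user write access without the right to delete or overwrite existing recordings, gives the download user read-only access, and requires SMB encryption on the share. Replace New-LocalUser with New-ADUser if domain users are used instead.

```powershell
# Added example (not CyberArk's own procedure). Run elevated on the file server.
$sharePath    = 'D:\PSMRecordings'   # assumption
$shareName    = 'PSMRecordings'      # assumption
$uploadUser   = 'psm_upload'         # assumption: used by the PSM to write recordings
$downloadUser = 'pvwa_download'      # assumption: used by the PVWA to read recordings

# 1. Local users. Passwords are entered interactively here; afterwards they are
#    onboarded to the Vault, where the CPM can rotate them.
foreach ($name in $uploadUser, $downloadUser) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $name `
                      -Password (Read-Host "Password for $name" -AsSecureString) `
                      -Description 'PSM recordings service account' `
                      -AccountNeverExpires | Out-Null
    }
}

# 2. Folder with an explicit NTFS ACL: drop inherited ACEs, then grant only
#    what each role needs. (OI)(CI) makes the ACE apply to files and subfolders.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
icacls $sharePath /inheritance:r | Out-Null
icacls $sharePath /grant 'Administrators:(OI)(CI)F' | Out-Null
icacls $sharePath /grant 'SYSTEM:(OI)(CI)F' | Out-Null

# Upload user: Modify minus Delete, i.e. list, create, write and read files,
# but no DE (delete) and no DC (delete child), so existing recordings cannot
# be removed with this account. Verify with a real PSM session that uploads
# still succeed; if the PSM needs to rename or replace files, use M instead.
icacls $sharePath /grant "${uploadUser}:(OI)(CI)(RD,WD,AD,REA,WEA,X,RA,WA,RC,S)" | Out-Null

# Download user: read and execute only.
icacls $sharePath /grant "${downloadUser}:(OI)(CI)RX" | Out-Null

# 3. Share with matching share-level permissions and encryption required.
#    The NTFS ACL above remains the effective restriction for the upload user.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath `
                 -FullAccess 'Administrators' `
                 -ChangeAccess $uploadUser `
                 -ReadAccess $downloadUser `
                 -EncryptData $true | Out-Null
}

# 4. Verify the result.
Get-SmbShare -Name $shareName | Select-Object Name, Path, EncryptData
Get-SmbShareAccess -Name $shareName | Format-Table -AutoSize
icacls $sharePath
```

The UNC path of the share (\\<server FQDN>\PSMRecordings) is what is later referenced as the recordings' external storage location; use the FQDN rather than an IP address so that domain accounts can authenticate with Kerberos.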

Configure PSM to use an external storage device

This section describes how to configure the PSM to store recording files in an external storage device.

Additional notes and limitations

The following limitations apply:

  • Attestations are not available for recordings that are stored in an external storage device.

  • The Recording Size of recordings stored in an external storage device is not displayed in the PVWA.

  • Recording management, such as deleting, backing up, and archiving recordings, must be performed with the external storage device's own functionality.