Deploy AnkaSecure On-Premise
Complete control over your cryptographic infrastructure - deploy in your data center in 30 minutes
🚀 Get deployment guide: Start trial to access installation scripts
Quick Start: Evaluate On-Premise in 30 Minutes
Estimated time: 30 minutes
What you'll achieve: AnkaSecure running in your environment, ready for testing Requirements: Linux server (Ubuntu 24.04 or RHEL 8+), root access
Step 1/5: Check system requirements (2 minutes)
Minimum specifications:
# Verify your server meets these requirements:
CPU: 8 cores (16+ recommended)
RAM: 16 GB (32 GB+ recommended)
Disk: 100 GB SSD (200 GB+ for production)
OS: Ubuntu 24.04 LTS or RHEL 8+
Network: Outbound HTTPS (443) for package downloads
✅ Quick check command:
# Run this on your server to verify specs
lscpu | grep "^CPU(s):"
free -g | grep "^Mem:"
df -h / | tail -1
Expected output: 8+ CPUs, 16+ GB RAM, 100+ GB disk
Step 2/5: Download installer (3 minutes)
Register for trial to receive installation bundle:
📥 Register for on-premise trial (email required)
What you'll receive:
- Automated installation script (one command)
- Configuration templates
- Docker Compose files
- 30-day evaluation license
✅ After registration, you'll get:
Step 3/5: Run automated setup (10 minutes)
One-command installation (abstracts infrastructure complexity):
# Installation script handles:
# - Prerequisites (Docker, dependencies)
# - Platform bootstrap
# - Service deployment
# - Health verification
sudo ankasecure-install --mode trial --domain your-company.com
✅ Installation progress:
[1/5] Installing prerequisites... ✓
[2/5] Bootstrapping platform... ✓
[3/5] Deploying services... ✓
[4/5] Generating certificates... ✓
[5/5] Running health checks... ✓
Installation complete!
Access: https://ankasecure.your-company.com
Step 4/5: Verify installation (5 minutes)
Health check:
✅ Expected output:
Service Status Health
---------------------- -------- --------
Core API Running Healthy
Authentication Running Healthy
Key Management Running Healthy
Admin Console Running Healthy
Database Running Healthy
Cache Running Healthy
Overall Status: ✓ Healthy
Web UI test:
# Access admin console
open https://ankasecure.your-company.com/admin
# Default credentials (change immediately!):
Username: [email protected]
Password: (sent to your email)
Step 5/5: Test cryptographic operations (10 minutes)
Generate first key:
Encrypt test data:
Decrypt to verify:
✅ Success: Original file recovered → Installation working!
🎯 What's next?
- Integrate your app: SDK integration guide
- Production deployment: Enterprise deployment guide
- Migrate from cloud: AWS KMS to on-premise migration
Why Deploy On-Premise?
Control & Sovereignty
Full control over:
- ✅ Cryptographic keys (never leave your infrastructure)
- ✅ Data location (compliance with data residency laws)
- ✅ Infrastructure (custom hardware, HSMs, network topology)
- ✅ Update schedule (deploy when YOU decide, not vendor-driven)
Use cases:
- Government agencies (FISMA, FedRAMP requirements)
- Financial institutions (regulatory capital requirements)
- Healthcare (HIPAA, patient data sovereignty)
- Defense contractors (classified data processing)
Cost Optimization
SaaS vs On-Premise cost comparison:
| Scenario | SaaS Annual Cost | On-Premise Annual Cost | Savings |
|---|---|---|---|
| Small (100K ops/month) | $12,000 | $15,000 (infra + license) | -$3,000 (SaaS cheaper) |
| Medium (1M ops/month) | $60,000 | $25,000 | $35,000 saved |
| Large (10M ops/month) | $300,000 | $50,000 | $250,000 saved |
| Enterprise (100M ops/month) | $1,500,000 | $150,000 | $1,350,000 saved |
Break-even point: ~500K operations/month (on-premise becomes cheaper)
📊 Interactive cost calculator - Compare for your volume
Air-Gapped / Offline Environments
Fully disconnected deployment for classified networks:
Capabilities:
- ✅ No internet connectivity required (after initial download)
- ✅ Offline license validation (cryptographic license files)
- ✅ Manual updates (via USB/secure file transfer)
- ✅ Internal PKI support (bring your own CA certificates)
Example: Classified government network:
Internet-connected system (download installer)
↓
USB drive (transfer installer + license)
↓
Air-gapped network (deploy offline)
Use cases: SCIF environments, classified data processing, defense systems
Hybrid Deployment
Best of both worlds: SaaS control plane + on-premise data plane
Architecture:
Your Data Center AnkaSecure Cloud
┌─────────────────┐ ┌──────────────────┐
│ Data Encryption │ │ Key Management │
│ (on-premise) │◄────►│ (SaaS control) │
│ │ mTLS │ │
│ • Process data │ │ • Generate keys │
│ • Never leaves │ │ • Audit logs │
│ your network │ │ • Analytics │
└─────────────────┘ └──────────────────┘
Benefits:
- ✅ Data never leaves your network (compliance)
- ✅ Managed key lifecycle (reduced operational burden)
- ✅ Centralized audit logs (SOC 2 compliance)
- ✅ Auto-updates for control plane (reduced maintenance)
Use case: Financial services with strict data residency but need centralized key management
Deployment Models Comparison
SaaS (Fully Managed)
Best for: Startups, small teams, rapid prototyping
| Aspect | Details |
|---|---|
| Time to deploy | 5 minutes (API key signup) |
| Operational burden | Zero (we manage everything) |
| Scalability | Automatic (elastic) |
| Cost model | Pay-per-operation (usage-based) |
| Data location | US, EU, or Asia regions |
| Compliance | SOC 2, ISO 27001, GDPR |
| Customization | Limited (standard config) |
When to choose:
- ✅ Need to start immediately (< 1 day)
- ✅ Unpredictable workload (auto-scaling)
- ✅ Small team (no DevOps resources)
- ✅ Compliance not strict (standard regions OK)
🚀 Start SaaS trial (5 minutes)
On-Premise (Self-Hosted)
Best for: Enterprises, regulated industries, high-volume users
| Aspect | Details |
|---|---|
| Time to deploy | 30 minutes (automated script) |
| Operational burden | Medium (you manage infrastructure) |
| Scalability | Manual (add servers as needed) |
| Cost model | Flat annual license + infrastructure |
| Data location | YOUR data center (full control) |
| Compliance | ANY (FISMA, FedRAMP, ITAR, etc.) |
| Customization | Full (custom HSMs, networks, policies) |
When to choose:
- ✅ Data sovereignty required (regulatory)
- ✅ High-volume operations (> 1M ops/month)
- ✅ Custom hardware (HSMs, TPMs)
- ✅ Air-gapped networks (classified environments)
📥 Get on-premise trial (email registration)
Hybrid (Split Architecture)
Best for: Large enterprises needing both control and convenience
| Aspect | Details |
|---|---|
| Time to deploy | 1 hour (on-premise + SaaS connection) |
| Operational burden | Low (we manage control plane) |
| Scalability | Hybrid (elastic control, fixed data plane) |
| Cost model | Mixed (license + SaaS fees) |
| Data location | Data on-premise, keys in SaaS |
| Compliance | Hybrid (meets most regulations) |
| Customization | Medium (configure split points) |
When to choose:
- ✅ Need data residency but want managed services
- ✅ Multiple data centers (centralized management)
- ✅ Gradual cloud migration (keep data on-prem temporarily)
System Requirements
Development / Evaluation
Minimum specs (single-node, trial workloads):
Hardware:
CPU: 8 cores (Intel Xeon or AMD EPYC)
RAM: 16 GB
Disk: 100 GB SSD
Network: 1 Gbps
Software:
OS: Ubuntu 24.04 LTS (preferred) or RHEL 8+
Kernel: 5.15+
Container runtime: Docker 24+ or Podman 4+
Optional:
HSM: SoftHSM (included) or Luna/nShield (supported)
Supports: ~1,000 operations/second, 100 concurrent users
Production (Small)
Recommended specs (3-node cluster, production workloads):
Per Node:
CPU: 16 cores
RAM: 32 GB
Disk: 200 GB NVMe SSD
Network: 10 Gbps
Cluster:
Nodes: 3 (high availability)
Load balancer: HAProxy or NGINX
Database: PostgreSQL 15+ (dedicated server)
Cache: Redis 7+ (Sentinel mode)
HSM:
Production-grade: Luna, nShield, or Cloud HSM
Supports: ~10,000 operations/second, 1,000 concurrent users
Production (Large)
Enterprise specs (10+ node cluster, high-volume workloads):
Per Node:
CPU: 32 cores
RAM: 128 GB
Disk: 500 GB NVMe SSD (RAID 10)
Network: 25 Gbps
Cluster:
Nodes: 10-50 (horizontal scaling)
Load balancer: F5 or AWS ALB
Database: PostgreSQL cluster (Patroni HA)
Cache: Redis cluster (6+ nodes)
HSM:
Dedicated: Luna HSM cluster (3+ nodes)
Backup: Secondary datacenter with DR HSM
Supports: 100,000+ operations/second, 10,000+ concurrent users
Architecture Overview
Logical Components
High-level system architecture (abstracts implementation):
┌──────────────────────────────────────────────────────┐
│ Client Applications │
│ (SDK, CLI, REST API, Direct Integration) │
└───────────────────┬──────────────────────────────────┘
│ HTTPS (TLS 1.3)
↓
┌──────────────────────────────────────────────────────┐
│ API Gateway Layer │
│ • Authentication (JWT, OAuth2, mTLS) │
│ • Rate limiting (per-tenant) │
│ • Request routing │
└───────────────────┬──────────────────────────────────┘
│
↓
┌──────────────────────────────────────────────────────┐
│ Cryptographic Services │
│ • Key generation & management │
│ • Encryption / Decryption │
│ • Digital signatures │
│ • Migration operations │
└───────────────────┬──────────────────────────────────┘
│
↓
┌──────────────────────────────────────────────────────┐
│ Security Boundary │
│ • HSM integration (Luna, nShield, SoftHSM) │
│ • Key wrapping (AES-256-GCM) │
│ • Access controls (RBAC) │
└───────────────────┬──────────────────────────────────┘
│
↓
┌──────────────────────────────────────────────────────┐
│ Data Layer │
│ • Encrypted key storage │
│ • Metadata database │
│ • Audit logs (tamper-proof) │
└──────────────────────────────────────────────────────┘
Key design principles:
- ✅ Separation of concerns: API, crypto, storage isolated
- ✅ Defense-in-depth: Multiple security layers
- ✅ Zero-trust: All components authenticate mutually
- ✅ Audit everything: Complete trail of operations
Note: Detailed implementation architecture provided in trial documentation
Security Features
Built-In Security
No configuration needed (secure by default):
- ✅ TLS 1.3: All communication encrypted
- ✅ mTLS: Service-to-service authentication
- ✅ HSM integration: Keys never in plaintext in memory
- ✅ Multi-tenant isolation: Database + application layer
- ✅ Audit logging: Tamper-proof operation trails
- ✅ Rate limiting: Per-tenant DoS protection
- ✅ OWASP compliance: 100% REST API Security Cheat Sheet
Optional Security Enhancements
Available in production deployments:
| Feature | Description | Use Case |
|---|---|---|
| Network HSM | Luna, nShield integration | FIPS 140-2 Level 3/4 |
| LDAP/AD integration | Enterprise SSO | Corporate identity |
| SIEM integration | Splunk, ELK forwarding | Security monitoring |
| Geo-fencing | IP whitelist/blacklist | Restrict access by location |
| Custom policies | Algorithm restrictions | Compliance enforcement |
Licensing & Support
Trial License (30 days)
Included in trial:
- ✅ Full product features (no limitations)
- ✅ 10,000 operations/day limit
- ✅ Email support (48-hour response)
- ✅ Community forum access
- ✅ Documentation access
Get trial: Register here
Production License
Pricing models:
| Model | Best For | Pricing |
|---|---|---|
| Perpetual | One-time purchase + annual maintenance | $50K base + $10K/year |
| Subscription | Annual renewal | $25K/year |
| Enterprise | Unlimited operations, priority support | Custom (contact sales) |
Included:
- ✅ Production license key
- ✅ Software updates (security patches)
- ✅ Technical support (SLA-based)
- ✅ Documentation updates
- ✅ Upgrade assistance
Support Tiers
| Tier | Response Time | Channels | Price |
|---|---|---|---|
| Community | Best effort | Forum, email | Free (trial) |
| Standard | 48 hours | Email, tickets | Included in license |
| Premium | 8 hours | Email, phone, Slack | +$10K/year |
| Enterprise | 2 hours (24/7) | Email, phone, Slack, on-site | Custom |
Production Deployment
Pre-Deployment Checklist
Before deploying to production, ensure:
- [ ] Infrastructure ready: Servers provisioned, specs meet requirements
- [ ] Network configured: Firewall rules, DNS, load balancer
- [ ] HSM available (if using): Luna/nShield credentials obtained
- [ ] Certificates ready: TLS certificates for HTTPS
- [ ] Backup strategy: PostgreSQL backup, key recovery procedures
- [ ] Monitoring setup: Health checks, alerting, log aggregation
- [ ] Disaster recovery: Secondary datacenter, failover plan
- [ ] Security review: Penetration testing, compliance audit
- [ ] License obtained: Production license key from sales team
Timeline: 2-4 weeks for full production readiness (after trial)
Deployment Steps (High-Level)
Phase 1: Infrastructure preparation (1 week)
- Provision servers (physical or VMs)
- Configure networking (VLANs, firewalls, load balancers)
- Set up HSM (if using production-grade hardware)
- Install OS and prerequisites
Phase 2: Platform deployment (3-5 days)
- Run automated installer (trial script)
- Configure production settings (database, cache, HSM)
- Generate production certificates
- Deploy services
Phase 3: Integration & testing (1 week)
- Integrate with your applications (SDK/API)
- Performance testing (load tests)
- Security testing (vulnerability scans)
- Failover testing (disaster recovery)
Phase 4: Go-live (1 day)
- Final validation
- Cutover from staging to production
- Monitor for 24-48 hours
Total timeline: 2-4 weeks (depends on complexity)
Migration from SaaS to On-Premise
Already using AnkaSecure SaaS? Migrate to on-premise without downtime:
Step 1: Deploy on-premise instance (parallel to SaaS)
Step 2: Export keys from SaaS (secure transfer)
Step 3: Import keys to on-premise
Step 4: Dual-run period (validate functionality)
- 1 week: 10% of traffic to on-premise
- 2 weeks: 50% of traffic
- 3 weeks: 90% of traffic
- 4 weeks: 100% cutover, decommission SaaS
Zero data re-encryption needed (keys are portable)
Get Installation Guide
Option 1: Free Trial (Evaluation)
Register to receive:
- Automated installation script
- 30-day evaluation license
- Trial documentation
- Community forum access
What we need:
- Name & email
- Company name
- Planned use case (helps us provide better support)
You'll receive within 5 minutes:
- Download link for installer
- Trial license key
- Quick start guide (PDF)
Option 2: Production Deployment (Enterprise)
Schedule consultation for production deployments:
What we'll discuss (1-hour session):
- Your requirements (volume, compliance, HSM)
- Architecture design (single vs multi-datacenter)
- Timeline (trial → production)
- Pricing (perpetual vs subscription)
- Support options (standard vs premium)
Include in email:
- Company name
- Number of applications integrating
- Expected operation volume (ops/month)
- Compliance requirements (FIPS, FedRAMP, etc.)
Option 3: Proof of Concept (POC)
Extended evaluation for large enterprises:
What's included (60-90 day POC):
- Full production features
- Higher operation limits (100K ops/day)
- Technical account manager
- Architecture review
- Integration assistance
- Custom feature demos
Requirements: Signed POC agreement (no cost)
Frequently Asked Questions
Can I run AnkaSecure on my existing Kubernetes cluster?
Yes! AnkaSecure supports Kubernetes deployment (Helm charts provided in production license).
Trial installer uses Docker Compose for simplicity, but production deployments can use:
- ✅ Kubernetes (native)
- ✅ Docker Swarm
- ✅ OpenShift
- ✅ Nomad
What databases are supported?
Supported databases:
- ✅ PostgreSQL 15+ (recommended, included in trial)
- ✅ PostgreSQL-compatible (AWS Aurora, Google Cloud SQL)
- ⚠️ MySQL/MariaDB (experimental, contact support)
Trial includes PostgreSQL automatically.
Can I use my existing HSM?
Yes! Production deployments support:
- ✅ Thales Luna HSM (network or PCIe)
- ✅ Entrust nShield (network or PCIe)
- ✅ AWS CloudHSM (via PKCS#11)
- ✅ Azure Dedicated HSM
- ✅ Google Cloud HSM
Trial includes SoftHSM (software emulation, not for production).
Configuration guides provided after production license purchase.
How do I upgrade from trial to production?
Simple upgrade path: 1. Purchase production license (contact sales) 2. Replace trial license key with production key 3. Configure production settings (HSM, database replication) 4. Restart services (zero data loss)
No reinstallation needed - trial and production use same software.
What about high availability?
Production deployments support HA:
- ✅ Multi-node clustering (3+ nodes)
- ✅ Load balancing (HAProxy, F5, cloud LBs)
- ✅ Database replication (PostgreSQL streaming)
- ✅ HSM failover (Luna HA, nShield groups)
- ✅ Geographic redundancy (active-active or active-passive)
HA architecture design included in enterprise support tier.
Can I test on AWS/Azure before deploying on-premise?
Yes! Deploy trial on cloud VMs to evaluate:
AWS:
# Launch EC2 instance (Ubuntu 24.04, t3.xlarge minimum)
# SSH into instance
# Run trial installer
sudo ankasecure-install --mode trial --domain test.example.com
Azure/GCP: Same process (provision Ubuntu VM, run installer)
Benefit: Validate functionality before committing to on-premise hardware.
What's Next?
Ready to deploy on-premise?
- 📥 Register for trial (receive installer in 5 minutes)
- 📊 Cost calculator: SaaS vs on-premise
- 📧 Schedule architecture review (free 1-hour consultation)
- 📘 Download deployment checklist (PDF, 15 pages)
Compare deployment options:
- SaaS overview - Fully managed option
- Hybrid deployment - Split architecture
Explore use cases:
- Government/defense - Air-gapped deployments
- Financial services - Regulatory requirements
- Healthcare - HIPAA compliance
Have questions? Email [email protected] or join our community forum
Last updated: 2026-01-07 | Version: 3.0.0