
On-Premise Deployment

AnkaSecure is available as a first-class on-premise deployment, not as a SaaS-only product. Customers in regulated finance, healthcare, defense, and critical infrastructure run AnkaSecure entirely inside their own perimeter — on-prem, air-gapped, or on a private-cloud VPC. The control plane, the database, and the HSM all stay under customer ownership.

This page describes the on-premise deployment model, what the customer operates, and what AnkaTech provides.


Why On-Premise

Driver                        On-Premise Answer
----------------------------  ------------------------------------------------------------------------
Data sovereignty / residency  All cryptographic operations and keys remain inside the customer's network. No traffic leaves to a third-party SaaS.
Air-gapped environments       Supported. Offline installation packages are provided.
Regulated industries          Regimes such as FedRAMP, DFARS, and ITAR that prohibit third-party hosting are met by full customer ownership of the stack.
Existing HSM investments      Reuse Thales Luna, Entrust nShield, AWS CloudHSM, Azure Dedicated HSM, or any PKCS#11 v2.40 HSM you already operate.
Custom integration            Integrate with the customer's identity provider (Okta, Azure AD, Keycloak, IBM API Connect), SIEM (Splunk, Elastic, Sentinel), and key escrow practices.

What the Customer Operates

In on-premise mode, the customer owns the entire stack:

  • AnkaSecure microservices (Core API, Auth API, Admin API, PQC Handshake, License Server, Doc Aggregator, Event Processor, Audit API)
  • Admin console (web UI)
  • PostgreSQL databases (operational + audit)
  • Redis (cache, sessions, pub/sub)
  • Kafka (event streaming)
  • The customer's existing HSM (PKCS#11)
  • The customer's existing identity provider (OAuth 2.0 / OIDC)
  • The customer's existing SIEM and observability stack

AnkaTech does not require any inbound network access, telemetry, or call-home connection. The license is validated locally against a signed license file or, for connected installations, against the customer's own license server inside the customer's network.


Reference Topology

┌─────────────────────────────────────────────────────────────┐
│                Customer Network / VPC                       │
│                                                             │
│   ┌─────────────────┐    ┌───────────────────────────┐      │
│   │  Customer apps  │───▶│  AnkaSecure Control Plane │      │
│   │  (REST / SDK)   │    │  (Docker Swarm / K8s)     │      │
│   └─────────────────┘    └──────────┬────────────────┘      │
│                                     │                       │
│                                     │ PKCS#11               │
│                                     ▼                       │
│                          ┌──────────────────────┐           │
│                          │  Customer HSM        │           │
│                          │  (Thales / nShield / │           │
│                          │   CloudHSM / etc.)   │           │
│                          └──────────────────────┘           │
│                                                             │
│   ┌──────────────┐    ┌──────────────┐   ┌─────────────┐    │
│   │  PostgreSQL  │    │  Redis       │   │  Kafka      │    │
│   └──────────────┘    └──────────────┘   └─────────────┘    │
│                                                             │
│   ┌──────────────┐    ┌──────────────┐                      │
│   │  Customer    │    │  Customer    │                      │
│   │  IdP (OAuth) │    │  SIEM        │                      │
│   └──────────────┘    └──────────────┘                      │
└─────────────────────────────────────────────────────────────┘

   ▲ No required outbound traffic to AnkaTech.

Deployment Modes

Connected on-premise

The customer runs AnkaSecure inside their network with normal outbound internet access (e.g., for OS patches, container registry pulls). Updates can be pulled from a private mirror of the AnkaTech container registry.

Air-gapped on-premise

Fully offline. The customer receives:

  • Signed offline installation bundle (Docker images, schema scripts, configuration templates)
  • Signed license file (no online activation required)
  • Signed update bundles for new versions

This mode is used in defense and intelligence environments where outbound connectivity is prohibited.

Private cloud (managed perimeter)

A hybrid: the customer's cloud VPC hosts the deployment, with AnkaTech operating the platform under a managed-service agreement. Data and keys remain in the customer's tenancy. Suitable for organizations that want SaaS-like operations without yielding data residency.


What AnkaTech Provides

For on-premise customers, AnkaTech provides:

  • Installation bundle: signed Docker images, Compose / Swarm / Kubernetes manifests, environment templates
  • Architecture and capacity planning: sizing for expected operations per second, multi-tenant footprint, HSM selection guidance
  • HSM integration support: validated configurations for Thales Luna, Entrust nShield, AWS CloudHSM, Azure Dedicated HSM
  • Identity provider integration: OAuth 2.0 / OIDC configuration for the customer's IdP
  • Documentation: this site (also available offline as a static bundle)
  • Support and maintenance: tiered SLAs, security advisories, signed update bundles
  • Compliance evidence package: architecture diagrams, threat model, audit log samples, references to the deployed HSM's CMVP certificate

AnkaTech does not require remote access to the customer's environment for normal operations.


What AnkaTech Does Not See

In an on-premise deployment, AnkaTech has no visibility into:

  • Customer plaintext or ciphertext
  • Customer keys (which never leave the HSM)
  • Customer audit logs
  • Customer tenants, users, or applications
  • Operational metrics (unless the customer chooses to share them under a support engagement)

This is a deliberate design choice for high-assurance buyers.


System Requirements (Minimum)

Component          Minimum
-----------------  ---------------------------------------------------------------------------------
Compute            4 vCPU, 16 GB RAM per microservice node (8 microservices)
Storage            100 GB SSD for PostgreSQL, 50 GB for Kafka, 20 GB for Redis
Network            1 Gbps internal between services; HSM reachable over PKCS#11 (typically network-attached or PCIe)
OS                 Linux (Ubuntu 22.04 LTS, RHEL 9, Rocky 9) or Windows Server 2022
Container runtime  Docker 24+, Docker Swarm or Kubernetes 1.28+
Java runtime       OpenJDK 25 (bundled in the official images)
HSM                Any PKCS#11 v2.40-compliant HSM. See HSM Integration.

For air-gapped deployments, no internet connectivity is required after initial bundle delivery.


Procurement and Licensing

On-premise deployments are licensed per:

  • Endpoint count (number of distinct applications using the platform), or
  • API operation volume (annual operations, with overage tiers), or
  • Site license (unlimited use within a single legal entity)

License files are signed and validated locally. Federal procurement vehicles are on the GSA Schedule 70 roadmap.
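The local, offline license check described above (and the same pattern behind the signed installation and update bundles of an air-gapped deployment) is illustrated here with an added example. This is not AnkaSecure's code and not its real license format: the license fields, the file layout, and the use of Ed25519 with a vendor public key pinned inside the product are all assumptions made for the example. The verifier checks the signature over the bytes exactly as stored, enforces expiry, and needs no network access.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is a hypothetical offline license document. The field set is an
// assumption for this example, not AnkaSecure's real license format.
type License struct {
	Customer  string    `json:"customer"`
	Model     string    `json:"model"` // "site", "endpoints" or "operations"
	Endpoints int       `json:"endpoints,omitempty"`
	NotAfter  time.Time `json:"not_after"`
}

// signedLicenseFile is the assumed on-disk form: the exact signed bytes plus
// the vendor's Ed25519 signature over them. The verifier checks the signature
// over Payload as stored and never re-serialises the document first, so JSON
// canonicalisation is not a concern.
type signedLicenseFile struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("license: signature does not verify against the pinned vendor key")
	ErrExpired      = errors.New("license: expired")
	ErrMalformed    = errors.New("license: malformed file")
)

// NewVendorKeypair stands in for the vendor's offline signing key. In a real
// deployment only the public half ships, pinned inside the product images.
func NewVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueLicenseFile signs lic and returns the bytes that would be delivered to
// the customer (downloaded for connected sites, on media for air-gapped ones).
func IssueLicenseFile(priv ed25519.PrivateKey, lic License) ([]byte, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return nil, err
	}
	return json.Marshal(signedLicenseFile{Payload: payload, Signature: ed25519.Sign(priv, payload)})
}

// VerifyLicenseFile is the local check: parse the file, verify the signature
// with the pinned public key, then enforce expiry against now. No network.
func VerifyLicenseFile(pinned ed25519.PublicKey, file []byte, now time.Time) (License, error) {
	var f signedLicenseFile
	if err := json.Unmarshal(file, &f); err != nil || len(f.Payload) == 0 {
		return License{}, ErrMalformed
	}
	if !ed25519.Verify(pinned, f.Payload, f.Signature) {
		return License{}, ErrBadSignature // covers edited payloads and wrong keys
	}
	var lic License
	if err := json.Unmarshal(f.Payload, &lic); err != nil {
		return License{}, ErrMalformed
	}
	if !now.Before(lic.NotAfter) {
		return lic, ErrExpired
	}
	return lic, nil
}

// TamperEndpoints rewrites the endpoint count inside an issued file without
// re-signing, to show that the pinned-key check rejects edited licenses.
func TamperEndpoints(file []byte, endpoints int) ([]byte, error) {
	var f signedLicenseFile
	if err := json.Unmarshal(file, &f); err != nil {
		return nil, err
	}
	var lic License
	if err := json.Unmarshal(f.Payload, &lic); err != nil {
		return nil, err
	}
	lic.Endpoints = endpoints
	f.Payload, _ = json.Marshal(lic) // signature left as it was
	return json.Marshal(f)
}

func main() {
	pub, priv, err := NewVendorKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample license for the demonstration.
	lic := License{Customer: "Example Bank", Model: "endpoints", Endpoints: 25,
		NotAfter: time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC)}
	file, _ := IssueLicenseFile(priv, lic)
	now := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)

	_, err = VerifyLicenseFile(pub, file, now)
	fmt.Println("genuine file:", err)
	edited, _ := TamperEndpoints(file, 5000)
	_, err = VerifyLicenseFile(pub, edited, now)
	fmt.Println("edited file:", err)
	_, err = VerifyLicenseFile(pub, file, lic.NotAfter.Add(time.Hour))
	fmt.Println("after expiry:", err)
}
```

Two design points carry over to any signed-artifact check of this kind: the public key must be pinned in the installed software rather than read from the same file or directory as the artifact, and the signature must be verified over the stored bytes before anything in them is parsed or acted upon. The expiry check uses the caller-supplied clock so that it can be exercised in tests and so that the policy for clock drift on air-gapped hosts stays explicit.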

For a deployment quote, contact [email protected].


Last updated: 2026-04-29