
Overview

On-premise deployment gives you full infrastructure sovereignty. Enclave runs on your servers, connects to your HSM, and stores data in your storage systems. No traffic leaves your network perimeter.

System requirements

Component        Minimum            Recommended
CPU              4 vCPU             8 vCPU
RAM              8 GB               16 GB
Storage (app)    50 GB SSD          100 GB SSD
Storage (files)  Depends on usage   S3-compatible or NFS
Database         PostgreSQL 14+     PostgreSQL 15, HA pair
OS               Ubuntu 22.04 LTS   Ubuntu 22.04 LTS

Components

[Reverse Proxy: nginx / Caddy]

[Enclave Application (Docker)]

   ┌────┴────┐
   │         │
[PostgreSQL] [Object Storage: MinIO / Ceph / NetApp]

[HSM via KMIP (Thales / Entrust / Utimaco)]

Installation

Enclave ships as a Docker Compose stack. You receive a private registry token when you purchase an on-premise licence.

# Authenticate with Quelden registry
echo "$QUELDEN_REGISTRY_TOKEN" | docker login registry.quelden.com -u token --password-stdin

# Pull the deployment package
curl -L https://releases.quelden.com/enclave/latest/onprem.tar.gz | tar xz
cd enclave-onprem

# Configure
cp .env.example .env
# Edit .env with your database, storage, HSM, and SMTP settings

# Start
docker compose up -d

Environment configuration

Key variables in .env:

# Database
DATABASE_URL=postgres://enclave:password@db:5432/enclave

# Object storage (S3-compatible)
S3_ENDPOINT=https://minio.internal
S3_BUCKET=enclave-files
S3_ACCESS_KEY=...
S3_SECRET_KEY=...

# HSM (KMIP)
KMIP_HOST=hsm.internal
KMIP_PORT=5696
KMIP_CERT_FILE=/certs/client.pem
KMIP_KEY_FILE=/certs/client.key
KMIP_CA_FILE=/certs/ca.pem

# SMTP (for email notifications)
SMTP_HOST=smtp.internal
SMTP_PORT=587
SMTP_USER=...
SMTP_PASS=...
EMAIL_FROM=Enclave <no-reply@yourcompany.com>

# Licence
ENCLAVE_LICENCE_KEY=...
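
A pre-flight check for the .env above, as an added example rather than part of Quelden's deployment package: it flags group/other-readable permissions, values still at the template's `...` placeholder, the sample database password, and an S3_ENDPOINT that is not https. The function names (env_get, check_env) are this example's own; the variable names come from the listing above.

```shell
#!/bin/sh
# Added example (not Quelden tooling): lint .env before `docker compose up -d`.
# check_env prints one WARN line per finding and returns the number of findings.

env_get() {   # env_get FILE KEY -> value of the last KEY=... line
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_env() {
    f=$1
    findings=0
    warn() { echo "WARN: $*" >&2; findings=$((findings + 1)); }

    # The file holds DB, S3, SMTP and licence secrets: owner-only access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        warn "$f is accessible to group/other; run: chmod 600 $f"

    # Values left empty or still at the template placeholder.
    for k in S3_ACCESS_KEY S3_SECRET_KEY SMTP_USER SMTP_PASS \
             ENCLAVE_LICENCE_KEY KMIP_HOST KMIP_CERT_FILE \
             KMIP_KEY_FILE KMIP_CA_FILE; do
        v=$(env_get "$f" "$k")
        case $v in
            ''|'...') warn "$k is empty or still the '...' placeholder" ;;
        esac
    done

    # Sample database password carried over from the template.
    case $(env_get "$f" DATABASE_URL) in
        *:password@*) warn "DATABASE_URL uses the sample password" ;;
    esac

    # Object storage credentials and file data should travel over TLS.
    case $(env_get "$f" S3_ENDPOINT) in
        https://*) ;;
        *) warn "S3_ENDPOINT is not an https:// URL" ;;
    esac

    return "$findings"
}

# Usage: check_env .env && docker compose up -d
```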

Updates

docker compose pull
docker compose up -d

Database migrations run automatically on startup. Back up PostgreSQL before each update.

High availability

For HA deployments, run multiple application instances behind a load balancer. The application is stateless — all state is in PostgreSQL and object storage. Use PostgreSQL streaming replication for database HA. Contact hello@quelden.com for the HA architecture guide.