Enterprise Deployment Guide

Step-by-step instructions for installing, configuring, and operationalizing the CyberVault Security Platform in your environment.

v4.2.1 📅 Updated: March 15, 2025 ⏱️ Read time: ~12 mins 🏷️ Category: Infrastructure

Overview

The CyberVault Enterprise Security Platform centralizes threat detection, endpoint protection, cloud security, and compliance monitoring into a unified control plane. This guide covers a standard deployment on Linux servers with multi-node agent distribution.

ℹ️

Deployment Architecture

Standard deployments use a control plane (3 nodes for HA) and distributed lightweight agents. Minimum requirements assume a production workload of up to 500 endpoints.

Prerequisites

Component	Requirement	Notes
OS	Ubuntu 22.04+ / RHEL 8+ / Debian 12+	Kernel 5.15 or newer
CPU	4 vCPUs (Control Plane)	8 vCPUs recommended for >500 nodes
RAM	16 GB	32 GB for high-throughput environments
Storage	100 GB NVMe/SSD	For telemetry & audit logs
Network	Private subnet + NAT outbound	Ports 443, 8443, 9090 exposed
Licensing	Activation key from CyberVault Portal	Required for initialization

⚠️

Security Hardening

Ensure SELinux/AppArmor is enabled. The installer will fail validation if mandatory access controls are disabled in production mode.

Installation

Add Official Repository

# Import GPG key & add repo
curl -fsSL https://packages.cybervault.io/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/cybervault.gpg
echo "deb [signed-by=/etc/apt/keyrings/cybervault.gpg] https://packages.cybervault.io/release/ stable main" | sudo tee /etc/apt/sources.list.d/cybervault.list
sudo apt update

Install Core Platform

Install the control plane components. The installer automatically pulls dependencies and generates initial certificates.

# Install control plane & core services
sudo apt install cybervault-core cybervault-agent cybervault-dashboard
echo "✅ Installation complete. Run 'cybervault init' to configure."

Initialize & Activate

Run the initialization wizard and provide your license key. This sets up the local DB, generates TLS certs, and connects to the licensing server.

sudo cybervault init --license-key "CV-XXXX-XXXX-XXXX-XXXX" \
  --fqdn "cv-primary.internal.net" \
  --admin-email "security-ops@yourcompany.com"

Configuration

Core configuration resides in /etc/cybervault/config.yaml. Below is a minimal production-ready example:

# /etc/cybervault/config.yaml
service:
  mode: production
  bind_addr: "0.0.0.0"
  port: 8443
  tls:
    enabled: true
    cert_path: /etc/cybervault/certs/server.crt
    key_path: /etc/cybervault/certs/server.key

security:
  encryption_algorithm: AES-256-GCM
  audit_logging: true
  log_retention_days: 90

integrations:
  siem_endpoint: "https://siem.internal.net/api/v1/ingest"
  ldap_bind: "ou=security,dc=company,dc=com"
  smtp_relay: "smtp.internal.net:587"

🔧

Hot-Reloading

Changes to config.yaml are applied automatically. No service restart required. Validate syntax with cybervault config validate.

Network & Firewall

Ensure the following ports are accessible according to your security zones:

Port	Protocol	Direction	Purpose
443	TCP	Inbound	Web Dashboard & API Gateway
8443	TCP	Inbound	Agent Heartbeat & Telemetry
9090	TCP	Internal	Inter-node replication (HA)
53	UDP/TCP	Outbound	DNS resolution
123	UDP	Outbound	NTP time sync (critical)

# Example iptables rules
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9090 -s 10.0.0.0/8 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

Agent Deployment

Agents are distributed as lightweight daemons. They auto-register with the control plane using mutual TLS.

Generate Deployment Token

sudo cybervault token create --scope "agent:register" --duration 24h
# Output: CV-AGENT-TOKEN-xxxxxxxxxxxxxxxx

Distribute & Install

Push the agent binary via your existing orchestration (Ansible, Puppet, SCCM, etc.):

sudo wget https://packages.cybervault.io/releases/agent/cybervault-agent.deb
sudo dpkg -i cybervault-agent.deb
sudo systemctl enable --now cybervault-agent

✅

Auto-Discovery

Agents resolve the control plane via DNS SRV records or the --server flag. Once connected, they receive baseline policies within 60 seconds.

Verification

Confirm your deployment is healthy and communicating correctly:

# Check control plane status
sudo cybervault status
# Expected: Nodes: 3/3 Active | Agents: 42 Registered | Uptime: 14d

# Verify TLS & API endpoint
curl -k https://localhost:8443/api/v1/health
# Expected: {"status":"healthy","version":"4.2.1","timestamp":"2025-03-15T10:22:00Z"}

# View real-time agent telemetry
sudo cybervault agent list --output json

Access the web dashboard at https://<your-server>:443. Default admin credentials are rotated during initialization. Check your inbox for the secure access link.

Troubleshooting

Agent fails to register: Verify outbound port 8443 and DNS resolution. Run cybervault agent diagnose --verbose on the endpoint.
Certificate validation errors: Ensure system time is synchronized within ±30s via NTP. Rotate certs with sudo cybervault cert renew.
High CPU/memory usage: Check log verbosity. Set log_level: warn in config.yaml. Default telemetry aggregation runs every 15s; adjust via telemetry_interval.
Logs location: /var/log/cybervault/core.log (control plane) and /var/log/cybervault/agent.log (endpoints).

🆘

Need Immediate Support?

Open a ticket via the portal, email ops@cybervault.io, or call our 24/7 support line. Include your instance ID: sudo cybervault info --instance-id.

Next Steps

Now that your platform is deployed and verified, proceed with:

Importing existing threat intelligence feeds
Configuring baseline security policies & compliance rules
Integrating with your SIEM, SOAR, and ITSM workflows
Scheduling your first security awareness training campaign