Skip to content

Linux

Installation

Requires at least Ubuntu 16.04 LTS or Debian 10 or Raspbian 10.

  1. Install apt-transport-https

    sudo apt install gpg curl apt-transport-https

  2. Add Enclave’s package signing key and set up the apt repository

    curl -fsSL https://packages.enclave.io/apt/enclave.stable.gpg  | sudo gpg --dearmor -o /usr/share/keyrings/enclave.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/enclave.gpg] https://packages.enclave.io/apt stable main" | sudo tee /etc/apt/sources.list.d/enclave.stable.list

  3. Install Enclave

    sudo apt update && sudo apt install enclave

  4. Enrol

    sudo enclave enrol

  5. Provide your Default Enrolment Key to complete the installation

Select your version:

  1. Install Enclave using our quick-start script

    bash <(curl -Ss https://install.enclave.io/setup.sh)

  2. Provide your Default Enrolment Key to complete the installation

Requires at least CentOS or RHEL 8.

  1. Install Dependencies

    sudo dnf -y install dnf-plugins-core

  2. Add Enclave’s repository to rpm sources

    sudo dnf config-manager --add-repo https://packages.enclave.io/rpm/enclave.repo

  3. Install Enclave

    sudo dnf install enclave

  4. Enrol

    sudo enclave enrol

  5. Provide your Default Enrolment Key to complete the installation

Requires at least Fedora 38.

  1. Install Dependencies

    sudo dnf -y install dnf-plugins-core

  2. Add Enclave’s repository to rpm sources

    sudo dnf config-manager --add-repo https://packages.enclave.io/rpm/enclave.repo

  3. Install Enclave

    sudo dnf install enclave

  4. Enrol

    sudo enclave enrol

  5. Provide your Default Enrolment Key to complete the installation

Requires at least Amazon Linux 2018.03.

  1. Install Enclave using our quick-start script

    bash <(curl -Ss https://install.enclave.io/setup.sh)

  2. Provide your Default Enrolment Key to complete the installation

  1. Add Enclave’s repository to rpm sources

    sudo zypper addrepo https://packages.enclave.io/rpm/enclave.repo

  2. Install Enclave

    sudo zypper install enclave

  3. Enrol

    sudo enclave enrol

  4. Provide your Default Enrolment Key to complete the installation

Requires at least Arch Linux 2020.08.01.

  1. Install Enclave using our quick-start script

    bash <(curl -Ss https://install.enclave.io/setup.sh)

  2. Provide your Default Enrolment Key to complete the installation

Unattended installation

Enclave supports unattended installations by setting the Enrolment Key in a specially named environment variable: ENCLAVE_ENROLMENT_KEY.

  1. Set the Enrolment Key you want to use as an environment variable 

    $ export ENCLAVE_ENROLMENT_KEY=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

  2. Enrol the system using enclave enrol. If you're using sudo don't forget to include the -E argument (also --preserve-env) to preserve environment variables. 

    $ sudo -E enclave enrol

  3. Enclave will automatically enrol and daemonise as a background process.

Starting and stopping

The Enclave installer creates a lightweight supervisor service set to run at system start which is responsible for starting the Enclave fabric. The supervisor service exists to start, stop and restart Enclave fabric in the background as daemon child processes.

The supervisor service responds to the Enclave CLI verbs start and stop to control the Fabric.

Updating

Enclave is updated using the standard apt package manager.

sudo apt update && sudo apt install enclave

Warning

During updates, the Enclave service will restart. This can cause SSH sessions established over the Enclave tunnel to disconnect and the apt operation to terminate prior to completion. To avoid this, we suggest launching apt install using nohup so even if the SSH session disconnects, the upgrade operation will continue in the background. sudo nohup apt install enclave

Enclave is updated using the standard apt package manager.

sudo dnf update enclave --refresh

Warning

During updates, the Enclave service will restart. This can cause SSH sessions established over the Enclave tunnel to disconnect and the apt operation to terminate prior to completion. To avoid this, we suggest launching dnf update using nohup so even if the SSH session disconnects, the upgrade operation will continue in the background. sudo nohup dnf update enclave

Enclave is updated using the standard apt package manager.

sudo zypper install enclave

Warning

During updates, the Enclave service will restart. This can cause SSH sessions established over the Enclave tunnel to disconnect and the apt operation to terminate prior to completion. To avoid this, we suggest launching zypper install using nohup so even if the SSH session disconnects, the upgrade operation will continue in the background. sudo nohup zypper install enclave

Upgrade to the latest version of Enclave by running our quick-start script.

bash <(curl -Ss https://install.enclave.io/setup.sh)

Automatic Updates

You can configure your linux distribution to automatically update Enclave to ensure you receive the latest fixes and security updates.

  1. Install the unattended-upgrades package

    sudo apt update && sudo apt install unattended-upgrades

  2. Add the line "Enclave:stable"; into the Unattended-Upgrade::Allowed-Origins section of the configuration file /etc/apt/apt.conf.d/50unattended-upgrades. Please note that by default, the unattended-upgrades package will automatically apply updates to your entire system. If you only want Enclave to be updated, comment out everything in the within Unattended-Upgrade::Allowed-Origins section, except for "Enclave:stable";.

    Unattended-Upgrade::Allowed-Origins {
    "Enclave:stable";
};

  3. Restart the unattended-upgrades service

    sudo systemctl restart unattended-upgrades

  4. Configure the unattended-upgrades service to run automatically by running

    sudo dpkg-reconfigure --priority=low unattended-upgrades

    If prompted, select yes. This will create the file /etc/apt/apt.conf.d/20auto-upgrades. You can learn more here.

  5. Your system, along with Enclave, will be automatically upgraded as new updates are released. Perform a --dry-run to test the configuration and print a list of currently available updates. No output is shown if updated packages are not available.

    sudo unattended-upgrades --dry-run --debug

  6. Now configured, by default the unattended-upgrades package will check for and install new updates daily at around 2am (local time for the system). If you would like the system to automatically reboot when required, as well as choosing when that happens, you can adjust the following lines in /etc/apt/apt.conf.d/50unattended-upgrades as appropriate and restart the service following any configuration changes with sudo systemctl restart unattended-upgrades.

    // Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

  1. Install the unattended-upgrades package

    sudo apt update && sudo apt install unattended-upgrades

  2. Add the line "origin=Enclave,archive=stable"; into the Unattended-Upgrade::Origins-Pattern section of the configuration file /etc/apt/apt.conf.d/50unattended-upgrades. Please note that by default, the unattended-upgrades package will automatically apply updates to your entire system. If you only want Enclave to be updated, comment out everything in the within Unattended-Upgrade::Origins-Pattern section, except for "origin=Enclave,archive=stable";.

    Unattended-Upgrade::Origins-Pattern {
    "origin=Enclave,archive=stable";
};

  3. Restart the unattended-upgrades service

    sudo systemctl restart unattended-upgrades

  4. Configure the unattended-upgrades service to run automatically by running

    sudo dpkg-reconfigure --priority=low unattended-upgrades

    If prompted, select yes. This will create the file /etc/apt/apt.conf.d/20auto-upgrades. You can learn more here.

  5. Your system, along with Enclave, will be automatically upgraded as new updates are released. Perform a --dry-run to test the configuration and print a list of currently available updates. No output is shown if updated packages are not available.

    sudo unattended-upgrades --dry-run --debug

  6. Now configured, by default the unattended-upgrades package will check for and install new updates daily at around 2am (local time for the system). If you would like the system to automatically reboot when required, as well as choosing when that happens, you can adjust the following lines in /etc/apt/apt.conf.d/50unattended-upgrades as appropriate and restart the service following any configuration changes with sudo systemctl restart unattended-upgrades.

    // Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

  1. Install the dnf-automatic package

    sudo dnf install dnf-automatic --refresh

  2. Set apply_updates to yes in the dnf-automatic configuration file at /etc/dnf/automatic.conf 

    apply_updates = yes

    Note

    dnf-automatic will update all packages on the system by default. dnf-automatic runs at 6am daily. Adjust `/usr/lib/systemd/system/dnf-automatic.timer` to change the schedule.

  3. Enable the service

sudo systemctl enable --now dnf-automatic.timer

Uninstalling

Remove the Enclave package while leaving configuration files on the system.

sudo apt remove enclave

Warning

Enclave does not backup a system's private keys. Lost or deleted private keys are not recoverable. If a system's configuration and private keys are lost, to use that system with Enclave again it must be re-enrolled.

Remove the Enclave package while leaving configuration files on the system.

sudo dnf remove enclave

Warning

Enclave does not backup a system's private keys. Lost or deleted private keys are not recoverable. If a system's configuration and private keys are lost, to use that system with Enclave again it must be re-enrolled.

Remove the Enclave package while leaving configuration files on the system.

sudo zypper remove enclave

Warning

Enclave does not backup a system's private keys. Lost or deleted private keys are not recoverable. If a system's configuration and private keys are lost, to use that system with Enclave again it must be re-enrolled.

Remove the Enclave package and associated files.

bash <(curl -Ss https://install.enclave.io/setup.sh) -r

If you'd like to remove the Enclave private key data and configuration after uninstalling, run the command below.

sudo rm -rd /etc/enclave/

Troubleshooting

What to do if install fails

If installation fails and you are unable to resolve the problem, please contact support@enclave.io or get help in our community support channels.

For general troubleshooting and errors, visit our troubleshooting page to find common issues.

Last updated April 25, 2025