
Privacera Platform



Installation overview

To install Privacera Platform, follow these steps:

  1. Choose the installation options

    • Cloud Provider - Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).

    • Deployment Type - Docker Container or Kubernetes.

  2. Choose the databases and services you want to secure or scan

    • Services for Access Control: AWS S3, Databricks, Snowflake, Azure SQL, Google BigQuery

    • Services for Discovery: AWS S3, Azure ADLS, GCS, Snowflake, Azure SQL, Google BigQuery

    • Services for Encryption: Databricks, Apache Hive, Snowflake

  3. Get requirements from your security team

    • SSL Management: CA, Corporate CA, Self Signed

    • Encryption: Encrypted PVs in Kubernetes, External Vault to be used

  4. Perform prerequisites

    • Operating environment: EC2, Virtual instances, Kubernetes Cluster, Load Balancers

    • Dependent Resources: External Databases

    • IAM policies: EC2 Instance Roles, Kubernetes NodeGroups

    • Firewalls: Ingress/Egress Ports

    • Security: SSL certificates, encryption keys, service user/passwords, Single Sign-On

  5. Install and configure

    • Install Privacera Manager. Using PM CLI

    • Create Privacera Manager Recipe. Based on Supported Services, Security and Advanced Requirements

    • Deploy Privacera. Run pre check, deploy and validate

Environment variables

Obtain the values for the following variables from your Privacera technical sales representative. These values are used as you set installation properties.







The Privacera Docker repository is where all Privacera packages are uploaded. To get the latest packages, you need the repository name and its credentials.


Privacera release version of the Privacera product.



URL location of downloadable Privacera product software tar file.


Partial URL location of downloadable Privacera Manager software.


URL location of downloadable Privacera Manager software tar file.

Follow the steps on these pages to continue with the installation:

Download installation packages

Your values for the following variables can be obtained from your Privacera technical sales representative. To learn more, see Environment Variables.








These values are used to set installation properties.

Steps to download packages
  1. In a terminal window, connect to the cloud Linux instance using an SSH client. Follow the steps given in the links below.

  2. Run the export command as shown below. Replace $PRIV_MGR_PACKAGE, $PRIV_MGR_IMAGE and $PRIVACERA_HUB_REPO_NAME with your values.

  3. Using your $PRIVACERA_HUB_REPO_NAME value, log onto the Privacera Docker Hub:

  4. The default installation folders for Privacera and Privacera Manager are ~/privacera and ~/privacera/privacera-manager. If you use a different folder, adjust the commands and sequences accordingly.

    Use the following commands to create the installation folder. Then using wget, download and extract the privacera-manager components as shown:

    mkdir -p ~/privacera/downloads 
    cd ~/privacera/downloads
    wget $PRIV_MGR_PACKAGE -O privacera-manager.tar.gz 
    cd ~/privacera
    tar -zxf ~/privacera/downloads/privacera-manager.tar.gz

    The folder ~/privacera/privacera-manager will contain all the required components.

  5. Next use the following commands to create, this is a shell script used for Privacera Manager upgrades.

    cd ~/privacera/privacera-manager/config 
    echo '#!/bin/bash' > 
    echo "export PRIV_MGR_PACKAGE=$PRIV_MGR_PACKAGE" >> 
    echo "export PRIV_MGR_IMAGE=$PRIV_MGR_IMAGE" >>

After the packages are downloaded, the next step is to set up the environment for installing the packages. For an overview of the installation steps, see Installation Overview.

Privacera Manager installation steps

Installation using CLI

Before installing, make sure you have downloaded all the required Privacera installation packages. For more information, click here.

Environment setup
  1. Copy the template configuration file sample.vars.privacera.yml to vars.privacera.yml and modify it for your specific environment.

    cd ~/privacera/privacera-manager
    cp config/sample.vars.privacera.yml config/vars.privacera.yml 
    vi config/vars.privacera.yml
  2. Edit the properties in the file.

    Property Name


    Example Values


    This is the environment name. Specify a value that includes only lowercase alphanumeric characters or dashes (-), starts and ends with an alphanumeric character, and is no longer than 63 characters.

    privacera-env; privacera-prod; privacera-1


    If the Privacera Platform has a fully qualified domain name (FQDN), assign that value; otherwise, leave the property commented out.



    The hub username access credential, set to the value provided for <PRIVACERA_HUB_USER>.

    Note: For an air-gap install, enter the username of the internal repository URL.


    The hub password access credential, set to the value assigned for <PRIVACERA_HUB_PASSWORD>.

    Note: For an air-gap install, enter the password of the internal repository URL.


    The image tag, set to the value assigned for <PRIVACERA_IMAGE_TAG>.


    The download URL, set to the value assigned for <PRIVACERA_BASE_DOWNLOAD_URL>.


    This is the deployment size. Valid values are SMALL (default), MEDIUM and LARGE.

    For more information on CPU, memory, disk space, etc., for the deployment sizes, click here.

    Note: This is applicable only for a Kubernetes environment.


Configure the deployment mode


To deploy Privacera as Docker containers, simply copy the Docker properties template into custom-vars/ folder.

cd ~/privacera/privacera-manager 
cp config/sample-vars/vars.docker.yml config/custom-vars/


  1. To use and create a Kubernetes based deployment, first copy the Kubernetes properties template into the custom-vars/ folder.

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.kubernetes.yml config/custom-vars/
  2. Edit the 'vars.kubernetes.yml' file and set the value of K8S_CLUSTER_NAME to the name of the target cluster. To find the cluster name, run:

    kubectl config get-contexts
  3. The value is displayed under CLUSTER. It contains the ARN of the EKS cluster along with the cluster name. Copy the cluster name and set it as the value of K8S_CLUSTER_NAME.

  4. Open the YML file.

    vi config/custom-vars/vars.kubernetes.yml
  5. Edit the following properties:

    #This variables enable Kubernetes related properties
    #Note: Please update all mandatory fields. Search for <PLEASE_CHANGE>
    #Name of the deployment. You can use privacera-prod, privacera-stage, etc
    #Zones for Storage. For now, only one zone should be given
    #  - "us-east-1a"
    #Default as 1, Recommended value is 32Gi and 3 for CLUSTER SIZE
    #Default as 1, Recommended value is 32Gi and 3 for CLUSTER SIZE
    #If your storage is encrypted, then set the below property
    #K8S_PV_ENCRYPTED: "true"
    #For AWS, it is ARN with keyId. E.g. arn:aws:kms:us-east-1:<account>:key/<hash>
    #K8S_PV_KEY: ""
    PRIVACERA_INSTALL_MODE: "kubernetes"
    #Uncomment to obtain external loadbalancer. Default values are "false"

    By default, Privacera creates a service account with the name, privacera-sa. The account is bound to a namespace-level Role and RoleBinding, whose default values are privacera-sa-role and privacera-sa-role-bind respectively. If you want to change the default values of these three Kubernetes objects, click here.

    For more information about configuring the service account, click here.

Configure the cloud platform
AWS Cloud Platform
  1. For an AWS cloud environment, copy the sample AWS configuration file to custom-vars/.

    cd ~/privacera/privacera-manager/config/ 
    cp sample-vars/ custom-vars/
  2. Edit this configuration file:

    vi custom-vars/
  3. Set the property value for AWS_REGION based on where your instance will be running.

Azure Cloud Platform
  • For an Azure environment, copy the sample configuration file to custom-vars/.

    cd ~/privacera/privacera-manager/config/
    cp sample-vars/ custom-vars/
Google Cloud Platform
  1. For a Google Cloud Platform environment, copy the sample GCP configuration file to custom-vars/.

    cd ~/privacera/privacera-manager/config/ 
    cp sample-vars/vars.gcp.yml custom-vars/
  2. Edit this configuration file:

    vi custom-vars/vars.gcp.yml
  3. Set the Project ID of your GCP project. This value can be found in the Google Console.

Configure secrets in keystores

Privacera can encrypt secrets used in Privacera services, so that passwords are stored in keystores instead of being exposed in plaintext. This does not need to be configured initially to install Privacera Manager, but it is necessary for security in a production environment.

Learn more on how to Enable Password Encryption for Privacera Services.

Configure SSL

To secure your connections with Privacera, you can use self-signed or CA signed certificates.

Note that these configurations are not required initially to install Privacera Manager, but they are necessary for security in a production environment.

Default Privacera services

The following are core services that are installed as part of Privacera Manager. Configure these services as needed for your environment. Click the Configure links below to learn more.

  • Privacera Portal - This is your Privacera dashboard for data access control and policy management across multiple cloud services.

  • Apache Ranger - Apache Ranger is an open-source project for data access governance for Big Data environments.

  • MariaDB - MariaDB is an open source relational database. It is part of most cloud offerings and the default in most Linux distributions.

  • Apache Zookeeper - ZooKeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. Configure access to a Zookeeper pod.

  • Apache Solr - Solr is an open source enterprise search platform built on Apache Lucene. Configure Solr Authentication.

  • AuditServer - You can set up an AuditServer to receive audits from Privacera Plugins and Ranger Admin and send those audits to Solr and Fluentd. Configure Solr Destination.


Before installing Privacera Manager, you can run pre-validation checks to test your service configurations. For more information, see Validations.
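The environment-name rule and the `<PLEASE_CHANGE>` and `K8S_PV_ENCRYPTED` settings described above can be checked locally before the update is run. The script below is an added example, not Privacera's own validation tooling; the function names, the constructed sample file and the choice to report unrequested persistent-volume encryption as a finding are assumptions.

```shell
#!/bin/sh
# Added example: lint Privacera Manager custom-vars before running the update.
LC_ALL=C; export LC_ALL   # keep the a-z range ASCII-only

# Environment-name rule from the property table: lowercase alphanumerics or
# dashes, alphanumeric first and last character, at most 63 characters.
valid_env_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 63 ] || return 1
    case $name in
        *[!a-z0-9-]*) return 1 ;;   # uppercase, underscore, dot, space ...
        -*|*-)        return 1 ;;   # leading or trailing dash
    esac
    return 0
}

# Print the value of the last uncommented "KEY: value" line in the given files.
active_value() {
    k=$1; shift
    sed -n "s/^[[:space:]]*$k:[[:space:]]*//p" "$@" 2>/dev/null |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# One finding per line on stdout; exit status 0 only when there are none.
lint_vars_dir() (
    dir=$1; findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    for f in "$dir"/*.yml; do
        [ -f "$f" ] || continue
        # Placeholders count only on active lines, not in template comments.
        if grep -v '^[[:space:]]*#' "$f" | grep -q '<PLEASE_CHANGE>'; then
            report "$f: <PLEASE_CHANGE> placeholder still present"
        fi
    done

    if [ "$(active_value PRIVACERA_INSTALL_MODE "$dir"/*.yml)" = kubernetes ]; then
        if [ "$(active_value K8S_PV_ENCRYPTED "$dir"/*.yml)" != true ]; then
            report "K8S_PV_ENCRYPTED is not \"true\": PV encryption not requested"
        elif [ -z "$(active_value K8S_PV_KEY "$dir"/*.yml)" ]; then
            report "K8S_PV_KEY is empty: confirm which key encrypts the volumes"
        fi
    fi
    [ "$findings" -eq 0 ]
)

# Constructed sample modelled on the commented template shown earlier.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/vars.kubernetes.yml" <<'EOF'
K8S_CLUSTER_NAME: "<PLEASE_CHANGE>"
#K8S_PV_ENCRYPTED: "true"
#K8S_PV_KEY: ""
PRIVACERA_INSTALL_MODE: "kubernetes"
EOF
    echo "$d"
}

sample=$(make_sample)
lint_vars_dir "$sample" || echo "resolve the findings above before the update"
rm -rf "$sample"
```

In a real installation, point `lint_vars_dir` at `~/privacera/privacera-manager/config/custom-vars` and pass the chosen environment name to `valid_env_name`.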

Run the Privacera Manager install script

Run the following script to install Privacera Manager. This will initiate the installation process and install all the services based on the defined configurations.

cd ~/privacera/privacera-manager 
./ update
Privacera Service URLs

You can access the services either as Docker containers or Kubernetes pods. Privacera Manager records the URIs for each of the key services. These are written to standard output and will look similar to the following:





Each service provides you with an internal and external URL. To access a Privacera service, use the external URL of the service. For example, to access Privacera Portal, copy its external URL in a browser, and log on with default username/password: 'padmin' / 'padmin'.


Reset your administrator account ('padmin') password according to your enterprise policy. This password can be changed in the Privacera Portal under "Settings: User Management". See the Privacera Portal User Guide, Settings: User Management for more information.

Next Steps: Privacera component services

Once Privacera Manager is installed you can configure the component services listed below. Each of the services has a set of default and custom configurations. The default configurations are the minimum settings required for the service to run, whereas the custom configurations are the advanced/additional settings of the service to extend its functionality.

Advanced Kubernetes configuration

Proxy configuration for Kubernetes

If your clusters rely on a proxy service on the Privacera host, set the protocol, domain or IP address and port of your proxy server in the environment variable K8S_AUTH_PROXY in the script you create at installation.

  1. Open the file.

    cd privacera/privacera-manager/
    vi config/
  2. Add the following property.

  3. Restart Privacera.

    ./ update
Pod topology

If your pods are distributed across different nodes, zones or regions, you can use pod topology in Privacera Manager to control them for high availability and efficient resource utilization. For more information on pod topology, refer to the Kubernetes documentation.

By default, pod topology is disabled. To enable it:

  1. Copy the .yml file to the custom-vars directory and open it.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.kubernetes.pod-topology.yml config/custom-vars/
    vi config/custom-vars/vars.kubernetes.pod-topology.yml

Externalize access to Privacera services - Nginx Ingress


NGINX Ingress with Privacera is supported only for AWS.

By deploying NGINX Ingress in Privacera, you can provide external access to Privacera services such as Privacera Portal, Audit Server, Solr and Ranger.

Steps to deploy NGINX Ingress
  1. Copy the .yml file to the /custom-vars directory and open it.

    cd ~/privacera/privacera-manager/ 
    cp config/sample-vars/vars.kubernetes.nginx-ingress.yml config/custom-vars/ 
    vi config/custom-vars/vars.kubernetes.nginx-ingress.yml
  2. To enable NGINX Ingress, set K8S_NGINX_INGRESS_ENABLE: "true".

  3. Choose whether you want Privacera Manager to deploy the NGINX Ingress controller. If you set K8S_NGINX_INGRESS_CONTROLLER_ENABLE to true, Privacera Manager deploys the NGINX Ingress controller in the privacera-services namespace of your Kubernetes cluster.


    Do not set the property to true if an NGINX Ingress controller is already installed in your cluster.

  4. If K8S_NGINX_INGRESS_CONTROLLER_ENABLE is false, then provide your existing controller service load balancer URL.

  5. By default DNS names of Privacera services are set in the following pattern: service_name-namespace.domain_name. If you want to change the domain-name for the Privacera service URL, edit the AWS_ROUTE53_DOMAIN_NAME property.

  6. Provide AWS Route53 Zone ID to allow Privacera Manager to create records of DNS names.


    You can get the value by doing one of the following:

    • Run the following command where your Privacera Manager is installed.

      aws route53 list-hosted-zones-by-name --dns-name <ZONE_NAME> --query 'HostedZones[].Id' --output text | cut -d/ -f3


    • Navigate to your AWS account > Route53 > Hosted Zone ID.

Air-gapped install

An air-gapped installation is an installation of the Privacera product on servers or VMs that are offline or have no access to the Privacera Hub Repository to download the required packages and images.

  • A host machine without internet access where Privacera will be installed. Make sure you have met all the prerequisite hardware configuration and software for your platform, including Docker/Kubernetes on AWS or Azure. See Prerequisites Overview.

  • An intermediate system with internet access to download packages and images from Privacera Hub Repository.

  • Privacera installation variables. For more information about the variables, see Installation Environment Variables

Intermediate system for download

If the Privacera Manager host does not have access to the internet or Privacera Hub Repository, then you will need an intermediate system for access. On this intermediate system, you will download all necessary Privacera packages and images. Once downloaded, you can host the images on your internal repository and copy the packages to any cloud storage or copy them to the Privacera Manager host using SSH.

The Privacera airgap script can help you download the packages and images, push images to your internal repository or copy them to your Privacera Manager host.

Download packages and images of Privacera Manager
  1. On your intermediate system, download the following script. This script allows you to download all the images required for installing Privacera Manager and upload them to an internal repository.

  2. Using the script, download Privacera Platform components (packaged as 'Docker images') to your intermediate system. You may choose to download the complete set or, in consultation with your Privacera sales advisor, elect to download a subset based on your licensing and local requirements.

    Image Name



    Core Components


    Privacera Manager (Installation Update)



    Privacera Portal - Centralized Dashboard



    Search engine for Privacera



    Sync users from LDAP/Active Directory to Privacera Portal



    Fluentd log/audit management



    Coordination and synchronization service



    Authorization and Authentication



    Data access user LDAP/AD importer



    Discovery to Access Manager tags synchronization



    Audit/log server abstraction layer


    Internal Database


    Default configuration database


    Access Manager


    Proxy server based access control service



    Policy-based access control service



    Version 2 (V2) of policy-based access control service



    BPMN Engine for Access Request workflow




    Discovery / Spark service for scanning and tagging data



    Kafka service for real-time scanning


    Encryption & Masking


    Apache Ranger KMS



    Privacera Encryption Gateway (PEG) Service


    Metrics and Monitoring


    Statistics and monitoring



    Statistics and monitoring


  3. The script has three actions: pull, push and sync. By default, it runs the pull action, which downloads the Privacera packages and images. The script first asks for the Privacera Base and Privacera Manager Download URLs, then asks you to select which sets of images to download (see the table above).

    1. Before running the script, ensure that no Privacera images with the same tag are present on the system. To verify, run the docker images command.

    2. To pull the packages and images, run the following script. By default, it runs with pull action.

      sudo chmod +x 

      Sequence of prompts:

      • Enter the Privacera Base Download URL.

      • Choose whether you want to download the images of Core Components.

      • Choose whether you want to download the image of Internal Database.

      • Choose whether you want to download the images of Access Manager.

      • Choose whether you want to download the images of Discovery.

      • Choose whether you want to download the images of Encryption and Masking.

      • Choose whether you want to download the images of Statistics and Monitoring.

      The script lists the packages and images downloaded and saved in the ${PWD}/privacera/downloads and ${PWD}/privacera/downloads/images locations respectively.

    3. Run the script to upload the packages either to your internal repository or the Privacera Manager host machine.

      Internal Repository

      Run the script again with push action to upload the images to your private Repository and copy (.tar) packages to your Privacera Manager host.

      ./ push
      1. Sequence of prompts:

        • Enter Privacera Docker Hub URL.

        • Enter Privacera Image Tag.

        • Enter Docker login URL

        • Enter Docker user.

        • Enter Docker password.

      2. Once the images are pushed to the internal repository, the script cleans up the images in the ${PWD}/privacera/downloads/images directory and prompts you to copy the packages to the Privacera Manager host.

        The following is the sequence of prompts for reference:

        • Choose whether the remote user has passwordless access to the PM host.

        • Enter the host name of the PM host.

        • Enter the name of the remote user.

      Privacera Manager Host


      The steps below are applicable for a Docker-based environment.

      Run the script again with sync action to copy the packages and images to the Privacera Manager host.

      ./ sync

      The following is the sequence of prompts for reference:

      • Do you want to copy packages to PM Host.

      • Can current user SSH(Passwordless), to PM Host.

      • Enter the host name of the PM host.

      • Enter the name of the remote user.

Configure Privacera Manager
  1. Log in to the Privacera Manager host.

  2. Follow the steps on Configure the deployment mode to configure the environment, deployment mode and cloud platform.

  3. Configure Privacera Manager to use Air-Gap installation, with either the internal repository or the PM Host:

    Internal Repository

    cd ~/privacera/privacera-manager 
    cp config/sample.vars.privacera.yml config/vars.privacera.yml
    vi config/vars.privacera.yml

    Add the following property and enter your internal repository URL.

    privacera_hub_url: ""

    Privacera Manager Host


    This is applicable for a Docker-based environment.

    cd ~/privacera/privacera-manager 
    cp config/sample-vars/vars.airgap.install.yml config/custom-vars/
  4. Run the following commands to update.

    cd ~/privacera/privacera-manager 
    ./ update
Upgrade Privacera Manager
Internal Repository
  1. On the intermediate system, download the latest PM packages and upload them to the internal repository.

  2. Edit the file.

    cd ~/privacera/privacera-manager
    vi config/

    Update the following in the command below:

    • <YOUR_INTERNAL_REPO_URL> - Your internal repository URL where the privacera-manager.tar.gz package is stored.

    • <INTERNAL_REPO_HUB_NAME> - Your internal repository name.

    • rel_x.x.x.x - Privacera release version.

    export PRIV_MGR_PACKAGE=<YOUR_INTERNAL_REPO_URL>/privacera-manager.tar.gz 
    export PRIV_MGR_IMAGE=<INTERNAL_REPO_HUB_NAME>/privacera-manager:rel_x.x.x.x
  3. Update the download URL and image tag with the new build number. Open config/vars.privacera.yml.

    cd ~/privacera/privacera-manager 
    vi config/vars.privacera.yml 

    Edit the following properties:

  4. Upgrade Privacera Manager with the following commands.

    cd ~/privacera/privacera-manager 
    ./ upgrade-manager
    ./ update
Privacera Manager Host


The steps below are applicable for a Docker-based environment.

  1. From your PM host, remove all the files in the downloads folder (~/privacera/downloads) and images folder (~/privacera/downloads/images).

  2. On the intermediate system, download the latest PM packages and copy them to the PM host.

  3. Verify that all the PM packages and images are the latest versions in their respective folders. Also, verify that release tag is updated in the and vars.privacera.yml files.

  4. Upgrade Privacera Manager with the following commands.

    cd ~/privacera/privacera-manager 
    ./ upgrade-manager
    ./ update
Upgrade Solr from 8.5.1 to 8.9.0
Internal Repository
  1. In the intermediate system, get the latest Solr image by downloading the privacera_solr.gz package.

  2. Upload privacera_solr.gz package to the internal repository URL.

  3. On the PM host, add the following variable in config/vars.privacera.yml.

  4. Upgrade Privacera Manager with the following commands.

    cd ~/privacera/privacera-manager 
    ./ update
Privacera Manager Host
  1. In the intermediate system, get the latest Solr image by downloading the privacera_solr.gz package.

  2. Sync/copy the latest privacera_solr.gz package to the ~/privacera/downloads/images folder in PM host.

  3. On the PM host, add the following variable in config/vars.privacera.yml.

  4. Upgrade Privacera Manager with the following commands.

    cd ~/privacera/privacera-manager 
    ./ update