You can get Keysas either from source or from a pre-compiled binary. The following installation steps will therefore be annotated to take the source base installation in consideration.

Software dependencies

$ sudo echo "deb bullseye-backports main contrib non-free" > /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ sudo apt -qy -t bullseye-backports install libyara9
$ sudo apt install \
             acl clamav-daemon clamav-freshclam libyara9 make \
             pkg-config bash ssh rsync apparmor

For a source based installation

$ sudo echo "deb bullseye-backports main contrib non-free" > /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ sudo apt -qy -t bullseye-backports install libyara-dev libyara9
$ sudo apt install \
            libseccomp2 libseccomp-dev \
            lsb-release pkg-config bash software-properties-common \
            build-essential libudev-dev

# Install rustup
$ curl --proto '=https' --tlsv1.2 -sSf | sh

# Install the LLVM toolchain (x86_64 only)
$ bash -c "$(wget -O -"

Getting Keysas (Network gateway)

Thanks to the Gitlab CI a pre-compiled Keysas binary is at your disposal, you can choose and download a specific version of Keysas using the download section.

Download the following files of lastest stable version.



First, verify the sha256sum and compare it to the file, and import our public gpg key:

$ diff <(sha256sum
$ wget
$ gpg2 --import public.gpg
$ gpg2 --verify
$ unzip -d keysas


Ensure that /usr/sbin is present in your $PATH. If not, add it:

$ export PATH=$PATH:/usr/sbin

For a source based installation

Clone the gitlab repository and compile Keysas

$ git clone --depth=1
$ cd keysas
$ make build

Clamav configuration

Keysas uses Clamav as a virus scanner for now but additionnal scanners could be added in future. You should update your Clamav signature database on regular bases. This operation is handled by the clamav-freshclam daemon, you have to enable it.

Make sure that your clamav-daemon and clamav-freshclam services are up and running

$ systemctl status clamav-daemon clamav-freshclam

Edit the Clamav configuration

Enable TCP listening on the loopback interface using port 3310

TCPSocket 3310

We now need to allow the Clamav daemon to be able to read the /var/local/in directory with Apparmor.

Clamav apparmor profile tweak

Add the the following Clamav apparmor rules to authorise Clamd scanning the entry point:

/var/local/in/ r,
/var/local/in/* kr,
/var/local/in/** kr,

If not, add it manually and reload your apparmor configuration

$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd

You can now manually run a signature database update and restart the Clamav daemon to take the new configurations in account.

$ sudo systemctl start clamav-freshclam
$ sudo systemctl restart clamav-daemon

System wide installation

You can now install Keysas-core on your system.

$ cd keysas
$ sudo make install-core
$ sudo make install-yararules

To install the USB version of Keysas (decontamination station):

$ cd keysas
$ sudo make install
$ sudo make install-yararules

At the end of the installation, you should see something like this:


Installation details

  • Every binaries (ELF) are installed under /usr/bin/ ;

  • Systemd units are installed under /etc/systemd/system/ ;

  • Apparmor profiles are installed under /etc/apparmor.d/ ;

  • Configuration files are installed under /etc/keysas/ ;

  • Log directories are created under /var/log/ ;

  • Yara rules are installed under /usr/share/keysas/rules.

You can now check that every services are up and running (core mode):

$ systemctl status keysas keysas-in keysas-transit keysas-out

If you want to check the full installation (USB mode):

$ systemctl status keysas keysas-in keysas-transit keysas-out keysas-udev keysas-backend