The following installation steps will guide you through compiling Keysas from sources and installing it on a Debian 12 (Bookworm) system.

Software dependencies

To compile Keysas from sources, let’s start by installing the required dependencies:

Dependencies installation

$ sudo echo "deb bookworm-backports main contrib non-free" > /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ apt -qy install -y libyara-dev libyara9 wget cmake make \
                     lsb-release software-properties-common \
                     libseccomp-dev clamav-daemon clamav-freshclam \
                     pkg-config git acl rsync bash libudev-dev \
                     libwebkit2gtk-4.0-dev build-essential curl \
                     wget libssl-dev apparmor ssh libgtk-3-dev \
                     libayatana-appindicator3-dev librsvg2-dev

# Install rustup
$ curl --proto '=https' --tlsv1.2 -sSf | sh

# Install the LLVM toolchain
$ bash -c "$(wget -O -"

# Install the nightly rust toolchain
$ curl -sSf | sh -s -- --default-toolchain nightly -y
$ rustup default nightly

Getting Keysas

A pre-compiled Keysas binary is at your disposal. We recommend using the latest version here:

Download the following files of lastest stable version.



First, verify the sha256sum and compare it to the file, and import our public gpg key:

$ diff <(sha256sum
$ wget
$ gpg2 --import public.gpg
$ gpg2 --verify
$ unzip -d keysas


Ensure that /usr/sbin is present in your $PATH. If not, add it:

$ export PATH=$PATH:/usr/sbin

For a source based installation

Clone the gitlab repository and compile Keysas

$ git clone --depth=1
$ cd keysas
$ make build

Clamav configuration

Keysas uses Clamav as a virus scanner for now but additionnal scanners could be added in future. You should update your Clamav signature database on regular bases. This operation is handled by the clamav-freshclam daemon, you have to enable it.

Make sure that your clamav-daemon and clamav-freshclam services are up and running

$ systemctl status clamav-daemon clamav-freshclam

Edit the Clamav configuration

Enable TCP listening on the loopback interface using port 3310

TCPSocket 3310

We now need to allow the Clamav daemon to be able to read the /var/local/in directory with Apparmor.

Clamav apparmor profile tweak

The following Clamav apparmor rules are used to authorise Clamd scanning the entry SAS:

/var/local/in/ r,
/var/local/in/* kr,
/var/local/in/** kr,

It should be automatically installed during installation.

You can now manually run a signature database update and restart the Clamav daemon to take the new configurations in account.

$ sudo systemctl start clamav-freshclam
$ sudo systemctl restart clamav-daemon

System wide installation

You can now install Keysas-core on your system.

$ cd keysas
$ sudo make install-core
$ sudo make install-yararules

To install the Full USB version of Keysas (decontamination station):

$ cd keysas
$ sudo make install
$ sudo make install-yararules

At the end of the installation, you should see something like this:


Installation details

  • Every binaries (ELF) are installed under /usr/bin/ ;

  • Systemd units are installed under /etc/systemd/system/ ;

  • Apparmor profiles are installed under /etc/apparmor.d/ ;

  • Configuration files are installed under /etc/keysas/ ;

  • Logs are available using journalctl ;

  • Yara rules are installed under /usr/share/keysas/rules.

You can now check that every services are up and running (core mode):

$ systemctl status keysas keysas-in keysas-transit keysas-out

If you want to check the full installation (USB mode):

$ systemctl status keysas keysas-in keysas-transit keysas-out keysas-io keysas-backend

Building Keysas-frontend

Keysas-frontend is a read-only Vue-JS application to help visualizing transfers for the end-user.

Go to the keysas-frontend directory and install the dependencies using npm:

$ npm i

One done, you can build the application:

$ npm run build

The application is now built into the dist directory. Copy the content of this directory at the root of a local webserver (like nginx for exemple). Open now a web browser like firefox and visit the

Building Keysas-admin

Keysas-admin needs to be signed by our personal private key. Nevertheless, if you want to build it yourself for testing purposes:

$ cd keysas-admin && npm i vite@latest && cargo install cargo-cli && cargo tauri build


Keysas-admin only work on GNU/Linux based systems for now !