
How to Set Up KafkaGuard On-Prem: Enterprise Kafka Security in Under 30 Minutes

Deploy KafkaGuard On-Prem in your own environment — air-gapped, no data leaves your network. Walk through installation, your first scan, and team onboarding step by step.

KafkaGuard Team·2026-04-10·7 min read

Your Kafka Clusters Deserve More Than a Spreadsheet

If you're running Kafka in production, you already know the drill: a compliance audit comes around, and someone spends a week pulling broker configs, cross-referencing ACLs, and building a spreadsheet that's outdated by the time it's reviewed.

KafkaGuard On-Prem replaces that entire workflow. It gives your team a self-hosted platform where every Kafka cluster gets scanned automatically, findings are tracked with remediation guidance, and compliance reports are one click away.

No data leaves your network. No SaaS dependency. No internet required.

What You Get

KafkaGuard On-Prem ships as a single bundle that runs entirely inside your infrastructure:

  • Web Dashboard — Multi-cluster view with compliance scores, findings, and remediation
  • REST API — Programmatic access for CI/CD integration
  • Scan Worker — Background processing with compliance scoring
  • 50+ Security Controls — Across three policy tiers (baseline, enterprise, finance-iso)
  • Team Management — Role-based access with audit logging
  • Offline Licensing — RSA-signed keys bound to your machine, no phone-home

Everything runs in Docker containers managed by Docker Compose. For production HTTPS/TLS, an optional docker-compose.nginx.yml add-on is included in the bundle.

Prerequisites

You'll need one Linux server (or macOS for evaluation) with:

  • Docker 24+ with the Compose plugin
  • 10 GB free disk space
  • Ports 3000 (dashboard), 3001 (API), 5432, 6379, 9002 available

That's it. No Kubernetes, no cloud account, no external database.

Step 1: Install (5 Minutes)

Download the on-prem bundle for your platform — it includes the CLI binary, Compose file, installer scripts, and policies:

# Linux x86_64
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/download/v2.3.0/kafkaguard-onprem-v2.3.0-Linux_x86_64.tar.gz
tar -xzf kafkaguard-onprem-v2.3.0-Linux_x86_64.tar.gz
cd kafkaguard-onprem-v2.3.0/

# macOS Apple Silicon
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/download/v2.3.0/kafkaguard-onprem-v2.3.0-Darwin_arm64.tar.gz
tar -xzf kafkaguard-onprem-v2.3.0-Darwin_arm64.tar.gz
cd kafkaguard-onprem-v2.3.0/

Check for port conflicts, then configure and start:

# Pre-flight check
./installer/check-ports.sh

# Configure passwords (do not use $ in passwords — Docker Compose expands them)
cp env.onprem.example .env.onprem
# Edit .env.onprem — set POSTGRES_PASSWORD, MINIO_SECRET_KEY

# Start all services
docker compose -f docker-compose.onprem.yml --env-file .env.onprem up -d
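
A pre-flight check for the .env.onprem file edited above, added here as an example and not part of the KafkaGuard bundle. The owner-only file-permission test and the 16-character minimum are assumptions of this example, and check_env_file and gen_password are hypothetical helper names.

```shell
# Added example: pre-flight lint for .env.onprem (not shipped in the KafkaGuard bundle).
REQUIRED_KEYS="POSTGRES_PASSWORD MINIO_SECRET_KEY"  # the two secrets the guide sets
MIN_LEN=16                                          # assumed minimum, adjust to your policy

# Returns 0 if the file is safe to hand to `docker compose --env-file`, 1 otherwise.
check_env_file() {
  local file="$1" key line value mode rc=0
  [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 1; }

  # The file holds secrets: the group/other permission bits (characters 5-10
  # of the ls mode string) should all be "-", which is what chmod 600 gives.
  mode=$(ls -ld -- "$file" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "FAIL: $file is accessible to group/other (chmod 600 it)" >&2
    rc=1
  fi

  for key in $REQUIRED_KEYS; do
    line=$(grep -E "^${key}=" "$file" | tail -n 1)   # last assignment wins
    value=${line#*=}
    if [ -z "$value" ]; then
      echo "FAIL: $key is unset or empty" >&2; rc=1
    elif [ "${#value}" -lt "$MIN_LEN" ]; then
      echo "FAIL: $key is shorter than $MIN_LEN characters" >&2; rc=1
    fi
    case "$value" in
      *'$'*) echo "FAIL: $key contains \$ (Docker Compose would expand it)" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Random alphanumeric password, so it can never contain $.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# Usage:
#   check_env_file .env.onprem && \
#     docker compose -f docker-compose.onprem.yml --env-file .env.onprem up -d
```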

When services are healthy, open http://your-server:3000 — KafkaGuard automatically redirects to the setup page on first run. Fill in your organisation name, admin email, and password, then click Create account. You are logged in immediately.

Step 2: Activate Your License (2 Minutes)

The Community tier is free and activates automatically — no key needed for a single cluster.

To upgrade, go to kafkaguard.com/pricing, start a free trial or purchase a plan, and receive a kg_... license key by email. Then navigate to Settings in the dashboard, paste the key into the Activate a license key field, and click Activate →. The tier updates instantly — no CLI, no restart, no SSH required.

Settings also shows your machine fingerprint (kgfp-...). If your license is fingerprint-bound, do not recreate the Docker containers; for Docker deployments, use an unbound license.

Licenses are validated entirely offline using RSA signature verification. KafkaGuard never contacts an external server.

Evaluating? Leave LICENSE_KEY= blank in .env.onprem — the Community tier (1 cluster, 55 controls, all report formats) is free forever.

Step 3: Run Your First Scan (2 Minutes)

The CLI binary is already in your on-prem bundle. Move it to your PATH:

sudo mv kafkaguard /usr/local/bin/
kafkaguard version
# KafkaGuard v2.3.0

Create an API key in the dashboard (API Keys > Create Key), then scan and upload in one command:

export KAFKAGUARD_API_KEY="kg_onprem_your_key_here"

kafkaguard scan \
  --bootstrap kafka1:9092,kafka2:9092,kafka3:9092 \
  --policy policies/enterprise-default.yaml \
  --upload https://your-kafkaguard-server

Within seconds, your cluster appears in the dashboard with a compliance score, findings broken down by severity, and actionable remediation for every issue found.

Step 4: Review Findings and Fix Issues (10 Minutes)

Open the cluster in the dashboard. You'll see:

Compliance Score — A single number (0-100) showing your cluster's security posture. This is the number your auditors will ask for.

Findings by Severity — Critical, High, Medium, and Low issues with clear descriptions. Click any finding to expand it and see step-by-step remediation:

KG-028: Auto-create topics disabled
Severity: Medium
Status: FAIL

Remediation:
Set auto.create.topics.enable=false in server.properties.
This prevents unauthorized topic creation which can lead to
data leakage and resource exhaustion.

Every finding includes the specific config change needed, why it matters, and which compliance framework it maps to.
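
To confirm the KG-028 fix on the broker host itself, the following added example (not KafkaGuard's own code) reads server.properties the way a Java properties file is interpreted: a commented-out line does not count, the last duplicate wins, and a missing key falls back to Kafka's default of true. The function names are hypothetical.

```shell
# Added example: offline check for finding KG-028 (not KafkaGuard code).

# Print the value of auto.create.topics.enable that the broker would load
# from the given server.properties file.
effective_auto_create() {
  awk '
    BEGIN { key = "auto.create.topics.enable"; val = "true" }  # absent key: Kafka default is true
    /^[ \t]*[#!]/ { next }                   # comment lines do not count
    {
      line = $0
      sub(/^[ \t]+/, "", line)               # leading whitespace is ignored
      if (index(line, key) == 1) {
        rest = substr(line, length(key) + 1)
        # The key must be followed by "=", ":", whitespace or end of line,
        # otherwise this is a different, longer key name.
        if (rest == "" || rest ~ /^[ \t=:]/) {
          sub(/^[ \t]*[=:]?[ \t]*/, "", rest)  # drop the separator
          sub(/[ \t\r]+$/, "", rest)           # drop trailing blanks and CR
          val = tolower(rest)                  # later duplicates override earlier ones
        }
      }
    }
    END { print val }
  ' "$1"
}

# Exit status 0 only when topic auto-creation is effectively disabled.
kg028_passes() {
  [ "$(effective_auto_create "$1")" = "false" ]
}

# Usage: kg028_passes /path/to/server.properties || echo "KG-028 still failing"
```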

Step 5: Onboard Your Team (5 Minutes)

Go to Users in the dashboard and invite your team:

Role       Can Do
Admin      Full access — manage users, API keys, clusters
Operator   Run scans, acknowledge/resolve findings
Read-only  View dashboards and reports

Every action is tracked in the audit log — who ran which scan, who acknowledged which finding, and when. This is the trail your compliance team needs.

Step 6: Integrate with CI/CD (5 Minutes)

Add KafkaGuard to your deployment pipeline so every release gets a security check:

# GitLab CI example
kafka-security-scan:
  stage: test
  script:
    - kafkaguard scan
        --bootstrap $KAFKA_BOOTSTRAP
        --policy policies/enterprise-default.yaml
        --upload $KAFKAGUARD_URL
        --format json --out scan-results/
  artifacts:
    paths:
      - scan-results/

# GitHub Actions example
- name: Kafka Security Scan
  run: |
    kafkaguard scan \
      --bootstrap ${{ secrets.KAFKA_BOOTSTRAP }} \
      --policy policies/enterprise-default.yaml \
      --upload ${{ secrets.KAFKAGUARD_URL }} \
      --format json --out scan-results/
  env:
    KAFKAGUARD_API_KEY: ${{ secrets.KAFKAGUARD_API_KEY }}

Failed scans return a non-zero exit code, so your pipeline blocks on security regressions automatically.

Choosing the Right Policy Tier

KafkaGuard ships with three policy tiers. Pick the one that matches your environment:

Policy              Controls  Best For
baseline-dev        21        Development, staging, testing
enterprise-default  45        Production workloads
finance-iso         55        Regulated industries (banking, healthcare, insurance)

You can also create custom policies with your own controls and severity mappings.

Air-Gapped Deployment

For environments with no internet access, download the pre-built air-gap bundle on a connected machine and transfer it:

# On a connected machine — download the air-gap bundle (~187 MB)
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/download/v2.3.0/kafkaguard-airgap-v2.3.0.tar.gz

# Transfer to air-gapped server (USB, SCP, etc.), then:
tar -xzf kafkaguard-airgap-v2.3.0.tar.gz
cd kafkaguard-airgap-v2.3.0/
./airgap-upgrade.sh 2.3.0

The air-gap bundle contains all 3 Docker images pre-loaded via docker save, the Linux CLI binary, and the Compose file. No external downloads required during installation.

Backup, Restore, and Upgrades

KafkaGuard includes built-in operations tooling:

# Backup everything (database + scan files + config)
./installer/backup.sh ./backups

# Restore from a backup
./installer/restore.sh ./backups/kafkaguard-backup-20260410-120000

# Upgrade to a new version (backs up first, then pulls new images)
./installer/upgrade.sh 2.4.0

The upgrade script creates a pre-upgrade backup, pulls the new Docker images, restarts services, and runs a health check — all in one command.

What Makes This Different

No SaaS lock-in. Your data stays on your servers. Period. There's no telemetry, no usage tracking, no external API calls.

No Kubernetes required. Docker Compose on a single server handles clusters scanning thousands of topics. Scale up when you need to, not before.

No manual audit spreadsheets. One scan replaces days of manual configuration review. The reports are generated instantly in JSON, CSV, or HTML.

No compliance scrambles. Run scans continuously in CI/CD. When the auditor asks for evidence, export the report. When they ask who reviewed it, show the audit log.

Pricing

Plan        Clusters     Price
Community   1            Free forever
Starter     Per cluster  $99/cluster/month
Team        Up to 10     Contact sales
Enterprise  Unlimited    Custom

All paid plans include compliance framework mapping (PCI-DSS, SOC 2, ISO 27001), priority support, and unlimited users.

The CLI is free — scan any cluster, generate any report format, no account needed.

Get Started

Ready to try it? Three ways to get started:

  1. Download the CLI (free, no sign-up): kafkaguard.com/download
  2. Start a 14-day free trial: kafkaguard.com/pricing — self-serve, no sales call needed
  3. Read the full setup guide: On-Prem Setup Documentation

Questions? Reach out at sales@kafkaguard.com — we typically respond within one business day.
