Deployment Guide
This guide covers deploying Enprivacy 3.0 into your own environment, including container configuration, recommended encryption settings, and signature verification.
Prerequisites
Section titled “Prerequisites”Enprivacy 3.0 is distributed as Open Container Initiative (OCI) / Docker container images and is designed to run on most cloud and on-premises environments. Before deploying, ensure you have:
- Container runtime — Docker Engine 24+ with Compose v2, or a Kubernetes cluster / cloud ‘container application’ service (e.g. AWS ECS, Azure Container Apps, Google Cloud Run).
- Operating system (for self-managed hosts) — a 64-bit Linux distribution such as Ubuntu 22.04+ or Debian 12.
- PostgreSQL 16+ (18+ recommended) with the
hstore,PostGIS, andpgvectorextensions (optionallypgRouting). This may be a managed service or a self-hosted container — see Database Setup below. - Blob / object storage — an S3-compatible service (managed, or self-hosted such as MinIO or Garage) for document uploads and redacted output.
- GPU (LLM service only) — a T4-equivalent or better GPU, unless you use an external/hosted LLM provider (e.g. AWS Bedrock, Azure OpenAI, Google Vertex).
For full per-service resource requirements and sizing, see the Quick Start Guide.
Container Image
Section titled “Container Image”All Enprivacy 3.0 release images are published to the GitHub Container Registry:
ghcr.io/enprivacyhq/invisiq2:<version>Verifying Image Signatures
Section titled “Verifying Image Signatures”All artefacts are signed with Cosign. Before deploying, verify the signature:
# TODO: Insert cosign verify command and public key once availablecosign verify \ --key <public-key> \ ghcr.io/enprivacyhq/invisiq2:<version>The Cosign public key is published on the Supply Chain Security page.
Container UID
Section titled “Container UID”The container runs as a non-root user. The UID is: TODO
Services and Resource Requirements
Section titled “Services and Resource Requirements”A standard deployment comprises four services, a PostgreSQL database, and blob storage:
| Service | Purpose | GPU |
|---|---|---|
| Web | End-user and administrative interfaces; public Job interfaces | No |
| Job | Background job and task processing | No |
| LLM | Inference (detection and classification) via vLLM | Yes (T4-equivalent) |
| OCR | Text extraction via Docling | No |
The Web and Job services support horizontal scaling and are stateless — all state is held in the database or blob storage. See the Quick Start Guide for minimum and recommended CPU/RAM/disk per service.
Durable Storage for Model Cache
Section titled “Durable Storage for Model Cache”By default, the Web, Job, and LLM services download models to ~/.cache. Mount this path to durable storage so models persist across restarts and accelerate start-up. Models can alternatively be pre-loaded into durable storage as a one-off action to support network-restricted or air-gapped environments — see the Network Security Guide.
Database Setup
Section titled “Database Setup”Enprivacy 3.0 requires an always-on PostgreSQL database (16+, 18+ recommended) that holds state for the Web and Job services.
- Create a database schema.
- Create a database user with a password and all privileges over that schema. The service uses this user to prepare the schema on first run, to apply schema updates during upgrades, and for day-to-day operations.
- Enable the required extensions:
hstore,PostGIS, andpgvector. Optionally enablepgRouting(without it, the platform falls back to less-optimised recursive queries).
For improved security, rotate the database password using either a single-user or dual-user configuration — see the Operations Guide.
Deployment Models
Section titled “Deployment Models”Enprivacy 3.0 supports several deployment models; see the Quick Start Guide for full detail.
- Cloud managed services (recommended) — deploy each service via the cloud provider’s container application service or Kubernetes, using managed PostgreSQL and managed object storage.
- Self-hosted containers — run the database (with the required extensions) and an S3-compatible store (e.g. MinIO or Garage) as containers.
- All-In-One (demonstration only) — run the Web, Job, OCR, and Database services in a single environment with local-disk durable storage and an external LLM service. Not recommended for production.