Installation

One binary per server. Sixty seconds from download to first snapshot.

Before you install

1. Create your account at kefal.dev/app — 10 seconds, no credit card, 7-day free trial.
2. In the dashboard, open Settings → API Keys → Generate and copy the kfl_… key. The agent prompts for it on first run.

Linux (amd64 — Intel/AMD 64-bit)

The most common target: Ubuntu, Debian, RHEL, Rocky, AlmaLinux, Amazon Linux 2023. Works on any x86_64 distribution with glibc.

curl -L -o kefal-agent https://kefal.dev/download/kefal-agent-linux-amd64
chmod +x kefal-agent
sudo ./kefal-agent

The agent prompts for an API key (kfl_…, generated from your dashboard at kefal.dev/app → Settings → API Keys). On successful enrollment it writes its config to /etc/kefal/agent.conf with mode 0600 and begins sending snapshots every 60 seconds.

Run as a service (recommended)

By default the agent runs in the foreground. For production, wrap it in a systemd unit so it auto-starts at boot:

sudo tee /etc/systemd/system/kefal-agent.service >/dev/null <<'EOF'
[Unit]
Description=Kefal defense agent
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/kefal-agent
Restart=on-failure
RestartSec=10s
User=root

[Install]
WantedBy=multi-user.target
EOF

sudo mv kefal-agent /usr/local/bin/
sudo systemctl daemon-reload
sudo systemctl enable --now kefal-agent
sudo systemctl status kefal-agent
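
A permission audit for the files these steps leave on disk, as an added example that is not part of Kefal's own tooling. It assumes GNU `stat` (Linux); the function names `check_perms` and `audit_kefal` are hypothetical, and the default paths are the ones used above.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes GNU coreutils `stat` (Linux).

# check_perms PATH FORBIDDEN_BITS [UID]
# Succeeds only if PATH is a real file (not a symlink), is owned by UID
# (default 0, root) and has none of the octal FORBIDDEN_BITS set.
check_perms() {
    target=$1 mask=$2 uid=${3:-0}
    if [ -L "$target" ]; then
        echo "SYMLINK $target (not followed)"; return 1
    fi
    if [ ! -e "$target" ]; then
        echo "MISSING $target"; return 1
    fi
    mode=$(stat -c '%a' "$target") || return 1
    file_uid=$(stat -c '%u' "$target") || return 1
    if [ "$file_uid" != "$uid" ]; then
        echo "OWNER   $target is owned by uid $file_uid, expected $uid"; return 1
    fi
    # A leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "MODE    $target is $mode; bits $mask must be clear"; return 1
    fi
    echo "OK      $target (mode $mode, uid $file_uid)"
}

# audit_kefal [UID] [CONF] [BIN] [UNIT]
# Defaults are the paths used in the install steps above.
audit_kefal() {
    want=${1:-0}
    conf=${2:-/etc/kefal/agent.conf}
    bin=${3:-/usr/local/bin/kefal-agent}
    unit=${4:-/etc/systemd/system/kefal-agent.service}
    rc=0
    # Config holds the API key: no group/other access (0600 or tighter).
    check_perms "$conf" 077 "$want" || rc=1
    # Binary runs as root: must not be group- or world-writable.
    check_perms "$bin" 022 "$want" || rc=1
    # Unit file decides what root executes at boot.
    check_perms "$unit" 022 "$want" || rc=1
    return $rc
}
```

Source the file in a root shell and call `audit_kefal`; a non-zero exit status means at least one of the three files failed its check.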

Linux (ARM64 — Raspberry Pi 4/5, AWS Graviton, Ampere, Apple Silicon Docker)

curl -L -o kefal-agent https://kefal.dev/download/kefal-agent-linux-arm64
chmod +x kefal-agent
sudo ./kefal-agent

Same interactive enrollment as above. The ARM64 binary is statically linked and runs on any aarch64 Linux system.

macOS (Apple Silicon — M1/M2/M3/M4)

curl -L -o kefal-agent https://kefal.dev/download/kefal-agent-darwin-arm64
chmod +x kefal-agent
xattr -d com.apple.quarantine kefal-agent  # bypass Gatekeeper for unsigned binary
sudo ./kefal-agent

The agent stores its config at /etc/kefal/agent.conf. The xattr step is required because the binary is not yet notarized — we plan to ship a signed/notarized build in a future release.

macOS (Intel — pre-2020 Macs)

curl -L -o kefal-agent https://kefal.dev/download/kefal-agent-darwin-amd64
chmod +x kefal-agent
xattr -d com.apple.quarantine kefal-agent
sudo ./kefal-agent

Windows (x64)

Open PowerShell as Administrator and run:

Invoke-WebRequest -Uri "https://kefal.dev/download/kefal-agent-windows-amd64.exe" `
                  -OutFile "kefal-agent.exe"
.\kefal-agent.exe

You'll be prompted for your Kefal API key. The agent stores its config under %ProgramData%\Kefal\agent.conf.

Run as a Windows service

Use Task Scheduler to run the agent at boot:

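# The task runs the binary from C:\Program Files\Kefal, so place it there first
New-Item -ItemType Directory -Force "C:\Program Files\Kefal" | Out-Null
Move-Item .\kefal-agent.exe "C:\Program Files\Kefal\kefal-agent.exe"
schtasks /create /tn "Kefal Agent" `
         /tr "C:\Program Files\Kefal\kefal-agent.exe" `
         /sc onstart /ru SYSTEM /rl HIGHEST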

Verify the agent is reporting

Within 90 seconds of the first run, your host should appear in the dashboard. To verify from the server itself:

# Check the agent process is alive
pgrep -l kefal-agent         # Linux (unlike ps | grep, does not match its own process)
Get-Process kefal-agent      # Windows PowerShell

# Check snapshots are being sent (look for "ingest ok" lines every ~60s)
journalctl -u kefal-agent -f                      # systemd
Get-EventLog -LogName Application -Source Kefal   # Windows

Then open the dashboard at kefal.dev/app/. Within a minute or two you should see the host as a node in the Graph view.

Troubleshooting

Enrollment fails with "API key was rejected"

Agent runs but nothing shows up in the dashboard

"Permission denied" when the agent reads process info

Uninstall

# Linux
sudo systemctl stop kefal-agent
sudo systemctl disable kefal-agent
sudo rm -f /etc/systemd/system/kefal-agent.service /usr/local/bin/kefal-agent
sudo rm -rf /etc/kefal/

# Windows
schtasks /delete /tn "Kefal Agent" /f
Remove-Item -Recurse -Force "C:\Program Files\Kefal"
Remove-Item -Recurse -Force "C:\ProgramData\Kefal"

Also remove the agent from your account at kefal.dev/app/ under Settings → Agents.