Binary Installation

Cerbos provides pre-compiled binaries and native packages for multiple operating systems and architectures. All releases are available on the GitHub releases page.

Supported Platforms

Cerbos binaries are available for:

OS	Architecture	Bundle Format
Linux	x86-64	`cerbos_VERSION_Linux_x86_64.tar.gz`
Linux	arm64	`cerbos_VERSION_Linux_arm64.tar.gz`
macOS	Universal	`cerbos_VERSION_Darwin_all.tar.gz`
macOS	x86-64	`cerbos_VERSION_Darwin_x86_64.tar.gz`
macOS	arm64	`cerbos_VERSION_Darwin_arm64.tar.gz`

Download and Install Binary

Download the binary

Download the appropriate bundle for your platform:

curl -L -o cerbos.tar.gz "https://github.com/cerbos/cerbos/releases/download/v0.52.0/cerbos_0.52.0_Linux_x86_64.tar.gz"

Extract the archive

Extract and make the binary executable:

tar xvf cerbos.tar.gz
chmod +x cerbos

Move to PATH (optional)

Move the binary to a directory in your PATH:

sudo mv cerbos /usr/local/bin/

Verify installation

Check the installed version:

cerbos version

Binary Verification

All Cerbos binaries are signed using Sigstore during the automated build process. Each release includes a .sigstore.json verification bundle.

Download binary and verification bundle

# Download the binary archive
curl -L -o cerbos_0.52.0_Linux_x86_64.tar.gz \
  "https://github.com/cerbos/cerbos/releases/download/v0.52.0/cerbos_0.52.0_Linux_x86_64.tar.gz"

# Download the verification bundle
curl -L -o cerbos_0.52.0_Linux_x86_64.tar.gz.sigstore.json \
  "https://github.com/cerbos/cerbos/releases/download/v0.52.0/cerbos_0.52.0_Linux_x86_64.tar.gz.sigstore.json"

Verify the signature

cosign verify-blob \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity="https://github.com/cerbos/cerbos/.github/workflows/release.yaml@refs/tags/v0.52.0" \
  --bundle="cerbos_0.52.0_Linux_x86_64.tar.gz.sigstore.json" \
  "cerbos_0.52.0_Linux_x86_64.tar.gz"

Linux Packages

Cerbos provides native DEB and RPM packages for Linux distributions.

Packages require systemd as the init system. For other init systems, install from the tarball instead.

Package Installation

# Download the package
curl -L -O "https://github.com/cerbos/cerbos/releases/download/v0.52.0/cerbos_0.52.0_Linux_x86_64.deb"

# Install
sudo dpkg -i cerbos_0.52.0_Linux_x86_64.deb

What Gets Installed

The packages install:

Binaries: cerbos and cerbosctl in /usr/local/bin
Configuration: Default config at /etc/cerbos.yaml
Policy Directory: /var/cerbos/policies
Systemd Service: cerbos.service with automatic startup

Default Configuration

The default configuration (/etc/cerbos.yaml):

server:
  httpListenAddr: ":3592"
  grpcListenAddr: ":3593"

engine:
  defaultPolicyVersion: "default"

storage:
  driver: "disk"
  disk:
    directory: /var/cerbos/policies
    watchForChanges: true

Managing the Service

sudo systemctl status cerbos

Systemd Service Details

The service file (/etc/systemd/system/cerbos.service):

[Unit]
Description=Cerbos Policy Decision Point

[Service]
ExecStart=/usr/local/bin/cerbos server --config=/etc/cerbos.yaml
ProtectSystem=full
ProtectHome=true
PrivateUsers=true
PrivateTmp=true
DynamicUser=yes

[Install]
WantedBy=multi-user.target

Homebrew (macOS)

Install Cerbos using Homebrew:

Add the Cerbos tap

brew tap cerbos/tap

Install Cerbos

brew install cerbos

Verify installation

cerbos version

Update via Homebrew

brew upgrade cerbos

npm Package

Install Cerbos binaries via npm for JavaScript/TypeScript projects. This allows version locking and eliminates separate setup steps.

npm install --save-dev cerbos cerbosctl

Do not use the --no-optional flag with npm, as the packages rely on platform-specific optional dependencies.

Using npm Packages

Packages are available separately:

cerbos - Cerbos PDP server
cerbosctl - Cerbos CLI tool

Run the binaries via npx:

npx cerbos server --config=.cerbos.yaml
npx cerbosctl version

Nix Flake

A Nix flake is available at github:cerbos/cerbos-flake.

nix run github:cerbos/cerbos-flake#cerbos -- server --set=storage.disk.directory=/path/to/policies

Running Cerbos

After installation, start the Cerbos server:

cerbos server --config=/path/to/config.yaml

For quick testing with default settings:

cerbos server --set=storage.disk.directory=/path/to/policies

Next Steps

Create your first policy
Configure storage backends
Set up TLS encryption
Explore deployment options

Get Started

Installation

Deployment

Policies

Configuration

Operations

Integration

Binary Installation

Supported Platforms

Download and Install Binary

Binary Verification

Linux Packages

Package Installation

What Gets Installed

Default Configuration

Managing the Service

Systemd Service Details

Homebrew (macOS)

Update via Homebrew

npm Package

Using npm Packages

Nix Flake

Running Cerbos

Next Steps

Get Started

Installation

Deployment

Policies

Configuration

Operations

Integration

​Supported Platforms

​Download and Install Binary

​Binary Verification

​Linux Packages

​Package Installation

​What Gets Installed

​Default Configuration

​Managing the Service

​Systemd Service Details

​Homebrew (macOS)

​Update via Homebrew

​npm Package

​Using npm Packages

​Nix Flake

​Running Cerbos

​Next Steps

Supported Platforms

Download and Install Binary

Binary Verification

Linux Packages

Package Installation

What Gets Installed

Default Configuration

Managing the Service

Systemd Service Details

Homebrew (macOS)

Update via Homebrew

npm Package

Using npm Packages

Nix Flake

Running Cerbos

Next Steps