Shield · Install

Get Shield running in a few minutes.

Shield self-hosts via Docker. One command stands up the backend; the Shield Chrome extension reports to it. Here is the whole thing, start to finish — including Docker setup per OS, automatic HTTPS, and troubleshooting.

Step 1 · Stand up the backend

The whole install is one command.

Run this on your server (a Linux box, a Mac, or Windows via WSL — see Docker setup below). Use the license key from your trial page in place of the placeholder.

curl -fsSL https://install.cinderlabs.ai/shield/install.sh | bash -s -- SHIELD-YOUR-LICENSE-KEY-HERE

That pulls the installer, fetches your image-registry credentials from the license server using your key, writes the Docker Compose stack, and brings it up. In ~2 minutes Shield is reachable at http://<your-server-ip>/.

Want HTTPS? Add a domain that already points at the box as a second argument and TLS is automatic (see HTTPS):

bash install-shield.sh SHIELD-YOUR-LICENSE-KEY-HERE shield.yourcompany.com

Shield's Visibility (log-only) vs Defend (visibility + blocking) tier is set by your license — same install either way; the backend self-configures. Free trials run Defend with blocking on.

Prerequisites

What you need.

  • A host with Docker + the docker compose plugin. Minimum 2 vCPU, 4 GB RAM, 20 GB disk. Linux, Mac (Docker Desktop), or Windows (Docker Desktop + WSL2).
  • Outbound HTTPS to ghcr.io (image pulls) and license.cinderlabs.ai (license validation, every few hours).
  • Your Shield license key — from your free-trial page or your rep.
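A preflight for the prerequisites above, as an added example that is not part of the Shield installer or Cinder Labs' code. The 3500 MB memory floor, the use of docker info for CPU, RAM and the data directory, and the function names are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the Shield installer: preflight for the
# prerequisites listed above. Run as: bash preflight.sh run

MIN_CPU=2
MIN_MEM_MB=3500   # assumption: a nominal 4 GB host reports a little under 4096 MB
MIN_DISK_GB=20
EGRESS_HOSTS="ghcr.io license.cinderlabs.ai"

# Echo the argument if it is a plain non-negative integer, else 0.
num_or_zero() {
  case "$1" in ''|*[!0-9]*) echo 0 ;; *) echo "$1" ;; esac
}

# Print one line per unmet minimum; return non-zero if any is unmet.
resource_gaps() {  # usage: resource_gaps <cpus> <mem_mb> <free_disk_gb>
  local rc=0
  [ "$1" -ge "$MIN_CPU" ]     || { echo "cpu: $1 vCPU, need $MIN_CPU"; rc=1; }
  [ "$2" -ge "$MIN_MEM_MB" ]  || { echo "ram: $2 MB, need 4 GB"; rc=1; }
  [ "$3" -ge "$MIN_DISK_GB" ] || { echo "disk: $3 GB free, need $MIN_DISK_GB GB"; rc=1; }
  return "$rc"
}

preflight() {
  local fail=0 cpus mem_bytes root disk_gb host
  command -v docker >/dev/null 2>&1 || { echo "docker: not on PATH"; return 1; }
  docker compose version >/dev/null 2>&1 || { echo "compose: plugin missing"; fail=1; }
  # Ask the daemon, so Docker Desktop reports its VM rather than the host.
  cpus=$(num_or_zero "$(docker info --format '{{.NCPU}}' 2>/dev/null)")
  mem_bytes=$(num_or_zero "$(docker info --format '{{.MemTotal}}' 2>/dev/null)")
  # Images and volumes live under Docker's data root; fall back to the
  # current directory when that path is not visible (Docker Desktop).
  root=$(docker info --format '{{.DockerRootDir}}' 2>/dev/null) || root=.
  [ -d "$root" ] || root=.
  disk_gb=$(df -Pk "$root" | awk 'NR==2 { print int($4 / 1048576) }')
  resource_gaps "$cpus" "$((mem_bytes / 1048576))" "$(num_or_zero "$disk_gb")" || fail=1
  for host in $EGRESS_HOSTS; do
    # Any HTTP status counts: this proves DNS, TCP 443 and TLS, not the license.
    curl -sS -o /dev/null --max-time 10 "https://$host/" 2>/dev/null \
      || { echo "egress: no HTTPS path to $host"; fail=1; }
  done
  return "$fail"
}

case "${1:-}" in
  run) preflight && echo "preflight: OK" ;;
esac
```
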

Step 0 · If you don't have Docker yet

Install Docker.

Ubuntu 22+ / Debian 12+

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
# Log out and back in so the docker group takes effect

Amazon Linux 2023 / RHEL / Rocky / AlmaLinux

sudo dnf install -y docker
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
# compose plugin isn't bundled with the dnf package:
sudo mkdir -p /usr/libexec/docker/cli-plugins
sudo curl -SL https://github.com/docker/compose/releases/download/v2.29.7/docker-compose-linux-x86_64 \
  -o /usr/libexec/docker/cli-plugins/docker-compose
sudo chmod +x /usr/libexec/docker/cli-plugins/docker-compose
# Log out and back in

Mac

Install Docker Desktop, then run the install command in Terminal. The compose plugin ships with Docker Desktop.

Windows

The installer is a bash script — it does not run in PowerShell or CMD. You need WSL2 + Ubuntu + Docker Desktop:

  1. In PowerShell as Administrator: wsl --install -d Ubuntu, then reboot and set a Linux username/password.
  2. Install Docker Desktop with the default WSL2 backend.
  3. Docker Desktop → Settings → Resources → WSL integration → enable your Ubuntu distro → Apply & restart.
  4. Open the Ubuntu app and run the install command there. Verify with docker version first.

Step 2 · Deploy the extension

Install the Shield browser extension.

Shield captures activity through the Shield by Cinder Labs Chrome extension on each user's browser, reporting to the backend you just stood up. It auto-updates from the Web Store.

  • Single user / pilot: add it from the Chrome Web Store, then open it and point it at your server URL.
  • Org-wide (recommended): force-install via Chrome enterprise policy (GPO, Intune, Jamf, Workspace ONE). Add extension ID bcflmbmmfjddkkepanocompdapokcgdl to ExtensionInstallForcelist, and push the server URL + API key through managed storage so users can't disconnect it.
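The org-wide option above, shown for Linux-managed Chrome as an added example (not Cinder Labs' code). The Web Store update URL is Chrome's standard one; the two managed-storage key names are placeholders because this page does not list them, and the function names and the shield.json file name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not vendor code: managed Chrome policy that force-installs
# the Shield extension. Linux Chrome reads JSON files from
# /etc/opt/chrome/policies/managed/.

SHIELD_EXT_ID="bcflmbmmfjddkkepanocompdapokcgdl"   # from this page
WEBSTORE_UPDATE_URL="https://clients2.google.com/service/update2/crx"
# PLACEHOLDERS: this page does not give the extension's managed-storage key
# names; replace both with the names from the vendor's policy schema.
KEY_SERVER_URL="SERVER_URL_KEY_PLACEHOLDER"
KEY_API_KEY="API_KEY_KEY_PLACEHOLDER"

# Allowlist instead of escaping: refuse anything that could break a JSON string.
json_safe() {
  case "$1" in ''|*[!A-Za-z0-9._:/-]*) return 1 ;; esac
}

render_shield_policy() {  # usage: render_shield_policy <server-url> <api-key>
  json_safe "$1" && json_safe "$2" || { echo "empty or unsafe value" >&2; return 1; }
  cat <<EOF
{
  "ExtensionInstallForcelist": ["${SHIELD_EXT_ID};${WEBSTORE_UPDATE_URL}"],
  "3rdparty": {
    "extensions": {
      "${SHIELD_EXT_ID}": {
        "${KEY_SERVER_URL}": "$1",
        "${KEY_API_KEY}": "$2"
      }
    }
  }
}
EOF
}

install_shield_policy() {  # usage: install_shield_policy <url> <key> [dir]; needs root
  local dir="${3:-/etc/opt/chrome/policies/managed}" tmp rc=1
  tmp=$(mktemp) || return 1
  # Render first so a rejected value never leaves a half-written policy file.
  # Mode 644: Chrome reads policy as the logged-in user, so local users can
  # read the API key too.
  if render_shield_policy "$1" "$2" > "$tmp" \
     && install -d -m 755 "$dir" && install -m 644 "$tmp" "$dir/shield.json"; then
    rc=0
  fi
  rm -f "$tmp"
  return "$rc"
}
```

After installing the file, chrome://policy on a managed browser shows whether ExtensionInstallForcelist and the extension's managed values were picked up.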

Optional: the shield-id-helper companion lets SOC analysts attribute events to a specific machine name / LAN IP / OS user. Install it only if you need that level of attribution.

Step 3 · First login

Create your admin account.

Open Shield in your browser (http://<your-server-ip>/ or your HTTPS domain) and Register the first user — that account becomes the org owner. Blocking is on from first boot on Defend.

HTTPS

Add a domain for automatic TLS.

The stack ships a built-in Caddy reverse proxy. Pass a domain as the second argument and Caddy fetches and auto-renews a free Let's Encrypt certificate — no cert files, no renewal cron.

bash install-shield.sh SHIELD-YOUR-LICENSE-KEY-HERE shield.yourcompany.com

Two prerequisites for the cert to issue:

  • The domain's DNS A record already points at this server.
  • Inbound ports 80 and 443 are open (Let's Encrypt validates over port 80).

Behind Cloudflare? Set that DNS record to DNS-only (grey cloud) so Let's Encrypt can validate the origin. Already on HTTP and want HTTPS later? Re-run the installer with the domain argument — it flips to HTTPS without touching your data.

Day-2 operations

Run, update, and back out.

docker compose ps              # stack status
docker compose logs -f api     # tail API logs
docker compose down            # stop (data persists)
bash update-shield.sh          # update to the latest version
docker compose down -v         # stop + WIPE all data (destructive)

Email (recommended): password resets and invites need SMTP. Add these to .env, then run docker compose up -d:

SMTP_HOST=smtp.yourprovider.com
SMTP_PORT=587
SMTP_USER=your-smtp-user
SMTP_PASS=your-smtp-password
SMTP_FROM=noreply@yourcompany.com

Without SMTP, a forgotten admin password can't be self-recovered — keep it safe.

Troubleshooting

Common snags.

  • docker: command not found — Docker isn't installed or isn't on PATH. On Windows, use a WSL terminal, not PowerShell.
  • permission denied on docker — run sudo usermod -aG docker $USER, then log out and back in.
  • 'compose' is not a docker command — the compose plugin isn't installed (see the AL2023 steps above).
  • Pull fails with 401/403 — the registry token expired; email your rep for a refreshed install script.
  • API never healthy — license rejected; run docker compose logs api and check the key isn't expired/revoked.
  • License server unreachable — allowlist license.cinderlabs.ai on egress.
  • Port 80/443 in use — set HTTP_PORT=8080 (and HTTPS_PORT=8443) in .env, then docker compose up -d.

Each install runs entirely on your infrastructure — Cinder Labs has no remote access. Stuck? Email support@cinderlabs.ai with your docker compose logs api output.