Air-Gapped Operations
Install and operate ABS Core on servers with no internet access -- banks, defense, and classified environments.
Air-Gapped Operations
ABS Core is designed to operate at full capacity on servers with no internet connectivity. This guide covers installation, key management, and ongoing operations in air-gapped environments.
What Works Without Internet
| Capability | Air-Gapped | Notes |
|---|---|---|
| Governance engine | Yes | All policy evaluation is local |
| Ed25519 signing | Yes | Keys are generated and stored locally |
| Hash chain ledger | Yes | SQLite on local filesystem |
| Policy enforcement | Yes | ALLOW / DENY / ESCALATE |
| Compliance reports | Yes | Generated on-device |
| SAR Verifier | Yes | Standalone HTML, no external dependencies |
| RFC 3161 timestamp | No | Requires TSA network access |
| License heartbeat | No | 30-day grace period applies |
| Update channel | No | Manual update via secure physical media |
| Threat intelligence | No | Manual policy updates |
Fail-Closed Validation (Defense Standard)
For approval by national security committees or banking cores, the Air-Gapped premise requires validation of the Fail-Closed principle.
If the ABS Core infrastructure loses access to the time source (NTP) or detects corruption in the local storage media, the system will immediately cut off Agent communication with the execution bus, aborting any ongoing intent.
Validation Test Procedure (Chaos Engineering):
- Instantiate OConnector via Docker in a VLAN with no external route.
- Start synthetic traffic generation (
make benchmark-vrf). - Interrupt the local clock service or manipulate bit corruption in the SQLite ledger (
~/.abs/ledger.db). - Expected Behavior: The node must switch to
EMERGENCY_HALTstatus in less than 5ms. No downstream transactions can be dispatched.
Installation
Step 1: Prepare the Package
On an internet-connected machine:
# Download the ABS Core package and all dependencies
npm pack @oconnector/mcp-gateway
# This produces: abscore-mcp-gateway-4.3.1.tgzTransfer the .tgz file to the air-gapped server via approved media (USB, optical disc, or secure file transfer).
Step 2: Install on the Air-Gapped Server
# Install from the local package
npm install ./abscore-mcp-gateway-4.3.1.tgz
# Initialize the governance configuration
npx @oconnector/mcp-gateway initStep 3: Generate Keys Locally
# Keys are generated on-device, no network needed
npx @oconnector/mcp-gateway keys generate
# Output:
# [KeyProvider:FS] Keys stored at ~/.abs/keys/ (fingerprint: a3b4c5...)License Activation
Online activation (before air-gap)
If the server will have temporary internet access during setup:
npx @oconnector/mcp-gateway activate LICENSE-KEY-XXXXOffline activation
For servers that never connect to the internet:
-
Generate a machine fingerprint on the air-gapped server:
npx @oconnector/mcp-gateway fingerprint # Output: MACHINE-FP-a3b4c5d6e7f8 -
On an internet-connected machine, visit
abscore.app/activateand submit the license key + machine fingerprint. -
Receive an activation token. Transfer it to the air-gapped server.
-
Apply the token:
npx @oconnector/mcp-gateway activate --offline-token TOKEN-XXXX
The offline license is valid for 365 days without any heartbeat.
RFC 3161 Without Internet
In air-gapped mode, RFC 3161 timestamps are unavailable. Each SAR will contain:
{
"rfc3161_token": "",
"rfc3161_authority": "",
"temporal_drift_ms": 0
}Mitigation: Use the server's NTP-synchronized hardware clock as the timestamp source. For legal admissibility, document the NTP configuration and clock calibration procedure.
For classified environments, consider a local TSA appliance (e.g., Guardtime, Ascertia) connected to the isolated network.
Updates & Patching (Offline)
Updates in Air-Gapped environments follow a rigorous manual transfer process in clean-rooms:
- Download the update package (
.tgz) on an internet-connected machine (Bastion Host). - Mandatory validation of the dual cryptographic signature (Development Key + Production Key) using the OConnector public key.
- Physical transfer via sanitized media to the classified environment.
- Application on the Air-Gapped server:
npx @oconnector/mcp-gateway update --from-file abs-core-4.3.1-verified.tgz
The engine_fingerprint in subsequent SAR reports will be automatically updated, ensuring security patch traceability.
Backup and Recovery
Local Backup
# Export ledger to JSONL with integrity verification
npx @oconnector/mcp-gateway backup --output /secure/backup/ledger-2026-04-11.jsonl
# Verify backup integrity
npx @oconnector/mcp-gateway verify --file /secure/backup/ledger-2026-04-11.jsonlDisaster Recovery
- Install ABS Core on the replacement server (from local package)
- Copy the key files from backup:
~/.abs/keys/ - Import the ledger backup:
npx @oconnector/mcp-gateway restore --from /secure/backup/ledger-2026-04-11.jsonl - Verify chain integrity:
npx @oconnector/mcp-gateway verify # Chain integrity: VALID (4,231 blocks verified)
Compliance Verification
The standalone SAR Verifier (tools/sar-verifier.html) runs entirely in the browser with no external dependencies:
- Open
sar-verifier.htmlin any browser on the air-gapped network - Paste a SovereignAuditRecord JSON
- The verifier checks:
- Hash chain integrity
- Ed25519 signature presence
- RFC 3161 token presence (flagged if missing)
- All required fields present
No data leaves the browser. No network requests are made.
Related
- KeyProvider API -- Key management options
- MCP Security Gateway -- Gateway configuration
- Sovereign Checklist -- Installation verification
KeyProvider API
How to configure Ed25519 key management for ABS Core -- filesystem, environment variables, AWS KMS, HashiCorp Vault, and hardware security modules.
Enterprise Deployment (IaC)
Official architecture blueprints for deploying ABS Core via Terraform and Kubernetes (Helm) in highly regulated environments.