Air-Gapped Operations
Install and operate ABS Core on servers with no internet access -- banks, defense, and classified environments.
Air-Gapped Operations
ABS Core is designed to operate at full capacity on servers with no internet connectivity. This guide covers installation, key management, and ongoing operations in air-gapped environments.
What Works Without Internet
| Capability | Air-Gapped | Notes |
|---|---|---|
| Governance engine | Yes | All policy evaluation is local |
| Ed25519 signing | Yes | Keys are generated and stored locally |
| Hash chain ledger | Yes | SQLite on local filesystem |
| Policy enforcement | Yes | ALLOW / DENY / ESCALATE |
| Compliance reports | Yes | Generated on-device |
| SAR Verifier | Yes | Standalone HTML, no external dependencies |
| RFC 3161 timestamp | No | Requires TSA network access |
| License heartbeat | No | 30-day grace period applies |
| Update channel | No | Manual update via mídia física segura |
| Threat intelligence | No | Manual policy updates |
🛑 Fail-Closed Validation (Defense Standard)
Para aprovação em comitês de segurança nacional ou core bancário, a premissa de Air-Gapped exige a validação do princípio de Fail-Closed.
Se a infraestrutura do ABS Core perder o acesso à fonte de tempo (NTP) ou detectar corrupção na mídia de armazenamento local, o sistema cortará imediatamente a comunicação do Agente com o barramento de execução, abortando qualquer intenção em andamento.
Procedimento de Teste de Validação (Chaos Engineering):
- Instancie o OConnector via Docker em uma VLAN sem rota externa.
- Inicie a geração de tráfego sintético (
make benchmark-vrf). - Interrompa o serviço de relógio local ou manipule corrupção de bit no SQLite ledger (
~/.abs/ledger.db). - Comportamento Esperado: O node deve alternar para o status
EMERGENCY_HALTem menos de 5ms. Nenhuma transação downstream pode ser despachada.
Installation
Step 1: Prepare the Package
On an internet-connected machine:
# Download the ABS Core package and all dependencies
npm pack @abscore/mcp-gateway
# This produces: abscore-mcp-gateway-4.3.1.tgzTransfer the .tgz file to the air-gapped server via approved media (USB, optical disc, or secure file transfer).
Step 2: Install on the Air-Gapped Server
# Install from the local package
npm install ./abscore-mcp-gateway-4.3.1.tgz
# Initialize the governance configuration
npx @abscore/mcp-gateway initStep 3: Generate Keys Locally
# Keys are generated on-device, no network needed
npx @abscore/mcp-gateway keys generate
# Output:
# [KeyProvider:FS] Keys stored at ~/.abs/keys/ (fingerprint: a3b4c5...)License Activation
Online activation (before air-gap)
If the server will have temporary internet access during setup:
npx @abscore/mcp-gateway activate LICENSE-KEY-XXXXOffline activation
For servers that never connect to the internet:
-
Generate a machine fingerprint on the air-gapped server:
npx @abscore/mcp-gateway fingerprint # Output: MACHINE-FP-a3b4c5d6e7f8 -
On an internet-connected machine, visit
abscore.app/activateand submit the license key + machine fingerprint. -
Receive an activation token. Transfer it to the air-gapped server.
-
Apply the token:
npx @abscore/mcp-gateway activate --offline-token TOKEN-XXXX
The offline license is valid for 365 days without any heartbeat.
RFC 3161 Without Internet
In air-gapped mode, RFC 3161 timestamps are unavailable. Each SAR will contain:
{
"rfc3161_token": "",
"rfc3161_authority": "",
"temporal_drift_ms": 0
}Mitigation: Use the server's NTP-synchronized hardware clock as the timestamp source. For legal admissibility, document the NTP configuration and clock calibration procedure.
For classified environments, consider a local TSA appliance (e.g., Guardtime, Ascertia) connected to the isolated network.
Updates & Patching (Offline)
Atualizações em ambientes Air-Gapped seguem um rigoroso processo de transferência manual em clean-rooms:
- Download do pacote de atualização (
.tgz) em uma máquina conectada à internet (Bastion Host). - Validação obrigatória da dupla-assinatura criptográfica (Development Key + Production Key) utilizando a chave pública da OConnector.
- Transferência física via mídia sanitizada para o ambiente classificado.
- Aplicação no servidor Air-Gapped:
npx @abscore/mcp-gateway update --from-file abs-core-4.3.1-verified.tgz
O engine_fingerprint nos relatórios SAR subsequentes será atualizado automaticamente, garantindo rastreabilidade do patch de segurança.
Backup and Recovery
Local Backup
# Export ledger to JSONL with integrity verification
npx @abscore/mcp-gateway backup --output /secure/backup/ledger-2026-04-11.jsonl
# Verify backup integrity
npx @abscore/mcp-gateway verify --file /secure/backup/ledger-2026-04-11.jsonlDisaster Recovery
- Install ABS Core on the replacement server (from local package)
- Copy the key files from backup:
~/.abs/keys/ - Import the ledger backup:
npx @abscore/mcp-gateway restore --from /secure/backup/ledger-2026-04-11.jsonl - Verify chain integrity:
npx @abscore/mcp-gateway verify # Chain integrity: VALID (4,231 blocks verified)
Compliance Verification
The standalone SAR Verifier (tools/sar-verifier.html) runs entirely in the browser with no external dependencies:
- Open
sar-verifier.htmlin any browser on the air-gapped network - Paste a SovereignAuditRecord JSON
- The verifier checks:
- Hash chain integrity
- Ed25519 signature presence
- RFC 3161 token presence (flagged if missing)
- All required fields present
No data leaves the browser. No network requests are made.
Related
- KeyProvider API -- Key management options
- MCP Security Gateway -- Gateway configuration
- Sovereign Checklist -- Installation verification
KeyProvider API
How to configure Ed25519 key management for ABS Core -- filesystem, environment variables, AWS KMS, HashiCorp Vault, and hardware security modules.
Enterprise Deployment (IaC)
Official architecture blueprints for deploying ABS Core via Terraform and Kubernetes (Helm) in highly regulated environments.