Inferensys

Glossary

Air-Gapped Registry

A fully isolated container registry operating on a network with no physical or logical connection to the internet, requiring manual import and synchronization of images.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
ISOLATED ARTIFACT REPOSITORY

What is an Air-Gapped Registry?

An air-gapped registry is a container image repository operating on a network with no physical or logical connection to the internet, requiring manual data transfer for all image synchronization.

An air-gapped registry is a private container registry deployed within a high-security network segment that has absolutely no inbound or outbound connectivity to external networks, including the public internet. Unlike a standard private registry that may use a registry mirror or pull-through cache to proxy external images, an air-gapped instance relies entirely on a manual import process. This involves using a physical transfer medium, such as a removable hard drive, or a strictly controlled one-way data diode to physically shuttle container images, Helm charts, and OCI artifacts across the isolation boundary.

Operational integrity in an air-gapped environment depends on the completeness of the transferred data. Administrators must ensure that every dependency, including multi-arch images for heterogeneous hardware, SBOMs, and Cosign signatures for content trust verification, is bundled and exported using tools like Skopeo. Once imported, local security policies enforced by an admission controller can validate image digests and SLSA provenance without ever needing to query an external Sigstore transparency log, ensuring that the binary authorization process remains fully self-contained within the sovereign infrastructure.

ISOLATION ARCHITECTURE

Core Characteristics of an Air-Gapped Registry

An air-gapped registry operates in a physically disconnected environment, requiring specialized mechanisms for artifact ingestion, integrity verification, and lifecycle management that fundamentally differ from connected registries.

01

Physical Network Isolation

The defining characteristic is the complete absence of any network pathway to the internet or external networks. This is enforced through physical air gaps—no routers, no gateways, no transient connections. All data transfer occurs via sneakernet: physically moving storage media (USB drives, portable HDDs) across the gap through a controlled transfer station. This eliminates remote exfiltration vectors but introduces manual synchronization latency as a core operational constraint.

Zero
External Attack Surface
Physical
Transfer Mechanism
02

Manual Image Import Workflow

Images cannot be pulled from Docker Hub or any upstream source. Instead, a staging workstation on the connected side pulls and verifies images, then exports them as OCI-compliant tarballs using tools like skopeo copy or docker save. These archives are transferred across the gap via removable media, scanned for malware at the boundary, and loaded into the air-gapped registry using docker load or skopeo copy targeting the internal registry endpoint. This process must preserve multi-arch manifests and image digests.

OCI Tarball
Transfer Format
Skopeo
Primary Tool
03

Integrity and Provenance Verification

Without live internet access, real-time signature verification against public transparency logs is impossible. The air-gapped registry must rely on pre-imported trust data:

  • Cosign public keys and Sigstore root of trust materials must be imported alongside images.
  • SBOM attestations are verified offline against known vulnerability databases that are also manually synchronized.
  • Image digests become the primary integrity anchor—every pull must verify the content-addressable SHA256 hash matches the expected value before deployment.
SHA256
Integrity Anchor
Offline
Verification Mode
04

Synchronized Vulnerability Database

Security scanning in an air-gapped environment requires a locally mirrored vulnerability database. Tools like Trivy and Harbor must be configured to use an internal database instance that receives periodic offline updates. The synchronization process involves:

  • Exporting vulnerability feeds (NVD, OSV, proprietary) on the connected side.
  • Transferring them across the gap on the same physical media schedule.
  • Importing them into the internal database so scanners can evaluate images against current known vulnerabilities without external API calls.
Periodic
Update Cadence
Trivy
Common Scanner
05

Immutable Retention and Garbage Collection

Storage is a finite, precious resource in air-gapped environments where expanding capacity requires physical procurement. Retention policies must be strictly enforced:

  • Immutable tags (digest-based) prevent accidental overwrites.
  • Garbage collection reclaims space from untagged manifests and orphaned layers.
  • Image promotion between internal namespaces (dev, staging, prod) uses registry-internal copy operations rather than re-importing.
  • A golden image strategy ensures only hardened, approved base images consume storage.
Immutable
Tag Strategy
Golden Images
Storage Optimization
06

Admission Control Enforcement

The air-gapped registry integrates with Kubernetes admission controllers to enforce deploy-time policies without external webhook dependencies. An admission controller intercepts pod creation requests and validates:

  • The image digest matches an approved signature stored in the local registry.
  • The image has passed the most recent offline vulnerability scan.
  • The image originates from a trusted internal project namespace. This provides a binary authorization gate that runs entirely within the isolated cluster.
Deploy-Time
Enforcement Point
Binary Auth
Policy Type
AIR-GAPPED REGISTRY

Frequently Asked Questions

Essential questions and answers about operating container registries in physically disconnected environments, covering synchronization, vulnerability management, and operational integrity.

An air-gapped registry is a fully isolated container image repository operating on a network with no physical or logical connection to the internet. It functions as the sole source of truth for containerized workloads within high-security environments, requiring all images to be manually imported via sneakernet—the physical transfer of data using removable media like encrypted hard drives or optical discs. The registry implements the OCI Distribution Specification internally, serving image manifests and layer blobs to container runtimes without any external dependency. All synchronization operations, including vulnerability database updates and image replication, must be executed through controlled, auditable offline procedures that pass through security checkpoints before data enters the isolated enclave.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.