Inferensys

Glossary

Air-Gapped Registry

A private container registry operating on a network segment with no physical or logical connection to the internet, used to host and distribute signed artifacts in high-security environments.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
HIGH-SECURITY ARTIFACT MANAGEMENT

What is Air-Gapped Registry?

An air-gapped registry is a private container registry operating on a network segment with no physical or logical connection to the internet, used to host and distribute signed artifacts in high-security environments.

An air-gapped registry is a private, internal artifact repository that exists on a network completely isolated from the internet—no inbound or outbound connectivity of any kind. It serves as the sole source of truth for container images, OCI artifacts, and model weights within classified or critical infrastructure environments, ensuring that all software is manually vetted and transferred via controlled physical media or data diodes before being admitted.

This architecture enforces a strict zero-trust boundary by eliminating remote attack vectors entirely. All artifacts stored in the registry must be cryptographically signed using tools like Cosign and accompanied by an SBOM and attestation to prove provenance. The registry enforces immutable tags and binary authorization policies, guaranteeing that only tamper-proof, verified workloads are deployed in the disconnected sovereign environment.

ISOLATION ARCHITECTURE

Core Characteristics of an Air-Gapped Registry

An air-gapped registry is a private container image and artifact repository operating on a network segment with no physical or logical connection to the internet. It serves as the definitive source of truth for signed, verified software artifacts in high-security environments where external connectivity is prohibited by policy or regulation.

01

Physical Network Isolation

The defining characteristic is the complete absence of any external network pathway. This is enforced through:

  • Physical air gap: No network interface cards connected to external switches or routers
  • Logical air gap: Disabled routing, absent default gateways, and firewall rules that drop all packets to and from external networks
  • No DNS resolution: The registry cannot resolve external hostnames, preventing even accidental data exfiltration via DNS tunneling

This isolation ensures that even if the registry software itself is compromised, an attacker cannot establish a command-and-control channel to exfiltrate model weights or container images.

02

Sneakernet Artifact Ingestion

Artifacts enter the air-gapped environment through a strictly controlled, offline transfer process known as a sneakernet:

  • Physical media transfer: Signed artifacts are written to encrypted, write-once media (e.g., optical discs, hardware-encrypted USB drives) in a connected staging area
  • Malware scanning: All media undergoes mandatory antivirus and static analysis scanning on a dedicated, isolated scanning station before being introduced to the air-gapped network
  • Cryptographic verification: Artifacts are verified against their Sigstore or Cosign signatures before ingestion, ensuring integrity across the physical transfer
  • One-way data diode: Some architectures employ optical data diodes that physically enforce unidirectional data flow, allowing artifacts in while making outbound communication physically impossible
03

Immutable and Signed Storage

Once ingested, artifacts must be protected against tampering and overwrite:

  • Immutable tags: Registry policies enforce that a semantic version tag (e.g., v1.2.3) can only be pushed once and is permanently bound to a specific content-addressable digest
  • Content trust enforcement: The registry rejects any artifact push that lacks a valid cryptographic signature from an authorized signing identity, verified against a locally hosted Rekor transparency log replica
  • WORM backing store: The underlying storage layer (object storage or block storage) is configured in a Write-Once-Read-Many mode, preventing even administrative users from modifying or deleting artifacts after ingestion
  • Manifest immutability: The OCI manifest, which references all layers and configurations, is hashed and stored immutably, creating a tamper-evident chain from tag to content
04

Localized Vulnerability Scanning

Without internet access, traditional vulnerability scanners that rely on live CVE feeds cannot function. An air-gapped registry requires:

  • Locally mirrored vulnerability databases: A complete, periodically updated mirror of vulnerability databases (e.g., NVD, OSV, GitHub Advisory Database) is transferred via the same sneakernet process
  • Offline scanning engine: The registry integrates with a scanning engine (like Trivy or Grype) configured to use only the local database, scanning every pushed artifact for known vulnerabilities
  • Policy-based admission: Using an integrated Open Policy Agent (OPA) instance, the registry can reject artifacts that exceed a defined severity threshold or contain prohibited licenses, all evaluated locally without external API calls
  • SBOM attestation verification: The registry validates that every artifact is accompanied by a signed Software Bill of Materials (SBOM), enabling precise component tracking even in the disconnected environment
05

Internal Replication and High Availability

Air-gapped registries must provide robust availability without relying on external failover or cloud-based distribution:

  • Intra-site replication: Multiple registry instances within the air-gapped boundary replicate artifacts synchronously or asynchronously, ensuring availability during maintenance or localized failures
  • Pull-through caching: Downstream registry instances can act as caches, pulling artifacts from a central air-gapped registry on first request and storing them locally for subsequent pulls by Kubernetes nodes
  • Garbage collection policies: Administrators define retention policies to manage storage, but deletion is always a soft delete with audit trails, never a permanent overwrite, to maintain non-repudiation
  • Disconnected Kubernetes integration: The registry integrates with air-gapped Kubernetes clusters via admission controllers that verify image signatures and SBOMs before allowing a pod to start, ensuring runtime integrity matches registry integrity
06

Auditable Export and Compliance Reporting

Regulatory frameworks require proof of what artifacts exist and their provenance, even in disconnected environments:

  • Cryptographic audit trails: Every push, pull, and policy decision is logged with a signed, timestamped entry, creating a non-repudiable record of all registry activity
  • Compliance artifact export: The registry can export a signed, machine-readable report (e.g., in-toto attestation bundle) detailing all artifacts, their SBOMs, vulnerability scan results, and signature chains, for transfer to external auditors via physical media
  • Role-based access control (RBAC): Granular permissions ensure that only authorized personnel can push new artifacts, while a wider group of systems and operators can pull verified artifacts for deployment
  • Quota and retention dashboards: Local dashboards provide visibility into storage consumption and artifact lifecycle without any telemetry data leaving the air-gapped boundary
AIR-GAPPED REGISTRY

Frequently Asked Questions

Essential questions about operating private container registries in physically disconnected environments for high-security AI artifact distribution.

An air-gapped registry is a private container registry operating on a network segment with no physical or logical connection to the internet, used to host and distribute signed OCI artifacts in high-security environments. It functions as an isolated artifact repository where all images, model weights, Helm charts, and attestations are transferred via sneakernet—physically moving storage media across the air gap. The registry enforces strict content trust policies, requiring every artifact to carry a valid cryptographic signature verified against an internal Hardware Security Module (HSM) before deployment. In sovereign AI infrastructure, air-gapped registries ensure that proprietary model weights and sensitive container images never traverse external networks, eliminating exfiltration risks and supply chain tampering vectors. Operators typically run vulnerability scanners and admission controllers within the isolated segment to validate artifacts before they reach production Kubernetes clusters.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.