An air-gapped registry is a private, internal artifact repository that exists on a network completely isolated from the internet—no inbound or outbound connectivity of any kind. It serves as the sole source of truth for container images, OCI artifacts, and model weights within classified or critical infrastructure environments, ensuring that all software is manually vetted and transferred via controlled physical media or data diodes before being admitted.
Glossary
Air-Gapped Registry

What is Air-Gapped Registry?
An air-gapped registry is a private container registry operating on a network segment with no physical or logical connection to the internet, used to host and distribute signed artifacts in high-security environments.
This architecture enforces a strict zero-trust boundary by eliminating remote attack vectors entirely. All artifacts stored in the registry must be cryptographically signed using tools like Cosign and accompanied by an SBOM and attestation to prove provenance. The registry enforces immutable tags and binary authorization policies, guaranteeing that only tamper-proof, verified workloads are deployed in the disconnected sovereign environment.
Core Characteristics of an Air-Gapped Registry
An air-gapped registry is a private container image and artifact repository operating on a network segment with no physical or logical connection to the internet. It serves as the definitive source of truth for signed, verified software artifacts in high-security environments where external connectivity is prohibited by policy or regulation.
Physical Network Isolation
The defining characteristic is the complete absence of any external network pathway. This is enforced through:
- Physical air gap: No network interface cards connected to external switches or routers
- Logical air gap: Disabled routing, absent default gateways, and firewall rules that drop all packets to and from external networks
- No DNS resolution: The registry cannot resolve external hostnames, preventing even accidental data exfiltration via DNS tunneling
This isolation ensures that even if the registry software itself is compromised, an attacker cannot establish a command-and-control channel to exfiltrate model weights or container images.
Sneakernet Artifact Ingestion
Artifacts enter the air-gapped environment through a strictly controlled, offline transfer process known as a sneakernet:
- Physical media transfer: Signed artifacts are written to encrypted, write-once media (e.g., optical discs, hardware-encrypted USB drives) in a connected staging area
- Malware scanning: All media undergoes mandatory antivirus and static analysis scanning on a dedicated, isolated scanning station before being introduced to the air-gapped network
- Cryptographic verification: Artifacts are verified against their Sigstore or Cosign signatures before ingestion, ensuring integrity across the physical transfer
- One-way data diode: Some architectures employ optical data diodes that physically enforce unidirectional data flow, allowing artifacts in while making outbound communication physically impossible
Immutable and Signed Storage
Once ingested, artifacts must be protected against tampering and overwrite:
- Immutable tags: Registry policies enforce that a semantic version tag (e.g.,
v1.2.3) can only be pushed once and is permanently bound to a specific content-addressable digest - Content trust enforcement: The registry rejects any artifact push that lacks a valid cryptographic signature from an authorized signing identity, verified against a locally hosted Rekor transparency log replica
- WORM backing store: The underlying storage layer (object storage or block storage) is configured in a Write-Once-Read-Many mode, preventing even administrative users from modifying or deleting artifacts after ingestion
- Manifest immutability: The OCI manifest, which references all layers and configurations, is hashed and stored immutably, creating a tamper-evident chain from tag to content
Localized Vulnerability Scanning
Without internet access, traditional vulnerability scanners that rely on live CVE feeds cannot function. An air-gapped registry requires:
- Locally mirrored vulnerability databases: A complete, periodically updated mirror of vulnerability databases (e.g., NVD, OSV, GitHub Advisory Database) is transferred via the same sneakernet process
- Offline scanning engine: The registry integrates with a scanning engine (like Trivy or Grype) configured to use only the local database, scanning every pushed artifact for known vulnerabilities
- Policy-based admission: Using an integrated Open Policy Agent (OPA) instance, the registry can reject artifacts that exceed a defined severity threshold or contain prohibited licenses, all evaluated locally without external API calls
- SBOM attestation verification: The registry validates that every artifact is accompanied by a signed Software Bill of Materials (SBOM), enabling precise component tracking even in the disconnected environment
Internal Replication and High Availability
Air-gapped registries must provide robust availability without relying on external failover or cloud-based distribution:
- Intra-site replication: Multiple registry instances within the air-gapped boundary replicate artifacts synchronously or asynchronously, ensuring availability during maintenance or localized failures
- Pull-through caching: Downstream registry instances can act as caches, pulling artifacts from a central air-gapped registry on first request and storing them locally for subsequent pulls by Kubernetes nodes
- Garbage collection policies: Administrators define retention policies to manage storage, but deletion is always a soft delete with audit trails, never a permanent overwrite, to maintain non-repudiation
- Disconnected Kubernetes integration: The registry integrates with air-gapped Kubernetes clusters via admission controllers that verify image signatures and SBOMs before allowing a pod to start, ensuring runtime integrity matches registry integrity
Auditable Export and Compliance Reporting
Regulatory frameworks require proof of what artifacts exist and their provenance, even in disconnected environments:
- Cryptographic audit trails: Every push, pull, and policy decision is logged with a signed, timestamped entry, creating a non-repudiable record of all registry activity
- Compliance artifact export: The registry can export a signed, machine-readable report (e.g., in-toto attestation bundle) detailing all artifacts, their SBOMs, vulnerability scan results, and signature chains, for transfer to external auditors via physical media
- Role-based access control (RBAC): Granular permissions ensure that only authorized personnel can push new artifacts, while a wider group of systems and operators can pull verified artifacts for deployment
- Quota and retention dashboards: Local dashboards provide visibility into storage consumption and artifact lifecycle without any telemetry data leaving the air-gapped boundary
Frequently Asked Questions
Essential questions about operating private container registries in physically disconnected environments for high-security AI artifact distribution.
An air-gapped registry is a private container registry operating on a network segment with no physical or logical connection to the internet, used to host and distribute signed OCI artifacts in high-security environments. It functions as an isolated artifact repository where all images, model weights, Helm charts, and attestations are transferred via sneakernet—physically moving storage media across the air gap. The registry enforces strict content trust policies, requiring every artifact to carry a valid cryptographic signature verified against an internal Hardware Security Module (HSM) before deployment. In sovereign AI infrastructure, air-gapped registries ensure that proprietary model weights and sensitive container images never traverse external networks, eliminating exfiltration risks and supply chain tampering vectors. Operators typically run vulnerability scanners and admission controllers within the isolated segment to validate artifacts before they reach production Kubernetes clusters.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and technologies that form the foundation of air-gapped registry operations in high-security environments.
Private Container Registries
An internal artifact repository that hosts and scans container images for AI workloads within a fully isolated network. Unlike public registries, a private instance enforces role-based access control, vulnerability scanning, and image signing without external dependencies. In air-gapped environments, the registry must operate entirely offline, synchronizing updates via sneakernet or one-way data diodes.
Software Bill of Materials (SBOM)
A machine-readable inventory of every component, library, and dependency within a container image. In an air-gapped registry, the SBOM is critical for vulnerability management without live CVE feeds. It enables auditors to trace every package back to its source and verify that no unauthorized code exists in the supply chain.
Cosign & Keyless Signing
A tool within the Sigstore ecosystem that signs container images and stores signatures directly in the registry. In disconnected environments, keyless signing using ephemeral keys bound to workload identity eliminates the risk of long-lived key compromise. Signatures are verified at deployment time by an admission controller before any image runs.
Immutable Tag
A registry feature that prevents a specific image tag from being overwritten. Once v1.4.3-prod is pushed and signed, no force-push can alter its digest. This guarantees non-repudiation—the artifact deployed today is cryptographically identical to the one audited last quarter. Combined with WORM storage, it creates a tamper-proof deployment chain.
Admission Controller
A Kubernetes-native policy engine that intercepts every deployment request and validates it against custom rules. In an air-gapped model serving pipeline, the admission controller verifies:
- Image signature against the trusted registry
- SBOM attestation for vulnerability compliance
- Workload identity matches the authorized service account Only images passing all checks are permitted to run.
Hardware Security Module (HSM)
A dedicated physical device that safeguards the root signing keys for the air-gapped registry. The HSM performs all cryptographic operations internally—keys never leave the tamper-resistant hardware. This protects against logical extraction and physical theft, ensuring that even an insider with console access cannot exfiltrate the private key material used to sign model artifacts.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us