MeshanicsDocs

Offline & air-gapped operation

Some fleets never touch the internet. Defence sites, isolated factory cells, and classified networks need the same signed, rollback-safe update path as a connected fleet — without an outbound dependency, and without exporting anything about the devices or their payloads. Meshanics is built so that the entire trust domain can live inside an air gap.

The trust anchor is created offline

The root of trust for every update is established in an offline ceremony, deliberately separated from the running system:

  • The root and targets keys are generated and held on an air-gapped machine and never leave it. They sign the metadata that anchors the fleet's trust.
  • Only the signed public metadata is carried back — typically on removable media — and placed where the control plane can serve it.
  • The freshness and publishing keys that the control plane holds online are a strictly narrower set: they can attest that an already-signed release is the current one, but they cannot change which keys the fleet trusts or what a release contains. The keys that matter most never sit on a networked host.

This division means a compromise of the running backend cannot re-root the fleet. For the role layout and how devices verify it, see Update verification with TUF.

Pinning trust into devices

The signed root metadata is the anchor a device pins so it can verify every update independently. It is placed onto the device at provisioning time, and that first copy is trusted because of how it arrived, not because of any signature it carries: its self-signature only proves that it has not been altered, so the integrity of the provisioning step matters as much as the integrity of a key. From then on the agent checks signatures and freshness against that anchor on every update, regardless of how the device was enrolled.

Enrolling devices with no online exchange

A connected device enrolls with a short-lived token over the network. Where there is no path to the control plane, the same identity is provisioned from removable media instead:

  • the device's certificate authority bundle,
  • the device's own certificate and locally held private key,
  • the pinned trust anchor.

The agent then runs exactly as it would on a connected device. The verification logic is identical — there is no relaxed, offline-only code path, and no --insecure mode anywhere.
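
The offline enrollment path above, as an added example written for this page in Go with only the standard library; it is not code from the Meshanics agent or control plane. It constructs a CA bundle and a device identity (standing in for what the removable media would carry, with the pinned trust anchor of the previous section left out), starts a loopback control plane that requires a client certificate chaining to that CA, and has the agent side enroll with verification at its strict defaults. It then runs the same code for media that lacks the device certificate and for a certificate issued by a CA the control plane was never told to trust. The names `Media`, `issue`, `enroll`, `startControlPlane`, `control-plane.local`, `device-0042` and the "enrolled" greeting are this example's assumptions, not Meshanics identifiers.

```go
package main

import (
	"bufio"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a one-hour P-256 certificate for cn: a self-signed CA when ca == nil, otherwise
// an end-entity certificate for server and client authentication, signed by ca.
func issue(cn string, ca *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, crypto.Signer(key) // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = ca.Leaf, ca.PrivateKey.(crypto.Signer)
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Media is what the removable medium carries to an isolated device (constructed here, not read from disk).
type Media struct {
	CAPool *x509.CertPool   // the CA bundle the device must trust
	Certs  []tls.Certificate // its own certificate with the locally held key; empty models media that lacks it
}

// startControlPlane listens on loopback, presents srv, and admits only peers whose client
// certificate chains to pool; everyone else gets a TLS alert and nothing more.
func startControlPlane(srv *tls.Certificate, pool *x509.CertPool) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{*srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	if err != nil {
		panic(err)
	}
	go func() { // one connection at a time is enough for this demonstration
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil {
				fmt.Fprintln(c, "enrolled")
			}
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// enroll is the agent side: trust only the CA bundle from the media, present the device
// certificate, and never relax verification (InsecureSkipVerify keeps its false default).
func enroll(addr string, m Media) error {
	cfg := &tls.Config{RootCAs: m.CAPool, Certificates: m.Certs, ServerName: "control-plane.local"}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	// Under TLS 1.3 the server's verdict on the client certificate arrives after the client
	// side of the handshake completes, so a refusal surfaces here, on the first read.
	if line, err := bufio.NewReader(conn).ReadString('\n'); err != nil || line != "enrolled\n" {
		return fmt.Errorf("control plane refused the device: %v", err)
	}
	return nil
}

// EnrollScenario provisions one honest device and two that must be refused: media without
// a device certificate, and a certificate issued by a CA the control plane does not trust.
func EnrollScenario() (honest, noCert, rogueCA error) {
	ca := issue("Constructed Fleet CA", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	addr := startControlPlane(issue("control-plane.local", ca), pool)
	honest = enroll(addr, Media{CAPool: pool, Certs: []tls.Certificate{*issue("device-0042", ca)}})
	noCert = enroll(addr, Media{CAPool: pool})
	rogueCA = enroll(addr, Media{CAPool: pool, Certs: []tls.Certificate{*issue("device-0042", issue("Rogue CA", nil))}})
	return
}

func main() {
	honest, noCert, rogueCA := EnrollScenario()
	fmt.Printf("honest: %v\nno certificate: %v\nrogue CA: %v\n", honest, noCert, rogueCA)
}
```

Two details carry over to a real agent. The client never sets InsecureSkipVerify, so a control plane presenting a certificate outside the CA bundle is refused by the device in the same way the device is refused when its own certificate is wrong; there is no asymmetric "trust the server anyway" path. And because a TLS 1.3 server rejects a client certificate only after the client's side of the handshake has finished, an enrollment routine has to treat an error on the first read as a refusal, not as a transport hiccup to retry around.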

Moving updates across the gap

Updates cross the air gap as signed artifacts and their metadata, not as trust exceptions. An artifact built and signed on the connected side is carried to the isolated control plane, which serves it to devices over the same mutually authenticated channel used everywhere. Because each artifact and its metadata carry their own signatures, transport across the gap never weakens the guarantee the device checks before it applies anything.
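
The chain from the offline ceremony, through the pinned anchor, to the check a device runs on an artifact that crossed the gap, as an added example in Go (standard library only). It is not Meshanics code, and it simplifies the TUF layout it illustrates: one Ed25519 key per role with a threshold of one, no snapshot role, and a root that carries keys but no version or expiry. The root and targets keys are generated in a simulated offline ceremony, the timestamp key is the only one the control plane holds, and `Verify` trusts nothing but the pinned root and the last timestamp version the device accepted. Two of the failures the sections above rule out are then exercised: a backend that holds only the timestamp key publishes its own targets.json, and previously valid metadata is replayed. The field names, role names and helper names are this example's assumptions, not the product's metadata format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Envelope holds the exact bytes that were signed plus one Ed25519 signature over them.
type Envelope struct {
	Signed json.RawMessage `json:"signed"`
	Sig    []byte          `json:"sig"`
}

// Root is the anchor a device pins: role name ("root", "targets", "timestamp") to public key.
type Root map[string][]byte

// Timestamp is all the online control plane signs: freshness plus the digest of the current targets.json.
type Timestamp struct {
	Version       int       `json:"version"`
	Expires       time.Time `json:"expires"`
	TargetsSHA256 []byte    `json:"targets_sha256"`
}

func sha(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
// sign marshals v (Go's struct and map encoding is deterministic) and wraps it with a signature.
func sign(priv ed25519.PrivateKey, v interface{}) []byte {
	raw, _ := json.Marshal(v)
	env, _ := json.Marshal(Envelope{Signed: raw, Sig: ed25519.Sign(priv, raw)})
	return env
}

// open checks env against pub and decodes the signed payload into v.
func open(pub ed25519.PublicKey, env []byte, v interface{}) error {
	var e Envelope
	json.Unmarshal(env, &e) // a malformed envelope leaves e empty and so fails the check below
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, e.Signed, e.Sig) {
		return errors.New("signature does not verify")
	}
	return json.Unmarshal(e.Signed, v)
}

// Verify is the agent's check before it applies anything: it trusts only pinnedRoot and lastTS
// (the last timestamp version it accepted) and returns the version to persist on success.
func Verify(pinnedRoot, tsEnv, targetsEnv []byte, name string, artifact []byte, lastTS int, now time.Time) (int, error) {
	var e Envelope
	var root Root
	var ts Timestamp
	var targets map[string][]byte // targets.json: artifact name -> SHA-256 digest
	json.Unmarshal(pinnedRoot, &e)  // unverified peek to learn which key root claims for itself;
	json.Unmarshal(e.Signed, &root) // a malformed pin leaves root empty and fails the first case
	switch { // every check must pass, top to bottom; root is self-signed by the key it declares
	case open(root["root"], pinnedRoot, &root) != nil:
		return lastTS, errors.New("root: pinned metadata does not verify")
	case open(root["timestamp"], tsEnv, &ts) != nil:
		return lastTS, errors.New("timestamp: not signed by the key root assigns")
	case open(root["targets"], targetsEnv, &targets) != nil:
		return lastTS, errors.New("targets: not signed by the key root assigns")
	case now.After(ts.Expires):
		return lastTS, errors.New("timestamp expired")
	case ts.Version <= lastTS: // rollback, or a replay of metadata already accepted
		return lastTS, fmt.Errorf("rollback: timestamp %d is not newer than %d", ts.Version, lastTS)
	case !bytes.Equal(sha(targetsEnv), ts.TargetsSHA256):
		return lastTS, errors.New("targets.json is not the one timestamp pins")
	case !bytes.Equal(sha(artifact), targets[name]):
		return lastTS, fmt.Errorf("%s: artifact does not match a current target", name)
	}
	return ts.Version, nil
}

// UpdateScenario runs the ceremony and one honest publish, then two things the agent must refuse.
func UpdateScenario() (lastTS int, honest, forged, replay error) {
	now := time.Now()
	exp := now.Add(24 * time.Hour)
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // offline machine: root and
	tgPub, tgPriv, _ := ed25519.GenerateKey(rand.Reader)     // targets keys never leave it
	tsPub, tsPriv, _ := ed25519.GenerateKey(rand.Reader)     // the only key the control plane holds
	pinnedRoot := sign(rootPriv, Root{"root": rootPub, "targets": tgPub, "timestamp": tsPub})
	fw := []byte("constructed sample firmware image, v2") // stands in for a real artifact
	targets := sign(tgPriv, map[string][]byte{"fw.bin": sha(fw)})
	ts := sign(tsPriv, Timestamp{Version: 1, Expires: exp, TargetsSHA256: sha(targets)})
	lastTS, honest = Verify(pinnedRoot, ts, targets, "fw.bin", fw, 0, now)
	// Backend compromise: the attacker holds tsPriv and nothing else, so signs both files with it.
	evil := []byte("constructed malicious image")
	evilTargets := sign(tsPriv, map[string][]byte{"fw.bin": sha(evil)})
	evilTS := sign(tsPriv, Timestamp{Version: 2, Expires: exp, TargetsSHA256: sha(evilTargets)})
	_, forged = Verify(pinnedRoot, evilTS, evilTargets, "fw.bin", evil, lastTS, now)
	_, replay = Verify(pinnedRoot, ts, targets, "fw.bin", fw, lastTS, now) // same metadata again
	return
}

func main() {
	lastTS, honest, forged, replay := UpdateScenario()
	fmt.Printf("persisted timestamp %d\nhonest: %v\nforged: %v\nreplay: %v\n", lastTS, honest, forged, replay)
}
```

The pinned root is self-signed, so its signature proves only that it has not been altered since the ceremony; the device trusts it because it was provisioned onto it. Everything after that is derived from it. The online key can move `Version` forward and declare which targets.json is current, but it cannot sign targets.json, so the forged publish fails at the targets check; and because the device persists the last accepted `Version`, the replayed metadata fails the rollback check. Carrying an update across the gap means carrying exactly these signed files plus the artifact; nothing is re-signed on the isolated side, and nothing on that side can widen what the device accepts.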

Metadata only — nothing leaves

The platform records device records, update history, and an append-only audit trail. It never inspects or exports the contents of customer payloads. In an air-gapped deployment there is, by construction, no outbound telemetry at all — a property defence and regulated customers can audit directly.